Good afternoon,
Is there anyone in the forum with experience that has had to make OpenZiti and Zscaler coexist? In theory it should be possible to make Zscarler trust the Openziti network… but I don’t know how to do it.
Good afternoon,
Is there anyone in the forum with experience that has had to make OpenZiti and Zscaler coexist? In theory it should be possible to make Zscarler trust the Openziti network… but I don’t know how to do it.
Welcome back @arnavarr. You want a device that’s running both endpoint softwares from Ziti and Zscaler to be able to access services without conflict, correct?
If that’s right, then I imagine the two main factors will be which OS and type of service the device is accessing, e.g., IP range vs. DNS name.
Admitedly, I’m not familiar with how Zscaler works. Maybe we can narrow the question down to a scenario like “Windows computer accessing services provided by both.”
Thanks, @qrkourier.
Firstly, I apologize for the delayed response and appreciate your patience. Ideally, I'd prefer not to have both agents coexisting on the same endpoint.
I wonder if one approach could be to use ziti-host
as a Gateway that can connect with the overlay network. In this configuration, Zscaler Private Access (ZPA) would simply see the Gateway as another network segment, thereby avoiding any conflicts at the agent level.
However, this may introduce a challenge in identity propagation. Once a user is authenticated by Zscaler, the overlay network would need to be aware of the user’s identity and respective permissions for accessing specific services. This is straightforward when running the tunneling software or using a browser-based solution, but I don't know how to accomplish this in the proposed scenario (if it is possible).
I'm open to suggestions and would appreciate any insights you could offer on this matter
Software like OpenZiti tunnelers and ZPA will often conflict just due to the nature of what the software is trying to do. If you know how to configure ZPA and OpenZiti's tunnelers, maybe you can get it working but I don't know of anyone that has gone to the trouble to do that yet. A big challenge will probably be that none of us are going to be super-familiar with configuring/using ZPA.
What is it that you're using ZPA for? Generally speaking, I'd think whatever ZPA was doing you could do with OpenZiti (I realize it's 'work' to migrate, so I would guess that's the driving motivator here).
Similar question in Reddit fwiw
Thank you for your input, @TheLumberjack . I acknowledge the complexities involved in having both OpenZiti and Zscaler Private Access (ZPA) operate on the same endpoint.
To address your question, the adoption of ZPA was rather rapid and didn't give us much room to fully assess its compatibility with our existing OpenZiti setup. Initially, we had envisioned a more extended timeline to work with OpenZiti, but circumstances dictated a quicker adoption of ZPA.
For the time being, we've relegated ZPA to handle only external accesses. However, I am keen on finding an optimal way to make both systems coexist harmoniously. I appreciate any suggestions or best practices you might have in accomplishing this.
You'll probably have to get more intimate with how to configure ZPA (and OpenZiti) then as that reddit post @smilindave26 linked to wher @gormami commented the following:
Assuming Windows for the moment, there is configuration option to update the address range used.
Open Ziti Desktop Edge > Main Menu > Advanced Settings > Tunnel Configuration > Edit Values > Change IPv4 Address from 100.64.0.1 / 10 to 100.100.0.1 / 16 Then you can restart the tunnel with the big stop/start button. That should keep them out of each others way. You can change it to any address/subnet you need to, depending on how many connections each is making, but that should be more than enough. I think it's the same for MacOs, but I don't drive one, so I'm not positive, but it should be extremely similar if not.
I'd say start there and if we can help further we will. I'd love to see you write up a 'how-to' and publish it if you get it working (and feel so inclined to write up a how-to! )