Introduction
This document describes how to configure the Umbrella roaming security module to coexist with Zscaler Private Access (ZPA).
Prerequisites
Requirements
There are no specific requirements for this document.
Components Used
The information in this document is based on Cisco Umbrella roaming security module.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Overview
The Cisco Umbrella roaming security module (AnyConnect or Cisco Secure Client) works alongside most software, but in some cases extra configuration is required for both products to work as expected.
Zscaler Private Access (ZPA) is an enterprise VPN replacement. This software has historically conflicted with Cisco Umbrella, and Zscaler has not been able to collaborate on a compatibility solution.
As of January 2022, a solution has been found in the field.
ZPA Incompatibilities
Problem
Zscaler makes use of ZPA, which acts as a DNS proxy. This conflicts with Umbrella's own DNS encryption proxy software: DNS can fail to resolve (including local DNS), or names can resolve to completely different addresses such as 100.x.x.x Zscaler IPs.
Solution
Cisco has found a workaround for the ZPA incompatibility that relies on the domains ZPA itself requires. Add these domains to your Internal Domains list in Umbrella:
- prod.zpath.net
- private.zscaler.com
- prod.zpath.vip
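The following added example (not part of the original Cisco document) checks two things a practitioner would want after applying this workaround: that all three ZPA domains are present in an Internal Domains list, and that no name outside that list is being answered with a ZPA synthetic address, which is the symptom described in the Problem section. It assumes that an Internal Domains entry also covers its subdomains and that ZPA synthetic answers fall in 100.64.0.0/10 (the CGNAT range containing the 100.x.x.x addresses mentioned above); the resolver output is constructed sample data.

```python
import ipaddress

# The three ZPA prerequisite domains listed in the Solution section.
ZPA_INTERNAL_DOMAINS = ("prod.zpath.net", "private.zscaler.com", "prod.zpath.vip")

# Assumption: ZPA synthetic answers come from the CGNAT range 100.64.0.0/10,
# which contains the "100.x.x.x" addresses the document describes.
ZPA_SYNTHETIC_NET = ipaddress.ip_network("100.64.0.0/10")


def covered_by_internal_domains(name, internal_domains):
    """True if name is, or is a subdomain of, an Internal Domains entry.
    Assumption: an Internal Domains entry covers its subdomains."""
    name = name.lower().rstrip(".")
    entries = [d.lower().rstrip(".") for d in internal_domains]
    return any(name == d or name.endswith("." + d) for d in entries)


def missing_zpa_domains(internal_domains):
    """Return the ZPA prerequisite domains still absent from the list."""
    return [d for d in ZPA_INTERNAL_DOMAINS
            if not covered_by_internal_domains(d, internal_domains)]


def suspicious_answers(resolutions, internal_domains):
    """Flag (name, address) pairs where a name NOT on the Internal Domains
    list resolved to a ZPA synthetic address: the Problem-section symptom."""
    flagged = []
    for name, addrs in resolutions:
        if covered_by_internal_domains(name, internal_domains):
            continue  # ZPA is expected to answer for these
        for addr in addrs:
            if ipaddress.ip_address(addr) in ZPA_SYNTHETIC_NET:
                flagged.append((name, addr))
    return flagged


# Constructed sample data, not real resolver output or a real tenant config.
SAMPLE_INTERNAL_DOMAINS = ["corp.example", "prod.zpath.net"]
SAMPLE_RESOLUTIONS = [
    ("intranet.corp.example", ["10.20.30.40"]),   # normal internal answer
    ("www.example.org", ["100.64.12.7"]),         # public name hijacked to a ZPA IP
    ("broker.prod.zpath.net", ["100.64.1.2"]),    # expected: covered by internal domain
]

if __name__ == "__main__":
    print("missing ZPA domains:", missing_zpa_domains(SAMPLE_INTERNAL_DOMAINS))
    print("suspicious answers:", suspicious_answers(SAMPLE_RESOLUTIONS, SAMPLE_INTERNAL_DOMAINS))
```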