Question

Laserfiche Server using WA with VPN and Zscaler

asked on July 28, 2021

Hello. Has anyone had experience connecting to Laserfiche over a VPN with ZScaler using WA? The customer can connect using a Laserfiche username and password. Using the VPN and ZScaler, when they try to connect with WA, they immediately get a 1201 error. The 1201 error found on the support site does not apply here since the user does not have any issue logging in with WA without ZScaler. We have opened all ports known for AD in the ZScaler policy. Any suggestions would be helpful. Thanks for your time.

0 0

Replies

replied on July 29, 2021

Hi there,

Are you using LFDS for authentication or logging in directly through Web Client?

Can you check if any of the event logs have any corresponding relevant messages/stack traces? If so, please post them here.

0 0
replied on August 2, 2021

The customer does not log into Laserfiche with LFDS. They are using the desktop client and full client. 

0 0
replied on August 2, 2021

Okay. I'm assuming the issue only occurs when users click the "Windows Authentication" button, not when they enter their credentials into the Web Client username and password fields. Clicking "Windows Authentication" triggers IIS to send an HTTP 401 Challenge for the Negotiate (Kerberos/NTLM) authentication method. That's where something is going wrong. 

You can try a few things:

  1. Investigate if the customer is running into the issue described here: Zscaler Integrated Windows Authentication (IWA) and Tunnel Mode
  2. Add an exclusion rule for the Web Client URL/IP in Zscaler. I'm not a Zscaler expert, so I don't have exact instructions here.
  3. Use Wireshark/Fiddler to try to identify the specific way the auth handshake is going wrong with Zscaler in the middle, then see if you can fix the issue in Zscaler in a more granular way.
0 0
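
For the capture step suggested in the reply above, this added example (not part of the thread and not Laserfiche or Zscaler code) classifies `WWW-Authenticate` / `Authorization` header lines copied out of Fiddler or Wireshark, so you can see whether each leg carried a bare challenge, an NTLM message, or a Kerberos ticket. The function name and the sample headers are assumptions constructed for illustration.

```python
import base64
import struct

NTLM_SIG = b"NTLMSSP\x00"
# DER encoding of the Kerberos 5 mechanism OID 1.2.840.113554.1.2.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")


def classify_auth_header(line):
    """Classify one WWW-Authenticate / Authorization line (hypothetical helper)."""
    _, _, value = line.partition(":")
    scheme, _, token = value.strip().partition(" ")
    token = token.strip()
    if scheme.lower() not in ("negotiate", "ntlm"):
        return f"{scheme or 'none'} (not IWA)"
    if not token:
        return f"{scheme} challenge, no token"
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return f"{scheme} token is not valid base64"
    pos = raw.find(NTLM_SIG)
    if pos != -1 and len(raw) >= pos + 12:
        # NTLM message type is a little-endian uint32 right after the signature
        (msg_type,) = struct.unpack_from("<I", raw, pos + 8)
        wrapped = "" if pos == 0 else " inside SPNEGO"
        return f"{scheme} NTLM type {msg_type}{wrapped}"
    if KRB5_OID in raw:
        return f"{scheme} Kerberos ticket (SPNEGO)"
    return f"{scheme} unrecognized token"


def b64(raw):
    return base64.b64encode(raw).decode()


# Constructed sample headers, not taken from a real capture.
SAMPLE = [
    "WWW-Authenticate: Negotiate",
    "Authorization: Negotiate " + b64(NTLM_SIG + struct.pack("<I", 1) + bytes(20)),
    "WWW-Authenticate: Negotiate " + b64(NTLM_SIG + struct.pack("<I", 2) + bytes(20)),
    "Authorization: Negotiate " + b64(bytes.fromhex("6082010006062b0601050502") + KRB5_OID + bytes(8)),
]

if __name__ == "__main__":
    for header in SAMPLE:
        print(classify_auth_header(header))
```

Comparing the sequence from a working session (without Zscaler) against the failing one shows at which message the exchange diverges.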