RedHat vulnerabilities: Dirty Frag and Fragnesia

Hello

It’s getting really repetitive now, isn’t it? Having to patch systems every few days, but… it is what it is. Brave new world of Anthropic Mythos.

If you can, automate upgrades of your app connectors with Ansible or Terraform, or raise a support ticket with Zscaler to enable Automated OS Updates: new vulnerabilities will make your life miserable if you have to do this manually every few days. Let’s be smart.

Zscaler and Minecraft: a battle of wills


I’ve finally come across a real challenge: getting Minecraft to work together with Zscaler. In a nutshell: I’ve tried everything. SSL bypasses, tunnel bypasses, authentication exemptions. Nothing will work. The Minecraft launcher takes forever to fully load; sometimes it can’t even get information about your accounts, sometimes it can. If it loads after 2-3 minutes, you can’t play online.
Now here’s a really strange thing: even if I disable Internet services (ZIA), it still won’t load.
(5 hours of troubleshooting later):

What loads even if ZIA services are off? The WFP driver, of course. Once I disabled the driver in the app profile, it all worked fine.

Here’s my complete policy set for Minecraft:

1) A firewall policy that allows all ports to certain IP addresses (I’m quite sure I don’t have the full set yet):
142.251.153.119, 192.178.223.84, 52.123.242.82, 23.214.208.9, 142.251.155.119, 142.250.117.113, 142.251.157.119, 216.239.36.223, 142.251.150.119, 142.251.30.139, 216.239.32.223, 142.251.156.119, 142.251.152.119, 2.19.252.154, 92.123.128.170, 92.123.128.181, 92.123.128.134, 2.19.252.151, 92.123.128.174, 216.239.34.223, 142.251.127.84, 142.251.151.119, 172.217.76.84, 8.8.4.4, 8.8.8.8, 142.251.154.119

2) Another firewall policy that allows the ports needed by multiplayer (17404, 46500, 25565, 25561), but only at weekends (for all users) and in the afternoon for my son.

I block everything else (apart from DNS, HTTP and HTTPS) in another policy further down.


3) Then I have an SSL inspection policy which exempts a lot of URLs from being inspected (www.bing.com, minecraftservices.com, .overwolf.com, windows.net, .minecraft-services.net, .mojang.com, bing.com, .minecraft.net, .minecraftservices.net, dns.google, googleapis.com, .minecraftservices.com, .live.com, .xboxlive.com, .xboxservices.com, gamepass.com, microsoft.com).

I inspect everything else in a further policy.
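To see how the three firewall rules and the SSL exemption list interact, here is an added example that models them as an ordered, first-match rule set. It is illustrative code written for this post, not Zscaler’s policy engine and not an export of the tenant. Assumptions: the user name "son", a 12:00-18:00 "afternoon" window, the exact weekend definition (Saturday and Sunday), and the suffix semantics of leading-dot entries (a leading dot covers the domain and all subdomains, a bare entry only that host).

```python
"""Illustrative first-match model of the Minecraft rule set described above.

Added example, not Zscaler's policy engine and not an export of the author's
tenant. Assumptions: the user name "son", a 12:00-18:00 afternoon window,
weekend = Saturday/Sunday, and the leading-dot suffix semantics.
"""
from datetime import datetime
from ipaddress import ip_address

# Rule 1: every port allowed towards these destinations (subset of the post's list).
MINECRAFT_IPS = {ip_address(a) for a in (
    "142.251.153.119", "52.123.242.82", "2.19.252.154", "8.8.8.8", "8.8.4.4")}

# Rule 2: multiplayer ports, weekends for everyone, afternoons for one user.
MULTIPLAYER_PORTS = {17404, 46500, 25565, 25561}
AFTERNOON = range(12, 18)      # assumption: 12:00 <= hour < 18:00
TIME_LIMITED_USERS = {"son"}   # assumption: placeholder user name

# Final rule: only DNS, HTTP and HTTPS survive for everything else.
BASELINE_PORTS = {53, 80, 443}

# SSL inspection exemptions copied from the post. Assumed semantics: a leading
# dot covers the domain and all subdomains, a bare entry covers only that host.
SSL_EXEMPT = (
    "www.bing.com", "minecraftservices.com", ".overwolf.com", "windows.net",
    ".minecraft-services.net", ".mojang.com", "bing.com", ".minecraft.net",
    ".minecraftservices.net", "dns.google", "googleapis.com",
    ".minecraftservices.com", ".live.com", ".xboxlive.com", ".xboxservices.com",
    "gamepass.com", "microsoft.com",
)


def evaluate(dst_ip: str, dst_port: int, user: str, when: datetime) -> tuple[str, str]:
    """Return (action, rule) for the first rule that matches, top to bottom."""
    if ip_address(dst_ip) in MINECRAFT_IPS:
        return "allow", "1-minecraft-ips"          # any port, any time, any user
    if dst_port in MULTIPLAYER_PORTS:
        weekend = when.weekday() >= 5               # Saturday=5, Sunday=6
        if weekend or (user in TIME_LIMITED_USERS and when.hour in AFTERNOON):
            return "allow", "2-multiplayer-window"
    if dst_port in BASELINE_PORTS:
        return "allow", "3-baseline-dns-web"
    return "block", "4-default-block"


def evaluate_at(dst_ip: str, dst_port: int, user: str, iso_when: str) -> tuple[str, str]:
    """Same as evaluate(), taking the time as an ISO-8601 string."""
    return evaluate(dst_ip, dst_port, user, datetime.fromisoformat(iso_when))


def ssl_exempt(host: str) -> bool:
    """True when the host is skipped by SSL inspection under the list above."""
    host = host.lower().rstrip(".")
    for entry in SSL_EXEMPT:
        if entry.startswith("."):
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False


if __name__ == "__main__":
    # 2026-05-09 is a Saturday, 2026-05-05 a Tuesday.
    for args in (("8.8.8.8", 25565, "dad", "2026-05-05T14:00"),
                 ("203.0.113.5", 25565, "dad", "2026-05-09T10:00"),
                 ("203.0.113.5", 25565, "dad", "2026-05-05T14:00"),
                 ("203.0.113.5", 25565, "son", "2026-05-05T14:00"),
                 ("203.0.113.5", 25565, "son", "2026-05-05T20:00"),
                 ("203.0.113.5", 443, "dad", "2026-05-05T14:00")):
        print(args, "->", evaluate_at(*args))
    for h in ("api.minecraft.net", "bing.com", "cdn.bing.com", "login.live.com"):
        print(h, "-> exempt" if ssl_exempt(h) else "-> inspected")
```

Two things the model makes visible. Rule 1 sits above the time window, so port 25565 towards any address on that list is open at any hour for everyone; the weekend/afternoon restriction only bites for servers outside the list, and because those addresses belong to shared Google and CDN infrastructure the list drifts, which is why it is never complete. Second, the exemption list mixes bare entries (bing.com) with leading-dot entries (.minecraft.net); under the assumed semantics cdn.bing.com is still inspected while api.minecraft.net is not, so a launcher that fails on one host but not another is worth checking against the entry form before adding more domains.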

I will also use Microsoft Family settings to only allow 2h of active time every day.

Patching application connectors #copyfail

Hello

Just a reminder that, because AI is getting quicker and better at discovering Linux vulnerabilities, it is essential that your app connectors are patched as soon as possible.

1) It’s always good to limit network access to your app connectors. They only need to make outbound requests, so any inbound access rules should be limited to the minimum (e.g. from CyberArk VMs or your dedicated SSH box).

2) Review and delete any non-essential accounts to minimise the exposure to privilege escalation attacks.

3) Make sure that the Zscaler software version, the Zscaler manager software version and the OS version are all up to date.

4) Consider enabling the new Managed Software / Managed OS Updates features from Zscaler. Note that both features are still in Limited Availability.

If you have a lot of app connectors, consider automation tools like Ansible or Terraform (Captain Obvious strikes again, k’boom!)
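Points 1) and 2) are easy to state and easy to let drift. Here is an added example (not Zscaler tooling, not from the post) that audits a connector offline for both: sockets listening on a non-loopback address outside an allow-list, and accounts that still have an interactive shell. On a real host feed it the output of `ss -Hltn` and the contents of /etc/passwd; the two samples below are constructed, including every account name, and the port/account allow-lists are assumptions to be replaced with your own.

```python
"""Offline audit for points 1) and 2) above: inbound exposure and stray
shell accounts on an app connector.

Added example, not Zscaler tooling. Input is the output of `ss -Hltn`
(listening TCP sockets, no header) and /etc/passwd; the samples below are
constructed, account names included.
"""
from ipaddress import ip_address

SAMPLE_SS = """\
LISTEN 0 128   0.0.0.0:22     0.0.0.0:*
LISTEN 0 128   [::]:22        [::]:*
LISTEN 0 4096  0.0.0.0:9000   0.0.0.0:*
LISTEN 0 4096  127.0.0.1:9100 0.0.0.0:*
"""

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/usr/share/empty.sshd:/sbin/nologin
connector-svc:x:997:995:constructed service account:/var/lib/connector:/sbin/nologin
admin:x:1000:1000:break-glass admin:/home/admin:/bin/bash
olduser:x:1001:1001:left the team:/home/olduser:/bin/bash
"""

NO_LOGIN_SHELLS = {"nologin", "false", "sync", "shutdown", "halt"}


def exposed_listeners(ss_output: str, allowed_ports: set[int]) -> list[tuple[str, int]]:
    """Sockets bound to a non-loopback address on a port outside the allow-list.

    Anything returned here is reachable from the network and needs a firewall
    rule or the service removed; the connector only needs outbound connectivity.
    """
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        addr, _, port = fields[3].rpartition(":")   # "[::]:22" -> ("[::]", ":", "22")
        if not port.isdigit():
            continue                                 # header or malformed line
        addr = addr.strip("[]") or "*"
        try:
            if addr != "*" and ip_address(addr).is_loopback:
                continue                             # local-only, not exposed
        except ValueError:
            pass                                     # unknown form: report it
        if int(port) not in allowed_ports:
            findings.append((addr, int(port)))
    return findings


def shell_accounts(passwd_text: str, expected: set[str]) -> list[str]:
    """Accounts with an interactive shell that are not on the expected list."""
    unexpected = []
    for line in passwd_text.splitlines():
        parts = line.split(":")
        if len(parts) != 7:
            continue
        name, shell = parts[0], parts[6].rsplit("/", 1)[-1]
        if shell in NO_LOGIN_SHELLS or name in expected:
            continue
        unexpected.append(name)
    return unexpected


def audit(ss_output: str, passwd_text: str,
          allowed_ports: set[int], expected_accounts: set[str]) -> dict:
    """Run both checks; an empty dict means the host passes."""
    result = {}
    listeners = exposed_listeners(ss_output, allowed_ports)
    if listeners:
        result["exposed_listeners"] = listeners
    accounts = shell_accounts(passwd_text, expected_accounts)
    if accounts:
        result["unexpected_shell_accounts"] = accounts
    return result


if __name__ == "__main__":
    import json, subprocess, sys
    if "--live" in sys.argv:                         # run against this host
        ss = subprocess.run(["ss", "-Hltn"], capture_output=True, text=True).stdout
        with open("/etc/passwd") as f:
            passwd = f.read()
    else:                                            # constructed samples
        ss, passwd = SAMPLE_SS, SAMPLE_PASSWD
    findings = audit(ss, passwd, {22}, {"root", "admin"})   # assumed allow-lists
    print(json.dumps(findings, indent=2) if findings else "clean")
    sys.exit(1 if findings else 0)
```

The non-zero exit code is deliberate: drop the script into the Ansible play or CI job that patches the connectors and it turns the two review points into a gate rather than a reminder. The loopback exclusion matters on connectors that expose local metrics or health endpoints; those are fine, while the same port bound to 0.0.0.0 is a finding.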

Here’s a really nice entry on the recent Copy Fail vulnerability:

https://www.microsoft.com/en-us/security/blog/2026/05/01/cve-2026-31431-copy-fail-vulnerability-enables-linux-root-privilege-escalation/

Action Required if you use Just-in-Time provisioning for Zidentity admin users

Hello

What:
If you use JIT provisioning, go to your IdP and check that the email attribute is present in the assertion and contains the user’s email address. Then check that the mapping is correct, i.e. that it references exactly the attribute name your IdP sends.
Finally, create a new admin user in your IDP and check if that new admin can log in.

When:
By April 15th

Why:
Zscaler has deployed a fix for attribute validation during JIT provisioning.
If you use JIT and don’t verify the mapping, you may see the error “Primary Email is required” while logging in to the admin console.
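Rather than waiting for the next admin login to find out, the mapping can be checked against a captured assertion. Here is an added example (not Zscaler’s code): it parses the AttributeStatement of a SAML assertion and reports whether the attribute the Zidentity mapping reads as Primary Email is present and looks like an email address. Feed it the decoded SAMLResponse from a browser HAR or SAML-tracer capture of an admin login. The two assertions below are constructed, and the mapped attribute name "email" is an assumption about the tenant’s mapping; replace it with the name configured in Zidentity.

```python
"""Check that a SAML assertion carries the email attribute the Zidentity JIT
mapping expects.

Added example, not Zscaler's code. The assertions below are constructed; the
mapped attribute name "email" is an assumption about the tenant's mapping.
"""
import base64
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed: the IdP sends the attribute under the name the mapping expects.
GOOD_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_c0n5truct3d" Version="2.0" IssueInstant="2026-04-01T09:00:00Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="email">
      <saml:AttributeValue>jane.admin@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="firstName">
      <saml:AttributeValue>Jane</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed: same user, but the IdP names the attribute "mail" while the
# mapping still says "email"; this is the "Primary Email is required" case.
MISMATCHED_ASSERTION = GOOD_ASSERTION.replace('Name="email"', 'Name="mail"')


def saml_attributes(assertion_xml: str) -> dict[str, list[str]]:
    """Attribute name -> list of values, across every AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs: dict[str, list[str]] = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name", ""), []).extend(values)
    return attrs


def check_email_mapping(attrs: dict[str, list[str]], mapped_name: str = "email") -> tuple[bool, str]:
    """Does the assertion satisfy a mapping that reads `mapped_name` as Primary Email?"""
    values = [v for v in attrs.get(mapped_name, []) if v]
    if not values:
        # Point at the likely culprit: an email attribute under a different name
        # (e.g. "mail" or a ".../claims/emailaddress" URI).
        lookalikes = [n for n in attrs if "mail" in n.lower()]
        hint = f"; the IdP sends {lookalikes} instead" if lookalikes else ""
        return False, f"'{mapped_name}' missing{hint}: expect 'Primary Email is required'"
    if not EMAIL_RE.match(values[0]):
        return False, f"'{mapped_name}' is present but not an email address: {values[0]!r}"
    return True, f"'{mapped_name}' = {values[0]}"


def check_saml_response(b64_response: str, mapped_name: str = "email") -> tuple[bool, str]:
    """Convenience wrapper for a raw base64 SAMLResponse POST parameter."""
    xml = base64.b64decode(b64_response).decode("utf-8")
    return check_email_mapping(saml_attributes(xml), mapped_name)


if __name__ == "__main__":
    for label, xml in (("good", GOOD_ASSERTION), ("mismatched", MISMATCHED_ASSERTION)):
        ok, msg = check_email_mapping(saml_attributes(xml))
        print(f"{label:10} {'PASS' if ok else 'FAIL'}: {msg}")
```

Run it against an assertion for a freshly created admin, as the action above asks, not only for an existing one: an account that was provisioned before the fix may already carry its email in Zidentity and log in fine while a new one fails on the same mapping.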

More details:
https://trust.zscaler.com/zscaler.net/posts/28776