Vivaldi Browser and Zscaler Private Access
-
Hi all,
I’m wondering if anyone has had a similar issue, or is able to help with an issue in the way the Vivaldi browser interacts with Zscaler Private Access (https://help.zscaler.com/zpa/what-zscaler-private-access).
Background: The organisation I work for uses Zscaler Private Access (ZPA) to facilitate remote access back to its private applications and systems. ZPA could be thought of as a cloud-based, software-defined VPN. The Zscaler Client Connector application gets installed on a user’s endpoint (laptop), and this application forms a tunnel through Zscaler’s cloud network back to the Zscaler Application Connectors (similar to a VPN server) we provisioned within our private datacentre / network.
Zscaler Private Access allows us to tunnel specific traffic back through their network, such that this traffic will ‘pop out’ of the Zscaler Application Connector of our choosing.
Issue: We make use of a number of third-party SaaS applications which themselves make use of IP source restriction as a security control (i.e. the vendor's SaaS app will only allow connections from certain "trusted" IP addresses that we had previously provided them with). As many of our staff are mobile, our users’ traffic doesn’t come from a "trusted" range of public IP addresses as such, so we rely on tunneling traffic (destined for this SaaS app) through Zscaler, such that from the perspective of the SaaS app, every user's traffic appears to come from the single public IP address of our privately hosted Zscaler Application Connector.
This arrangement works perfectly for users of Chrome, Edge, or Firefox browsers.
However, those users of Vivaldi (myself included) cannot access these SaaS applications. Using Vivaldi, we get the “you're coming from an untrusted IP address” view of these SaaS apps, as our traffic was not coming from a trusted IP address (i.e. through Zscaler Private Access).
Whilst I don’t have intimate knowledge of Zscaler’s product under the hood (it’s a black box), I know that the Zscaler Client Connector Application (the app installed on a user’s computer) does some trickery with DNS resolution on the client, and inserts itself as a local authority for DNS resolution. For those applications (URLs) defined as a “Private App” in the Zscaler cloud, the Zscaler Client Connector Application knows that it must dynamically provide an IP address (to the calling client application) in the CGNAT range of 100.64.0.0/10.
Example: If I were to define www.google.com as a “Private App”, when an application on my computer running the Zscaler App does a DNS lookup for this hostname, the response will be something similar to 100.64.0.10. This way, the Zscaler App knows to tunnel such traffic through their cloud, onto the “real” destination IP address at the other end of the tunnel. (See attached screenshot for a similar example of this in action)
From what I can gather, the Vivaldi browser appears to be ignoring / discarding the IP address returned by the Zscaler Client Connector app, and may instead be using a hard-coded public DNS server to resolve the real IP address of the SaaS application? As the browser receives the ‘real’ IP address, any subsequent traffic to this IP address is not captured by Zscaler, and now routes directly to the SaaS app, from the public IP address of whatever ISP happens to be in use by the end user.
What DOES work: We can successfully use the Vivaldi browser to access those "Private Apps" with no public DNS entry. Example: if I have a privately hosted webserver, with a DNS record (in our organisation's private DNS server) of webapp01.mycompany.internal, then the Vivaldi browser happily interacts with Zscaler to tunnel this traffic, and displays the WebGUI of this private webserver (i.e. users could happily visit https://webapp01.mycompany.internal using the Vivaldi browser, and interact with this privately hosted webserver).
I'd be happy to hear any thoughts on this.
-
@baites1 Hello and Welcome to the Vivaldi Community
Vivaldi works exactly like Chrome and other Chromium-based browsers when it comes to network access. It uses whatever DNS and proxy settings are set in the OS, unless overridden explicitly through command-line arguments (for proxy) or from the Chromium base settings (for DNS).
It's important to know that for DNS resolution, in later versions of Chromium DNS-over-HTTPS is enabled by default, and it will automatically set a DoH provider depending on what it finds in the existing OS setting. For instance if you have 1.1.1.1 in your OS DNS setup, it will switch DNS to Cloudflare DoH. This can be overridden in chrome://settings/security, Use Secure DNS.
However, what often happens is that these companies make "rules" to allow/disallow certain applications based for instance on their executable name. Or they set GPO policies during installation, but again only for the recognized products. And of course these companies have no clue Vivaldi even exists...
I'm not sure how this product you're talking about works, it sounds more like a dedicated proxy than a VPN. I have to say, relying solely on DNS for VPN tunneling seems a Bad Idea, a good VPN should route all traffic through their tunnel, there should be no backdoors outside, because it's very difficult to control all traffic coming from all applications on a system. This seems to me more like a proxy than a VPN.
I suggest you make a log using: vivaldi://net-export
Examine it in the viewer and you might be able to figure out what goes on. I suspect either a GPO or that Zscaler uses hard-coded executable names for DNS override in some way.
-
Hi @Pathduck.
I can't thank you enough for supplying this information (the reference to chrome://settings/security). I was looking for something similar to the "Use Secure DNS" flag within vivaldi://settings and vivaldi://flags (but couldn't find anything), as I suspected this option could have been what's causing the issue.
Resolution: I've since turned OFF "Use Secure DNS" within chrome://settings/security, and Vivaldi is now working in line with the behaviour we see in Chrome, Edge, Firefox etc.
In regards to how Zscaler's product suite operates, I've done a poor job of explaining it. To avoid adding confusion, I summarised some aspects and omitted details of their other components (as they are largely unrelated).
Again, I genuinely appreciate the help. Those users who use Vivaldi love it, and were hating the idea of needing to use another browser just for a handful of SaaS apps that didn't appear to work with Vivaldi.
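Added example (not from this thread, not Zscaler's or Vivaldi's code) that models what the original post describes and what the Secure DNS toggle above changes: for a ZPA "Private App" hostname, the OS resolver (intercepted by the Zscaler Client Connector) hands back a synthetic address in 100.64.0.0/10, while a DoH provider returns the real public address and the traffic leaves the tunnel. The hostnames, addresses and dig output are constructed; the `browser_resolve` function is a simplified model of Chromium's automatic Secure DNS mode (DoH first, OS resolver when DoH has no answer), which is also consistent with the thread's observation that names with no public DNS record still tunnel. The dig-output parser is a small helper so the check can be run over real `dig` output from a client.

```python
"""Audit whether a DNS answer for a ZPA Private App hostname came from the
Zscaler client (synthetic CGNAT address) or from an upstream resolver such
as a public DoH provider (real address, i.e. the tunnel was bypassed).
Added example; all hostnames, addresses and dig output are constructed.
"""
import ipaddress
import re
from typing import Dict, Optional

# Per the thread, the ZPA client answers Private App lookups from this block.
ZPA_SYNTHETIC_RANGE = ipaddress.ip_network("100.64.0.0/10")

# Constructed answer tables for the two resolvers a Chromium browser may use.
# None models NXDOMAIN / no answer.
OS_RESOLVER: Dict[str, Optional[str]] = {     # intercepted by the ZPA client
    "saas.example.com": "100.64.0.10",
    "webapp01.mycompany.internal": "100.64.0.11",
}
DOH_RESOLVER: Dict[str, Optional[str]] = {    # public DoH provider, ZPA not in path
    "saas.example.com": "203.0.113.25",
    "webapp01.mycompany.internal": None,      # private name has no public record
}
PRIVATE_APPS = {"saas.example.com", "webapp01.mycompany.internal"}


def is_zpa_synthetic(ip: str) -> bool:
    """True if the address is one the ZPA client would hand out for a Private App."""
    return ipaddress.ip_address(ip) in ZPA_SYNTHETIC_RANGE


def browser_resolve(hostname: str, secure_dns: bool,
                    os_resolver: Dict[str, Optional[str]] = OS_RESOLVER,
                    doh_resolver: Dict[str, Optional[str]] = DOH_RESOLVER) -> Optional[str]:
    """Simplified model (assumption, not Chromium code) of 'automatic' Secure DNS:
    ask the DoH provider first when the setting is on, and fall back to the
    OS resolver only when DoH has no answer."""
    if secure_dns:
        answer = doh_resolver.get(hostname)
        if answer is not None:
            return answer
    return os_resolver.get(hostname)


def audit_answer(hostname: str, answer: Optional[str]) -> str:
    """Classify an answer: 'tunnelled' (synthetic ZPA address), 'bypassed'
    (real address for a Private App), 'unresolved' or 'not_private_app'."""
    if hostname not in PRIVATE_APPS:
        return "not_private_app"
    if answer is None:
        return "unresolved"
    return "tunnelled" if is_zpa_synthetic(answer) else "bypassed"


# dig prints answers as "<name>. <ttl> IN A <ip>" and the responding server
# on a ";; SERVER:" line; these patterns pull both out.
DIG_ANSWER_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+A\s+(\d+\.\d+\.\d+\.\d+)\s*$", re.M)
DIG_SERVER_RE = re.compile(r"^;; SERVER: (\S+)", re.M)


def audit_dig_output(text: str) -> dict:
    """Parse the first A record and the answering server out of dig output
    and return the audit verdict alongside them."""
    server_m = DIG_SERVER_RE.search(text)
    server = server_m.group(1) if server_m else None
    answer_m = DIG_ANSWER_RE.search(text)
    if not answer_m:
        return {"hostname": None, "answer": None, "server": server, "verdict": "unresolved"}
    hostname = answer_m.group(1).rstrip(".")
    answer = answer_m.group(2)
    return {"hostname": hostname, "answer": answer, "server": server,
            "verdict": audit_answer(hostname, answer)}


# Constructed dig output, shaped like a real answer from the local ZPA resolver.
SAMPLE_DIG = """\
;; ANSWER SECTION:
saas.example.com.\t60\tIN\tA\t100.64.0.10

;; Query time: 3 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
"""

if __name__ == "__main__":
    for host in PRIVATE_APPS:
        for secure in (True, False):
            ans = browser_resolve(host, secure_dns=secure)
            print(f"{host:30} secure_dns={secure!s:5} -> {ans!s:14} {audit_answer(host, ans)}")
    print(audit_dig_output(SAMPLE_DIG))
```

Running it shows the two halves of the thread side by side: with Secure DNS on, saas.example.com resolves to the real address and is reported as bypassed, while webapp01.mycompany.internal (no public record) still lands on the synthetic address and tunnels; with Secure DNS off, both tunnel. Feeding real dig output to `audit_dig_output` also surfaces the ";; SERVER:" line, which is the quickest way to see which resolver actually answered.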
-
@baites1 Wonderful
I kind of suspected as much, since from your screenshot you use Cloudflare.
The DNS request to CF also times out before you get an answer from Zscaler.
If you use a tool like dig it will allow you to see what server actually gives the answer.
I would also take that timeout issue up with Zscaler support, surely they can't expect customers to sit and wait for timeouts every time the browser makes a DNS request.
I suspect if you have a look in GPEdit on a client you might find policies applied to the various supported browsers, overriding DNS values.
Vivaldi actually also supports GPOs, although I suspect not updated for ever, and not actually official. Basically they are the same as for Chrome:
https://admx.help/?Category=VivaldiBrowser
I wish at my employer we were allowed to use Vivaldi, but like the BOFH says:
We are a 100% Microsoft Shop.
So good on you for allowing users to choose what browser to use and being prepared to work out the little kinks.