What to implement to make sure Cloudi-Fi captive portal is detected properly when Zscaler ZCC Agent is turned on for users devices

Introduction

Zscaler ZCC Agent's primary purpose is to ensure all employee traffic is sent through Zscaler infrastructure.

The captive portal detection mechanism relies on HTTP calls to public URLs, which are well known and intercepted by the Network Controller and redirected to the captive portal.

Zscaler ZCC Agent hides these HTTP calls to Network Controller since it encapsulates this traffic through an SSL tunnel to Zscaler.

Solution

As a workaround, we must tell Zscaler to bypass the ZCC Tunnel for this traffic type. It can be easily done by applying the following PAC File exceptions:

    var GooglePortalTest = /\/generate_204/;
    var GooglePortalAltTest = /\/gen_204/;
    if ((localHostOrDomainIs(host, "captive.apple.com")) ||
            (localHostOrDomainIs(host, "detectportal.firefox.com")) ||
            (localHostOrDomainIs(host, "www.msftconnecttest.com")) ||
            (localHostOrDomainIs(host, "connectivity-check.ubuntu.com")) ||
            (localHostOrDomainIs(host, "network-test.debian.org")) ||
            GooglePortalTest.test(url) ||
            GooglePortalAltTest.test(url) ||
            (localHostOrDomainIs(host, "www.msftncsi.com"))
        ) {
        return "DIRECT";