How to Configure Zscaler to Work with Twingate
Overview
Zscaler may intercept Twingate TLS sessions, causing the Twingate Client to fail in establishing secure channels due to invalid certificates.
Symptoms
You may encounter the following error in twingate.log
on Windows devices:
[WARN] SSL check error from host: <twingate_network>.twingate.com. SSL Certificate is not pinned![ERROR] Failed to validate controller urlSystem.Net.Http.HttpRequestException: Could not establish trust relationship for SSL/TLS channel.
Resolution
To resolve this issue, you have two options:
Option 1: Disable Zscaler
- Uninstall Zscaler or stop/disable the Zscaler service from running (simply exiting won’t suffice).
Option 2: Bypass SSL Inspection
- In the Zscaler admin console, go to Administration → IP & FQDN Groups → Destination IPv4 Groups
- Create a group for SSL inspection bypass and add
.twingate.com
to it - In Policy → Client Connector Portal → Windows, add
<tenant>.twingate.com
as an exception for VPN Gateway Bypass - Update policy on Zscaler local agent
This should allow Zscaler and Twingate to run simultaneously. For more information on configuring Zscaler, refer to the Zscaler documentation.
Last updated 2 months ago