How to Configure Zscaler to Work with Twingate

additional resources

Help Center ↗

Changelog

FAQ

Twingate Trust Center

GDPR Compliance

HIPAA Compliance

PCI Compliance

SOC 2 Report

Responsible Disclosure Policy

Overview

Zscaler may intercept Twingate TLS sessions, causing the Twingate Client to fail in establishing secure channels due to invalid certificates.

Symptoms

You may encounter the following error in twingate.log on Windows devices:

[WARN] SSL check error from host: <twingate_network>.twingate.com. SSL Certificate is not pinned!
[ERROR] Failed to validate controller url
System.Net.Http.HttpRequestException: Could not establish trust relationship for SSL/TLS channel.

Resolution

To resolve this issue, you have two options:

Option 1: Disable Zscaler

Uninstall Zscaler or stop/disable the Zscaler service from running (simply exiting won’t suffice).

Option 2: Bypass SSL Inspection

In the Zscaler admin console, go to Administration → IP & FQDN Groups → Destination IPv4 Groups
Create a group for SSL inspection bypass and add .twingate.com to it
In Policy → Client Connector Portal → Windows, add <tenant>.twingate.com as an exception for VPN Gateway Bypass
Update policy on Zscaler local agent

This should allow Zscaler and Twingate to run simultaneously. For more information on configuring Zscaler, refer to the Zscaler documentation.

Last updated 3 months ago

Home

Guides

Use Cases

VPN Replacement

Infrastructure Access

Device Security Controls

Application Gating

Homelab & Personal Use Cases

Internet Security

Compliance

Architecture

How Twingate Works

How DNS Works with Twingate

Twingate vs. VPNs

Twingate vs. Mesh VPNs

Peer-to-peer Communication

How NAT Traversal Works

Encryption in Twingate

API

Getting Started with the API

Schema

Twingate Labs ↗

managing twingate

Quick Start

Automated Deployment

Connectors

Understanding Connectors

Deploying Connectors

Best Practices

Updating Connectors

Advanced Connector Management

Resources

Remote Networks

Aliases

Usage-based Auto-lock

Ephemeral Access

Team

Users

Groups

Identity Providers

Security Policies

Policy Guides

Two-Factor Authentication

Devices

Client Application

Managed Devices

Device Administration

Services

Headless Clients

CI/CD Configuration

Analytics

Network Overview

Audit Logs

Network Traffic

User Activity

Syncing Data to AWS S3

Internet Security

DNS Filtering

DNS-over-HTTPS (DoH)

Internet Security Client Configuration

Exit Networks

Administration

Admin Console Security

Subscription Management

Managed Service Providers

Cancel Your Subscription