How to Configure Zscaler to Work with Twingate

Overview

Zscaler may intercept Twingate TLS sessions. The Twingate Client then fails to establish its secure channels because the certificates Zscaler presents in place of the controller's are not the ones the Client pins, so they are rejected as invalid.

Symptoms

You may encounter the following error in twingate.log on Windows devices:

[WARN] SSL check error from host: <twingate_network>.twingate.com. SSL Certificate is not pinned!
[ERROR] Failed to validate controller url
System.Net.Http.HttpRequestException: Could not establish trust relationship for SSL/TLS channel.

Resolution

To resolve this issue, you have two options:

Option 1: Disable Zscaler

  • Uninstall Zscaler or stop/disable the Zscaler service from running (simply exiting won’t suffice).

Option 2: Bypass SSL Inspection

  • In the Zscaler admin console, go to Administration > IP & FQDN Groups > Destination IPv4 Groups
  • Create a group for SSL inspection bypass and add .twingate.com to it
  • In Policy > Client Connector Portal > Windows, add <tenant>.twingate.com as an exception for VPN Gateway Bypass
  • Update policy on Zscaler local agent

This should allow Zscaler and Twingate to run simultaneously. For more information on configuring Zscaler, refer to the Zscaler documentation.
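The following script is an added example and is not part of this article or of the Twingate or Zscaler products. It does two things a practitioner wants when triaging this issue: it scans twingate.log text for the three symptom lines quoted above, and it connects to a Twingate controller hostname to report who issued the certificate it presents, so you can confirm after applying Option 2 that the controller is no longer being intercepted. The network name acme.twingate.com and the log sample are constructed, and it is an assumption that an interception root has "zscaler" in its issuer name; adjust proxy_markers if your deployment uses a differently named CA.

```python
import re
import socket
import ssl
import sys

# Constructed sample modelled on the twingate.log lines quoted in the article (not a real capture).
SAMPLE_LOG = """\
[INFO] Client starting
[WARN] SSL check error from host: acme.twingate.com. SSL Certificate is not pinned!
[ERROR] Failed to validate controller url
System.Net.Http.HttpRequestException: Could not establish trust relationship for SSL/TLS channel.
[INFO] Retrying
"""

# The three messages the article lists as symptoms of TLS interception.
SYMPTOM_PATTERNS = [
    re.compile(r"SSL Certificate is not pinned!"),
    re.compile(r"Failed to validate controller url"),
    re.compile(r"Could not establish trust relationship for SSL/TLS channel"),
]


def find_symptoms(log_text):
    """Return the log lines that match any of the interception symptom patterns."""
    return [
        line.rstrip()
        for line in log_text.splitlines()
        if any(p.search(line) for p in SYMPTOM_PATTERNS)
    ]


def issuer_fields(cert):
    """Flatten the 'issuer' entry of ssl.SSLSocket.getpeercert() into a plain dict.

    getpeercert() returns the issuer as a tuple of RDNs, each a tuple of (type, value) pairs.
    """
    fields = {}
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            fields[key] = value
    return fields


def looks_intercepted(cert, proxy_markers=("zscaler",)):
    """True if any issuer attribute contains a known interception-proxy marker (assumption)."""
    haystack = " ".join(v.lower() for v in issuer_fields(cert).values())
    return any(marker in haystack for marker in proxy_markers)


def check_controller(host, port=443, timeout=5.0):
    """Open a TLS session to the controller and report the issuer of the certificate it presents.

    With the Zscaler root installed in the OS trust store the handshake succeeds and the issuer
    names Zscaler; with the root absent the handshake fails verification, which is reported too.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return {"host": host, "issuer": None, "intercepted": None, "error": str(exc)}
    return {"host": host, "issuer": issuer_fields(cert), "intercepted": looks_intercepted(cert)}


if __name__ == "__main__":
    for line in find_symptoms(SAMPLE_LOG):
        print("symptom:", line)
    # Pass your own <network>.twingate.com as the first argument to run the live check.
    if len(sys.argv) > 1:
        print(check_controller(sys.argv[1]))
```

Run it with no arguments to see the symptom matching on the built-in sample, or with your network's controller hostname to see the live issuer. An "intercepted": True result after the bypass has been applied means the Zscaler policy has not yet reached the local agent (the last step of Option 2), while a verification error with no Zscaler root in the store shows the same interception from the other side.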
