cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Make firefox work nicely with Zscaler type tools for enterprise

hegsie
Making moves

When using firefox behind zscaler you get a lot of certificate problems because zscaler performs interception on the web pages, it would be nice to make it work nicely when this tool or simliar tools for enterpise are in use.

https://www.zscaler.com

4 REPLIES 4

jscher2000
Leader

Generally speaking, users and administrators have two options:

(1) Let Firefox continue to use its own certificate store, and manually import the proxy server's signing certificate into Firefox as a valid authority so that the fake certificates are treated as genuine.

For the end user, there are multiple steps that aren't well documented.* For administrators, there is a Group Policy option, but I don't know how easy it is to deploy (https://github.com/mozilla/policy-templates#certificates--install).

* Example support thread: https://support.mozilla.org/en-US/questions/1199797#answer-1064849

(2) Switch Firefox to using the system certificate store.

There is a preference for this in about:config (security.enterprise_roots.enabled) and a Group Policy (https://github.com/mozilla/policy-templates#certificates--importenterpriseroots)

Some consumer security software (e.g., Avast) inserts a policy to reduce support issues. Of course, when users see on their Settings page that their organization is controlling some of their settings, it becomes a support issue for Mozilla...

Neither of these options work with zscaler 

What error message are you getting -- please click the Advanced button and copy/paste from there.

Also, can you confirm that the ZScaler proxy certificate is in the Windows certificate store used by Edge and Chrome?

hegsie
Making moves

Actually you are correct, that setting sorts the issue, thanks for your help, confirmed on the main network and on VPN