Alteryx Designer Desktop Knowledge Base

Definitive answers from Designer Desktop experts.

Connectors and Zscaler

d_vansell
Alteryx

Troubleshooting Python-Based Connectors with Zscaler on an endpoint.

This guide is for when a user cannot connect with a Python-based connector (Anaplan, SharePoint Files, Power BI, Tableau Output, OneDrive, Salesforce Input, etc.) and is running Zscaler as their endpoint security. Zscaler is not your typical security program, but more of a reverse VPN.

Prerequisites

Errors


Also see errors from: Connection Errors with Python-based Connectors and Troubleshooting Python based Connectors on Alteryx Gallery


Procedure

These steps apply when the steps from Connection Errors with Python-based Connectors have been followed and the connection error still persists.
  • In a browser, go back to the login page for the data source related to the connector.
  • Click the lock icon next to the URL in the browser, then click Certificate. These steps may be different on different browsers.
  • On the Certification Path tab, Zscaler will show multiple certs under the root.
  • You will need to copy ALL the Zscaler certs listed under the root.
    • Typically, there are two, but depending on security, there may be more or fewer.
  • Refer to Connection Errors with Python-based Connectors for detailed steps to copy all the certs found into the cacert.pem file for the connector.
  • Now, when you run the workflow, it should connect while Zscaler is turned on.
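
One way to script the copy step above so it can be repeated each time the sub certs rotate (an added example, not Alteryx's or Zscaler's code). It assumes the Zscaler certs were exported as Base-64 (PEM) text; the function names are hypothetical, and the demo uses constructed placeholder blocks rather than real certificates.

```python
import base64, hashlib, re, shutil, ssl, tempfile
from pathlib import Path

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.DOTALL)

def fingerprints(pem_text):
    """Return {SHA-256 of DER bytes: PEM block} for every certificate in the text."""
    certs = {}
    for block in PEM_BLOCK.findall(pem_text):
        der = ssl.PEM_cert_to_DER_cert(block)
        certs[hashlib.sha256(der).hexdigest()] = block
    return certs

def merge_into_bundle(bundle_path, exported_pem_text, label="Zscaler"):
    """Append certificates missing from the bundle; return the fingerprints added."""
    bundle = Path(bundle_path)
    existing = fingerprints(bundle.read_text(encoding="utf-8"))
    new = {fp: pem for fp, pem in fingerprints(exported_pem_text).items()
           if fp not in existing}
    if new:
        shutil.copy2(bundle, str(bundle) + ".bak")  # keep the previous bundle
        with bundle.open("a", encoding="utf-8") as fh:
            for fp, pem in new.items():
                fh.write(f"\n# {label} sha256={fp}\n{pem}\n")
    return sorted(new)

def constructed_pem(payload: bytes) -> str:
    """Constructed placeholder block (not a real X.509 certificate) for the demo."""
    body = base64.encodebytes(payload).decode().strip()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----"

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        bundle = Path(tmp) / "cacert.pem"  # stand-in for the connector's cacert.pem
        bundle.write_text(constructed_pem(b"public root in bundle") + "\n")
        exported = "\n".join(constructed_pem(p) for p in
                             (b"zscaler root", b"zscaler sub cert 1"))
        print("first run added:", merge_into_bundle(bundle, exported))
        print("second run added:", merge_into_bundle(bundle, exported))  # nothing new
```

The script only appends to cacert.pem and leaves a .bak copy of the previous file, so the public roots already in the bundle stay in place. Running it twice with the same export adds nothing the second time.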

Additional information

  • If this works, then the user will need to talk with their Zscaler administrators.
  • Typically, the sub-certificates listed under the root are rotating and will change after a set time.
    • For example: the root cert stays the same, but the two listed sub certs change every two weeks on alternating weeks.
      • This would mean that the user would need to update the cacert.pem file weekly with the new cert to keep the connection.
  • One way to bypass this is to whitelist the endpoints for the connector in Zscaler.
    • You will need to run Fiddler to find the endpoint the user is using for their connection.
    • This may not be a viable resolution for all Zscaler administrators since it does leave a hole in the network, but it is the only workaround at this time. When new connectors that look to the Cert Store become available, this workaround will no longer be necessary (some are currently in Beta).
  • Zscaler is typically only installed on Endpoint machines and not on Server machines.
    • This may not be true for all environments, so the end user would need to verify with their Zscaler administrators.
    • If a workflow works with Zscaler turned off, then it will work as a scheduled workflow on a Server without Zscaler.

 

Additional Resources

Comments
d_vansell
Alteryx

Something to add: If you have Zscaler and do not want to do rotating certs, then you will want to whitelist in Zscaler the endpoints for the connector you are having issues with. This will allow the connector to connect without having to do the cert changes.