I'm currently using FortiGate firewalls and FortiEMS, which has been a real headache for us. While the FortiGates work just fine, I'm thinking about keeping them for firewalling purposes but adding **Zscaler with ZPA** for remote access. Our setup is quite hybrid, with about **75% of staff working hybrid** while the other **25% is fully remote**. One big issue we're running into is that if remote users don't connect to the VPN for a while, they run into the *"lost trust relationship to the domain"* problem. Here's my question: with ZPA, would our domain controllers still have visibility of those remote machines, or is that even needed in a hybrid environment managed by Intune? I'd love to hear from anyone who has been through this and any practical examples you might have. Thanks!
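Before deciding whether the remote clients need line of sight to a DC at all, it helps to see the concrete state behind the "trust relationship" error. The script below is an added example, not posted by anyone in this thread: it runs on the affected Windows workstation and reports whether the Netlogon secure channel is still valid, how machine-account password rotation is configured, and whether the device is Hybrid or Entra-joined. The domain-admin credential prompt in the last step is an assumption; only use the repair branch when a DC is actually reachable through the tunnel.

```powershell
# Added example (not from the thread): inspect the state behind the
# "trust relationship between this workstation and the primary domain failed"
# error on a domain-joined Windows 10/11 client.
# Run in an elevated PowerShell session on the affected workstation while
# a path to a domain controller (VPN, ZPA machine tunnel, or on-site) is up.

# 1. Is the secure channel to the domain (Netlogon) still valid?
#    Test-ComputerSecureChannel returns $true or $false and needs a reachable DC.
$channelOk = Test-ComputerSecureChannel -Verbose

# 2. How is machine-account password rotation configured on this client?
#    The workstation, not the DC, initiates the rotation via Netlogon.
#    Defaults: DisablePasswordChange = 0, MaximumPasswordAge = 30 (days).
$nl = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
[pscustomobject]@{
    SecureChannelOK       = $channelOk
    DisablePasswordChange = $nl.DisablePasswordChange
    MaximumPasswordAge    = $nl.MaximumPasswordAge
} | Format-List

# 3. Join state as the device sees it (Hybrid vs. Entra-only), parsed from dsregcmd.
#    A Hybrid-joined device shows AzureAdJoined : YES and DomainJoined : YES.
$status = dsregcmd /status
$join = @{}
foreach ($line in $status) {
    if ($line -match '^\s*(AzureAdJoined|DomainJoined|DomainName|TenantName)\s*:\s*(.+?)\s*$') {
        $join[$Matches[1]] = $Matches[2]
    }
}
[pscustomobject]$join | Format-List

# 4. If the secure channel is broken and a DC is reachable, reset the computer
#    account password in place instead of leaving and rejoining the domain.
#    Assumption: the prompted account may reset this computer object's password.
if (-not $channelOk) {
    $cred = Get-Credential -Message 'Domain account allowed to repair the secure channel'
    Test-ComputerSecureChannel -Repair -Credential $cred
}
```

If step 1 returns `$false` only while the machine is off the VPN and `$true` as soon as a DC is reachable, the secure channel itself is intact and the symptom is a reachability problem rather than a broken trust; that is the case a pre-logon machine tunnel addresses. If it stays `$false` with a DC reachable, the computer account password really has diverged and step 4 is the fix.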
5 Answers
I've been the support lead for Zscaler at my organization for several years now, and I haven’t encountered trust relationship issues either. It’s true that Zscaler can be complex, but it’s a solid choice if you’re implementing a Zero Trust framework.
I would suggest looking into Tailscale instead. Zscaler feels overly complex with all its admin portals. It might have been at the forefront, but now it seems bloated and pretty low quality. We’ve been trying a few other options and Cloudflare Zero Trust is catching our eye right now.
Yes, Zscaler Private Access has a Machine Tunnel option that can work before login to help with that issue. Switching your clients to Entra Joined instead of Hybrid Joined could also eliminate some of those dependency problems on domain controllers, especially for remote workers.
For Zscaler, you definitely still maintain visibility to remote machines. We don’t allow users to exit the client unless IT does it, and we’ve set it up so that it starts automatically on boot. For updates and apps using SCCM, make sure to include the full private IP ranges in your boundaries since they report back from home. It does take a bit to set up, but it works well in practice!
I have the same setup, and we require authentication for remote machines too. If they aren’t authenticated, conditional access will cut off their internet. It’s a pain to configure but definitely effective.
If you have enough support personnel, Zscaler can work really well for your setup. For those without the manpower, it can become a bit of a headache, but the capabilities are definitely solid if managed well.

I hear you on the management hassle with Zscaler. We trialed a few options and found that while Zscaler promises a lot, it comes with way too many interfaces to handle. We're leaning towards Cloudflare and Netbird for a cleaner experience.