MSEndpointMgr

Delivery Optimization & Zscaler – A how to guide

Following Maurice’s recent post on Delivery Optimization Troubleshooting and a thread on X, this is something I have seen time and time again, and the issue is, of course, how proxies such as Zscaler are configured. This is my first post on the MSEndpointMgr blog, and I hope you find it useful!

Background

Over the past number of weeks both Maurice and I have been chatting back and forth about the issues I had been experiencing with poor Delivery Optimization results. During that time Maurice had one key question for me, “Are you using Zscaler?”, and of course we know the answer, otherwise we wouldn’t be doing this post.

The issue that faces many Configuration Manager / Intune administrators is that when they start to embrace DO for content sharing and network optimization, it just doesn’t work, or at least doesn’t work as expected. In the vast majority of cases the reason is the network. I know, shock horror.

In this post we will walk you through how to configure Zscaler to allow DO traffic, or at the very least give you what you need to educate your network admin.

Zscaler Configuration

Start by accessing the Zscaler configuration portal and adding the required URLs:

  • Go to the Zscaler portal
  • Hover over “Administration” on the left side navigation bar
  • Click on “URL Categories”
  • Once the “URL Categories” page comes up, click on “Add URL Category”
    • Give it a name (e.g. Microsoft DO)
    • Add the URLs (look closely: these start with a dot, so you don’t need a * wildcard)
      • .dl.delivery.mp.microsoft.com
      • .emdl.ws.microsoft.com
      • .prod.do.dsp.mp.microsoft.com
      • .windowsupdate.com
    • Give it a description
    • Since we want this policy to target all of our users, leave the “Scope Type” set to Any
    • Save

Note that in my testing only the URLs mentioned above were required; however, if you wish to include the full list of URLs associated with DO and Connected Cache, these can be found on the Microsoft Learn docs – Microsoft Connected Cache content and services endpoints – Windows Deployment | Microsoft Learn.

At this point we can create our SSL Inspection bypass policy.

SSL Inspection Bypass Policy

  • Hover over “Policy” on the left side navigation bar
  • Click on “SSL Inspection”
    • Click on the “Add SSL Inspection Rule” button
      • Give it a rule name (e.g. Microsoft DO SSL Bypass)
      • Click on the “URL Categories” drop down and select the URL Category you created in the previous step (we labeled it “Microsoft DO”)
      • Scroll down and check
        • “Do Not Inspect”
        • “Bypass Other Policies”
      • Save

Saving changes

After creating our URL Category and SSL Bypass rule we have to Save and Activate our changes.

  • Hover over “Activation” on the left side navigation bar
  • Click “Activate”

Force Zscaler client to update its policy

If you are testing right after making the changes in the portal, you will need to force the client to update its policy: open the Zscaler client > More > Update Policy.
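Before looking at the workbook, a quick client-side check is useful to confirm the bypass is actually taking effect. The script below is an added example, not part of the original post or of Zscaler’s or Microsoft’s tooling: it takes the hosts the DO client is currently downloading from (assuming Get-DeliveryOptimizationStatus reports a SourceURL for active jobs), opens a TLS session to each, and reports who issued the server certificate. If the issuer still names Zscaler, that host is being inspected and the rule or URL category needs another look; it also flags hosts that fall outside the four suffixes from the URL category.

```powershell
# Domain suffixes from the URL category created earlier in the post
$doSuffixes = @(
    '.dl.delivery.mp.microsoft.com',
    '.emdl.ws.microsoft.com',
    '.prod.do.dsp.mp.microsoft.com',
    '.windowsupdate.com'
)

function Get-RemoteCertIssuer {
    param([string]$HostName)
    $tcp = $null; $ssl = $null
    try {
        $tcp = New-Object System.Net.Sockets.TcpClient($HostName, 443)
        # Accept any chain here: this is a diagnostic that only reads the issuer,
        # it does not send data and does not need to trust the certificate.
        $cb  = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        return $cert.Issuer
    } catch {
        return "ERROR: $($_.Exception.Message)"
    } finally {
        if ($ssl) { $ssl.Dispose() }
        if ($tcp) { $tcp.Dispose() }
    }
}

# Hosts the DO client is currently pulling content from (assumption: SourceURL is populated for active jobs)
$sourceHosts = Get-DeliveryOptimizationStatus |
    Where-Object { $_.SourceURL } |
    ForEach-Object { ([uri]$_.SourceURL).Host } |
    Sort-Object -Unique

foreach ($h in $sourceHosts) {
    # A leading-dot suffix covers the domain itself and any subdomain
    $inCategory = [bool]($doSuffixes | Where-Object { $h -like "*$_" -or $h -eq $_.TrimStart('.') })
    $issuer = Get-RemoteCertIssuer -HostName $h
    [pscustomobject]@{
        Host       = $h
        InCategory = $inCategory
        Issuer     = $issuer
        Inspected  = ($issuer -match 'Zscaler')   # True: the bypass rule is not being applied to this host
    }
}
```

Run it on a client with the Zscaler Client Connector active while a Windows Update or Intune app download is in progress; a row with InCategory true and Inspected true means the policy has not reached the client yet (see the Update Policy step above) or the rule is not matching.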

The Results

Seeing is believing, so let us take a look at the before and after results from the Windows Update for Business Workbook. Note that the screenshots were taken in short succession, but you can already see the peer traffic starting to grow.

Before:

After:

We can see the peer count increasing. This will take time of course, but as per the Deep Dive: Delivery Optimization Troubleshooting & Reporting – MSEndpointMgr post, figures in the 90% range can be achieved.

I hope this write up has been useful for those who have been scratching their heads about Zscaler configuration, or just need a document to reference.

Bruce Sa

Cloud Architect, dealing with all of the fun Microsoft Modern Management things. Entra, Intune, Windows365, AVD...

Maurice Daly

Maurice has been working in the IT industry for the past 20 years and is currently working in the role of Senior Cloud Architect with CloudWay. With a focus on OS deployment through SCCM/MDT, group policies, Active Directory, virtualisation and Office 365, Maurice has been a Windows Server MCSE since 2008 and was awarded Enterprise Mobility MVP in March 2017. Most recently his focus has been on automation of deployment tasks, creating and sharing PowerShell scripts and other content to help others streamline their deployment processes.
