Following Maurice’s recent post on Delivery Optimization Troubleshooting and a thread on X, this is something I have seen time and time again: the issue, of course, is how proxies such as Zscaler are configured. This is my first blog on the MSEndpointMgr blog, and I hope you find it useful!
Background
Over the past number of weeks both Maurice and I have been chatting back and forth about the issues I had been experiencing with poor Delivery Optimization results. During that time Maurice had one key question for me, “Are you using Zscaler?”, and of course we know the answer, otherwise we wouldn’t be doing this post.
The issue facing many Configuration Manager / Intune administrators is that when they start to embrace DO for content sharing and network optimization, it just doesn’t work, or at least doesn’t work as expected. In the vast majority of cases the reason is the network, I know, shock horror.
In this post we will walk you through how to configure Zscaler to allow DO traffic, or at the very least give you enough to educate your network admin.
Zscaler Configuration
Here we will start off by accessing the Zscaler configuration portal and adding the required URLs:
- Go to the Zscaler portal
- Hover over “Administration” on the left side navigation bar
- Click on “URL Categories”
- Once the “URL Categories” page comes up, click on “Add URL Category”
- Give it a name (ex: Microsoft DO)
- Add the URLs (look closely: the entries start with a dot, and you don’t need a * wildcard)
  - .dl.delivery.mp.microsoft.com
  - .emdl.ws.microsoft.com
  - .prod.do.dsp.mp.microsoft.com
  - .windowsupdate.com
- Give it a description
- Since this is a policy we want to target all of our users, we kept the “Scope Type” set to Any
- Save
Note that in my testing only the URLs mentioned above were required; however, if you wish to include the full list of URLs associated with DO and Connected Cache, these can be found on Microsoft Learn – Microsoft Connected Cache content and services endpoints – Windows Deployment | Microsoft Learn.
At this point we can create our SSL Inspection bypass policy.
SSL Inspection Bypass Policy
- Hover over “Policy” on the left side navigation bar
- Click on “SSL Inspection”
- Click on the “Add SSL Inspection Rule” button
- Give the rule a name (ex: Microsoft DO SSL Bypass)
- Click on the “URL Categories” drop down and select the URL Category you created in the previous step; we labeled it “Microsoft DO”
- Scroll down and check
  - “Do Not Inspect”
  - “Bypass Other Policies”
- Save
Saving changes
After creating our URL Category and SSL Bypass rule, we have to save and activate our changes.
- Hover over “Activation” on the left side navigation bar
- Click “Activate”
Force Zscaler client to update its policy
If you’re testing right after making the changes in the portal, you will need to force the client to update its policy: open the Zscaler client > More > Update Policy.
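To confirm the bypass is actually in effect on a client before waiting for the workbook to catch up, the following PowerShell snippet (an added example, not part of the original post) connects to a DO endpoint and reads who issued the server certificate. While Zscaler is still inspecting, the certificate is issued by the Zscaler intermediate CA rather than Microsoft’s public chain. The host names are representative hosts under the suffixes listed above and the “Zscaler” issuer match are assumptions you may need to adjust for your tenant.

```powershell
# Added example: check whether DO endpoints are still being SSL-inspected.
# Host names are assumed representative hosts under the post's URL suffixes.
$doHosts = @(
    'dl.delivery.mp.microsoft.com',
    'emdl.ws.microsoft.com',
    'geo.prod.do.dsp.mp.microsoft.com',
    'download.windowsupdate.com'
)

function Get-TlsIssuerInfo {
    param([string]$HostName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        # Accept any chain: we only want to read the presented certificate, not trust it.
        $cb  = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $cb)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Host      = $HostName
            Issuer    = $cert.Issuer
            # Assumption: the inspecting CA name contains "Zscaler"; adjust if your CA differs.
            Inspected = ($cert.Issuer -match 'Zscaler')
        }
    } finally {
        $client.Dispose()
    }
}

$results = $doHosts | ForEach-Object { Get-TlsIssuerInfo -HostName $_ }
$results | Format-Table -AutoSize

if ($results.Inspected -contains $true) {
    Write-Warning 'One or more DO endpoints are still SSL-inspected: re-check the bypass rule, activation, and the client policy update.'
}

# Once the bypass holds, the DO perf counters should start showing peer (LAN/group) bytes.
Get-DeliveryOptimizationPerfSnap | Format-List
```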
The Results
Seeing is believing, so let us take a look at the before and after results from the Windows Update for Business Workbook. Note that the screenshots were taken in short succession, but you can already see peer traffic starting to grow.
Before:
After:
We can see the peer count increasing. This will take time, of course, and as per the Deep Dive: Delivery Optimization Troubleshooting & Reporting – MSEndpointMgr post, figures in the 90% range can be achieved.
I hope this write-up has been useful for those who have been scratching their heads about Zscaler configuration, or who just need a document to reference.