Why do I see "This site cannot be reached" or "ERR_TUNNEL_CONNECTION_ERROR" during NTLM/Kerberos authentication?

Views:

This error indicates a network connectivity issue between the client and the Auth Proxy. To resolve this, you must ensure the Auth Proxy FQDN is correctly defined, resolvable, and reachable.

Procedure

Identify your Auth Proxy FQDN.
The FQDN used for NTLM/Kerberos authentication depends on your model:
- Single Gateway: The Auth Proxy FQDN is the Service Gateway FQDN.
  - Action: Ensure you have updated the Service Gateway FQDN to a valid DNS name that resolves to the Service Gateway’s IP address. Go to Service Gateway Management → <Service Gateway selected as Auth Proxy> → Configuration → Edit name.
- Multiple Gateways (Load Balancer): The Auth Proxy FQDN is the Load Balancer FQDN.
Configure the Proxy Bypass by adding the Auth Proxy FQDN to your PAC file or proxy bypass list.

The ZTSA Cloud Scanner or On-Premise Gateway may not be able to resolve or connect to the Auth Proxy FQDN if the DNS record resides on a private intranet server. Configuring a bypass forces the client to resolve and connect to the Auth Proxy directly.
Verify Connectivity:
Ensure that the client machine can resolve the Auth Proxy FQDN and reach the required port. Run the following on the client machine:
```
nslookup <auth_proxy_fqdn>
Test-NetConnection <auth_proxy_fqdn> -Port 8089
```