When SSL Inspection policy bypasses a transaction, Zscaler does not decrypt and re-sign the session. Instead, the proxy passes the TLS connection through so the browser receives the real origin-server certificate. This behavior is used for pinned applications, privacy categories, and traffic that should not be decrypted. Option C (When traffic is exempted in SSL Inspection policy rules) is correct because bypassed SSL Inspection rules preserve the server certificate in the user's browser session.
Why the other options are incorrect:
A. When traffic contains a known threat signature: Threat signatures trigger security handling such as blocking or inspection. Passing the real server certificate happens when SSL inspection is bypassed.
B. When web traffic is on custom TCP ports: Custom TCP ports affect traffic handling and forwarding. They do not automatically make Zscaler present the real origin certificate to the browser.
D. When user has connected to server in the past: Past connection history does not decide certificate presentation. The SSL Inspection policy action for the current transaction does.
Contribute your Thoughts:
Chosen Answer:
This is a voting comment (?). You can switch to a simple comment. It is better to Upvote an existing comment if you don't have anything to add.
Submit