Please note that this article is intended for technical audiences such as IT administrators.
Symptom
When trying to use aircall in a network environment with ZScaler, users are unable to get Aircall to connect.
Cause
Aircall does not support Certificate Pinning.
Solution
In addition to the normal list of our domains, subnets, and ports that need to be allowed through the firewall or endpoint security software (referenced in our KB article here), when using ZScaler we also require Certificate Pinning and SSL Inspection to be Disabled.
ZScaler Configuration:
-
Certificate Pinning: Certificate pinning involves associating a specific SSL/TLS certificate with a particular domain. When enabled, ZScaler bypasses SSL inspection for traffic encrypted with pinned certificates, ensuring that the integrity and security of these connections are preserved. This is crucial for maintaining secure communication with specific services or applications that require certificate pinning for authentication or security purposes.
-
SSL Inspection: SSL inspection, also known as SSL/TLS decryption or SSL/TLS interception, involves decrypting and inspecting encrypted traffic passing through the ZScaler network. However, in some cases, such as compliance requirements or specific application needs, SSL inspection may need to be disabled. This ensures that encrypted traffic remains opaque to ZScaler, preserving end-to-end encryption for sensitive data.
-
The documentation provided by ZScaler here provides more details.