Teams Access: bypass when using gateway rule not working (update)

Hi,

EDIT: it now no longer works for the original client either. I did not change anything in the configuration. My apps have a “bypass” rule set to “gateway” and the clients are connected using the Warp client using the Gateway. I have no idea why this is not working.

(Long story short: “bypass when connected to gateway” only works for some of the clients)

I am currently running a test with two user accounts in Cloudflare Teams. The goal is as follows:

We have an internal application accessible through a Cloudflare tunnel. Users can access the application directly if they are connected to the Teams gateway. If not, they need to log in additionally using their AzureAD credentials.

So, in Access I have set up 2 rules:

  • “Allow” rule with AzureAD login
  • “Bypass” rule with a device posture connected “gateway”

On the clients, iOS devices have the Warp (1.1.1.1) app installed. For one client this works perfectly: connected to gateway: direct access; disconnect and you get a prompt to log in.

However, the second client always gets the login prompt, even when connected to the gateway. I have no idea what could be causing this. The configuration is near identical for both users, I see the users and the devices in the dashboard, but the login screen still shows for the one user when connected to the gateway.

Any ideas on possible causes and/or what I can do to troubleshoot?

@user18074 Did you manage to fix this? I’m getting the same issue (“allow” rule with One-time OTP, “bypass” with device posture “gateway”). On Android it works fine; it does not show the login page when connected to Warp Teams. Though on Windows 10 I get the login page in all browsers (regardless of whether connected to Warp Teams or not). We use incognito windows a lot for testing, so logging in every time is not practical.
@Sheril_Nagoor Can you help?

No, I cannot get it to work.

I get the same.
Any update on this?

No, I have not received any updates on this. I’m not a paying customer, so I really don’t have any means of escalating the issue.

I did some further testing and have come to the conclusion that the rule does work, but that somehow Cloudflare Access does detect that the device is connected through the gateway.

I followed all the steps in this tutorial: Require Gateway · Cloudflare Zero Trust docs. I can see the DNS requests and the traffic in the Cloudflare Teams logs.

Not sure why this is happening, and I have only been able to test this on iOS. Maybe this is an OS limitation or a result of the manual deployment. I really don’t know what is happening here.

I have found the issue and resolved it.

For this to work you have to enable TLS Decryption in Settings > Network. Note that this requires you to install a certificate on all your clients using Warp. You will also have to create “do not inspect” rules for apps using certificate pinning.

Once I enabled the TLS Decryption, my bypass rules started working immediately.

Great!
What about only enabling the proxy gateway without TLS decryption?

No, that does not work. You need TLS decryption. I guess you can bypass everything except your application, but you would still have to install the Cloudflare certificate, I believe.

Another important UPDATE: the gateway does not (yet) support HTTP/3. So if you have an HTTP/3 enabled client, you must make sure your server does not allow this or your “gateway” rule will not work.

If you use a Cloudflare domain to access your internal applications, you can do this in the Cloudflare dashboard (not the teams dash) of your domain (called website in the dash) and go to the network settings. There you can disable HTTP/3.
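As an added diagnostic for the HTTP/3 caveat in the post above (example code written for this page, not Cloudflare's and not posted by anyone in the thread): a server tells browsers that HTTP/3 is available through the Alt-Svc response header (for example `h3=":443"; ma=86400`). The script below parses that header and reports whether a host is still advertising `h3`, so you can confirm that disabling HTTP/3 actually took effect before expecting the "gateway" bypass rule to work. The header values in `SAMPLE_HEADERS` are constructed samples; `fetch_alt_svc()` is the optional live check and the hostname you pass to it is your own.

```python
"""Check whether a server advertises HTTP/3 via the Alt-Svc response header.

Added example for the HTTP/3 caveat above; not Cloudflare's code and not from
the thread. Parsing runs offline on constructed samples; fetch_alt_svc() is an
optional live check against a host you control.
"""
import re
import urllib.request
from typing import Dict, List, Optional

# One Alt-Svc alternative: protocol-id="authority" followed by optional ;params
_ENTRY = re.compile(r'\s*([A-Za-z0-9!#$%&*+\-.^_`|~]+)="([^"]*)"((?:\s*;\s*[^;,]+)*)')

# Constructed sample header values (not captured from any real host)
SAMPLE_HEADERS: Dict[str, str] = {
    "h3-advertised": 'h3=":443"; ma=86400',
    "h3-draft-and-h2": 'h3-29=":443"; ma=2592000, h2=":443"; ma=2592000',
    "h2-only": 'h2=":443"; ma=86400',
    "cleared": "clear",
}


def _split_entries(value: str) -> List[str]:
    """Split a header value on commas that are not inside double quotes."""
    entries, buf, in_quotes = [], [], False
    for ch in value:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == "," and not in_quotes:
            entries.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    entries.append("".join(buf))
    return [e.strip() for e in entries if e.strip()]


def parse_alt_svc(value: str) -> List[Dict[str, object]]:
    """Return one dict per advertised alternative: protocol, authority, params."""
    if value.strip().lower() == "clear":
        return []  # RFC 7838: 'clear' invalidates all cached alternatives
    alternatives = []
    for entry in _split_entries(value):
        match = _ENTRY.match(entry)
        if not match:
            continue  # skip malformed entries rather than fail the whole header
        protocol, authority, raw_params = match.groups()
        params: Dict[str, str] = {}
        for param in raw_params.split(";"):
            param = param.strip()
            if not param:
                continue
            key, _, val = param.partition("=")
            params[key.strip().lower()] = val.strip()
        alternatives.append(
            {"protocol": protocol, "authority": authority, "params": params}
        )
    return alternatives


def advertises_http3(value: str) -> bool:
    """True if any alternative is HTTP/3 (final 'h3' or a draft 'h3-NN')."""
    return any(
        alt["protocol"] == "h3" or str(alt["protocol"]).startswith("h3-")
        for alt in parse_alt_svc(value)
    )


def audit(headers: Dict[str, str]) -> Dict[str, bool]:
    """Map each labelled header value to whether it still advertises HTTP/3."""
    return {name: advertises_http3(value) for name, value in headers.items()}


def fetch_alt_svc(url: str, timeout: float = 5.0) -> Optional[str]:
    """Live check: HEAD the URL and return its Alt-Svc header, or None if absent."""
    request = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(request, timeout=timeout) as response:
        return response.headers.get("Alt-Svc")


if __name__ == "__main__":
    for name, still_h3 in audit(SAMPLE_HEADERS).items():
        print(f"{name:18} HTTP/3 advertised: {still_h3}")
    # Live usage (hostname is a placeholder for your own application):
    # print(advertises_http3(fetch_alt_svc("https://app.example.internal/") or ""))
```

If `advertises_http3()` still returns True after you toggle HTTP/3 off in the domain's network settings, the change has not propagated yet or the header is being set elsewhere; browsers also cache Alt-Svc for up to `ma` seconds, so a client may keep using QUIC for a while after the server stops advertising it.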