
Cloudflare Zero Trust/One

JWA uses Cloudflare as part of its security and access toolkit. The tool goes by several names, but the ones you’ll see most often are Cloudflare Zero Trust or Cloudflare One. This platform consists of three things:

  • A lightweight client installed on your computer or device called Cloudflare WARP
  • A portal that opens when you try to access certain services called Cloudflare Access
  • A web security product that works in the background (using the Cloudflare WARP client) called Cloudflare Gateway

What it does

Cloudflare Gateway

Cloudflare Gateway is our Secure Web Gateway (SWG). In other words, it looks at the web traffic coming from our network and blocks any traffic that is malicious or against company policy. It does this at three different layers:

  • DNS layer - always on unless turned off (unless)
  • Network layer (by IP addresses)
  • HTTP layer

Cloudflare Access

Troubleshooting

HTTP 526 errors

HTTP 526 is an error that means “Invalid SSL certificate”.

Per Cloudflare’s own documentation, if you see a 526 error from Cloudflare Gateway it means one of two things:

  • An untrusted certificate is presented from the origin to Gateway (usually this means a certificate has expired)
  • The connection from Gateway to the origin is insecure (usually when your browser defaults to loading as HTTPS but the site only exists as HTTP).

If you encounter this error on a site, please file a ticket to request an exemption.

In the meantime, you can switch Cloudflare WARP to Gateway with DoH mode by clicking the cloud icon, then clicking the gear icon and selecting “Gateway with DoH”. There is also a tool in Self-Service to switch modes. Gateway with DoH still provides security against web-based threats, but doesn’t allow us to look for things in downloaded files, for example.
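To note in the ticket which of the two causes applies, the added example below (not part of Cloudflare's or JWA's tooling) probes the site directly and reports whether its certificate fails validation or it does not offer HTTPS at all. It assumes WARP is in Gateway with DoH mode so the probe reaches the origin rather than Gateway; `classify_origin` and the result labels are names made up for this example.

```python
import socket
import ssl
import sys

# Result labels are made up for this example; the first two map to the two
# causes of a Gateway 526 listed above.
CAUSES = {
    "untrusted_certificate": "origin presents a certificate that fails validation",
    "no_tls": "origin does not complete a TLS handshake (site may be HTTP only)",
    "unreachable": "nothing answered on the HTTPS port (site may be HTTP only)",
    "ok": "certificate validates from this machine; include that in the ticket",
}

def classify_origin(host, port=443, timeout=5.0):
    """Probe host:port with certificate validation and return (cause, detail)."""
    # Validation uses this machine's CA store, which may differ from Gateway's.
    ctx = ssl.create_default_context()
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return ("unreachable", str(exc))
    try:
        with raw, ctx.wrap_socket(raw, server_hostname=host) as tls:
            return ("ok", tls.version())
    except ssl.SSLCertVerificationError as exc:
        # Covers expired, self-signed, and wrong-hostname certificates.
        return ("untrusted_certificate", exc.verify_message)
    except (ssl.SSLError, OSError) as exc:
        # A plain-HTTP server answers the TLS hello with non-TLS bytes,
        # closes the connection, or never replies.
        return ("no_tls", str(exc))

if __name__ == "__main__":
    site = sys.argv[1]  # hostname of the site that returned 526
    cause, detail = classify_origin(site)
    print(f"{site}: {cause} - {CAUSES[cause]} ({detail})")
```

Run it with the hostname of the affected site as the only argument and paste the output into the exemption ticket.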

Captive portals (hotel/airport wi-fi)

Captive portals (the pre-connection screens you may see when connecting to a guest network at a hotel or in the airport) can have issues with tools like Cloudflare WARP that sit in the path of web traffic. Other times, these issues are caused by networks not liking the presence of a VPN (which is what Cloudflare essentially acts like).

Cloudflare has made a number of updates to the Cloudflare WARP application to improve compatibility with networks that use captive portals. However, you may still experience issues with certain networks. If you experience issues while trying to connect to a network with a captive portal, try these steps:

  • Disable the Cloudflare WARP client temporarily while trying to connect via the captive portal, then turn it back on once the connection is successful.
  • Switch to Gateway with DoH mode by clicking the cloud icon, then clicking the gear icon and selecting “Gateway with DoH”. There is also a tool in Self-Service to enable this.