Copilot Returns ‘Connection Reset by Peer’ Behind ZScaler Proxy: Fix

When your organization uses ZScaler as a secure web gateway or proxy, Microsoft Copilot in Microsoft 365 may fail to connect and display the error Connection reset by peer. This happens because ZScaler intercepts and inspects encrypted HTTPS traffic, and Copilot’s network stack does not trust the proxy’s TLS certificate by default. This article explains why the error occurs, provides a step-by-step fix to trust the ZScaler root certificate on Windows, and covers related network issues that can cause similar failures.

Key Takeaways: Copilot Connection Reset by Peer Behind ZScaler

  • Windows Certificate Manager > Trusted Root Certification Authorities > Certificates: Import the ZScaler root CA certificate to resolve TLS inspection failures.
  • Group Policy > Computer Configuration > Windows Settings > Security Settings > Public Key Policies: Deploy the ZScaler certificate enterprise-wide to prevent per-user import steps.
  • Copilot app or browser > Proxy settings: Verify that the system proxy is configured to use ZScaler’s proxy address and port (usually gateway.zscaler.net:9400 or a custom address).


Why ZScaler Proxy Causes the Connection Reset Error in Copilot

ZScaler operates as a forward proxy that decrypts outbound HTTPS traffic, inspects it for threats, and re-encrypts it before forwarding to the destination. When Microsoft Copilot sends a request to the Microsoft 365 backend, ZScaler presents its own TLS certificate rather than Microsoft’s original certificate. If the Windows device does not trust the ZScaler root certificate authority, the TLS handshake fails. The underlying network library in Copilot then raises the Connection reset by peer error because the secure channel is terminated prematurely.

The Role of TLS Interception in the Error

ZScaler’s TLS inspection feature requires that each client device trusts a specific root CA certificate issued by the organization. This certificate is used to sign all intercepted connections. Without this trust relationship, the Windows certificate store rejects ZScaler’s certificate, and Copilot cannot establish a secure connection to copilot.microsoft.com or api.copilot.microsoft.com. The error appears in the Copilot pane, the browser console, or the Microsoft 365 app logs as System.Net.Sockets.SocketException: Connection reset by peer.
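
To see which certificate a device is actually being handed, the following added example (not part of the original article) completes a TLS handshake with the two Copilot endpoints named above and reports the issuer, the root of the chain Windows built, and whether the Windows store trusted it. The function name is hypothetical, and the script assumes the device can open a TCP connection on port 443 that passes through the inspection path; where traffic only leaves through an explicit proxy address, this direct connection does not exercise it.

```powershell
# Added diagnostic example; hostnames are the two endpoints named in the article.
function Get-PresentedCertificate {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)

    $seen = @{}
    # Record what the peer presented and accept it so the handshake can finish.
    # No request is sent over this stream; it is closed right after the handshake.
    $record = {
        param($source, $certificate, $chain, $policyErrors)
        $seen.Cert   = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($certificate)
        $seen.Errors = $policyErrors
        if ($chain -and $chain.ChainElements.Count -gt 0) {
            $seen.Root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
        }
        $true
    }.GetNewClosure()

    $tcp = [System.Net.Sockets.TcpClient]::new()
    try {
        $tcp.Connect($HostName, $Port)
        $tls = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $record)
        $tls.AuthenticateAsClient($HostName, $null,
            [System.Security.Authentication.SslProtocols]::Tls12, $false)
        [pscustomobject]@{
            Host        = $HostName
            Subject     = $seen.Cert.Subject
            Issuer      = $seen.Cert.Issuer      # a non-Microsoft issuer means the session is intercepted
            ChainRoot   = $seen.Root
            TrustErrors = $seen.Errors           # 'None' means the Windows store accepted the chain
        }
    }
    catch {
        [pscustomobject]@{ Host = $HostName; Subject = $null; Issuer = $null; ChainRoot = $null
                           TrustErrors = "handshake failed: $($_.Exception.Message)" }
    }
    finally { $tcp.Dispose() }
}

'copilot.microsoft.com', 'api.copilot.microsoft.com' |
    ForEach-Object { Get-PresentedCertificate -HostName $_ } |
    Format-List
```

An issuer that names your organization's inspection CA together with TrustErrors of RemoteCertificateChainErrors is the missing-trust condition this article fixes; the same issuer with TrustErrors of None means the root is already trusted and the cause lies elsewhere.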

Other Network Factors That Contribute

Beyond certificate trust, ZScaler may also block or modify specific HTTP headers that Copilot requires. For example, the Authorization header for OAuth tokens can be stripped by proxy rules. Additionally, if the proxy does not support HTTP/2 or WebSocket upgrades, Copilot’s real-time features may time out and produce the same reset error. The fix described here addresses the most common root cause: missing certificate trust.

Steps to Fix Copilot Behind ZScaler by Importing the Root Certificate

This procedure installs the ZScaler root CA certificate into the Windows Trusted Root Certification Authorities store. Perform these steps on each Windows device where Copilot is used.

  1. Obtain the ZScaler root CA certificate file
    Ask your network administrator for the .cer or .crt file that ZScaler uses for TLS inspection. The file is typically named something like ZScaler_Root_CA.cer. Save it to a local folder, such as C:\Temp.
  2. Open the Windows Certificate Manager
    Press Windows key + R, type certlm.msc, and press Enter. This opens the certificate manager for the local machine. Click Yes if prompted by User Account Control.
  3. Navigate to the Trusted Root Certification Authorities store
    In the left pane, expand Trusted Root Certification Authorities. Click the Certificates folder inside it.
  4. Import the ZScaler certificate
    Right-click the Certificates folder and select All Tasks > Import. The Certificate Import Wizard opens. Click Next.
  5. Browse to the certificate file
    Click Browse, navigate to the .cer file you saved in step 1, select it, and click Open. Click Next.
  6. Select the certificate store location
    Ensure Place all certificates in the following store is selected and the store shows Trusted Root Certification Authorities. Click Next.
  7. Complete the import
    Click Finish. A dialog confirms the import was successful. Click OK. Close the Certificate Manager.
  8. Restart Copilot and the Microsoft 365 app
    Close all Microsoft 365 apps (Word, Outlook, Teams, Edge). Reopen the app where Copilot was failing. The error should no longer appear.
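
The same import can be scripted. The following added example (not part of the original article) checks the file before trusting it, because anything placed in the Trusted Root store can sign certificates for any site. The path follows step 1; the thumbprint is a placeholder for the value your network administrator gives you through a separate channel, and the function name is hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example. Path follows step 1 of the article; the thumbprint below is a
# placeholder and must be replaced with the value supplied by your administrator.
$CertPath           = 'C:\Temp\ZScaler_Root_CA.cer'
$ExpectedThumbprint = '<SHA-1 THUMBPRINT FROM YOUR NETWORK ADMINISTRATOR>'

function Test-RootCaCandidate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory)][string]$ExpectedThumbprint
    )
    $problems = @()
    # Normalise "AB CD:EF" style input to bare upper-case hex before comparing.
    $expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($Certificate.Thumbprint -ne $expected) { $problems += 'thumbprint does not match the expected value' }
    if ($Certificate.Subject -ne $Certificate.Issuer) { $problems += 'not self-signed, so not a root certificate' }
    $bc = $Certificate.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
    if (-not ($bc -and $bc.CertificateAuthority)) { $problems += 'basic constraints do not mark it as a CA' }
    $now = Get-Date
    if ($now -lt $Certificate.NotBefore -or $now -gt $Certificate.NotAfter) { $problems += 'outside its validity period' }
    $problems
}

$cert     = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CertPath)
$problems = @(Test-RootCaCandidate -Certificate $cert -ExpectedThumbprint $ExpectedThumbprint)
if ($problems.Count -gt 0) {
    throw "Refusing to import $CertPath ($($cert.Subject)): $($problems -join '; ')"
}

$storePath = "Cert:\LocalMachine\Root\$($cert.Thumbprint)"
if (Test-Path $storePath) {
    "Already trusted: $($cert.Subject)"
}
else {
    # Same store as steps 3-6: Local Machine > Trusted Root Certification Authorities.
    Import-Certificate -FilePath $CertPath -CertStoreLocation Cert:\LocalMachine\Root |
        Select-Object Subject, Thumbprint, NotAfter
}
```

Run it from an elevated PowerShell session, then restart the Microsoft 365 apps as in step 8.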

Deploy the Certificate via Group Policy for Multiple Devices

For enterprise environments, import the ZScaler root CA certificate through Group Policy so all domain-joined devices trust it automatically.

  1. Open Group Policy Management Console
    On a domain controller, run gpmc.msc. Create a new GPO or edit an existing one linked to the relevant organizational unit.
  2. Navigate to the certificate policy path
    Go to Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies.
  3. Add the certificate to Trusted Root Certification Authorities
    Right-click Trusted Root Certification Authorities in the right pane, select Import, and follow the wizard to add the ZScaler .cer file.
  4. Run gpupdate on client devices
    On each Windows device, open Command Prompt as administrator and run gpupdate /force. Restart the Microsoft 365 app and test Copilot.


If Copilot Still Shows the Connection Reset Error After Certificate Import

Copilot Returns Generic Output Instead of Tenant-Specific Data

If the certificate is trusted but Copilot still fails, check that ZScaler is not blocking the specific URLs Copilot uses. The required domains include copilot.microsoft.com, api.copilot.microsoft.com, login.microsoftonline.com, and graph.microsoft.com. Add these to the ZScaler bypass list or ensure they are allowed through the proxy policy.

Copilot Fails Only in Microsoft Teams or Outlook but Works in Edge

This indicates that the desktop app uses a different network stack than the browser. Confirm that the system proxy settings in Windows match the ZScaler proxy address. Go to Settings > Network & Internet > Proxy and verify the Address and Port fields. If using a PAC file, ensure the file resolves the Copilot endpoints correctly.

Copilot Connection Reset Occurs Intermittently

Intermittent resets often point to ZScaler session timeouts or load balancing. Ask your network team to review the ZScaler logs for TCP resets to the Copilot backend IP ranges. They may need to increase the idle timeout value or add the Microsoft 365 service tags to a bypass rule.

Copilot Connection Issues: Certificate Trust vs Proxy Bypass

Item | Certificate Trust Method | Proxy Bypass Method
Description | Import ZScaler root CA into Windows Trusted Root store | Add Copilot URLs to ZScaler bypass list so traffic is not intercepted
Impact on security | Allows TLS inspection for all traffic | Copilot traffic is not inspected by ZScaler
Implementation effort | One-time per device or via Group Policy | Requires change in ZScaler admin portal
Best for | Organizations that must inspect all outbound traffic | Organizations that trust Microsoft 365 traffic and want quick resolution

The Connection reset by peer error in Copilot behind ZScaler is almost always a certificate trust problem. Importing the ZScaler root CA into the Windows Trusted Root Certification Authorities store resolves the issue for most users. If the problem persists, verify that the proxy settings are correct and that Copilot’s required domains are not blocked. For enterprise deployments, use Group Policy to distribute the certificate automatically and add a bypass rule for Microsoft 365 endpoints as a fallback.
