Client Connector
Implementing Zscaler Client Connector in No-Default Route Environments
You can deploy Zscaler Client Connector in a no-default route environment to provide a greater level of protection for end users connecting to the internet with minimal changes to the environment. In a typical network, the default route determines how traffic is forwarded to a specific destination when a route for that destination isn't available. The default route usually points to the edge router, and eventually out to the internet.
Some companies have deployed an alternate architecture, known as a no-default route environment, in their network. In such an environment, a default route isn't propagated through the network and the only way to egress is via an edge proxy server. Proxy servers are configured with a default route and placed in an edge DMZ (a neutral zone between an organization's internal network and the internet), which allows internet egress.
In a no-default route environment, browser traffic is explicitly sent to a proxy using a PAC file that is either served through a local web server, through the proxy itself, or through the use of Web Proxy Automatic Discovery. DNS resolution of public DNS records is restricted for all devices except the proxy server. The following image shows traffic flow in an explicit proxy environment.

In these explicit proxy environments, the web browser downloads the PAC file and sends the request to access the website explicitly to the on-premises proxy. The proxy server challenges the web browser for authentication. The browser resends the request to the proxy and includes the required credentials. The proxy validates the credentials with the IdP and queries the DNS server to resolve the hostname for the website. Upon successful DNS resolution, the proxy server sends a new request to the website on the internet via the edge firewall/router. The website responds back to the proxy with the requested content and the proxy server inspects the content and sends the website content to the web browser. Internal hosts are neither allowed to resolve external DNS records nor access the internet directly without sending the request via the proxy server.

Zscaler Client Connector Traffic Flow in a Typical Environment
Prior to deploying Zscaler Client Connector in a no-default route environment, it is important to first understand how the client operates in a typical environment. The following image shows traffic flow for Zscaler Client Connector in a typical environment. It doesn't show all operations (e.g., SAML and PKI) as those operations have no bearing on this article.

In a typical environment, Zscaler Client Connector communicates with the following entities:
Operation | Entity | Communication Details |
Captive Portal Detection | Zscaler Client Connector Portal | Probe to gateway.zscaler.net Probe to gateway.[cloudname].net |
Login Start | Zscaler Client Connector Portal | API call to login.[cloudname].net |
Name Resolution | Internal DNS Servers | DNS resolution requests |
Policy Download | Zscaler Client Connector Portal Zscaler PAC Server | API call to mobile.[cloudname].net Download App Profile PAC from pac.[cloudname].net |
Service Discovery & Enrollment | Zscaler Client Connector Portal | API call to gateway.[cloudname].net API call to mobile.[cloudname].net |
Tenant Cloud Discovery | Zscaler Client Connector Portal | Probe to mobile.zscaler.net |
ZIA Authentication | Customer IdP ZIA SAML SP | SAML call to customer IdP SAML call to ZIA (SP) |
ZIA Traffic Forwarding | ZIA Public/Private Service Edge | Forwarding using Tunnel with Local Proxy, Z-Tunnel 1.0 & 2.0 |
ZPA Authentication | Customer IdP ZPA SAML SP | SAML call to customer IdP SAML call to ZPA (SP) |
ZPA Traffic Forwarding | ZPA Broker/Public/Private Service Edge | Forwarding using Microtunnel (M-Tunnel) |
Configuration Requirements for Implementing Zscaler Client Connector in a No-Default Route Environment
You can deploy Zscaler Client Connector in no-default route environments to support different kinds of traffic forwarding requirements. Zscaler Client Connector supports operation in a no-default environment on the following platforms:
- Windows
- macOS
- Linux
- iOS
- Android
- Android on ChromeOS
At a high level, you must configure the following requirements to enable Zscaler Client Connector to communicate with Zscaler cloud in a no-default route environment:
Requirement | Description |
System PAC | For initial Service Discovery, Enrollment, Authentication and Policy and PAC Download using an Explicit Proxy IP address |
Internal DNS Server Records | Spoofed Zscaler records pointing to Zscaler global virtual IP (GVIP) or an internal NAT address so Zscaler Client Connector can resolve Zscaler cloud addresses |
GRE/IPsec Tunnel | To provide connectivity to the Zscaler cloud during initial configuration of Zscaler Client Connector and traffic forwarding for ZIA and ZPA. Tunnel isn't used for traffic forwarding if a Private Service Edge is present |
ZIA Private Service Edge (optional) | You can deploy a ZIA Private Service Edge to forward traffic directly to the internet from the customer location. If Z-Tunnel 2.0 forwarding is required from on-premises, then a ZIA Private Service Edge is highly recommended |
App and Forwarding Profile Settings | You must configure App and Forwarding Profiles to support the environment with the use of Tunnel Internal Client Connector Traffic and other features |
Third-Party Proxy (optional) | You must configure explicit proxies to bypass authentication to the IdP and Zscaler cloud, must not attempt to re-resolve DNS based on Server Name Indication (SNI) and disable SSL inspection |
Zscaler Client Connector supports forwarding of different types of traffic in no-default environments. The following table includes the requirements for each type of traffic forwarded by Zscaler Client Connector. The configuration details for each scenario are covered in this article.
Scenario | ZIA Traffic Type | Zscaler Client Connector Forwarding Method | System PAC File | DNS Records | GRE/IPSec Tunnel | Third-Party Proxy | Zscaler Private/ Virtual Service Edge | Zscaler Private Access (ZPA) |
1 | HTTP/ HTTPS | Tunnel w/ Local Proxy | Required | Required | Required | Supported | Supported | Supported |
2 | TCP 80, 443 | Z-Tunnel 1.0 | Required | Required | Required | Supported | Supported | Supported |
3 | All ports/ protocols | Z-Tunnel 2.0 | Required | Required | Required* | N/A | Required | Supported |
4 | All ports/ protocols | Z-Tunnel 2.0 | Required | Required | Required** | Required | N/A | Supported |
* GRE/IPSec tunnels used for all traffic except for ZIA traffic forwarding
** GRE/IPSec tunnels used for Service Discovery, Enrollment, and initial authentication only
Common Configuration Steps for All No-Default Route Environments
The following image shows the Zscaler Client Connector traffic flow during Service Discovery, Enrollment, and Initialization in no-default route environments.

The following image shows Zscaler Client Connector using the Zscaler GVIP as an Explicit Proxy for Service Discovery, Enrollment, and Initialization in no-default route environments.

The following image shows that Zscaler Client Connector can use an internal IP as an Explicit Proxy for Service Discovery, Enrollment, and Initialization in no-default route environments. An edge device performs Destination NAT to the Zscaler GVIP.

No External Route Networks: Certain networks don't allow injection of public IP prefixes in internal routing tables. In these networks, an internal IP address can be used instead of the Zscaler GVIP with an upstream router/firewall performing Destination NAT and translating the internal address to the Zscaler GVIP. In these environments, the spoofed Zscaler DNS records must reference the internal IP instead of the Zscaler GVIP.
You must configure the following high-level steps to support Zscaler Client Connector in all no-default environments, regardless of traffic type and forwarding method. These steps allow Zscaler Client Connector to perform service discovery and enrollment when using Zscaler GVIPs.
- 1. Create GRE/IPSec tunnel configurations in ZIA and set up the tunnels from a router or firewall to the closest Zscaler data centers.
Use the following steps to create GRE/IPSec tunnel configurations in ZIA and set up the tunnels from a router or firewall to the closest Zscaler data centers:
Close - 2. Create a new location in ZIA.
Follow the steps in Configuring Locations to configure a new location in ZIA. The Enforce Authentication option must be Disabled for the newly created location.
Close - 3. Determine the Zscaler GVIP address to use as the Explicit Proxy IP address and set up routing.
Determine the Zscaler GVIP address Zscaler Client Connector connects to by selecting one from the bottom of the page at https://config.zscaler.com/[cloudname].net/cenr. For example, if your tenant is hosted in the zscalertwo cloud, use the configuration information from https://config.zscaler.com/zscalertwo.net/cenr. The Zscaler GVIP address is located at the bottom of the page. The following image shows a list of GVIPs that you can use for forwarding traffic across the GRE/IPSec tunnel. This article uses 185.46.212.88 for all configurations except when forwarding traffic to a ZIA Private Service Edge.
Create a route to forward traffic to the Zscaler GVIP via the GRE/IPSec tunnels.
Close - 4. Create required spoofed Zscaler DNS records in the internal DNS server.
Using 185.46.212.88 as the Zscaler VIP, create the following DNS Type A records in the internal DNS server.
DNS Record Record Type IP Address Example Records for ZS2 gateway.[cloudname].net A 185.46.212.88 gateway.zscalertwo.net gateway.zscaler.net A 185.46.212.88 gateway.zscaler.net login.[cloudname].net A 185.46.212.88 login.zscalertwo.net mobile.[cloudname].net A 185.46.212.88 mobile.zscalertwo.net mobile.zscaler.net A 185.46.212.88 mobile.zscaler.net pac.[cloudname].net A 185.46.212.88 pac.zscalertwo.net Certain networks don't allow injection of public IP prefixes in internal routing tables. In those scenarios, you can use an internal IP address for DNS records instead of the Zscaler GVIP with an upstream router/firewall performing Destination NAT and translating the internal address to the Zscaler GVIP.
The following table shows the DNS records when an internal IP address is used instead of a Zscaler GVIP address.
CloseDNS Record Record Type IP Address (No External Route Environments) Example Records for ZS2 gateway.zscaler.net A 10.10.10.10 gateway.zscaler.net mobile.zscaler.net A 10.10.10.10 mobile.zscaler.net gateway.[cloudname].net A 10.10.10.10 gateway.zscalertwo.net mobile.[cloudname].net A 10.10.10.10 mobile.zscalertwo.net login.[cloudname].net A 10.10.10.10 login.zscalertwo.net pac.[cloudname].net A 10.10.10.10 pac.zscalertwo.net - 5. Create a System PAC file in ZIA Admin Portal and assign the PAC URL to internal devices using GPO or WPAD.
A System PAC file is required for initial discovery, enrollment, authentication, app and forwarding profile policy and PAC file downloads. The System PAC enables Zscaler Client Connector to communicate with the Zscaler cloud in an explicit proxy mode. You can use a Zscaler GVIP address as the explicit proxy address or you can use a third-party proxy, as long as it meets the configuration requirements. After enrollment, the System PAC is no longer used by Zscaler Client Connector. Zscaler Client Connector restores the System PAC upon exit.
To create a hosted PAC file in ZIA, see About Hosted PAC Files.
The following hosted System PAC file references the Zscaler GVIP previously mentioned and is specific to the Zscaler Two cloud.
Closefunction FindProxyForURL(url, host) { var egressip = "${SRCIP}"; var privateIP = /^(0|10|127|192\.168|172\.1[6789]|172\.2[0-9]|172\.3[01]|169\.254|192\.88\.99)\.[0-9.]+$/; var resolved_ip = dnsResolve(host); // Bypass RFC-1918 and internal domain if ((shExpMatch(host, "*.internaldomain.com")) || (privateIP.test(resolved_ip))) return "DIRECT"; // Zscaler public egress subnets if ((isInNet(egressip, "58.220.95.0", "255.255.255.0")) || (isInNet(egressip, "64.215.22.0", "255.255.255.0")) || (isInNet(egressip, "87.58.64.0", "255.255.192.0")) || (isInNet(egressip, "94.188.131.0", "255.255.255.128")) || (isInNet(egressip, "94.188.139.64", "255.255.255.192")) || (isInNet(egressip, "94.188.248.64", "255.255.255.192")) || (isInNet(egressip, "98.98.26.0", "255.255.255.0")) || (isInNet(egressip, "98.98.27.0", "255.255.255.0")) || (isInNet(egressip, "98.98.28.0", "255.255.255.0")) || (isInNet(egressip, "101.2.192.0", "255.255.192.0")) || (isInNet(egressip, "104.129.192.0", "255.255.240.0")) || (isInNet(egressip, "112.137.170.0", "255.255.255.0")) || (isInNet(egressip, "124.248.141.0", "255.255.255.0")) || (isInNet(egressip, "128.177.125.0", "255.255.255.0")) || (isInNet(egressip, "136.226.0.0", "255.255.0.0")) || (isInNet(egressip, "137.83.128.0", "255.255.192.0")) || (isInNet(egressip, "140.210.152.0", "255.255.254.0")) || (isInNet(egressip, "147.161.128.0", "255.255.128.0")) || (isInNet(egressip, "154.113.23.0", "255.255.255.0")) || (isInNet(egressip, "165.225.0.0", "255.255.128.0")) || (isInNet(egressip, "165.225.192.0", "255.255.192.0")) || (isInNet(egressip, "167.103.0.0", "255.255.0.0")) || (isInNet(egressip, "170.85.0.0", "255.255.0.0")) || (isInNet(egressip, "185.46.212.0", "255.255.252.0")) || (isInNet(egressip, "194.9.96.0", "255.255.240.0")) || (isInNet(egressip, "194.9.112.0", "255.255.252.0")) || (isInNet(egressip, "194.9.116.0", "255.255.255.0")) || (isInNet(egressip, "196.23.154.64", "255.255.255.224")) || (isInNet(egressip, "196.23.154.96", "255.255.255.224")) || (isInNet(egressip, "197.98.201.0", "255.255.255.0")) || (isInNet(egressip, "197.156.241.224", "255.255.255.224")) || (isInNet(egressip, "198.14.64.0", "255.255.192.0")) || (isInNet(egressip, "199.168.148.0", "255.255.254.0")) || (isInNet(egressip, "209.55.128.0", "255.255.192.0")) || (isInNet(egressip, "209.55.192.0", "255.255.224.0")) || (isInNet(egressip, "211.144.19.0", "255.255.255.0")) || (isInNet(egressip, "220.243.154.0", "255.255.254.0")) || (isInNet(egressip, "221.122.91.0", "255.255.255.0"))) { if ((dnsDomainIs(host, "1.2.3.4")) || (shExpMatch(host, "*.zscaler.net")) || (shExpMatch(host, "*.zscalertwo.net")) || //Service Discovery, Enrollment, Login (shExpMatch(host, "mobilesupport.zscaler.com")) || //Support (shExpMatch(host, "*.zdxcloud.net")) || //ZDX (shExpMatch(host, "*.digicert.com")) || //Cert validation // Required for ZPA (shExpMatch(host, "*.prod.zpath.net")) || (shExpMatch(host, "*.private.zscaler.com")) || // Zscaler Updates (localHostOrDomainIs(host, "d32a6ru7mhaq0c.cloudfront.net")) || (localHostOrDomainIs(host, "d3l44rcogcb7iv.cloudfront.net")) || (localHostOrDomainIs(host, "dwv281inkfqg3.cloudfront.net")) || // Required for Entra IdP (shExpMatch(host, "*.msauth.net")) || (shExpMatch(host, "*.msauthimages.net")) || (shExpMatch(host, "*.msftauthimages.net")) || (localHostOrDomainIs(host, "login.microsoftonline.com")) || (localHostOrDomainIs(host, "autologon.microsoftazuread-sso.com")) || (localHostOrDomainIs(host, "login.windows.net")) || // Required for OKTA (shExpMatch(host, "*.okta.com")) || (shExpMatch(host, "*.oktacdn.com")) || (shExpMatch(host, "*.oktapreview.com"))) { return "PROXY 185.46.212.88:80"; } } return "DIRECT"; }
You can use the System PAC file for devices that are on Trusted Networks (with a GRE/IPSec tunnel) or Off Trusted Networks (remote users). The PAC file logic detects the device location using the
${SRCIP}
macro. If the device is at a location with an existing GRE/IPSec tunnel, it uses the Zscaler GVIP as the Explicit Proxy IP address in order to connect to Zscaler and if the device is on an Off Trusted Network, it communicates directly with the closest Zscaler data center.The following table shows the System PAC file code details:
ClosePAC File Code Details Notes var egressip = "${SRCIP}";
Determines the client's public IP address using the ${SRCIP} macro which is only available when the PAC file is hosted in the Zscaler cloud. if ((shExpMatch(host, "*.internaldomain.com")) || (privateIP.test(resolved_ip))) return "DIRECT";
Don't use proxy for internal domains and RFC-1918 addresses. Replace internaldomain.com
with your internal domains.// Zscaler public egress subnets if ((isInNet(egressip, "58.220.95.0", "255.255.255.0")) || (isInNet(egressip, "64.215.22.0", "255.255.255.0")) || (isInNet(egressip, "87.58.64.0", "255.255.192.0")) || (isInNet(egressip, "94.188.131.0", "255.255.255.128")) || (isInNet(egressip, "94.188.139.64", "255.255.255.192")) || (isInNet(egressip, "94.188.248.64", "255.255.255.192")) || (isInNet(egressip, "98.98.26.0", "255.255.255.0")) || (isInNet(egressip, "98.98.27.0", "255.255.255.0")) || (isInNet(egressip, "98.98.28.0", "255.255.255.0")) || (isInNet(egressip, "101.2.192.0", "255.255.192.0")) || (isInNet(egressip, "104.129.192.0", "255.255.240.0")) || (isInNet(egressip, "112.137.170.0", "255.255.255.0")) || (isInNet(egressip, "124.248.141.0", "255.255.255.0")) || (isInNet(egressip, "128.177.125.0", "255.255.255.0")) || (isInNet(egressip, "136.226.0.0", "255.255.0.0")) || (isInNet(egressip, "137.83.128.0", "255.255.192.0")) || (isInNet(egressip, "140.210.152.0", "255.255.254.0")) || (isInNet(egressip, "147.161.128.0", "255.255.128.0")) || (isInNet(egressip, "154.113.23.0", "255.255.255.0")) || (isInNet(egressip, "165.225.0.0", "255.255.128.0")) || (isInNet(egressip, "165.225.192.0", "255.255.192.0")) || (isInNet(egressip, "167.103.0.0", "255.255.0.0")) || (isInNet(egressip, "170.85.0.0", "255.255.0.0")) || (isInNet(egressip, "185.46.212.0", "255.255.252.0")) || (isInNet(egressip, "194.9.96.0", "255.255.240.0")) || (isInNet(egressip, "194.9.112.0", "255.255.252.0")) || (isInNet(egressip, "194.9.116.0", "255.255.255.0")) || (isInNet(egressip, "196.23.154.64", "255.255.255.224")) || (isInNet(egressip, "196.23.154.96", "255.255.255.224")) || (isInNet(egressip, "197.98.201.0", "255.255.255.0")) || (isInNet(egressip, "197.156.241.224", "255.255.255.224")) || (isInNet(egressip, "198.14.64.0", "255.255.192.0")) || (isInNet(egressip, "199.168.148.0", "255.255.254.0")) || (isInNet(egressip, "209.55.128.0", "255.255.192.0")) || (isInNet(egressip, "209.55.192.0", "255.255.224.0")) || (isInNet(egressip, "211.144.19.0", "255.255.255.0")) || (isInNet(egressip, "220.243.154.0", "255.255.254.0")) || (isInNet(egressip, "221.122.91.0", "255.255.255.0")))
List of Zscaler public IP addresses to detect whether Zscaler Client Connector is accessing the Zscaler cloud using a GRE/IPSec tunnel. These addresses are documented in the Zscaler Aggregate IP Address Ranges section: https://config.zscaler.com/[cloudname].net/cenr
if ((dnsDomainIs(host, "1.2.3.4")) || (shExpMatch(host, "*.zscaler.net")) ||
Special URL checked by Zscaler Client Connector to enroll using an explicit proxy, in this case the Zscaler GVIP (185.46.212.88). (shExpMatch(host, "*.zscalertwo.net")) || //Service Discovery, Enrollment, Login
Replace the wildcard domain with the one that matches the customer cloud. (shExpMatch(host, "mobilesupport.zscaler.com")) || //Support (shExpMatch(host, "*.zdxcloud.net")) || //ZDX (shExpMatch(host, "*.digicert.com")) || //Cert validation
Required for support access, Zscaler Digital Experience (ZDX) and certificate validation during discovery and enrollment. (shExpMatch(host, "*.prod.zpath.net")) || (shExpMatch(host, "*.private.zscaler.com")) ||
Required for ZPA discovery and enrollment. (localHostOrDomainIs(host, "d32a6ru7mhaq0c.cloudfront.net")) || (localHostOrDomainIs(host, "d3l44rcogcb7iv.cloudfront.net")) || (localHostOrDomainIs(host, "dwv281inkfqg3.cloudfront.net")) ||
Required for Zscaler Client Connector software and module updates during discovery and enrollment. (shExpMatch(host, "*.msauth.net")) || (shExpMatch(host, "*.msauthimages.net")) || (shExpMatch(host, "*.msftauthimages.net")) || (localHostOrDomainIs(host, "login.microsoftonline.com")) || (localHostOrDomainIs(host, "autologon.microsoftazuread-sso.com")) || (localHostOrDomainIs(host, "login.windows.net")) ||
Required for authentication during enrollment. The example shows domains required by Entra. Use domains required for your IdP. { return "PROXY 185.46.212.88:80"; }
If Zscaler Client Connector is at a no-default route location, it uses the Zscaler GVIP 185.46.212.88 as the explicit proxy address for service discovery, enrollment, authentication, and policy and pac downloads.
Instead of using the Zscaler GVIP, use the internal IP address, e.g., 10.10.10.10 for No External Route Networks.
return "DIRECT"; }
All other traffic is sent directly to the local network. - 6. Exempt IdP URLs from authentication in ZIA.
Zscaler Client Connector must be able to authenticate with the IdP in order for enrollment and policy downloads to succeed. To ensure that Zscaler Client Connector is able to authenticate, you must add the IdP URLs to the Authentication Exemptions list in ZIA.
- Follow the steps in Exempting URLs and Cloud Apps from Authentication to configure the authentication exemptions list.
The IdP URLs depend on the type of IdP in use. Consult your IdP documentation for details. The following example shows IdP URLs for Microsoft Entra ID and Okta.
- Add the IdP and other required URLs to the Exempted URLs list.
The following are example URLs for Entra ID and Okta.
CloseIdP/Service URL Entra ID login.microsoftonline.com autologon.microsoftazuread-sso.com *.windowsazure.com device.login.microsoftonline.com login.microsoft.com login.windows.net Okta *.okta.com *.oktacdn.com *.oktapreview.com ZPA *.zpath.net *.private.zscaler.com
Scenarios: Types of Traffic Forwarded by Zscaler Client Connector
- Scenario 1 - Forwarding ZIA HTTP/HTTPS Traffic Using Tunnel with Local Proxy and ZPA Traffic
The following image shows Zscaler Client Connector forwarding ZIA and ZPA traffic via the Zscaler GVIP IP.
In this scenario, after enrollment has completed, Zscaler Client Connector forwards ZIA HTTP/HTTPS using TWLP/Z-Tunnel 1.0 and ZPA traffic using M-Tunnels to the Zscaler GVIP. The Zscaler GVIP in turn forwards the traffic to ZIA and ZPA services in the Zscaler cloud. You can optionally use a third-party proxy in this scenario as long as it meets the configuration requirements and forwards the traffic through the GRE/IPSec tunnel. The steps in this scenario do not cover configuration using a third-party proxy as third-party proxies aren't required.
You must configure the following high-level steps to forward HTTP/HTTPS traffic by Zscaler Client Connector using Tunnel with Local Proxy (TWLP) in No-Default Environments.
Close- 1. Complete Common Configuration Requirements for All No-Default Route Environments
Before following the next steps, make sure the configuration requirements for all no-default route environments are met.
Close - 2. Create a Hosted Forwarding Profile PAC File for Tunnel with Local Proxy (TWLP)
Follow the steps for Using Custom PAC Files to Forward Traffic to ZIA to add a custom PAC file. Use the following PAC file.
Closefunction FindProxyForURL(url, host) {
if ((dnsDomainIs(host, "1.2.3.4")) ||
(shExpMatch(host, "*.prod.zpath.net")))
return "PROXY 185.46.212.88:80";
return "PROXY ${ZAPP_LOCAL_PROXY}";
}
See the following table for forwarding PAC file details.
ClosePAC File Code Details Notes if ((dnsDomainIs(host, "1.2.3.4")) ||
Special URL checked by Zscaler Client Connector to enroll using an Explicit proxy, in this case the Zscaler GVIP (185.46.212.88). (shExpMatch(host, "*.prod.zpath.net")))
Required for ZPA discovery and enrollment. return "PROXY 185.46.212.88:80";
If Zscaler Client Connector is at a no-default route location, it uses the Zscaler GVIP 185.46.212.88 as the explicit proxy address to complete discovery and enrollment.
Instead of using the Zscaler GVIP, use the internal IP address, e.g., 10.10.10.10 for No External Route Networks.
return "PROXY ${ZAPP_LOCAL_PROXY}";
Send all other traffic to Zscaler Client Connector. - 3. Create a Forwarding Profile to Use Tunnel with Local Proxy for On Trusted Network and Use Z-Tunnel 2.0 for Off Trusted Network
To create a forwarding profile for on-trusted and off-trusted networks:
- In the Zscaler Client Connector Portal, go to Administration > Forwarding Profile.
- Click Add Forwarding Profile.
The Add Forwarding Profile window appears. - Enter a name for the profile.
- For Predefined Trusted Networks, choose the Selected option. This allows Zscaler Client Connector to detect when it is in a no-default-route environment. To learn more about trusted networks, see Configuring Trusted Networks for Zscaler Client Connector.
- For On Trusted Network, select Tunnel with Local Proxy.
- For Proxy Action Type, select Enforce.
- Select the PAC URL Location and choose PAC URL.
- In the Custom PAC URL section, enter the PAC URL for the forwarding profile.
- For Off Trusted Network, select the forwarding mechanisms as per your organization's requirements. Zscaler supports all forwarding mechanism for off-trusted network users. The following example uses Z-Tunnel 2.0.
- For Off Trusted Network, choose Tunnel.
- For Tunnel version selection, select Z-Tunnel 2.0.
- Enable Redirect Web Traffic to Zscaler Client Connector Listening Proxy.
A PAC URL is not required for an Off-Trusted Network.
Close - 4. Create a Hosted App Profile PAC File for Tunnel with Local Proxy (TWLP)
Follow the steps for Using Custom PAC Files to Forward Traffic to ZIA to add a custom PAC file. Use the following PAC file:
Closefunction FindProxyForURL(url, host) {
var customPort = "${ZS_CUSTOM_PORT}"; // Assigned port for local region - ZS_CUSTOM_PORT
var privateIP = /^(0|10|127|192\.168|172\.1[6789]|172\.2[0-9]|172\.3[01]|169\.254|192\.88\.99)\.[0-9.]+$/;
var resolved_ip = dnsResolve(host);
var trust = /^(trust|ips).(zscaler|zscalerone|zscalertwo|zscalerthree|zsdemo|zscalergov|zscloud|zsfalcon|zdxcloud|zdxpreview).(com|net)$/;
var iam = /^.*.(zslogin|zsloginbeta|zslogindemo).net$/;
var egressip = "${SRCIP}";
// Don't send non-FQDN or private IP auths to us
if (isInNet(resolved_ip, "192.0.2.0", "255.255.255.0") || privateIP.test(resolved_ip))
return "DIRECT";
// Zscaler public egress subnets
if ((isInNet(egressip, "58.220.95.0", "255.255.255.0")) || (isInNet(egressip, "64.215.22.0", "255.255.255.0")) ||
(isInNet(egressip, "87.58.64.0", "255.255.192.0")) || (isInNet(egressip, "94.188.131.0", "255.255.255.128")) ||
(isInNet(egressip, "94.188.139.64", "255.255.255.192")) || (isInNet(egressip, "94.188.248.64", "255.255.255.192")) ||
(isInNet(egressip, "98.98.26.0", "255.255.255.0")) || (isInNet(egressip, "98.98.27.0", "255.255.255.0")) ||
(isInNet(egressip, "98.98.28.0", "255.255.255.0")) || (isInNet(egressip, "101.2.192.0", "255.255.192.0")) ||
(isInNet(egressip, "104.129.192.0", "255.255.240.0")) || (isInNet(egressip, "112.137.170.0", "255.255.255.0")) ||
(isInNet(egressip, "124.248.141.0", "255.255.255.0")) || (isInNet(egressip, "128.177.125.0", "255.255.255.0")) ||
(isInNet(egressip, "136.226.0.0", "255.255.0.0")) || (isInNet(egressip, "137.83.128.0", "255.255.192.0")) ||
(isInNet(egressip, "140.210.152.0", "255.255.254.0")) || (isInNet(egressip, "147.161.128.0", "255.255.128.0")) ||
(isInNet(egressip, "154.113.23.0", "255.255.255.0")) || (isInNet(egressip, "165.225.0.0", "255.255.128.0")) ||
(isInNet(egressip, "165.225.192.0", "255.255.192.0")) || (isInNet(egressip, "167.103.0.0", "255.255.0.0")) ||
(isInNet(egressip, "170.85.0.0", "255.255.0.0")) || (isInNet(egressip, "185.46.212.0", "255.255.252.0")) ||
(isInNet(egressip, "194.9.96.0", "255.255.240.0")) || (isInNet(egressip, "194.9.112.0", "255.255.252.0")) ||
(isInNet(egressip, "194.9.116.0", "255.255.255.0")) || (isInNet(egressip, "196.23.154.64", "255.255.255.224")) ||
(isInNet(egressip, "196.23.154.96", "255.255.255.224")) || (isInNet(egressip, "197.98.201.0", "255.255.255.0")) ||
(isInNet(egressip, "197.156.241.224", "255.255.255.224")) || (isInNet(egressip, "198.14.64.0", "255.255.192.0")) ||
(isInNet(egressip, "199.168.148.0", "255.255.254.0")) || (isInNet(egressip, "209.55.128.0", "255.255.192.0")) ||
(isInNet(egressip, "209.55.192.0", "255.255.224.0")) || (isInNet(egressip, "211.144.19.0", "255.255.255.0")) ||
(isInNet(egressip, "220.243.154.0", "255.255.254.0")) || (isInNet(egressip, "221.122.91.0", "255.255.255.0")))
return "PROXY 185.46.212.88:80";
if (trust.test(host) || iam.test(host) || /^trust.zscaler.us$/.test(host) || /^config.zscaler.com$/.test(host))
return "DIRECT";
// Bypasses for ZPA
if ((isInNet(resolved_ip, "100.64.0.0", "255.255.0.0")) || (shExpMatch(host, "*.private.zscaler.com")) || (shExpMatch(host, "*.zpath.net")))
return "DIRECT";
return "PROXY ${GATEWAY_FX}:${ZS_CUSTOM_PORT}; PROXY ${SECONDARY_GATEWAY_FX}:${ZS_CUSTOM_PORT}; DIRECT";
}
Use the following PAC file code details:
ClosePAC File Code Details Notes var egressip = "${SRCIP}";
Determines the client's public IP address using the ${SRCIP} macro which is only available when the PAC file is hosted in the Zscaler cloud. if ((shExpMatch(host, "*.internaldomain.com")) || (privateIP.test(resolved_ip))) return "DIRECT";
Don't use proxy for internal domains and RFC-1918 addresses. Replace internaldomain.com
with your internal domains.// Zscaler public egress subnets if ((isInNet(egressip, "58.220.95.0", "255.255.255.0")) || (isInNet(egressip, "64.215.22.0", "255.255.255.0")) || (isInNet(egressip, "87.58.64.0", "255.255.192.0")) || (isInNet(egressip, "94.188.131.0", "255.255.255.128")) || (isInNet(egressip, "94.188.139.64", "255.255.255.192")) || (isInNet(egressip, "94.188.248.64", "255.255.255.192")) || (isInNet(egressip, "98.98.26.0", "255.255.255.0")) || (isInNet(egressip, "98.98.27.0", "255.255.255.0")) || (isInNet(egressip, "98.98.28.0", "255.255.255.0")) || (isInNet(egressip, "101.2.192.0", "255.255.192.0")) || (isInNet(egressip, "104.129.192.0", "255.255.240.0")) || (isInNet(egressip, "112.137.170.0", "255.255.255.0")) || (isInNet(egressip, "124.248.141.0", "255.255.255.0")) || (isInNet(egressip, "128.177.125.0", "255.255.255.0")) || (isInNet(egressip, "136.226.0.0", "255.255.0.0")) || (isInNet(egressip, "137.83.128.0", "255.255.192.0")) || (isInNet(egressip, "140.210.152.0", "255.255.254.0")) || (isInNet(egressip, "147.161.128.0", "255.255.128.0")) || (isInNet(egressip, "154.113.23.0", "255.255.255.0")) || (isInNet(egressip, "165.225.0.0", "255.255.128.0")) || (isInNet(egressip, "165.225.192.0", "255.255.192.0")) || (isInNet(egressip, "167.103.0.0", "255.255.0.0")) || (isInNet(egressip, "170.85.0.0", "255.255.0.0")) || (isInNet(egressip, "185.46.212.0", "255.255.252.0")) || (isInNet(egressip, "194.9.96.0", "255.255.240.0")) || (isInNet(egressip, "194.9.112.0", "255.255.252.0")) || (isInNet(egressip, "194.9.116.0", "255.255.255.0")) || (isInNet(egressip, "196.23.154.64", "255.255.255.224")) || (isInNet(egressip, "196.23.154.96", "255.255.255.224")) || (isInNet(egressip, "197.98.201.0", "255.255.255.0")) || (isInNet(egressip, "197.156.241.224", "255.255.255.224")) || (isInNet(egressip, "198.14.64.0", "255.255.192.0")) || (isInNet(egressip, "199.168.148.0", "255.255.254.0")) || (isInNet(egressip, "209.55.128.0", "255.255.192.0")) || (isInNet(egressip, "209.55.192.0", "255.255.224.0")) || (isInNet(egressip, "211.144.19.0", "255.255.255.0")) || (isInNet(egressip, "220.243.154.0", "255.255.254.0")) || (isInNet(egressip, "221.122.91.0", "255.255.255.0"))) return "PROXY 185.46.212.88:80";
List of Zscaler public IP addresses to detect whether Zscaler Client Connector is accessing the Zscaler cloud using a GRE/IPSec tunnel. These addresses are documented in the Zscaler Aggregate IP Address Ranges section: https://config.zscaler.com/[cloudname].net/cenr
{ return "PROXY 185.46.212.88:80"; }
If Zscaler Client Connector is at a no-default route location, it uses the Zscaler GVIP 185.46.212.88 as the explicit proxy address for service discovery, enrollment, authentication, and policy and pac downloads.
Instead of using the Zscaler GVIP, use the internal IP address, e.g., 10.10.10.10 for No External Route Networks.
if (trust.test(host) || iam.test(host) || /^trust.zscaler.us$/.test(host) || /^config.zscaler.com$/.test(host)) return "DIRECT"; // Bypasses for ZPA if ((isInNet(resolved_ip, "100.64.0.0", "255.255.0.0")) || (shExpMatch(host, "*.private.zscaler.com")) || (shExpMatch(host, "*.zpath.net"))) return "DIRECT";
When Zscaler Client Connector is Off Trusted Network use this criteria to bypass Zscaler. return "PROXY ${GATEWAY_FX}:${ZS_CUSTOM_PORT}; PROXY ${SECONDARY_GATEWAY_FX}:${ZS_CUSTOM_PORT}; DIRECT"; }
Use auto-assigned data centers to connect via Z-Tunnel 2.0 when Off Trusted Network. - 5. Create an App Profile
Create an App Profile and associate it to the previously created Forwarding Profile:
- In the Zscaler Client Connector Portal, in the left-side navigation, click App Profiles and select the relevant OS. The following example uses Windows.
- Click Add Windows Policy. The Add Windows Policy window appears.
- For Forwarding Profile, choose the forwarding profile previously created.
- In the PAC and Proxy section, enter the URL in the Custom PAC URL section.
- In Proxy Configuration, enable Disable Loopback Restriction.
- Enable the Cache System Proxy. When enabled, this option restores the System PAC after the user exits Zscaler Client Connector.
- Override WPAD: (Optional) Enable this option if WPAD is in use.
- Restart WinHTTP Service: (Optional) Enable this option if WPAD is in use.
- In the Advanced section, enable Tunnel Internal Client Connector Traffic.
- 1. Complete Common Configuration Requirements for All No-Default Route Environments
- Scenario 2 - Forwarding ZIA TCP 80/443 Traffic Using Z-Tunnel 1.0 and ZPA Traffic
In this scenario, Zscaler Client Connector forwards ZIA TCP 80/443 traffic using Z-Tunnel 1.0 and ZPA traffic using M-Tunnels to the Zscaler GVIP. The Zscaler GVIP, in turn, forwards the traffic to ZIA and ZPA services in the Zscaler cloud. In this scenario, you can optionally use a third-party proxy as long as it meets the requirements and forwards the traffic through the GRE/IPSec tunnel. The following directions don't cover configuration using a third-party proxy because third-party proxies aren't required and can be deprecated in this scenario.
The following high-level steps must be configured to forward TCP 80/443 traffic by Zscaler Client Connector using Z-Tunnel 1.0 in no-default Environments.
Close- 1. Complete common configuration requirements for all no-default route environments
Ensure that all configuration requirements have been met before continuing with the following steps.
Close - 2. Create a hosted Z-Tunnel 1.0 Forwarding Profile PAC file
Follow the steps for Using Custom PAC Files to Forward Traffic to ZIA to add a custom PAC file. Use the following PAC file.
function FindProxyForURL(url, host) {
if ((dnsDomainIs(host, "1.2.3.4")) ||
(shExpMatch(host, "*.prod.zpath.net")))
return "PROXY 185.46.212.88:80";
return "PROXY ${ZAPP_LOCAL_PROXY}";
}
Refer to the following table for forwarding PAC file details.
ClosePAC File Code Details Notes if ((dnsDomainIs(host, "1.2.3.4")) ||
Special URL checked by Zscaler Client Connector to enroll using an Explicit proxy, in this case the Zscaler GVIP (185.46.212.88). (shExpMatch(host, "*.prod.zpath.net")))
Required for ZPA discovery and enrollment. return "PROXY 185.46.212.88:80";
If Zscaler Client Connector is at a no-default route location, it uses the Zscaler GVIP 185.46.212.88 as the explicit proxy address to complete discovery and enrollment.
Instead of using the Zscaler GVIP, use the internal IP address, e.g., 10.10.10.10 for No External Route Networks.
return "PROXY ${ZAPP_LOCAL_PROXY}";
Send all other traffic to Zscaler Client Connector. - 3. Create a Forwarding Profile to use Z-Tunnel 1.0 when On Trusted Network and use Z-Tunnel 2.0 when Off Trusted Network
Create a Trusted Network Criteria so Zscaler Client Connector can detect when it is on a Trusted Network (no-default route environment). Follow these steps to create forwarding profile:
- In the Zscaler Client Connector Portal, go to Administration > Forwarding Profile.
- Click Add Forwarding Profile.
The Add Forwarding Profile window appears. - Enter a name for the profile.
- For Predefined Trusted Networks, choose the Selected option. This allows Zscaler Client Connector to detect when it is in a no-default-route environment. To learn more about trusted networks, see Configuring Trusted Networks for Zscaler Client Connector.
- For On Trusted Network, select Tunnel.
- For Tunnel version selection, select Z-Tunnel 1.0.
- For Proxy Action Type, select Enforce.
- Select the PAC URL Location and choose PAC URL.
- In the Custom PAC URL section, enter the PAC URL for the forwarding profile.
- For Off Trusted Network, select the forwarding mechanisms as per your organization's requirements. Zscaler supports all forwarding mechanism for off-trusted network users. The following example uses Z-Tunnel 2.0.
- For Tunnel version selection, select Z-Tunnel 2.0.
- Enable Redirect Web Traffic to Zscaler Client Connector Listening Proxy.
A PAC URL is not required for an Off Trusted Network.
Close - 4. Create a hosted App Profile PAC file
Follow the steps for Using Custom PAC Files to Forward Traffic to ZIA to add a custom PAC file. Use the following PAC file:
Closefunction FindProxyForURL(url, host) { var customPort = "${ZS_CUSTOM_PORT}"; // Assigned port for local region - ZS_CUSTOM_PORT var privateIP = /^(0|10|127|192\.168|172\.1[6789]|172\.2[0-9]|172\.3[01]|169\.254|192\.88\.99)\.[0-9.]+$/; var resolved_ip = dnsResolve(host); var trust = /^(trust|ips).(zscaler|zscalerone|zscalertwo|zscalerthree|zsdemo|zscalergov|zscloud|zsfalcon|zdxcloud|zdxpreview).(com|net)$/; var iam = /^.*.(zslogin|zsloginbeta|zslogindemo).net$/; var egressip = "${SRCIP}"; // Don't send non-FQDN or private IP auths to us if (isInNet(resolved_ip, "192.0.2.0", "255.255.255.0") || privateIP.test(resolved_ip)) return "DIRECT"; // Zscaler public egress subnets if ((isInNet(egressip, "58.220.95.0", "255.255.255.0")) || (isInNet(egressip, "64.215.22.0", "255.255.255.0")) || (isInNet(egressip, "87.58.64.0", "255.255.192.0")) || (isInNet(egressip, "94.188.131.0", "255.255.255.128")) || (isInNet(egressip, "94.188.139.64", "255.255.255.192")) || (isInNet(egressip, "94.188.248.64", "255.255.255.192")) || (isInNet(egressip, "98.98.26.0", "255.255.255.0")) || (isInNet(egressip, "98.98.27.0", "255.255.255.0")) || (isInNet(egressip, "98.98.28.0", "255.255.255.0")) || (isInNet(egressip, "101.2.192.0", "255.255.192.0")) || (isInNet(egressip, "104.129.192.0", "255.255.240.0")) || (isInNet(egressip, "112.137.170.0", "255.255.255.0")) || (isInNet(egressip, "124.248.141.0", "255.255.255.0")) || (isInNet(egressip, "128.177.125.0", "255.255.255.0")) || (isInNet(egressip, "136.226.0.0", "255.255.0.0")) || (isInNet(egressip, "137.83.128.0", "255.255.192.0")) || (isInNet(egressip, "140.210.152.0", "255.255.254.0")) || (isInNet(egressip, "147.161.128.0", "255.255.128.0")) || (isInNet(egressip, "154.113.23.0", "255.255.255.0")) || (isInNet(egressip, "165.225.0.0", "255.255.128.0")) || (isInNet(egressip, "165.225.192.0", "255.255.192.0")) || (isInNet(egressip, "167.103.0.0", "255.255.0.0")) || (isInNet(egressip, "170.85.0.0", "255.255.0.0")) || (isInNet(egressip, "185.46.212.0", "255.255.252.0")) || (isInNet(egressip, "194.9.96.0", "255.255.240.0")) || (isInNet(egressip, "194.9.112.0", "255.255.252.0")) || (isInNet(egressip, "194.9.116.0", "255.255.255.0")) || (isInNet(egressip, "196.23.154.64", "255.255.255.224")) || (isInNet(egressip, "196.23.154.96", "255.255.255.224")) || (isInNet(egressip, "197.98.201.0", "255.255.255.0")) || (isInNet(egressip, "197.156.241.224", "255.255.255.224")) || (isInNet(egressip, "198.14.64.0", "255.255.192.0")) || (isInNet(egressip, "199.168.148.0", "255.255.254.0")) || (isInNet(egressip, "209.55.128.0", "255.255.192.0")) || (isInNet(egressip, "209.55.192.0", "255.255.224.0")) || (isInNet(egressip, "211.144.19.0", "255.255.255.0")) || (isInNet(egressip, "220.243.154.0", "255.255.254.0")) || (isInNet(egressip, "221.122.91.0", "255.255.255.0"))) return "PROXY 185.46.212.88:80"; if (trust.test(host) || iam.test(host) || /^trust.zscaler.us$/.test(host) || /^config.zscaler.com$/.test(host)) return "DIRECT"; // Bypasses for ZPA if ((isInNet(resolved_ip, "100.64.0.0", "255.255.0.0")) || (shExpMatch(host, "*.private.zscaler.com")) || (shExpMatch(host, "*.zpath.net"))) return "DIRECT"; return "PROXY ${GATEWAY_FX}:${ZS_CUSTOM_PORT}; PROXY ${SECONDARY_GATEWAY_FX}:${ZS_CUSTOM_PORT}; DIRECT"; }
Refer to the following table for forwarding PAC file details.
ClosePAC File Code Details Notes var egressip = "${SRCIP}";
Determines the client's public IP address using the ${SRCIP} macro which is only available when the PAC file is hosted in the Zscaler cloud. if ((shExpMatch(host, "*.internaldomain.com")) || (privateIP.test(resolved_ip))) return "DIRECT";
Don't use proxy for internal domains and RFC-1918 addresses. Replace internaldomain.com
with your internal domains.// Zscaler public egress subnets if ((isInNet(egressip, "58.220.95.0", "255.255.255.0")) || (isInNet(egressip, "64.215.22.0", "255.255.255.0")) || (isInNet(egressip, "87.58.64.0", "255.255.192.0")) || (isInNet(egressip, "94.188.131.0", "255.255.255.128")) || (isInNet(egressip, "94.188.139.64", "255.255.255.192")) || (isInNet(egressip, "94.188.248.64", "255.255.255.192")) || (isInNet(egressip, "98.98.26.0", "255.255.255.0")) || (isInNet(egressip, "98.98.27.0", "255.255.255.0")) || (isInNet(egressip, "98.98.28.0", "255.255.255.0")) || (isInNet(egressip, "101.2.192.0", "255.255.192.0")) || (isInNet(egressip, "104.129.192.0", "255.255.240.0")) || (isInNet(egressip, "112.137.170.0", "255.255.255.0")) || (isInNet(egressip, "124.248.141.0", "255.255.255.0")) || (isInNet(egressip, "128.177.125.0", "255.255.255.0")) || (isInNet(egressip, "136.226.0.0", "255.255.0.0")) || (isInNet(egressip, "137.83.128.0", "255.255.192.0")) || (isInNet(egressip, "140.210.152.0", "255.255.254.0")) || (isInNet(egressip, "147.161.128.0", "255.255.128.0")) || (isInNet(egressip, "154.113.23.0", "255.255.255.0")) || (isInNet(egressip, "165.225.0.0", "255.255.128.0")) || (isInNet(egressip, "165.225.192.0", "255.255.192.0")) || (isInNet(egressip, "167.103.0.0", "255.255.0.0")) || (isInNet(egressip, "170.85.0.0", "255.255.0.0")) || (isInNet(egressip, "185.46.212.0", "255.255.252.0")) || (isInNet(egressip, "194.9.96.0", "255.255.240.0")) || (isInNet(egressip, "194.9.112.0", "255.255.252.0")) || (isInNet(egressip, "194.9.116.0", "255.255.255.0")) || (isInNet(egressip, "196.23.154.64", "255.255.255.224")) || (isInNet(egressip, "196.23.154.96", "255.255.255.224")) || (isInNet(egressip, "197.98.201.0", "255.255.255.0")) || (isInNet(egressip, "197.156.241.224", "255.255.255.224")) || (isInNet(egressip, "198.14.64.0", "255.255.192.0")) || (isInNet(egressip, "199.168.148.0", "255.255.254.0")) || (isInNet(egressip, "209.55.128.0", "255.255.192.0")) || (isInNet(egressip, "209.55.192.0", "255.255.224.0")) || (isInNet(egressip, "211.144.19.0", "255.255.255.0")) || (isInNet(egressip, "220.243.154.0", "255.255.254.0")) || (isInNet(egressip, "221.122.91.0", "255.255.255.0"))) return "PROXY 185.46.212.88:80";
List of Zscaler public IP addresses to detect whether Zscaler Client Connector is accessing the Zscaler cloud using a GRE/IPSec tunnel. These addresses are documented in the Zscaler Aggregate IP Address Ranges section: https://config.zscaler.com/[cloudname].net/cenr
{ return "PROXY 185.46.212.88:80"; }
If Zscaler Client Connector is at a no-default route location, it uses the Zscaler GVIP 185.46.212.88 as the explicit proxy address for service discovery, enrollment, authentication, and policy and pac downloads.
Instead of using the Zscaler GVIP, use the internal IP address, e.g, . 10.10.10.10 for No External Route Networks.
if (trust.test(host) || iam.test(host) || /^trust.zscaler.us$/.test(host) || /^config.zscaler.com$/.test(host)) return "DIRECT"; // Bypasses for ZPA if ((isInNet(resolved_ip, "100.64.0.0", "255.255.0.0")) || (shExpMatch(host, "*.private.zscaler.com")) || (shExpMatch(host, "*.zpath.net"))) return "DIRECT";
When Zscaler Client Connector is Off Trusted Network, use this criteria to bypass Zscaler. return "PROXY ${GATEWAY_FX}:${ZS_CUSTOM_PORT}; PROXY ${SECONDARY_GATEWAY_FX}:${ZS_CUSTOM_PORT}; DIRECT"; }
Use auto-assigned data centers to connect via Z-Tunnel 2.0 when Off Trusted Network. - 5. Create an App Profile
Create an App Profile and associate it to the previously created Forwarding Profile:
- In the Zscaler Client Connector Portal, on the left-side navigation, click App Profiles and select the relevant OS. The following example uses Windows.
- Click Add Windows Policy. The Add Windows Policy window appears.
- For Forwarding Profile, choose the forwarding profile created previously created.
- In the PAC and Proxy section, enter the URL in the Custom PAC URL section.
- In Proxy Configuration, enable Disable Loopback Restriction.
- Enable the Cache System Proxy option. When enabled, this option restores the System PAC after the user exits Zscaler Client Connector.
- Override WPAD: (Optional) Enable this option if WPAD is in use.
- Restart WinHTTP Service: (Optional) Enable this option if WPAD is in use.
- In the Advanced section, enable Tunnel Internal Client Connector Traffic.
- 1. Complete common configuration requirements for all no-default route environments
- Scenario 3 - Forwarding ZIA Traffic on All Ports and Protocols Using Z-Tunnel 2.0 via On-Premises ZIA Private Service Edge and ZPA Traffic
In this scenario, Zscaler Client Connector forwards ZIA traffic across all ports and protocols using Z-Tunnel 2.0 via the ZIA Private Service Edge. ZPA M-Tunnels and authentication traffic are forwarded using the Zscaler GVIP. The Zscaler GVIP, in turn, forwards the traffic to ZPA services in the Zscaler cloud. In this scenario, the ZIA location associated with the ZIA Private Service Edge cluster has Force Authentication enabled to ensure that the Private Service Edge doesn't operate as an open proxy.
You must configure the following high-level steps to forward traffic on all ports/protocols by Zscaler Client Connector using Z-Tunnel 2.0 in no-default Environments.
Close- 1. Complete Common Configuration Requirements for All no-default Route Environments
Ensure that all configuration requirements have been met before continuing with the following steps.
Close - 2. Create a Hosted Forwarding Profile PAC File
Follow the steps for Using Custom PAC Files to Forward Traffic to ZIA to add a custom PAC file. Use the following PAC file:
Closefunction FindProxyForURL(url, host) {
var resolved_ip = dnsResolve(host);
if ((dnsDomainIs(host, "1.2.3.4")) || (shExpMatch(host, "*.zscaler.net")) ||
(shExpMatch(host, "*.zscalertwo.net")) || //Service Discovery, Enrollment, Login
(shExpMatch(host, "mobilesupport.zscaler.com")) || //Support
(shExpMatch(host, "*.zdxcloud.net")) || //ZDX
(shExpMatch(host, "*.digicert.com")) || //Cert validation
// Zscaler Updates
(localHostOrDomainIs(host, "d32a6ru7mhaq0c.cloudfront.net")) || (localHostOrDomainIs(host, "d3l44rcogcb7iv.cloudfront.net")) ||
(localHostOrDomainIs(host, "dwv281inkfqg3.cloudfront.net")) ||
// Required for Entra IdP
(shExpMatch(host, "*.msauth.net")) || (shExpMatch(host, "*.msauthimages.net")) ||
(shExpMatch(host, "*.msftauthimages.net")) || (localHostOrDomainIs(host, "login.microsoftonline.com")) ||
(localHostOrDomainIs(host, "autologon.microsoftazuread-sso.com")) || (localHostOrDomainIs(host, "login.windows.net")))
{
return "PROXY 185.46.212.88:80";
}
/* Forward to Client Connector */
return "DIRECT";
}
Refer to the following table for forwarding PAC file details.
ClosePAC File Code Details Notes if ((dnsDomainIs(host, "1.2.3.4")) || (shExpMatch(host, "*.zscaler.net")) ||
Special URL checked by Zscaler Client Connector to enroll using an Explicit proxy, in this case the Zscaler GVIP (185.46.212.88). (shExpMatch(host, "*
.zscalertwo.net
")) || //Service Discovery, Enrollment, Login
Replace the wildcard domain with the one that matches the cloud. (shExpMatch(host, "mobilesupport.zscaler.com")) || //Support
(shExpMatch(host, "*.zdxcloud.net")) || //ZDX
(shExpMatch(host, "*.digicert.com")) || //Cert validation
Required for Support access, Zscaler Digital Experience (ZDX), and certificate validation during discovery and enrollment. (localHostOrDomainIs(host, "d32a6ru7mhaq0c.cloudfront.net")) || (localHostOrDomainIs(host, "d3l44rcogcb7iv.cloudfront.net")) ||
(localHostOrDomainIs(host, "dwv281inkfqg3.cloudfront.net")) ||
Required for Zscaler Client Connector software and module updates during discovery and enrollment. (shExpMatch(host, "*
.msauth.net
")) || (shExpMatch(host, "*
.msauthimages.net
")) ||
(shExpMatch(host, "*
.msftauthimages.net
")) || (localHostOrDomainIs(host, "
login.microsoftonline.com
")) ||
(localHostOrDomainIs(host, "
autologon.microsoftazuread-sso.com
")) || (localHostOrDomainIs(host, "
login.windows.net
")) ||
Required for authentication during enrollment. The example shows domains required by Entra. Use domains required for your IdP. return "PROXY 185.46.212.88:80";
If Zscaler Client Connector is at a no-default route location, it uses the Zscaler GVIP 185.46.212.88 as the explicit proxy address to complete discovery and enrollment.
Instead of using the Zscaler GVIP, use the internal IP address, e.g., 10.10.10.10 for No External Route Networks.
return "DIRECT";
}
All other traffic is sent to Zscaler Client Connector. - 3. Create a Forwarding Profile to Use Z-Tunnel 2.0 Forwarding for Both Trusted Network (no-default Route Network) and Off Trusted Network
Create a Trusted Network Criteria so Zscaler Client Connector can detect when it is on a Trusted Network (no-default route environment). Follow these steps to create a forwarding profile:
- In the Zscaler Client Connector Portal, go to Administration > Forwarding Profile.
- Click Add Forwarding Profile.
The Add Forwarding Profile window appears. - Enter a name for the profile.
- For Predefined Trusted Networks, choose the Selected option. This allows Zscaler Client Connector to detect when it is in a no-default route environment. To learn more about trusted networks, see Configuring Trusted Networks for Zscaler Client Connector.
- For On Trusted Network, select Tunnel.
- For Tunnel version selection, select Z-Tunnel 2.0.
- Disable Redirect Web Traffic to Zscaler Client Connector Listening Proxy and Use Z-Tunnel 2.0 for Proxied Web Traffic.
- For Proxy Action Type, select Apply on Trusted Network Type Change.
- Select the PAC URL Location and choose PAC URL.
- In the Custom PAC URL section, enter the PAC URL for the forwarding profile.
- For Off Trusted Network, select the forwarding mechanisms as per your organization's requirements. Zscaler supports all forwarding mechanism for off-trusted network users. The following example uses Tunnel.
- For Tunnel version selection, select Z-Tunnel 2.0.
- Enable Redirect Web Traffic to Zscaler Client Connector Listening Proxy.
A PAC URL is not required for an Off Trusted Network.
Close - 4. Create a Hosted App Profile PAC File
Follow the steps for Using Custom PAC Files to Forward Traffic to ZIA to add a custom PAC file. Use the following PAC file:
function FindProxyForURL(url, host) { var customPort = "${ZS_CUSTOM_PORT}"; // Assigned port for local region - ZS_CUSTOM_PORT var egressip = "${SRCIP}"; // Zscaler public egress subnets if ((isInNet(egressip, "58.220.95.0", "255.255.255.0")) || (isInNet(egressip, "64.215.22.0", "255.255.255.0")) || (isInNet(egressip, "87.58.64.0", "255.255.192.0")) || (isInNet(egressip, "94.188.131.0", "255.255.255.128")) || (isInNet(egressip, "94.188.139.64", "255.255.255.192")) || (isInNet(egressip, "94.188.248.64", "255.255.255.192")) || (isInNet(egressip, "98.98.26.0", "255.255.255.0")) || (isInNet(egressip, "98.98.27.0", "255.255.255.0")) || (isInNet(egressip, "98.98.28.0", "255.255.255.0")) || (isInNet(egressip, "101.2.192.0", "255.255.192.0")) || (isInNet(egressip, "104.129.192.0", "255.255.240.0")) || (isInNet(egressip, "112.137.170.0", "255.255.255.0")) || (isInNet(egressip, "124.248.141.0", "255.255.255.0")) || (isInNet(egressip, "128.177.125.0", "255.255.255.0")) || (isInNet(egressip, "136.226.0.0", "255.255.0.0")) || (isInNet(egressip, "137.83.128.0", "255.255.192.0")) || (isInNet(egressip, "140.210.152.0", "255.255.254.0")) || (isInNet(egressip, "147.161.128.0", "255.255.128.0")) || (isInNet(egressip, "154.113.23.0", "255.255.255.0")) || (isInNet(egressip, "165.225.0.0", "255.255.128.0")) || (isInNet(egressip, "165.225.192.0", "255.255.192.0")) || (isInNet(egressip, "167.103.0.0", "255.255.0.0")) || (isInNet(egressip, "170.85.0.0", "255.255.0.0")) || (isInNet(egressip, "185.46.212.0", "255.255.252.0")) || (isInNet(egressip, "194.9.96.0", "255.255.240.0")) || (isInNet(egressip, "194.9.112.0", "255.255.252.0")) || (isInNet(egressip, "194.9.116.0", "255.255.255.0")) || (isInNet(egressip, "196.23.154.64", "255.255.255.224")) || (isInNet(egressip, "196.23.154.96", "255.255.255.224")) || (isInNet(egressip, "197.98.201.0", "255.255.255.0")) || (isInNet(egressip, "197.156.241.224", "255.255.255.224")) || (isInNet(egressip, "198.14.64.0", "255.255.192.0")) || (isInNet(egressip, "199.168.148.0", "255.255.254.0")) || (isInNet(egressip, "209.55.128.0", "255.255.192.0")) || (isInNet(egressip, "209.55.192.0", "255.255.224.0")) || (isInNet(egressip, "211.144.19.0", "255.255.255.0")) || (isInNet(egressip, "220.243.154.0", "255.255.254.0")) || (isInNet(egressip, "221.122.91.0", "255.255.255.0"))) return "PROXY 10.10.10.50"; return "PROXY ${GATEWAY_FX}:${ZS_CUSTOM_PORT}; PROXY ${SECONDARY_GATEWAY_FX}:${ZS_CUSTOM_PORT}; DIRECT"; }
ClosePAC File Code Details Notes var egressip = "${SRCIP}";
Determines the client's public IP address using the ${SRCIP} macro which is only available when the PAC file is hosted in the Zscaler cloud. // Zscaler public egress subnets if ((isInNet(egressip, "58.220.95.0", "255.255.255.0")) || (isInNet(egressip, "64.215.22.0", "255.255.255.0")) || (isInNet(egressip, "87.58.64.0", "255.255.192.0")) || (isInNet(egressip, "94.188.131.0", "255.255.255.128")) || (isInNet(egressip, "94.188.139.64", "255.255.255.192")) || (isInNet(egressip, "94.188.248.64", "255.255.255.192")) || (isInNet(egressip, "98.98.26.0", "255.255.255.0")) || (isInNet(egressip, "98.98.27.0", "255.255.255.0")) || (isInNet(egressip, "98.98.28.0", "255.255.255.0")) || (isInNet(egressip, "101.2.192.0", "255.255.192.0")) || (isInNet(egressip, "104.129.192.0", "255.255.240.0")) || (isInNet(egressip, "112.137.170.0", "255.255.255.0")) || (isInNet(egressip, "124.248.141.0", "255.255.255.0")) || (isInNet(egressip, "128.177.125.0", "255.255.255.0")) || (isInNet(egressip, "136.226.0.0", "255.255.0.0")) || (isInNet(egressip, "137.83.128.0", "255.255.192.0")) || (isInNet(egressip, "140.210.152.0", "255.255.254.0")) || (isInNet(egressip, "147.161.128.0", "255.255.128.0")) || (isInNet(egressip, "154.113.23.0", "255.255.255.0")) || (isInNet(egressip, "165.225.0.0", "255.255.128.0")) || (isInNet(egressip, "165.225.192.0", "255.255.192.0")) || (isInNet(egressip, "167.103.0.0", "255.255.0.0")) || (isInNet(egressip, "170.85.0.0", "255.255.0.0")) || (isInNet(egressip, "185.46.212.0", "255.255.252.0")) || (isInNet(egressip, "194.9.96.0", "255.255.240.0")) || (isInNet(egressip, "194.9.112.0", "255.255.252.0")) || (isInNet(egressip, "194.9.116.0", "255.255.255.0")) || (isInNet(egressip, "196.23.154.64", "255.255.255.224")) || (isInNet(egressip, "196.23.154.96", "255.255.255.224")) || (isInNet(egressip, "197.98.201.0", "255.255.255.0")) || (isInNet(egressip, "197.156.241.224", "255.255.255.224")) || (isInNet(egressip, "198.14.64.0", "255.255.192.0")) || (isInNet(egressip, "199.168.148.0", "255.255.254.0")) || (isInNet(egressip, "209.55.128.0", "255.255.192.0")) || (isInNet(egressip, "209.55.192.0", "255.255.224.0")) || (isInNet(egressip, "211.144.19.0", "255.255.255.0")) || (isInNet(egressip, "220.243.154.0", "255.255.254.0")) || (isInNet(egressip, "221.122.91.0", "255.255.255.0"))) return "PROXY 10.10.10.50:80";
List of Zscaler public IP addresses to detect whether Zscaler Client Connector is accessing the Zscaler cloud using a GRE/IPSec tunnel. These addresses are documented in the Zscaler Aggregate IP Address Ranges section: https://config.zscaler.com/[cloudname].net/cenr
If Zscaler Client Connector is at a no-default route location with a GRE/IPSec tunnel, then connect to the ZIA Private Service Edge VIP address at
10.10.10.50
.return "PROXY ${GATEWAY_FX}:${ZS_CUSTOM_PORT}; PROXY ${SECONDARY_GATEWAY_FX}:${ZS_CUSTOM_PORT}; DIRECT"; }
Use auto-assigned data centers to connect via Z-Tunnel 2.0 when Off Trusted Network. - 5. Create an App Profile
Create an App Profile and associate the previously created Forwarding Profile with it.
- In the Zscaler Client Connector Portal, on the left-side navigation, click App Profiles and select the relevant OS. The following example uses Windows.
- Click Add Windows Policy. The Add Windows Policy window appears.
- For Forwarding Profile, choose the forwarding profile created previously.
- In the PAC and Proxy section, enter the URL in the Custom PAC URL section.
- In Proxy Configuration, enable Disable Loopback Restriction.
- Enable the Cache System Proxy option. When enabled, this option restores the System PAC when the user exits Zscaler Client Connector.
- Override WPAD: (Optional) Enable this option if WPAD is in use.
- Restart WinHTTP Service: (Optional) Enable this option if WPAD is in use.
- In the Advanced section, enable the Tunnel Internal Client Connector Traffic.
- In the App and IP Bypass section, under IPv4 Exclusion, ensure that all internal IP subnets are added so the internal traffic is not tunneled to ZIA.
- Ensure that
0.0.0.0/0
is present in the IPv4 Inclusion section.
- Add a list of all internal domains in the Domain Exclusion field for which DNS requests are sent to internal DNS servers and not ZIA.
- Ensure
*
is added to the Domain Inclusion field, so all external DNS requests are tunneled via ZIA.
- 6. Deploy a ZIA Private Service Edge Cluster and Associate with a New ZIA Location with Force Authentication Enabled
The detailed steps to deploy a ZIA Private Service Edge cluster are not covered in this article because they are well documented in the Zscaler Help Portal.
CloseCreate a new ZIA Location and associate the ZIA Private Service Edge cluster to that location and ensure that Force Authentication is enabled for that location to prevent traffic leakage with an open proxy.
- 1. Complete Common Configuration Requirements for All no-default Route Environments
- Scenario 4 - Forwarding ZIA Traffic on All Ports and Protocols Using Z-Tunnel 2.0 via On-Premises Third-Party Proxy And ZPA Traffic
In this scenario, Zscaler Client Connector forwards ZIA traffic across all ports and protocols using Z-Tunnel 2.0 via a third-party proxy. ZPA M-Tunnels and authentication traffic are forwarded using the Zscaler GVIP. The Zscaler GVIP, in turn, forwards the traffic to ZPA services in the Zscaler cloud.
The configuration for this scenario is the same as Scenario 3 with the following exceptions regarding the third-party proxy:
- The Forwarding Profile for Z-Tunnel 2.0, when on-premises should only use TLS (instead of DTLS).
- The proxy must not attempt to authenticate requests destined for Zscaler IP addresses.
- The proxy must not attempt to authenticate requests destined for the IdP.
- The proxy must not attempt to re-resolve DNS based on SNI.
- The proxy must have TLS inspection disabled and tunnel all Zscaler and IdP bound requests.
- A separate ZIA Location (used for the ZIA Private Service Edge cluster in the previous step) isn't required.
- To account for situations where Zscaler Client Connector falls back to Z-Tunnel 1.0 at locations with a large number of users, consider using a Source-NAT IP address pool with multiple IP addresses and ensure that the load-balancing used with the pool uses sticky connections based on client IP addresses.