icon-zapp.svg
Client Connector

Implementing Zscaler Client Connector in No-Default Route Environments

You can deploy Zscaler Client Connector in a no-default route environment to provide a greater level of protection for end users connecting to the internet with minimal changes to the environment. In a typical network, the default route determines how traffic is forwarded to a specific destination when a route for that destination isn't available. The default route usually points to the edge router, and eventually out to the internet.

Some companies have deployed an alternate architecture, known as a no-default route environment, in their network. In such an environment, a default route isn't propagated through the network and the only way to egress is via an edge proxy server. Proxy servers are configured with a default route and placed in an edge DMZ (a neutral zone between an organization's internal network and the internet), which allows internet egress.

In a no-default route environment, browser traffic is explicitly sent to a proxy using a PAC file that is either served through a local web server, through the proxy itself, or through the use of Web Proxy Automatic Discovery. DNS resolution of public DNS records is restricted for all devices except the proxy server. The following image shows traffic flow in an explicit proxy environment.

Traffic flow in explicit proxy environment

In these explicit proxy environments, the web browser downloads the PAC file and sends the request to access the website explicitly to the on-premises proxy. The proxy server challenges the web browser for authentication. The browser resends the request to the proxy and includes the required credentials. The proxy validates the credentials with the IdP and queries the DNS server to resolve the hostname for the website. Upon successful DNS resolution, the proxy server sends a new request to the website on the internet via the edge firewall/router. The website responds back to the proxy with the requested content and the proxy server inspects the content and sends the website content to the web browser. Internal hosts are neither allowed to resolve external DNS records nor access the internet directly without sending the request via the proxy server.

Explicit proxy environment

Zscaler Client Connector Traffic Flow in a Typical Environment

Prior to deploying Zscaler Client Connector in a no-default route environment, it is important to first understand how the client operates in a typical environment. The following image shows traffic flow for Zscaler Client Connector in a typical environment. It doesn't show all operations (e.g., SAML and PKI) as those operations have no bearing on this article.

Traffic flow in a typical environment

In a typical environment, Zscaler Client Connector communicates with the following entities:

OperationEntityCommunication Details
Captive Portal DetectionZscaler Client Connector Portal

Probe to gateway.zscaler.net

Probe to gateway.[cloudname].net

Login StartZscaler Client Connector PortalAPI call to login.[cloudname].net
Name ResolutionInternal DNS ServersDNS resolution requests
Policy Download

Zscaler Client Connector Portal

Zscaler PAC Server

API call to mobile.[cloudname].net

Download App Profile PAC from pac.[cloudname].net

Service Discovery & EnrollmentZscaler Client Connector Portal

API call to gateway.[cloudname].net

API call to mobile.[cloudname].net

Tenant Cloud DiscoveryZscaler Client Connector PortalProbe to mobile.zscaler.net
ZIA Authentication

Customer IdP

ZIA SAML SP

SAML call to customer IdP

SAML call to ZIA (SP)

ZIA Traffic ForwardingZIA Public/Private Service EdgeForwarding using Tunnel with Local Proxy, Z-Tunnel 1.0 & 2.0
ZPA Authentication

Customer IdP

ZPA SAML SP

SAML call to customer IdP

SAML call to ZPA (SP)

ZPA Traffic ForwardingZPA Broker/Public/Private Service EdgeForwarding using Microtunnel (M-Tunnel)

Configuration Requirements for Implementing Zscaler Client Connector in a No-Default Route Environment

You can deploy Zscaler Client Connector in no-default route environments to support different kinds of traffic forwarding requirements. Zscaler Client Connector supports operation in a no-default environment on the following platforms:

  • Windows
  • macOS
  • Linux
  • iOS
  • Android
  • Android on ChromeOS

At a high level, you must configure the following requirements to enable Zscaler Client Connector to communicate with Zscaler cloud in a no-default route environment:

RequirementDescription
System PACFor initial Service Discovery, Enrollment, Authentication and Policy and PAC Download using an Explicit Proxy IP address
Internal DNS Server RecordsSpoofed Zscaler records pointing to Zscaler global virtual IP (GVIP) or an internal NAT address so Zscaler Client Connector can resolve Zscaler cloud addresses
GRE/IPsec TunnelTo provide connectivity to the Zscaler cloud during initial configuration of Zscaler Client Connector and traffic forwarding for ZIA and ZPA. Tunnel isn't used for traffic forwarding if a Private Service Edge is present
ZIA Private Service Edge (optional)You can deploy a ZIA Private Service Edge to forward traffic directly to the internet from the customer location. If Z-Tunnel 2.0 forwarding is required from on-premises, then a ZIA Private Service Edge is highly recommended
App and Forwarding Profile SettingsYou must configure App and Forwarding Profiles to support the environment with the use of Tunnel Internal Client Connector Traffic and other features
Third-Party Proxy (optional)You must configure explicit proxies to bypass authentication to the IdP and Zscaler cloud, must not attempt to re-resolve DNS based on Server Name Indication (SNI) and disable SSL inspection

Zscaler Client Connector supports forwarding of different types of traffic in no-default environments. The following table includes the requirements for each type of traffic forwarded by Zscaler Client Connector. The configuration details for each scenario are covered in this article.

ScenarioZIA Traffic TypeZscaler Client Connector Forwarding MethodSystem PAC FileDNS RecordsGRE/IPSec TunnelThird-Party ProxyZscaler Private/
Virtual Service Edge
Zscaler Private Access (ZPA)
1HTTP/
HTTPS
Tunnel w/ Local ProxyRequiredRequiredRequiredSupportedSupportedSupported
2TCP 80, 443Z-Tunnel 1.0RequiredRequiredRequiredSupportedSupportedSupported
3All ports/
protocols
Z-Tunnel 2.0RequiredRequiredRequired*N/ARequiredSupported
4All ports/
protocols
Z-Tunnel 2.0RequiredRequiredRequired**RequiredN/ASupported

* GRE/IPSec tunnels used for all traffic except for ZIA traffic forwarding

** GRE/IPSec tunnels used for Service Discovery, Enrollment, and initial authentication only

Common Configuration Steps for All No-Default Route Environments

The following image shows the Zscaler Client Connector traffic flow during Service Discovery, Enrollment, and Initialization in no-default route environments.

Traffic flow during service discovery

The following image shows Zscaler Client Connector using the Zscaler GVIP as an Explicit Proxy for Service Discovery, Enrollment, and Initialization in no-default route environments.

Zscaler Client Connector using the Zscaler GVIP as an Explicit Proxy

The following image shows that Zscaler Client Connector can use an internal IP as an Explicit Proxy for Service Discovery, Enrollment, and Initialization in no-default route environments. An edge device performs Destination NAT to the Zscaler GVIP.

Zscaler Client Connector can use an internal IP as an Explicit Proxy

No External Route Networks: Certain networks don't allow injection of public IP prefixes in internal routing tables. In these networks, an internal IP address can be used instead of the Zscaler GVIP with an upstream router/firewall performing Destination NAT and translating the internal address to the Zscaler GVIP. In these environments, the spoofed Zscaler DNS records must reference the internal IP instead of the Zscaler GVIP.

You must configure the following high-level steps to support Zscaler Client Connector in all no-default environments, regardless of traffic type and forwarding method. These steps allow Zscaler Client Connector to perform service discovery and enrollment when using Zscaler GVIPs.

  • Use the following steps to create GRE/IPSec tunnel configurations in ZIA and set up the tunnels from a router or firewall to the closest Zscaler data centers:

    Close
  • Follow the steps in Configuring Locations to configure a new location in ZIA. The Enforce Authentication option must be Disabled for the newly created location.

    Close
  • Determine the Zscaler GVIP address Zscaler Client Connector connects to by selecting one from the bottom of the page at https://config.zscaler.com/[cloudname].net/cenr. For example, if your tenant is hosted in the zscalertwo cloud, use the configuration information from https://config.zscaler.com/zscalertwo.net/cenr. The Zscaler GVIP address is located at the bottom of the page. The following image shows a list of GVIPs that you can use for forwarding traffic across the GRE/IPSec tunnel. This article uses 185.46.212.88 for all configurations except when forwarding traffic to a ZIA Private Service Edge.

    GVIPs used for forwarding traffic

    Create a route to forward traffic to the Zscaler GVIP via the GRE/IPSec tunnels.

    Close
  • Using 185.46.212.88 as the Zscaler VIP, create the following DNS Type A records in the internal DNS server.

    DNS RecordRecord TypeIP AddressExample Records for ZS2
    gateway.[cloudname].netA185.46.212.88gateway.zscalertwo.net
    gateway.zscaler.netA185.46.212.88gateway.zscaler.net
    login.[cloudname].netA185.46.212.88login.zscalertwo.net
    mobile.[cloudname].netA185.46.212.88mobile.zscalertwo.net
    mobile.zscaler.netA185.46.212.88mobile.zscaler.net
    pac.[cloudname].netA185.46.212.88pac.zscalertwo.net

    Certain networks don't allow injection of public IP prefixes in internal routing tables. In those scenarios, you can use an internal IP address for DNS records instead of the Zscaler GVIP with an upstream router/firewall performing Destination NAT and translating the internal address to the Zscaler GVIP.

    The following table shows the DNS records when an internal IP address is used instead of a Zscaler GVIP address.

    DNS RecordRecord TypeIP Address (No External Route Environments)Example Records for ZS2
    gateway.zscaler.netA10.10.10.10gateway.zscaler.net
    mobile.zscaler.netA10.10.10.10mobile.zscaler.net
    gateway.[cloudname].netA10.10.10.10gateway.zscalertwo.net
    mobile.[cloudname].netA10.10.10.10mobile.zscalertwo.net
    login.[cloudname].netA10.10.10.10login.zscalertwo.net
    pac.[cloudname].netA10.10.10.10pac.zscalertwo.net
    Close
  • A System PAC file is required for initial discovery, enrollment, authentication, app and forwarding profile policy and PAC file downloads. The System PAC enables Zscaler Client Connector to communicate with the Zscaler cloud in an explicit proxy mode. You can use a Zscaler GVIP address as the explicit proxy address or you can use a third-party proxy, as long as it meets the configuration requirements. After enrollment, the System PAC is no longer used by Zscaler Client Connector. Zscaler Client Connector restores the System PAC upon exit.

    To create a hosted PAC file in ZIA, see About Hosted PAC Files.

    The following hosted System PAC file references the Zscaler GVIP previously mentioned and is specific to the Zscaler Two cloud.

    function FindProxyForURL(url, host) {
       var egressip = "${SRCIP}";
       var privateIP = /^(0|10|127|192\.168|172\.1[6789]|172\.2[0-9]|172\.3[01]|169\.254|192\.88\.99)\.[0-9.]+$/;
       var resolved_ip = dnsResolve(host);
       // Bypass RFC-1918 and internal domain
       if ((shExpMatch(host, "*.internaldomain.com")) || (privateIP.test(resolved_ip)))
           return "DIRECT";
        
       // Zscaler public egress subnets
       if ((isInNet(egressip, "58.220.95.0", "255.255.255.0")) || (isInNet(egressip, "64.215.22.0", "255.255.255.0")) ||
           (isInNet(egressip, "87.58.64.0", "255.255.192.0")) || (isInNet(egressip, "94.188.131.0", "255.255.255.128")) ||
           (isInNet(egressip, "94.188.139.64", "255.255.255.192")) || (isInNet(egressip, "94.188.248.64", "255.255.255.192")) ||
           (isInNet(egressip, "98.98.26.0", "255.255.255.0")) || (isInNet(egressip, "98.98.27.0", "255.255.255.0")) ||
           (isInNet(egressip, "98.98.28.0", "255.255.255.0")) || (isInNet(egressip, "101.2.192.0", "255.255.192.0")) ||
           (isInNet(egressip, "104.129.192.0", "255.255.240.0")) || (isInNet(egressip, "112.137.170.0", "255.255.255.0")) ||
           (isInNet(egressip, "124.248.141.0", "255.255.255.0")) || (isInNet(egressip, "128.177.125.0", "255.255.255.0")) ||
           (isInNet(egressip, "136.226.0.0", "255.255.0.0")) || (isInNet(egressip, "137.83.128.0", "255.255.192.0")) ||
           (isInNet(egressip, "140.210.152.0", "255.255.254.0")) || (isInNet(egressip, "147.161.128.0", "255.255.128.0")) ||
           (isInNet(egressip, "154.113.23.0", "255.255.255.0")) || (isInNet(egressip, "165.225.0.0", "255.255.128.0")) ||
           (isInNet(egressip, "165.225.192.0", "255.255.192.0")) || (isInNet(egressip, "167.103.0.0", "255.255.0.0")) ||
           (isInNet(egressip, "170.85.0.0", "255.255.0.0")) || (isInNet(egressip, "185.46.212.0", "255.255.252.0")) ||
           (isInNet(egressip, "194.9.96.0", "255.255.240.0")) || (isInNet(egressip, "194.9.112.0", "255.255.252.0")) ||
           (isInNet(egressip, "194.9.116.0", "255.255.255.0")) || (isInNet(egressip, "196.23.154.64", "255.255.255.224")) ||
           (isInNet(egressip, "196.23.154.96", "255.255.255.224")) || (isInNet(egressip, "197.98.201.0", "255.255.255.0")) ||
           (isInNet(egressip, "197.156.241.224", "255.255.255.224")) || (isInNet(egressip, "198.14.64.0", "255.255.192.0")) ||
           (isInNet(egressip, "199.168.148.0", "255.255.254.0")) || (isInNet(egressip, "209.55.128.0", "255.255.192.0")) ||
           (isInNet(egressip, "209.55.192.0", "255.255.224.0")) || (isInNet(egressip, "211.144.19.0", "255.255.255.0")) ||
           (isInNet(egressip, "220.243.154.0", "255.255.254.0")) || (isInNet(egressip, "221.122.91.0", "255.255.255.0")))
           {
               if ((dnsDomainIs(host, "1.2.3.4")) || (shExpMatch(host, "*.zscaler.net")) ||
                   (shExpMatch(host, "*.zscalertwo.net")) || //Service Discovery, Enrollment, Login
                   (shExpMatch(host, "mobilesupport.zscaler.com")) || //Support
                   (shExpMatch(host, "*.zdxcloud.net")) || //ZDX
                   (shExpMatch(host, "*.digicert.com")) || //Cert validation
                   // Required for ZPA
                   (shExpMatch(host, "*.prod.zpath.net")) || (shExpMatch(host, "*.private.zscaler.com")) ||
                   // Zscaler Updates
                   (localHostOrDomainIs(host, "d32a6ru7mhaq0c.cloudfront.net")) || (localHostOrDomainIs(host, "d3l44rcogcb7iv.cloudfront.net")) ||
                   (localHostOrDomainIs(host, "dwv281inkfqg3.cloudfront.net")) ||
                   // Required for Entra IdP
                   (shExpMatch(host, "*.msauth.net")) || (shExpMatch(host, "*.msauthimages.net")) ||
                   (shExpMatch(host, "*.msftauthimages.net")) || (localHostOrDomainIs(host, "login.microsoftonline.com")) ||
                   (localHostOrDomainIs(host, "autologon.microsoftazuread-sso.com")) || (localHostOrDomainIs(host, "login.windows.net")) ||
                   // Required for OKTA
                   (shExpMatch(host, "*.okta.com")) || (shExpMatch(host, "*.oktacdn.com")) || (shExpMatch(host, "*.oktapreview.com")))
               {
                   return "PROXY 185.46.212.88:80";
               }
           }
     return "DIRECT";
    }
    Close

    You can use the System PAC file for devices that are on Trusted Networks (with a GRE/IPSec tunnel) or Off Trusted Networks (remote users). The PAC file logic detects the device location using the ${SRCIP} macro. If the device is at a location with an existing GRE/IPSec tunnel, it uses the Zscaler GVIP as the Explicit Proxy IP address in order to connect to Zscaler and if the device is on an Off Trusted Network, it communicates directly with the closest Zscaler data center.

    The following table shows the System PAC file code details:

    PAC File Code DetailsNotes
    var egressip = "${SRCIP}";
    Determines the client's public IP address using the ${SRCIP} macro which is only available when the PAC file is hosted in the Zscaler cloud.
    if ((shExpMatch(host, "*.internaldomain.com")) || (privateIP.test(resolved_ip)))
    return "DIRECT";
    Don't use proxy for internal domains and RFC-1918 addresses. Replace internaldomain.com with your internal domains.
    // Zscaler public egress subnets
    if ((isInNet(egressip, "58.220.95.0", "255.255.255.0")) || (isInNet(egressip, "64.215.22.0", "255.255.255.0")) ||
    (isInNet(egressip, "87.58.64.0", "255.255.192.0")) || (isInNet(egressip, "94.188.131.0", "255.255.255.128")) ||
    (isInNet(egressip, "94.188.139.64", "255.255.255.192")) || (isInNet(egressip, "94.188.248.64", "255.255.255.192")) ||
    (isInNet(egressip, "98.98.26.0", "255.255.255.0")) || (isInNet(egressip, "98.98.27.0", "255.255.255.0")) ||
    (isInNet(egressip, "98.98.28.0", "255.255.255.0")) || (isInNet(egressip, "101.2.192.0", "255.255.192.0")) ||
    (isInNet(egressip, "104.129.192.0", "255.255.240.0")) || (isInNet(egressip, "112.137.170.0", "255.255.255.0")) ||
    (isInNet(egressip, "124.248.141.0", "255.255.255.0")) || (isInNet(egressip, "128.177.125.0", "255.255.255.0")) ||
    (isInNet(egressip, "136.226.0.0", "255.255.0.0")) || (isInNet(egressip, "137.83.128.0", "255.255.192.0")) ||
    (isInNet(egressip, "140.210.152.0", "255.255.254.0")) || (isInNet(egressip, "147.161.128.0", "255.255.128.0")) ||
    (isInNet(egressip, "154.113.23.0", "255.255.255.0")) || (isInNet(egressip, "165.225.0.0", "255.255.128.0")) ||
    (isInNet(egressip, "165.225.192.0", "255.255.192.0")) || (isInNet(egressip, "167.103.0.0", "255.255.0.0")) ||
    (isInNet(egressip, "170.85.0.0", "255.255.0.0")) || (isInNet(egressip, "185.46.212.0", "255.255.252.0")) ||
    (isInNet(egressip, "194.9.96.0", "255.255.240.0")) || (isInNet(egressip, "194.9.112.0", "255.255.252.0")) ||
    (isInNet(egressip, "194.9.116.0", "255.255.255.0")) || (isInNet(egressip, "196.23.154.64", "255.255.255.224")) ||
    (isInNet(egressip, "196.23.154.96", "255.255.255.224")) || (isInNet(egressip, "197.98.201.0", "255.255.255.0")) ||
    (isInNet(egressip, "197.156.241.224", "255.255.255.224")) || (isInNet(egressip, "198.14.64.0", "255.255.192.0")) ||
    (isInNet(egressip, "199.168.148.0", "255.255.254.0")) || (isInNet(egressip, "209.55.128.0", "255.255.192.0")) ||
    (isInNet(egressip, "209.55.192.0", "255.255.224.0")) || (isInNet(egressip, "211.144.19.0", "255.255.255.0")) ||
    (isInNet(egressip, "220.243.154.0", "255.255.254.0")) || (isInNet(egressip, "221.122.91.0", "255.255.255.0")))

    List of Zscaler public IP addresses to detect whether Zscaler Client Connector is accessing the Zscaler cloud using a GRE/IPSec tunnel. These addresses are documented in the Zscaler Aggregate IP Address Ranges section: https://config.zscaler.com/[cloudname].net/cenr

    if ((dnsDomainIs(host, "1.2.3.4")) || (shExpMatch(host, "*.zscaler.net")) ||
    Special URL checked by Zscaler Client Connector to enroll using an explicit proxy, in this case the Zscaler GVIP (185.46.212.88).
    (shExpMatch(host, "*.zscalertwo.net")) || //Service Discovery, Enrollment, Login
    Replace the wildcard domain with the one that matches the customer cloud.
    (shExpMatch(host, "mobilesupport.zscaler.com")) || //Support
    (shExpMatch(host, "*.zdxcloud.net")) || //ZDX
    (shExpMatch(host, "*.digicert.com")) || //Cert validation
    Required for support access, Zscaler Digital Experience (ZDX) and certificate validation during discovery and enrollment.
    (shExpMatch(host, "*.prod.zpath.net")) || (shExpMatch(host, "*.private.zscaler.com")) ||
    Required for ZPA discovery and enrollment.
    (localHostOrDomainIs(host, "d32a6ru7mhaq0c.cloudfront.net")) || (localHostOrDomainIs(host, "d3l44rcogcb7iv.cloudfront.net")) ||
    (localHostOrDomainIs(host, "dwv281inkfqg3.cloudfront.net")) ||
    Required for Zscaler Client Connector software and module updates during discovery and enrollment.
    (shExpMatch(host, "*.msauth.net")) || (shExpMatch(host, "*.msauthimages.net")) ||
    (shExpMatch(host, "*.msftauthimages.net")) || (localHostOrDomainIs(host, "login.microsoftonline.com")) ||
    (localHostOrDomainIs(host, "autologon.microsoftazuread-sso.com")) || (localHostOrDomainIs(host, "login.windows.net")) ||
    Required for authentication during enrollment. The example shows domains required by Entra. Use domains required for your IdP.
    {
    return "PROXY 185.46.212.88:80";
    }

    If Zscaler Client Connector is at a no-default route location, it uses the Zscaler GVIP 185.46.212.88 as the explicit proxy address for service discovery, enrollment, authentication, and policy and pac downloads.

    Instead of using the Zscaler GVIP, use the internal IP address, e.g., 10.10.10.10 for No External Route Networks.

    return "DIRECT";
    }
    All other traffic is sent directly to the local network.
    Close
  • Zscaler Client Connector must be able to authenticate with the IdP in order for enrollment and policy downloads to succeed. To ensure that Zscaler Client Connector is able to authenticate, you must add the IdP URLs to the Authentication Exemptions list in ZIA.

    1. Follow the steps in Exempting URLs and Cloud Apps from Authentication to configure the authentication exemptions list.

    The IdP URLs depend on the type of IdP in use. Consult your IdP documentation for details. The following example shows IdP URLs for Microsoft Entra ID and Okta.

    1. Add the IdP and other required URLs to the Exempted URLs list.

    The following are example URLs for Entra ID and Okta.

    IdP/ServiceURL
    Entra IDlogin.microsoftonline.com
    autologon.microsoftazuread-sso.com
    *.windowsazure.com
    device.login.microsoftonline.com
    login.microsoft.com
    login.windows.net
    Okta*.okta.com
    *.oktacdn.com
    *.oktapreview.com
    ZPA*.zpath.net
    *.private.zscaler.com
    Close

Scenarios: Types of Traffic Forwarded by Zscaler Client Connector

  • The following image shows Zscaler Client Connector forwarding ZIA and ZPA traffic via the Zscaler GVIP IP.

    Zscaler Client Connector forwarding ZIA and ZPA traffic via the Zscaler GVIP

    In this scenario, after enrollment has completed, Zscaler Client Connector forwards ZIA HTTP/HTTPS using TWLP/Z-Tunnel 1.0 and ZPA traffic using M-Tunnels to the Zscaler GVIP. The Zscaler GVIP in turn forwards the traffic to ZIA and ZPA services in the Zscaler cloud. You can optionally use a third-party proxy in this scenario as long as it meets the configuration requirements and forwards the traffic through the GRE/IPSec tunnel. The steps in this scenario do not cover configuration using a third-party proxy as third-party proxies aren't required.

    You must configure the following high-level steps to forward HTTP/HTTPS traffic by Zscaler Client Connector using Tunnel with Local Proxy (TWLP) in No-Default Environments.

    • Before following the next steps, make sure the configuration requirements for all no-default route environments are met.

      Close
    • Follow the steps for Using Custom PAC Files to Forward Traffic to ZIA to add a custom PAC file. Use the following PAC file.

      function FindProxyForURL(url, host) {
         if ((dnsDomainIs(host, "1.2.3.4")) ||
             (shExpMatch(host, "*.prod.zpath.net")))
           return "PROXY 185.46.212.88:80";
         return "PROXY ${ZAPP_LOCAL_PROXY}";
      }
      Close

      See the following table for forwarding PAC file details.

      PAC File Code DetailsNotes
      if ((dnsDomainIs(host, "1.2.3.4")) ||Special URL checked by Zscaler Client Connector to enroll using an Explicit proxy, in this case the Zscaler GVIP (185.46.212.88).
      (shExpMatch(host, "*.prod.zpath.net")))Required for ZPA discovery and enrollment.
      return "PROXY 185.46.212.88:80";

      If Zscaler Client Connector is at a no-default route location, it uses the Zscaler GVIP 185.46.212.88 as the explicit proxy address to complete discovery and enrollment.

      Instead of using the Zscaler GVIP, use the internal IP address, e.g., 10.10.10.10 for No External Route Networks.

      return "PROXY ${ZAPP_LOCAL_PROXY}";Send all other traffic to Zscaler Client Connector.
      Close
    • To create a forwarding profile for on-trusted and off-trusted networks:

      1. In the Zscaler Client Connector Portal, go to Administration > Forwarding Profile.
      2. Click Add Forwarding Profile.
        The Add Forwarding Profile window appears.
      3. Enter a name for the profile.
      4. For Predefined Trusted Networks, choose the Selected option. This allows Zscaler Client Connector to detect when it is in a no-default-route environment. To learn more about trusted networks, see Configuring Trusted Networks for Zscaler Client Connector.
      1. For On Trusted Network, select Tunnel with Local Proxy.
      2. For Proxy Action Type, select Enforce.
      3. Select the PAC URL Location and choose PAC URL.
      4. In the Custom PAC URL section, enter the PAC URL for the forwarding profile.
      1. For Off Trusted Network, select the forwarding mechanisms as per your organization's requirements. Zscaler supports all forwarding mechanism for off-trusted network users. The following example uses Z-Tunnel 2.0.
      2. For Off Trusted Network, choose Tunnel.
      3. For Tunnel version selection, select Z-Tunnel 2.0.
      1. Enable Redirect Web Traffic to Zscaler Client Connector Listening Proxy.

      A PAC URL is not required for an Off-Trusted Network.

      Close
    • Follow the steps for Using Custom PAC Files to Forward Traffic to ZIA to add a custom PAC file. Use the following PAC file:

      function FindProxyForURL(url, host) {
         var customPort = "${ZS_CUSTOM_PORT}"; // Assigned port for local region - ZS_CUSTOM_PORT
         var privateIP = /^(0|10|127|192\.168|172\.1[6789]|172\.2[0-9]|172\.3[01]|169\.254|192\.88\.99)\.[0-9.]+$/;
         var resolved_ip = dnsResolve(host);
         var trust = /^(trust|ips).(zscaler|zscalerone|zscalertwo|zscalerthree|zsdemo|zscalergov|zscloud|zsfalcon|zdxcloud|zdxpreview).(com|net)$/;
         var iam = /^.*.(zslogin|zsloginbeta|zslogindemo).net$/;
         var egressip = "${SRCIP}";
          // Don't send non-FQDN or private IP auths to us
         if (isInNet(resolved_ip, "192.0.2.0", "255.255.255.0") || privateIP.test(resolved_ip))
             return "DIRECT";
         // Zscaler public egress subnets
         if ((isInNet(egressip, "58.220.95.0", "255.255.255.0")) || (isInNet(egressip, "64.215.22.0", "255.255.255.0")) ||
             (isInNet(egressip, "87.58.64.0", "255.255.192.0")) || (isInNet(egressip, "94.188.131.0", "255.255.255.128")) ||
             (isInNet(egressip, "94.188.139.64", "255.255.255.192")) || (isInNet(egressip, "94.188.248.64", "255.255.255.192")) ||
             (isInNet(egressip, "98.98.26.0", "255.255.255.0")) || (isInNet(egressip, "98.98.27.0", "255.255.255.0")) ||
             (isInNet(egressip, "98.98.28.0", "255.255.255.0")) || (isInNet(egressip, "101.2.192.0", "255.255.192.0")) ||
             (isInNet(egressip, "104.129.192.0", "255.255.240.0")) || (isInNet(egressip, "112.137.170.0", "255.255.255.0")) ||
             (isInNet(egressip, "124.248.141.0", "255.255.255.0")) || (isInNet(egressip, "128.177.125.0", "255.255.255.0")) ||
             (isInNet(egressip, "136.226.0.0", "255.255.0.0")) || (isInNet(egressip, "137.83.128.0", "255.255.192.0")) ||
             (isInNet(egressip, "140.210.152.0", "255.255.254.0")) || (isInNet(egressip, "147.161.128.0", "255.255.128.0")) ||
             (isInNet(egressip, "154.113.23.0", "255.255.255.0")) || (isInNet(egressip, "165.225.0.0", "255.255.128.0")) ||
             (isInNet(egressip, "165.225.192.0", "255.255.192.0")) || (isInNet(egressip, "167.103.0.0", "255.255.0.0")) ||
             (isInNet(egressip, "170.85.0.0", "255.255.0.0")) || (isInNet(egressip, "185.46.212.0", "255.255.252.0")) ||
             (isInNet(egressip, "194.9.96.0", "255.255.240.0")) || (isInNet(egressip, "194.9.112.0", "255.255.252.0")) ||
             (isInNet(egressip, "194.9.116.0", "255.255.255.0")) || (isInNet(egressip, "196.23.154.64", "255.255.255.224")) ||
             (isInNet(egressip, "196.23.154.96", "255.255.255.224")) || (isInNet(egressip, "197.98.201.0", "255.255.255.0")) ||
             (isInNet(egressip, "197.156.241.224", "255.255.255.224")) || (isInNet(egressip, "198.14.64.0", "255.255.192.0")) ||
             (isInNet(egressip, "199.168.148.0", "255.255.254.0")) || (isInNet(egressip, "209.55.128.0", "255.255.192.0")) ||
             (isInNet(egressip, "209.55.192.0", "255.255.224.0")) || (isInNet(egressip, "211.144.19.0", "255.255.255.0")) ||
             (isInNet(egressip, "220.243.154.0", "255.255.254.0")) || (isInNet(egressip, "221.122.91.0", "255.255.255.0")))
             return "PROXY 185.46.212.88:80";
         if (trust.test(host) || iam.test(host) || /^trust.zscaler.us$/.test(host) || /^config.zscaler.com$/.test(host))
             return "DIRECT";
         // Bypasses for ZPA
         if ((isInNet(resolved_ip, "100.64.0.0", "255.255.0.0")) || (shExpMatch(host, "*.private.zscaler.com")) || (shExpMatch(host, "*.zpath.net")))
             return "DIRECT";
         return "PROXY ${GATEWAY_FX}:${ZS_CUSTOM_PORT}; PROXY ${SECONDARY_GATEWAY_FX}:${ZS_CUSTOM_PORT}; DIRECT";
      }
      Close

      Use the following PAC file code details:

      PAC File Code DetailsNotes
      var egressip = "${SRCIP}";
      Determines the client's public IP address using the ${SRCIP} macro which is only available when the PAC file is hosted in the Zscaler cloud.
      if ((shExpMatch(host, "*.internaldomain.com")) || (privateIP.test(resolved_ip)))
      return "DIRECT";
      Don't use proxy for internal domains and RFC-1918 addresses. Replace internaldomain.com with your internal domains.
      // Zscaler public egress subnets
      if ((isInNet(egressip, "58.220.95.0", "255.255.255.0")) || (isInNet(egressip, "64.215.22.0", "255.255.255.0")) ||
      	(isInNet(egressip, "87.58.64.0", "255.255.192.0")) || (isInNet(egressip, "94.188.131.0", "255.255.255.128")) ||
      	(isInNet(egressip, "94.188.139.64", "255.255.255.192")) || (isInNet(egressip, "94.188.248.64", "255.255.255.192")) ||
      	(isInNet(egressip, "98.98.26.0", "255.255.255.0")) || (isInNet(egressip, "98.98.27.0", "255.255.255.0")) ||
      	(isInNet(egressip, "98.98.28.0", "255.255.255.0")) || (isInNet(egressip, "101.2.192.0", "255.255.192.0")) ||
      	(isInNet(egressip, "104.129.192.0", "255.255.240.0")) || (isInNet(egressip, "112.137.170.0", "255.255.255.0")) ||
      	(isInNet(egressip, "124.248.141.0", "255.255.255.0")) || (isInNet(egressip, "128.177.125.0", "255.255.255.0")) ||
      	(isInNet(egressip, "136.226.0.0", "255.255.0.0")) || (isInNet(egressip, "137.83.128.0", "255.255.192.0")) ||
      	(isInNet(egressip, "140.210.152.0", "255.255.254.0")) || (isInNet(egressip, "147.161.128.0", "255.255.128.0")) ||
      	(isInNet(egressip, "154.113.23.0", "255.255.255.0")) || (isInNet(egressip, "165.225.0.0", "255.255.128.0")) ||
      	(isInNet(egressip, "165.225.192.0", "255.255.192.0")) || (isInNet(egressip, "167.103.0.0", "255.255.0.0")) ||
      	(isInNet(egressip, "170.85.0.0", "255.255.0.0")) || (isInNet(egressip, "185.46.212.0", "255.255.252.0")) ||
      	(isInNet(egressip, "194.9.96.0", "255.255.240.0")) || (isInNet(egressip, "194.9.112.0", "255.255.252.0")) ||
      	(isInNet(egressip, "194.9.116.0", "255.255.255.0")) || (isInNet(egressip, "196.23.154.64", "255.255.255.224")) ||
      	(isInNet(egressip, "196.23.154.96", "255.255.255.224")) || (isInNet(egressip, "197.98.201.0", "255.255.255.0")) ||
      	(isInNet(egressip, "197.156.241.224", "255.255.255.224")) || (isInNet(egressip, "198.14.64.0", "255.255.192.0")) ||
      	(isInNet(egressip, "199.168.148.0", "255.255.254.0")) || (isInNet(egressip, "209.55.128.0", "255.255.192.0")) ||
      	(isInNet(egressip, "209.55.192.0", "255.255.224.0")) || (isInNet(egressip, "211.144.19.0", "255.255.255.0")) ||
      	(isInNet(egressip, "220.243.154.0", "255.255.254.0")) || (isInNet(egressip, "221.122.91.0", "255.255.255.0")))
              return "PROXY 185.46.212.88:80";

      List of Zscaler public IP addresses to detect whether Zscaler Client Connector is accessing the Zscaler cloud using a GRE/IPSec tunnel. These addresses are documented in the Zscaler Aggregate IP Address Ranges section: https://config.zscaler.com/[cloudname].net/cenr

      {
      return "PROXY 185.46.212.88:80";
      }

      If Zscaler Client Connector is at a no-default route location, it uses the Zscaler GVIP 185.46.212.88 as the explicit proxy address for service discovery, enrollment, authentication, and policy and pac downloads.

      Instead of using the Zscaler GVIP, use the internal IP address, e.g., 10.10.10.10 for No External Route Networks.

          if (trust.test(host) || iam.test(host) || /^trust.zscaler.us$/.test(host) || /^config.zscaler.com$/.test(host))
              return "DIRECT";
          // Bypasses for ZPA
          if ((isInNet(resolved_ip, "100.64.0.0", "255.255.0.0")) || (shExpMatch(host, "*.private.zscaler.com")) || (shExpMatch(host, "*.zpath.net")))
              return "DIRECT";
      When Zscaler Client Connector is Off Trusted Network use this criteria to bypass Zscaler.
          return "PROXY ${GATEWAY_FX}:${ZS_CUSTOM_PORT}; PROXY ${SECONDARY_GATEWAY_FX}:${ZS_CUSTOM_PORT}; DIRECT";
      }
      Use auto-assigned data centers to connect via Z-Tunnel 2.0 when Off Trusted Network.
      Close
    • Create an App Profile and associate it to the previously created Forwarding Profile:

      1. In the Zscaler Client Connector Portal, in the left-side navigation, click App Profiles and select the relevant OS. The following example uses Windows.
      2. Click Add Windows Policy. The Add Windows Policy window appears.
      3. For Forwarding Profile, choose the forwarding profile previously created.
      1. In the PAC and Proxy section, enter the URL in the Custom PAC URL section.
      2. In Proxy Configuration, enable Disable Loopback Restriction.
      3. Enable the Cache System Proxy. When enabled, this option restores the System PAC after the user exits Zscaler Client Connector.
      4. Override WPAD: (Optional) Enable this option if WPAD is in use.
      5. Restart WinHTTP Service: (Optional) Enable this option if WPAD is in use.
      1. In the Advanced section, enable Tunnel Internal Client Connector Traffic.
      Close
    Close
  • In this scenario, Zscaler Client Connector forwards ZIA TCP 80/443 traffic using Z-Tunnel 1.0 and ZPA traffic using M-Tunnels to the Zscaler GVIP. The Zscaler GVIP, in turn, forwards the traffic to ZIA and ZPA services in the Zscaler cloud. In this scenario, you can optionally use a third-party proxy as long as it meets the requirements and forwards the traffic through the GRE/IPSec tunnel. The following directions don't cover configuration using a third-party proxy because third-party proxies aren't required and can be deprecated in this scenario.

    Zscaler Client Connector forwards ZIA TCP 80/443 traffic using Z-Tunnel 1.0 and ZPA traffic using M-Tunnels

    The following high-level steps must be configured to forward TCP 80/443 traffic by Zscaler Client Connector using Z-Tunnel 1.0 in no-default Environments.

    • Ensure that all configuration requirements have been met before continuing with the following steps.

      Close
    • Follow the steps for Using Custom PAC Files to Forward Traffic to ZIA to add a custom PAC file. Use the following PAC file.

      function FindProxyForURL(url, host) {
         if ((dnsDomainIs(host, "1.2.3.4")) ||
             (shExpMatch(host, "*.prod.zpath.net")))
           return "PROXY 185.46.212.88:80";
         return "PROXY ${ZAPP_LOCAL_PROXY}";
      }

      Close

      Refer to the following table for forwarding PAC file details.

      PAC File Code DetailsNotes
      if ((dnsDomainIs(host, "1.2.3.4")) ||Special URL checked by Zscaler Client Connector to enroll using an Explicit proxy, in this case the Zscaler GVIP (185.46.212.88).
      (shExpMatch(host, "*.prod.zpath.net")))Required for ZPA discovery and enrollment.
      return "PROXY 185.46.212.88:80";

      If Zscaler Client Connector is at a no-default route location, it uses the Zscaler GVIP 185.46.212.88 as the explicit proxy address to complete discovery and enrollment.

      Instead of using the Zscaler GVIP, use the internal IP address, e.g., 10.10.10.10 for No External Route Networks.

      return "PROXY ${ZAPP_LOCAL_PROXY}";Send all other traffic to Zscaler Client Connector.
      Close
    • Create a Trusted Network Criteria so Zscaler Client Connector can detect when it is on a Trusted Network (no-default route environment). Follow these steps to create forwarding profile:

      1. In the Zscaler Client Connector Portal, go to Administration > Forwarding Profile.
      2. Click Add Forwarding Profile.
        The Add Forwarding Profile window appears.
      3. Enter a name for the profile.
      4. For Predefined Trusted Networks, choose the Selected option. This allows Zscaler Client Connector to detect when it is in a no-default-route environment. To learn more about trusted networks, see Configuring Trusted Networks for Zscaler Client Connector.
      1. For On Trusted Network, select Tunnel.
      2. For Tunnel version selection, select Z-Tunnel 1.0.
      3. For Proxy Action Type, select Enforce.
      4. Select the PAC URL Location and choose PAC URL.
      5. In the Custom PAC URL section, enter the PAC URL for the forwarding profile.
      1. For Off Trusted Network, select the forwarding mechanisms as per your organization's requirements. Zscaler supports all forwarding mechanism for off-trusted network users. The following example uses Z-Tunnel 2.0.
      2. For Tunnel version selection, select Z-Tunnel 2.0.
      1. Enable Redirect Web Traffic to Zscaler Client Connector Listening Proxy.

      A PAC URL is not required for an Off Trusted Network.

      Close
    • Follow the steps for Using Custom PAC Files to Forward Traffic to ZIA to add a custom PAC file. Use the following PAC file:

      function FindProxyForURL(url, host) {
       
          var customPort = "${ZS_CUSTOM_PORT}"; // Assigned port for local region - ZS_CUSTOM_PORT
          var privateIP = /^(0|10|127|192\.168|172\.1[6789]|172\.2[0-9]|172\.3[01]|169\.254|192\.88\.99)\.[0-9.]+$/;
          var resolved_ip = dnsResolve(host);
          var trust = /^(trust|ips).(zscaler|zscalerone|zscalertwo|zscalerthree|zsdemo|zscalergov|zscloud|zsfalcon|zdxcloud|zdxpreview).(com|net)$/;
          var iam = /^.*.(zslogin|zsloginbeta|zslogindemo).net$/;
          var egressip = "${SRCIP}";
       
           // Don't send non-FQDN or private IP auths to us
          if (isInNet(resolved_ip, "192.0.2.0", "255.255.255.0") || privateIP.test(resolved_ip))
              return "DIRECT";
       
          // Zscaler public egress subnets
          if ((isInNet(egressip, "58.220.95.0", "255.255.255.0")) || (isInNet(egressip, "64.215.22.0", "255.255.255.0")) ||
              (isInNet(egressip, "87.58.64.0", "255.255.192.0")) || (isInNet(egressip, "94.188.131.0", "255.255.255.128")) ||
              (isInNet(egressip, "94.188.139.64", "255.255.255.192")) || (isInNet(egressip, "94.188.248.64", "255.255.255.192")) ||
              (isInNet(egressip, "98.98.26.0", "255.255.255.0")) || (isInNet(egressip, "98.98.27.0", "255.255.255.0")) ||
              (isInNet(egressip, "98.98.28.0", "255.255.255.0")) || (isInNet(egressip, "101.2.192.0", "255.255.192.0")) ||
              (isInNet(egressip, "104.129.192.0", "255.255.240.0")) || (isInNet(egressip, "112.137.170.0", "255.255.255.0")) ||
              (isInNet(egressip, "124.248.141.0", "255.255.255.0")) || (isInNet(egressip, "128.177.125.0", "255.255.255.0")) ||
              (isInNet(egressip, "136.226.0.0", "255.255.0.0")) || (isInNet(egressip, "137.83.128.0", "255.255.192.0")) ||
              (isInNet(egressip, "140.210.152.0", "255.255.254.0")) || (isInNet(egressip, "147.161.128.0", "255.255.128.0")) ||
              (isInNet(egressip, "154.113.23.0", "255.255.255.0")) || (isInNet(egressip, "165.225.0.0", "255.255.128.0")) ||
              (isInNet(egressip, "165.225.192.0", "255.255.192.0")) || (isInNet(egressip, "167.103.0.0", "255.255.0.0")) ||
              (isInNet(egressip, "170.85.0.0", "255.255.0.0")) || (isInNet(egressip, "185.46.212.0", "255.255.252.0")) ||
              (isInNet(egressip, "194.9.96.0", "255.255.240.0")) || (isInNet(egressip, "194.9.112.0", "255.255.252.0")) ||
              (isInNet(egressip, "194.9.116.0", "255.255.255.0")) || (isInNet(egressip, "196.23.154.64", "255.255.255.224")) ||
              (isInNet(egressip, "196.23.154.96", "255.255.255.224")) || (isInNet(egressip, "197.98.201.0", "255.255.255.0")) ||
              (isInNet(egressip, "197.156.241.224", "255.255.255.224")) || (isInNet(egressip, "198.14.64.0", "255.255.192.0")) ||
              (isInNet(egressip, "199.168.148.0", "255.255.254.0")) || (isInNet(egressip, "209.55.128.0", "255.255.192.0")) ||
              (isInNet(egressip, "209.55.192.0", "255.255.224.0")) || (isInNet(egressip, "211.144.19.0", "255.255.255.0")) ||
              (isInNet(egressip, "220.243.154.0", "255.255.254.0")) || (isInNet(egressip, "221.122.91.0", "255.255.255.0")))
              return "PROXY 185.46.212.88:80";
       
          if (trust.test(host) || iam.test(host) || /^trust.zscaler.us$/.test(host) || /^config.zscaler.com$/.test(host))
              return "DIRECT";
       
          // Bypasses for ZPA
          if ((isInNet(resolved_ip, "100.64.0.0", "255.255.0.0")) || (shExpMatch(host, "*.private.zscaler.com")) || (shExpMatch(host, "*.zpath.net")))
              return "DIRECT";
       
          return "PROXY ${GATEWAY_FX}:${ZS_CUSTOM_PORT}; PROXY ${SECONDARY_GATEWAY_FX}:${ZS_CUSTOM_PORT}; DIRECT";
      }
      Close

      Refer to the following table for forwarding PAC file details.

      PAC File Code DetailsNotes
      var egressip = "${SRCIP}";
      Determines the client's public IP address using the ${SRCIP} macro which is only available when the PAC file is hosted in the Zscaler cloud.
      if ((shExpMatch(host, "*.internaldomain.com")) || (privateIP.test(resolved_ip)))
      return "DIRECT";
      Don't use proxy for internal domains and RFC-1918 addresses. Replace internaldomain.com with your internal domains.
      // Zscaler public egress subnets
      if ((isInNet(egressip, "58.220.95.0", "255.255.255.0")) || (isInNet(egressip, "64.215.22.0", "255.255.255.0")) ||
      	(isInNet(egressip, "87.58.64.0", "255.255.192.0")) || (isInNet(egressip, "94.188.131.0", "255.255.255.128")) ||
      	(isInNet(egressip, "94.188.139.64", "255.255.255.192")) || (isInNet(egressip, "94.188.248.64", "255.255.255.192")) ||
      	(isInNet(egressip, "98.98.26.0", "255.255.255.0")) || (isInNet(egressip, "98.98.27.0", "255.255.255.0")) ||
      	(isInNet(egressip, "98.98.28.0", "255.255.255.0")) || (isInNet(egressip, "101.2.192.0", "255.255.192.0")) ||
      	(isInNet(egressip, "104.129.192.0", "255.255.240.0")) || (isInNet(egressip, "112.137.170.0", "255.255.255.0")) ||
      	(isInNet(egressip, "124.248.141.0", "255.255.255.0")) || (isInNet(egressip, "128.177.125.0", "255.255.255.0")) ||
      	(isInNet(egressip, "136.226.0.0", "255.255.0.0")) || (isInNet(egressip, "137.83.128.0", "255.255.192.0")) ||
      	(isInNet(egressip, "140.210.152.0", "255.255.254.0")) || (isInNet(egressip, "147.161.128.0", "255.255.128.0")) ||
      	(isInNet(egressip, "154.113.23.0", "255.255.255.0")) || (isInNet(egressip, "165.225.0.0", "255.255.128.0")) ||
      	(isInNet(egressip, "165.225.192.0", "255.255.192.0")) || (isInNet(egressip, "167.103.0.0", "255.255.0.0")) ||
      	(isInNet(egressip, "170.85.0.0", "255.255.0.0")) || (isInNet(egressip, "185.46.212.0", "255.255.252.0")) ||
      	(isInNet(egressip, "194.9.96.0", "255.255.240.0")) || (isInNet(egressip, "194.9.112.0", "255.255.252.0")) ||
      	(isInNet(egressip, "194.9.116.0", "255.255.255.0")) || (isInNet(egressip, "196.23.154.64", "255.255.255.224")) ||
      	(isInNet(egressip, "196.23.154.96", "255.255.255.224")) || (isInNet(egressip, "197.98.201.0", "255.255.255.0")) ||
      	(isInNet(egressip, "197.156.241.224", "255.255.255.224")) || (isInNet(egressip, "198.14.64.0", "255.255.192.0")) ||
      	(isInNet(egressip, "199.168.148.0", "255.255.254.0")) || (isInNet(egressip, "209.55.128.0", "255.255.192.0")) ||
      	(isInNet(egressip, "209.55.192.0", "255.255.224.0")) || (isInNet(egressip, "211.144.19.0", "255.255.255.0")) ||
      	(isInNet(egressip, "220.243.154.0", "255.255.254.0")) || (isInNet(egressip, "221.122.91.0", "255.255.255.0")))
              return "PROXY 185.46.212.88:80";

      List of Zscaler public IP addresses to detect whether Zscaler Client Connector is accessing the Zscaler cloud using a GRE/IPSec tunnel. These addresses are documented in the Zscaler Aggregate IP Address Ranges section: https://config.zscaler.com/[cloudname].net/cenr

      {
      return "PROXY 185.46.212.88:80";
      }

      If Zscaler Client Connector is at a no-default route location, it uses the Zscaler GVIP 185.46.212.88 as the explicit proxy address for service discovery, enrollment, authentication, and policy and pac downloads.

      Instead of using the Zscaler GVIP, use the internal IP address, e.g, . 10.10.10.10 for No External Route Networks.

          if (trust.test(host) || iam.test(host) || /^trust.zscaler.us$/.test(host) || /^config.zscaler.com$/.test(host))
              return "DIRECT";
          // Bypasses for ZPA
          if ((isInNet(resolved_ip, "100.64.0.0", "255.255.0.0")) || (shExpMatch(host, "*.private.zscaler.com")) || (shExpMatch(host, "*.zpath.net")))
              return "DIRECT";
      When Zscaler Client Connector is Off Trusted Network, use this criteria to bypass Zscaler.
          return "PROXY ${GATEWAY_FX}:${ZS_CUSTOM_PORT}; PROXY ${SECONDARY_GATEWAY_FX}:${ZS_CUSTOM_PORT}; DIRECT";
      }
      Use auto-assigned data centers to connect via Z-Tunnel 2.0 when Off Trusted Network.
      Close
    • Create an App Profile and associate it to the previously created Forwarding Profile:

      1. In the Zscaler Client Connector Portal, on the left-side navigation, click App Profiles and select the relevant OS. The following example uses Windows.
      2. Click Add Windows Policy. The Add Windows Policy window appears.
      3. For Forwarding Profile, choose the forwarding profile created previously created.
      1. In the PAC and Proxy section, enter the URL in the Custom PAC URL section.
      2. In Proxy Configuration, enable Disable Loopback Restriction.
      3. Enable the Cache System Proxy option. When enabled, this option restores the System PAC after the user exits Zscaler Client Connector.
      4. Override WPAD: (Optional) Enable this option if WPAD is in use.
      5. Restart WinHTTP Service: (Optional) Enable this option if WPAD is in use.
      1. In the Advanced section, enable Tunnel Internal Client Connector Traffic.
      Close
    Close
  • In this scenario, Zscaler Client Connector forwards ZIA traffic across all ports and protocols using Z-Tunnel 2.0 via the ZIA Private Service Edge. ZPA M-Tunnels and authentication traffic are forwarded using the Zscaler GVIP. The Zscaler GVIP, in turn, forwards the traffic to ZPA services in the Zscaler cloud. In this scenario, the ZIA location associated with the ZIA Private Service Edge cluster has Force Authentication enabled to ensure that the Private Service Edge doesn't operate as an open proxy.

    Zscaler Client Connector forwards ZIA traffic across all ports and protocols using Z-Tunnel 2.0

    You must configure the following high-level steps to forward traffic on all ports/protocols by Zscaler Client Connector using Z-Tunnel 2.0 in no-default Environments.

    • Ensure that all configuration requirements have been met before continuing with the following steps.

      Close
    • Follow the steps for Using Custom PAC Files to Forward Traffic to ZIA to add a custom PAC file. Use the following PAC file:

      function FindProxyForURL(url, host) {
         var resolved_ip = dnsResolve(host);
         if ((dnsDomainIs(host, "1.2.3.4")) || (shExpMatch(host, "*.zscaler.net")) ||
             (shExpMatch(host, "*.zscalertwo.net")) || //Service Discovery, Enrollment, Login
             (shExpMatch(host, "mobilesupport.zscaler.com")) || //Support
             (shExpMatch(host, "*.zdxcloud.net")) || //ZDX
             (shExpMatch(host, "*.digicert.com")) || //Cert validation
              
             // Zscaler Updates
             (localHostOrDomainIs(host, "d32a6ru7mhaq0c.cloudfront.net")) || (localHostOrDomainIs(host, "d3l44rcogcb7iv.cloudfront.net")) ||
             (localHostOrDomainIs(host, "dwv281inkfqg3.cloudfront.net")) ||
              
             // Required for Entra IdP
             (shExpMatch(host, "*.msauth.net")) || (shExpMatch(host, "*.msauthimages.net")) ||
             (shExpMatch(host, "*.msftauthimages.net")) || (localHostOrDomainIs(host, "login.microsoftonline.com")) ||
             (localHostOrDomainIs(host, "autologon.microsoftazuread-sso.com")) || (localHostOrDomainIs(host, "login.windows.net")))
         {
             return "PROXY 185.46.212.88:80";
         }
         /* Forward to Client Connector */
         return "DIRECT";
      }
      Close

      Refer to the following table for forwarding PAC file details.

      PAC File Code DetailsNotes
      if ((dnsDomainIs(host, "1.2.3.4")) || (shExpMatch(host, "*.zscaler.net")) ||Special URL checked by Zscaler Client Connector to enroll using an Explicit proxy, in this case the Zscaler GVIP (185.46.212.88).
      (shExpMatch(host, "*.zscalertwo.net")) || //Service Discovery, Enrollment, LoginReplace the wildcard domain with the one that matches the cloud.
      (shExpMatch(host, "mobilesupport.zscaler.com")) || //Support
      (shExpMatch(host, "*.zdxcloud.net")) || //ZDX
      (shExpMatch(host, "*.digicert.com")) || //Cert validation
      Required for Support access, Zscaler Digital Experience (ZDX), and certificate validation during discovery and enrollment.
      (localHostOrDomainIs(host, "d32a6ru7mhaq0c.cloudfront.net")) || (localHostOrDomainIs(host, "d3l44rcogcb7iv.cloudfront.net")) ||
      (localHostOrDomainIs(host, "dwv281inkfqg3.cloudfront.net")) ||
      Required for Zscaler Client Connector software and module updates during discovery and enrollment.
      (shExpMatch(host, "*.msauth.net")) || (shExpMatch(host, "*.msauthimages.net")) ||
      (shExpMatch(host, "*.msftauthimages.net")) || (localHostOrDomainIs(host, "login.microsoftonline.com")) ||
      (localHostOrDomainIs(host, "autologon.microsoftazuread-sso.com")) || (localHostOrDomainIs(host, "login.windows.net")) ||
      Required for authentication during enrollment. The example shows domains required by Entra. Use domains required for your IdP.
      return "PROXY 185.46.212.88:80";

      If Zscaler Client Connector is at a no-default route location, it uses the Zscaler GVIP 185.46.212.88 as the explicit proxy address to complete discovery and enrollment.

      Instead of using the Zscaler GVIP, use the internal IP address, e.g., 10.10.10.10 for No External Route Networks.

      return "DIRECT";
      }
      All other traffic is sent to Zscaler Client Connector.
      Close
    • Create a Trusted Network Criteria so Zscaler Client Connector can detect when it is on a Trusted Network (no-default route environment). Follow these steps to create a forwarding profile:

      1. In the Zscaler Client Connector Portal, go to Administration > Forwarding Profile.
      2. Click Add Forwarding Profile.
        The Add Forwarding Profile window appears.
      3. Enter a name for the profile.
      4. For Predefined Trusted Networks, choose the Selected option. This allows Zscaler Client Connector to detect when it is in a no-default route environment. To learn more about trusted networks, see Configuring Trusted Networks for Zscaler Client Connector.
      1. For On Trusted Network, select Tunnel.
      2. For Tunnel version selection, select Z-Tunnel 2.0.
      1. Disable Redirect Web Traffic to Zscaler Client Connector Listening Proxy and Use Z-Tunnel 2.0 for Proxied Web Traffic.
      2. For Proxy Action Type, select Apply on Trusted Network Type Change.
      3. Select the PAC URL Location and choose PAC URL.
      4. In the Custom PAC URL section, enter the PAC URL for the forwarding profile.
      1. For Off Trusted Network, select the forwarding mechanisms as per your organization's requirements. Zscaler supports all forwarding mechanism for off-trusted network users. The following example uses Tunnel.
      2. For Tunnel version selection, select Z-Tunnel 2.0.
      1. Enable Redirect Web Traffic to Zscaler Client Connector Listening Proxy.

      A PAC URL is not required for an Off Trusted Network.

      Close
    • Follow the steps for Using Custom PAC Files to Forward Traffic to ZIA to add a custom PAC file. Use the following PAC file:

      function FindProxyForURL(url, host) {
       
          var customPort = "${ZS_CUSTOM_PORT}"; // Assigned port for local region - ZS_CUSTOM_PORT
          var egressip = "${SRCIP}";
       
          // Zscaler public egress subnets
          if ((isInNet(egressip, "58.220.95.0", "255.255.255.0")) || (isInNet(egressip, "64.215.22.0", "255.255.255.0")) ||
              (isInNet(egressip, "87.58.64.0", "255.255.192.0")) || (isInNet(egressip, "94.188.131.0", "255.255.255.128")) ||
              (isInNet(egressip, "94.188.139.64", "255.255.255.192")) || (isInNet(egressip, "94.188.248.64", "255.255.255.192")) ||
              (isInNet(egressip, "98.98.26.0", "255.255.255.0")) || (isInNet(egressip, "98.98.27.0", "255.255.255.0")) ||
              (isInNet(egressip, "98.98.28.0", "255.255.255.0")) || (isInNet(egressip, "101.2.192.0", "255.255.192.0")) ||
              (isInNet(egressip, "104.129.192.0", "255.255.240.0")) || (isInNet(egressip, "112.137.170.0", "255.255.255.0")) ||
              (isInNet(egressip, "124.248.141.0", "255.255.255.0")) || (isInNet(egressip, "128.177.125.0", "255.255.255.0")) ||
              (isInNet(egressip, "136.226.0.0", "255.255.0.0")) || (isInNet(egressip, "137.83.128.0", "255.255.192.0")) ||
              (isInNet(egressip, "140.210.152.0", "255.255.254.0")) || (isInNet(egressip, "147.161.128.0", "255.255.128.0")) ||
              (isInNet(egressip, "154.113.23.0", "255.255.255.0")) || (isInNet(egressip, "165.225.0.0", "255.255.128.0")) ||
              (isInNet(egressip, "165.225.192.0", "255.255.192.0")) || (isInNet(egressip, "167.103.0.0", "255.255.0.0")) ||
              (isInNet(egressip, "170.85.0.0", "255.255.0.0")) || (isInNet(egressip, "185.46.212.0", "255.255.252.0")) ||
              (isInNet(egressip, "194.9.96.0", "255.255.240.0")) || (isInNet(egressip, "194.9.112.0", "255.255.252.0")) ||
              (isInNet(egressip, "194.9.116.0", "255.255.255.0")) || (isInNet(egressip, "196.23.154.64", "255.255.255.224")) ||
              (isInNet(egressip, "196.23.154.96", "255.255.255.224")) || (isInNet(egressip, "197.98.201.0", "255.255.255.0")) ||
              (isInNet(egressip, "197.156.241.224", "255.255.255.224")) || (isInNet(egressip, "198.14.64.0", "255.255.192.0")) ||
              (isInNet(egressip, "199.168.148.0", "255.255.254.0")) || (isInNet(egressip, "209.55.128.0", "255.255.192.0")) ||
              (isInNet(egressip, "209.55.192.0", "255.255.224.0")) || (isInNet(egressip, "211.144.19.0", "255.255.255.0")) ||
              (isInNet(egressip, "220.243.154.0", "255.255.254.0")) || (isInNet(egressip, "221.122.91.0", "255.255.255.0")))
              return "PROXY 10.10.10.50";
       
       
          return "PROXY ${GATEWAY_FX}:${ZS_CUSTOM_PORT}; PROXY ${SECONDARY_GATEWAY_FX}:${ZS_CUSTOM_PORT}; DIRECT";
      }
      PAC File Code DetailsNotes
      var egressip = "${SRCIP}";
      Determines the client's public IP address using the ${SRCIP} macro which is only available when the PAC file is hosted in the Zscaler cloud.
      // Zscaler public egress subnets
      if ((isInNet(egressip, "58.220.95.0", "255.255.255.0")) || (isInNet(egressip, "64.215.22.0", "255.255.255.0")) ||
      	(isInNet(egressip, "87.58.64.0", "255.255.192.0")) || (isInNet(egressip, "94.188.131.0", "255.255.255.128")) ||
      	(isInNet(egressip, "94.188.139.64", "255.255.255.192")) || (isInNet(egressip, "94.188.248.64", "255.255.255.192")) ||
      	(isInNet(egressip, "98.98.26.0", "255.255.255.0")) || (isInNet(egressip, "98.98.27.0", "255.255.255.0")) ||
      	(isInNet(egressip, "98.98.28.0", "255.255.255.0")) || (isInNet(egressip, "101.2.192.0", "255.255.192.0")) ||
      	(isInNet(egressip, "104.129.192.0", "255.255.240.0")) || (isInNet(egressip, "112.137.170.0", "255.255.255.0")) ||
      	(isInNet(egressip, "124.248.141.0", "255.255.255.0")) || (isInNet(egressip, "128.177.125.0", "255.255.255.0")) ||
      	(isInNet(egressip, "136.226.0.0", "255.255.0.0")) || (isInNet(egressip, "137.83.128.0", "255.255.192.0")) ||
      	(isInNet(egressip, "140.210.152.0", "255.255.254.0")) || (isInNet(egressip, "147.161.128.0", "255.255.128.0")) ||
      	(isInNet(egressip, "154.113.23.0", "255.255.255.0")) || (isInNet(egressip, "165.225.0.0", "255.255.128.0")) ||
      	(isInNet(egressip, "165.225.192.0", "255.255.192.0")) || (isInNet(egressip, "167.103.0.0", "255.255.0.0")) ||
      	(isInNet(egressip, "170.85.0.0", "255.255.0.0")) || (isInNet(egressip, "185.46.212.0", "255.255.252.0")) ||
      	(isInNet(egressip, "194.9.96.0", "255.255.240.0")) || (isInNet(egressip, "194.9.112.0", "255.255.252.0")) ||
      	(isInNet(egressip, "194.9.116.0", "255.255.255.0")) || (isInNet(egressip, "196.23.154.64", "255.255.255.224")) ||
      	(isInNet(egressip, "196.23.154.96", "255.255.255.224")) || (isInNet(egressip, "197.98.201.0", "255.255.255.0")) ||
      	(isInNet(egressip, "197.156.241.224", "255.255.255.224")) || (isInNet(egressip, "198.14.64.0", "255.255.192.0")) ||
      	(isInNet(egressip, "199.168.148.0", "255.255.254.0")) || (isInNet(egressip, "209.55.128.0", "255.255.192.0")) ||
      	(isInNet(egressip, "209.55.192.0", "255.255.224.0")) || (isInNet(egressip, "211.144.19.0", "255.255.255.0")) ||
      	(isInNet(egressip, "220.243.154.0", "255.255.254.0")) || (isInNet(egressip, "221.122.91.0", "255.255.255.0")))
              return "PROXY 10.10.10.50:80";

      List of Zscaler public IP addresses to detect whether Zscaler Client Connector is accessing the Zscaler cloud using a GRE/IPSec tunnel. These addresses are documented in the Zscaler Aggregate IP Address Ranges section: https://config.zscaler.com/[cloudname].net/cenr

      If Zscaler Client Connector is at a no-default route location with a GRE/IPSec tunnel, then connect to the ZIA Private Service Edge VIP address at 10.10.10.50.

      return "PROXY ${GATEWAY_FX}:${ZS_CUSTOM_PORT}; PROXY ${SECONDARY_GATEWAY_FX}:${ZS_CUSTOM_PORT}; DIRECT";
      }
      Use auto-assigned data centers to connect via Z-Tunnel 2.0 when Off Trusted Network.
      Close
    • Create an App Profile and associate the previously created Forwarding Profile with it.

      1. In the Zscaler Client Connector Portal, on the left-side navigation, click App Profiles and select the relevant OS. The following example uses Windows.
      2. Click Add Windows Policy. The Add Windows Policy window appears.
      3. For Forwarding Profile, choose the forwarding profile created previously.
      1. In the PAC and Proxy section, enter the URL in the Custom PAC URL section.
      2. In Proxy Configuration, enable Disable Loopback Restriction.
      3. Enable the Cache System Proxy option. When enabled, this option restores the System PAC when the user exits Zscaler Client Connector.
      4. Override WPAD: (Optional) Enable this option if WPAD is in use.
      5. Restart WinHTTP Service: (Optional) Enable this option if WPAD is in use.
      1. In the Advanced section, enable the Tunnel Internal Client Connector Traffic.
      1. In the App and IP Bypass section, under IPv4 Exclusion, ensure that all internal IP subnets are added so the internal traffic is not tunneled to ZIA.
      1. Ensure that 0.0.0.0/0 is present in the IPv4 Inclusion section.
      1. Add a list of all internal domains in the Domain Exclusion field for which DNS requests are sent to internal DNS servers and not ZIA.
      1. Ensure * is added to the Domain Inclusion field, so all external DNS requests are tunneled via ZIA.
      Close
    • The detailed steps to deploy a ZIA Private Service Edge cluster are not covered in this article because they are well documented in the Zscaler Help Portal.

      Create a new ZIA Location and associate the ZIA Private Service Edge cluster to that location and ensure that Force Authentication is enabled for that location to prevent traffic leakage with an open proxy.

      Close
    Close
  • In this scenario, Zscaler Client Connector forwards ZIA traffic across all ports and protocols using Z-Tunnel 2.0 via a third-party proxy. ZPA M-Tunnels and authentication traffic are forwarded using the Zscaler GVIP. The Zscaler GVIP, in turn, forwards the traffic to ZPA services in the Zscaler cloud.

    Zscaler forwards forwards ZIA traffic across all ports and protocols

    The configuration for this scenario is the same as Scenario 3 with the following exceptions regarding the third-party proxy:

    • The Forwarding Profile for Z-Tunnel 2.0, when on-premises should only use TLS (instead of DTLS).
    • The proxy must not attempt to authenticate requests destined for Zscaler IP addresses.
    • The proxy must not attempt to authenticate requests destined for the IdP.
    • The proxy must not attempt to re-resolve DNS based on SNI.
    • The proxy must have TLS inspection disabled and tunnel all Zscaler and IdP bound requests.
    • A separate ZIA Location (used for the ZIA Private Service Edge cluster in the previous step) isn't required.
    • To account for situations where Zscaler Client Connector falls back to Z-Tunnel 1.0 at locations with a large number of users, consider using a Source-NAT IP address pool with multiple IP addresses and ensure that the load-balancing used with the pool uses sticky connections based on client IP addresses.
    Close
Related Articles
Implementing Zscaler Client Connector in No-Default Route EnvironmentsDomain Validation in Zscaler Client Connector for ZPA ApplicationsBest Practices for Zscaler Client Connector and VPN Client InteroperabilityZscaler Client Connector and Charles Proxy InteroperabilityZscaler Client Connector Processes to AllowlistAllowing Traffic to the ID Federation URL by Bypassing Zscaler Client ConnectorEnrolling Zscaler Client Connector Users When Using a ProxyUsing Fiddler with Zscaler Client ConnectorBest Practices for Using PAC Files with Zscaler Client Connector