The ZT800 Zero Trust Branch Device has support for the following copper and fiber small form-factor pluggable (SFP) ports in gateway mode:

• Copper: Finisar - FCLF8522P2BTL
  • Cat5e or later Ethernet cable
• Fiber short range (SR): Finisar - FTLF8519P3BNL
  • Multi-mode: Aqua fiber optic cable
  • Signal distance: 500 meters
  • Rate category for the interface type: 1000BASE-SX
• Fiber long range (LR): Finisar - FTLF1318P3BTL
  • Single-mode: Yellow fiber optic cable
  • Signal distance: 10 kilometers
  • Rate category for the interface type: 1000BASE-LX

Additionally, GE1 and GE2 ports are selectable as WAN and LAN ports, hot swappable, and only available for SFP ports.

To learn more, see Configuring a Branch Configuration Template.

Port and protocol forwarding enable granularity in inclusion and exclusion policies by allowing you to enter an IP address:port range or an IP address:port:protocol range.

To learn more, see Configuring VDI Forwarding Profiles.

Zscaler Cloud Connector supports Zscaler Private Access (ZPA) access policies based on the user-defined tags and cloud attributes mapped to a source workload. Security teams can leverage workload groups to use user-defined and attribute tags in Zscaler Internet Access (ZIA) policies. These workload groups extend to ZPA access policies. Workload group can be a criterion of a ZPA access policy, so Cloud Connector traffic can be matched by workload group criteria.

To learn more, see About Access Policy, About Workload Groups, Understanding Workload Groups, and Configuring Workload Groups.

Several enhancements have been made to Zero Trust Branch Devices. The functionalities include:

• Predefined DNS and forwarding rules added to the Zscaler Cloud & Branch Connector Admin Portal:
  • One predefined DNS rule and three predefined traffic forwarding rules, which use Zscaler domains groups, LAN destination groups, WAN destination groups, and app service groups for Zscaler domains, are available.
  • The rules are disabled by default, but you can enable them. They are only applicable to Zero Trust Branch Devices deployed in gateway mode and should not be applied to other form factors or Zscaler Cloud Connectors.
• Branch configuration template Dynamic Host Configuration Protocol (DHCP) enhancements made to Zero Trust Branch Devices deployed in gateway mode:
  • The default lease time's default value increased from 600 seconds to 86400 seconds.
  • The maximum lease time's default value increased from 86400 seconds to 604800 seconds.
  • You can specify up to 4 domain names and 4 DNS servers in the DHCP Options section.
  • You can configure peer DHCP when high availability (HA) is enabled.
• You can monitor ZIA gateway tunnel and ZPA broker tunnel data for Zero Trust Branch Devices deployed in gateway mode.
• An LED indicator on the front of Zero Trust Branch Devices changes to reflect the progress of a deployment. A solid green light indicates that all services are running, and the device is operating normally.

To learn more, see About DNS Gateways, About Traffic Forwarding, Configuring Traffic Forwarding Rules, About DNS Policies, About Destination IP Groups, Configuring a Branch Configuration Template, Analyzing Branch Connector Details, and Deploying Zero Trust Branch Devices.

The Microsoft Azure virtual machine (VM) for Zscaler Cloud Connector has been updated to version 24.3.3. This version addresses deployments in environments that contain a large number of network interface resources. To learn more, see Deploying Zscaler Cloud Connector with Microsoft Azure.

Zscaler Cloud Connector is available in the Amazon Web Services (AWS) China Marketplace. CloudFormation automation deployment templates were updated with support for Amazon Machine Image (AMI) version 24.3.1 in the AWS China (Beijing) region and the AWS China (Ningxia) region.

To learn more, see Deploying Zscaler Cloud Connector with Amazon Web Services.

The Zscaler Cloud Connector Microsoft Azure virtual machine (VM) was updated to version 24.3.2 and supports Virtual Machine Scale Sets (VMSS) deployment with Microsoft Azure. In the Zscaler Cloud & Branch Connector Admin Portal, references to Auto Scaling also refer to VMSS. To enable VMSS, contact Zscaler Support.

To learn more, see About Cloud Provisioning Templates, Configuring a Cloud Provisioning Template, About Cloud Connector Groups, Troubleshooting Cloud Connector with Microsoft Azure, Deployment Templates for Zscaler Cloud Connector, and Deploying Zscaler Cloud Connector with Microsoft Azure.

Zscaler Branch Connector now supports deployment on the Microsoft Hyper-V platform.

To learn more, see Deploying Branch Connector with Hyper-V, Deploying Branch Connector & App Connector with Hyper-V, Deployment Templates for Zscaler Branch Connector & App Connector, Downloading Branch Connector Images, About Branch Configuration Templates, and Configuring a Branch Configuration Template.

Zscaler Cloud Connector is available in the Amazon Web Services (AWS) China Marketplace. Terraform automation deployment templates were updated with support for Amazon Machine Image (AMI) version 24.3.1 in the AWS China (Beijing) region and the AWS China (Ningxia) region.

To learn more, see Deployment Templates for Zscaler Cloud Connector.

Zscaler Cloud Connector deployment is available from the Azure China Marketplace. If you are deploying from China, you no longer need to request a private Azure VHD from Zscaler Support. Instead, you can deploy to the Azure China Marketplace through Terraform deployment templates available on GitHub.

To learn more, see Deployment Templates for Zscaler Cloud Connector and Deploying Zscaler Cloud Connector with Microsoft Azure.

You can leverage user-defined tags across Amazon Web Services (AWS) accounts in cross-account deployments with workload communications. To learn more, see About Amazon Web Services Accounts, Adding an Amazon Web Services Account, About Amazon Web Services Account Groups, and Adding an Amazon Web Services Account Group.

Support for Zscaler Private Access (ZPA) using Zscaler Client Connector for VDI is available.

To learn more, see What Is Zscaler Client Connector for VDI?, Step-by-Step Configuration Guide for Zscaler Client Connector for VDI, Configuring VDI Forwarding Profiles, and Configuring VDI Templates.

The name of the Zscaler VDI Agent has changed to Zscaler Client Connector for VDI in the Zscaler Cloud & Branch Connector Admin Portal. To learn more, see What is Zscaler Client Connector for VDI, Downloading Zscaler Client Connector for VDI, Step-by-Step Configuration Guide for Zscaler Client Connector for VDI, and Zscaler Client Connector for VDI Management.

The Zscaler Cloud & Branch Connector Admin Portal login process was updated to allow Zscaler to check if ZIdentity is enabled for your account depending on your Login ID.

To learn more, see Accessing and Navigating the Zscaler Cloud & Branch Connector Admin Portal and Accessing and Navigating the ZIdentity Landing Page.

The Zscaler Client Connector for Virtual Desktop Infrastructure (VDI) application version 1.3.0.14 is available for download from the Zscaler Cloud & Branch Connector Admin Portal, but it does not have 32-bit support. This version contains a new installer parameter, USEEMBEDDEDBROWSER, which enables embedded browser support.

The Zscaler Client Connector for Virtual Desktop Infrastructure (VDI) application version 1.2.0.19 is available for download from the Zscaler Cloud & Branch Connector Admin Portal, but it does not have 32-bit support. This version changes the name of the application from Zscaler VDI Agent to Zscaler Client Connector for VDI. It also contains a new installer parameter, HIDEAPPONUILAUNCH, which minimizes the application when launching. To learn more, see Downloading Zscaler VDI Agent.

The Microsoft Azure virtual machine (VM) for Zscaler Cloud Connector has been updated to version 24.3.1. This version contains improvements to the Azure Linux VM Agent.

To learn more, see Deploying Zscaler Cloud Connector with Microsoft Azure and Deployment Templates for Zscaler Cloud Connector.

The Zscaler Virtual Desktop Infrastructure (VDI) Agent application version 1.1.0.12 is available for download from the Zscaler Cloud & Branch Connector Admin Portal. This version fixes an issue where the policy was not updating after restarting the Zscaler VDI Agent. It also fixes an issue where the driver was not being installed due to a race condition. Improvements were also made to rate limit reauthentication prompts for users.

To learn more, see Downloading Zscaler VDI Agent.

App segments allow more granularity and control in traffic forwarding policies. You can enable all app segments, which applies them to a ZPA or Drop traffic forwarding rule.

Alternatively, you can disable all app segments and select one of the following:

• Configure neither application segments or segment groups and the rule bypasses this setting.
• Configure a specific application segment and/or segment group and the rule only matches configured segments or groups.

To learn more, see Configuring Traffic Forwarding Rules and Ranges & Limitations.

The Zscaler Virtual Desktop Infrastructure (VDI) Agent application version 1.1.0.8 is now available for download from the Zscaler Cloud & Branch Connector Admin Portal. This version fixes an issue where the Zscaler VDI Agent caused packet fragmentation, resulting in failed connections to internal Microsoft Azure endpoints. It also moves the Zscaler VDI Agent's user configuration file to the user's roaming profile folder, which allows you to restore the user-specific configurations using tools such as Citrix UPM or FSLogix.

To learn more, see Downloading Zscaler VDI Agent.

You can add wildcard domains and fully qualified domain names (FQDNs) as criteria for traffic forwarding rules in the Zscaler Cloud & Branch Connector Admin Portal. The wildcard domain and FQDN feature require you to ensure firewalls do not restrict communication between grouped Cloud or Branch Connectors.

To learn more, see Configuring Traffic Forwarding Rules, Configuring Destination IP Groups, Troubleshooting Cloud Connector with Amazon Web Services, Troubleshooting Cloud Connector with Microsoft Azure, and Troubleshooting Cloud Connector with Google Cloud Platform.

Zscaler Cloud Connector and Zscaler Branch Connector sublocations configured within the ZIA Admin Portal (Administration > Location Management) can now be selected when configuring traffic forwarding rules and DNS filtering rules within the Zscaler Cloud & Branch Connector Admin Portal. Additionally, Cloud & Branch Connector sublocations can be selected when configuring policies within the ZPA Admin Portal. Sublocations enable Cloud & Branch Connector to create new locations that reference IP addresses encapsulated within Cloud & Branch Connector tunnels.

To learn more, see About Locations, Understanding Sub-Locations, Configuring Sub-Locations, Configuring Traffic Forwarding Rules, and Configuring the DNS Filtering Rule.

Zscaler Cloud & Branch Connector supports DNS gateways and split DNS policies, which provide enhancements to DNS features. To learn more, see About DNS Gateways, Configuring a DNS Gateway, Configuring the DNS Filtering Rule, and Modifying the Default DNS Control Rule.

Zero Trust Branch Devices (ZT400, ZT600, and ZT800) can be deployed in gateway mode. Gateway mode deployment provides the following functionalities:

• Multiple wide area network (WAN) uplinks
• Internet service provider (ISP) uplink path monitoring with quality score
• Multiple Layer 3 local area network (LAN) interfaces
• Virtual local area network (VLAN) tags (802.1q encapsulation)
• Dynamic host configuration protocol (DHCP) server and client enablement
• Static routing
• WAN redundancy (Active/Active or Active/Standby)
• LAN redundancy (High Availability per VLAN interface)
• Device redundancy (High Availability for WAN interface failure)
• LAN-to-LAN traffic filtering
• DNS security through DNS gateways and DNS policy
• Application-aware path selection based on uplink quality score
• Enhanced monitoring and visibility of Zero Trust Branch Devices
• Integrated App Connector deployment servicing all LAN ports
• Ability to edit Zero Trust Branch Device configurations after deployment

To enable this feature, contact Zscaler Support.

To learn more, see Configuring a Branch Configuration Template, Configuring Traffic Forwarding Rules, Configuring a DNS Gateway, Configuring the DNS Filtering Rule, Analyzing Branch Connector Details, Installing Zero Trust Branch Devices, and Deploying Zero Trust Branch Devices.