icon-unified.svg
Experience Center

Understanding Source IP Anchoring Direct

Source IP Anchoring Direct is a set of configurations that supports Source IP Anchoring forwarding policies when in disaster recovery mode. When configured for disaster recovery, the Source IP Anchoring configurations must be changed to the Source IP Anchoring Direct configurations to ensure proper forwarding during a disaster recovery event.

To configure Source IP Anchoring client policies for Source IP Anchoring Direct, you must change or verify the following configurations for the duration of a disaster recovery event:

  • The Client Forwarding Policy rule configured for Source IP Anchoring must be changed as follows:

    1. Go to the Client Forwarding Policy page (Infrastructure > Private Access > Client Connector Policies > Client Forwarding Policies).
    2. Change the client forwarding policy rules:

      • For the domain-based application rule with Segment Groups and Client Types > Client Connector criteria, change the Rule Action from Bypass Private Applications to Forward to Private Applications.

      • For the IP address-based application rule with Segment Groups, change the Rule Action from Only Forward Allowed Applications to Forward to Private Applications.
    Close

  • Some Access Policy configurations support Source IP Anchoring but do not support Source IP Anchoring Direct. The following Access Policy configurations prevent Source IP Anchoring Direct from working:

    • Any Access Policy rule that blocks access to Zscaler Client Connectors. For example, Application Segment (or Segment Groups) and Client Type > Client Connector with the Block Access rule action enabled.
    • Any Access Policy rule that results in the Default Rule.
    Close

If you plan to use the Source IP Anchoring Direct configurations, Zscaler recommends that you ensure there is an Access Policy that allows access to the applications from Zscaler Client Connectors. To learn more, see Configuring Access Policies.

Restoring Source IP Anchoring after Source IP Anchoring Direct

When the disaster recovery event ends, revert the Client Forwarding Policy rule and Access Policy rule configured for Source IP Anchoring Direct back to the Source IP Anchoring configuration as follows:

  • The Client Forwarding Policy rule configured for Source IP Anchoring Direct must be changed as follows:

    1. Go to the Client Forwarding Policy page (Infrastructure > Private Access > Client Connector Policies > Client Forwarding Policies).
    2. Change the client forwarding policy rules:
      • For the domain-based application rule with Segment Groups and Client Types > Client Connector criteria, change the Rule Action from Forward to Private Applications to Bypass Private Applications.
      • For the IP address-based application rule with Segment Groups, change the Rule Action from Forward to Private Applications to Only Forward Allowed Applications.

    Close

  • The Access Policy rule configured for Source IP Anchoring Direct must be changed as follows:

    1. Go to the Access Policy page (Policies > Access Control > Private Applications > Access Policy).
    2. Change the Access Policy rules:
      • For domain-based applications, ensure that you allow the Source IP Anchoring client to access the applications.
      • For IP address-based applications, configure the following rules:
        1. Rule 1: Select the Block Access rule action and add all the client types, except the Service Edge client type for the Source IP Anchoring application segments. This rule prevents application download on the Zscaler Client Connector.
        2. Rule 2: Select the Allow Access rule action and add only the Service Edge client type for the Source IP Anchoring application segments.
    Close
Related Articles
About ApplicationsConfiguring Defined Application SegmentsEditing Defined Application SegmentsAbout AI-Powered Recommendations for Application SegmentsConfiguring AI-Powered RecommendationsMerging AI-Powered RecommendationsSharing Defined Application SegmentsConfiguring AI-Powered Recommendations SettingsValidating a Client HostnameAdding DNS Search DomainsSetting Application Segment Configuration WarningsAbout AppProtection ApplicationsAbout Privileged Remote Access ApplicationsAbout Application DiscoveryAbout Application AccessUnderstanding Double EncryptionUnderstanding Health ReportingDefining a Dynamically Discovered ApplicationConfiguring Bypass SettingsDisabling Access to ApplicationsUnderstanding Source IP Anchoring DirectUsing Application Segment MultimatchAbout Application Segment ImportUsing Application Segment ImportMerging Imported Application Segments