Configuring Forwarding Profiles for the Zscaler App

The forwarding profile tells the Zscaler App how to treat traffic from your users' system in different network environments for the Zscaler Internet Access (ZIA) and Zscaler Private Access (ZPA) services.


To add a forwarding profile:

  1. In the Zscaler App portal, go to Administration from the top menu, then from the left menu, select Forwarding Profile.
  2. Click Add Forwarding Profile.
  3. Enter an alphanumeric Profile Name.
  4. With Trusted Network Criteria, define how the Zscaler App recognizes when a user is On Trusted Network.
    See the instructions for Trusted Network Criteria below.
  5. With Windows Driver Selection, define which driver method to use for Tunnel mode.

The filter driver applies only to Windows devices, and only to Tunnel mode for ZIA and ZPA. To learn more, see Using the Windows Filter Driver for the Zscaler App.

  6. With Forwarding Profile Action, define how the Zscaler App treats traffic from your users' systems for the ZIA service in different network environments. For each network type below, select a forwarding profile action, which specifies how the app treats the traffic from your users' systems for the ZIA service.
    • On Trusted Network
    • VPN Trusted Network
    • Off Trusted Network

There are four possible forwarding profile actions you can choose for each network type: Tunnel, Tunnel with Local Proxy, Enforce Proxy, and None. Each is described later on this page.

After you choose the behavior for On Trusted Network, if you want the same behavior to apply to either the VPN Trusted Network or Off Trusted Network, you can simply check Same as "On Trusted Network".

  7. With Forwarding Profile Action for ZPA, define how the Zscaler App treats traffic from your users' systems for the ZPA service in different network environments. For each network type below, select Tunnel if you want the app to tunnel traffic for the ZPA service; in other words, if you want the app to provide the user with access to internal applications.
    • On Trusted Network
      • Tunnel: The app uses the ZPA service to provide users with access to internal applications even when users are on trusted networks.
      • None: ZPA is disabled, and the app does not provide users with access to internal applications. Users access them directly.
    • VPN Trusted Network
      • Tunnel: Do not select this option. For ZPA, the app does not forward user traffic if a VPN is also running on the device.
      • None: ZPA is disabled, and the app does not provide users with access to internal applications.
    • Off Trusted Network
      • Tunnel: The app uses the ZPA service to provide users with access to internal applications when users are off trusted networks.
      • None: ZPA is disabled, and the app does not provide users with access to internal applications. Users can only access internal applications if they have some other mechanism for reaching internal networks.

After you choose the behavior for On Trusted Network, if you want the same behavior to apply to either the VPN Trusted Network or Off Trusted Network, you can simply check Same as "On Trusted Network".

  8. Click Save.

The Trusted Network Criteria defines the criteria a network must meet in order for the Zscaler App to determine that it is one of your trusted networks. Provide the following information about your network, then specify whether the app must verify one or all of these settings in a network to determine that the network is trusted.

  • DNS Server: The DNS servers to which your corporate network sends DNS requests. Enter the DNS servers, separated by commas. The app verifies at least one DNS server.
  • DNS Search Domains: The search domains configured as the primary domains for the network adapter used for connecting to Zscaler. Enter the search domains, separated by commas. The app only verifies the primary domains assigned to the active network adapter.
  • Host Name and IP: A hostname and the IP addresses to which the hostname resolves when users are on the corporate network. Enter the IP addresses, separated by commas. The app verifies at least one IP address.


Zscaler recommends selecting the first two conditions, DNS Server and DNS Search Domains, for trusted network criteria because they are static properties of the network interface. Hostname and IP resolution, in contrast, is a dynamic property, because the Zscaler App must take the extra step of resolving a hostname to see whether it resolves to the IP address specified in the Trusted Network Criteria. There is a chance that a resolution fails because of network transition processes. If a resolution fails, the app can incorrectly determine that the network is untrusted, in which case it applies the wrong forwarding profile action.

To configure Trusted Network Criteria:

  1. Under Add Condition, select one of the following, then click Add Condition.
    • DNS Servers
    • DNS Search Domains
    • Host Name and IP


The Condition Match field appears, along with the relevant condition field (DNS Servers, DNS Search Domains, or Host Name and Resolved IPs for Host Name).

  2. Under Condition Match, do one of the following:
    • If you are specifying just this one condition, you can skip this step. For example, if you want the Zscaler App to check only for DNS servers to confirm a trusted network, and not DNS Search Domains or Host Name and IP, you can skip this step.
    • If you are specifying more than this one condition (for example, you want the Zscaler App to check for DNS servers and DNS search domains):
      • Select Any if you want the app to validate just one of the conditions to determine the network is trusted.
      • Select All if you want the app to validate all of the conditions to determine the network is trusted.
  3. In the condition field (DNS Server, DNS Search Domain, or Host Name / Resolved IPs for Host Name), do the following:
    • Under DNS Servers, enter the IP addresses of the DNS servers to which DNS requests on this trusted network are sent.
    • Under DNS Search Domain, enter the search domains that have been configured for this trusted network.
    • In Host Name, enter a hostname. In Resolved IPs for Host Name, enter the IP addresses to which that host name resolves when a user is on this trusted network.
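To make the Any/All matching and the resolution-failure risk described above concrete, here is an added model of the trusted network evaluation (example code, not the Zscaler App's own logic). It assumes the semantics stated on this page: DNS Servers and Host Name and IP match when at least one configured value is present, a failed hostname lookup simply counts as no match, and, as an assumption, DNS Search Domains match when at least one configured domain is among the active adapter's primary search domains. The field names, the resolve() callback, and the sample network values are constructed.

```javascript
// Constructed model of Trusted Network Criteria evaluation (not the Zscaler
// App's own code). Condition semantics follow the text above; treating DNS
// Search Domains as "at least one configured domain present" is an assumption,
// as are the field names and the resolve() callback.

function intersects(configured, observed) {
  return configured.some(function (v) { return observed.indexOf(v) !== -1; });
}

// criteria: { match: "any" | "all",
//             dnsServers: [ip, ...]                     (optional)
//             searchDomains: [domain, ...]              (optional)
//             hostName: { name, resolvedIps: [ip, ...] } (optional) }
// observed: { dnsServers, searchDomains, resolve: function(name) -> [ip] or null }
function isTrustedNetwork(criteria, observed) {
  var results = [];
  if (criteria.dnsServers) {
    results.push(intersects(criteria.dnsServers, observed.dnsServers));
  }
  if (criteria.searchDomains) {
    results.push(intersects(criteria.searchDomains, observed.searchDomains));
  }
  if (criteria.hostName) {
    // Dynamic check: a lookup that fails (null) counts as "not matched", which
    // is how a transient resolution failure can misclassify a trusted network.
    var ips = observed.resolve(criteria.hostName.name) || [];
    results.push(intersects(criteria.hostName.resolvedIps, ips));
  }
  if (results.length === 0) return false;  // nothing configured: never trusted
  return criteria.match === "all" ? results.every(Boolean) : results.some(Boolean);
}

// Constructed sample: what a device sees on the corporate LAN. Passing
// resolverWorks = false models a lookup failing during a network transition.
function corpNetwork(resolverWorks) {
  return {
    dnsServers: ["10.1.1.10", "10.1.1.11"],
    searchDomains: ["corp.example.com"],
    resolve: function (name) {
      if (!resolverWorks) return null;
      return name === "intranet.corp.example.com" ? ["10.1.5.20"] : null;
    }
  };
}
```

With match set to All and a Host Name condition included, a single failed lookup marks the corporate network untrusted, which is the misclassification the recommendation above warns about.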

In Tunnel mode, the app tunnels traffic at the network (IP) layer. It captures user traffic by setting IP routes on user devices. The app forwards all port 80/443 traffic to the Zscaler service through a routing mode tunnel (Z-tunnel) with an HTTP Connect header.

In the Configure System Proxy Settings dropdown menu, define the proxy settings your users’ systems follow by selecting one of the following:

  • Enforce: Select this option if you want to define specific system proxy settings for user devices. For example, you may want most user traffic to go to Zscaler with the app, but you might want some traffic to go directly to the web or to a third-party proxy service.

If you select the Enforce option, the Zscaler App also monitors for network changes and reapplies the proxy settings.

  • Apply on Network Change: Select this option if you want to apply specific system proxy settings to user devices only when the network changes.

If you select the Apply on Network Change option, the Zscaler App only enforces your proxy settings when the network changes, but does not monitor for proxy changes afterward.

  • Never: Select this option if you want Zscaler App to never update any system proxy settings.
     

For the Enforce and Apply on Network Change options, you can configure the following system proxy settings:

  • Automatically Detect Settings: Select this option if you want the users’ devices to use proxy discovery on the network.
  • Use Automatic Configuration Script: Select this option if you want to use a PAC file to specify automatic proxy settings on users’ devices.
     

In the PAC URL field, enter the custom PAC URL. Zscaler fetches the PAC file at the specified URL and enforces your chosen proxy settings.

When using Tunnel mode, use the PAC file only to bypass traffic away from the Zscaler App; do not use it to send traffic to the Zscaler App (Z App) or to the Zscaler cloud.

  • Use Proxy Server for your LAN: Select this option if you want to use a specific proxy server and port.


In the IP Address or Domain field, enter an FQDN, IP address, or plain hostname with the http:// or https:// prefix.
In the Port field, enter any port ranging from 1 to 65534.

  • Bypass Proxy Server for local addresses: Select this option if you want the proxy server to be bypassed for local resources.
  • Execute GPO Update: Select this option if you want to execute the GPO update command on Windows devices when the Zscaler App detects a network change.


If your users run a VPN client on their devices while running the Zscaler App:

  • If your VPN runs in full-tunnel mode, Zscaler recommends that you don't select Tunnel mode for any network type. Zscaler advises this because VPN clients work at the network (IP) layer, which is the same layer the Zscaler App works in if you select Tunnel mode. Both the VPN and the app working at the same layer increases the likelihood of interoperability problems.

Instead, Zscaler recommends using Tunnel with Local Proxy mode for all networks in this case. At the least, Zscaler strongly recommends you don't select Tunnel for VPN Trusted Network if users are simultaneously running a VPN client. If your organization still decides to use the app in Tunnel mode alongside a VPN client for ZIA, see Best Practices for Zscaler App and VPN Client Interoperability for steps to take to prevent connectivity issues.

  • If your VPN runs in split-tunnel mode, ensure that you allow traffic destined for the VPN gateway to bypass the Zscaler App. For this mode, Zscaler recommends that you select Tunnel mode and select the packet filter driver for your Windows users. To learn more, see Best Practices for Zscaler App and VPN Client Interoperability.

Tunnel with Local Proxy is the default mode selected for all network types when you configure forwarding profiles. In this mode, the Zscaler App sets proxy settings on user devices so that all user traffic is tunneled to Zscaler. The app does this by automatically installing a PAC file on the system to force all traffic to go to the local host. Zscaler recommends this forwarding profile for the following reasons:

  • In Tunnel with Local Proxy mode, users don't encounter interoperability issues if they have VPN clients running alongside the app. This is because in this mode, the app works at the application layer, instead of the network (IP) layer, where VPN clients work. (In contrast, when the app runs in Tunnel mode, interoperability issues arise because the app and the VPN client contend for user traffic at the same layer.) In Tunnel with Local Proxy mode, the app allows the VPN to take traffic as needed, but sets proxy settings to ensure all user traffic is still protected by Zscaler.
  • In contrast to when you use the Enforce Proxy mode, the app transparently handles authentication for users. This way, users don't have to reauthenticate for applications when they open new browsers and are less likely to run into issues accessing applications that aren't browser-based.


In the Configure System Proxy Settings dropdown menu, define the proxy settings your users’ systems follow:

The Enforce option is selected by default and cannot be changed. This option allows the Zscaler App to enforce your proxy settings by monitoring for network changes and re-applying settings. The Zscaler App also ensures that users cannot tamper with their proxy settings.

You can configure the following system proxy settings:

  • Use Automatic Configuration Script: This option is selected by default. This option allows you to use a PAC file to specify automatic proxy settings on users’ devices.


In the PAC URL field, enter the custom PAC URL. Zscaler fetches the PAC file at the specified URL and enforces your chosen proxy settings.

If using Zscaler App version 1.1.1 or later, you are not required to add a custom PAC file when selecting Tunnel with Local Proxy. If using a version earlier than 1.1.1, you must create a local proxy PAC file that includes a proxy statement to a loopback IP address and port (127.0.0.1:9000). The app installs this PAC file on users' systems and is able to capture all traffic from the system. 

  • Execute GPO Update: Select this option if you want to execute the GPO update command on Windows devices when the Zscaler App detects a network change.
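As an added example (not a Zscaler-supplied file), here is a local proxy PAC file of the kind described above for app versions earlier than 1.1.1: it sends everything to the loopback listener at 127.0.0.1:9000 and returns DIRECT only for local resources and the VPN gateway, following the VPN bypass advice earlier on this page. vpn.example.com is a placeholder for your own gateway FQDN, the bypass list is an assumption for your environment, and the file uses plain string checks instead of the PAC runtime helpers so it can also be run as ordinary JavaScript.

```javascript
// Constructed example of a local proxy PAC file for Tunnel with Local Proxy mode
// (app versions earlier than 1.1.1): all traffic goes to the app's loopback
// listener, except traffic that must bypass it. Written with plain string checks
// instead of PAC runtime helpers so the same file runs under Node for testing.

var LOCAL_PROXY = "PROXY 127.0.0.1:9000";  // loopback IP and port named in the docs
var VPN_GATEWAY = "vpn.example.com";        // placeholder: your VPN gateway FQDN

// Domains (and their subdomains) that must never go through the local proxy.
// Assumption: only the VPN gateway needs this; extend for your environment.
var BYPASS_DOMAINS = [VPN_GATEWAY];

// dnsDomainIs() equivalent: host equals the domain or is a subdomain of it.
function endsWithDomain(host, domain) {
  return host === domain || host.slice(-(domain.length + 1)) === "." + domain;
}

// Local resources: plain hostnames (no dots, e.g. "intranet"), loopback and
// link-local IPv4 literals. IPv6 literals contain no dot and also go DIRECT here.
function isLocalAddress(host) {
  return host.indexOf(".") === -1 ||
         host.indexOf("127.") === 0 ||
         host.indexOf("169.254.") === 0;
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  if (isLocalAddress(host)) return "DIRECT";
  for (var i = 0; i < BYPASS_DOMAINS.length; i++) {
    if (endsWithDomain(host, BYPASS_DOMAINS[i])) return "DIRECT";
  }
  // Everything else is captured by the Zscaler App's local proxy listener.
  return LOCAL_PROXY;
}
```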
     

Best Practices:

If you have a VPN client running simultaneously with the Zscaler App, ensure VPN clients aren't configured to change proxy settings on user devices. If VPN clients tamper with proxy settings in any way, the app does not forward traffic properly.

In this mode, you can choose to Disable Loopback Restriction, Override WPAD, and Restart WinHTTP Service for Windows devices to ensure the app can properly set proxy settings on those devices. To learn more, see Configuring Zscaler App Profiles.

In Enforce Proxy mode, the Zscaler App enforces system proxy settings as specified, without tunneling any traffic.

In the Configure System Proxy Settings dropdown menu, define the proxy settings your users’ systems follow:

The Enforce option is selected by default and cannot be changed. This option allows the Zscaler App to enforce your proxy settings by monitoring for network changes and re-applying settings. The Zscaler App also ensures that users cannot tamper with their proxy settings.

You can configure the following system proxy settings:

  • Automatically Detect Settings: Select this option if you want the users’ devices to use proxy discovery on the network.
  • Use Automatic Configuration Script: Select this option if you want to use a PAC file to specify automatic proxy settings on users’ devices.
     

In the PAC URL field, enter the custom PAC URL. Zscaler fetches the PAC file at the specified URL and enforces your chosen proxy settings.

  • Use Proxy Server for your LAN: Select this option if you want to use a specific proxy server and port.


In the IP Address or Domain field, enter an FQDN, IP address, or plain hostname with the http:// or https:// prefix.
In the Port field, enter any port ranging from 1 to 65534.

  • Bypass Proxy Server for local addresses: Select this option if you want the proxy server to be bypassed for local resources.
  • Execute GPO Update: Select this option if you want to execute the GPO update command on Windows devices when the Zscaler App detects a network change.

In None mode, the Zscaler App does not tunnel any traffic at all. It performs no actions on the user's device.

In the Configure System Proxy Settings dropdown menu, define the proxy settings your users’ systems follow:

  • Apply on Network Change: Select this option if you want to define specific system proxy settings for user devices.

If you select the Apply on Network Change option, the Zscaler App enforces your proxy settings once, when the network changes, but does not monitor for proxy changes afterward.

  • Never: Select this option if you want Zscaler App to never update any system proxy settings.


For the Apply on Network Change option, you can configure the following system proxy settings:

  • Automatically Detect Settings: Select this option if you want the users’ devices to use proxy discovery on the network.
  • Use Automatic Configuration Script: Select this option if you want to use a PAC file to specify automatic proxy settings on users’ devices.

In the PAC URL field, enter the custom PAC URL. Zscaler fetches the PAC file at the specified URL and enforces your chosen proxy settings.

  • Use Proxy Server for your LAN: Select this option if you want to use a specific proxy server and port.


In the IP Address or Domain field, enter an FQDN, IP address, or plain hostname with the http:// or https:// prefix.
In the Port field, enter any port ranging from 1 to 65534.

  • Bypass Proxy Server for local addresses: Select this option if you want the proxy server to be bypassed for local resources.
  • Execute GPO Update: Select this option if you want to execute the GPO update command on Windows devices when the Zscaler App detects a network change.