Secure Internet and SaaS Access (ZIA)

Configuring Disaster Recovery

Enabling disaster recovery ensures business continuity in the event of a disaster scenario that impacts the global Zscaler cloud infrastructure. Disaster recovery is for organizations that depend on the Zscaler cloud to remain operational during disaster events by providing users with access to critical applications. Zscaler provides support for disaster recovery in both Zscaler Private Access (ZPA) and ZIA.

The ZIA Disaster Recovery mode is only available to enrolled users.

To enable disaster recovery for ZIA, you must configure the following settings in your Zscaler Client Connector Profiles:

  1. In the ZIA Admin Portal, go to Policy > Zscaler Client Connector Portal.
  2. Click the App Profiles menu.
  3. On the Windows page, click Add Windows Policy. The Add Windows Policy window appears.

  4. In the General section, under ZIA Disaster Recovery, configure the following to provide users with access even when the ZIA service is down.

    1. Select Enable ZIA DR.
    2. Select from the following traffic forwarding actions in the drop-down menu:
      • Send Traffic Direct: Traffic bypasses Zscaler Client Connector, giving the user access to all applications through direct internet access.
      • Disable Internet Access: All traffic is dropped at the endpoint and users do not have access to the internet.
      • Allow preselected destinations: You can either block or allow access to specific URLs using a custom PAC file. Insert the custom PAC file URL in the Use Custom Destinations URL field.
        • Allow Zscaler Preselected Destinations (Recommended): When enabled, users can access only the URLs that are present in the Zscaler-provided global database allowlist. The rest of the URLs are blocked.
        • Allow Custom Destinations: Select this option to insert a custom PAC file URL in the Custom Destinations field. You can configure a custom PAC URL (with the http:// or https:// prefix) that users can access when the ZIA service is down. When configured in conjunction with the global database URL, both URL lists are allowed. The custom destinations URL takes precedence when there are any conflicts. You can also forward the traffic to a proxy server.

          • When configuring the custom PAC file, ensure that you allow access to the ZPA IP range 100.64.0.0/16 and ZPA domains, zpath.net and zpatwo.net, to prevent blocking ZPA traffic.
          • If you have enabled both the Allow Zscaler Preselected Destinations and Allow Custom Destinations fields, ensure that you remove the return drop; syntax from the custom PAC file statement because it blocks the URLs listed in the Zscaler-provided global database allowlist.

          Use the following sample custom PAC file:

          function FindProxyForURL(url, host) {
              var drop = "BLOCK";
              /* Return DIRECT to allow access */
              if ((localHostOrDomainIs(host, "google.com")) ||
                  (localHostOrDomainIs(host, "salesforce.com")) ||
                  (localHostOrDomainIs(host, "microsoft.com")) ||
                  (localHostOrDomainIs(host, "zscaler.com")))
                  return "DIRECT";
              /* Default block statement to block anything not allowed above */
              return drop;
          }
          • Return DIRECT to allow destination access.
          • Return BLOCK (or any other return statement other than DIRECT) to block destination access.
          • Return PROXY to forward the selected internet traffic to a proxy server with or without a port. Applies to Zscaler Client Connector version 4.5 for Windows and macOS only.
    3. DNS Settings:
      • Precreate a DNS TXT record with the Zscaler DNS generator tool: To create an Active Domain Name and Domain Public Key, see Creating DNS TXT Records.

        If you have ZIA only, you cannot download the DNS Record Generator.

      • ZIA Domain name: Enter a valid domain name.
      • TXT Record Signing Public Key: Click Upload to add a valid public key. You can only upload .pem files.
    4. Activation: Activate or test disaster recovery by updating the DNS TXT record value. To learn more, see Creating DNS TXT Records.
    5. Test Mode: Enable Activate Test Mode if the users or groups selected for the app profile are a designated group for testing disaster recovery. Zscaler recommends that disaster recovery be tested periodically with just a few users.

  5. Click Save.