About Virtual ZENs

Click to:

  1. Configure a Virtual ZEN. See How do I configure a VZEN instance?
  2. Download a Virtual ZEN VM. See How do I download a VZEN VM?
  3. Download MIB Files. See About the Zscaler SNMP MIBs.
  4. View a list of all configured Virtual ZENs.
  5. Download the SSL Certificate. See How do I download VZEN certificates?
  6. Edit a VZEN. See How do I edit, delete, or duplicate items in the admin portal?
  7. Modify the table and its columns. See How do I use tables in the admin portal?
  8. Search for a VZEN.  
  9. Click the Virtual ZEN Clusters tab to configure VZEN Clusters. See About VZEN Clusters.

Screenshot of the buttons to manage Zscaler virtual ZENs when traffic forwarding 

A key component of the Zscaler cloud, Zscaler Enforcement Nodes (ZENs) are full-featured secure Internet gateways that provide integrated Internet security. They inspect all web traffic bi-directionally for malware, and enforce security, compliance and next generation firewall (NGFW) policies.

ZENs are deployed in Zscaler data centers around the globe. So no matter where your users are, at headquarters or at a branch office, in a coffee shop or at the airport, they can access the Internet from any device and the ZENs will protect their traffic and apply your corporate policies.

ZENs have significant fault tolerance capabilities. They are deployed in active-active mode all over the world, to ensure availability and redundancy. Zscaler monitors and maintains its ZENs worldwide to ensure 24/7 availability. They are located in Zscaler data centers, which provide the highest level of data privacy and network security.

Zscaler always recommends that organizations forward traffic to the ZENs in the Zscaler cloud. However, some organizations may have certain requirements, such as those listed below, that may make forwarding their traffic to the ZENs in the Zscaler cloud less than ideal:

  • Locations with certain geopolitical requirements and regulations
  • Locations that experience high latency when connecting to public ZENs
  • Applications that require an organization's IP address as the source IP address
  • Users who need to see localized content

If your organization has similar requirements, then with Zscaler's approval, you can extend the Zscaler patented cloud architecture to your organization’s premise by licensing and deploying virtual ZENs (VZENs). A VZEN uses a virtual machine (VM) to function as a full-featured ZEN dedicated to your organization’s traffic. See Forwarding Traffic to VZENs. VZENs perform the same service as the public ZENs in the Zscaler cloud, including support for features, such as the Next Generation Firewall, Sandbox, and DLP.

Process diagram of Zscaler virtual ZEN in play when traffic forwarding

Integrated with Zscaler Cloud

VZENs are part of the Zscaler cloud. They communicate with the Zscaler cloud for user authentication and policy updates, and for logging and reporting. Thus, admins define policies only once, through the admin portal. Additionally, after users are signed in and authenticated to the Zscaler service, the service will always apply their policies, whether they connect to an on-premise VZEN or to a public ZEN anywhere in the world. Logs are transmitted to and stored on the Zscaler cloud as a central repository for integrated analytics. So you can view and monitor Internet traffic activity on the admin portal dashboard and make full use of the real-time logging and interactive reporting capabilities of the service.

Easy, Fault-Tolerant Deployment

  • VZENs are easy to deploy and require minimal administration. Your organization has full access to the VZENs for monitoring and configuration. Zscaler does not require access to the VZENs.
  • VZENs are horizontally scalable so you can easily add more VZENs as your traffic increases.
  • VZENs are deployed in a cluster, which features built-in load balancers to ensure availability and redundancy. See About VZEN Clusters.


VZENs currently do not support the following:

  • Traffic forwarding through IPsec VPN tunnels
  • Supports VMware ESX/ESXi only