Secure Internet and SaaS Access (ZIA)

Configuring Source IP Anchoring


Source IP Anchoring uses ZIA forwarding policies and Zscaler Private Access (ZPA) App Connectors to selectively forward application traffic to the appropriate destination servers. You can configure forwarding rules in the ZIA Admin Portal to send Source IP Anchored traffic to ZPA after it passes through the ZIA threat and data protection engines. To learn more, see Understanding Source IP Anchoring.

To enable and configure Source IP Anchoring:

  1. Complete the following steps to do the initial setup on the ZPA Admin Portal if you are using ZPA solely for Source IP Anchoring. You can skip this step if you have already done the initial setup on the ZPA Admin Portal.
    1. Update your company and administrator information.
    2. Configure the enrollment certificates for the App Connectors. For Source IP Anchoring, it is sufficient to configure enrollment certificates for the App Connectors alone.
    3. (Optional) Configure Single Sign-On Authentication.
    4. Configure your App Connectors.
  2. Configure the following items in the ZPA Admin Portal:
    1. Create and configure an application segment for which you need Source IP Anchoring.

      Ensure that you enable the Source IP Anchor option and select Use Client Forwarding Policy under the Bypass field while configuring the application segment.

    2. Configure a client forwarding policy for the application segment. You should create separate client forwarding policy rules for IP address-based and domain-based applications.

      For IP address-based applications, select the Only Forward Allowed Applications rule action for Source IP Anchoring application segments.

      For domain-based applications, configure the following rules:

      1. Rule 1: Select the Bypass ZPA rule action for Source IP Anchoring Segment Groups and Client Types > Client Connector.
      2. Rule 2: Select the Forward to ZPA rule action for Source IP Anchoring Segment Groups and Client Types > ZIA Service Edge.
    3. Create and configure an access policy for the application segment. You should create separate access policy rules for IP address-based and domain-based applications.

      For IP address-based applications, configure the following rules:

      1. Rule 1: Select the Block Access rule action and add all the client types, except the ZIA Service Edge client type for the application segments. This rule prevents application download on the Zscaler Client Connector.
      2. Rule 2: Select the Allow Access rule action and add only the ZIA Service Edge client type for the application segments.

      For domain-based applications, ensure that you allow the Source IP Anchoring client (ZIA Service Edge client type) to access the applications.

  3. Configure the following items in the ZIA Admin Portal:

      To support Source IP Anchoring for Zscaler Tunnel (Z-Tunnel) 1.0 traffic, you must enable the Enable Firewall for Z-Tunnel 1.0 and PAC Road Warriors option under Administration > Advanced Settings.

    1. Configure the ZPA gateway.
    2. Configure the forwarding policies for ZPA. You can also configure rules for source IP-anchored traffic in these.
    3. To configure Source IP Anchoring for all traffic forwarded to the ZIA Admin Portal, enable the appropriate pre-configured DNS filtering rule from the Policy > DNS Control page:
      • For location users, enable the ZPA Resolver for Locations rule.
      • For remote users, enable the ZPA Resolver for Road Warrior rule.

When the ZPA Resolver for Road Warrior rule is disabled, the road warrior traffic automatically falls under the ZPA Resolver for Locations rule instead of blocking the traffic. Therefore, Zscaler does not recommend disabling the ZPA Resolver for Road Warrior rule.

Ensure that these DNS rules are the top rules (i.e., Rule 1 and Rule 2) to configure Source IP Anchoring. The DNS rules are associated with the respective preconfigured IP pools under Administration > IP & FQDN Groups > IP Pool. You can edit the IP pools based on your needs. To learn more, see About IP Pool. Any change in the IP pool is reflected in the Action column of the respective DNS rule when the rule is enabled.

Zscaler also recommends having open firewall rules for the Source IP Anchoring pools while sending DNS traffic to the Zscaler service for the Source IP Anchoring domains (i.e., the Action column on the Firewall Filtering policy should be set to Allow for the Source IP Anchoring pools).

Ensure that your client's DNS requests for domain-based non-web traffic are forwarded to Zscaler services so the predefined ZPA DNS Resolver policies take effect.
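The requirements in the procedure above (the application segment options, the separate client forwarding and access policy rules for IP address-based and domain-based applications, and the two ZPA Resolver DNS rules sitting at positions 1 and 2 and enabled) can be checked mechanically before traffic is cut over. The following is an added example and is not Zscaler's code; the dictionaries are a constructed, simplified model of the policies, not the ZPA or ZIA API schema, and the "Browser Access" client type in the sample is assumed for illustration.

```python
# Added example, not Zscaler's code: audit a Source IP Anchoring configuration
# against the requirements described on this page. The dictionaries are a
# constructed, simplified model of the ZPA and ZIA policies, not the API schema.

ZIA_SERVICE_EDGE = "ZIA Service Edge"
CLIENT_CONNECTOR = "Client Connector"
DNS_TOP_RULES = ["ZPA Resolver for Locations", "ZPA Resolver for Road Warrior"]


def audit_segment(seg, known_client_types):
    """Return findings for one ZPA application segment (empty list = compliant)."""
    findings = []
    if not seg.get("source_ip_anchor"):
        findings.append("Source IP Anchor option is not enabled")
    if seg.get("bypass") != "Use Client Forwarding Policy":
        findings.append("Bypass must be 'Use Client Forwarding Policy'")
    findings += audit_forwarding(seg["forwarding_rules"], seg["domain_based"])
    findings += audit_access(seg["access_rules"], seg["domain_based"], known_client_types)
    return findings


def audit_forwarding(rules, domain_based):
    """Client forwarding policy: the ordered rules the page prescribes."""
    if not domain_based:
        # IP address-based applications need the single rule action below.
        ok = any(r["action"] == "Only Forward Allowed Applications" for r in rules)
        return [] if ok else ["IP-based segment lacks 'Only Forward Allowed Applications'"]
    # Domain-based: rule 1 bypasses ZPA for Client Connector,
    # rule 2 forwards to ZPA for the ZIA Service Edge client type.
    expected = [("Bypass ZPA", CLIENT_CONNECTOR), ("Forward to ZPA", ZIA_SERVICE_EDGE)]
    findings = []
    for i, (action, client) in enumerate(expected, start=1):
        rule = rules[i - 1] if len(rules) >= i else None
        if rule is None or rule["action"] != action or client not in rule["client_types"]:
            findings.append(f"forwarding rule {i} must be '{action}' for {client}")
    return findings


def audit_access(rules, domain_based, known_client_types):
    """Access policy: Block everything but ZIA Service Edge, then Allow only it."""
    if domain_based:
        ok = any(r["action"] == "Allow Access" and ZIA_SERVICE_EDGE in r["client_types"]
                 for r in rules)
        return [] if ok else ["domain-based segment must allow the ZIA Service Edge client"]
    if len(rules) < 2:
        return ["IP-based segment needs a Block rule followed by an Allow rule"]
    block, allow = rules[0], rules[1]
    findings = []
    if (block["action"] != "Block Access"
            or set(block["client_types"]) != set(known_client_types) - {ZIA_SERVICE_EDGE}):
        findings.append("access rule 1 must Block Access for all client types except ZIA Service Edge")
    if allow["action"] != "Allow Access" or set(allow["client_types"]) != {ZIA_SERVICE_EDGE}:
        findings.append("access rule 2 must Allow Access for only the ZIA Service Edge client type")
    return findings


def audit_dns_control(dns_rules):
    """ZIA DNS Control: the two ZPA Resolver rules must be rules 1 and 2 and enabled."""
    findings = []
    top = [r["name"] for r in dns_rules[:2]]
    if sorted(top) != sorted(DNS_TOP_RULES):
        findings.append(f"DNS rules 1 and 2 must be {DNS_TOP_RULES}, found {top}")
    for r in dns_rules:
        # Zscaler recommends keeping the Road Warrior rule enabled as well.
        if r["name"] in DNS_TOP_RULES and not r["enabled"]:
            findings.append(f"'{r['name']}' is disabled")
    return findings


def audit(config):
    """Audit a whole constructed configuration; returns {object: [findings]} for failures."""
    report = {s["name"]: audit_segment(s, config["client_types"]) for s in config["segments"]}
    report["dns_control"] = audit_dns_control(config["dns_rules"])
    return {k: v for k, v in report.items() if v}


# Constructed sample configuration (not exported from any real tenant).
KNOWN = frozenset({CLIENT_CONNECTOR, ZIA_SERVICE_EDGE, "Browser Access"})  # assumed set
GOOD_CONFIG = {
    "client_types": KNOWN,
    "segments": [
        {"name": "crm-by-ip", "domain_based": False, "source_ip_anchor": True,
         "bypass": "Use Client Forwarding Policy",
         "forwarding_rules": [{"action": "Only Forward Allowed Applications",
                               "client_types": {ZIA_SERVICE_EDGE}}],
         "access_rules": [{"action": "Block Access", "client_types": KNOWN - {ZIA_SERVICE_EDGE}},
                          {"action": "Allow Access", "client_types": {ZIA_SERVICE_EDGE}}]},
        {"name": "saas-by-domain", "domain_based": True, "source_ip_anchor": True,
         "bypass": "Use Client Forwarding Policy",
         "forwarding_rules": [{"action": "Bypass ZPA", "client_types": {CLIENT_CONNECTOR}},
                              {"action": "Forward to ZPA", "client_types": {ZIA_SERVICE_EDGE}}],
         "access_rules": [{"action": "Allow Access", "client_types": {ZIA_SERVICE_EDGE}}]},
    ],
    "dns_rules": [{"name": "ZPA Resolver for Locations", "enabled": True},
                  {"name": "ZPA Resolver for Road Warrior", "enabled": True},
                  {"name": "Default Rule", "enabled": True}],
}

if __name__ == "__main__":
    print(audit(GOOD_CONFIG) or "configuration matches the documented requirements")
```

Each check mirrors one sentence of the procedure, so a finding points back to the step that was skipped; the DNS check in particular catches the common case where a later rule has been dragged above the two ZPA Resolver rules, which silently stops the predefined resolver policies from taking effect.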

Related Articles

  • Understanding Source IP Anchoring
  • Configuring Source IP Anchoring
  • About Zscaler Private Access Gateway
  • Configuring ZPA Gateway
  • Source IP Anchoring Configuration Guide for Office 365 Conditional Access