Global Zscaler Enforcement Nodes (ZENs)


Zscaler has configured several Global, or Ghost, Zscaler Enforcement Nodes (ZENs) across its clouds. These ZEN addresses do not listen for traffic but are dummy addresses that every ZEN knows about. They can be useful when working in no default route environments. To learn more, see Implementing Zscaler in No Default Route Environments.

You can use the following IPs as Global ZEN IPs:

  • 185.46.212.88
  • 185.46.212.89
  • 185.46.212.90
  • 185.46.212.91
  • 185.46.212.92
  • 185.46.212.93
  • 185.46.212.97
  • 185.46.212.98

No Default Route Example

To send packets to a Global ZEN (185.46.212.88), traffic from a user with a PAC file configured first resolves the PAC server address to http://pac.zscalertwo.net/<your organization's domain>/No-Default-Route. Because the user is coming from a ZEN IP via a tunnel, the PAC server returns the Zscaler Global IP.

Diagram showing flow for using ZENs in no default route environments

The customer network must have a route for the Global ZEN IP through the internal network, and traffic to that IP must be destination NAT'd (DNAT) through the GRE or IPSec tunnel from the customer's router to the Zscaler service.

Diagram of using Global ZENs with no default route environments with DNAT

If the user is outside the corporate network, coming from an IP that is neither a Zscaler ZEN IP nor a customer public IP, then the PAC would use the "${GATEWAY}" variable instead.

Diagram showing how to use Global ZENs in no default route environments as a remote user

In the above solution, each of the customer location configurations will remain the same, providing a simple method of deploying configuration without differences between locations. This minimizes configuration and deployment complexity. In addition, both internal and external scenarios can be accommodated by a single PAC.

Customers can also detect whether the user is present on-premise (by resolving an internal domain) and then return the Global ZEN IP. A sample PAC file is given below:

function FindProxyForURL(url, host) {
    // If the client can resolve the internal domain, the user is on premises
    // and the PAC file should return the Global ZEN IP address.
    // isResolvable() performs the DNS lookup; shExpMatch() would only compare
    // the requested host name against the pattern.
    if (isResolvable("internal.sample_company.com"))
        return "PROXY 185.46.212.88:9400";

    // Otherwise the user is external; send the user to the nearest Zscaler DC IP.
    return "PROXY ${GATEWAY}:9400; PROXY ${SECONDARY_GATEWAY}:9400; DIRECT";
}
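
The on-premises and remote decisions described above can be checked before the PAC file is deployed. The following is an added example, not part of Zscaler's documentation: it evaluates the sample logic with a stubbed isResolvable() (the standard PAC DNS helper, following the text's "by resolving an internal domain") and reports the proxy chain each kind of user receives and whether that chain ends in DIRECT. The gateway addresses 203.0.113.10 and 203.0.113.20 and the helpers renderPac, loadPac, parseProxyList and evaluate are assumptions made for the example.

```javascript
// Added example. Gateway values are constructed placeholders (TEST-NET-3).
const GLOBAL_ZEN = "185.46.212.88";
const PAC_TEMPLATE = `
function FindProxyForURL(url, host) {
  if (isResolvable("internal.sample_company.com"))
    return "PROXY 185.46.212.88:9400";
  return "PROXY \${GATEWAY}:9400; PROXY \${SECONDARY_GATEWAY}:9400; DIRECT";
}`;

// Stand-in for the ${...} variable substitution done by the PAC server.
function renderPac(template, vars) {
  return template.replace(/\$\{(\w+)\}/g, (m, name) => {
    if (!(name in vars)) throw new Error("unsubstituted PAC variable: " + name);
    return vars[name];
  });
}

// Compile the PAC with a stubbed resolver: internalNames is the set of
// names that resolve from the client's vantage point.
function loadPac(pacSource, internalNames) {
  const isResolvable = (name) => internalNames.has(name);
  return new Function("isResolvable", pacSource + "\nreturn FindProxyForURL;")(isResolvable);
}

// Split a PAC return value into ordered { type, target } entries.
function parseProxyList(result) {
  return result.split(";").map((s) => s.trim()).filter(Boolean).map((entry) => {
    const [type, target = null] = entry.split(/\s+/);
    return { type: type.toUpperCase(), target };
  });
}

function evaluate(internalNames) {
  const pac = renderPac(PAC_TEMPLATE, {
    GATEWAY: "203.0.113.10", SECONDARY_GATEWAY: "203.0.113.20",
  });
  const find = loadPac(pac, internalNames);
  const chain = parseProxyList(find("http://example.com/", "example.com"));
  return {
    chain,
    usesGlobalZen: chain[0].target === GLOBAL_ZEN + ":9400",
    failsOpen: chain.some((e) => e.type === "DIRECT"),
  };
}

const onPrem = evaluate(new Set(["internal.sample_company.com"]));
const remote = evaluate(new Set());
console.log("on-prem:", onPrem.chain, "ends in DIRECT:", onPrem.failsOpen);
console.log("remote: ", remote.chain, "ends in DIRECT:", remote.failsOpen);
```

A chain that ends in DIRECT lets the browser connect without the proxy when every listed gateway is unreachable, so the remote result is the one to review against the organization's bypass policy.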