Zscaler recommends that organizations use a combination of GRE tunneling, PAC files, Surrogate IP, and Zscaler App to forward traffic to the Zscaler service. This article describes the most common GRE tunnel deployments.
Zscaler recommends that you configure two GRE tunnels from an internal router behind the firewall to the ZENs (Zscaler Enforcement Nodes); a primary tunnel from the router to a ZEN in one data center, and a secondary tunnel from the router to a ZEN in another data center. This type of deployment provides visibility into the internal IP addresses, which can be used for the Zscaler security policies and logging.
In this deployment, the GRE tunnel source IP address is a public IP address that is configured on the loopback interface of the router. On the firewall, you'll need to define a rule that allows GRE traffic from the router. Additionally, if your organization has redundant routers and/or ISPs, as shown in the diagram below, you can configure the routers so failover to a redundant ISP is automatic.
If the first deployment is not feasible, then you can configure a GRE tunnel from your border router to the ZENs. In this type of deployment, you will need to configure the border router to send Internet bound traffic to the ZENs. You will also need to disable NAT on your firewall to provide internal IP address visibility to the ZENs.