What is Surrogate IP?

In certain deployments from known locations, you can enable the Zscaler service to map a user to a private IP address. The service then applies that user's policies, instead of the location's policies, to traffic that it cannot authenticate, which includes:

  • Applications that do not support cookies, such as Google Earth and SkyDrive
  • HTTPS transactions that are not decrypted
  • Transactions that use unknown user agents

If a user browses the internet from multiple private IP addresses, the service maps all the private IP addresses to the user. The service also associates the transactions with the user in the logs.

The service maps a private IP address to only one user at a time. It retains the mapping until the configured idle time ends, until the user logs out of a session or out of the Zscaler service gateway, or until another user sends authenticated transactions from the same private IP address. If a different user logs in to a session or to the service gateway from the same private IP address, the service maps the private IP address to that new user. Because the mapping is per address, every transaction from an address that cannot be authenticated is attributed to whichever user is currently mapped to it; on a shared host, or wherever several users sit behind one private address, that user's policies and log entries cover the other users' traffic as well.

If the mapping changes more than three times in a minute, that is, different users keep logging in and browsing the internet from the same private IP address within a minute, the service stops mapping users to that private IP address for five minutes and applies the location policies to transactions that it cannot authenticate during those five minutes.
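The following is an added illustration, not Zscaler's code and not from this page: a small Python model of the mapping rules above (one user per address, idle expiry, takeover by a newly authenticated user, and the five-minute cool-off when the mapping flaps), with a constructed walk-through that reports which policy, user or location, would apply to an unauthenticated transaction at each step. The idle timeout, the address 10.1.2.3, the user names, the choice to refresh the idle timer only on authenticated transactions, and the reading of "more than three times in a minute" as a fourth change inside a 60-second sliding window are all assumptions made for the example.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Optional, Tuple

# Thresholds as stated on the page. Treating "more than three changes in a
# minute" as a 4th change inside a 60-second sliding window is an assumption.
FLAP_LIMIT = 3
FLAP_WINDOW = 60.0
SUSPEND_SECONDS = 300.0  # five minutes


@dataclass
class Mapping:
    user: str
    last_seen: float  # time of the last authenticated transaction (assumption)


@dataclass
class SurrogateIPTable:
    """Simplified model of the private-IP-to-user mapping table (not Zscaler code)."""
    idle_timeout: float  # configured idle time, in seconds
    _map: Dict[str, Mapping] = field(default_factory=dict)
    _changes: Dict[str, Deque[float]] = field(default_factory=dict)  # ip -> change times
    _suspended_until: Dict[str, float] = field(default_factory=dict)

    def _expire_idle(self, ip: str, now: float) -> None:
        m = self._map.get(ip)
        if m is not None and now - m.last_seen >= self.idle_timeout:
            del self._map[ip]

    def _is_suspended(self, ip: str, now: float) -> bool:
        return now < self._suspended_until.get(ip, 0.0)

    def authenticated(self, ip: str, user: str, now: float) -> Optional[str]:
        """Record an authenticated transaction; return the user now mapped to ip."""
        if self._is_suspended(ip, now):
            return None  # no mapping while the cool-off runs
        self._expire_idle(ip, now)
        current = self._map.get(ip)
        if current is not None and current.user == user:
            current.last_seen = now  # same user: refresh the idle timer only
            return user
        # A different user (or no user) was mapped: the address moves to the new user.
        changes = self._changes.setdefault(ip, deque())
        changes.append(now)
        while changes and now - changes[0] > FLAP_WINDOW:
            changes.popleft()
        if len(changes) > FLAP_LIMIT:
            # Flapping: drop the mapping and stop mapping this address for five minutes.
            self._map.pop(ip, None)
            changes.clear()
            self._suspended_until[ip] = now + SUSPEND_SECONDS
            return None
        self._map[ip] = Mapping(user, now)
        return user

    def logout(self, ip: str, now: float) -> None:
        """User logged out of the session or the service gateway: drop the mapping."""
        self._map.pop(ip, None)

    def policy_for_unauthenticated(self, ip: str, now: float) -> Tuple[str, Optional[str]]:
        """Which policy applies to a transaction the service cannot authenticate."""
        if self._is_suspended(ip, now):
            return ("location", None)
        self._expire_idle(ip, now)
        m = self._map.get(ip)
        return ("user", m.user) if m is not None else ("location", None)


def scenario() -> List[Tuple[str, Optional[str]]]:
    """Constructed walk-through (sample data, not real traffic) of the rules."""
    t = SurrogateIPTable(idle_timeout=600)
    ip = "10.1.2.3"  # constructed private address
    out = []
    t.authenticated(ip, "alice", now=0)
    out.append(t.policy_for_unauthenticated(ip, now=100))   # user policy: alice
    out.append(t.policy_for_unauthenticated(ip, now=700))   # idle time passed: location policy
    t.authenticated(ip, "alice", now=1000)
    t.authenticated(ip, "bob", now=1010)                    # bob takes the address over
    out.append(t.policy_for_unauthenticated(ip, now=1020))  # user policy: bob
    t.authenticated(ip, "carol", now=1030)
    t.authenticated(ip, "dave", now=1031)                   # 4th change within 60 s: suspended
    out.append(t.policy_for_unauthenticated(ip, now=1040))  # location policy during cool-off
    out.append(t.policy_for_unauthenticated(ip, now=1330))  # still suspended (until 1331)
    t.authenticated(ip, "frank", now=1400)                  # cool-off over: mapping resumes
    out.append(t.policy_for_unauthenticated(ip, now=1401))  # user policy: frank
    return out


if __name__ == "__main__":
    for step, decision in enumerate(scenario(), 1):
        print(step, decision)
```

The walk-through makes the attribution risk concrete: between steps 3 and 4 every unauthenticated transaction from 10.1.2.3, whoever actually sent it, is evaluated and logged under bob's identity, and during the cool-off the location policy silently takes over, which is why the idle time and the no-NAT requirement matter for any access decision that depends on the mapped user.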

Additionally, an organization can subscribe to one or more dedicated proxy ports and associate them with a location. If you enable Surrogate IP on a location that has at least one subscribed port, the service maps the user's public IP address, rather than an internal or private IP address, to the user, so that it can apply user-level policies to road-warrior traffic that it cannot authenticate.

Feature Requirements

To use this feature, your organization must use one of the following methods to forward traffic to the service:

  • GRE or IPSec tunnel without NAT, so that the service sees the original private source address
  • Forward proxy chaining with the Enable XFF Forwarding option turned on for the location or sub-location, so that the private source address reaches the service in the X-Forwarded-For header
  • A dedicated proxy port that your organization subscribes to

Also, the location or sub-location must have Enforce Authentication turned on. To learn more about enabling surrogate IP on locations and sub-locations, see Configuring Locations and About Sub-Locations.