Configuring Zscaler Client Connector App Profiles
This article reflects the updated user interface of the Zscaler Client Connector Portal. Contact Zscaler Support to enable this updated UI for your organization. To view the updated user interface, on the upper-right of the Zscaler Client Connector Portal page, click the Try New UI icon.
You can add a Zscaler Client Connector profile policy rule for each of the following device platforms:
- Windows
To add a new Windows policy rule:
- In the left-side navigation, click App Profiles and select Windows.
- Click Add Windows Policy. The Add Windows Policy window appears.
- In the Add Windows Policy window, you can configure the following settings:
- General
- Name: Enter a unique alphanumeric name for your policy rule.
- Rule Order: Select the appropriate rule order value from the drop-down menu. The rule order reflects the order of precedence among configured profile policy rules and helps determine which rule the app downloads for a user upon enrollment. Precedence is based on ascending numerical order.
- Status: Select Disabled to deactivate the rule or select Enabled to activate the rule. If you don’t enable the rule, the policy rule is not enforced.
- Forwarding Profile: Select one of your configured forwarding profiles from the drop-down menu. You can also search for items to select. To learn more, see Configuring Forwarding Profiles for Zscaler Client Connector.
If you're using Zscaler Tunnel (Z-Tunnel) 2.0, you must choose a forwarding profile with Z-Tunnel 2.0 selected. To learn more, see About Z-Tunnel 1.0 & Z-Tunnel 2.0.
- ZIA Posture Profile: Select a posture profile from the drop-down menu to apply to the app profile. You can also search for items to select.
- Install Zscaler SSL Certificate: If you’re using Zscaler Client Connector for Zscaler Private Access (ZPA) only, skip this option. Enable this option to allow Zscaler Client Connector to automatically install the Zscaler SSL certificate on users’ devices. If you uploaded your organization’s custom certificate in the Zscaler Client Connector Portal, the app installs your organization’s custom certificate instead.
- Install WFP Driver: Enable this option to install and use the WFP-based Zscaler driver for Flow Logging, Block Domain Profile Detection, Block All Inbound Traffic, Process-Based Application Bypass, and ZDX Autosense Probes. This driver inspects all traffic including bypass traffic.
- Groups
- User Groups: When a user enrolls Zscaler Client Connector with the Zscaler service, Zscaler Client Connector checks the group to which the user belongs and downloads the app profile with the appropriate rule.
- Click Selected to select user groups from the drop-down menu. The groups you've configured in the ZIA Admin Portal are displayed in this menu. There is no limit to the number of groups you can select.
- Click All to select all groups.
When new user groups are added, they are automatically selected. You can clear the checkbox to exclude them from your policy.
- Users: Select this option to apply this rule to specific users. The users you've configured in the ZIA Admin Portal are displayed in this menu after a user enrolls Zscaler Client Connector with the Zscaler service. Zscaler Client Connector checks whether the enrolling user is selected in the rule and downloads the app profile with the appropriate rule. You can select up to 50 users. By default, no users are selected.
Don't select a user or a user group if you want to create and save a rule before applying it to a user or a user group.
- Device Groups: Select this option to apply this rule to specific groups or to all device groups. Click Select All to select all device groups or select individual groups from the drop-down menu. Device groups created in the Zscaler Client Connector Portal are displayed in this menu. To learn more, see Creating Device Groups.
Device groups are available only on Zscaler Client Connector version 4.3 and later for Windows devices.
- Follow Global Settings for Partner Login: Enable this option to apply the Allow Users of This Tenant to Login to Other Tenants setting from the ZPA Partner Logins page to this profile. If enabled, you cannot configure partner login access on this profile.
- Allow Users of This Tenant to Login to Other Tenants: Enable this option to let users access a partner’s tenant if they are assigned this profile. If you enable this option, you can enter Partner Domains that users can select when they add a partner tenant to Zscaler Client Connector. If you leave Partner Domains blank, users must enter the partner domain in the app.
Partner login settings on the app profile are available only on Zscaler Client Connector version 4.6 and later for Windows.
- Traffic Steering
- PAC and Proxy
PAC Configuration:
- PAC URL Location: Select one of the following options:
- PAC URL: If you're using Zscaler Client Connector for Zscaler Private Access (ZPA) only, skip this option. Enter a valid PAC URL in the Custom PAC URL field if you want Zscaler Client Connector to forward internet traffic to the Zscaler service and want to specify exceptions for certain types of traffic. The maximum number of characters is 512.
- Registry Key:
- Registry Path: Enter the Registry Path for Zscaler Client Connector to locate the PAC URL from the device. The maximum number of characters is 61,440.
- Registry Name: Enter the Registry Name for Zscaler Client Connector to locate the PAC URL from the device. The maximum number of characters is 2,048.
- Fallback to gateway domain: When you select this checkbox, Zscaler Client Connector falls back to the gateway domain when PAC proxies cannot be reached for Z-Tunnel 1.0.
You must add a Custom PAC URL before you can use one of the following preferred ports.
- Use Preferred Port from PAC for Z-Tunnel 1.0: If enabled, Zscaler Client Connector uses the custom port from the PAC file for Z-Tunnel 1.0. This feature does not impact the default ports 80, 443, and 8080.
- Use Preferred Port from PAC for Z-Tunnel 2.0: If enabled, Zscaler Client Connector uses the custom port from the PAC file for Z-Tunnel 2.0. This feature does not impact the default ports 80, 443, and 8080.
If you want to allow a user to bypass the app when connecting to the VPN gateway, use the VPN Gateway Bypass option.
- Proxy Configuration: Select from the following options:
- Override WPAD: The option to override Web Proxy Auto-Discovery is applicable only if you've selected a forwarding profile that uses forwarding profile PAC files.
- Disable Loopback Restriction: When you enable this option, Zscaler Client Connector removes the communication restriction to the loopback interface for apps that use the Windows container. When selected, you can enable Remove Existing Exempted Containers to have Zscaler Client Connector remove existing exempted containers from the firewall configuration before disabling loopback restriction for all containers.
- Restart WinHTTP Service: This option is applicable only if you've selected a forwarding profile that uses forwarding profile PAC files. Zscaler recommends selecting this option to delete any cached WPAD settings.
- V8 JavaScript based PAC Parser: Enable Google’s open-source V8 engine to compile JavaScript for the PAC parser.
- Set Proxies on VPN Adapters: When enabled, Zscaler Client Connector sets configured proxy settings on VPN adapters in addition to physical adapters.
- Cache System Proxy: Enable this option to save and restore proxy settings. This setting stores any existing system proxy settings when Zscaler Client Connector is initiated. If a user exits or logs out of the app or if a user turns off ZIA from the app, proxy settings are restored to the system.
- App and IP Bypass
- Global Bypasses
Configure traffic bypass for process-based applications, VPN gateways, and source ports:
- Process-Based Application Bypass: Allows bypassing of process-based applications created in Application Bypass that can be used for both Z-Tunnel 1.0 and Z-Tunnel 2.0. Select an option from the drop-down menu.
To use this feature, you must enable Install WFP Driver.
- Source Port-Based Bypasses: Enter the source port and protocol from which Zscaler Client Connector bypasses existing inbound traffic. The port value can range from 1 to 65535. The protocol value can be TCP, UDP, or *.
- VPN Gateway Bypass: You can allow traffic destined for the VPN to bypass Zscaler Client Connector. The app sets the routing table to exclude any traffic destined for the VPN gateway.
When a route-based driver is in use, the app creates IP-based exclude routes in the routing table. When a filter-based driver is in use, it creates bypass filters in the filter table.
When your users have a VPN client running on their devices in conjunction with Zscaler Client Connector, the VPN gateway bypass must be used in these scenarios:
- You selected Tunnel for the forwarding profile action of any trusted network type.
- Your VPN runs in split-tunnel mode so that it takes some, but not all, user traffic from the device.
To allow traffic to bypass Zscaler Client Connector using Tunnel mode, enter any of the following for all of your VPN gateways:
- A FQDN (e.g., www.safemarch.com). If you add a fully qualified domain name (FQDN), the FQDN resolves and all resulting IP addresses are added to the bypass list at the start of the tunnel. However, if the FQDN later resolves to a different IP address, that address might not be bypassed. Zscaler recommends adding an IP or subnet where possible. Adding too many FQDNs can slow tunnel startup because Zscaler Client Connector resolves all of these domains before starting tunneling.
- A specific IP address (e.g., 192.0.2.1)
- A subnet (e.g., 192.0.2.0/24)
Press Enter after each entry. You can add multiple items at the same time by separating each item with a comma and then pressing Enter when finished. To avoid connectivity issues, you must include all the VPN hostnames, IP addresses, or subnets to which the VPN connects.
To allow traffic to bypass Zscaler Client Connector using Tunnel with Local Proxy mode, Zscaler recommends adding the IP address or addresses and hostname of the VPN gateway to the system PAC file in the forwarding profile to enable direct connections for VPN traffic. To learn more, see Best Practices for Using PAC Files with Zscaler Client Connector.
While you can also use this field to bypass non-VPN destinations, you must limit the number of items in this list because Zscaler Client Connector attempts to resolve all entries after a network change.
- Upload CSV: Allows you to upload a VPN gateway bypass list.
- IP Bypasses
For Z-Tunnel 2.0 only, you can configure traffic bypass for IP-based applications and add subnets for IPv4 and IPv6 inclusions and exclusions. You must choose a forwarding profile with Z-Tunnel 2.0 selected. To learn more, see About Z-Tunnel 1.0 & Z-Tunnel 2.0.
To reset to the default configuration, click Restore Default. For both Destination Exclusions and Destination Inclusions, the default configuration includes all possible subnets (0.0.0.0/0) and excludes the RFC 1918 default private networks.
- Predefined IP-Based Application Bypass: To bypass Z-Tunnel 2.0, click Select All or select applications from the IP-Based application bypass drop-down menu. You can also search for items to select.
- Custom IP-Based Application Bypass: Select applications from the IP-Based application bypass drop-down menu to bypass Z-Tunnel 2.0. You can also search for items to select. To add applications to the IP-based application list, see Adding IP-Based Applications to Bypass Traffic.
- IPv4/IPv6 Inclusions and Exclusions: To send a specific subset of your traffic to the ZIA Public Service Edge through Z-Tunnel 2.0, complete the following steps.
When adding subnets, the protocol value is *, TCP, or UDP. You can also enter the subnet 0.0.0.0/0, which stands for all possible subnets. The maximum number of characters is 6,144.
- IPv4 Inclusion: Enter the specific subnets of the traffic you want to include for Z-Tunnel 2.0 in the following formats:
- An IP address (e.g., 192.0.2.1)
- A subnet (e.g., 192.0.2.0/24)
- An IP:Port range (e.g., 192.0.2.1:80, 192.0.2.1:80-100, or 192.0.2.1:*)
- An IP:Port:Protocol (e.g., 192.0.2.1:80:tcp, 192.0.2.1:80-100:udp, or 192.0.2.1:80:*)
- IPv4 Exclusion: Enter the specific subnets of the traffic you want to exclude for Z-Tunnel 2.0 in the following formats:
- An IP address (e.g., 192.0.2.1)
- A subnet (e.g., 192.0.2.0/24)
- An IP:Port range (e.g., 192.0.2.1:80, 192.0.2.1:80-100, or 192.0.2.1:*)
- An IP:Port:Protocol (e.g., 192.0.2.1:80:tcp, 192.0.2.1:80-100:udp, or 192.0.2.1:80:*)
- IPv6 Inclusion: Enter the specific subnets of the traffic you want to include for Z-Tunnel 2.0 in the following formats:
- An IP address (e.g., [2001:0000::])
- A subnet (e.g., [2001:0000::/32])
- An IP:Port range (e.g., [2001:0000::]:80, [2001:0000::]:80-100, or [2001:0000::]:*)
- An IP:Port:Protocol (e.g., [2001:0000::]:80:tcp)
- IPv6 Exclusion: Enter the specific subnets of the traffic you want to exclude for Z-Tunnel 2.0 in the following formats:
- An IP address (e.g., [2001:0000::])
- A subnet (e.g., [2001:0000::/32])
- An IP:Port range (e.g., [2001:0000::]:80, [2001:0000::]:80-100, or [2001:0000::]:*)
- An IP:Port:Protocol (e.g., [2001:0000::]:80:tcp)
By default, the Zscaler service includes the RFC 1918 networks (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) in the exclusions list. To learn more, refer to RFC 1918 Address Allocation for Private Internets. Zscaler also includes the multicast range 224.0.0.0/4. Zscaler recommends that you keep these networks in the list, unless explicitly needed, because deleting them causes private network traffic (e.g., DHCP) to be tunneled through the cloud.
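The following is an added example, not Zscaler's code, that validates entries written in the IPv4/IPv6 inclusion and exclusion format described above (the same entry format the Fail Close settings' IP Address Bypasses use) and checks whether a given destination flow matches them. The sample inclusion and exclusion lists are constructed to mirror the documented defaults, and the rule that an exclusion match wins over an inclusion match is an assumption made here, not something the page states.

```javascript
// Added example (not Zscaler code): parse the Z-Tunnel 2.0 inclusion/exclusion
// entry format documented above and test whether a destination flow matches.
// Entry forms: ip | ip/prefix | ip:port | ip:lo-hi | ip:*  each optionally
// followed by :tcp | :udp | :* ; IPv6 addresses are written in square brackets.

// Convert an IPv4 dotted quad to a BigInt; throws on malformed input.
function ipv4ToBigInt(s) {
  const parts = s.split(".");
  if (parts.length !== 4) throw new Error(`bad IPv4 address: ${s}`);
  let n = 0n;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) throw new Error(`bad IPv4 address: ${s}`);
    n = (n << 8n) | BigInt(Number(p));
  }
  return n;
}

// Convert an IPv6 address (optionally using :: compression) to a BigInt.
function ipv6ToBigInt(s) {
  const halves = s.split("::");
  if (halves.length > 2) throw new Error(`bad IPv6 address: ${s}`);
  const head = halves[0] ? halves[0].split(":") : [];
  const tail = halves.length === 2 && halves[1] ? halves[1].split(":") : [];
  const fill = halves.length === 2 ? 8 - head.length - tail.length : 0;
  if (fill < 0 || head.length + tail.length + fill !== 8) throw new Error(`bad IPv6 address: ${s}`);
  let n = 0n;
  for (const g of [...head, ...Array(fill).fill("0"), ...tail]) {
    if (!/^[0-9a-fA-F]{1,4}$/.test(g)) throw new Error(`bad IPv6 address: ${s}`);
    n = (n << 16n) | BigInt(parseInt(g, 16));
  }
  return n;
}

// Parse one entry into { family, addr, bits, prefix, portLo, portHi, proto }.
function parseEntry(entry) {
  const e = entry.trim();
  const family = e.startsWith("[") ? 6 : 4;
  const bits = family === 6 ? 128 : 32;
  let addrText, rest;
  if (family === 6) {                       // [addr] or [addr/prefix], then suffixes
    const close = e.indexOf("]");
    if (close < 0) throw new Error(`unterminated bracket: ${entry}`);
    addrText = e.slice(1, close);
    rest = e.slice(close + 1);
  } else {                                   // addr or addr/prefix, then suffixes
    const colon = e.indexOf(":");
    addrText = colon < 0 ? e : e.slice(0, colon);
    rest = colon < 0 ? "" : e.slice(colon);
  }
  if (rest !== "" && !rest.startsWith(":")) throw new Error(`bad entry: ${entry}`);
  const [ipText, prefixText] = addrText.split("/");
  if (prefixText !== undefined && !/^\d+$/.test(prefixText)) throw new Error(`bad prefix: ${entry}`);
  const prefix = prefixText === undefined ? bits : Number(prefixText);
  if (prefix > bits) throw new Error(`bad prefix: ${entry}`);
  const addr = family === 6 ? ipv6ToBigInt(ipText) : ipv4ToBigInt(ipText);
  // Optional ":port|lo-hi|*" and ":tcp|udp|*" fields after the address.
  const fields = rest === "" ? [] : rest.slice(1).split(":");
  if (fields.length > 2) throw new Error(`too many fields: ${entry}`);
  let portLo = 1, portHi = 65535, proto = "*";
  if (fields.length >= 1 && fields[0] !== "*") {
    const m = /^(\d+)(?:-(\d+))?$/.exec(fields[0]);
    if (!m) throw new Error(`bad port: ${entry}`);
    portLo = Number(m[1]);
    portHi = m[2] === undefined ? portLo : Number(m[2]);
    if (portLo < 1 || portHi > 65535 || portLo > portHi) throw new Error(`bad port range: ${entry}`);
  }
  if (fields.length === 2) {
    proto = fields[1].toLowerCase();
    if (!["tcp", "udp", "*"].includes(proto)) throw new Error(`bad protocol: ${entry}`);
  }
  return { family, addr, bits, prefix, portLo, portHi, proto };
}

// Does a flow { ip, port, proto } fall inside a parsed entry?
function flowMatches(rule, flow) {
  const family = flow.ip.includes(":") ? 6 : 4;
  if (family !== rule.family) return false;
  const addr = family === 6 ? ipv6ToBigInt(flow.ip) : ipv4ToBigInt(flow.ip);
  const shift = BigInt(rule.bits - rule.prefix);
  if ((addr >> shift) !== (rule.addr >> shift)) return false;
  if (flow.port < rule.portLo || flow.port > rule.portHi) return false;
  return rule.proto === "*" || rule.proto === flow.proto.toLowerCase();
}

// Assumption (the page does not state how overlaps resolve): an exclusion match
// wins over an inclusion match, which is what makes the documented defaults
// (include 0.0.0.0/0, exclude RFC 1918) keep private traffic out of the tunnel.
function classify(flow, inclusions, exclusions) {
  if (exclusions.some(r => flowMatches(r, flow))) return "excluded";
  if (inclusions.some(r => flowMatches(r, flow))) return "included";
  return "not-included";
}

// Constructed sample lists mirroring the documented default configuration.
const SAMPLE_INCLUSIONS = ["0.0.0.0/0"].map(parseEntry);
const SAMPLE_EXCLUSIONS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4"].map(parseEntry);
```

Running a proposed inclusion or exclusion list through parseEntry before saving it catches malformed ports, protocols and prefixes, and classify shows which list a given destination would land in under the assumed precedence.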
- Disaster Recovery
- ZIA Disaster Recovery
ZIA Disaster Recovery provides users access even when the Zscaler Internet Access (ZIA) service is down and is available only to enrolled users.
To configure ZIA Disaster Recovery:
- Select Enable ZIA DR.
- Select from the following traffic forwarding actions in the drop-down menu:
- Send Traffic Direct: Traffic bypasses Zscaler Client Connector, giving the user access to all applications through direct internet access.
- Disable Internet Access: All traffic is dropped at the endpoint and users do not have access to the internet.
- Allow preselected destinations: You can either block or allow access to specific URLs using a custom PAC file. Insert the custom PAC file URL in the Use Custom Destinations URL field.
- Allow Zscaler Preselected Destinations (Recommended): When enabled, users can access only the URLs that are present in the Zscaler-provided global database allowlist. The rest of the URLs are blocked.
- Allow Custom Destinations: Select this option to insert a custom PAC file URL in the Custom Destinations field. You can configure a custom PAC URL (with the http:// or https:// prefix) that users can access when the ZIA service is down. When configured in conjunction with the global database URL, both URL lists are allowed. The custom destinations URL takes precedence when there are any conflicts. You can also forward the traffic to a proxy server.
- When configuring the custom PAC file, ensure that you allow access to the ZPA IP range 100.64.0.0/16 and the ZPA domains zpath.net and zpatwo.net, to prevent blocking ZPA traffic.
- If you have enabled both the Allow Zscaler Preselected Destinations and Allow Custom Destinations fields, ensure that you remove the return drop; statement from the custom PAC file because it blocks the URLs listed in the Zscaler-provided global database allowlist.
Use the following sample custom PAC file:

```javascript
function FindProxyForURL(url, host) {
    var drop = "BLOCK";
    /* Return DIRECT to allow access */
    if ((localHostOrDomainIs(host, "google.com")) ||
        (localHostOrDomainIs(host, "salesforce.com")) ||
        (localHostOrDomainIs(host, "microsoft.com")) ||
        (localHostOrDomainIs(host, "zscaler.com"))) {
        return "DIRECT";
    }
    /* Default block statement to block anything not allowed above */
    return drop;
}
```
- Return DIRECT to allow destination access.
- Return BLOCK (or any other return statement other than DIRECT) to block destination access.
- Return PROXY to forward the selected internet traffic to a proxy server with or without a port. Applies to Zscaler Client Connector version 4.5 for Windows and macOS only.
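The following is an added example, not from Zscaler's documentation, that compiles the sample custom PAC above with stand-in implementations of the standard PAC helper functions and maps its return value to the allow, forward and block outcomes just listed. How the client combines the custom PAC with the global allowlist is modeled here as an assumption (a custom PAC decision wins; the allowlist is consulted only when the PAC returns nothing), and the allowlist contents are constructed.

```javascript
// Added example (not Zscaler code): evaluate a ZIA Disaster Recovery custom PAC
// offline and interpret its result (DIRECT = allow, PROXY = forward, else block).

// Stand-in implementations of the standard PAC helper functions.
const pacHelpers = {
  // True if host equals hostdom, or host is the unqualified form of hostdom.
  localHostOrDomainIs: (host, hostdom) => host === hostdom || hostdom.startsWith(host + "."),
  // True if host ends with the given domain suffix.
  dnsDomainIs: (host, domain) => host.length >= domain.length && host.endsWith(domain),
  // Shell-style wildcard match (* and ?).
  shExpMatch: (str, shexp) =>
    new RegExp("^" + shexp.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*").replace(/\?/g, ".") + "$").test(str),
};

// Compile PAC source into a callable FindProxyForURL with the helpers in scope.
function compilePac(source) {
  const names = Object.keys(pacHelpers);
  const factory = new Function(...names, source + "\nreturn FindProxyForURL;");
  return factory(...names.map(n => pacHelpers[n]));
}

// Map a PAC return value to the DR outcome: "allow", "forward" or "block".
// A PAC that falls off the end without returning yields "none".
function interpretPacResult(result) {
  if (result === undefined || result === null) return "none";
  const r = String(result).trim();
  if (r === "DIRECT") return "allow";
  if (/^PROXY\b/i.test(r)) return "forward";
  return "block";
}

// Assumption (page says only that the custom URL takes precedence on conflict):
// a custom-PAC decision wins, and the global allowlist is consulted only when
// the custom PAC returns nothing for the host.
function drDecision(host, findProxy, globalAllowlist) {
  const verdict = interpretPacResult(findProxy("https://" + host + "/", host));
  if (verdict !== "none") return verdict;
  if (globalAllowlist.some(d => pacHelpers.dnsDomainIs(host, d))) return "allow";
  return "block";
}

// Copy of the page's sample PAC, including its default block statement.
const PAC_WITH_DROP = `
function FindProxyForURL(url, host) {
  var drop = "BLOCK";
  if (localHostOrDomainIs(host, "google.com") ||
      localHostOrDomainIs(host, "salesforce.com") ||
      localHostOrDomainIs(host, "microsoft.com") ||
      localHostOrDomainIs(host, "zscaler.com")) return "DIRECT";
  return drop;
}`;

// The same PAC with "return drop;" removed, as the page advises when the
// Zscaler-provided allowlist is enabled alongside it.
const PAC_WITHOUT_DROP = PAC_WITH_DROP.replace("return drop;", "");

// Constructed stand-in for the Zscaler-provided global database allowlist.
const SAMPLE_GLOBAL_ALLOWLIST = ["office.com", "example.net"];
```

Note that localHostOrDomainIs matches the host name exactly (or its unqualified form), so in the sample PAC www.google.com does not match the google.com entry and is blocked; list each host name, or use dnsDomainIs, if subdomains should also be reachable.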
- DNS Settings:
- Precreate a DNS TXT record with the Zscaler DNS generator tool: To create an Active Domain Name and Domain Public Key, see Creating DNS TXT Records.
If you have ZIA only, you cannot download the DNS Record Generator.
- ZIA Domain name: Enter a valid domain name.
- TXT Record Signing Public Key: Click Upload to add a valid public key. You can only upload .pem files.
- Activation: Activate or test disaster recovery by updating the DNS TXT record value. To learn more, see Creating DNS TXT Records.
- Test Mode: Enable Activate Test Mode if the selected users or groups for the app profile are part of a group to test disaster recovery. Zscaler recommends that disaster recovery be tested periodically with just a few users.
- ZPA Disaster Recovery
ZPA Disaster Recovery provides users access to applications when the Zscaler Private Access (ZPA) service is down and is available only to enrolled users.
To configure ZPA Disaster Recovery:
- Select Enable ZPA DR.
- DNS Settings:
- Precreate a DNS TXT record with the Zscaler DNS generator tool: To create an Active Domain Name and Domain Public Key, see Creating DNS TXT Records.
- Activation Domain Name: Enter a valid domain name.
- TXT Record Signing Public Key: Click Upload to add a valid public key. You can only upload .pem files.
- Activation: Activate or test disaster recovery by updating the DNS TXT record value. To learn more, see Creating DNS TXT Records.
- Test Mode: Enable Activate Test Mode if the selected users and/or groups for the app profile are part of a group to test disaster recovery. Zscaler recommends that disaster recovery be tested periodically with just a few users.
- Business Continuity
Business Continuity in ZPA allows users to continue to access applications during ZPA-related cloud outages or Internet Service Provider (ISP) outages. Select Configure ZPA Business Continuity to enable this feature. To learn more, see Configuring Business Continuity for Zscaler Client Connector.
- DNS
You can add specific DNS domains to send all DNS requests to the ZIA Public Service Edge through Z-Tunnel 2.0. Complete the following steps in the Domain Inclusion and Domain Exclusion fields:
You can enter specific domains (e.g., google.com) or enter * to include or exclude all DNS domains. Press Enter after each entry. You can add multiple items at the same time by separating each item with a comma and then pressing Enter when finished.
- Domain Inclusion: Enter the DNS domains that Zscaler Client Connector should tunnel through ZIA. You can include a maximum of 65,535 characters.
- Domain Exclusion: Enter the DNS domains that Zscaler Client Connector should not tunnel through ZIA. You can exclude a maximum of 65,535 characters.
If you are using the same DNS domain in inclusions and exclusions, the longest domain name suffix is used.
Domain inclusions and exclusions take effect only if the DNS server IP address on the client belongs to RFC 1918 private subnet ranges that are by default excluded from Z-Tunnel 2.0.
- DNS Server Route Exclusion: When enabled, Zscaler Client Connector excludes DNS servers from the routing table.
- Parallel IPv4 and IPv6 DNS requests:
- None: Select this option if you do not want Zscaler Client Connector to modify existing system settings for parallel IPv4 and IPv6 DNS requests. The default is None.
- Disabled: Select this option to allow parallel IPv4 and IPv6 DNS requests via the Windows Registry.
- Enabled: Select this option to turn off parallel IPv4 and IPv6 DNS requests via the Windows Registry. This helps prevent requests from being dropped or blocked.
- Truncate ZPA Large UDP DNS Response: Enable to truncate DNS responses that exceed 512 bytes to retry the DNS query over TCP.
- Update DNS Search Order: When enabled, Zscaler Client Connector prioritizes Zscaler’s DNS over Cisco’s DNS. The higher priority DNS gets the DNS traffic.
- Bind Trusted Criteria DNS request to Default Adapter: This option has Zscaler Client Connector connect the DNS request to the default adapter. By default, this option is enabled. Disabled means Zscaler Client Connector does not connect the Trusted Hostname IP resolution DNS request to the default adapter.
- Prioritize DNS Exclusions over Z-Tunnel 2.0: When enabled, DNS domains listed in the Domain Exclusion bypass Z-Tunnel 2.0 are prioritized even if the DNS server IP address is listed in IPv4 Inclusion or IPv6 Inclusion. Applies only to Zscaler Client Connector version 4.6 and later for Windows.
- Advanced
- Tunnel Internal Client Connector Traffic: Enable this option for Zscaler Client Connector to tunnel internal traffic (e.g., app updates and policy updates) through Zscaler. This option is only applicable if you deploy in a no-default route environment and applies to Zscaler Client Connector version 2.12 and later for Windows. If disabled, Zscaler Client Connector sends internal traffic directly.
When this option is enabled, Zscaler Client Connector does not tunnel PAC requests and continues to send PAC requests directly.
- Intercept ZIA traffic: Enable this option to have Zscaler Client Connector intercept ZIA traffic from all network adapters. This setting only applies to Tunnel Mode with a Packet Filter Based driver. Disable this option to have Zscaler Client Connector intercept ZIA traffic only from the default adapters (adapters with 0.0.0.0/0 route).
- Prioritize IPv4 over IPv6: This setting configures the operating system to prefer IPv4 over IPv6 and impacts applications running on that device. When enabled, this feature has no impact on IPv6 configuration. Applies to Zscaler Client Connector version 3.4 and later for Windows.
- Install Windows Firewall Inbound Rule: When enabled, Zscaler Client Connector installs the Zscaler App Inbound Rule to the Windows firewall.
- Block All Inbound Traffic: When enabled for one or more network types, Zscaler Client Connector installs the Zscaler App Rule as a WFP filter. Inbound traffic is allowed to the tunnel for the selected network types. After selecting one or more network types, the Port-based Exclusions for Inbound Traffic field appears. Enter the port and protocol to exclude the port from being blocked. The port value can range from 1 to 65535. The protocol value can be TCP, UDP, or *.
This feature applies only to Zscaler Client Connector version 4.5 and later for Windows. To use this feature, you must first enable Install WFP Driver and you must not enable Install Windows Firewall Inbound Rule.
- Route Table for Tunnel Connections: Enable to have Zscaler Client Connector follow the routing table to connections for ZIA (i.e, Z-Tunnel 1.0, Z-Tunnel 2.0), ZPA, and bypassed connections. If the setting remains disabled, it instead binds to the system's default interface.
- Reactivate ZIA After: Enter the number of minutes that must pass before Zscaler Client Connector reactivates ZIA after the user turns it off. To enable the reactivation period, enter any value from 1 to 1440 minutes. To disable, enter 0 (zero) so that Zscaler Client Connector doesn't reactivate ZIA after the user turns it off.
- Trigger Domain Profile Detection: Enable this option to have Zscaler Client Connector prevent Windows Defender Firewall Domain Profile detection events during ZPA service connections and disconnections. You can use this setting to ensure that Windows Defender Firewall on remote endpoints (i.e., Off Trusted Network) continues to use the Public Profile when connected via ZPA and applies secure firewall rules (e.g., you can block inbound internet traffic). However, when the endpoint is on-premises (i.e., Trusted Network), Windows Defender Firewall can automatically switch to the Domain Profile. Applies to Zscaler Client Connector version 4.4 or later for Windows.
To use this feature, you must enable the Install WFP Driver feature.
- Block Domain Profile Detection: When you enable Trigger Domain Profile Detection, you can select the different network types for which Zscaler Client Connector blocks Windows Defender Firewall domain profile detection. Choose Select All or one or more of the following options from the drop-down menu:
- On Trusted Network
- VPN Trusted Network
- Off Trusted Network
- Split VPN Trusted Network
- Data Protection
- Install Endpoint DLP: Enable Install Endpoint DLP to install Endpoint Data Loss Prevention (DLP) on a device. To learn more, see About Endpoint Data Loss Prevention and Zscaler Endpoint Data Loss Prevention (DLP) Integration with Zscaler Client Connector.
- App Fail Open
If fail-open settings are also configured in Client Connector Support, these fail-open settings take precedence. This feature is available only in Zscaler Client Connector version 4.6 and later for Windows.
- ZIA Cloud Not Reachable: Select one of the following options to set what happens if the ZIA cloud is not available:
- Follow Global Config: Allow access based on the setting in ZIA Cloud Not Reachable in Client Connector Support. This option is selected by default.
- Direct Internet Access: Users are allowed to bypass the app and access the internet directly.
- Disable Internet Access: Blocks HTTP/HTTPS traffic. All other traffic is allowed.
- Fallback to ZIA DR: If Enable ZIA DR is enabled, follow the traffic forwarding settings in ZIA Disaster Recovery.
- Z-Tunnel Failover: Select one of the following options to set what happens if Zscaler Client Connector cannot establish a tunnel (Z-Tunnel 1.0 only):
- Follow Global Config: Allow access based on the setting in Z-Tunnel Failover in Client Connector Support. This option is selected by default.
- Direct Internet Access: Users are allowed to bypass the app and access the internet directly.
- Disable Internet Access: Blocks HTTP/HTTPS traffic. All other traffic is allowed.
- Fallback to ZIA DR: If Enable ZIA DR is enabled, follow the traffic forwarding settings in ZIA Disaster Recovery.
- Zscaler Client Connector Fail Close Settings: Enter the settings to use when Zscaler Client Connector is in strict enforcement mode and is in a fail-close state. You can include a configuration file with these settings when installing Zscaler Client Connector in strict enforcement mode using an MSI file or an EXE file. If Zscaler Client Connector cannot retrieve the config profile after an initial enrollment attempt, Zscaler Client Connector uses these settings until the config profile is retrieved from the Zscaler back-end servers.
- Process-Based Application Bypass: Allows bypassing of process-based applications created in Application Bypass. Select an option from the drop-down menu.
- IP Address Bypasses: Allows bypassing of IP addresses. Enter any of the following:
- An IP address (e.g., 192.0.2.1)
- A subnet (e.g., 192.0.2.0/24)
- An IP:Port range (e.g., 192.0.2.1:80, 192.0.2.1:80-100, or 192.0.2.1:*)
- An IP:Port:Protocol (e.g., 192.0.2.1:80:tcp, 192.0.2.1:80-100:udp, or 192.0.2.1:80:*)
- Exit or Uninstall Password: Provide the password users must enter to exit or uninstall Zscaler Client Connector when in a fail-close state.
- Thumbprint: The public key to use with the fail-close settings configuration file. Click Copy to copy the thumbprint for use during installation.
- Download ZCC Fail Close Configuration: Download a configuration file with these settings to use when installing Zscaler Client Connector.
- Passwords
Configure the following optional passwords:
- Logout Password: Provide the password users must enter to log out of Zscaler Client Connector.
- Disable Password ZIA: Provide the password users must enter to disable the ZIA service.
- Disable Password ZPA: Provide the password users must enter to disable the ZPA service.
- Exit Password: For Zscaler Client Connector version 3.5 and later for Windows, provide the password users must enter to exit the app from the system tray without disabling ZIA. For Zscaler Client Connector version 3.5 or earlier for Windows, this setting has the same functionality as Disable Password ZIA.
- Uninstall Password: Provide the password users must enter to uninstall Zscaler Client Connector.
- Password to Disable ZDX: Provide the password users must enter to disable the Zscaler Digital Experience (ZDX) service.
- Password to Disable Endpoint DLP: Enter a password to disable the Endpoint Data Loss Prevention (DLP) feature.
Click the View icon next to each password setting to show or hide the password.
- Authentication
- Machine Token: Select the machine token to which the rule applies from the drop-down menu. Machine tokens are configured in the ZPA Admin Portal.
In the ZPA Admin Portal, machine tokens are referred to as Machine Provisioning Keys.
- ZPA Machine Authentication: When you enable this option, you require users to authenticate against your IdP before the machine tunnel starts if you use the machine tunnel feature in ZPA.
If you are subscribed to ZIdentity and you have multi-factor authentication enabled in the ZIdentity Admin Portal, you must disable this option because Internet Explorer 11 does not support multi-factor authentication. To learn more, see What Is ZIdentity?
- Force ZPA authentication to expire: To trigger ZPA authentication to expire, choose Select All or one or more of the following actions from the drop-down menu:
- On System Sleep/Hibernate
- On System Restart
- On Network IP Change
- Windows Logon Session Start: If enabled, this option triggers the expiration of ZPA authentication if users log in to Windows with fast startup enabled. Applies to Zscaler Client Connector version 4.5 and later.
- Windows Session Lock: If enabled, this option triggers the expiration of ZPA authentication after a Windows user session has been locked for the number of minutes in the Minimum Time in Locked State (In Minutes) field. You can enter a number of minutes from 1 to 60. Applies to Zscaler Client Connector version 4.6 and later for Windows.
- Notification and Logging
- Log Mode: Zscaler Client Connector generates logs that users can send to a designated support admin in your organization, or to Zscaler Support (in encrypted form). To specify the scope of the logs, select one of the following log modes:
- Default (Current: <log mode>): Displays the default global log mode configured in Platform Settings. You can override this setting, for the current profile only, by selecting a different option from the drop-down menu.
- Error: Zscaler Client Connector logs only when the app encounters an error and functionality is affected.
- Warn: Zscaler Client Connector logs when the app is functioning but is encountering potential issues, or when conditions for the Error log mode are met.
- Info: Zscaler Client Connector logs general app activity, or when conditions for the Warn log mode are met.
- Debug: Zscaler Client Connector logs all app activity that could assist Zscaler Support in debugging issues, or when conditions for the Info log mode are met.
- Log File Size in MB: If you are using Zscaler Client Connector for ZPA only, skip this option. Enter a value between 50 and 1000 to specify the maximum size of the log file. The default log file size is 100 MB per log type. When logs reach the maximum file size, the oldest logs are truncated from the file to keep the file size below the maximum.
- Use Zscaler Notification Framework: This option enables notifications from the Zscaler Notification Framework instead of from the Windows-based notification system.
- Notify Users before ZPA Authentication Expires: Enable this option to alert users that their ZPA authentication for applications they recently accessed is about to expire. In the warning message that displays, users can click Reauthenticate to go to an authentication screen before expiration. You can set how many minutes before expiration the notification displays in the Advanced Notification time (In Mins) field. Enter a value between 5 and 1440. Users can also click Authenticate Early on the Private Access page, under the Connectivity section, in Zscaler Client Connector, to reauthenticate ZPA before their authentication expires.
- Flow Logging: When enabled, a WFP-based Zscaler driver is installed for flow logging to capture excluded traffic.
You must enable Install WFP Driver to use this feature.
Zscaler Client Connector logs and reports traffic flows to ZIA from the following areas you enable:
- ZPA: Traffic that goes through the ZPA Tunnel.
- Direct: Traffic that goes to the internet/intranet directly (i.e., the traffic not handled by Zscaler or VPN).
- Report Zscaler Client Connector Blocked Traffic: Whether the Flow Logger should report the traffic blocked by Zscaler Client Connector. This type of flow is also known as Unclassified Flow.
- Captive Portal
These settings apply only to Zscaler Client Connector version 4.5 and later for Windows. If you use Zscaler Client Connector version 4.4 or earlier for Windows, you can enable captive portal detection on the Client Connector Support page. To learn more, see Configuring Fail-Open Settings for Zscaler Client Connector.
- Captive Portal Detection: Select to enable captive portal detection.
- Fail Open: Select to enable a fail-open state if a captive portal is detected. If enabled, Zscaler Client Connector blocks all traffic until users register in the captive portal using the embedded browser.
To use this feature, you must first enable Embedded Captive Portal in the app profile.
- If Captive Portal Detected, Then Disable Web Security for: Enter the number of minutes the app must keep its services disabled after detecting a captive portal when Fail Open is enabled. You can enter any value between 1 and 60. After the specified period, the app enables its services automatically and traffic is forwarded to the Zscaler service.
When configuring fail-open settings, Zscaler recommends setting this value so that users have a reasonable amount of time, measured from the network change detection, to finish entering the information the portal requests. You cannot enter 0 (zero) in this field with Zscaler Client Connector version 4.5 and later for Windows. To disable captive portal detection, use the Captive Portal Detection field instead.
- Embedded Captive Portal: Select to enable an embedded browser for use when Zscaler Client Connector detects a captive portal. If enabled, the captive portal loads in the embedded browser (not the default browser) for user authentication. Users do not access the internet directly. All network traffic is blocked except for Zscaler Client Connector processes (DHCP, DNS, LDAP, and Kerberos). Zscaler Client Connector does not apply internet security to the captive portal, so you must use a separate antivirus solution if you want to secure captive portal traffic.
Zscaler recommends that you enable the Zscaler Notification Framework so that end users receive a pop-up notification that allows them to open the captive portal with one click. To learn more, see Using the Zscaler Notification Framework.
To use this feature, you must first enable Install WFP Driver in the app profile and enable WebView2. To learn more, see Enabling WebView2 Authentication.
- Packet Capture for Captive Portal: This option automatically starts packet capture when Zscaler Client Connector detects a captive portal. Zscaler Client Connector captures packets until 5 minutes have passed, the user successfully authenticates to the captive portal and the internet becomes available, or the disk space limit is reached. The disk space limit is the default setting (1 GB) or the latest limit set during manual packet capture.
The app displays notifications to users, but users do not need to manually start or stop the packet capture. The packet capture files are stored with the Zscaler Client Connector logs.
To use this feature, you must also enable local packet capture. To learn more, see Enabling Packet Capture for Zscaler Client Connector.
- SCCM Client
Enable Configuration to specify the location detection behavior of the SCCM client for each of the following trusted network types. This option is only applicable for Zscaler Client Connector version 3.6 and later for Windows. Select Cloud Management Gateway (CMG) to force the SCCM client to always use the internet, or Location Discovery, which is the default:
- On Trusted Network
- VPN Trusted Network
- Off Trusted Network
- Split VPN Trusted Network
- Command Line Interface Access
Enable Command Line Interface to allow admins to interact with Zscaler Client Connector via a CLI. Applies to Zscaler Client Connector version 4.4 or later for Windows. For Disable Services, click Disable ZPA Password to require a password when disabling the ZPA service via CLI. Click Generate Password to generate a password to disable the ZPA service in the CLI. Click Copy to copy the generated password. Passwords expire after two hours.
- Health Metrics
This feature is available only for Zscaler Client Connector version 4.6 and later for Windows.
- Local Metrics: Enable to collect metrics including device events, statistics, profile, statistics for Zscaler Client Connector processes, and the top 5 processes. These metrics do not include PII (personally identifiable information). The default value is enabled.
- End to End Diagnostics: Enable to collect additional data for the selected network types.
- Advanced
- Enable Anti-tampering: Enable to turn on anti-tampering protection, which prevents end users from stopping and modifying Zscaler endpoint products.
You can set a timer to re-enable Zscaler Client Connector if a user disables it using the one-time password (OTP). In the Reactivate Anti-Tampering After (In Mins) field, enter a value between 0 and 1440 minutes.
- Override Anti Tampering Install Parameter: Enable to use the Enable Anti-tampering setting from the app profile regardless of how the --enableAntiTampering or ENABLEANTITAMPERING install option was set during installation. Applies to Zscaler Client Connector version 4.5 and later for Windows only.
- Send Disable Service Reason: This option allows users to send a description of why a Zscaler service (e.g., ZIA, ZPA, ZDX) was disabled on a device. By default, this option is disabled. This information is accessible when viewing device details.
- Enable Zscaler Client Connector Revert: When enabled, users have the option to revert to the previous Zscaler Client Connector version. Applies to Zscaler Client Connector version 3.9 and later for Windows. In the Revert Password field, provide the password that users must enter to revert to the previous Zscaler Client Connector version. Click the View icon to show or hide the password.
- Highlight Active Control: Enable this option to display an outline around an actively selected control. Applies to Zscaler Client Connector version 2.1.2 and later for Windows.
- Clear Kerberos DC: Enable to clear the list of Kerberos preferred domain controllers in the cache when Zscaler Client Connector connects to and disconnects from ZPA. Applies to Zscaler Client Connector version 4.5 and later for Windows only.
- Force Location refresh on SCCM Client: Enable this option to have Zscaler Client Connector trigger a location sync with the management point when the device connects to or disconnects from ZPA instead of waiting for the SCCM client to do the automatic sync. Applies to Zscaler Client Connector version 4.5 and later for Windows only.
- Policy
- macOS
To add a new macOS policy rule:
- In the left-side navigation, click App Profiles and select macOS.
- Click Add macOS Policy. The Add macOS Policy window appears.
- In the Add macOS Policy window, you can configure the following settings:
- General
- Name: Enter a unique alphanumeric name for your policy rule.
- Rule Order: Select the appropriate rule order value from the drop-down menu. The rule order reflects the order of precedence among configured profile policy rules and helps determine which rule the app downloads for a user upon enrollment. Precedence is based on ascending numerical order.
- Status: Select Disabled to inactivate the rule or select Enabled to activate the rule. If you don’t enable the rule, the policy rule is not enforced.
- Forwarding Profile: Select a forwarding profile of your configured forwarding profiles from the drop-down menu. You can also search for items to select. To learn more, see Configuring Forwarding Profiles for Zscaler Client Connector.
If you're using Zscaler Tunnel (Z-Tunnel) 2.0, you must choose a forwarding profile with Z-Tunnel 2.0 selected. To learn more, see About Z-Tunnel 1.0 & Z-Tunnel 2.0.
- ZIA Posture Profile: Select a posture profile from the drop-down menu to apply to the app profile. You can also search for items to select.
- Install Zscaler SSL Certificate: If you’re using Zscaler Client Connector for Zscaler Private Access (ZPA) only, skip this option. Enable this option to allow Zscaler Client Connector to automatically install the Zscaler SSL certificate on users’ devices. If you uploaded your organization’s custom certificate in the Zscaler Client Connector Portal, the app installs your organization’s custom certificate instead.
- Groups
- User Groups: When a user enrolls Zscaler Client Connector with the Zscaler service, Zscaler Client Connector checks the group to which the user belongs and downloads the app profile with the appropriate rule.
- Click Selected to select user groups from the drop-down menu. The groups you've configured in the ZIA Admin Portal are displayed in this menu. There is no limit to the number of groups you can select.
- Click All to select all groups.
When new user groups are added, they are automatically selected. You can clear the checkbox to exclude them from your policy.
- Users: Select this option to apply this rule to specific users. The users you've configured in the ZIA Admin Portal are displayed in this menu after a user enrolls Zscaler Client Connector with the Zscaler service. Zscaler Client Connector checks whether the enrolling user is one of the selected users and downloads the app profile with the appropriate rule. You can select up to 50 users. By default, no users are selected.
Don't select a user or a user group if you want to create and save a rule before applying it to a user or a user group.
- Device Groups: Select this option to apply this rule to specific groups or to all device groups. Click Select All to select all device groups or select individual groups from the drop-down menu. Device groups created in the Zscaler Client Connector Portal are displayed in this menu. To learn more, see Creating Device Groups.
- Traffic Steering
- Pac and Proxy
PAC Configuration:
- If you're using Zscaler Client Connector for Zscaler Private Access (ZPA) only, skip this option. Enter a valid PAC URL in the Custom PAC URL field if you want Zscaler Client Connector to forward all internet traffic to the Zscaler service and want to specify exceptions for certain types of traffic. The maximum number of characters is 512.
- Fallback to gateway domain: When you select this checkbox, Zscaler Client Connector falls back to the gateway domain when PAC proxies cannot be reached for Z-Tunnel 1.0.
You must add a Custom PAC URL before you can use one of the following preferred ports.
- Use Preferred Port from PAC for Z-Tunnel 1.0: If enabled, Zscaler Client Connector uses the custom port from the PAC file for Z-Tunnel 1.0. This feature does not impact the default ports 80, 443, and 8080.
- Use Preferred Port from PAC for Z-Tunnel 2.0: If enabled, Zscaler Client Connector uses the custom port from the PAC file for Z-Tunnel 2.0. This feature does not impact the default ports 80, 443, and 8080.
If you want to allow a user to bypass the app when connecting to the VPN gateway, you can do so using the VPN Gateway Bypass option.
- Proxy Configuration: Select from the following options:
- V8 JavaScript based PAC Parser: Enable Google’s open-source V8 engine to compile JavaScript for the PAC parser.
For Zscaler Client Connector version 4.3 and later for macOS, the legacy PAC parser option is not available. All users must use the V8 JavaScript based PAC Parser option.
- Set Proxies on VPN Adapters: When enabled, Zscaler Client Connector sets configured proxy settings on VPN adapters in addition to physical adapters.
- Cache System Proxy: Enable this option to save and restore proxy settings. This setting stores any existing system proxy settings when Zscaler Client Connector initiates. If a user exits or logs out of the app or if a user turns off ZIA from the app, proxy settings are restored to the system.
- App and IP Bypass
- Global Bypasses
Configure traffic bypass for process-based applications and VPN gateways.
- Process-Based Application Bypass: When enabled, this option uses the Transparent Proxy System Extension to bypass applications defined via Application Bundle Identifier using the configuration profile in the mobile device management (MDM). To learn more, see Deploying Zscaler Client Connector with JAMF Pro for macOS and Deploying Zscaler Client Connector with Microsoft Intune for macOS.
- VPN Gateway Bypass: You can allow traffic destined for the VPN to bypass Zscaler Client Connector. The app sets the routing table to exclude any traffic destined for the VPN gateway.
When a route-based driver is in use, the app creates IP-based exclude routes in the routing table.
When your users have a VPN client running on their devices in conjunction with Zscaler Client Connector, the VPN gateway bypass must be used in these scenarios:
- You selected Tunnel for the forwarding profile action of any trusted network type.
- Your VPN runs in split-tunnel mode so that it takes some, but not all, user traffic from the device.
To allow traffic to bypass Zscaler Client Connector using Tunnel mode, enter any of the following for all of your VPN gateways:
- A FQDN (e.g., www.safemarch.com). If you add a fully qualified domain name (FQDN), the FQDN resolves and all resulting IP addresses are added to the bypass list at the start of the tunnel. However, if the FQDN resolves to a different IP address later, that address might not be bypassed. Zscaler recommends adding an IP or subnet where possible. Adding too many FQDNs can slow tunnel startup because Zscaler Client Connector resolves all these domains before starting tunneling.
- A specific IP address (e.g., 192.0.2.1)
- A subnet (e.g., 192.0.2.0/24)
Press Enter after each entry. You can add multiple items at the same time by separating each item with a comma and then pressing Enter when finished. To ensure against connectivity issues, you must include all the VPN hostnames, IP addresses, or subnets to which the VPN connects.
To allow traffic to bypass Zscaler Client Connector using Tunnel with Local Proxy mode, Zscaler recommends adding the IP address or addresses and hostname of the VPN gateway to the system PAC file in the forwarding profile to enable direct connections for VPN traffic. To learn more, see Best Practices for Using PAC Files with Zscaler Client Connector.
While you can also use this field to bypass non-VPN destinations, you must limit the number of items in this list because Zscaler Client Connector attempts to resolve all entries after a network change.
- IP Bypasses
For Z-Tunnel 2.0 only, you can configure traffic bypass for IP-based applications and add subnets for IPv4 and IPv6 inclusions and exclusions. You must choose a forwarding profile with Z-Tunnel 2.0 selected. To learn more, see About Z-Tunnel 1.0 & Z-Tunnel 2.0.
To reset to the default configuration, click Restore Default. For both Destination Exclusions and Destination Inclusions, the default configuration includes all possible subnets (0.0.0.0/0) and excludes the RFC 1918 default private networks.
- Pre-Defined IP-Based Application Bypass: To bypass Z-Tunnel 2.0, click Select All or select applications from the IP-Based application bypass drop-down menu. You can also search for items to select.
- IPv4/IPv6 Inclusions and Exclusions: To add specific subnets to send a specific subset of your traffic to the ZIA Public Service Edge through Z-Tunnel 2.0, complete the following steps.
When adding subnets, the protocol value is *, TCP, or UDP. You can also enter the subnet 0.0.0.0/0, which stands for all possible subnets. The maximum number of characters is 6,144.
- IPv4 Inclusion: Enter the specific subnets of the traffic you want to include for Z-Tunnel 2.0 in the following formats:
- An IP address (e.g., 192.0.2.1)
- A subnet (e.g., 192.0.2.0/24)
- An IP:Port range (e.g., 192.0.2.1:80, 192.0.2.1:80-100, or 192.0.2.1:*)
- An IP:Port:Protocol (e.g., 192.0.2.1:80:tcp, 192.0.2.1:80-100:udp, or 192.0.2.1:80:*)
- IPv4 Exclusion: Enter the specific subnets of the traffic you want to exclude for Z-Tunnel 2.0 in the following formats:
- An IP address (e.g., 192.0.2.1)
- A subnet (e.g., 192.0.2.0/24)
- An IP:Port range (e.g., 192.0.2.1:80, 192.0.2.1:80-100, or 192.0.2.1:*)
- An IP:Port:Protocol (e.g., 192.0.2.1:80:tcp, 192.0.2.1:80-100:udp, or 192.0.2.1:80:*)
- IPv6 Inclusion: Enter the specific subnets of the traffic you want to include for Z-Tunnel 2.0 in the following formats:
- An IP address (e.g., [2001:0000::])
- A subnet (e.g., [2001:0000::/32])
- An IP:Port range (e.g., [2001:0000::]:80, [2001:0000::]:80-100, or [2001:0000::]:*)
- An IP:Port:Protocol (e.g., [2001:0000::]:80:tcp)
- IPv6 Exclusion: Enter the specific subnets of the traffic you want to exclude for Z-Tunnel 2.0 in the following formats:
- An IP address (e.g., [2001:0000::])
- A subnet (e.g., [2001:0000::/32])
- An IP:Port range (e.g., [2001:0000::]:80, [2001:0000::]:80-100, or [2001:0000::]:*)
- An IP:Port:Protocol (e.g., [2001:0000::]:80:tcp)
By default, the Zscaler service includes the RFC 1918 networks (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) in the exclusions list. To learn more, refer to RFC 1918 Address Allocation for Private Internets. Zscaler also includes the multicast range 224.0.0.0/4. Zscaler recommends that you keep these networks in the list, unless explicitly needed, because deleting them causes private network traffic (e.g., DHCP) to be tunneled through the cloud.
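Entries in these fields are easy to get wrong by hand (a bracket missing on an IPv6 address, a port above 65535, an IPv6 entry pasted into the IPv4 field, or a default exclusion deleted by accident). The following validator is an added example written for this article, not Zscaler's code. It parses each of the entry forms listed above into a structured record, enforces the 6,144-character limit (applied per field here), flags entries of the wrong address family, and reports which of the default exclusions (the RFC 1918 networks and 224.0.0.0/4) are absent from an exclusion list. Rejecting a subnet combined with a port or protocol is this example's own conservative choice, since the page documents ports only on single addresses. The sample field contents are constructed.

```javascript
// Added example (editor's code, not Zscaler's): validate Z-Tunnel 2.0 IPv4/IPv6
// inclusion and exclusion entries before saving an app profile. Entry forms:
//   addr | addr/prefix | addr:port | addr:from-to | addr:* | addr:port:proto
// with IPv6 addresses in square brackets, e.g. [2001:0000::]:80-100:udp.
const PROTOCOLS = new Set(['*', 'tcp', 'udp']);
const MAX_FIELD_CHARS = 6144;                 // page's limit, applied per field here
const DEFAULT_V4_EXCLUSIONS = ['10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16', '224.0.0.0/4'];

function isIPv4(s) {
  const p = s.split('.');
  return p.length === 4 && p.every((x) => /^\d{1,3}$/.test(x) && Number(x) <= 255);
}

// Minimal RFC 4291 text-form check: hex groups of up to 4 digits, at most one "::",
// eight groups in total (no embedded IPv4 or zone index).
function isIPv6(s) {
  if (!/^[0-9a-fA-F:]+$/.test(s)) return false;
  const halves = s.split('::');
  if (halves.length > 2) return false;
  const groups = (h) => (h === '' ? [] : h.split(':'));
  const all = [...groups(halves[0]), ...(halves.length === 2 ? groups(halves[1]) : [])];
  if (all.some((g) => g === '' || g.length > 4)) return false;
  return halves.length === 2 ? all.length <= 7 : all.length === 8;
}

// "80", "80-100" or "*" -> {from, to}; null when malformed or out of range.
function parsePort(spec) {
  if (spec === '*') return { from: 1, to: 65535 };
  const m = /^(\d{1,5})(?:-(\d{1,5}))?$/.exec(spec);
  if (!m) return null;
  const from = Number(m[1]);
  const to = m[2] === undefined ? from : Number(m[2]);
  return from >= 1 && to <= 65535 && from <= to ? { from, to } : null;
}

// Parse one entry into {entry, family, address, prefix, port, protocol} or {entry, error}.
function parseEntry(raw) {
  const entry = raw.trim();
  const fail = (error) => ({ entry, error });
  let family, addrPart, rest;
  if (entry.startsWith('[')) {                      // IPv6: [addr[/prefix]][:port[:proto]]
    const close = entry.indexOf(']');
    if (close < 0) return fail('missing "]"');
    family = 6;
    addrPart = entry.slice(1, close);
    rest = entry.slice(close + 1);
    if (rest !== '' && !rest.startsWith(':')) return fail('unexpected text after "]"');
    rest = rest.slice(1);
  } else {                                           // IPv4: addr[/prefix][:port[:proto]]
    const i = entry.indexOf(':');
    family = 4;
    addrPart = i < 0 ? entry : entry.slice(0, i);
    rest = i < 0 ? '' : entry.slice(i + 1);
  }
  const [address, prefixStr, ...junk] = addrPart.split('/');
  if (junk.length) return fail('malformed prefix');
  if (!(family === 4 ? isIPv4 : isIPv6)(address)) return fail(`invalid IPv${family} address`);
  const maxPrefix = family === 4 ? 32 : 128;
  let prefix = maxPrefix;
  if (prefixStr !== undefined) {
    if (!/^\d{1,3}$/.test(prefixStr) || Number(prefixStr) > maxPrefix) return fail('invalid prefix length');
    prefix = Number(prefixStr);
  }
  const fields = rest === '' ? [] : rest.split(':');
  if (fields.length > 2) return fail('too many ":" fields');
  // Editor's assumption: ports are only documented on single addresses, not subnets.
  if (fields.length && prefix !== maxPrefix) return fail('port/protocol is only documented for a single address');
  const port = fields.length ? parsePort(fields[0]) : { from: 1, to: 65535 };
  if (!port) return fail('invalid port or port range');
  const protocol = fields.length === 2 ? fields[1].toLowerCase() : '*';
  if (!PROTOCOLS.has(protocol)) return fail('protocol must be *, tcp or udp');
  return { entry, family, address, prefix, port, protocol };
}

// Validate a whole field as typed into the portal (comma-separated) for the address
// family that field expects. Returns the parsed entries and every problem found.
function validateBypassField(text, family) {
  const errors = [];
  if (text.length > MAX_FIELD_CHARS) errors.push(`field is ${text.length} characters; limit is ${MAX_FIELD_CHARS}`);
  const entries = [];
  for (const raw of text.split(',').map((s) => s.trim()).filter(Boolean)) {
    const parsed = parseEntry(raw);
    if (parsed.error) errors.push(`${raw}: ${parsed.error}`);
    else if (parsed.family !== family) errors.push(`${raw}: IPv${parsed.family} entry in the IPv${family} field`);
    else entries.push(parsed);
  }
  return { entries, errors };
}

// Default exclusions absent from a parsed IPv4 exclusion list: deleting them sends
// private-network traffic such as DHCP through the cloud tunnel.
function missingDefaultExclusions(entries) {
  const present = new Set(entries.map((e) => `${e.address}/${e.prefix}`));
  return DEFAULT_V4_EXCLUSIONS.filter((net) => !present.has(net));
}

// Constructed sample contents of an IPv4 Exclusion field (192.168.0.0/16 was removed).
const SAMPLE_V4_EXCLUSIONS = '10.0.0.0/8, 172.16.0.0/12, 192.0.2.1:80-100:udp, 192.0.2.7:*, 224.0.0.0/4';

if (typeof require !== 'undefined' && require.main === module) {
  const result = validateBypassField(SAMPLE_V4_EXCLUSIONS, 4);
  console.log(result.errors, missingDefaultExclusions(result.entries));
}
```

Run it with Node.js against the text you intend to paste into each field; an empty errors array and an empty list from missingDefaultExclusions() is the state to aim for before saving.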
- Disaster Recovery
- ZIA Disaster Recovery
ZIA Disaster Recovery provides users access even when the Zscaler Internet Access (ZIA) service is down and is available only to enrolled users.
To configure ZIA Disaster Recovery:
- Select Enable ZIA DR.
- Select from the following traffic forwarding actions in the drop-down menu:
- Send Traffic Direct: Traffic bypasses Zscaler Client Connector, giving the user access to all applications through direct internet access.
- Disable Internet Access: All traffic is dropped at the endpoint and users do not have access to the internet.
- Allow preselected destinations: You can either block or allow access to specific URLs using a custom PAC file. Insert the custom PAC file URL in the Use Custom Destinations URL field.
- Allow Zscaler Preselected Destinations (Recommended): When enabled, users can access only the URLs that are present in the Zscaler-provided global database allowlist. The rest of the URLs are blocked.
- Allow Custom Destinations: Select this option to insert a custom PAC file URL in the Custom Destinations field. You can configure a custom PAC URL (with the http:// or https:// prefix) that users can access when the ZIA service is down. When configured in conjunction with the global database URL, both URL lists are allowed. The custom destinations URL takes precedence when there are any conflicts. You can also forward the traffic to a proxy server.
- When configuring the custom PAC file, ensure that you allow access to the ZPA IP range 100.64.0.0/16 and the ZPA domains zpath.net and zpatwo.net, to prevent blocking ZPA traffic.
- If you have enabled both the Allow Zscaler Preselected Destinations and Allow Custom Destinations fields, ensure that you remove the return drop; statement from the custom PAC file because it blocks the URLs listed in the Zscaler-provided global database allowlist.
Use the following sample custom PAC file:

```javascript
function FindProxyForURL(url, host) {
    var drop = "BLOCK";
    /* Return DIRECT to allow access */
    if (localHostOrDomainIs(host, "google.com") ||
        localHostOrDomainIs(host, "salesforce.com") ||
        localHostOrDomainIs(host, "microsoft.com") ||
        localHostOrDomainIs(host, "zscaler.com")) {
        return "DIRECT";
    }
    /* Default block statement to block anything not allowed above.
       Remove it if Allow Zscaler Preselected Destinations is also enabled. */
    return drop;
}
```

Note that localHostOrDomainIs() matches the host exactly (or an unqualified hostname that is a prefix of the domain); it does not match subdomains, so www.google.com is not allowed by the rule above. Use dnsDomainIs(host, ".google.com") in addition if subdomains must be reachable during a ZIA outage.
- Return DIRECT to allow destination access.
- Return BLOCK (or any other return statement other than DIRECT) to block destination access.
- Return PROXY to forward the selected internet traffic to a proxy server with or without a port. Applies to Zscaler Client Connector version 4.5 for Windows and macOS only.
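A DR PAC only gets exercised when ZIA is already down, so it is worth checking offline that every ZPA destination returns DIRECT before the file is published. The harness below is an added example written for this article, not Zscaler's code: it reimplements the standard PAC helper functions (dnsResolve, dnsDomainIs, localHostOrDomainIs, shExpMatch, isInNet) with the semantics browsers use, compiles a PAC from its source text, and evaluates it against a list of URLs in Node.js. The PAC text, hostnames, proxy name and the resolver table are constructed for the example; 100.64.0.0/16, zpath.net and zpatwo.net are the ZPA range and domains the notes above say the PAC must allow. It also demonstrates why the sample's localHostOrDomainIs() calls match only the bare domain.

```javascript
// Added example (editor's code, not Zscaler's): evaluate a ZIA Disaster Recovery
// custom PAC file offline by reimplementing the standard PAC helpers in Node.js.
// The PAC text, hostnames, proxy name and resolver table are constructed;
// 100.64.0.0/16, zpath.net and zpatwo.net are the ZPA destinations a DR PAC must allow.

// Constructed stand-in resolver: ZPA private apps resolve on the client to synthetic
// 100.64.0.0/16 addresses, which is what an isInNet() check inside the PAC sees.
const DNS_TABLE = new Map([['crm.corp.example.com', '100.64.2.10']]);

function ipv4ToInt(s) {
  const p = String(s).split('.');
  if (p.length !== 4 || !p.every((x) => /^\d{1,3}$/.test(x) && Number(x) <= 255)) return null;
  return ((Number(p[0]) << 24) | (Number(p[1]) << 16) | (Number(p[2]) << 8) | Number(p[3])) >>> 0;
}

// --- Standard PAC helpers, with the semantics browsers implement ---
function dnsResolve(host) { return DNS_TABLE.get(host) ?? null; }
function isPlainHostName(host) { return !host.includes('.'); }
// dnsDomainIs: plain suffix match; pass a leading dot to match subdomains only.
function dnsDomainIs(host, domain) { return host.endsWith(domain); }
// localHostOrDomainIs: exact match, or an unqualified host that is a prefix of
// hostdom. It does NOT match subdomains: ("www.google.com", "google.com") is false.
function localHostOrDomainIs(host, hostdom) { return host === hostdom || hostdom.startsWith(host + '.'); }
// shExpMatch: shell-style glob ("*" and "?") over the whole string.
function shExpMatch(str, pattern) {
  const re = pattern.replace(/[.+^${}()|[\]\\]/g, '\\$&').replace(/\*/g, '.*').replace(/\?/g, '.');
  return new RegExp('^' + re + '$').test(str);
}
// isInNet: resolves a hostname first, as browsers do, then masks and compares.
function isInNet(host, pattern, mask) {
  const ip = ipv4ToInt(host) !== null ? host : dnsResolve(host);
  if (ip === null) return false;
  const a = ipv4ToInt(ip), n = ipv4ToInt(pattern), m = ipv4ToInt(mask);
  if (a === null || n === null || m === null) return false;
  return ((a & m) >>> 0) === ((n & m) >>> 0);
}

// Compile PAC text into a callable FindProxyForURL. The helpers are passed in as
// parameters of a wrapper function, so the PAC sees them as globals.
function compilePac(pacSource) {
  const helpers = { dnsResolve, isPlainHostName, dnsDomainIs, localHostOrDomainIs, shExpMatch, isInNet };
  const names = Object.keys(helpers);
  const factory = new Function(...names, pacSource + '\nreturn FindProxyForURL;');
  return factory(...names.map((k) => helpers[k]));
}

// Evaluate one URL the way the client would: the PAC gets the full URL and the host.
function evaluatePac(pacSource, url) {
  return compilePac(pacSource)(url, new URL(url).hostname);
}

// Run a list of URLs through the PAC once and return { url: decision }.
function checkPac(pacSource, urls) {
  const find = compilePac(pacSource);
  return Object.fromEntries(urls.map((u) => [u, find(u, new URL(u).hostname)]));
}

// Constructed DR PAC: keep ZPA reachable, allow one SaaS domain with its subdomains,
// send a legacy intranet app to an on-premises proxy, block everything else.
const DR_PAC = `
function FindProxyForURL(url, host) {
  var drop = "BLOCK";
  if (isInNet(host, "100.64.0.0", "255.255.0.0") ||
      dnsDomainIs(host, ".zpath.net") || dnsDomainIs(host, ".zpatwo.net"))
    return "DIRECT";
  if (host == "example.com" || dnsDomainIs(host, ".example.com"))
    return "DIRECT";
  if (shExpMatch(url, "http://intranet.example.net/*"))
    return "PROXY proxy.example.net:3128";
  return drop;
}`;

if (typeof require !== 'undefined' && require.main === module) {
  console.log(checkPac(DR_PAC, [
    'https://app.zpath.net/', 'https://crm.corp.example.com/', 'https://www.example.com/login',
    'http://intranet.example.net/app', 'https://updates.example.org/',
  ]));
}
```

Feed the harness the exact PAC text you will host at the Custom Destinations URL, plus one URL per ZPA application and per business-critical destination; anything that does not come back DIRECT (or the PROXY you intended) will be unreachable for users during a ZIA outage.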
- DNS Settings:
- Precreate a DNS TXT record with the Zscaler DNS generator tool: To create an Active Domain Name and Domain Public Key, see Creating DNS TXT Records.
If you have ZIA only, you cannot download the DNS Record Generator.
- ZIA Domain name: Enter a valid domain name.
- TXT Record Signing Public Key: Click Upload to add a valid public key. You can only upload .pem files.
- Activation: Activate or test disaster recovery by updating the DNS TXT record value. To learn more, see Creating DNS TXT Records.
- Test Mode: Enable Activate Test Mode if the selected users or groups for the app profile are part of a group to test disaster recovery. Zscaler recommends that disaster recovery be tested periodically with just a few users.
- ZPA Disaster Recovery
ZPA Disaster Recovery provides users access to applications when the Zscaler Private Access (ZPA) service is down and is available only to enrolled users.
To configure ZPA Disaster Recovery:
- Select Enable ZPA DR.
- DNS Settings:
- Precreate a DNS TXT record with the Zscaler DNS generator tool: To create an Active Domain Name and Domain Public Key, see Creating DNS TXT Records.
- Activation Domain Name: Enter a valid domain name.
- TXT Record Signing Public Key: Click Upload to add a valid public key. You can only upload .pem files.
- Activation: Activate or test disaster recovery by updating the DNS TXT record value. To learn more, see Creating DNS TXT Records.
- Test Mode: Enable Activate Test Mode if the selected users and/or groups for the app profile are part of a group to test disaster recovery. Zscaler recommends that disaster recovery be tested periodically with just a few users.
- DNS
You can add specific DNS domains to send all DNS requests to the ZIA Public Service Edge through Z-Tunnel 2.0. Complete the following steps in the Domain Inclusion and Domain Exclusion fields:
You can enter specific domains (e.g., google.com) or enter * to include or exclude all DNS domains. Press Enter after each entry. You can add multiple items at the same time by separating each item with a comma and then pressing Enter when finished.
- Domain Inclusion: Enter the DNS domains that Zscaler Client Connector should tunnel through ZIA. You can include a maximum of 65,535 characters.
- Domain Exclusion: Enter the DNS domains that Zscaler Client Connector should not tunnel through ZIA. You can exclude a maximum of 65,535 characters.
If you are using the same DNS domain in inclusions and exclusions, the longest domain name suffix is used.
Domain inclusions and exclusions take effect only if the DNS server IP address on the client belongs to RFC 1918 private subnet ranges that are by default excluded from Z-Tunnel 2.0.
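The two rules just stated (longest matching suffix wins, and the lists only apply when the client's DNS server is a private address) are easy to reason about in code. The following is an added illustration written for this article, not Zscaler's code: it models how a query name resolves against the Domain Inclusion and Domain Exclusion fields using whole-label suffix matching, with * counted as a match of length zero so any explicit domain beats it, and with the lists ignored when the DNS server is not in an RFC 1918 range. The lists, query names and server addresses are constructed. What the client does when the identical domain appears in both lists is not stated on this page, so the example reports that case as a conflict rather than guessing.

```javascript
// Added example (editor's code, not Zscaler's): model the Domain Inclusion/Exclusion
// decision for a DNS query name. All lists, names and server addresses are constructed.
const RFC1918 = [['10.0.0.0', 8], ['172.16.0.0', 12], ['192.168.0.0', 16]];

function ipv4ToInt(s) {
  const p = String(s).split('.');
  if (p.length !== 4 || !p.every((x) => /^\d{1,3}$/.test(x) && Number(x) <= 255)) return null;
  return ((Number(p[0]) << 24) | (Number(p[1]) << 16) | (Number(p[2]) << 8) | Number(p[3])) >>> 0;
}
function inCidr(ip, net, bits) {
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipv4ToInt(ip) & mask) >>> 0) === ((ipv4ToInt(net) & mask) >>> 0);
}
function isRfc1918(ip) {
  return ipv4ToInt(ip) !== null && RFC1918.some(([net, bits]) => inCidr(ip, net, bits));
}

// Normalise a field as typed into the portal: comma-separated, case-insensitive,
// trailing dots dropped.
function parseDomainList(text) {
  return text.split(',').map((d) => d.trim().toLowerCase().replace(/\.$/, '')).filter(Boolean);
}

// Length of the suffix `entry` matches for `name`, or -1 for no match. "*" matches
// with length 0, so any explicit domain beats it. Matching is on whole labels, so
// "corp.example.com" does not match "notcorp.example.com".
function suffixMatch(name, entry) {
  if (entry === '*') return 0;
  if (name === entry) return entry.length;
  return name.endsWith('.' + entry) ? entry.length : -1;
}

function bestMatch(name, list) {
  let best = { entry: null, len: -1 };
  for (const entry of list) {
    const len = suffixMatch(name, entry);
    if (len > best.len) best = { entry, len };
  }
  return best;
}

// Decide how the client treats a DNS query for `name`. action is 'tunnel' (through
// ZIA), 'direct', 'unmatched', 'conflict', or a note that the lists do not apply
// because the configured DNS server is not an RFC 1918 address.
function dnsDecision(name, inclusionText, exclusionText, dnsServerIp) {
  if (!isRfc1918(dnsServerIp)) {
    return { applies: false, action: 'lists not applied: DNS server is not RFC 1918', match: null };
  }
  const q = name.toLowerCase().replace(/\.$/, '');
  const inc = bestMatch(q, parseDomainList(inclusionText));
  const exc = bestMatch(q, parseDomainList(exclusionText));
  if (inc.len < 0 && exc.len < 0) return { applies: true, action: 'unmatched', match: null };
  if (inc.len === exc.len) return { applies: true, action: 'conflict', match: inc.entry }; // editor's choice
  return inc.len > exc.len
    ? { applies: true, action: 'tunnel', match: inc.entry }
    : { applies: true, action: 'direct', match: exc.entry };
}

// Constructed sample policy: tunnel all DNS except the internal zone, but tunnel one
// sub-zone of it again, which the longest-suffix rule makes possible.
const INCLUSIONS = '*, vpn.corp.example.com';
const EXCLUSIONS = 'corp.example.com';

if (typeof require !== 'undefined' && require.main === module) {
  for (const n of ['mail.corp.example.com', 'gw.vpn.corp.example.com', 'www.example.org']) {
    console.log(n, dnsDecision(n, INCLUSIONS, EXCLUSIONS, '10.1.1.53'));
  }
}
```

The sample policy shows the practical use of the longest-suffix rule: excluding corp.example.com keeps internal resolution local, while the longer inclusion vpn.corp.example.com pulls one sub-zone back through ZIA without having to enumerate every other internal zone.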
- DNS Server Route Exclusion: When enabled, Zscaler Client Connector excludes DNS servers from the routing table.
- DNS Priority Ordering for Trusted DNS Criteria: Enable to have Zscaler Client Connector use the DNS servers corresponding to the DNS service name configured in DNS Priority Ordering for trusted network evaluation.
- DNS Priority Ordering: Add each DNS in the order you want Zscaler Client Connector to use them when DNS Priority Ordering for Trusted DNS Criteria is enabled.
- Update DNS Search Order: When enabled, Zscaler Client Connector prioritizes Zscaler’s DNS over Cisco’s DNS. The higher priority DNS gets the DNS traffic.
- Bind Trusted Criteria DNS request to Default Adapter: This option has Zscaler Client Connector connect the DNS request to the default adapter. By default, this option is enabled. Disabled means Zscaler Client Connector does not connect the Trusted Hostname IP resolution DNS request to the default adapter.
- Advanced
- Add Ifscope Route: Enable this option to add the ifscope route corresponding to the default interface on the system.
- Clear ARP Cache: Enable this option to configure Zscaler Client Connector to clear the ARP cache when the service starts.
- Tunnel Internal Client Connector Traffic: Enable this option for Zscaler Client Connector to tunnel internal traffic (e.g., app updates and policy updates) through Zscaler. This option is only applicable if you deploy in a no-default route environment. If disabled, Zscaler Client Connector sends internal traffic directly.
When this option is enabled, Zscaler Client Connector does not tunnel PAC requests and continues to send PAC requests directly.
- Route Table for Tunnel Connections: Enable to have Zscaler Client Connector follow the routing table to connections for ZIA (i.e, Z-Tunnel 1.0, Z-Tunnel 2.0), ZPA, and bypassed connections. If the setting remains disabled, it instead binds to the system's default interface.
- Reactivate ZIA After: Enter the number of minutes that must pass before Zscaler Client Connector reactivates ZIA after the user turns it off. To enable the reactivation period, enter any value from 1 to 1440 minutes. To disable it, enter 0 (zero); Zscaler Client Connector then doesn't reactivate ZIA after the user turns it off.
- Firewall
- Zscaler Firewall: When enabled, the Zscaler firewall determines which network traffic is allowed and blocked. The default setting is disabled. To learn more, see Blocking LAN Access.
- Data Protection
- Install Endpoint DLP: Enable Install Endpoint DLP to install Endpoint Data Loss Prevention (DLP) on a device. To learn more, see About Endpoint Data Loss Prevention and Zscaler Endpoint Data Loss Prevention (DLP) Integration with Zscaler Client Connector.
- Passwords
Configure the following optional passwords:
- Logout Password: Provide the password users must enter to log out of Zscaler Client Connector.
- Disable Password ZIA: Provide the password users must enter to disable the ZIA service.
- Disable Password ZPA: Provide the password users must enter to disable the ZPA service.
- Disable Password ZDX: Provide the password users must enter to disable the Zscaler Digital Experience (ZDX) service.
- Exit Password: Provide the password users must enter to exit the app from the system tray without disabling ZIA.
- Uninstall Password: Provide the password users must enter to uninstall Zscaler Client Connector.
- Password to Disable Endpoint DLP: Enter a password to disable the Endpoint Data Loss Prevention (DLP) feature.
Click the View icon next to each password setting to show or hide the password.
- Authentication
- Machine Token: Select the machine token to which the rule applies from the drop-down menu. Machine tokens are configured in the ZPA Admin Portal. In the ZPA Admin Portal, machine tokens are referred to as Machine Provisioning Keys.
- Force ZPA authentication to expire: To trigger ZPA authentication to expire, choose Select All or one or more of the following actions from the drop-down menu:
- On System Sleep/Hibernate
- On System Restart
- On Network IP Change
- Notification and Logging
- Log Mode: Zscaler Client Connector generates logs that users can send to a designated support admin in your organization, or to Zscaler Support (in encrypted form). To specify the scope of the logs, select one of the following log modes:
- Default (Current: <log mode>): Displays the default global log mode configured in Platform Settings. You can override this setting, for the current profile only, by selecting a different option from the drop-down menu.
- Error: Zscaler Client Connector logs only when the app encounters an error and functionality is affected.
- Warn: Zscaler Client Connector logs when the app is functioning but is encountering potential issues, or when conditions for the Error log mode are met.
- Info: Zscaler Client Connector logs general app activity, or when conditions for the Warn log mode are met.
- Debug: Zscaler Client Connector logs all app activity that could assist Zscaler Support in debugging issues, or when conditions for the Info log mode are met.
- Log File Size in MB: If you are using Zscaler Client Connector for ZPA only, skip this option. Enter a value between 50 and 1000 to specify the maximum size of the log file. The default log file size is 100 MB per log type. When logs reach the maximum file size, the oldest logs are truncated from the file to keep the file size below the maximum.
- Use Zscaler Notification Framework: This option enables notifications from the Zscaler Notification Framework instead of from the macOS-based notification system.
- Command Line Interface Access
Enable Command Line Interface to allow admins to interact with Zscaler Client Connector via a CLI. Applies to Zscaler Client Connector version 4.3 and later for macOS. For Disable Services, click Disable ZPA Password to require a password when disabling the ZPA service via CLI. Click Generate Password to generate a password to disable the ZPA service in the CLI. Click Copy to copy the generated password. Passwords expire after two hours.
- Advanced
- Send Disable Service Reason: This option allows users to send a description about why a Zscaler service (e.g., ZIA, ZPA, ZDX) was disabled on a device. By default, this option is disabled. This information is accessible when viewing device details.
- Enable Zscaler Client Connector Revert: When enabled, users have the option to revert to the previous Zscaler Client Connector version. Applies to Zscaler Client Connector version 4.1 and later for Windows. In the Revert Password field, provide the password users must enter to revert to the previous Zscaler Client Connector version.
- Linux
To add a new Linux policy rule:
- In the left-side navigation, click App Profiles and select Linux.
- Click Add Linux Policy. The Add Linux Policy window appears.
- In the Add Linux Policy window, you can configure the following settings:
- General
- Name: Enter a unique alphanumeric name for your policy rule.
- Rule Order: Select the appropriate rule order value from the drop-down menu. The rule order reflects the order of precedence among configured profile policy rules and helps determine which rule the app downloads for a user upon enrollment. Precedence is based on ascending numerical order.
- Status: Select Disabled to inactivate the rule or select Enabled to activate the rule. If you don’t enable the rule, the policy rule is not enforced.
- Forwarding Profile: Select a forwarding profile of your configured forwarding profiles from the drop-down menu. You can also search for items to select. To learn more, see Configuring Forwarding Profiles for Zscaler Client Connector.
If you're using Zscaler Tunnel (Z-Tunnel) 2.0, you must choose a forwarding profile with Z-Tunnel 2.0 selected. To learn more, see About Z-Tunnel 1.0 & Z-Tunnel 2.0.
- Install Zscaler SSL Certificate: If you’re using Zscaler Client Connector for Zscaler Internet Access (ZIA) only, skip this option. Enable this option to allow Zscaler Client Connector to automatically install the Zscaler SSL certificate on users’ devices. If you uploaded your organization’s custom certificate in the Zscaler Client Connector Portal, the app installs your organization’s custom certificate instead.
- Groups
- User Groups: When a user enrolls Zscaler Client Connector with the Zscaler service, Zscaler Client Connector checks the group to which the user belongs and downloads the app profile with the appropriate rule.
- Click Selected to select user groups from the drop-down menu.
- Click All to select all groups.
When new user groups are added, they are automatically selected. You can clear the checkbox to exclude them from your policy.
- Users: Select this option to apply this rule to a specific user. The users you've configured in the ZIA Admin Portal are displayed in this menu after a user enrolls the app with the service. Zscaler Client Connector checks if the user belongs and downloads the app profile with the appropriate rule. You can select up to 50 users. By default, no users are selected.
Don't select a user if you want to create and save a rule before applying it to a user.
- Traffic Steering
- PAC and Proxy
- PAC Configuration: If you're using Zscaler Client Connector for Zscaler Private Access (ZPA) only, skip this option. Enter a valid PAC URL in the Custom PAC URL field if you want Zscaler Client Connector to forward all internet traffic to the Zscaler service and want to specify exceptions for certain types of traffic. The maximum number of characters is 512.
If you want to allow a user to bypass the app when connecting to the VPN gateway, use the VPN Gateway Bypass option.
- App and IP Bypass
- Global Bypasses
Configure traffic bypass for VPN gateways and source ports:
- VPN Gateway Bypass: You can allow traffic destined for the VPN to bypass Zscaler Client Connector. The app sets the routing table to exclude any traffic destined for the VPN gateway.
When a route-based driver is in use, the app creates IP-based exclude routes in the routing table.
When your users have a VPN client running on their devices in conjunction with Zscaler Client Connector, the VPN gateway bypass must be used in these scenarios:
- You selected Tunnel for the forwarding profile action of any trusted network type.
- Your VPN runs in split-tunnel mode so that it takes some, but not all, user traffic from the device.
To allow traffic to bypass Zscaler Client Connector using Tunnel mode, enter any of the following for all of your VPN gateways:
- An FQDN (e.g., www.safemarch.com). If you add a fully qualified domain name (FQDN), the FQDN resolves and all resulting IP addresses are added to the bypass list at the start of the tunnel. However, if the FQDN resolves to a different IP address later, that address might not be bypassed. Zscaler recommends adding an IP or subnet where possible. Adding too many FQDNs can slow tunnel startup because Zscaler Client Connector resolves all these domains before starting tunneling.
- A specific IP address (e.g., 192.0.2.1)
- A subnet (e.g., 192.0.2.0/24)
Press Enter after each entry. You can add multiple items at the same time by separating each item with a comma and then pressing Enter when finished. To avoid connectivity issues, you must include all the VPN hostnames, IP addresses, or subnets to which the VPN connects.
To allow traffic to bypass Zscaler Client Connector using Tunnel with Local Proxy mode, Zscaler recommends adding the IP address or addresses and hostname of the VPN gateway to the system PAC file in the forwarding profile to enable direct connections for VPN traffic. To learn more, see Best Practices for Using PAC Files with Zscaler Client Connector.
While you can also use this field to bypass non-VPN destinations, you must limit the number of items in this list because Zscaler Client Connector attempts to resolve all entries after a network change.
- Source Port-Based Bypasses: Enter the source port and protocol from which Zscaler Client Connector bypasses existing inbound traffic. The port value can range from 1 to 65535. The protocol value can be TCP, UDP, or *.
- IP Bypasses
For Z-Tunnel 2.0 only, you can configure traffic bypass for IP-based applications and add subnets for IPv4 inclusions and exclusions. You must choose a forwarding profile with Z-Tunnel 2.0 selected. To learn more, see About Z-Tunnel 1.0 & Z-Tunnel 2.0.
To reset to the default configuration, click Restore Default. For both Destination Exclusions and Destination Inclusions, the default configuration includes all possible subnets (0.0.0.0/0) and excludes the RFC 1918 default private networks.
- Predefined IP-Based Application Bypass: To bypass Z-Tunnel 2.0, click Select All or select applications from the IP-Based application bypass drop-down menu. You can also search for items to select.
- IPv4 Inclusions and Exclusions: To send a specific subset of your traffic to the ZIA Public Service Edge through Z-Tunnel 2.0, complete the following steps.
When adding subnets, the protocol value is *, TCP, or UDP. You can also enter the subnet 0.0.0.0/0, which stands for all possible subnets. The maximum number of characters is 6,144.
- IPv4 Inclusion: Enter the specific subnets of the traffic you want to include for Z-Tunnel 2.0 in the following formats:
- An IP address (e.g., 192.0.2.1)
- A subnet (e.g., 192.0.2.0/24)
- An IP:Port range (e.g., 192.0.2.1:80, 192.0.2.1:80-100, or 192.0.2.1:*)
- An IP:Port:Protocol (e.g., 192.0.2.1:80:tcp, 192.0.2.1:80-100:udp, or 192.0.2.1:80:*)
- IPv4 Exclusion: Enter the specific subnets of the traffic you want to exclude for Z-Tunnel 2.0 in the following formats:
- An IP address (e.g., 192.0.2.1)
- A subnet (e.g., 192.0.2.0/24)
- An IP:Port range (e.g., 192.0.2.1:80, 192.0.2.1:80-100, or 192.0.2.1:*)
- An IP:Port:Protocol (e.g., 192.0.2.1:80:tcp, 192.0.2.1:80-100:udp, or 192.0.2.1:80:*)
By default, the Zscaler service includes the RFC 1918 networks (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) in the exclusions list. To learn more, refer to RFC 1918 Address Allocation for Private Internets. Zscaler also includes the multicast range 224.0.0.0/4. Zscaler recommends that you keep these networks in the list, unless explicitly needed, because deleting them causes private network traffic (e.g., DHCP) to be tunneled through the cloud.
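The entry formats above are easy to get subtly wrong when a profile is built by hand or by automation. The following is an added example, not Zscaler code: a small JavaScript validator that accepts exactly the four IPv4 Inclusion/Exclusion forms listed on this page (IP, subnet, IP:Port range, IP:Port:Protocol), enforces the 6,144-character field limit, and flags an exclusion field that is missing any of the RFC 1918 networks or the 224.0.0.0/4 multicast range that the page says to keep. The function and variable names are this example's own.

```javascript
// Added example (not Zscaler code): validates IPv4 Inclusion / IPv4 Exclusion
// entries in the formats this page lists, and checks an exclusion list for the
// default private and multicast networks the page says to keep.

var MAX_FIELD_CHARS = 6144;            // field limit stated on the page
var PROTOCOLS = ["tcp", "udp", "*"];   // protocol values the page allows

// Returns [a, b, c, d] for a dotted-quad IPv4 address, or null.
function parseIPv4(text) {
  var parts = text.split(".");
  if (parts.length !== 4) return null;
  var octets = [];
  for (var i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(parts[i])) return null;
    var n = Number(parts[i]);
    if (n > 255) return null;
    octets.push(n);
  }
  return octets;
}

// Port part: "80", "80-100" or "*". Returns [low, high] or null.
function parsePortRange(text) {
  if (text === "*") return [1, 65535];
  var m = /^(\d{1,5})(?:-(\d{1,5}))?$/.exec(text);
  if (!m) return null;
  var lo = Number(m[1]);
  var hi = m[2] === undefined ? lo : Number(m[2]);
  if (lo < 1 || hi > 65535 || lo > hi) return null;
  return [lo, hi];
}

// Accepts exactly the forms on the page:
//   IP, IP/prefix, IP:port[-port|*], IP:port[-port|*]:{tcp|udp|*}
// A subnet entry takes no port or protocol. Returns {ip, prefix, ports, proto}
// or throws with the reason so a deployment script can fail loudly.
function parseSubnetEntry(entry) {
  var s = entry.trim();
  var slash = s.indexOf("/");
  if (slash !== -1) {
    var net = parseIPv4(s.slice(0, slash));
    var prefix = s.slice(slash + 1);
    if (!net || !/^\d{1,2}$/.test(prefix) || Number(prefix) > 32) {
      throw new Error("invalid subnet: " + entry);
    }
    return { ip: net, prefix: Number(prefix), ports: [1, 65535], proto: "*" };
  }
  var fields = s.split(":");
  if (fields.length > 3) throw new Error("too many ':' fields: " + entry);
  var addr = parseIPv4(fields[0]);
  if (!addr) throw new Error("invalid IP address: " + entry);
  var ports = fields.length >= 2 ? parsePortRange(fields[1]) : [1, 65535];
  if (!ports) throw new Error("invalid port or port range: " + entry);
  var proto = fields.length === 3 ? fields[2].toLowerCase() : "*";
  if (PROTOCOLS.indexOf(proto) === -1) {
    throw new Error("protocol must be tcp, udp or *: " + entry);
  }
  return { ip: addr, prefix: 32, ports: ports, proto: proto };
}

// Validates a whole comma-separated field as the portal accepts it.
function validateSubnetField(text) {
  if (text.length > MAX_FIELD_CHARS) {
    throw new Error("field exceeds " + MAX_FIELD_CHARS + " characters");
  }
  return text.split(",")
    .filter(function (e) { return e.trim() !== ""; })
    .map(parseSubnetEntry);
}

// Networks the page says to keep in the exclusion list by default.
var DEFAULT_EXCLUSIONS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4"];

// Returns the default networks missing from an exclusion field, so a reviewer
// can spot a profile that would tunnel private traffic (e.g., DHCP) to the cloud.
function missingDefaultExclusions(exclusionField) {
  var present = validateSubnetField(exclusionField).map(function (r) {
    return r.ip.join(".") + "/" + r.prefix;
  });
  return DEFAULT_EXCLUSIONS.filter(function (d) { return present.indexOf(d) === -1; });
}
```

Run `missingDefaultExclusions` over the exclusion field of every profile as a pre-deployment check; an empty result means the RFC 1918 and multicast defaults are still excluded. The parser deliberately rejects a port or protocol suffix on a subnet entry because the page only shows ports and protocols with a single IP address.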
- Disaster Recovery
- ZIA Disaster Recovery
ZIA Disaster Recovery provides users access even when the Zscaler Internet Access (ZIA) service is down and is available only to enrolled users. To configure ZIA Disaster Recovery:
- Select Enable ZIA DR.
- Select from the following traffic forwarding actions in the drop-down menu:
- Send Traffic Direct: Traffic bypasses Zscaler Client Connector, giving the user access to all applications through direct internet access.
- Disable Internet Access: All traffic is dropped at the endpoint and users do not have access to the internet.
- Allow preselected destinations: You can either block or allow access to specific URLs using a custom PAC file. Insert the custom PAC file URL in the Use Custom Destinations URL field.
- Allow Zscaler Preselected Destinations (Recommended): When enabled, users can access only the URLs that are present in the Zscaler-provided global database allowlist. The rest of the URLs are blocked.
- Allow Custom Destinations: Select this option to insert a custom PAC file URL in the Custom Destinations field. You can configure a custom PAC URL (with the http:// or https:// prefix) that users can access when the ZIA service is down. When configured in conjunction with the global database URL, both URL lists are allowed. The custom destinations URL takes precedence when there are any conflicts. You can also forward the traffic to a proxy server.
- When configuring the custom PAC file, ensure that you allow access to the ZPA IP range 100.64.0.0/16 and the ZPA domains zpath.net and zpatwo.net, to prevent blocking ZPA traffic.
- If you have enabled both the Allow Zscaler Preselected Destinations and Allow Custom Destinations fields, ensure that you remove the return drop; statement from the custom PAC file because it blocks the URLs listed in the Zscaler-provided global database allowlist.
Use the following sample custom PAC file:
function FindProxyForURL(url, host) {
    var drop = "BLOCK";
    /* Return DIRECT to allow access */
    if ((localHostOrDomainIs(host, "google.com")) ||
        (localHostOrDomainIs(host, "salesforce.com")) ||
        (localHostOrDomainIs(host, "microsoft.com")) ||
        (localHostOrDomainIs(host, "zscaler.com"))) {
        return "DIRECT";
    }
    /* Default block statement: anything not allowed above is blocked */
    return drop;
}
- Return DIRECT to allow destination access.
- Return BLOCK (or any other return statement other than DIRECT) to block destination access.
- Return PROXY to forward the selected internet traffic to a proxy server with or without a port. Applies to Zscaler Client Connector version 4.5 for Windows and macOS only.
- DNS Settings:
- Precreate a DNS TXT record with the Zscaler DNS generator tool: To create an Active Domain Name and Domain Public Key, see Creating DNS TXT Records.
If you have ZIA only, you cannot download the DNS Record Generator.
- ZIA Domain name: Enter a valid domain name.
- TXT Record Signing Public Key: Click Upload to add a valid public key. You can only upload .pem files.
- Activation: Activate or test disaster recovery by updating the DNS TXT record value. To learn more, see Creating DNS TXT Records.
- Test Mode: Enable Activate Test Mode if the selected users or groups for the app profile are part of a group to test disaster recovery. Zscaler recommends that disaster recovery be tested periodically with just a few users.
- ZPA Disaster Recovery
ZPA Disaster Recovery provides users access to applications when the Zscaler Private Access (ZPA) service is down and is available only to enrolled users. To configure ZPA Disaster Recovery:
- Select Enable ZPA DR.
- DNS Settings:
- Precreate a DNS TXT record with the Zscaler DNS generator tool: To create an Active Domain Name and Domain Public Key, see Creating DNS TXT Records.
- ZPA Domain name: Enter a valid domain name.
- TXT Record Signing Public Key: Click Upload to add a valid public key. You can only upload .pem files.
- Activation: Activate or test disaster recovery by updating the DNS TXT record value. To learn more, see Creating DNS TXT Records.
- Test Mode: Enable Activate Test Mode if the selected users and/or groups for the app profile are part of a group to test Disaster Recovery. Zscaler recommends that disaster recovery be tested periodically with just a few users.
- DNS
To send a specific subset of your DNS traffic to the ZIA Public Service Edge through Z-Tunnel 2.0, complete the following steps in the Domain Inclusion and Domain Exclusion fields:
You can enter specific domains (e.g., google.com) or enter * to include or exclude all DNS domains. Press Enter after each entry. You can add multiple items at the same time by separating each item with a comma and then pressing Enter when finished.
- Domain Inclusion: Enter the DNS domains that Zscaler Client Connector should tunnel through ZIA. You can include a maximum of 65,535 characters.
- Domain Exclusion: Enter the DNS domains that Zscaler Client Connector should not tunnel through ZIA. You can exclude a maximum of 65,535 characters.
If you are using the same DNS domain in inclusions and exclusions, the longest domain name suffix is used.
Domain inclusions and exclusions take effect only if the DNS server IP address on the client belongs to RFC 1918 private subnet ranges that are by default excluded from Z-Tunnel 2.0.
- Bind Trusted Criteria DNS request to Default Adapter: This option has Zscaler Client Connector connect the DNS request to the default adapter. By default, this option is enabled. Disabled means Zscaler Client Connector does not connect the Trusted Hostname IP resolution DNS request to the default adapter.
- Advanced
- Tunnel Internal Client Connector Traffic: Enable this option for Zscaler Client Connector to tunnel internal traffic (e.g., app updates and policy updates) through Zscaler. This option is only applicable if you deploy in a no-default route environment. If disabled, Zscaler Client Connector sends internal traffic directly.
- Prioritize IPv4 over IPv6: This setting configures the operating system to prefer IPv4 over IPv6 and impacts applications running on that device. When enabled, this feature has no impact on IPv6 configuration. Applies to Zscaler Client Connector version 3.7 and later for Linux.
- Reactivate ZIA After: Enter the number of minutes that must pass before Zscaler Client Connector reactivates ZIA after the user turns it off. To enable the reactivation period, enter any value from 1 to 1440 minutes. To disable, enter 0 (zero); Zscaler Client Connector then doesn't reactivate ZIA after the user turns it off.
- Passwords
Configure the following optional passwords:
- Logout Password: Provide the password users must enter to log out of or uninstall Zscaler Client Connector.
- Disable Password ZIA: Provide a password users must enter to disable the ZIA service.
- Disable Password ZPA: Provide a password users must enter to disable the ZPA service.
- Exit Password: Provide a password users must enter to exit the app from the system tray without disabling ZIA.
Click the View icon next to each password setting to show or hide the password.
- Notification and Logging
- Log Mode: Zscaler Client Connector generates logs that users can send to a designated support admin in your organization, or to Zscaler Support (in encrypted form). To specify the scope of the logs, select one of the following log modes:
- Default (Current: <log mode>): Displays the default global log mode configured in Platform Settings. You can override this setting, for the current profile only, by selecting a different option from the drop-down menu.
- Error: Zscaler Client Connector logs only when the app encounters an error and functionality is affected.
- Warn: Zscaler Client Connector logs when the app is functioning but is encountering potential issues, or when conditions for the Error log mode are met.
- Info: Zscaler Client Connector logs general app activity, or when conditions for the Warn log mode are met.
- Debug: Zscaler Client Connector logs all app activity that could assist Zscaler Support in debugging issues, or when conditions for the Info log mode are met.
- Log File Size in MB: If you are using Zscaler Client Connector for ZPA only, skip this option. Enter a value between 50 and 1000 to specify the maximum size of the log file. The default log file size is 100 MB per log type. When logs reach the maximum file size, the oldest logs are truncated from the file to keep the file size below the maximum.
- Advanced
- Send Disable Service Reason: This option allows users to send a description about why a Zscaler service (e.g., ZIA, ZPA, ZDX) was disabled on a device. By default, this option is disabled. This information is accessible when viewing device details.
- iOS
To add a new iOS policy rule:
- In the left-side navigation, click App Profiles and select iOS.
- Click Add iOS Policy. The Add iOS Policy window appears.
- In the Add iOS Policy window, you can configure the following settings:
- General
- Name: Enter a unique alphanumeric name for your policy rule.
- Rule Order: Select the appropriate rule order value from the drop-down menu. The rule order reflects the order of precedence among configured profile policy rules and helps determine which rule the app downloads for a user upon enrollment. Precedence is based on ascending numerical order.
- Status: Select Disabled to inactivate the rule or select Enabled to activate the rule. If you don’t enable the rule, the policy rule is not enforced.
- Forwarding Profile: Select a forwarding profile from your configured forwarding profiles from the drop-down menu. You can also search for items to select. The supported forwarding profile modes for iOS are Tunnel and None. To learn more, see Configuring Forwarding Profiles for Zscaler Client Connector.
Zscaler does not support Z-Tunnel 2.0 on iOS at this time.
- ZIA Posture Profile: Select a posture profile from the drop-down menu to apply to the app profile. You can also search for items to select.
- Groups
- User Groups: When a user enrolls Zscaler Client Connector with the Zscaler service, Zscaler Client Connector checks the group to which the user belongs and downloads the app profile with the appropriate rule.
- Click Selected to select user groups from the drop-down menu. The groups you've configured in the ZIA Admin Portal are displayed in this menu. There is no limit to the number of groups you can select.
- Click All to select all groups.
When new user groups are added, they are automatically selected. You can clear the checkbox to exclude them from your policy.
- Users: Select this option to apply this rule to a specific user. The users you've configured in the ZIA Admin Portal are displayed in this menu after a user enrolls Zscaler Client Connector with the Zscaler service. Zscaler Client Connector checks if the user belongs and downloads the app profile with the appropriate rule. You can select up to 50 users. By default, no users are selected.
Don't select a user or a user group if you want to create and save a rule before applying it to a user or a user group.
- Traffic Steering
- PAC and Proxy
- PAC Configuration: If you're using Zscaler Client Connector for Zscaler Private Access (ZPA) only, skip this option. Enter a valid PAC URL in the Custom PAC URL field if you want Zscaler Client Connector to forward all internet traffic to the Zscaler service and want to specify exceptions for certain types of traffic. The maximum number of characters is 512.
If Use Preferred Port from PAC for Z-Tunnel 1.0 is enabled, Zscaler Client Connector uses the custom port from the PAC file for Z-Tunnel 1.0. This feature does not impact the default ports 80, 443, and 8080. You must add a Custom PAC URL before you can use the preferred port.
If you want to allow a user to bypass the app when connecting to the VPN gateway, use the VPN Gateway Bypass option.
- App and IP Bypass
- Global Bypasses: Use VPN Gateway Bypass to allow traffic destined for the VPN to bypass Zscaler Client Connector. The app sets the routing table to exclude any traffic destined for the VPN gateway.
When a route-based driver is in use, the app creates IP-based exclude routes in the routing table.
When your users have a VPN client running on their devices in conjunction with Zscaler Client Connector, the VPN gateway bypass must be used in these scenarios:
- You've selected Tunnel for the forwarding profile action of any trusted network type.
- Your VPN runs in split-tunnel mode so that it takes some, but not all, user traffic from the device.
To allow traffic to bypass Zscaler Client Connector using Tunnel mode, enter any of the following for all of your VPN gateways:
- An FQDN (e.g., www.safemarch.com). If you add a fully qualified domain name (FQDN), the FQDN resolves and all resulting IP addresses are added to the bypass list at the start of the tunnel. However, if the FQDN resolves to a different IP address later, that address might not be bypassed. Zscaler recommends adding an IP or subnet where possible. Adding too many FQDNs can slow tunnel startup because Zscaler Client Connector resolves all these domains before starting tunneling.
- A specific IP address (e.g., 192.0.2.1)
- A subnet (e.g., 192.0.2.0/24)
Press Enter after each entry. You can add multiple items at the same time by separating each item with a comma and then pressing Enter when finished. To avoid connectivity issues, you must include all the VPN hostnames, IP addresses, or subnets to which the VPN connects.
To allow traffic to bypass Zscaler Client Connector using Tunnel with Local Proxy mode, Zscaler recommends adding the IP address or addresses and hostname of the VPN gateway to the system PAC file in the forwarding profile to enable direct connections for VPN traffic. To learn more, see Best Practices for Using PAC Files with Zscaler Client Connector.
While you can also use this field to bypass non-VPN destinations, you must limit the number of items in this list because Zscaler Client Connector attempts to resolve all entries after a network change.
- Disaster Recovery
- ZIA Disaster Recovery
ZIA Disaster Recovery provides users access even when the Zscaler Internet Access (ZIA) service is down and is available only to enrolled users.
To configure ZIA Disaster Recovery:
- Select Enable ZIA DR.
- Select from the following traffic forwarding actions in the drop-down menu:
- Send Traffic Direct: Traffic bypasses Zscaler Client Connector, giving the user access to all applications through direct internet access.
- Disable Internet Access: All traffic is dropped at the endpoint and users do not have access to the internet.
- Allow preselected destinations: You can either block or allow access to specific URLs using a custom PAC file. Insert the custom PAC file URL in the Use Custom Destinations URL field.
- Allow Zscaler Preselected Destinations (Recommended): When enabled, users can access only the URLs that are present in the Zscaler-provided global database allowlist. The rest of the URLs are blocked.
- Allow Custom Destinations: Select this option to insert a custom PAC file URL in the Custom Destinations field. You can configure a custom PAC URL (with the http:// or https:// prefix) that users can access when the ZIA service is down. When configured in conjunction with the global database URL, both URL lists are allowed. The custom destinations URL takes precedence when there are any conflicts. You can also forward the traffic to a proxy server.
- When configuring the custom PAC file, ensure that you allow access to the ZPA IP range 100.64.0.0/16 and the ZPA domains zpath.net and zpatwo.net, to prevent blocking ZPA traffic.
- If you have enabled both the Allow Zscaler Preselected Destinations and Allow Custom Destinations fields, ensure that you remove the return drop; statement from the custom PAC file because it blocks the URLs listed in the Zscaler-provided global database allowlist.
Use the following sample custom PAC file:
function FindProxyForURL(url, host) {
    var drop = "BLOCK";
    /* Return DIRECT to allow access */
    if ((localHostOrDomainIs(host, "google.com")) ||
        (localHostOrDomainIs(host, "salesforce.com")) ||
        (localHostOrDomainIs(host, "microsoft.com")) ||
        (localHostOrDomainIs(host, "zscaler.com"))) {
        return "DIRECT";
    }
    /* Default block statement: anything not allowed above is blocked */
    return drop;
}
- Return DIRECT to allow destination access.
- Return BLOCK (or any other return statement other than DIRECT) to block destination access.
- Return PROXY to forward the selected internet traffic to a proxy server with or without a port. Applies to Zscaler Client Connector version 4.5 for Windows and macOS only.
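The sample PAC file on this page (shown for both the Linux and iOS profiles) allows a handful of domains and blocks everything else. The following is an added example written for this article, not Zscaler's sample and not an official Zscaler file. It puts the page's guidance together in one PAC: the ZPA range 100.64.0.0/16 and the zpath.net and zpatwo.net domains are always allowed, a constructed allowlist goes DIRECT, one constructed destination (payroll.example.com) is forwarded to a hypothetical proxy (proxy.example.com:8080) to show the PROXY return, and the final BLOCK is the line to remove when Allow Zscaler Preselected Destinations is also enabled. It uses only plain ES5 JavaScript with its own helpers (hostInDomain, inZpaSyntheticRange), so the same file runs inside a PAC engine and under Node.js for offline testing.

```javascript
// Added example (not Zscaler's sample PAC): a ZIA Disaster Recovery custom PAC
// that keeps ZPA reachable, allows a constructed set of destinations, forwards
// one constructed destination to a proxy, and blocks everything else.
// Only plain JavaScript is used so the file works in a PAC engine and in Node.

// ZPA domains named on this page. Blocking these would block ZPA traffic.
var ZPA_DOMAINS = ["zpath.net", "zpatwo.net"];

// Constructed allowlist: destinations users may reach directly while ZIA is down.
var DIRECT_DOMAINS = ["google.com", "salesforce.com", "microsoft.com", "zscaler.com"];

// Constructed example of the PROXY action (the page notes it applies to
// Zscaler Client Connector version 4.5 for Windows and macOS only).
var PROXIED_DOMAINS = ["payroll.example.com"];   // hypothetical destination
var DR_PROXY = "PROXY proxy.example.com:8080";   // hypothetical proxy; the port is optional

// True when host is a literal IPv4 address inside 100.64.0.0/16, the ZPA range
// named on the page. A hostname that merely resolves into that range is not
// detected here; a PAC engine's dnsResolve()/isInNet() would be needed for that.
function inZpaSyntheticRange(host) {
  var parts = host.split(".");
  if (parts.length !== 4) return false;
  for (var i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(parts[i]) || Number(parts[i]) > 255) return false;
  }
  return parts[0] === "100" && parts[1] === "64";
}

// True when host equals domain or is a subdomain of it. Unlike the page's
// localHostOrDomainIs(), which only matches the exact name or an unqualified
// prefix, this also allows mail.google.com when "google.com" is listed.
function hostInDomain(host, domain) {
  var h = host.toLowerCase();
  return h === domain || h.slice(-(domain.length + 1)) === "." + domain;
}

function hostInAnyDomain(host, domains) {
  for (var i = 0; i < domains.length; i++) {
    if (hostInDomain(host, domains[i])) return true;
  }
  return false;
}

function FindProxyForURL(url, host) {
  // 1. Never block ZPA: its synthetic IP range and its domains go DIRECT.
  if (inZpaSyntheticRange(host) || hostInAnyDomain(host, ZPA_DOMAINS)) {
    return "DIRECT";
  }
  // 2. Constructed allowlist: DIRECT permits access.
  if (hostInAnyDomain(host, DIRECT_DOMAINS)) {
    return "DIRECT";
  }
  // 3. Forward selected traffic to a proxy server (with or without a port).
  if (hostInAnyDomain(host, PROXIED_DOMAINS)) {
    return DR_PROXY;
  }
  // 4. Anything else is blocked: any return other than DIRECT blocks.
  //    Remove this line when Allow Zscaler Preselected Destinations is also
  //    enabled, or it will block the Zscaler-provided global allowlist.
  return "BLOCK";
}
```

The ZPA check runs first so that no later rule can accidentally block ZPA, and the suffix comparison includes the leading dot so that a lookalike such as notgoogle.com does not match an allowlisted google.com entry.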
- DNS Settings:
- Precreate a DNS TXT record with the Zscaler DNS generator tool: To create an Active Domain Name and Domain Public Key, see Creating DNS TXT Records.
If you have ZIA only, you cannot download the DNS Record Generator.
- ZIA Domain name: Enter a valid domain name.
- TXT Record Signing Public Key: Click Upload to add a valid public key. You can only upload .pem files.
- Activation: Activate or test disaster recovery by updating the DNS TXT record value. To learn more, see Creating DNS TXT Records.
- Test Mode: Enable Activate Test Mode if the selected users or groups for the app profile are part of a group to test disaster recovery. Zscaler recommends that disaster recovery be tested periodically with just a few users.
- ZPA Disaster Recovery
ZPA Disaster Recovery provides users access to applications when the Zscaler Private Access (ZPA) service is down and is available only to enrolled users.
To configure ZPA Disaster Recovery:
- Select Enable ZPA DR.
- DNS Settings:
- Precreate a DNS TXT record with the Zscaler DNS generator tool: To create an Active Domain Name and Domain Public Key, see Creating DNS TXT Records.
- Activation Domain Name: Enter a valid domain name.
- TXT Record Signing Public Key: Click Upload to add a valid public key. You can only upload .pem files.
- Activation: Activate or test disaster recovery by updating the DNS TXT record value. To learn more, see Creating DNS TXT Records.
- Test Mode: Enable Activate Test Mode if the selected users and/or groups for the app profile are part of a group to test disaster recovery. Zscaler recommends that disaster recovery be tested periodically with just a few users.
- DNS
You can add specific DNS domains to send all DNS requests to the ZIA Public Service Edge through Z-Tunnel 2.0. Complete the following steps in the Domain Inclusion and Domain Exclusion fields:
You can enter specific domains (e.g., google.com) or enter * to include or exclude all DNS domains. Press Enter after each entry. You can add multiple items at the same time by separating each item with a comma and then pressing Enter when finished.
- Domain Inclusion: Enter the DNS domains that Zscaler Client Connector should tunnel through ZIA. You can include a maximum of 65,535 characters.
- Domain Exclusion: Enter the DNS domains that Zscaler Client Connector should not tunnel through ZIA. You can exclude a maximum of 65,535 characters.
If you are using the same DNS domain in inclusions and exclusions, the longest domain name suffix is used.
Domain inclusions and exclusions take effect only if the DNS server IP address on the client belongs to RFC 1918 private subnet ranges that are by default excluded from Z-Tunnel 2.0.
- DNS Server Route Exclusion: When enabled, Zscaler Client Connector excludes DNS servers from the routing table.
- Enforce Split DNS: Enable this option to have Zscaler Client Connector handle DNS traffic of the desired ZPA domains only. The remaining DNS traffic is handled by the system DNS.
- DNS Priority Ordering for Trusted DNS Criteria: Enable to have Zscaler Client Connector use the DNS servers corresponding to the DNS service name configured in DNS Priority Ordering for trusted network evaluation.
- DNS Priority Ordering: Add each DNS in the order you want Zscaler Client Connector to use them when DNS Priority Ordering for Trusted DNS Criteria is enabled.
- Update DNS Search Order: When enabled, Zscaler Client Connector prioritizes Zscaler’s DNS over Cisco’s DNS. The higher priority DNS gets the DNS traffic.
- Bind Trusted Criteria DNS request to Default Adapter: This option has Zscaler Client Connector connect the DNS request to the default adapter. By default, this option is enabled. Disabled means Zscaler Client Connector does not connect the Trusted Hostname IP resolution DNS request to the default adapter.
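The Domain Inclusion and Domain Exclusion rules described for the Linux and iOS profiles have two conditions that are easy to overlook: the longest matching domain suffix wins when both lists match, and the lists only take effect when the client's DNS server is an RFC 1918 address. The following is an added example, not Zscaler code, that models that decision so an administrator can test a planned inclusion/exclusion pair against real query names before deploying it. The function names (dnsDecision, exactConflicts, parseDomainField) are this example's own, and the "unlisted" result for a name in neither list is this example's label; the page does not say how such a name is handled.

```javascript
// Added example (not Zscaler code): models the Domain Inclusion / Exclusion
// decision this page describes. Entries are domains such as "google.com" or
// "*" for all domains; when both lists match, the longest suffix wins. The
// lists only apply when the client's DNS server is an RFC 1918 address.

var MAX_DOMAIN_FIELD_CHARS = 65535;   // per-field limit stated on the page

// RFC 1918: 10/8, 172.16/12, 192.168/16 (assumes a well-formed dotted quad).
function isRfc1918(ip) {
  return /^10\./.test(ip) ||
         /^192\.168\./.test(ip) ||
         /^172\.(1[6-9]|2\d|3[01])\./.test(ip);
}

// Length of the suffix of `name` that `entry` matches, or -1 for no match.
// "*" matches every name with length 0, so any specific entry beats it.
function suffixMatchLength(name, entry) {
  if (entry === "*") return 0;
  if (name === entry) return entry.length;
  if (name.slice(-(entry.length + 1)) === "." + entry) return entry.length;
  return -1;
}

function longestMatch(name, entries) {
  var best = -1;
  for (var i = 0; i < entries.length; i++) {
    var len = suffixMatchLength(name, entries[i]);
    if (len > best) best = len;
  }
  return best;
}

// Splits a comma-separated field, normalising case and a trailing dot.
function parseDomainField(text) {
  if (text.length > MAX_DOMAIN_FIELD_CHARS) {
    throw new Error("field exceeds " + MAX_DOMAIN_FIELD_CHARS + " characters");
  }
  return text.split(",")
    .map(function (e) { return e.trim().toLowerCase().replace(/\.$/, ""); })
    .filter(function (e) { return e !== ""; });
}

// Entries present in both lists. The page does not say which list wins an
// exact tie, so these should be removed from one list rather than left to chance.
function exactConflicts(inclusions, exclusions) {
  return inclusions.filter(function (d) { return exclusions.indexOf(d) !== -1; });
}

// Returns "tunnel" (send the query through ZIA via Z-Tunnel 2.0), "direct"
// (do not tunnel it), "unlisted" (neither list matches; this example's label),
// or "not-applicable" (DNS server is not RFC 1918, so the lists do not apply).
function dnsDecision(queryName, dnsServerIp, inclusionField, exclusionField) {
  if (!isRfc1918(dnsServerIp)) return "not-applicable";
  var name = queryName.toLowerCase().replace(/\.$/, "");
  var inc = longestMatch(name, parseDomainField(inclusionField));
  var exc = longestMatch(name, parseDomainField(exclusionField));
  if (inc === -1 && exc === -1) return "unlisted";
  if (inc === exc) throw new Error("inclusion/exclusion tie for " + name);
  return inc > exc ? "tunnel" : "direct";
}
```

A typical use is an inclusion of "*" with an exclusion of the internal zone (for example corp.example.com): every public name is tunnelled while internal names stay with the local resolver, because the specific suffix is longer than "*". Run exactConflicts over both parsed fields first; a tie makes dnsDecision throw rather than guess.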
- Advanced
- IPV6 Modes: Zscaler Client Connector handles IPv6 traffic based on the configuration mode set here.
- IPv6Cleanout: If selected, Zscaler Client Connector does not apply any IPv6 settings.
- IPv6BlockInDualStack: If selected, Zscaler Client Connector blocks IPv6 traffic only in a dual stack network.
- IPv6Block: If selected, Zscaler Client Connector blocks IPv6 traffic irrespective of the network type.
- IPv6NAT64Only: If selected, Zscaler Client Connector handles IPv6 traffic through NAT64 translation.
- IPv6Native: If selected, Zscaler Client Connector handles IPv6 traffic natively.
- Tunnel Internal Client Connector Traffic: Enable this option for Zscaler Client Connector to tunnel internal traffic (e.g., app updates and policy updates) through Zscaler. This option is only applicable if you deploy in a no-default route environment. If disabled, Zscaler Client Connector sends internal traffic directly.
When this option is enabled, Zscaler Client Connector does not tunnel PAC requests and continues to send PAC requests directly.
- Drop QUIC Traffic: This option is for websites that use QUIC (UDP 443), which is not supported by Z-Tunnel 1.0. When enabled, Z-Tunnel 1.0 drops QUIC packets so the application can fall back to TCP 443.
- Route Table for Tunnel Connections: Enable to have Zscaler Client Connector follow the routing table to connections for ZIA (i.e., Z-Tunnel 1.0), ZPA, and bypassed connections. If the setting remains disabled, it instead binds to the system's default interface.
- Reactivate ZIA After: Enter the number of minutes that must pass before Zscaler Client Connector reactivates ZIA after the user turns it off. To enable the reactivation period, enter any value from 1 to 1440 minutes. To disable, enter 0 (zero); Zscaler Client Connector then doesn't reactivate ZIA after the user turns it off.
- Passwords
Configure the following optional passwords:
- Logout Password: Provide the password users must enter to log out of Zscaler Client Connector.
- Disable Password ZIA: Provide the password users must enter to disable the ZIA service.
- Disable Password ZPA: Provide the password users must enter to disable the ZPA service.
- Profile Passcode: Provide the password users must enter to connect to the VPN.
Click the View icon next to each password setting to show or hide the password.
- Notification and Logging
- Log Mode: Zscaler Client Connector generates logs that users can send to a designated support admin in your organization, or to Zscaler Support (in encrypted form). To specify the scope of the logs, select one of the following log modes:
- Default (Current: <log mode>): Displays the default global log mode configured in Platform Settings. You can override this setting, for the current profile only, by selecting a different option from the drop-down menu.
- Error: Zscaler Client Connector logs only when the app encounters an error and functionality is affected.
- Warn: Zscaler Client Connector logs when the app is functioning but is encountering potential issues, or when conditions for the Error log mode are met.
- Info: Zscaler Client Connector logs general app activity, or when conditions for the Warn log mode are met.
- Debug: Zscaler Client Connector logs all app activity that could assist Zscaler Support in debugging issues, or when conditions for the Info log mode are met.
- Log File Size in MB: If you are using Zscaler Client Connector for ZPA only, skip this option. Enter a value between 50 and 1000 to specify the maximum size of the log file. The default log file size is 100 MB per log type. When logs reach the maximum file size, the oldest logs are truncated from the file to keep the file size below the maximum.
- Show per-app VPN Tunnel Notification: When enabled, Zscaler Client Connector notifies the end user that per-app VPN tunnel establishment is in progress.
- Advanced
- Send Disable Service Reason: This option allows users to send a description about why a Zscaler service (e.g., ZIA, ZPA, ZDX) was disabled on a device. By default, this option is disabled. This information is accessible when viewing device details.
- Policy
- Android
To add a new Android policy rule:
- In the left-side navigation, click App Profiles and select Android.
- Click Add Android Policy. The Add Android Policy window appears.
- In the Add Android Policy window, you can configure the following settings:
- General
- Name: Enter a unique alphanumeric name for your policy rule.
- Rule Order: Select the appropriate rule order value from the drop-down menu. The rule order reflects the order of precedence among configured profile policy rules and helps determine which rule the app downloads for a user upon enrollment. Precedence is based on ascending numerical order.
- Status: Select Disabled to deactivate the rule or select Enabled to activate the rule. If you don’t enable the rule, the policy rule is not enforced.
- Forwarding Profile: Select one of your configured forwarding profiles from the drop-down menu. You can also search for items to select. The supported forwarding profile modes for Android are Tunnel and None. To learn more, see Configuring Forwarding Profiles for Zscaler Client Connector.
Zscaler does not support Z-Tunnel 2.0 on Android.
- ZIA Posture Profile: Select a posture profile from the drop-down menu to apply to the app profile. You can also search for items to select.
- Install Zscaler SSL Certificate: If you’re using Zscaler Client Connector for Zscaler Private Access (ZPA) only, skip this option. Enable this option to allow Zscaler Client Connector to automatically install the Zscaler SSL certificate on users’ devices. If you uploaded your organization’s custom certificate in the Zscaler Client Connector Portal, the app installs your organization’s custom certificate instead.
- Groups
- User Groups: When a user enrolls Zscaler Client Connector with the Zscaler service, Zscaler Client Connector checks the group to which the user belongs and downloads the app profile with the appropriate rule.
- Click Selected to select user groups from the drop-down menu. The groups you've configured in the ZIA Admin Portal are displayed in this menu. There is no limit to the number of groups you can select.
- Click All to select all groups.
When new user groups are added, they are automatically selected. You can clear the checkbox to exclude them from your policy.
- Users: Select this option to apply this rule to a specific user. The users you've configured in the ZIA Admin Portal are displayed in this menu after a user enrolls Zscaler Client Connector with the Zscaler service. Zscaler Client Connector checks whether the enrolling user is selected in the rule and downloads the app profile with the appropriate rule. You can select up to 50 users. By default, no users are selected.
Don't select a user if you want to create and save a rule before applying it to a user or a user group.
- Device Groups: Select this option to apply this rule to specific groups or to all device groups. Click Select All to select all device groups or select individual groups from the drop-down menu. Device groups created in the Zscaler Client Connector Portal are displayed in this menu. To learn more, see Creating Device Groups.
Device groups are available only on Zscaler Client Connector version 3.7 and later for Android devices.
- Traffic Steering
- PAC and Proxy
- PAC Configuration: If you're using Zscaler Client Connector for Zscaler Private Access (ZPA) only, skip this option. Enter a valid PAC URL in the Custom PAC URL field if you want Zscaler Client Connector to forward all internet traffic to the Zscaler service and want to specify exceptions for certain types of traffic. The maximum number of characters is 512.
- App and IP Bypass
- Global Bypasses
- Bypass Traffic for Specific Application: Enter the identifier of any Android application to configure a bypass for it. You can find the identifier after the id parameter in the URL of the app's Google Play details page. For example, Zscaler Client Connector's identifier is zscaler.com.zscaler.
- Bypass Traffic for MMS Applications: Enable this option for Zscaler Client Connector to automatically bypass standard messaging applications on Android. The bypassed messaging apps include WhatsApp and the Android Messages app.
- IP Bypasses
You can configure traffic bypass for IP-based applications.
To reset to the default configuration, click Restore Default.
- Predefined IP-Based Application Bypass: Click Select All or select applications from the IP-Based application bypass drop-down menu. You can also search for items to select.
- Custom IP-Based Application Bypass: Select applications from the IP-Based application bypass drop-down menu. You can also search for items to select. To add applications to the IP-based application list, see Adding IP-Based Applications to Bypass Traffic.
- Disaster Recovery
- ZIA Disaster Recovery
ZIA Disaster Recovery provides users access even when the Zscaler Internet Access (ZIA) service is down and is available only to enrolled users. To configure ZIA Disaster Recovery:
- Select Enable ZIA DR.
- Select from the following traffic forwarding actions in the drop-down menu:
- Send Traffic Direct: Traffic bypasses Zscaler Client Connector, giving the user access to all applications through direct internet access.
- Disable Internet Access: All traffic is dropped at the endpoint and users do not have access to the internet.
- Allow preselected destinations: You can either block or allow access to specific URLs using a custom PAC file. Insert the custom PAC file URL in the Use Custom Destinations URL field.
- Allow Zscaler Preselected Destinations (Recommended): When enabled, users can access only the URLs that are present in the Zscaler-provided global database allowlist. The rest of the URLs are blocked.
- Allow Custom Destinations: Select this option to insert a custom PAC file URL in the Custom Destinations field. You can configure a custom PAC URL (with the http:// or https:// prefix) that users can access when the ZIA service is down. When configured in conjunction with the global database URL, both URL lists are allowed. The custom destinations URL takes precedence when there are any conflicts. You can also forward the traffic to a proxy server.
- When configuring the custom PAC file, ensure that you allow access to the ZPA IP range 100.64.0.0/16 and the ZPA domains zpath.net and zpatwo.net, to prevent blocking ZPA traffic.
- If you have enabled both the Allow Zscaler Preselected Destinations and Allow Custom Destinations fields, ensure that you remove the `return drop;` statement from the custom PAC file, because it blocks the URLs listed in the Zscaler-provided global database allowlist.
Use the following sample custom PAC file:

```javascript
function FindProxyForURL(url, host) {
    var drop = "BLOCK";
    /* Return DIRECT to allow access */
    if ((localHostOrDomainIs(host, "google.com")) ||
        (localHostOrDomainIs(host, "salesforce.com")) ||
        (localHostOrDomainIs(host, "microsoft.com")) ||
        (localHostOrDomainIs(host, "zscaler.com"))) {
        return "DIRECT";
    }
    /* Default block statement to block anything not allowed above */
    return drop;
}
```
- Return DIRECT to allow destination access.
- Return BLOCK (or any other return statement other than DIRECT) to block destination access.
- Return PROXY to forward the selected internet traffic to a proxy server with or without a port. Applies to Zscaler Client Connector version 4.5 for Windows and macOS only.
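As an added example (not Zscaler's sample or code), the same disaster-recovery PAC pattern extended to keep ZPA reachable and to show the PROXY return, with minimal stand-ins for the standard PAC helper functions so it runs offline in Node.js; the corporate domains, the partner domain and the proxy host are constructed placeholders. Note that localHostOrDomainIs matches only the exact host, so dnsDomainIs is used where subdomains should also be allowed.

```javascript
// Added example (not Zscaler's code): minimal stand-ins for the standard PAC
// helpers so the DR PAC below can be evaluated offline in Node.js. A real PAC
// engine resolves names inside isInNet(); this shim handles dotted-quad hosts only.
function dnsDomainIs(host, domain) {
  // True for the domain itself and any subdomain of it.
  return host === domain || host.endsWith("." + domain);
}
function localHostOrDomainIs(host, hostdom) {
  // True only for an exact match, or for an unqualified host whose name
  // equals the first label of hostdom (standard PAC semantics).
  return host === hostdom ||
    (host.indexOf(".") === -1 && host === hostdom.split(".")[0]);
}
function ipToInt(ip) {
  return ip.split(".").reduce(function (acc, o) { return (acc << 8) + Number(o); }, 0) >>> 0;
}
function isInNet(host, pattern, mask) {
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return false;
  return ((ipToInt(host) & ipToInt(mask)) >>> 0) ===
         ((ipToInt(pattern) & ipToInt(mask)) >>> 0);
}

// Constructed placeholders: replace with your organization's destinations.
var CORP_DOMAINS = ["example-corp.com", "salesforce.com", "microsoft.com", "zscaler.com"];
var PARTNER_DOMAIN = "partner-example.com";
var DR_PROXY = "PROXY drproxy.example-corp.com:8080";

function FindProxyForURL(url, host) {
  var drop = "BLOCK";
  // Keep ZPA working during a ZIA outage: allow the ZPA IP range and domains.
  if (isInNet(host, "100.64.0.0", "255.255.0.0") ||
      dnsDomainIs(host, "zpath.net") ||
      dnsDomainIs(host, "zpatwo.net")) {
    return "DIRECT";
  }
  // Corporate destinations, including their subdomains (www., login., ...).
  for (var i = 0; i < CORP_DOMAINS.length; i++) {
    if (dnsDomainIs(host, CORP_DOMAINS[i])) return "DIRECT";
  }
  // Forward selected traffic to a proxy (Zscaler Client Connector 4.5 for
  // Windows and macOS only, per the settings above).
  if (dnsDomainIs(host, PARTNER_DOMAIN)) return DR_PROXY;
  // Default block. Remove this line when the profile also enables
  // Allow Zscaler Preselected Destinations, or it blocks that allowlist too.
  return drop;
}

// Evaluate the PAC for a full URL, as a PAC engine would.
function decide(url) {
  return FindProxyForURL(url, new URL(url).hostname);
}
```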
- DNS Settings:
- Precreate a DNS TXT record with the Zscaler DNS generator tool: To create an Active Domain Name and Domain Public Key, see Creating DNS TXT Records.
If you have ZIA only, you cannot download the DNS Record Generator.
- ZIA Domain name: Enter a valid domain name.
- TXT Record Signing Public Key: Click Upload to add a valid public key. You can only upload .pem files.
- Activation: Activate or test disaster recovery by updating the DNS TXT record value. To learn more, see Creating DNS TXT Records.
- Test Mode: Enable Activate Test Mode if the selected users or groups for the app profile are part of a group to test disaster recovery. Zscaler recommends that disaster recovery be tested periodically with just a few users.
- ZPA Disaster Recovery
ZPA Disaster Recovery provides users access to applications when the Zscaler Private Access (ZPA) service is down. ZPA Disaster Recovery mode is available only to enrolled users. To configure ZPA Disaster Recovery:
- Select Enable ZPA DR.
- DNS Settings:
- Precreate a DNS TXT record with the Zscaler DNS generator tool: To create an Active Domain Name and Domain Public Key, see Creating DNS TXT Records.
- ZPA Domain name: Enter a valid domain name.
- TXT Record Signing Public Key: Click Upload to add a valid public key. You can only upload .pem files.
- Activation: Activate or test disaster recovery by updating the DNS TXT record value. To learn more, see Creating DNS TXT Records.
- Test Mode: Enable Activate Test Mode if the selected users and/or groups for the app profile are part of a group to test disaster recovery. Zscaler recommends that disaster recovery be tested periodically with just a few users.
- DNS
- Custom DNS Server: Enter a DNS server IPv4 address to specify a DNS server for Android and Chromebook devices. You can enter up to three DNS server IPv4 addresses.
- Bind Trusted Criteria DNS Request to Default Adapter: When enabled, Zscaler Client Connector sends the Trusted Hostname IP resolution DNS request over the default adapter. By default, this option is enabled. When disabled, Zscaler Client Connector does not bind that DNS request to the default adapter.
- Advanced
- Tunnel Internal Client Connector Traffic: Enable this option for Zscaler Client Connector to tunnel internal traffic (e.g., app updates and policy updates) through Zscaler.
When this option is enabled, Zscaler Client Connector does not tunnel PAC requests and continues to send PAC requests directly.
- Drop QUIC Traffic: This option is for websites that use QUIC (UDP 443), which is not supported by Z-Tunnel 1.0. When enabled, Z-Tunnel 1.0 drops QUIC packets so the application can fall back to TCP 443.
- Reactivate ZIA After: Enter the number of minutes that must pass before Zscaler Client Connector reactivates ZIA after the user turns it off. To enable the reactivation period, enter any value from 1 to 1440 minutes. To disable, enter 0 (zero); Zscaler Client Connector then doesn't reactivate ZIA after the user turns it off.
- PAC and Proxy
- Passwords
Configure the following optional passwords:
- Logout Password: Provide the password users must enter to log out of Zscaler Client Connector.
- Disable Password ZIA: Provide the password users must enter to disable the ZIA service.
- Disable Password ZPA: Provide the password users must enter to disable the ZPA service.
- Disable Password ZDX: Provide the password users must enter to disable the Zscaler Digital Experience (ZDX) service.
- Uninstall Password: Provide the password users must enter to uninstall Zscaler Client Connector.
Click the View icon next to each password setting to show or hide the password.
- Notification and Logging
- Log Mode: Zscaler Client Connector generates logs that users can send to a designated support admin in your organization, or to Zscaler Support (in encrypted form). To specify the scope of the logs, select one of the following log modes:
- Default (Current: <log mode>): Displays the default global log mode configured in Platform Settings. You can override this setting, for the current profile only, by selecting a different option from the drop-down menu.
- Error: Zscaler Client Connector logs only when the app encounters an error and functionality is affected.
- Warn: Zscaler Client Connector logs when the app is functioning but is encountering potential issues, or when conditions for the Error log mode are met.
- Info: Zscaler Client Connector logs general app activity, or when conditions for the Warn log mode are met.
- Debug: Zscaler Client Connector logs all app activity that could assist Zscaler Support in debugging issues, or when conditions for the Info log mode are met.
- Log File Size in MB: If you are using Zscaler Client Connector for ZPA only, skip this option. Enter a value between 50 and 500 to specify the maximum size of the log file. The default log file size is 100 MB per log type. When logs reach the maximum file size, the oldest logs are truncated from the file to keep the file size below the maximum.
- Verbose Logging: When you select this option, users can enable extra debugging logs in Zscaler Client Connector.
- Configure Cellular Quota Enforcement Settings
For Android devices, you can define a monthly quota to ensure that cellular bandwidth is used for business applications only. This quota setting affects cellular data only. It doesn't affect Wi-Fi. You must allowlist your business applications to exempt them from the quota.
Zscaler ended support of bandwidth quota control for Zscaler Client Connector version 1.5.3 and later for Android.
Before the quota is exceeded, users can use cellular data for both personal and business apps. When the quota is met, users can only access cellular data for corporate apps (i.e., apps placed on the allowlist). Although personal apps are not allowed to access the cellular data network, users can use Wi-Fi for personal apps.
- Enable Quota on Cellular Network: Enable to define a monthly quota to ensure that cellular bandwidth is used for business applications only. To learn more, see Configuring a Cellular Quota with Zscaler Client Connector for Android.
- Enforce Quota Only for Roaming Users: Enable to enforce the quota only when users are roaming.
- Monthly Billing Day: Select a day of the month from the drop-down menu. The day you select is when the cellular quota is reset every month (e.g., if you select 1, the cellular quota is reset on January 1st, February 1st, March 1st, etc.).
- Quota (MB): Specify the quota in MB. Enter a value from 1 to 10000.
- Wi-Fi SSID: (Optional) Enter the service set identifier (SSID) of your wireless local area network (WLAN) if you want to test and simulate data usage for that specific SSID.
- Block Notification Message: (Optional) Enter or paste text of the notification that appears when the quota is exceeded. You can enter HTML tags and images, as long as the image files are accessible from the internet.
- Android Applications on Allowlist: (Optional) To allowlist Android applications:
- Add the apps' identifiers, separated by commas, to exclude apps from the quota calculation. To find the app identifier, go to Google Play and navigate to the app's details page. The identifier is listed after the id parameter in the details page's URL. For example, the URL for Zscaler Client Connector's Google Play detail page is https://play.google.com/store/apps/details?id=zscaler.com.zscaler, so the identifier for Zscaler Client Connector is zscaler.com.zscaler.
- Click Find Applications.
- In the Edit Applications List window:
- View the applications under Android Applications on Allowlist.
- Click the Delete icon for an application to remove it from Android Applications on Allowlist.
- Select applications from the Preloaded Apps list to add them back to Android Applications on Allowlist.
- Click Save.
The saved applications appear in the Android Applications on Allowlist section.
- Advanced
- Send Disable Service Reason: This option allows users to describe why a Zscaler service (e.g., ZIA, ZPA, ZDX) was disabled on a device. By default, this option is disabled. This information is accessible when viewing device details.
- Policy