
What Is Zscaler Client Connector?

Using Zscaler Client Connector, users can get all of the benefits of the Zscaler service for internet traffic, as well as granular, policy-based access to internal resources from a single point.

  • With Zscaler Internet Access (ZIA), you can protect your users' web traffic even when they are outside your corporate network. You can also protect your users' mobile traffic, whether they're connected to Wi-Fi or cellular networks. The app forwards user traffic to the Zscaler service and ensures that your organization's security and access policies are enforced wherever they might be accessing the internet.
  • With Zscaler Private Access (ZPA), you can enable your users to securely access enterprise applications from outside the corporate network. ZPA establishes a secure transport for accessing your enterprise apps and services.
  • With Zscaler Digital Experience (ZDX), you can monitor your organization’s user devices to detect user experience and productivity issues. ZDX relies on Zscaler Client Connector to perform synthetic probing to a desired Software as a Service (SaaS) application or internet-based service (e.g., OneDrive, Gmail, etc.).
  • With Zscaler Endpoint Data Loss Prevention (DLP), you can protect your organization from data loss on endpoints. Endpoint DLP policy complements Zscaler DLP policy by extending the monitoring of sensitive data to the activities that end users take on endpoints (i.e., printing, saving to removable storage, saving to network shares, or uploading to personal cloud storage accounts).

You have the ability to control various settings for the app in the Zscaler Client Connector Portal. The Zscaler Client Connector Portal is dedicated to app management, accessible directly from the ZIA and ZPA Admin Portals. With administration options, you can configure general settings for the app, such as auto-update and in-app support.

You can also configure app profiles and specify, for example, how the app detects when a user is connected to a trusted network, and if a trusted network is detected, whether the app must disable its service. For greater flexibility, you can configure app profiles so that they apply to all users or to specific groups of users in your organization.

In the Zscaler Client Connector Portal, you can define policies that control how a device forwards traffic to the Zscaler service and which apps, functionality, and content can be accessed from a device. For mobile devices, the Zscaler service also provides per-user and per-department logging and reporting.

After you configure settings and policies in the Zscaler Client Connector Portal, you can silently deploy the app on users' devices for Windows and macOS. You can also deploy the app on users’ devices for Android, Android on ChromeOS, and iOS via MDM. Users need only complete a simple login process to enroll their devices with the Zscaler service.


When users enroll, the app downloads the administration settings you've configured, as well as the appropriate app profile, and begins forwarding traffic and protecting users immediately. The app regularly checks for updates to administration options and app profiles, and downloads any changes you make, ensuring the app reflects your latest settings.

For Android devices, Zscaler Client Connector also establishes a proprietary, secure HTTP-tunnel-based VPN to forward the mobile traffic from the user's applications to Zscaler Client Connector. Zscaler Client Connector then sends this traffic to the cloud. Zscaler uses Samsung Approved for Enterprise (SAFE) KNOX APIs for enforceability.

Users might be able to turn off the VPN on non-Samsung Android devices.

When you run Zscaler Client Connector on Android and iOS devices, it also installs the policy that you configured on the Zscaler Client Connector Portal as a profile on your mobile device. Additionally, it enrolls the device in the Zscaler service. After the device is enrolled, the device establishes a local VPN that connects locally to Zscaler Client Connector to direct traffic. As the browser and other applications generate traffic, it is automatically forwarded to the Zscaler cloud.

Key Features

The following are some key Zscaler Client Connector features and benefits:

  • Authentication: The app supports all authentication mechanisms supported by the Zscaler service, except Kerberos. It also supports SAML with two-factor authentication. Your organization's users can seamlessly log in and enroll with their existing user credentials. If you are using the app for ZPA, your organization must use SAML authentication.
  • Enforcement: You can configure the app profile so that after users enroll, they cannot log out of, disable, or uninstall Zscaler Client Connector without an admin-provided password.
  • Trusted Network Detection: The app can detect when users are connecting from a trusted network (for example, from your corporate network) and disable its internet security service so that user traffic is forwarded to the Zscaler service via the network's configured traffic forwarding mechanism. Learn more about configuring trusted networks.
  • Captive Portal Detection: The app can detect when users try to connect to networks where a captive portal requires users to pay or accept a use policy before accessing the web (for example, Wi-Fi networks at airports or hotels). When it detects a captive portal, it can disable its service for a period of time you specify, allowing users to complete the steps necessary to access the network, before automatically re-enabling itself. Learn more about captive portal detection.
  • SSL Inspection: If you are using Zscaler Client Connector to secure your web traffic, it can automatically install the Zscaler SSL certificate during enrollment so that the Zscaler service can perform SSL inspection on web traffic forwarded by the app. However, you must enable SSL inspection for mobile traffic in the ZIA Admin Portal. This feature applies to the Internet Security service only. ZPA does not support SSL inspection.
  • Auto-Update to Latest Release: You can enable auto-updates so that apps on users' devices are automatically updated whenever Zscaler releases a new version. If you prefer to test new app versions before allowing updates, you also have the option of pushing app updates from the Zscaler Client Connector Portal when you're ready. Learn more about update settings.
  • Easy Administration with the Zscaler Client Connector Portal: In the Zscaler Client Connector Portal, you can easily manage app profiles and administration settings. The app checks regularly for updates and downloads any changes you make. If users exit the app, log out and log back into the app, or restart their devices, the app also checks for updates and downloads changes.
  • Dashboards and Device Fingerprint Information: In the Zscaler Client Connector Portal, you can view a dashboard that provides information about devices that have been enrolled with the Zscaler service, including the number of Zscaler Client Connector licenses being used, the device models, platforms, and operating systems on which the app is running, as well as information about which devices are running outdated app versions. You can also view device fingerprint information for all devices that have been enrolled.
  • In-App Access to Support: You can provide users with different options for requesting support in Zscaler Client Connector. You can allow users to send support request emails directly from the app to your organization's support team, or you can allow users to submit tickets directly from the app to Zscaler Support. Learn more about support access in Zscaler Client Connector.
  • Localization: Zscaler Client Connector supports changing the language of the app user interface based on the system language. To learn more, see Localization Support.

How Does Zscaler Client Connector Work?

This section describes how Zscaler Client Connector works when you use it to secure your web and mobile traffic. To learn about how the app works when you use it with ZPA to provide secure access to your internal resources, see What is Zscaler Private Access? To learn about how the app works when you use it with ZDX to monitor your users' experience and productivity issues, see What is Zscaler Digital Experience? To learn about how the app works when you use it for Endpoint Data Loss Protection (DLP), see Zscaler Endpoint Data Loss Prevention (DLP) Integration with Zscaler Client Connector and About Endpoint Data Loss Prevention.

When you install Zscaler Client Connector for PC, a Zscaler Network Adapter is also installed on your user's computer. When the user connects to the web, the network adapter captures web traffic from that device. The app then uses geolocation technology to locate the ZIA Public Service Edge closest to the user, establishes a lightweight tunnel (called the Z-Tunnel) to the ZIA Public Service Edge, and forwards the user's web traffic through the tunnel so that the ZIA Public Service Edge can apply appropriate security and access policies.

When you install Zscaler Client Connector on a mobile device, it authenticates the user using your corporate authentication mechanism and completes the following tasks:

  • Installs the appropriate app profile
  • Installs a VPN profile locally (if not already installed via MDM)
  • Registers the mobile device to the Zscaler service

The device then establishes a local VPN tunnel that captures application traffic and directs it to Zscaler Client Connector on the device.

While this is the default behavior of the app, you can modify the app's traffic forwarding settings as necessary. For example:

  • Instead of the app automatically determining the ZIA Public Service Edge to which it tunnels traffic, you can specify the particular ZIA Public Service Edges to which the app must tunnel traffic (for example, you must do this if your organization uses ZIA Public Service Edges or Virtual Service Edges).
  • If you are running Zscaler Client Connector version 1.4 or later, you can choose multiple destinations for Zscaler Client Connector to send traffic (for example, you can send traffic for a certain domain to a Service Edge or Virtual Service Edge, and send the rest to the geographically closest ZIA Public Service Edge).
  • You can choose to allow some traffic (for example, traffic to certain domains like identity federation URLs) to bypass the app tunnel and go directly to the web.

To modify the app's traffic forwarding behavior in these ways, you can add a custom PAC file in your app profile so that the app forwards traffic according to its instructions. The app checks the PAC file regularly to make sure it retrieves the latest one, and whenever it retrieves a new PAC file, it saves that PAC file to your users' computers. This ensures that the PAC file is accessible even after users restart the app or their computers, allowing them to access internal resources and send traffic to private IP ranges even if your organization faces internet connectivity issues.
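The forwarding choices listed above (a dedicated edge for one domain, a direct bypass for identity federation hosts, everything else to the default edge) can be expressed in a PAC file like the following, which is an added example and not a Zscaler-supplied file. Every hostname, port and domain in it is a made-up placeholder, and sending private addresses and single-label names direct is an assumption of this example.

```javascript
// Added example PAC logic; all hostnames, ports and domains are placeholders.
var DEFAULT_EDGE = "PROXY default-edge.example.net:8080";     // stands in for the closest Public Service Edge
var DEDICATED_EDGE = "PROXY dedicated-edge.example.net:8080"; // stands in for a specific Service Edge
var BYPASS_DOMAINS = ["idp.example.com"];    // e.g. identity federation hosts
var DEDICATED_DOMAINS = ["erp.example.com"]; // traffic pinned to the dedicated edge

// True when host equals domain or is a subdomain of it. Matching on a label
// boundary keeps look-alikes such as "evil-idp.example.com" or
// "idp.example.com.attacker.test" out of a bypass rule.
function inDomain(host, domain) {
  host = host.toLowerCase().replace(/\.$/, "");
  return host === domain || host.slice(-(domain.length + 1)) === "." + domain;
}

function anyDomain(host, list) {
  for (var i = 0; i < list.length; i++) {
    if (inDomain(host, list[i])) return true;
  }
  return false;
}

// True for literal IPv4 hosts in loopback or the RFC 1918 private ranges.
function isPrivateIPv4(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  var a = +m[1], b = +m[2];
  return a === 10 || a === 127 ||
         (a === 172 && b >= 16 && b <= 31) ||
         (a === 192 && b === 168);
}

function FindProxyForURL(url, host) {
  // Internal names and private addresses stay off the tunnel (assumption).
  if (host.indexOf(".") === -1 || isPrivateIPv4(host)) return "DIRECT";
  // Keep the bypass list short: bypassed hosts receive no policy enforcement.
  if (anyDomain(host, BYPASS_DOMAINS)) return "DIRECT";
  // Fall back to the default edge, never to DIRECT, if the dedicated edge is down.
  if (anyDomain(host, DEDICATED_DOMAINS)) return DEDICATED_EDGE + "; " + DEFAULT_EDGE;
  return DEFAULT_EDGE;
}
```

When reviewing a PAC file like this, the bypass list is the part to audit first, since each entry is traffic that reaches the web without inspection.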

Whether you use a custom PAC file or have the app forward traffic to the service per its default behavior, the app regularly checks to make sure traffic is forwarded correctly and efficiently. For example, it checks at regular intervals whether the ZIA Public Service Edge to which the app is currently tunneling traffic is still the best ZIA Public Service Edge for a given user's traffic. It also performs these checks whenever a user changes networks, or restarts the app or their devices.

By default, the app overrides any proxy settings configured on users' browsers so that users cannot manipulate the app's traffic routing. If you prefer to allow users' browser proxy settings to apply, you can do so with your app profile policy.

Zscaler can check IP addresses to avoid IP address conflict. For example, if you are using 100.64.0.0/16 and Zscaler sees a conflicting IP address, Zscaler changes it to 100.65.0.0/16. This change in the IP addresses can range from 100.64.0.0/16 to 100.83.0.0/16.

To learn more about the end user functionality within the app, see End User Guides. To start the configuration process for Zscaler Client Connector, see Accessing and Navigating the Zscaler Client Connector Portal and the Step-by-Step Configuration Guide for Zscaler Client Connector.
