A remote webserver has blacklisted my favorite Zscaler Enforcement Node. What can I do?


(Pratyusha Vemuri) #1

Issue: When a web server that is popular in a particular region receives a strong stream of traffic from a single IP address, such as that of a ZEN (Zscaler Enforcement Node), its webmaster may suspect a threat and blacklist the IP address, which in this case is the egress IP address of the ZEN. So instead of serving content for requests originating from the ZEN, the web server might reset the connection or simply not respond.

Solution: If this occurs, contact Zscaler Support. Zscaler will reach out to the site’s webmaster, explain the nature of our service, and request the removal of the ZEN IP address from the blacklist. Additionally, Zscaler highly recommends that you contact the website as well and ask the webmaster to remove the ZEN IP address from their blacklist. We have found this approach to be highly effective.

To view the list of Zscaler public node IP addresses, go to ips..net and view the Cloud Enforcement Node Ranges page. To learn how you can find your cloud name, click here.

When you contact the webmaster, give them the data center IP ranges in the Actual Usable Range column. It contains fewer IP addresses than the CIDR Notation column.

Note that the webmasters at the remote website will need time to respond and to remove the ZEN IP address from the blacklist. In the meantime, you can try the following options to restore connectivity to the website immediately.

Only in the rarest cases do we see a user’s secondary ZEN blacklisted in addition to their primary ZEN. If your organization uses PAC files, we recommend adding a rule in the PAC file that routes traffic to that particular website through the next-closest ZEN. One way to do this is with the dnsDomainIs() function shown below:

if (dnsDomainIs(host, ".remote-server.name")) return "PROXY ${SECONDARY_GATEWAY}; DIRECT";

This allows traffic to that web server to continue going through the Zscaler service.

Alternatively, you can add a rule in the PAC file that forwards traffic directly to the web server, bypassing the Zscaler service. You can specify this with the dnsDomainIs() function as well, shown below:

if (dnsDomainIs(host, ".remote-server.name")) return "DIRECT";

You can also configure a Zscaler service bypass through the proxy configuration menu in most browsers.
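The following is an added example (not part of the original post or of any Zscaler-provided PAC file) showing both workarounds above as a complete PAC file. The gateway hostnames are constructed placeholders standing in for the `${GATEWAY}`/`${SECONDARY_GATEWAY}` values the service fills in; the stand-in `dnsDomainIs()` is defined only so the file also runs outside a browser, since real PAC runtimes supply that function themselves. It also covers one edge case the one-liners do not: `dnsDomainIs(host, ".remote-server.name")` matches `www.remote-server.name` but not the bare apex host `remote-server.name`, so the apex is matched explicitly.

```javascript
// Constructed placeholder gateways; a real Zscaler PAC file substitutes
// ${GATEWAY} and ${SECONDARY_GATEWAY} for these.
var PRIMARY_ZEN = "primary-zen.example.invalid:80";
var SECONDARY_ZEN = "secondary-zen.example.invalid:80";

// The site whose webmaster has blacklisted the primary ZEN egress IP.
var BLACKLISTED_APEX = "remote-server.name";

// PAC runtimes provide dnsDomainIs() as a built-in; this stand-in (same
// semantics: case-insensitive suffix match) is used only when running the
// file stand-alone, e.g. under Node.
var dnsDomainIs = (typeof dnsDomainIs === "function") ? dnsDomainIs : function (host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  return host.length >= domain.length && host.slice(host.length - domain.length) === domain;
};

// True for the apex host and every subdomain of it. The leading dot in the
// dnsDomainIs() argument is deliberate: without it, "notremote-server.name"
// would also match.
function isBlacklistedSite(host) {
  return host.toLowerCase() === BLACKLISTED_APEX || dnsDomainIs(host, "." + BLACKLISTED_APEX);
}

// Workaround 1 (preferred): keep the site inside the Zscaler service by
// routing it through the next-closest ZEN, which is rarely blacklisted as well.
// Everything else continues to use the primary ZEN.
function FindProxyForURL(url, host) {
  if (isBlacklistedSite(host)) {
    return "PROXY " + SECONDARY_ZEN + "; DIRECT";
  }
  return "PROXY " + PRIMARY_ZEN + "; DIRECT";
}

// Workaround 2: the same match, but the site bypasses the Zscaler service
// entirely, so that traffic is no longer inspected or logged by it.
function FindProxyForURLBypass(url, host) {
  if (isBlacklistedSite(host)) {
    return "DIRECT";
  }
  return "PROXY " + PRIMARY_ZEN + "; DIRECT";
}
```

Only one `FindProxyForURL` can be active in a deployed PAC file, so pick one of the two bodies; the secondary-ZEN variant keeps the blacklisted site under the same policy and logging as the rest of your traffic, whereas the `DIRECT` variant removes it from the service until the webmaster clears the IP.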