Access application segment while on Trusted Network

First off: we’re relatively new to Zscaler and ZPA :slightly_smiling_face:

We have defined a Trusted Network based on having certain DNS servers in the default network interface. What we would like to do is to be able to access a specific ZPA application segment when working from a Trusted Network. The forwarding profile is configured to not tunnel traffic when working On Trusted Network.

Obviously, all app segments are available when working from a Non-Trusted Network (depending on ZPA access policies) but I was wondering if there is a possibility to make an exception: to access an app segment when working from a Trusted Network.

Hi GC,
Welcome to the Zscaler community !
Few questions to help with the answer:

  1. How many users needs access to this App Segment while on Trusted Network ? (Everyone or only a select few)
  2. Is this App Segment using any special port or just 80/443 ?


You can also explore ZPA Private Service edge which was designed to enforce Zero trust policies on premises leveraging ZPA…

Thank you Gerhard and Luis for your quick replies!

The issue was that I had configured a forwarding profile for ZCC which switched off ZPA forwarding while on a Trusted Network. So this was - practically speaking - an “either on or off” situation…

In the meantime, using the excellent documentation on, I dug into how ZPA Client Forwarding Policies work. Turns out this does exactly what I was looking for. Here’s how I have now set things up:

  • ZCC app profile for users in 2 locations
  • ZCC forwarding profiles for each of the 2 locations, using Pre-defined Trusted Networks specific to the location
  • ZPA fowards traffic when On Trusted or Off Trusted networks in both ZCC forwarding profiles
  • Configured ZPA Client Forwarding Polices to either bypass or forward ZPA based on “Client Connector Trusted Networks” criterium

Works like a charm, gives us so much more flexibility this way :grinning: