First off: we’re relatively new to Zscaler and ZPA.
We have defined a Trusted Network based on having certain DNS servers in the default network interface. What we would like to do is to be able to access a specific ZPA application segment when working from a Trusted Network. The forwarding profile is configured to not tunnel traffic when working On Trusted Network.
Obviously, all app segments are available when working from a Non-Trusted Network (depending on ZPA access policies) but I was wondering if there is a possibility to make an exception: to access an app segment when working from a Trusted Network.
Thank you Gerhard and Luis for your quick replies!
The issue was that I had configured a forwarding profile for ZCC which switched off ZPA forwarding while on a Trusted Network. So this was - practically speaking - an “either on or off” situation…
In the meantime, using the excellent documentation on help.zscaler.com, I dug into how ZPA Client Forwarding Policies work. Turns out this does exactly what I was looking for. Here’s how I have now set things up:
ZCC app profile for users in 2 locations
ZCC forwarding profiles for each of the 2 locations, using Pre-defined Trusted Networks specific to the location
ZPA forwards traffic when On Trusted or Off Trusted networks in both ZCC forwarding profiles
Configured ZPA Client Forwarding Policies to either bypass or forward ZPA based on “Client Connector Trusted Networks” criterion
Works like a charm, gives us so much more flexibility this way.