Access to our cloud servers which use a Whitelist


We have some websites on the net.
For our internal users that used our on premise proxy and Fortigate firewall it was easy to whitelist our own public IP’s to get access to those servers with special additional access.
With ZScaler the IP is not our own IP anymore.
Can we still use the whitelist?

You can bypass those destinations from Zscaler and sent it direct . As your IPs are already whitelisted site will work properly. Otherwise you have bypass Zscaler IPs .


You can bypass Zscaler IPs.


Use SIPA service

Hello Henk,

it depends what tunneling methods and combinations you use (ZCC, PAC, GRE-tunnel, etc.). Basically you have several options, but some only work e.g. if you have ZCC in place. You could

  1. use Zscaler SIPA, see About Source IP Anchoring | Zscaler (AFAIK proper subscription needed)
  2. use Zscaler Private Service Edge or Virtual Service Edge (AFAIK proper subscription needed)
  3. use any existing private Forward Proxy and extract traffic to dedicated IP/Hostnames via fwd-pacfile (ZCC needed, possibly also ZPA)
  4. use VPN-Gateway-Bypass/Destination Exclusion (ZCC needed
  5. wihitelist Zscaler ZEN IP-Ranges (could be quite a large list, see also

If you have GRE-tunnels you may also need to configure your routers accordingly to not route all traffic into the GRE tunnel (but I am not sure about that).

There may be other options I am not aware of right now.

We solved that problem via (3).


likely easiest solution is using SIPA

also helps for access to external servers where IP-ACL/geofencing measures are used (and the externals not willing/able to whitelist whole ZS cloud) and/or ‘the IP must come from within a certain country’ (and ZS has no CENR in that country; ukraine, egypt, chile as examples) and/or ‘IP must be owned by your company’ - and any possible combination of those.

Thanks, we will investigate this option.



I have this same situation at my client, and for providers that will do it, I have them whitelist the CENRs. For providers that will not do that, I route the traffic through ZPA to exit from the already whitelisted IP of their boundary. This is effectively SIPA, but technically that feature does not exist on