Application behind an IPsec Tunnel - ZPA

Hey folks,
Have anyone had an issue using ZPA to access an application that is reachable via an IPsec tunnel?

We have our ZAPP Connector in one of our DCs, That DC is currently using only a IPsec VPN to connect to our DC2 (thats the current scenario, it will not be like that forever, thats another topic).

We are planning to use ZPA to access our applications in our DC2 (keep in mind that our ZAPP is on DC1 only). Is it possible? No issues related to the fact that the traffic will get routed over a VPN? Maybe overhead? I am not sure, and wanted to have some ideas.

Hi Xavier,
To minimize latency and optimize performance, best practice would be to put app connectors in DC2 to provide connectivity to apps in that data center.

That said, as long as:

  1. the app connectors in DC1 can resolve DNS for apps in DC2
  2. routes are in place to forward traffic for those apps across the VPN tunnel, and
  3. access isn’t restricted in any way (e.g. by a network firewall),
    you shouldn’t have any problem using a point-to-point VPN for transport.

One thing you may have to consider is MTU, since IPSec will add some overhead there. But ZPA doesn’t add any additional overhead to the traffic from the app connector to the app, so if it works without ZPA it should work just as well through ZPA.


Hello Delmar,
Thanks a lot, you answered my question and went beyond.
I really appreciate it !!!