Automatic authentication through tunnel GRE

Hi everyone,
how can I ask users in my network to authenticate themselves each time the browser is opened?
Users have a file PAC installed and arrive on ZEN nodes via a GRE Tunnel.
The location they pass through is configured only with these features enabled:
Enforce Authentication - Enabled
Enforce Zscaler Client Connector SSL Setting - Enabled

When the user with pac file opens a browser by browsing I see it correctly unauthenticated but as soon as he tries to browse any other https or http site the system automatically authenticates it.

Could you please help me to understand?


Hi Luca,
Welcome to the community.
Authentication frequency is a global setting unter the Administration–>Authentication Settings page.
Please refer to the following article: for specifics of each option.
Note that this setting does not apply to client connector users, as they are always authenticated through the app, even if they are going through the GRE tunnel.


Thanks Nuno but this is not my goal.
I’ve some user with the PAC file installed that, from the Company Site, have to be authenticated before being able to navigate on Internet.
For this users I cannot enable the SSL Inspection and so, Zscaler ask me the authentication only on HTTP site or on site that doesn’t have the Auth_Cookie, how can I resolve this?
Keep in mind that for internal policy I cannot inspect this traffic and so, enabling the SSL Inspection cannot be the solution.


With Company site I mean a Known Location actually configured with the Enforce Authentication enable.


Hi all,
there is anyone that can help me to solve this problem?
Below a brief recap of the situation:

We have some Consultants with PAC files installed that cannot be subject to SSL Inspection due to company policies.
Currently these clients arrive at Zscaler matching the “Location_other but” and passing in a Tunnel GRE. Despite Enforce Authentication has been enabled, they still be able to browse without authenticating themselves, on all HTTPS sites.
How can we solve this problem without enabling SSL Inspection an without installing the Zscaler Root Certificate?
Remember that these users should NOT be able to browse if not authenticated.

Thanks in advice,