Best practices for bypassing domains in tunnel 2.0

https://help.zscaler.com/z-app/best-practices-adding-bypasses-z-tunnel-2.0
i was following this doc on how to test the scenario out. I cannot seem to get a test domain to work. I am confused about the part looking for a tunnel 1.0 listener.

I guess z tunnel 2.0 is available only for limited test customers. You can connect with your RSM or CSM or TAM to get enable this.

yes we have it enabled in beta. What i don’t understand is how to bypass domains we can’t send to zscaler.

You can bypass the domains on PAC files configured on app profile or forwarding profile

tunnel 2.0 if (localHostOrDomainIs(host, “”)) doesn’t seem to work for *.domain.com or domain.com when you are trying to do all hosts in the domain.

shExpMatch(host, “*.safemarch.com”)) doesn’t seem to work either.

What seems to work is if (dnsDomainIs(host. and i am able to bypass all hosts in the domain. Anyone know why?

Hi John,

dnsDomainIs will match a domain, not a URL portion or string, so this is probably better to use, noting that shExpMatch is a check for a string, so you need to be careful this isn’t opening you up to an issue. e.g. shExpMatch(host, “*company.com”) would also match evilpersoncompany.com.

I’ve also seen issues with some browsers using the asterisk wildcard in shExpMatch and not matching.

localHostorDomainIs, as far as I know needs to be an exact match, rather than wildcard.

Using dnsDomainIs for .company.com would match anything for company.com.

Regards

David

2 Likes

interestingly enough, shEXPMatch works great using the pac file and tunnel 1.0. For some reason with 2.0 and the forwarding + app pac file it was not matching correctly.