Is there any way to bypass traffic from Zscaler Tunnel 2.0 without using a Forwarding PAC?
The reason I am asking is that if we are using a Forwarding PAC, a local proxy is enforced in the end-user's system proxy settings.
We have a requirement where some VPNs DO NOT establish the connection if there is a proxy enabled on the local machine.
You can try to bypass through VPN bypasses and destination exclusions.
Tried that, but it didn't work.
Rahul, did you bypass the FQDN or the IP? We have 2 VPN solutions, so for one we added the FQDN, but for the other we had to add the GW IPs, as the FQDN didn't work.
Also, it is good to check whether the DNS servers are bypassed first, as if the site is not public but the DNS traffic is sent to Zscaler, it could be an issue.
Also, the VPN config needs to be checked, as the VPN could be the one capturing the DNS traffic; and check that the Zscaler app is using packet mode and not route mode, so as to work with the VPN.
I decided to share with the community that the guide Best Practices for Zscaler Client Connector and VPN Client Interoperability | Zscaler is a little old; on Tunnel 2.0 it seems to work well with a VPN agent, as it detects it, and the IP addresses/FQDNs of the VPN gateways can also be excluded from the tunnel.
What is interesting is that when I used an example PAC file for a forwarding profile for "Tunnel with local proxy" mode, ip.zscaler did not work, and it was because in the PAC file there was *.zs…
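To make the two points above concrete (bypassing VPN gateways by FQDN or by gateway IP, and an over-broad wildcard in a "Tunnel with local proxy" PAC silently sending a host such as ip.zscaler DIRECT), here is an added example PAC file. It is not from this thread, from the Zscaler guide or from Zscaler's own sample PAC. The gateway names and addresses are constructed, the listening-proxy address is an assumption to be replaced with the value from your forwarding profile, and the `shExpMatch`/`isInNet`/`isPlainHostName` helpers are simplified stand-ins for the ones the PAC engine normally provides, so the file can be evaluated offline with Node:

```javascript
// Added example PAC (not Zscaler's sample). The three helpers below are
// simplified stand-ins for the PAC runtime functions of the same name
// (assumption: same semantics for the simple patterns used here).
function shExpMatch(str, shexp) {
  // Shell-style glob (* and ?) -> anchored, case-insensitive regex.
  const re = "^" + shexp.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                        .replace(/\*/g, ".*")
                        .replace(/\?/g, ".") + "$";
  return new RegExp(re, "i").test(str);
}

function isInNet(ip, net, mask) {
  const toInt = (s) => s.split(".").reduce((acc, o) => (acc << 8) + Number(o), 0) >>> 0;
  return (toInt(ip) & toInt(mask)) === (toInt(net) & toInt(mask));
}

function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

// Constructed values: replace with your own VPN gateway FQDNs and networks.
const VPN_GATEWAY_HOSTS = ["vpn.example.com", "vpn2.example.net"];
const VPN_GATEWAY_NETS  = [["203.0.113.0", "255.255.255.0"]];
// Assumption: the ZCC listening proxy address; take it from the forwarding profile.
const ZCC_LISTENING_PROXY = "PROXY 127.0.0.1:9000";

function FindProxyForURL(url, host) {
  // Rule 1: VPN gateways by FQDN go DIRECT so the VPN client never sees a proxy.
  for (const h of VPN_GATEWAY_HOSTS) {
    if (shExpMatch(host, h)) return "DIRECT";
  }
  // Rule 2: gateways contacted by IP literal (when the FQDN bypass did not apply).
  if (/^\d+\.\d+\.\d+\.\d+$/.test(host)) {
    for (const [net, mask] of VPN_GATEWAY_NETS) {
      if (isInNet(host, net, mask)) return "DIRECT";
    }
  }
  // Rule 3: loopback and plain hostnames stay local.
  if (host === "localhost" || isPlainHostName(host)) return "DIRECT";
  // Everything else goes to the ZCC listening proxy (Tunnel with local proxy).
  return ZCC_LISTENING_PROXY;
}

// Sanity check for the issue in the post above: given the bypass patterns you
// intend to use and the hosts that MUST keep going through the proxy, return
// every [pattern, host] pair where a pattern is broader than intended.
function findOverbroadBypasses(bypassPatterns, mustProxyHosts) {
  const hits = [];
  for (const p of bypassPatterns) {
    for (const h of mustProxyHosts) {
      if (shExpMatch(h, p)) hits.push([p, h]);
    }
  }
  return hits;
}

// Usage (constructed input): "*.example.net" was meant for a VPN gateway but
// also swallows an internal portal that should stay on the proxy.
console.log(FindProxyForURL("https://ip.zscaler.com/", "ip.zscaler.com"));
console.log(findOverbroadBypasses(["vpn.example.com", "*.example.net"],
                                  ["ip.zscaler.com", "portal.example.net"]));
```

Run the over-broad check against the real bypass list before deploying a PAC: a single wildcard that matches a host you rely on (ip.zscaler being the obvious canary) shows up as a pair in the result, and the FQDN/IP rules mirror the two-gateway situation described earlier in the thread.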
In Client Connector 3.8, we introduced a new feature that can improve the FQDN bypassing process: "Adds two new options for the Z-Tunnel 2.0 protocol bypass feature: Redirect Web Traffic to ZCC Listening Proxy and Use Z-Tunnel 2.0 for Proxied Web Traffic". Using these knobs can eliminate the need for a forwarding PAC to bypass domains.