Client Connector behavior and traffic handling before User gets logged in (ZIA)

Hey everyone,

I just wanted to make sure that I’m on the right track, while we are evaluating the interactions from Zscaler Client Connector (ZIA), Endpoint Protection and so on.
Especially with Windows 11 around the corner and some Windows Auto Pilot stuff that gets introduced.

While for ZPA there seems to be a Function for Pre Windows Login, I couldn’t find anything regarding Zscaler Client Connector with only ZIA and if there is anything I should be aware of.

I would guess that this would lead us to the following Situation:
1.) If the Device is connected to a “normal internet connection” like in Homeoffice, the ZApp would do nothing before the user logs in. So the traffic would go directly to the internet (if no other vpn solution or so is activated/interrupts that).

2.) If the User/Laptop is on a corporate network, he has no direct access to the internet. In our case he would get routed to Zscaler via GRE-Tunnels and would there be seen as “Unauthenticated Traffic” that would get handled according to the policies for unauthenticated traffic.

3.) Last but not least: All our Locations have “Enforce Authentication” enabled.
This will block every traffic that is not authenticated with the exception of those configured under "Administration > Advanced Settings → “Authentication Exemptions” - Correct?

In conjunction to that, if I would just “restart” my Laptop on the corperate network, while I was already authenticated… I would keep “authenticated” via IP Surrogate until this gets disassociated?

Thanks in advance and kind regards,


to 1-3) correct

IP surrogate stays linked to your user account until idle time ends, you log out or another user sends authenticated transactions from the same IP. So as long as your reboot doesn’t take longer than what the idle timer is set for you should be back after reboot in authenticated state.

1 Like