Disable Zscaler Client when behind an IPSEC Tunnel

So I am running into a little bit of an issue. I would like to turn off the Zscaler Client (Tunnel 2.0) when On-Premise, which is connected to Zscaler via an IPSEC tunnel. I tried using the ‘None’ configuration in the ‘Forwarding Profile Action For ZIA’ for ‘On Trusted Network’. I confirmed that my ‘Trusted Network’ settings work properly and can tell when I am On Trusted Network, but I am running into an issue with logging in the ‘None’ configuration. When the client is ‘Disabled’ while On Trusted Network, the Authentication from the Zscaler Client is not passing, so I am not seeing the ‘User’ in the Web Insights Logging. I do not have Captive Portal turned on yet, but if the Zscaler Client is not passing the User Auth, I do not want all of my users having to sign into the Captive Portal even once (they are a bunch of babies and complain when they have to click an extra button), which is why the Zscaler Client passing the Auth for me is the best possible solution when I do enable Captive Portal.

Just curious if anyone else has seen this, knows how to get the user logged in the logs, or knows another configuration that may work.

Just a small backstory, we used to have Bluecoat and their agent automatically detected when it was behind a proxy and would disable the agent. I am trying to get a similar setup so that the 2.0 Tunnel is not routing DTLS traffic through the IPSEC tunnel when it is not needed. My network engineer saw that this was happening and is worried it could cause potential latency in the future.

Thank you again for your help


How about when you are on Network you drop the connectivity to Tunnel-1 and select port 80 as the proxy port? This will give you visibility with minimal overhead.

Just an idea,


Thank you… I forgot that Tunnel 1.0 has that capability. I will test it out and see how it works.

Thank you again