Force road warriors to specific ZIA service edge

Hi all,

I would like to force a set of road warriors to go to a specific ZIA Service Edge (ZSE) irrespective of their egress IP address. For example, some users in Indonesia are surfacing in Hong Kong (due to the ISP route) and use the Tokyo ZSE and I want to force them to go to either Hong Kong or Singapore.

We are using Tunnel 2.0 and I originally used the COUNTRY macro but the maxmind db is not reliable and the results were terrible.

Now, I have used the following script (snippet) in the App Profile PAC file where the IP addresses are the egress IP adresses the users surface from:

var egressip = “${SRCIP}”;

if (shExpMatch(egressip,“x.x.x.50”) ||
shExpMatch(egressip,“x.x.x.170”) ||
shExpMatch(egressip,"x.x.x.210 "))

This is also failing. Any suggestions on the scripting?

Much appreciated,

PS: I have not done any mods on the forwarding profile PAC file.

Hi Rallis -

Please check out the following article on how to do this. How to temporarily bypass specific DCs for Road Warriors running ZCC

Hi Niladri,

Thank you for the article. If I follow the logic therein, would the following script make sense then:

var gateway_port = “${GATEWAY}”;
var gateway = gateway_port.replace(“:80”,“”);
var hongkong1 = dnsResolve(“”);
var singapore1 = dnsResolve(“”);
var tokyo1 = dnsResolve(“”);

/* Force users to specific DC depending the egress gateway */

/* If the gateway is Tokyo force users to Hong Kong, failing that to Singapore */
if (gateway == tokyo1) 
    return "PROXY; PROXY; DIRECT";

/* If the gateway is Hong Kong force users to Hong Kong, failing that to Singapore */
if (gateway == hongkong1)

/* If the gateway is Singapore force users to Singapore, failing that to Chennai */
if (gateway == singapore1)
/* Default Traffic Forwarding */


Looks good. Since you are running Z-Tunnel 2.0 you will need to update your Forwarding Profile to ensure web traffic traverses Z-Tunnel 1.0. The directions are in the article. As always, please test before rollout :slight_smile:

Hi Niladri,

Will have a go and test it.

Many thanks,

Unfortunately, it didn’t work. So far we have tried to force re-direction using the country, egressip and gateway macros with no luck on all three. We have raised a TAC with Zscaler to see what can be done.

Much appreciated