I would like to force a set of road warriors to go to a specific ZIA Service Edge (ZSE) irrespective of their egress IP address. For example, some users in Indonesia are surfacing in Hong Kong (due to the ISP route) and use the Tokyo ZSE and I want to force them to go to either Hong Kong or Singapore.
We are using Tunnel 2.0 and I originally used the COUNTRY macro, but the MaxMind DB is not reliable and the results were terrible.
Now, I have used the following script (snippet) in the App Profile PAC file, where the IP addresses are the egress IP addresses the users surface from:
/* Force users to specific DC depending the egress gateway */
/* If the gateway is Tokyo force users to Hong Kong, failing that to Singapore */
if (gateway == tokyo1)
    return "PROXY hkg3.sme.zscaler.net:80; PROXY sin4.sme.zscaler.net:80; DIRECT";
/* If the gateway is Hong Kong force users to Hong Kong, failing that to Singapore */
if (gateway == hongkong1)
    return "PROXY hkg3.sme.zscaler.net:80; PROXY sin4.sme.zscaler.net:80; DIRECT";
/* If the gateway is Singapore force users to Singapore, failing that to Chennai */
if (gateway == singapore1)
    return "PROXY sin4.sme.zscaler.net:80; PROXY maa2.sme.zscloud.net:80; DIRECT";
/* Default Traffic Forwarding */
return "PROXY ${GATEWAY_FX}:80; PROXY ${SECONDARY_GATEWAY_FX}:80; DIRECT";
Looks good. Since you are running Z-Tunnel 2.0, you will need to update your Forwarding Profile to ensure web traffic traverses Z-Tunnel 1.0. The directions are in the article. As always, please test before rollout.
Unfortunately, it didn’t work. So far we have tried to force re-direction using the country, egressip and gateway macros with no luck on all three. We have raised a TAC with Zscaler to see what can be done.