Full Tunnel VPN - Zscaler Client Connector Configuration


Some of our users are using a client VPN which is configures as a Full Tunnel.
As it is a Full Tunnel VPN, all the traffic is routed to the VPN client. Hence we have added the DNS servers to trusted criteria which will populate when connected to Client VPN & selected the Forwarding Profile in VPN Trusted Network as NONE.

So when the user is connected to client VPN, ZCC identifies it is connected to a VPN Network and goes to DISABLED identifying it as a VPN Trusted Network.

Now the issue here is end-users are able to access all the unrestricted sites on the Client VPN as ZCC is disabled on the system.

Is our configuration correct ? or we can also restrict internet access even though users are using a Full Tunnel VPN?

Please share your thoughts on this.

Rahul V

Hi Rahul,
Can you build a GRE/IPsec tunnel from the VPN gateway to Zscaler DC? In your case, the web traffic is routed to the VPN client and then exiting from the VPN gateway. Can you add a tunnel from that node to the Zscaler DCs?


If the ZCC client is disabled when on a full tunnel VPN then what Jamil is explaining is the only solution for you. You would need to get that traffic that lands in your DC to somehow make it to us in order for policy enforcement to be applied. This can be done by placing that VPN traffic as it leaves your DC into a tunnel (IPsec or GRE).


Hello Nicholson,

We are seeing this limitation from VPN client only and its installing a default route as well.

Also, traffic lands at client’s gateway only which will not be in our control and its mamaged by client only.

Any solution for this ?

Rahul V

Hello Rahul,

The only solution would be for you to do a split-tunnel deployment for the VPN client, sending internally destined traffic over the IPSec tunnel from the VPN client back to your VPN concentrator. All other traffic, internet-bound traffic, send to ZCC and ultimately our cloud.