Hosted PAC file retrieval trough IPsec tunnel


HI, When the user is located in the LAN and use the hosted PAC file with $gateway and $secondary_gateway, how is the GEO location working (whihc IP adress will it get) .I know evey zen proxy returned will work ofcourse if all traffic is sent into the tunnel. Just want to know hoe the geo locaiton will work.
Thank you



The PAC file uses ${GATEWAY} for the primary ZEN and ${SECONDARY_GATEWAY} for the secondary ZEN. The service uses the GeoIP coordinates of the source IP address to determine the nearest ZEN. Zscaler uses MaxMind databases to associate the longitude/latitude coordinates with the source IP address, and using that provides the closest data center to connect to.




So it uses the Source IP adress of the IPsec tunnel ? as normally private IP addresses are used within the tunnel.
Kind regards


Hi Marco,

It’s essentially what ever source IP hits the PAC server. If you are coming through a tunnel, it would probably be the egress IP of the tunnel as the source for the request.

However, if you are using an IPSEC tunnel to route the LAN traffic to the cloud, there should be no need to use PAC files pointing to ZENs. Generally you would leverage these PAC files with mobile users who aren’t sending traffic through an existing tunnel.




Hi @mmulder - If you PAC file request is being transparently included in the IPSec VPN tunnel that terminates on your closest Zscaler DC then the source IP of the request will be the Zscaler ZEN instance IP your request is proxied by.

The ZEN instance IP will be used by the Zscaler PAC file server to establish (maxmind lookup) the users closest Zscaler DC and replace the $gateway value with the VIP IP address of that Zscaler DC. It is likely to be the same DC that your tunnel terminates on…unless of course the DC is not included in the $gateway resolution (such as China nodes).


Thank you, for the explanation


you also have the following macro variables: ${COUNTRY} and ${COUNTRY_GATEWAY} to stay in the same country.
For example, if you have a user between the dutch and german border but located in the Netherlands, you can use ${COUNTRY} to send them to the AMS node even though maxmind says they are closer to FRA node.


One feature that can simplify deployments is to have the variable ${LOCATION}. What is this? Please, follow this example:

PC (user) ----> Tunnel IPsec/GRE —> ZEN Node (*) ----> PAC file server

1 - The request for PAC file travel from inside the IPsec / GRE tunnel, reach the ZEN that terminates the tunnel and goes to the PAC file Server.
2 - At the ZEN Node (*) a http header with the Location ID is inserted.
3 - PAC files server will read the Location ID and will return it ${LOCATION} variable.

Finally, on your PAC logic you can create the rule that will select the ZEN nodes that you want according the ${LOCATION}

(Note, this is similar than current ${SOURCE_IP} with the difference that is able to determine the proper location more precisely and will work with sites with Dynamic IPs)

My two cents here.

Best regards

Adrian Larsen
Maidenhead Bridge