How to add an exception to Zscaler IP rerouting for logging in to Salesforce?

Hi everyone,

I’m asking here because my Zscaler team seems stumped and I am not able to log into a partner’s Salesforce. Our network is using the Zscaler Client Connector, and Zscaler will re-route traffic to show as coming from the Zscaler server instead of our actual server location.

I need to log in to login.salesforce.com, which is being operated by one of our partner organizations, but they are only willing to whitelist our actual server IP, not the Zscaler server IP. Hence, we have set up exceptions to Zscaler for the URLs they provided, and for Salesforce in particular we tried to put in exceptions to Zscaler to not reroute traffic from addresses like salesforce.com, c.salesforce.com, or their location cookie (https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location), but Salesforce still shows the login attempt as coming from the Zscaler server IP.

Does anyone here have experience with configuring Zscaler to NOT take over traffic going to Salesforce? Also, my apologies if this isn’t the correct forum to ask a question like this.

Thank you for any help on the topic.

I think you meant “client source IP” or the client’s egress IP and not “server IP”, but bypassing salesforce.com in the ZCC app profile should certainly do the trick, as the traffic would not pass through Zscaler - full stop. However, if you’re coming from a remote location like your home office, there’s no way to register every client’s source IP, as I assume the partner wanted one or two, or a range of, public IP addresses that represent your organization. Additionally, if you’re on the network and using ZCC behind an IPsec or GRE tunnel to Zscaler, that would explain why it is still going through Zscaler, even if you had “*.salesforce.com” in the app profile VPN bypass or in an associated PAC file.

All that said, there is one sure way to do this, still have the traffic traverse Zscaler to apply your security policy, and provide one of your egress IPs to be the source of all your ZCC and tunneled traffic. That method would be the SIPA (Source IP Anchoring) subscription on your ZIA instance. This will allow you to specify specific URLs you want to egress from your own IP address range. There is a cost associated with this subscription that varies depending on whether you are using just ZIA or have a subscription to ZPA (Private Access) as well.
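To make the PAC-file part of the answer concrete, here is a minimal proxy auto-config with a DIRECT bypass for the hosts named in the question. This is an added example, not the answerer's or Zscaler's own PAC file; the `zscaler-gateway.example:80` proxy string is a placeholder for whatever gateway the real Zscaler PAC points to, and `shExpMatch` is re-implemented only because the PAC runtime (browser or ZCC) normally provides it and Node does not. The caveat from the answer still applies: a PAC or app-profile bypass only governs traffic the client forwards itself, so on-network clients sitting behind a GRE/IPsec tunnel to Zscaler will still egress from the Zscaler IP regardless of what this file returns.

```javascript
// Added example: minimal PAC file bypassing Zscaler for Salesforce.
// Not the answerer's or Zscaler's code; the gateway hostname is a placeholder.

// The PAC runtime provides shExpMatch(); this polyfill exists only so the
// file can be exercised stand-alone in Node. It turns a shell-style glob
// ("*.salesforce.com") into an anchored regular expression.
function shExpMatch(str, shexp) {
  var escaped = shexp
    .replace(/[.+^${}()|[\]\\]/g, "\\$&") // escape regex metacharacters
    .replace(/\*/g, ".*")                  // glob '*' -> any run of chars
    .replace(/\?/g, ".");                  // glob '?' -> any single char
  return new RegExp("^" + escaped + "$").test(str);
}

// Domains (and all their subdomains) that must leave from the corporate
// egress IP so the partner sees the whitelisted address. Both values come
// from the question above.
var BYPASS_DOMAINS = ["salesforce.com", "geolocation.onetrust.com"];

// Placeholder for the Zscaler gateway; the real PAC supplies the actual value.
// No "; DIRECT" fallback is appended: a fail-open fallback would let traffic
// leave unfiltered whenever the gateway is unreachable.
var ZSCALER_PROXY = "PROXY zscaler-gateway.example:80";

// Returns true when host is a bypass domain or any subdomain of one.
// Matching is case-insensitive and suffix-anchored, so "notsalesforce.com"
// does not match "salesforce.com".
function isBypassed(host) {
  var h = host.toLowerCase();
  for (var i = 0; i < BYPASS_DOMAINS.length; i++) {
    var d = BYPASS_DOMAINS[i];
    if (h === d || shExpMatch(h, "*." + d)) {
      return true;
    }
  }
  return false;
}

// Standard PAC entry point: the client calls this for every request.
function FindProxyForURL(url, host) {
  if (isBypassed(host)) {
    return "DIRECT"; // leave from the client's own egress IP
  }
  return ZSCALER_PROXY; // everything else stays under Zscaler policy
}
```

When testing a change like this, check the observed source IP from a remote (home-office) client and from an on-network client separately: only the first is expected to change, which is exactly the distinction the answer draws between ZCC forwarding and tunneled traffic.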