How to disconnect zscaler service while accessing a particular network

How to disconnect zscaler service while accessing a particular network…


Hello. If you are using the Zscaler Client Connector agent then in the Client Connector Mobile admin portal you will find under Administration the Forwarding Profile configuration. In the Forwarding Profile you can enable a setting called ‘Trusted Network Criteria’ and how it can be used to disable ZS services on the client. Here is a help section on Trusted Network Criteria - Configuring Forwarding Profiles for Zscaler Client Connector | Zscaler


1 Like

Hello Pat,
Thanks for your time… As far as I am aware, trusted network criteria will show the matching conditions which should be satisfied to identify the user in trusted zone…My query is for eg., I am using some URL and want ZS service should be disabled while accessing a particular network (randome page/URI , without making client connector OFF) , then how this can be achieved…?

Hi Shreya,

Pat’s info was to bypass the agent when you are on a specific origin network. If you would like to bypass some traffic based on destination (some URI or domain) then you should be using either the App Profile pacfile or the Forwarding profile pacfile to bypass traffic, depending on the mode the agent is running on (normally I would suggest using the App Profile’s pacfile like you see in this example here Allowing Traffic to the ID Federation URL by Bypassing Zscaler Client Connector | Zscaler)

You can find information on how to do this here: Writing a PAC File | Zscaler

Using this App Profile’s pacfile, you can tell the agent that if you are accesing a domain or url it should bypass the traffic. Actually you could say “if your source IP is X.Y.Z bypass the traffic” (using myipaddress function, see documentation here: Proxy Auto-Configuration (PAC) file - HTTP | MDN) also, pacfiles are very versatile in this sense

Hope it helps

1 Like

Thanks Pablo for such detailed information.
I got both the scenarios. However, if you could reply with exact statement which needs to be written in app profile pac(for traffic bypass based on source) as well as the exact configuration to be put into forwarding profile trusted network criteria (in case of agent bypass) would be really helpful.
Sorry to bug you one more time but I tried to open your links for pac file but quite confused about where to put the exact config though I truly understand the concept.

Which ZCC mode are you using? tunnel? tunnel with local proxy? or tunnelv2

Tunnel with local proxy

So in either the app profile pacfile, or the forwarding profile pacfile (on the one you normally put the bypasses) here are some examples to do the bypasses you want:

Based on your IP
if (isInNet(myIpAddress(), "", "")) return "DIRECT";

or, for multiple

if (
isInNet(myIpAddress(), "", "") ||
isInNet(myIpAddress(), "", "")
return "DIRECT";

Based on destination (note that the equals to and any subdomain due to the initial dot)

if (dnsDomainIs(host, "")) return "DIRECT";

Based on your public ip address (useful to determine if you are on a building for example)

var egressip = "${SRCIP}";
if (shExpMatch(egressip,"")) {
		/* User is in the office */
		return "DIRECT";

This would cover all your usecases i think. You can maybe open a support ticket if you need help doing your specific configuration or with profilesional services or your assigned sales engineer

Hope it helps


Thank you so much.
Would this be same for tunnel mode?

1 Like

This would be same for Tunnel mode as well.
@ Pablo_Valenzuela
Please correct me if I am wrong.

Hi, yes, it would work in tunnel mode (if you put this on the App profile’s pacfile)

@wdmine is totally right :slight_smile:

But this is only working in Tunnel with local proxy.

This is not working in Tunnel mode even added in forwarding PAC ?

Any Idea :roll_eyes:


In tunnel mode, you can put that exact code in the App Profile pacfile (not the FWD profile, leave that one alone since it’s Tunnelv1) and should work perfectly

I’ve used a very similar one many times so… it should work. If it doesn’t please contact support