How to Manually Set the ZIA Public Service Edge for ZCC

First find the FQDN of the public service edge (PSE) you want to use

  1. Access https://config.zscaler.com
  2. Choose the cloud you are assigned for ZIA
  3. Select the proxy hostname. In this example we are selecting zscalerone.net and the New York III PSE. Notice that the green check is not enabled to the left of the proxy hostname showing that this PSE will not be used in the dynamic selection process. In other words, New York will never be dynamically selected when a user connects to zscalerone.net. This screenshot was for 5/1/22.

To manually set the PSE that is used

  1. Access ZIA GUI
  2. Access “Administration > Resources > Hosted PAC Files”
  3. Click “Add PAC File”
  4. Modify PAC file
  • Change domain to the login domain
  • Go to the bottom of the PAC file
  • Duplicate the last two lines so that you can modify it and still have a reference to the original.
  • Replace ${COUNTRY_GATEWAY} with the PSE chosen above. This is shown below with the original line commented out with “//”

/* Forwarding statically to New York /
return “PROXY nyc3.sme.zscalerone.net:9400; PROXY ${COUNTRY_SECONDARY_GATEWAY}:9400; DIRECT”;
/
Default Traffic Forwarding. Forwarding to Zen on port 80, but you can use port 9400 also */
// return “PROXY ${COUNTRY_GATEWAY}:9400; PROXY ${COUNTRY_SECONDARY_GATEWAY}:9400; DIRECT”;

  • Click “Verify PAC File” to validate that the syntax is correct
  • Click Save
  • Copy the name of the Hosted URL for applying to the ZCC App Profile in a later step. This is shown below

  1. Open the ZCC configuration policy by accessing “Policy > Mobile > Zscaler Client Connector Portal”
  2. Select the App Profile to be used and edit
  3. Change the “Custom PAC URL” to the URL of the PAC file created earlier. This is shown below.

Test

  1. Open ZCC client on a computer to test
  2. Click on “More” option on the bottom left as shown below and click “Update Policy”

  1. Access https://ip.zscaler.com to verify that the manually configured PSE is being used

1 Like

Great! Thank you for sharing this info.

Just as a fast note if “Tunnel with Local Proxy” is used for example in cases where there is a VPN agent and the computer is Apple Mac as this is one of the recommended forwarding modes for Zscaler Client connector then two PAC files are used and the PAC file for the forwarding profile just needs to have " return “PROXY ${ZAPP_LOCAL_PROXY}”; " but the other things are the same as normal tunnel mode and the way you showed how to select a Zscaler Edge ( Best Practices for Using PAC Files with Zscaler Client Connector | Zscaler ).

1 Like

Hi,
return “PROXY ${ZAPP_LOCAL_PROXY} statement will be on the forwarding profile.

Above configuration should be on the app profile PAC file which decides where to connect.

Regards
Ramesh M