Updated: Jan-5-2023
Zscaler has a number of options when customers want to bypass specific DCs for their Road Warriors. The recommended solution is to use Subclouds and remove the DC.
You can find more information on Subclouds here. As of v6.2+, customers can manage their own Subclouds in the ZIA AdminUI and no longer need to open a case with Zscaler support to make changes. This is the recommended long term approach.
Another approach is to use an App Profile PAC for situations where you may want to avoid a specific DC or a specific VIP for a short period of time.
Caveats:
-
This bypass method is meant for web traffic (80/443) over Z-Tunnel 1.0 only
-
This method is also applicable for customers using Z-Tunnel 2.0 with the new “Redirect Web Traffic to ZCC Proxy” feature enabled + “Use Z-Tunnel 2.0 for Proxied Web Traffic” feature disabled which results in Z-Tunnel 1.0 being used for web traffic. This is used in situations where customers need to bypass destinations for non proxy-aware Windows applications.
-
In other scenarios where Z-Tunnel 2.0 is in use, Zscaler recommends the use of Subclouds
Configuration Steps:
In the below example, the Chicago DC will be bypassed and the secondary DC will be used instead.
-
In order to bypass Chicago, find the Proxy hostnames to bypass using Zscaler Config for ZS3. In this case zscalerthree.net (ZS3) is in use and the hostnames are chi1.sme.zscalerthree.net and chi1-2.sme.zscalerthree.net
-
Create a PAC file to bypass the Chicago DC by entering the Proxy names from step 2 above. Example PAC file shown below.
function FindProxyForURL(url, host) {
var privateIP = /^(0|10|127|192\.168|172\.1[6789]|172\.2[0-9]|172\.3[01]|169\.254|192\.88\.99)\.[0-9.]+$/;
var resolved_ip = dnsResolve(host);
/* Don't send non-FQDN or private IP auths to us */
if (isPlainHostName(host) || isInNet(resolved_ip, "192.0.2.0","255.255.255.0") || privateIP.test(resolved_ip))
return "DIRECT";
/* test with ZPA */
if (isInNet(resolved_ip, "100.64.0.0","255.255.0.0"))
return "DIRECT";
/* Trust sites are directly accessible */
var trust = /^trust\.(zscaler|zscalerone|zscalertwo|zscloud|zscalergov|zsfalcon|zdxcloud)\.(com|net)$/;
if (trust.test(host))
return "DIRECT";
/* === Chicago DC Bypass ================ */
var gateway_port = "${GATEWAY}";
var gateway = gateway_port.replace(":80","");
var chicago1 = dnsResolve("chi1.sme.zscalerthree.net");
var chicago2 = dnsResolve("chi1-2.sme.zscalerthree.net");
/* Bypass Chicago */
if ((gateway == chicago1)||
(gateway == chicago2))
return "PROXY ${COUNTRY_SECONDARY_GATEWAY_FX}:80; DIRECT";
/* === End Bypass Section ================ */
/* Default Traffic Forwarding. Forwarding to Zen on port 80, but you can use port 9400 also */
return "PROXY ${GATEWAY_FX}:80; PROXY ${SECONDARY_GATEWAY_FX}:80; DIRECT";
-
Update the App Profile with the new PAC URL. Its best to use a new PAC URL as Zscaler Client Connector will enable it quicker can changing the contents of an existing PAC.
-
Instead of sending web traffic to the Chicago DC, Zscaler Client Connector will now send traffic to the backup DC
-
When you want to start using the Chicago DC again, replace the App Profile PAC URL with the original PAC URL and Zscaler Client Connector will start using the Chicago DC in the next 15 mins
