How will PAC be fetched in No Default Route environment?


(Andy Logan) #1

What are my option for clients to receive a PAC file in a no default route environment?


(Chandan Agarwal) #2

PAC files can be hosted on Customer’s Internal servers or on Zscaler’s PAC servers.

Internally hosted PAC file:
Host and build a PAC file on an internal server. Use Zscaler global ZEN IP in the return statement.
Check for on/off location awareness in PAC file. As an example, you can find the location of the user by resolving a local host name.
Build GRE/IPSEC tunnels to nearest Zscaler Data center.
Route the Global SME IP in to the tunnel.

Zscaler Cloud hosted PAC file (Recommended)
Host and build a PAC file on Zscaler PAC servers with Global ZEN IP in the return statement.
Check for on/off location awareness in PAC file. As an example, you can find the location of the user by resolving a local host name. If on location, return the Global ZEN IP. If off network, use the ${GATEWAY} macro.
Build GRE/IPSEC tunnels to nearest Zscaler data center.
Route the Global SME IP in to the tunnel.

Now, PAC download itself needs to be considered as there is no route for the PAC servers. Zscaler PAC server hostnames are in the format: pac.cloudname.net (for example: pac.zscalertwo.net). Zscaler publishes PAC server IP addresses on https://ips.cloudname.net/pac.

Option-1: If the internal DNS server can resolve the PAC server host name, you can create routes for PAC server ip’s in the Internal network.
Option-2: If creating a DNS forwarder or creating routes for PAC server ip’s is not feasible, then create an Internal DNS entry for pac..net resolving to Global ZEN IP. As Global ZEN IP is routed through the tunnel, a user will be able to pull the PAC file through the tunnel. In other words, both PAC file download and Internet access happens via Global ZEN IP and through the tunnel.