I want to share my experience and how we resolved some major performance issues regarding Zscaler ZENs in China.
We concluded that performance is much better when you base your ZEN configuration on IP addresses, which is not recommended by Zscaler but at least did the trick for our major accounts.
Eventually the philosophy is to keep everything as simple as possible and to avoid any DNS resolution or hitting the Great Firewall of China with other protocols used to create tunnels.
Therefore, the best way out is to create a separate PAC file for Chinese locations and have them use IP addresses instead of DNS names. Traffic forwarding will be PAC-file based on IP location OR …over IPsec/GRE
Whatever you do, make sure it’s directed like below:
return "PROXY 220.127.116.11:10313; PROXY 18.104.22.168:10313; DIRECT";
Hopefully this helps, like it did for us.
BT - Security Consultant
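The PAC file approach described in the post, written out as an added example (not the poster's or Zscaler's own file). The proxy addresses and port are the ones quoted in the post. The internal suffix `.corp.example` and the internal-bypass rules are assumptions for illustration, and the checks use plain string logic so the PAC itself never triggers a DNS lookup.

```javascript
// Added example PAC file for the China locations described in the post.
// Proxy addresses and port are the ones quoted in the post.
var CHINA_PROXIES = "PROXY 220.127.116.11:10313; PROXY 18.104.22.168:10313; DIRECT";
// Assumption: hypothetical internal DNS zone, replace with your own.
var INTERNAL_SUFFIXES = [".corp.example"];

// True when host is an IPv4 literal in RFC 1918 or loopback space.
// Pure string/number work: unlike isInNet(host, ...) it never resolves a name.
function isPrivateIpLiteral(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  var a = Number(m[1]), b = Number(m[2]);
  if (a > 255 || b > 255 || Number(m[3]) > 255 || Number(m[4]) > 255) return false;
  return a === 10 || a === 127 ||
         (a === 172 && b >= 16 && b <= 31) ||
         (a === 192 && b === 168);
}

// True when host ends with one of the configured internal suffixes.
function hasInternalSuffix(host) {
  for (var i = 0; i < INTERNAL_SUFFIXES.length; i++) {
    var s = INTERNAL_SUFFIXES[i];
    if (host.length >= s.length && host.slice(-s.length) === s) return true;
  }
  return false;
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Single-label names (no dot, and not an IPv6 literal) stay on the LAN.
  if (host.indexOf(".") === -1 && host.indexOf(":") === -1) return "DIRECT";
  // Private address literals and internal names also bypass the proxy.
  if (isPrivateIpLiteral(host) || hasInternalSuffix(host)) return "DIRECT";
  // Everything else goes to the ZENs by IP address, so the client performs
  // no DNS lookup to locate the proxy.
  return CHINA_PROXIES;
}
```

The trailing `DIRECT` in the proxy string means clients fall back to an unproxied connection when both ZENs are unreachable; drop it if traffic must fail closed.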