New to Zscaler. Our users use Cisco Finesse and Cisco Jabber with Expressway.

Finesse goes through Zscaler to the cloud, but Jabber goes through Expressway on the Internet. Is that possible? How do I set up the client? Ty

Is your Expressway directly exposed to the internet? Are you using ZIA/ZPA or both?

Yes, Expressway is on the Internet. Both.

Need to create a bypass in ZPA - to exclude all of the addresses. Also need to add them to the app profile for the VPN host name bypass.

You don’t really need to bypass all the IPs. It is based on the SRV records that your Cisco Finesse and Jabber use. Place a packet capture with Zscaler off.

You will see a DNS request to two SRV records.

  • _cisco-uds._tcp.safemarch.com
  • _cuplogin._tcp.safemarch.com

If Jabber doesn't see a DNS response for the first and second SRV, it will try the one below:

_collab-edge._tls.safemarch.com

Your DNS will most likely respond with another FQDN and a TCP port, which is normally 443.

Let's say the response was an FQDN in the .safemarch.com domain, something like voice.safemarch.com; then you will need to bypass this last one.

In ZPA, create an app segment and include the 1st and 2nd SRV records and the DNS response resulting from the third query.

This is what you need to bypass:

_cisco-uds._tcp.safemarch.com
_cuplogin._tcp.safemarch.com
voice.safemarch.com

Use all ports in your bypass.

This will make only the traffic destined for voice.safemarch.com go over ZIA.

If you want to exclude that traffic from ZIA, you now only need to bypass that traffic. Use any known bypass method for ZIA.

I hope this helps and good luck with your project.
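Added example, not part of any reply in this thread: a small Python helper that turns the SRV answers noted from the packet capture into the bypass list described in the reply above. The function names and the dictionary layout are assumptions made for illustration, and the sample capture data is constructed.

```python
# Added example. Sample data is constructed, not taken from a real capture.
INTERNAL_SRV = ("_cisco-uds._tcp", "_cuplogin._tcp")  # queried first
EDGE_SRV = "_collab-edge._tls"                        # queried as the fallback

def _norm(name):
    """DNS names are case-insensitive and may carry a trailing root dot."""
    return name.rstrip(".").lower()

def parse_srv(rdata):
    """Split SRV RDATA 'priority weight port target' into typed fields."""
    fields = rdata.split()
    if len(fields) != 4:
        raise ValueError(f"not SRV RDATA: {rdata!r}")
    priority, weight, port = (int(f) for f in fields[:3])
    return priority, weight, port, _norm(fields[3])

def discovery_path(domain, answers):
    """Report which lookup succeeded: 'internal', 'edge' or 'none'."""
    seen = {_norm(k): v for k, v in answers.items()}
    if any(seen.get(f"{p}.{_norm(domain)}") for p in INTERNAL_SRV):
        return "internal"
    return "edge" if seen.get(f"{EDGE_SRV}.{_norm(domain)}") else "none"

def bypass_list(domain, answers):
    """Both internal SRV names, then each _collab-edge target by priority."""
    seen = {_norm(k): v for k, v in answers.items()}
    entries = [f"{p}.{_norm(domain)}" for p in INTERNAL_SRV]
    records = [parse_srv(r) for r in seen.get(f"{EDGE_SRV}.{_norm(domain)}", [])]
    for _prio, _weight, _port, target in sorted(records):
        if target not in entries:
            entries.append(target)
    return entries

# Constructed capture summary: only the fallback SRV query got an answer.
CAPTURE = {
    "_cisco-uds._tcp.safemarch.com": [],
    "_cuplogin._tcp.safemarch.com": [],
    "_collab-edge._tls.safemarch.com.": ["10 10 443 Voice.Safemarch.com."],
}

if __name__ == "__main__":
    print(discovery_path("safemarch.com", CAPTURE))
    for entry in bypass_list("safemarch.com", CAPTURE):
        print(entry)
```

The SRV port is parsed but not used in the list, since the reply says to use all ports in the bypass.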

Jabber needs to query the Internet DNS for the _collab-edge SRV record to reach Expressway, but Finesse will query internal DNS to reach the internal Cisco UCCX server. How do I set it up?