PAC File Authentication


We currently have IdP as Azure with SCIM.

For mobile devices such as iPads/iPhones and laptops we use the zApp.

For our desktops we can't use a GRE tunnel but we're going to use PAC files; however, on testing our users get redirected for a login. Is there any way to do a transparent SSO where the users don't get prompted but Zscaler can detect the user and apply the correct URL policy?

Has anyone else also noticed when browsing using the PAC file it's slow?

Hi @bhcjmc - welcome to the community!

Is there any reason you wouldn’t use the Z App on the desktops? If a GRE tunnel isn’t something you can do (would be interested to know more here) the Z App could be deployed to the desktops easily using something like SCCM or other software deployment tool. This would allow you to administer their Zscaler access/policy in a similar fashion to the mobile devices.

Hi Thomas,

Regarding GRE - the FW at our perimeter doesn't support GRE.

Regarding the Z App, whilst most users use one computer, there are some depts where there are shared computers, so 25 people could be using 5 computers.

  1. They would need to sign in and authenticate on each computer.
  2. Until they sign in to the Z App they have unrestricted internet access (is there a way to stop this?).
  3. The Z App seems to encrypt all traffic to Zscaler, so some tools we use with netflow can't see the URLs the users are requesting. I was hoping with a PAC file that the traffic would still be visible.


Understood regarding the firewall. Is IPsec an option? Zscaler supports the use of IPsec tunnels, with the caveat that the bandwidth maximums are not the same as with GRE, and failover is different. However, unlike GRE, you don’t need to come from a fixed IP with an IPsec tunnel.

You can force people to sign into the Z App using the “STRICT ENFORCEMENT” flag when it is installed: You can also use Kerberos and IWA:

The traffic flowing through the Z App may not show the URLs the users are requesting, but the Zscaler portal will! As we move forward with the Z App, it is planned that eventually there will be a full tunnel option. (The current version forwards web traffic.) To that end, netflow tools may not see more of the traffic – this will still be available within Zscaler. We also announced an exciting product, Zscaler Digital Experience (ZDX) at Zenith Live recently that may give you additional exciting options when it comes to visibility in the future!

If you’re looking to cross-correlate information with your netflow tools and have a SIEM and Nanologging with Zscaler, there is also the option to stream Nanologs to the SIEM.

Thanks for the info Thomas, so basically I have the two options for the desktops:

  1. Use Z App with strict enforcement so users need to authenticate for internet access?

  2. Use a PAC file with Kerberos for transparent authentication where the user can open Internet Explorer and access the internet without a login prompt and get the relevant policy for them? Forcepoint's client enforces the PAC file and authenticates the user as long as they are synced to the portal. Zscaler should look at these for ZIA and the Z App.

  3. If you use IPsec, will users still need to authenticate once per machine?

They will need to authenticate at least once. Unless it is traffic you opt to not authenticate. You can set certain IP ranges behind GRE or IPSec to not be authenticated. This is helpful for servers, etc.

Good morning,
I came across your message about ZDX from a few months ago (in searching for performance insights) and wanted to know what the release date might be? I don’t see it in my portal yet, but is that something we could review?