Pac File Exclusions on Tunnel 2.0

I’ve been having a lot of trouble getting pac exclusions to work for Tunnel 2.0. We’ve been piloting Tunnel 2.0 and there are a few Chinese/Taiwanese sites we need to bypass and the pac file exclusions aren’t working. Zscaler support recommended using the VPN bypass in the app profile, but my understanding is that should only be used for VPN hosts. Anyone else running into this??

Here are example exclusions that aren’t working, as the traffic still comes to Zscaler:
/* China Hospital site added Aug 9, 2021 by KG */
if (dnsDomainIs(host, "*gov.cn")) return "DIRECT";
if (dnsDomainIs(host, "login.gjzwfw.gov.cn")) return "DIRECT";

if (shExpMatch(url, "*.gov.cn")) return "DIRECT";

The second exclusion was working fine in the Tunnel 1.0 pac file.

Please see the best practices: Best Practices for Adding Bypasses for Z-Tunnel 2.0 | Zscaler
You need to modify both forwarding profile and APP profile pac file.


Sorry I should’ve mentioned that. I added the exclusion to both the app profile pac and the forwarding profile pac

Please recheck on the forwarding profile:

/* China Hospital site added Aug 9, 2021 by KG */
if (dnsDomainIs(host, ".gov.cn") ||
    dnsDomainIs(host, "login.gjzwfw.gov.cn") ||
    shExpMatch(url, "*.gov.cn"))
    return "PROXY ${ZAPP_TUNNEL2_BYPASS}";

Katlyn, can you share the PAC files? If you would rather not post them you can send them to my work email and I will take a look at the PACs. tharcourt@zscaler.com.

Thanks,

-Todd-

I actually just got it working! It seems there were two issues that were contributing to the problem:

  • wildcard character was not working (ex. *.google.com)
  • the order of operations was not correct in our forwarding profile pac. The default operation of return “direct” was before the bypassing I was attempting to do.

Here are the final exclusions that are working correctly now.

App profile pac:
/* China Hospital site added Aug 9, 2021 by KG */
if (dnsDomainIs(host, "fuwu.most.gov.cn")) return "DIRECT";

Forwarding profile pac:

function FindProxyForURL(url, host) {

    /* China Hospital site added Aug 9, 2021 by KG */
    if (dnsDomainIs(host, "fuwu.most.gov.cn")) return "PROXY ${ZAPP_TUNNEL2_BYPASS}";

    /* Default Traffic Forwarding, Return DIRECT to tunnel using Tunnel2 */
    return "DIRECT";

}
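Both problems in this post come down to how the PAC helper functions compare strings and which return statement runs first. The following is an added example, not code from the thread, from Katlyn, Todd or Zscaler: a small Node.js harness that re-implements dnsDomainIs and shExpMatch with the classic Netscape PAC semantics (an assumption, since the client's own implementations are not on this page), then evaluates a forwarding-profile PAC with the default return placed first against a corrected one. The gov.cn hostnames and the ${ZAPP_TUNNEL2_BYPASS} token are taken from the thread; www.example.com, notgov.cn and the sample URLs are constructed.

```javascript
'use strict';

// Added example, not code from the thread or from Zscaler. A Node.js harness
// that evaluates a Tunnel 2.0-style forwarding-profile PAC against sample
// hostnames to reproduce the two problems reported in the thread:
//   1. "*" inside dnsDomainIs() is not a wildcard, so "*gov.cn" never matches;
//   2. a default return placed before the bypass rule shadows the bypass.
// Node has no PAC helper functions, so dnsDomainIs/shExpMatch below are
// re-implementations (assumption: classic Netscape PAC semantics).

// dnsDomainIs: plain suffix comparison, no pattern characters at all.
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
         host.substring(host.length - domain.length) === domain;
}

// shExpMatch: shell-style glob anchored to the whole string ("*" = any run,
// "?" = any single character); every other character is literal.
function shExpMatch(str, shexp) {
  const source = shexp
    .replace(/[.+^${}()|[\]\\]/g, '\\$&')   // escape regex metacharacters
    .replace(/\*/g, '.*')
    .replace(/\?/g, '.');
  return new RegExp('^' + source + '$').test(str);
}

// Bypass token exactly as written in the thread; the Zscaler client
// substitutes it at runtime, so it stays a literal string (no template).
const TUNNEL2_BYPASS = 'PROXY ${ZAPP_TUNNEL2_BYPASS}';

// Forwarding-profile PAC with the ordering mistake the poster described:
// the default return comes first, so the bypass below it is dead code.
function findProxyBrokenOrder(url, host) {
  /* Default Traffic Forwarding */
  return 'DIRECT';
  // Never reached: shadowed by the return above.
  // eslint-disable-next-line no-unreachable
  if (dnsDomainIs(host, '.gov.cn')) return TUNNEL2_BYPASS;
}

// Corrected forwarding-profile PAC: bypass rules first, default last.
// ".gov.cn" (leading dot) matches every host under gov.cn without also
// matching unrelated names that merely end in the letters "gov.cn".
function findProxyFixed(url, host) {
  /* China Hospital site bypass */
  if (dnsDomainIs(host, '.gov.cn') ||
      dnsDomainIs(host, 'login.gjzwfw.gov.cn') ||
      shExpMatch(url, '*.gov.cn/*'))
    return TUNNEL2_BYPASS;
  /* Default Traffic Forwarding: DIRECT hands the flow to Tunnel 2.0 */
  return 'DIRECT';
}

// Run a PAC function over sample traffic and return { host: decision }.
function evaluate(pac, samples) {
  const out = {};
  for (const [url, host] of samples) out[host] = pac(url, host);
  return out;
}

// Constructed sample traffic: gov.cn hosts from the thread, a control host,
// and a look-alike that ends in "gov.cn" but is not under that domain.
const SAMPLES = [
  ['https://fuwu.most.gov.cn/', 'fuwu.most.gov.cn'],
  ['https://login.gjzwfw.gov.cn/', 'login.gjzwfw.gov.cn'],
  ['https://www.example.com/', 'www.example.com'],
  ['https://notgov.cn/', 'notgov.cn'],
];

console.log('wildcard in dnsDomainIs matches?', dnsDomainIs('fuwu.most.gov.cn', '*gov.cn'));
console.log('broken order:', evaluate(findProxyBrokenOrder, SAMPLES));
console.log('fixed:', evaluate(findProxyFixed, SAMPLES));
```

Run it with node. The look-alike host shows why the leading dot matters: a bypass written as "gov.cn" would also send notgov.cn around the tunnel, widening the exclusion beyond what was intended. The shExpMatch pattern is anchored to the whole URL, so "*.gov.cn" only matches a URL with no trailing slash or path; matching on host with dnsDomainIs is the dependable rule, and the url-based check is kept here only to show that behaviour.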

Good Deal… :slight_smile:

Todd Harcourt
Sr. Solutions Architect
Zscaler, Inc.
713.299.4968

(quoting Katlyn Gallo's post of August 20, above)

Hi,

For tunnel 2.0, you need to also add a pac file in your forwarding profile and leverage a specific bypass variable, before web traffic can be bypassed. The app profile pac file is still required, but it won’t work without the other pac file:

https://help.zscaler.com/z-app/best-practices-adding-bypasses-z-tunnel-2.0

Best Regards,

Jones Leung