PAC File for Z-App "Tunnel mode"

Howdy folks.

My client is affected by the same issue as the one below.

They cannot change from Tunnel mode to TWLP mode for some reason.
We think that the issue might be caused because they use the same PAC file for both AP and FP
(I checked this as well: Zapp Bypass PAC file configuration)

So, now I am looking for the return statement for the FP PAC to forward traffic to Z-App,
since the user uses the return statement below for the FP PAC:
return "PROXY {GATEWAY}:80; PROXY {SECONDARY_GATEWAY}:80; DIRECT";

And this is not recommended, because it means the FP forwards the traffic to the Zscaler cloud, right?

Thus, I need the return statement, added at the bottom of the PAC, to forward traffic to Z-App if the traffic is not forwarded directly (return "DIRECT";).

I referred to the help page below, but there is no sample PAC for FP Tunnel mode…
https://help.zscaler.com/z-app/best-practices-using-pac-files-zscaler-app?_ga=2.126602829.1549648291.1587601183-1650288619.1576123141

If you have some idea or solution, please help me in this case!
Thank you in advance.

Tokio

Hi Tokio,

It's worth looking at what the customer is trying to achieve and then determining the best settings. It sounds like there is more than one PAC file being used, which seems overly complicated. I'm assuming you're using ZTunnel 1.0.

If they are running in Tunnel mode with the LWF filter then all 80 and 443 traffic will be sent to ZApp. Once it gets to ZApp then the App Profile Pac file determines if it goes to Zscaler or Direct.

They most likely don't need an FP PAC file unless they have traffic on ports other than 80 or 443. Traffic to those domains can have the return "PROXY {GATEWAY}:80; PROXY {SECONDARY_GATEWAY}:80;" statement. This will have the effect of it being sent to ZApp. All other traffic can go direct (which means to ZApp).

Hello Jamie

Thank you for your answer.

Just one thing: if all 80/443 traffic is captured by Z-App in tunnel mode, we cannot bypass any web traffic on port 80/443, right?

How does Zscaler expect users to use the
return "PROXY {GATEWAY}:80; PROXY {SECONDARY_GATEWAY}:80;" statement
for Z-Tunnel 1.0 to forward non-80/443-port traffic to the ZEN?

I mean, in what kind of situation do those statements become useful?
I understand that this statement is used only when the end user deals with non-80/443 port traffic. But what kind of situation is that?

I would appreciate it if you could answer this.

Regards,

Tokio

Hi Tokio,

Just one thing: if all 80/443 traffic is captured by Z-App in tunnel mode, we cannot bypass any web traffic on port 80/443, right?

JB: You can bypass traffic in the App Profile PAC file. It goes to ZApp first and can be bypassed there.

How does Zscaler expect users to use the
return "PROXY {GATEWAY}:80; PROXY {SECONDARY_GATEWAY}:80;" statement
for Z-Tunnel 1.0 to forward non-80/443-port traffic to the ZEN?

JB: The way I'd see this working is if you had a domain that used a different port, e.g. 1001. You could set a system proxy to return "PROXY {GATEWAY}:80; PROXY {SECONDARY_GATEWAY}:80". Once it was on port 80 the LWF driver filter would pick it up and send it to ZApp. The App Profile PAC would then send it on to the ZEN.

Cheers

Jamie
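
To make the two-step decision described above concrete, here is an added example (not code from this thread or from Zscaler): a forwarding-profile PAC and an app-profile PAC modelled in one file, plus a resolve() helper that traces a request through both under Z-Tunnel 1.0 with the LWF filter. Assumptions: the hosts app.example.com (speaking on port 1001), intranet.corp.example and the plain name wiki are constructed samples; the ${GATEWAY} and ${SECONDARY_GATEWAY} macros are left as literal placeholders, written with the dollar sign like the ${ZAPP_TUNNEL2_BYPASS} macro quoted later in the thread, and are assumed to be expanded by the service before the file is served; dnsDomainIs and isPlainHostName are normally supplied by the PAC engine, so small stand-ins are defined here only so the file also runs under Node.

```javascript
// Added illustration of the two-PAC decision path for Z-Tunnel 1.0 (tunnel mode
// with the LWF filter). Not code from the thread or from Zscaler.
//
// Assumptions:
//  - ${GATEWAY} / ${SECONDARY_GATEWAY} are placeholders the service is assumed
//    to expand before serving the PAC; they are kept literal here.
//  - app.example.com:1001, intranet.corp.example and "wiki" are constructed
//    sample hosts.
//  - dnsDomainIs / isPlainHostName stand-ins mimic the PAC engine's helpers.
"use strict";

const GATEWAYS = "PROXY ${GATEWAY}:80; PROXY ${SECONDARY_GATEWAY}:80";

// --- stand-ins for PAC helper functions (the real engine provides these) ---
function dnsDomainIs(host, domain) {
  // Standard PAC semantics: true when host ends with domain.
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  return host === domain || host.endsWith(domain);
}
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

// Port of a URL as FindProxyForURL sees it: the explicit port if present,
// otherwise the scheme default (443 for https, 80 for everything else).
function portOf(url) {
  const m = /^([a-z][a-z0-9+.-]*):\/\/(?:[^@/]*@)?(?:\[[^\]]*\]|[^/:?#]+)(?::(\d+))?/i.exec(url);
  if (!m) return null;
  if (m[2]) return parseInt(m[2], 10);
  return m[1].toLowerCase() === "https" ? 443 : 80;
}

// Forwarding-profile PAC (the system proxy). Only the constructed app that
// speaks on a non-80/443 port is pointed at the gateway on port 80, so the LWF
// filter picks it up and hands it to ZApp. Everything else returns DIRECT,
// which in tunnel mode still means 80/443 traffic is intercepted by ZApp.
function forwardingProfilePac(url, host) {
  if (dnsDomainIs(host, ".example.com") && portOf(url) === 1001) {
    return GATEWAYS;
  }
  return "DIRECT";
}

// App-profile PAC (evaluated inside ZApp). This is where bypasses belong:
// plain host names and the constructed intranet domain go DIRECT; the rest
// goes on to the ZEN.
function appProfilePac(url, host) {
  if (isPlainHostName(host) || dnsDomainIs(host, ".corp.example")) {
    return "DIRECT";
  }
  return GATEWAYS;
}

// End-to-end decision for one request: which PAC made the final call and
// where the traffic ends up ("ZEN" or "DIRECT").
function resolve(url, host) {
  const fp = forwardingProfilePac(url, host);
  const port = portOf(url);
  // Traffic reaches ZApp either because the FP PAC aimed it at the gateway on
  // port 80, or because it is on 80/443 and the LWF filter intercepts it.
  const reachesZapp = fp !== "DIRECT" || port === 80 || port === 443;
  if (!reachesZapp) {
    // Non-80/443 traffic that the FP PAC sent DIRECT never touches ZApp.
    return { decidedBy: "forwarding-profile", result: "DIRECT" };
  }
  const ap = appProfilePac(url, host);
  return { decidedBy: "app-profile", result: ap === "DIRECT" ? "DIRECT" : "ZEN" };
}

// PAC entry point, so the file is also a valid forwarding-profile PAC on its own.
function FindProxyForURL(url, host) {
  return forwardingProfilePac(url, host);
}
```

The point the model makes visible: a bypass for web traffic has to live in the app-profile PAC, because on 80/443 the forwarding-profile decision is overridden by the LWF interception, while for a non-standard port the forwarding-profile PAC alone decides whether ZApp ever sees the connection.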

Thank you Jamie!

That was really helpful.

Can I ask you another thing?
If a user uses Z-Tunnel 2.0, they can use an FP PAC with the return statement below to bypass Z-Tunnel 2.0 and forward the specified traffic to the internet directly.

return "PROXY ${ZAPP_TUNNEL2_BYPASS}";

I configured this, but the added domain did not bypass the ZEN.
It seems that the domain has to be bypassed in the App Profile if it is web traffic (i.e. 80/443).

In this case, is the way Zscaler expects users to use Z-Tunnel the same between 1.0 and 2.0?
That is, when a user wants to bypass non-80/443 port traffic, can they use the return statement above for Z-Tunnel 2.0?

Please answer when you have time : - )
I really appreciate your support anyway.

Regards,

Tokio