Pac file, servers, unique policy

hi, looking at the best way to control server internet access

was thinking pac file

we don’t currently have a ipsec tunnel from DC to ZScaler (though is planned)

we don’t have advanced firewall control

so some serves need some level of internet access, but not full, so no bbc , gmail etc
so trying to think of the best way,

or is the best way to have IPSEC tunnel to zscaler and have sublocations and control it there?

Looking at the description seems like pac file is best as an interim solution to forward their Internet traffic to Zscaler cloud. Considering the server support cookies and pac file. Once gre tunnel will be implemented Internet traffic can will be forwarded to zscaler either using default routes or policy based routing in your infrastructure which might be the target state.

If you use PAC file and configure the egress IP address to be unique for you Server Traffic, you can create a location and have some specific policies for you servers. Without a location defined, you will have issues to authenticate traffic if it is not coming from the browser.

Also be sure to disable Surrogate IP on the location for non-tunnel locations, as you will be using NAT on the internet Egress and all systems are likely using the same IP.

It is still best to have tunnels, as this provides you control specific servers by using the source IP address in your Firewall or or sub-locations in your Web filtering policy for additional granularity.

Marco Put-Carstens
Customer Success Enablement Engineer
Zscaler.

thanks for that,

tunnel test is planned next week, but as i have a checkpoint device, this doesnt seem to be liked by zscaler, so will see how i get on