We often see clients in nearby AP countries reaching into China using brokers and connectors we have inside China. How can this be prevented while still using the brokers/connectors in China for employees inside China?
You can use a sub-cloud and remove the China ZENs, or you could use a country-based variable in your PAC file to force users in a specific country to only use in-country ZENs.
I already use a country variable in PAC for ZIA, but I am asking about ZPA.
I haven’t seen issues with hopping into brokers in China, but ZPA utilizes a geographic choice as part of connector choice. You could either place connectors closer to the surrounding users or place them in a different location and fake the location during configuration in the admin panel to the location close to the users. For example, I have had to fake the country to India when deploying connectors to keep users out of our China infrastructure.
There is no feature like the one in ZIA to manually affect the ZPA decision of broker selection, but that should not be required, as we have added an additional mechanism to use brokers and connectors in China only for users in China. If you still see it as an issue, please open a ticket.
When was this rolled out? We’ve had issues within the last month where surrounding countries still utilize connectors in China.
@grrttmrtn if you’re asking me when we rolled out our China deployment, it was 6+ months ago.
Sorry, this was in reply to Jones where it was mentioned a mechanism was changed that stopped non China users from hitting China as I have not seen this behavior.
The mechanism was rolled out about 2 months ago. If you still encounter an issue, I think a support case is needed to review the details, such as the DNS setting in your connector, your actual user location and so on.
SE Manager, Greater China