Private Service Edge: how do I know it's working?

We have a branch office in Santiago de Chile, Chile, South America. We have App Connectors running at this office, allowing remote users access to applications which are hosted at this location as well.

ZCC uses the Public Service Edge in Sao Paulo, Brasil for - as far as I can see - 90% of the users in South America. This has a negative impact on application latency.

To solve this we have installed a ZPA Private Service Edge in the Santiago office. The SE is connected and uses Public Service Edge SA-BR-8568 (Sao Paul, Brasil).
The public IP of the Private Service Edge is the WAN IP of the internet connection of the Santiago office. So it seems all is running properly.

However, when I check the ZPA diagnostics logs for user activity for users working remotely in Chile I still see that they connect via one of the Public Service Edges in Sao Paulo. When I filter the logs for “Service Edge Type = Private” I get no results.

My question: how do I enforce that the Private Service Edge is used? I’ve correctly specified the location of the Private Service Edge.

Private Service Edge Group configuration:
Status: Enabled
Publicly Accessible: Disabled
Client Connector Trusted Networks: our company’s trusted networks
Service Edge Location: Santiago, Santiago Metropolitan Region, Chile (shows correctly on the map)

Service Edge configuration:
Publish IPs or Domains: no values entered
Listen IPs: no values entered

1 Like

Hi Glen,

Do you see the Public and Private IP addresses when you check the PSE health, or when you validate configuration under service edges the public and private ip should be shown.

I cleared my PSE config of publish ip and listen IPs, and the PSE shows correctly.

When connected to trusted network that has been configured for the Service edge group the client connector will show Network type “trusted Network” and the broker as the private service edge.

If the client connector is unable to connect to the private service edge, it will connect to the public service edge. Client connector logs will show this.

User activity logs will show the service edge, and using the filter as you’ve described will filter logs as appropriate.

Are you testing from a trusted location? If so, if the traffic from client to PSE traverses a firewall to check that traffic is permitted.

If testing for a user off-network the PSE must be configured to be publically accessible, and inbound firewall policy must be configured to allow traffic towards the listener.


Hi Dan,

Many thanks for the quick response!

Yes, I see the public- and private IP address of the PSE when I check it’s health in ZPA dashboard. The dashboard shows that the PSE is online (green arrow)

I’m new to PSE and you’re reply has made things a bit more clear. I hope you don’t mind me posing a few follow-up questions:

We don’t need the PSE to be accessible from trusted networks. We only need it to be accessible from untrusted networks (i.e. remote workers) so that their ZCC can use a service edge which is geographically closer to the applications than the Public Service Edges which Zscaler hosts in South America.

I’m guessing I would then firstly need to clear the Client Connector Trusted Network values. And secondly to enable the Publicly Accessible setting. Is that correct?
If so: which other settings will I need to enable/ enter a value for: Listen IP? (if so, which IP would I specify here) And which inbound traffic would I need to allow on our firewall? I couldn’t find any specifics for this on

Hi Glen,

You should only need to make the zpa PSE group publicly accessible for this requirement.

Thanks Dan, I’ve configured the PSE group accordingly. So no need to open op firewall rules to allow specific incoming traffic?

You should open incoming rules if the pse is going to use from public location. Example ZCC traffic from internet pse requies incoming policies.

Check out for port opening requirements…

Ah okay. And in this case the PSE will only be used for ZPA, so no need to open up incoming traffic right?

App connectors and client Connector will use this pse, if incming ports are opened.Decide the deployment model like whether the pse is only for internal users and within local network or publicly available the same.

The PSE will only be publicly available. We want to provide our users a PSE which is geographically close than the Public SE’s hosted by Zscaler. Which incoming ports would I need to open in this scenario?

Geographically availability can ensure by configuring the pse group with right location details. Zscaler cloud will get those location cordinates decides which pse is nearer to the user and app connector.

You should enable inbound access to expose the pse to public.

Ramesh M

Thanks Ramesh. Can you please tell me which ports I need to open for the inbound access you’re referring to?

Port number 443 for users and connectors to acces the pse public ip address.

Hi Ramesh,

I’ve created a firewall rule which allows inbound TCP/443 to the PSE. At which point will ZCC know that this PSE is available for connecting to?

Thus far I don’t see any incoming traffic from Zscaler IP addresses. I fo see other incoming HTTPS traffic, which is due to the rule allowing incoming HTTPS from any remote host (for testing ourposes)

Have you configured this, this will be after pse ready abd shown in portal. Edit it and do the config…

  • Publish IPs or Domains: The IP addresses and domains that clients and App Connectors can use to open a connection to the ZPA Private Service Edge. If this is not specified, then the clients and App Connectors will try to connect using the Listen IPs. The primary use case is where you want to specify a ZPA Private Service Edge by name and use a Domain Name System (DNS) to find it. Another use case is where the IP address that clients and App Connectors use to connect to the ZPA Private Service Edge isn’t actually apart of the ZPA Private Service Edge; it is a static external IP the Service Edge system (e.g., AWS) controls.
    You can add or remove IPs and domains when editing a ZPA Private Service Edge.
  • Listen IPs: The interface addresses for the Service Edge system that the ZPA Private Service Edge listens to for connection requests from clients and App Connectors only at set addresses. If not configured, the ZPA Private Service Edge automatically listens to all interfaces. The common use case is to not specify any Listen IPs.
    You can add or remove IPs when editing a ZPA Private Service Edge.

I’ve left both fields empty, which - as I understand - means it will use the Listen IP and will listen on all interfaces for this.

In this case your interfaces should configured with public ip addresses.

Hi Ramesh,

Many thanks for your help! After assigning the public IP address the PSE became available. We see in the logs that this PSE is used by ZCC in that region.


1 Like