Question on client lookup of Service Edge

Hi there,

When using ZCC with ZPA, the client will look up ‘any.broker.prod.zpath.net’ to find the local ZPA service edge.
This routes the ZPA traffic to the local service edge.

My question is this: when accessing ZIA with ZCC, what is the FQDN that it looks up to select the ZIA service edge?

For example, if I use a PAC file, I can determine the primary and secondary nodes using the ‘GATEWAY’ variables. But when using the client, with tunnel 2.0 mode operation (no PAC files), how does the client determine what the primary and secondary service edges to use are?

The documents refer to ‘mobile.zscaler.net’ and ‘login.zscaler.net’ - if I ping test these two FQDNs I will get completely different IPs from the 104.129.192.0/20 range, yet when I look up ‘ip.zscaler.com’ on a client-enabled PC, it will indicate, for example, that my service edge is in the ‘165.225.0.0/17’ range.

This is purely for a process documentation purpose - I’m looking to write a procedure to verify if the service is accessible (from a ping response, as an example) or whether traffic to the FQDN is being filtered. I know to check ‘any.broker.prod.zpath.net’ for ZPA, I’d like to have something similar for ZIA.

Thanks in advance

Hi Paul,

ZCC is using the PAC file logic to select the closest DC and connect to it. If you do not specify the custom PAC file in the App Profile, the default PAC will be used.
To sum up, with the default config ZCC will use ${GATEWAY} to find the closest endpoint.

mobile.zscaler.net and login.zscaler.net are used for user enrollment and policy updates.


Thanks Mateusz.

I was aware of the use of the PAC via ‘http://127.0.0.1:9000/systemproxy..pac’, I was interested to know if there was possibly a FQDN like the ZPA… if not, not a problem.

Paul,

The ${GATEWAY} macro is populated by hitting “https://pac.CLOUDNAME.net/getVpnEndpoints?srcip=?endpoint_source_ip”

Best
