So with this new feature, I am not finding anything in the docs or trainings about what exactly this does and what the use cases would be, in combination with the “Use Z-Tunnel 2.0 for Proxied Web Traffic”. What exactly do these two options do to the traffic and what would the use cases be for these two new options? If there’s updated documentation, then that would be awesome to share.
I’ll take a look into the docs and expand this. But to explain it briefly:
Z-Tunnel 2.0 domain wildcard based bypasses typically require a forwarding profile PAC, which essentially downgrades any browser traffic to Z-Tunnel 1.0, so it can be parsed through the app profile configuration for bypasses. Having the system proxy there was cumbersome, so this feature will explicitly route 80/443 TCP to the local proxy listener, which can then be parsed through the app profile PAC. It essentially gives you the ability to do wildcard domain bypasses without defining a system proxy.
The second setting determines whether this traffic, which is now Z-Tunnel 1.0, should be sent to the cloud as Z-Tunnel 1.0 or sent inside Z-Tunnel 2.0. The former is the behavior today.
Interesting scenario but awesome explanation!
Does enabling the ZCC Listening Proxy mean we only need to use the App Profile PAC for the bypasses? This is good, fewer PAC files to maintain.
For the second setting, what are the benefits of sending it back inside Z-Tunnel 2.0? Can you explain more?