Source IP Anchoring - ZIA only

Is it possible to use ZIA Source-IP Anchoring with just a ZIA license. I understand it uses a ZPA app connector. But my customer is not subscribed to ZPA.



Hi Collin,
On top of your ZIA license, you can buy a SIPA license, not needed to buy full stack of ZPA cense. SIPA license is a light weight license comparatively ZPA license.

Ramesh M

thank you, we will inquire with our SE. Can SIPA handle all ports and protocols? I.E can SMTP traffic be anchored back to an app connector.

Yes, as long as the client is running ZCC w/tunnel 2.0 to support protocols other than HTTP/S like the SMTP protocol in your example. Tunnel 1.0 is the default in the mobile app console, so it may require that you make that adjustment in the associated forwarding app profile.

Yes indeed. it’s actually more for branch offices that use IPSEC tunnels.

Collin - yes, there is nothing stopping you from specifying port 25 for example in the app segment you’ve enabled source IP anchoring on. In that case, this is simply “backhauling” SMTP traffic to wherever your app connector is. Remember, the traffic goes to ZIA before it goes to the app connector, so the method of forwarding to the ZS Cloud in the first place is irrelevant in this case, which is why I mentioned the caveat for remote clients running tunnel2. The only requirement here is that you forward SMTP traffic from the branch office (i.e. you are not only forwarding web traffic through the IPSEC tunnel and in fact forwarding SMTP traffic and any other traffic you want to go through SIPA).

BTW, you threw me off a little because you added ZIA and SIPA tags, but submitted the question in the “Client Connector” community thread. :wink:

hehe, ya there is no straight ZIA category for some reason…

I was revisiting this thread and saw your last comment. I’m pretty sure there is a ZIA category that was likely the first category in the community so it rarely had to be referenced with a hashtag. :wink: #zia