Source IP Anchoring

Hi Team,

I have a doubt about SIPA (Source IP Anchoring).

Is this related to assigning a fixed IP in the Public Service Edge subnet for an organization, like we do with VZEN/PZEN?

Recently in the trust portal, we have an incident, "Traffic Forwarding using SIPA". Will this impact traffic from regular users who haven't obtained the SIPA feature?

Best Regards,
Pardeep Rawat

Hi Pardeep,
SIPA leverages a ZPA component (the App Connector) in your organization’s network. SIPA traffic first passes through the ZIA cloud, where your policy and security settings are enforced. From there, the traffic is sent to the App Connector, which follows the network path to break out to the internet. Since the traffic comes from your organization’s network, the connection reaches the destination with your organization’s egress IP address.
The purpose of SIPA is comparable to that of VZENs and PZENs (source IP whitelisting), but with SIPA, your traffic still passes through the ZIA public service edge.
More information on SIPA is here: About Source IP Anchoring | Zscaler.

The SIPA incident only affected SIPA traffic specifically. The incident did not impact any non-SIPA traffic.


Hi @pvanroosbroek, thanks for the detailed clarification.

One last question: can we use SIPA with the ZCC agent only? What if the user is in a Trusted network and uses a tunnel (GRE/IPSec) and a PAC file to forward traffic towards Zscaler?
Can SIPA work with that scenario?

Best Regards,
Pardeep Rawat

Yes, SIPA will work in PAC+GRE or PAC+IPSec mode. ZCC works as well, both in ZTunnel1.0 and ZTunnel2.0. In ZTunnel1.0 mode, you must enable the “Enforce firewall policy for Road warriors” feature.
