The Curious Case of Zscaler client connector

Hi All,

This is my first topic here. We just deployed ZCC for our environment but are having a tough time in terms of traffic forwarding. Our setup uses Tunnel 2.0 with tunnel mode.

  1. How do we avoid sending traffic to Zapp (PSE/CA) and instead use local routing to go to the internet? I understand from all the documents that I have to bypass in the forwarding PAC and then the app PAC, but I still see traffic in Zscaler Web Insights. And in some cases we needed to bypass some URLs/IPs in the VPN bypass as well to bypass completely.

All I want Zscaler to do is bypass domains/IPs so that my local firewall can take care of such traffic.

  2. Any network diagram associated with ZCC traffic handling behaviour? I received one from the Zscaler PS team, but it seems the app doesn't handle the traffic that way.

You can refer to this article, which describes how to bypass traffic from Z-Tunnel 2.0:
Z-Tunnel | Zscaler

To understand how Zscaler Client Connector works, please refer to this article:
Deep Dive - Zscaler App - The Cloud-First Architect - Zenith

Maybe you can share a bit more on the application traffic you want to bypass. Is it browser traffic? If not, is the traffic web based (port 80/443), and is the application proxy aware?

Using the FQDN/IP VPN bypass in the App Profile will work very well for web and non-web traffic. Unfortunately, the VPN bypass does NOT support domain-based bypasses or wildcards.

With Tunnel 2.0 we forward traffic by intercepting network traffic on the network stack. Tunnel 2.0 bypasses are possible with the Forwarding PAC and App PAC file. This PAC file logic will work fine for applications that are proxy aware, like browsers, meaning that the application needs to respect the system proxy or have the proxy set directly within the application (127.0.0.1 port 9000).

To bypass any non-web traffic, you need to use the VPN bypass and use the IPs/FQDNs to make the exception. In the App Profile for Windows you can also exclude traffic by port number and IP combinations.
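As an added illustration of the PAC-based bypass described in the reply above (not from the original thread, and not Zscaler's own PAC): a minimal Forwarding/App PAC that returns DIRECT for the domains, wildcard patterns and private subnets you want the local firewall to handle, and sends everything else to the ZCC listener at 127.0.0.1 port 9000. The bypass lists are constructed, the choice of proxy target is an assumption for this example, and the PAC built-ins (dnsDomainIs, shExpMatch, isInNet, isPlainHostName) are normally supplied by the PAC engine but are reimplemented in a few lines here so the file runs under Node for testing.

```javascript
// Added example: Forwarding/App PAC for Z-Tunnel 2.0 bypasses.
// Only proxy-aware applications consult this file (browsers, or apps
// pointed at 127.0.0.1:9000); non-web traffic needs the VPN bypass.
// Domains, patterns and subnets below are constructed placeholders.

// Stand-ins for the PAC engine built-ins so this runs outside a browser.
function isPlainHostName(host) { return !host.includes("."); }
function dnsDomainIs(host, domain) {
  return host.toLowerCase().endsWith(domain.toLowerCase());
}
function shExpMatch(str, pattern) {            // shell-style * and ? glob
  const re = "^" + pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                          .replace(/\*/g, ".*").replace(/\?/g, ".") + "$";
  return new RegExp(re, "i").test(str);
}
function ipToInt(ip) {
  return ip.split(".").reduce((acc, o) => (acc << 8) + Number(o), 0) >>> 0;
}
function isInNet(ip, net, mask) {
  const m = ipToInt(mask);
  return (ipToInt(ip) & m) === (ipToInt(net) & m);
}

// Destinations the local firewall should handle directly (hypothetical).
const DIRECT_DOMAINS = [".internal.example", ".partner.example"];
const DIRECT_PATTERNS = ["*.cdn-example.net"];   // wildcards: PAC can, VPN bypass cannot
const DIRECT_SUBNETS = [["10.0.0.0", "255.0.0.0"], ["192.168.0.0", "255.255.0.0"]];
const ZCC_LISTENER = "PROXY 127.0.0.1:9000";     // assumed ZCC local proxy

function FindProxyForURL(url, host) {
  // Single-label hostnames are treated as on-prem and go direct.
  if (isPlainHostName(host)) return "DIRECT";
  for (const d of DIRECT_DOMAINS) if (dnsDomainIs(host, d)) return "DIRECT";
  for (const p of DIRECT_PATTERNS) if (shExpMatch(host, p)) return "DIRECT";
  // Only literal IPv4 destinations are subnet-matched, so the PAC never
  // triggers a DNS lookup of its own for every request.
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) {
    for (const [net, mask] of DIRECT_SUBNETS) {
      if (isInNet(host, net, mask)) return "DIRECT";
    }
  }
  // Everything else is handed to the Zscaler client for inspection.
  return ZCC_LISTENER;
}
```

Traffic that still shows up in Web Insights after adding a domain here is a sign the application is not honouring the PAC and needs the VPN bypass path instead.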