Tunnel 2.0 Non-Web-Traffic forwarding to other ZEN

Hi together

Is it possible to forward non-web-based traffic (web traffic is no problem and is described in the help article) to a specific ZEN?

e.g. I want to forward SSH Traffic to a private ZEN.


When you say private ZEN, do you mean for ZIA or ZPA access?

To forward traffic from ZIA to ZPA you can see About Forwarding Control | Zscaler / About Source IP Anchoring | Zscaler, but if that is not the case then maybe you can confirm with Zscaler, as they may do some internal routing for you if possible; I am not aware of any method other than a GRE tunnel, L2 redirect or PAC file. If Zscaler can’t do it, then you can have a VPN agent and send the traffic to the firewall, which will use L2 redirect or a GRE tunnel to send it to the Private edge, but this seems like a suboptimal design.

Plain ZIA
ZPA is clearly the better solution for this, but this customer doesn’t have ZPA (or SIPA).

So my question was more in the direction of “Can the traffic be forwarded via ZCC, e.g. with an App PAC file?”
But as I understand it and have tested it, that’s only possible for web-based traffic.

You can use a private ZIA ZEN, but you will need to send the customer traffic to a firewall/router that has a GRE tunnel, as I mentioned, or you deploy a virtual ZIA ZEN with a configured location close to the customer; based on the location it will be selected by the Zscaler Client Connector, but maybe this is not what you want.

Thanks @Niokolay_Dimitrov - yes that’s not the solution I wanted :sweat_smile:

For sure I can change the default ZEN in the App PAC to forward all traffic, but I want to forward only 1-2 specific non-web-based cases (e.g. a road warrior needs to open an SSH or RDP connection) while the rest uses the default “GATEWAY” variable.

Also, T2.0 and GRE is not best practice, nor do all routers support routing encapsulated T2.0 (DTLS) traffic within a granular routing table.

The question was more “can I forward the non-web-based traffic from ZCC/ZApp to a specific ZEN with an App PAC?”, but as I thought, that is not possible.

Yes I don’t think it is possible but still you may ask Zscaler if they can make some internal magic for you.

Still, the best option for now seems to be to have a remote desktop host or Citrix Desktop etc. for the users to connect to and start SSH etc. from, as you will know which Zscaler Public ZIA Edge the remote host usually connects to. You can also create a virtual or private ZEN for the remote host, as sometimes the public Edge can change because the Client Connector selection is dynamic, or, as the remote host is in your office, you can just use a GRE tunnel from the router to a Public ZEN edge to make certain which Public Edge will be used.

Hope you find your workaround for this, as Zscaler should add the option for manual selection of a Public ZEN Edge in the Client Connector, especially for Tunnel 2.0, where PAC files can’t be used for non-web traffic.