We recently ran into a problem with Source IP Anchoring on iOS devices running Zscaler Client Connector (ZCC). As per below, SIPA is only supported on Tunnel 2 but ZCC on iOS only supports Tunnel 1.
We decided to go with Dedicated Proxy Port for the iOS devices as a way of mitigation but the only way to enforce this (as far as I can tell) is by using the “Dedicated Proxy Port” setting in the mobile dashboard.
Since this is a global setting for the entire tenant I’m wondering what effect this could have to the other devices i.e. Windows, Mac, etc.
Has anyone on this forum used this setting before? Has anyone solved this issue in a different way?
Hi, I’m not sure DPP is applicable here. There may be a better way with a new feature that allows the road warriors (which would include ZCC on iOS) to make use of the firewall policy and have the firewall direct the traffic through SIPA. Currently, firewall policy doesn’t apply to iOS devices running ZCC for the reason you mentioned; Ztunnel2 is required.
However, with the firewall setting for road warriors option enabled, you may be able to apply the firewall rule redirecting traffic to the ZPA Proxy/SIPA. I can’t say I’ve actually tried this, but it seems like a simple option to check since you have everything set up if you’re using SIPA already.
Here’s the setting I’m referring to, under Administration, Advanced Settings in the ZIA Admin UI.
Hey Mark, thank you for the suggestion. We tested the “Enable Firewall for Road Warriors” option with the customer today and confirmed that SIPA works on the iOS devices. Thanks again!