Recently we have been challenged with bypassing web conference traffic via the ZCC tunnel in order to better tune video conference application performance. Seems that only web traffic used for signaling traverses the tunnel while the main audio/video traffic bypasses the ZCC tunnel since the real time application traffic is mainly UDP traffic. I have been tasked with weighing out if the signaling traffic could interfere or cause issues for these types of traffic and determine if there were any advantages of updating our PAC files to bypass said traffic altogether. Thoughts?
Bill, you could do that but as you are aware maintaining PAC files can be cumbersome. I think it would be better to use the packet capture function in the ZCC client and open a ticket with Zscaler TAC to have them take a look.
Thanks Pat. We have already concluded the traffic is working that way via packet captures.
We understand the challenges that come with maintaining the PAC file.
Just curious if anyone has any experience with this concern and if so, did they change anything?
AHH, gotcha Bill. Maybe we’ll just allow some others to provide feedback. Which conferencing platform are you folks using?
Cisco WebEx, MS Teams, and Zoom
Bill, not sure if you folks are using ZCC with Tunnel 2.0, but if so in the App Profile we do have a new easy setup for the following conferencing platforms to be bypassed: * Microsoft Teams, * Zoom, * Microsoft Teams- New
It’s under an item called - Z-TUNNEL 2.0 CONFIGURATION
Just a suggestion. I imagine at some point we will add WebEx to that list as well
Thanks Pat… I am aware of tunnel 2.0 settings… where you can bypass those two apps. I am currently on tunnel 1.0.
That said, it looks like the app profile is bypassing via IP addresses for Teams and Zoom. My next question is, how does this integrate with ZDX? When I do a bypass for those apps in my PAC file (FQDN and IP addresses), I still see ZDX data coming in. Looks like according to the packet captures, ICMP probes are still being issued but not sure if this is the only reason.
Those Tunnel 2.0 application bypasses Bill will only bypass audio/video traffic but the control channel will still move through ZS hence how we’ll be able to display ZDX reporting. Are you using ICMP probes in ZDX for a Cloudpath Probe? You can change the Cloudpath probe type to ‘TCP’ instead of ‘ICMP’ or ‘UDP’ or ‘Adaptive’. If you select TCP Cloudpath then this will follow the PAC and would go DIRECT and not through Zscaler ZENs.
We are using Adaptive probing. Thanks for your responses and info. Good stuff via ZDX data. So…now to figure out if control channel traffic going out one way and routing UDP traffic outside the tunnel could have potential impact on video conference performance.
So… we have implemented the VC bypasses with some good results. We are bypassing WebEx, Teams, and Zoom.
So… oddly enough, the ZDX scores for all WebEx traffic are in the tank now… but ONLY when they are in the office where there is a tunnel to Zscaler’s network (and of course, we have firewall rules).
I don’t think it is the firewall rules since I isolated one test machine and allowed all ports/protocols and still get the same results.
I have a ticket with support… uploaded captures and screenshots but nothing back from them yet. This is very frustrating.