Website not reachable from Zscaler IP

Hi,
sometimes we have websites being used in our Company which are not reachable when using Zscaler.
As soon as you disable the Zscaler Client and work as a Road Warrior, the website will load.
Most of the time it is a government website which is only reachable from a Country IP, but not always.

As we have our default Route pointing to Zscaler and GRE Tunnels towards Zscaler in place, there is no easy Zscaler bypass possible (for example in a PAC file).

What are you doing when Zscaler IPs seem to be blocked at the destination side?

Hi,
Have you checked this white paper? https://www.zscaler.com/resources/white-papers/transform-source-ip-address-based-application-access.pdf

This white paper outlines use cases, deployment considerations, and best practices for layering existing source IP address identification controls with Zscaler’s state-of-the-art, multi-tenant security model.

As Charles already pointed out, the solution for such issues is SIPA.

What we’ve found over time is

  • external partners which only allow your users to connect via a single/few IP address (range|s)
  • external systems doing geofencing of some sort (mainly but not only government and banking systems demand ‘from this country only’ or ‘IP must be from within EU’)
  • external systems demanding like ‘your users must come from an IP owned by your company’
  • externals simply unwilling to allow Zscaler cloud to connect to their stuff

In all these cases the answer is ‘have a SIPA and tunnel traffic to those destinations through that’.

Another one for the acronym soup. SIPA: Source IP Anchoring.

The geofencing is the biggest challenge as we don’t always have SIPA capability in the country we have the issue with.

I hope we’ll never end up in that situation … fingers crossed and knocking on wood

At least so far in all countries where we had to work around geofencing or some other flavor of ACL (@Ben_Garrison - new entry for the soup! ACL=Access Control List) we either had an office location in that country or could instead route traffic through one of our SIPAs which uses an IP owned by us to make the external system happy.
