Windows Zscaler Adapter for Z-tunnel 2.0?

Hello, Community

Understanding Z-tunnel 2.0 is a hard hurdle for everyone, at least for me.
Hence I repeatedly read and reread the KBs.
All the way down through the description, there is one point I cannot understand.
Here it is.

MTU for Zscaler Adapter : (Optional) This option is only applicable if you’re using Z App version 2.1.2 or later. Zscaler recommends only configuring this setting if you experience IP fragmentation when using Z-Tunnel 2.0 with the default value of 0. This setting allows you to decrease MTU to avoid IP fragmentation. To configure this setting, enter any value from 68 to 1500.
https://help.zscaler.com/z-app/configuring-forwarding-profiles-zscaler-app

I can understand the issue with IP fragmentation; it is a general solution.
The problem is “Zscaler Adapter”.
I have assumed the Windows Zscaler Adapter is only for the Route Based scenario, not the LWF scenario.

What deepens my confusion is the following description.

For the Windows version of Z App, Z-Tunnel 2.0 (in DTLS mode) changes the MSS for the TCP stream based on the configured MTU value, because it uses the Windows filter driver instead of the Zscaler adapter.
https://help.zscaler.com/z-app/configuring-forwarding-profiles-zscaler-app

My confusion reached the bottom of my brain and found a dearth of my personal IT knowledge.
Does Z-tunnel 2.0 use the Zscaler Adapter or not? DTLS only? Does it mean a non-DTLS 2.0 tunnel will fall back on the non-LWF driver?

Could someone kindly help me understand what these descriptions mean?

Best Regards,
Yosh

Hi Yosh,

We used “Zscaler Adapter” in the help as a general term for Mac, iOS and Android, which still use route based network adapters. The note at the end about DTLS is for Windows and it is slightly different.

The statement on Windows for DTLS and MSS means that in the case of Windows ZApp, we change the MSS value of inner TCP connections when ZApp is tunneling them over DTLS to avoid IP fragmentation of the outer DTLS connection packets.

Windows Ztunnel 2 is not using the Zscaler Adapter, but we still modify the MSS of the TCP connections inside of the DTLS tunnel, so there are no fragmentation issues.

I hope this clears things up!

Cheers

David

1 Like
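
The inner-TCP MSS adjustment described in the reply above, as an added example that is not Zscaler's code and not part of the original thread. It assumes IPv4, that the MSS is derived as MTU minus 40 bytes of IP and TCP headers, and a constructed sample SYN; the function names and the 1400-byte MTU used with it are illustrative.

```python
import struct

SYN, OPT_EOL, OPT_NOP, OPT_MSS = 0x02, 0, 1, 2
# Constructed sample: SYN 49152 -> 443, MSS 1460, checksum valid for 10.0.0.1 -> 10.0.0.2.
SAMPLE_SYN = bytes.fromhex("c00001bb0000000000000000" "6002faf0c7770000" "020405b4")

def mss_for_mtu(mtu, ip_hdr=20, tcp_hdr=20):
    """Assumption: largest TCP payload in one `mtu`-byte IPv4 packet, no header options."""
    return mtu - ip_hdr - tcp_hdr

def _csum_update(csum, old, new):
    """Incremental Internet checksum update for one 16-bit word (RFC 1624)."""
    s = (~csum & 0xFFFF) + (~old & 0xFFFF) + new
    s = (s & 0xFFFF) + (s >> 16)
    s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def clamp_syn_mss(segment, max_mss):
    """Lower a SYN's MSS option to max_mss and patch the checksum; else return as is."""
    seg = bytearray(segment)
    if len(seg) < 20 or not seg[13] & SYN:
        return bytes(seg)
    hdr_len = (seg[12] >> 4) * 4
    if hdr_len > len(seg):
        return bytes(seg)
    i = 20
    while i + 1 < hdr_len and seg[i] != OPT_EOL:
        if seg[i] == OPT_NOP:              # one-byte padding option
            i += 1
            continue
        kind, length = seg[i], seg[i + 1]
        if length < 2 or i + length > hdr_len:
            break                          # malformed option list: leave untouched
        if kind == OPT_MSS and length == 4:
            (mss,) = struct.unpack_from("!H", seg, i + 2)
            if mss > max_mss:
                # The value may be unaligned (after a NOP): cover each aligned word.
                lo, hi = (i + 2) & ~1, (i + 5) & ~1
                before = bytes(seg[lo:hi])
                struct.pack_into("!H", seg, i + 2, max_mss)
                (csum,) = struct.unpack_from("!H", seg, 16)
                for w in range(0, hi - lo, 2):
                    (old,) = struct.unpack_from("!H", before, w)
                    (new,) = struct.unpack_from("!H", seg, lo + w)
                    csum = _csum_update(csum, old, new)
                struct.pack_into("!H", seg, 16, csum)
            break
        i += length
    return bytes(seg)
```

Calling `clamp_syn_mss(SAMPLE_SYN, mss_for_mtu(1400))` rewrites the advertised MSS from 1460 to 1360, so the peer sends inner segments small enough that the encapsulating packet does not need IP fragmentation.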

Hi, David

Thank you for the clarification!

Hence, it may be that…

iOS and Android - may not be related, for they cannot handle Z-tunnel 2.0
Mac OS (Z App 2.1 or later) - Route Based - Adapter can decrease MTU
Windows OS with TLS as primary transport - no Adapter, modify TCP MSS value
Windows OS with DTLS as primary transport - no Adapter, modify inner TCP MSS value of DTLS connection

I guess these are all the branches of this scenario.
Kindly point out if my confused neurons have led my typing fingers in the wrong direction.

Anyway, Thank you again.

Best Regards,
Yosh