Writing a PAC File - Redirecting users from a specific location to a specific ZENs


I would like to ask how do I determine which IP addresses to use for the proxy to a specific ZENs using https://ips.zscaler.net/cenr. I am currently practicing my PAC file writing skills, any help will be gladly appreciated.


If you know the public IP of your location,

var egressip = “${SRCIP}”;
if (shExpMatch(egressip,“”)) {
/* User is in the office location with external IP */
return “PROXY ams2.sme.zscloud.net:80;DIRECT”; // Amsterdam hostname or VIP IP (1185.46.212.42) can use

If you are using location subnet to sent to specific ZEN,

var resolved_ip = dnsResolve(host);
if (isInNet(resolved_ip, “”, “”)) // Location private subnets
return “PROXY ams2.sme.zscloud.net:80;DIRECT”;

Below links will help you,

Ramesh M


Appreciate that you share your insights with me. Can I know how you get this “VIP IP (1185.46.212.42)”?

Thank you.

You can find it from ips.zscloud.net. If you are with other cloud, you need to replace the cloud name accordingly, such as ips.zscaler.net.

Best Regards,

Jones Leung

Hey Jones,

Nice, thank for helping me out on this.

Really appreciated the help.

Matthews Loke

Hi Ramesh,

but at least as long as the location is connected with a GRE tunnel always the CENR where the tunnel terminates will take that traffic; a CENR2CENR-forwarding does not happen.

When i have a location with GRE to Amsterdam/ams2 even when a client in that location uses Madrid/mad2 as static proxy - a webserver in the internet will still see the connection coming from ams2 IP range.

From a behaviour PoV same as if i use one of the ‘Global CENR IPs’ on the client.