Z App Forwarding Method


(Mark Potosky) #1

Is there a document that outlines the best practice guidance on how to configure Z App traffic forwarding? We’re deploying Z App in “Tunnel with Local Proxy” currently, but I’ve recently come to understand that this mode still has a heavy dependency on our PAC files, which I don’t believe are optimally configured. I am looking for the implications of moving from tunnel with local proxy to straight tunnel using the packet filter driver.

(David Creedy) #2

Hi Mark,

The forwarding method generally depends on the specific environment as each forwarding method behaves differently. You’ve probably seen this, but here is a doc that explains at a high level: https://help.zscaler.com/z-app/configuring-forwarding-profiles-zscaler-app

We generally recommend tunnel mode with packet filter, though of course there might be limitations in an environment that require the use of tunnel with local proxy.

For Tunnel with local proxy, you don’t necessarily need to have a complex PAC file. If you leave the profiles default, Z App will automatically steer traffic towards Z App from the user’s browser and proxy aware applications. You should only need to modify this forwarding profile PAC if there are specific destinations you need to bypass. I’d be interested to know what issues you are seeing with the PACs.

Moving to tunnel mode is fairly straightforward, the main differences being the firewall rules required (https://help.zscaler.com/z-app/what-zscaler-app-processes-should-i-whitelist) and also that tunnel mode only gets 80/443 TCP, unlike tunnel with local proxy which can get web traffic on non-standard ports.



(Venkat) #3

Hi David,

When you say “Z App will automatically steer traffic towards Z App from the user’s browser and proxy aware applications”, does it apply to the applications which use non-standard ports (port 1433) and are not browser specific? Will they use the Z App and finally access the PAC file to return to their destinations?

I have a database application which uses port 1433 for communication. And we have tunnel with local proxy as our forward method. We want to use an internal proxy server for this application traffic and we have created an exception in PAC file. But we only see that this application always goes direct to internet being this application is aware of proxy.

Is any port 80 and 443 restriction applied here?


(Mark Potosky) #4

Thanks David. Do you have any examples of limitations in environments that would require the use of tunnel with local proxy? I’m trying to get an understanding of what to look out for.

I can’t prove that my PAC files are directly causing issues, but I do know that they are huge and poorly documented. I can’t explain why some sites are being sent direct. I know that I’m bypassing most O365 URLs via PAC, but sending all O365 to ZS (with one click enabled) via GRE when users are on network.

I’ve also seen issues with PAC files not properly standing down when the client is on network, resulting in “double hopping Zens” (PAC is sending traffic to Zen1 but GRE is sending it to Zen2).

If I change a forwarding profile from tunnel with proxy to tunnel only, does Z App automatically pick up and apply that change? Is there any impact to the end user? Would they have to re-authenticate? I am not currently leveraging SCIM via Okta to manage Zscaler user lifecycle.
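
An added example, not part of any post in this thread and not Zscaler code: a small Node.js harness that evaluates a PAC file against a list of URLs and reports which ones it sends DIRECT, one way to audit a large, poorly documented PAC of the kind described above. The sample PAC, hostnames and proxy addresses are constructed, and the helper functions are simplified stand-ins for the browser's PAC built-ins.

```javascript
// Simplified stand-ins for the PAC built-ins used by the sample file.
const pacHelpers = {
  isPlainHostName: (host) => !host.includes("."),
  dnsDomainIs: (host, domain) => host.toLowerCase().endsWith(domain.toLowerCase()),
  shExpMatch: (str, pattern) => {
    // Escape regex metacharacters, then translate shell wildcards * and ?.
    const re = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&")
      .replace(/\*/g, ".*").replace(/\?/g, ".");
    return new RegExp("^" + re + "$", "i").test(str);
  },
};

// Constructed sample PAC: three bypass rules, one internal proxy, one default.
const SAMPLE_PAC = `
function FindProxyForURL(url, host) {
  if (isPlainHostName(host)) return "DIRECT";
  if (dnsDomainIs(host, ".corp.example")) return "DIRECT";
  if (shExpMatch(host, "*.office-cdn.example")) return "DIRECT";
  if (shExpMatch(url, "http://*:8080/*")) return "PROXY proxy.corp.example:3128";
  return "PROXY gateway.example:80";
}`;

// Compile the PAC text with the helpers in scope. This executes the PAC,
// so only load files you already trust.
function loadPac(source) {
  const names = Object.keys(pacHelpers);
  const factory = new Function(...names, source + "\nreturn FindProxyForURL;");
  return factory(...names.map((n) => pacHelpers[n]));
}

// Return the PAC decision for each URL and flag the ones that bypass the proxy.
function auditPac(source, urls) {
  const findProxy = loadPac(source);
  return urls.map((url) => {
    const host = new URL(url).hostname;
    const decision = String(findProxy(url, host)).trim();
    return { url, host, decision, bypassed: /^DIRECT\b/i.test(decision) };
  });
}

// Constructed test destinations covering each rule in the sample PAC.
const SAMPLE_URLS = [
  "http://intranet/",
  "https://wiki.corp.example/page",
  "https://static.office-cdn.example/a.js",
  "http://reports.vendor.example:8080/status",
  "https://www.example.org/",
];

for (const r of auditPac(SAMPLE_PAC, SAMPLE_URLS)) {
  console.log(`${r.bypassed ? "BYPASS" : "PROXY "} ${r.url} -> ${r.decision}`);
}
```

Running the same URL list before and after a PAC change gives a quick diff of which destinations moved between DIRECT and a proxy.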