Z-App with PulseSecure VPN Split Tunneling

We have been using Z-App since 1.0. Many new features have been added over the years. We currently run our VPN with no split tunneling. This was fine until the use of video conferencing during the pandemic. Currently we are set with Tunnel-Routed mode, and NONE for On-Trusted and NONE for VPN Trusted. We don’t use PAC files.

I’d like to turn on Split Tunneling, and allow the default route to go through Zscaler. We have some traffic bypassing Zscaler today on-net for various reasons (usually when a login moves to using a non-standard TLS port). We also bypass GSuite since Zscaler doesn’t inspect it. So it would appear from reading that the best practice for us is:

  1. On-Net = NONE
  2. VPN-Trusted = Tunnel
  3. OFF-Trusted = Tunnel

Should we set the Tunnel to Packet Filter so we can create bypass rules?
It seems that the “HOSTNAME OR IP ADDRESS BYPASS FOR VPN GATEWAY” setting could be used for this with Routing mode.

Thanks for your suggestions.
-=Dan=-

Current Forwarding Settings:
TRUSTED NETWORK CRITERIA
  Condition Match: Any
  DNS Servers: 10.x.x.1, 10.x.x.2
WINDOWS DRIVER SELECTION
  Tunnel Driver Type: Route Based
FORWARDING PROFILE ACTION FOR ZIA
  On Trusted Network: None
  Configure System Proxy Settings: System Proxy Settings
  VPN Trusted Network: Same as “On Trusted Network”
  Off Trusted Network: Tunnel
  Configure System Proxy Settings: System Proxy Settings

Hi Dan,

In most cases we recommend packet filter over route mode for the Z-App tunnel, as it has higher compatibility with the OS.

Best Regards,

Jones Leung


Just to be clear:
Recommendation is Tunnel Driver Type = Packet Filter Based.

Yes that’s correct Dan


Looking at https://help.zscaler.com/z-app/using-windows-filter-driver-zscaler-app I don’t see a way to add bypass domains. Does this support that, or do I use the HOSTNAME bypass in the Z-App App Policy?

If you are talking about bypassing sites from the ztunnel, you can do it in the app profile PAC file. If you don’t put any PAC file there, the default one will be used. What you can do is create a PAC file in the main admin portal and use the normal PAC file function to make traffic “DIRECT” (in case you need it, you can find many examples at http://findurlforproxy.com). Once you put the PAC file in the app profile, Zscaler App will follow the logic there and bypass traffic as you like.

So if using Packet Filtering, does the .PAC file trump the routing? If I have split tunneling send 10/8 through the VPN tunnel via a route, will it send there first, or will it check the PAC?

Hi Dan,

Private IP traffic will not be sent to Zscaler, actually. So you don’t need to worry about it.

I suggest you do two things:

  1. Make sure your VPN gateway IP or host name is added to the app profile VPN bypass list, so that we will not “touch” any traffic sent to the VPN gateway. It should be used only for bypassing the VPN gateway, not other sites.

  2. Use the app profile PAC file to bypass any other sites from Zscaler if you need to.
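An added example of the App Profile PAC described in this reply and in the earlier one about making traffic “DIRECT”: it is not Zscaler’s code or anything posted in this thread. It sends the VPN gateway, the RFC 1918 ranges and the GSuite domains DIRECT (so Z-App leaves them alone) and steers everything else to the Service Edge with the same PROXY string the thread uses later for its steering PAC. The gateway name vpn.example.com, the .corp.example internal domain and the GSuite domain list are constructed sample values, not from any real deployment. Because Node has no PAC runtime, the block carries small stand-ins for the PAC built-ins isInNet, shExpMatch and dnsDomainIs purely so the logic can be run and checked offline; in a real PAC environment those are provided by the evaluator and the stand-ins are dropped.

```javascript
// Stand-ins for the PAC built-ins, so this file can be evaluated in Node.
// A real PAC engine (browser, Z-App) supplies these; remove them when deploying.
function dnsDomainIs(host, domain) {
  host = host.toLowerCase(); domain = domain.toLowerCase();
  return host.length >= domain.length &&
         host.substring(host.length - domain.length) === domain;
}

function shExpMatch(str, pattern) {
  // Shell-style glob: '*' and '?' are wildcards, everything else is literal.
  var escaped = pattern.replace(/[.+^${}()|[\]\\]/g, '\\$&')
                       .replace(/\*/g, '.*').replace(/\?/g, '.');
  return new RegExp('^' + escaped + '$', 'i').test(str);
}

function ipToInt(ip) {
  return ip.split('.').reduce(function (acc, o) { return (acc << 8) + Number(o); }, 0) >>> 0;
}

function isInNet(host, net, mask) {
  // The real isInNet resolves hostnames; this stand-in only handles IP literals,
  // so internal names are caught by the domain rule below instead.
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return false;
  return (ipToInt(host) & ipToInt(mask)) === (ipToInt(net) & ipToInt(mask));
}

// ---- Constructed sample values (assumptions, not from the thread) ----
var VPN_GATEWAY = "vpn.example.com";          // also listed in the App Profile VPN bypass
var INTERNAL_DOMAIN = "corp.example";          // reached over the VPN tunnel, never via Zscaler
var GSUITE_DOMAINS = ["google.com", "googleapis.com", "gstatic.com"]; // not inspected, per the thread
// Steering string as in the thread's own steering PAC; {GATEWAY} is Z-App's placeholder.
var ZSCALER = "PROXY {GATEWAY}:9400; PROXY {SECONDARY_GATEWAY}:9400; " +
              "PROXY {GATEWAY}:80; PROXY {SECONDARY_GATEWAY}:80; DIRECT";

function inDomain(host, domain) {
  return host.toLowerCase() === domain.toLowerCase() || dnsDomainIs(host, "." + domain);
}

function FindProxyForURL(url, host) {
  // 1. Never touch the VPN gateway itself, or the tunnel can't come up.
  if (shExpMatch(host, VPN_GATEWAY)) return "DIRECT";

  // 2. Private address space and the internal domain stay on the VPN/LAN path.
  if (isInNet(host, "10.0.0.0", "255.0.0.0") ||
      isInNet(host, "172.16.0.0", "255.240.0.0") ||
      isInNet(host, "192.168.0.0", "255.255.0.0") ||
      inDomain(host, INTERNAL_DOMAIN)) return "DIRECT";

  // 3. Explicit bypass list. Anything here is uninspected, so keep it short
  //    and exact: a suffix match on "google.com" alone would also hit
  //    "notgoogle.com", which is why inDomain() anchors on the dot.
  for (var i = 0; i < GSUITE_DOMAINS.length; i++) {
    if (inDomain(host, GSUITE_DOMAINS[i])) return "DIRECT";
  }

  // 4. Everything else is steered to the Zscaler Service Edge.
  return ZSCALER;
}
```

The ordering matters: the gateway and private-range rules sit before the bypass list so a typo in the list can never capture tunnel or internal traffic, and the catch-all steering line is last so any host the rules do not name is still inspected.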

So working in Forwarding Profile, I was updating the VPN Trusted Network System Proxy Settings:

  • Tunnel Mode
  • Apply on Network Change
  • Use Automatic Configuration Script
    Set to my new custom PAC file.

So you are saying that the PAC file needs to be specified in the App Profile too? How do the two differ?

What is the difference between the Automatic Configuration Script in the Forwarding Profile (under VPN and Off NET) and the Proxy in the App Profile?

The PAC in the forwarding profile is set in the system/browser and processes traffic BEFORE it gets sent for Z-App forwarding, e.g., sending traffic to some other proxy.

The App profile PAC tells Zscaler App what to do AFTER it’s been received for forwarding, e.g. which Service Edge to connect to, send direct, etc.

Hi Dan,

If you simply want to use pure tunnel 1.0 mode to send traffic to Zscaler, you don’t need a PAC file in the forwarding profile (which is designed to add browser proxy config to your users’ machines). You only need a PAC file for the app profile so that you can specify what traffic you want to bypass from the Z-App tunnel 1.0.

You also need to specify the VPN gateway IP or hostname in the app profile.

Best Regards

Jones

Thanks Scott. I’ve added the custom PAC to the VPN and Off-Net Auto Proxy setting in Forwarding AND to the Custom PAC in App Profile.

Is there a way to verify the routing after deploying? Just by looking in logs, or is there a way to see what is happening from the Z-App?

ip.zscaler.com is the best way to check that the Zscaler path is working.

There may also be something in INFO or DEBUG Z-App logs, I’ve never really looked TBH.

Logs seem to be encrypted. Is there a way to view them?

You can look at the logs directly in c:\programdata\zscaler

We’ll soon be able to export logs unencrypted too.

One quick PAC file question. As you explained, I can add a custom PAC file to the VPN and OffNet Forwarding Profiles. If I add it to the App Profile, wouldn’t it be used for all three forwarding scenarios, basically overriding the use of the default PAC file for OnNet?

The App profile is only good for steering traffic to Zscaler nodes to direct, and should only have simple logic in there. I’d personally craft each PAC specific to the profile function as opposed to reusing the same PAC.

steering traffic to Zscaler nodes to direct.

Can you explain this more or give an example. Is this “steering to the desired cloud enforcement node” and nothing more?

Is this what you mean by a steering PAC file?

function FindProxyForURL(url, host) {
    // Try the primary and secondary Service Edges on 9400, then 80, then fall back to DIRECT
    return "PROXY {GATEWAY}:9400; PROXY {SECONDARY_GATEWAY}:9400; PROXY {GATEWAY}:80; PROXY {SECONDARY_GATEWAY}:80; DIRECT";
}