// We’ve been told that this is a FEATURE by Zscaler support.
// But we want to restrict our employees from directly accessing the internet.
// Does someone have any idea?
We have configured ZCC to send almost all traffic to ZEN with Z-Tunnel 2.0.
Of course, some types of traffic are configured to be bypassed due to the necessity of local functions, such as DNS and DHCP on the home router.
But we expected traffic directed to the internet to go through ZEN without any exception.
However, we found that when we use TCP 53, the traffic is always bypassed.
We can directly access the internet using TCP 53.
We’ve conducted several tests with my AWS instance, binding some server applications to TCP 53.
case 1) HTTP proxy (Squid) bound to TCP 53
ideal) [Browser] → [ZEN] → [AWS/Squid:TCP53] → [Origin Server]
actual) [Browser] → [AWS/Squid:TCP53] → [Origin Server]
In this case, using TCP 53, I was able to access the internet without any policy enforcement.
// Proxy configuration is enforced by ZCC.
// So in my test, I used Firefox Portable.
case 2) SMTP server (Postfix) bound to TCP 53.
ideal) [MUA] → [ZEN] → [AWS/postfix:TCP53]
actual) [MUA] → [AWS/postfix:TCP53]
In each test I found the provider-assigned global IP address (NOT a ZEN IP) logged in the server log.
So the traffic must have been sent directly to the internet, bypassing Zscaler.
We don’t want our employees to access the internet directly.
Does anyone have a possible solution?
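One way to confirm the finding above from the server side, as an added example that is not part of the original post: a small Python audit that parses Squid access-log lines from the AWS listener and flags every request whose client address falls outside the expected ZEN egress ranges. The CIDRs and log lines here are constructed placeholders (RFC 5737 / RFC 3849 documentation addresses), not real Zscaler ranges; substitute the published ranges for your tenant's cloud.

```python
import ipaddress
import re

# Assumed egress ranges for the ZEN nodes your tenant uses. These are
# documentation-only placeholders, NOT real Zscaler addresses; replace
# them with the published ranges for your cloud before relying on this.
EXPECTED_ZEN_EGRESS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8:100::/48"),
]

# Squid native access.log: "<ts> <elapsed> <client> <code/status> <bytes> <method> <url> ..."
SQUID_LINE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+(?P<code>\S+)\s+\d+\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)"
)

def via_zen(ip_text):
    """True if the client address is inside an expected ZEN egress range."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in EXPECTED_ZEN_EGRESS)

def find_bypasses(log_lines):
    """Return (ts, client, method, url) for each request that reached the
    TCP/53 listener from an address outside the ZEN egress ranges, i.e. a
    connection that never traversed the tunnel (the symptom in the post)."""
    hits = []
    for line in log_lines:
        m = SQUID_LINE.match(line)
        if not m:
            continue  # skip blank or garbled lines instead of aborting the audit
        if not via_zen(m["client"]):
            hits.append((m["ts"], m["client"], m["method"], m["url"]))
    return hits

# Constructed sample: one request arriving from a ZEN egress address, one
# arriving straight from a home ISP address, plus an empty line.
SAMPLE_LOG = [
    "1700000000.101    120 203.0.113.45 TCP_MISS/200 5120 GET http://example.com/ - HIER_DIRECT/192.0.2.10 text/html",
    "1700000005.337     98 198.51.100.7 TCP_MISS/200 4096 GET http://example.org/ - HIER_DIRECT/192.0.2.10 text/html",
    "",
]

if __name__ == "__main__":
    for ts, client, method, url in find_bypasses(SAMPLE_LOG):
        print(f"BYPASS ts={ts} client={client} {method} {url}")
```

Run it against the real access.log of the test listener; any line it prints is a request that reached the listener without passing through ZEN, which is the evidence to hand to support alongside a policy or bypass-list review.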