Zapp forwarding profile to local OnPremise private proxy

Hi Guru,

I read the community discussions below.

difference-between-tunnel-and-tunnel-with-local-proxy/5404
difference-in-use-of-app-profile-pac-file-and-forwarding-profile-pac-file/6847

and the docs below as well.

best-practices-using-pac-files-zscaler-app
configuring-forwarding-profiles-zscaler-app#forwarding-profile-action-zia

but I am still confused about what I should do.

BACKGROUND.
We use ZIA for office users. All good. Now we are implementing ZPA and Zapp.
Our internal domains (applications) are reachable via ZPA application segments + access policy. Our public domains are also reachable, as we bypass those so they do not go to ZPA.
So far so good. We are fine with Zapp + ZPA until we start the Zapp + ZIA forwarding profile.

We have to implement Zapp ZIA for our Road Warriors because we want them to use ZIA even when they are outside the office (Off-Trusted). We also have our partner proxy, which is written in the PAC file with a private IP address and proxy port. Those can be used by our internal On-trusted users.
For example,
if (
    shExpMatch(url, "https://abc.def.hijk.com:8443/*")
) {
    return "PROXY 10.1.1.1:8080";
}
That 10.1.1.1 is a partner proxy we cannot touch. It is a private IP that connects with our internal routing. The FQDN "abc.def.hijk.com" cannot be resolved with nslookup even from our internal On-trusted clients, but we can access it through the PAC file. We have 3 to 4 partners with similar PAC configurations, different proxies and ports.

QUESTION
Which mode should I use in the forwarding profile (TWLP or Enforce Proxy?), because we need to use the existing PAC file with the above partner proxy? The requirement is that Zapp Off-trusted Road Warriors should be able to reach all those partner URLs. Note: the ZPA connector cannot resolve those FQDNs to IPs. The CentOS ZPA connector can configure a proxy but not PAC files.

We are also discussing this in case #02483308, and remote assistance is available.

Kindly advise.

Regards
Minn

Hello Guru,

It works now.
Forwarding proxy TWLP + PAC.
PAC uses ${ZAPP_LOCAL_PROXY} and localHostOrDomainIs(host, "abc.def.hijk.com"),
ZPA application segments with On-Premise proxy.

Re.,
Minn
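
A sketch of the PAC logic the resolution above describes, as an added example that is not the poster's actual file: the partner host goes to the partner proxy (reachable off-network only because that proxy is published as a ZPA application segment), everything else to the Zapp local proxy. The return form `"PROXY ${ZAPP_LOCAL_PROXY}"`, the `routeFor` helper and the Node stand-in for `localHostOrDomainIs` are assumptions so the rules can be checked outside a browser.

```javascript
// Added example: forwarding-profile PAC rules for Tunnel with Local Proxy.
// Stand-in for the PAC built-in that browsers normally provide.
function localHostOrDomainIs(host, hostdom) {
  // True on an exact match, or when host is the unqualified first label of hostdom.
  return host === hostdom ||
    (host.indexOf(".") === -1 && hostdom.indexOf(host + ".") === 0);
}

// Values taken from the thread: partner FQDN and the partner's private proxy.
var PARTNER_HOST = "abc.def.hijk.com";
var PARTNER_PROXY = "PROXY 10.1.1.1:8080";

// Assumption: the client substitutes this macro with its local listener
// before the browser evaluates the PAC; the exact form is not shown in the thread.
var DEFAULT_ROUTE = "PROXY ${ZAPP_LOCAL_PROXY}";

function FindProxyForURL(url, host) {
  // Match on host, not on the full URL: the decision then does not depend
  // on how much of an https URL the browser passes to the PAC.
  if (localHostOrDomainIs(host, PARTNER_HOST)) {
    return PARTNER_PROXY;
  }
  // Everything else is handed to the Zapp local proxy (TWLP).
  return DEFAULT_ROUTE;
}

// Hypothetical helper: derive the host as a browser would, then ask the PAC.
function routeFor(url) {
  return FindProxyForURL(url, new URL(url).hostname);
}
```

Each additional partner gets its own host check and proxy return ahead of the default route, and each partner proxy needs a matching ZPA application segment.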