ZCC Working while on Trusted Network

Hi All,


Can someone within the community folks help me to understand ZCC ( Z-App) working while a user is on Trusted network. Assuming I already set the trusted network criteria in forwarding profile;

  1. Does Zpp goes to fail open mode when it detects trusted network ? Considering the fact I have transparent forwarding from the network edge device using GRE/IPSEC tunnels to public service edge?

  2. Or does it still establishes its own tunnel 1.0/2.0 depending on the configuration in the profiles ? In this case will it be a tunnel 1.0/2.0 inside a GRE /IPSEC tunnel at the edge device? or how does it work in this way?

  3. What would be a particular use case to use a Zpp for ZIA service when user is in corporate network and all my internet based traffic can be routed to public service edges using transparent forwarding at edge routers ? even my browser will use this GRE/IPSEC tunnel to forward interned based traffic to Zscaler public edges?

@Mac1809 When the app detects “trusted Network” based on the criteria you have configured in forwarding profile, you can go with one of the following options:

Tunnel: Even though you are on a trusted network, all your port 80 and 443 traffic will still be tunneled through Zscaler client connector (ZApp) using it own Z tunnel with an HTTP connect header.

Tunnel with Local Proxy: Though you are connected to a trusted network, Zscaler client connector will install a pac file on your device so that all traffic is tunneled to Zscaler through local host.

Enforce Proxy: Traffic will not be tunneled, instead system proxy settings will be used. You can also push proxy settings via ZCC while using “enforce proxy” option.

None: On detection of trusted network, Zscaler client connector “turns off” and does nothing. “On trusted network” message is displayed. All traffic is sent direct.

Hope this information helps you out!

1 Like

Thanks Raj for your comment!!!

And one more thing if you can help me …what is the exact difference between these two action (Enforce & Apply on network changes) for Configure System proxy setting option in forwarding profile .

The given explanation is as follows

Enforce: Client Connector enforces your proxy settings by monitoring for network changes and reapplying setting

Apply on Network Changes: Client Connector only enforces your proxy settings when the network changes, it does not monitor for proxy change afterward;