ZIA, Pulse Secure and Proxy


One of our customers want to use Zscaler ZIA and Pulse Secure (configured with Split tunneling).
Because some partners check the source IP address of the traffic (HQ IP Ranges), some traffic needs to to the proxy located on the DC (proxy IP is in the split tunneling range).
I tried to configure Proxies/Gateways + Forwarding Control (Proxy chaining) for specific URL but traffic seems to go ZEN…
Do I need to “play” the PAC file (App/Forwarding Profile) ?
Which are the configuration steps to solve this issue ??



This sounds to me like SIPA is the answer here with an app connector in the same network as the proxy you are trying to go through. Forget about proxy forwarding etc.

First, thanks for your input !
The customer still want to use the Pulse Secure appliance for traffic leading to internal network and ZIA package only (budget reason)…


you would need to create a pac file which sends by default anything to ZScaler and as exception to the onprem proxy you have.

roughly like this:

function FindProxyForURL(url, host) {
// set the default proxy clients should use

// define list of external systems which have to be routed via dedicated/on-prem proxy with known fixed IP
dst_proxy=new Array("staticip-needed.example.com","somewhere.else.example.net");

for (i in dst_proxy) if(shExpMatch(host,dst_proxy[i])) {GW="PROXY onprem-px.mycorp.com:8080"; break;}
if (isPlainHostName(host) || helper=="direct") return "DIRECT";
else return GW;

With that anything listed in array ‘dst_proxy’ will instruct the client to use onprem-px on port 8080 to connect, everything else will be sent to ZScaler CENR node at port 1234.

1 Like

We doing it the same way as Thomas described above for some time now. Just remember to put this “diversion” in the fwd-proxy pac-file.


Hi all,

Thanks a lot for your answer ! I will try this…