ZPA Data path for private application access

When using ZPA to access my internal applications hosted in the DC, will the traffic be analysed or inspected by the ZPA broker? Will the ZPA broker remain in the data path?

After the user and device pass authentication, does the trust broker remain resident in the data path?

Hi, yes, the broker remains in the data path. This is important to remove the attack surface from the connector and client, as these are outbound only. There is no inspection done by the broker. Also, your internal applications should be using encryption anyway, but if they don’t, you can enable double encryption per application segment; this will add another layer of encryption to your application traffic. This means you could have 3 layers of encryption: application, double encryption, and the connector/client encryption tunnel. I hope this answers your question.