ZPA working with Cisco Jabber and CTI

Long story made incredibly short:
Client has a Cisco Jabber phone system. They have ZIA and ZPA, for what information that is helpful.
When we route traffic direct and bypass ZPA, the calling features of Jabber work fine. The issue is they also have a piece of functionality called CTI (Computer Technology Integration) where the user can select a desk phone from the drop-down inside of the soft client and pick up the call there instead. The endpoint for CTI is a private endpoint and not externally exposed.

When we route all traffic through ZPA the CTI piece works, however as we all know the rest of the voice calling on the soft client fails.

I’ve tried breaking apart the traffic so that CTI was an internal endpoint running through ZPA and that didn’t seem to work. Any guidance that anyone could provide would be HUGE! The only thing I haven’t tried – and not sure if it would help is to use SIPA for the public endpoints of Jabber, but I can’t see at this point in the troubleshooting stage how that would help.

Anyone ever gotten CTI to work? Any help is greatly appreciated.

Do you have any Cisco Expressway solution in place? Can you connect to Jabber and all its services if you are outside the corporate network?

I have deployed ZPA with several customers doing Jabber. Jabber initially tries to connect to two main internal SRV records; if there is no DNS response it will query a third SRV record, but this one responds with a FQDN which is normally reachable from the outside world. In this scenario we have to bypass in ZPA using an app segment set to always bypass the two internal SRV records, and if the response to the third SRV record is a FQDN that falls into your ZPA app segments you might need to bypass that one too.

_cisco-uds._tcp.yourdomain.com
_cuplogin._tcp.yourdomain.com

This will allow you to send all the destined traffic outside ZPA.
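To make the lookup order above concrete, here is a small added Python helper (not from the thread, Cisco or Zscaler) that walks the SRV records in the order described and reports which names belong in a bypass app segment. The internal record names are the two from the post; the third record is assumed here to be the Collaboration Edge SRV record (`_collab-edge._tls`), and all DNS answers and app-segment patterns in it are constructed sample data. Swap `sample_resolve` for a real resolver (e.g. dnspython) to run it against your own domain.

```python
"""Decide which Jabber service-discovery names a ZPA bypass should carry.

Added example, not code from the original thread, Cisco or Zscaler.
SRV answers and app-segment patterns are constructed sample data.
"""
from fnmatch import fnmatch
from typing import Callable, Dict, List

# Records Jabber queries first (from the thread); only resolvable on-net.
INTERNAL_SRV = ["_cisco-uds._tcp.{domain}", "_cuplogin._tcp.{domain}"]
# Assumed third record: the Collaboration Edge (MRA) SRV name, which
# answers with an externally reachable Expressway-E FQDN.
EXTERNAL_SRV = "_collab-edge._tls.{domain}"

# Constructed sample answers for two scenarios. Scenario "mra" is the
# expected case: internal SRVs do not resolve off-net, the edge record
# points at a public Expressway. Scenario "overlap" shows an edge answer
# whose FQDN happens to fall inside a ZPA app segment.
SAMPLE_SRV: Dict[str, Dict[str, List[str]]] = {
    "mra": {
        "_collab-edge._tls.example.com": ["expressway-e.example.com"],
    },
    "overlap": {
        "_cisco-uds._tcp.example.com": ["cucm1.corp.example.com"],
        "_cuplogin._tcp.example.com": ["imp1.corp.example.com"],
        "_collab-edge._tls.example.com": ["edge.corp.example.com"],
    },
}


def sample_resolve(scenario: str) -> Callable[[str], List[str]]:
    """Return a resolver function that answers from SAMPLE_SRV."""
    table = SAMPLE_SRV[scenario]
    return lambda name: list(table.get(name, []))


def in_app_segment(host: str, app_segments: List[str]) -> bool:
    """True if host matches any app-segment domain pattern.

    Patterns use shell-style wildcards ("*.corp.example.com"); '*' spans
    dots, so the pattern also covers deeper subdomains.
    """
    host = host.lower().rstrip(".")
    for pattern in app_segments:
        p = pattern.lower().rstrip(".")
        if host == p or fnmatch(host, p):
            return True
    return False


def plan_bypass(domain: str, app_segments: List[str],
                resolve: Callable[[str], List[str]]) -> Dict[str, List[str]]:
    """Apply the thread's rule to one Jabber domain.

    - Both internal SRV names always go into the bypass app segment.
    - Any FQDN returned by the external SRV record that overlaps an
      existing ZPA app segment is flagged for bypass as well.
    - Other external targets are reported as already going direct.
    - internal_resolves lists internal SRV answers seen from this
      vantage point; anything here means Jabber would pick the internal
      path and voice would be sent through ZPA.
    """
    bypass = [name.format(domain=domain) for name in INTERNAL_SRV]
    internal_resolves = [t for name in INTERNAL_SRV
                         for t in resolve(name.format(domain=domain))]
    direct: List[str] = []
    for target in resolve(EXTERNAL_SRV.format(domain=domain)):
        if in_app_segment(target, app_segments):
            bypass.append(target)
        else:
            direct.append(target)
    return {
        "bypass": sorted(set(bypass)),
        "direct": sorted(set(direct)),
        "internal_resolves": sorted(set(internal_resolves)),
    }


if __name__ == "__main__":
    segments = ["*.corp.example.com"]
    for scenario in SAMPLE_SRV:
        print(scenario, plan_bypass("example.com", segments,
                                    sample_resolve(scenario)))
```

In the "overlap" scenario the edge FQDN sits under the same wildcard as the internal servers, so it shows up in the bypass list alongside the two SRV names; that is the case the post warns about.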

Yes, there’s an Expressway in use. When outside of the org all Jabber services work — except CTI. They have to connect to the Cisco ASA VPN to get the CTI service to work. Cisco does not support running the CTI through the Expressway at this time.

How does CTI traffic work?

I assume the endpoint makes a call to CTI internal server, what happens next?

If the traffic falls in a situation like client-to-client or server-to-client this might not work, for example if the CTI server initiates a brand new session towards the client. The app connector only receives connections from remote users; it doesn’t work in the opposite direction (ZTNA).

SIPA would help if the remote server was configured to see only a specific source IP address range (i.e. an internal VLAN in your corporate network).

See: Bypassing Unified Communications Traffic | Zscaler.

So, unlike the Jabber voice app, CTI does work when we funnel all Jabber traffic through ZPA. This gives us the functionality of CTI working, but not Jabber voice calls. We can then trade off where some users can have CTI functionality, but not the softphone. Others can have the softphone, but not CTI.

UC and CTI solutions typically involve the backend server making outbound requests to connect to the user’s endpoint or softphone. ZPA does not support this scenario. Here’s my response from a few months ago:

We had the same issue with one of my customers. Basically, the softphone is not supported by ZPA since the backend call manager needs to establish a direct connection with the softphone agent. Here’s the response we received from Zscaler support. Zscaler has two ERs, but no GA date. I hope this helps.

Issue: Softphone (IPC) not working as expected via ZPA.

  • Call Manager server located in DC (does not have a public IP enabled)
  • Remote users’ VOIP traffic going via ZPA
  • Confirmed Call Manager server-initiated connection fails to reach the user machine via ZPA (server-initiated connection failed to connect to the user client)
  • Currently server-initiated connections do not work with ZPA.

Possible Workaround:

We have two enhancements already opened with PM, requesting support for softphone and server-initiated connections with ZPA (ER-4829 and ER-4785).

Just checking to see if anyone has any thoughts? Right now, through SIPA with advanced cloud firewall, we have one group of users who can use CTI desk phone features remotely and Jabber text (but no softphone). Another group of users, who we set to bypass the ZPA app segment and not use the SIPA rule, can use the softphone and Jabber text but not the CTI desk phone.