When using ZPA Source IP Anchoring (SIPA) with ZIA, traffic is forwarded to ZIA, inspected as normal, and then forwarded over ZPA from the ZIA Public Service Edge to an App Connector, where it egresses, typically via a NAT boundary that presents your organisation's public IP address.
For HTTP/HTTPS traffic, this is forwarded in the same way you would forward traffic to ZIA from a location: a PAC file, a tunnel, or Client Connector using Z-Tunnel 1.0 or 2.0. For road warriors or home workers, this feature requires traffic to be forwarded to ZIA using Z-Tunnel 2.0.
Provided the feature is enabled on your tenant, you simply configure an application segment for source-IP-anchored applications. This can be a specific application such as www.acme.com, or a wildcard such as *.acme.com, together with the destination ports the application requires. Ensure that Source IP Anchor is enabled on the application segment. I tend to place the application segment into an application segment group for SIPA, which I apply to the client forwarding and access policies later. I also create a server group with dynamic discovery just for Source IP Anchoring.
Next, configure a client forwarding policy in ZPA matching on the application segments, with a rule action of Only Forward Allowed Applications, to ensure that the traffic isn't forwarded via ZPA directly from Client Connector.
Then configure an access policy to permit the traffic, matching on ZIA Service Edge and the application segment.
Because the application segment has Source IP Anchor enabled, it is synced into your ZIA tenant and becomes available for configuration within ZIA Forwarding Control.
First, add a gateway for ZPA in the ZIA Admin Portal, under Administration, Forwarding Methods, Zscaler Private Access, and select the server group you created earlier; you will see the application segments populate.
Then configure ZIA Forwarding Control, under Policy, Forwarding Control. Select ZPA as the forwarding method, select the application segment or segments, and set the action to forward to the ZPA gateway (the ZPA server group you created earlier). You can also match on location and other criteria.
At this point you should be ready to test. In the ZPA live logs you will see traffic originating from the ZIA Service Edge; additionally, ZIA transaction logs carry fields for forwarding method, forwarding rule, application segment and gateway name, showing that the traffic was forwarded to ZPA.
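A small audit of those ZIA transaction log fields, as an added example that is not from the original post or from Zscaler: it checks that every request to a host covered by the anchored application segment (www.acme.com and the *.acme.com wildcard above) actually shows forwarding method ZPA and the expected gateway name, and flags anything that went out DIRECT or via another gateway, which is the usual sign that the client forwarding policy or the Forwarding Control rule did not match. The key=value record layout, the segment name SIPA-ACME and the gateway name ZPA-SIPA-GW are constructed for this example and are not Zscaler's real log format.

```python
import fnmatch

# Anchored application segment as configured in ZPA. The segment name and the
# gateway name are assumptions for this example (use your own tenant's values).
ANCHORED_SEGMENTS = {
    "SIPA-ACME": {"hosts": ["www.acme.com", "*.acme.com"], "gateway": "ZPA-SIPA-GW"},
}


def parse_record(line: str) -> dict:
    """Parse one 'key=value key=value ...' record (constructed layout, not NSS format)."""
    return dict(kv.split("=", 1) for kv in line.split() if "=" in kv)


def matches_segment(host: str, patterns) -> bool:
    """True if the host falls under any of the segment's domain patterns."""
    return any(fnmatch.fnmatchcase(host, p) for p in patterns)


def audit(lines):
    """Return (segment, host, problem) for anchored hosts that were not forwarded to
    ZPA through the expected gateway. An empty list means SIPA behaved as intended."""
    findings = []
    for line in lines:
        rec = parse_record(line)
        host = rec.get("host", "")
        for name, seg in ANCHORED_SEGMENTS.items():
            if not matches_segment(host, seg["hosts"]):
                continue  # host is not part of this anchored segment
            method, gateway = rec.get("fwd_method"), rec.get("gateway")
            if method != "ZPA":
                findings.append((name, host, f"forwarded {method} instead of ZPA"))
            elif gateway != seg["gateway"]:
                findings.append((name, host, f"unexpected gateway {gateway}"))
    return findings


# Constructed sample transaction records: one correct, one leaked DIRECT,
# one unrelated host, one anchored host sent to a different ZPA gateway.
SAMPLE_LOGS = [
    "ts=2024-01-01T10:00:00Z user=alice@acme.com host=www.acme.com fwd_method=ZPA "
    "fwd_rule=SIPA-Rule app_segment=SIPA-ACME gateway=ZPA-SIPA-GW",
    "ts=2024-01-01T10:00:05Z user=bob@acme.com host=portal.acme.com fwd_method=DIRECT fwd_rule=Default",
    "ts=2024-01-01T10:00:09Z user=bob@acme.com host=www.example.org fwd_method=DIRECT fwd_rule=Default",
    "ts=2024-01-01T10:00:12Z user=carol@acme.com host=api.acme.com fwd_method=ZPA "
    "fwd_rule=Old-Rule app_segment=SIPA-ACME gateway=ZPA-OTHER-GW",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOGS):
        print(*finding, sep=" | ")
```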
It is also possible to forward non-web traffic via ZIA and onwards to ZPA for SIPA. However, this requires that a DNS Control policy is enabled so that name resolution directs the traffic to ZPA via ZIA.
An example guide is available below.