Zscaler App, Forwarding Profiles and Windows DirectAccess


I’m trying to configure Z-app to work with our DirectAccess setup, but keep running into an issue where DirectAccess can’t connect when I’m running tunnel mode, or any other mode for that matter. Do I need to configure split-tunnel? A pac file? A VPN gateway bypass? I’m a bit lost currently.

Wondering if anyone has experience setting this up? Cheers

Hi Regan,

I haven’t but I am about to setup something similar for one of our clients. I’d assume you need DA configured in split tunnel and DA end-point IP bypassed from Z-App using VPN gateway bypass. I’d be interesting to see if that fixes your issue.


Creating bypasses for the DA server, DHCP server and DNS server yield no results unfortunately.

Hi Regan,

Just to double check, the bypass you’ve configured is under the “Hostname or IP Address Bypass for VPN Gateway” field? Also is DA configured for split or full tunneling? If you’re OK sharing a packet capture I’d be happy to take a look to see if DA traffic is in fact going out direct.


I’ve actually got it working with DA now. My problem is just domain resolution - when a laptop connected to zscaler has the lid shut and the network driver is put to sleep, when it wakes up again, it can’t regain connection to DA until it’s manually turned off. Then it gets a connection, and you re-enable z-app, and it comes back.

Getting closer but still not in a deployable state…

Just in case anyone finds this, I fixed it by using Wireshark to observe outgoing DNS requests and creating a VPN bypass for the URL it was looking for.