Zscaler Client Connector version 3.8 can now use DTLS for tunnel type 2.0!

This is great news, as DTLS, like IPsec, has better performance than TLS, especially for VoIP traffic. Hope the ZPA tunnel will have such an option soon! About Z-Tunnel 1.0 & Z-Tunnel 2.0 | Zscaler

@Niokolay_Dimitrov, apologies, but I don't understand. Are you talking about the new features within ZCC 3.8 ("Adds two new options for the Z-Tunnel 2.0 protocol bypass feature: Redirect Web Traffic to ZCC Listening Proxy and Use Z-Tunnel 2.0 for Proxied Web Traffic")?

Or are you moving from Tunnel 1.0 to 2.0 yourself?

Hm, we have been using ZIA with Tunnel 2.0 and DTLS for quite some time (years) now and only switch manually to TLS when some of our employees have issues with their internet provider… :smiley:

DTLS has been available for quite some time already. The newly added options are for the Tunnel With Local Proxy running in the background of Tunnel 2.0. Whenever you have ZCC in Tunnel 2.0 you’ll have a loopback to point traffic at this background alternative method; this alternative method is originally just an HTTP CONNECT tunnel, but with the new option we will be able to do DTLS/TLS for that as well.

Redirect Web Traffic to ZCC Listening Proxy: this option is meant to remove a bit of complexity from Tunnel 2.0 domain-based bypasses by automatically pointing web traffic at the listening loopback instead of having to use the ZAPP_TUNNEL2_Bypass in a Forwarding Profile PAC.
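For readers who have not seen the PAC-based approach the reply refers to, here is an added example of a domain-based bypass in a Forwarding Profile PAC. It is not Zscaler's code and not from this thread: the bypass token is assumed to be the `ZAPP_TUNNEL2_BYPASS` macro the reply names (confirm the exact return string and casing against Zscaler's own PAC documentation), the domain list is constructed for illustration, and what ZCC does with a `DIRECT` result under Tunnel 2.0 is product behaviour the thread does not describe, so that return value is also an assumption. The helper avoids the classic `dnsDomainIs` suffix quirk where `notvoip.example.com` would match `voip.example.com`.

```javascript
// Added example: Forwarding Profile PAC with a Z-Tunnel 2.0 domain-based bypass.
// ASSUMPTION: the bypass return token below follows the ZAPP_TUNNEL2_Bypass macro
// mentioned in the thread; verify the exact string in Zscaler's PAC documentation.
const ZTUNNEL2_BYPASS = "ZAPP_TUNNEL2_BYPASS";

// ASSUMPTION / constructed: latency-sensitive domains an admin might exclude
// from the tunnel (e.g. a VoIP or conferencing service).
const BYPASS_DOMAINS = ["voip.example.com", "conferencing.example.net"];

// True when host equals the domain or is a subdomain of it.
// Deliberately stricter than PAC's built-in dnsDomainIs(), which does a plain
// suffix match and would treat "notvoip.example.com" as part of "voip.example.com".
function hostInDomain(host, domain) {
  const h = host.toLowerCase();
  const d = domain.toLowerCase();
  return h === d || h.endsWith("." + d);
}

// Returns true if the host should leave the Z-Tunnel 2.0 tunnel.
function isBypassed(host) {
  return BYPASS_DOMAINS.some((d) => hostInDomain(host, d));
}

// Standard PAC entry point; ZCC evaluates this per request.
function FindProxyForURL(url, host) {
  if (isBypassed(host)) {
    // Hand the flow out of the tunnel via the bypass macro.
    return ZTUNNEL2_BYPASS;
  }
  // ASSUMPTION: everything else is returned as DIRECT and left for ZCC to
  // handle under its Tunnel 2.0 forwarding rules.
  return "DIRECT";
}
```

Keep the bypass list short and reviewed: every domain added here is traffic that no longer traverses the tunnel's inspection path, so the list is itself a control worth change-tracking.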


Thanks Gabriel for the details. Much appreciated!

What about the ZPA tunnel? Does it use DTLS and fail over to TLS? In the documentation it is just TLS:

All communication between ZPA components travels within a mutually pinned, client- and server-certificate-verified TLS connection. Within this TLS-encrypted Zscaler Tunnel, a microtunneling protocol (i.e., Microtunnel) exists. Select components of ZPA run through this encrypted Microtunnel end-to-end.

Also, what I meant about Tunnel 2.0 being DTLS is that many times, when there are performance issues, it is better to check that the traffic has not failed over to TLS, as VoIP and other real-time applications get really affected by this, and some file transfers have low bandwidth if TLS is used, from what I have seen.

ZPA over DTLS is being tested by early adopters, but I’m sure (hoping) we’ll have the same level of control as with ZIA when it comes to the Prod release. We see so many ISPs squeezing the DTLS tunnel, which won’t help when it comes to ZPA.

