Zscaler Client with Split tunnel environment


Below is a description of the problem we encounter:

We have Salesforce domains that do source IP filtering, so they only accept requests coming from our IPs. To take these exceptions into account, we have created bypasses for the Salesforce domains in the two PAC files, the FWD PAC file and the App profile PAC file (because we are on the ztunnel2.0 version), and we have added to the split tunnel configuration the Salesforce domains that will have to go through this split tunnel.
However, we have noticed that there is a local evasion on the user’s computer when he tries to go to Salesforce; in fact, his request to Salesforce arrives with the user’s IP instead of the IP of the VPN gateway, which means that he cannot connect to Salesforce.
Does anyone have a solution for this problem?


Hello Yoha, I have a few questions:

  1. Where is the user located?
  2. You mention VPN gateway. Does that mean there is also a VPN client actively running on the user’s machine at the same time?


Hello Keith,

The user is located in France.
Yes, there is a VPN client running on the user's machine; the user turns it on when he tries to access Salesforce websites.


Have you considered using the Zscaler Identity Proxy for Salesforce? It will provide better security with less latency than going through VPN and just limiting the access to your IP addresses. Zscaler can provide Access Control by User/Group/Location, Advanced Threat Protection, DLP, File Control, and CASB Functionality (DLP, Malware) as well. The Identity Proxy Feature will ensure all access goes through Zscaler, is authenticated first using your IDP, and then security is applied using SSL decryption and DPI.

Just an Idea,

-Todd Harcourt-

Hello Todd,
Thank you for your feedback, but this is not an option we are considering implementing at the moment.
We just want to bypass Zscaler and send Salesforce traffic to the VPN tunnel.
Do you have any ideas about the problem we are facing?



There are a few things you can try, but it all depends on the ZCC version you are running and how you have it configured. Try bypassing the IPs or FQDN (Domain is supported on the latest versions) in the App profile under VPN bypasses. You can also try switching from Route based to Packet Filter, or vice versa. This will allow routes to direct the Salesforce IPs to the VPN. If those don’t work, open a support ticket and include the ZCC logs.


-Todd Harcourt-