Zscaler Gateway vs Sub Cloud

I am looking for the below.
Planning to use Proxy PAC.
I want the closest Zen to be used for the users.

For example, my location is close to Singapore, so it should forward the request to the Singapore Zen.
In case there is any issue with the Singapore region, it should use the Tokyo Zen…

Let me know how to achieve it.
Should I be using the Gateway or the Sub Cloud concept in the PAC configuration?

Hi Rajeev,

I suggest you open a ticket with your IP address, to check the default primary and secondary DCs we will resolve for your current location.

If you currently have your desired primary DC and secondary DC, you should be able to achieve your purpose by simply keeping the $GATEWAY and $SECONDARY_GATEWAY in the PAC file.

Thanks Jones
So I don’t need to use Sub Cloud.
With $GATEWAY I will be directed to the closest Zen, which will be Singapore.

Yes, in most cases. We resolve the $GATEWAY and $SECONDARY_GATEWAY based on Geo-IP mapping. So as long as you are close to Singapore geographically, you are fine.

You can do a quick test by downloading the default PAC from our admin console, and check if the variables match the IP ranges of your desired DC we published at ips.<your cloud name, such as zscaler.net>.com.

Thanks Jones

If I host the PAC on my own PAC server rather than on the Zscaler-hosted PAC, will I be able to use the below functionality?


I will host the PAC file on premises, point it to Zscaler, and use the above variable.
If so, will it still be able to provide me with the nearest ZEN IP?

Hi Rajeev,

The two variables are designed by Zscaler to leverage our CA to bring user traffic to the closest ZEN. They are not understood by a normal browser.

The way we make it work is that every time you download the PAC file from our CA, our CA resolves the variables to the closest ZEN based on the Geo-IP mapping on the fly, so that when the browser receives the file it only sees the actual primary and secondary ZEN IPs. As the Zscaler CA must be involved to do the translation on the fly, the PAC file must be hosted on the Zscaler PAC file server (which is part of our CA).
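
An added example, not part of the thread and not Zscaler's own code: a Node.js check covering the quick test suggested earlier and the self-hosting caveat in the last reply. It flags gateway variables left unresolved in a PAC file and checks the resolved proxy IPs against CIDR ranges. The sample PAC text, the port, the `${...}` spelling of the variables and the ranges (RFC 5737 documentation blocks) are assumptions constructed for illustration.

```javascript
// Constructed placeholder ranges; substitute the published ranges of your desired DCs.
const DESIRED_RANGES = ["192.0.2.0/24", "198.51.100.0/24"];

// Constructed samples: a PAC as served after variable resolution, and the same
// template copied to a self-hosted server, where nothing resolves the variables.
const RESOLVED_PAC =
  'function FindProxyForURL(url, host) {\n' +
  '  return "PROXY 192.0.2.10:80; PROXY 198.51.100.20:80; DIRECT";\n}';
const SELF_HOSTED_PAC =
  'function FindProxyForURL(url, host) {\n' +
  '  return "PROXY ${GATEWAY}:80; PROXY ${SECONDARY_GATEWAY}:80; DIRECT";\n}';

// Dotted-quad IPv4 address to unsigned 32-bit integer.
const ipToInt = (ip) =>
  ip.split(".").reduce((acc, octet) => ((acc << 8) | Number(octet)) >>> 0, 0);

function inCidr(ip, cidr) {
  const [base, bitsStr] = cidr.split("/");
  const bits = Number(bitsStr);
  const mask = bits === 0 ? 0 : (~0 << (32 - bits)) >>> 0;
  return ((ipToInt(ip) & mask) >>> 0) === ((ipToInt(base) & mask) >>> 0);
}

function auditPac(pacText, ranges) {
  // A literal $GATEWAY / ${GATEWAY} means the file was never resolved server-side,
  // so a browser would be handed a proxy host name it cannot use.
  const found = pacText.match(/\$\{?(?:SECONDARY_)?GATEWAY\}?/g) || [];
  const unresolved = [...new Set(found)];

  // Collect each distinct "PROXY a.b.c.d:port" entry in order (primary first).
  const proxies = [];
  const re = /PROXY\s+(\d{1,3}(?:\.\d{1,3}){3}):(\d+)/g;
  let m;
  while ((m = re.exec(pacText)) !== null) {
    const ip = m[1];
    if (proxies.some((p) => p.ip === ip)) continue;
    const range = ranges.find((r) => inCidr(ip, r)) || null;
    proxies.push({ ip, port: Number(m[2]), range });
  }

  const ok = unresolved.length === 0 && proxies.length > 0 &&
    proxies.every((p) => p.range !== null);
  return { unresolved, proxies, ok };
}

console.log(auditPac(RESOLVED_PAC, DESIRED_RANGES));
console.log(auditPac(SELF_HOSTED_PAC, DESIRED_RANGES));
```
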

