Zscaler - Hosted PAC

Below is my scenario.

  • From my branch location, I want to have a local internet breakout to Zscaler.
  • I will be using the PAC file which will be hosted in Zscaler (e.g. http://pac.zscalerbeta.net/abc.pac).
  • Each user PC in the branch will be configured with the Zscaler Proxy PAC URL.
  • When the user tries to browse to www.google.com from the browser, the following will happen.


  • In my branch router I don’t want to configure a complete default route. I want to configure only the routes for Zscaler,
  • i.e. the Zen Node IP range & the proxy PAC URL IP address.

My understanding is that the Zen Node IP address will be assigned based on the location.
But for the Proxy PAC URL resolution, will it always be the same, or will it change every time?

If it is the same, I will add the route for it, so that I don't open complete access to the Internet.
Only access to Zscaler for both Proxy URL resolution & Zen Node.

You should have all 8 ZS PAC IPs reachable (or 3 x /24 networks); see https://ips.zscaler.net/pac

Which CENR you end up on depends on the PAC content.
If you use the GATEWAY variable, you basically tell the PAC server ‘please fill in the CENR you think is best for this IP’.
I would propose that you also have routes for all CENR ranges; that is easier to maintain.
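
An added example, not part of the thread and not Zscaler code: a small audit that reads the PAC text a client actually receives and reports which proxy entries the branch's static routes cover. It assumes the PAC server has already replaced the GATEWAY variables with IP addresses; all addresses and prefixes are constructed documentation placeholders, and `auditPac` and the other names are hypothetical.

```javascript
// Constructed sample: PAC text as served to a client after the PAC server has
// filled in the gateway variables. Addresses are RFC 5737 placeholders.
const servedPac = `
function FindProxyForURL(url, host) {
  if (isPlainHostName(host)) return "DIRECT";
  return "PROXY 192.0.2.10:80; PROXY 198.51.100.20:80; DIRECT";
}`;

// Constructed sample: prefixes with static routes on the branch router
// (no default route, as in the scenario above).
const branchRoutes = ["192.0.2.0/24", "203.0.113.0/24"];

function ipToInt(ip) {
  return ip.split(".").reduce((acc, octet) => acc * 256 + Number(octet), 0);
}

function inCidr(ip, cidr) {
  const [net, bits] = cidr.split("/");
  const size = 2 ** (32 - Number(bits));
  return Math.floor(ipToInt(ip) / size) === Math.floor(ipToInt(net) / size);
}

// Extract every distinct PROXY/DIRECT entry from the PAC text and classify it.
function auditPac(pacText, routes) {
  const findings = [];
  const seen = new Set();
  for (const m of pacText.matchAll(/\b(PROXY\s+([^\s:;"]+):(\d+)|DIRECT)\b/g)) {
    const entry = m[2] ? `${m[2]}:${m[3]}` : "DIRECT";
    if (seen.has(entry)) continue;
    seen.add(entry);
    if (entry === "DIRECT") {
      // Without a default route, a DIRECT fallback has nowhere to go.
      findings.push({ entry, status: "no-default-route" });
    } else if (!/^\d+(\.\d+){3}$/.test(m[2])) {
      // A hostname also needs DNS resolution before routing can be checked.
      findings.push({ entry, status: "hostname-needs-dns" });
    } else {
      const routed = routes.some((r) => inCidr(m[2], r));
      findings.push({ entry, status: routed ? "routed" : "unrouted" });
    }
  }
  return findings;
}

console.log(auditPac(servedPac, branchRoutes));
```

An `unrouted` entry means the PAC server picked a gateway outside the prefixes the router knows about, which is the case that routing all CENR ranges avoids.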