Zscaler Proxy PAC

(Rajeev Srikant) #1

I am planning to use Zscaler PAC to forward all my user internet traffic to Internet.
This will be used for users who are inside the LAN network & also for the mobile users.
Below are my queries:

  1. I understand that I can use custom PAC file for my organization
    Question : How to differentiate my organization PAC file from others ?
    How it will be restricted only to my organization ?
    Do I need to purchase dedicated port for this ?

  2. DNS - For users internal in my LAN how will the DNS resolution for the proxy PAC URL ?
    Question : Should my internal DNS be able to resolve the Zscaler Proxy PAC URL ?

  3. How redundancy is achieved when using Proxy PAC ?

    • How auto failover happens when 1 Zen node goes down & how automatically it is switched to alternate Zen node ?
  • Will there be any down time.
(Rajeev Srikant) #2

any inputs regarding this.

(Rajeev Srikant) #3

In addition to the above I found the below from YouTube.

Not clear about the 2nd and 3rd option.
What is the difference between 2nd and 3rd option

(Ramesh M) #4

$Gateway returns the closet ZEN IP based on Geo IP location of the client.
gateway.zscaler.net returns the the ZEN IP closet to the DNS server. Here the server resolve the IP address based on GEO IP of the DNS server. FOr example if you are using US DNS server in India, then returns US ZEN IPs.

(Rajeev Srikant) #5

Thanks Understood.
Could you please help in answering my other queries as well.

(Patrick) #6

Hi Rajeev,

Questions under 1:

Question under 3:

  • You can enter the {GATEWAY} and {SECONDARY_GATEWAY}. If the client can’t reach the GATEWAY it will send the request over to SECONDARY_GATEWAY. But from our experience there are almost never problems with a Zscaler Node and if there is a big problem Zscaler often reroute the traffic to another Node without any change of client configuration needed. I have never seen a better IT related service in reliability, performance and support then Zscaler.

Best Regards,
Patrick

(Rajeev Srikant) #7

Hi Patrick - Thanks.

Regarding the 1st question if I am not using obfuscate URL & if any one outside my company knows about my proxy URL, “http://pac.zscaler.net/acme.corp/mypacfile.pac” they will be able to use it - Let me know if my understanding is right.

Regarding 3rd question is there any document or reference link which explains this in detail.

(Patrick) #8

Hi Rajeev,

They can download the pac file and read the content. Maybe this will expose some information about your internal infrastructure but if they start try to use Zscaler they have to authenticate with a valid user from your Zscaler authentication source. If they can’t authenticate proper they can’t use the Zscaler service.

The only reference for failover is mentioned in Best Practices For Writing PAC Files
.

Best Regards,
Patrick

1 Like
(Rajeev Srikant) #9

Thanks Patrick

Regarding the point which you mentioned above that the client will use the secondary Zen Proxy in case of failure of the primary , let me know how much will it require to switch over to the secondary.
What is the expected time for the switchover to the secondary proxy in case primary proxy fails.

(Scott Bullock) #10

Proxy failover depends on the os/browser and is usually not configurable. Most browsers failover after 30 seconds of network-connection loss.

(Rajeev Srikant) #11

Thanks.
any official document from Zscaler where this has been highlighted or explained

(Scott Bullock) #12

Not really, documenting behaviours of product we have no control over is hard to reliably maintain. Perhaps ask on the browser-vendor forums, most document their failover process, but I’ve not been able to source specific timing/metrics.

E.g.