Zscaler, SIP and UDP call flow

Hi all, I am hoping I can find some answers to some of these questions/concerns I have with a Zscaler deployment using a combination of client connectors, PAC and GRE tunnel for routing traffic to Zoom Phone cloud. I have read some articles that raised latency and jitter as one issue seen within Zscaler used for voice traffic. I have also read an article from Zscaler that suggests bypassing Zscaler for UC traffic.

Bypassing Zscaler for UC traffic:


"Unified communications (UC) traffic for off-network and on-network users should use edge servers, externally accessible Session Border Controllers (SBCs), or UC gateways. These deployment models are recommended by UC vendors (for example, Skype for Business). Zscaler highly recommends adopting one of these UC deployment models to provide the best performance. Zscaler also recommends not sending UC traffic to ZPA, as this has the potential to add latency and jitter to the communication"

Bypassing Zscaler for MSFT media

In light of all this I have a few concerns and queries that I would appreciate Zscaler addressing:

  1. Will Zscaler NAT traffic coming from clients before forwarding to Zoom Phone cloud? What will the impact of this be on VoIP traffic, since traffic going to Zscaler through the GRE tunnel via the DMZ firewall will be NATed?

  2. What is the interaction of Zscaler and SIP traffic? Based on my tests so far, I don't see Zscaler involved in the SIP flow. How does Zscaler cloud intercept media and proxy it back through its cloud from Zoom's cloud SBC?

  3. How is UDP traffic/media routed through Zscaler cloud and to the Zscaler client running client connector, and how do you view the media within the Zscaler portal?

  4. How many Zscaler customers are using it for VoIP traffic? What are the optimisations done to achieve a good voice quality with these customers?

  5. How many latency and jitter related issues is Zscaler aware of and, based on the links above, should we indeed not be using Zscaler for voice traffic?

Z-app picks only TCP 80 and 443 traffic if using Tunnel 1.0.
All traffic is picked only when you are using Tunnel 2.0.

Regarding NAT, Zscaler will send all web traffic to Zscaler cloud and any destination would see your traffic coming from Zscaler IPs, which can be found on ips.yourcloud, e.g. ips.zscaler.net in case you are provisioned on the zscaler.net cloud.

Hope I was able to answer some of your questions.


Thank you for your answer. The interesting thing is that I do not see any Zscaler IP when I send calls to Zoom. I only see my own PUBLIC IP, which suggests that my traffic is asymmetric. I wonder what the issue is here…
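
One way to audit which path each flow took, using the Tunnel 1.0 / Tunnel 2.0 rule and the egress-IP behaviour described in the reply above. This is an added example, not part of the thread and not Zscaler code; the addresses, ports and flow records are constructed placeholders, and all function names are hypothetical.

```python
import ipaddress
from dataclasses import dataclass

# Constructed placeholders (RFC 5737 documentation ranges), not real Zscaler
# or site addresses. Real egress ranges come from the ips.<yourcloud> page.
PROXY_EGRESS = [ipaddress.ip_network("203.0.113.0/24")]
SITE_PUBLIC_IP = ipaddress.ip_address("198.51.100.10")

@dataclass
class Flow:
    proto: str      # "tcp" or "udp"
    dst_port: int
    seen_src: str   # source IP the far end (or an IP-echo service) reported

def expected_path(flow, tunnel_version):
    """Rule from the reply: Tunnel 1.0 picks only TCP 80/443, Tunnel 2.0 picks all."""
    if tunnel_version == "2.0":
        return "proxy"
    if flow.proto == "tcp" and flow.dst_port in (80, 443):
        return "proxy"
    return "direct"

def observed_path(flow):
    """Classify by the source address the destination actually saw."""
    src = ipaddress.ip_address(flow.seen_src)
    if any(src in net for net in PROXY_EGRESS):
        return "proxy"
    if src == SITE_PUBLIC_IP:
        return "direct"
    return "unknown"  # e.g. another NAT hop or a stale egress list

def audit(flows, tunnel_version):
    """Return (flow, expected, observed) for every flow where the two differ."""
    mismatches = []
    for f in flows:
        exp, obs = expected_path(f, tunnel_version), observed_path(f)
        if exp != obs:
            mismatches.append((f, exp, obs))
    return mismatches

# Constructed sample: one web flow and two UDP voice-style flows.
SAMPLE_FLOWS = [
    Flow("tcp", 443, "203.0.113.25"),
    Flow("udp", 5060, "198.51.100.10"),
    Flow("udp", 20000, "198.51.100.10"),
]

if __name__ == "__main__":
    for version in ("1.0", "2.0"):
        for f, exp, obs in audit(SAMPLE_FLOWS, version):
            print(f"Tunnel {version}: {f.proto}/{f.dst_port} expected {exp}, observed {obs}")
```

With the sample data the audit is clean under Tunnel 1.0 and flags both UDP flows under Tunnel 2.0, which is the kind of mismatch worth investigating in the forwarding configuration.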