Ztunnel v2 - how do I route traffic to a specific vZEN

Hi,

What is the correct way to route traffic for a specific URL to a specific vZEN when using zTunnel v2?

Is it by simply adding such statement to the app profiles PAC file:

if (shExpMatch(host, "*.myhost.com"))
    return "PROXY vzen.mynet.net:80";

Thanks Tom

Hi Mitchell,

Ztunnel 2.0 now doesn’t support sending traffic to more than one ZEN. It will only use the PAC file to find out the DC to be connected.

Best Regards,

Jones Leung

Manager of Systems Engineering

ASEAN & Greater China

ZScaler, Inc

Hi Jones,

So there is no way to route dedicated URLs through vZENs?

Our tests showed that at least in our office this is working with two ZENs (a global ZEN IP and a vZEN) with ztunnel v2.

I am a bit confused because I heard different statements about this one ZEN restriction.

Regards Thomas

Hi Tom,

So when you say it works for your office location, do you mean you are sending some URLs to one zen and others to the other one?

Also, would you confirm with the zapp window that it is running with ztunnel 2.0? As ztunnel 2.0 can fallback to ztunnel 1.0 if it is not successfully built.

And what is your actual use case for sending some URLs to VZEN? If it is to consume your local IP address, source IP anchoring is probably a better and new option to go (https://help.zscaler.com/zia/about-source-ip-anchoring).

Best Regards,

Jones

Hi Jones,

So when you say it works for your office location, do you mean you are sending some URLs to one zen and others to the other one?

Yes exactly. The zAPP shows connection with tunnel v2 to the Global ZEN handled by a Silver Peak Appliance. And special URLs which need IP preservation are correctly tunneled to our vZen Port 80.

Also, would you confirm with the zapp window that it is running with ztunnel 2.0? As ztunnel 2.0 can fallback to ztunnel 1.0 if it is not successfully built.

Yes, DTLS. But what we learned is that there is a restriction that zAPP can only handle the tunnels via the default network interface. In our case, when working remotely, the vZENs for special URLs are only accessible via the VPN virtual adapter. Running Wireshark we can see zAPP trying to connect to the vZEN, but sadly on the default network adapter. The workaround we are currently using is a PAC statement in the forwarding profile which bypasses the zTunnel and connects to the vZEN on the Kerberos port 8800.

And what is your actual use case for sending some URLs to VZEN? If it is to consume your local IP address, source IP anchoring is probably a better and new option to go (https://help.zscaler.com/zia/about-source-ip-anchoring).

The reason is (1) source IP anchoring and (2) getting around "regional access problems".
We are currently looking into the new option but are still waiting for info on how this is handled license-wise, since we only have ZIA.

Regards Tom

Hi Tom,

If you want to send traffic to a specific proxy IP (regardless of vZEN or something else) in ztunnel2.0, you have to add this statement to your forwarding profile PAC:

if (shExpMatch(host, "*.myhost.com"))
    return "PROXY vzen.mynet.net:80";

If you want to bypass traffic completely in ztunnel2.0, you have to send it to the bypass variable ${ZAPP_TUNNEL2_BYPASS} (which is resolved to 127.0.0.1:9000). This traffic will be sent to the listener port of the Zscaler Client Connector. Therefore you need the same bypass in the App Profile PAC, but then with the return "DIRECT" (yes, this is a little bit complex).

Do not try to send traffic in the App Profile PAC to a specific IP for bypasses. Zscaler Client Connector will try to use it as a ZEN to connect to, so it will try to establish a ztunnel2.0 to this IP. The only thing you can do is to return the Country Gateway variable in the App Profile PAC with ztunnel2.0. Then Zscaler tries to use the ZEN in your country to connect the ztunnel.

Best regards,
Oliver
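
The forwarding-profile / app-profile PAC pair that Oliver describes, written out as an added example (not code from this thread or from Zscaler) so the decision logic can be exercised offline. The bypass hostname, the forwarding PAC's default return and the app PAC's default line using Zscaler's ${GATEWAY} variable are assumptions; ${ZAPP_TUNNEL2_BYPASS} is substituted by the client before the PAC runs.

```javascript
// PAC engines provide shExpMatch(); this shim ('*' and '?' globs only)
// is here only so the PAC functions can run under Node for testing.
function shExpMatch(str, shexp) {
  const re = "^" + shexp.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                        .replace(/\*/g, ".*").replace(/\?/g, ".") + "$";
  return new RegExp(re).test(str);
}

// Forwarding profile PAC: tells Zscaler Client Connector where to forward.
function forwardingProfilePAC(url, host) {
  if (shExpMatch(host, "*.myhost.com"))
    return "PROXY vzen.mynet.net:80";          // steer to the vZEN
  if (shExpMatch(host, "*.bypass.example"))     // constructed bypass host
    return "PROXY ${ZAPP_TUNNEL2_BYPASS}";      // hand to the 127.0.0.1:9000 listener
  return "DIRECT";                              // assumed default: into the tunnel
}

// App profile PAC: the same bypass list must come back as DIRECT here,
// otherwise the listener would treat the destination as a ZEN.
function appProfilePAC(url, host) {
  if (shExpMatch(host, "*.bypass.example"))
    return "DIRECT";
  return "PROXY ${GATEWAY}:80; DIRECT";         // assumed default line
}

// Consistency check for the "same bypass in both PACs" requirement:
// returns the hosts the forwarding PAC bypasses but the app PAC does not.
function bypassMismatches(hosts) {
  return hosts.filter(h =>
    forwardingProfilePAC("http://" + h + "/", h) === "PROXY ${ZAPP_TUNNEL2_BYPASS}" &&
    appProfilePAC("http://" + h + "/", h) !== "DIRECT");
}
```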

Hi Oliver,

thanks for your feedback.

Do not try to send traffic in the App Profile PAC to a specific IP for bypasses. Zscaler Client Connector will try to use it as a ZEN to connect to. So it will try to establish a ztunnel2.0 to this IP.

But that is exactly what I want to do when using a vZEN, correct?
So if I understood correctly for a vZEN tunnel connection to be made I would add this to the APP profile:

if (shExpMatch(host, "*.myhost.com"))
    return "PROXY vzen.mynet.net:80";

Regards Thomas