So when you say it works for your office location, do you mean you are sending some URLs to one zen and others to the other one?
Yes exactly. The zAPP shows connection with tunnel v2 to the Global ZEN handled by a Silver Peak Appliance. And special URLs which need IP preservation are correctly tunneled to our vZen Port 80.
Also, would you confirm with the zapp window that it is running with ztunnel 2.0? As ztunnel 2.0 can fallback to ztunnel 1.0 if it is not successfully built.
Yes DTLS. BUt what we learned is that there is a restriction that zAPP can only handle the tunnels via the default network interface. In our case when working remotely the vZens for special URLs are only accessible via the VPN virtual adapter. Running wireshark we can see zAPP trying to connect to the vZEN but sadly on the default network adapter. The workaround we are currently using is a PAC statement in the forwarding profile which bypasses the zTunnel and connect to the vZEN on the Kerberos port 8800.
And what is your actual use case for sending some URLs to VZEN? If it is to consume your local IP address, source IP anchoring is probably a better and new option to go (https://help.zscaler.com/zia/about-source-ip-anchoring).
The reason is (1) source ip anchoring and (2) getting around “regional access problems”.
We are currently looking into the new option but still waiting also for infos how this is handled license wise since we only have ZIA.