Noob questions about Zscaler

Hi, I work in a large company that recently adopted Zscaler. My workflow is: activate the Zscaler client on my PC, open a specific URL in the browser, launch a Citrix connection to my remote PC running in a server farm in my company.

My questions are:

  1. Is my understanding correct that once I enable the Zscaler client all my traffic runs through Zscaler servers, or is it configured for specific URLs? Is it possible to run connections only to specific sites with it?

  2. I used to have a VPN client (NordVPN in my case) running. Is my understanding correct that it clashes with Zscaler? When I run both of them, Zscaler often shows a message that secure access is disconnected.

Is it possible to have a setup where I run a VPN on my PC and inside it there is a Zscaler connection created to give me access to my work PC? So, for example, I can have a torrent running in the background and it doesn’t go through Zscaler or my work networks?

Thanks.

Are you using Zscaler Internet Access or Zscaler Private Access?

You should not be running a VPN at the same time as Zscaler.

In theory you could configure a split VPN, so only torrent traffic would go through it, but this isn’t practical. It sounds like you are using Zscaler Private Access which only forwards traffic based on specific URLs or networks.

ZCC can be run with a VPN, but conflicts are also common. Typically, configuration specific to the VPN connection would be added to the Zscaler tenant.

If you go to a site like ip.me that shows your IP you can see if you are proxying through Zscaler. Also going to ip.zscaler.com will show if you are going via their DCs.

One of the configuration options is to disable the security (ZPA or ZIA) if a VPN is detected. Sounds like that’s what’s going on.

You can run a VPN when using ZPA, but you have to bypass the VPN address in the specific App Profile on the Client Connector Portal.

It is a Zscaler Client Connector.

Private Access. Generally, your admins would create “app segments” for certain URLs or IP blocks and associated TCP/UDP ports. So likely just specific traffic is being steered.

There’s a debug command you can run on macOS and grep for to see what apps steer thru ZPA. Probably would see the same in Windows.

Another tip is to use DevTools in Chrome. Anything 100.64 is going over ZPA.

You can also use nslookup to determine if something steers over ZPA or not.
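
The nslookup check from the last two replies, as an added example that is not part of the thread: it parses nslookup output and reports whether the answer falls in the 100.64 range. The host names and sample outputs are constructed, and reading "100.64" as 100.64.0.0/16 is an assumption.

```python
import ipaddress
import subprocess
import sys

# Assumption: the thread's "anything 100.64" read literally as 100.64.0.0/16.
ZPA_RANGE = ipaddress.ip_network("100.64.0.0/16")

# Constructed nslookup output (hypothetical host names, Windows-style layout).
SAMPLE_ZPA = """Server:  resolver.example.internal
Address:  100.64.0.1

Name:    workpc.corp.example
Addresses:  100.64.1.23
          100.64.1.24
"""
# Constructed nslookup output in the Linux/macOS layout.
SAMPLE_DIRECT = """Server:\t\t192.0.2.53
Address:\t192.0.2.53#53

Non-authoritative answer:
Name:\twww.example.org
Address: 198.51.100.7
"""

def answer_ips(output):
    """Return IPs from the answer section, skipping the resolver's own address."""
    _, found, tail = output.partition("Name:")
    if not found:            # NXDOMAIN, timeout, or no records
        return []
    ips = []
    for token in tail.split():
        try:
            ips.append(ipaddress.ip_address(token))
        except ValueError:   # host names, "Address:" labels, etc.
            pass
    return ips

def classify(output):
    """'zpa' if any answer is in ZPA_RANGE, 'direct' if none is, else 'unresolved'."""
    ips = answer_ips(output)
    if not ips:
        return "unresolved"
    return "zpa" if any(ip in ZPA_RANGE for ip in ips) else "direct"

if __name__ == "__main__":
    for host in sys.argv[1:]:
        out = subprocess.run(["nslookup", host], capture_output=True, text=True).stdout
        print(host, classify(out), [str(ip) for ip in answer_ips(out)])
```

Run it with one or more host names as arguments; only the addresses after the `Name:` line are classified, so a resolver that itself sits in 100.64 does not cause a false "zpa" result.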