Using VPN with Zscaler

In our company, we use a VPN (Meraki) to connect to certain services. This was set up prior to Zscaler and is used for whitelisting purposes (i.e. a vendor needs a static IP for whitelisting).

On our Chromebooks (Android, as Zscaler calls them), our users are not able to connect to the VPN alongside Zscaler, even if disabling ZIA/ZDX, so they need to completely log out and then it works.

Can anyone recommend how to use another VPN alongside Zscaler by adding a bypass or something similar?

TIA

Why don’t you simply use SIPA and have the same approach with the static IP address and remove the VPN altogether?

Use SIPA, and you won’t need any VPN. Better battery life, simpler config, and no pointing fingers when troubleshooting!

We are in the process of setting SIPA up but just needed an immediate bypass, if it was possible, for the time being.

Costs extra if your current plan doesn’t include it or you aren’t using ZPA.

I came across this page https://help.zscaler.com/zscaler-client-connector/best-practices-zscaler-client-connector-and-vpn-client-interoperability and it says:

“For Android, you cannot run Zscaler Client Connector and any third-party VPN simultaneously because the Android OS only allows one concurrent VPN at a time.”

But even when disabling ZIA/ZDX, VPN usage still does not work. Would the user need to completely exit Zscaler?

There is a new feature coming out next year called Egress NAT, where you can do this from ZIA, but you’re correct that the only way to IP anchor right now is by sending the traffic through ZPA.

The other solution is to have the vendor whitelist all ZIA egress IPs. They wouldn’t be specific to your tenant, but egress IP is only one criterion, so it’s pretty low risk.