Adding Bypasses for Z-Tunnel 2.0

3 BYPASSES that you can deploy on Z-Tunnel 2.0

Following are the best practices for IP-based bypasses:

• VPN Gateway Bypasses

• Destination Exclusions and Inclusions

• Port Based Bypasses

1. IP-Based Bypasses

   For Z-Tunnel 1.0, you can add network bypasses to the app profile PAC file. But if you are using Z-Tunnel 2.0, do not add network bypasses to Zscaler Client Connector profile policy’s PAC file.

   For Z-Tunnel 2.0, you must add the network bypasses as VPN gateway bypasses or destination exclusions.

2. Domain-Based Bypasses

   You can configure domain-based bypasses with custom PAC files for the forwarding profile and the app profile. This allows you to create bypasses for domain-based applications (i.e., applications that can’t be resolved to a single IP address).

   This bypass requires Z-Tunnel 1.0 listener, which can only bypass the web traffic (i.e., HTTP/HTTPS traffic) originating from the system proxy. You must route system proxy traffic to the listener and then bypass the domains in the app profile PAC.

   To configure domain-based bypasses :

   • Configure the Forwarding profile PAC file

     Configure the Forwarding Profile PAC file to include the Z-Tunnel 2.0 bypass return statement for any destinations you want to send direct:

     In Tunnel mode, you must only use the Forwarding Profile PAC file to bypass traffic away from Zscaler Client Connector or to tunnel traffic to Zscaler Client Connector. Do not use it to tunnel traffic to the Zscaler cloud.

     function FindProxyForURL(url, host) {
     
     /* Updates are directly accessible */
     if (dnsDomainIs(host, "<domain>"))
     return "PROXY ${ZAPP_TUNNEL2_BYPASS}";
     
     /* Default Traffic Forwarding. Return DIRECT to tunnel using Tunnel2 */
     return "DIRECT";
     }
     

     For <domain>, enter the domain URL or wildcard you want to bypass for Z-Tunnel 2.0.

     Close

   • Configure the App profile PAC file

     Configure the App Profile PAC file to include a return direct statement for the domain:

     function FindProxyForURL(url, host) {
     var privateIP = /^(0|10|127|192\.168|172\.1[6789]|172\.2[0-9]|172\.3[01]|169\.254|192\.88\.99)\.[0-9.]+$/;
     var resolved_ip = dnsResolve(host);
     
     /* Updates are directly accessible */
     if (dnsDomainIs(host, "<domain>"))
     return "DIRECT";
     
     /* Default Traffic Forwarding */
     return "PROXY ${GATEWAY}:443";
     }
     

     For <domain>, enter the same domain URL or wildcard you’ve configured in the forwarding profile PAC.

3. Port-Based Bypasses

   To add a port-based bypass, add the port to the network bypass in the Destination Exclusions field in Zscaler Client Connector profile. You must add the port to the end of the network bypass.

   For example, to bypass port 80 for the subnet 192.168.1/24, add 80 to the end of the subnet. The port-based bypass is 192.168.1/24:80.

   You can also bypass a range of ports by adding the port range to the end of the network bypass. In this example, the subnet is 192.168.1/24 and the port range is from 80 to 85. The port-based bypass is 192.168.1/24:80-85.