
Tunnel 2.0: Domain Based Bypasses + Proxy Listener Configuration

In the Tunnel forwarding mode with Z-Tunnel 2.0, Zscaler Client Connector behaves as a pseudo-VPN client and "includes" or "excludes" traffic at the IP layer, which means it has no native way to recognize domain names, host names or URLs for special treatment. However, you can configure domain-based bypasses with custom PAC files for the forwarding profile and the app profile. This allows you to create bypasses for domain-based applications (e.g. applications whose traffic cannot be resolved to a single, stable IP address or range that an IP-based bypass could cover).

The following is the 2-step configuration process that will achieve the domain-based bypasses:

  1. Explicitly proxy traffic for specific FQDNs, domains or URLs into Client Connector using the ${ZAPP_TUNNEL2_BYPASS} macro in the Forwarding Profile PAC file, and

  2. Bypass the same FQDNs or domains in the App Profile PAC file.

Do take note that this 2-step process downgrades the traffic to be bypassed (or proxied) to Z-Tunnel 1.0 with a TWLP (Tunnel with Local Proxy) configuration, so that it can be handled by bypass or proxy statements in the App Profile PAC file. In other words, the matched traffic still passes through the Client Connector local proxy listener; it is only excluded from the Z-Tunnel 2.0 tunnel, and whether it then goes direct or to the Zscaler gateway is decided by the App Profile PAC. The option to bypass hosts from the Forwarding Profile PAC file (so that Zscaler Client Connector does not process that traffic at all) is not available for these Z-Tunnel 2.0 domain-based bypass destinations.

To configure domain-based bypasses:

  1. Configure the Forwarding profile PAC file

    Configure the forwarding profile PAC file to include the Z-Tunnel 2.0 bypass return statement for any destinations you want to send direct:

    function FindProxyForURL(url, host) {

        /* Domain-based bypass: hand matching hosts to the Client Connector local
           proxy listener (Z-Tunnel 1.0 / TWLP path), where the App Profile PAC
           decides whether they go direct or to the gateway */
        if (dnsDomainIs(host, "<domain>"))
            return "PROXY ${ZAPP_TUNNEL2_BYPASS}";

        /* Default traffic forwarding. In the Forwarding Profile PAC, DIRECT means
           "send through the Z-Tunnel 2.0 tunnel", not "bypass Zscaler" */
        return "DIRECT";
    }

    For <domain>, enter the domain suffix you want to bypass for Z-Tunnel 2.0 (e.g. ".example.com"). dnsDomainIs() is a suffix match on the host name, so ".example.com" matches hosts under example.com but not the bare name example.com; if you need wildcard patterns, use shExpMatch(host, "*.example.com") instead. Use the same matching function and pattern in both PAC files so the two evaluations agree.

  2. Configure the App profile PAC file

    Configure the app profile PAC file to include a DIRECT return statement for the same domain, so that the traffic handed over by the forwarding profile PAC leaves the local proxy listener without going to the Zscaler gateway:

    function FindProxyForURL(url, host) {

        /* Domain-based bypass: these hosts were sent here by the Forwarding Profile
           PAC via ${ZAPP_TUNNEL2_BYPASS}; return DIRECT so they leave the local proxy
           listener without going to the Zscaler gateway */
        if (dnsDomainIs(host, "<domain>"))
            return "DIRECT";

        /* Kept from the default app profile PAC. These two lines are unused by the
           rules below; keep them only if you also retain the default PAC's
           private-IP DIRECT rule (privateIP.test(resolved_ip)), otherwise they
           cost a DNS lookup per request for nothing */
        var privateIP = /^(0|10|127|192\.168|172\.1[6789]|172\.2[0-9]|172\.3[01]|169\.254|192\.88\.99)\.[0-9.]+$/;
        var resolved_ip = dnsResolve(host);

        /* Default traffic forwarding: everything else the listener receives is
           proxied to the Zscaler gateway over Z-Tunnel 1.0 */
        return "PROXY ${GATEWAY}:443";
    }

    For <domain>, enter exactly the same domain suffix (or shExpMatch() wildcard) you configured in the forwarding profile PAC. If a domain matches in the forwarding profile PAC but not here, its traffic is not bypassed: it is downgraded to Z-Tunnel 1.0 and proxied to ${GATEWAY}:443, so it still reaches Zscaler, only over the older tunnel.
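The following is an added example, not Zscaler's code or part of the original article: a small offline harness that evaluates both PAC files from the procedure above for a list of hosts and reports which path each host takes (Z-Tunnel 2.0, bypassed direct, or proxied to the gateway over Z-Tunnel 1.0). The domain lists, host names and the placeholder values substituted for the ${ZAPP_TUNNEL2_BYPASS} and ${GATEWAY} macros are constructed assumptions; dnsDomainIs() and shExpMatch() are re-implemented here with their standard PAC semantics so the harness runs under Node.js without a browser or Client Connector. The app profile list deliberately omits one domain to show the failure mode described above.

```javascript
// Added example (not Zscaler's code). Evaluates the two-step PAC configuration
// offline so both files can be checked for agreement before deployment.

// --- Minimal PAC helper functions (standard semantics) ---
// dnsDomainIs(): true if host ends with domain. Note ".example.com" does NOT
// match the bare host "example.com".
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
    host.substring(host.length - domain.length) === domain;
}
// shExpMatch(): shell-style glob where * matches any run and ? one character.
function shExpMatch(str, shexp) {
  const re = "^" + shexp.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                        .replace(/\*/g, ".*").replace(/\?/g, ".") + "$";
  return new RegExp(re).test(str);
}

// --- Assumed placeholders for the Client Connector macros ---
const ZAPP_TUNNEL2_BYPASS = "127.0.0.1:9000";   // stands in for ${ZAPP_TUNNEL2_BYPASS}
const GATEWAY = "gateway.example-zscaler.net"; // stands in for ${GATEWAY}

// Constructed domain lists. ".example.net" is intentionally missing from the
// app profile list to demonstrate the mismatch failure mode.
const FWD_BYPASS_DOMAINS = [".updates.example.com", ".example.net"];
const APP_BYPASS_DOMAINS = [".updates.example.com"];

// Step 1: Forwarding Profile PAC (DIRECT here means "send via Z-Tunnel 2.0").
function forwardingProfilePac(url, host) {
  for (const d of FWD_BYPASS_DOMAINS) {
    if (dnsDomainIs(host, d)) return "PROXY " + ZAPP_TUNNEL2_BYPASS;
  }
  return "DIRECT";
}

// Step 2: App Profile PAC, applied only to hosts handed to the local listener.
function appProfilePac(url, host) {
  for (const d of APP_BYPASS_DOMAINS) {
    if (dnsDomainIs(host, d)) return "DIRECT";
  }
  return "PROXY " + GATEWAY + ":443";
}

// Chain the two evaluations the way Client Connector does and name the outcome.
//   "ztunnel2"         : never matched step 1, carried in the Z-Tunnel 2.0 tunnel
//   "bypass-direct"    : matched both PACs, leaves the local listener direct
//   "ztunnel1-proxied" : matched step 1 only, downgraded and sent to the gateway
function classify(host) {
  const url = "https://" + host + "/";
  if (forwardingProfilePac(url, host) === "DIRECT") return "ztunnel2";
  return appProfilePac(url, host) === "DIRECT" ? "bypass-direct" : "ztunnel1-proxied";
}

// Practitioner check: every domain bypassed in the forwarding profile PAC must
// also be bypassed in the app profile PAC, or it is silently proxied instead.
function mismatchedBypasses() {
  return FWD_BYPASS_DOMAINS.filter(d => !APP_BYPASS_DOMAINS.includes(d));
}

// Constructed sample hosts. Note the apex "updates.example.com" is NOT caught by
// the leading-dot suffix and therefore stays in the Z-Tunnel 2.0 tunnel.
const SAMPLE_HOSTS = [
  "dl.updates.example.com",
  "updates.example.com",
  "www.example.net",
  "intranet.corp.example.com",
];

for (const h of SAMPLE_HOSTS) {
  console.log(h.padEnd(28), classify(h));
}
console.log("bypass domains missing from app profile PAC:", mismatchedBypasses());
```

Run it with `node` and compare the printed path for each host with what you intended; the mismatch list should be empty before the PACs are pushed to the forwarding and app profiles.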