To add a Windows firewall port exception:
On the client operating system, go to Start > Run and type firewall.cpl. The Windows Firewall window opens.
Click on the “Advanced Settings” link on the left pane. The Windows Firewall with Advanced security window opens.
Click on the “Inbound Rules” option.
On the left pane, click on “New rule”.
Under “Rule Type” select the option “Port” and click next.
Select “TCP”and “specific local ports” options.
Key in the port number, the default port is TCP port 135.
Click Next.
Select the option “Allow the connection”.
Click Next, do not change any option here and click Next again.
Specify a name for this rule.
Click Finish.
To add a program exception:
On the client operating system, go to Start > Run and type firewall.cpl.
Click on the “Advanced Settings” link on the left pane.
Windows Firewall with Advanced security window opens up.Click on the “Inbound Rules” option.
On the left pane, click on “New rule”.
Under “Rule Type” select the option “Program” and click next.
Select the option “This Program path”.
Browse to the Veritas System Recovery service location [Default location for System Recovery: C:\Program Files\Veritas\Veritas System Recovery\Agent\Vprosvc.exe” location.
Select the option “Allow the connection”.
Click Next, do not change any option here and click Next again.
Specify a name for this rule.
Click Finish.
Bypasses for Firewall
If you have a GPO-managed or AV-managed host firewall, you can configure firewall rules on your endpoint protection product for ZSATunnel.exe processes for all ports, protocols, network interfaces, and network addresses (e.g., 0.0.0.0/0).
Zscaler Client Connector also uses carrier-grade NAT range 100.64.0.0/16 as part of internal health checking and for the ZPA service.
You can bypass the processes listed under the following platforms in your firewall rules:
ZSATunnel.exe: InboundZSATunnel.exe: OutboundZSATray.exe: OutboundZSATrayManager.exe: OutboundZSAUpdater: OutboundZSAService.exe: OutboundZscalerappupdater.exe: Outbound
