
Zscaler

These notes are based on personal experience working with Zscaler in enterprise environments. Always refer to the official Zscaler documentation for the most current and authoritative guidance.

Overview

This section covers Zscaler operational topics including ZIA (Zscaler Internet Access) and ZPA (Zscaler Private Access) — focused on architecture concepts, real-world troubleshooting, packet capture procedures, and diagnostic workflows used in enterprise environments.


Key Components

App Connector

An App Connector is a lightweight software appliance deployed inside a private network — whether on-premises, in a data center, or inside a cloud VPC/VNet. It acts as the bridge between internal applications and the Zscaler ZPA cloud.

How it works:

  • The App Connector establishes outbound-only connections to the Zscaler cloud (no inbound firewall rules required)
  • When a user requests a private application, the ZPA Service Edge (broker) picks an App Connector that serves it and stitches a per-session microtunnel between the user's Client Connector and that connector; both ends ride inside the tunnels each side already holds open outbound to the Service Edge, so nothing ever connects inbound to the connector
  • The application server sees traffic originating from the App Connector’s internal IP, not the user’s device IP

Why it’s used:

  • Eliminates the need for site-to-site VPN or inbound NAT rules
  • Enables Zero Trust access — users are never placed on the network, only connected to specific applications
  • Supports application-level segmentation rather than network-level access
  • Multiple App Connectors can be grouped for load balancing and high availability

Typical deployment locations:

  • On-premises data centres
  • AWS VPCs, Azure VNets, GCP VPCs
  • Co-location facilities
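The "outbound-only, no inbound rules" point above is easy to assert and easy to drift away from once someone adds an SSH rule for troubleshooting. The following is an added example, not Zscaler's or AWS's code: it audits a security group in the JSON shape returned by `aws ec2 describe-security-groups` against an outbound-only posture. The port set (TCP/443 to ZPA plus DNS and NTP toward the internet, any port toward internal application ranges) and the two sample groups are assumptions constructed for illustration; confirm the required destinations and ports against the current App Connector documentation before adopting them.

```python
"""Audit an App Connector's AWS security group for an outbound-only posture.

Added example, not Zscaler's or AWS's code. Assumptions: the connector needs
no inbound rules at all; toward the internet it needs only TCP/443 (ZPA), DNS
and NTP; toward internal ranges it may open whatever ports the published
applications use.
"""
from ipaddress import ip_network

# Egress the connector legitimately needs to non-internal destinations (assumption).
INTERNET_EGRESS = {("tcp", 443), ("udp", 53), ("tcp", 53), ("udp", 123)}
# Ranges treated as the application side; RFC 1918 is used here as an assumption.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]


def _describe(rule):
    if rule.get("IpProtocol") == "-1":
        return "all protocols/ports"
    return f"{rule.get('IpProtocol')}/{rule.get('FromPort')}-{rule.get('ToPort')}"


def audit_security_group(sg):
    """Return human-readable findings; an empty list means the group matches
    the outbound-only posture. Only IPv4 CidrIp rules are examined; rules that
    reference other security groups or IPv6 ranges are ignored."""
    findings = []
    for rule in sg.get("IpPermissions", []):
        findings.append(f"ingress {_describe(rule)} present; an App Connector needs no inbound rules")
    for rule in sg.get("IpPermissionsEgress", []):
        proto, lo, hi = rule.get("IpProtocol"), rule.get("FromPort"), rule.get("ToPort")
        for rng in rule.get("IpRanges", []):
            dst = ip_network(rng["CidrIp"])
            if any(dst.subnet_of(net) for net in INTERNAL_NETS):
                continue  # connector-to-application traffic; ports depend on the apps
            if proto == "-1" or lo != hi or (proto, lo) not in INTERNET_EGRESS:
                findings.append(f"egress {_describe(rule)} to {dst} is outside the expected Zscaler-bound set")
    return findings


# Constructed sample groups (IDs are made up for this example).
GOOD_SG = {
    "GroupId": "sg-0aaa000000000001", "GroupName": "zpa-app-connector",
    "IpPermissions": [],
    "IpPermissionsEgress": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "udp", "FromPort": 53, "ToPort": 53, "IpRanges": [{"CidrIp": "10.0.0.2/32"}]},
        {"IpProtocol": "udp", "FromPort": 123, "ToPort": 123, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        # application side: any port into the private ranges the apps live in
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
    ],
}
BAD_SG = {
    "GroupId": "sg-0aaa000000000002", "GroupName": "zpa-app-connector-drifted",
    # an SSH rule someone added "temporarily"
    "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
    # the AWS default allow-all egress rule left in place
    "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
}

if __name__ == "__main__":
    for sg in (GOOD_SG, BAD_SG):
        print(sg["GroupName"], audit_security_group(sg) or "OK")
```

Run it against the live output of `aws ec2 describe-security-groups --group-ids <id>` by loading the `SecurityGroups` list with `json.load` and passing each entry to `audit_security_group`. Findings on the application-side rules are deliberately not raised, because which internal ports the connector needs is a property of the applications you publish, not of ZPA.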

Cloud Connector

A Cloud Connector is a virtual appliance deployed inside public cloud environments (AWS, Azure, GCP) that provides ZIA inspection for cloud workload traffic — without requiring the Zscaler Client Connector (ZCC) to be installed on each VM or workload.

How it works:

  • Cloud workloads route their internet-bound traffic through the Cloud Connector
  • The Cloud Connector forwards that traffic to the Zscaler cloud for full ZIA inspection (URL filtering, SSL inspection, DLP, threat prevention)
  • Returns the inspected response back to the workload

Why it’s used:

  • Servers, containers, and cloud VMs cannot run ZCC — Cloud Connector fills that gap
  • Provides consistent security policy enforcement for cloud workloads alongside user traffic
  • Enables east-west and north-south traffic inspection within cloud environments
  • Replaces the need for complex cloud-native firewall rules or third-party inspection appliances
  • Traffic reaches SaaS from a known Zscaler egress IP that the SaaS side can allowlist; note that the standard ZIA egress ranges are shared with other Zscaler tenants, so an allowlist on them alone does not prove the caller is your organisation (use Source IP Anchoring or another dedicated egress IP where the SaaS must see an address only you control)

Typical deployment:

  • Deployed as a virtual machine in a dedicated inspection VPC/VNet
  • Cloud workloads route traffic via UDR (Azure) or route tables (AWS) to the Cloud Connector
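The routing step is where inspection quietly gets bypassed: a subnet whose route table still sends 0.0.0.0/0 to an internet or NAT gateway never touches the Cloud Connector. The following is an added example, not Zscaler's or AWS's code, that walks the JSON shape returned by `aws ec2 describe-route-tables` and reports every associated subnet whose default route does not point at a Cloud Connector ENI. The ENI, subnet and route table IDs in it are constructed for illustration.

```python
"""Find subnets whose default route bypasses the Cloud Connector.

Added example, not Zscaler's or AWS's code. Input is the `RouteTables` list
from `aws ec2 describe-route-tables`; the IDs below are constructed.
"""

# Hypothetical ENI IDs of the Cloud Connector service interfaces (assumption).
CLOUD_CONNECTOR_ENIS = {"eni-0cc0000000000001", "eni-0cc0000000000002"}

# Route attributes that can carry a target, in the order they are checked.
TARGET_KEYS = ("NetworkInterfaceId", "NatGatewayId", "GatewayId",
               "TransitGatewayId", "VpcPeeringConnectionId", "InstanceId")


def default_route(route_table):
    """Return the active 0.0.0.0/0 route of a table, or None if it has none."""
    for route in route_table.get("Routes", []):
        if route.get("DestinationCidrBlock") == "0.0.0.0/0" and route.get("State", "active") == "active":
            return route
    return None


def route_target(route):
    for key in TARGET_KEYS:
        if route.get(key):
            return route[key]
    return None


def find_bypass_subnets(route_tables, connector_enis=CLOUD_CONNECTOR_ENIS, inspection_subnets=()):
    """Map subnet id -> reason for every explicitly associated subnet that does not
    egress via a Cloud Connector. Subnets in inspection_subnets (the ones hosting
    the connector itself) are expected to route straight to a NAT/IGW and are skipped."""
    bypass = {}
    for rt in route_tables:
        subnets = [a["SubnetId"] for a in rt.get("Associations", []) if a.get("SubnetId")]
        route = default_route(rt)
        target = route_target(route) if route else None
        for subnet in subnets:
            if subnet in inspection_subnets:
                continue
            if target is None:
                bypass[subnet] = f"no default route in {rt['RouteTableId']} (isolated or egressing another way)"
            elif target not in connector_enis:
                bypass[subnet] = f"default route in {rt['RouteTableId']} points at {target}, not a Cloud Connector ENI"
    return bypass


# Constructed sample: two workload subnets done right, the inspection subnet,
# one forgotten subnet still pointing at the internet gateway, and the main table.
SAMPLE_ROUTE_TABLES = [
    {"RouteTableId": "rtb-0wl0000000000001",
     "Associations": [{"SubnetId": "subnet-0app000000000001"}, {"SubnetId": "subnet-0app000000000002"}],
     "Routes": [{"DestinationCidrBlock": "10.20.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NetworkInterfaceId": "eni-0cc0000000000001", "State": "active"}]},
    {"RouteTableId": "rtb-0cc0000000000001",
     "Associations": [{"SubnetId": "subnet-0cc0000000000001"}],
     "Routes": [{"DestinationCidrBlock": "10.20.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0aaa000000000001", "State": "active"}]},
    {"RouteTableId": "rtb-0old000000000001",
     "Associations": [{"SubnetId": "subnet-0legacy00000001"}],
     "Routes": [{"DestinationCidrBlock": "10.20.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0aaa000000000001", "State": "active"}]},
    {"RouteTableId": "rtb-0main00000000001",
     "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.20.0.0/16", "GatewayId": "local", "State": "active"}]},
]

if __name__ == "__main__":
    for subnet, why in find_bypass_subnets(SAMPLE_ROUTE_TABLES,
                                           inspection_subnets={"subnet-0cc0000000000001"}).items():
        print(subnet, "->", why)
```

Two caveats when running this against a real account: subnets with no explicit association fall back to the main route table and do not appear in any `Associations` entry, so cross-check `aws ec2 describe-subnets` for subnets the script never saw; and a route that targets the connector ENI while the ENI's own subnet also routes back to it creates a loop, which is why the inspection subnet is excluded rather than audited here.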

Branch Connector

A Branch Connector is a virtual appliance deployed at branch offices or remote sites that provides ZIA and ZPA capabilities for the entire branch — covering all devices including those that cannot run ZCC (printers, IoT, servers, legacy systems).

How it works:

  • Acts as a local gateway/proxy for all branch devices
  • Forwards branch internet traffic to the Zscaler cloud for inspection via GRE or IPSec tunnels
  • Enables ZPA access for applications without requiring per-device agent deployment
  • Integrates with SD-WAN solutions for automated tunnel management

Why it’s used:

  • Covers unmanaged and non-agent-capable devices at the branch (IoT, OT, printers, shared workstations)
  • Replaces traditional branch firewalls and MPLS backhauling to a central internet breakout
  • Reduces complexity — one appliance serves the entire branch rather than individual device configs
  • Supports local internet breakout with full Zscaler cloud inspection, reducing latency vs. backhauling
  • Works alongside ZCC for managed devices — giving consistent policy across the entire branch

Typical deployment:

  • Deployed as a VM on branch hypervisor or as a hardware appliance
  • Integrated with local routers or SD-WAN fabric to steer traffic

Source IP Anchoring

Source IP Anchoring is configured in ZIA and delivered through ZPA: a ZIA forwarding rule sends selected traffic to ZPA, which carries it to a designated App Connector group, so the destination always sees a predictable, fixed IP that the organisation controls (the App Connector's address, or the NAT address in front of it) instead of a shared Zscaler cloud egress IP, whichever ZIA or ZPA Service Edge the user happened to connect through.

The problem it solves:

By default, ZPA may route user sessions through any available App Connector in a connector group. If multiple connectors exist, the application server may see different source IPs across sessions — which breaks applications that rely on IP-based allowlisting, licensing tied to source IP, or strict audit logging.

How it works:

  • In ZIA, a Forwarding Control rule matches the destinations that need a fixed source IP and forwards them to ZPA instead of the shared ZIA egress
  • In ZPA, the matching application segment is tied to a server group served by the designated App Connector group, so every session for it is brokered only to connectors in that group
  • The destination consistently sees the App Connector's IP (or the NAT in front of it), not the user's IP and not a rotating Zscaler cloud IP

Why it’s used:

  • IP allowlisting — legacy applications or SaaS tools that restrict access by source IP
  • Software licensing — tools that bind licence seats to a specific source IP
  • Audit & compliance — environments where all access to sensitive systems must appear from known, documented IPs
  • Third-party integrations — APIs or partner systems that validate caller IP before accepting requests
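Anchoring only pays off if it holds: a session that reaches the server from any other address means the user found a path around the pinned connector group (direct network access, a second connector group, a forwarding rule that did not match), which is exactly what the allowlist and the audit requirement exist to catch. The following is an added example, not Zscaler's code: it reads the application's access log and reports every request whose source IP is outside the anchored connector set. The connector ranges, the combined-log-format layout and the log lines themselves are constructed for illustration.

```python
"""Verify that an anchored application only sees the pinned connector IPs.

Added example, not Zscaler's code. Assumes a common web-server access log
with the client IP as the first field; the connector ranges and the sample
lines are constructed.
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Addresses of the pinned App Connector group (assumption: a /29 plus one host).
ANCHORED_SOURCES = [ip_network("10.50.1.0/29"), ip_network("10.60.1.7/32")]

# Constructed sample log; the last two requests did not come via the pinned group,
# and one line is deliberately malformed to show it is counted but not trusted.
SAMPLE_LOG = """\
10.50.1.3 - - [10/Mar/2025:09:01:12 +0000] "GET /api/v1/ledger HTTP/1.1" 200 5120
10.50.1.4 - - [10/Mar/2025:09:01:15 +0000] "POST /api/v1/ledger HTTP/1.1" 201 88
10.60.1.7 - - [10/Mar/2025:09:02:01 +0000] "GET /api/v1/ledger HTTP/1.1" 200 5120
192.168.44.21 - - [10/Mar/2025:09:02:40 +0000] "GET /api/v1/ledger HTTP/1.1" 200 5120
10.50.2.9 - - [10/Mar/2025:09:03:05 +0000] "GET /admin HTTP/1.1" 403 0
this line is not an access-log record
"""

LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')


def is_anchored(src, anchored=ANCHORED_SOURCES):
    """True if src is an address inside one of the anchored networks."""
    try:
        addr = ip_address(src)
    except ValueError:
        return False  # a hostname or junk in the source field is never trusted
    return any(addr in net for net in anchored)


def audit_sources(log_text, anchored=ANCHORED_SOURCES):
    """Return (requests per source IP, violations, unparsed line count).

    A violation is any parsed request whose source is outside the anchored set;
    each carries the timestamp, request line and status so it can be chased."""
    counts, violations, unparsed = Counter(), [], 0
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            unparsed += 1
            continue
        src = m.group("src")
        counts[src] += 1
        if not is_anchored(src, anchored):
            violations.append({"src": src, "ts": m.group("ts"),
                               "request": m.group("req"), "status": int(m.group("status"))})
    return counts, violations, unparsed


if __name__ == "__main__":
    counts, violations, unparsed = audit_sources(SAMPLE_LOG)
    print("requests by source:", dict(counts))
    for v in violations:
        print("NOT anchored:", v)
    print("unparsed lines:", unparsed)
```

The two flagged sources show the two failure modes worth distinguishing: 192.168.44.21 is not a connector at all (a user device or a different path reaching the server directly), while 10.50.2.9 looks like a connector but sits outside the pinned group, which usually means a second connector group is also serving the application. A response of 403 does not make the second one harmless; the point of anchoring is that the request should not have arrived from there at all.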

See the Source IP Anchoring – Configuration Guide for full step-by-step setup.


Pages in This Section

Page                        Description
Packet Capture – ZCC & ZPA  Step-by-step capture procedure for endpoint and App Connector
Source IP Anchoring         Full configuration guide with explanation of every option