Virtual ZEN Requirements

Looking for the latest changes? Changelog.
  • To ensure that your Virtual ZEN works correctly in your environment, configure your firewall to allow the outbound connections listed in the following table.
  • There is no need to open inbound connections from the cloud.
Source IP Destination IP Service Port Description
VZEN IP Addresses Zscaler Hub IP 9422 (TCP) Authentication and Policy Retrieval
VZEN IP Addresses Zscaler Hub IP 443 (TCP) Download of software updates
VZEN IP Addresses Zscaler Hub IP 9431 (TCP) Log transmission to Zscaler Nanolog for Analytics
VZEN IP Addresses Zscaler Hub IP 9442 (TCP) VZEN Network configuration download
VZEN IP Addresses Remote Support IP 12002 (TCP)

Reverse Tunnel for Remote Support Assistance from Zscaler (This feature is disabled by default, and must be explicitly enabled on the Virtual ZEN. See the Troubleshooting Section in the Virtual ZEN Guide for usage)1

VZEN IP Addresses Local Nameserver IP 53 (TCP/UDP) Name Resolution
VZEN IP Addresses All or Local NTP Server IP 123 (UDP)

Time sync with NTP Servers. Virtual ZEN is extremely sensitive to VM and the cloud times being in sync. Please refer to the latest Virtual ZEN Guide for configuring sync with local NTP Server.

VZEN Proxy IP Address Any Any Outbound Proxy/Firewall/Traffic Forwarding For Protected Traffic

1Remote Support IP

VZEN IP Addresses refers to Proxy IP, Mgmt IP and the LB IP.


Virtual ZEN Inbound Connection Requirements

  • No inbound connections from Zscaler cloud required.
Source IP Destination IP Service Port Description
Local Network VZEN Management IP 22 (TCP) Shell access to the Virtual ZEN
Local Network VZEN Cluster IP or VZEN Proxy IP 80, 443, 8800, 9400, 9443, 9480, Organization Dedicated Port (TCP) or GRE Tunnel Traffic forwarding into VZEN. Use Cluster IP for cluster mode and VZEN Proxy IP for Standalone mode

Zscaler Hub IP Addresses

Required IP Addresses
Recommended IP Addresses