Zscaler Private Access Firewall Whitelist


Some organizations choose to firewall or otherwise restrict outbound traffic to the Internet from the datacenter. It is possible to deploy a ZEN connector in such an environment as long as the connector is able to reach all of the Zscaler data centers containing ZPA ZENs. It is important to note that the full set of ZPA-enabled data centers must be allowed, as a partial firewall configuration will result in connectivity problems for end users.

| IP Protocol | Port | Source | Destination |
|---|---|---|---|
| TCP/UDP | Your application ports | Connector | Your application servers |
| TCP | 53 | Connector, Private Service Edge | Local DNS servers |
| UDP | 53 | Connector, Private Service Edge | Local DNS servers |
| UDP | 123 | Connector, Private Service Edge | Local NTP servers |
| TCP | 80, 443 | Connector, Private Service Edge | https://yum.private.zscaler.com/ and the Linux repositories needed for OS updates. Restricting outbound access to a specific mirror, or reaching repositories through a proxy, requires additional connector configuration; refer to the configuration guide for your platform. |
| TCP | 443 | Connector, Private Service Edge, Zscaler Client Connector | ANY (unrestricted outbound access to TCP 443) |

Zscaler strongly recommends that connectors and the Zscaler Client Connector have unrestricted outbound access to the Internet on port 443, to ensure access to all Zscaler Service Edges as our infrastructure evolves and expands. However, if this best practice is not feasible in your environment and outbound Internet access restrictions must be applied with specific exemptions, the following connectivity must be permitted.

| IP Protocol | Port | Source | Domains & IPs | Date Added |
|---|---|---|---|---|
| TCP | 443 | Connector, Private Service Edge, Zscaler Client Connector | *.zpabeta.net, 35.162.150.169/32, 34.209.109.199/32, 54.186.220.117/32, 54.69.158.223/32, 34.218.213.58/32, 52.33.17.217/32 | Initial publication |
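The two tables above describe the flows an egress firewall has to permit, and the text warns that a partial allowlist breaks user connectivity. The following script, an added example that is not Zscaler's code, turns those tables into a checklist and audits a firewall policy against it, reporting every required flow the policy would block. It assumes the firewall's rules can be expressed as protocol/port/destination tuples; the local DNS and NTP addresses (10.0.0.53, 10.0.0.123) and the hostname host.zpabeta.net are constructed placeholders, while the /32 addresses and domains are the ones published in the tables.

```python
"""Audit an egress firewall policy against the ZPA connector allowlist.

Added example, not Zscaler's code. A rule is a dict with "proto" (tcp/udp/any),
"ports" (a set of ints or "any") and "dest" (a CIDR, a domain glob such as
*.zpabeta.net, or "any"). DNS/NTP addresses and host.zpabeta.net are
constructed placeholders; the /32s and domains come from the tables above.
"""
import ipaddress
from fnmatch import fnmatchcase

# The six published /32 addresses from the second table.
ZPA_BETA_IPS = [
    "35.162.150.169", "34.209.109.199", "54.186.220.117",
    "54.69.158.223", "34.218.213.58", "52.33.17.217",
]

# Flows the connector must be able to open, derived from both tables.
REQUIRED_FLOWS = (
    [("tcp", 53, "10.0.0.53"), ("udp", 53, "10.0.0.53"),   # placeholder DNS server
     ("udp", 123, "10.0.0.123")]                            # placeholder NTP server
    + [("tcp", p, "yum.private.zscaler.com") for p in (80, 443)]
    + [("tcp", 443, "host.zpabeta.net")]                    # any host under *.zpabeta.net
    + [("tcp", 443, ip) for ip in ZPA_BETA_IPS]
)


def _dest_covered(rule_dest, dest):
    """True if a rule destination (CIDR, domain glob or 'any') covers dest."""
    if rule_dest.lower() == "any":
        return True
    try:
        net = ipaddress.ip_network(rule_dest, strict=False)
    except ValueError:
        # rule_dest is a domain glob; it never matches a bare IP literal
        return fnmatchcase(dest.lower(), rule_dest.lower())
    try:
        return ipaddress.ip_address(dest) in net
    except ValueError:
        return False  # a CIDR rule cannot cover a hostname


def is_egress_allowed(rules, proto, port, dest):
    """First-match evaluation of an allowlist; anything unmatched is denied."""
    for rule in rules:
        if rule["proto"] not in ("any", proto):
            continue
        if rule["ports"] != "any" and port not in rule["ports"]:
            continue
        if _dest_covered(rule["dest"], dest):
            return True
    return False


def missing_flows(rules):
    """Required flows the policy blocks; a non-empty list means broken ZPA connectivity."""
    return [flow for flow in REQUIRED_FLOWS if not is_egress_allowed(rules, *flow)]


# Constructed policy following the page's recommendation: unrestricted TCP 443.
RECOMMENDED_POLICY = [
    {"proto": "any", "ports": {53}, "dest": "10.0.0.53"},
    {"proto": "udp", "ports": {123}, "dest": "10.0.0.123"},
    {"proto": "tcp", "ports": {80, 443}, "dest": "yum.private.zscaler.com"},
    {"proto": "tcp", "ports": {443}, "dest": "any"},
]

# Constructed partial policy: only four of the six published /32s are allowed,
# the situation the page warns will cause connectivity problems for end users.
PARTIAL_POLICY = (
    RECOMMENDED_POLICY[:3]
    + [{"proto": "tcp", "ports": {443}, "dest": "*.zpabeta.net"}]
    + [{"proto": "tcp", "ports": {443}, "dest": ip + "/32"} for ip in ZPA_BETA_IPS[:4]]
)

if __name__ == "__main__":
    for name, policy in (("recommended", RECOMMENDED_POLICY), ("partial", PARTIAL_POLICY)):
        print(f"{name} policy blocks:", missing_flows(policy) or "nothing")
```

Running the script shows the recommended policy blocking nothing, while the partial policy reports the two /32s it omits. When the published list changes, only `ZPA_BETA_IPS` needs updating, which is exactly the maintenance burden the page's "unrestricted TCP 443" recommendation avoids.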