Zscaler Private Access (ZPA) | ips.zscalerbeta.net

Zscaler Private Access Firewall Whitelist

Looking for the latest changes? Changelog.

Some organizations choose to firewall or otherwise restrict outbound traffic to the Internet from the datacenter. It is possible to deploy a ZEN connector in such an environment as long as the connector is able to reach all of the Zscaler data centers containing ZPA ZENs. It is important to note that the full set of ZPA-enabled data centers must be allowed, as a partial firewall configuration will result in connectivity problems for end users.

IP Protocol	Port	Source	Description
TCP/UDP	Your Application Ports	Connector	Your Application Servers
TCP	53	Connector, Private Service Edge	Local DNS Servers
UDP	53	Connector, Private Service Edge	Local DNS Servers
UDP	123	Connector, Private Service Edge	Local NTP Servers
TCP	80,443	Connector, Private Service Edge	https://yum.private.zscaler.com/ Linux repositories (to enable OS updates). Note that outbound restriction to a specific mirror, or accessing repository through a proxy, requires additional connector configuration. Please refer to configuration guide of the specific platform for details.
TCP	443	Connector, Private Service Edge, Zscaler Client Connector	ANY (unrestricted outbound access to TCP 443)

Zscaler strongly recommends that connectors and the Zscaler Client Connector have unrestricted outbound access to the Internet on port 443, to ensure access to all Zscaler Service Edges as our infrastructure evolves and expands. However, if this best practice is not feasible in your environment and outbound Internet access restrictions must be applied with specific exemptions, the following connectivity must be permitted.

IP Protocol	Port	Source	Domains & IPs		Date Added
TCP	443	Connector, Private Service Edge, Zscaler Client Connector	*.zpabeta.net	35.162.150.169/32 34.209.109.199/32 54.186.220.117/32 54.69.158.223/32 34.218.213.58/32 52.33.17.217/32	Initial Publication