Zscaler Private Access Firewall Whitelist
Some organizations choose to firewall or otherwise restrict outbound traffic to the Internet from the datacenter. It is possible to deploy a ZEN connector in such an environment as long as the connector is able to reach all of the Zscaler data centers containing ZPA ZENs. It is important to note that the full set of ZPA-enabled data centers must be allowed, as a partial firewall configuration will result in connectivity problems for end users.
|TCP/UDP||Your Application Ports||Connector||Your Application Servers|
|TCP||53||Connector, Private Service Edge||Local DNS Servers|
|UDP||53||Connector, Private Service Edge||Local DNS Servers|
|UDP||123||Connector, Private Service Edge||Local NTP Servers|
|TCP||80,443||Connector, Private Service Edge||
|TCP||443||Connector, Private Service Edge, Zscaler Client Connector||ANY (unrestricted outbound access to TCP 443)|
Zscaler strongly recommends that connectors and the Zscaler Client Connector have unrestricted outbound access to the Internet on port 443, to ensure access to all Zscaler Service Edges as our infrastructure evolves and expands. However, if this best practice is not feasible in your environment and outbound Internet access restrictions must be applied with specific exemptions, the following connectivity must be permitted.
|IP Protocol||Port||Source||Domains & IPs||Date Added|
|TCP||443||Connector, Private Service Edge, Zscaler Client Connector||*.zpabeta.net||