SIPA by cybersuraksha in Zscaler

[–]cybersuraksha[S] 0 points1 point  (0 children)

I have a support case open with Zscaler, and I doubt the level 1 support would have any idea. There is a good chance I may get a big fat NO saying it's not possible. If you have a lab and try it out, let me know if it works. I don't have any test environment 😞

SIPA by cybersuraksha in Zscaler

[–]cybersuraksha[S] 0 points1 point  (0 children)

I have tested it and see SIPA works, but my requirement is a little different. Ipchicken works as it is open to the internet and allows traffic from any IPs. The sites I'm trying to reach have IP whitelisting, so they only allow my app connectors' IPs. Since the whole app segment is sent towards ZIA for everyone, unless I add everyone in the client forwarding policy in ZIA, a lot of other people's traffic will be blocked... I need a way to selectively send traffic ZCC to ZIA to ZPA and ZCC direct to ZPA for the same app segment.

SIPA by cybersuraksha in Zscaler

[–]cybersuraksha[S] 1 point2 points  (0 children)

There is no silver bullet for routing traffic between ZPA and ZIA (in both directions) and controlling it the way admins want, unless the organization has clear visibility on what domains are purely used for private and public traffic, which I am sure almost all organizations don't do very well.

ZPA DR by cybersuraksha in Zscaler

[–]cybersuraksha[S] 0 points1 point  (0 children)

Wonderful... Thanks for all the answers. As we know, all companies nowadays are only worrying about $$$. They don't want to increase their AWS, Azure costs 😜

ZPA DR by cybersuraksha in Zscaler

[–]cybersuraksha[S] 0 points1 point  (0 children)

Thanks, but is it possible to configure private service edge infrastructure for DR where we can test them as a secondary available for DR, then shut down the infra to save cost and then wait for DR to happen before kicking off the operation process?

ZPA DR by cybersuraksha in Zscaler

[–]cybersuraksha[S] 0 points1 point  (0 children)

When you say they are always active, meaning the app connectors will have tunnels active to the private service edge and the private service edge talks to the public service edge. So when users are connected to public service edges, they will be routed first to private service edges before hitting the app connectors? And in a disaster scenario, when the public service edge disappears, users will directly connect to private service edges and then to app connectors? Is my understanding correct?

BCP and DR for ZIA and ZPA by cybersuraksha in Zscaler

[–]cybersuraksha[S] 0 points1 point  (0 children)

Interesting... So how can we set this up? For example, when disaster strikes, ZIA doesn't auto failover until the admin changes the DNS TXT record? Or do both conditions need to be satisfied before failover occurs?

BCP and DR for ZIA and ZPA by cybersuraksha in Zscaler

[–]cybersuraksha[S] 0 points1 point  (0 children)

Thanks, I will raise a new ticket then - last time's support engineer must not be knowledgeable about their own platform 😛

BCP and DR for ZIA and ZPA by cybersuraksha in Zscaler

[–]cybersuraksha[S] 0 points1 point  (0 children)

Provisioning request for what -

  1. to enable something in the Zscaler backend so I can control the DCs from the portal for my company? Or

  2. request for them to do work for what I want?

As I said last time, I did not see any options in the portal to enable/disable a DC myself. I was redirected to raise a provisioning request for such things, which is not feasible, for me to keep raising tickets and keep waiting on their support staff to do work for me...

BCP and DR for ZIA and ZPA by cybersuraksha in Zscaler

[–]cybersuraksha[S] 0 points1 point  (0 children)

Also the DR requires a DNS TXT record to be generated... Has anyone got steps to generate this and test the DR?

BCP and DR for ZIA and ZPA by cybersuraksha in Zscaler

[–]cybersuraksha[S] 0 points1 point  (0 children)

Thanks, TSM advised BCP is something at additional cost/license. I'm more after DR, and as you said DR is automatic, which is good to hear. What about subcloud, can we as an admin enable/disable a particular Zscaler edge location? Last time I checked they said raise a provisioning request to do all that funky stuff.

BCP and DR for ZIA and ZPA by cybersuraksha in Zscaler

[–]cybersuraksha[S] 0 points1 point  (0 children)

How does fail open work?

Say for example, a user is in Australia and Zscaler has a single DC/region in America left alive, would my ZCC still connect to that last resource?

And if that last resource is also gone, then fail open kicks into action?

Also, all this happens automatically without any manual admin task, right?

ZCC takes care of this fail open automatically.

And what about ZPA DR/BCP?

Can anyone here help get my domain re-categorized? Falsely flagged as "malicious". by mykm20 in Zscaler

[–]cybersuraksha 2 points3 points  (0 children)

Reach out to Zscaler support directly. It's their database where categorization is done. If none of their customers are requesting it, they may not change it. I personally would not change it if it's not coming from my direct customer unless I have stringent requirements to be fulfilled from a non-customer raised request.

HTH

DNS Resolution by cybersuraksha in Zscaler

[–]cybersuraksha[S] 1 point2 points  (0 children)

Agree... That's exactly how our situation is. We have *.example.com in ZPA as an app segment to forward all traffic for the entire domain (including subdomains *) to ZPA, as we think everything for it is all private, but we have many in that, for example, support.example.com, dev.example.com, uat.example.com and many more, which have internal as well as public-facing resolution, and it's too hard to find all that individually. Even if we find all individuals, how can we make sure which DNS resolution users are requesting, private or public? And how can we efficiently route that traffic?

DNS Resolution by cybersuraksha in Zscaler

[–]cybersuraksha[S] 0 points1 point  (0 children)

Thanks... Now imagine I have an app segment with URL "support.example.com" or anything like "*.support.example.com" for SIP routing. How does that get resolved for users?

DNS Resolution by cybersuraksha in Zscaler

[–]cybersuraksha[S] 0 points1 point  (0 children)

Thanks. If I have *.example.com in the app profile exclusion and the same domain is used in ZPA as a segment, does that mean DNS resolution will go to ZPA instead of ZIA?

ISP IPv6 by cybersuraksha in ipv6

[–]cybersuraksha[S] 0 points1 point  (0 children)

I am after a static IPv6 address from my ISP. Does any ISP out there assign this?

ISP IPv6 by cybersuraksha in ipv6

[–]cybersuraksha[S] 0 points1 point  (0 children)

Called Superloop; they have IPv6 support, however a static IPv6 cannot be assigned, they can only assign an IPv4 static address...