How do I use PAC files to forward traffic to the Zscaler service?

Zscaler recommends that organizations use a combination of tunneling, PAC files, Surrogate IP, and Zscaler App to forward traffic to the Zscaler service. If your organization has an internal router, switch or firewall that supports GRE and its egress port has a static address, Zscaler recommends that you configure a GRE tunnel to forward all outbound traffic from your location to the Zscaler service. If your router or firewall does not support GRE or if you use dynamic IP addresses, you can use an IPsec VPN tunnel instead. Note that IPsec tunnels have additional processing overhead on your equipment, compared to GRE tunnels. Zscaler also recommends that organizations deploy mechanisms such as IP SLA to monitor tunnel health and enable fast failover. In addition to the GRE or IPsec VPN tunnel, Zscaler recommends that you install a PAC file for each user to ensure coverage outside the corporate network.

The Zscaler service hosts four non-editable default PAC files, recommended.pac, proxy.pac, mobile_proxy.pac, and kerberos.pac, which are all configured to automatically forward all browser traffic to the nearest Zscaler Enforcement Node (ZEN).

The service recommends that you deploy the recommended.pac file to your organization's devices. If necessary, your organization can use more than one PAC file. For example, you can use one PAC file for mobile devices and another for all other devices. Use the Kerberos PAC file if you are deploying Kerberos authentication.

To forward web traffic to the Zscaler service, you can use either the default PAC file or a custom PAC file.

To use the default PAC file that is hosted by the Zscaler service, do the following:

  1. Go to Administration > Resources > Hosted PAC Files.
  2. Copy the URL of the default PAC file.
  3. Distribute the PAC file URL to your users.

To use a custom PAC file, do the following:

  1. Ensure that you review the best practices.
  2. Test the newly edited or created PAC file on a local machine before production deployment.
  3. Add the PAC file to the admin portal.
  4. Distribute the PAC file URL to your users.
  5. Review the firewall requirements and ensure that you have made the necessary configuration changes.
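
One way to carry out the local test in step 2 of the custom PAC file procedure is to run the PAC logic under Node.js against a table of expected routing decisions. This is an added example, not Zscaler's code: the proxy address, the .corp.example domain and the bypass rules are constructed placeholders, and the helper functions are simplified offline stand-ins for the ones a browser provides.

```javascript
// Offline stand-ins for the PAC helper functions a browser provides.
function isPlainHostName(host) { return !host.includes("."); }
function dnsDomainIs(host, domain) {
  return host.toLowerCase().endsWith(domain.toLowerCase());
}
function ipToInt(ip) {
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(ip)) return null;
  const p = ip.split(".").map(Number);
  if (p.some(o => o > 255)) return null;
  return ((p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3]) >>> 0;
}
// A browser's isInNet resolves hostnames through DNS; this stub only
// evaluates IP literals so the test runs offline.
function isInNet(host, net, mask) {
  const h = ipToInt(host), n = ipToInt(net), m = ipToInt(mask);
  if (h === null || n === null || m === null) return false;
  return ((h & m) >>> 0) === ((n & m) >>> 0);
}

// Constructed custom PAC logic under test (placeholder proxy and domain).
const PROXY = "PROXY proxy.example.invalid:8080";
function FindProxyForURL(url, host) {
  if (isPlainHostName(host) || dnsDomainIs(host, ".corp.example")) return "DIRECT";
  if (isInNet(host, "10.0.0.0", "255.0.0.0") ||
      isInNet(host, "172.16.0.0", "255.240.0.0") ||
      isInNet(host, "192.168.0.0", "255.255.0.0")) return "DIRECT";
  return PROXY;
}

// Constructed cases: [url, host, expected result].
const CASES = [
  ["http://intranet/", "intranet", "DIRECT"],
  ["https://wiki.corp.example/", "wiki.corp.example", "DIRECT"],
  ["https://notcorp.example/", "notcorp.example", PROXY],
  ["https://corp.example.other.test/", "corp.example.other.test", PROXY],
  ["http://172.31.255.255/", "172.31.255.255", "DIRECT"],
  ["http://172.32.0.1/", "172.32.0.1", PROXY],
  ["https://www.example.org/", "www.example.org", PROXY],
];

// Returns the cases whose result differs from the expectation.
function runPacTests(cases) {
  return cases
    .map(([url, host, want]) => ({ url, want, got: FindProxyForURL(url, host) }))
    .filter(r => r.got !== r.want);
}

const pacFailures = runPacTests(CASES);
console.log(pacFailures.length === 0 ? "all PAC cases pass" : pacFailures);
```

The lookalike-domain and subnet-boundary cases are the ones worth keeping in any such table, because a bypass rule that matches too broadly sends traffic DIRECT and skips inspection.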