APM Proxy Handling Conflict

Hi GDC1-TRG-F5

you should prevent both products from trying to configure the proxy of your clients. Either the proxy configuration is driven by the Zscaler agent or the proxy configuration is driven by F5 BUT not both.

To avoid that F5 drives the proxy configuration and the zscaler agent does it, the solution is:

• You must ensure that the VPN client is not configured to change proxy settings on users’ devices THEN "Try to  Enable Use Local Proxy Settings in F5 BIG-IP APM". When Use Local Proxy Settings, is  enabled, after the client f5 VPN establishes a network access connection, proxy settings configured on the client continue to be used. The Use Local Proxy Settings option instructs f5 that  doesn't merge or overwrite the local Proxy configuration.

If it is not possible to change the configuration in BIG-IP APM side, you must change Zscaler agent behaviour to never alters yur client proxy settings (perhaps change the forwarding profile for Z-Tunnel 1.0 + “Proxy Action Type” to “Never" from ZCC admin portal.... Never: If you select this option, Zscaler Client Connector never alters your proxy settings).

>>Will the VPN traffic be routed through Zscaler according to the PAC settings.?

YES. In the F5 VPN tunnel connection establishment, if the zscaler agent is active, the F5 VPN traffic depends on the PAC file in zscaler or the Zscaler agent configuration. The usual way is to make an exception in the Zscaler PAC file or in the Zscaler configuration to do a “VPN Gateway bypass”.

Enrique Pernas