Transcript
In this series of short videos, we'll be taking a look at recommendations for forwarding your traffic to the Zero Trust Exchange. This is Part 3 on the Client Connector Forwarding Profile. Regardless of the forwarding method chosen, Zscaler Client Connector has two profiles that must be configured, a forwarding profile and an app profile. At a high level, the forwarding profile controls how Zcc handles user traffic when in different network environments, and steers traffic to or away from the Client Connector itself within the OS stack. The app profile then makes routing decisions for traffic received by Zcc, steering it towards or away from the Zero Trust Exchange. As an example, the forwarding profile is where you would define trusted network criteria, which Zcc will use to determine whether or not it is on a trusted network, and where it will make the decision of which forwarding method to use. Let's start by taking a deeper look at the forwarding profile. One of the decisions you will need to make as part of the forwarding profile configuration is which driver type to use on Windows devices when forwarding traffic to the Zero Trust Exchange via Z-Tunnel 1 or 2. For non-Windows devices, the driver use will be a route-based driver, with Zcc creating a virtual network adapter and using OS routing to forward traffic via this interface. However, for Windows devices, you also have the option to use a packet-filter-based driver instead. This is recommended as the Windows packet-filter-based driver has several advantages over the route-based driver for this OS. First, it has improved throughput. Secondly, it's transparent and hidden, which means users cannot uninstall it or tamper with its routing. Since there are no IP routes or DNS server configurations created on the system, this driver also has better interoperability with VPN clients and avoids split DNS problems entirely. Note that as of Zcc version 4.8, which released in 2026, the packet-filter-based driver will always be used, and the route-based driver will no longer be selectable. The forwarding profile is also where you'll configure what traffic shouldn't be routed to Zcc in the first place. An example of this is if you want to use a third-party proxy to secure a portion of your traffic. The forwarding profile allows you to bypass this traffic before it reaches Zcc, so it can be routed to the appropriate third-party proxy. Note that for older versions of Zcc, prior to 2026, the forwarding profile is also where bypasses would be configured. This is no longer the case with current Zcc versions, which use the app profile instead. This will be discussed in the next video in this series. Finally, the forwarding profile is also where you can configure the Zcc behavior for web traffic on non-standard ports. This allows you to route this traffic through Zcc so that it is forwarded to the Zero Trust Exchange, even with ZTunnel1, to avoid attempts to evade ZIA security controls. That's it for this video. Thank you for watching!