CLIENT CONNECTOR : WHAT IS ZSCALER CLIENT CONNECTOR?

Client Connector
What Is Zscaler Client Connector?
Using Zscaler Client Connector, users can get all of the benefits of the Zscaler service for internet
traffic, as well as granular, policy-based access to internal resources from a single point.
With Zscaler Internet Access (ZIA), you can protect your users' web traffic even when they are
outside your corporate network. You can also protect your users' mobile traffic, whether they're
connected to Wi-Fi or cellular networks. The app forwards user traffic to the Zscaler service and
ensures that your organization's security and access policies are enforced wherever they might be
accessing the internet.
With Zscaler Private Access (ZPA), you can enable your users to securely access enterprise
applications from outside the corporate network. ZPA establishes a secure transport for accessing
your enterprise apps and services.
With Zscaler Digital Experience (ZDX), you can monitor your organization’s user devices to detect
user experience and productivity issues. ZDX relies on Zscaler Client Connector to perform
synthetic probing to a desired Software as a Service (SaaS) application or internet-based service
(e.g., OneDrive, Gmail, etc.).
With Zscaler Endpoint Data Loss Prevention (DLP), you can protect your organization from data
loss on endpoints. Endpoint DLP policy complements Zscaler DLP policy by extending the
monitoring of sensitive data to the activities that end users take on endpoints (i.e., printing, saving
to removable storage, saving to network shares, or uploading to personal cloud storage accounts).

You have the ability to control various settings for the app in the Zscaler Client Connector Portal. The
Zscaler Client Connector Portal is dedicated to app management, accessible directly from the ZIA and
ZPA Admin Portals. With administration options, you can configure general settings for the app, such as
auto-update and in-app support.
You can also configure app profiles and specify, for example, how the app detects when a user is
connected to a trusted network, and if a trusted network is detected, whether the app must disable its
service. For greater flexibility, you can configure app profiles so that they apply to all users or to
specific groups of users in your organization.
In the Zscaler Client Connector Portal, you can define policies that control how a device forwards traffic
to the Zscaler service and which apps, functionality, and content can be accessed from a device. For
mobile devices, the Zscaler service also provides per-user and per-department logging and reporting.
After you configure settings and policies in the Zscaler Client Connector Portal, you can silently deploy
the app on users' devices for Windows and macOS. You can also deploy the app on users’ devices for
©2025 Zscaler, Inc. All rights reserved. 1
 CLIENT CONNECTOR : WHAT IS ZSCALER CLIENT CONNECTOR?

Android, Android on ChromeOS, and iOS via MDM. Users need only complete a simple login process to
enroll their devices with the Zscaler service.

When users enroll, the app downloads the administration settings you've configured, as well as the
appropriate app profile, and begins forwarding traffic and protecting users immediately. The app
regularly checks for updates to administration options and app profiles, and downloads any changes
you make, ensuring the app reflects your latest settings.
For Android devices, Zscaler Client Connector also establishes a proprietary, secure HTTP-tunnel-
based VPN to forward the mobile traffic from the user's applications to Zscaler Client Connector.
Zscaler Client Connector then sends this traffic to the cloud. Zscaler uses Samsung Approved for
Enterprise (SAFE) KNOX APIs for enforceability.

 Users might be able to turn off the VPN on non-Samsung Android devices.

When you run Zscaler Client Connector on Android and iOS devices, it also installs the policy that you
configured on the Zscaler Client Connector Portal as a profile on your mobile device. Additionally, it
enrolls the device in the Zscaler service. After the device is enrolled, the device establishes a local VPN
that connects locally to Zscaler Client Connector to direct traffic. As the browser and other applications
generate traffic, this is automatically forwarded to the Zscaler cloud.

Key Features
©2025 Zscaler, Inc. All rights reserved. 2
 CLIENT CONNECTOR : WHAT IS ZSCALER CLIENT CONNECTOR?

The following are some key Zscaler Client Connector features and benefits:
Authentication: The app supports all authentication mechanisms supported by the Zscaler service,
except Kerberos. It also supports SAML with two-factor authentication. Your organization's users
can seamlessly log in and enroll with their existing user credentials. If you are using the app for
ZPA, your organization must use SAML authentication.
Enforcement: You can configure the app profile so that after users enroll, they cannot log out of,
disable, or uninstall Zscaler Client Connector without an admin-provided password.
Trusted Network Detection: The app can detect when users are connecting from a trusted network
(for example, from your corporate network) and disable its internet security service so that user
traffic is forwarded to the Zscaler service via the network's configured traffic forwarding
mechanism. Learn more about configuring trusted networks.
Captive Portal Detection: The app can detect when users try to connect to networks where a
captive portal requires users to pay or accept a use policy before accessing the web (for example,
Wi-Fi networks at airports or hotels). When it detects a captive portal, it can disable its service for
a period of time you specify, allowing users to complete the steps necessary to access the
network, before automatically re-enabling itself. Learn more about captive portal detection.
SSL Inspection: If you are using Zscaler Client Connector to secure your web traffic, it can
automatically install the Zscaler SSL certificate during enrollment so that the Zscaler service can
perform SSL inspection on web traffic forwarded by the app. However, you must enable SSL
inspection for mobile traffic in the ZIA Admin Portal. This feature applies to the Internet Security
service only. ZPA does not support SSL inspection.
Auto-Update to Latest Release: You can enable auto-updates so that apps on users' devices are
automatically updated whenever Zscaler releases a new version. If you prefer to test new app
versions before allowing updates, you also have the option of pushing app updates from the
Zscaler Client Connector Portal when you're ready. Learn more about update settings.
Easy Administration with the Zscaler Client Connector Portal: In the Zscaler Client Connector
Portal, you can easily manage app profiles and administration settings. The app checks regularly
for updates and downloads any changes you make. If users exit the app, log out and log back into
the app, or restart their devices, the app also checks for updates and download changes.
Dashboards and Device Fingerprint Information: In the Zscaler Client Connector Portal, you can
view a dashboard that provides information about devices that have been enrolled with the Zscaler
service, including the number of Zscaler Client Connector licenses being used, the device models,
platforms, and operating systems on which the app is running, as well as information about which
devices are running outdated app versions. You can also view device fingerprint information for all
devices that have been enrolled.

©2025 Zscaler, Inc. All rights reserved. 3

 CLIENT CONNECTOR : WHAT IS ZSCALER CLIENT CONNECTOR?

In-App Access to Support: You can provide users with different options for requesting support in
Zscaler Client Connector. You can allow users to send support request emails directly from the
app to your organization's support team, or you can allow users to submit tickets directly from the
app to Zscaler Support. Learn more about support access in Zscaler Client Connector.
Localization: Zscaler Client Connector supports changing the language of the app user interface
based on the system language. To learn more, see Localization Support.

How Does Zscaler Client Connector Work?

This section describes how Zscaler Client Connector works when you use it to secure your web and
mobile traffic. To learn about how the app works when you use it with ZPA to provide secure access to
your internal resources, see What is Zscaler Private Access? To learn about how the app works when
you use it with ZDX to monitor your users' experience and productivity issues, see What is Zscaler
Digital Experience? To learn about how the app works when you use it for Endpoint Data Loss
Protection (DLP), see Zscaler Endpoint Data Loss Prevention (DLP) Integration with Zscaler Client
Connector and About Endpoint Data Loss Prevention.
When you install Zscaler Client Connector for PC, a Zscaler Network Adapter is also installed on your
user's computer. When the user connects to the web, the network adapter captures web traffic from
that device. The app then uses geolocation technology to locate the ZIA Public Service Edge closest to
the user, establishes a lightweight tunnel (called the Z-Tunnel) to the ZIA Public Service Edge, and
forwards the user's web traffic through the tunnel so that the ZIA Public Service Edge can apply
appropriate security and access policies.
When you install Zscaler Client Connector on a mobile device, it authenticates the user using your
corporate authentication mechanism and completes the following tasks:
Installs the appropriate app profile
Installs a VPN profile locally (if not already installed via MDM)
Registers the mobile device to the Zscaler service

The device then establishes a local VPN tunnel that captures application traffic and directs it to Zscaler
Client Connector on the device.
While this is the default behavior of the app, you can modify the app's traffic forwarding settings as
necessary. For example:
Instead of the app automatically determining the ZIA Public Service Edge to which it tunnels traffic,
you can specify the particular ZIA Public Service Edges to which the app must tunnel traffic (for
example, you must do this if your organization uses ZIA Public Service Edges or Virtual Service
Edges).
©2025 Zscaler, Inc. All rights reserved. 4
 CLIENT CONNECTOR : WHAT IS ZSCALER CLIENT CONNECTOR?

If you are running Zscaler Client Connector version 1.4 or later, you can choose multiple
destinations for Zscaler Client Connector to send traffic (for example, you can send traffic for a
certain domain to a Service Edge or Virtual Service Edge, and send the rest to the geographically
closest ZIA Public Service Edge.)
You can choose to allow some traffic (for example, traffic to certain domains like identity
federation URLs) to bypass the app tunnel and go directly to the web.

To modify the app's traffic forwarding behavior in these ways, you can add a custom PAC file in your
app profile so that the app forwards traffic according to its instructions. The app checks the PAC file
regularly to make sure it retrieves the latest one, and whenever it retrieves a new PAC file, it saves that
PAC file to your users' computers. This ensures that the PAC file is accessible even after users restart
the app or their computers, allowing them to access internal resources and send traffic to private IP
ranges even if your organization faces internet connectivity issues.
Whether you use a custom PAC file or have the app forward traffic to the service per its default
behavior, the app regularly checks to make sure traffic is forwarded correctly and efficiently. For
example, it checks at regular intervals whether the ZIA Public Service Edge to which the app is currently
tunneling traffic is still the best ZIA Public Service Edge for a given user's traffic. It also performs these
checks whenever a user changes networks, or restarts the app or their devices.
By default, the app overrides any proxy settings configured on users' browsers so that users cannot
manipulate the app's traffic routing. If you prefer to allow users' browser proxy settings to apply, you
can do so with your app profile policy.
Zscaler can check IP addresses to avoid IP address conflict. For example, if you are using 100.64.0.0/16
and Zscaler sees a conflicting IP address, Zscaler changes it to 100.65.0.0/16. This change in the IP
addresses can range from 100.64.0.0/16 to 100.83.0.0/16.
To learn more about the end user functionality within the app, see End User Guides. To start the
configuration process for Zscaler Client Connector, see Accessing and Navigating the Zscaler Client
Connector Portal and the Step-by-Step Configuration Guide for Zscaler Client Connector.

©2025 Zscaler, Inc. All rights reserved. 5