ZIA Virtual Service Edge

Looking for the latest changes? Changelog.
  • To ensure that your ZIA Virtual Service Edge works correctly in your environment, configure your firewall to allow the outbound connections listed in the following table.
  • There is no need to open inbound connections from the cloud.
Source IP Destination IP Service Port Description
ZIA Virtual Service Edge IP Addresses Zscaler Hub IP 9422 (TCP) Authentication and Policy Retrieval
ZIA Virtual Service Edge IP Addresses Zscaler Hub IP 443 (TCP) Download of software updates
ZIA Virtual Service Edge IP Addresses Zscaler Hub IP 9431 (TCP) Log transmission to Zscaler Nanolog for Analytics
ZIA Virtual Service Edge IP Addresses Zscaler Hub IP 9442 (TCP) ZIA Virtual Service Edge Network configuration download
ZIA Virtual Service Edge IP Addresses Remote Support IP 12002 (TCP)

Reverse Tunnel for Remote Support Assistance from Zscaler (This feature is disabled by default, and must be explicitly enabled on the ZIA Virtual Service Edge. See the Troubleshooting Section in the Virtual ZEN Guide for usage)1

ZIA Virtual Service Edge IP Addresses Local Nameserver IP 53 (TCP/UDP) Name Resolution
ZIA Virtual Service Edge IP Addresses All or Local NTP Server IP 123 (UDP)

Time sync with NTP Servers. ZIA Virtual Service Edge is extremely sensitive to VM and the cloud times being in sync. Please refer to the latest ZIA Virtual Service Edge Guide for configuring sync with local NTP Server.

ZIA Virtual Service Edge Proxy IP Address Any Any Outbound Proxy/Firewall/Traffic Forwarding For Protected Traffic

1Remote Support IP 199.168.148.101

ZIA Virtual Service Edge IP Addresses refers to Proxy IP, Mgmt IP and the LB IP.

 

ZIA Virtual Service Edge Inbound Connection Requirements

  • No inbound connections from Zscaler cloud required.
Source IP Destination IP Service Port Description
Local Network ZIA Virtual Service Edge Management IP 22 (TCP) Shell access to the ZIA Virtual Service Edge
Local Network ZIA Virtual Service Edge Cluster IP or ZIA Virtual Service Edge Proxy IP 80, 443, 8800, 9400, 9443, 9480, Organization Dedicated Port (TCP) or GRE Tunnel Traffic forwarding into ZIA Virtual Service Edge. Use Cluster IP for cluster mode and ZIA Virtual Service Edge Proxy IP for Standalone mode

Zscaler Hub IP Addresses

Required IP Addresses
165.225.44.0/24165.225.75.0/24
104.129.202.0/24165.225.108.0/24
8.25.203.0/24 27.251.211.238/32
216.52.207.64/26213.152.228.0/24
64.74.126.64/26 70.39.159.0/24
137.83.128.0/1872.52.96.0/26
89.167.131.0/24104.129.192.0/23
104.129.194.0/23104.129.196.0/23
185.46.212.0/22199.168.148.0/24
165.225.72.0/22199.168.149.0/24
199.168.150.0/24199.168.151.0/24
209.51.184.0/26216.218.133.192/26
Recommended IP Addresses
104.129.192.0/20
165.225.0.0/17
165.225.192.0/18
199.168.148.0/22