Private Zscaler Enforcement Node (ZEN) Access Requirements

To make sure the Private Zscaler Enforcement Node (ZEN) works correctly in your environment, ensure that your ACL configuration allows the necessary types of traffic. Refer to the following tables for details.

Inbound Requirements

| Interface(s) | Service | Port | Source | Description |
|---|---|---|---|---|
| Service | TCP | Any | Zscaler Hub IP Address | Active Service Monitoring |
| Service | TCP | 80, 443, 8080, 8800, 9400, 9443, 9480, Organization Dedicated Port | Customer Network(s) or Any If Supporting Road Warriors | Traffic Forwarding To ZEN for Inspection |
| Management | TCP, ICMP | 12001 | Zscaler Hub IP Addresses | SSH Management of ZEN; Active Service Monitoring; Centralized System Configuration Management |
| IPMI | TCP/UDP, ICMP | Any | Zscaler Hub IP Addresses | Lights Out Management |

Outbound Requirements

| Interface(s) | Service | Port | Destination | Description |
|---|---|---|---|---|
| Service | TCP | Any | Any | Outbound Proxy/Traffic Forwarding For Protected Traffic |
| Service | TCP & UDP | 53 (DNS) | Customer Provided DNS Servers and Zscaler Hub IP Address | DNS Resolution |
| Service | TCP | 9442 | Zscaler Hub IP Address | Connection to SMCDC and CA |
| Service | TCP | 9431 | Zscaler Hub IP Address | Connection to NL |
| Management | TCP | Any | Zscaler Hub IP Address | TLS Encrypted Communication to Cloud |
| Management | TCP | 9442 | Zscaler Hub IP Address | Connection to SMCDC |
| Management | TCP & UDP | 53 (DNS) | Customer Provided DNS Servers and Zscaler Hub IP Address | DNS Resolution |
| Management | UDP | 123 | Customer NTP IP Address | NTP Communications |

Zscaler Hub IP Addresses

Required IP Addresses
165.225.44.0/24       165.225.75.0/24
104.129.202.0/24      165.225.108.0/24
8.25.203.0/24         27.251.211.238/32
216.52.207.64/26      213.152.228.0/24
64.74.126.64/26       70.39.159.0/24
72.52.96.0/26         89.167.131.0/24
104.129.192.0/23      104.129.194.0/23
104.129.196.0/23      185.46.212.0/22
199.168.148.0/24      165.225.72.0/22
199.168.149.0/24      199.168.150.0/24
199.168.151.0/24      209.51.184.0/26
216.218.133.192/26    137.83.128.0/18
Recommended IP Addresses
104.129.192.0/20
165.225.0.0/17
165.225.192.0/18
199.168.148.0/22
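
One way to audit an ACL against the hub ranges above, added here as an example and not taken from Zscaler: the Python check below reports every Required range that a given set of permitted networks does not fully cover. The `uncovered` helper is a hypothetical name, and the allowlist passed to it in the sample run is constructed for illustration.

```python
import ipaddress

# Copied from the "Required IP Addresses" list on this page.
REQUIRED = """
165.225.44.0/24 165.225.75.0/24 104.129.202.0/24 165.225.108.0/24
8.25.203.0/24 27.251.211.238/32 216.52.207.64/26 213.152.228.0/24
64.74.126.64/26 70.39.159.0/24 72.52.96.0/26 89.167.131.0/24
104.129.192.0/23 104.129.194.0/23 104.129.196.0/23 185.46.212.0/22
199.168.148.0/24 165.225.72.0/22 199.168.149.0/24 199.168.150.0/24
199.168.151.0/24 209.51.184.0/26 216.218.133.192/26 137.83.128.0/18
""".split()

# Copied from the "Recommended IP Addresses" list on this page.
RECOMMENDED = ["104.129.192.0/20", "165.225.0.0/17",
               "165.225.192.0/18", "199.168.148.0/22"]


def uncovered(required, allowed):
    """Return the required CIDRs that the allowed networks do not fully cover.

    The allowed networks are collapsed first, so a required range that is
    covered only by the union of several adjacent ACL entries still counts
    as covered.
    """
    allowed_nets = list(ipaddress.collapse_addresses(
        ipaddress.ip_network(a) for a in allowed))
    missing = []
    for cidr in required:
        net = ipaddress.ip_network(cidr)
        if not any(net.subnet_of(a) for a in allowed_nets):
            missing.append(str(net))
    return missing


if __name__ == "__main__":
    # Constructed sample: an allowlist built from the Recommended list only.
    for cidr in uncovered(REQUIRED, RECOMMENDED):
        print("hub range not permitted by ACL:", cidr)
```

Run against the lists on this page, an allowlist built from the Recommended ranges alone leaves 12 of the 24 Required ranges uncovered.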