Overview
When using Workspot with a Zscaler deployment, Workspot strongly recommends configuring Zscaler to bypass Workspot traffic so that it does not pass through the Zscaler system at all. This ensures optimal performance, reduced latency, and a reliable user experience.
This is consistent with industry best practices for other Remote Desktop Protocol services used in conjunction with Zscaler products.
Zscaler products covered in this article:
Zscaler Client Connector (ZCC)
Zscaler Internet Access (ZIA)
Zscaler Private Access (ZPA), Application Segmentation (App Segment or App Seg), App Connector
Zero Trust Exchange (ZTE)
Private Service Exchange (PSE)
Your organization’s Zscaler deployment may use different configurations and Zscaler products. For questions about Zscaler products and configuration, please consult your Zscaler contacts.
Guidance and Recommendations
Configuring Zscaler for Workspot traffic requires both of the following steps:
Configure ZCC, ZIA, ZPA, and/or ZTE to bypass Workspot traffic (described below).
If necessary, add a trusted enterprise certificate to Workspot Control.
Note: If external users are traversing another corporate network with Zscaler, the other network owner needs to configure the same Allowlist and bypass to ensure external users are not blocked from connecting to Workspot.
Which URLs/FQDNs to Bypass
These fall into two categories:
Your Workspot Resources. Depending on your Zscaler configuration, some or all of these must be bypassed:
Workspot Gateways.
Workspot Desktops and Application Servers.
Workspot Enterprise Connector.
Workspot’s Resources. These include Workspot Control, Workspot Watch, Workspot Trends, and other services.
If you use Zscaler to filter internal traffic, a more extensive list may be needed; see Workspot Port Usage.
1. Configure Zscaler to Bypass Workspot Traffic
Workspot strongly recommends bypassing Workspot URLs (detailed below), especially Workspot Client traffic to Workspot gateways, for the best end-user experience.
Bypassing prevents common issues such as:
Added latency that impacts user productivity.
Users blocked from their Workspot desktops and applications.
Non-Workspot traffic slowing down Workspot users.
SSL inspection impacting session performance.
Using ZIA
If using ZIA:
Configure ZCC Application Bypass for Workspot URLs, especially for the gateways.
Disable SSL Inspection. (SSL inspection increases latency, impacts performance when accessing virtual desktops, and may interfere with secured tunnels.)
Ensure ZIA’s Traffic Bypass rules allow Workspot traffic (and such things as DNS resolution) to pass through.
Using ZPA
If using ZPA:
Configure ZCC Application Bypass for Workspot URLs, especially for the gateways.
Disable SSL Inspection. (SSL inspection increases latency, impacts performance when accessing virtual desktops, and may interfere with secured tunnels.)
Ensure ZIA’s Traffic Bypass rules allow Workspot traffic (and such things as DNS resolution) to pass through.
Using ZTE or PSE
Note: Workspot strongly recommends Zscaler bypass Workspot traffic at the ZCC and ZPA levels for performance and operational simplicity.
If using ZTE or PSE, ensure that:
PSE and ZPA are correctly configured to prevent hairpinning.
App Connector is correctly mapped to route the Workspot traffic to the correct cloud or on-premises datacenters hosting the gateways and virtual desktops. Incorrect mapping may increase latency and/or block user access.
2. Updating the Zscaler Allowlist with Workspot URLs
Adding Workspot URLs to the Zscaler Allowlist enables Zscaler products to recognize and bypass Workspot traffic.
3. Add Certificate
If necessary, add a trusted enterprise certificate to Workspot Control.