ZAB Connection Requirements

Looking for the latest changes? Changelog.
  • The ZAB requires only outbound connections to the Zscaler service. It does not require any inbound connections to your network from the Zscaler service. Ensure that your outbound firewall is configured to allow the necessary connections listed in the table.
  • No inbound connections necessary from Zscaler cloud to the ZAB VM unless authentication is performed through ZAB.
Source IP Destination IP Service Port Description
Inbound Requirements (optional)
Customer IP Addresses ZAB IP Addresses 443 (TCP) Customer authentication
Outbound Requirements
ZAB IP Addresses Zscaler Hub IP 9422 (TCP) Authentication and Policy Retrieval
ZAB IP Addresses Zscaler Hub IP 443 (TCP) Download of software updates
ZAB IP Addresses Remote Support IP 12002 (TCP) Reverse Tunnel for Remote Support Assistance from Zscaler. (This feature is disabled by default, and must be explicitly enabled on the ZAB. See the Troubleshooting Section in the ZAB Guide for usage)1
ZAB IP Addresses Zscaler Hub IP 9442 (TCP) ZAB Network configuration download
ZAB IP Addresses Local Nameserver IP
Zscaler Hub IP
53 (UDP/TCP) Name resolution
ZAB IP Addresses All or Local NTP Server IP 123 (UDP) Time sync with NTP Servers. The ZAB is extremely sensitive to VM and the cloud times being in sync. Please refer to the latest ZAB Guide for configuring sync with local NTP Server.
ZAB IP Addresses LDAP or AD LDAP/AD Listening Port (TCP)Typically: 389, 636, 3268, 3269 Connection to the LDAP or AD Server for synchronizing and/or authenticating users. Zscaler strongly recommends secure LDAP connections

1Remote Support IP

Zscaler Hub IP Addresses

Required IP Addresses
Recommended IP Addresses