Why this lesson matters
Lesson 1 gave you the vendor-comparison-grade view: "Zscaler is SSE, ZIA replaces SWG, the Exchange brokers everything." That's the slide-deck answer. This lesson gives you the L3-engineer answer: when a user complains "YouTube is blocked but it shouldn't be," you can trace it through CA → PSE → Trust Pool → policy evaluation in 30 seconds because you know where each thing lives.
Every Zscaler troubleshooting call eventually comes down to one of these: "is the right policy on the right PSE for this user's location?" That sentence alone has six concepts in it. Let's unpack each one.
The ZIA cloud — every component on one diagram
Before any deep dive, lock the high-level layout into your head:
Three layers — config (CA + Admin Portal), constraint (Sub-Cloud), enforcement (PSE pools grouped by region and Trust Pool). Nanolog sits beside the enforcement plane and feeds logs into Web Insights + your SIEM.
Component-by-component breakdown
Central Authority (CA) — the brain
The CA is the single config plane. One CA per Zscaler cloud (zscaler.net, zscloud.net, etc.). When you save a URL Filtering rule in the Admin Portal, you're writing to the CA. The CA then pushes that policy to every PSE in seconds via Zscaler's internal control-plane mesh.
The CA is multi-tenant — your company shares it with ~4000 others — but tenant isolation is enforced at the row level on every read. You never see another tenant's rules. The Org ID is shown in Administration → Company Profile → Org ID — not in the URL — and you'll need it on every Zscaler support call.
Public Service Edge (PSE) — the enforcement plane
PSEs are the actual servers (VMs running in Zscaler-operated data centres) that intercept user traffic, evaluate policy, and proxy to the internet. ~150+ PSE pools live worldwide; each pool typically has 4–8 active PSEs behind a single GeoDNS-resolved IP (Zscaler uses GeoDNS — not anycast — for ZIA PSE selection). Inside the PSE the Single Scan Multi-Action (SSMA) engine parses each packet once and runs every check (URL filter, SSL inspect, malware, DLP, IPS, sandbox) in parallel — that's why Zscaler can do SSL inspection at line rate where on-prem proxies usually need to serialise checks.
Every PSE has the same code running. The differences between PSEs are: (a) physical location, (b) which Trust Pool they're assigned to. Otherwise they're interchangeable.
Sub-Clouds — the tenant constraint layer
By default your tenant can land on any PSE in your Zscaler cloud (best-latency wins). A Sub-Cloud is a per-tenant constraint that says "for these users / these locations, only use this subset of PSEs." Real reasons to use Sub-Clouds:
- Data residency — German subsidiary must only hit EU PSEs (GDPR).
- FedRAMP / GovCloud isolation — federal traffic separated from commercial.
- Beta rings — a tenant in beta can be pinned to PSEs running the beta software train so production users aren't affected.
You configure Sub-Clouds in Administration → Resources → Sub-Cloud. Then attach them to Locations (per-site) or Departments (per-user-group).
Service Edges (Private + Virtual) — when public PSEs aren't enough
Three flavours, easy to confuse — keep them straight:
| Type | Lives where | Why use it |
|---|---|---|
| Public Service Edge (PSE) | Zscaler data centres | Default. Most tenants only use these. |
| Private Service Edge | Customer's own DC / VM | Strict data-sovereignty or air-gapped environments. Same code as PSE, customer-operated. |
| Virtual Service Edge (VSE) | Hyperscaler VM (AWS / Azure) | Burst capacity or specific region where Zscaler lacks a PSE. Customer-owned VM, customer-billed cloud compute. |
L1/L2 engineers may never touch Private or Virtual Service Edges. But know they exist — interviewers ask the difference.
Sub-Cloud variants — compliance flavours of each Zscaler cloud
Sub-Cloud variants: Each Zscaler cloud (zscalerone, zscalertwo, zscalerthree, zscloud, etc.) has variants — standard, GDPR (EU-resident processing), FedRAMP (US gov), Compliance (PCI/HIPAA isolation). The variant constrains the PSE list your tenant can land on. SSL Trust Store config is separate (under Administration → SSL Inspection).
Nanolog Cluster — the log plane
Nanolog is a separate cluster of servers per Zscaler cloud. Every PSE streams transaction metadata (URL, response code, file hash, user, location, policy hit) to Nanolog in real time. Inside Nanolog the data is compressed (~50:1 ratio — that's how Zscaler stores billions of transactions cheaply) and indexed for Web Insights queries. NSS / Cloud NSS connects to Nanolog and ships records to your SIEM. End-to-end latency PSE → Nanolog → query: typically 2–5 min for Web Insights (UI search index) and ~1 min for NSS streaming to your SIEM.
The packet walk — one HTTPS request, every component touched
Trace one packet: a Mumbai-based user opens github.com/zscaler/private-repo in Chrome. Here's exactly what happens, in order:
Eight numbered steps from a Mumbai laptop's browser to GitHub and back. Note step 3 — Location matching happens at the PSE, not at the CA. The PSE looks up the source identity (ZCC enrollment ID or source IP) and decides which Location's policy bundle to apply. If the Location is wrong, the wrong policy applies — that's the #1 ZIA misconfiguration in production.
The ZIA Admin Portal — guided tour
Log in at https://admin.zscaler.net (or your cloud's URL — admin.zscalerthree.net, admin.zscloud.net). The sidebar has 6 sections. Here's what lives where — memorise this layout, it's identical across every Zscaler tenant in the world:
| Sidebar section | What's inside | You'll spend time on… |
|---|---|---|
| Dashboard | Tenant-wide stats, top categories, threats blocked, bandwidth | Daily morning glance — anomaly detection |
| Policy | URL Filtering · Cloud App Control · FW · IPS · DNS · Malware · Sandbox · DLP | 90% of your day-job is here |
| Administration | Locations · Sub-Locations · Departments · Users · Auth · Sub-Clouds | Day 1 of a new tenant rollout |
| Insights | Web · Firewall · DNS · Tunnel logs (Nanolog-backed search UI) | Every troubleshooting call |
| Analytics | Pre-built reports, Risk Assessment, Compliance dashboards | Monthly exec review |
| Activation | "Activate" button — pushes your saved-but-staged config to all PSEs | After every change (don't forget!) |
Every change in the ZIA Admin Portal is staged until you click Activation → Activate. Engineers new to Zscaler save a policy, refresh the page, and assume it's live. It isn't — it sits in the staging area until you push it. The Activation banner at the top of every page ("You have unsaved changes") is your reminder. Forgetting this is responsible for half the "I changed the rule but nothing happened" tickets.
Locations & Sub-Locations — the identity-by-IP layer
A Location in ZIA is a named source identity that maps to one or more public IPs. Your Mumbai HQ has IP 203.0.113.10 on its internet gateway? Create a Location called "Mumbai-HQ" with that IP. Every request hitting a PSE from 203.0.113.10 is now identified as coming from Mumbai-HQ, and the policy bundle for Mumbai-HQ applies.
A Sub-Location is a refinement within a Location. Same Mumbai-HQ has a separate Wi-Fi guest VLAN behind the same public IP? Create Sub-Location "Mumbai-HQ-Guest-WiFi" with the internal IP range (e.g. 10.20.30.0/24). Now the PSE distinguishes "Mumbai-HQ employee on LAN" from "Mumbai-HQ guest on Wi-Fi" — different URL Filtering rules, different bandwidth limits.
For roaming users (laptop on home Wi-Fi), there's no stable public IP. So roaming users are identified via their ZCC enrollment instead — the ZCC client sends an authenticated header that the PSE recognises. The Location for roaming users is usually a special "Road Warrior" Location with no IP, and matches via ZCC auth.
Configure a Location — the steps
Administration → Resources → Locations → + Add Location Name: Mumbai-HQ Public IP: 203.0.113.10 Country: India Timezone: Asia/Kolkata Auth Required: Yes (forces user authentication) Cookie SSO: Yes (transparent SAML re-auth) XFF Forwarding: Yes (preserves real client IP in logs) Caution: Off (warning page on first visit) Bandwidth: Use Sub-Location rules Profile: Standard (Sub-Cloud not applied) Save → top banner shows "1 staged change" → Activation → Activate Now (global activation is usually 60–90s in your region, up to 5 min worldwide)
Configure a Sub-Location
Administration → Locations → Mumbai-HQ → Add Sub-Location Name: Mumbai-HQ-Guest-WiFi IP Range: 10.20.30.0/24 Inherit policy: No (override parent — guests get stricter rules) Bandwidth Cap: 50 Mbps (down) / 20 Mbps (up) URL Filter Override: Yes → "Guest-Restricted" rule set Save → Activate
Always enable X-Forwarded-For (XFF) Forwarding on every Location. With it on, the PSE preserves the original client's internal IP (e.g. 10.20.30.45) in the request to the destination. Internal apps behind the PSE that log XFF will see the real source. Without XFF, every internal log shows the same PSE egress IP — useless for forensics.
After creating a Location, ask a user at that site to open https://ip.zscaler.com. The page returns:
- Public IP — should match the Location's configured IP
- Cloud — your tenant cloud (e.g.
zscaler.net) - Service Edge — the PSE handling their traffic
- Location — should show Mumbai-HQ (or your name)
If the Location field shows "Unknown" or the wrong name, your IP is wrong or the change hasn't been Activated yet.
Common production gotchas (you'll hit these)
- NAT IP changed at the branch and you didn't update the Location. ISP gave you a new public IP, the branch now shows up as "Road Warrior" with the wrong policy bundle. Always update Location IPs the same day ISPs swap circuits.
- Sub-Location IP range overlaps another Sub-Location. ZIA picks the most specific (longest-prefix) match, but if you have ambiguity the result is non-deterministic. Audit overlap with `ip.zscaler.com` from each subnet.
- Forgot to Activate after a policy change. See the callout above — every change is staged until you click Activate.
- Sub-Cloud attached to the wrong Location. A German subsidiary's "EU-Only" Sub-Cloud accidentally got attached to a US Location. Their US traffic stopped working (no US PSE in the Sub-Cloud). Always sanity-check the Sub-Cloud → Location mapping after creating it.
- Trust Pool mismatch. You moved a tenant to FedRAMP for compliance, but a few PSE pools are still in General. Some SSL inspections randomly fail because not all PSEs trust the same root CA bundle. Rare but ugly — always confirm Trust Pool uniformity across the active PSE list.
- XFF disabled on Location. Internal SIEM logs lose source IPs after Zscaler rollout. Engineers blame Zscaler, but it's a Location setting. Turn XFF on by default.
Real-world scenario — branch IP changed, half the office is "wrong"
Sunday morning, the Pune branch's ISP swaps circuits during a planned outage. Public IP changes from 203.0.113.10 to 198.51.100.50. Monday morning, the Pune team complains: "YouTube which was blocked at the office is now allowed. And the corporate intranet is asking for re-auth every request."
Your debug path, using everything from this lesson:
- Ask a Pune user to hit
https://ip.zscaler.com. It returns the new public IP198.51.100.50andLocation: Road Warrior(the default catch-all). That's the root cause — ZIA is treating them as roaming users, not as Pune-HQ. - Roaming users get the default URL Filtering policy (looser — YouTube allowed). And without the Pune Location's Cookie SSO setting, users re-auth on every request.
- Fix: Administration → Locations → Pune-HQ → update Public IP to
198.51.100.50→ Save → Activation → Activate Now. Wait 60s. Re-test withip.zscaler.com— Location should now show "Pune-HQ". - Validate in Web Insights — filter by Location=Pune-HQ for the last 5 minutes; you should see Pune traffic returning. Cookie SSO re-engages, intranet auth stops popping.
Total fix time once you know the path: about 2 minutes. The whole incident would have been zero minutes if the branch network team had pinged you about the IP swap before Sunday.
📌 Quick reference (memorise before Module 3)
- CA = config plane (write rules here). PSE = enforcement plane (rules push down). Nanolog = log plane. One CA per cloud; 150+ PSE pools globally; one Nanolog cluster per cloud.
- Sub-Cloud = per-tenant constraint on which PSEs are allowed (data residency / compliance / beta).
- Service Edge flavours: Public (Zscaler DC) · Private (customer DC) · Virtual (customer VM on AWS/Azure).
- Sub-Cloud variants per Zscaler cloud — standard / GDPR / FedRAMP / Compliance — constrain which PSEs your tenant can land on. SSL Trust Store config is separate (Administration → SSL Inspection).
- SSMA = single parse, parallel checks → why Zscaler does SSL inspect at line rate.
- Location identifies traffic by public IP. Sub-Location refines by internal IP range. Road Warrior = catch-all for roaming users (ZCC auth instead of IP).
- Admin Portal sidebar: Dashboard · Policy · Administration · Insights · Analytics · Activation.
- Every change is staged until you click Activation → Activate Now. Global activation usually 60–90 s in your region, up to 5 min worldwide.
- XFF Forwarding always ON — preserves client IP in internal logs.
- Single diagnostic command:
https://ip.zscaler.com→ confirms Cloud, PSE, Location, and whether traffic is inspected.
Trace a request end-to-end:
- From your laptop with ZCC running, open DevTools and load
https://www.cnn.com. Note Response headers — find anyX-Zscaler-*markers. - In ZIA Admin → Analytics → Web Insights, search for your username in the last 5 min. Find the request, click into details — note: PSE name, Sub-Cloud, location, policy hit.
- Compare PSE name to your tenant's published cenr list — verify it's in your trust pool.
📝 Check your understanding
10 scenario questions — same depth you'll see in interviews + ZDTA practice exams. Pick one answer per question. You need 70% (7 of 10) to mark this lesson complete on your profile.
What's next — Lesson 3
You can now map every component, walk the packet, and configure Locations + Sub-Locations. Next lesson opens up identity: how ZIA and ZPA both authenticate users — SAML SSO assertion walkthrough, IdP integration (Azure AD / Okta / Ping), SCIM provisioning, and ZIdentity.