Change IP/Geographic Location and Fool Zscaler

Hello -

My company started using Zscaler (I may be screwed - read on). I would like to be able to set the IP so that when I log into Zscaler it shows a location I choose (say New York). I do have a limited ability to install software on an admin account (not my user account but another that is admin-equivalent but still on my laptop). If I install a VPN, for example, and then go to Mexico (I may already be there! :)), set my location to New York, will Zscaler think I am in New York? Whether this is ethical or not is not the discussion topic - my objective is to get educated on solutions from people smarter than I am so that I can see how risky the options are. I have not done this step of installing VPN software on my laptop since I am not sure if it will create a conflict with Zscaler and that will just shine a big ass light on me, the very thing I want to avoid.

Side question - is there tech that allows the IP to be set at the router vs. computer settings, and is there potential for this to be a better solution for what I am trying to accomplish?

Gracias!

I’m not sure what you’re trying to accomplish…
Zscaler will work globally, and your company’s policies are typically based on your identity, not your location. So if you’re in Mexico, you will just connect to a Mexican DC. If you go to ip.zscaler.com, you’ll see your egress IP and which DC you are connected to.

ZCC uses your egress IP for your location, and there’s really no way to spoof that in this case. If you were to use a private VPN, that traffic would likely go through ZIA depending on your setup and company policies.

What are you trying to do? Maybe there’s a better way to accomplish what you’re trying to do.

You already figured out a pretty good solution to this in your side question.

For the record, I wouldn’t attempt this: If you want to work from “Mexico” and your employer has a problem with it, better to find an alternate employer.

Based on your description, I’m guessing you are using a company-issued laptop, and don’t want them to know you are using this laptop from “Mexico”. Because of that, and because you don’t know what kind of monitoring/reporting they have on that device, you need to consider that laptop “compromised”, as in any measures you take on that device to fool Zscaler could be countered or reported at any time. If their IT team has their shit together enough to be using Zscaler, they are probably using some kind of security tool that can report everything running on the device, including any other VPN clients, which would throw a red flag.

So yes, the solution is to handle the circumvention from outside your “compromised” laptop, and to control it at the router level instead.

You should consider setting up a router running OpenWrt, and configuring it to COMPLETELY send ALL internet traffic through a VPN service that will make your egress appear where you want it to. Here is a decent guide for setting up OpenWrt to go through NordVPN, for example:

https://support.nordvpn.com/Connectivity/Router/1047411192/OpenWRT-CI-setup-with-NordVPN.htm

Note, I don’t really recommend NordVPN; this guide just covers all the basic gotchas for the setup, for example, ensuring DNS traffic isn’t leaked outside the VPN. Just make sure you do all the same configs on your router with whichever OpenVPN provider you use.

If this is the only internet connection your laptop uses to get to the internet, zscaler shouldn’t be able to determine that you are connecting from anywhere else.

Again, disclaimer, I haven’t actually tried this, so unless you have the opportunity to do some testing and confirm things are working as expected, exercise caution.

Now, the gotcha:

The reason NordVPN is a bad idea for this is that, as far as VPNs go, they are pretty famous. As such, while it will make it appear as if you are connecting from the US (if you use the correct NordVPN server), they will also be able to tell that it’s coming from a NordVPN IP. If they are paying attention to that, it’s just as bad a red flag. In fact, that will be the case for any provider you use. You could maybe fly a bit under the radar by setting up your own OpenVPN server, if you know how to, but again, if you host it in a major data center like AWS or even a colo, seeing your traffic come from that IP would be just as suspicious.

Your best option, if you are going this route, would be to host your own OpenVPN server on a Linux machine at a residential address in the US.

But the better option:

If you can: leave the laptop where it’s supposed to be.

Basically, what I would do is leave the laptop in the US, again, at a residential address you trust and/or have control over. It’s much easier to just remote into your laptop from elsewhere, and then use it. All the traffic from the laptop will show up as coming from where it’s supposed to.

If you want to be a little risky, you could put remote access software on the laptop like LogMeIn, TeamViewer, etc., but again, you are trying to fly under the radar, so maybe a less known software like Splashtop.

But still, again, any of these might be blocked or detected at any time.

So what’s the REAL best answer?

KVM over IP, something like this:

https://www.amazon.com/Extender-Keyboard-Ethernet-Network-Latency/dp/B07N2M5YYR/ref=sr_1_3?keywords=ip%2Bkvm&qid=1673837702&sr=8-3&ufe=app_do%3Aamzn1.fos.f5122f16-c3e8-4386-bf32-63e904010ad0&th=1

Remember, the best solution is one outside the “compromised” device.

You connect the laptop to one of these things.

To the laptop, you’ve simply plugged in a monitor, keyboard, and mouse.

You remote into the KVM over the internet, and presto, it’s like you are sitting there with the laptop. Some can even do remote power on, etc.

Configure the laptop to use the KVM monitor as the only monitor, since you won’t be there to see the built-in laptop screen.

Especially if you have a friend, etc., you can call to put hands on the device in the rare occasion something goes wrong (power failure, loss of internet, etc.), this is probably the safest and most foolproof way to accomplish what you want.
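The "gotcha" above (a commercial VPN or data-center egress is itself a red flag) is easy to operationalise on the defender's side. The script below is an added example, not code from the thread or from any vendor: it tags login records whose source address falls in a feed of VPN/hosting ranges and flags a user whose reported geolocation changes between sessions. The ranges, the log format (`user=... src=... geo=...`) and the log lines are constructed placeholders, not real provider allocations or real Zscaler output.

```python
"""Flag sign-ins whose egress IP sits in a known VPN/hosting range.

Added example for this thread; ranges and log lines are constructed.
"""
import ipaddress
import re

# Constructed stand-in for a commercial-VPN / hosting IP feed (documentation
# prefixes only, not real provider space).
KNOWN_RANGES = {
    "commercial-vpn": ["203.0.113.0/24", "2001:db8:1::/48"],
    "hosting": ["198.51.100.0/24"],
}

_NETS = [
    (ipaddress.ip_network(cidr), label)
    for label, cidrs in KNOWN_RANGES.items()
    for cidr in cidrs
]

# Assumed (constructed) log format: "<ts> user=<u> src=<ip> geo=<cc-region>"
LOG_RE = re.compile(r"user=(?P<user>\S+)\s+src=(?P<src>\S+)\s+geo=(?P<geo>\S+)")


def classify(ip_text):
    """Return the feed label for an address, or 'unlisted' if it is in none."""
    ip = ipaddress.ip_address(ip_text)
    for net, label in _NETS:  # mixed v4/v6 membership tests are simply False
        if ip in net:
            return label
    return "unlisted"


def review(log_lines):
    """Return (user, src, reason) findings for listed egress or a geo change."""
    findings = []
    last_geo = {}
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        user, src, geo = m.group("user", "src", "geo")
        label = classify(src)
        if label != "unlisted":
            findings.append((user, src, f"egress in {label} range"))
        prev = last_geo.get(user)
        if prev is not None and prev != geo:
            findings.append((user, src, f"geo changed {prev}->{geo}"))
        last_geo[user] = geo
    return findings


# Constructed sample: alice moves onto a VPN range; bob's egress becomes a
# hosting IP and his reported region changes at the same time.
SAMPLE_LOG = [
    "2024-01-15T13:02:11Z user=alice src=192.0.2.5 geo=US-NY",
    "2024-01-15T13:45:09Z user=alice src=203.0.113.7 geo=US-NY",
    "2024-01-16T09:10:00Z user=bob src=192.0.2.77 geo=US-TX",
    "2024-01-16T09:12:30Z user=bob src=198.51.100.20 geo=MX-CMX",
]

if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(*finding)
```

A self-hosted server at a residential address defeats only the first check; the second (a user whose egress region or data centre changes) is the kind of signal the thread says a boss "probably isn't watching", but it costs a defender one line of log query.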

To the best of my knowledge, since Z is on your machine as a client, it knows what your IP is on your true location before you’ve hit any destination / third party VPN.

In other words, if you’re in Mexico but want to use Nord in Ireland to watch Netflix, Zscaler will know you’re in MX but Netflix will think you’re in IE.

Edit: maybe use ip.ZScaler.com to confirm. It’s been a while since I tested this particular use case.

i’m in a similar boat. I have:

  1. a wireguard server running at my house in the US
  2. a GL.iNet travel router (the Opal was enough, but the Slate AX is much faster) running the WireGuard client
  3. The travel router is configured to kill traffic outside of the wireguard VPN, so if the VPN is out for some reason my work computer can’t reach the internet.
  4. Wifi off on the computer, or at least auto-reconnect turned off for known networks outside of the US.

With that configuration my PC only sees the internet through my house in the US, and that’s enough to fool zscaler client running on the PC, and I don’t need to touch anything on the work computer. The work computer doesn’t have a GPS, so it can’t figure out where it is except for the IP of my house in the US, so it thinks it’s in the US.

With a mobile phone you need to be careful to disable the phone network (LTE etc), and location, leaving only wifi and having wifi connect only to your travel router. I don’t need a mobile phone for work except for okta 2nd auth and I don’t think that cares about where the phone is, but if you want to play safe take the phone precautions (which would likely force you to have 2 phones).

This has worked fine for me for the time being. I use Zoom for meetings, VNC for running on servers, else ssh+screen+vim if the connection is not good enough.

I get my stuff done, and I’m free from location restrictions. I believe there are tax and insurance things in play, so be careful. Stuff like: if you get hurt in Bali when working for a US company they may be liable, and may not have that set up. Or if everybody is working from Bali the company should be dealing with Bali taxes (yes, most of this effort is for the sake of surfing).

If you want details on how to set this up I can share a few links. You’ll have to pay for hardware (between $50 and $400 depending on the speed you need and what your current router can do), but no monthly costs.

Happy surfing.

FYI the Zscaler client will detect when you are using a VPN and admins can set policy on what happens when a VPN is seen. Your admins may have set policy to bypass Zscaler when a VPN is detected. Regardless of what happens I’m pretty sure your VPN use would be logged. If your VPN does anything to proxy settings the traffic won’t be forwarded properly to Zscaler cloud and this can be reported on. Also anonymiser use can be easily blocked in ZIA so your policy may already be blocking your VPN.

What you are suggesting could work though, assuming your admins have not set up Zscaler properly. However, given VPNs are commonly used to attempt to bypass Zscaler, it’s likely something they’ve considered.

The other response from garretwcox is the best solution. Leave your laptop at home and RDP to it…

If you go here you can see which Zscaler DC you are connected to.

ZCC can be forwarded through a VPN tunnel. Geo location for data center selection is performed via an API call from client connector. As long as the client source IP used for that API call appears in a particular region based on the MaxMind database, you’re good to go by default. Now as long as there is no endpoint posture checking happening that looks at physical GPS geolocation via MDM functionality, you should be ok. Otherwise, your mileage could get very limited.

You can always visit https://www.ip2location.com and check where your IP geolocation, as detected from Zscaler, is.

Thanks for the feedback. Essentially I want to take my work laptop and work remotely from Mexico (or pick a country) for a US-based company. Currently most of the companies in the US do not officially allow an employee to travel anywhere and work from location X (I know mine does not) simply because it creates a hassle with the official taxation mechanism, and hence they mandate remote workers stay within the US… I see no harm done to anyone, so breaking them would not keep me awake at night. My objective is to see if I can set my IP to a US location while being outside… with reasonable confidence.

Greatly appreciate your input - this is exactly what I was looking for. Next step is to research in depth each option and test things out. I know it is cliche, but knowledge truly is the real power. Thanks!

Awesome explanation. I’ve tested this scenario. Have a travel router that can full tunnel all the traffic to the “home” router.

Loving this answer and the effort put into it, but if his company has Zscaler Digital Experience (ZDX), OP can just get busted, as that logs hop-by-hop jumps through each network.

Hello. Can you share the links of how to get this setup? Thanks

Hi, can you explain what you mean by this?

“VNC for running on servers, else ssh+screen+vim if connection is not good enogh.”

My work laptop will be using Zscaler and MS Teams.

Thanks. Thing is, whether I am logged into Zscaler on my laptop or not I get the same window when I go to https://ip.zscaler.com. I.e., I get “The request received from you didn’t come from a Zscaler IP therefore you are not going through the Zscaler proxy service.”

It’s not that companies don’t allow it, when you go to work in a foreign country (like Mexico), you’re required to get a work visa, and you and the employer must pay taxes there.

If there isn’t a work reason for you to be in Mexico, then your company most likely doesn’t want to have to pay taxes for you there, or sponsor your visa.

What some people do is a “work-cation”. That’s where you travel somewhere as a tourist, but do some remote work while there. That’s still technically tax fraud, and violates the terms of your entry to the country, but it’s harder to get caught if your primary visit is tourism. But you’re still screwing over the local population, since they aren’t getting the tax revenue from your work.

In terms of Zscaler, you’d connect to the Mexico DC, unless your company uses a sub cloud and only allows US DCs. In that case you’d connect to DFW, LA, or MIA. Chances are your boss probably isn’t going to be watching which DC you’re connected to, so they may not even know. The only issue you may see is that government and certain bank sites will block access for users outside of the country (that’s common in most countries), so if you use those types of sites, you may need to force yourself to use a US DC.

Did you try any of the above? Did it work?

u/krelfodollar I recently learned about https://tailscale.com/ , may be easier to setup. The travel router client may be the trickier part. I haven’t tried it myself, so I can’t recommend it quite yet.

That said, here are my notes about what I have working with Asus and GL.iNet routers:

Hardware

  1. Home router that supports
    • A VPN server. Ideally wireguard, else OpenVPN.
    • ddns. A lot include a free version (Asus, GL.iNet, TP-Link).
    • Reliable speed, specifically upload since that’ll act as download when using VPN
  2. A travel router that supports the corresponding VPN client.

A sample configuration (mine):

  1. Asus RT-AX88U Pro. Goes for 270+tax new, ~150 used off ebay or others.
  2. GL.iNet GL-AXT1800 (Slate AX). Goes for 112+tax new, may be used versions

Either side can be cheaper; the cheapest combo is likely a server+client each from a GL.iNet GL-SFT1200 (Opal), but speed will be significantly slower than with a more expensive set (I saw 4x w.r.t. my setup).

Software

The VPN protocol I recommend is WireGuard; it’s lightweight, allowing it to run significantly faster than OpenVPN on the router. There are clients for mobile, Linux, and I assume Windows.

I have both the Wireguard and OpenVPN servers running at my place, the latter as a fallback which I’ve only used for debugging.

I’m a sw dev and often work on servers that are in the office. VNC and ssh are 2 ways to access remote machines. In your use case I don’t think any of that is relevant.

With the approach I suggested you can just use teams on your local machine. Performance will depend on 1. internet speed at your current location 2. internet speed where you have your VPN server running 3. routers you are using (the very cheap ones can end up being the bottleneck due to CPU limitations).
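The two router-based recipes in this thread (the OpenWrt "send ALL traffic through the VPN, don't leak DNS" post, and the WireGuard home-server plus travel-router setup with its kill switch) come down to a pair of wg-quick configs and three checks on the client side. The script below is an added example; it is not the posters' configuration and not GL.iNet's, Asus's or OpenWrt's own tooling. It writes a home-server config and a travel-router config, then audits the client config for the leaks that would reveal the true location: a split tunnel (missing `0.0.0.0/0` or `::/0`, the IPv6 half is the one people forget), a resolver outside the tunnel, a missing kill switch, and missing NAT into the tunnel (without which the server's `AllowedIPs = <client>/32` silently drops the laptop's packets). Keys, addresses, the DDNS hostname, the interface names and the use of iptables in the hooks are placeholder assumptions.

```python
"""WireGuard full-tunnel pair (home server + travel router) with a leak audit.

Added example for this thread. Keys, addresses, hostnames and interface names
are placeholders; make real keys with: wg genkey | tee priv | wg pubkey
"""
import ipaddress

# --- placeholder assumptions, not anyone's real setup ---------------------
HOME_ENDPOINT = "home.example.net:51820"      # DDNS name of the home router
TUNNEL_NET = ipaddress.ip_network("10.66.0.0/24")
SERVER_PRIV, SERVER_PUB = "SERVER_PRIVATE_KEY_B64", "SERVER_PUBLIC_KEY_B64"
CLIENT_PRIV, CLIENT_PUB = "CLIENT_PRIVATE_KEY_B64", "CLIENT_PUBLIC_KEY_B64"
HOME_WAN_IF = "eth0"        # upstream interface on the home router
TRAVEL_LAN_IF = "br-lan"    # LAN bridge the work laptop is plugged into
SERVER_IP, CLIENT_IP = TUNNEL_NET[1], TUNNEL_NET[2]


def server_config():
    """Home side: accept the peer and NAT tunnel traffic out of the home WAN."""
    return f"""[Interface]
Address = {SERVER_IP}/{TUNNEL_NET.prefixlen}
ListenPort = 51820
PrivateKey = {SERVER_PRIV}
PostUp = iptables -t nat -A POSTROUTING -s {TUNNEL_NET} -o {HOME_WAN_IF} -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -s {TUNNEL_NET} -o {HOME_WAN_IF} -j MASQUERADE

[Peer]
PublicKey = {CLIENT_PUB}
AllowedIPs = {CLIENT_IP}/32
"""


def client_config():
    """Travel router: all v4+v6 and DNS via home; LAN may only exit into %i."""
    return f"""[Interface]
Address = {CLIENT_IP}/{TUNNEL_NET.prefixlen}
PrivateKey = {CLIENT_PRIV}
DNS = {SERVER_IP}
# Kill switch: refuse to forward LAN traffic anywhere but the tunnel.
PostUp = iptables -I FORWARD -i {TRAVEL_LAN_IF} ! -o %i -j REJECT
PreDown = iptables -D FORWARD -i {TRAVEL_LAN_IF} ! -o %i -j REJECT
# NAT LAN sources to the tunnel address so the server's AllowedIPs accepts them.
PostUp = iptables -t nat -A POSTROUTING -o %i -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -o %i -j MASQUERADE

[Peer]
PublicKey = {SERVER_PUB}
Endpoint = {HOME_ENDPOINT}
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
"""


def parse(cfg_text):
    """Minimal wg-quick parser: {section: [(key, value), ...]}, comments dropped."""
    sections, current = {}, None
    for raw in cfg_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            sections[current].append((key, value))
    return sections


def _values(items, key):
    return [v for k, v in items if k == key]


def audit_client(cfg_text):
    """Return leak findings for a client config; [] means full tunnel + kill switch."""
    cfg = parse(cfg_text)
    iface, peer = cfg.get("Interface", []), cfg.get("Peer", [])
    findings = []

    allowed = set()
    for value in _values(peer, "AllowedIPs"):
        allowed.update(ipaddress.ip_network(x.strip()) for x in value.split(","))
    for default in ("0.0.0.0/0", "::/0"):
        if ipaddress.ip_network(default) not in allowed:
            findings.append(f"split tunnel: {default} not in AllowedIPs")

    dns = _values(iface, "DNS")
    if not dns:
        findings.append("no DNS= line: queries go to the local network's resolver")
    else:  # assumed rule: the resolver must sit inside the tunnel prefix
        for server in dns[0].split(","):
            if ipaddress.ip_address(server.strip()) not in TUNNEL_NET:
                findings.append(f"DNS {server.strip()} is outside the tunnel")

    hooks = " ".join(_values(iface, "PostUp"))
    if "REJECT" not in hooks and "DROP" not in hooks:
        findings.append("no kill switch in PostUp: LAN leaks when the tunnel is down")
    if "MASQUERADE" not in hooks:
        findings.append("no NAT into tunnel: server AllowedIPs will drop LAN sources")
    return findings


if __name__ == "__main__":
    print(server_config())
    print(client_config())
    print("client findings:", audit_client(client_config()))
```

Two things the configs assume but do not enforce: the home router must actually run a resolver that listens on the WireGuard interface (dnsmasq on Asus and OpenWrt usually does, but check `listen-address`/interface settings), and the travel router must hand its own address to LAN clients as DNS so the laptop's queries enter the tunnel rather than the hotel's resolver. On a GL.iNet unit the kill switch and NAT are the "Block Non-VPN Traffic" toggle and default VPN policy; the hooks here are the equivalent for a plain wg-quick install.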

Maybe they’re using only ZPA (Private Access; to connect into internal applications) without protecting Internet communications. Not the most secure thing to do, but it’s known to happen. (Or, now I think of it, they could specifically bypass traffic going to ip.zscaler.com…). You can check yourself: if you open the client (after logging in), do you see a “ZIA” and/or a “ZPA” icon? If you do you can click on it and look at the amount of traffic processed; that should tell you more