Accessing internal applications using SIPA?

Hello,

We have ZIA and SIPA, and SIPA essentially gives you everything (that I can tell) that you would get with ZPA, unless there is something on the backend that I am unaware of and cannot see.

I have SIPA working fine with app connectors in my DCs. Users are able to forward traffic from ZIA through the app connectors for the applications specified in our app segments. What I am trying to do is allow users to access some internal web applications without having to be on our VPN client. The fact that we have traffic that can go from Zscaler to our datacenter leads me to believe that this should be possible, but so far I have not been able to make it work.

I have created a specific app segment for testing internal applications

Added new segment to access policy and forwarding policy in ZPA

Added new segment to forwarding policy and ZPA policy in ZIA

I have confirmed that I can resolve the internal application from the DC app connector

However, when I try to reach the application from my test machine, it gets a "DNS cannot resolve" error. Looking at a packet capture, it seems it's sending the DNS request to my local (off-net) DNS rather than passing it to Zscaler. I have checked that the DNS domain is not in the application profile bypass, so I am kind of stumped.

As a side note, I am able to "Enable" ZPA on our ZCC and successfully authenticate to it as well. I have tried creating a segment that is not SIPA, but I still get the same result.

Can anyone confirm if what I am attempting is possible, and if so, can you direct me to any good ZPA troubleshooting steps?

So you don't forward to internal applications using SIPA - that's purely a ZPA function. I do not know if you break a ZPA App Segment when you create a ZIA Forwarding policy targeting that same application segment - but I imagine you do.

What you’re looking to do is just a standard ZPA App Segment (so no ZIA Forwarding Policy): Configuring Defined Application Segments | Zscaler

Possible in theory, as you have all the pieces, but not entirely something you'd want Zscaler to catch you doing.

SIPA, or Source IP Anchoring, is a function of ZPA by which you force an external application (an FQDN not in your domain) to use the App Connectors to forward traffic to the Internet on behalf of your users. This is used when you have SaaS applications that use IP whitelisting, so that all traffic going to that SaaS comes from your datacenter's IP(s) and not from a random Zscaler gateway.

ZPA intercepts all traffic matching your domain (as configured in ZPA) and, if there's an App Segment defined, will forward the traffic to the App Connector. If no App Segment is defined, then the traffic is dropped.

So, basically, ZPA handles *.mydomain.com, and SIPA forwards specified traffic that is not *.mydomain.com through your App Connectors. ZPA replaces your VPN client for accessing internal resources.