Zscaler Zero Trust Exchange: ZIA, ZPA, and ZDX Explained
The classic enterprise perimeter assumed two things: users are in the office, and applications are in the data center. Neither is true anymore, and hairpinning a remote user's Microsoft 365 traffic through a VPN concentrator and a firewall stack in a data center three states away is how you get both bad security and bad performance.
Zscaler's answer is the Zero Trust Exchange: a globally distributed cloud that sits between users and everything they access. Instead of putting users on a network, it brokers individual connections — user to app, per session, per policy. No inbound holes in your firewall, no flat network to move laterally across.
The platform has three pillars you'll encounter: ZIA, ZPA, and ZDX.
ZIA — Zscaler Internet Access
ZIA is the outbound security stack as a service: secure web gateway, cloud firewall, TLS inspection, sandboxing, DLP, CASB. Every user's internet and SaaS traffic goes through the nearest Zscaler enforcement node, where policy follows the user — same rules in the office, at home, or in an airport.
What it replaces: the branch proxy appliance, the URL filter, most of the outbound firewall rulebase, and the "backhaul everything to HQ for inspection" WAN design.
Key capabilities to understand:
- TLS inspection at scale — most threats ride encrypted channels now; ZIA terminates and inspects TLS in the cloud. Plan the certificate deployment and the bypass list (banking, health) early; this is the politically hardest part of any rollout.
- Cloud firewall — full outbound port/protocol control, not just 80/443, so you can retire branch egress firewall rules.
- Bandwidth control & shaping — per-location policy, useful for guest networks.
- DLP and CASB — inline inspection of what's leaving, plus API scanning of data at rest in sanctioned SaaS.
ZPA — Zscaler Private Access
ZPA is the VPN replacement, and architecturally it's the more interesting product:
- App Connectors — lightweight VMs/containers deployed next to your private applications (data center, AWS VPC, wherever). They make outbound-only TLS connections to the Zscaler cloud. Your firewall needs zero inbound rules.
- Client Connector on the user device requests an application by name.
- The Zero Trust Exchange authenticates the user (via your IdP — SAML/SCIM), evaluates policy, and stitches the two outbound connections together.
The consequences of that design are the whole point:
- Apps are invisible. Nothing is listening on the internet to scan. There's no VPN concentrator CVE to lose a weekend to.
- No network access, only app access. A contractor authorized for one internal web app gets that app — not a routable path to the subnet it lives on. Lateral movement dies here.
- Server-initiated and east-west traffic don't fit naturally — ZPA is user-to-app. Plan separately for site-to-site and server-to-server flows.
If you've spent years managing full-tunnel VPNs, split-tunnel exceptions, and NAC, ZPA collapses the problem into identity + policy.
ZDX — Zscaler Digital Experience
Once user traffic flows through the Exchange, you have a monitoring vantage point no traditional tool has: the path from every user device to every app. ZDX instruments it:
- Synthetic probes from the endpoint to key applications (web probes, and network path probes doing traceroute-style hop analysis).
- Device telemetry — CPU, memory, Wi-Fi signal, VPN/tunnel status on the endpoint.
- A composite ZDX Score per user/app/location that puts a number on "is it slow?"
The operational win: when someone says "Salesforce is slow," ZDX shows whether the problem is their Wi-Fi, their ISP, the Zscaler edge, or Salesforce — in one screen. If you run New Relic or another observability platform for the app side, ZDX covers the last-mile blind spot those tools can't see, and its API lets you pull scores and alerts into the same dashboards (pairing nicely with the network-side telemetry I covered in my New Relic article).
Getting Traffic to the Cloud
Forwarding is where designs succeed or fail. The main mechanisms:
| Method | Use case | Notes |
|---|---|---|
| Zscaler Client Connector | Managed endpoints, anywhere | The default; handles ZIA + ZPA + ZDX in one agent |
| GRE tunnel | Whole office/branch egress | From your edge router/firewall (an MX or SRX terminates this fine) to two Zscaler DCs for redundancy |
| IPsec tunnel | Same, where GRE isn't available | Lower MTU headroom; watch fragmentation |
| PAC file / explicit proxy | Unmanaged or guest devices | Browser-level only |
Typical branch pattern with SD-WAN gear: local internet breakout at the branch, GRE/IPsec from the edge appliance into ZIA for inspection, ZPA for anything private. The WAN carries only what actually needs the WAN.
Rollout Advice From the Trenches
- Start with ZIA in transparent mode (no TLS inspection) to validate forwarding and get baseline visibility, then phase inspection in by user group.
- Deploy App Connectors in pairs per location/VPC from day one. They're stateless and cheap; redundancy is free.
- Segment by app, not by subnet. The temptation is to define a ZPA app as 10.0.0.0/8. That recreates the flat VPN with extra steps. Discover apps (ZPA has an app-discovery mode), define them individually, and scope access narrowly.
- Get identity right first. The whole model hangs off your IdP groups — messy AD groups become messy access policy.
- Instrument the user experience. Day-one complaints are usually MTU, a missed TLS bypass, or a geo-suboptimal tunnel. ZDX (or even basic synthetic checks) turns those from anecdotes into tickets you can close.
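Both the ZPA consequences described earlier (app access, not network access) and the "segment by app, not by subnet" advice come down to how app segments are scoped. As an added example, not Zscaler's code or its real policy schema, the toy broker below models segments as FQDN/CIDR plus port ranges and evaluates IdP-group policy against them, so a 10.0.0.0/8 segment and per-app definitions can be compared on the same requests; every group, hostname and address in it is constructed.

```python
# Toy model of ZPA-style app segments and access policy (added illustration,
# not Zscaler code; groups, hostnames and addresses are constructed).
from dataclasses import dataclass
from fnmatch import fnmatch
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class AppSegment:
    name: str
    domains: tuple = ()   # FQDNs or wildcards, e.g. "*.hr.corp.example"
    cidrs: tuple = ()     # IP ranges; a bare /8 here is the anti-pattern
    ports: tuple = ()     # inclusive (low, high) TCP port ranges

    def matches(self, host: str, port: int) -> bool:
        """True if host:port falls inside this segment's definition."""
        if not any(lo <= port <= hi for lo, hi in self.ports):
            return False
        if any(fnmatch(host, pattern) for pattern in self.domains):
            return True
        try:
            return any(ip_address(host) in ip_network(c) for c in self.cidrs)
        except ValueError:  # host is a name, not an address
            return False


def broker(user_groups, policy, segments, host, port):
    """Return the segment name the user may reach, or None (refused).
    ZPA flow: the client names a destination, the broker finds the segment
    defining it, then checks whether one of the user's IdP groups is granted
    that segment. Destinations no segment defines stay dark to everyone.
    """
    for seg in segments:
        if seg.matches(host, port):
            if any(seg.name in policy.get(g, ()) for g in user_groups):
                return seg.name
            return None  # app exists but this user is not authorised
    return None  # no segment defines it: nothing to connect to


# Anti-pattern: one segment for the whole private space (constructed).
FLAT = [AppSegment("corp-everything", cidrs=("10.0.0.0/8",), ports=((1, 65535),))]
FLAT_POLICY = {"contractors": {"corp-everything"}}

# Recommended: one segment per application, scoped to its own ports.
NARROW = [
    AppSegment("hr-portal", domains=("hr.corp.example",), ports=((443, 443),)),
    AppSegment("payroll-db", cidrs=("10.20.30.40/32",), ports=((5432, 5432),)),
]
NARROW_POLICY = {"contractors": {"hr-portal"}, "finance-dba": {"payroll-db"}}
```

With the flat design, the contractor's "HR portal" entitlement also brokers a connection to the payroll database on port 5432; with per-app segments the same request is refused, and a host nobody defined is unreachable for every group.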
Where It Fits in the Bigger Picture
Zero trust isn't a product you install, and Zscaler doesn't cover east-west data center traffic, unmanaged IoT on the LAN, or the switch port a camera plugs into — that's still your NAC, your segmentation, your EX4000 port policies. What the Zero Trust Exchange does replace is the perimeter as the unit of trust: users get to apps through an identity-aware broker, the internet gets inspected everywhere, and your attack surface stops including a row of VPN appliances with public IPs.
That trade — control plane in the cloud, enforcement close to the user, apps dark to the internet — is the same architectural shift Mist made for campus networks and Meraki made for the WAN. The perimeter didn't disappear; it moved to where the user is.