Wanted to jump into this conversation around Zscaler. Has anyone using Zscaler or another VPN experienced an issue such as this? This issue started occurring within the last two to three weeks. Our symptoms are this:
It is like the audio or RTP stream stops midway through a conversation. We have an open case with Genesys Support and are also working with our network team to try and help identify a root cause. Hopeful that someone else has gone through something similar, ideally when using Zscaler. This is intermittent and not across the board, so it's hard to replicate.
Original Message:
Sent: 02-24-2025 11:44
From: Jason Kleitz
Subject: ZScaler Configuration
Hey Alex,
Could you let me know where you found this information? We do not have any documentation on specific Zscaler configurations for Genesys Cloud. At a baseline, Genesys Cloud will work out of the box. If you are using additional software or platform, you will need to troubleshoot and test different configurations to ensure that all of the Genesys Cloud traffic is either bypassed or whitelisted.
You will want to engage your local IT or Network Team to check that these ports and services are enabled/whitelisted. I have included several articles that have some more information.
This article contains some of the domains that we commonly use:
https://help.mypurecloud.com/articles/domains-for-the-firewall-allowlist/
For the IPs, this article lists some of the IPs that should be added to the allowlist:
https://help.mypurecloud.com/articles/ip-addresses-for-the-firewall-allowlist/
Also, the Amazon AWS IP address JSON file link on that article lists more IP ranges that we require for use.
We also have some more ports listed here:
https://help.mypurecloud.com/articles/ports-and-services-for-genesys-cloud-clients/
https://help.mypurecloud.com/articles/cidr-ip-address-range-for-cloud-media-services/
I would recommend you check out the following article for more information.
https://help.mypurecloud.com/articles/genesys-cloud-ports-services/
------------------------------
Jason Kleitz
Online Community Manager/Moderator
Original Message:
Sent: 02-24-2025 07:05
From: Alex Slocum
Subject: ZScaler Configuration
Website to Test Genesys Cloud Connectivity with ZScaler
To ensure that your ZScaler configuration is correctly set up for Genesys Cloud, you can use the following tools:
1. Genesys Cloud WebRTC Diagnostics
- URL: https://mypurecloud.com/webrtc-stats
- Purpose: This tool helps verify if WebRTC traffic is properly connecting to Genesys Cloud. It will show:
- ICE Candidate Connection Status
- Packet Loss
- Jitter & Latency Metrics
- STUN/TURN Server Connectivity
- Network Restrictions imposed by ZScaler
2. WebRTC Troubleshooter
- URL: https://test.webrtc.org
- Purpose: This tool provides a general WebRTC connection test and will indicate if ZScaler is interfering with WebRTC traffic.
3. Genesys Cloud Network Readiness Assessment
4. Amazon AWS IP Address Ranges
Steps to Validate ZScaler & Genesys Cloud Connectivity
- Run the WebRTC Diagnostics Test (https://mypurecloud.com/webrtc-stats)
- Check for ICE Connection Errors or TURN/STUN failures.
- Use WebRTC Troubleshooter (https://test.webrtc.org) to check for network issues.
- Run the Genesys Cloud Network Readiness Assessment for deeper insights.
- Check ZScaler logs for blocked or filtered traffic related to WebRTC (*.webrtc.mypurecloud.com, UDP 3478-3481).
Expected Results for Proper ZScaler Setup
✅ WebRTC Stats should show ICE Candidate connections successful
✅ WebRTC Troubleshooter should pass all tests without errors
✅ Network Readiness Assessment should confirm no blocked ports
✅ ZScaler logs should not show dropped or inspected WebRTC traffic
If you still encounter dead air issues, ZScaler may still be blocking or inspecting WebRTC traffic - recheck your PAC file, bypass settings, and SSL inspection rules.
Step-by-Step Process to Retrieve ZScaler Logs for Genesys Cloud Agent Desktop
To troubleshoot ZScaler-related issues (such as dead air, call drops, or WebRTC failures) for Genesys Cloud Agent Desktop, follow these steps to collect ZScaler logs:
Step 1: Enable ZScaler Logging on the Agent's Device
- Open ZScaler Client Connector
  - Click on the ZScaler icon in the system tray (Windows) or menu bar (Mac).
  - If it's not visible, search for ZScaler Client Connector in the Start Menu or Applications Folder.
- Check ZScaler Connection Status
  - The status should show "Connected".
  - If it says "Disabled" or "Disconnected", verify network and login credentials.
- Go to the Log Collection Section
  - Click on the gear icon ⚙️ (Settings)
  - Navigate to "Troubleshooting" or "Diagnostics"
  - Select "Enable Advanced Logging"
  - Set log level to "Verbose" or "Debug" to capture detailed logs.
Step 2: Reproduce the Genesys Cloud Issue
- Open Genesys Cloud Agent Desktop (Web or App)
- Make a Test Call (Inbound or Outbound)
  - Observe if there is dead air, one-way audio, or call drops.
- Run WebRTC Stats Check
Step 3: Capture ZScaler Logs
- Open ZScaler Log Collector
  - Return to the ZScaler Client Connector settings.
  - Click "Collect Logs" or "Download Logs".
- Save the Log File
  - The logs will be saved as a ZIP file (e.g., ZscalerLogs_<timestamp>.zip).
  - The file includes:
    - ZScaler connection events
    - Blocked domains & IPs
    - SSL inspection logs
    - Proxy and firewall actions
    - Traffic logs for WebRTC, TCP/UDP, and DNS requests
Step 4: Analyze the Logs for WebRTC & Genesys Cloud Issues
- Check for WebRTC-Related Blocks or Drops
  - Open the log file (ZscalerLogs_<timestamp>.zip).
  - Look for entries related to:
    - webrtc.mypurecloud.com
    - voice.mypurecloud.com
    - api.mypurecloud.com
    - *.twilio.com
  - Errors like: TCP Reset, SSL Inspection Blocked, Proxy Bypass Failed
- Verify Bypass Rules Applied
  - Check if Genesys Cloud traffic is being proxied instead of bypassed.
  - Look for ZScaler action: Bypassed or Allowed (✅) vs. Blocked or Inspected (❌).
Step 5: Export & Share Logs for Further Troubleshooting
- Zip & Send Logs to IT/Network Team or Genesys Support
  - Attach the log file in a ServiceNow/ITSM ticket.
  - Include:
    - Timestamp of issue occurrence
    - Genesys Cloud user ID
    - Agent's public IP address
    - ZScaler version & profile settings
- Perform a Final Test After Fixes Are Applied
  - Restart the ZScaler Client Connector.
  - Re-test Genesys Cloud Agent Desktop calls.
  - Confirm the logs no longer show WebRTC drops or blocked traffic.
Expected Fixes Based on Logs
Issue in Logs | Resolution |
SSL Inspection Blocked | Add *.mypurecloud.com & WebRTC domains to SSL Bypass List. |
Proxy Applied Instead of Bypass | Ensure PAC File & ZScaler Tunnel Exclusions are correctly configured. |
WebRTC Traffic Dropped (UDP 3478-3481) | Allow STUN/TURN UDP Traffic in firewall/ZScaler rules. |
DNS Resolution Failure | Ensure *.mypurecloud.com domains are resolving correctly. |
Next Steps
✅ If issues persist, escalate logs to ZScaler & Genesys Cloud Support.
✅ Verify that WebRTC tests pass without packet loss.
✅ Ensure PAC file or Bypass Rules correctly apply to Genesys Cloud traffic.
This should help resolve ZScaler-related dead air issues for Genesys Cloud users.
Alex Slocum
Genesys CX/AI Solutions Architect
Royal Caribbean Group
C 954-483-6089
royalcaribbeangroup.com
 | Information Technology Infrastructure & Operations |
"With a little bit of imagination, anything is possible."
~ MacGyver
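The Step 4 log review in the message above, as an added example that is not part of any post in this thread and is not Zscaler or Genesys code. The domains, action words, error strings and UDP range are the ones named in the message; the key=value line layout and the `action=` field are assumptions made for the constructed sample, so adapt the regexes to the real export.

```python
import re
from collections import Counter

# Names, action words, error strings and ports come from the message above.
SUFFIXES = ("mypurecloud.com", "twilio.com")
BAD_ACTIONS = {"blocked", "inspected"}           # vs. bypassed / allowed
ERRORS = ("TCP Reset", "SSL Inspection Blocked", "Proxy Bypass Failed")
STUN_PORTS = range(3478, 3482)                   # UDP 3478-3481

HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)
PORT_RE = re.compile(r"\budp[/ :](\d{1,5})\b", re.I)
ACTION_RE = re.compile(r"\baction=(\w+)", re.I)  # assumed field name

# Constructed sample lines; the key=value layout is an assumption.
SAMPLE = """\
2025-02-24T11:40:01 host=api.mypurecloud.com proto=tcp/443 action=Bypassed
2025-02-24T11:40:03 host=webrtc.mypurecloud.com proto=udp/3478 action=Bypassed
2025-02-24T11:41:10 host=voice.mypurecloud.com proto=tcp/443 action=Inspected
2025-02-24T11:41:12 dst=203.0.113.10 proto=udp/3480 action=Blocked
2025-02-24T11:41:15 host=media.twilio.com proto=tcp/443 action=Allowed msg="TCP Reset"
2025-02-24T11:41:20 host=example.org proto=tcp/443 action=Blocked
""".splitlines()

def watched(host):
    """True for a listed domain or one of its subdomains (not look-alikes)."""
    return any(host == s or host.endswith("." + s) for s in SUFFIXES)

def triage(lines):
    """Return (findings, counts) for Genesys-related or STUN/TURN lines."""
    findings, counts = [], Counter()
    for n, line in enumerate(lines, 1):
        hosts = [h.lower() for h in HOST_RE.findall(line) if watched(h.lower())]
        port = PORT_RE.search(line)
        stun = port is not None and int(port.group(1)) in STUN_PORTS
        if not hosts and not stun:
            continue                             # unrelated traffic
        target = hosts[0] if hosts else "udp/" + port.group(1)
        m = ACTION_RE.search(line)
        action = m.group(1).lower() if m else "unknown"
        counts[(target, action)] += 1
        errs = [e for e in ERRORS if e.lower() in line.lower()]
        if action in BAD_ACTIONS or errs:        # proxied, dropped or errored
            findings.append((n, target, action, errs))
    return findings, counts

if __name__ == "__main__":
    for n, target, action, errs in triage(SAMPLE)[0]:
        print(f"line {n}: {target} action={action} errors={errs}")
```

The per-target counts in the second return value show whether a host is bypassed on some flows and inspected on others, which is the pattern to look for when the audio problem is intermittent.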
Original Message:
Sent: 2/24/2025 4:31:00 AM
From: James Dunn
Subject: RE: ZScaler Configuration
We are using Zscaler and we have Genesys whitelisted / bypassed, and generally it is working fine. We don't really get problems with elements not loading or recording playback but we do get a fair amount of intermittent audio issues, disconnections etc that I've never been able to properly isolate. I've always suspected that Zscaler was in some way to blame but our Security team (who manages Zscaler) just assures me that it is whitelisted / bypassed and so not the problem...
------------------------------
James Dunn
Telecoms Specialist
Original Message:
Sent: 02-23-2025 18:12
From: Alex Slocum
Subject: ZScaler Configuration
I'm in the process of deploying Genesys Cloud Agents in an environment secured by ZScaler, and I'm running into connectivity issues. I've attempted to whitelist a few Genesys Cloud endpoints, but the agents still face intermittent connection problems.
I'm looking for advice from anyone who's successfully integrated Genesys Cloud Agents with ZScaler. Specifically:
- What Genesys Cloud endpoints and ports need to be whitelisted or configured in ZScaler?
- Are there any specific ZScaler settings or policies recommended to ensure seamless connectivity?
- Have you encountered any known issues or best practices that might help troubleshoot this setup?
Any insights, documentation links, or step-by-step instructions would be greatly appreciated. Thanks in advance for your help!
#Implementation
------------------------------
Alex Slocum
n/a
------------------------------