# _general
r
curious if anyone has had some real world experience with what kind of performance impacts/quirks when a customer insists on sticking Zscaler in between the user (on prem) and their (also on prem, but in an isolated network) VDI desktops - I've found a plethora of anecdotal reasons not to do this, and a few official docs flat out saying bypass it (from Citrix at least), and obviously from a protocol standpoint it doesn't make sense, but I'm looking at that possibility with a Horizon project I'm working on..
j
I have been forced to use it for some locations. It can kill performance if you don't exclude the Citrix traffic from it.
r
yeah that's what I've seen talked about across the board - can't imagine why, I mean encapsulating an encapsulated protocol and routing on prem traffic to the internet - I can't imagine why that'd affect performance 😄
o
most of these (Microsoft with W365/AVD, Citrix, etc.) have specific statements on not supporting doing inspection on the traffic we need for the cloud services, brokering, etc.
We always point to those saying we need bypass for that traffic, otherwise we can't guarantee no issues and/or performance won't suck
c
We recommend bypassing it. Zscaler won't be able to understand anything about Blast-over-UDP traffic beyond the source and destination IP+port in the UDP header. Even with TCP I'm not sure they will gather much either, especially with the content carried in it.
r
Chris, I don't suppose there's any official documentation on that out there? I haven't been able to dig any up yet or get any of the AIs to 🙂