Zscaler performs SSL/TLS inspection by acting as a man-in-the-middle (MitM), decrypting traffic, and re-encrypting it with a Zscaler-issued certificate. However, when an administrator configures an SSL Inspection policy rule to exempt or bypass inspection for specific traffic (e.g., for privacy or application compatibility reasons), the Zscaler service does not perform decryption. In this scenario, Zscaler tunnels the encrypted session, and the original SSL/TLS certificate from the destination server is passed directly to the user's browser. The browser then establishes a secure session directly with the server through the Zscaler proxy.

A. Detecting a known threat signature within encrypted traffic requires SSL inspection, where Zscaler would issue its own certificate, not the server's.

B. Web traffic on custom TCP ports is not automatically exempted; it is subject to SSL inspection policies just like standard port traffic.

D. A user's past connection history does not influence the SSL inspection policy, which is evaluated for each new session based on configured rules.

1. Zscaler Help Portal

"About SSL Inspection": In the section describing the process

it states

"When SSL inspection is disabled for traffic

the ZIA Public Service Edge...allows the encrypted traffic to pass through without inspection

and the original server certificate is presented to the user's browser." This directly confirms that exemption policies result in forwarding the server certificate.

2. Zscaler Help Portal

"Configuring SSL Inspection Policy": This document details the policy actions. The "Do Not Inspect" action is defined as the method to "Bypass SSL inspection." This is the specific configuration that triggers the behavior described in the question.

3. Zscaler

"ZIA SSL Inspection Deployment Guide

" Page 6: The guide explains SSL bypasses: "For traffic that is bypassed from decryption

Zscaler simply tunnels the SSL/TLS traffic between the client and the server. The client receives the original server certificate and Zscaler has no visibility into the encrypted tunnel." This reinforces that a bypass policy is the direct cause.