# Endpoint Agent VPN Support The ThousandEyes Endpoint Agent supports end-to-end visibility of network nodes and metrics for traffic that traverses a number of virtual private networks (VPNs). When present, the VPN will be displayed on the path visualization, and the client will populate the **VPN Vendor** attribute visible in the various Endpoint Agent views. VPN filters can also be applied to each view. {% hint style="info" %} Users can shift between showing the overlay (the path between the VPN gateway and the application) or the underlay (the path between the user and the VPN gateway) path trace, as well as collapse/expand them. This reduces the potentially large number of hops when combining the overlay and underlay in one view. {% endhint %} ![](/files/-MSf0XsKdMlYW7mh4s0p) ## Supported VPNs ThousandEyes supports the following VPNs for the Endpoint Agent: * Cisco AnyConnect * F5 BIG-IP APM VPN * Palo Alto Global Protect * Pulse Secure Connect (versions released after December 1, 2020 are not supported) * ZScaler Internet Access (ZIA) {% hint style="info" %} ZScaler (ZIA) uses proxies, direct-only TCP traffic, and other methods. This results in a number of support limitations, outlined in the table below. {% endhint %} | **Deployment Type** | **Visibility to VPN Gateway (Underlay) with TCP** | **Visibility to VPN Gateway (Underlay) with ICMP** | **End to End Visibility (Overlay) with TCP** | **End to End Visibilty (Overlay) with ICMP** | | -------------------------------------------------------------------------- | ------------------------------------------------- | -------------------------------------------------- | -------------------------------------------- | -------------------------------------------- | | Cisco AnyConnect | Yes | Yes | Yes | Yes | | F5 VPN | Yes | Yes | Yes | Yes | | Palo Alto Global Protect | Yes | Yes | Yes | Yes | | Pulse Secure Connect | Yes | Yes | Yes | Yes | | Zscaler via PAC File | Yes | Yes | No | No | | Zscaler Client Connector with Local Proxy | Yes | Yes | No | No | | Zscaler Client Connector with LWF driver (default on Windows) + Tunnel 1.0 | Yes | Yes | No | No | | Zscaler Client Connector with LWF driver + Tunnel 2.0 | Yes | Yes | No | Yes\*\* | | Zscaler Client Connector with Route driver (default on macOS) + Tunnel 1.0 | Yes | Yes | No | No | | Zscaler Client Connector with Route driver + Tunnel 2.0 | Yes | Yes | No | Yes\*\* | {% hint style="info" %} \*\*ICMP must be allowed on the local firewall for end-to-end visibility. {% endhint %} ## VPN Configuration No additional configuration is required to enable VPN support. ## Labels You can use labels to configure scheduled tests to run only while a user is on a VPN. For more information on configuring labels, see [Creating Endpoint Agent Labels](https://docs.thousandeyes.com/product-documentation/endpoint-agent/creating-scheduled-tests-on-endpoint-agents). ## Limitations and Caveats * ThousandEyes recommends using TCP-based testing, as some VPNs block ICMP traffic. * Full-tunnel VPNs will not allow any traffic outside the tunnel. As such, ThousandEyes may be unable to provide visibility to the underlay (the physical connection between the endpoint and the VPN gateway). ## Additional Information The Endpoint Agent passively monitors the VPN’s state by inspecting the VPN client’s logs. If an Endpoint Agent stops working or doesn’t work as expected, ThousandEyes recommends that you open a Support case, and include the specific VPN client version and the VPN client’s logs in the case. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.thousandeyes.com/product-documentation/global-vantage-points/endpoint-agents/endpoint-agent-vpn-support.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.