Endpoint Agent VPN Support

The ThousandEyes Endpoint Agent supports end-to-end visibility of network nodes and metrics for traffic that traverses a number of virtual private networks (VPNs). When present, the VPN will be displayed on the path visualization, and the client will populate the VPN Vendor attribute visible in the various Endpoint Agent views. VPN filters can also be applied to each view.

Users can shift between showing the overlay (the path between the VPN gateway and the application) or the underlay (the path between the user and the VPN gateway) path trace, as well as collapse/expand them. This reduces the potentially large number of hops when combining the overlay and underlay in one view.

Supported VPNs

ThousandEyes supports the following VPNs for the Endpoint Agent:

  • Cisco AnyConnect

  • Pulse Secure Connect

  • Palo Alto Global Protect

  • ZScaler Internet Access (ZIA)

ZScaler (ZIA) uses proxies, direct-only TCP traffic, and other methods. This results in a number of support limitations, outlined in the table below.

Deployment Type

Visibility to Proxy (Underlay)

End to End Visibility (Overlay)

PAC File



ZAPP with Local Proxy

No (proxy on loopback)


ZAPP with LWF driver (default on Windows) + Tunnel 1.0



ZAPP with LWF driver + Tunnel 2.0



ZAPP with Route driver (default on macOS) + Tunnel 1.0



ZAPP with Route driver + Tunnel 2.0



*ICMP must be allowed on the local firewall for end-to-end visibility.

VPN Configuration

No additional configuration is required to enable VPN support.


You can use labels to configure scheduled tests to run only while a user is on a VPN. For more information on configuring labels, see Creating Endpoint Agent Labels.

Limitations and Caveats

  • ThousandEyes recommends using TCP-based testing, as some VPNs block ICMP traffic.

  • Full-tunnel VPNs will not allow any traffic outside the tunnel. As such, ThousandEyes may be unable to provide visibility to the underlay (the physical connection between the endpoint and the VPN gateway).

Additional Information

The Endpoint Agent passively monitors the VPN’s state by inspecting the VPN client’s logs. If an Endpoint Agent stops working or doesn’t work as expected, ThousandEyes recommends that you open a Support case, and include the specific VPN client version and the VPN client’s logs in the case.