Configure ZScaler proxy for LiveKit connections
Fix connection failures when using ZScaler proxy with Deep Packet Inspection by configuring bypass rules for LiveKit domains.
If a ZScaler proxy is in use with Deep Packet Inspection enabled, connections to LiveKit (including TURN) will likely fail. To fix this, customers need to update their ZScaler configuration to bypass inspection for the LiveKit domains below.
Required ZScaler Configuration
Add the following bypass rules to your ZScaler configuration:
url.domain=turn.livekit.cloud detect_protocol(no)
url.domain=<project subdomain>.livekit.cloud detect_protocol(no)
Where <project subdomain> is your LiveKit project subdomain.
Why This Is Needed
Deep Packet Inspection (DPI) in ZScaler proxies can interfere with WebRTC and TURN connections because:
- WebRTC encryption: LiveKit uses encrypted media streams that DPI cannot properly inspect without breaking the connection
- TURN protocol: TURN servers require uninterrupted UDP/TCP connections that DPI can disrupt
- Real-time requirements: Any inspection delay can cause connection timeouts or quality degradation
By setting detect_protocol(no) for these domains, ZScaler skips Deep Packet Inspection for them and allows the connections to proceed normally.
Finding Your Project Subdomain
Your LiveKit project subdomain can be found in:
- The LiveKit Cloud dashboard URL (e.g., https://cloud.livekit.io/projects/p_xxx shows your project)
- Your project settings in the dashboard
- Your LiveKit WebSocket URL (e.g., wss://your-project.livekit.cloud)
Replace <project subdomain> in the configuration above with your actual subdomain (e.g., if your WebSocket URL is wss://acme-corp.livekit.cloud, use acme-corp).
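The substitution described above, as an added example (not code from LiveKit or ZScaler): a small Python helper that derives the project subdomain from the WebSocket URL and emits the two bypass rules, rejecting wildcard, nested or look-alike hostnames so the DPI exemption stays limited to a single project host. The function names `project_subdomain` and `bypass_rules` are hypothetical.

```python
import re
from urllib.parse import urlsplit

LIVEKIT_SUFFIX = ".livekit.cloud"
TURN_HOST = "turn.livekit.cloud"
# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def project_subdomain(ws_url):
    """Return the project subdomain from a LiveKit WebSocket URL."""
    parts = urlsplit(ws_url.strip())
    if parts.scheme != "wss":
        raise ValueError(f"expected a wss:// URL, got scheme {parts.scheme!r}")
    # hostname is already lower-cased and has any port stripped.
    host = (parts.hostname or "").rstrip(".")
    if not host.endswith(LIVEKIT_SUFFIX):
        raise ValueError(f"{host!r} is not under livekit.cloud")
    label = host[: -len(LIVEKIT_SUFFIX)]
    # Exactly one label: a wildcard or nested name would widen the bypass.
    if not _LABEL.match(label):
        raise ValueError(f"{label!r} is not a single project subdomain")
    return label


def bypass_rules(ws_url):
    """Build the two bypass rules from the page for one project."""
    project_host = project_subdomain(ws_url) + LIVEKIT_SUFFIX
    hosts = [TURN_HOST]
    if project_host != TURN_HOST:  # avoid emitting a duplicate rule
        hosts.append(project_host)
    return [f"url.domain={h} detect_protocol(no)" for h in hosts]


if __name__ == "__main__":
    # Constructed sample input, taken from the page's acme-corp example.
    for rule in bypass_rules("wss://acme-corp.livekit.cloud"):
        print(rule)
```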