Enable data center servers to initiate outbound connections to GlobalProtect users, Remote Networks, and other ZTNA Connector data centers.
Prisma® Access ZTNA Connector server-initiated traffic flow allows applications running in your data center to initiate connections to remote endpoints, solving a critical limitation where connections previously could only flow from clients to servers. This feature enables your data center servers to establish TCP, UDP, and ICMP connections to GlobalProtect® users, Remote Network hosts, and IP subnet hosts in other ZTNA Connector data centers.
When you enable server-initiated traffic on a ZTNA Connector group, you gain bidirectional communication capability without deploying separate Service Connections, significantly reducing operational overhead. Your data center applications can now proactively reach out to endpoints, which is essential for remote troubleshooting, device management, patch distribution, and Voice over IP (VoIP) applications. For example, your IT helpdesk can use applications like TeamViewer or LogMeIn to remotely access and troubleshoot user devices, inventory management systems can scan and update remote endpoints, and VoIP servers can initiate calls to users on managed devices.
The server-initiated feature integrates with your existing network architecture through either static or dynamic routing. With dynamic BGP routing, your data center routers automatically learn routes to permitted destinations, simplifying network management. For security, you control which destinations your servers can initiate connections to by selecting specific mobile user pools, remote network prefixes, and ZTNA Connector IP subnet targets.
When server-initiated traffic is enabled, all outbound flows are source-NATed with the ZTNA Connector’s IPsec tunnel interface IP, ensuring consistent routing regardless of overlapping data center IP spaces. This approach maintains compatibility with existing security policies while allowing you to enforce more granular security through your data center firewall or at the destination endpoints. The server-initiated traffic feature works seamlessly with Dynamic DNS Updates, allowing data center applications to resolve connected GlobalProtect users.