If (and only if) the clients are always on the Internet, then you can configure them to be always on the Internet at installation time and they will always use the CMG.
If they roam between intranet and Internet, then there are a couple of paths today:
- Use AD sites as noted above. There is a way for ZPA to map clients to specific AD sites not based on their client IP. See https://community.zscaler.com/t/zscaler-private-access-active-directory/8826 for details. This is ZPA-specific, so if you have questions on this, please discuss with Zscaler.
- Add all of the private IP address ranges as boundaries and map those to boundary groups associated with the CMG.