• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2763

Zscaler connectivity

Hi;
I understand that Zscaler can connect to a backup ZEN in case the primary ZEN were to go down.
Does this setup require two (2) internet connections from the sites/branch office?
Asked by: totaram
1 Solution
 
btan (Exec Consultant) commented:
I doubt so, as any failover based on a cloud service is transparent to the end user. Likely the DNS round robin will kick in, analogous to managing high bandwidth demand. The enterprise just needs to ensure the office has internet reach as per the existing setup. Good to get the support to advise further. May be good to restrict your enterprise firewall to only the list of whitelisted Zscaler IPs coming into your enterprise.
 
totaram (Author) commented:
Thanks breadtan... I have one more question that I want to get out...

If we have the GRE tunnel set up for the enterprise, do we still need a Proxy auto config (PAC) configured on clients for traffic forwarding to the nearest ZEN? Please clarify.
 
btan (Exec Consultant) commented:
From the link, a PAC file is only needed when GRE tunneling is not in use. For businesses using GRE, PAC files are only needed for when devices go offsite (home). In the example below, all traffic except RFC1918 goes through Zscaler. E.g.

https://support.google.com/chrome/a/answer/3504945?hl=en
 
totaram (Author) commented:
That's what I thought...
Would you know how many suites the product comes in? My understanding was Std, Advanced and Premium... but I am reading in some unreliable drafts that there is one more suite called Web Threat Suite (just for APT, antivirus and antispyware). Please verify if possible.
 
btan (Exec Consultant) commented:
See the various packages in the Web Security Datasheet
http://www.zscaler.com/pdf/datasheets/ds-web-security-0713-web.pdf

May want to use the TCO calculator
http://www.zscaler.com/tcocalculator/tco_cal-pound.php
 
totaram (Author) commented:
Hi Breadtran;
Just have a doubt about the GRE tunnel method that is used to set up the proxy... how does the GRE tunnel really help? I can understand port forwarding that diverts any internet/web traffic (port 80/443) and routes it to Zscaler from the site egress router/FW, or proxy chaining. But how does the GRE tunnel really aid the proxy setting, and what is its usefulness?

Also, is the tunnel between the site and the Zscaler node, or is it extended all the way from the site to the web hosting server?
 
btan (Exec Consultant) commented:
It is single site to Zscaler, whereby the tunnel encapsulates all the enterprise traffic (on behalf of all its internal clients). In short, it is a site-to-site tunnel, and GRE is the supported protocol.

If all clients are connected through the enterprise "perimeter" (including VPN) and there exists strictly a single ingress/egress point to reach Zscaler (or the internet), then there isn't really a need for a proxy setting. But most of the time, the proxy needs to be locked down, as a user can bypass the "perimeter" by changing it easily, assuming they have the rights and know-how. Also, a client may not have established VPN first, and may even be physically mobile, not within the enterprise premises connectivity.
 
totaram (Author) commented:
Thank you so much Breadtran, understood it well...

I have one more question regarding connectivity... we are trying to use Zscaler for MPLS sites where each site (w/ 1xE1 link) is already protected by a backup internet link. If the E1 goes down, the internet picks up the bulk of regular site traffic.

Is there a way to send HTTP/HTTPS traffic (web traffic) to Zscaler only on the given internet link? The customer wants to have an internet breakout, so that costly MPLS BW does not need to increase. Please illustrate it for 2 site configurations:
 
A. GRE tunnel from MPLS router to zscaler node
B. ProxyPAC on workstations/devices.

Which is preferable of the two above?

Thanks;
 
btan (Exec Consultant) commented:
A. You are probably still looking at two tunnels - one over the E1 link and another over the internet link. GRE tunnel failover is based on bandwidth statements under the tunnels. E.g. the same metric on the internet (backup) tunnel but with a value of 256 kbps, which is a less preferred metric. Some may have used the 'delay' metric, which is the most recommended option. Note that if there is IPsec, both tunnels need to use the same IPsec key since it comes from the same host point.

In short, the effort is to create two GRE tunnels and run either RIP, OSPF or EIGRP over them; use metric/cost to bias your traffic via the preferred GRE tunnel when choosing the route to the Zscaler site. You are just touching the network appliance and not the clients per se...

https://web.irtnog.org/Members/xenophon/blog/failover-sla-gre-ipsec

B. Actually I do not see any changes at all to the client machine PAC config file, as if the proxy (via browser) is locked down to reach the enterprise proxy.urcompany.domain.net (for example), the client machine will try to resolve this DNS name to reach it (either internal or external proxy), and from the proxy either establish VPN if coming remotely or simply route from the proxy into the internet to Zscaler, transparent to the user. The PAC should already have considered the remote and local use cases regardless of the E1 or internet link.

The tricky part is more how the PAC is configured and establishing VPN (disabling split tunneling so that all traffic routes through the VPN tunnel)... see "Safely using IsInNet(host, …)" and "Proxy Load Balancing within a PAC File"

http://www.proxypacfiles.com/proxypac/?option=com_content&view=article&id=54&Itemid=83

I actually see both as complementary, and A is preferred from the enforcement angle to route through a single point. For B, it is just to make sure they tunnel into the enterprise and route back if possible. So A is a must, since B will still go through the A use case.

Best effort to differentiate with my minimal background.
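The PAC behaviour described in the thread (RFC1918 and internal names direct, everything else to Zscaler, "safely using isInNet" and load balancing across two proxies, plus the on-LAN versus off-site split where the GRE tunnel at the edge handles the on-LAN case) as one worked file. This is an added example, not code from the thread, from Zscaler or from the linked pages; the ZEN proxy names, the internal domain `.corp.example` and the 10.0.0.0/8 corporate LAN range are placeholders/assumptions, and the `pac` stand-ins only exist so the file runs outside a browser.

```javascript
// Added example (not from the thread or from Zscaler): a PAC file for the
// forwarding cases discussed above.  Placeholders and assumptions, none of
// them from the thread: the two ZEN proxy names, the internal domain and the
// corporate LAN range that sits behind the site's GRE tunnel.
var ZEN_PRIMARY = "PROXY zen-primary.zscaler.invalid:80";     // placeholder
var ZEN_SECONDARY = "PROXY zen-secondary.zscaler.invalid:80"; // placeholder
var INTERNAL_DOMAIN = ".corp.example";                       // assumed
var CORP_NET = "10.0.0.0", CORP_MASK = "255.0.0.0";          // assumed LAN

// Offline stand-ins for helpers a browser's PAC engine provides.  In a browser
// the real isPlainHostName/dnsDomainIs/isInNet/myIpAddress are picked up; the
// fallbacks exist only so the file can be exercised under Node.
var constructedClientIp = "10.1.2.3"; // constructed, returned by fallback myIpAddress
function ipToInt(ip) {
  var p = ip.split(".");
  return ((p[0] << 24) | (p[1] << 16) | (p[2] << 8) | (p[3] | 0)) >>> 0;
}
var pac = {
  isPlainHostName: typeof isPlainHostName === "function" ? isPlainHostName
    : function (host) { return host.indexOf(".") === -1; },
  dnsDomainIs: typeof dnsDomainIs === "function" ? dnsDomainIs
    : function (host, domain) {
        return host.length >= domain.length && host.slice(-domain.length) === domain;
      },
  isInNet: typeof isInNet === "function" ? isInNet
    : function (ip, net, mask) {
        var m = ipToInt(mask);
        return (ipToInt(ip) & m) === (ipToInt(net) & m);
      },
  myIpAddress: typeof myIpAddress === "function" ? myIpAddress
    : function () { return constructedClientIp; }
};

var IPV4_LITERAL = /^\d{1,3}(\.\d{1,3}){3}$/;

// RFC 1918 check on an address that is already known, so no DNS lookup happens.
function isRfc1918(ip) {
  return pac.isInNet(ip, "10.0.0.0", "255.0.0.0") ||
         pac.isInNet(ip, "172.16.0.0", "255.240.0.0") ||
         pac.isInNet(ip, "192.168.0.0", "255.255.0.0");
}

// Deterministic spread of hosts over the two ZENs (same host, same order):
// the "proxy load balancing within a PAC file" idea from the thread.
function hashPick(host, buckets) {
  var h = 0;
  for (var i = 0; i < host.length; i++) h = (h * 31 + host.charCodeAt(i)) >>> 0;
  return h % buckets;
}

// Pure decision function: host and the client's own address in, proxy string out.
function chooseProxy(host, clientIp) {
  // 1. Cheap string checks first.  Named hosts never trigger a DNS lookup here,
  //    which is the "safely using isInNet" point: isInNet(host, ...) resolves
  //    the host, so it is only applied to literal IPs.
  if (pac.isPlainHostName(host) || pac.dnsDomainIs(host, INTERNAL_DOMAIN)) return "DIRECT";
  if (IPV4_LITERAL.test(host) && isRfc1918(host)) return "DIRECT";
  // 2. On the corporate LAN the GRE tunnel at the edge already carries web
  //    traffic to the ZEN, so the browser goes DIRECT and the router forwards.
  if (pac.isInNet(clientIp, CORP_NET, CORP_MASK)) return "DIRECT";
  // 3. Off-site (home): send to one ZEN, fall back to the other.  Deliberately
  //    no trailing "DIRECT", so an off-site laptop never bypasses the cloud
  //    proxy when both ZENs are unreachable (fail closed).
  var order = hashPick(host, 2) === 0 ? [ZEN_PRIMARY, ZEN_SECONDARY]
                                      : [ZEN_SECONDARY, ZEN_PRIMARY];
  return order.join("; ");
}

// The entry point every PAC engine calls.
function FindProxyForURL(url, host) {
  return chooseProxy(host, pac.myIpAddress());
}
```

The fail-closed ending in step 3 is a design choice: appending "; DIRECT" would keep browsing working when both ZENs are down, at the cost of silently dropping the cloud filtering exactly when the device is off the corporate network.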
 
totaram (Author) commented:
You are so smart Breadtran...
A final question... will the GRE solution work if primary and backup are routed over two separate routers? It seems like your solution is over a single router...
 
btan (Exec Consultant) commented:
The two-tunnel failover shared is per single device, hence if there are separate routers, ideally the two separate routers are configured in a load-balanced, redundant or clustered mode.

The key thing is to maintain connectivity to Zscaler via the established tunnel, else you will start seeing dropped connections and re-connections that can deteriorate the user experience.

The complexity gets higher when there are more routers, and it can be really tough troubleshooting multiple routers for site-to-site tunnels. I would rather go simple since the WAN traffic already has link failover; "overdoing" may complicate and introduce more issues.

Try my best to share :)
 
totaram (Author) commented:
Hi Breadtran;
I see your point about not increasing any sort of complexity in the design, but I am still hazy about how we are going to set up the single router (edge) config... we have a primary MPLS connection on one router, and we have added an edge router connecting to the internet via an ISP. So far so good. (FW being replaced w/ edge router.)

One GRE tunnel would connect the primary MPLS and the other the ISP internet-connected router. So, we would always end up w/ separate connections on two different routers. Are you suggesting that we bounce HTTP/HTTPS traffic from the MPLS router over to the edge router and have two GRE tunnels on the internet-connected router? Can you please shine some light on the setup w/ one router?
 
btan (Exec Consultant) commented:
Always better to get the support advice too, and log a formal case in advance on changes made, since it is affecting the enterprise traffic as a whole.

Better explained by hearing experience from the forum; please see if it helps
https://supportforums.cisco.com/thread/2006431

The remote router will have a static default route pointing to the local ASA5505 (VPN internet connected). The default route is tracking an SLA (Pinging the HQ ASA5520 across internet). The remote router is also receiving a default route through OSPF with a higher weight than the static SLA tracked default route. Internet traffic will go out the local internet connection as primary and will failover to the MPLS network through HQ to the internet as secondary.
 
Our HQ data center IP subnet is advertised through MPLS and learned at the remote router. If this route goes away because of MPLS circuit outage or some other reason, traffic from the remote site to HQ data center will go over the internet based VPN between the remote ASA5505 and the HQ ASA5520.
 
The reason OSPF is enabled on the inside interface of the HQ ASA5520 is so that when a remote site's internet connection is down and internet bound traffic is sent through the MPLS to HQ (The remote router uses the OSPF learned default route when internet connection is down), the HQ ASA5520 knows how to route the internet return traffic back to the remote site through the MPLS network. Also, the learned OSPF route will be removed if the remote site is not reachable through the MPLS network so HQ data center traffic will use the HQ ASA5520 default route through the internet over the VPN tunnel between HQ and the remote site.

Assistance configuring failover with GRE tunnels from remote router to dual routers
https://supportforums.cisco.com/thread/2003410


Also this on HA for point-to-point GRE

http://www.cisco.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/P2P_GRE_IPSec/2_p2pGRE_Phase2.html#wp117385

Cisco recommends that at least two tunnels be configured on each branch. Each branch router should have a tunnel to a primary headend, and an alternate tunnel to a secondary headend. Under normal operating conditions, both the primary and secondary tunnels have routing protocol neighbors established. The routing protocol maintains both paths, with the secondary tunnel being configured as a less preferred path.
 
totaram (Author) commented:
Breadtran.. Yo da maan
 
btan (Exec Consultant) commented:
totaram thanks!