Solved

ZScaler connectivity

Posted on 2014-01-30
15
2,445 Views
Last Modified: 2014-02-14
Hi;
I understand that Zscaler can connect to Backup ZEN in case primary ZEN were to go down.
Does this setup require two (2) internet connections from the sites/branch office?
0
Question by:totaram
15 Comments
 
LVL 64

Expert Comment

by:btan
ID: 39823132
I doubt so, as any failover based on a cloud service is transparent to the end user. Likely the DNS round robin will kick in, analogous to managing high bandwidth demand. The enterprise just needs to ensure the office has internet reach as already set up. Good to get support to advise further. May be good to restrict your enterprise firewall to only the list of whitelisted Zscaler IPs coming into your enterprise.
0
 

Author Comment

by:totaram
ID: 39823178
Thanks breadtan. I have one more question that I want to get out.

If we have the GRE tunnel set up for the enterprise, do we still need a proxy auto config (PAC) configured on clients for traffic forwarding to the nearest ZEN? Please clarify.
0
 
LVL 64

Expert Comment

by:btan
ID: 39823209
From the link, a PAC file is only needed when GRE tunneling is not in use. For businesses using GREs, PAC files are only needed for when devices go offsite (home). In the example below, all traffic except RFC1918 goes through Zscaler, e.g.

https://support.google.com/chrome/a/answer/3504945?hl=en
0
 

Author Comment

by:totaram
ID: 39823241
That's what I thought...
Would you know how many suites the product comes in? My understanding was Std, Advanced and Premium... but I am reading in some unreliable drafts that there is one more suite called Web Threat Suite (just for APT, anti-virus and anti-spyware). Please verify if possible.
0
 
LVL 64

Expert Comment

by:btan
ID: 39823331
See the various packages in the Web Security Datasheet
http://www.zscaler.com/pdf/datasheets/ds-web-security-0713-web.pdf

May want to use the TCO calculator
http://www.zscaler.com/tcocalculator/tco_cal-pound.php
0
 

Author Comment

by:totaram
ID: 39831577
Hi Breadtran;
Just have a doubt about the GRE tunnel method that is used to set up the proxy... how does the GRE tunnel really help? I can understand port forwarding that diverts any internet/web traffic (port 80/443) and routes it to Zscaler from the site egress router/FW, or proxy chaining. But how does the GRE tunnel really aid the proxy setting and what is its usefulness?

Also, is the tunnel between the site and the Zscaler node, or is it extended all the way from the site to the web hosting server?
0
 
LVL 64

Expert Comment

by:btan
ID: 39831851
It is a single site-to-Zscaler tunnel whereby the tunnel encapsulates all the enterprise traffic (on behalf of all its internal clients). In short, it is a site-to-site tunnel and GRE is the supported protocol.

If all clients are connected through the enterprise "perimeter" (including via VPN) and there exists strictly a single ingress/egress point to reach Zscaler (or the internet), then there isn't really a need for the proxy setting. But most of the time the proxy needs to be locked down, as a user can bypass the "perimeter" by changing it easily, assuming they have the rights and know-how. Also, a client may not establish the VPN first and may even be physically mobile, outside the enterprise premises connectivity.
0
 

Author Comment

by:totaram
ID: 39834679
Thank you so much Breadtran, understood it well..

I have one more question regarding connectivity. We are trying to use Zscaler for MPLS sites where each site (w/ 1xE1 link) is already protected by a backup internet link. If the E1 goes down, the internet picks up the bulk of regular site traffic.

Is there a way to send HTTP/HTTPS traffic (web traffic) to Zscaler only on the given internet link? The customer wants to have an internet breakout, so that costly MPLS BW does not need to increase. Please illustrate it for 2 site configurations:

A. GRE tunnel from MPLS router to Zscaler node
B. Proxy PAC on workstations/devices.

Which is preferable of the two above?

Thanks;
0
 
LVL 64

Accepted Solution

by:
btan earned 175 total points
ID: 39834749
A. You are probably still looking at two tunnels: one over the E1 link and another over the internet link. GRE tunnel failover is based on bandwidth statements under the tunnels, e.g. the same metric on the internet (backup) tunnel but with a value of 256 kbps, which is a less preferred metric. Some may have used the 'delay' metric, which is the most recommended option. Note that if there is IPsec, both tunnels need to use the same IPsec key since they come from the same host point.

In short, the effort is to create two GRE tunnels and run either RIP, OSPF or EIGRP over them, using metric/cost to bias your traffic via the preferred GRE tunnel when choosing the route to the Zscaler site. You are just touching the network appliance and not the clients per se...

https://web.irtnog.org/Members/xenophon/blog/failover-sla-gre-ipsec

B. Actually I do not see any changes at all to the client machine PAC config file: if the proxy (via browser) is locked down to reach the Enterprise proxy.urcompany.domain.net (for example), the client machine will try to resolve this DNS name to reach it (either the internal or external proxy), and from the proxy either establish the VPN if coming remotely or simply route from the proxy into the internet to Zscaler, transparent to the user. The PAC should already have considered the remote and local use cases regardless of the E1 or internet link.

The tricky part is more how the PAC is configured and establishing the VPN (disabling split tunneling so that all traffic routes through the VPN tunnel)... see "Safely using IsInNet(host, …)" and "Proxy Load Balancing within a PAC File"

http://www.proxypacfiles.com/proxypac/?option=com_content&view=article&id=54&Itemid=83

I actually see both as complementary, and A is preferred from an enforcement angle to route through a single point. For B, it is just to make sure they tunnel into the Enterprise and route back if possible. So A is a must since B will still go through the A use case.

Best effort to differentiate with my minimal background
0
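A concrete PAC file for the pattern described in this thread (GRE at the site for enforcement, PAC on clients for the roaming case), as an added example that is not from this thread, from the linked article or from Zscaler. It shows the two points referenced above: RFC1918 destinations bypass the cloud proxy (btan's earlier comment), and isInNet is only called on IP literals so the browser does not resolve every hostname via DNS, with a primary node and a backup node listed so the browser fails over between them. All hostnames and ports are assumed placeholders; the four functions marked "shim" stand in for helpers a browser provides natively to PAC scripts, so that FindProxyForURL can be exercised offline with Node.

```javascript
// Added example (not from this thread or from Zscaler): a PAC file that sends
// web traffic to a primary cloud proxy node with failover to a backup node,
// while intranet names and RFC1918 addresses go DIRECT.
// Functions marked "shim" stand in for helpers a browser provides natively to
// PAC scripts; they exist here only so FindProxyForURL can be run offline.
// All hostnames and ports are assumed placeholders, not real Zscaler endpoints.

const PRIMARY_ZEN = "PROXY gateway-primary.zscaler.example:80"; // assumed placeholder
const BACKUP_ZEN = "PROXY gateway-backup.zscaler.example:80";   // assumed placeholder
const CORP_DOMAIN = ".urcompany.domain.net";                     // example name from the thread
const IPV4_LITERAL = /^\d{1,3}(\.\d{1,3}){3}$/;

// --- shims for browser-provided PAC helpers (assumption: minimal, offline) ---
function ipToInt(ip) {
  return ip.split(".").reduce((acc, octet) => (acc << 8) + parseInt(octet, 10), 0) >>> 0;
}
function isPlainHostName(host) {          // shim: true when the host has no dots
  return host.indexOf(".") === -1;
}
function dnsDomainIs(host, domain) {      // shim: true when the host ends with domain
  return host.length > domain.length && host.slice(-domain.length) === domain;
}
function isInNet(ip, net, mask) {         // shim: no DNS here, IP literals only
  if (!IPV4_LITERAL.test(ip)) return false;
  return (ipToInt(ip) & ipToInt(mask)) === (ipToInt(net) & ipToInt(mask));
}

// Stable hash so a given destination keeps its sessions on one node (the
// "load balancing within a PAC file" idea); the other node is listed second
// as the failover target.
function hashHost(host) {
  let h = 0;
  for (let i = 0; i < host.length; i++) h = (h * 31 + host.charCodeAt(i)) >>> 0;
  return h;
}

function FindProxyForURL(url, host) {
  // 1. Plain intranet names (including "localhost") and the corporate domain
  //    never leave the site.
  if (isPlainHostName(host) || dnsDomainIs(host, CORP_DOMAIN)) return "DIRECT";

  // 2. RFC1918 and loopback go DIRECT. isInNet is only reached when the host
  //    is already an IP literal: in a browser, isInNet(hostname, ...) triggers
  //    a DNS lookup on every request, which is the "safely using IsInNet"
  //    problem. Hostnames that resolve into private space are deliberately
  //    not caught here; list them by domain in rule 1 instead.
  if (IPV4_LITERAL.test(host) &&
      (isInNet(host, "10.0.0.0", "255.0.0.0") ||
       isInNet(host, "172.16.0.0", "255.240.0.0") ||
       isInNet(host, "192.168.0.0", "255.255.0.0") ||
       isInNet(host, "127.0.0.0", "255.0.0.0"))) return "DIRECT";

  // 3. Everything else goes to the cloud proxy. No trailing "DIRECT": if both
  //    nodes are unreachable the browser fails closed instead of bypassing
  //    the filtering that the site's GRE tunnel enforces.
  return hashHost(host) % 2 === 0
    ? PRIMARY_ZEN + "; " + BACKUP_ZEN
    : BACKUP_ZEN + "; " + PRIMARY_ZEN;
}
```

On site, the PAC is largely irrelevant for enforcement because the GRE tunnel carries port 80/443 traffic to the cloud regardless of browser settings; the file matters for devices that leave the perimeter. The missing "DIRECT" at the end of rule 3 is a deliberate choice: appending it would make the client silently go unfiltered whenever both nodes are unreachable.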
 

Author Comment

by:totaram
ID: 39838002
You are so smart Breadtran..
A final question... will the GRE solution work if Primary and Backup are routed over two separate routers? It seems like your solution is over a single router.
0
 
LVL 64

Expert Comment

by:btan
ID: 39838340
The two-tunnel failover shared is per single device, hence if there are separate routers, ideally the two separate routers are configured in a load-balanced, redundant or clustered mode.

The key thing is to maintain connectivity to Zscaler via the established tunnel, else you will start seeing dropped connections and re-connections that can deteriorate the user experience.

The complexity gets higher when there are more routers, and it can be really tough troubleshooting multiple routers for a site-to-site tunnel. I would rather go simple since the WAN traffic already has link failover; "overdoing" it may complicate and introduce more issues.

Try my best to share :)
0
 

Author Comment

by:totaram
ID: 39849149
Hi Breadtran;
I see your point about not increasing any sort of complexity in the design, but I am still hazy about how we are going to set up a single router (edge) config... we have a primary MPLS connection on one router and we have added an edge router connecting to the internet via an ISP. So far so good. (FW being replaced w/ edge router)

One GRE tunnel would connect the primary MPLS and the other the ISP internet connected router. So, we would always end up with separate connections on two different routers. Are you suggesting that we bounce HTTP/HTTPS traffic from the MPLS router over to the edge router and have two GRE tunnels on the internet connected router? Can you please shine some light on the setup with one router.
0
 
LVL 64

Expert Comment

by:btan
ID: 39849217
Always better to get support advice too and log a formal case in advance of changes made, since it affects the Enterprise traffic as a whole.

Better explained by hearing experience from the forum; please see if it helps
https://supportforums.cisco.com/thread/2006431

The remote router will have a static default route pointing to the local ASA5505 (VPN internet connected). The default route is tracking an SLA (Pinging the HQ ASA5520 across internet). The remote router is also receiving a default route through OSPF with a higher weight than the static SLA tracked default route. Internet traffic will go out the local internet connection as primary and will failover to the MPLS network through HQ to the internet as secondary.
 
Our HQ data center IP subnet is advertised through MPLS and learned at the remote router. If this route goes away because of MPLS circuit outage or some other reason, traffic from the remote site to HQ data center will go over the internet based VPN between the remote ASA5505 and the HQ ASA5520.
 
The reason OSPF is enabled on the inside interface of the HQ ASA5520 is so that when a remote site's internet connection is down and internet bound traffic is sent through the MPLS to HQ (The remote router uses the OSPF learned default route when internet connection is down), the HQ ASA5520 knows how to route the internet return traffic back to the remote site through the MPLS network. Also, the learned OSPF route will be removed if the remote site is not reachable through the MPLS network so HQ data center traffic will use the HQ ASA5520 default route through the internet over the VPN tunnel between HQ and the remote site.

Assistance configuring failover with GRE tunnels from remote router to dual routers
https://supportforums.cisco.com/thread/2003410


Also this on HA for pt to pt GRE

http://www.cisco.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/P2P_GRE_IPSec/2_p2pGRE_Phase2.html#wp117385

Cisco recommends that at least two tunnels be configured on each branch. Each branch router should have a tunnel to a primary headend, and an alternate tunnel to a secondary headend. Under normal operating conditions, both the primary and secondary tunnels have routing protocol neighbors established. The routing protocol maintains both paths, with the secondary tunnel being configured as a less preferred path.
0
 

Author Closing Comment

by:totaram
ID: 39860848
Breadtran.. Yo da maan
0
 
LVL 64

Expert Comment

by:btan
ID: 39860949
totaram thanks!
0
