Solved

ZScaler connectivity

Posted on 2014-01-30
2,118 Views
Last Modified: 2014-02-14
Hi;
I understand that Zscaler can connect to Backup ZEN in case primary ZEN were to go down.
Does this setup require two (2) internet connections from the sites/branch office?
Question by: totaram

15 Comments
 

Expert Comment

by:btan
ID: 39823132
I doubt so, as any failover based on a cloud service is transparent to the end user. Likely the DNS round robin will kick in, analogous to managing high bandwidth demand. The enterprise just needs to ensure the office has internet reach as per the existing setup. Good to get support to advise further. It may be good to restrict your enterprise firewall to only the list of whitelisted Zscaler IPs coming into your enterprise.
 

Author Comment

by:totaram
ID: 39823178
Thanks breadtan.. I have one more question that I want to get out..

If we have the GRE tunnel set up for the enterprise, do we still need a proxy auto-config (PAC) configured on clients for traffic forwarding to the nearest ZEN? Please clarify.

Expert Comment

by:btan
ID: 39823209
From the link, a PAC file is only needed when GRE tunneling is not in use. For businesses using GRE, PAC files are only needed for when devices go offsite (home). In the example below, all traffic except RFC1918 goes through Zscaler. E.g.

https://support.google.com/chrome/a/answer/3504945?hl=en
 

Author Comment

by:totaram
ID: 39823241
That's what I thought...
Would you know how many suites the product comes in? My understanding was Standard, Advanced and Premium... but I am reading in some unreliable drafts that there is one more suite called Web Threat Suite (just for APT, anti-virus and anti-spyware). Please verify if possible.

Expert Comment

by:btan
ID: 39823331
See the various packages in the Web Security Datasheet
http://www.zscaler.com/pdf/datasheets/ds-web-security-0713-web.pdf

May want to use the TCO calculator
http://www.zscaler.com/tcocalculator/tco_cal-pound.php
 

Author Comment

by:totaram
ID: 39831577
Hi Breadtran;
Just have a doubt about the GRE tunnel method that is used to set up the proxy... how does the GRE tunnel really help? I can understand port forwarding that diverts any internet/web traffic (port 80/443) and routes it to Zscaler from the site egress router/FW, or proxy chaining. But how does the GRE tunnel really aid the proxy setting and what is its usefulness?

Also, is the tunnel between the site and the Zscaler node, or is it extended all the way from the site to the web hosting server?

Expert Comment

by:btan
ID: 39831851
It is single site to Zscaler, whereby the traffic encapsulates all the enterprise traffic (on behalf of all its internal clients). In short, it is a site-to-site tunnel and GRE is the supported protocol.

If all clients connect through (including via VPN) the enterprise "perimeter" and there exists strictly a single ingress/egress point to reach Zscaler (or the internet), then there isn't really a need for a proxy setting. But most of the time, the proxy needs to be locked down, as a user can bypass the "perimeter" by changing it easily, assuming they have the rights and know-how. Also, a client may not establish the VPN first and may even be physically mobile, outside the enterprise premises' connectivity.

Author Comment

by:totaram
ID: 39834679
Thank you so much Breadtran, understood it well..

I have one more question regarding connectivity.. we are trying to use Zscaler for MPLS sites where each site (with 1x E1 link) is already protected by a backup internet link. If the E1 goes down, the internet link picks up the bulk of regular site traffic.

Is there a way to send HTTP/HTTPS traffic (web traffic) to Zscaler only on the given internet link? The customer wants to have an internet breakout, so that costly MPLS bandwidth does not need to increase. Please illustrate it for 2 site configurations:

A. GRE tunnel from MPLS router to Zscaler node
B. Proxy PAC on workstations/devices.

Which is preferable of the two above?

Thanks;

Accepted Solution

by:
btan earned 175 total points
ID: 39834749
A. You are probably still looking at two tunnels: one over the E1 link and another over the internet link. GRE tunnel failover is based on bandwidth statements under the tunnels, e.g. the same metric on the internet (backup) tunnel but with a value of 256kbps, which is a less preferred metric. Some may have used the 'delay' metric, which is the most recommended option. Note that if there is IPsec, both tunnels need to use the same IPsec key since it comes from the same host point.

In short, the effort is to create two GRE tunnels and run either RIP, OSPF or EIGRP over them; use metric/cost to bias your traffic via the preferred GRE tunnel when choosing the route to the Zscaler site. You are just touching the network appliance and not the clients per se...

https://web.irtnog.org/Members/xenophon/blog/failover-sla-gre-ipsec

B. Actually I do not see any changes at all to the client machine PAC config file, as if the proxy (via browser) is locked down to reach the enterprise proxy.urcompany.domain.net (for example), the client machine will try to resolve this DNS name to reach it (either internal or external proxy) and from the proxy establish a VPN if coming remotely, or simply route from the proxy into the internet to Zscaler, transparent to the user. The PAC should already have considered the remote and local use cases regardless of the E1 or internet link.

The tricky part is more how the PAC is configured and establishing the VPN (disabling split tunneling so that all traffic routes through the VPN tunnel)... see "Safely using IsInNet(host, …)" and "Proxy Load Balancing within a PAC File"

http://www.proxypacfiles.com/proxypac/?option=com_content&view=article&id=54&Itemid=83

I actually see both as complementary, and A is preferred from an enforcement angle to route through a single point. For B, it is just to make sure they tunnel into the enterprise and route back if possible. So A is a must, since B will still go through the A use case.

Best effort to differentiate with my minimal background.
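The PAC side of option B, as an added example that is not from this thread, from Zscaler or from the linked proxypacfiles.com articles: a proxy auto-config file that keeps RFC1918 and loopback destinations direct (the policy btan describes), resolves DNS only for names under an assumed internal suffix (the "safely using isInNet" concern: isInNet() on a host name triggers a lookup, so the file matches dotted-quad literals arithmetically and resolves a name at most once), returns DIRECT for clients on an assumed corporate range where the GRE tunnel at the egress forwards web traffic, and for off-site clients pins each destination host to one of two placeholder cloud proxies with the other as fallback and DIRECT as last resort (a simple form of the "proxy load balancing within a PAC file" idea). Proxy host names, address ranges and the DNS table are constructed placeholders; the thin wrappers around the PAC built-ins dnsResolve() and myIpAddress() fall back to that table so the same file also runs under Node for testing.

```javascript
// Added example PAC file; not the thread's, Zscaler's or any vendor's code.
// All host names, address ranges and DNS answers below are constructed placeholders.

var CLOUD_PROXY_PRIMARY   = "PROXY proxy-a.example-cloud.invalid:80"; // placeholder proxy
var CLOUD_PROXY_SECONDARY = "PROXY proxy-b.example-cloud.invalid:80"; // placeholder proxy
var CORPORATE_CLIENT_NET  = "10.0.0.0/8";                             // assumed on-premises client range
var INTERNAL_SUFFIX       = ".corp.example.invalid";                  // assumed internal DNS suffix

// RFC1918 ranges plus loopback: destinations here never go to the cloud proxy.
var PRIVATE_NETS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8"];

// Dotted quad -> 32-bit unsigned integer; null when the string is not an IPv4 literal.
function ipv4ToInt(s) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (!m) return null;
  var n = 0;
  for (var i = 1; i <= 4; i++) {
    var octet = parseInt(m[i], 10);
    if (octet > 255) return null;
    n = n * 256 + octet;
  }
  return n;
}

// Prefix match done with integer arithmetic, so no DNS is ever involved here.
function inCidr(ip, cidr) {
  var parts = cidr.split("/");
  var base = ipv4ToInt(parts[0]);
  var bits = parseInt(parts[1], 10);
  var addr = ipv4ToInt(ip);
  if (addr === null || base === null) return false;
  if (bits === 0) return true;
  var shift = 32 - bits;
  return (addr >>> shift) === (base >>> shift);
}

function isPrivateAddress(ip) {
  for (var i = 0; i < PRIVATE_NETS.length; i++) {
    if (inCidr(ip, PRIVATE_NETS[i])) return true;
  }
  return false;
}

// Constructed lookup table used only when the PAC built-ins are absent (Node).
var TEST_DNS = { "intranet.corp.example.invalid": "10.20.30.40" };
var TEST_CLIENT_IP = "203.0.113.7"; // constructed off-site client address

function resolveHost(host) {
  if (typeof dnsResolve === "function") return dnsResolve(host); // PAC built-in
  return TEST_DNS.hasOwnProperty(host) ? TEST_DNS[host] : null;
}

function clientAddress() {
  if (typeof myIpAddress === "function") return myIpAddress();   // PAC built-in
  return TEST_CLIENT_IP;
}

function hasSuffix(s, suffix) {
  return s.length >= suffix.length && s.substr(s.length - suffix.length) === suffix;
}

// On the corporate LAN the GRE tunnel forwards web traffic, so return DIRECT.
// Off-site, pin the destination host to one proxy by a simple hash and keep the
// other proxy and DIRECT as ordered fallbacks.
function cloudProxyChain(host) {
  if (inCidr(clientAddress(), CORPORATE_CLIENT_NET)) return "DIRECT";
  var sum = 0;
  for (var i = 0; i < host.length; i++) sum += host.charCodeAt(i);
  var first  = (sum % 2 === 0) ? CLOUD_PROXY_PRIMARY : CLOUD_PROXY_SECONDARY;
  var second = (sum % 2 === 0) ? CLOUD_PROXY_SECONDARY : CLOUD_PROXY_PRIMARY;
  return first + "; " + second + "; DIRECT";
}

function FindProxyForURL(url, host) {
  var h = host.toLowerCase();

  // 1. Plain host names (no dots) are internal by convention: stay on site.
  if (h.indexOf(".") === -1) return "DIRECT";

  // 2. IPv4 literal as destination: decide on the literal itself, no lookup.
  if (ipv4ToInt(h) !== null) {
    return isPrivateAddress(h) ? "DIRECT" : cloudProxyChain(h);
  }

  // 3. Only names under the internal suffix are resolved, once; an RFC1918
  //    answer stays direct. Every other name goes to the cloud without a lookup.
  if (hasSuffix(h, INTERNAL_SUFFIX)) {
    var addr = resolveHost(h);
    if (addr !== null && isPrivateAddress(addr)) return "DIRECT";
  }

  return cloudProxyChain(h);
}
```

A browser only calls FindProxyForURL and supplies dnsResolve()/myIpAddress() itself, so the test wrappers are inert in production; the point to check on a real deployment is that the corporate client range and internal suffix match what the site actually uses, since a wrong CORPORATE_CLIENT_NET would send off-site users DIRECT and bypass the proxy entirely.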
 

Author Comment

by:totaram
ID: 39838002
You are so smart Breadtran..
A final question... will the GRE solution work if primary and backup are routed over two separate routers? It seems like your solution is over a single router..

Expert Comment

by:btan
ID: 39838340
The two-tunnel failover shared is per single device, hence if there are separate routers, ideally the two separate routers are configured in a load-balanced, redundant or clustered mode.

The key thing is to maintain connectivity to Zscaler via the virtually established tunnel; otherwise you will start seeing dropped connections and re-connections that can deteriorate the user experience.

The complexity gets higher when there are more routers, and it can be really tough troubleshooting multiple routers for site-to-site tunnels. I would rather go simple since the WAN traffic already has link failover; "overdoing" it may complicate things and introduce more issues.

Try my best to share :)
 

Author Comment

by:totaram
ID: 39849149
Hi Breadtran;
I see your point about not increasing any sort of complexity in the design, but I am still hazy about how we are going to set up the single router (edge) config... we have a primary MPLS connection on one router and we have added an edge router connecting to the internet via an ISP. So far so good. (FW being replaced with the edge router)

One GRE tunnel would connect to the primary MPLS and the other to the ISP internet-connected router. So, we would always end up with separate connections on two different routers. Are you suggesting that we bounce HTTP/HTTPS traffic from the MPLS router over to the edge router and have two GRE tunnels on the internet-connected router? Can you please shine some light on the setup with one router.

Expert Comment

by:btan
ID: 39849217
Always better to get support advice too, to log a formal case in advance on changes made, since it is affecting the enterprise traffic as a whole.

Better explained hearing experience from the forum, please see if it helps
https://supportforums.cisco.com/thread/2006431

The remote router will have a static default route pointing to the local ASA5505 (VPN internet connected). The default route is tracking an SLA (Pinging the HQ ASA5520 across internet). The remote router is also receiving a default route through OSPF with a higher weight than the static SLA tracked default route. Internet traffic will go out the local internet connection as primary and will failover to the MPLS network through HQ to the internet as secondary.
 
Our HQ data center IP subnet is advertised through MPLS and learned at the remote router. If this route goes away because of MPLS circuit outage or some other reason, traffic from the remote site to HQ data center will go over the internet based VPN between the remote ASA5505 and the HQ ASA5520.
 
The reason OSPF is enabled on the inside interface of the HQ ASA5520 is so that when a remote site's internet connection is down and internet bound traffic is sent through the MPLS to HQ (The remote router uses the OSPF learned default route when internet connection is down), the HQ ASA5520 knows how to route the internet return traffic back to the remote site through the MPLS network. Also, the learned OSPF route will be removed if the remote site is not reachable through the MPLS network so HQ data center traffic will use the HQ ASA5520 default route through the internet over the VPN tunnel between HQ and the remote site.

Assistance configuring failover with GRE tunnels from remote router to dual routers
https://supportforums.cisco.com/thread/2003410


Also this on HA for point-to-point GRE

http://www.cisco.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/P2P_GRE_IPSec/2_p2pGRE_Phase2.html#wp117385

Cisco recommends that at least two tunnels be configured on each branch. Each branch router should have a tunnel to a primary headend, and an alternate tunnel to a secondary headend. Under normal operating conditions, both the primary and secondary tunnels have routing protocol neighbors established. The routing protocol maintains both paths, with the secondary tunnel being configured as a less preferred path.
 

Author Closing Comment

by:totaram
ID: 39860848
Breadtran.. Yo da maan

Expert Comment

by:btan
ID: 39860949
totaram thanks!