totaram asked:

Cloud applications through Zscaler

We are trying to connect a customer with Internet access. The customer has Zscaler and wants the traffic to go via Zscaler. There is a site router and firewall at the site. There are some AWS-based applications at the site which we are trying to connect by using the destination AWS IP addresses in the site router, so that they take the path via the configured GRE tunnel to the Zscaler DC. The ZS tunnels are up; however, we are not having much success, as the traffic does not ride the ZS tunnels. Please see if we are going wrong here with cloud-based services.

Tags: zscaler, Cloud Computing, cloud proxy

Last comment: totaram, 8/22/2022 (Mon)
totaram

ASKER
The crux of the question is: should Amazon apps be routed through the site router to the GRE tunnels after the destination IP match?
Jian An Lim

I am very confused.
If a customer has a GRE tunnel for Zscaler, then all traffic should go through Zscaler.

Am I on the wrong page?

totaram

ASKER
No, you are not on the wrong page.
The GRE tunnels are configured from the site router to Zscaler. We are trying to provide the destination IP addresses of the cloud-based applications in the router, as to where the packets should be routed after Zscaler. We are not finding adequate IP addresses for the cloud applications.
Did you get our issue?

Thanks
totaram

ASKER
Any comments?

Jian An Lim

Why do you need to provide the destination IP address of the cloud-based application in the router? All the traffic from the router should go to Zscaler by default, unless you do not use a 0.0.0.0 default route to Zscaler on the router?

If you browse to https://ip.zscaler.com (from inside), do you appear as the Zscaler network?

totaram

ASKER
Yes, when on a browser we get the source IP, VIP and destination IP information on running https://ip.zscaler.com.

However, the customer is not able to access AWS and other cloud-based applications. Could it be that something is wrong in their PAC file? We were thinking that we are not providing a path for web cloud apps. Please suggest where the issue could be.
Jian An Lim

Do they have a PAC file?

If you view the website, does it work or not? Do you see an error?

If you have admin access to it, do you see it in the web log?

Usually it could be certificate related, with Zscaler intercepting it; you might need to avoid that.

And it is best to log a ticket with Zscaler, unless they say you did not send it to them.

Further, do they not have the ZCC agent installed? Or do they just use the PAC file version?

A PAC file is not the best option, and traffic might get dropped (hit by the local firewall) because of that.
totaram

ASKER
"Further, do they not have the ZCC agent installed? Or do they just use the PAC file version?
A PAC file is not the best option, and traffic might get dropped (hit by the local firewall) because of that."

Jian,
Could you explain the above two sentences? The customer has Zscaler Client Connector installed on the laptops from where the testing is taking place, and I think they have the PAC files.

Also, remembering from testing last time:
we were able to see a successful ip.zscaler.com after we provisioned an IP address in an ACL in the router, and we were thinking that if we provision all the other cloud IP addresses, maybe we can make it work(??).
Jian An Lim

When using ZCC, the PAC file is considered transparent to the end user (it really depends on the setup).

If you are off site using ZCC, does it work?

You need to be able to default route 0.0.0.0 to the GRE tunnel, and hence your ACL should cover all IP addresses (0.0.0.0).

This is not the PAC, i.e. where you only go out via the PAC IP address.

In ZIA, there is a firewall as a service that shows which IP addresses are allowed and denied.


totaram

ASKER
OK, I think I understood you. Basically what you are saying is that instead of configuring all sorts of IP addresses in the site router, just set the default path pointing to the GRE tunnels to Zscaler, and the traffic would get appropriately routed to whichever cloud provider it is destined for. Yes, that makes sense. Please let me know if my understanding is correct.

Secondly, is the PAC file not used when the customer is using Zscaler Client Connector on each laptop? Is that correct? Please validate.

Thanks again for making me understand the situation.
Jian An Lim

Yes, you are right, the default path points to the GRE tunnel.

If you are in the office, the PAC file is not relevant, because traffic will always go to the GRE tunnel, unless you have another network that doesn't default traffic to the GRE tunnel.

Usually, when you deploy ZCC, you deploy it in tunnel mode, i.e. from the laptop you don't see the PAC file.
Without accessing your Zscaler portal, you have zero chance of finding that out.

For a small environment, we usually send all traffic to Zscaler without any need for or understanding of a PAC file, unless there is a requirement that traffic must not travel to Zscaler (mainly login.microsoftonline.com for authentication purposes, or a custom proxy on site that needs to be used instead, or a requirement that makes sense but that I don't know about).


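As an added example (not part of the original thread and not Zscaler's own hosted PAC), the PAC file below expresses the split the reply above describes: internal names and RFC 1918 addresses stay on site, the login.microsoftonline.com authentication exception goes direct, and everything else, AWS-hosted applications included, is handed to the Zscaler gateway, so no per-provider IP list is needed. The gateway hostnames and the internal domain `corp.example.com` are assumptions; the helper functions are small stand-ins for the PAC built-ins (`isPlainHostName`, `dnsDomainIs`, `shExpMatch`, `isInNet`) so the file can also be run under Node for testing.

```javascript
// Added example PAC (proxy auto-config) file. Not from the original thread and
// not Zscaler's own PAC; gateway hostnames and corp.example.com are assumed.

var ZSCALER_PROXY =
  "PROXY gateway.example.zscaler.net:80; PROXY secondary.example.zscaler.net:80";

// Stand-ins for the PAC built-ins so this file also runs under Node.
// A real PAC engine (browser or ZCC) supplies its own implementations.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

function dnsDomainIs(host, domain) {
  // true if host ends with domain, e.g. ("wiki.corp.example.com", ".corp.example.com")
  return host.toLowerCase().endsWith(domain.toLowerCase());
}

function shExpMatch(str, shexp) {
  // shell-style glob: "*" matches any run of characters, "?" matches one
  var re = "^" + shexp
    .replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".") + "$";
  return new RegExp(re, "i").test(str);
}

function ipToInt(ip) {
  return ip.split(".").reduce(function (acc, octet) {
    return acc * 256 + parseInt(octet, 10);
  }, 0);
}

function isInNet(ip, pattern, mask) {
  // ip must already be a dotted-quad literal. Unlike the real built-in this
  // never resolves hostnames, which is also what you want in a PAC file:
  // isInNet() on a name triggers a DNS lookup for every request.
  var m = ipToInt(mask);
  return ((ipToInt(ip) & m) >>> 0) === ((ipToInt(pattern) & m) >>> 0);
}

var IPV4_LITERAL = /^\d{1,3}(\.\d{1,3}){3}$/;

function FindProxyForURL(url, host) {
  host = host.toLowerCase();

  // 1. Local names and the (assumed) internal domain never leave the site.
  if (isPlainHostName(host) || dnsDomainIs(host, ".corp.example.com")) {
    return "DIRECT";
  }

  // 2. RFC 1918 destinations addressed by IP literal go direct as well.
  if (IPV4_LITERAL.test(host)) {
    if (isInNet(host, "10.0.0.0", "255.0.0.0") ||
        isInNet(host, "172.16.0.0", "255.240.0.0") ||
        isInNet(host, "192.168.0.0", "255.255.0.0")) {
      return "DIRECT";
    }
  }

  // 3. The authentication exception the reply mentions: Azure AD sign-in
  //    traffic is excluded from the proxy explicitly.
  if (shExpMatch(host, "login.microsoftonline.com") ||
      shExpMatch(host, "*.login.microsoftonline.com")) {
    return "DIRECT";
  }

  // 4. Everything else, AWS-hosted applications included, goes to Zscaler.
  return ZSCALER_PROXY;
}
```

Two design points. The proxy string deliberately ends with a second gateway rather than `; DIRECT`: appending `DIRECT` as the last fallback makes the endpoint fail open, so a laptop that cannot reach either gateway silently browses uninspected. Decide that behaviour on purpose. And, as the reply notes, when ZCC runs in tunnel mode the client ignores this file, so the bypass for login.microsoftonline.com has to be configured in the Zscaler portal as well.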
totaram

ASKER
Hi Jian,
Your comments have been very helpful. Would you know if AWS cloud applications require some special treatment?
Jian An Lim

In general, I have not heard that it is needed.
The only case is if the application must see its original SSL certificate; in this case, you still let it go through Zscaler, but tell Zscaler not to inspect that website's traffic.


totaram

ASKER
Hi Jian,
Sorry to have been missing for some time. The above issues are fixed. There is an application that requires VPN to work. I have heard that Zscaler can replace the need for VPN with ZPA. Would you know how ZPA works?
Jian An Lim

ZPA can deploy an App Connector and replace VPN.
You can read about it here: https://www.zscaler.com/partners/aws
It is true ZTNA, but it comes with a cost as well.

totaram

ASKER
Thank you Jian for the above, very helpful.
The customer has another query and I would seriously like to get your input.

Everything seems to be working fine with Z App on the laptops turned on and the traffic taking the auth GRE tunnel. There is another GRE tunnel created for non-auth users (guests/BYOD etc.) that the customer wants to use to send the traffic from guest wireless for laptops that do not have Z App. Two tunnels, one for staff and one for guests; so far so good.

Here is my question: the customer is asking us to make the staff/employee web traffic go via the non-auth tunnel when Z App is turned off on their laptops. Is there any potential security risk there? Reading your other emails on Zscaler-related topics, could there be some breaches?
Jian An Lim

A GRE tunnel is a GRE tunnel. Any traffic (auth or unauth) can get through it.
Obviously, you can tell Zscaler to treat auth and unauth traffic separately.

The only difference between auth and unauth traffic is whether you can "trace" it to the end user.
Usually, if it is unauth traffic, it will be locked down further. That's a policy you need to plan.

A security risk is a risk. It is not a technical conversation we can have here.
The major difference for unauth traffic is that it cannot perform SSL inspection.

I don't understand the breaches side. It is another risk that you carry with any cloud application. Either they have been upfront or not. Usually, where there is a breach, they will try to see whether there is customer impact; if so, they will inform the respective customers so they can make the correct remediation.
It is a shared responsibility when using any cloud service.

totaram

ASKER
Thank you so much Jian, I am beginning to see the light.

When you say the following:
"A security risk is a risk. It is not a technical conversation we can have here.
The major difference for unauth traffic is that it cannot perform SSL inspection."

Do you mean the websites (like Google/YouTube etc.) that employ SSL inspection can't be viewed when Z App is turned off? Please expand on it.
ASKER CERTIFIED SOLUTION
Jian An Lim

THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
totaram

ASKER
Thank you so very much. I really appreciate your looking into the issues with me.
It seems that you have a very good grasp of Zscaler matters.
Thanks once again.