Configuring Cloudi-Fi
This topic describes how to integrate Cloudi-Fi with SteelConnect. It includes these sections:
Cloudi-Fi overview
Configuring Cloudi-Fi
Troubleshooting Cloudi-Fi
Cloudi-Fi overview
Cloudi-Fi is a guest Wi-Fi provider that partners with Zscaler. Cloudi-Fi leverages and extends Zscaler for its security capabilities and performance.
The integration of Cloudi-Fi with SteelConnect provides these benefits:
Security - Control the guest use of the network with URL filtering, content filtering, a cloud firewall, and more.
Compliance - Store authentication and transaction logs in compliance with local regulations. Logs are also available in real time through the Cloudi-Fi administration interface.
Customization - Personalize and brand community messages with custom format and content.
Extended marketing - Improve the customer experience at your point of sale with fast and easy-to-use guest Wi-Fi.
As part of the Cloudi-Fi service, Cloudi-Fi support will provision a Zscaler account as an OEM service, with or without an existing Zscaler subscription. No additional infrastructure is required.
Configuring Cloudi-Fi
Before configuring Cloudi-Fi, make sure you have current Cloudi-Fi account credentials.
A SteelConnect gateway automatically connects with a Zscaler Enforcement Node (ZEN), creating a secure IPsec VPN tunnel between the Cloudi-Fi cloud and the SteelConnect gateways at sites. SteelConnect automatically chooses the best ZENs based on latency, and it enforces traffic policies configured on Cloudi-Fi. Here are some key Cloudi-Fi components:
Each customer account is associated with one Cloudi-Fi cloud.
Each cloud consists of ZENs in various geographic regions.
ZENs act as proxy servers that do traffic analysis and filtering.
Automatic ZEN assignment is the default, recommended method; however, you can manually choose a primary ZEN and a secondary ZEN for each site. For example, you might need to select ZENs located in a particular country for certain geographic requirements and regulations, or for users who need to see localized content. For details, see To manually set the ZENs for the site.
Cloudi-Fi is not supported for data center deployments using gateway SDI-5030 clusters.
Cloudi-Fi is not supported on SteelHead SD 570-SD, 770-SD, and 3070-SD appliances.
Basic steps
To deploy Cloudi-Fi and SteelConnect, complete these tasks:
Selecting an active cloud
Configuring locations
Setting the Cloudi-Fi VPN credentials
Setting traffic policies
Selecting an active cloud
The first task is to select an active cloud. The Cloudi-Fi active cloud must be different from the Zscaler active cloud. SCM warns you if you try to select the same active cloud for both Zscaler and Cloudi-Fi.
To select an active cloud
1. In SCM, choose Network Design > Cloudi-Fi.
2. Select an active cloud from the drop-down list.
Cloudi-Fi active cloud
By default, SteelConnect performs automatic ZEN selection. After you select a cloud:
SteelConnect automatically enables Cloudi-Fi and sends the list of available ZENs to all gateways.
The ZENs belonging to the selected cloud appear.
SteelConnect creates a Cloudi-Fi WAN for the organization.
The gateway measures latency to all of the ZENs. SteelConnect selects the two ZENs with the lowest latency.
SteelConnect pairs the ZENs with the sites in the organization.
Each gateway establishes IPsec VPN tunnels over its internet connection to the primary and secondary ZENs assigned to its site. Automatic ZEN selection and tunnel creation finish in approximately two minutes.
If the primary IPsec VPN tunnel or an intermediate connection goes down, all traffic is rerouted through the backup IPsec tunnel to the secondary ZEN in approximately 60 seconds, and in some cases up to 120 seconds.
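To make the selection and failover behaviour above concrete, here is an added Python model of it; this is not SteelConnect or Cloudi-Fi code, and the ZEN names and latency values are constructed. It goes slightly beyond the text by also applying a manual primary/secondary override and by excluding ZENs that have been switched Off in the active cloud.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

# Constructed sample: round-trip latency in ms measured by one gateway to each
# ZEN of the selected cloud. None marks a ZEN that did not answer the probe.
SAMPLE_LATENCIES_MS: Dict[str, Optional[float]] = {
    "zen-fra1": 14.2,
    "zen-ams1": 18.9,
    "zen-lon1": 21.5,
    "zen-par1": 12.7,
    "zen-sin1": 183.0,
    "zen-nyc1": None,
}


def auto_select(latencies_ms: Dict[str, Optional[float]],
                disabled: FrozenSet[str] = frozenset()) -> Tuple[str, str]:
    """Automatic selection: the two reachable, enabled ZENs with the lowest
    latency. The lowest becomes primary, the next lowest secondary."""
    candidates = sorted((rtt, zen) for zen, rtt in latencies_ms.items()
                        if rtt is not None and zen not in disabled)
    if len(candidates) < 2:
        raise ValueError("need at least two reachable ZENs for a primary/secondary pair")
    return candidates[0][1], candidates[1][1]


@dataclass
class SiteZenAssignment:
    """Assignment is made once and kept until re-optimization is triggered."""
    primary: str
    secondary: str
    primary_up: bool = True
    secondary_up: bool = True

    def active_zen(self) -> Optional[str]:
        """Failover: use the primary tunnel while it is up, else the secondary;
        None means the site currently has no Cloudi-Fi path at all."""
        if self.primary_up:
            return self.primary
        return self.secondary if self.secondary_up else None


def assign_site(latencies_ms: Dict[str, Optional[float]],
                manual: Optional[Tuple[str, str]] = None,
                disabled: FrozenSet[str] = frozenset()) -> SiteZenAssignment:
    """A manual (primary, secondary) pair takes precedence over automatic
    selection; a pair that repeats a ZEN or uses a disabled ZEN is rejected."""
    if manual is None:
        return SiteZenAssignment(*auto_select(latencies_ms, disabled))
    primary, secondary = manual
    if primary == secondary:
        raise ValueError("primary and secondary ZEN must differ")
    if disabled & {primary, secondary}:
        raise ValueError("a manually chosen ZEN is disabled in the active cloud")
    return SiteZenAssignment(primary, secondary)
```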
Triggering automatic ZEN selection
Because changing ZENs can briefly impact connectivity and change exit IP addresses, SteelConnect assigns the ZENs once and doesn’t update them after the initial assignment. This means that you must trigger automatic ZEN selection after you move a site to another location, change an ISP, and so on.
To trigger automatic ZEN selection
1. Choose Network Design > Sites.
2. Select a site.
3. Select the Cloudi-Fi tab.
4. Click the (Re-)optimize latencies button.
Configuring locations
A Cloudi-Fi scope provides a place to store locations in SCM.
To retrieve your Cloudi-Fi scope
1. Log in to the Cloudi-Fi administrator’s console.
2. Choose Locations.
3. Click the Scope text field.
The list of scopes to which you have access appears.
4. Locate a scope and note it for use in Step 4 in the next procedure.
To set the scope
1. In SCM, choose Network Design > Cloudi-Fi.
2. In the upper-right corner, click the down arrow next to Download Config.
3. Select Change credentials.
The SCM domain name appears as the default.
4. Specify the Cloudi-Fi scope that you identified in the previous procedure.
Specifying a valid scope is especially important for shared accounts, so that all administrators sharing the account can manage the locations. Be careful to enter a scope you can access: if you enter a scope you don’t have access to, then when you import the locations file (Step 2 in the next procedure), the import process might create locations that you cannot see or manage.
5. Click Submit.
To create the locations within the scope
1. In the upper-right corner, click the down arrow next to Download Config.
2. Click Download Locations.
3. Click Close.
SCM downloads the locations file in .CSV format.
4. Import the locations file into Cloudi-Fi.
Cloudi-Fi provisions the locations, which can take a few hours. The status icon in the Cloudi-Fi admin panel shows the status and lets you know when the location is ready to use.
5. After the locations are provisioned, select any of the locations you just created.
6. Click Edit Location.
7. Locate the VPN ID and the VPN key for use in the next task.
Setting the Cloudi-Fi VPN credentials
The next task is to add the credentials to SCM.
1. Choose Network Design > Cloudi-Fi.
2. In the upper-right corner, click the down arrow next to Download Config.
3. Select Change credentials.
4. Specify the VPN ID domain name.
5. Specify the preshared key for the domain. The preshared key should be different from the preshared key used for Zscaler.
6. Click Submit.
Viewing the ZEN selections
You can view the ZEN selections for the IPsec VPN tunnels in SCM.
To view the ZEN selections for the site
1. In SCM, choose Network Design > Cloudi-Fi.
2. Select the site.
3. Select the Cloudi-Fi tab.
Setting the ZENs manually
Automatic ZEN assignment is the default and the recommended method; however, you can manually choose a primary ZEN and a secondary ZEN for each site.
You can use any ZEN in the same cloud. All ZENs in a cloud share the same configuration. For some ZENs, a regional surcharge might apply. SteelConnect supports ZENs with a regional surcharge.
If the automatic ZEN selections are correct, skip ahead to Setting traffic policies.
ZEN selection
To manually set the ZENs for the site
1. Choose Network Design > Sites.
2. Select a site.
3. Select the Cloudi-Fi tab.
4. After ZEN Selection, select Manual from the drop-down list.
The current primary and secondary ZEN settings appear.
5. Click the search selector and select a primary and secondary ZEN.
6. Click Submit.
SCM shows all VPN configuration details under ZEN status as soon as the system creates the third-party VPN connection. The status also reports any tunnel latency at the time of the automatic selection.
You can disable Cloudi-Fi on a per-site basis.
To enable or disable a ZEN from the active cloud
Next to the ZEN, click On or Off.
Setting traffic policies
The final task is to steer traffic through Cloudi-Fi using internet breakout preferences and/or traffic rules.
Configuring the Cloudi-Fi WAN as the internet breakout
When Cloudi-Fi is enabled, SCM creates a Cloudi-Fi WAN. You can configure a Cloudi-Fi WAN as the default internet breakout (as the organization’s default, as the site’s default, or for specific zones). For details, see WAN settings.
For example, you can configure a guest Wi-Fi zone with a breakout through Cloudi-Fi.
Defining traffic rules
Configure a breakout preference to backhaul specific applications using traffic rules. Traffic rules determine which traffic is sent to the internet breakout or other VPNs. For example, you could send all traffic to the Cloudi-Fi WAN and break out internal or data center applications to backhaul them using a traffic rule. For details, see Directing traffic using traffic rules.
Only traffic rules doing application detection based on the first packet can be used.
Viewing Cloudi-Fi tunnels
You can check the status of Cloudi-Fi tunnels in SCM.
The SCM dashboard shows the Zscaler VPN tunnels between sites; it doesn’t show the tunnel endpoints for Zscaler.
To view Cloudi-Fi tunnels
1. Choose Visibility > Troubleshooting.
2. Select a site.
The Tunnels tab shows the tunnel status for each site.
Cloudi-Fi tunnel status
You can also view Cloudi-Fi Analytics dashboards for reporting and analysis.
Viewing the VPN ID
You can view the VPN ID credential used for tunnel authentication in SCM. This can be useful for determining whether a site has a configured location in Cloudi-Fi.
To view the VPN ID
1. Choose Network Design > Sites.
2. Select a site.
3. Select the Cloudi-Fi tab.
The VPN username (derived from the location name) and the fully derived VPN ID appear in the label below the text field.
Cloudi-Fi VPN credential for a site
We do not recommend changing the VPN username, and typically there is no reason to do so. However, if the VPN username automatically generated by Cloudi-Fi does not match the username that SCM has generated, you can use the username text field to override the VPN username so that it matches the SCM username. Do not include a domain after the username, because SCM adds it. Changing the VPN username makes it possible to force a SteelConnect site to connect as a specific other Cloudi-Fi location.
Troubleshooting Cloudi-Fi
If a Cloudi-Fi tunnel status is offline, check these items:
Is the configuration on Cloudi-Fi up to date? Try importing the configuration file into Cloudi-Fi again. Ensure that the VPN credentials are linked to locations and the locations have been provisioned by Cloudi-Fi.
Could the ZEN be down? Has it moved to another location? The current list of ZENs is updated during SCM startup and reflects ZENs that were added, updated, or deleted according to their availability.
If the node is problematic, disable it in the ZEN list. Under Network Design > Cloudi-Fi, click Off to disable the problematic node. For sites with manually configured ZENs, choose a different ZEN manually.
If the Cloudi-Fi tunnels are up, but traffic is not going through Cloudi-Fi:
Check the internet breakout configuration in the organization, site, zone, or traffic rule.
If you’re testing a recent change, make sure that the browser is using a new connection. Changes only apply to new connections. Be aware that browsers usually attempt to reuse existing connections.
Make sure that the traffic rules use the first packet to detect the application.
The client must be using the SteelConnect gateway as the DNS server. This only applies to some types of traffic rules and doesn’t apply to organization, site, or zone breakout preferences.