Configuring Zscaler
This topic describes how to integrate Zscaler with SteelConnect. It includes these sections:
Zscaler overview
Integrating with Zscaler
Troubleshooting Zscaler
Zscaler overview
Zscaler is a cloud-based security provider that distributes components of a standard proxy to create a giant global network that acts as a single virtual proxy. The native integration of Zscaler with SteelConnect provides these benefits:
Easy configuration - Organizations with mobile users and numerous branch offices can use Zscaler instead of deploying an advanced firewall at each branch office. SteelConnect reduces the complexity of connecting to the cloud security service to a few simple clicks.
A SteelConnect gateway automatically connects with a Zscaler Enforcement Node (ZEN), creating a secure IPsec VPN tunnel between the Zscaler cloud and the SteelConnect gateways at sites.
Flexibility - After establishing a secure IPsec tunnel between the Zscaler cloud and SteelConnect gateways, you have the flexibility to configure Zscaler as an internet breakout preference at the organization, site, or zone level or as a breakout preference in traffic rules.
Robustness - If the primary IPsec VPN tunnel or an intermediate connection goes down, all traffic is rerouted through the backup IPsec tunnel to a secondary ZEN in approximately 60 seconds.
Visibility - The SCM troubleshooting page provides visibility into tunnel status.
Automatic tunnel optimization - SteelConnect automatically optimizes tunnel latency by choosing the best ZEN for each site.
IPsec VPN with SteelConnect gateway and ZEN
Before you begin
Before configuring Zscaler, make sure you:
have a Zscaler Security as a Service platform subscription. The SteelConnect integration with Zscaler supports Zscaler Internet Access (ZIA).
plan the level at which to configure internet breakout. For example, you might want to fall back to direct breakout if Zscaler is unavailable, or you might want to break traffic out at the organization or site level using a traffic rule.
decide in which order the breakout should occur: Zscaler, Zscaler and then internet, or internet and then Zscaler. Are there sites that require special routing such as guest zones? Do you need to breakout the data center sites directly?
Zscaler is not supported for data center deployments using gateway SDI-5030 clusters. SteelConnect 2.11 includes support for Zscaler on the SDI-2030 gateway and SteelHead SD 570-SD, 770-SD, and 3070-SD appliances in addition to SteelConnect SDI-130, SDI-330 and SDI-1030 gateways. For details on Zscaler on SteelHead SD 570-SD, 770-SD, and 3070-SD appliances, see Zscaler overview in the SteelHead SD User Guide.
Integrating with Zscaler
SteelConnect automatically routes traffic destined for the internet to the nearest ZEN for minimum latency, and it enforces traffic policies configured on Zscaler. Here are some key Zscaler components:
Each customer account is associated with one Zscaler cloud.
Each cloud consists of ZENs in various geographic regions.
ZENs act as proxy servers that do traffic analysis and filtering.
Automatic ZEN assignment is the default, recommended method; however, you can manually choose a primary ZEN and a secondary ZEN for each site. For example, you might need to select ZENs located in a particular country for certain geographic requirements and regulations, or for users who need to see localized content. For details, see To manually set the ZENs for the site.
Some ZENs apply an additional regional surcharge for their use. SteelConnect 2.10 and later supports ZENs requiring a surcharge. After enabling a ZEN with a surcharge, SCM asks you to confirm the selection.
Selecting a cloud
The first task is to select an active cloud.
To select a cloud
1. In SCM, choose Network Design > Zscaler.
2. Select a cloud from the drop-down list.
The current list of ZENs is updated during SCM startup and reflects ZENs that were added, updated, or deleted according to their availability.
You cannot select the same cloud for Cloudi-Fi and Zscaler. For details on Cloudi-Fi, see Configuring Cloudi-Fi.
Zscaler active cloud
By default, SteelConnect performs automatic ZEN selection. After you select a cloud:
SteelConnect automatically enables Zscaler and sends the list of available ZENs to all gateways.
The ZENs belonging to the selected cloud appear.
SteelConnect creates a Zscaler WAN for the organization.
The gateway measures latency to all of the ZENs. SteelConnect selects the two ZENs with the lowest latency.
SteelConnect pairs the ZENs with the sites in the organization.
Each gateway establishes IPsec VPN tunnels to its primary and secondary ZENs through an internet connection to the assigned ZEN pairs for the sites. Automatic ZEN selection and tunnel creation finish in approximately two minutes.
If the primary IPsec VPN tunnel or an intermediate connection goes down, all traffic is rerouted through the backup IPsec tunnel to the secondary ZEN in approximately 60 seconds. It can take up to 120 seconds.
Because changing ZENs can briefly impact connectivity and change exit IP addresses, SteelConnect assigns the ZENs once and doesn’t update them after the initial assignment. This means that you must trigger automatic ZEN selection after you move a site to another location, change an ISP, and so on.
To trigger automatic ZEN selection
1. Choose Network Design > Sites.
2. Select a site.
3. Select the Zscaler tab.
4. Click the (Re-)Optimize latencies button.
5. Click Confirm.
Viewing the ZEN selections
You can view the IPsec VPN tunnel ZEN selections in SCM.
To view the ZEN selections for the site
1. In SCM, choose Network Design > Zscaler.
2. Select the site.
3. Select the Zscaler tab.
If the automatic ZEN selections are correct, skip ahead to Whitelisting the VPN credential domain.
Setting the ZENs manually
Automatic ZEN assignment is the default and the recommended method; however, you can manually choose a primary ZEN and a secondary ZEN for each site.
You can use any ZEN in the same cloud. All ZENs in a cloud share the same configuration.
ZENs that apply a regional surcharge are disabled by default and aren’t selected during automatic ZEN assignment. After enabling a ZEN with a regional surcharge, you can select the nodes automatically and manually using the same methods as nodes that don’t require a regional surcharge.
When a ZEN that has been assigned to an SCM site manually is removed from the active cloud by Zscaler, SCM changes that site to use automatic selection mode.
ZEN selection
To manually set the ZENs for the site
1. Choose Network Design > Sites.
2. Select a site.
3. Select the Zscaler tab.
4. After ZEN Selection, select Manual from the drop-down list.
The current primary and secondary ZEN settings appear.
5. Click the search selector and select a primary and secondary ZEN.
6. Click Submit.
SCM shows all VPN configuration details under ZEN status as soon as the system creates the third-party VPN connection. The status also reports any tunnel latency.
You can disable Zscaler on a per-site basis.
To enable or disable a ZEN from the active cloud
Next to the ZEN, click On or Off.
Whitelisting the VPN credential domain
The next task is to ask Zscaler support to whitelist your VPN credential domain for successful authentication. After your credentials are whitelisted, you need to add the credentials to the Zscaler admin portal and then link the credentials to a location.
To whitelist the VPN credential domain
1. In SCM, choose Network Design > Zscaler.
2. Click Download Config.
A dialog displays your VPN credential domain.
Zscaler VPN credential domain
You’ll need this VPN credential domain for the Zscaler support representative. Don’t click Download VPN credentials or Download Locations yet. You’ll do that in Step 6.
3. In Zscaler, click the question mark (?) icon at the top of the Zscaler admin portal.
Question mark icon
4. Click Submit a ticket.
5. Ask Zscaler support to whitelist the VPN domain credential for the organization. You only need to add the domain once for the organization. It typically takes about five minutes to receive a response from Zscaler support.
6. After receiving a response from Zscaler support, return to the SCM Zscaler Configuration dialog and click Download VPN credentials.
The configuration file downloads.
To add the VPN credentials to the admin portal
1. In Zscaler, choose Administration > Resources > VPN Credentials.
2. Click Import VPN Credentials.
3. Mouse over the Activation menu and click Activate to save the changes locally.
After adding the VPN credentials to the Zscaler admin portal, the next task is to link the credentials to a location. Linking the VPN credentials to a location is required. Zscaler ignores VPN credentials that are not linked to a location.
You can link multiple credentials to one location to speed up configuration of multiple sites. For details, see To link the VPN credentials to multiple locations.
To link the VPN credentials to a location
1. In Zscaler, choose Administration > VPN Credentials > Locations.
2. Click Add VPN Credentials.
3. Enter the name, state/province, country, and time zone for the branch office location.
4. In the Addressing section, enter the public IP address for SteelConnect.
5. Click the down arrow beside VPN Credentials and select the credentials you created to associate with this branch location.
6. Click Save to store the changes locally.
7. Mouse over the Activation menu and click Activate.
This action pushes the configuration changes to the Central Authority (CA) immediately. The CA serves as the central repository for policies and configuration settings. The ZENs retrieve the policies from the CA and apply them to your organization’s internet traffic. Because all policies are centrally stored on the CA, the latest policies are always applied, no matter which ZEN your users connect to.
To link the VPN credentials to multiple locations
1. In SCM, choose Network Design > Zscaler.
2. Click Download Config.
3. Click Download Locations.
4. In Zscaler, choose Administration > VPN Credentials > Locations.
5. Click Import.
6. Click Apply Changes to store the changes locally.
7. Mouse over the Activation menu and click Activate.
Activation menu
This action pushes the configuration changes to the Central Authority (CA) immediately. The CA serves as the central repository for policies and configuration settings. The ZENs retrieve the policies from the CA and apply them to your organization’s internet traffic. Because all policies are centrally stored on the CA, the latest policies are always applied, no matter which ZEN your users connect to.
The final task is described in Setting traffic policies.
Customizing the VPN domain name
For test environments or troubleshooting, you can customize the whitelisted VPN domain name with another name without submitting a request to Zscaler support to whitelist the domain name manually.
In SteelConnect 2.10 and later, the default domain name is the name of the SCM domain. This is a change from previous SteelConnect versions, which used the organization ID. This new default domain name doesn’t impact previous configurations. If you have already configured Zscaler for an organization using SteelConnect 2.9.x, your configuration will continue to work with no further changes.
To change the VPN domain name
1. In SCM, choose Network Design > Zscaler.
2. Click the down arrow next to Download Config in the upper-right corner.
3. Select Change credentials.
Change the VPN credentials
4. Specify a new domain name.
5. Specify the preshared key for the domain.
6. Click Submit.
7. Repeat Step 1 through Step 6 if you’d like to return the VPN domain name to its original setting after you’re finished testing or troubleshooting.
Setting traffic policies
The final task is to steer traffic through Zscaler using internet breakout preferences, traffic rules, or both.
Configuring the Zscaler WAN as the internet breakout
When Zscaler is enabled, SCM creates a Zscaler WAN. You can configure the Zscaler WAN as the default internet breakout (as the organization’s default, as the site’s default, or for specific zones). For details, see Networking Defaults.
Defining traffic rules
Zscaler can also be used as a breakout preference in traffic rules. Traffic rules determine which traffic is sent to the internet breakout or other VPNs. For example, you could send all Facebook traffic to the Zscaler WAN and the rest of the traffic to the internet or backhaul it. For details, see Directing traffic using traffic rules.
Only traffic rules doing application detection based on the first packet can be used.
Viewing Zscaler tunnels
You can check the status of Zscaler tunnels in SCM.
The SCM dashboard shows the Zscaler VPN tunnels between sites; it doesn’t show the tunnel endpoints for Zscaler.
To view Zscaler tunnels
1. Choose Visibility > Troubleshooting.
2. Select a site.
The Tunnels tab shows the tunnel status for each site.
Zscaler tunnel status
You can also view Zscaler Analytics dashboards for reporting and analysis.
Viewing the VPN ID
You can view the VPN ID credential used for tunnel authentication in SCM. This can be useful for determining whether a site has a configured VPN credential.
To view the VPN ID
1. Choose Network Design > Sites.
2. Select a site.
3. Select the Zscaler tab.
The ID derived from Zscaler appears under VPN ID.
Zscaler VPN credential for a site
Troubleshooting Zscaler
If a Zscaler tunnel status is offline, check these items:
Is the configuration on Zscaler up to date? Try importing the configuration file into Zscaler again. Ensure that the VPN credentials are linked to locations. Make sure to click Activate changes.
Could the ZEN be down? Has it moved to another location? The current list of ZENs is updated during SCM startup and reflects ZENs that were added, updated, or deleted according to their availability. You can also check the current node list: for example, https://ips.zscaler.net/cenr (this link varies for each cloud). If the node is problematic, disable it in the ZEN list. Under Network Design > Zscaler, click Off to disable the problematic node. For sites with manually configured ZENs, choose a different ZEN manually.
If the Zscaler tunnels are up, but traffic is not going through Zscaler:
Check the internet breakout configuration in the organization, site, zone, or traffic rule.
If you’re testing a recent change, make sure that the browser is using a new connection. Changes only apply to new connections. Be aware that browsers usually attempt to reuse existing connections.
Make sure that the traffic rules use the first packet to detect the application.
The client must be using the SteelConnect gateway as the DNS server. This only applies to some types of traffic rules and doesn’t apply to organization, site, or zone breakout preferences.