Integrate Citrix SD-WAN and Zscaler using Citrix SD-WAN Center
Citrix SD-WAN and Zscaler help enterprises transform their WAN for cloud migration by providing secure local breakouts to applications and resources hosted on the Internet. New WAN infrastructure technologies such as SD-WAN increase network agility and scale while lowering cost and complexity for an improved user experience in distributed organizations.
SD-WAN solutions simplify routing by allowing traffic destined for the cloud to breakout to the Internet locally. SD-WAN provides flexibility for routing traffic to the Internet (remove central DC environment) by using application steering features. However, exposing the network to the Internet poses significant security risks. A centralized approach to securing local breakout through a cloud service eliminates the overhead of maintaining security infrastructure in the branches. All traffic is reliably and securely routed to Zscaler (cloud-based security platform) with Citrix SD-WAN in the branch network. You can eliminate costly infrastructure and protect your network from threats and vulnerabilities.
Citrix SD-WAN helps enterprises move to the cloud by securely enabling local branch-to-Internet breakouts with a built-in stateful firewall for creating policies that can allow or deny Internet access directly from the branch. Citrix SD-WAN identifies applications through a combination of an integrated database of over 4,000 applications, including individual SaaS applications, and uses deep packet inspection technology for real-time discovery and classification of applications. It uses this application knowledge to steer traffic from the branch to the Internet, cloud or SaaS.
Zscaler is the leading cloud-based security platform, which delivers superior security without the need for on-premises hardware, appliances, or software. Zscaler puts a perimeter around the Internet, so that enterprises do not need to put a security perimeter around every office. The Zscaler Cloud Security Platform acts as a series of security check posts in more than 100 data centers around the world. By redirecting internet traffic to Zscaler, enterprises can instantly secure stores, branches, and remote locations. Zscaler connects users and the Internet, inspecting every byte of traffic—even if it is encrypted or compressed—so that users are secure and all hidden threats are identified before they can infiltrate the enterprise network.
Citrix SD-WAN allows creating policies that enable direct Internet breakout from the branch and Zscaler’s Cloud Security Platform ensures security for IT by inspecting all internet-bound traffic in a cloud service close to where users connect.
Zscaler enforcement nodes (ZENs)
Citrix SD-WAN supports Zscaler APIs for automating creation of IPsec tunnels between Citrix SD-WAN and Zscaler Enforcement Nodes (ZENs) in Zscaler’s cloud network. ZENs are full-featured, inline Internet security gateways that inspect all Internet traffic bi-directionally for malware, and enforce security and compliance policies.
The Zscaler API provides the two closest data center locations to each branch, allowing SD-WAN to steer traffic effectively. Organizations can allow Zscaler to automatically pick the closest ZEN to the branch by having ZEN look at IP addresses of WAN links configured on Citrix SD-WAN or can manually select the ZENs.
Both the routes always be in active mode if the tunnel is UP. If any tunnel goes down the corresponding route becomes unreachable and the other route stay UP in that case.
The benefits of integrating Citrix SD-WAN and Zscaler include:
- Faster adoption of SaaS and cloud in a distributed enterprise.
- Centralizing security as a cloud service eliminates the need to have it in each branch.
- Eliminating the need to backhaul internet-destined traffic allowing local Internet breakout at the branch.
- Simplified IT management with automated connectivity to a secure web gateway.
- API support automates configuration of secure tunnels to Zscaler
- Improved user experience by reducing latency from backhauling SaaS traffic.
- Eliminates hub-and-spoke model dependency for security purposes
- Elimination of costly security stacks at branches
- Reduce the overhead of having to deploy and manage firewalls at the branches.
- Assurance that internet-bound traffic is always secure.
- Security policies do not tie users to a physical location.
- Provides sandboxing, inspection of all ports and protocols, including SSL, URL filtering, advanced threat protection, and more to protect against zero-day attacks.
A Zscaler deployment using SD-WAN appliances supports the following functionality:
- Forwarding user-defined Internet traffic to Zscaler, thereby enabling direct Internet breakout.
- Direct internet access (DIA) using Zscaler on a per customer site basis.
- On some sites, you might want to provide DIA with on-premises security equipment and not use Zscaler.
- On some sites, you might choose to backhaul the traffic another customer site for internet access.
- Virtual routing and forwarding deployments.
- One WAN link as part of internet services.
Zscaler is a cloud service. You must set it up as a service and define the underlying WAN links:
- Configure a trusted Public internet wan link at the data center and the branch sites.
- Auto configure IPsec Tunnels for intranet services.
Deploying Zscaler in Citrix SD-WAN Center workflow
The following are the high-level steps that define the workflow to deploy Zscaler in SD-WAN Center.
Configure Zscaler subscription to SD-WAN Center (onetime). Log into the Zscaler site to obtain subscription information.
Select Deploy in Citrix SD-WAN Center GUI.
- Deploy configuration for site using internet wan-link and preconfigured application object.
- Establish Connectivity.
- Get/Update of IPsec status.
Before you proceed with configuring Zscaler in SD-WAN Center, you need to log into the Zscaler portal.
Log into the Zscaler site to obtain subscription information. The Dashboard page opens.
Click Administration > Partner Integrations.
Select SD-WAN on the Partner Integrations page. Click Add Partner Key.
Choose Citrix SDWAN for the partner key and click Generate. Store the key.
Configure Zscaler in Citrix SD-WAN Center
In the Citrix SD-WAN Center GUI, navigate to the Configuration > Security page. The Zscaler Configured Sites page opens.
Click Subscription. Enter the Zscaler API (partner key) which created in the preceding steps. Provide your Zscaler Username and Password. Select the Zscaler Cloud Name, Zscaler Log Level, and click Apply.
Zens provides the list of available VPN endpoints for this Zscaler cloud subscription.
After entering the Zscaler subscription and ZEN details, you can start adding sites to Zscaler. Click Add.
In the Configure Sites to Zscaler dialog box, add Site, WAN Link, and Application Objects. By default, the Auto assign ZEN option is selected.
You can Manually Select ZEN. However, the following message appears notifying that unsaved changes are lost.
Select required sites and click Deploy. You can choose to add multiple sites by selecting Add Multiple. The selected sites are deployed and the configuration page is displayed.
Observe that the primary and secondary ZEN IP addresses are populated and the deployment status is Connection Active.
Click Re-Deploy, if you make changes to the configured site’s VPN endpoints or application objects. Any changes to the configured sites in the SD-WAN Center trigger a Change Management process on the appliances configured at the branch sites and DC sites.
Deleting sites also triggers the change management process.
Monitoring and troubleshooting
Select configured sites to view more information about Application Objects and Primary/Secondary IP addresses. You can click on the Details icon to view complete information about the configured sites.
IPsec tunnel configuration
The Details page in SD-WAN Center GUI provides information about the IPsec tunnel configuration to Primary and Secondary endpoints. The Peer IP is obtained from Zscaler. Verify IPsec tunnel configuration in the SD-WAN appliance GUI configuration editor.
The following IKE/IPSec settings are chosen for IPsec tunnel configuration in the SD-WAN appliance. For more information about configuring IPsec tunnel – IKE settings, see; How to configure IPsec tunnel between SD-WAN and third-party devices topic.
- IKE version - IKEv2
- IKE Identity – User FQDN
- Hash Algorithm - SHA-256
- Integrity Algorithm – SHA-256
- Encryption Mode – AES 256 Bits
- IPsec – Tunnel Mode
- IPsec Encryption – Null
For more information about configuring IPsec tunnel settings, see How to configure IPsec tunnel between SD-WAN and third-party devices topic.
Ensure that application objects are configured. For more information about configuring application routes, see Application classification topic.