Citrix SD-WAN

Zscaler Integration by using GRE tunnels and IPsec tunnels

The Zscaler Cloud Security Platform acts as a series of security check posts in more than 100 data centers around the world. By simply redirecting your internet traffic to Zscaler, you can immediately secure your stores, branches, and remote locations. Zscaler connects users and the internet, inspecting every byte of traffic, even if it is encrypted or compressed.

Citrix SD-WAN appliances can connect to a Zscaler cloud network through GRE tunnels at the customer’s site. A Zscaler deployment using SD-WAN appliances supports the following functionality:

  • Forwarding all GRE traffic to Zscaler, thereby enabling direct Internet breakout.
  • Direct internet access (DIA) using Zscaler on a per customer site basis.
    • On some sites, you might want to provide DIA with on-premises security equipment and not use Zscaler.
    • On some sites, you might choose to backhaul the traffic to another customer site for internet access.
  • Virtual routing and forwarding deployments.
  • One WAN link as part of internet services.

Zscaler is a cloud service. You must set it up as a service and define the underlying WAN links:

  • Configure an internet service at the data center and branch through GRE.
  • Configure a trusted Public internet link at the data center and the branch sites.

Topology

[Topology figures]

To use GRE tunnel or IPsec Tunnel traffic forwarding:

  1. Log into the Zscaler help portal at: https://help.zscaler.com/submit-ticket.

  2. Raise a ticket and provide the static public IP address, which is used as the GRE tunnel or IPsec tunnel source IP address.

Zscaler uses the source IP address to identify the customer. This value must be a static public IP address. Zscaler responds with two ZEN IP addresses (Primary and Secondary) to which traffic is redirected. GRE keep-alive messages can be used to determine the health of the tunnels.

Sample IP addresses

Primary

Internal Router IP address: 172.17.6.241/30 Internal ZEN IP address: 172.17.6.242/30

Secondary

Internal Router IP address: 172.17.6.245/30 Internal ZEN IP address: 172.17.6.246/30

Configuring an Internet Service

To configure an internet service through Citrix SD-WAN Orchestrator service, see Delivery services. For more information about enabling Internet service for a site, see Direct Internet Breakout.

Configure GRE Tunnel

  1. Source IP address is the Tunnel Source IP address. If the Tunnel Source IP address is NATted, the Public Source IP address is the public Tunnel Source IP address, even if it is NATted on a different intermediate device.

  2. Destination IP address is the ZEN IP address that Zscaler provides.

  3. The Source IP address and the Destination IP address are written into the outer IP/GRE header when the original payload is encapsulated.

  4. Tunnel IP address and Prefix are the IP addressing on the GRE tunnel itself. This is useful for routing traffic over the GRE tunnel. The traffic needs this IP address as the gateway address.

    [Figure: GRE tunnel configuration fields]

To configure a GRE tunnel through Citrix SD-WAN Orchestrator service, see GRE tunnel.
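The four fields above describe where each address ends up on the wire. The following added example (not Citrix or Zscaler code) builds the outer IPv4/GRE header around an inner packet, models an intermediate NAT device rewriting the outer source to the Public Source IP, and decapsulates the result the way the ZEN side would. The ZEN IP 104.129.194.38 is the sample value from this page; the private tunnel source 192.168.50.2, the public address 203.0.113.10 and the inner packet are constructed values.

```python
import ipaddress
import struct

GRE_PROTOCOL = 47        # IP protocol number for GRE (RFC 2784)
ETHERTYPE_IPV4 = 0x0800  # GRE protocol type for an IPv4 payload


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header; 0 when a filled-in header is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """20-byte IPv4 header without options, checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def gre_encapsulate(tunnel_src: str, zen_ip: str, inner_packet: bytes) -> bytes:
    """Tunnel Source / ZEN IP become the outer header; a plain 4-byte GRE header follows."""
    gre_hdr = struct.pack("!HH", 0, ETHERTYPE_IPV4)  # no C/K/S bits, so no optional fields
    outer = build_ipv4_header(tunnel_src, zen_ip, GRE_PROTOCOL, len(gre_hdr) + len(inner_packet))
    return outer + gre_hdr + inner_packet


def nat_rewrite_source(packet: bytes, public_ip: str) -> bytes:
    """Model an intermediate NAT device replacing the outer source with the Public Source IP.
    Assumes the outer header carries no options (true for packets built above)."""
    hdr = bytearray(packet[:20])
    hdr[12:16] = ipaddress.IPv4Address(public_ip).packed
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + packet[20:]


def gre_decapsulate(packet: bytes) -> dict:
    """What the ZEN side sees: validate the outer header, strip GRE, return the inner packet."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[0] >> 4 != 4 or ihl < 20:
        raise ValueError("outer packet is not IPv4")
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad outer IPv4 checksum")
    if packet[9] != GRE_PROTOCOL:
        raise ValueError("outer packet is not GRE")
    flags, ptype = struct.unpack("!HH", packet[ihl:ihl + 4])
    if flags & 0xB000:  # C, K or S set: optional fields would follow; not modelled here
        raise ValueError("GRE optional fields not supported")
    if ptype != ETHERTYPE_IPV4:
        raise ValueError("unexpected GRE protocol type 0x%04x" % ptype)
    return {
        "outer_src": str(ipaddress.IPv4Address(packet[12:16])),  # the address Zscaler identifies you by
        "outer_dst": str(ipaddress.IPv4Address(packet[16:20])),
        "inner": packet[ihl + 4:],
    }


def demo() -> dict:
    """Constructed scenario: branch host 10.10.1.25 -> TEST-NET host, tunnelled from a NATted source."""
    payload = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
    inner = build_ipv4_header("10.10.1.25", "198.51.100.7", 6, len(payload)) + payload
    on_wire = gre_encapsulate("192.168.50.2", "104.129.194.38", inner)   # Tunnel Source -> ZEN IP
    after_nat = nat_rewrite_source(on_wire, "203.0.113.10")              # Public Source IP
    return gre_decapsulate(after_nat)


if __name__ == "__main__":
    seen = demo()
    print("ZEN sees outer src", seen["outer_src"], "dst", seen["outer_dst"],
          "inner bytes", len(seen["inner"]))
```

The decapsulated `outer_src` is the NATted public address, not the appliance's private tunnel source, which is why the Public Source IP field (and the address given to Zscaler in the ticket) must be the post-NAT address.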

Configure routes for GRE tunnels

Configure routes to forward internet prefix services to the Zscaler GRE Tunnels.

  • The ZEN IP address (Tunnel destination IP, shown as 104.129.194.38 in the above figure) must be set to service-type Internet. This is required so that traffic destined to Zscaler is accounted from the Internet service.
  • All traffic destined to Zscaler must match the default route 0/0 and be transmitted over the GRE tunnel. Ensure that the 0/0 route used for the GRE tunnel has a lower Cost than Passthrough or any other Service type.
  • Similarly, the backup GRE tunnel to Zscaler must have a higher cost than that of the Primary GRE tunnel.
  • Ensure that nonrecursive routes exist for the ZEN IP address.

    Note

    If you do not have specific routes for the Zscaler IP address, configure the route prefix 0.0.0.0/0 to match the ZEN IP address and route it through a GRE tunnel encapsulation loop. This configuration uses the tunnels in an active-backup mode. With the values shown in the above figure, traffic automatically switches over to the tunnel with gateway IP address 172.17.6.242. If desired, configure a backhaul virtual path route. Otherwise, set the keep-alive interval of the backup tunnel to zero. This enables secure internet access to a site even if both the tunnels to Zscaler fail.

    GRE keep-alive messages are supported. The Citrix SD-WAN GUI includes a field called Public Source IP, which provides the NAT address of the GRE Source address when the Citrix SD-WAN appliance’s Tunnel Source is NATted by an intermediate device.
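The route rules above (ZEN IP reachable via a non-recursive Internet-service route, GRE default route cheaper than Passthrough, backup tunnel costlier than primary) and the active/backup switchover driven by GRE keep-alives can be checked with a small model. The following added example is not Citrix code; it models route selection as longest-prefix match then lowest cost, skipping routes whose tunnel failed keep-alive. The service-type names, the tunnel names, and the secondary ZEN IP 198.51.100.2 are assumptions; 104.129.194.38 and the tunnel IPs 172.17.6.242/.246 are the page's sample values.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: str                    # destination prefix, e.g. "0.0.0.0/0"
    service: str                   # modelled service types: "Internet", "GRE Tunnel", "Passthrough"
    cost: int                      # lower cost wins among equally specific routes
    tunnel: Optional[str] = None   # GRE tunnel name for "GRE Tunnel" routes
    gateway: Optional[str] = None  # Tunnel IP used as next hop into that tunnel

    @property
    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_network(self.prefix, strict=False)


@dataclass
class Tunnel:
    name: str
    role: str                  # "primary" or "backup"
    zen_ip: str                # tunnel destination: the ZEN IP Zscaler provides
    keepalive_ok: bool = True  # outcome of GRE keep-alive probing


def select_route(dst: str, routes: List[Route],
                 tunnels: Optional[Dict[str, Tunnel]] = None) -> Optional[Route]:
    """Longest-prefix match, then lowest cost. With tunnel state given, routes into a
    tunnel that failed keep-alive are skipped, which is the active/backup switchover."""
    addr = ipaddress.ip_address(dst)
    usable = [r for r in routes if addr in r.network
              and not (tunnels is not None and r.tunnel is not None
                       and not tunnels[r.tunnel].keepalive_ok)]
    if not usable:
        return None
    return min(usable, key=lambda r: (-r.network.prefixlen, r.cost))


def check_zscaler_routing(routes: List[Route], tunnels: Dict[str, Tunnel]) -> List[str]:
    """Static checks for the rules on this page; returns a list of problems (empty = fine)."""
    problems = []
    for t in tunnels.values():
        best = select_route(t.zen_ip, routes)  # health ignored: this is a configuration check
        if best is None:
            problems.append(f"{t.name}: no route for ZEN IP {t.zen_ip}")
        elif best.tunnel is not None:
            problems.append(f"{t.name}: route to ZEN IP {t.zen_ip} recurses into a GRE tunnel")
        elif best.service != "Internet":
            problems.append(f"{t.name}: ZEN IP {t.zen_ip} route is {best.service}, not Internet")
    defaults = [r for r in routes if r.network.prefixlen == 0]
    gre = {r.tunnel: r for r in defaults if r.service == "GRE Tunnel"}
    non_gre = [r for r in defaults if r.service != "GRE Tunnel"]
    if gre and non_gre:
        cheapest_other = min(non_gre, key=lambda r: r.cost)
        cheapest_gre = min(gre.values(), key=lambda r: r.cost)
        if cheapest_other.cost <= cheapest_gre.cost:
            problems.append(f"default route via {cheapest_other.service} (cost {cheapest_other.cost}) "
                            f"is not costlier than the GRE tunnel default (cost {cheapest_gre.cost})")
    primaries = [gre[n].cost for n, t in tunnels.items() if t.role == "primary" and n in gre]
    backups = [gre[n].cost for n, t in tunnels.items() if t.role == "backup" and n in gre]
    if primaries and backups and min(backups) <= max(primaries):
        problems.append("backup GRE tunnel default route must cost more than the primary tunnel's")
    return problems


def sample_config() -> Tuple[List[Route], Dict[str, Tunnel]]:
    """Constructed configuration: page sample addresses plus an assumed secondary ZEN IP."""
    tunnels = {
        "zscaler-primary": Tunnel("zscaler-primary", "primary", "104.129.194.38"),
        "zscaler-backup": Tunnel("zscaler-backup", "backup", "198.51.100.2"),
    }
    routes = [
        Route("104.129.194.38/32", "Internet", 5),  # ZEN IPs: Internet service, not via a tunnel
        Route("198.51.100.2/32", "Internet", 5),
        Route("0.0.0.0/0", "GRE Tunnel", 5, "zscaler-primary", "172.17.6.242"),
        Route("0.0.0.0/0", "GRE Tunnel", 10, "zscaler-backup", "172.17.6.246"),
        Route("0.0.0.0/0", "Passthrough", 20),       # last resort when both tunnels are down
    ]
    return routes, tunnels


def failover_sequence(routes: List[Route], tunnels: Dict[str, Tunnel]) -> List[Tuple[str, Optional[str]]]:
    """Where a packet to an internet host (constructed 203.0.113.25) goes as tunnels fail in turn."""
    out = []
    for down in ([], ["zscaler-primary"], ["zscaler-primary", "zscaler-backup"]):
        for t in tunnels.values():
            t.keepalive_ok = t.name not in down
        r = select_route("203.0.113.25", routes, tunnels)
        out.append((r.service, r.gateway))
    for t in tunnels.values():
        t.keepalive_ok = True
    return out


if __name__ == "__main__":
    routes, tunnels = sample_config()
    print("problems:", check_zscaler_routing(routes, tunnels))
    print("failover:", failover_sequence(routes, tunnels))
```

Running the sample gives no problems and the expected progression primary gateway, backup gateway, then Passthrough; adding a cheaper Passthrough default or dropping the /32 Internet route for a ZEN IP makes the checker report the misconfiguration the page warns about.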

Limitations

  • Multiple VRF deployments are not supported.
  • Primary/backup GRE tunnels are supported for a high-availability design mode only.

To monitor GRE and IPsec tunnel statistics:

In the SD-WAN web interface, navigate to Monitoring > Statistics > GRE Tunnel or IPsec Tunnel.

For more information, see the monitoring IPsec tunnels and GRE tunnels topics.
