Zscaler Integration by using GRE tunnels and IPsec tunnels
The Zscaler Cloud Security Platform acts as a series of security checkpoints in more than 100 data centers around the world. By redirecting your internet traffic to Zscaler, you can immediately secure your stores, branches, and remote locations. Zscaler sits between users and the internet, inspecting every byte of traffic, even if it is encrypted or compressed.
Citrix SD-WAN appliances can connect to a Zscaler cloud network through GRE tunnels at the customer’s site. A Zscaler deployment using SD-WAN appliances supports the following functionality:
- Forwarding all GRE traffic to Zscaler, thereby enabling direct Internet breakout.
- Direct internet access (DIA) using Zscaler on a per customer site basis.
- On some sites, you might want to provide DIA with on-premises security equipment and not use Zscaler.
- On some sites, you might choose to backhaul the traffic to another customer site for internet access.
- Virtual routing and forwarding deployments.
- One WAN link as part of internet services.
Zscaler is a cloud service. You must set it up as a service and define the underlying WAN links:
- Configure an internet service at the data center and branch through GRE.
- Configure a trusted Public internet link at the data center and the branch sites.
Topology
To use GRE tunnel or IPsec tunnel traffic forwarding:
- Log into the Zscaler help portal at https://help.zscaler.com/submit-ticket.
- Raise a ticket and provide the static public IP address that is used as the GRE tunnel or IPsec tunnel source IP address.
Zscaler uses the source IP address to identify the customer. The source IP must be a static public IP address. Zscaler responds with two ZEN IP addresses (primary and secondary) to which to redirect traffic. GRE keep-alive messages can be used to determine the health of the tunnels.
Sample IP addresses
- Primary: internal router IP address 172.17.6.241/30, internal ZEN IP address 172.17.6.242/30
- Secondary: internal router IP address 172.17.6.245/30, internal ZEN IP address 172.17.6.246/30
Configuring an Internet Service
To configure an internet service:
- Navigate to Connections > Internet Services and configure the internet service.
Configure GRE Tunnel
- Source IP address is the tunnel source IP address. If the tunnel source IP address is NATted, the Public Source IP address is the public (post-NAT) tunnel source IP address, even if the NAT is performed on a different intermediate device.
- Destination IP address is the ZEN IP address that Zscaler provides.
- The Source IP address and the Destination IP address become the outer IP/GRE headers when the original payload is encapsulated.
- Tunnel IP address and Prefix are the IP addressing on the GRE tunnel itself. This is useful for routing traffic over the GRE tunnel: the traffic uses this IP address as its gateway address.
To configure a GRE tunnel:
- In the Configuration Editor, navigate to Connections > Site > GRE Tunnels, and configure routes to forward internet prefix services to the Zscaler GRE tunnels.
The source IP address can only be chosen from the virtual network interface on trusted links. See How to configure a GRE tunnel.
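The following is an added illustration, not Citrix SD-WAN or Zscaler code, of what the tunnel fields above mean on the wire: the Source and Destination IP addresses land in the outer IPv4 header, the GRE header names the encapsulated protocol, and the original packet follows untouched. It also builds a Cisco-style GRE keep-alive, which is how a peer's health can be judged from whether the keep-alive comes back. The tunnel source 203.0.113.10 and the inner addresses are constructed values; the ZEN IP 104.129.194.38 is the one used in this article.

```python
# Added illustration: GRE-over-IPv4 encapsulation and a Cisco-style GRE
# keep-alive, built with the standard library. Not Citrix SD-WAN or Zscaler
# code; 203.0.113.10 and the inner packet are constructed values.
import ipaddress
import struct

IPPROTO_GRE = 47
GRE_PROTO_IPV4 = 0x0800  # EtherType of the encapsulated packet


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header (0 when the header is valid)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) followed by the payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload


def parse_ipv4(pkt: bytes) -> dict:
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    return {
        "src": str(ipaddress.IPv4Address(pkt[12:16])),
        "dst": str(ipaddress.IPv4Address(pkt[16:20])),
        "proto": pkt[9],
        "payload": pkt[ihl:total_len],
    }


def gre_encapsulate(tunnel_src: str, zen_ip: str, inner_packet: bytes) -> bytes:
    """Outer IPv4 header (src = tunnel source, dst = ZEN IP), then the 4-byte GRE
    header, then the original packet untouched. The tunnel's own /30 address
    (172.17.6.241 in the article) never appears on the wire: it is only the
    next hop of the route that steers traffic into the tunnel."""
    gre_hdr = struct.pack("!HH", 0, GRE_PROTO_IPV4)  # no C/K/S flags, version 0
    return build_ipv4(tunnel_src, zen_ip, IPPROTO_GRE, gre_hdr + inner_packet)


def gre_decapsulate(pkt: bytes):
    """Return (outer src, outer dst, GRE protocol type, inner packet)."""
    outer = parse_ipv4(pkt)
    if outer["proto"] != IPPROTO_GRE:
        raise ValueError("not a GRE packet")
    flags, proto = struct.unpack("!HH", outer["payload"][:4])
    if flags & 0xB000:  # C, K or S set would mean extra header fields follow
        raise ValueError("optional GRE fields are not handled here")
    return outer["src"], outer["dst"], proto, outer["payload"][4:]


def gre_keepalive(tunnel_src: str, zen_ip: str) -> bytes:
    """Cisco-style keep-alive: the inner packet is itself a GRE packet with the
    addresses reversed and an empty payload. A healthy peer decapsulates it and
    routes the result straight back to us; seeing it return proves the tunnel
    works in both directions. No reply within the keep-alive interval means the
    tunnel (and the route into it) should be treated as down."""
    reply = build_ipv4(zen_ip, tunnel_src, IPPROTO_GRE, struct.pack("!HH", 0, 0))
    return gre_encapsulate(tunnel_src, zen_ip, reply)


def is_keepalive_reply(pkt: bytes) -> bool:
    """True for a GRE packet carrying protocol type 0 and nothing else."""
    try:
        _, _, proto, body = gre_decapsulate(pkt)
    except ValueError:
        return False
    return proto == 0 and body == b""


if __name__ == "__main__":
    inner = build_ipv4("10.10.0.5", "93.184.216.34", 6, b"constructed TCP segment")
    wire = gre_encapsulate("203.0.113.10", "104.129.194.38", inner)
    print("outer headers:", gre_decapsulate(wire)[:3])
    _, _, _, echoed = gre_decapsulate(gre_keepalive("203.0.113.10", "104.129.194.38"))
    print("keep-alive reply recognised:", is_keepalive_reply(echoed))
```

Because the GRE header carries no integrity check of its own, a keep-alive only tells you the path is up, not that the payload is protected; that is the job of the service on the far side, or of an IPsec tunnel.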
Configure routes for GRE tunnels
Configure routes to forward internet prefix services to the Zscaler GRE tunnels.
- The ZEN IP address (the tunnel destination IP, shown as 104.129.194.38 in the figure above) must be set to service type Internet. This is required so that traffic destined to Zscaler is accounted against the Internet service.
- All traffic destined to Zscaler must match the default route 0/0 and be transmitted over the GRE tunnel. Ensure that the 0/0 route used for the GRE tunnel has a lower cost than Passthrough or any other service type.
- Similarly, the backup GRE tunnel to Zscaler must have a higher cost than the primary GRE tunnel.
- Ensure that a nonrecursive route exists for the ZEN IP address, that is, one that does not itself point into the GRE tunnel.
To configure routes for the GRE tunnel:
- Navigate to Connections > Site > Routes, and follow the procedures described in Configuring Routes for instructions about creating routes.
Note
If you do not have specific routes for the Zscaler IP address, configure the route prefix 0.0.0.0/0 to match the ZEN IP address and route it through a GRE tunnel encapsulation loop. This configuration uses the tunnels in an active-backup mode. With the values shown in the above figure, traffic automatically switches over to the tunnel with gateway IP address 172.17.6.242. If desired, configure a backhaul virtual path route. Otherwise, set the keep-alive interval of the backup tunnel to zero. This enables secure internet access to a site even if both the tunnels to Zscaler fail.
GRE keep-alive messages are supported. The Citrix SD-WAN GUI includes a field called Public Source IP, which provides the NAT address of the GRE Source address when the Citrix SD-WAN appliance’s Tunnel Source is NATted by an intermediate device.
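The route rules above (ZEN IP on the Internet service, primary GRE cheapest, backup GRE next, then the backhaul virtual path, and a nonrecursive route for the ZEN IP) are easier to reason about with a small model. This is an added illustration, not the Citrix SD-WAN forwarding code: the route table, the backup ZEN address 198.51.100.2 and all costs are assumed values; the gateways 172.17.6.242 and 172.17.6.246 and the ZEN IP 104.129.194.38 are the article's own. The `check_nonrecursive` function flags the misconfiguration the last bullet warns about, and `failover_sequence` walks through which next hop wins as keep-alives stop returning.

```python
# Added model of the route rules above: longest prefix, then lowest cost, with
# GRE routes withdrawn when their tunnel's keep-alives stop returning. This is
# a constructed illustration, not the Citrix SD-WAN forwarding code; the
# backup ZEN address 198.51.100.2 and all costs are assumed values.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Route:
    prefix: str
    service: str                     # "Internet", "GRE", "Virtual Path" or "Passthrough"
    gateway: Optional[str]
    cost: int
    tunnel: Optional[str] = None     # GRE tunnel this route steers into


@dataclass
class Tunnel:
    name: str
    zen_ip: str                      # tunnel destination in the outer header
    keepalive_interval: int          # seconds; 0 disables keep-alives
    replies_seen: bool = True        # did the last keep-alive come back?

    def is_up(self) -> bool:
        # With the interval set to 0 the appliance never learns that the tunnel
        # is down, so its route stays installed (the note above relies on this).
        return self.keepalive_interval == 0 or self.replies_seen


def lookup(routes: List[Route], tunnels: Dict[str, Tunnel], dst: str,
           ignore_health: bool = False) -> Optional[Route]:
    """Longest-prefix match; ties go to the lowest cost; GRE routes whose
    tunnel is down are skipped unless ignore_health is set."""
    addr = ipaddress.ip_address(dst)
    best = None
    for r in routes:
        net = ipaddress.ip_network(r.prefix)
        if addr not in net:
            continue
        if r.service == "GRE" and not ignore_health and not tunnels[r.tunnel].is_up():
            continue
        key = (net.prefixlen, -r.cost)
        if best is None or key > best[0]:
            best = (key, r)
    return None if best is None else best[1]


def check_nonrecursive(routes: List[Route], tunnels: Dict[str, Tunnel]) -> List[str]:
    """Names of tunnels whose ZEN IP would itself be routed into a GRE tunnel
    (or has no route at all). Such a tunnel would re-encapsulate its own
    packets instead of delivering them to Zscaler."""
    bad = []
    for t in tunnels.values():
        r = lookup(routes, tunnels, t.zen_ip, ignore_health=True)
        if r is None or r.service == "GRE":
            bad.append(t.name)
    return bad


def failover_sequence(routes: List[Route], tunnels: Dict[str, Tunnel], dst: str) -> List[str]:
    """Next hop chosen for dst as the tunnels fail one after another, in dict order."""
    for t in tunnels.values():
        t.replies_seen = True
    chosen = []
    for t in list(tunnels.values()) + [None]:
        r = lookup(routes, tunnels, dst)
        chosen.append(r.gateway or r.service)
        if t is not None:
            t.replies_seen = False           # keep-alives for this tunnel stop returning
    return chosen


# Constructed sample table mirroring the article's rules.
TUNNELS = {
    "zscaler-primary": Tunnel("zscaler-primary", "104.129.194.38", keepalive_interval=10),
    "zscaler-backup": Tunnel("zscaler-backup", "198.51.100.2", keepalive_interval=10),
}
ROUTES = [
    # Host routes for each ZEN IP via the Internet service: the nonrecursive
    # route requirement, and why the ZEN IP must be of service type Internet.
    Route("104.129.194.38/32", "Internet", None, 5),
    Route("198.51.100.2/32", "Internet", None, 5),
    # Default routes: primary GRE cheapest, backup GRE next, then backhaul over
    # the virtual path, then passthrough.
    Route("0.0.0.0/0", "GRE", "172.17.6.242", 5, tunnel="zscaler-primary"),
    Route("0.0.0.0/0", "GRE", "172.17.6.246", 6, tunnel="zscaler-backup"),
    Route("0.0.0.0/0", "Virtual Path", None, 10),
    Route("0.0.0.0/0", "Passthrough", None, 20),
]

if __name__ == "__main__":
    print("recursive tunnels:", check_nonrecursive(ROUTES, TUNNELS))
    print("failover order:", failover_sequence(ROUTES, TUNNELS, "93.184.216.34"))
```

Dropping the two host routes and re-running `check_nonrecursive` shows both tunnels flagged: the ZEN IP then resolves to the 0/0 GRE route, which is exactly the recursion the bullet list tells you to avoid. Setting the backup tunnel's `keepalive_interval` to 0 keeps its route installed even after both keep-alives fail, which is the behaviour the note describes for sites without a backhaul virtual path.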
Limitations
- Multiple VRF deployments are not supported.
- Primary backup GRE tunnels are supported for a high-availability design mode only.
Configure IPsec Tunnels
To configure IPsec tunnels for intranet or LAN services in the Citrix SD-WAN appliance GUI:
- In the Configuration Editor, navigate to Connections > <siteName> > IPsec Tunnels and choose a service type (LAN or Intranet).
- Enter a Name for the service type. For the Intranet service type, the configured intranet server determines which local IP addresses are available.
- Select the available Local IP address and enter the Peer IP address for the virtual path to the remote peer.
- Select IKEv1 for IKE Settings. Zscaler supports only IKEv1.
- Under IPsec Settings, select ESP-NULL for Tunnel type to redirect traffic to Zscaler through the IPsec tunnel. With ESP-NULL the IPsec tunnel does not encrypt the traffic; the redirected payload crosses the tunnel in cleartext.
- Because internet traffic is redirected, the destination IP/Prefix can be any IP address.
For more information about configuring IPsec tunnels by using the Citrix SD-WAN web interface, see the IPsec Tunnels topic.
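To make the ESP-NULL point concrete, here is an added illustration, not Citrix SD-WAN or Zscaler code, of the ESP framing (RFC 4303) with the NULL cipher (RFC 2410) and HMAC-SHA1-96 integrity: the inner packet is copied into the ESP payload verbatim, so it is readable by anyone on the path, while the ICV still lets the receiver detect modification. The SPI, HMAC key and inner packet bytes are constructed; which integrity algorithm a given Zscaler tunnel negotiates is not stated in this article and is assumed here.

```python
# Added illustration of what an ESP-NULL tunnel carries: ESP framing (RFC 4303)
# with the NULL cipher (RFC 2410) and HMAC-SHA1-96 integrity. Constructed
# example, not Citrix SD-WAN or Zscaler code; the SPI, key and inner packet
# bytes are made up, and HMAC-SHA1-96 is an assumed integrity algorithm.
import hashlib
import hmac
import struct

NEXT_HEADER_IPV4 = 4   # tunnel mode: the ESP payload is a whole IPv4 packet
ICV_LEN = 12           # HMAC-SHA1-96 keeps the first 12 bytes of the 20-byte tag


def esp_null_encapsulate(spi: int, seq: int, inner_packet: bytes, auth_key: bytes) -> bytes:
    """SPI | sequence | payload | padding | pad length | next header | ICV.
    Nothing here is encrypted: the inner packet is copied verbatim. Padding
    only aligns the trailer on a 4-byte boundary."""
    pad_len = (-(len(inner_packet) + 2)) % 4
    padding = bytes(range(1, pad_len + 1))           # RFC 4303 default padding values
    body = (struct.pack("!II", spi, seq) + inner_packet + padding
            + bytes([pad_len, NEXT_HEADER_IPV4]))
    icv = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    return body + icv


def esp_null_decapsulate(pkt: bytes, auth_key: bytes):
    """Check the ICV before touching anything else; return (spi, seq, next_header, inner)."""
    body, icv = pkt[:-ICV_LEN], pkt[-ICV_LEN:]
    expected = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ESP integrity check failed")
    spi, seq = struct.unpack("!II", body[:8])
    pad_len, next_header = body[-2], body[-1]
    return spi, seq, next_header, body[8:len(body) - 2 - pad_len]


def payload_visible_on_wire(pkt: bytes, inner_packet: bytes) -> bool:
    """With ESP-NULL anyone on the path can read the inner packet; the ICV only
    stops them from changing it unnoticed."""
    return inner_packet in pkt


def tamper_detected(pkt: bytes, auth_key: bytes, offset: int) -> bool:
    """Flip one bit of the packet at offset and report whether the receiver rejects it."""
    modified = pkt[:offset] + bytes([pkt[offset] ^ 0x01]) + pkt[offset + 1:]
    try:
        esp_null_decapsulate(modified, auth_key)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    key = bytes(range(20))                                   # constructed HMAC key
    inner = bytes.fromhex("45000028") + b"constructed inner IPv4 packet"
    pkt = esp_null_encapsulate(0x00001234, 1, inner, key)
    print("inner packet readable on the wire:", payload_visible_on_wire(pkt, inner))
    print("modification detected:", tamper_detected(pkt, key, 12))
```

The practical consequence for monitoring is that an ESP-NULL tunnel gives no confidentiality on the WAN link: if the link itself is untrusted, the only protection for the redirected traffic is whatever the applications already apply end to end (for example TLS).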
Configure routes for IPsec tunnels
To configure IPsec routes:
- Navigate to Connections > DC > Routes and follow the procedures described in Configuring Routes for instructions about creating routes.
To monitor GRE and IPsec tunnel statistics:
- In the SD-WAN web interface, navigate to Monitoring > Statistics > [GRE Tunnel | IPsec Tunnel].
For more information, see the monitoring IPsec tunnels and GRE tunnels topics.