NetScaler SD-WAN and Zscaler - Using GRE Tunnels and IPsec Tunnels
To secure traffic and enforce policies, enterprises often use MPLS links to backhaul branch traffic to the corporate data center. The data center applies security policies, filters traffic through security appliances to detect malware, and routes the traffic through an ISP. Such backhauling over private MPLS links is expensive. It also results in significant latency, which creates a poor user experience at the branch site. There is also a risk that users will bypass your security controls.
An alternative to backhauling is to add security appliances at the branch. However, the cost and complexity increases as you install multiple appliances to maintain consistent policies across the sites. And if you have a large number of branch offices, cost management becomes impractical.
The ideal solution to enforce security without adding cost, complexity, or latency is to route all branch Internet traffic from the Citrix NetScaler SD-WAN appliance to the Zscaler Cloud Security Platform. You can then use a central Zscaler console to create granular security policies your users. The policies are applied consistently whether the user is at the data center or a branch site. Because the Zscaler security solution is cloud based, you don’t have to add additional security appliances to the network.
The Zscaler Cloud Security Platform acts as a series of security check posts in more than 100 data centers around the world. By simply redirecting your internet traffic to Zscaler, you can immediately secure your stores, branches, and remote locations. Zscaler connects users and the internet, inspecting every byte of traffic, even if it is encrypted or compressed.
NetScaler SD-WAN appliances can connect to a Zscaler cloud network through GRE tunnels and IPsec tunnels at the customer’s site. A Zscaler deployment using SD-WAN appliances supports the following functionality:
- Forwarding all GRE traffic to Zscaler, thereby enabling direct Internet breakout.
- Direct internet access (DIA) using Zscaler on a per customer site basis.
- On some sites, you might want to provide DIA with on-premises security equipment and not use Zscaler.
- On some sites, you might choose to backhaul the traffic to another customer site for internet access.
- Virtual routing and forwarding deployments.
- One WAN link as part of internet services.
Zscaler is a cloud service. You must set it up as a service and define the underlying WAN links:
- Configure an internet service at the data center and branch through GRE tunnels.
- Configure a trusted Public internet link at the data center and the branch sites.
Internet traffic forwarding to Zscaler through GRE and IPsec Tunnels:
Log into the Zscaler help portal at: https://help.zscaler.com/submit-ticket.
Raise a ticket and provide the static public IP address, which is used as the GRE tunnel or IPsec tunnel source IP address.
Zscaler uses the source IP address value to identify the customer IP address. This value must be a static public IP address. Zscaler responds with two ZEN IP addresses to which to redirect traffic. GRE keep-alive messages can be used to determine the health of the tunnels.
Sample IP addresses
Internal Router IP address: 172.17.6.241/30
Internal ZEN IP address: 172.17.6.242/30
Internal Router IP address: 172.17.6.245/30
Internal ZEN IP address: 172.17.6.246/30
Configuring an Internet Service
To configure an internet service:
- Navigate to Connections - Internet Services. Configure internet service.
Configure GRE Tunnel
Source IP address is the Tunnel Source IP address. If the Tunnel Source IP address is NATted, the Public Source IP address is the public Tunnel Source IP address, even if it is NATted on a different intermediate device.
Destination IP address is the ZEN IP address that Zscaler provides.
The Source IP address and the Destination IP address are the router GRE headers when the original payload is encapsulated.
Tunnel IP address and Prefix are the IP addressing on the GRE tunnel itself. This is useful for routing traffic over the GRE tunnel. The trafic needs this IP address as the gateway address.
To configure GRE Tunnel:
In the configuration editor, navigate to Connections > **Site **> **GRE Tunnels, **and configure routes to forward internet prefix services to the Zscaler GRE Tunnels. The source IP address can only be chosen from the Virtual network interface on trusted links. See, How to Configure GRE Tunnel.
Configure Routes for GRE Tunnels
Configure routes to forward internet prefix services to the Zscaler GRE Tunnels.
- The ZEN IP address (Tunnel destination IP, shown as 126.96.36.199 in the above figure) must be set to service-type Internet. This is required so that traffic destined to Zscaler is accounted from the Internet service.
- All traffic destined to Zscaler must match the default route 0/0 and be transmitted over the GRE tunnel. Ensure that the 0/0 route used for the GRE tunnel has a lower Cost than Passthrough or any other Service type.
- Similarly, the backup GRE tunnel to Zscaler must have a higher cost than that of the Primary GRE tunnel.
- Ensure that nonrecursive routes exist for the ZEN IP address.
To configure routes for GRE Tunnel:
Navigate to Connections > Site > Routes, and follow the procedures described in Configuring Routes for instructions about creating routes.
If you do not have specific routes for the Zscaler IP address, configure the route prefix 0.0.0.0/0 to match the ZEN IP address and route it through a GRE tunnel encapsulation loop. This configuration use the tunnels in an active-backup mode. With the values shown in the above figure, traffic automatically switches over to the tunnel with gateway IP address 172.17.6.242. If desired, configure a backhaul virtual path route. Otherwise, set the keep-alive interval of the backup tunnel to zero. This enables secure internet access to a site even if both the tunnels to Zscaler fail.
GRE keep-alive messages are supported. A new field called Public Source IP that provides the NAT address of the GRE Source address is added to the NetScaler SD-WAN GUI interface (in the case when SD-WAN appliance Tunnel Source is NATted by an intermediate device). The NetScaler SD-WAN GUI includes a field called Public Source IP, which provides the NAT address of the GRE Source address when the NetScaler SD-WAN appliance’s Tunnel Source is NATted by an intermediate device.
- Multiple VRF deployments are not supported.
- Primary backup GRE tunnels are supported for a high-availability design mode only.
Configure IPsec Tunnels
To configure IPsec Tunnels for intranet or LAN services:
Use the NetScaler SD-WAN GUI to do the following:
In the Configuration Editor, navigate to Connections > <siteName> > IPsec Tunnels and choose a service type (LAN or Intranet).
Enter a Name for the service type. For Intranet service type, the configured intranet server determines which Local IP addresses are available.
Select the available Local IP address and enter the Peer IP address for the virtual path to the remote peer.
Select IKEv1 for IKE Settings. Zscaler supports only IKEv1.
Under IPsec Settings, select ESP-NULL for Tunnel type, to redirect traffic to Zscaler through the IPSec tunnel. The IPSec tunnel does not encrypt the traffic.
Because internet traffic is redirected, the destination IP/Prefix can be any IP address.
For more information about configuring IPSec Tunnels by using the NetScaler SD-WAN web interface, see; the IPsec Tunnels topic.
Configure Routes for IPsec Tunnels
To configure IPsec routes
Configure default route through Intranet service to redirect all internet traffic through Intranet service which is associated with IPsec Tunnel.
Navigate to Connections > DC > Routes and follow the procedures described in Configuring Routes for instructions about creating routes.
To monitor GRE and IPSec tunnel statistics:
|In the SD-WAN web interface, navigate to Monitoring > Statistics > [GRE Tunnel||IPsec Tunnel].|