Zscaler Internet Access
Zscaler Internet Access (ZIA) is a cloud security service. EdgeConnect traffic can be service chained to Zscaler for additional security inspection. Orchestrator supports IPSec and GRE tunnel modes for Zscaler.
NOTE: GRE tunnels are not formed across an EdgeHA link.
NOTE: Zscaler’s term for ZEN is now Service Edge.
WARNING: If two or more Orchestrators are connected to a single Zscaler account, you must set the MultipleOrchestratorsForOneZscalerAccount property to “true” on the Advanced Orchestrator Properties dialog box for both Orchestrators. This is service affecting. When you change this property, all Zscaler artifacts will be rebuilt to include the UUID for each Orchestrator connected to the Zscaler account.
The following table describes the fields on the Zscaler Internet Access tab.
Field | Description |
Appliance | Name of the appliance to connect to Zscaler. |
Interface Label | Interface label for the interfaces you want to connect to Zscaler. |
Mode | Tunnel mode (IPSec or GRE) for Zscaler. The default mode is IPSec. |
Gateway Options | A feature that enables you to configure sub-locations and various rules for your sub-locations. Gateway Options is an optional add-on. |
Bandwidth | Upload and download bandwidth speeds (in Mbps) to and from Zscaler. |
Zscaler Deployment Status | Status of the Zscaler deployment (Creating, Pending, or Deployed). Deployed indicates successful deployment. |
Zscaler Service Edges | These are the Zscaler endpoints to which the tunnels connect. This field is populated with discovered Public Service Edges based on the appliance’s geographical location. |
Connection Status | Status of the Zscaler connection based on tunnel and IP SLA statuses. |
Zscaler ZDX | When configured, click the link to open a new tab to your ZDX web portal. |
Configure Zscaler
Before you configure Zscaler, you must create a Zscaler account and ensure that you have an established connection with Zscaler.
NOTE: Ensure that both IPSec and GRE services are enabled in your Zscaler subscription so that Orchestrator can download data appropriately from Zscaler.
NOTE: This section represents the automated configuration of IPSec, IKE, and GRE tunnels from EdgeConnect to the Zscaler cloud. To manually configure the tunnels with the Zscaler cloud, refer to the EdgeConnect and Zscaler IPSec Integration Guide and the EdgeConnect and Zscaler GRE Integration Guide.
Go to https://help.zscaler.com/zia/sd-wan-api-integration and follow the steps to configure your Zscaler account.
After configuring your Zscaler account, navigate to the Zscaler Internet Access tab in Orchestrator (Configuration > Cloud Services > Zscaler Internet Access).
Click Subscription.
The Subscription dialog box opens.
Enter the appropriate information to reflect your Zscaler account.
The following table describes the fields.
Field | Description |
Zscaler | Indicates whether you are connected to your Zscaler account. |
Zscaler Cloud | Zscaler cloud URL. For example, zsapi.zscalerthree.net. |
Partner Username | Partner administrator username you created when configuring Zscaler. |
Partner Password | Partner administrator password you created when configuring Zscaler. |
Partner Key | Partner key you created when configuring your Zscaler account. Select Silver Peak from the list of partners. |
Domain | Domain provisioned in Zscaler for your enterprise. |
SubCloud ID (Optional) | A subcloud can be a subset of ZIA Public Service Edges, a subset of Private Service Edges, a subset of PZENs, or a subset of both ZIA Public Service Edges and Private Service Edges or PZENs. If you subscribe to any of these services, you must specify in this field the name of your subcloud (for example, Americas) to obtain a full list of Service Edges for your organization. WARNING: Because this is service affecting, configure this ID during a maintenance window only. This will cause previously built tunnels to be deleted and rebuilt. |
Link to Zscaler ZDX (Optional) | Provides direct browser access to the Zscaler Digital Experience (ZDX) monitoring service through a popout URL on the Zscaler Internet Access tab or in the appliance tree. To enable this hyperlink, switch on the toggle and enter your ZDX URL. NOTE: This URL could be customized for your ZDX web portal. Confirm the correct URL in your ZDX account. |
Configuration Polling Interval | Indicates how often Orchestrator should get “other” sub-locations of VPN locations from Zscaler. The default polling interval is ten minutes. |
Click Save. The Zscaler field should indicate Connected.
Interface Labels
Select the WAN interfaces you want to use for Zscaler internet traffic. You can specify primary and backup interfaces as described below. If a primary interface is unavailable, Orchestrator will use a backup interface if specified. Optionally, you can specify secondary interfaces as well. In this case, the fallback order is primary, secondary, and then backup.
On the Zscaler Internet Access tab, click Interface Labels.
The Build Zscaler Tunnels Using These Interfaces dialog box opens.
Drag the interfaces you want to use from the right side of the dialog box to the Primary and Backup areas. The interfaces are grayed out until you move them into the areas.
If you want to specify secondary interfaces, click Show Secondary to display the Secondary area, and then drag the appropriate interfaces to this area.
Click Save.
WARNING: This is service affecting. Any changes to the interface selection can cause previously built tunnels to be deleted and rebuilt.
Tunnel Settings
The Tunnel Settings button opens the Zscaler Tunnel Setting dialog box, enabling you to define the tunnels associated with Zscaler and EdgeConnect. The Mode field on the General tab allows you to select IPSec or GRE as the tunnel protocol for the specified WAN interface label. Use Zscaler defaults for tunnel settings defined by the system.
NOTE: For IPSec mode, you can configure General, IKE, and IPSec tunnel settings. For GRE mode, you can configure General tunnel settings. Settings are automatically generated, but you can change them if you want to.
Service Edge Override
You can override the automatically selected Service Edge pair for specific sites. You have the option to add this exception to one or more sites within your network.
NOTE: Orchestrator does not support Service Edge Override for GRE tunnels.
On the Zscaler Internet Access tab, click Service Edge Override.
The Service Edge Override dialog box opens.
Enter the appliance name, the interface label, and the primary and secondary IP addresses. Orchestrator will build tunnels to those Service Edges.
Field | Description |
Appliance | Appliance for which to override Zscaler Service Edges. |
Interface Label | Interface label from which tunnels are built. |
Primary IP | IP address of the primary Zscaler Service Edge. |
Secondary IP | IP address of the secondary Zscaler Service Edge. |
Click Save.
IP SLA
Configure IP SLA for Zscaler tunnels. This configuration ensures tunnel connectivity and internet availability between Zscaler and Orchestrator. If the tunnel cannot reach Zscaler, the tunnel is considered DOWN.
On the Zscaler Internet Access tab, click IP SLA.
The Zscaler IP SLA Configuration dialog box opens.
If all fields are dimmed, click Enable IP SLA rule orchestration.
Complete the following fields.
Field | Description |
Monitor | Ping or HTTP/HTTPS. |
Address | URL to the Zscaler endpoint that the IP SLA subsystem will ping. You can configure up to three addresses. |
Source Interface | Select an orchestrated loopback label. |
Accept the default values for the remaining fields and click Save.
Orchestrator builds the tunnels.
Country / Timezone
You can use the Zscaler Country / Timezone dialog box to map standard ISO Country Codes to Zscaler Country Enums and standard Time Zones to Zscaler Time Zone Enums. On the Zscaler Internet Access tab, click Country / Timezone to open the dialog box. Make changes, and then click Save.
NOTE: If the Zscaler VPN Location request fails with an invalid request body, you can use this dialog box to change the ISO Country Code to the correct Zscaler Country Enums. The Zscaler enum list is available in the Zscaler documentation and this Zscaler Trust post.
Gateway Options
You can configure gateway options and rules for Zscaler sub-locations. Orchestrator uses location and sub-locations to better define a branch site in the Zscaler cloud. Sub-locations are LAN-side segments within each branch. They can be identified by LAN interfaces, zones, or a collection of LAN subnets.
Enable Gateway Options
To enable gateway options:
On the Zscaler Internet Access tab, click Gateway Options.
The Zscaler Gateway Options dialog box opens.
Click Add.
The Location / Sub-Location Match Criteria dialog box opens.
Enter a name for the new rule in the Rule Name field.
WARNING: If two rules have the same sub-location name or IP address, Orchestrator picks the first match and considers the order of the rules.
Specify a location by entering an appliance name, region, or group in the Appliances field.
Enter the WAN label in the Location Label field.
If you select the Sub-Location check box:
Enter the sub-location name in the Name field.
Enter the subnet address (LAN label, Firewall Zone, or subnet) in the Internal IPs field.
Click Save.
NOTE: Sub-locations can be applied to all WAN links selected in the Build Tunnels Using These Interfaces dialog box (accessed by clicking the Interface Label button on the Zscaler Internet Access tab).
If you select the Show sub-locations check box on the Zscaler Internet Access tab, the sub-locations configured in Gateway Options appear in the Zscaler table.
Configure Bandwidth Control
You can set up bandwidth controls for your Zscaler sub-locations configured in Gateway Options. Select from bandwidth control options that use fixed amounts of bandwidth, inherit bandwidth values from parent locations, or use percentages of deployment bandwidth.
On the Zscaler Internet Access tab, click Gateway Options.
The Zscaler Gateway Options dialog box opens.
In the table, locate the rule name row for which you want to configure bandwidth control, and then click the linked text in the Gateway Options column.
The Zscaler Gateway Options & Bandwidth Control dialog box opens.
Select one of the following options from the Bandwidth Control drop-down list:
Bandwidth Control Option | Description |
OFF | Do not use bandwidth control. This is the default setting. |
Fixed bandwidth | Use fixed amounts of bandwidth for the sub-location. Specify amounts for download and upload in Mbps. |
Inherit (parent) location bandwidth | Inherit the parent location’s bandwidth values. |
Use deployment WAN label bandwidth | Use percentages of the deployment WAN label’s bandwidth. Specify amounts for download and upload as percentages. Each specified percentage cannot exceed 100%. Orchestrator will automatically translate percentages into Mbps and send them to Zscaler. Sub-locations will use these values as percentages of deployment bandwidth. |
Click Save.
The Change Gateway Options dialog box opens.
WARNING: Changing Gateway Options is service affecting. Make changes during a maintenance window.
Click Change Gateway Options.
Your changes are applied to Orchestrator and Zscaler. This process takes time to complete.
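The two behaviours described above, first-match ordering of Gateway Options rules and the translation of Bandwidth Control settings into Mbps, are modelled in the following added example. It is illustration code written for this page, not Orchestrator's implementation; the rule fields, option names and sample subnets are assumptions, and the shadowing check is an added sanity test for the ordering warning.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class SubLocationRule:
    """One Gateway Options rule (illustration; field names are assumptions)."""
    rule_name: str
    sub_location: str
    internal_ips: list          # Internal IPs of the sub-location as CIDR strings
    bw_control: str = "OFF"     # OFF | Fixed | Inherit | DeploymentPercent
    download: float = 0.0       # Mbps for Fixed, percent for DeploymentPercent
    upload: float = 0.0

def first_matching_rule(rules, client_ip):
    """Orchestrator picks the first match, so the list order is the rule order."""
    addr = ip_address(client_ip)
    for rule in rules:
        if any(addr in ip_network(net, strict=False) for net in rule.internal_ips):
            return rule
    return None

def shadowed_rules(rules):
    """Rules whose every subnet is covered by an earlier rule can never be the first match."""
    result = []
    for i, later in enumerate(rules):
        earlier = [ip_network(n, strict=False) for r in rules[:i] for n in r.internal_ips]
        covered = [any(e.supernet_of(ip_network(n, strict=False)) for e in earlier)
                   for n in later.internal_ips]
        if covered and all(covered):
            result.append(later.rule_name)
    return result

def effective_bandwidth(rule, parent_mbps, deployment_mbps):
    """Translate the Bandwidth Control setting into (download, upload) Mbps for Zscaler."""
    if rule.bw_control == "OFF":
        return None                                  # no bandwidth control sent
    if rule.bw_control == "Fixed":
        return (rule.download, rule.upload)          # already in Mbps
    if rule.bw_control == "Inherit":
        return parent_mbps                           # parent location's values
    if rule.bw_control == "DeploymentPercent":
        if not (0 <= rule.download <= 100 and 0 <= rule.upload <= 100):
            raise ValueError("each percentage cannot exceed 100%")
        return (deployment_mbps[0] * rule.download / 100, deployment_mbps[1] * rule.upload / 100)
    raise ValueError(f"unknown Bandwidth Control option {rule.bw_control!r}")

# Constructed sample rules: the /24 rule is shadowed by the broader /16 rule listed before it.
RULES = [
    SubLocationRule("guest-wifi", "Guest", ["10.10.0.0/16"], "DeploymentPercent", 20, 10),
    SubLocationRule("iot-cameras", "IoT", ["10.10.5.0/24"], "Fixed", 5, 2),
]
```

With the sample order, a host in 10.10.5.0/24 resolves to the guest-wifi rule and receives 20% and 10% of a 200/50 Mbps deployment WAN label, that is 40/5 Mbps; swapping the two rules makes the IoT rule take effect.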
Zscaler Association
The final step to configure the integration in Orchestrator is to associate EdgeConnect appliances to Zscaler.
In the Orchestrator appliance tree, select one or more appliances to associate with Zscaler.
On the Zscaler Internet Access tab, click Zscaler Association.
The Zscaler Appliance Association dialog box opens.
In the table, select one or more appliances you want to associate with Zscaler, and then select the Add check box.
Select the Remove check box to remove Zscaler association from selected appliances in the table.
Verify the changes, and then click Save.
Pause Orchestration
When troubleshooting, you can click Pause Orchestration and then click Save to pause orchestration. To restart, click Resume Orchestration.
Using Zscaler for Breakout Traffic
Finally, you need to select the Zscaler service in at least one Business Intent Overlay Breakout Traffic Policy to steer traffic to it.
Navigate to the Business Intent Overlays tab in Orchestrator (Configuration > Overlays & Security > Business Intent Overlays).
Click the overlay that breaks out traffic to Zscaler.
The Overlay Configuration dialog box opens.
Click the Breakout Traffic to Internet & Cloud Services tab.
Drag Zscaler Cloud from the Available Policies column to the Preferred Policy Order column.
Verify Zscaler Deployment
After Zscaler Internet Access is configured, deployment will begin automatically. Navigate to the Zscaler Internet Access tab to verify successful deployment. The Zscaler Deployment Status column should have a green status of Deployed, and the Connection Status column should have a green status of Up. The Connection Status column indicates the status of the Zscaler connection based on tunnel and IP SLA statuses.
NOTE: Zscaler is deployed and orchestrated for an appliance based on the Zscaler Appliance Association dialog box. Business Intent Overlays (BIOs) are used to configure breakout internet policies to Zscaler. This is used for automatic load distribution and failover.
You can also verify that your Zscaler tunnels have been successfully deployed on the Tunnels tab. The Passthrough Tunnel column should list your Zscaler tunnels, and the Status column should have a green status of up – active.
You can view the Audit Log to check for orchestration errors. Navigate to Orchestrator > Audit Logs and enter zscaler in the search field above the table.