Zero Trust Device Segmentation
Deploying on a VMware Virtual Machine
Zero Trust Device Segmentation gateways can be deployed as a virtual machine (VM) over VMware ESXi.
Prerequisites
- Hardware Requirements

| | Option 1 | Option 2 | Option 3 |
|---|---|---|---|
| CPU | 4 vCPU | 8 vCPU | 16 vCPU |
| Memory | 16 GB | 32 GB | 64 GB |
| Storage | 256 GB | 256 GB | 256 GB |
| Ports | 4x vNICs | 4x vNICs | 4x vNICs |
| Throughput (64KB HTTP) | 10 Gbps | 20 Gbps | 40 Gbps |
| Sessions | 500K | 1 million | 2 million |
| Number of Endpoints | 500 | 2,000 | 4,000 |

- Software Requirements
The VM deployment of Zscaler Device Segmentation gateways uses two interfaces (LAN and WAN). The ESXi hypervisor must be configured as follows:
- LAN/Airgap Port Group: A new port-group is created for the Airgapping VLAN, and the Airgap LAN interface/NIC1 is part of this newly created port group. Configure the following security settings on the newly created port group:
- Enable Promiscuous Mode.
- Enable MAC Address Change.
- Enable Forged Transmits.
- If deployed for multiple VLANs, the VLAN ID for the port group is 4095 (Trunk VLAN).
- WAN Port Group: Device Segmentation connects back to the existing network via the NIC2/WAN interface. Either an existing port group or a new port group with untagged access on the ESXi servers is used to connect back to the existing network.
- Internet Connectivity
Device Segmentation gateways need internet connectivity to be activated, retrieve the configuration, synchronize policies, and stream logs to the Device Segmentation Admin Portal. Ensure the gateways are allowed to send outbound TCP and UDP packets to the following hosts and ports:
- hub3.goairgap.com (TCP:1883)
- wg.goairgap.com (UDP:51820)
- Typical Setup
Configuration
Follow these steps to configure Device Segmentation on a VM:
- Step 1: Configure VMware ESXi.
- Create two port groups (e.g. LAN and WAN port group). The LAN port group must be configured as a trunk port group (e.g., VLAN ID = 4095) and the WAN port group as an access port group (specific VLAN ID).
- Ensure the security settings for the LAN port group allow promiscuous mode, forged transmits, and MAC address change.
- The WAN port group must be in the same VLAN as the upstream firewall/router.
This recording shows how to create two port groups: "Airgap WAN" with VLAN ID 150, and "Airgap LAN" with VLAN ID 4095. Note that if Device Segmentation protection is deployed across multiple VLANs, the VLAN ID for the LAN port group must be 4095.
- Step 2: Provision and install the Device Segmentation gateway.
Follow these steps to create a new VM in the ESXi server:
- Ensure that the VM specifications meet the requirements listed in Hardware Requirements.
- Select Linux and Ubuntu 64-bit as the OS type during the Create new VM workflow.
- Ensure that two NICs are attached to the VM. The first NIC must be in the LAN port group, and the second NIC must be in the WAN port group.
- During the installation, select eth1 as the preferred interface for connecting to the internet. This allows security updates to be downloaded during the installation.
This recording shows the provisioning process.
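The following PowerCLI script is an added example (not part of the Zscaler documentation or product) that carries out the port-group configuration from the prerequisites and Step 1 and the VM build from Step 2 on a standalone ESXi host, then verifies the LAN port group's security policy before the VM is created. The host name, vSwitch name, datastore and WAN VLAN ID are placeholders; the VM is sized to Option 1 of the hardware table.

```powershell
# Added example (not Zscaler's code): Step 1 port groups + Step 2 VM with two NICs via PowerCLI.
# Host name, vSwitch, datastore and WAN VLAN ID are placeholders / assumptions.
Import-Module VMware.VimAutomation.Core

$EsxiHost  = 'esxi01.example.internal'  # placeholder
$VSwitch   = 'vSwitch0'                 # placeholder
$Datastore = 'datastore1'               # placeholder
$WanVlanId = 150                        # WAN VLAN used in the recording on this page
$LanVlanId = 4095                       # trunk: required when protecting multiple VLANs

Connect-VIServer -Server $EsxiHost | Out-Null
$vmHost = Get-VMHost -Name $EsxiHost
$vss    = $vmHost | Get-VirtualSwitch -Name $VSwitch

# Step 1: the WAN port group is an access port group in the upstream firewall/router VLAN.
New-VirtualPortGroup -VirtualSwitch $vss -Name 'Airgap WAN' -VLanId $WanVlanId | Out-Null

# Step 1: the LAN/Airgap port group is a trunk. Promiscuous mode lets the gateway receive
# every endpoint's broadcast frames; MAC address change and forged transmits let it send
# frames whose source MAC differs from the vNIC's own MAC.
$lan = New-VirtualPortGroup -VirtualSwitch $vss -Name 'Airgap LAN' -VLanId $LanVlanId
$lan | Get-SecurityPolicy |
    Set-SecurityPolicy -AllowPromiscuous $true -MacChanges $true -ForgedTransmits $true | Out-Null

# Verify the effective policy. ESXi rejects all three by default, which would leave the
# gateway blind on the LAN side, so stop here rather than continue to the VM build.
$policy = Get-VirtualPortGroup -VirtualSwitch $vss -Name 'Airgap LAN' | Get-SecurityPolicy
if (-not ($policy.AllowPromiscuous -and $policy.MacChanges -and $policy.ForgedTransmits)) {
    throw "Airgap LAN security policy incomplete: $($policy | Out-String)"
}

# Step 2: VM sized to Option 1 of the hardware table, Ubuntu 64-bit guest type.
# The adapter created by New-VM is NIC1 and must be in the LAN port group; the second
# adapter (NIC2) is the WAN uplink selected as eth1 during installation.
$vm = New-VM -Name 'airgap-gw-01' -VMHost $vmHost -Datastore $Datastore `
             -NumCpu 4 -MemoryGB 16 -DiskGB 256 -GuestId 'ubuntu64Guest' `
             -NetworkName 'Airgap LAN'
New-NetworkAdapter -VM $vm -NetworkName 'Airgap WAN' -Type Vmxnet3 -StartConnected:$true | Out-Null

# Confirm NIC order before powering on: adapter 1 -> Airgap LAN, adapter 2 -> Airgap WAN.
Get-NetworkAdapter -VM $vm | Select-Object Name, NetworkName, Type | Format-Table -AutoSize

Disconnect-VIServer -Server $EsxiHost -Confirm:$false
```

Attach the gateway installation ISO to the VM before powering it on; the page does not name the image, so it is left out of the script.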
- Step 3: Configure the WAN port.
Zscaler recommends that you connect the WAN port group to the network and ensure internet connectivity is active. Do the following:
- Log in to the Device Segmentation gateway via the VMware console using the default credentials.
- Device Segmentation gateways communicate with various AWS public cloud services such as RDS, ALB, and Elastic over the WAN uplink. These connections can be aggregated into a single outgoing connection via the Device Segmentation-hosted forward proxy (e.g., hub3.goairgap.com on TCP port 1883). To configure this proxy setting, select option 2 in the Configure Gateway menu of the gateway command line interface.
- After configuring the IP address and proxy, and establishing internet connectivity for the Device Segmentation gateway, a 6-digit code displays in the gateway command line interface.
This recording shows the WAN configuration process.
- Step 4: Activate Device Segmentation gateways.
Device Segmentation configuration, policy management, logging, and reporting are managed via the SaaS-based Device Segmentation Admin Portal.
To activate the Device Segmentation gateway:
- Go to Networking > Gateways.
- Click Add Gateway.
- In the Add Gateway panel, complete the following information:
- Location: Select the location for this Device Segmentation gateway, or select Add New Location.
- Name: (Optional) If adding a new location, enter a name for the location.
- Gateway Name: Enter a name for the Device Segmentation gateway.
- DHCP Service: Select DHCP Server or DHCP Relay, based on whether the Device Segmentation gateway is a DHCP server or relay to your existing DHCP server.
- NAT Enable: (Optional) Select this checkbox if your Device Segmentation gateway uses NAT to route all the traffic leaving the Device Segmentation appliance toward the non-Device Segmentation network.
- Activation Code: Enter the code you received when you configured the WAN port. It can take 5 to 10 minutes to activate and provision the appropriate microservices.
- WAN Virtual IP: Enter the floating IP address to be used between two Device Segmentation gateways.
- WAN VRRP Group ID (1 - 255): Enter a number between 1 and 255 to uniquely identify the WAN router.
- Click Add.
- Similarly, create another VM and activate it as a standby:
- On the Gateway page, click the Gear icon for the gateway that you want to make a standby.
- Select Add Standby Gateway from the menu.
- Provide the standby gateway name and 6-digit code from the newly installed VM.
- Step 5: Configure VLAN.
Device Segmentation deployment is not complete until the VLAN to be protected is enabled in the Device Segmentation Admin Portal. Ensure that a LAN port is connected to the switch and that it is in the same VLAN as the devices (broadcast packets from the devices must reach the LAN port).
- Go to Networking > VLANs.
- Select the site where the Device Segmentation-protected VLAN is configured, and click Add VLAN.
- In the Add VLAN panel, complete the information for this VLAN. For an untagged port, enter 1 in the VLAN Tag field. If you are using an existing production VLAN, make sure that the default gateway IP address is the same as the existing Switch Virtual Interface (SVI) address for that VLAN.
This recording shows how to add a VLAN.
Log in to your existing L2/L3 switch, router, or firewall, and shut down the SVI/VLAN interface. Add a return route for the VLAN with the Device Segmentation WAN Virtual IP address as the next hop. Here are sample Cisco commands (for VLAN 226 with subnet 10.16.226.0/24):

```
#conf t
#int vlan 226
#shutdown
#exit
#ip route 10.16.226.0 255.255.255.0 <airgap-wan-vip>
```
Turn on the VLAN in the Device Segmentation Admin Portal.
By default, the VLANs are created in the staged state. Each VLAN must be enabled to configure it into the Device Segmentation gateways.
The DHCP Service option offers three modes: DHCP Service ON, DHCP Service OFF, and Non-Airgapped:
- DHCP Service ON: The Device Segmentation gateway assigns the IP address with a /32 net mask and ringfences the endpoints in the VLAN.
- DHCP Service OFF: The Device Segmentation gateway acts as a DHCP relay, modifies the DHCP response to a /32 net mask, and ringfences all the endpoints in the VLAN.
- Non-Airgapped: The Device Segmentation gateway assigns the net mask as per the default configured network subnet mask or the network mask received from the DHCP servers. It does not ringfence the endpoints. However, the admin can still create segmentation policies based on network and group-level policies.