Experience Center

Deploying Branch Connector on VMware Platforms

This deployment guide provides information on prerequisites, how to deploy Zscaler Branch Connector as a virtual machine (VM) on VMware platforms, and post-deployment configurations.

This procedure describes the steps for deploying Zscaler Branch Connector on VMware platforms. To learn more about deploying Branch Connector using a Terraform script, see Deployment Templates for Zscaler Branch Connector & App Connector.

Prerequisites

Make sure the following prerequisites are met:

Grant admins full access to Branch Connector Provisioning permissions.
The role that admins are assigned dictates the level of access they have to the Admin Portal. Zscaler provides a default admin account that provides full access to the portal and scope over the entire organization. To learn more, see About Role Management and Adding Admin Roles.
In the Admin Portal, create a dedicated username and password for the Branch Connector deployment. The password must be at least 8 characters in length and include at least one uppercase letter, one number, and one special character. The password must not contain a $ , &, >, <, ;, ', or ". If the password does not meet these requirements, the deployment fails.
Configure a Branch Provisioning Template and copy the Branch Provisioning URL.
Download the Branch Connector OVA image file for VMware ESXi from the Branch Connector Images page.
Branch Connector uses an API key to authenticate and register the VM with Zscaler. If you do not already have an API key, generate a new key. Then copy the API key from the API Key Management page.
The VM requires VMware vSphere Hypervisor (ESXi) version 7.0 or later, or the minimum version stated by Broadcom.

Review the Branch Connector specifications and sizing requirements.
- Small VM: requires 4 GB of memory, two CPU cores, 128 GB data disk size, and two network interface cards (NICs)
- Medium VM: requires 8 GB of memory, 4 CPU cores, 128 GB data disk size, and 4 NICs
Close
Review the virtual machine specifications for Branch Connector deployed in high availability.
- The Promiscuous mode option must be enabled (i.e., set to Accept) on the vSphere switch (vSwitch) or at the port group level. Branch Connector uses the Common Address Redundancy Protocol (CARP) to process traffic across multiple Branch Connector instances. To support this, you must enable promiscuous mode on your service interface.
- The MAC address changes option must be enabled on the vSwitch or port group.
- The Forged transmits option must be enabled on the vSwitch or port group.
- Branch Connectors often share the vSwitch with other corporate VMs, and settings you apply on the vSwitch level are applied to all VMs on the vSwitch. When promiscuous mode is enabled, other VMs might be able to detect traffic going through the service interface. To avoid this risk, Zscaler recommends that you create and use a port group for your Branch Connector service interfaces.
- If multiple physical ports exist on the same vSwitch, then the Net.ReversePathFwdCheckPromisc advanced option must be enabled (i.e., set to 1) on the ESXi host. If it is not enabled, then multicast traffic loops back to the host, causing CARP not to function properly, and link states coalesced messages are sent. To learn more, refer to the VMware documentation.
Close

Creating and Applying User Data

You must create user data information for your Branch Connector VM. For VMware vCenter, user data information is provided during the OVA file import process. For VMware vSphere Hypervisor (ESXi), you must apply the user data information to the VM. This information can either be applied to the VM with an ISO file that you mount via a virtual CD-ROM drive or applied manually to the /etc/cloud/cloud.cfg.d/ directory. For both methods, you must create a text file containing the user data.

Create your user data in a text file named userdata.cfg using one of the following templates, formatted in YAML:

Branch Connector with Management DHCP Template

ZSCALER:
  cc_url: <CC_URL>
  http_probe_port: 50035 #Optional to change the port for load balancer status checks from the default value 50001 to 50035.
  api_key: <API Key>
  password: <Admin Password>
  username: <Admin Username>
network: 
  config:
  - name: vmx0 #For the VMXNet3 driver (required)
    type: physical
    subnets:
    - type: dhcp 
version: '1'
#ssh keys are optional
ssh_authorized_keys: 
  - ssh-rsa <Key>

Example user data with default HTTP probe port and no SSH key

ZSCALER:
  cc_url: connector.zscaler.net/api/v1/provUrl?name=DemoBC
  api_key: adfads2sd
  password: demopass
  username: bac-demoadmin@12345689.zscaler.net
network: 
  config:
  - name: vmx0
    type: physical
    subnets:
    - type: dhcp 
  version: '1'

Example user data with non-default HTTP probe port and SSH key

ZSCALER:
  cc_url: connector.zscaler.net/api/v1/provUrl?name=DemoBC
  http_probe_port: 50035
  api_key: adfads2sd
  password: demopass
  username: bac-demoadmin@12345689.zscaler.net
network: 
  config:
  - name: vmx0
    type: physical
    subnets:
    - type: dhcp 
  version: '1'
ssh_authorized_keys: 
  - ssh-rsa ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCh3ru9CCnEow69WlQyJuxvZJGHcjhcgJzp8XnoKTJk6o1bit+rq4BNyjS0orauMF6fNMHAyGZqDWw6RICvoeh386xNqnD7+AGE9VGz4cPv0CjoV2HvkKnA2Dj8KZFFJ/bBV0BndNdGATsbDnhq0wkJ+WXFmamb9kx4dSDL5ZD15SybFop0b/3JoqXoU+9pxFc0bQ/cediaifCztliI9i7NAmvIUinLy2OlDW/uPEcB8nBgXhAAc9ALe6+Q4wZt8JUdrcF04bgoAHYsNuzyEk4dNvov97JyExCAwzSLomiHFtdzhGw7/o6KhfhxxBRodKy4wQBwDzPbD6EbN9iCqoK8DY4HZ2L7HyQKRjhnnY/Y0uldO0tleogElbk+4LsoyAPjPAbogu89xSOa6D7sl2G+dPpqTlFBmO/3m/2JhBnGU= admin@branchpc

Branch Connector with Static Management IP Template

ZSCALER:
  cc_url: <CC_URL>
  http_probe_port: 50035 #Optional to change the port for load balancer status checks from the default value 50001 to 50035.
  api_key: <API Key>
  password: <Admin Password>
  username: <Admin Username>
network: 
  config:
  - name: vmx0
    type: physical
    subnets:
    - address: <IP Address/Netmask>
      gateway: <Gateway>
      type: static
  - type: nameserver
    address: 
    - <IP Address>
    - <IP Address>
    search:
    - zscaler.net
  version: '1'
#ssh keys are optional 
ssh_authorized_keys:  
- ssh-rsa <Key>

Example user data with default HTTP probe port and no SSH key

ZSCALER:
  cc_url: connector.zscaler.net/api/v1/provUrl?name=DemoBC
  api_key: adfads2sd
  password: demopass
  username: bac-demoadmin@12345689.zscaler.net
network: 
  config:
  - name: vmx0
    type: physical
    subnets:
    - address: 10.66.118.71/24
      gateway: 10.66.118.254

      type: static
  - type: nameserver
    address:
    - 8.8.8.8
    - 8.8.4.4
    search:
    - zscaler.net
  version: '1'

Example user data with non-default HTTP probe port and SSH key

ZSCALER:
  cc_url: connector.zscaler.net/api/v1/provUrl?name=DemoBC
  http_probe_port: 50035
  api_key: adfads2sd
  password: demopass
  username: bac-demoadmin@12345689.zscaler.net
network: 
  config:
  - name: vmx0
    type: physical
    subnets:
    - address: 10.66.118.71/24
      gateway: 10.66.118.254

      type: static
  - type: nameserver
    address:
    - 8.8.8.8
    - 8.8.4.4
    search:
    - zscaler.net
  version: '1'
ssh_authorized_keys:  
  - ssh-rsa ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCh3ru9CCnEow69WlQyJuxvZJGHcjhcgJzp8XnoKTJk6o1bit+rq4BNyjS0orauMF6fNMHAyGZqDWw6RICvoeh386xNqnD7+AGE9VGz4cPv0CjoV2HvkKnA2Dj8KZFFJ/bBV0BndNdGATsbDnhq0wkJ+WXFmamb9kx4dSDL5ZD15SybFop0b/3JoqXoU+9pxFc0bQ/cediaifCztliI9i7NAmvIUinLy2OlDW/uPEcB8nBgXhAAc9ALe6+Q4wZt8JUdrcF04bgoAHYsNuzyEk4dNvov97JyExCAwzSLomiHFtdzhGw7/o6KhfhxxBRodKy4wQBwDzPbD6EbN9iCqoK8DY4HZ2L7HyQKRjhnnY/Y0uldO0tleogElbk+4LsoyAPjPAbogu89xSOa6D7sl2G+dPpqTlFBmO/3m/2JhBnGU= admin@branchpc

Apply your user data to the VM in one of the following ways:
- ISO Method
  1. Apply the user data to the VM as an ISO image:
    On Centos, install the genisoimage:
    sudo yum install genisoimage
    On Ubuntu, install the genisoimage:
    sudo apt install genisoimage
  2. Configure the required user data.
    The user data file must be named user-data.
    zuser@hostname:~$ mkdir isodir zuser@hostname:~$ cat > isodir/user-data <<EOF #cloud-config <TEXT FROM TEXT FILE> EOF user@hostname:~genisoimage -o user-data.iso -r isodir/user-data
    You attach the ISO to your Branch Connector VM in the Deploying on VMware vSphere Hypervisor (ESXi) procedure.
  Close
- Manual Method
  You apply your user data at the end of the Deploying on VMware vSphere Hypervisor (ESXi) procedure.
  Close

Deploying the Branch Connector

Perform one of the following procedures to deploy your Branch Connector.

Deploying on VMware vCenter
After you have met all the prerequisites, perform the following steps to deploy your Branch Connector on VMware vCenter:
1. Log in to the vCenter Server with the vSphere Client.
2. Locate the VMware host on which you want to deploy the Branch Connector, then right-click and select Deploy OVF Template.
See image.
Close
1. On the Select an OVF template page, select Local file. Then, upload the Branch Connector OVA image file that you previously downloaded from the Branch Connector Images page. Then, click Next.
See image.
Close
1. On the Select a name and folder page, enter a unique name and select a target location for the VM. Then, click Next.
See image.
Close
1. On the Select a compute resource page, select the destination compute resource. Then, click Next.
See image.
Close
1. On the Review details page, verify the template details. Then, click Next.
See image.
Close
1. On the Configuration page, select a deployment configuration for the Branch Connector. Then, click Next.
See image.
Close
1. On the Select storage page, select the storage for the configuration and disk files. Then, click Next.
See image.
Close
1. On the Select networks page, select a destination network for each source network. Then, click Next.
See image.
Close
1. On the Customize template page, configure the following Branch Connector deployment properties:
  - Provisioning Template URL: Enter the Branch Connector Provisioning URL.
  - API Key: Enter the API Key from the API Key Management page.
  - username: Enter the username created for the Branch Connector deployment role in the Zscaler Cloud & Branch Connector Admin Portal.
  - password: Enter the password for the Branch Connector deployment role in the Zscaler Cloud & Branch Connector Admin Portal.
  - Management Interface IP Address: Enter the IP address for the management interface.
  - Management Interface Subnet Mask: Enter the subnet mask for the management interface.
  - Management Interface Default Gateway: Enter the default gateway for the management interface.
  - Domain: Enter the domain suffix.
  - DNS Information: Enter the primary and secondary DNS servers that the Branch Connector should use for DNS resolution.
  - ssh login public key: Enter the SSH public key for logging in without a password.
2. On the Ready to complete page, review all of your configurations. Then, click Finish to deploy.
To avoid any time sync issues, Zscaler recommends enabling the Synchronize guest time with host option after deploying Branch Connector. To learn more, see the VMware product documentation.
Close
Deploying on VMware vSphere Hypervisor (ESXi)
After you have met all the prerequisites, created user data, and applied user data to the VM (if you used the ISO method), perform the following steps to deploy your Branch Connector on vSphere Hypervisor (ESXi):
1. Log in to the vSphere Hypervisor (ESXi) Server with the vSphere Client.
2. Locate the VMware host on which you want to deploy the Branch Connector and click Create/Register VM.
See image.
Close
The New virtual machine window appears.
1. On the Select creation type page, select Deploy a virtual machine from an OVF or OVA file. Then, click Next.
See image.
Close
1. On the Select OVF and VMDK files page, enter a unique name for the VM and upload the Branch Connector OVA image file you previously downloaded from the Branch Connector Images page. Then, click Next.
See image.
Close
1. On the Select storage page, select Standard as the storage type and select the datastore for the VM's configuration files. Then, click Next.
See image.
Close
1. On the Deployment options page, select the Network mappings, Deployment type, and Disk provisioning. Ensure that the Power on automatically option is disabled. Then, click Next.
See image.
Close
1. On the Additional Settings page, skip the additional properties for the VM, because values you enter on this page will not be configured. Click Next.
See image.
Close
1. On the Ready to complete page, review all of your configurations. Then, click Finish.
See image.
Close
1. After the VM has fully deployed, locate the VM and click Edit.
See image.
Close
The Edit settings window appears.
1. If you applied user data to the VM using the ISO Method:
  1. In the Edit settings window, select Virtual Hardware. From the CD/DVD Drive 1 drop-down menu, select Datastore ISO file.
    See image.
    Close
  2. In the Datastore browser window that opens, click Upload to upload the user-data.iso file created in the ISO Method procedure. Then, click Select.
    See image.
    Close
  3. Select the Connect and Connect at power on checkboxes. Then, click Save.
    See image.
    Close
  4. Locate the deployed Branch Connector under Virtual Machines and click Power on.
    See image.
    Close
2. If you are using the Manual Method to apply user data to the VM:
  1. In the VM console, create a new userdata.cfg file:
    zsroot@zscaler_node : ~ > sudo ee /etc/cloud/cloud.cfg.d/userdata.cfg
  2. Paste in the contents of your user data file.
  3. Press ESC to exit the editor.
  4. Press a to leave the editor.
  5. Press a to save the file.
  6. Reboot the VM:
    zsroot@zscaler_node : ~ > sudo reboot
To avoid any time sync issues, Zscaler recommends enabling the Synchronize guest time with host option after deploying Branch Connector. To learn more, refer to the VMware product documentation.
Close

Managing the Branch Connector

After your VM is fully deployed, you can manage the Branch Connector VM from the Admin Portal. A deployed VM is displayed in the dashboard. The Cloud & Branch Connector Monitoring page provides information on the name, group, location, geolocation, and status of your VMs deployed in your branch account.

After verifying deployment, you can configure the following policies: