Zscaler's China Premium Internet Access feature provides fast and secure internet access for users residing in mainland China. The feature enables users to access international sites or applications such as Salesforce, Office 365, etc. If you are looking for China Premium Service for Zscaler Private Access (ZPA), see Managing ZPA Use in China.

Premium Services

The following premium services are available for organizations whose users work from mainland China and are required to access international sites:

• China Premium

  The China Premium service uses Private Service Edge hosted at a partner site within China, which has a premium Chinese internet service provider (ISP) with access to both the domestic internet in China and premium access to international websites and Software as a Service (SaaS) applications. This service allows you to break and inspect traffic within China, and use the partner premium fabric for any destination (domestic or international). There is no traffic forwarding limitation with this service. With this service, you can establish Internet Protocol Security (IPSec) or Generic Routing Encapsulation (GRE) tunnels from any endpoint to a Private Service Edge managed by Zscaler partners in China. You can use this service similar to a public Zscaler data center (DC).

  

  Zscaler manages the partner premium fabric.

  The key benefits of this solution are:

  • Shared premium bandwidth
  • Multiple ingress tunnels are possible (GRE/IPSec)
  • Z-Tunnel 1.0
  • Z-Tunnel 2.0 (any traffic, any port)
  • No traffic split is required at the branch offices
  • You can break and inspect traffic within China
  • Access to domestic and international traffic
  • International traffic is routed via the China Great Firewall (GFW)
  • Compliant with the regulations in China and SLA
  • Backup is available. To enable it, contact Zscaler Support.

  Enabling the Service

  To enable the service for your organization, you must:

  1. Purchase this service and have Zscaler provision it.
  2. Limit the bandwidth at the source or use the Zscaler bandwidth controls to limit traffic.

  Provisioning the Service

  To provision the service for your organization:

  1. Open a Zscaler Support ticket to provide the source tunnel IP to the China POP for GRE.

     Zscaler associates the virtual IP (VIP) with the service and makes the required changes to the ZIA Public Service Edge within 48 hours.

  2. Set the bandwidth limit for the IPSec/GRE tunnel to avoid exceeding the bandwidth purchased for the service.

     You can view the bandwidth purchased in the purchase order.

  3. After your organization is provisioned, set up the tunnel to the VIP.
  4. Work with Zscaler Support to forward traffic and ensure that the traffic is flowing.

  China Premium Backup

  Zscaler allows you to send your traffic to an alternate site (secondary DC) within China as a redundancy to your primary DC. You can access DCs in Beijing and Shanghai and use either one as your primary DC, based on your users' location. You can also request for either of the DCs to be assigned. Zscaler reviews the situation and assigns an appropriate DC. If the primary DC (e.g., Beijing) fails, the traffic is forwarded to the secondary DC (e.g., Shanghai). You must ensure that you do not exceed the bandwidth purchased for the China Premium service. For example, if you require 100 Mbps bandwidth in Beijing, then the overall bandwidth for Shanghai and Beijing shouldn't exceed 100 Mbps.

  • You can purchase backup bandwidth only if you have China Premium service. If you require China Premium Backup, Contact Zscaler Support.
  • Be sure to tell the Zscaler Account team how you want to split the bandwidth between Beijing and Shanghai, or tell them the distribution of users close to Beijing and Shanghai.

  When you configure and deploy the backup solution, you must:

  • Define the primary and secondary DCs in the GRE/IPSec tunnel configuration (e.g., for offices in Beijing, when you forward the traffic to Zscaler Private Service Edge in Beijing, then define it as the primary DC and Shanghai as the secondary DC in the GRE/IPSec tunnel configuration).
  • Define the subcloud for both the Beijing and Shanghai DCs in the PAC file for remote users, so based on the users' location they are connected to the closest DC.

  Close
• China Premium Plus

  The China Premium Plus service uses Private Service Edge hosted at a partner site within China, which has a premium Chinese ISP with access to both the domestic internet in China and a dedicated link to international websites and SaaS applications. This service allows you to break and inspect traffic within China, and use the partner premium fabric for any destination (domestic or international). There is no traffic forwarding limitation with this service. This service is best suited for organizations with the highest bandwidth and user counts. You can use this service similar to a public Zscaler DC.

  

  Zscaler manages the partner premium fabric.

  The benefits of China Premium Access Plus are:

  • Dedicated international bandwidth
  • Bandwidth control option
  • Ability to have multiple ingress tunnels (GRE/IPSec)
  • Z-Tunnel 1.0
  • Z-Tunnel 2.0 (any traffic, any port)
  • No traffic split is required at the branch offices
  • Break and inspect traffic within China
  • Access to domestic and international traffic
  • Compliant with the regulations in China and SLA
  • (Optional) Support for content filtering
  • Backup is available. To enable it, contact Zscaler Support.

  Enabling the Service

  To enable the service for your organization, you must:

  1. Purchase this service and have Zscaler provision it.
  2. Limit the bandwidth at the source or use the Zscaler bandwidth controls to limit traffic.

  Provisioning the Service

  To provision the service for your organization:

  1. Open a Zscaler Support ticket to provide the source tunnel IP to the China POP for GRE.

     Zscaler associates the VIP with the service and makes the required changes to the ZIA Public Service Edge within 48 hours.

  2. Set the bandwidth limit for the IPSec/GRE tunnel to avoid exceeding the bandwidth purchased for the service.

     You can view the bandwidth purchased in the purchase order.

  3. After your organization is provisioned, set up the tunnel to the VIP.
  4. Work with Zscaler Support to forward traffic and ensure that the traffic is flowing.

  China Premium Plus Backup

  Zscaler allows you to send your traffic to an alternate site (secondary DC) within China as a redundancy to your primary DC. You can access DCs in Beijing and Shanghai and use either one as your primary DC, based on your users' location. You can also request for either of the DCs to be assigned. Zscaler reviews the situation and assigns an appropriate DC. If the primary DC (e.g., Beijing) fails, the traffic is forwarded to the secondary DC (e.g., Shanghai). You must ensure that you do not exceed the bandwidth purchased for the China Premium Plus service. For example, if you require 100 Mbps bandwidth in Beijing, then the overall bandwidth for Shanghai and Beijing shouldn't exceed 100 Mbps.

  • You can purchase backup bandwidth only if you have China Premium Plus service. If you require China Premium Plus Backup, contact Zscaler Support.
  • Be sure to tell the Zscaler Account team how you want to split the bandwidth between Beijing and Shanghai, or tell them the distribution of users close to Beijing and Shanghai.

  When you configure and deploy the backup solution, you must:

  • Define the primary and secondary DCs in the GRE/IPSec tunnel configuration (e.g., for offices in Beijing, when you forward the traffic to Zscaler Private Service Edge in Beijing, then define it as the primary DC and Shanghai as the secondary DC in the GRE/IPSec tunnel configuration).
  • Define the subcloud for both the Beijing and Shanghai DCs in the PAC file for remote users, so based on the users' location they are connected to the closest DC.

  Close

To learn more about ZIA in China, see Deploying Zscaler Internet Access in China.

To access websites with DNS issues, you must forward DNS traffic to Zscaler. If the issue has been identified as DNS poisoning, Zscaler needs time to change the policy. Contact Zscaler Support for any DNS change. It takes a maximum of three days for the changes to be made.