Choosing Traffic Forwarding Methods

Zscaler recommends that organizations use a combination of tunneling, PAC files, Surrogate IP, and Zscaler App to forward traffic to the Zscaler service. If your organization has an internal router or switch that supports GRE and its egress port has a static address, Zscaler recommends that you configure a GRE tunnel to forward all outbound traffic from your location to the Zscaler service. If your router does not support GRE or if you use dynamic IP addresses, you can use an IPsec VPN tunnel instead. Note that IPsec tunnels have additional processing overhead on your equipment, compared to GRE tunnels. Zscaler also recommends that organizations deploy mechanisms such as IP SLA to monitor tunnel health and enable fast failover. In addition to the GRE or IPsec VPN tunnel, Zscaler recommends that you install a PAC file for each user to ensure coverage outside the corporate network.

This section describes the supported traffic forwarding mechanisms, including their benefits and requirements. Your organization can use one or a combination of methods, depending on your environment. The following table lists the recommended traffic forwarding mechanisms: GRE tunnels, IPsec VPN tunnels, and PAC files.

GRE Tunnel

Zscaler recommends that you configure two GRE tunnels from an internal router behind the firewall to the ZENs: a primary tunnel to a ZEN in one data center, and a secondary tunnel to a ZEN in another data center. These deployments provide visibility into internal IP addresses, which can be used for security policies and logging.

Benefits
  • Supports both HTTP and HTTPS traffic.
  • Supports failover in case the primary ZEN becomes unavailable.
  • Minimal overhead.
  • No configuration on computers or laptops.
  • Users on your corporate network cannot bypass the service.
  • Tunneling can provide internal IP address information to Zscaler for use in policy design and logging.
Requirements
  • Your organization’s perimeter edge router must support GRE and its egress port must have a static IP address.
  • Zscaler recommends that you install a PAC file for each user to ensure coverage outside the corporate network.

IPsec VPN Tunnel

Zscaler recommends that you configure two IPsec tunnels from an internal router behind the firewall to the ZENs: a primary tunnel to a ZEN in one data center, and a secondary tunnel to a ZEN in another data center. These deployments provide visibility into internal IP addresses, which can be used for security policies and logging.

Benefits
  • Supports both HTTP and HTTPS traffic.
  • Supports failover if the primary ZEN becomes unavailable.
  • No configuration on computers or laptops.
  • Users on your corporate network cannot bypass the service.
  • Tunneling can provide internal IP address information to Zscaler for use in policy design and logging.
  • Supports locations with dynamic IP addresses.
Requirements
  • Not all vendors provide a VPN failover mechanism to provide resilience.
  • Zscaler recommends that you install a PAC file for each user to ensure coverage outside the corporate network.

PAC Files

A PAC (Proxy Auto-Configuration) file directs the browser to forward traffic to a ZEN.

Benefits
  • All major browsers support PAC files.
  • Supports both HTTP and HTTPS traffic.
  • Users on and off the corporate network are protected by the service.
  • Microsoft Internet Explorer PAC settings can be enforced organization-wide using Microsoft Active Directory Group Policies (GPO).
Requirements
  • Ensure that users do not have admin rights so they cannot circumvent the service by installing a nonstandard browser.
  • Users can have local admin rights, but require network admin rights to change the PAC file.
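The following PAC file is an added example, not Zscaler's own PAC file. It shows the behaviour the table describes: the browser sends web traffic to a primary ZEN and fails over to a secondary ZEN, while loopback, single-label names, an internal domain and the private address ranges stay direct. The ZEN hostnames and ports (`zen-primary.example.invalid:80`, `zen-secondary.example.invalid:80`) and the internal domain (`.corp.example.invalid`) are placeholders. Browsers supply `isPlainHostName`, `dnsDomainIs` and `isInNet` inside the PAC sandbox; the guarded block at the top installs minimal stand-ins only when those helpers are absent, so the same file can be unit-tested in Node without changing how it runs in a browser.

```javascript
// Added example, not Zscaler's PAC file: a Proxy Auto-Configuration script
// that sends web traffic to a primary ZEN and fails over to a secondary ZEN,
// while internal destinations stay direct. ZEN hostnames, ports and the
// internal domain are placeholders you would replace with your own values.

var PRIMARY_ZEN = "PROXY zen-primary.example.invalid:80";      // placeholder
var SECONDARY_ZEN = "PROXY zen-secondary.example.invalid:80";  // placeholder
var INTERNAL_DOMAIN = ".corp.example.invalid";                  // placeholder
var IPV4_LITERAL = /^\d{1,3}(\.\d{1,3}){3}$/;

// Browsers provide isPlainHostName, dnsDomainIs and isInNet inside the PAC
// sandbox. When this file is loaded outside a browser (for example in Node
// to unit-test the rules) they are missing, so install minimal stand-ins.
if (typeof isPlainHostName === "undefined") {
  globalThis.isPlainHostName = function (host) {
    return host.indexOf(".") === -1;
  };
  globalThis.dnsDomainIs = function (host, domain) {
    return host.length >= domain.length &&
      host.substring(host.length - domain.length) === domain;
  };
  globalThis.isInNet = function (ip, net, mask) {
    // Stand-in handles dotted-quad literals only; the browser version also
    // resolves hostnames, which is why the PAC checks IPV4_LITERAL first.
    function toInt(s) {
      var parts = s.split(".");
      if (parts.length !== 4) return null;
      var n = 0;
      for (var i = 0; i < 4; i++) {
        var octet = parseInt(parts[i], 10);
        if (isNaN(octet) || octet < 0 || octet > 255) return null;
        n = n * 256 + octet;
      }
      return n;
    }
    var a = toInt(ip), b = toInt(net), m = toInt(mask);
    if (a === null || b === null || m === null) return false;
    return ((a & m) >>> 0) === ((b & m) >>> 0);
  };
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();

  // Loopback and single-label names never leave the machine or the LAN.
  if (isPlainHostName(host) || host === "localhost" || host === "127.0.0.1") {
    return "DIRECT";
  }
  // Internal corporate services are reached directly, not through the ZEN.
  if (dnsDomainIs(host, INTERNAL_DOMAIN)) {
    return "DIRECT";
  }
  // Test only numeric hosts against the private ranges: calling isInNet on a
  // hostname makes the browser resolve it, adding a DNS lookup to every request.
  if (IPV4_LITERAL.test(host) &&
      (isInNet(host, "10.0.0.0", "255.0.0.0") ||
       isInNet(host, "172.16.0.0", "255.240.0.0") ||
       isInNet(host, "192.168.0.0", "255.255.0.0"))) {
    return "DIRECT";
  }
  // Everything else goes to the service. The browser tries the entries from
  // left to right, so the secondary ZEN is used only when the primary is
  // unreachable. No trailing "; DIRECT" is listed on purpose: if both ZENs
  // are down the request fails rather than silently bypassing the service.
  return PRIMARY_ZEN + "; " + SECONDARY_ZEN;
}
```

The choice to omit a final `DIRECT` entry is the fail-closed behaviour that keeps users from bypassing the service when no ZEN answers; if availability matters more than enforcement for a given deployment, appending `; DIRECT` is the conscious fail-open alternative. The requirement above that users cannot change the PAC file applies to this file as a whole: anyone who can edit it can add bypass rules.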

The following table lists the traffic forwarding mechanism that you can use to quickly start using the Zscaler service for evaluation purposes: Proxy Chaining. Zscaler does not support this mechanism for production environments.

Proxy Chaining

Configure your proxy server to forward traffic to a ZEN.

Benefits
  • Easy to set up.
  • Multiple rules offer full redundancy.
  • Supported by every major web proxy.
  • Users on your corporate network cannot bypass the service.
  • If available, ‘X-Forwarded-For’ headers can be used to provide internal IP addresses to Zscaler.
Requirements
  • Users off the corporate network must use another method, such as PAC files, to forward traffic to the service.
  • The latency of the proxy server will affect the traffic forwarding latency.
  • If the proxy server also performs caching, downstream authentication could be an issue.
  • If the local proxy has a cache, it could affect policy enforcement and reporting.
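The ‘X-Forwarded-For’ point above has a catch that a local proxy must handle: the header is plain request text, so a user can write one before the request reaches the proxy. The example below is added here and is not Zscaler's or any proxy vendor's code. It shows how a local proxy that chains to an upstream service should set X-Forwarded-For from the peer address it actually observed, discarding any client-written value and extending an existing chain only when the request came from another proxy the organization operates, and how a receiver that honors the header walks the chain to find the originating client. The addresses, header values and the trusted-proxy set are constructed sample values.

```javascript
// Added example, not Zscaler's or any proxy vendor's code: how a local web
// proxy in a proxy-chaining setup should populate X-Forwarded-For, and how a
// receiver that honors the header picks out the client address. All
// addresses and the trusted-proxy set below are constructed sample values.

// Headers the local proxy sends upstream for one client request. peerIp is
// the TCP peer address observed on the accepted connection, never a value
// read from a header. trustedProxies holds the addresses of proxies we run.
function headersForUpstream(peerIp, incomingHeaders, trustedProxies) {
  const out = {};
  let existing = null;
  for (const [name, value] of Object.entries(incomingHeaders)) {
    const lower = name.toLowerCase();
    if (lower === "x-forwarded-for") {
      existing = value;   // remembered, but only used if the peer is trusted
      continue;
    }
    // Hop-by-hop and alternative forwarding headers are not passed along.
    if (lower === "forwarded" || lower === "proxy-connection" || lower === "connection") {
      continue;
    }
    out[lower] = value;
  }
  // A chain is extended only when it came from another proxy we operate.
  // Anything else starts fresh with the observed peer address: passing a
  // client-written X-Forwarded-For through would let a user make upstream
  // policy and logs attribute the request to any internal IP they choose.
  out["x-forwarded-for"] = (existing && trustedProxies.has(peerIp))
    ? existing + ", " + peerIp
    : peerIp;
  return out;
}

// On the receiving side: given the peer that delivered the request and its
// X-Forwarded-For value, return the address to treat as the client. Only a
// chain delivered by a trusted proxy is believed; the chain is walked from
// the right, skipping trusted hops, and the first untrusted hop is the client.
function originatingClient(peerIp, xffValue, trustedProxies) {
  if (!trustedProxies.has(peerIp)) {
    return peerIp;   // untrusted sender: its header carries no weight
  }
  const hops = (xffValue || "").split(",").map((s) => s.trim()).filter(Boolean);
  hops.push(peerIp);
  for (let i = hops.length - 1; i >= 0; i--) {
    if (!trustedProxies.has(hops[i])) {
      return hops[i];
    }
  }
  return hops[0];   // every hop was one of our proxies
}

// Constructed sample: our own downstream proxy sits at 10.0.0.5; a user at
// 10.1.2.3 sends a request that already carries a forged X-Forwarded-For.
const SAMPLE_TRUSTED = new Set(["10.0.0.5"]);
const sampleRequest = { Host: "www.example.com", "X-Forwarded-For": "10.99.99.99" };
const upstreamHeaders = headersForUpstream("10.1.2.3", sampleRequest, SAMPLE_TRUSTED);
console.log(upstreamHeaders["x-forwarded-for"]);   // 10.1.2.3, the forged value is discarded
console.log(originatingClient("10.0.0.5", upstreamHeaders["x-forwarded-for"], SAMPLE_TRUSTED));
```

The same rule applies at every hop: trust the header only from the proxy that is the direct peer and that you operate, and let the upstream service's own trust configuration decide whether it honors the chain you send. A cache in the local proxy, as the requirements note, can still blur attribution, because a cached response never produces a forwarded request at all.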

The following table lists the traffic forwarding mechanism that you can use for your road warrior traffic or if your company has fewer than 1,000 users: Zscaler App. The Zscaler App is also used with Zscaler Private Access (ZPA).

Zscaler App

With Zscaler App's web security feature, you can protect your users' web traffic even when they are outside your corporate network. The app forwards user traffic to the Zscaler service and ensures that your organization's security and access policies are enforced wherever they may be accessing the Internet. With ZPA, you can enable your users to securely access enterprise applications from outside the corporate network. The ZPA service establishes secure transport for accessing your enterprise apps and services.

Benefits
  • Supports PC, Mac, iOS, Android, and virtual computing environments.
  • Supports all authentication mechanisms supported by the Zscaler service.
  • Provides device fingerprinting and reporting.
  • Easy to enforce.
  • Supports auto and managed updates.
  • Detects trusted networks and can disable its service automatically.
Requirements
  • An authentication mechanism installed and users provisioned on the Zscaler service.
    • If you are using the app for ZPA, your organization must use SAML authentication.
  • If you are using the app for Web Security, your firewall must be configured to allow the necessary connections.
  • The app currently supports Windows 7, 8, 8.1, and 10, and Mac OS X 10.10 and later.