You can configure an IPSec VPN tunnel between the gateway of your corporate network and a Zscaler Enforcement Node (ZEN). Zscaler recommends configuring two separate VPNs to two different ZENs for high availability. If the primary IPSec VPN tunnel or if an intermediate connection goes down, all traffic is then rerouted through the backup IPSec VPN tunnel to the backup ZEN.
Zscaler IPSec tunnels support a limit of 200 Mbps for each public source IP address. If your organization wants to forward more than 200 Mbps of traffic, Zscaler recommends configuring more IPSec VPN tunnels with different public source IP addresses. For example, if your organization forwards 400 Mbps of traffic, you can configure two primary VPN tunnels and two backup VPN tunnels. If your organization forwards 600 Mbps of traffic, you can configure three primary VPN tunnels and three backup VPN tunnels.
Ensure that you have the following information for each tunnel:
To configure an IPSec VPN to a ZEN:
To learn more, see the Interoperability List.
Zscaler recommends to always send traffic from a router and not a firewall.
Zscaler currently doesn't recommend forwarding traffic from Check Point (GAIA version 77.20) because Check Point doesn't support:
Also be aware that NAT-T encapsulation mode is not supported with Check Point and this setting has to be disabled.
To disable this setting: