The cloud security service establishes a secure tunnel from an Edge to the cloud security service sites. This ensures secured traffic flow to the cloud security services.
Procedure
- In the Enterprise portal, click Configure > Network Services.
- In the Cloud Security Service section, click New.
- In the New Cloud Security Provider window, provide the required details to configure a new Cloud Security Provider.
  - Service Name: Enter a descriptive name for the cloud security service.
  - Service Type: Select one of the following:
    - Generic Cloud Security Service
    - Symantec Web Security Service
    - Zscaler Cloud Security Service
  - Primary Point-of-Presence/Server: Enter the IP address or hostname of the Primary server.
  - Secondary Point-of-Presence/Server: Enter the IP address or hostname of the Secondary server. This is optional.
  If you have selected Zscaler Cloud Security Service as the Service Type, you can configure additional settings such as the Zscaler Cloud and the Layer 7 (L7) Health Check details used to determine and monitor the health of the Zscaler server. You can also choose between manual and automated deployment by selecting the Automate Cloud Service Deployment checkbox.
  Note: Only IPsec automation from Edge to Zscaler is supported; GRE automation from Edge to Zscaler is not supported in the 4.3 release, but will be available in future releases.
  Note: In manual deployment, if you have selected Zscaler Cloud Security Service as the Service Type and plan to assign a GRE tunnel, enter only an IP address for the Primary and Secondary Server, not a hostname, because GRE does not support hostnames.
- Configure the following additional details if you choose to automate the cloud service deployment.
Note: The L7 Health Check feature tests HTTP reachability to the Zscaler backend server. When L7 Health Check is enabled, HTTP L7 probes are sent from the Edge to a Zscaler destination (for example, http://<zscaler cloud>/vpntest), which is Zscaler's backend server for the HTTP health check. This is an improvement over network-level keep-alives (GRE or IPsec), which only test network reachability to the frontend of a Zscaler server.
If an L7 response is not received after 3 successive retries, or if there is an HTTP error, the Primary Tunnel will be marked as 'Down' and the Edge will attempt to failover Zscaler traffic to the Standby Tunnel (if one is available). If the Edge successfully fails over Zscaler traffic to the Standby Tunnel, the Standby becomes the new Primary Tunnel.
In the unlikely event that the L7 Health Check marks both the Primary and Standby tunnels as 'Down', the Edge would route Zscaler traffic using a Conditional Backhaul policy (if such a policy has been configured).
The Edge only sends L7 probes over the Primary Tunnel towards the Primary Server, never over the Standby Tunnel.
  - Zscaler Cloud: Select a Zscaler cloud service from the drop-down menu, or enter the Zscaler cloud service name in the text box.
  - Partner Admin Username: Enter the provisioned username of the partner admin.
  - Partner Admin Password: Enter the provisioned password of the partner admin.
  - Partner Key: Enter the provisioned partner key.
  - Domain: Enter the domain name on which the cloud service will be deployed.
  - L7 Health Check: Select the checkbox to enable L7 Health Check for the Zscaler Cloud Security Service provider with the default probe details (HTTP Probe Interval = 5 seconds, Number of Retries = 3, RTT Threshold = 3000 milliseconds). By default, L7 Health Check is disabled. Note: Configuration of the health check probe details is not supported.
  - HTTP Probe Interval: The interval between individual HTTP probes. The default probe interval is 5 seconds.
  - Number of Retries: The number of probe retries allowed before the cloud service is marked as DOWN. The default value is 3.
  - RTT Threshold: The round-trip time (RTT) threshold, in milliseconds, used to calculate the cloud service status. The cloud service is marked as DOWN if the measured RTT is above the configured threshold. The default value is 3000 milliseconds.
  - Zscaler Login URL: Enter the login URL and then click Login to Zscaler. This redirects you to the Zscaler Admin portal of the selected Zscaler cloud. Note: The Login to Zscaler button is enabled only after you have entered the Zscaler login URL.
  Note: For a given Edge/Profile, the user cannot override the L7 Health Check parameters configured in the Network Service.
- Click Add.
- Repeat the above steps to configure more cloud security services.
Note: For more information about Zscaler CSS automation, see Zscaler and VMware SD-WAN Deployment Guide.
Note: For specific details on how Zscaler determines the best data center Virtual IP addresses (VIPs) to use for establishing IPsec VPN tunnels, see SD-WAN API Integration for IPSec VPN Tunnel Provisioning.
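The L7 Health Check behaviour described in the notes above (probes over the Primary Tunnel only, 3 successive failures or an RTT above 3000 ms mark it Down, failover to the Standby which then becomes the new Primary, Conditional Backhaul when both are Down), modelled as an added Python example that is not VMware or Zscaler code. It assumes a Standby is "available" if its network-level keep-alive is up, since L7 never probes it, and the "no-path" label for the case with no Conditional Backhaul policy is this example's own.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Defaults quoted on the page; the Network Service does not let you change them.
PROBE_INTERVAL_S = 5
NUM_RETRIES = 3
RTT_THRESHOLD_MS = 3000


@dataclass
class Tunnel:
    name: str
    consecutive_failures: int = 0
    up: bool = True


@dataclass
class L7HealthMonitor:
    primary: Tunnel
    standby: Optional[Tunnel] = None      # None = no Standby Tunnel available
    conditional_backhaul: bool = False    # True = a Conditional Backhaul policy exists
    events: List[str] = field(default_factory=list)

    def active_path(self) -> str:
        """Where Zscaler-bound traffic is sent right now."""
        if self.primary.up:
            return self.primary.name
        # Both tunnels Down: Conditional Backhaul if configured. The 'no-path' label
        # for the unconfigured case is this example's assumption, not the product's.
        return "conditional-backhaul" if self.conditional_backhaul else "no-path"

    def probe(self, rtt_ms: Optional[int]) -> str:
        """Apply one HTTP L7 probe result (Primary Tunnel only); None = HTTP error/no reply."""
        t = self.primary
        if t.up:
            if rtt_ms is None or rtt_ms > RTT_THRESHOLD_MS:
                t.consecutive_failures += 1
                if t.consecutive_failures >= NUM_RETRIES:
                    t.up = False
                    self.events.append(f"{t.name} marked DOWN")
                    self._failover()
            else:
                t.consecutive_failures = 0  # only *successive* failures count
        return self.active_path()

    def _failover(self) -> None:
        if self.standby is not None and self.standby.up:
            self.events.append(f"failover to {self.standby.name}")
            self.primary, self.standby = self.standby, None  # Standby is the new Primary
```

With the defaults, a dead Primary is declared Down after NUM_RETRIES * PROBE_INTERVAL_S = 15 seconds of probing.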
What to do next
- Associate the cloud security service with a profile. See Configure Cloud Security Services for Profiles.