As an Enterprise/Partner customer, perform the following steps to configure your respective Edges to forward traffic to the SD-WAN Gateways using the pre-established GRE tunnel (cloud-to-cloud-interconnect (CCI)) to reach the Zscaler network.

Procedure

  1. Log in to the SD-WAN Orchestrator as an Enterprise/Partner customer.
  2. Configure Zscaler Cloud Subscription and API credentials.
    1. In the Enterprise portal, click Manage Customers and select a customer.
    2. Go to Configure > Network Services.
    3. On the Services page, go to the Cloud Subscriptions area and click New. The Configure Cloud Subscription dialog box appears.
    4. From the Subscription Type drop-down menu, select Zscaler Subscription.
    5. In the Subscription Name box, enter a name for the cloud subscription.
    6. From the Zscaler Cloud drop-down menu, select the Zscaler cloud.
    7. Enter the Partner Admin username, password, API key and Domain provisioned for the “zsdevel.net” cloud.
    8. Click Validate Subscription to validate the cloud subscription details.
    9. Click Save Changes.
  3. Enable the Zscaler MT-GRE feature for the selected Edge.
    Note: Currently, the troubleshooting of the MT-GRE feature is supported only at the Edge level.
    1. Click Edges > Device.
    2. Go to the Zscaler area and turn on the Zscaler toggle button.
    3. Select your Zscaler cloud subscription from the Cloud Subscription drop-down menu. Once you select the cloud subscription, the cloud name gets populated automatically.
    4. Select the MT-GRE checkbox and click Save Changes.
      Once MT-GRE is enabled for the selected Edge, the Zscaler location and VPN credentials are automatically configured for the MT-GRE tunnel.
  4. Create a Business policy rule to route the traffic to the desired destination. For example, to route all Internet-bound traffic to the Edge through the Gateway and from the Gateway to the MT-GRE tunnels (cloud-to-cloud-interconnect (CCI) tunnels) to Zscaler, configure the business policy rule as follows.
    • The MT-GRE CCI tunnel automation feature is not supported for CDE segments. Do not create a CCI business policy for a CDE segment.
    • The MT-GRE CCI tunnel automation feature is supported only for IPv4, not for IPv6.
  5. The MT-GRE routes from the CCI Gateways are not advertised to the Edges associated with the Customer until the CCI Gateways are rebalanced. You must therefore explicitly configure “Rebalance Gateways” at the Enterprise level or at the Edge level.
  6. You can view the Edge actions that are carried out to steer traffic via CCI tunnels on the Enterprise/Partner Events page.
  7. Deselecting the MT-GRE checkbox on the Edge Device settings page will delete the routes to the Edge.
    Note: On the Edge Device settings page, deactivating the Zscaler button will result in no operation.