This topic explains the Zscaler configuration and the steps to configure a Non SD-WAN Destination of type Zscaler in the SD-WAN Orchestrator.

Configure Zscaler

Complete the following steps on the Zscaler website:
  1. From the Zscaler website, create a Zscaler web security account.


  2. Set up your VPN Credentials:
    1. At the top of the Zscaler screen, hover over the Administration option to display the drop-down menu.
    2. Under Resources, click VPN Credentials.


    3. Click Add VPN Credentials, located at the top left corner.


    4. From the Add VPN Credential dialog box:
      1. Choose FQDN as the Authentication Type.
      2. Type the User ID and Pre-Shared Key (PSK). Take both values from the Non SD-WAN Destination's dialog box in the SD-WAN Orchestrator: the User ID is the Local Auth Id configured there and the PSK is the one shown there. Both must match exactly on the two sides, otherwise the tunnel does not come up.
      3. If necessary, type in any comments in the Comments section.


      4. Click Save.
  3. Assign a location:
    1. At the top of the Zscaler screen, hover over the Administration option to display the drop-down menu.
    2. Under Resources, click Locations.
    3. Click Add Location, located at the top left corner.
    4. In the Add Location dialog box: 
      1. Complete the text boxes in the Location area (Name, Country, State/Province, Time Zone).
      2. Choose None from the Public IP Addresses drop-down menu.
      3. In the VPN Credentials drop-down menu, select the credential you just created.
      4. Click Done.
      5. Click Save.
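The steps above are clicked through in the Zscaler Admin portal; a team managing many sites would script the same VPN credential and location through the ZIA cloud service API. The following Python is an added example, not part of the original page and not VMware's or Zscaler's own code. It assumes the ZIA API host, endpoint paths, field names and enumeration values as I understand them (authenticatedSession, vpnCredentials, locations, status/activate; credential type UFQDN; country and tz enumerations) and Zscaler's documented API-key obfuscation; check every one of these against the API reference for your Zscaler cloud before use. The username, password, API key, User FQDN and the sample country and time zone values are placeholders.

```python
import json
import secrets
import time
import urllib.request
from http.cookiejar import CookieJar

# Assumption: the ZIA API host for your cloud (zscaler.net, zscalerone.net, ...).
ZIA_BASE = "https://zsapi.zscaler.net/api/v1"


def obfuscate_api_key(api_key: str, now_ms: int) -> str:
    """Zscaler's documented API-key obfuscation for authenticatedSession.

    The 12-character key is indexed with the last six digits of the millisecond
    timestamp, then with those digits halved (shifted right by one) plus two.
    """
    n = str(now_ms)[-6:]
    r = str(int(n) >> 1).zfill(6)
    return ("".join(api_key[int(d)] for d in n)
            + "".join(api_key[int(d) + 2] for d in r))


def new_psk(nbytes: int = 32) -> str:
    """Random PSK with nbytes of entropy (urlsafe base64, so it pastes cleanly).

    Whichever side you type the PSK into, it must be identical on the SD-WAN
    Orchestrator and in the Zscaler VPN credential.
    """
    return secrets.token_urlsafe(nbytes)


def vpn_credential_payload(user_fqdn: str, psk: str, comments: str = "") -> dict:
    """Body for POST /vpnCredentials (assumed field names).

    The Orchestrator's Local Auth Id of type User FQDN must equal `fqdn` exactly;
    the portal's FQDN authentication type corresponds to the API type UFQDN.
    """
    if "@" not in user_fqdn:
        raise ValueError("User FQDN must be in email form, e.g. site1@example.com")
    if len(psk) < 16:
        raise ValueError("refusing a short PSK; generate one with new_psk()")
    body = {"type": "UFQDN", "fqdn": user_fqdn, "preSharedKey": psk}
    if comments:
        body["comments"] = comments
    return body


def location_payload(name: str, country: str, tz: str, credential_id: int) -> dict:
    """Body for POST /locations (assumed field names).

    No ipAddresses entry is sent, which corresponds to choosing None under
    Public IP Addresses in the portal: the location is identified by its tunnel.
    """
    return {"name": name, "country": country, "tz": tz,
            "vpnCredentials": [{"id": credential_id}]}


class ZiaSession:
    """Minimal cookie-carrying client for the ZIA API (assumed endpoints)."""

    def __init__(self, base: str, username: str, password: str, api_key: str):
        self.base = base.rstrip("/")
        self.opener = urllib.request.build_opener(
            urllib.request.HTTPCookieProcessor(CookieJar()))
        now_ms = int(time.time() * 1000)
        self._post("/authenticatedSession", {
            "apiKey": obfuscate_api_key(api_key, now_ms),
            "username": username, "password": password, "timestamp": str(now_ms)})

    def _post(self, path: str, body: dict) -> dict:
        req = urllib.request.Request(
            self.base + path, data=json.dumps(body).encode(),
            headers={"Content-Type": "application/json"}, method="POST")
        with self.opener.open(req, timeout=30) as resp:
            raw = resp.read()
        return json.loads(raw) if raw else {}

    def create_site(self, name: str, country: str, tz: str,
                    user_fqdn: str, psk: str) -> dict:
        cred = self._post("/vpnCredentials", vpn_credential_payload(user_fqdn, psk))
        loc = self._post("/locations", location_payload(name, country, tz, cred["id"]))
        self._post("/status/activate", {})   # ZIA changes are staged until activated
        return loc


if __name__ == "__main__":
    # Placeholders only; when run against a real cloud this performs real API calls.
    psk = new_psk()
    print("PSK to enter in the Orchestrator's Non SD-WAN Destination:", psk)
    session = ZiaSession(ZIA_BASE, "admin@example.com", "password", "ABCDEFGHIJKL")
    print(session.create_site("Branch-01", "UNITED_STATES",
                              "UNITED_STATES_AMERICA_LOS_ANGELES",
                              "branch01@example.com", psk))
```

The PSK is generated once here and then entered in the Orchestrator's PSK text box (the Orchestrator allows its generated PSK to be overridden), so that the same secret never has to be retyped from a screen; the `len(psk) < 16` guard is this example's own policy, not a Zscaler limit.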

Configure a Non SD-WAN Destination of Type Zscaler

Once you have created a Non SD-WAN Destination of type Zscaler, the SD-WAN Orchestrator redirects you to an additional configuration page. Configure the following tunnel settings, and then click Save Changes:

General
Name: You can edit the name entered earlier for the Non SD-WAN Destination.
Type: Displays the type as Zscaler. You cannot edit this option.
Enable Tunnel(s): Click the toggle button to initiate the tunnel(s) from the SD-WAN Gateway to the Zscaler VPN Gateway.
Tunnel Mode: Displays Active/Hot-Standby, indicating that if the Active tunnel goes down, the Hot-Standby tunnel takes over and becomes the Active tunnel.

Primary VPN Gateway
Public IP: Displays the IP address of the Primary VPN Gateway.
PSK: The Pre-Shared Key (PSK) authenticates the two ends of the tunnel. The SD-WAN Orchestrator generates a random PSK by default. If you want to use your own PSK, enter it in the text box. Whichever PSK is used here must be entered unchanged in the matching Zscaler VPN credential, and it should be long and randomly generated rather than a memorable password.
Redundant VMware Cloud VPN: Select the check box to add redundant tunnels for each VPN Gateway. Changes made to Encryption, DH Group, or PFS of the Primary VPN Gateway also apply to the redundant VPN tunnels, if configured.
Secondary VPN Gateway: Click Add, enter the IP address of the Secondary VPN Gateway, and click Save Changes. The Secondary VPN Gateway is created immediately for this site and a VMware VPN tunnel to it is provisioned.
Local Auth Id: The local authentication ID defines the format and the identity that the local gateway presents during IKE authentication. From the drop-down menu, choose one of the following types and enter a value:
  • FQDN - The Fully Qualified Domain Name or hostname. For example: vmware.com
  • User FQDN - The User Fully Qualified Domain Name in the form of an email address. For example: [email protected]
  • IPv4 - The IPv4 address used to communicate with the local gateway.
  • IPv6 - The IPv6 address used to communicate with the local gateway.
Note: For a Zscaler Non SD-WAN Destination, use FQDN or User FQDN as the local authentication ID; the value must match the User ID of the Zscaler VPN credential exactly.
Sample IKE / IPsec: Click to view the information needed to configure the Non SD-WAN Destination Gateway. The Gateway administrator should use this information to configure the Gateway VPN tunnel(s).
Location: Click Edit to set the location for the configured Non SD-WAN Destination. The latitude and longitude are used to determine the best Edge or Gateway to connect to in the network.

Zscaler Settings
Zscaler Login URL: To log in to the Zscaler portal from here, enter the login URL in the text box, and then click Login to Zscaler. This redirects you to the Zscaler Admin portal of the selected Zscaler cloud. The Login to Zscaler button is activated only after you have entered the Zscaler login URL. For more information, see Configure API Credentials.
L7 Health Check: Select the check box to activate the L7 health check for the Zscaler Cloud Security Service provider, with the default probe settings (HTTP probe interval = 5 seconds, number of retries = 3, RTT threshold = 3000 milliseconds). By default, L7 Health Check is deactivated.
Note: Changing the health check probe settings is not supported.

A Zscaler tunnel is established with the IPsec Encryption Algorithm set to NULL and the Authentication Algorithm set to SHA-256, irrespective of whether Customer Export Restriction is activated or deactivated. NULL encryption means the ESP tunnel between the SD-WAN Gateway and Zscaler provides integrity and origin authentication only: the inner packets travel in cleartext inside the ESP envelope, so any traffic that needs confidentiality on that path must already be protected at a higher layer, for example by TLS.