To create and configure a Non SD-WAN Destination of type Zscaler, perform the following steps:

  1. From the navigation panel in the SASE Orchestrator, go to Configure > Network Services. The Services screen appears.
  2. In the Non SD-WAN Destinations via Gateway area, click the +New button.

    The New Non SD-WAN Destinations via Gateway dialog box appears.

  3. In the Name text box, enter the name for the Non SD-WAN Destination.
  4. From the Type drop-down menu, select Zscaler.
  5. Enter the IP address for the Primary VPN Gateway (and the Secondary VPN Gateway if necessary) and click Next. A Non SD-WAN Destination of type Zscaler is created and a dialog box for your Non SD-WAN Destination appears.
  6. To configure tunnel settings for the Non SD-WAN Destination’s Primary VPN Gateway, click the Advanced Settings expand button.
  7. In the Primary VPN Gateway area, under Tunnel Settings, you can configure the Pre-Shared Key (PSK), which is the security key for authentication across the tunnel. The Orchestrator generates a PSK by default. If you want to use your own PSK or password, then you can enter it in the textbox.
    Note: Starting from the 4.5 release, the use of the special character "<" in the password is no longer supported. In cases where users have already used "<" in their passwords in previous releases, they must remove it to save any changes on the page.
  8. If you want to create a Secondary VPN Gateway for this site, then click the +Add button next to Secondary VPN Gateway. In the pop-up window, enter the IP address of the Secondary VPN Gateway and click Save Changes. The Secondary VPN Gateway will be created immediately for this site and will provision a VMware VPN tunnel to this Gateway.
  9. Select the Redundant VMware Cloud VPN checkbox to add redundant tunnels for each VPN Gateway. Any changes made to PSK of Primary VPN Gateway will also be applied to the redundant VPN tunnels, if configured. After modifying the tunnel settings of the Primary VPN Gateway, save the changes and then click Sample IKE/IPSec to view the updated tunnel configuration.
  10. Under the Location area, click the Edit link to update the location for the configured Non SD-WAN Destination. The latitude and longitude details are used to determine the best Edge or Gateway to connect to in the network.
  11. Local authentication ID defines the format and identification of the local gateway. From the Local Auth Id drop-down menu, choose from the following types and enter a value that you determine:
    • FQDN - The Fully Qualified Domain Name or hostname. For example, google.com.
    • User FQDN - The User Fully Qualified Domain Name in the form of email address. For example, [email protected].
    • IPv4 - The IPv4 address used to communicate with the local gateway.
    • IPv6 - The IPv6 address used to communicate with the local gateway.
    Note:

    For Zscaler Non SD-WAN Destination, it is recommended to use FQDN or User FQDN as the local authentication ID.

  12. When the Zscaler Cloud Security Service is selected as the Service type, to determine and monitor the health of Zscaler Server, you can configure additional settings such as Zscaler Cloud and Layer 7 (L7) Health check.
    1. Select the L7 Health Check checkbox to enable L7 Health check for the Zscaler Cloud Security Service provider, with default probe details (HTTP Probe interval = 5 seconds, Number of Retries = 3, RTT Threshold = 3000 milliseconds). By default, L7 Health Check is deactivated.
      Note: Configuration of health check probe details is not supported.
    2. From the Zscaler Cloud drop-down menu, select a Zscaler cloud service or enter the Zscaler cloud service name in the textbox.
  13. To login to Zscaler portal from here, enter the login URL in the Zscaler Login URL textbox and then click Login to Zscaler. This will redirect you to the Zscaler Admin portal of the selected Zscaler cloud. The Login to Zscaler button will be enabled if you have entered the Zscaler login URL.

    For more information, see Configure a Cloud Security Service.

  14. Check the Enable Tunnel(s) checkbox once you are ready to initiate the tunnel from the SD-WAN Gateway to the Zscaler VPN gateways.
  15. Click Save Changes.
    Note: A Zscaler tunnel is established with IPsec Encryption Algorithm as NULL and Authentication Algorithm as SHA-256 irrespective of whether Customer Export Restriction is activated or deactivated.

The configured network service appears under the Non SD-WAN Destinations via Gateway area in the Network Services window. You can associate the network service to a Profile. For more information, see Associate a Non SD-WAN Destination to a Configuration Profile.

You can view the L7 health status along with the L7 health check RTT from Monitor > Network Services > Non SD-WAN Destinations via Gateway > Service Status.