When you have assigned a profile to an Edge, the Edge automatically inherits the cloud security service (CSS) and attributes configured in the profile. You can override the settings to select a different cloud security provider or modify the attributes for each Edge.

To override the CSS configuration for a specific Edge, perform the following steps:

  1. In the SD-WAN service of the Enterprise portal, click Configure > Edges. The Edges page displays the existing Profiles.
  2. Click the link to an Edge or click the View link in the Device column of the Edge. The configuration options for the selected Edge are displayed in the Device tab.
  3. Under the VPN Services category, in the Cloud Security Service area, the CSS parameters of the associated profile are displayed.
  4. In the Cloud Security Service area, select the Override check box to select a different CSS or to modify the attributes inherited from the profile associated with the Edge. For more information on the attributes, see Configure Cloud Security Services for Profiles.
  5. Click Save Changes in the Edges window to save the modified settings.
    Note: For CSS of type Zscaler and Generic, you must create VPN credentials. For Symantec CSS type, the VPN credentials are not needed.

Manual Zscaler CSS Provider Configuration for Edges

At the Edge level, for a selected manual Zscaler CSS provider, you can override the settings inherited from the profile and can configure additional parameters manually based on the tunneling protocol selected for tunnel establishment.

If you choose to configure an IPsec tunnel manually, apart from the inherited attributes, you must configure a Fully Qualified Domain Name (FQDN) and Pre-Shared Key (PSK) for the IPsec session.
Note: As a prerequisite, you should have Cloud security service gateway endpoint IPs and FQDN credentials configured in the third party Cloud security service.
Configure IPsec settings
Note: For cloud security services with Zscaler login URL configured, Login to Zscaler button appears in the Cloud Security Service area. Clicking the Login to Zscaler button will redirect you to the Zscaler Admin portal of the selected Zscaler cloud.

If you choose to configure a GRE tunnel manually, then you must configure GRE tunnel parameters manually for the selected WAN interface to be used as source by the GRE tunnel, by following the steps below.

  1. Under GRE Tunnels, click +Add.
  2. In the Configure Tunnel window appears, configure the following GRE tunnel parameters, and click Update.
    Option Description
    WAN Links Select the WAN interface to be used as source by the GRE tunnel.
    Tunnel Source Public IP Choose the IP address to be used as a public IP address by the Tunnel. You can either choose the WAN Link IP or Custom WAN IP. If you choose Custom WAN IP, enter the IP address to be used as public IP. Source public IPs must be different for each segment when Cloud Security Service (CSS) is configured on multiple segments.
    Primary Point-of-Presence Enter the primary Public IP address of the Zscaler Datacenter.
    Secondary Point-of-Presence Enter the secondary Public IP address of the Zscaler Datacenter.
    Primary Router IP/Mask Enter the primary IP address of Router.
    Secondary Router IP/Mask Enter the secondary IP address of Router.
    Primary Internal ZEN IP/Mask Enter the primary IP address of Internal Zscaler Public Service Edge.
    Secondary Internal ZEN IP/Mask Enter the secondary IP address of Internal Zscaler Public Service Edge.
    Note:
    • The Router IP/Mask and ZEN IP/Mask are provided by Zscaler.
    • Only one Zscaler cloud and domain are supported per Enterprise.
    • Only one CSS with GRE is allowed per Edge. An Edge cannot have more than one segment with Zscaler GRE automation enabled.
    • Scale Limitations:
      • GRE-WAN: Edge supports maximum of 4 public WAN links for a Non SD-WAN Destination (NSD) and on each link, it can have up to 2 tunnels (primary/secondary) per NSD. So, for each NSD, you can have maximum of 8 tunnels and 8 BGP connections from one Edge.
      • GRE-LAN: Edge supports 1 link to Transit Gateway (TGW), and it can have up to 2 tunnels (primary/secondary) per TGW. So, for each TGW, you can have maximum of 2 tunnels and 4 BGP connections from one Edge (2 BGP sessions per tunnel).

Automated Zscaler CSS Provider Configuration for Edges

At the Edge level, VMware SD-WAN and Zscaler integration supports: For a selected automated Zscaler CSS provider at the Edge level, you can override the CSS settings inherited from the profile, establish automatic IPsec/GRE tunnels for each Edge Segment, create Sub-locations, and configure Gateway options and Bandwidth controls for Location and Sub-locations.

IPsec/GRE Tunnel Automation

IPsec/GRE tunnel automation can be configured for each Edge segment. Perform the following steps to establish automatic tunnels from an Edge.
  1. In the SD-WAN service of the Enterprise portal, click Configure > Edges.
  2. Select an Edge you want to establish automatic tunnels.
  3. Click the link to an Edge or click the View link in the Device column of the Edge. The configuration options for the selected Edge are displayed in the Device tab.
  4. Under the VPN Services category, in the Cloud Security Service area, the CSS parameters of the associated profile are displayed.
  5. In the Cloud Security Service area, select the Override check box to select a different CSS or to modify the attributes inherited from the profile associated with the Edge. For more information on the attributes, see Configure Cloud Security Services for Profiles.
  6. From the Cloud Security Service drop-down menu, select an automated CSS provider and click Save Changes.

    The automation will create a tunnel in the segment for each Edge's public WAN link with a valid IPv4 address. In a multi-WAN link deployment, only one of the WAN Links will be utilized for sending user data packets. The Edge choses the WAN link with the best Quality of Service (QoS) score using bandwidth, jitter, loss, and latency as criteria. Location is automatically created after a tunnel is established. You can view the details of tunnel establishment and WAN links in the Cloud Security Service section

    Note: After automatic tunnel establishment, changing to another CSS provider from an Automated Zscaler service provider is not allowed on a Segment. For the selected Edge on a segment, you must explicitly deactivate Cloud Security service and then reactivate CSS if you want to change to a new CSS provider from an Automated Zscaler service provider.

Zscaler Location/Sub-Location Configuration

After you have established automatic IPsec/GRE tunnel for an Edge segment, Location is automatically created and appears under the Zscaler section of the Edge Device page.
Note: Prior 4.5.0 release, the Sub-location configuration is located in the Cloud Security Service section for each segment. Currently, the Orchestrator allows you to configure the Zscaler configurations for Location and Sub-location for the entire Edge from the Zscaler section of the Device Settings page. For existing user of CSS Sub-location automation, the data will be migrated as part of Orchestrator upgrade.
In the Zscaler section, if you want to update the Location or create Sub-locations for the selected Edge, make sure:
  • you check that the tunnel is established from the selected Edge and Location is automatically created. You will not be allowed to create a Sub-location if the VPN credentials or GRE options are not set up for the Edge. Before configuring Sub-locations, ensure you understand about Sub-location and their limitations. See https://help.zscaler.com/zia/about-sub-locations.
  • you select the same Cloud Subscription that you used to create the Automatic CSS.
To update the Location or create Sub-locations for the selected Edge, perform the following steps:
  1. In the SD-WAN service of the Enterprise portal, click Configure > Edges.
  2. Select an Edge and click the icon under the Device column. The Device Settings page for the selected Edge appears.
  3. Go to the Zscaler section and turn on the toggle button.
  4. From the Cloud Subscription drop-down menu, select the same Cloud Subscription that you used to create the Automatic CSS. The Cloud Name associated to the selected Cloud Subscription automatically appears.
    Note: Cloud Subscription must have same Cloud name and Domain name as CSS.
    Note: If you want to change provider for "Cloud Subscription", you must first remove the "Location" by deactivating CSS and Zscaler, and then perform the creation steps with the new provider.
  5. After you have established automatic IPsec/GRE tunnel for an Edge segment, Location is automatically created and appears under the Location table. Note that the Zscaler Location name now includes the Edge name at the beginning so it can be easily identified especially on the Zscaler portal where they can search for the Edge name to find the location.

    If you want to configure the Gateway options and Bandwidth controls for the Location, click the Edit button. For more information, see Configure Zscaler Gateway Options and Bandwidth Control.

  6. To create a Sub-location, click Add.
    1. In the Sub-Location Name textbox, enter a unique name for the Sub-location. The Sub-location name should be unique across all segments for the Edge. The name can contain alphanumeric with a maximum word length of 32 characters.
    2. From the LAN Networks drop-down menu, select a VLAN configured for the Edge.
    3. In the Subnets textbox, add subnets for the selected LAN network.

      In prior Orchestrator versions, for the Zscaler sub-location configuration, the Subnets field that takes in subnets ignores the user input if the subnet being added is not directly connected to the Edge device, and users could not modify these subnets using the Orchestrator UI. This limitation presented a challenge for a branch offices where the LAN-side subnets were one hop away due to the presence of a layer 3 switch between the Edge and LAN devices. Release 6.0.0 allows users to add both direct and non-direct subnets.

      Note: For a selected Edge, Sub-locations should not have overlapping Subnet IPs.
    4. Click Save Changes.
      Note: After you create at least one Sub-location in the Orchestrator, an “Other” Sub-location is automatically created in the Zscaler side, and it appears in the Orchestrator UI. You can also configure the “Other” Sub-location’s Gateway options by clicking the Edit button under Gateway Options in the Sub-Locations table. For more information, see Configure Zscaler Gateway Options and Bandwidth Control.
    5. After creating a Sub-location, you can update the Sub-location configurations from the same Orchestrator page. Once you click Save Changes, the Sub-location configurations on the Zscaler side will be updated automatically.
    6. To delete a Sub-location, click Delete.
      Note: When the last Sub-location is deleted from the table, the "other" Sub-location will also be deleted automatically.

Configure Zscaler Gateway Options and Bandwidth Control

To configure Gateway options and Bandwidth controls for the Location and Sub-location, click the Edit button under Gateway Options, in the respective table.

The Zscaler Gateway Options and Bandwidth Control window appears.

Configure the Gateway options and Bandwidth controls for the Location and Sub-location, as needed, and click Save Changes.

Note: The Zscaler Gateway Options and Bandwidth Control parameters that can be configured for the Locations and Sub-locations are slightly different, however; the Gateway Options and Bandwidth Control parameters for the Locations and Sub-locations are the same ones that one can configure on the Zscaler portal. For more information about Zscaler Gateway Options and Bandwidth Control parameters, see https://help.zscaler.com/zia/configuring-locations
Option Description
Gateway Options for Location/Sub-Location
Use XFF from Client Request Enable this option if the location uses proxy chaining to forward traffic to the Zscaler service, and you want the service to discover the client IP address from the X-Forwarded-For (XFF) headers that your on-premises proxy server inserts in outbound HTTP requests. The XFF header identifies the client IP address, which can be leveraged by the service to identify the client’s sub-location. Using the XFF headers, the service can apply the appropriate sub-location policy to the transaction, and if Enable IP Surrogate is turned on for the location or sub-location, the appropriate user policy is applied to the transaction. When the service forwards the traffic to its destination, it will remove the original XFF header and replace it with an XFF header that contains the IP address of the client gateway (the organization’s public IP address), ensuring that an organization's internal IP addresses are never exposed to externally.
Note: This Gateway option is only configurable for Parent location.
Enable Caution If you have not enabled Authentication, you can enable this feature to display a caution notification to unauthenticated users.
Enable AUP If you have not enabled Authentication, you can enable this feature to display an Acceptable Use Policy (AUP) for unauthenticated traffic and require users to accept it. If you enable this feature:
  • In Custom AUP Frequency (Days) specify, in days, how frequently the AUP is displayed to users.
  • A First Time AUP Behavior section appears, with the following settings:
    • Block Internet Access - Enable this feature to deactivate all access to the Internet, including non-HTTP traffic, until the user accepts the AUP that is displayed to them.
    • Force SSL Inspection - Enable this feature to make SSL Inspection enforce an AUP for HTTPS traffic.
Enforce Firewall Control Select to enable the service's firewall control.
Note: Before enabling this option, user must ensure if its Zscaler account has subscription for "Firewall Basic".
Enable IPS Control If you have enabled Enforce Firewall Control, select this to enable the service's IPS controls.
Note: Before enabling this option, user must ensure if its Zscaler account has subscription for "Firewall Basic" and "Firewall Cloud IPS".
Authentication Enable to require users from the Location or Sub-location to authenticate to the service.
IP Surrogate If you enabled Authentication, select this option if you want to map users to device IP addresses.
Idle Time for Dissociation If you enabled IP Surrogate, specify how long after a completed transaction, the service retains the IP address-to-user mapping. You can specify the Idle Time for Dissociation in Mins (default), or Hours, or Days.
  • If the user selects the unit as Mins, the allowable range is from 1 through 43200.
  • If the user selects the unit as Hours, the allowable range is from 1 through 720.
  • If the user selects the unit as Days, the allowable range is from 1 through 30.
Surrogate IP for Known Browsers Enable to use the existing IP address-to-user mapping (acquired from the surrogate IP) to authenticate users sending traffic from known browsers.
Refresh Time for re-validation of Surrogacy If you enabled Surrogate IP for Known Browsers, specify the length of time that the Zscaler service can use IP address-to-user mapping for authenticating users sending traffic from known browsers. After the defined period of time elapses, the service will refresh and revalidate the existing IP-to-user mapping so that it can continue to use the mapping for authenticating users on browsers. You can specify the Refresh Time for re-validation of Surrogacy in minutes (default), or hours, or days.
  • If the user selects the unit as Mins, the allowable range is from 1 through 43200.
  • If the user selects the unit as Hours, the allowable range is from 1 through 720.
  • If the user selects the unit as Days, the allowable range is from 1 through 30.
Bandwidth Control Options for Location
Bandwidth Control Enable to enforce bandwidth controls for the location. If enabled, specify the maximum bandwidth limits for Download (Mbps) and Upload (Mbps). All sub-locations will share the bandwidth limits assigned to this location.
Download If you enabled Bandwidth Control, specify the maximum bandwidth limits for Download in Mbps. The allowable range is from 0.1 through 99999.
Upload If you enabled Bandwidth Control, specify the maximum bandwidth limits for Upload in Mbps. The allowable range is from 0.1 through 99999.
Bandwidth Control Options for Sub-Location (if Bandwidth Control is enabled on Parent Location)
Note: The following bandwidth control options are configurable for sub-location only if you have bandwidth control enabled on the parent location. If the bandwidth control is not enabled on the parent location, then the bandwidth control options for sub-location are the same as location (Bandwidth Control, Download, Upload).
Use Location Bandwidth If you have bandwidth control enabled on the parent location, select this option to enable bandwidth control on the sub-location and use the download and upload maximum bandwidth limits as specified for the parent location.
Override Select this option to enable bandwidth control on the sub-location and then specify the maximum bandwidth limits for Download (Mbps) and Upload (Mbps). This bandwidth is dedicated to the sub-location and not shared with others.
Disabled Select this option to exempt the traffic from any Bandwidth Management policies. Sub-location with this option can only use up to a maximum of available shared bandwidth at any given time.

Limitations

  • In 4.5.0 release, when a Sub-location is created, Orchestrator automatically saves the "Other" Sub-location. In earlier version of Orchestrator, the Zscaler "Other" Sub-location was not saved in Orchestrator. After upgrading Orchestrator to 4.5.0 release, the "Other" Sub-location will be imported automatically only after a new normal (non-Other) Sub-location is created using automation.
  • Zscaler Sub-locations cannot have overlapping IP addresses (subnet IP ranges). Attempting to edit (add, update, or delete) multiple Sub-locations with conflicting IP addresses may cause the automation to fail.
  • Users cannot update the bandwidth of Location and Sub-location at the same time.
  • Sub-locations support Use Location Bandwidth option for bandwidth control when its Parent Location bandwidth control is enabled. When user turns off the Location bandwidth control on a Parent Location, the Orchestrator does not check or update the Sub-location bandwidth control option proactively.

Related links