Configuring traffic redirection to a Secure Web Gateway

The purpose of this function is to enable the connection to a Zscaler Web Security Gateway delivered from the cloud. The Zscaler platform defends against malware, advanced threats, phishing, browser exploits, malicious URLs and botnets. As well as web security, the service offers web filtering, firewalls and anti-spam functions.

This section describes how to configure this gateway in your network, from a Branch Office appliance over the Internet.

One tunnel is created after you have defined the appropriate parameters in both ExtremeCloud SD-WAN and Zscaler.

Create a Secure Web Gateway

1 In the Settings -> Policy Configuration -> Security pane, select the Secure Web Gateway tab.
2 Click Add SWG.
3 Enter the Name of the Secure Web gateway.
4 Enter the gateway Primary Public IP Address.
5 Enter the gateway Secondary Public IP Address. Traffic will be routed through the secondary tunnel as soon as the primary tunnel goes down.
6 Define the IPsec tunnel parameters as follows:

IKE policy

Internet Key Exchange (IKE) is a key management protocol that is used to authenticate IPsec peers, negotiate and distribute IPsec encryption keys, and to automatically establish IPsec security associations (SAs). Refer to RFC 5996.

Encryption: drop-down list to choose the encryption algorithm (mandatory).
Authentication: drop-down list to choose the data integrity hash method.
DH Group: drop-down list to choose the Diffie-Hellman group: 1 (768-bit), 2 (1024-bit), 5 (1536-bit), 14, 19, 20, 21 or 24.
SA Lifetime (seconds): Security Association lifetime, 86,400 s (24 hours) by default. The authorized range of values is [120 - 172800].

IPsec policy

Encryption: drop-down list to choose the encryption algorithm (mandatory). The available options are the same as for the IKE policy encryption, plus NULL.
Authentication: drop-down list to choose the data integrity hash method (mandatory); see the IKE policy integrity options.
DH Group (PFS only): drop-down list to choose the Diffie-Hellman group: 1 (768-bit), 2 (1024-bit), 5 (1536-bit), 14, 19, 20, 21, 24, or PFS disabled. Perfect Forward Secrecy (PFS) forces a new Diffie-Hellman key exchange for each IPsec Security Association, so that the same key is never generated again. Both sides of the VPN must support PFS for it to work; using PFS therefore provides a more secure VPN connection.
SA Lifetime (seconds): Security Association lifetime, 86,400 s (24 hours) by default (mandatory). The authorized range of values is [120 - 172800].
Enter the MTU value.
You must enter an Initiator ID that corresponds to the information you defined on the Zscaler Portal (when specifying an FQDN for the VPN credentials) if the connected appliance public IP address is dynamic and unknown to ExtremeCloud SD-WAN. For example, 'test@myzscaler.com'.

Note that defining an Initiator ID is irrelevant if the appliance Public IP address is static; in that case, ExtremeCloud SD-WAN uses that IP address.

Use the IPsec Pre-Shared Key field as follows:
If, on the Zscaler Portal, the Secure Web Gateway is configured with a single default Pre-Shared Key for all the tunnels connected to this gateway, enter this key in ExtremeCloud SD-WAN. Specifying a Pre-Shared Key is mandatory with a Zscaler Secure Web Gateway.
You can override this default Pre-Shared Key with a new key when configuring the connection between the appliance and the gateway.
7 Click Save Changes.

The new Secure Web Gateway is displayed in the Secure Web Gateway tab of the Policy Configuration window. Click any gateway to edit its parameters. Use View All if you want to delete any element(s).

Apply the Secure Web Gateway to the Appliance

1 From the main menu, select Appliances.
2 Select the Spoke appliance and the WAN tab.
3 Select the appropriate WAN interface in Router mode and from the Security Gateway list, select the Secure Web Gateway that will establish the VPN tunnel.
4 You can define the following Tunnel Customization parameters:
Click the Edit icon for the primary Destination.
You must enter an Initiator ID that corresponds to the information you defined on the Zscaler Portal (when specifying an FQDN for the VPN credentials) if the appliance public IP address is dynamic and unknown to ExtremeCloud SD-WAN. For example, 'test@myzscaler.com'.

Note that defining an Initiator ID is irrelevant if the appliance Public IP address is static; in that case, ExtremeCloud SD-WAN uses that IP address.

Use the IPsec Pre-Shared Key field as follows:

If, in Zscaler, the gateway is configured with a single default Pre-Shared Key for all the tunnels connected to this gateway, leave this field blank; the default key entered for the Secure Web Gateway is used.

If, in Zscaler, the gateway has a specific PSK value for each tunnel, enter the Pre-Shared Key for this appliance tunnel. You can either display or hide the key.

Inside Local IP address: the IP address of the tunnel termination interface.
Inside Remote IP address: the inside IP address of the remote end of the tunnel.
Click the Edit icon for the secondary Destination and follow the same procedure as for the primary Destination. The secondary destination is used as a backup tunnel when the primary destination fails.
5 Save your settings. The tunnel is created.
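The following is an added example, not part of this guide and not ExtremeCloud SD-WAN or Zscaler code. It models the gateway definition (IKE policy, IPsec policy, default Pre-Shared Key) and the per-appliance tunnel customization (Initiator ID, PSK override, primary and secondary destinations) as plain Python data, then applies the constraints stated in the two procedures above: mandatory encryption and integrity, the listed DH groups, the SA lifetime range [120 - 172800], the Initiator ID rule for dynamic public IPs, and the rule that a PSK must exist either as a gateway default or as a per-tunnel override. It also raises defender-side warnings (NULL IPsec encryption, PFS disabled, DH groups 1/2/5, a secondary destination that is not a distinct backup path). The field names, the WEAK_DH_GROUPS set and the sample values are assumptions made for this example.

```python
"""Consistency checks for a Secure Web Gateway tunnel definition (added example)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

SA_LIFETIME_MIN, SA_LIFETIME_MAX = 120, 172800      # range stated in the guide
VALID_DH_GROUPS = {1, 2, 5, 14, 19, 20, 21, 24}     # groups offered in the drop-down
WEAK_DH_GROUPS = {1, 2, 5}                          # assumption: MODP groups under 2048 bits are flagged


@dataclass
class IkePolicy:
    encryption: str
    integrity: str
    dh_group: int
    sa_lifetime: int = 86400        # 24 hours, the documented default


@dataclass
class IpsecPolicy:
    encryption: str                 # may be "NULL" (selectable, but no confidentiality)
    integrity: str
    pfs_group: Optional[int]        # None models "PFS disabled"
    sa_lifetime: int = 86400


@dataclass
class Destination:
    public_ip: str
    initiator_id: Optional[str] = None      # e.g. 'test@myzscaler.com' when the appliance IP is dynamic
    psk_override: Optional[str] = None      # blank means "use the gateway default PSK"
    inside_local_ip: Optional[str] = None
    inside_remote_ip: Optional[str] = None


@dataclass
class SwgTunnelConfig:
    name: str
    ike: IkePolicy
    ipsec: IpsecPolicy
    gateway_default_psk: Optional[str]
    appliance_public_ip_is_static: bool
    destinations: List[Destination]         # [primary, secondary]


def effective_psk(cfg: SwgTunnelConfig, dest: Destination) -> Optional[str]:
    """The per-tunnel override wins; otherwise the gateway-wide default applies."""
    return dest.psk_override or cfg.gateway_default_psk


def _check_lifetime(label: str, seconds: int, errors: List[str]) -> None:
    if not SA_LIFETIME_MIN <= seconds <= SA_LIFETIME_MAX:
        errors.append(f"{label}: SA lifetime {seconds}s outside [{SA_LIFETIME_MIN}-{SA_LIFETIME_MAX}]")


def validate(cfg: SwgTunnelConfig) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings): errors break a rule stated in the guide, warnings are risk observations."""
    errors: List[str] = []
    warnings: List[str] = []

    # IKE policy: encryption is mandatory; DH group must be one of the listed groups
    if not cfg.ike.encryption or cfg.ike.encryption.upper() == "NULL":
        errors.append("IKE: an encryption algorithm is mandatory")
    if not cfg.ike.integrity:
        errors.append("IKE: an integrity algorithm is mandatory")
    if cfg.ike.dh_group not in VALID_DH_GROUPS:
        errors.append(f"IKE: DH group {cfg.ike.dh_group} is not one of {sorted(VALID_DH_GROUPS)}")
    elif cfg.ike.dh_group in WEAK_DH_GROUPS:
        warnings.append(f"IKE: DH group {cfg.ike.dh_group} is below 2048 bits; prefer group 14 or an ECP group")
    _check_lifetime("IKE", cfg.ike.sa_lifetime, errors)

    # IPsec policy: NULL is selectable but leaves web traffic to the gateway unencrypted
    if not cfg.ipsec.encryption:
        errors.append("IPsec: an encryption algorithm is mandatory")
    elif cfg.ipsec.encryption.upper() == "NULL":
        warnings.append("IPsec: NULL encryption selected; traffic to the gateway is not confidential")
    if not cfg.ipsec.integrity:
        errors.append("IPsec: an integrity algorithm is mandatory")
    if cfg.ipsec.pfs_group is None:
        warnings.append("IPsec: PFS disabled; no fresh Diffie-Hellman exchange per IPsec SA")
    elif cfg.ipsec.pfs_group not in VALID_DH_GROUPS:
        errors.append(f"IPsec: PFS group {cfg.ipsec.pfs_group} is not one of {sorted(VALID_DH_GROUPS)}")
    elif cfg.ipsec.pfs_group in WEAK_DH_GROUPS:
        warnings.append(f"IPsec: PFS group {cfg.ipsec.pfs_group} is below 2048 bits")
    _check_lifetime("IPsec", cfg.ipsec.sa_lifetime, errors)

    # Destinations: the secondary is only a backup if it really is a different gateway address
    if not cfg.destinations:
        errors.append("at least a primary destination is required")
    if len(cfg.destinations) == 2 and cfg.destinations[0].public_ip == cfg.destinations[1].public_ip:
        warnings.append("secondary destination has the same public IP as the primary; no distinct backup path")
    for label, dest in zip(("primary", "secondary"), cfg.destinations):
        if cfg.appliance_public_ip_is_static:
            if dest.initiator_id:
                warnings.append(f"{label}: Initiator ID is ignored because the appliance public IP is static")
        elif not dest.initiator_id:
            errors.append(f"{label}: Initiator ID is required when the appliance public IP is dynamic")
        if effective_psk(cfg, dest) is None:
            errors.append(f"{label}: a Pre-Shared Key is mandatory (tunnel override or gateway default)")
    return errors, warnings


def example_config() -> SwgTunnelConfig:
    """Constructed sample that satisfies every rule (public IPs are RFC 5737 documentation addresses)."""
    return SwgTunnelConfig(
        name="zscaler-swg", gateway_default_psk="constructed-default-psk", appliance_public_ip_is_static=False,
        ike=IkePolicy(encryption="AES-256", integrity="SHA-256", dh_group=14),
        ipsec=IpsecPolicy(encryption="AES-256", integrity="SHA-256", pfs_group=14),
        destinations=[
            Destination("192.0.2.10", initiator_id="test@myzscaler.com", inside_local_ip="10.255.0.1", inside_remote_ip="10.255.0.2"),
            Destination("198.51.100.10", initiator_id="test@myzscaler.com", psk_override="constructed-per-tunnel-psk"),
        ],
    )


def weak_example_config() -> SwgTunnelConfig:
    """Constructed sample that trips the checks: out-of-range lifetime, weak DH, NULL, no PFS, no PSK, no Initiator ID."""
    return SwgTunnelConfig(
        name="weak-swg", gateway_default_psk=None, appliance_public_ip_is_static=False,
        ike=IkePolicy(encryption="3DES", integrity="SHA-1", dh_group=2, sa_lifetime=200000),
        ipsec=IpsecPolicy(encryption="NULL", integrity="SHA-1", pfs_group=None),
        destinations=[Destination("192.0.2.10"), Destination("192.0.2.10")],
    )


if __name__ == "__main__":
    for cfg in (example_config(), weak_example_config()):
        errs, warns = validate(cfg)
        print(f"{cfg.name}: {len(errs)} error(s), {len(warns)} warning(s)")
        for line in errs + warns:
            print("  -", line)
```

Run as a script it reports the sound configuration as clean and lists every error and warning for the weak one; the same `validate()` can be pointed at a configuration exported from your own records before you click Save Changes, so that a missing PSK or an out-of-range lifetime is caught before the tunnel negotiation fails.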