07-Mar-24

Manual Deployment Workflows

This section describes the configurations needed for manual integrations.


Manual Integration using IPsec tunnels

As described in the overview, the integration with ZIA requires configuration both in the Zscaler admin portal and in Aruba Central. These steps are simplified by the fact that the ZIA service always sends return traffic back through the tunnel on which the original session arrived, so no routing exchange is needed.

Note: Manual configuration mode is only supported on SD-Branch Gateways.


The first step before configuring ZIA is to locate the FQDN of the ZIA instance that will be used. The FQDNs representing each node in the different Zscaler clouds are listed on this Zscaler page.

Configuring ZIA

The next step is to configure ZIA to terminate VPN tunnels from Aruba Gateways. As described above, these are IPsec tunnels that use IKEv2 credentials to uniquely identify each Gateway. Each Gateway therefore has to be assigned a “Location” in the Zscaler admin portal, together with the corresponding VPN credentials.

To create Location and credentials:

Step 1 Navigate to Administration > Resources > Location Management.

Step 2 Choose Add Location and enter general information about the location.

Step 3 Select previously created VPN credentials, or create a new set of credentials by clicking the ‘+’ sign.

Step 4 Optionally, enable other features for this location.

Create Location

Configuring Aruba Gateways to establish tunnels to ZIA

As previously explained, Gateways set up tunnels to ZIA through every WAN interface. This is configured from the VPN > Cloud Security page in Aruba Central. Once there, configure the following parameters:

  • Name: administrative name for the tunnel.
  • Priority: admin ID for the tunnel.
  • Transform: set ESP-null encryption with esp-md5-hmac or ESP-sha-hmac (recommended) hash.
  • Destination Gateway FQDN: set the FQDN of the ZIA Public Service Edge.
  • Source FQDN: set the user ID created in ZIA (in the image below).
  • Uplink VLAN/VLAN: when tunneling from a Branch Gateway, select the Uplink VLAN(s) to be used to bring up tunnels to ZIA. In the case of VPNCs, simply select the VLAN from which tunnels will be initiated.
  • IKE Shared Secret: set the same value created in the Zscaler configuration.
  • (optional) Set the Tunnel Monitor FQDN to https://gateway./vpntest to allow the gateway to measure tunnel quality.

Cloud Security Configuration

Note: In case of VPNCs, instead of “Uplink VLAN” simply select the VLAN from which tunnels to the ZIA service would be initiated.

Note: In the unlikely event that a ZIA Public Service Edge has issues, the solution can set up tunnels to different ZIA Public Service Edges and handle failover as part of the PBR policy, as described in the Reference Architectures and Orchestrated Deployment sections.

Policy Based Routing

Policy Based Routing configuration is the same for manual IPsec tunnels as for the orchestrated integration.

Validation Steps

The validation steps are the same for manual IPsec as for the orchestrated integration.

Manual Integration using GRE tunnels

As previously described, certain use cases require that the integration with Zscaler is done using GRE tunnels, since the bandwidth per tunnel can be higher.

GRE Tunnel Establishment


The first step when configuring GRE tunnels between Aruba Gateways and ZIA is to find the fixed public IP address of the WAN interface that will be used to establish the tunnels. These IPs can be checked in the WAN section of the gateway details page in Aruba Central.

Obtain Gateway WAN IP

The next step is to contact your Zscaler representative or Customer Support to have a GRE tunnel provisioned for your account. Provide the public IP address (or addresses) of the tunnel source(s) as well as the physical location of the gateway (source: Zscaler).

ZIA Configuration

Once the service request is closed by Zscaler Customer Support, all that’s left is to create the Location in the Zscaler portal and assign tunnel(s) to it:

  • Go to Administration > Locations Management.
  • Click “Add Location” and enter general information about the location.
  • Choose the IP addresses for the location; the Public IP Addresses list shows the IP addresses provisioned through Customer Support.
  • Optionally, enable other features for this location.

Create Location

Configuring Gateways to establish GRE tunnels to ZIA

As explained in the overview section, Gateways set up GRE tunnels to ZIA from interfaces with a fixed public IP to an IP address provided by Zscaler Customer Support. This is configured from Interfaces > GRE Tunnels in the “Advanced” configuration mode. The key elements are the following:

  • Mode: L3
  • Source IP and netmask for GRE tunnel (provided by Zscaler Support)
  • Tunnel Destination (provided by Zscaler Support)
  • Enable Keepalive (Cisco compatible)

GRE Tunnel Configuration

A minimum of two tunnels should be created, pointing to the nearest Zscaler nodes provided by Customer Support. Once those are created, they should be added into a “Tunnel Group”. The key elements are the following:

  • Select GRE tunnels. Higher priority tunnels go on top
  • Select “Enable preemptive failover mode” to ensure that traffic always goes to the closest available ZIA Public Service Edge
  • Mode: L3

Tunnel Group Configuration

Policy Based Routing for GRE Integration

After the Tunnel Group is created, the only remaining step is to selectively redirect traffic through ZIA. This is done using Policy Based Routing. Note that the PBR configuration for GRE tunnels is slightly different from the one used for IPsec tunnels.

PBR Policy to redirect to Tunnel Groups

After the Tunnel Group with the tunnels to ZIA is created, add it to a routing policy under Routing > Policy-Based Routing.

In the example below, the policy sends all traffic destined to corporate subnets (an alias representing the corporate address ranges) through the regular path, and sends the rest through ZIA.

PBR Policy
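To make the interaction between the Tunnel Group (priority order, preemptive failover) and the PBR policy concrete, the following is an added example that models that decision logic in Python; it is not code from Aruba Central or Zscaler, and the tunnel names, corporate subnets and destination IPs are constructed placeholders.

```python
# Added example (not Aruba/Zscaler code): models the PBR + Tunnel Group behaviour
# described on this page. All names, subnets and addresses are constructed.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Tunnel:
    name: str          # administrative tunnel name
    priority: int      # lower value = higher in the Tunnel Group list
    up: bool = True    # keepalive state


@dataclass
class TunnelGroup:
    tunnels: List[Tunnel]
    preemptive: bool = True           # "Enable preemptive failover mode"
    active: Optional[Tunnel] = None   # tunnel currently carrying traffic

    def select(self) -> Optional[Tunnel]:
        """Return the tunnel to use. Preemptive: the highest-priority tunnel
        that is up always wins, so traffic moves back when the primary
        recovers. Non-preemptive: a working active tunnel is kept even
        after a better one comes back."""
        ranked = sorted((t for t in self.tunnels if t.up), key=lambda t: t.priority)
        if not ranked:
            self.active = None
            return None
        if self.preemptive or self.active is None or not self.active.up:
            self.active = ranked[0]
        return self.active


# Constructed "corporate subnets" alias used by the PBR rule
CORPORATE_ALIAS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]


def pbr_next_hop(dst: str, group: TunnelGroup) -> str:
    """PBR policy from this page: corporate subnets take the regular path,
    everything else is redirected into the ZIA Tunnel Group."""
    ip = ipaddress.ip_address(dst)
    if any(ip in net for net in CORPORATE_ALIAS):
        return "regular-path"
    tunnel = group.select()
    # Assumption: what happens when no tunnel is up depends on the policy's
    # configured next hops; here it is reported as a distinct outcome so that
    # a fail-open bypass of ZIA is visible rather than silent.
    return f"zia:{tunnel.name}" if tunnel else "no-zia-tunnel"
```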

Apply Routing Policies

After the routing policy is created, the last step is to apply it to the relevant traffic.

In the case of Branch Gateways, these policies are applied to the roles or VLANs that contain the devices whose traffic has to be sent through the ZIA service:

  • To apply a policy to a VLAN, go to Security > Apply Policies and select a policy from the dropdown next to each VLAN.
  • To apply a policy to a role, go to Security > Roles and edit the role you want to send through ZIA by adding a routing policy (routing policies always come at the end).

Apply policy to the role

In the case of VPNCs, routing policies are applied to the incoming SD-WAN traffic. This is configured under VPN > SDWAN Overlay > Advanced.

Apply Policy to the Overlay

Verification Steps

As described in the section about orchestrated tunnels, Aruba Central clearly displays the role of a given user and whether it’s being forwarded through ZIA. The client role can be seen from the client details page, and the policies applied to that client’s traffic can be seen by checking the sessions table for that client:

Client Session View

As an additional verification, client devices can browse to the ZIA verification portal described in the orchestrated mode deployment:

ZIA verification portal

From the administrator’s perspective, the Zscaler dashboard shows traffic arriving through the newly created location. This can be observed by going to Analytics > Web Insights > Logs and filtering for the appropriate location:

Zscaler Browsing Logs


© Copyright 2024 Hewlett Packard Enterprise Development LP. The information contained herein is subject to change without notice. The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein. Aruba Networks and the Aruba logo are registered trademarks of Aruba Networks, Inc. Third-party trademarks mentioned are the property of their respective owners. To view the end-user software agreement, go to Aruba EULA.