Manual Deployment Workflows
This section describes the configurations needed for manual integrations.
Table of contents
Manual Integration using IPsec tunnels
As described in the overview, the integration with ZIA will require configurations on both the Zscaler admin portal as well as in Aruba Central. These configuration steps, are streamlined by the fact that the ZIA service always sends return traffic through the tunnel from which the original session had come through (removing the need for routing exchanges).
Note: Manual configuration mode is only supported on SD-Branch Gateways.
Pre-requisites
The first step before configuring ZIA is to locate the FQDN of the ZIA instance that will be used. FQDNs representing each node in different Zscaler clouds can be found in this Zscaler page.
Configuring ZIA
The next step would be to configure ZIA to terminate VPN tunnels from Aruba Gateways. As described above, these would be IPSec tunnels using IKEv2 credentials to uniquely identify each Gateway. Each Gateway would therefore have to be assigned a “Location” in the Zscaler admin portal, as well as the corresponding VPN credentials.
To create Location and credentials:
Step 1 Navigate to Administration > Resources > Location Management.
Step 2 Choose Add Location and enter general information about the location
Step 3 Select previously created VPN credentials or create a new set of credentials by clicking the ‘+’ sign.
Step 4 Optionally, enable other features for this location
Configuring Aruba Gateways to establish tunnels to ZIA
As previously explained, Gateways would set up tunnels to ZIA through every WAN interface. This is configured from VPN > Cloud Security page in Aruba Central. Once there, configure the following parameters:
- Name — administrative name for the tunnel.
- Priority— Admin ID for the tunnel.
- Transform — Set ESP-null encryption with esp-md5-hmac or ESP-sha-hmac (recommended) hash.
- Destination Gateway FQDN — Set the FQDN for the ZIA Public Service Edges.
- Source FQDN—Set the user ID created in ZIA (santaclara@arubanetworks.com in the image below).
- Uplink VLAN/VLAN—When tunneling from a Branch Gateway, select Uplink VLAN(s) to be used to bring up tunnels to ZIA. In the case of VPNCs, simply select the VLAN from which tunnels will be initiated.
- IKE Shared Secret— Set the same value created in the Zscaler configuration.
- (optional) Set the Tunnel Monitor FQDN to https://gateway.
/vpntest to allow the gateway to measure tunnel quality.
Note: In case of VPNCs, instead of “Uplink VLAN” simply select the VLAN from which tunnels to the ZIA service would be initiated.
Note: In the unlikely event that a ZIA Public Service Edge may be having any issues, the solution is capable of setting up tunnels to different ZIA Public Service Edges and handle failover as part of the PBR policy, as described in the Reference Architectures and Orchestrated Deployment sections.
Policy Based Routing
Policy Based Routing configuration is the same for manual IPsec tunnels as for the orchestrated integration.
Validation Steps
The validation steps are the same for manual IPsec as for the orchestrated integration.
Manual Integration using GRE tunnels
As previously described, certain use-cases require that integration with Zscaler is done using GRE tunnels, as the BW per tunnel can be higher.
GRE Tunnel Establishment
Pre-requisites
The first step when configuring GRE tunnels between Aruba Gateways and ZIA is to learn what’s the fixed public IP address of the WAN interface that will be used to establish the tunnels. These IPs can be checked from the WAN section of the gateway details page in Aruba Central.
The next step will be to contact your Zscaler representative or Customer Support to have a GRE tunnel provisioned to your account; Provide the public IP address (or addresses) of the tunnel source(s) as well as the physical location of the gateway (source: Zscaler).
ZIA Configuration
Once the service request is closed with the Zscaler Customer Support all that’s left is to create the Location from the Zscaler portal and assign tunnel(s) to it:
- Go to Administration > Locations Management
- Click on “Add Location” and enter general information about the location
- Choose the IP addresses for the location; The Public IP Addresses list displays the IP addresses provisioned through Customer Support. Choose IP addresses for the location.
- Optionally, enable other features for this location
Configuring Gateways to establish GRE tunnels to ZIA
As explained in the overview section, Gateways would set up GRE tunnels to ZIA from interfaces with a fixed public IP to an IP address provided by the Zscaler Customer Support. This is configured from Interfaces > GRE Tunnels, from the “Advanced” configuration mode. The key elements are the following:
- Mode: L3
- Source IP and netmask for GRE tunnel (provided by Zscaler Support)
- Tunnel Destination (provided by Zscaler Support)
- Enable Keepalive (Cisco compatible)
A minimum of two tunnels should be created, pointing to the nearest Zscaler nodes provided by Customer Support. Once those are created, they should be added into a “Tunnel Group”. The key elements are the following:
- Select GRE tunnels. Higher priority tunnels go on top
- Select “Enable preemptive failover mode” to ensure that traffic always goes to the closest available ZIA Public Service Edge
- Mode: L3
Policy Based Routing for GRE Integration
After the Tunnel Group is created, the only remaining step would be to selectively redirect traffic through ZIA. This is done using Policy Based Routing. Please note that the PBR configuration when using GRE tunnels is slightly different than the one that would be used for IPsec tunnels.
PBR Policy to redirect to Tunnel Groups
After the Tunnel Group with the tunnels to ZIA is created, add it to a routing policy in the Routing > Policy-Based Routing.
In the example below, the policy is sending all traffic to corporate subnets (an alias representing 10.0.0.0/8 and 172.16.0.0/12) through the regular path, and it’s sending the rest through ZIA.
Apply Routing Policies
After the routing policy is created, the last step would be to apply it to relevant traffic.
In the case of Branch Gateways, these policies would be applied to the roles or VLANs where we have the devices that have to be sent through the ZIA service:
- To apply a policy to a VLAN, go to Security > Apply Policies and select a policy from the dropdown next to each VLAN.
- To apply a policy to a role, go to Security > Roles and edit the role you want to send through ZIA by adding a routing policy (routing policies always come at the end).
In the case of VPNCs, routing policies would be applied to the incoming SD-WAN traffic. This can be configured in VPN > SDWAN Overlay > Advanced.
Verification Steps
As described in the section about orchestrated tunnels, Aruba Central clearly displays the role of a given user and whether it’s being forwarded through ZIA. The client role can be seen from the client details page, and the policies applied to that client’s traffic can be seen by checking the sessions table for that client:
As an additional verification, client devices can browse to https://ip.zscaler.com described in the orchestrated mode deployment:
From the administrator’s perspective, the Zscaler dashboard shows how there’s traffic coming through the newly created location. This can be observed by going to analytics > web insights > logs and filtering for the appropriate location: