Microbranch Integration with Zscaler through Cloud Connect Service

Microbranch integration with Zscaler through Cloud Connect service allows you to set up a secure connection between the Microbranch AP and one or several cloud-hosted enforcement points called Zscaler Internet Access (ZIA) Public Service Edges.

The Cloud Connect service uses the SD-Branch Orchestrator as the transport medium to send configurations to the Microbranch AP. The Microbranch AP connects to ZIA Public Service Edges through automatically orchestrated IPsec tunnels (Orch-IKE tunnels), which use the Internet Key Exchange (IKE) protocol to set up a security association (SA) in the IPsec protocol suite with Zscaler. IPsec authenticates and encrypts each IP packet in the session; IKE is the key management protocol that establishes the secure channel and negotiates the SA. This provides the ability to traverse NAT boundaries and leverage IKEv2 (RFC 4306; authentication by pre-shared key or digital signature) for authentication, while limiting the overhead at the same time. After the tunnels are established between the Microbranch AP and ZIA Public Service Edges, Zscaler uses reverse-pinning technology to ensure that return traffic is sent back through the same tunnel from which the traffic originated.

The Cloud Connect service continuously looks for new ZIA Public Service Edges. If new ZIA Public Service Edges become available, the Cloud Connect service pushes the updated map of Public Service Edges to the Microbranch AP and ensures that the AP is always connected to a Public Service Edge at any given time.
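The two behaviours described above, the pushed Service Edge map keeping the AP attached to a healthy edge and reverse pinning keeping return traffic on the tunnel that carried the request, can be modelled in a few lines. The following is an added illustrative model, not Aruba or Zscaler code: the edge names, flow tuples and the `MicrobranchAP` class are constructed for the example, tunnel health is a simple flag rather than IKE dead-peer detection, and the reverse-pinning check is placed on the AP side for demonstration even though the page attributes it to Zscaler.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# A flow is identified by its 5-tuple (src_ip, src_port, dst_ip, dst_port, proto).
Flow = Tuple[str, int, str, int, str]


@dataclass
class Tunnel:
    edge: str        # name of the ZIA Public Service Edge (constructed label)
    up: bool = True  # stand-in for IPsec/IKE tunnel health


@dataclass
class MicrobranchAP:
    tunnels: Dict[str, Tunnel] = field(default_factory=dict)
    preferred: List[str] = field(default_factory=list)   # edge order from the pushed map
    pins: Dict[Flow, str] = field(default_factory=dict)  # flow -> tunnel that carried it

    def apply_edge_map(self, edges: List[str]) -> None:
        """Apply a map pushed by Cloud Connect: add tunnels for new edges, retire removed ones."""
        self.preferred = list(edges)
        for edge in edges:
            self.tunnels.setdefault(edge, Tunnel(edge))
        for edge in list(self.tunnels):
            if edge not in edges:
                del self.tunnels[edge]
                # pins to a retired tunnel are no longer valid; the flow re-pins on next send
                self.pins = {f: t for f, t in self.pins.items() if t != edge}

    def set_tunnel_state(self, edge: str, up: bool) -> None:
        self.tunnels[edge].up = up

    def active_edge(self) -> Optional[str]:
        """First healthy edge in map order, or None if no Service Edge is reachable."""
        for edge in self.preferred:
            tunnel = self.tunnels.get(edge)
            if tunnel is not None and tunnel.up:
                return edge
        return None

    def send(self, flow: Flow) -> Optional[str]:
        """Egress: keep a flow on its pinned tunnel while healthy, else re-pin to the active edge.

        Returns None (fail closed, no bypass to the open internet) when no edge is up.
        """
        pinned = self.pins.get(flow)
        if pinned is not None and self.tunnels[pinned].up:
            return pinned
        edge = self.active_edge()
        if edge is None:
            return None
        self.pins[flow] = edge
        return edge

    def accept_return(self, reverse_flow: Flow, arrived_on: str) -> bool:
        """Reverse pinning: return traffic is valid only on the tunnel that carried the request."""
        src, sport, dst, dport, proto = reverse_flow
        forward = (dst, dport, src, sport, proto)
        return self.pins.get(forward) == arrived_on


if __name__ == "__main__":
    ap = MicrobranchAP()
    ap.apply_edge_map(["edge-a", "edge-b"])        # constructed edge names
    flow = ("10.1.1.5", 40000, "203.0.113.10", 443, "tcp")
    print("egress via", ap.send(flow))            # edge-a
    ap.set_tunnel_state("edge-a", False)          # primary tunnel goes down
    print("egress after failover via", ap.send(flow))  # edge-b
```

The model makes two defensive properties explicit: when every tunnel is down `send` returns `None` rather than routing around the enforcement point, and `accept_return` rejects replies that arrive on a tunnel other than the one the request used, which is the asymmetry reverse pinning exists to prevent.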

  • Zscaler integration through Cloud Connect service is applicable only for Microbranch APs running AOS 10.x.
  • Microbranch APs require an Advanced AP license for Zscaler integration through Cloud Connect service.

To integrate Microbranch with Zscaler through Cloud Connect service, complete the following steps: