Access the cloud application from only known sources


(Ramesh M) #1

Hi Team,
One of our customers is accessing a cloud application through Zscaler and it's failing because the cloud application will accept traffic only from known sources.

I have tested by allowing the Zscaler node IPs at the cloud application end. But the problem is that the application is indirectly exposed to all Zscaler users.

Do we have any other workaround, like modifying the XFF header or something like that? How have others handled this situation?

Please suggest.

Regards / Ramesh M


(Peter Hayes) #2

Hi Ramesh,

There aren’t many options and we typically see customers go with bypassing the service for this traffic:

Alternatively, the customer could request or see if the application supports the X-Forwarded-For header - we send the customer IP within this header to all websites. It’s unlikely though that an app would already or will add support for it.
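
An added example, not part of the original thread and not Zscaler or application code: one way an application could combine the proxy-IP allow-list from post #1 with the X-Forwarded-For header mentioned above, so that only the intended customer's users get through rather than every user behind the same proxy nodes. It assumes the proxy appends the real client IP as the last XFF entry; the address ranges and the function names are constructed placeholders.

```python
import ipaddress

# Constructed sample ranges (RFC 5737 documentation space), not real proxy or customer IPs.
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.0/24")]    # assumed proxy egress range
ALLOWED_CLIENTS = [ipaddress.ip_network("203.0.113.0/28")]  # assumed customer egress range


def _in_any(ip, networks):
    return any(ip in net for net in networks)


def _parse_ip(text):
    """Return an ip_address, or None for anything that is not a bare IP literal."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def effective_client_ip(peer_ip, xff_header):
    """Resolve the client IP, honouring XFF only when the TCP peer is a trusted proxy."""
    peer = _parse_ip(peer_ip)
    if peer is None:
        return None
    if not _in_any(peer, TRUSTED_PROXIES) or not xff_header:
        return peer  # untrusted peer, or no header: XFF is never consulted
    # Walk right to left: the right-most entries were appended by proxies we trust;
    # everything left of the first untrusted hop is client-supplied and unverified.
    for hop in reversed(xff_header.split(",")):
        ip = _parse_ip(hop)
        if ip is None:
            return None  # malformed entry: fail closed
        if not _in_any(ip, TRUSTED_PROXIES):
            return ip
    return peer  # every hop was a trusted proxy


def is_allowed(peer_ip, xff_header=None):
    """Allow only when the resolved client IP is inside the customer's own range."""
    client = effective_client_ip(peer_ip, xff_header)
    return client is not None and _in_any(client, ALLOWED_CLIENTS)
```

A request that arrives from a proxy node without a usable XFF entry resolves to the proxy's own address and is denied, which is what keeps other tenants of the same proxy out.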


(Ramesh M) #3

Hi Peter,

Thanks for your reply.
So I have to check the application's capability to handle the XFF header.
If a customer is using a traditional firewall to restrict access at the application end, then how do I handle this? Looking for Fortinet or Cisco ASA firewall-level solutions.

Regards / Ramesh M


(Pablo Smiraglia) #4

They could deploy a VZEN and use PAC files to send those transactions
through their VZEN which, in turn, would present itself with a specific IP
address they can use for their SaaS ACLs.

pablo.


(Scott Bullock) #5

It’s also a use-case for ZPA, where XPA can hijack the Cloud App domain and
send it via a Connector Group behind the customer’s IP.


(Ramesh M) #6

Sorry, I am not clear about this. Can you please elaborate?


(Scott Bullock) #7

Apologies for the typo and the lack of verbosity.

ZPA can take over any FQDN, for example an app such as salesforce.com.
By defining a wildcard app like *.salesforce.com, ZPA will intercept all
traffic for that domain and send it via a customer connector-group. As such,
ZPA may solve this problem too.

DM me if you would like to discuss further.

Cheers,
Scott-


(Ramesh M) #8

Sure, we shall discuss this.