Benefit using GRE Tunnel

If using the Z Client Connector app on all desktops and laptops, what benefit is there to using a GRE tunnel?

Thinking if we have a firewall rule with the IP ranges for Zscaler US data centers, then all devices running the Client Connector would just connect to the Zscaler infrastructure.

Just trying to understand the benefits, thanks in advance!

Hello Andy,

A few use cases for GRE tunnels would be to ensure that, for devices that do not support the ZCC agent or where you cannot install that agent, transactions are still sent to the ZIA service. For instance, IoT devices or guest WiFi networks.

Thanks Pat!
I guess where my confusion on GRE comes up is: a device without the Client Connector, say an IoT device, how does it know to route to the GRE tunnel for internet?
Most of these devices cannot handle a PAC file either. Is it basically that the GRE tunnel is seen as the “internet” to the device, or am I just sending to it?

Hey Andy, good question. You can use something like Policy Based Routing (ACLs) to identify the source traffic and ensure VLANs that contain IoT devices enter the GRE tunnel. This would be one way of identifying this traffic and ensuring its next hop is the GRE tunnel. With the ability to configure Sub Locations within a Location in the ZIA portal, you can then apply different treatment options once that traffic arrives at the ZEN. For instance, disabling authentication for your IoT Sub Location or disabling SSL Inspection would be two options available to you. Hopefully this makes sense.
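Added example, not part of the thread or any poster's configuration: a Cisco IOS-style sketch of the source-based policy routing described above, steering web traffic from an IoT VLAN into a GRE tunnel. Every address, VLAN number and name is a constructed placeholder (assumptions); the real tunnel endpoints and tunnel-internal addresses are the ones provisioned for your ZIA location.

```cisco
! Constructed example. All names and addresses are placeholders.
! 10.20.30.0/24   = IoT VLAN subnet (assumption)
! 192.0.2.10      = site's public GRE source address (placeholder)
! 198.51.100.20   = GRE destination at the cloud service (placeholder)
! 172.16.0.0/30   = tunnel-internal addressing (placeholder)

ip access-list extended IOT-TO-ZIA
 ! "deny" here means "do not policy-route": internal destinations
 ! keep following the normal routing table.
 deny   ip 10.20.30.0 0.0.0.255 10.0.0.0 0.255.255.255
 deny   ip 10.20.30.0 0.0.0.255 172.16.0.0 0.15.255.255
 deny   ip 10.20.30.0 0.0.0.255 192.168.0.0 0.0.255.255
 ! Web traffic from the IoT subnet is selected for the tunnel.
 permit tcp 10.20.30.0 0.0.0.255 any eq 80
 permit tcp 10.20.30.0 0.0.0.255 any eq 443
!
interface Tunnel1
 description GRE tunnel for agentless (IoT) traffic
 ip address 172.16.0.1 255.255.255.252
 tunnel source 192.0.2.10
 tunnel destination 198.51.100.20
 tunnel mode gre ip
!
route-map IOT-PBR permit 10
 match ip address IOT-TO-ZIA
 ! Far end of the tunnel becomes the next hop for matched packets.
 set ip next-hop 172.16.0.2
!
interface Vlan30
 description IoT VLAN (no agent, no PAC file support)
 ! Policy routing is applied where the IoT traffic enters the router.
 ip policy route-map IOT-PBR
```

The devices themselves need no change: they keep using their normal default gateway, and the router decides the next hop based on the source subnet.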


Makes sense, thank you Pat!

For information purposes, we have a tunnel each for ZCC clients and non-ZCC clients. We put logic in the PAC file for ZCC clients to return traffic to the Zscaler Global VIP. Policy Based Routing (ACLs) is then used to redirect traffic based on its destination (i.e. Zscaler Global VIP) to a different tunnel. But I think Global VIPs can be traversed only through tunnels.

You may get hide NAT issues for large sites without using GRE. Although this can be solved with multiple IP addresses in NAT pools.

You are also limited to about 500Mb/s of traffic from a single IP address, as the Zscaler load-balancers start to struggle after that. GRE also solves this problem.

We had an architectural meeting the other day with Zscaler folks and we were told that the limit of 500 MBps from a single IP is not there any more if we use ZCC with tunnel 2.0. Can some Zscaler folk clarify this, as we were considering moving all our ZCC traffic out of GRE and sending it directly to Cloud Vzens?