Would someone be so kind as to explain to me, like you would explain to a 5 year old, what’s the difference between Tunnel and Tunnel with Local Proxy modes, and which option would be best suited for us? We’re currently in the process of implementing Zscaler in our environment and we’re running into a few problems. I’m sure it would be better if we had a better grasp of the whole thing.
I did of course read the documents and searched this topic on the forum, but I am still having problems understanding this.
First of all, let’s start with the background of our environment:
- We are implementing a GRE tunnel to the Zscaler cloud on our internal network. So by default all traffic will go through it.
- At the same time, we have an internal Squid Proxy that we still need to keep because some applications can only be accessed through it.
- Which in general means that we have to use a PAC file to identify which traffic should go direct, and which traffic should go through the Squid proxy.
- For remote Users, we will have IKEv2 VPN using Windows native “client” (specifically, Always-On VPN) implemented in a split-tunneling mode. Only corporate traffic will go over the tunnel, Internet traffic should go over Zscaler.
As of now I’ve been working on implementing a Tunnel with LP, but now I am not sure if this is what we should be doing.
The way I understand Tunnel with LP:
- The Forwarding Profile PAC file is responsible for identifying which traffic goes to the ZAPP, and which goes elsewhere (either Direct or, in our case, to the Squid proxy)
- Traffic to the ZAPP is done through a loopback interface
- The ZAPP then forms a tunnel to the ZENs and pushes the traffic through it
- Operates on the Application Layer
The way I understand Tunnel (Filter Based):
- Does not use the Forwarding Profile PAC file, but instead directs all traffic to the ZAPP using Windows Filter Driver
- Does not use the loopback interface
- The ZAPP then uses the App Profile PAC file to identify which traffic goes to the ZENs and which is directed elsewhere
- Operates on the Network Layer
Is my reasoning correct? This is what’s confusing me. In both cases, the ZAPP needs to form a tunnel to the ZENs, but in one scenario it operates on Layer 7, in the second scenario it operates on Layer 4. How come?
In this document: https://help.zscaler.com/z-app/best-practices-zscaler-app-and-vpn-client-interoperability it is stated that the recommended option for split-tunnel VPNs is the Tunnel with LP. Why would I use that instead of the Tunnel (Filter Based)?
If I selected Tunnel (Filter Based), would I still need to apply the actions from Step 4, or is this only applicable for a Route Based Tunnel (which I don’t think I’m considering at this moment)?
Many thanks in advance for your help on this topic.
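The three-way split the post describes for Tunnel with Local Proxy (legacy apps to Squid, internal names direct, everything else to the Zscaler App listener on loopback) as an added Forwarding Profile style PAC file; this is example code, not the poster's or Zscaler's own, and the hostnames, the Squid address and the loopback port 9000 are assumptions.

```javascript
// Added example PAC (not from the original post or from Zscaler).
// Minimal shims for the standard PAC helper functions so the file runs offline;
// a real PAC engine (browser, Zscaler App) supplies these natively.
function isPlainHostName(host) { return host.indexOf(".") === -1; }
function dnsDomainIs(host, domain) {
  return host.length >= domain.length && host.slice(-domain.length) === domain;
}
function shExpMatch(str, pattern) {
  var re = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*").replace(/\?/g, ".");
  return new RegExp("^" + re + "$").test(str);
}
function ip2int(ip) {
  return ip.split(".").reduce(function (a, o) { return (a << 8) + parseInt(o, 10); }, 0) >>> 0;
}
function isInNet(host, net, mask) {
  // Shim only handles dotted-quad literals; a real engine resolves names first.
  if (!/^\d+\.\d+\.\d+\.\d+$/.test(host)) return false;
  return (ip2int(host) & ip2int(mask)) === (ip2int(net) & ip2int(mask));
}

var ZAPP_LOCAL_PROXY = "PROXY 127.0.0.1:9000";        // Zscaler App loopback listener (assumed port)
var SQUID_PROXY      = "PROXY squid.corp.example:3128"; // assumed internal Squid address
var DIRECT           = "DIRECT";

function FindProxyForURL(url, host) {
  // 1. Applications reachable only through Squid are matched first, before the
  //    broader internal-domain rule below can send them DIRECT.
  if (shExpMatch(host, "*.legacy.corp.example") || host === "erp.corp.example") {
    return SQUID_PROXY;
  }
  // 2. Plain names, the internal domain, loopback and RFC1918 ranges bypass all proxies,
  //    so corporate traffic stays on the LAN or the split-tunnel VPN.
  if (isPlainHostName(host) || dnsDomainIs(host, ".corp.example") ||
      isInNet(host, "10.0.0.0", "255.0.0.0") ||
      isInNet(host, "192.168.0.0", "255.255.0.0") ||
      isInNet(host, "127.0.0.0", "255.0.0.0")) {
    return DIRECT;
  }
  // 3. Everything else is handed to the Zscaler App on loopback, which tunnels it to the ZENs.
  return ZAPP_LOCAL_PROXY;
}
```

Rule order is the part worth checking when adapting this: a Squid-only host that also matches the internal domain must be listed before the DIRECT rule or it will silently bypass Squid.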