How Does ZCC over GRE Work

How does ZCC over GRE work?
We have deployed an IPsec tunnel and are also using ZCC with forwarding mode set to TWLP.
It would be helpful to get an easy explanation of this rather than a KB article.

Hi,
Do you have any specific issues?
From a GRE perspective I would just make sure that

  • PAC server IP addresses are routed "direct via local breakout", so that the PAC server sees the "real" source IP
  • combined network ranges from Config | Zscaler are routed into GRE/IPsec (make sure that you use the page related to your cloud)
  • firewall requirements for ZCC are considered, especially that the update servers can be reached
  • other firewall policies are in place, e.g., web traffic that tries to avoid ZCC or Zscaler is blocked
  • off-trusted / on-trusted settings are correct, if your Z-tunnels are configured differently, like Tunnel1 on-trusted and Tunnel2 off-trusted

Best regards
Andreas

Hey @amir03 ,

Just wanted to follow up and make sure that your questions were answered, or see if you uncovered any additional information.

Hi @Ben_Garrison ,

I appreciate you following up.
My query was: how does ZCC over GRE work? If you can provide any related KB, that would be helpful.
Also, can you help me understand the benefit of using two forwarding methods (ZCC over GRE) if we can forward traffic using only GRE or ZCC alone?

Looking forward to your response.

Hi @amir03,

To answer this question:

ZCC will allow your user information to be carried over the GRE tunnel. Best practice is to utilize Tunnel 1.0 or no forwarding from ZCC when a location has a GRE tunnel. This is because Tunnel 2.0 can cause issues with load balancing at the ZEN.

The other option, which requires more work, would be to create a route policy on the device where your GRE tunnel is created, to send all ZCC traffic directly out to the internet and bypass the GRE tunnel. To do this, you'd have to include the Zscaler ZEN IP addresses.

1 Like
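
The routing points raised in the replies above (PAC server addresses leave via local breakout, Zscaler ranges go into the GRE/IPsec tunnel, or alternatively bypass it) can be checked against an edge device's route table. This is an added example, not part of any post in the thread and not Zscaler code. All addresses and the route table are constructed placeholders from documentation ranges, and treating the bypass option as `zscaler_egress="direct"` over the same ranges is an assumption.

```python
import ipaddress

# Constructed placeholders from RFC 5737 documentation ranges, not real
# PAC-server or Zscaler addresses; take real values from your cloud's config page.
PAC_SERVERS = ["192.0.2.10", "192.0.2.11"]
ZSCALER_RANGES = ["198.51.100.0/24", "203.0.113.0/25"]

# Constructed routing table of the tunnel edge device: (prefix, egress).
ROUTES = [
    ("0.0.0.0/0", "gre"),
    ("192.0.2.10/32", "direct"),
    ("198.51.100.0/24", "gre"),
    ("203.0.113.0/26", "direct"),  # more-specific route that leaks half a range
]


def effective_routes(target, routes):
    """Routes that decide egress for any address in `target`: the longest
    covering prefix plus every more-specific route inside the target."""
    target = ipaddress.ip_network(target)
    parsed = [(ipaddress.ip_network(p), e) for p, e in routes]
    covering = [r for r in parsed if target.subnet_of(r[0])]
    inside = [r for r in parsed if r[0].subnet_of(target) and r[0] != target]
    best = max(covering, key=lambda r: r[0].prefixlen, default=None)
    return ([best] if best else []) + inside


def audit(routes, pac_servers, zscaler_ranges, zscaler_egress="gre"):
    """Return (target, offending_prefix, actual_egress) for each violation.
    PAC servers must egress 'direct'; Zscaler ranges must use zscaler_egress."""
    findings = []
    expected = [(f"{ip}/32", "direct") for ip in pac_servers]
    expected += [(net, zscaler_egress) for net in zscaler_ranges]
    for target, want in expected:
        hits = effective_routes(target, routes)
        if not hits:
            findings.append((target, None, "unrouted"))
        for prefix, egress in hits:
            if egress != want:
                findings.append((target, str(prefix), egress))
    return findings


if __name__ == "__main__":
    for target, prefix, egress in audit(ROUTES, PAC_SERVERS, ZSCALER_RANGES):
        print(f"{target}: route {prefix} sends it via {egress}")
```

With the sample table, the audit flags the second PAC server (it follows the default route into the tunnel, so the PAC server would not see the real source IP) and the /26 route that pulls part of a Zscaler range out of the tunnel.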

Thanks for your detailed response.