How to provide internet access to on-prem servers?


We are studying Zscaler solutions (ZIA & ZPA) and one of our usecases consist in providing internet access to servers located in our datacenters on-premise.

After failing to find any relevant documents in the zscaler website for several days, I have decided to shoot the question here… Hoping that someone will be able to answer this one.

I’m guessing that a GRE or IPSec tunnel is needed from the datacenter edge device to the closest Zscaler edge node in order to establish the physical connectivity to the ZIA services… But that’s all I know so far.

I dont know if we can deploy Z Client Connector on servers as it is supposed to be for users. And I dont think the App Connector serves that purpose either as it seems to be only for ZPA (ie remote clients accessing on-prem servers).

You are correct, GRE/IPsec is the best way to handle server traffic from your DC today. For Servers into IaaS you can use Cloud Connector. App Connector you are right is on the destination side, not on the initiator side and is only for ZPA.

ZCC wasn’t necessarily designed for servers and getting ZCC enrolled could be challenging on a server as ZCC is enrolled via SAML auth. That being said for some use cases like VDI into AWS, you can install latest version of ZCC on Server OS since this is what their VDI solution use. But I would not install it on real server.

Once you have your GRE/IPsec in place you have two solutions, either your server is using a Proxy setting and you find a way to route that traffic (Proxy IP destination) to your tunnel, either you use your routing policy to transparently send the server traffic to your tunnel. You can definitely send all your Internet traffic to Zscaler since it can enforce policy on any type of traffic using the Cloud-Gen Firewall (you also have the IPS, DNS Control, etc.).

Also don’t forget to check with your sales rep/partner that you have necessary licensing/edition to send your workload traffic to Zscaler.

Hope it helps.

1 Like

Hi David,

Yes, GRE or IPSEC tunnels to Zscaler would accomplish what you are trying to achieve. Please see the following help article about design considerations:

Thanks but this link provide general info about deployment of gre tunnels.

My understanding is that there 's no way to provide precise zia access to on-prem servers and thus apply group based and/or server based policies (as tunnels are only location based)

David - if you drill down on that link, you can get further information about configuring the tunnels, but it sounds like you are referring to policy or more specifically, firewall policy for your servers. This is not a function of the tunnel itself, or as you noted, the location/sub-location settings, but of the firewall policy IMO. I would figure out what it is you are trying to accomplish with your servers and take a look at the firewall and advanced firewall rules to see if that makes sense. Filtering and control can be done by individual or groups of IP addresses/servers if you want, although the point of the Zscaler platform is use multiple layers of security and avoid individual, per-server policies if at all possible. And in today’s threat environment, the user and server traffic threats are significantly different and so too the security policies applied to them.

1 Like

I’m just trying to find out how the usecase of providing internet access to on-prem servers is addressed by zscaler. If the same level of granularity as the one provided to clients by zcc can be provided to on-prem servers by any zscaler products.

We already implemented this scenario and used a custom PAC File to forward traffic as we needed to bypass some Domain URLs. (this replaces the ZCC)

GRE is the recommended option as suggested by @Charles_Repain

You can use the combination of both PAC and GRE.

From Zscaler you enable and disable Zscaler features based on the IP address (e.g Turn off SSL inspection for a specific server)

You can use the above scenario without the need for user Authentication.


Thanks a lot. Very helpful.

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.