Looking for experiences with Z-scaler in China


(Patrik Jonsson) #1

Hi!
I used to live in China and I know that you can’t take anything for granted there with the Great Firewall.

We’re considering using Z-scaler Internet Access in China and I would like to know if someone here has attempted it. Has it been stable? Any issues accessing sites outside, or even inside China? Any input is good input.

Thanks in advance!

Kind regards,
Patrik


(Jones Leung) #2

Hi Patrik,

How are you?

As you can tell from my job title, I am one of the staff who is focusing on the China business.

We do have customers headquartered in China using our Zscaler Internet Access services from our public cloud for over a year. No need to mention other large multinational enterprises with large presence in China.

Zscaler has built two data centers in China, using local internet links partnering with local hosting companies, in order to follow the local regulations.

Best Regards,

Jones Leung

SE Manager, Greater China

Zscaler


(Andreas Kopplinger) #3

Hi,

Two of my customers also have severe issues with the performance in China. Performance decreases significantly if traffic is routed to ZENs in Shanghai or Tianjin. Without Zscaler, there are no issues. There are also no differences between web pages in China and out of China, like Europe.

They also experimented with different ISPs on their locations, but without success.

My information on the ZEN ISP providers:
Tianjin: China Unicom
Shanghai: China Telecom

My questions:

Can anybody confirm the ISP providers of the ZENs?

Has anybody also experienced such performance issues in China and was able to solve this?

Does China generally limit proxy traffic via the “Great Firewall”?

Thanks in advance.

Best regards

Andreas


(Patrik Jonsson) #4

Thanks guys! Will be interesting to read the reply from Jones.

Kind regards,
Patrik


(Jones Leung) #5

Hi Andreas,

Sad to hear about your bad experience with our China nodes.

We are using local ISP links within China, which means the traffic will stay inside the Great Firewall.

When you see the issue, may I know if there is any support ticket opened? Sometimes the issue may be due to unoptimized routing between ISPs, where we can use Z Analyzer to get more insight into it and improve it. That’s possible no matter whether it’s inside or outside China.

To Patrik,

If you really want to get more ideas about the experience of our China datacenters, we can always arrange a simple trial for it.

Best Regards,

Jones Leung

SE Manager, Greater China

Zscaler, Inc


(Andreas Kopplinger) #6

Hi,
Thanks for your reply.
Yes, there were tickets opened:
#698299 - this was opened by the customer, I don’t have access to the content.

The ticket number of the second customer is #592542.
This should contain MTRs and also Zscaler Analyzer results.
Best regards
Andreas


(Jones Leung) #7

Thanks Andreas.

I don’t have access to those full case details, but for the case opened by your customer, it seems the issue is with access to some of the overseas sites hosted pretty far away from Asia, instead of a general datacenter issue.

I can see that the case is still active and there are a lot of back and forth communications. I kindly encourage you to work with the customer and our support to see if there is any routing issue specific to those sites, or if it is the case that the customer's original ISP has actually done something value-added to make the direct access much better than the normal access speed when Zscaler is applied.

Feel free to get your local SE involved if any escalation is needed. I am sure they will be more than happy to help.

Best Regards,

Jones Leung

SE Manager, Greater China

Zscaler


(Andreas Kopplinger) #8

Hi,

Thanks for your assistance. I will ask both customers about routing optimization.

I will update this thread if we either get useful information or find a solution.
Best regards
Andreas


(Jones Leung) #9

Thx a lot Andreas!

Please do come back so that we can always get the latest feedback to improve our service.

Best Regards,

Jones Leung

SE Manager, Greater China

Zscaler


(Andreas Kopplinger) #10

Hi,

I just saw this on trust.zscaler.com:
Posted on: Mon, 25 Feb 2019 08:20:00 UTC
We are investigating an issue with our Tianjin and Shanghai datacenters. Users in China may experience intermittent performance degradation to sites outside mainland China, including Office365, going directly or through Zscaler. We are engaged with multiple service providers in China to resolve the issue.

This issue could be related to the behaviour my customers have seen.
Best regards
Andreas


(Mark Fellows) #11

Not sure if this is still active, but our TAM informed us that there are current issues with Zscaler Tianjin and Shanghai nodes accessing resources that are external to China.

The reason that we were given is a political one, as China have “Locked Down” the great firewall even further due to political conferences, and ISPs and providers are effectively in a change freeze during that period.

Obviously we cannot verify this ourselves, and when we route to other Zscaler nodes and our VZENs, access is fine, so the issue seems to be localized to China. I guess that is a risk of operating in China if you are a Global Business: you cannot have “unrestricted” access like most of the world.


(Johan Wouters) #12

Hello,

I want to share my experience and how we resolved some major performance issues regarding Zscaler ZENs in China.

We derived that performance is much better when you address your ZEN configuration based on IP address, which is not recommended by Zscaler but at least did the trick for our major accounts.

Eventually the philosophy is to keep everything as simple as possible and to avoid any DNS resolution or hitting the great China firewall with other protocols used to create tunnels.

Therefore the best way out is to create a separate pac-file for Chinese locations and have them use IP instead of DNS-names. Traffic forwarding will be pac-file based on IP location OR …over IPSEC/GRE

Whatever you do make sure it’s directed like below:

		 return "PROXY 221.122.91.34:10313; PROXY 165.225.102.34:10313; DIRECT";

Hopefully this helps, like it did for us.

Kr,

Johan Wouters
BT - Security Consultant
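
Added example (not part of the post above and not Zscaler's own code): a China-only PAC file built around the return line from the post, plus a hypothetical `auditProxyChain` helper that checks a PAC return string for entries that still depend on DNS and for a trailing `DIRECT`, which makes clients bypass the proxy when both ZENs are unreachable. The proxy IPs and port are the ones quoted in the post; the hostname in the test data is constructed.

```javascript
// Proxy chain exactly as quoted in the post: IP literals only, DIRECT last.
const CN_PROXY_CHAIN =
  "PROXY 221.122.91.34:10313; PROXY 165.225.102.34:10313; DIRECT";

// PAC entry point for the separate China PAC file. It calls no dnsResolve()
// or isResolvable(), so evaluating it never triggers a DNS lookup.
function FindProxyForURL(url, host) {
  return CN_PROXY_CHAIN;
}

// Hypothetical helper: parse a PAC return string and report
//  - proxies:      parsed {host, port} entries
//  - dnsDependent: proxy hosts that are not valid IPv4 literals
//  - failOpen:     true if DIRECT is present (traffic can skip inspection)
//  - errors:       entries that are not valid PAC proxy directives
function auditProxyChain(chain) {
  const ipv4 = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;
  const directive = /^(PROXY|HTTPS|SOCKS[45]?)\s+(\S+):(\d+)$/i;
  const report = { proxies: [], dnsDependent: [], failOpen: false, errors: [] };

  for (const raw of chain.split(";")) {
    const entry = raw.trim();
    if (entry === "") continue;
    if (entry.toUpperCase() === "DIRECT") {
      report.failOpen = true;
      continue;
    }
    const m = directive.exec(entry);
    const port = m ? Number(m[3]) : 0;
    if (!m || port < 1 || port > 65535) {
      report.errors.push(entry);
      continue;
    }
    const octets = ipv4.exec(m[2]);
    const isIp = octets !== null && octets.slice(1).every((o) => Number(o) <= 255);
    report.proxies.push({ host: m[2], port });
    if (!isIp) report.dnsDependent.push(m[2]);
  }
  return report;
}

// Audit what the China PAC file hands to clients.
console.log(auditProxyChain(FindProxyForURL("https://example.com/", "example.com")));
```

For the chain from the post the report shows two IP-literal proxies, no DNS-dependent entries, and `failOpen: true`; dropping `DIRECT` makes the chain fail closed instead, at the cost of no connectivity when both ZENs are down.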


(Thomas Quinlan) #13

Hi Johan,

You should be aware that this may have an impact with respect to service level agreements, one of the reasons it is not recommended.