Private Service Edge: how do I know it's working?

We have a branch office in Santiago de Chile, Chile, South America. We have App Connectors running at this office, allowing remote users access to applications which are hosted at this location as well.

ZCC uses the Public Service Edge in Sao Paulo, Brasil for - as far as I can see - 90% of the users in South America. This has a negative impact on application latency.

To solve this we have installed a ZPA Private Service Edge in the Santiago office. The SE is connected and uses Public Service Edge SA-BR-8568 (Sao Paulo, Brasil).
The public IP of the Private Service Edge is the WAN IP of the internet connection of the Santiago office. So it seems all is running properly.

However, when I check the ZPA diagnostics logs for user activity for users working remotely in Chile I still see that they connect via one of the Public Service Edges in Sao Paulo. When I filter the logs for “Service Edge Type = Private” I get no results.

My question: how do I enforce that the Private Service Edge is used? I’ve correctly specified the location of the Private Service Edge.

Private Service Edge Group configuration:
Status: Enabled
Publicly Accessible: Disabled
Client Connector Trusted Networks: our company’s trusted networks
Service Edge Location: Santiago, Santiago Metropolitan Region, Chile (shows correctly on the map)

Service Edge configuration:
Publish IPs or Domains: no values entered
Listen IPs: no values entered


Hi Glen,

Do you see the public and private IP addresses when you check the PSE health? Also, when you validate the configuration under Service Edges, the public and private IPs should be shown.

I cleared my PSE config of publish ip and listen IPs, and the PSE shows correctly.

When connected to a trusted network that has been configured for the Service Edge group, the Client Connector will show Network Type “Trusted Network” and the broker as the Private Service Edge.

If the client connector is unable to connect to the private service edge, it will connect to the public service edge. Client connector logs will show this.

User activity logs will show the service edge, and using the filter as you’ve described will filter logs as appropriate.

Are you testing from a trusted location? If so, and the traffic from client to PSE traverses a firewall, check that the traffic is permitted.

If testing for a user off-network, the PSE must be configured to be publicly accessible, and inbound firewall policy must be configured to allow traffic towards the listener.

Thanks,
Dan
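One way to run the check Dan describes (filter the user activity logs by service edge type and spot users who are still falling back to a Public SE), as an added example that is not from the thread or from Zscaler; the record field names and the sample records are constructed assumptions, not the real export schema:

```python
import json
from collections import Counter

# Added example, not from the thread or Zscaler. The field names below
# (Username, Country, ServiceEdgeType, ServiceEdge) are assumptions modelled on
# the log filters the thread describes; map them onto your real export.
# Constructed sample of ZPA user-activity records, one JSON object per line.
SAMPLE_LOG = """\
{"Username": "alice@example.com", "Country": "CL", "ServiceEdgeType": "Public", "ServiceEdge": "SA-BR-8568"}
{"Username": "bob@example.com", "Country": "CL", "ServiceEdgeType": "Private", "ServiceEdge": "PSE-Santiago"}
{"Username": "carla@example.com", "Country": "CL", "ServiceEdgeType": "Public", "ServiceEdge": "SA-BR-8568"}
{"Username": "dave@example.com", "Country": "BR", "ServiceEdgeType": "Public", "ServiceEdge": "SA-BR-8568"}
{"Username": "bob@example.com", "Country": "CL", "ServiceEdgeType": "Private", "ServiceEdge": "PSE-Santiago"}
"""


def parse_records(text):
    """Parse a JSON-lines export into dicts, skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a truncated or non-JSON line should not abort the check
    return records


def summarize_service_edge_usage(records, expected_country):
    """Count hits per service edge type and name, and list users from
    expected_country still landing on a Public SE (ZCC falls back to a Public
    SE when it cannot reach the PSE, so those users are the ones to investigate)."""
    by_type = Counter(r.get("ServiceEdgeType", "Unknown") for r in records)
    by_edge = Counter(r.get("ServiceEdge", "Unknown") for r in records)
    fallback_users = sorted({
        r["Username"] for r in records
        if r.get("Country") == expected_country and r.get("ServiceEdgeType") == "Public"
    })
    return {
        "by_type": dict(by_type),
        "by_edge": dict(by_edge),
        "fallback_users": fallback_users,
        "pse_in_use": by_type["Private"] > 0,
    }


if __name__ == "__main__":
    print(json.dumps(summarize_service_edge_usage(parse_records(SAMPLE_LOG), "CL"), indent=2))
```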

Hi Dan,

Many thanks for the quick response!

Yes, I see the public and private IP addresses of the PSE when I check its health in the ZPA dashboard. The dashboard shows that the PSE is online (green arrow).

I’m new to PSE and your reply has made things a bit clearer. I hope you don’t mind me posing a few follow-up questions:

We don’t need the PSE to be accessible from trusted networks. We only need it to be accessible from untrusted networks (i.e. remote workers) so that their ZCC can use a service edge which is geographically closer to the applications than the Public Service Edges which Zscaler hosts in South America.

I’m guessing I would then firstly need to clear the Client Connector Trusted Network values, and secondly enable the Publicly Accessible setting. Is that correct?
If so: which other settings will I need to enable or enter a value for: Listen IP? (If so, which IP would I specify here?) And which inbound traffic would I need to allow on our firewall? I couldn’t find any specifics for this on http://config.zscaler.com/

Hi Glen,

You should only need to make the ZPA PSE group publicly accessible for this requirement.

Thanks Dan, I’ve configured the PSE group accordingly. So no need to open up firewall rules to allow specific incoming traffic?

You should open incoming rules if the PSE is going to be used from a public location. For example, ZCC traffic from the internet to the PSE requires incoming policies.

Check out config.zscaler.com for port opening requirements…

Ah okay. And in this case the PSE will only be used for ZPA, so no need to open up incoming traffic right?

App Connectors and Client Connector will use this PSE if incoming ports are opened. Decide the deployment model accordingly: whether the PSE is only for internal users within the local network, or publicly available.

The PSE will only be publicly available. We want to provide our users a PSE which is geographically closer than the Public SEs hosted by Zscaler. Which incoming ports would I need to open in this scenario?

Geographic availability can be ensured by configuring the PSE group with the right location details. The Zscaler cloud will use those location coordinates to decide which PSE is nearer to the user and App Connector.

You should enable inbound access to expose the PSE to the public.

Regards
Ramesh M

Thanks Ramesh. Can you please tell me which ports I need to open for the inbound access you’re referring to?

Port number 443 for users and connectors to access the PSE public IP address.

Hi Ramesh,

I’ve created a firewall rule which allows inbound TCP/443 to the PSE. At which point will ZCC know that this PSE is available for connecting to?

Thus far I don’t see any incoming traffic from Zscaler IP addresses. I do see other incoming HTTPS traffic, which is due to the rule allowing incoming HTTPS from any remote host (for testing purposes).

Have you configured this? This is done after the PSE is ready and shown in the portal. Edit it and do the config…

  • Publish IPs or Domains: The IP addresses and domains that clients and App Connectors can use to open a connection to the ZPA Private Service Edge. If this is not specified, then the clients and App Connectors will try to connect using the Listen IPs. The primary use case is where you want to specify a ZPA Private Service Edge by name and use a Domain Name System (DNS) to find it. Another use case is where the IP address that clients and App Connectors use to connect to the ZPA Private Service Edge isn’t actually a part of the ZPA Private Service Edge; it is a static external IP the Service Edge system (e.g., AWS) controls.
    You can add or remove IPs and domains when editing a ZPA Private Service Edge.
  • Listen IPs: The interface addresses for the Service Edge system that the ZPA Private Service Edge listens to for connection requests from clients and App Connectors only at set addresses. If not configured, the ZPA Private Service Edge automatically listens to all interfaces. The common use case is to not specify any Listen IPs.
    You can add or remove IPs when editing a ZPA Private Service Edge.

I’ve left both fields empty, which - as I understand - means it will use the Listen IP and will listen on all interfaces for this.

In this case your interfaces should be configured with public IP addresses.

Hi Ramesh,

Many thanks for your help! After assigning the public IP address the PSE became available. We see in the logs that this PSE is used by ZCC in that region.

Thanks!
