Source IP Anchoring

Hello Zscaler community,

I have a requirement where my client has 40 third-party sites which allow access only from 2 specific IPs of my company. I have proposed that they use the SIPA feature of Zscaler ZPA, but I am confused on some points. I do know that the client needs to buy an App Connector and install it in their data centre, but:

  1. I am not clear on the traffic flow. Will my users go to the ZPA cloud and then back to the App Connector?

  2. Where do I install the App Connector? Will it be inside the DC? In the current scenario, the public IP is configured on a Bluecoat proxy, so where should I install the connector in the DC? I know the connector has to be given internet access to talk to the cloud.

  3. Very important: I am not able to find out in the Zscaler documentation how the connector helps specific traffic destined for www.xyz.com to get a specific source IP (e.g. 1.1.1.1). I am asking this because eventually the perimeter device is always a firewall or proxy and NATing is always done there, so how can the App Connector instruct specific traffic to take a specified source IP?

Need advice.

Hi,

The traffic flow is like ZCC <-> ZS cloud <-> SIPA connector <-> www.xyz.com.
You will only ever reach the connector if 'the cloud' gives its blessing, meaning all policies etc. allow you. Then the established links your SIPA and your ZCC client have to the cloud are interconnected.

The IP www.xyz.com ‘sees’ will be the public IP you assigned to your SIPA connector (or the NAT in front of it uses for it).

SIPA connectors can be placed more or less anywhere in your network and you can install as many as you want.
But you need to consider e.g. bandwidth needs. All traffic to www.xyz.com will be seen twice: inbound to the connector and outbound to the real destination.
Another thing to consider is that in some cases 3rd parties are more relaxed than others.

Some may only require 'we allow you just one/two IPs'. These are the easy ones; it doesn't matter where you have a connector for them, any can handle this task.

Others may require 'we only allow IPs from country XY'. In this case you need to set up a connector in that country.

And there are the picky ones: 'we only allow IPs owned by your company'. Here you have a problem when you do not have your own IP range you can use.

The worst ones use a combination of ‘only IPs from this country AND IP must be owned by your company’.

Hope this helps,
tS


Hi Thomas,

Thanks for sharing your inputs. I need some more clarity on some of the points you highlighted:

  1. "The traffic flow is like ZCC <-> ZS cloud <-> SIPA connector <-> www.xyz.com"
    What does ZS cloud mean? My understanding is that the flow should be ZCC -> ZIA -> ZPA -> SIPA connector -> xyz.com. Do you mean the same?

  2. "The IP www.xyz.com 'sees' will be the public IP you assigned to your SIPA connector (or the NAT in front of it uses for it)."
    Now this is the place where I am confused. Does my App Connector act as a NATing device and NAT the source IP to the preferred IP? Or does it simply forward the traffic towards the perimeter device, i.e. the firewall, and then the firewall NATs the source to the IP which needs to be whitelisted?

Both your SIPA connector and your ZCC client will connect to their nearest ZPA cloud SE.
So it could be that, say, your client connects to the ZIA SE and ZPA SE in FRA, while your SIPA has a connection to ZPA in AMS. ZIA (together with ZPA) will figure out the shortest path from your client to the SIPA.
Not sure if the SIPA connector itself can do NAT. In my setup the SIPA has only an internal IP configured and the FW in front does the NAT to one of our public IPs.
When you check in the ZPA portal you will see that your SIPA has two IP addresses.
When talking about a 'full ZPA connector', the internal IP is the IP internal systems see when a user comes in via ZPA.
(And yes, getting used to how SIPA/ZPA works and setting up the first (few) connectors is a bit ... challenging.)


In your setup, if the firewall is doing NAT, then that means the connectors are just forwarding default traffic towards the firewall. So it is acting just as a medium which helps traffic from all over the world land in the DC and sends everything towards the firewall. Correct?

I also assume that in your setup you must have a NAT policy on the firewall which says that if traffic is destined for xyz.com, then assign only the preferred IP to it. Right?

Actually my connector has a default route pointing to the FW and dedicated routes to the internal network.
So both traffic to the ZPA cloud and traffic towards www.xyz.com use the very same IP.
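As an added illustration of the "NAT policy on the firewall" the thread keeps coming back to (this is not from the thread, from Zscaler documentation or from any participant's setup), here is what that policy looks like on a Linux/nftables firewall standing in for whatever perimeter device is in front of the connector. All addresses are assumptions: the connector's internal IP 10.0.10.5, the outside interface eth0, 1.1.1.1 as the IP the thread uses for the whitelisted address, and documentation-range placeholders 203.0.113.10 (general egress IP) and 198.51.100.20 (the current A record of www.xyz.com).

```nft
# Added example, not from the thread or from Zscaler.
# Assumed (hypothetical) values: SIPA connector at 10.0.10.5 behind an
# nftables firewall whose outside interface is eth0; 1.1.1.1 is the
# whitelisted source IP from the thread; 203.0.113.10 and 198.51.100.20 are
# placeholders for the default egress IP and the address of www.xyz.com.
table ip sipa_egress {
    # A firewall NATs on addresses, not names. Resolve www.xyz.com out of
    # band and keep this set current; if the record changes and the set does
    # not, the flow falls through to the default rule below and the third
    # party sees the wrong source IP.
    set xyz_destinations {
        type ipv4_addr
        elements = { 198.51.100.20 }
    }

    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;

        # Policy NAT: connector traffic to the third party leaves as 1.1.1.1.
        # 1.1.1.1 must be configured on, or routed to, eth0 for return
        # traffic to come back to this firewall.
        oifname "eth0" ip saddr 10.0.10.5 ip daddr @xyz_destinations \
            snat to 1.1.1.1 comment "SIPA to whitelisted third party"

        # Everything else from the connector, including its own tunnels to
        # the ZPA cloud, uses the general egress IP.
        oifname "eth0" ip saddr 10.0.10.5 snat to 203.0.113.10 \
            comment "SIPA default egress"
    }
}
```

The connector itself only needs what the reply above describes: a default route to the firewall and nothing else special. Load the file with `nft -f`, confirm with `nft list ruleset`, and then check from a ZCC client that a request through the SIPA application segment to www.xyz.com is logged by the third party as coming from 1.1.1.1 while the connector's registration with the ZPA cloud still shows 203.0.113.10 in the ZPA portal. Collapsing both rules into one `snat to 1.1.1.1` (as in the single-IP setup the reply describes) is also fine as long as the third parties accept that same address.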