ZCC or GRE Tunnel in Office network

Which is best: ZCC or GRE tunnel inside office network?

What are advantages/disadvantages of using ZCC / GRE tunnel for web traffic routing via Zscaler Cloud?


The short answer is: Use both.

Using both will bring the following benefits:

1 - GRE will bring more speed (1 Gbps and sometimes more) than when using ZCC + NAT via single Public IP (~300 Mbps).
2 - GRE will provide complete visibility of internal IPs. Perfect for FW rules or “Sublocation” creations.
3 - GRE will protect devices that cannot use ZCC (Some servers, Linux boxes, or other devices).
4 - ZCC will alleviate the maintenance of “Authentication Bypasses”. Authentication Bypass is not a minor point. The ZCC tunnel is authenticated, and all traffic inside the ZCC tunnel will be authenticated as well. Without ZCC, you will find that some scripts or software that do not support “cookies” will be required to be bypassed manually (and this can be an arduous task).

I hope this helps.

Adrian Larsen
Maidenhead Bridge
Cloud Security Connectors for Zscaler (AWS, Azure, Gcloud and VMware)

1 Like

Thanks much for the quick reply. Really appreciate it.

If you are running Tunnel 1.0 that’s fine to bring across the tunnel. If you’re running Tunnel 2.0 let that specific traffic pass out without using the tunnel, it’s not necessary. If needed you can create a profile to downshift to Tunnel 1.0 or disable ZCC (other than for auth) while in the office or a physical location that has a GRE tunnel.

This all really depends on the use case - hands down a GRE tunnel using policy based routing will be faster than an IPsec VPN tunnel or the native Zscaler Client Connector.

GRE tunnel bonuses: device monitoring for things that cannot run an agent but can install a certificate for trust, allowing for authentication on devices or forcing authentication for visibility and tracking of where the device/user is going (server OS, appliance, non-standard devices). These GRE tunnels allow for Location level policy, IPs, Firewall, Sandbox, and bandwidth policies.

However, the strength of the Zscaler client connector is really seen in the flexibility of the engine to supply authentication, which can raise a user up out of the standard tunnel traffic policies - especially in an environment where agents everywhere are not needed (VDI deployments (non-persistent), or only on devices that leave the four walls of the enterprise sites).

There are several simple policy adjustments that can be made to tailor the ZCC application to the network it detects, and run appropriately within those confines or restrictions.

In the end the two are symbiotic: each can complement the other and provide extended protections to multiple devices and users that would not normally be able to use the one solution or the other.

1 Like

Be careful of NAT Exhaustion and Hide NAT Failures if not using GRE.

Hi Adrian -

Follow up question on this for you -

Currently have GRE tunnel in place, together with policy based routing - which is working well for us.

If we were to deploy ZCC at the same time, does this still use the GRE tunnel for connectivity - or do we need to have access for the clients to the Zscaler Cloud Enforcement nodes / Zscaler PAC IPs etc in place - as defined in the Config | Zscaler document?

Hi Tom,

ZCC will use the GRE tunnel for connectivity if you do policy based routing of the traffic. Nothing else will be needed.

Of course, it will be good to have the rules on your FW (to Zscaler destinations: ZEN nodes, PAC files and ZCC services) ready in case the GRE tunnels are down. At least, people with ZCC will continue working.

Best regards

Adrian Larsen
Maidenhead Bridge
Cloud Security Connectors for Zscaler Internet Access (on AWS, Azure, Gcloud and VMware)

1 Like