ZCC or GRE Tunnel in Office network

Which is best, ZCC or a GRE tunnel, inside an office network?

What are advantages/disadvantages of using ZCC / GRE tunnel for web traffic routing via Zscaler Cloud?



The short answer is: Use both.

Using both will bring the following benefits:

1 - GRE will bring more speed (1 Gbps and sometimes more) than when using ZCC + NAT via a single Public IP (~300 Mbps).
2 - GRE will provide complete visibility of internal IPs. Perfect for FW rules or “Sublocation” creations.
3 - GRE will protect devices that cannot use ZCC (Some servers, Linux boxes, or other devices).
4 - ZCC will alleviate the maintenance of “Authentication Bypasses”. Authentication Bypass is not a minor point. The ZCC tunnel is authenticated, and all traffic inside the ZCC tunnel will be authenticated as well. Without ZCC, you will find that some scripts or software that do not support “cookies” will be required to be bypassed manually (and this can be an arduous task).

I hope this helps.

Adrian Larsen
Maidenhead Bridge
Cloud Security Connectors for Zscaler (AWS, Azure, Gcloud and VMware)


Thanks much for the quick reply. Really appreciate it.

If you are running Tunnel 1.0, that’s fine to bring across the tunnel. If you’re running Tunnel 2.0, let that specific traffic pass out without using the tunnel; it’s not necessary. If needed, you can create a profile to downshift to Tunnel 1.0 or disable ZCC (other than for auth) while in the office or a physical location that has a GRE tunnel.

This all really depends on the use case - hands down a GRE tunnel using policy based routing will be faster than an IPsec VPN tunnel or the native Zscaler Client Connector.

GRE tunnel bonuses: device monitoring for things that cannot run an agent but can install a certificate for trust, allowing for authentication on devices or forcing authentication for visibility and tracking of where the device/user is going (server OS, appliance, non-standard devices). These GRE tunnels allow for Location-level policy, IPs, Firewall, Sandbox, and bandwidth policies.

However, the strength of the Zscaler Client Connector is really seen in the flexibility of the engine to supply authentication, which can raise a user up out of the standard tunnel traffic policies, especially in an environment where agents everywhere are not needed (VDI deployments (non-persistent), or only on devices that leave the four walls of the enterprise sites).

There are several simple policy adjustments that can be made to tailor the ZCC application to the network it detects, and run appropriately within those confines or restrictions.

In the end the two are symbiotic: each can complement the other and provide extended protections to multiple devices and users that would not normally be able to use the one solution or the other.


Be careful of NAT Exhaustion and Hide NAT Failures if not using GRE.

Hi Adrian -

Follow up question on this for you -

We currently have a GRE tunnel in place, together with policy-based routing, which is working well for us.

If we were to deploy ZCC at the same time, does this still use the GRE tunnel for connectivity, or do we need to have access for the clients to the Zscaler Cloud Enforcement nodes / Zscaler PAC IPs etc. in place, as defined in the Config | Zscaler document?

Hi Tom,

ZCC will use the GRE tunnel for connectivity if you do policy-based routing of the traffic. Nothing else will be needed.

Of course, it will be good to have the rules on your FW (to Zscaler destinations: ZEN nodes, PAC files and ZCC services) ready in case the GRE tunnels are down. At least, people with ZCC will continue working.

Best regards

Adrian Larsen
Maidenhead Bridge
Cloud Security Connectors for Zscaler Internet Access (on AWS, Azure, Gcloud and VMware)


Does the Maidenhead Bridge support the zscalergov cloud? Also, will it forward traffic to ZPA for apps where we have a created App Segment?

Hi Dan

Yes, Maidenhead Bridge Cloud supports the zscalergov cloud, but the Cloud Security Connector (CSC) is for Zscaler Internet Access (ZIA) only. Traffic to the ZPA cloud requires ZPA connectors.

Best regards

Adrian Larsen
Maidenhead Bridge

Okay, perfect! For a little bit of context regarding my question about ZPA, we’re trying to get traffic from AWS AppStream apps into ZIA and ZPA for enforcement. We have App Connectors installed in the two customer data centres, so all apps are reachable from the Zscaler cloud as a whole. Would Maidenhead allow us to achieve that based on that additional context?

Ok. I understood. We have customers using AWS AppStream with the default route via the CSC and accessing internal applications via ZPA Browser Access. With this design, the customer can achieve ZIA (FW & Web) & ZPA protection without installing any client on AWS AppStream.

Perfect, thanks for confirming!

What devices can’t use Client Connector? Be specific please.
What are the worst-case scenarios if we use only Client Connector (without GRE or PAC)?
What is the list of things that GRE can do and Client Connector can’t?
Is it so regardless of the size of the company?

Devices that do not run Windows, macOS, iOS, Android, and certain versions of Linux cannot use ZCC. This means things like IoT devices, switches, routers, virtual hosting infrastructure, etc.

Personally, I think you should use ZCC whenever possible because of the enhanced visibility you gain and only use GRE to enforce traffic from devices that cannot run ZCC.