Zscaler APP Traffic forwarding


(Rajeev Srikant) #1

I have users in a branch who are mobile users (mostly).
My branch will be configured for local internet breakout (GRE / IPSec).
Since the users will be mobile, I am planning to have zAPP installed (so that even if they connect via a non-corporate network their traffic will be protected via Zscaler).

I have the below questions.

  1. When the user is connected to the corporate network, how will the traffic flow?
    - It should take the GRE/IPSec tunnel to reach Zscaler via local breakout. Is this possible?
    - ZApp should be used only when connecting to an untrusted network.

  2. Also, for certain SaaS applications like Salesforce, it should not go via Zscaler; instead it should be forwarded to our existing proxy (no internet breakout).
    - Is this possible?


(Shameel Ahmed) #2

Hi Rajeev,

  1. When the user is connected to the corporate network, how will the traffic flow?
  • It should take the GRE/IPSec tunnel to reach Zscaler via local breakout. Is this possible?
  • ZApp should be used only when connecting to an untrusted network.

A) Yes, you can set a trusted network condition in the forwarding profile and set the ZApp to None on the trusted network.
This will turn the ZApp off when on a trusted network and use the GRE/IPSec tunnel to reach Zscaler.

  2. Also, for certain SaaS applications like Salesforce, it should not go via Zscaler; instead it should be forwarded to our existing proxy (no internet breakout).
  • Is this possible?

A) You can use Tunnel with Local Proxy as the mechanism to forward the traffic to Zscaler, and in the PAC file that will be added, use your exceptions to send traffic for Salesforce etc. to the internal proxy.

Hope this helps.

Regards
Shameel


(Rajeev Srikant) #3

Thanks Shameel

  1. When the user is connected to the corporate network, how will the traffic flow?
  • It should take the GRE/IPSec tunnel to reach Zscaler via local breakout. Is this possible?
  • ZApp should be used only when connecting to an untrusted network.

A) Yes, you can set a trusted network condition in the forwarding profile and set the ZApp to None on the trusted network.
This will turn the ZApp off when on a trusted network and use the GRE/IPSec tunnel to reach Zscaler.
Rajeev - Understood that in a trusted network the zAPP will be off and it will use the tunnel for internet breakout.
In this scenario, how can I achieve the below?

  1. How will the users' traffic get to Zscaler? The user PC will not have any PAC or zAPP running. In this case, how exactly does Zscaler act as a proxy? How will the end user PC know that Zscaler is the proxy in GRE/IPsec tunnel mode?

  2. Office 365 will bypass Zscaler and go directly to O365.

  3. Salesforce will go through our data center proxy.

  4. The rest of the internet traffic will break out via Zscaler.

I am not clear how to achieve this.
Should I configure my SD-WAN to send Salesforce traffic to my existing proxy and configure my SD-WAN to send O365 directly?

I am not clear whether Zscaler needs to segregate the traffic or whether it is done at the SD-WAN level.


(Shameel Ahmed) #4

So in a transparent mode scenario, your machine will send the traffic to the default gateway (in this case your edge device, which has the GRE/IPSec tunnel).
The bypasses for Salesforce/O365 need to be added in your edge device in such a way that the traffic destined for Salesforce/O365 goes directly / to your DC, and the rest of the traffic takes the tunnel.

Hope this helps.

Regards
Shameel


(Rajeev Srikant) #5

Thanks Shameel

Sorry for asking many questions.
So in this case I don't need any PAC file on the end user PC, right?
Only zAPP.

In tunnel mode there is no requirement for a PAC on the end user PC?


(Shameel Ahmed) #6

No, if you are using Zscaler in tunnel mode then there is no need for the PAC in the browser; you can put any exception in the App Profile PAC in case you need any exceptions that the App needs to take care of.

As for the Zscaler recommendation:
Use Tunnel mode with LWF, or use Tunnel with Local Proxy (this involves a PAC which is pushed by the ZApp itself).

Regards
Shameel
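The exception-handling described in #2 and #6 for the Tunnel with Local Proxy mechanism, shown as an added example PAC file (this is not Zscaler's or the thread's own code). The local proxy port, the internal DC proxy address and the Salesforce / Office 365 domain lists are assumed placeholder values; plain string matching is used instead of the PAC helper functions so the file also runs outside a browser.

```javascript
// Added example PAC in the shape ZApp's Tunnel with Local Proxy would push.
// Hypothetical: ZApp local proxy listening on the loopback interface.
var ZSCALER_LOCAL_PROXY = "PROXY 127.0.0.1:9000";
// Hypothetical: existing data-center proxy that must handle Salesforce traffic.
var DC_PROXY = "PROXY proxy.corp.example:8080";

// Constructed sample lists; a real deployment takes these from the
// vendor-published domain lists and keeps them current.
var SALESFORCE_DOMAINS = ["salesforce.com", "force.com", "salesforceliveagent.com"];
var O365_DOMAINS = ["office.com", "office365.com", "microsoftonline.com", "outlook.com"];

// True when host equals one of the domains or is a subdomain of it
// (suffix match on a dot boundary, so "notsalesforce.com" does not match).
function hostInDomains(host, domains) {
  host = host.toLowerCase();
  for (var i = 0; i < domains.length; i++) {
    var d = domains[i];
    if (host === d || host.slice(-(d.length + 1)) === "." + d) return true;
  }
  return false;
}

function FindProxyForURL(url, host) {
  // Plain hostnames and RFC 1918 / loopback addresses stay inside the network.
  if (host.indexOf(".") === -1 ||
      /^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|127\.)/.test(host)) {
    return "DIRECT";
  }
  // Salesforce: steer to the existing DC proxy (no local breakout).
  if (hostInDomains(host, SALESFORCE_DOMAINS)) return DC_PROXY;
  // Office 365: bypass Zscaler entirely.
  if (hostInDomains(host, O365_DOMAINS)) return "DIRECT";
  // Everything else: local breakout through the ZApp local proxy to Zscaler.
  return ZSCALER_LOCAL_PROXY;
}
```

Note that a PAC only steers browser and proxy-aware traffic; in the transparent GRE/IPSec case from #4 the same bypasses must live on the edge device instead.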


(Rajeev Srikant) #7

Thanks. Then in GRE mode, where there is no PAC file on the end PC (only zAPP, which will be turned off while on the trusted network), is it required to publish the DNS into our network so that the user can reach the web site via Zscaler?
What is not clear to me is how DNS resolution works.


(Shameel Ahmed) #8

Yes, in transparent mode TF. The DNS resolution happens on the client machine, so yes, you will need to have a legitimate DNS server for your machines which can resolve the FQDNs.

Regards
Shameel


(Rajeev Srikant) #9

Thanks Shameel

Is there any document which explains that the zAPP will be turned off when connecting to the trusted network?
If so, can you please share it?


(Shameel Ahmed) #10

Hello Rajeev,

https://help.zscaler.com/z-app/zscaler-app-step-step-configuration-guide

https://help.zscaler.com/z-app/configuring-forwarding-profiles-zscaler-app

Hope these help


(Rajeev Srikant) #11

Thanks Shameel

I have gone through the links and below is my understanding.
The network type will be selected as "On Trusted Network" and its corresponding forwarding profile should be set as "None".

Let me know if my understanding is right.
If this is right, does it really turn off the zAPP, or does it just ignore the zAPP configuration?
I am not able to find exactly where it is mentioned that zAPP is off on a trusted network.


(Shameel Ahmed) #12

Hello Rajeev,

So basically it does not do anything after you log in to ZApp when it's set to None. It will NOT create any tunnel or apply any PAC file. You can also open a support ticket so that an engineer can hop onto a quick call with you and address any concerns that you may have.

Regards
Shameel