Zscaler Internet Access (ZIA) and Application Layer Gateway (ALG) enabled applications

The best practice for customers using IPSEC/GRE tunnels is to send all ports and protocols through the tunnels. However, there are some protocols that currently cannot be properly handled by the Zscaler nodes. These protocols require an “Application Layer Gateway” feature in order to be properly handled by a firewall.

What is the Application Layer Gateway feature?

Some protocols use separate data and communication channels for the transmission. The communication channel can contain information about ephemeral TCP/UDP ports used by the data channel and information about client/server IP address. In general, the Application Layer Gateway (ALG) allows the network device to check the application payload in order to convert the network layer address information, synchronize between multiple streams/sessions of data between two hosts exchanging data or recognize application-specific commands and offer granular security controls over them. The ALG feature can be used for multiple protocols like MSRPC, SUNRPC, SQL, SIP, RTSP, H323, MGCP, SCCP, FTP etc.
Here is an example of how the ALG feature handles SIP/H323 protocol:
SIP/H323 protocol requires special handling when passing through a Stateful Packet Inspection (SPI) firewall. Firewalls need ALG to handle SIP/H323 protocols. When the phone starts the call, it makes a connection to the PBX server on UDP port 5060. This is used as the control connection to exchange the audio connection ports between the phone and PBX. The SPI firewall needs to intercept this connection and learn the audio exchange ports/IP addresses and open the inbound and outbound ports dynamically. This is handled by the ALG feature.

More information about the ALG can be found in the articles below:


How Zscaler handles the traffic which requires the ALG feature?
Currently, Zscaler Cloud Firewall supports the ALG feature for the following two protocols:
-Passive FTP
-PPTP

The ALG support for other protocols is in our road-map, but currently, protocols for which the ALG feature is not implemented on the Zscaler cloud firewall (like Active FTP, SIP or VOIP) should be bypassed from Zscaler.

Hi Robert,

Thanks for sharing this information. Could I kindly ask for a estimated implementation of ALG feature for the SIP?

Thanks,
Patrick

Hello Robert,
we are also interested for the current roadmap for ALG feature SIP/VOIP.
Is there any possibility to see the current road map?

Kind Regards
Stephen

Hi Stephen,

For me the SIP works now with Zscaler.

I use Polycom telephones which are connected via UDP Port 5060 with SIP to a Asterisk PBX and use a RTP stream for the calls. I had to set the NAT keepalive to 30 seconds and RTP ip address filter to disabled on the Polycom have a stable connection.

Best Regards,
Patrick

Hello,
Could someone help me
Using zscaler to connect remoteley and connecting my jabber to the CUCM,
Jabber connect properly to the CUCM and showing the status connected and sending messages well. BUT when making a call, no voice heard from both sides
I noticed that all zscaler users registered on the CUCM with the same IP address. Is this the problem?
Thanks in advance

Hello,

Is Active FTP now supported on ZIA? I can’t find an article outlining that it’s not supported. I could find one for ZPA, but nothing for ZIA.

Thanks!