Introducing the Cloud Security Connector (GRE) (CSC-GRE)
The Cloud Security Connector - GRE (CSC-GRE) solves the problems that arise when connecting to Zscaler over legacy LAN / WAN / Internet technology that is not ready for connecting to cloud services.
Firewalls, routers and SD-WAN devices are not the right tool when you need to provide high availability to proxy servers. An Application Delivery Controller is the right tool. The Cloud Security Connector was designed to provide the best user experience, like Application Delivery Controllers. The CSC has a resilient algorithm that validates several parameters to guarantee that the best choice for delivering traffic is selected.
The CSC-GRE is a virtual machine that works on VMware, KVM, Xen or Hyper-V. We also provide a hardware version when needed, using small industrial-grade servers.
No configuration is required. When buying the CSC-GRE, you just need to fill in your IP addressing information, and you will receive a link to download the VM fully configured with the correct parameters for Zscaler Web Security Services.
With several years of experience connecting Zscaler customers using major firewall and routing vendors, we learnt that a new device is needed and that no major vendor can provide the right solution.
Benefits of the Cloud Security Connector (GRE)
- No networking knowledge required to connect to Zscaler.
- Direct replacement for your current Web Security Appliance.
- Enables any location to be connected to Zscaler Cloud Security Services up to 1 Gbps.
- Full tunnel redundancy.
- Full local redundancy (clustering).
- VIP proxy to direct the traffic to Zscaler.
- Bypass proxy to send the traffic directly to the Internet.
- Configuration as a service: just fill in a form with your IPs and gateways, and you will receive your CSC ready for use in 24 hours.
- All parametrization required for Zscaler is already configured with the optimal values.
- All Zscaler functionalities can be used: Firewall and Web Security.
- Full visibility of internal IPs.
- No operational burden for Administrators.
- Fully hardened device.
- No dedicated public IPs required. Works behind a NAT.
- All virtual platforms supported: VMware, KVM, VirtualBox, etc.
- Hardware version available if required.
- One-click status and configuration. This shows 25 values and does 14 checks.
- Amazon AWS management.
- Zscaler API Ready.
- MTR (MyTraceRoute) test to the Zscaler nodes and in the reverse path as well.
- Speedtest.net integrated.
- Works in scenarios with no default route.
- No changes to your network are required. You can place the internal interface of the CSC on the same subnet as your current Web Security Solution.
- Small OVA instance: 1 CPU, 1 GB RAM, 4 GB Disk
Challenges when connecting to Zscaler's datacenters
When connecting to Zscaler's datacenters, the best way is to use GRE tunnels because you can achieve full speed and visibility.
Unfortunately, GRE tunnels are not supported by major firewall vendors.
Here are the three main methods to connect a branch to Zscaler, with their capabilities or restrictions:
- GRE tunnels: No limits on bandwidth, full visibility of internal IP.
- IPSec tunnels: Up to 200 Mbps bandwidth, full visibility of internal IP.
- No tunnel (using PAC files and Public Source IP): Up to 300 Mbps bandwidth, no visibility of internal IP (*)
(*) IMPORTANT: Without visibility of internal IPs, it is not possible to identify infected (zombie) machines.
In addition, most (nearly all) firewall vendors don't provide a proper way to do Layer 7 keepalives to validate the status of the ZEN nodes, which breaks the Zscaler SLA.