I’ve been comparing SSL decryption services and devices, and Zscaler is much more than that. It’s an all-in-one, awesome cloud-based solution: content filtering, SSL decryption, DLP, bandwidth control (quotas), IPS and malware prevention (including sandboxing).

And it works with mobile devices, even when they’re roaming!

The solution consists of GRE tunnels out to multiple Zscaler cloud nodes. Customers use policy-based routing to send classes of outbound traffic over the tunnels, and Zscaler performs its magic. The solution then sends logs and data back wherever, and in whatever format, is desired. They also have inline cloud presence at every major provider. The mobile solution is an app that proxies web traffic to their clouds.

More info: https://www.zscaler.com/

Lab Diagram:

Here are some of the things you can do with the solution.

Lab router config:

! GRE tunnels to two Zscaler cloud nodes; TCP MSS is clamped to 1300 so packets still fit after GRE encapsulation
interface Tunnel1
 ip address 172.X.X.X 255.255.255.252
 ip tcp adjust-mss 1300
 tunnel source GigabitEthernet1
 tunnel destination Z.Z.Z.Z
 ip virtual-reassembly
!
interface Tunnel2
 ip address 172.Y.Y.Y 255.255.255.252
 ip tcp adjust-mss 1300
 tunnel source GigabitEthernet1
 tunnel destination ZZ.ZZ.ZZ.ZZ
 ip virtual-reassembly
!
interface GigabitEthernet1
 description ###OUTSIDE###
 ip address B.B.B.B 255.255.255.0
 ip nat outside
 ip access-group 80 in
 ip access-group 80 out
 negotiation auto
 ip virtual-reassembly
!
! PBR is applied inbound on the LAN interface; traffic matched by the route-map is steered into the tunnels
interface GigabitEthernet2
 description ###INSIDE###
 ip address A.A.A.A 255.255.255.0
 ip nat inside
 ip tcp adjust-mss 1452
 ip policy route-map zscaler-tunnel
 negotiation auto
 ip virtual-reassembly
!
ip nat inside source list NAT interface GigabitEthernet1 overload
!
ip route 0.0.0.0 0.0.0.0 B.B.B.1
!
ip access-list extended NAT
 permit ip A.A.A.0 0.0.0.255 any
 deny ip any any
!
! IP SLA probes send Zscaler's tunnel test URL (/vpntest) to the far end of each tunnel
ip sla 1
 http raw http://172.X.X.b
 http-raw-request
 GET http://gateway.zscalertwo.net/vpntest HTTP/1.0\r\n
 User-Agent: Cisco IP SLA\r\n
 end\r\n
 \r\n
 \r\n
 \r\n
 exit
 threshold 300
 timeout 300
ip sla schedule 1 life forever start-time now
!
ip sla 2
 http raw http://172.Y.Y.b
 http-raw-request
 GET http://gateway.zscalertwo.net/vpntest HTTP/1.0\r\n
 User-Agent: Cisco IP SLA\r\n
 end\r\n
 \r\n
 \r\n
 \r\n
 exit
 threshold 300
 timeout 300
ip sla schedule 2 life forever start-time now
! Flag a violation when probe RTT exceeds 300 ms on 3 consecutive probes
ip sla reaction-configuration 1 react rtt threshold-value 300 1 threshold-type consecutive 3
ip sla reaction-configuration 2 react rtt threshold-value 300 1 threshold-type consecutive 3
! Note: no track object or tunnel keepalive is tied to these probes, so the PBR
! failover below still depends only on the Tunnel1 interface state
!
! Lab setting: ACL 80 permits everything in and out on the outside interface
access-list 80 permit any
! Traffic classes steered to Zscaler: HTTP, HTTPS, SSH and DNS
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq 443
access-list 101 permit tcp any any eq 22
access-list 101 permit udp any any eq domain
!
! Matched traffic uses Tunnel1, falling back to Tunnel2 when Tunnel1 is down
route-map zscaler-tunnel permit 10
 match ip address 101
 set interface Tunnel1 Tunnel2
!
end
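As an added example (not from the post or from Zscaler), here is the same /vpntest probe and the "300 ms, 3 consecutive" reaction rule implemented in Python, so an inside host can check tunnel health independently of the router's IP SLA. GATEWAY_IP mirrors the post's 172.X.X.b placeholder and must be replaced; port 80 and the 0.3 s timeout are assumptions.

```python
import socket
import time

# Placeholder from the post: the Zscaler-side address of the tunnel (replace it).
GATEWAY_IP = "172.X.X.b"
TEST_HOST = "gateway.zscalertwo.net"   # host from the router's http-raw-request
UPPER_MS = 300                         # reaction threshold-value 300
CONSECUTIVE = 3                        # threshold-type consecutive 3


def build_vpntest_request(host=TEST_HOST):
    """Same raw HTTP/1.0 request the router's http-raw-request block sends."""
    return (f"GET http://{host}/vpntest HTTP/1.0\r\n"
            f"User-Agent: Cisco IP SLA\r\n\r\n").encode()


def parse_status(raw):
    """Return the HTTP status code from a raw response, or None if unparseable."""
    parts = raw.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) < 2 or not parts[1].isdigit():
        return None
    return int(parts[1])


def probe_once(ip=GATEWAY_IP, timeout_s=0.3):
    """One probe over the tunnel: RTT in ms, or None on timeout/error/bad reply.
    Needs network access; the offline logic lives in the other functions."""
    start = time.monotonic()
    try:
        with socket.create_connection((ip, 80), timeout=timeout_s) as s:  # assumed port 80
            s.sendall(build_vpntest_request())
            data = s.recv(4096)
    except OSError:
        return None
    if parse_status(data) is None:
        return None
    return (time.monotonic() - start) * 1000


def tunnel_degraded(rtts_ms, upper_ms=UPPER_MS, consecutive=CONSECUTIVE):
    """Mirror the reaction rule: the tunnel is degraded when the last
    `consecutive` probes all exceeded the threshold or failed (None)."""
    if len(rtts_ms) < consecutive:
        return False
    recent = rtts_ms[-consecutive:]
    return all(r is None or r > upper_ms for r in recent)


if __name__ == "__main__":
    history = [probe_once() for _ in range(CONSECUTIVE)]
    print("probe RTTs (ms):", history, "degraded:", tunnel_degraded(history))
```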

2 Comments

Don Juan · September 8, 2017 at 7:04 pm

Does it work with office 365?
