I’ve been comparing SSL decryption services and devices, and Zscaler is much more than that. It’s an all-in-one content filtering, SSL decryption, DLP, bandwidth control (quota), IPS and malware prevention (including sandboxing) awesome cloud-based solution.
AND, it works with mobile devices even when they’re roaming!
The solution consists of GRE tunnels out to multiple Zscaler cloud environments. Customers use policy-based routing to send classes of outbound traffic over the tunnels, and Zscaler performs its magic. The service then sends logs and data back to wherever, and in whatever format, is desired. They also have INLINE cloud presences at every major provider. The mobile solution consists of an app that proxies web traffic to their clouds.
More info: https://www.zscaler.com/
Lab Diagram:
Here are some of the things you can do with the solution.
Lab router config:
interface Tunnel1
 ip address 172.X.X.X 255.255.255.252
 ip tcp adjust-mss 1300
 tunnel source GigabitEthernet1
 tunnel destination Z.Z.Z.Z
 ip virtual-reassembly
!
interface Tunnel2
 ip address 172.Y.Y.Y 255.255.255.252
 ip tcp adjust-mss 1300
 tunnel source GigabitEthernet1
 tunnel destination ZZ.ZZ.ZZ.ZZ
 ip virtual-reassembly
!
interface GigabitEthernet1
 description ###OUTSIDE###
 ip address B.B.B.B 255.255.255.0
 ip nat outside
 ip access-group 80 in
 ip access-group 80 out
 negotiation auto
 ip virtual-reassembly
!
interface GigabitEthernet2
 description ###INSIDE###
 ip address A.A.A.A 255.255.255.0
 ip nat inside
 ip tcp adjust-mss 1452
 ip policy route-map zscaler-tunnel
 negotiation auto
 ip virtual-reassembly
!
ip nat inside source list NAT interface GigabitEthernet1 overload
!
ip route 0.0.0.0 0.0.0.0 B.B.B.1
!
ip access-list extended NAT
 permit ip A.A.A.0 0.0.0.255 any
 deny ip any any
!
ip sla 1
 http raw http://172.X.X.b
  http-raw-request
   GET http://gateway.zscalertwo.net/vpntest HTTP/1.0\r\n
   User-Agent: Cisco IP SLA\r\n
   end\r\n
   \r\n
   \r\n
   \r\n
  exit
  threshold 300
  timeout 300
ip sla schedule 1 life forever start-time now
!
ip sla 2
 http raw http://172.Y.Y.b
  http-raw-request
   GET http://gateway.zscalertwo.net/vpntest HTTP/1.0\r\n
   User-Agent: Cisco IP SLA\r\n
   end\r\n
   \r\n
   \r\n
   \r\n
  exit
  threshold 300
  timeout 300
ip sla schedule 2 life forever start-time now
ip sla reaction-configuration 1 react rtt threshold-value 300 1 threshold-type consecutive 3
ip sla reaction-configuration 2 react rtt threshold-value 300 1 threshold-type consecutive 3
!
access-list 80 permit any
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq 443
access-list 101 permit tcp any any eq 22
access-list 101 permit udp any any eq domain
!
route-map zscaler-tunnel permit 10
 match ip address 101
 set interface Tunnel1 Tunnel2
!
end
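To make the forwarding logic of that config easier to reason about, here is an added Python model of the router's decision path (my own illustration, not code from the post or from Zscaler). It evaluates a packet against access-list 101 and the NAT ACL, applies the route-map's ordered `set interface Tunnel1 Tunnel2`, and reproduces the `react rtt threshold-value 300 ... consecutive 3` rule from the IP SLA reaction-configuration. Two things are assumptions: the inside subnet `10.0.0.0/24` stands in for `A.A.A.0/24`, and the model skips a tunnel whose SLA probe has failed, which the lab config as posted does not actually wire up (there is no `track` object binding the probes to the route-map).

```python
"""Model of the lab router's PBR decision: added illustration, not the post's config."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# access-list 101 from the lab config, as (protocol, destination port).
# Packets that match are policy-routed into the Zscaler GRE tunnels.
ACL_101 = (
    ("tcp", 80),    # eq www
    ("tcp", 443),
    ("tcp", 22),
    ("udp", 53),    # eq domain
)

# Assumption: a constructed inside subnet standing in for A.A.A.0/24.
INSIDE_NET = ip_network("10.0.0.0/24")


@dataclass(frozen=True)
class Packet:
    src: str     # source IPv4 address
    proto: str   # "tcp" or "udp"
    dport: int   # destination port


def matches_acl_101(pkt: Packet) -> bool:
    """Extended ACL semantics: first matching entry wins, implicit deny at the end."""
    return any(pkt.proto == proto and pkt.dport == port for proto, port in ACL_101)


def matches_nat_acl(pkt: Packet) -> bool:
    """ip access-list extended NAT: permit ip A.A.A.0 0.0.0.255 any / deny ip any any."""
    return ip_address(pkt.src) in INSIDE_NET


class SlaTracker:
    """Mirrors 'react rtt threshold-value 300 1 threshold-type consecutive 3':
    the probe is declared failed after three consecutive samples over the RTT
    threshold (a timeout counts as over). Recovery on a single good sample is a
    simplification of IOS behaviour, assumed here for illustration."""

    def __init__(self, threshold_ms: int = 300, consecutive: int = 3) -> None:
        self.threshold_ms = threshold_ms
        self.consecutive = consecutive
        self.failures = 0
        self.up = True

    def record(self, rtt_ms: Optional[float]) -> bool:
        """Feed one probe result (None = timeout); returns the new up/down state."""
        over = rtt_ms is None or rtt_ms > self.threshold_ms
        self.failures = self.failures + 1 if over else 0
        self.up = self.failures < self.consecutive
        return self.up


def egress_interface(pkt: Packet, tunnels: List[Tuple[str, SlaTracker]]) -> str:
    """route-map zscaler-tunnel permit 10: match ip address 101, set interface Tunnel1 Tunnel2.
    Assumption: a tunnel whose SLA probe is down is skipped (not bound in the lab config).
    Anything not matched by ACL 101 follows 'ip route 0.0.0.0 0.0.0.0 B.B.B.1'."""
    if matches_acl_101(pkt):
        for name, tracker in tunnels:
            if tracker.up:
                return name
    return "GigabitEthernet1"


if __name__ == "__main__":
    t1, t2 = SlaTracker(), SlaTracker()
    tunnels = [("Tunnel1", t1), ("Tunnel2", t2)]
    # Constructed RTT samples in ms for the Tunnel1 probe; None is a timeout.
    for rtt in (120, 450, None, 900):
        t1.record(rtt)
    for pkt in (Packet("10.0.0.25", "tcp", 443),
                Packet("10.0.0.25", "udp", 53),
                Packet("10.0.0.25", "tcp", 25)):
        print(pkt, "->", egress_interface(pkt, tunnels),
              "NAT" if matches_nat_acl(pkt) else "no-NAT")
```

The practical point the model makes visible: with the config exactly as posted, `set interface Tunnel1 Tunnel2` only falls through to Tunnel2 when Tunnel1's line protocol drops, and a GRE tunnel interface stays up even when the far end stops answering. The IP SLA probes are configured but nothing consumes their state, so a `track` object tied to each probe and referenced from the route-map (via `set interface ... ` with `verify-availability`, or a tracked `set ip next-hop`) is what turns those probes into actual failover.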
2 Comments
Don Juan · September 8, 2017 at 7:04 pm
Does it work with office 365?
Matt Clemons · September 8, 2017 at 8:58 pm
Sure does.
https://zscaler-alt.zendesk.com/hc/en-us/articles/216349648-How-do-I-configure-Office-365-support-