Zscaler recommends that organizations use a combination of GRE tunneling, PAC files, Surrogate IP, and Zscaler App to forward traffic to the Zscaler service. Zscaler recommends that you configure two GRE tunnels from an internal router behind the firewall to provide visibility into internal IP addresses, which can be used for security policies and logging. (See Deployment Scenarios.) Zscaler also recommends that organizations deploy mechanisms such as IP SLA to monitor tunnel health and enable fast failover. Additionally, Zscaler recommends that you install a PAC file for each user to ensure coverage outside the corporate network.

A GRE (Generic Routing Encapsulation) tunnel is ideal for forwarding Internet-bound traffic from your corporate network to the Zscaler service. GRE is a tunneling protocol for encapsulating packets inside a transport protocol. A GRE-capable router encapsulates a payload packet inside a GRE packet, which it then encapsulates in a transport protocol, such as IP, as shown in the following figure.

A GRE tunnel functions like a VPN but without the encryption; it transports packets from one endpoint through the public network to another endpoint.

GRE tunnels typically use keepalive packets to determine if a tunnel is up. The GRE tunnel source creates both a keepalive request packet and a keepalive response packet, encapsulates the response inside the request, and sends them together to the tunnel destination. When the tunnel destination receives the request packet, it simply decapsulates it and forwards the inner response packet back to the originating peer. For more information about GRE, refer to RFC 2784, Generic Routing Encapsulation (GRE).
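The encapsulation and keepalive behaviour described above can be reproduced at the byte level. The following Python sketch is an added example, not Zscaler code: it builds the RFC 2784 base header, shows that the inner packet (including the internal source IP) travels unencrypted, and constructs a keepalive whose inner response is addressed back to the tunnel source. All addresses are constructed samples, and the protocol type of 0 in the keepalive response is an assumed vendor convention that is not stated on this page.

```python
import ipaddress
import struct

GRE_PROTO = 47            # IP protocol number for GRE
ETHERTYPE_IPV4 = 0x0800   # GRE protocol type for an IPv4 payload

def _checksum(data: bytes) -> int:
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (no options) followed by the payload."""
    s, d = (ipaddress.IPv4Address(a).packed for a in (src, dst))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, s, d)
    return hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:] + payload

def gre_encapsulate(tun_src: str, tun_dst: str, inner: bytes, ptype: int = ETHERTYPE_IPV4) -> bytes:
    """Delivery IP header + RFC 2784 base GRE header (C=0, version 0) + payload packet."""
    return ipv4(tun_src, tun_dst, GRE_PROTO, struct.pack("!HH", 0, ptype) + inner)

def gre_decapsulate(packet: bytes) -> bytes:
    """Strip the delivery and GRE headers and return the payload packet."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != GRE_PROTO:
        raise ValueError("not a GRE packet")
    flags, _ptype = struct.unpack("!HH", packet[ihl:ihl + 4])
    if flags & 0x0007:
        raise ValueError("unsupported GRE version")
    skip = 8 if flags & 0x8000 else 4   # C bit adds checksum + reserved1 fields
    return packet[ihl + skip:]

def addresses(packet: bytes) -> tuple:
    """Source and destination of an IPv4 header, read straight from the bytes."""
    return str(ipaddress.IPv4Address(packet[12:16])), str(ipaddress.IPv4Address(packet[16:20]))

def keepalive_request(tun_src: str, tun_dst: str) -> bytes:
    """Request that wraps a pre-built response addressed back to the tunnel source."""
    response = gre_encapsulate(tun_dst, tun_src, b"", ptype=0)  # ptype 0: assumed convention
    return gre_encapsulate(tun_src, tun_dst, response)

# Constructed sample addresses (documentation ranges), not Zscaler values.
ROUTER, ZEN = "192.0.2.1", "198.51.100.1"
user_pkt = ipv4("10.1.1.25", "203.0.113.80", 6, b"GET / HTTP/1.1\r\n")
tunneled = gre_encapsulate(ROUTER, ZEN, user_pkt)
```

Decapsulating `tunneled` returns `user_pkt` unchanged, so the far end sees the internal address `10.1.1.25`, and so does any device on the path, because GRE adds 24 bytes of headers and no confidentiality or integrity protection.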

If your corporate router supports GRE and its egress port has a static IP address, Zscaler recommends that you configure a GRE tunnel to forward Internet traffic from your corporate network to the Zscaler service. It provides the following benefits:

  • Supports Internet traffic
  • Supports failover in case the primary ZEN becomes unavailable
  • Requires minimal overhead
  • Requires no configuration on computers or laptops
  • Users on your corporate network cannot bypass the service
  • Tunneling can provide internal IP address information to Zscaler for use in policy design and logging