Choosing Traffic Forwarding Methods
Zscaler recommends that organizations use a combination of tunneling, PAC files, Surrogate IP, and Zscaler App to forward traffic to the Zscaler service. If your organization has an internal router or switch that supports GRE and its egress port has a static address, Zscaler recommends that you configure a GRE tunnel to forward all outbound traffic from your location to the Zscaler service. If your router does not support GRE or if you use dynamic IP addresses, you can use an IPsec VPN tunnel instead. Note that IPsec tunnels have additional processing overhead on your equipment, compared to GRE tunnels. Zscaler also recommends that organizations deploy mechanisms such as IP SLA to monitor tunnel health and enable fast failover. In addition to the GRE or IPsec VPN tunnel, Zscaler recommends that you install a PAC file for each user to ensure coverage outside the corporate network.
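A PAC file that complements a location tunnel, as described above, could look like the following added example, which is not Zscaler's own PAC file. The proxy host, the on-network marker hostname, the internal domain suffix, and the choice to return DIRECT on the corporate network (because the GRE or IPsec tunnel already forwards that traffic) are assumptions.

```javascript
// Added example PAC file (constructed; not Zscaler's default PAC).
// All three values below are placeholders to replace with your own.
var CLOUD_PROXY = "PROXY proxy.example.invalid:80";   // placeholder cloud gateway
var ONNET_MARKER = "onnet-marker.corp.example";        // assumed to resolve only on the corporate LAN
var INTERNAL_SUFFIX = ".corp.example";                 // assumed internal DNS suffix

// True when host is an IPv4 literal in loopback or RFC 1918 space.
function isPrivateIPv4(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  var a = Number(m[1]), b = Number(m[2]);
  if (a > 255 || b > 255 || Number(m[3]) > 255 || Number(m[4]) > 255) return false;
  return a === 10 || a === 127 ||
         (a === 172 && b >= 16 && b <= 31) ||
         (a === 192 && b === 168);
}

// Pure routing decision, kept separate so it can be tested outside a browser.
function chooseRoute(host, onCorpNetwork) {
  host = String(host).toLowerCase();
  // Internal destinations are never sent to the cloud proxy.
  if (host.indexOf(".") === -1 || isPrivateIPv4(host)) return "DIRECT";
  if (host === INTERNAL_SUFFIX.slice(1) ||
      host.slice(-INTERNAL_SUFFIX.length) === INTERNAL_SUFFIX) return "DIRECT";
  // On the corporate network the tunnel already carries outbound traffic.
  if (onCorpNetwork) return "DIRECT";
  // Off-network: proxy only, with no DIRECT fallback, so a proxy outage
  // does not silently route traffic around inspection.
  return CLOUD_PROXY;
}

// PAC entry point; isResolvable() is supplied by the browser's PAC runtime.
function FindProxyForURL(url, host) {
  return chooseRoute(host, isResolvable(ONNET_MARKER));
}
```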
This section describes the supported traffic forwarding mechanisms, including their benefits and requirements. Your organization can use one or a combination of methods, depending on your environment. The following table lists the recommended traffic forwarding mechanisms: GRE tunnels, IPsec VPN tunnels and PAC files.
The following table lists the traffic forwarding mechanism that you can use to quickly start using the Zscaler service for evaluation purposes: Proxy Chaining. Zscaler does not support this mechanism for production environments.
The following table lists the traffic forwarding mechanism that you can use for your road warrior traffic or if your company has fewer than 1,000 users: Zscaler App. The Zscaler App is also used with Zscaler Private Access (ZPA).