How do I configure VZEN clusters?

Zscaler supports only VZEN clusters for production environments, though you can configure a standalone VZEN for testing purposes.

Following are the steps to configure a VZEN cluster:

  1. Ensure that you meet all the requirements.
  2. On the Zscaler admin portal, add the VZENs and VZEN cluster, and download the VZEN VMs and certificates.
  3. On the vSphere client, configure and start the VZEN VM.

After you configure a VZEN cluster, you can then forward your Internet traffic to it using one of the mechanisms described in Forwarding Traffic to a VZEN Cluster. For information about monitoring the VZEN cluster, see Monitoring VZEN Clusters.

To learn about additional deployment features, such as configuring a virtual service interface, see VZEN Advanced Deployment.

Requirements

  • A VZEN cluster must contain at least two VZENs, up to a maximum of 20 VZEN instances. You will need a subscription for each VZEN in a cluster. Additionally, ensure that all VZENs in a cluster have the same subscription type.
  • VZENs require only outbound connections to the Zscaler cloud. Configure your firewall to allow the necessary outbound connections. To view the firewall requirements, log in to the Zscaler admin portal and, from the Help menu, click Cloud Configuration Requirements and go to the Virtual ZEN Requirements page.
  • Optionally, if you want to enhance the performance of VZEN-MEDIUM or VZEN-LARGE when decrypting SSL traffic, you can install a Cavium NITROX SSL card (NITROX CNN3510-500-C5-NHB-2.0-G is the supported card). Note that Zscaler does not sell this card. Visit http://www.cavium.com/sales.html to purchase the card.
  • Virtual Machine specs for a VZEN cluster:
    • Hypervisor: VMware ESX/ESXi v5.0 and above
      • Promiscuous Mode must be enabled
    • CPUs: 4 CPUs assigned as follows:
      • 1 for the Load Balancer
      • 3 for the VZEN
    • RAM: 32 GB for production (16 GB RAM for testing)
    • Disk: 500 GB (thin provisioned)
      • Zscaler recommends SSDs
    • Network Interfaces: 3 interfaces as follows:
      • 1 for Management
      • 1 for the VZEN
      • 1 for the load balancer
  • The IP addresses listed in the following table:
    VZEN IP Addresses
    • Management
      • Purpose: Used to make an SSH connection to the VZEN VM for management, and to download VZEN builds from the Zscaler cloud.
    • Proxy
      • Purpose: Used for the following:
        • Outbound data connection (proxied traffic)
        • Outbound control connection to the Zscaler cloud
        • Health monitoring by the load balancer
        • In a VZEN standalone, listening for user traffic
      • Requirements: Must be in the same subnet as the load balancer and cluster IP addresses.
    • Load Balancer
      • Purpose: Used to make an outbound control connection to the Zscaler cloud.
      • Requirements: Must be in the same subnet as the proxy and cluster IP addresses. Not required for a VZEN standalone.
    • Cluster
      • Purpose: In a VZEN cluster, provides fault tolerance and listens for user traffic.
      • Requirements: Must be in the same subnet as the proxy and load balancer IP addresses. Not required for a VZEN standalone.

Configure VZENs on the Admin Portal

If you are configuring a VZEN cluster, you must create at least two VZEN instances and download their respective certificates.

  1. Add VZEN instances.
  2. Download the VZEN certificates.
  3. Download the VZEN VM.
  4. Create the VZEN cluster.
  5. Bind the VZEN cluster to a location.

Add VZENs

To add a VZEN instance:

  1. Go to Administration > Virtual ZENs.
  2. Click Add and do the following in the Add Virtual ZEN dialog box:
    • Enter the VZEN Name.
    • In Virtual ZEN Type, select a VZEN subscription type based on the amount of traffic that the VZEN will process. Note that all VZENs in a cluster must be the same type.
      Zscaler shows the total and available subscriptions of each VZEN type.
    • The default Status is Enabled.
    • In the Proxy IP Address field, enter the IP address to which you’ll forward traffic. Enter the corresponding Subnet Mask.
    • Enter the IP address of the Default Gateway to the Internet.
    • The default deployment mode is Cluster, which is the only mode that Zscaler supports in production environments. If you are adding a VZEN for testing purposes, select Standalone.
    • If the deployment mode is Cluster, enter the load balancer IP address.
  3. Click Save to close the dialog.
  4. Add at least one more VZEN instance if you are deploying a cluster.
  5. Activate the changes.

Download the VZEN Certificates

Download the certificate of each VZEN instance that you created. This certificate is used to authenticate each instance to the Zscaler cloud. You will upload the certificate to the vSphere client.

  1. Go to Administration > Virtual ZENs.
  2. Click Download in the SSL Certificate column of the VZEN that you added, and then save the certificate.

If you are downloading multiple certificates, you might want to change the certificate name so you can differentiate between them. For example, if the VZEN instances in a cluster are called VZEN1 and VZEN2, you can rename the certificate zip files to VZEN1.zip and VZEN2.zip.

Download VZEN VM

Download a VZEN VM for each VZEN in a cluster.

  1. Go to Administration > Virtual ZENs.
  2. Click Download Virtual ZEN VM.
    The dialog box displays the technical specifications of the VM.
  3. Click Download Virtual ZEN VM.

Create a VZEN Cluster

A VZEN cluster must contain at least two VZEN instances.

To create a VZEN cluster:

  1. Go to Administration > Virtual ZENs.
  2. From the Virtual ZEN Clusters tab, click Add.
  3. Enter a Name for the cluster.
  4. Choose the VZENs you want to include in the cluster.
  5. Enter the Cluster IP Address, Subnet Mask and Default Gateway IP address.

Ensure that the VZEN cluster, proxy, load balancer, and gateway IP addresses are in the same subnet.
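The subnet rule above, together with the cluster requirements listed earlier (two to 20 VZENs per cluster, a single subscription type, no address reused between roles), can be checked before anything is entered in the admin portal. The following pre-flight script is an added example and is not Zscaler's code or part of this article: the plan data, the 10.84.0.x addresses and the VZEN names are constructed, and the field and type names are assumptions made for illustration.

```python
"""Pre-flight check for a planned VZEN cluster addressing plan.

Added example, not Zscaler's code. It encodes the requirements stated on this
page: 2..20 VZENs per cluster, one subscription type per cluster, and the
proxy, load balancer, cluster and default gateway addresses all in one subnet.
The sample plans below are constructed; the 10.84.0.0/24 range follows the
example addresses used on this page.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

MIN_VZENS = 2
MAX_VZENS = 20


@dataclass
class Vzen:
    name: str
    vzen_type: str   # e.g. "VZEN-MEDIUM"; must match across the cluster
    proxy_ip: str    # proxy interface address, shared subnet
    mgmt_ip: str     # management interface address (not subnet-constrained here)


@dataclass
class ClusterPlan:
    name: str
    subnet: str      # shared proxy / load balancer / cluster subnet, e.g. "10.84.0.0/24"
    cluster_ip: str
    lb_ip: str
    gateway_ip: str
    vzens: list = field(default_factory=list)


def check_plan(plan: ClusterPlan) -> list[str]:
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    net = ip_network(plan.subnet, strict=True)

    n = len(plan.vzens)
    if not MIN_VZENS <= n <= MAX_VZENS:
        problems.append(f"cluster has {n} VZENs; need {MIN_VZENS}..{MAX_VZENS}")

    types = {v.vzen_type for v in plan.vzens}
    if len(types) > 1:
        problems.append(f"mixed subscription types in cluster: {sorted(types)}")

    # Every proxy, load balancer, cluster and gateway address must sit in the shared subnet.
    shared = {"cluster IP": plan.cluster_ip,
              "load balancer IP": plan.lb_ip,
              "default gateway": plan.gateway_ip}
    for v in plan.vzens:
        shared[f"proxy IP of {v.name}"] = v.proxy_ip
    for label, addr in shared.items():
        ip = ip_address(addr)
        if ip not in net:
            problems.append(f"{label} {addr} is outside {net}")
        elif ip in (net.network_address, net.broadcast_address):
            problems.append(f"{label} {addr} is the network or broadcast address")

    # No two roles (proxy, LB, cluster, gateway, management) may share an address.
    all_addrs = list(shared.values()) + [v.mgmt_ip for v in plan.vzens]
    dupes = sorted({a for a in all_addrs if all_addrs.count(a) > 1})
    if dupes:
        problems.append(f"duplicate addresses: {dupes}")

    return problems


# Constructed sample plan that satisfies every requirement.
GOOD_PLAN = ClusterPlan(
    name="vzen-cluster-1", subnet="10.84.0.0/24", cluster_ip="10.84.0.50",
    lb_ip="10.84.0.51", gateway_ip="10.84.0.200",
    vzens=[Vzen("VZEN1", "VZEN-MEDIUM", "10.84.0.52", "10.84.0.110"),
           Vzen("VZEN2", "VZEN-MEDIUM", "10.84.0.53", "10.84.0.111")])

# Same plan with two faults: mixed subscription types and a cluster IP outside the subnet.
BAD_PLAN = ClusterPlan(
    name="vzen-cluster-bad", subnet="10.84.0.0/24", cluster_ip="10.84.1.50",
    lb_ip="10.84.0.51", gateway_ip="10.84.0.200",
    vzens=[Vzen("VZEN1", "VZEN-MEDIUM", "10.84.0.52", "10.84.0.110"),
           Vzen("VZEN2", "VZEN-LARGE", "10.84.0.53", "10.84.0.111")])

if __name__ == "__main__":
    for plan in (GOOD_PLAN, BAD_PLAN):
        issues = check_plan(plan)
        print(plan.name + ":", "OK" if not issues else "; ".join(issues))
```

The management address is deliberately left out of the subnet check, because the page only requires the proxy, load balancer, cluster and gateway addresses to share a subnet; it is still included in the duplicate check so that a management address is never reused for another role.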

Bind the VZEN cluster

Add a location and bind the VZEN cluster (or standalone VZEN) to it, so your organization can enable features, such as authentication, firewall, SSL inspection and location-level policies. The service associates the traffic that it receives on the VZEN with its location and applies the features and policies configured for the location.

To bind a VZEN or a VZEN cluster to a location:

  1. Go to Administration > Resources > Locations.
  2. Add a location or edit an existing location.
  3. Do one of the following to link the location to a VZEN or cluster:
    • If you are binding the location to a VZEN standalone, choose it from the Virtual ZENs list.
    • If you are binding the location to a VZEN cluster, choose the cluster from the Virtual ZEN Clusters list.
  4. Enable any additional features for the location.
  5. Click Save to exit the dialog and activate the change.

Configure the VZEN VM

If you are deploying a VZEN cluster, you must configure each VZEN instance as a VM on the ESX/ESXi server.

To configure the VZEN on the ESX/ESXi server, log in to the vSphere client and do the following:

  1. Import the VZEN VM:
    • Go to File > Deploy OVF Template and use the Deploy OVF Template wizard to deploy the VZEN VM. Accept all defaults.
  2. Ensure that you enable promiscuous mode on the portgroup of the VZEN.
  3. Power on the VM and log in:
    1. Select the VZEN VM and click either the Power On button or Power On the virtual machine.
    2. On the Console tab, log in at the FreeBSD command prompt with the following credentials:
      Username: zsroot
      Password: zsroot
      Note the following:
      • Zscaler strongly recommends that you change this default password by running the command passwd.
      • Direct root login is not permitted. Administrators must use the sudo utility to run commands with higher privileges.
  4. Configure the network by running sudo vzen configure-network and specifying the following:
    • Address of the DNS server that will be used for name resolution of Zscaler cloud domains and of domain names in the proxied traffic.
      For example: 10.84.0.100
    • Management interface IP address with CIDR netmask. You will use the management IP address for SSH or FTP.
      For example: 10.84.0.110/24
    • Default gateway IP address.
      For example: 10.84.0.200
    • Hostname of the VZEN.
  5. Install the SSL certificates of the VZEN instances in the cluster. These are the certificates that you downloaded from the Zscaler admin portal. A VZEN uses its certificate to authenticate itself to the Zscaler service.
    When you configure a cluster VZEN, ensure that you upload the correct certificate for each VZEN instance.
    1. Navigate to the SSL certificate that you saved.
    2. Use SCP or SFTP to upload it to the management IP address of the VZEN.
    3. On the vSphere client, click the Console tab, or use SSH to connect to the management IP address, and log in with the following credentials (or the password you set in step 3):
      Username: zsroot
      Password: zsroot
    4. Run the command sudo vzen install-cert <cert-bundle.zip>, where <cert-bundle.zip> is the path to the uploaded certificate bundle.
  6. If you installed the Cavium NITROX card in your server, do the following:
    1. On the vSphere client, click the Configuration tab.
      1. Click Edit... In the Mark devices for passthrough window, select the Cavium NITROX card.
      2. Select the VZEN. Ensure that the VZEN is powered off. Then click Edit virtual machine settings. In the Virtual Machine Properties window, click Add...
      3. Select PCI Device, then click Next.
      4. Select the Cavium NITROX card from the dropdown menu, then click Next.
      5. Click Finish to add the Cavium NITROX card.
      6. Click OK to finish the setup.
    2. Run the following command to configure the card: sudo vzen install-nitrox
  7. Optionally, configure SNMP parameters if you would like to use an SNMP management system to monitor the VZEN cluster. Note that VZENs support SNMPv3 only.
    1. Run the command sudo vzen snmp-admin-configure
      1. Enter a user name for the SNMPv3 management system that will send queries to the VZEN. The VZEN will accept queries from this user name only.
      2. Enter a password that the VZEN will use to authenticate the SNMP management system.
      3. Specify the authentication protocol the VZEN will use to authenticate the SNMP user. Enter either MD5 or SHA1.
      4. Specify the privacy (encryption) protocol the VZEN will use to protect SNMP traffic with the SNMP user. Enter either DES or AES.
    2. Run the command sudo vzen snmp-trap-configure
      1. When asked which traps you want to configure, specify v3 traps.
      2. Enter the IP address of the SNMP trap management system to which the VZEN will send traps.
      3. Enter a user name for the SNMP management system.
      4. Enter a password that the VZEN will use to authenticate the SNMP management system.
      5. Specify the authentication protocol the VZEN will use to authenticate the SNMP user. Enter either MD5 or SHA1.
      6. Specify the privacy (encryption) protocol the VZEN will use to protect SNMP traffic with the SNMP user. Enter either DES or AES.
  8. Download the VZEN build and start the VZEN.
    1. On the vSphere client, click the Console tab or use SSH to connect to the management IP address.
    2. Run the following command to download the VZEN build: sudo vzen download-build
      The initial build is around 1 GB, so it may take a while depending on your Internet connection. The downloaded build is automatically installed. The VZEN automatically starts after the installation is complete.
  9. Verify the configuration.
    1. On the vSphere client, click the Console tab or use SSH to connect to the management IP address.
    2. Run sudo vzen status
      The output should show that the VZEN service and load balancer are running.
    3. Run sudo vzen troubleshoot connection | grep 9422
      The output should show an established connection.
