Introduction:


This article shows how to protect Servers and Virtual Desktops with Zscaler using Cloud Security Connectors from Azure Cloud.


The following example is a real case scenario of a customer with the following challenges:

  • For Virtual Desktops
    • To achieve speeds of 1 Gbps (or more) to Zscaler from Azure Cloud
    • To reach Okta from their own IP (and not Zscaler's IPs) for seamless Single Sign On (disabling MFA for VDI). 
    • To reach Trusted Web Sites from their own Public IP and not Zscaler.
    • To achieve High Availability using Availability Sets.
    • To Load Balance the traffic among several IPsec tunnels
    • To achieve multiple redundancies to Zscaler: ZEN node redundancy, Tunnel Redundancy, CSC redundancy, etc. 


Solution: To deploy a "CSC Pool" using the Azure Template provided in this guide.


  • For Servers
    • To achieve High Availability to Zscaler for Servers using Explicit Proxy. [Note: Explicit Proxy is when you have only one IP (or hostname) as the proxy destination. If this IP (or hostname) is not reachable, the server loses communication to Zscaler.]
    • To achieve High Availability using Availability Sets.
    • To have full visibility of Internal IPs on Zscaler, so that authentication is not requested for Server Subnets.
    • To achieve multiple redundancies to Zscaler: ZEN node redundancy, Tunnel Redundancy, CSC redundancy, etc. 


Solution: To deploy a "CSC HA Pair" using the Azure Template Provided in this guide. 


Video 1: Introduction:





Network Diagram:





Deployment instructions:


  • Prerequisites:
    1. Subnets for the CSCs: Create (or choose) the External and Internal Subnets for the CSCs. In this example the names are csc-external-East-US and csc-internal-East-US.
    2. On Zscaler console create:
      1. One VPN credential (Email and Key) for the "CSC HA Pair".
      2. One Location for the "CSC HA Pair" and attach the corresponding VPN credentials.
        • Create a "Sublocation" under Location "CSC HA Pair", add the Server Subnet IP range and select "Enforce Authentication=Disabled"
      3. One VPN credential (Email and Key) for the "CSC Pool".
      4. One Location for the "CSC Pool" and attach the corresponding VPN credentials.
      5. The "CSC Bypass" PAC file. An example of the "CSC Bypass" PAC file is attached; the file is called az-csc-bypass.pac. This PAC allows certain domains and subdomains to pass via the CSC Bypass, so that they reach the destination from your own public IP.
    3. A small Ubuntu VM available to run Azure CLI. Install Azure CLI following these instructions: Azure CLI install on Ubuntu. Also install the Automation Script csc-lb-pac.generator.sh as shown in the video.
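The bypass logic described above, written out as a minimal PAC file. This is an added illustration, not the az-csc-bypass.pac shipped with the guide: the bypass proxy address, the bypass domain list and the proxy port are assumptions, while 185.46.212.88 is the Global Proxy address used in the deployment steps. The two shims at the top exist only so the file can be exercised under Node; a real PAC engine provides those built-ins itself.

```javascript
// Stand-ins for PAC built-ins so this file also runs under Node for testing.
// Browsers and the Windows WinHTTP PAC engine supply these natively.
if (typeof dnsDomainIs === "undefined") {
  globalThis.dnsDomainIs = (host, domain) =>
    host === domain.replace(/^\./, "") || host.endsWith(domain);
}
if (typeof isPlainHostName === "undefined") {
  globalThis.isPlainHostName = (host) => !host.includes(".");
}

// Assumed values (hypothetical, not from the guide): the CSC Bypass proxy
// endpoint and the destinations that must be reached from the customer's
// own public IP (the Okta / trusted-site requirement in the introduction).
const BYPASS_PROXY = "PROXY 10.0.1.100:3128";
const BYPASS_DOMAINS = [".okta.com", ".trusted-partner.example"];

// Global Proxy address as given in the deployment steps; the port is assumed.
const ZSCALER_PROXY = "PROXY 185.46.212.88:80";

// Matches RFC 1918 address literals so internal traffic never enters the tunnel.
const RFC1918 = /^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)/;

function FindProxyForURL(url, host) {
  host = host.toLowerCase();

  // Unqualified internal names and private IPs stay inside the VNet.
  if (isPlainHostName(host) || RFC1918.test(host)) {
    return "DIRECT";
  }

  // Trusted sites exit through the CSC Bypass: the destination sees the
  // customer's public IP instead of a Zscaler egress IP.
  for (const domain of BYPASS_DOMAINS) {
    if (dnsDomainIs(host, domain)) {
      return BYPASS_PROXY;
    }
  }

  // Everything else is inspected by Zscaler via the CSC Global Proxy. With the
  // HA pair, the route table steers this address to whichever CSC is healthy.
  return ZSCALER_PROXY;
}
```

Because every non-bypass request resolves to the single Global Proxy address, the HA pair's route-table failover (not the PAC) is what keeps servers connected when one CSC is down.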


Video 2 - Prerequisites




  • Deployment Steps - A) CSC deployment and common settings. 
    1. Using Azure Portal:
      1. Go to "Templates" and create a template using: csc-lb-availabilty-set-3c.json
        1. Deploy the Template to create 2 x CSC (HA pair) for Servers.
        2. Deploy the Template to create 4 x CSC (CSC Pool) for Virtual Desktops.
      2. Security: Choose your Primary and Secondary Zscaler Nodes and create a Network Security Group as shown in the video. Associate the Security Group with the CSC External Subnet.
      3. Routing: Create a Route Table, associate it with the CSC External Subnet, and route traffic to the ZEN nodes via the "Internet" next hop and everything else via the FW.
      4. Housekeeping: Dissociate and delete the Bypass Public IPs. This deployment sends all Bypass traffic via the Firewall. The Bypass Public IPs are named: <cscName>-eth0-1-PublicIp<#>

Video 3 - CSC deployment and common settings




  • Deployment Steps - B) CSC HA Pair Configuration. 
    1. Using the Linux VM, run the Automation Script for the CSC HA Pair. As a result, you will obtain a PAC file for servers and the gateway IP of each CSC.
    2. Create a Route Table with the Server and CSC Internal Subnets associated. In the route table, create a route for the Global Proxy 185.46.212.88 (type Virtual Appliance) with any CSC Gateway IP as the next hop, plus the default route via the FW, as shown in the video.
    3. Assign the "Contributor" role to each CSC in the pair.
    4. Assign an Identity to each CSC so that they can manage the route table and read each other's status, as shown in the video.
    5. SSH to each CSC and run the Initial Wizard. The CSC will reboot.
    6. SSH to each CSC again and run the High Availability Wizard.


Video 4 - CSC HA Pair Configuration





  • Deployment Steps - C) CSC Pool Configuration
    1. Using the Linux VM, run the Automation Script for the CSC Pool. As a result, you will obtain a PAC file for servers and the gateway IP of each CSC.
    2. SSH to each CSC and run the Initial Wizard. The CSC will reboot.


Video 5 - CSC Pool Configuration