(Scroll down to download the Administrator Guide)

Introduction to Cloud Security Connectors for Zscaler with PriCPA.

The Cloud Security Connector (CSC) is a device designed for effortless deployment of the Zscaler Internet Access (ZIA) solution in any customer environment. CSC models are readily available for Virtual Platforms such as VMware, Hyper-V, etc., and Public Clouds such as AWS, Azure, and Gcloud, ensuring a smooth setup process.

The CSC for AWS empowers you to connect securely to Zscaler ZIA at a blazing speed of up to 3¹ Gbps, ensuring high security and efficiency without any hassle.

The primary purpose of the CSC family is simplicity. The CSC for AWS comes with all the required configurations and works with the Zscaler API. After launching the CSC from the AWS Marketplace using the CloudFormation template provided, it will automatically select the best ZEN nodes, create the GRE tunnels, and make the Location on your Zscaler console.

The CSC contains the perfect configuration for GRE tunnels, firewall rules, and necessary routing tables.

The CSC provides all Zscaler functionalities, offering a comprehensive view and complete control over all Internet traffic, keeping you fully informed and in control.

In addition to this, the CSC provides high availability by changing the default route to Zscaler when configured as a High Availability pair and an easy way to manage direct bypasses to trusted sites using your public IP.

It includes Private Cloud Private Access (PriCPA) functionality, which allows you to create a full mesh among the CSCs communicating your private traffic on a Zero-Trust model.

It is simple to install and completely manage using DevOps change management tools like Amazon Systems Manager, Rundeck, Ansible etc., and SSH.

Key benefits of the CSC GRE for Zscaler with PriCPA - AWS

The CSC GRE for AWS is an "all-in-one" solution for cloud security networking requirements. The CSC GRE for AWS solves the connectivity to Zscaler and replaces Azure VPN and NAT Gateways, bringing down your cloud communication costs.

The Key benefits are:

• Savings:

  • The CSC reduces communication costs by 80% or more compared to using separate technologies for cloud security networking, such as Direct Connect, Azure Wan, Express Connect, NAT Gateways, VPN Gateways, Firewalls, Service Broker Clouds, SD-WAN or MPLS. The CSC replaces all of them.

  • Reduced TCO

  • It runs on cheap AWS VM Sizes.

• Performance and Scalability:

  • High Performance to Zscaler: up to 3 Gbps.¹

  • High Performance for Private Traffic (cloud to cloud, site to cloud): up to 1 Gbps encrypted traffic with Zero Trust.

  • High Performance for local Outbound Firewall (Advanced NAT Gateway - ex Routed Bypass): 1 Gbps or more.

  • High Performance for local Proxy Bypass (Standard or Advanced): 1 Gbps.

• High Availability:

  • The CSC can be deployed on Availability Zones.

  • Automatic internal Route/s provisioning ("target") via AWS CLI.

  • Automatic configuration of "Floating Public IP" for PriCPA.

• Simplicity:

  • No Networking knowledge required.

  • No operational burden for Administrators.

  • Networking as a code.

  • DevOps automated deployment from AWS Marketplace or Cloudformation templates or Terraform.

  • Zscaler auto-provisioning.

  • 2 Steps configuration for Private Cloud Private Access: Onboard the Node to PriCPA Cloud and Deploy Policies (Single JSON file).

• Security:

  • Full hardened device.

  • All private traffic is encrypted using latest state of the art encryption protocols.²

  • Zero Trust.

  • Outbound Firewall (Advanced NAT Gateway)

  • Blocks Lateral movement.

  • Automatic Security Group provisioning.

• Flexibility: 

  • Any to Any Communications: site-to-site, site-to-cloud, cloud-to-cloud.

  • All protocols are supported.

• Visibility:

  • Traffic Logs and System Logs.

  • Traffic visibility End to End.

  • Source IPs preserved.

  • SNMP Support.

• Simple Management:

  • Local Management: SSH Admin Console with configuration wizards, full status reporting.

  • Remote Management: No proprietary software required. You can use any change management tool to configure and update the CSC, such as Azure CLI "Run Command", AWS System Manager (SSM agent), Ansible, Rundeck, scripting via SSH or similar.

  • SNMP v2c and v3 support.

  • Radius/MFA for SSH Admin Console access.

  • SIEM/Syslog integration for Traffic and Systems Logs.

  • TCPDump integrated in the SSH Admin Console.

  • Linux terminal console allowed (csccli user).

  • Multiple tools for testing and troubleshooting included: Traffic Logs. TCPDump, Speed Test, MTR (MyTraceRoute), Keepalives statuses, Etc.

• Zscaler Project specific features

  • The CSC comes with the optimal values to work with Zscaler ZIA.

  • Full tunnel redundancy.

  • Zscaler Cloud Firewall and Cloud Web Security.

  • Complete visibility of internal IPs on Zscaler Console.

  • All traffic steering options supported:

    • Route all traffic to Zscaler.

    • Use of PAC files.

    • Use of Explicit Proxy.

    • No default Route scenarios.

    • Use of ZCC (Zscaler Client Connector) over tunnel.

  • Multiple options to Bypass Traffic via dedicated Public IP:

    • Layer 7 Proxy Bypass to Trusted Web Sites.

    • Layer 4 Routed Bypass (Outbound FW): TCP, UDP and ICMP per source/destination Network and Port (UDP/TCP)

    • Full Proxy mode for devices with Explicit Proxy settings (i.e. Linux hosts), enabling communications to Zscaler (Location IP based, uplink proxy), direct domain Bypass (ie. .domain.com) and communication with internal systems.