The CSC Mux for Azure is an "all-in-one" solution for cloud security networking requirements. The CSC Mux for Azure solves the connectivity to Zscaler and replaces Azure VPN and NAT Gateways, bringing down your cloud communication costs.
Attached to this article is the Administrator Guide for version 4.2 (see below)
The Key Benefits of the CSC Mux are:
- Solves the limitation of speed to Zscaler (ZIA) when using IPsec tunnels. The CSC Mux comes in four models:
- CSC Mux 1 (1 x IPsec, 400 Mbps to Zscaler, 1 Gbps PriCPA)
- CSC Mux 2 (2 x IPsec, 800 Mbps to Zscaler, 1 Gbps PriCPA)
- CSC Mux 4 (4 x IPsec, 1.6 Gbps to Zscaler, 1 Gbps PriCPA)
- CSC Mux 8 (8 x IPsec, 3.2 Gbps to Zscaler, 1 Gbps PriCPA)
Savings:
The CSC reduces communication costs by 80% or more compared to using separate technologies for cloud security networking, such as Azure Wan, Express Connect, NAT Gateways, VPN Gateways, Firewalls, Service Broker Clouds, SD-WAN or MPLS. The CSC replaces all of them.
Reduced TCO
It runs on cheap Azure VM Sizes.
Performance and Scalability:
- High Performance to Zscaler: up to 3.2 Gbps.
- High Performance for Private Traffic (cloud to cloud, site to cloud): up to 1 Gbps encrypted traffic with Zero Trust.
- High Performance for local Outbound Firewall (Advanced NAT Gateway - ex Routed Bypass): 1 Gbps or more.
- High Performance for local Proxy Bypass (Standard or Advanced): 1 Gbps.
- High Availability:
- The CSC can be deployed on Availability Zones or Availability Set.
- Automatic internal Route/s provisioning ("next-hop") via Azure CLI.
- Automatic configuration of "Floating Public IP" for PriCPA.
- Simplicity:
- No Networking knowledge required.
- No operational burden for Administrators.
- Networking as a code.
- DevOps automated deployment from Azure Marketplace or Azure ARM templates or Terraform.
- Zscaler auto-provisioning.
- 2 Steps configuration for Private Cloud Private Access: Onboard the Node to PriCPA Cloud and Deploy Policies (Single JSON file).
- Security:
- Full hardened device.
- All private traffic is encrypted using latest state of the art encryption protocols.1
- Zero Trust.
- Outbound Firewall (Advanced NAT Gateway)
- Blocks Lateral movement.
- Automatic Security Group provisioning.
- Flexibility:
- Any to Any Communications: site-to-site, site-to-cloud, cloud-to-cloud.
- All protocols are supported.
- Visibility:
- Traffic Logs and System Logs.
- Traffic visibility End to End.
- Source IPs preserved.
- SNMP Support.
- Simple Management:
- Local Management: SSH Admin Console with configuration wizards, full status reporting.
- Remote Management: No proprietary software required. You can use any change management tool to configure and update the CSC, such as Azure CLI "Run Command", AWS System Manager (SSM agent), Ansible, Rundeck, scripting via SSH or similar.
- SNMP v2c and v3 support.
- Radius/MFA for SSH Admin Console access.
- SIEM/Syslog integration for Traffic and Systems Logs.
- TCPDump integrated in the SSH Admin Console.
- Linux terminal console allowed (csccli user).
- Multiple tools for testing and troubleshooting included: Traffic Logs. TCPDump, Speed Test, MTR (MyTraceRoute), Keepalives statuses, Etc.
- Zscaler Project specific features:
- The CSC comes with the optimal values to work with Zscaler ZIA.
- Full tunnel redundancy.
- Zscaler Cloud Firewall and Cloud Web Security.
- Complete visibility of internal IPs on Zscaler Console.
- All traffic steering options supported:
- Route all traffic to Zscaler.
- Use of PAC files.
- Use of Explicit Proxy.
- No default Route scenarios.
- Use of ZCC (Zscaler Client Connector) over tunnel.
- Multiple options to Bypass Traffic via dedicated Public IP:
- Layer 7 Proxy Bypass to Trusted Web Sites.
- Layer 4 Routed Bypass: TCP, UDP and ICMP per source/destination Network and Port (UDP/TCP).
- Full Proxy mode for devices with Explicit Proxy settings (i.e. Linux hosts), enabling communications to Zscaler (Location IP based, uplink proxy), direct domain Bypass (ie. .domain.com) and communication with internal systems.