Zscaler and VeloCloud by VMware SD-WAN Deployment Guide
April 2018, Version 2.0
Copyright ©, Zscaler, Inc.
Page 1 of 31


VeloCloud Deployment Guide


Table of Contents

1 About This Document ... 3
2 Zscaler and VeloCloud ... 5
2.1 Prerequisites ... 5
3 Configuring IPsec from VeloCloud to ZIA ... 6
3.1 Configuring Zscaler Internet Access ... 7
3.1.1 Logging into ZIA ... 7
3.1.2 ZIA Dashboard ... 8
3.1.3 VPN Credentials ... 9
3.1.4 Add VPN Credential ... 10
3.1.5 Locations ... 11
3.1.6 Add Location ... 12
3.1.7 Confirm and Activate Changes ... 13
3.2 Configuring VeloCloud Network Orchestrator ... 15
3.2.1 Log into VeloCloud Network Orchestrator ... 15
3.2.2 VeloCloud Dashboard ... 16
3.2.3 Configure Network Service ... 17
3.2.4 New Cloud Security Service ... 18
3.2.5 Configure Profile ... 19
3.2.6 Add Credentials ... 20
3.2.7 Enter Credentials ... 21
3.2.8 Verifying Tunnel State ... 22
4 Requesting Zscaler Support ... 23
4.1 Gather Support Information ... 23
4.1.1 Obtain Company ID ... 23
4.1.2 Save Company ID ... 24
4.1.3 Open Support Ticket ... 25
4.2 GRE Provisioning Request (Example) ... 26
4.3 Adding Domain (Example) ... 27
5 Verifying ZIA Configuration ... 28
5.1 Request Verification Page ... 28
6 Appendix A: Zscaler Resources ... 29
6.1 Zscaler IP Pages ... 29
7 Appendix B: VeloCloud Resources ... 30


Terms and Acronyms

Acronym Definition

CA Central Authority (Zscaler)

CSV Comma-Separated Values

DPD Dead Peer Detection (RFC 3706)

GRE Generic Routing Encapsulation (RFC2890)

IKE Internet Key Exchange (RFC2409)

IPSec Internet Protocol Security (RFC2411)

PFS Perfect Forward Secrecy

PSK Pre-Shared Key

SSL Secure Socket Layer (RFC6101)

XFF X-Forwarded-For (RFC7239)

ZIA Zscaler Internet Access (Zscaler)

ZEN Zscaler Enforcement Node (Zscaler)

ZPA Zscaler Private Access (Zscaler)


1 About This Document

Zscaler Overview

Zscaler enables the world’s leading organizations to securely transform their networks and applications for a mobile and cloud-first world. Its flagship services, Zscaler Internet Access and Zscaler Private Access, create fast, secure connections between users and applications, regardless of device, location, or network. Zscaler services are 100% cloud delivered and offer the simplicity, enhanced security, and improved user experience that traditional appliances or hybrid solutions are unable to match. Used in more than 185 countries, Zscaler operates a massive, global cloud security platform that protects thousands of enterprises and government agencies from cyberattacks and data loss. For more information on Zscaler, please visit www.zscaler.com or follow them on Twitter @zscaler.

VeloCloud Overview

VeloCloud by VMware provides Cloud-Delivered SD-WAN, transforming WAN networking by optimizing network traffic such as voice, video, and data across all transport options, including private, broadband Internet, and LTE links. Built from the ground up to support the cloud and cloud applications and services, VeloCloud SD-WAN enables simplified access to the cloud and its benefits, automates branch deployments for customers of all sizes, shortens time to market, and delivers an exceptional user experience with unprecedented network visibility and proactive troubleshooting capabilities. For more information, visit www.velocloud.com and follow the company on Twitter, LinkedIn, Facebook, and Instagram.


Audience

This guide is written for network administrators, network analysts, and IT administrators responsible for deploying, monitoring, and managing enterprise branch networks. For additional product and company resources, please refer to the Appendix sections.

Software Revisions

This document was written using Zscaler Internet Access v5.5 and VeloCloud by VMware SD-WAN components running v3.2.0.

Request for Comments

We value the opinions and experiences of our readers. To offer feedback or corrections for this guide, please contact us at [email protected].


2 Zscaler and VeloCloud

2.1 Prerequisites

This guide provides GUI examples for configuring Zscaler Internet Access and VeloCloud Orchestrator. All examples in this guide presume the reader has a basic comprehension of IP networking. All examples in this guide explain how to provision new service with Zscaler and with VeloCloud. The prerequisites to use this guide are:

Zscaler Internet Access (ZIA)

• A working instance of ZIA (any cloud)
• Administrator login credentials

VeloCloud Orchestrator

• Enterprise account access to VeloCloud Orchestrator
• Administrator login credentials
• One or more VeloCloud Edge appliances with “Online” status in VeloCloud Orchestrator


3 Configuring IPsec from VeloCloud to ZIA

This guide is designed to walk you through the configuration of both Zscaler and VeloCloud, using their respective admin portals. These steps will require access to the:

• Zscaler admin portal, for configuring Zscaler Internet Access (ZIA)
• VeloCloud Orchestrator, for configuring VeloCloud Edge devices

Configuring Zscaler and VeloCloud will require four major steps. All steps must be completed to achieve a working configuration.

• Step 1: Configure VPN credentials and site location (Zscaler Admin)
• Step 2: Create and Configure a Cloud Security Service – Zscaler (VeloCloud Admin)
• Step 3: Verify Connectivity


3.1 Configuring Zscaler Internet Access

In this section, we configure the Zscaler side first, before configuring VeloCloud.

3.1.1 Logging into ZIA

Log into Zscaler using your administrator account, as shown in Figure 1. If you are unable to log in using your administrator account, please contact support: https://help.zscaler.com/submit-ticket.

Figure 1: Log Into Zscaler


3.1.2 ZIA Dashboard

After logging into Zscaler, you will arrive at the Zscaler Dashboard, as shown in Figure 2. From here we want to navigate to Administration -> Resources -> VPN Credentials.

Note: Just above “VPN Credentials” is “Locations”. We will need to navigate there shortly, so remember this location.

Figure 2: Navigate to Resources -> VPN Credentials


3.1.3 VPN Credentials

After navigating to VPN Credentials, select “Add VPN Credentials”, as shown in Figure 3. This is where we will create the FQDN credentials and pre-shared keys for our IPsec tunnels.

Figure 3: Add VPN Credentials


3.1.4 Add VPN Credential

After selecting “Add VPN Credential”, as shown in Figure 4, the fields outlined in red must be filled in. First, a user ID must be specified as an FQDN. Second, a pre-shared key (PSK) must be specified as well. Note: store the PSK in a secure location. You will need it once we start configuring the VeloCloud side of our service.

Figure 4: Add VPN Credentials

Note: It is a best practice to use a unique User ID and PSK per site. Once you have entered this data, please select “Save”. Next, as mentioned earlier, we want to navigate to “Locations”.
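The two requirements above (user ID in FQDN form, a PSK that is unique per site and kept secret) are easy to get wrong when many sites are provisioned by hand. The following script is an added example written for this guide and is not Zscaler's or VeloCloud's code: it generates one FQDN-style user ID and one random PSK per site, then audits a credential inventory for reused user IDs or PSKs, short PSKs, and IDs that are not FQDNs. The `example.com` domain, the `site.domain` ID layout, the sample site names, and the 20-character minimum PSK length are assumptions, not values from the guide.

```python
import re
import secrets

DOMAIN = "example.com"   # assumed placeholder domain (not from the guide)
MIN_PSK_LEN = 20         # assumed local policy floor; the guide sets no minimum

# Hostname-style FQDN: dot-separated labels of 1-63 chars, 253 chars overall.
FQDN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}$"
)


def make_user_id(site: str, domain: str = DOMAIN) -> str:
    """Build the FQDN-form user ID for the ZIA VPN credential (layout assumed)."""
    user_id = f"{site}.{domain}".lower()
    if not FQDN_RE.match(user_id):
        raise ValueError(f"user ID is not a valid FQDN: {user_id}")
    return user_id


def make_psk(nbytes: int = 32) -> str:
    """Random PSK from the OS CSPRNG; 32 bytes gives a 43-character token."""
    return secrets.token_urlsafe(nbytes)


def build_credentials(sites, domain: str = DOMAIN):
    """One (site, user_id, psk) record per site, never sharing a PSK."""
    return [(site, make_user_id(site, domain), make_psk()) for site in sites]


def audit_credentials(records):
    """Return findings for records that violate the per-site uniqueness practice."""
    findings = []
    seen_ids, seen_psks = {}, {}
    for site, user_id, psk in records:
        if not FQDN_RE.match(user_id):
            findings.append(f"{site}: user ID {user_id!r} is not an FQDN")
        if len(psk) < MIN_PSK_LEN:
            findings.append(f"{site}: PSK shorter than {MIN_PSK_LEN} characters")
        if user_id in seen_ids:
            findings.append(f"{site}: user ID reused from {seen_ids[user_id]}")
        if psk in seen_psks:
            findings.append(f"{site}: PSK reused from {seen_psks[psk]}")
        seen_ids.setdefault(user_id, site)
        seen_psks.setdefault(psk, site)
    return findings


if __name__ == "__main__":
    # Constructed sample sites; the PSK is deliberately not printed, only its length.
    creds = build_credentials(["vce-site-a", "vce-site-b"])
    for site, user_id, psk in creds:
        print(f"{site}: user ID {user_id}, PSK length {len(psk)}")
    print("audit:", audit_credentials(creds) or "clean")
```

The generated PSK is what you later paste into the VeloCloud “Add Credentials” dialog (Section 3.2.7); keep the inventory itself in a secrets store rather than in a spreadsheet, since whoever holds the PSK can bring up a tunnel under that site's identity.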


3.1.5 Locations

After navigating to Locations, select “Add”, as shown in Figure 5. This is where we will associate the VPN Credentials we configured with a Location.

Figure 5: Locations


3.1.6 Add Location

There are several fields we need to populate to add a location, as shown in Figure 6. First, we need to specify the “Name” of this location, the “Country” in which it is located, the “State/Province”, and the “Time Zone”. Second, we need to select “VPN Credentials”, which opens a pop-up window; there, select the VPN credentials we just created. Once completed, select “Done”, and finally “Save”.

Figure 6: Add Location


3.1.7 Confirm and Activate Changes

After selecting “Save”, a message should appear at the top of the page that states “All changes have been saved”, as shown in Figure 7. Note: these changes are not active at this point. They are candidate changes that are pending activation. If you look in the upper-right of Figure 7, you will notice a number. This number indicates the number of changes that are pending activation.

Figure 7: Confirm Changes

Navigate to the pending activation number and select it, as shown in Figure 8. A pull-down window will appear. Then navigate down to “Active” and select it. This activates all pending changes.

Figure 8: Activate Changes


Finally, a message should appear at the top of the page that states “Activation Completed”, as shown in Figure 9. If you encounter an error message, please contact support: https://help.zscaler.com/submit-ticket.

Figure 9: Confirm Activation


3.2 Configuring VeloCloud Network Orchestrator

3.2.1 Log into VeloCloud Network Orchestrator

Open a web browser and enter the URL of your VeloCloud Network Orchestrator instance. When the page loads, you should see the screen in Figure 10: VeloCloud Network Orchestrator Portal Login.

Figure 10: VeloCloud Network Orchestrator Portal Login

If you are unable to log into VeloCloud Network Orchestrator, you can contact VeloCloud support: http://www.velocloud.com/customers/support.


3.2.2 VeloCloud Dashboard

After logging into the VeloCloud Network Orchestrator, you will arrive at a dashboard, which is shown in Figure 11. The VeloCloud dashboard displays a geographic map of your sites. On the left side of the screen, you will see drop-down menus for navigating through the VeloCloud Network Orchestrator.

Figure 11: VeloCloud Dashboard

In the lower part of Figure 11, we have added a red box around the status area. The green circles indicate that both of our VeloCloud Edge devices are online and functional. For the purpose of this guide, we will only use VCE-Site-A.


3.2.3 Configure Network Service

We now want to navigate to “Configure” -> “Network Services” -> “Cloud Security Service” -> “New”, as shown in Figure 12. This is where we will configure the VeloCloud side of our IPsec tunnel.

Figure 12: Configure Network Service


3.2.4 New Cloud Security Service

You should now see a pop-up window, as shown in Figure 13. If the fields do not match, select “Zscaler Web Security Service” in the “Service Type” pull-down menu. Next, we need to specify a name for this service. It is a best practice to match site names so they can be easily correlated. This name will be needed in the following sections, so make a note of it. Then specify the hostname of the Zscaler ZENs (Server) you wish to use. These ZENs must match the cloud where your Zscaler instance is provisioned. Note: Although only one ZEN is required, it is a best practice to configure a second for redundancy.

Figure 13: New Cloud Security Service

If you do not know which VPN gateways to use, please refer to Section 6.1 in this document, and use the URL for your Zscaler cloud. If you do not know which cloud you are provisioned in, please contact Zscaler support: https://help.zscaler.com/submit-ticket. Once completed, select “Save Changes” to proceed to the next window.


3.2.5 Configure Profile

We now want to navigate to “Configure” -> “Profile”, and select the profile name. In our example, we are using “Quick Start Profile”, but you may already have a profile defined. After selecting the profile, select “Device”.

Figure 14: Configure Profile

Scroll down to “Cloud Security Service” and enable it, as shown in Figure 14. Then, under “Cloud Security Service”, select the Service Name from the prior section. Next, you will need to select “Redirect all Internet bound traffic to Cloud Security Service”. The other settings should match Figure 14. Once complete, select “Save Changes”.


3.2.6 Add Credentials

After the changes are saved, refresh the page and scroll back down to “Cloud Security Group”. You should now see an option to “Add Credentials”, as shown in Figure 15. Select it, and a pop-up window should appear.

Figure 15: Add Credentials


3.2.7 Enter Credentials

After you select “Add Credentials”, a pop-up window should appear, as shown in Figure 16. Now enter the FQDN you configured in the Zscaler Admin UI and its Pre-Shared Key (PSK).

Figure 16: Add Credentials

Once you have entered both, select “Save Changes”.


3.2.8 Verifying Tunnel State

You now want to navigate to “Monitor” -> “Edges”. It may take 30-60 seconds, but you should then see green under “Cloud Services”, as shown in Figure 17.

Figure 17: Verifying Tunnel State

If you move your mouse over this area, a pop-up will appear that provides additional detail. Note: Alternatively, you can also navigate to “Monitor” -> “Events”.


4 Requesting Zscaler Support

4.1 Gather Support Information

Zscaler support is sometimes required for the provisioning of certain services. Zscaler support is also available to help troubleshoot configuration and service issues. Zscaler support is available 24 hours a day, 7 days a week, year-round.

4.1.1 Obtain Company ID

First, let’s grab our Company ID, which is how Zscaler uniquely identifies a given customer. The navigation is: Administration -> Settings -> and then click Company Profile.

Figure 21: Obtaining Company ID


4.1.2 Save Company ID

Your company ID can be found in the red box below. Please copy this ID somewhere convenient, as we will need it in subsequent screens.

Figure 22: Save Company ID


4.1.3 Open Support Ticket

Now that we have our company ID, we are ready to open a support ticket. The navigation is: “?” -> Support -> and then click Submit a Ticket. You can also go directly to the Submit Ticket page by visiting https://help.zscaler.com/submit-ticket.

Figure 23: Enter Support Section


4.2 GRE Provisioning Request (Example)

Figure 23 shows an example of how a support ticket is generally made. Each support ticket will ask targeted questions once a Ticket Type is defined. In the example below, we are requesting that GRE service be provisioned with our public IP information.

Figure 24: GRE Provisioning Example


4.3 Adding Domain (Example)

Figure 24 shows an example of how a support ticket is generally made. Each support ticket will ask targeted questions once a Ticket Type is defined. In the example below, we are requesting that a domain be added to our ZIA instance.

Figure 25: Adding Domain Example


5 Verifying ZIA Configuration

5.1 Request Verification Page

The URL https://ip.zscaler.com can be used to validate whether you are transiting ZIA. In Figure 25 and Y below, you will see examples of what the page should display if you are or are not transiting ZIA. Note: the IP information presented in both figures should not match; instead it should be your client IP address when you attempt this page view.

Figure 26: Non-working Example

If you are transiting ZIA, you should see the following:

Figure 27: Working Example
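The same check can be scripted for many branches once the tunnel is up: compare the egress address a client sees on the verification page against the ZEN ranges published on the IP page for your cloud (Section 6.1) and against the site's own public address. The block below is an added example written for this guide, not Zscaler's or VeloCloud's code. The CIDR list, the client public IP, and the egress addresses are constructed sample values (RFC 5737/3849 documentation prefixes), not real ZEN ranges; in practice they come from the IP page and from the verification page.

```python
import ipaddress

# Constructed sample data: documentation prefixes standing in for real ZEN ranges.
SAMPLE_ZEN_RANGE_TEXT = """
# placeholder ZEN ranges, one per line (real list: see the IP page for your cloud)
203.0.113.0/24
2001:db8:1::/48
"""
SAMPLE_CLIENT_PUBLIC_IP = "198.51.100.7"   # constructed "your client IP" of the branch


def parse_ranges(text):
    """Parse a newline-separated CIDR list, skipping blanks and '#' comments."""
    nets = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def transit_state(egress_ip, client_public_ip, zen_ranges):
    """Classify what the verification page shows.

    'via ZIA'   : egress address belongs to a ZEN range (the working example)
    'direct'    : egress address is the branch's own public IP (non-working example)
    'unknown'   : neither; some other proxy, NAT or misrouted path is in front
    """
    ip = ipaddress.ip_address(egress_ip)
    if any(ip.version == net.version and ip in net for net in zen_ranges):
        return "via ZIA"
    if ip == ipaddress.ip_address(client_public_ip):
        return "direct"
    return "unknown"


def verify_branch(egress_ip, client_public_ip=SAMPLE_CLIENT_PUBLIC_IP,
                  range_text=SAMPLE_ZEN_RANGE_TEXT):
    """Convenience wrapper: parse the range list and classify one observation."""
    try:
        return transit_state(egress_ip, client_public_ip, parse_ranges(range_text))
    except ValueError as exc:          # malformed address or CIDR on input
        return f"invalid input: {exc}"


if __name__ == "__main__":
    for observed in ("203.0.113.45", "198.51.100.7", "192.0.2.9", "2001:db8:1::10", "bogus"):
        print(f"{observed:>16} -> {verify_branch(observed)}")
```

A "direct" result after the Orchestrator shows the tunnel green usually means the profile is not redirecting Internet-bound traffic (Section 3.2.5); an "unknown" result points at something else in the path, such as a separate proxy or NAT, rather than the tunnel itself.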


6 Appendix A: Zscaler Resources

Zscaler Knowledge Base: https://support.zscaler.com/hc/en-us/?filter=documentation
Zscaler Tools: https://www.zscaler.com/tools
Zscaler Training and Certification: https://www.zscaler.com/resources/training-certification-overview
Zscaler Submit a Ticket: https://help.zscaler.com/submit-ticket
ZIA Test Page: http://ip.zscaler.com/

6.1 Zscaler IP Pages

https://ips.zscaler.net/cenr/
https://ips.zscalerbeta.net/cenr/
https://ips.zscalerone.net/cenr/
https://ips.zscalertwo.net/cenr/


7 Appendix B: VeloCloud Resources

VeloCloud: http://www.velocloud.com/
VeloCloud Support: http://www.velocloud.com/customers/support