Copyright. Trademark Statements

Transcription

1 Private ZENs

2 Copyright This document is protected by the United States copyright laws, and is proprietary to Zscaler Inc. Copying, reproducing, integrating, translating, modifying, enhancing, recording by any information storage or retrieval system or any other use of this document, in whole or in part, by anyone other than the authorized employees, customers, users or partners (licensees) of Zscaler, Inc. without the prior written permission from Zscaler, Inc. is prohibited. Copyright 2014 Zscaler Trademark Statements Zscaler and NanoLog are trademarks or registered trademarks of Zscaler, Inc. All other trademarked names used herein are the properties of their respective owners, and are used for identification purposes only. Private ZENs - 2 -

3 Contents Private Zscaler Enforcement Nodes (ZENs)... 4 Prerequisites... 4 Deployment Options... 5 Outside Corporate Firewall (Recommended)... 6 Using PAC Files... 7 DMZ (Requires Approval from Zscaler)... 8 Internal Network (Requires Approval from Zscaler)... 9 Deploying Private ZENs Requirements Installing Private ZENs Firewall Configuration Requirements Zscaler Maintains the Private ZENs Customer Responsibilities

4 Private Zscaler Enforcement Nodes (ZENs) A key component of the Zscaler cloud, Zscaler Enforcement Nodes (ZENs) are full-featured inline proxies that inspect all web traffic bi-directionally for malware, and enforce security and compliance policies. Each ZEN can handle hundreds of thousands of concurrent users with millions of concurrent sessions. Zscaler has ZENs worldwide to ensure a seamless user experience. An organization can forward its traffic to any ZEN in the world or use the geo-location capability of the Zscaler service to direct its user traffic to the nearest ZEN. Additionally, Zscaler can extend its patented cloud architecture to an organization's premise by providing private ZENs. Private ZENs are installed in an organization s data center and are dedicated to an organization s traffic, but they are managed and maintained by Zscaler Cloud Operations. Zscaler monitors and maintains the private ZENs with near-zero touch from your organization. Private ZENs typically benefit organizations that have certain geo-political requirements or that use applications that require an organization's IP address as the source IP address. Prerequisites Zscaler can deploy private ZENs in locations that meet the following technical requirements: Latency Requirement: Maximum 300ms round trip latency to the Zscaler Central Authority (CA) The location has a total bandwidth to Zscaler of more than 1Gbps, or for locations in remote areas, a total bandwidth of more than 100Mbps. A location must have a minimum of two concurrently active ZENs, preferably connected to the Internet through at least two discrete Internet providers with redundant Internet service capabilities. * Lower bandwidths can be considered by exception

5 Deployment Options Private ZENs are part of the Zscaler cloud. They communicate with other nodes in the cloud, such as the Central Authority (CA) for user authentication and policy updates, and the cloud routers and Nanolog clusters for logging and reporting. Zscaler Cloud Operations also needs remote access to the ZENs for monitoring and maintenance, as well as updates as the cloud expands. Therefore, Zscaler highly recommends that an organization deploy private ZENs outside the corporate firewall. It is the only option that does not require configuration changes to your firewall to accommodate the extensive communication requirements of the ZENs. If the ZENs are installed behind a firewall or ACL, your organization will have to configure your firewall to allow Zscaler cloud communications and remote access to Zscaler Cloud Operations. Following are the three ways in which an organization can deploy private ZENs: Outside the Corporate Firewall (Recommended) In the DMZ (Requires approval from Zscaler) In the internal network (Requires approval from Zscaler) - 5 -

6 Outside Corporate Firewall (Recommended) Zscaler highly recommends that you deploy the private ZENs outside your corporate firewall and send your HTTP/HTTPS traffic through a GRE or IPsec tunnel from your firewall to the private ZENs. It does not require configuration changes to your firewall to accommodate the communication requirements of the private ZENs. (If you use PAC files to forward your traffic to the ZENs, see Using PAC Files.) Requirements Configure GRE or IPsec VPN tunnels to the private ZENs. Send only HTTP/HTTPS traffic to the private ZENs. Send all other traffic directly to the Internet. Send un-nated traffic through the tunnels for visibility into user traffic. (Refer to the GRE Configuration and Interoperability Guide or to the IPsec VPN Configuration and Interoperability Guide.) Configure backup tunnels to private ZENs at another data center or to Zscaler public ZENs for redundancy. Requires multiple public IP addresses per ZEN. (See Requirements.) Benefits No configuration changes to your firewall. Zscaler data center changes will not affect your configuration

7 Using PAC Files Following are some additional requirements if your organization uses PAC files to forward traffic to the private ZENs: If your organization uses PAC files to forward Internet traffic from users in the internal network to the private ZENS, you must configure your corporate firewall to allow devices to retrieve PAC files from the Zscaler PAC servers. (See Firewall Configuration Requirements.) If the PAC files are used only when users are on the road, then this step is not required. When an organization uses private ZENs, Zscaler creates a sub-cloud that maps the domain names GATEWAY.organization_name.zscaler_cloud and SECONDARY_GATEWAY.organization_name.zscaler_cloud to the IP addresses of your private ZENs and any public ZENs that you want to use. This ensures that your web traffic is sent to the specified ZENs only. Therefore, ensure that the PROXY statement in your PAC file specifies ${GATEWAY.organization_name.zscaler_cloud } and ${SECONDARY_GATEWAY.organization_name.zscaler_cloud}. For example: return "PROXY ${ GATEWAY.example.com.zscaler.net }:80; PROXY ${ SECONDARY_GATEWAY.example.com.zscaler.net }:80; DIRECT"; - 7 -

8 DMZ (Requires Approval from Zscaler) If deploying private ZENs outside of your firewall is not a viable option for your organization, then you can install the ZENs in the DMZ of your organization. Note that this can impact firewall performance because, as shown in the diagram below, the Internet traffic is sent through the firewall to the private ZENs in the DMZ, and then through the firewall again to the Internet. This option requires configuration changes to your firewall to allow Zscaler cloud communications. Requirements Configure the firewall to allow the ZENs to communicate with the other nodes in the Zscaler cloud and Zscaler Operations to maintain and monitor the ZENs. Also requires ongoing maintenance as the Zscaler cloud expands. For the firewall requirements, see Firewall Configuration Requirements. Configure a backup tunnel to private ZENs at another data center or to Zscaler public ZENs for redundancy. Requires multiple public IP addresses per ZEN. (See Requirements.) - 8 -

9 Internal Network (Requires Approval from Zscaler) Alternatively, you can install the private ZENs in your internal network, behind your firewall. This option also requires configuration changes to your firewall to allow the Zscaler nodes to communicate with each other and Zscaler Cloud Operations remote access to the private ZENs. Requirements Configure the firewall to allow the ZENs to communicate with the other nodes in the Zscaler cloud and Zscaler Operations to maintain and monitor the ZENs. Also requires ongoing maintenance as the Zscaler cloud expands. For the firewall requirements, see Firewall Configuration Requirements. Configure a backup tunnel to private ZENs at another data center or to Zscaler public ZENs for redundancy. Requires multiple public IP addresses per ZEN. (See Requirements.) - 9 -

10 Deploying Private ZENs Complete the following tasks to deploy private ZENs: 1. Review the deployment options and determine the best one for your environment. See Deployment Options. 2. Ensure that you provide Zscaler with the necessary information. See Requirements. 3. Upon receipt of the private ZENs, install them and inform Zscaler. See Installing Private ZENs. 4. If the private ZENs are deployed in the DMZ of your organization or in your internal network, ensure that your firewall is configured to allow the necessary traffic. Refer to Firewall Configuration Requirements. 5. Zscaler Cloud Operations provisions the ZENs and informs your organization once the ZENs are operational. Zscaler Cloud Operations is responsible for the ongoing maintenance of the private ZENs. (See Zscaler Maintains Private ZENs.) 6. Test the deployment: If authentication is enabled for your location, browse to an external site and verify that the Zscaler service requests your credentials before it allows access to the Internet. Ensure that your policies are enforced. Verify that the service blocks access to a site due to policy. View the Dashboard and check the logs. 7. If your organization uses PAC files to forward traffic to the Zscaler service, edit the PAC files and ensure that the variables that point to the ZENs specify the sub-cloud that Zscaler configured for your organization. If applicable, ensure that your firewall allows the devices from your internal network to reach the Zscaler PAC servers. See Firewall Configuration Requirements

11 Requirements Zscaler offers both single-instance and multi-instance ZENs. A multi-instance ZEN can host up to three ZEN instances and includes a load balancer that distributes traffic evenly across the instances. Each instance processes up to 1 Gbps of HTTP/HTTPS traffic, so a multi-instance ZEN at full capacity can process up to 3 Gbps of HTTP/HTTPS traffic. Zscaler Cloud Operations activates each instance depending on your location's capacity requirements. Before Zscaler Cloud Operations ships the private ZENs, your organization must provide the appropriate number of IP addresses, as follows: Single-instance ZENs require seven IP addresses: three IP addresses per ZEN and an IP address for the virtual IP address (VIP) that the two ZENs share. For multi-instance ZENs, the IP addresses required depends on the number of ZEN instances that are enabled. As shown in the diagram, the first instance requires seven IP addresses: three IP addresses per ZEN and an IP address for the virtual IP address (VIP) that the two ZENs share. Each additional instance requires an IP address. If the ZEN Load Balancer is activated, than an additional IP address for each ZEN is required. So if all three instances are activated, you would need a total of 13 IP addresses. Note that if your organization uses a VPN, then three additional IP addresses are required; one IP address per ZEN and an IP address for the VIP of the VPN

12 Additionally, provide the following network information to Zscaler: Gateway address The IP addresses of your organization s NTP servers. Otherwise, Zscaler will use public NTP servers. The IP addresses of your organization s DNS servers. Otherwise, Zscaler will use public DNS servers. Installation location address and contact details

13 Installing Private ZENs Zscaler ships the private ZENs with a bare operating system installed. The Zscaler software and security certificates are not installed in case there are shipping or transit issues, such as lost or compromised systems. As a result, the ZENs are not ready for service when they are delivered to your site. Upon receipt of the hardware, install the pair of ZENs according to the instructions provided. NOTE: Both ZENs must be installed in the same location. Do the following to install the private ZENs: 1. Rack mount each ZEN using the included rail kit. 2. A ZEN has 1Gbps Ethernet ports and must be connected to a GigE switch. Connect CAT 6 network cables from the ports on the ZENs to a GigE switch. They must all be connected to the same switch. IPMI port: Used for out-of-band management. OS/Management port: Used for network management. Zscaler service port: Used by the Zscaler service for both incoming and outgoing web traffic. It hosts the IP address of a ZEN instance. Load Balancer port: Used in multi-instance ZENs only when the load balancer is enabled. Currently, Zscaler ships single-instance and multi-instance ZENS, depending on the capacity requirements of an organization. The following picture shows the ports in a single instance ZEN: IPMI EM0: Management port EM1: ZEN service port The following picture shows the ports in a multi-instance ZEN: IPMI IGB0: Management port EM0: Load Balancer EM1: ZEN service port EM2: ZEN service port EM3: ZEN service port

14 3. Connect the power cables. Each ZEN must be connected to a different power source. 4. Turn on each ZEN. 5. Send to ops@zscaler.com with Subject: <Your company name> new ZEN ready to be provisioned Once Zscaler receives the from your organization, Zscaler Cloud Operations does the following to provision the private ZENs: Installs the Zscaler software. Activates the ZEN in the Zscaler cloud. Sets up a sub-cloud for the ZENs. Installs the Zscaler security certificates. Activates the proactive monitoring capability. Tests and ensures that the ZENs are ready for service. NOTE: Because the communication requirements of the Zscaler cloud are extensive, if the ZENs are installed behind a firewall or ACL there often are policy/configuration issues on the customer s side that require troubleshooting and delays in the activation of the system

15 Firewall Configuration Requirements Your organization must configure your firewall to allow the necessary traffic: If the private ZENs are deployed in the DMZ of your organization or in your internal network If your organization uses PAC files to forward traffic from your internal network to the private ZENS To view the firewall requirements, log in to the Zscaler service and go to Help > Cloud Configuration Requirements. Review the Firewall Configuration Requirements and Cloud Enforcement Node Ranges sections. For the list of PAC server IP addresses, go to PAC IP Addresses

16 Zscaler Maintains the Private ZENs The ZENs are part of the Zscaler security cloud infrastructure. Therefore, Zscaler is responsible for monitoring, maintaining, and managing the ZENs. It provides optimum service with minimal effort on your part. The Zscaler Operations team maintains the ZENs, as follows: Upgrades or replaces ZENs to maintain the operational standards of Zscaler. Zscaler will ship the hardware to customers, who are then responsible for installing them. Alerts customers when Zscaler requires their assistance, such as when a ZEN needs to be rebooted. Monitors the private ZENs to determine the health of the device in the customer s environment. Maintains the technical refresh status of the private ZENs during the life of the agreement. Provides periodic remote management of the ZENs, including remote upgrades of software, on a schedule in conformance with the standard release and maintenance practices of Zscaler. Customer Responsibilities For Zscaler Cloud Operations to manage the ZENs and ensure their smooth operation, Zscaler requires that an organization do the following: Ensure that the ZENs are not moved from one physical location to another without prior approval from Zscaler. Provide remote connectivity access to the ZENs at all times. Notify Zscaler of any maintenance windows that could impact the ability of Zscaler to establish connectivity to the ZENs. Ensure that ZENs connect to the Zscaler service only and are not used for any other purpose. No additional routes can be configured on the ZEN. Ensure that only Zscaler staff access or service the ZENs. Your organization or any third party cannot make any repair attempts or other changes to the ZENs, unless they have the express approval of Zscaler. Ensure that no one, without the consent of Zscaler, makes any alterations, updates, enhancements, or additions to the ZENs. Assign at least one technical representative and provide contact information to Zscaler. The technical representative will be fully trained, at the customer s expense, and qualified to maintain the integrity of the ZENs at the customer s location. Ensure that someone can respond 24x7 to requests from Zscaler, in case there is an issue with the data center. Manage all network related issues. Use the ZENs only in accordance with instructions prescribed by Zscaler and only with hardware and software provided by Zscaler. Ensure that the ZENs are installed and operated according to applicable Zscaler specifications and recommendations that have been provided to the organization. The ZENs are the property of Zscaler. An organization cannot sell, lease, transfer, or attempt in any other manner to dispose of them

17 Your organization must periodically make and store in a safe place archival copies of all valuable data residing on or affected by the operation or malfunction of the ZENs. These and other requirements are detailed in the ZEN Terms and Conditions that your organization must review and sign before Zscaler ships the ZENs to you organization