Link Search 菜单 Expand 文档

ZScalerInternet Access

配置> Cloud Services > Zscaler Internet Access

Zscaler Internet访问(ZIA)是云安全服务。可以将EdgeConnect流量连接到ZScaler,以进行其他安全检查。乐队为Zscaler提供了IPSEC和GRE隧道模式。

NOTE:GRE隧道不会在Edgeha链接上形成。

NOTE:ZScaler的术语ZEN就是现在Service Edge.

The following table describes the fields on the Zscaler Internet Access tab.

Field 描述
器具 Name of the appliance to connect to Zscaler.
接口标签 要连接到Zscaler的接口的接口标签。
模式 隧道模式(ipsec或者GRE) for Zscaler. The default mode is IPSec.
Gateway Options 您可以为子位置配置子位置和各种规则的功能。网关选项是可选的附加组件。
Bandwidth Upload and download bandwidth speeds (in Mbps) to and from Zscaler.
ZScalerDeployment Status Status of the Zscaler deployment (Creating,待办的, orDeployed)。Deployedindicates successful deployment.
ZScalerService Edges These are the Zscaler endpoints to which the tunnels connect. This field is populated with discovered Public Service Edges based on the appliance’s geographical location.
连接状态 基于隧道和IP SLA状态的ZScaler连接状态。

配置Zscaler

Before you configure Zscaler, you must create a Zscaler account and ensure that you have an established connection with Zscaler.

NOTE:This section represents theautomatedIPSEC,IKE和GRE隧道的配置从EdgeConnect到Zscaler云。要用Zscaler云手动配置隧道,请参阅EdgeConnect and Zscaler IPSec Integration Guideand theEdgeConnect and Zscaler GRE Integration Guide.

Subscription

  1. Go tohttps://help.zscaler.com/zia/sd-wan-api-integration并按照步骤配置您的Zscaler帐户。

  2. 配置Zscaler帐户后,导航到架子环中的Zscaler Internet访问选项卡(配置> Cloud Services > Zscaler Internet Access)。

  3. 点击Subscription按钮。

    订阅对话框打开。

  4. 输入适当的信息以反映您的Zscaler帐户。

    The following table describes the fields.

    Field 描述
    ZScaler Indicates whether you are connected to your Zscaler account.
    ZScaler云 ZScalercloud URL. For example, admin.zscalerthree.net.
    Partner Username 伙伴管理员用户名在配置Zscaler时创建的。
    Partner Password Partner administrator password you created when configuring Zscaler.
    合作伙伴密钥 Partner key you created when configuring your Zscaler account. Select Silver Peak from the list of partners.
    Domain Domain provisioned in Zscaler for your enterprise.
    订阅云ID (可选)子云可以是Zia公共服务边缘的子集,私人服务边缘的子集,Pzens的子集或Zia公共服务边缘和私人服务边缘或Pzens的子集。如果您订阅了这些服务中的任何一项,则必须在此字段中指定子云的名称(例如,美洲),以获取组织的完整服务边缘列表。

    WARNING:因为这是影响服务的,所以仅在维护窗口中配置此ID。这将导致先前建造的隧道被删除和重建。
    配置Polling Interval 指示编排器应多久检查ZScaler中的配置更改。默认的轮询间隔为十分钟。

  5. Click节省. The Zscaler field should indicate连接的.

接口标签s

选择您要流量的主标签。如果主要是无法实现的话,备份标签将被用作第二个选项。

  1. 点击接口标签sZscaler Internet访问选项卡上的按钮。

    The Build Tunnels Using These Interfaces dialog box opens.

  2. 拖the Interface labels you want to use into the Primary and Backup areas in the dialog box.

  3. Click节省.

WARNING:This is service affecting. Any changes to the interface selection can cause previously built tunnels to be deleted and rebuilt.

Tunnel Settings

TheTunnel Settingsbutton opens the Zscaler Tunnel Setting dialog box, enabling you to define the tunnels associated with Zscaler and EdgeConnect. The Mode field on the General tab allows you to selectipsec或者GRE作为指定WAN接口标签的隧道协议。使用ZScaler默认设置用于系统定义的隧道设置。

NOTE:For IPSec mode, you can configure General, IKE, and IPSec tunnel settings. For GRE mode, you can configure General tunnel settings. Settings are automatically generated, but you can change them if you want to.

服务边缘覆盖

您可以覆盖特定站点的自动选择的服务边对。您可以选择将此异常添加到网络中的一个或多个站点。

NOTE:管弦乐队does not support Service Edge Override for GRE tunnels.

  1. 点击服务边缘覆盖Zscaler Internet访问选项卡上的按钮。

    The Service Edge Override dialog box opens.

  2. 输入设备名称,接口标签以及主要和辅助IP地址。乐队将为这些服务边缘建造隧道。

    Field 描述
    器具 覆盖Zscaler服务边缘的设备。
    接口标签 建造隧道的接口标签。
    Primary IP IP address of the primary Zscaler Service Edge.
    Secondary IP 次级Zscaler服务边缘的IP地址。

IP SLA

Configure IP SLA for Zscaler tunnels. This configuration ensures tunnel connectivity and internet availability between Zscaler and Orchestrator. If the tunnel cannot reach Zscaler, the tunnel is considered DOWN.

  1. 点击IP SLAZscaler Internet访问选项卡上的按钮。

    The Zscaler IP SLA Configuration dialog box opens.

  2. If all fields are dimmed, clickEnable IP SLA rule orchestration.

  3. 完成以下字段s.

    Field 描述
    监视器 ping或http/https。
    Address URL to the Zscaler endpoint that the IP SLA subsystem will ping. You can configure up to three addresses.
    Source Interface Select an orchestrated loopback label.

  4. Accept the default values for the remaining fields and click节省.

    管弦乐队builds the tunnels.

国家 /时区

您可以使用Zscaler country / TimeZone对话框将标准的ISO国家代码配置为Zscaler国家枚举,并将标准时区与Zscaler时区枚举一起。点击国家 /时区button on the Zscaler Internet Access tab to open the dialog box. Make changes, and then click节省.

Gateway Options

您可以为Zscaler子位置配置网关选项和规则。乐队使用位置和子位置来更好地定义Zscaler云中的分支站点。子位置是每个分支内的局域网段。可以通过LAN接口,区域或LAN子网集合来识别它们。

Enable Gateway Options

To enable gateway options:

  1. 点击Gateway OptionsZscaler Internet访问选项卡上的按钮。

    ZScaler网关选项对话框打开。

  2. ClickAdd.

    位置 /子位置匹配条件对话框打开。

  3. 输入新规则的名称规则名称field.

    WARNING:如果两个规则具有相同的子站点名称或IP地址,则编排者选择第一个匹配项并考虑规则的顺序。

  4. 通过输入设备名称,区域或组中的位置器具sfield.

  5. 输入WAN标签Location Labelfield.

  6. 如果您选择Sub-Locationcheck box:

    1. Enter the sub-location name in theNamefield.

    2. 输入子网地址(LAN标签,防火墙区域或子网)Internal IPsfield.

  7. Click节省.

    NOTE:可以使用这些接口对话框将子位置应用于在构建隧道中选择的所有WAN链接(通过单击ZScaaler Internet访问选项卡上的接口标签按钮访问)。

如果您选择显示子位置复选框在ZScaler Internet访问选项卡上,在网关选项中配置的子位置显示在Zscaler表中。

Configure Bandwidth Control

You can set up bandwidth controls for your Zscaler sub-locations configured in Gateway Options. Select from bandwidth control options that use fixed amounts of bandwidth, inherit bandwidth values from parent locations, or use percentages of deployment bandwidth.

  1. 点击Gateway OptionsZscaler Internet访问选项卡上的按钮。

    ZScaler网关选项对话框打开。

  2. 在表中,找到要配置带宽控件的规则名称行,然后单击链接的文本Gateway Optionscolumn.

    打开ZScaler网关选项和带宽控制对话框。

  3. 从该选项中选择以下选项之一Bandwidth Control下拉列表:

    Bandwidth Control Option 描述
    离开 请勿使用带宽控件。这是默认设置。
    Fixed bandwidth Use fixed amounts of bandwidth for the sub-location. Specify amounts for download and upload in Mbps.
    Inherit (parent) location bandwidth 继承父位置的带宽值。
    Use deployment WAN label bandwidth Use percentages of the deployment WAN label’s bandwidth. Specify amounts for download and upload as percentages. Each specified percentage cannot exceed 100%. Orchestrator will automatically translate percentages into Mbps and send them to Zscaler. Sub-locations will use these values as percentages of deployment bandwidth.

  4. Click节省.

    “更改网关选项”对话框打开。

    WARNING:Changing Gateway Options is service affecting. Make changes during a maintenance window.

  5. Click更改网关选项.

    您的更改应用于编排和Zscaler。这个过程需要时间才能完成。

ZScaler协会

The final step to configure the integration in Orchestrator is to associate EdgeConnect appliances to Zscaler.

  1. 在编排设备树中,选择一个或多个电器与Zscaler关联。

  2. 点击ZScaler协会Zscaler Internet访问选项卡上的按钮。

    ZScaler设备协会对话框打开。

  3. In the table, select one or more appliances you want to associate with Zscaler, and then select theAddcheck box.

    选择消除check box to remove Zscaler association from selected appliances in the table.

  4. 验证更改,然后单击节省.

Pause Orchestration

故障排除时,您可以单击Pause Orchestrationand save to pause orchestration. To restart, clickResume Orchestration.

Using Zscaler for Breakout Traffic

最后,您需要在至少一个业务意图覆盖分组流量策略中选择ZScaler服务以引导流量。

  1. Navigate to the Business Intent Overlays tab in Orchestrator (配置>覆盖层和安全>业务意图覆盖)。

  2. 单击将流量淘汰到Zscaler的覆盖层。

    打开“覆盖配置”对话框。

  3. 点击Breakout Traffic to Internet & Cloud Servicestab.

  4. ZScaler云来自可用的政策column to thePreferred Policy Ordercolumn.

验证Zscaler部署

配置ZScaler Internet访问后,部署将自动开始。导航到Zscaler Internet访问选项卡以验证成功的部署。Zscaler部署状态列应具有绿色状态Deployed, and the Connection status column should have a green status ofUp. The Connection Status column indicates the status of the Zscaler connection based on tunnel and IP SLA statuses.

NOTE:ZScaler由基于Zscaler设备协会对话框的设备进行部署和精心策划。业务意图叠加层(BIOS)用于将突破性的互联网政策配置为Zscaler。这用于自动负载分配和故障转移。

You can also verify that your Zscaler tunnels have been successfully deployed on the Tunnels tab. The Passthrough Tunnel column should list your Zscaler tunnels, and the Status column should have a green status of向上 - 活动.

Back to top

© Copyright 2022 Hewlett Packard Enterprise Development LP. The information contained herein is subject to change without notice. The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein. Aruba Networks and the Aruba logo are registered trademarks of Aruba Networks, Inc. Third-party trademarks mentioned are the property of their respective owners. To view the end-user software agreement, go toAruba EULA.

Baidu