We’ve been asked to configure an IPSec VPN to Zscaler Cloud, which is fine, but what if any benefits are there to doing this and not just using the Zscaler agent to tunnel traffic to Zscaler Cloud?
The only real benefit is that you can route egress traffic from things you may not be able to install the Zscaler Client Connector on, e.g. guest Wi-Fi, OT/IoT, server traffic, etc. If you don’t care or those are out of scope, then stick with Client Connector for user traffic. If you are going to use a tunnel, do you have anything you can build a GRE tunnel from? Higher throughput (400 Mbps vs. 1000 Mbps) and better redundancy capabilities (DPD vs. IP SLA)…
https://trust.zscaler.com/zscalertwo.net/posts/18976
Zscaler Trust
Is this on a firewall so you can use it as a gateway for all traffic? Or are you talking IPsec configurations on the client side?
If you’re talking about Zscaler Private Access, I use it to steer IT staff into Azure/AWS to manage and maintain cloud-specific infrastructure. Examples of this include things like managing VM/server infrastructure, managing SQL databases, managing CosmosDB, and managing content on Storage Accounts.
Doing this gives me an RBAC management plane and prevents me from having to publish public IPs for internal resources.
From a user perspective the Client Connector’s a flaky PITA; I would have greatly preferred an OpenVPN profile.
An additional benefit is that you can define bandwidth limits for your site when using a tunnel, so you can, for example, only allow 40 Mbps of your 100 Mbps circuit for web traffic.
One thing to bear in mind when setting up a tunnel is that Zscaler doesn’t recommend routing Client Connector traffic over a tunnel. It can result in poor performance. You can either disable the connector when on the tunnel, or choose to send Client Connector traffic direct and only use the tunnel for non-Client-Connector traffic.
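The two tunnel points raised above (GRE with IP SLA-tracked failover instead of IPsec DPD, and keeping Client Connector traffic off the tunnel so it is not double-encapsulated) can be combined on a site router. The configuration below is an added example for illustration; it is not from any post in this thread and not from Zscaler’s own deployment guides. It assumes a hypothetical Cisco IOS-XE edge router with one ISP uplink, two GRE tunnels to two Zscaler nodes, and a separate direct path for Client Connector traffic. Every address is an RFC 5737 placeholder (the Zscaler node endpoints, the tunnel inside addresses, the ISP next hop and the Zscaler cloud range all come from your own portal and circuit), and the MTU/MSS figures are common starting values, not numbers the thread gives.

```cisco
! Added example (hypothetical router; not from this thread or Zscaler docs).
! Placeholders: 192.0.2.10/.20 = Zscaler GRE endpoints, 172.16.x.x = tunnel
! inside addressing, 203.0.113.1 = ISP next hop, 198.51.100.0/24 = Zscaler
! cloud range that Client Connector talks to. Replace all of them.
!
! --- Plain GRE tunnels (no IPsec), one per Zscaler node ---
interface Tunnel1
 description Primary GRE to Zscaler node A (placeholder address)
 ip address 172.16.1.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0/0
 tunnel destination 192.0.2.10
!
interface Tunnel2
 description Secondary GRE to Zscaler node B (placeholder address)
 ip address 172.16.2.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0/0
 tunnel destination 192.0.2.20
!
! --- Liveness: ICMP probes to the far-end tunnel address of each tunnel ---
ip sla 1
 icmp-echo 172.16.1.2 source-interface Tunnel1
 frequency 5
ip sla schedule 1 life forever start-time now
!
ip sla 2
 icmp-echo 172.16.2.2 source-interface Tunnel2
 frequency 5
ip sla schedule 2 life forever start-time now
!
! Track objects; the delays damp flapping so a single lost probe does not
! move the default route back and forth.
track 1 ip sla 1 reachability
 delay down 15 up 30
track 2 ip sla 2 reachability
 delay down 15 up 30
!
! --- Tracked default routes: Tunnel1 preferred, Tunnel2 as floating backup,
!     direct ISP egress only if both tunnels are down ---
ip route 0.0.0.0 0.0.0.0 Tunnel1 track 1
ip route 0.0.0.0 0.0.0.0 Tunnel2 10 track 2
ip route 0.0.0.0 0.0.0.0 203.0.113.1 20
!
! --- Keep Client Connector traffic out of the GRE tunnel ---
! ZCC already builds its own tunnel to Zscaler; a more specific route to the
! Zscaler cloud range (placeholder prefix) sends that traffic straight to the
! ISP instead of wrapping it in GRE a second time.
ip route 198.51.100.0 255.255.255.0 203.0.113.1
```

After applying this, `show track brief` and `show ip sla statistics` confirm whether each tunnel is considered up, and `show ip route 0.0.0.0` shows which tunnel currently carries the default. The more specific route for the Zscaler cloud range is what implements the “send Client Connector traffic direct” option from the post above; if you choose the other option (disabling the connector when on the tunnel), that route is not needed.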
This. It would be weird if it was on the client (PC) side. Two different use cases: one to connect your gateways to egress to Zscaler, and one to have your roaming devices do the same.
Yeah, agreed; no need to connect via IPsec on a per-client basis, but if this is a gateway then it makes sense.