Monday, January 7, 2019

Zscaler GRE, PBR, and FQDNs

I work for a large US-based company and I was directed to replace our legacy on-premise Blue Coats with Zscaler cloud proxy over the last year or so. I successfully deployed Zscaler but was limited to deploying only via PAC file while using the Zscaler Agent on OSX and laptops. The CISO is happy and I got a bonus for saving us a bunch of money, etc.

However, I hate relying on PAC files for many reasons:

  1. We are still NAT'ing the outbound web traffic on our Juniper Firewalls so I am not getting the true source IP within Zscaler. This breaks IP surrogate and causes issues of course.
  2. Lots of desktop apps don't follow the PAC configuration, especially malware and other threats. The PAC is easily bypassed and other admins know how to remove the config. (Blue Coats are still online and catching this traffic via WCCP.)
  3. Our company pays for dozens of third-party services which require us to hit them with our own public IP addresses rather than Zscaler's. So our PAC file has dozens and dozens of bypasses in it, many of them by IP, which requires the use of dnsResolve(), which causes inefficiencies in the processing of the PAC.
  4. We are moving to O365 soon and I don't trust that it will work reliably with PAC files, especially without IP surrogate in place.

Solution:

We know that GRE tunnels are the answer to most of our problems; however, we need a way to deploy GRE tunnels but still allow for excepting some web traffic from the GRE tunnels using PBR by FQDN rather than IP. We don't own any network devices today that can do this - we are limited to destination IPs only. We are not getting a NGFW anytime soon. One alternative is to continue to use the PAC file to direct traffic by FQDN either to the GRE tunnel or out DIRECT, but this still leaves us with a large portion of both trusted and malicious traffic that will ignore the PAC and follow the default route.

Questions to you guys:

  1. What network devices are you using that can direct traffic into and away from GRE tunnels via FQDN?
  2. What network devices are you using to direct traffic to O365, and how are you keeping up with the IP/URL lists without your users seeing issues?

Thank you!
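Added example, not part of the post and not Zscaler's own PAC: a PAC layout that addresses point 3 above by ordering the cheap, string-only FQDN checks ahead of the single dnsResolve() call that IP-based bypasses need, so a request costs at most one lookup. The PAC built-ins (dnsResolve, dnsDomainIs, shExpMatch, isInNet, isPlainHostName) are stubbed with a constructed DNS table so the file runs under Node for inspection; the browser supplies the real ones. All hostnames, addresses and the gateway name are placeholders.

```javascript
// Constructed stand-ins for the PAC built-ins so this runs outside a browser.
const FAKE_DNS = {                       // hypothetical hosts and addresses
  "intranet.corp.example": "10.20.30.40",
  "vendor-api.example": "203.0.113.10",  // third-party service, bypassed by FQDN
  "legacy-saas.example": "203.0.113.55", // same /24, but only bypassed by IP
  "www.example.com": "198.51.100.7",
};
let dnsResolveCalls = 0;                 // instrumentation: lookups per decision
function dnsResolve(host) { dnsResolveCalls++; return FAKE_DNS[host] || null; }
function dnsDomainIs(host, domain) { return host.endsWith(domain); }
function isPlainHostName(host) { return !host.includes("."); }
function shExpMatch(str, pattern) {
  // Shell-style glob: escape regex metacharacters, then map * and ? to regex.
  const re = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                    .replace(/\*/g, ".*").replace(/\?/g, ".");
  return new RegExp("^" + re + "$").test(str);
}
function ip2int(ip) { return ip.split(".").reduce((a, o) => (a << 8) + Number(o), 0) >>> 0; }
function isInNet(ip, net, mask) {
  // Real isInNet() also accepts a hostname; we only ever hand it an IP or null.
  return ip !== null && (ip2int(ip) & ip2int(mask)) === (ip2int(net) & ip2int(mask));
}

// Placeholder gateway; a production PAC would name the real proxy.
const PROXY = "PROXY zscaler-gateway.example:80; DIRECT";

function FindProxyForURL(url, host) {
  host = host.toLowerCase();

  // 1. Cheapest tests first: no DNS traffic at all.
  if (isPlainHostName(host) || dnsDomainIs(host, ".corp.example")) return "DIRECT";

  // 2. FQDN bypasses for services that must see the corporate public IP.
  //    Pure string matching; keeping these as names avoids dnsResolve().
  const fqdnBypass = ["vendor-api.example", "*.partner-portal.example"];
  for (const pattern of fqdnBypass) if (shExpMatch(host, pattern)) return "DIRECT";

  // 3. Only now pay for dnsResolve(), exactly once, for the IP-based bypasses
  //    that cannot be expressed as names.
  const ip = dnsResolve(host);
  if (isInNet(ip, "10.0.0.0", "255.0.0.0") ||
      isInNet(ip, "203.0.113.0", "255.255.255.0")) return "DIRECT";

  return PROXY;
}

// Wrapper that reports how many lookups a decision cost, for tuning the order.
function decide(url, host) {
  dnsResolveCalls = 0;
  const result = FindProxyForURL(url, host);
  return { result, lookups: dnsResolveCalls };
}
```

Anything that refuses to honour the PAC at all (the traffic in point 2) still follows the default route; the ordering above only shrinks the DNS cost for clients that do use it, and the lookup counter is a quick way to confirm no request ever triggers more than one resolve.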
