Zscaler and AWS Deployment Guide


ZSCALER AND AWS DEPLOYMENT GUIDE
OCTOBER 2021, VERSION 2.0
BUSINESS DEVELOPMENT GUIDE

Contents

Terms and Acronyms
About This Document
  Zscaler Overview
  AWS Overview
  Audience
  Software Versions
  Request for Comments
Zscaler and AWS Introduction
  Zscaler Overview
  Zscaler Internet Access (ZIA) Overview
  Zscaler Resources
  Amazon Workspaces Overview
  AWS Resources
Amazon Workspaces and Forwarding Traffic to ZIA
  Zscaler Client Connector
  PAC Files
AWS Site-to-Site VPN
  Identifying the Zscaler VPN Endpoint
  Create a Customer Gateway
  Create a Site-to-Site VPN Connection
  Configure Zscaler Internet Access
  Configure Routing for Site-to-Site VPN Connection
  Example testing
Appendix A: Installing Zscaler Certificate on Windows
Appendix B: AWS Transit Gateway (TGW) Lab Environment
Appendix C: Requesting Zscaler Support
  Gather Support Information
  Save Company ID
  Enter Support Section

2021 Zscaler, Inc. All rights reserved.

Terms and Acronyms

Acronym   Definition
CA        Central Authority (Zscaler)
CSV       Comma-Separated Values
DPD       Dead Peer Detection (RFC 3706)
GRE       Generic Routing Encapsulation (RFC 2890)
IKE       Internet Key Exchange (RFC 2409)
IPSec     Internet Protocol Security (RFC 2411)
PFS       Perfect Forward Secrecy
PSK       Pre-Shared Key
SSL       Secure Socket Layer (RFC 6101)
XFF       X-Forwarded-For (RFC 7239)
ZIA       Zscaler Internet Access (Zscaler)
ZEN       Zscaler Enforcement Node (Zscaler)
ZPA       Zscaler Private Access (Zscaler)

About This Document

Zscaler Overview

Zscaler (Nasdaq: ZS) enables the world's leading organizations to securely transform their networks and applications for a mobile and cloud-first world. Its flagship Zscaler Internet Access (ZIA) and Zscaler Private Access (ZPA) services create fast, secure connections between users and applications, regardless of device, location, or network. Zscaler delivers its services 100% in the cloud and offers the simplicity, enhanced security, and improved user experience that traditional appliances or hybrid solutions can't match. Used in more than 185 countries, Zscaler operates a massive, global cloud security platform that protects thousands of enterprises and government agencies from cyberattacks and data loss. For more information on Zscaler, visit www.zscaler.com or follow Zscaler on Twitter @zscaler.

AWS Overview

Amazon Web Services (AWS) (Nasdaq: AMZN) is the world's most comprehensive and broadly adopted cloud platform, offering over 200 fully featured services from data centers globally. Millions of customers, including the fastest-growing startups, largest enterprises, and leading government agencies, are using AWS to lower costs, become more agile, and innovate faster. For more information on AWS, visit aws.amazon.com.

Audience

This guide is for network administrators, endpoint and IT administrators, and security analysts responsible for deploying, monitoring, and managing enterprise security systems.

For additional product and company resources, please refer to:

- Appendix C: Requesting Zscaler Support
- Zscaler Resources
- AWS Resources

Software Versions

This document was authored using the latest version of Zscaler Internet Access, 6.1.

Request for Comments

- For Prospects and Customers: We value reader opinions and experiences. Please contact us at partner-docsupport@zscaler.com to offer feedback or corrections for this guide.
- For Zscaler Employees: Contact z-bd-sa@zscaler.com to reach the team that validated and authored the integrations in this document.

Zscaler and AWS Introduction

Zscaler Overview

Overviews of the Zscaler and AWS applications are described in this section.

Zscaler Internet Access (ZIA) Overview

Zscaler Internet Access (ZIA) is a secure Internet and web gateway delivered as a service from the cloud. Think of ZIA as a secure Internet on-ramp: just make Zscaler your next hop to the Internet via one of the following methods:

- Setting up a tunnel (GRE or IPSec) to the closest Zscaler data center (for offices).
- Forwarding traffic via our lightweight Zscaler Client Connector or PAC file (for mobile employees).

No matter where users connect (a coffee shop in Milan, a hotel in Hong Kong, or a VDI instance in South Korea) they get identical protection. ZIA sits between your users and the Internet and inspects every transaction inline across multiple security techniques (even within SSL). You get full protection from web and Internet threats.

The Zscaler cloud platform supports Cloud Firewall, IPS, Sandboxing, DLP, CASB, and Browser Isolation, allowing you to start with the services you need now and activate others as your needs grow.

Zscaler Resources

The following table contains links to Zscaler resources based on general topic areas.

Name                                 Definition
ZIA Help Portal                      Help articles for ZIA.
ZIA Test Page                        Provides information on your Zscaler cloud.
Zscaler Tools                        Troubleshooting, security and analytics, and browser extensions that help Zscaler determine your security needs.
Zscaler Training and Certification   Training designed to help you maximize Zscaler products.
Submit a Zscaler Support Ticket      Zscaler support portal for submitting requests and issues.

Amazon Workspaces Overview

Amazon Workspaces is a fully managed desktop virtualization service for Windows and Linux that enables you to access resources from any supported device. With Amazon Workspaces, you can:

- Onboard contingent workers. Easily assign and remove desktops for contractors while keeping your sensitive data secure in the cloud.
- Facilitate remote work. Enable work-from-home and remote workers to access fully functional Windows and Linux desktops from any location.
- Run powerful desktops. Provide high-performance desktops for developers and engineers to store and access proprietary models, designs, and code.
- Let contact center agents work from anywhere. Enable contact center agents to work from anywhere with a secure, easy-to-use agent experience.

AWS Resources

The following table contains links to AWS support resources.

Name                                      Definition
Amazon Workspaces                         Help documentation for Amazon Workspaces.
Amazon Workspaces Clients                 Help documentation for Amazon Workspaces clients.
Amazon Workspaces Administration Guide    Workspaces administration guide.
Workspaces Bring Your Own License         Help documentation for third-party licenses.
AWS Site-to-Site VPN Connection           Help documentation for Amazon site-to-site VPN connections.
AWS Transit Gateway                       Help documentation for Amazon transit gateway connections.
AWS Customer Gateway                      Help documentation for Amazon customer gateway connections.
AWS CLI                                   Help documentation for Amazon CLI.

Amazon Workspaces and Forwarding Traffic to ZIA

Amazon Workspaces provides a cloud-based desktop environment using either Microsoft Windows 10 (Server 2016 or Server 2019) or Amazon Linux. Amazon supports Workspaces clients for several different platforms. For information on setting up Amazon Workspaces, please refer to the Amazon Workspaces Administration Guide.

Each Workspaces OS has the Firefox browser installed, while Windows Server 2016 and Server 2019 also have IE installed, for accessing the Web. Zscaler supports several traffic forwarding options for forwarding traffic to the Zscaler Internet Access (ZIA) service, including Zscaler Client Connector, PAC Files, and IPSec tunnels. Here's how those options apply to Workspaces.

Zscaler Client Connector

Currently, the default Workspaces OSes don't support Zscaler Client Connector. Amazon does support Microsoft Windows 10 Desktop within Workspaces using their Bring Your Own License option, which is supported by Zscaler Client Connector.

PAC Files

Any current browser can be configured to use a PAC file to forward traffic through a proxy such as ZIA. To uniquely identify Workspaces traffic for more granular policy control in ZIA, it is recommended you either use a custom PAC file with a Dedicated Proxy Port and corresponding Location, or define a location using the Elastic IP associated with Workspaces. This location can then be used as part of the criteria to make policy decisions for Workspaces web traffic.

Information on configuring a browser to use a PAC File can be found on the Zscaler help portal, including both default browsers, Internet Explorer and Firefox. By default, Firefox in Windows on Workspaces is configured to use the same system proxy settings as IE. However, the two browsers handle installing a Certificate for SSL Interception differently: IE uses the system default certificate store, and Firefox uses its own certificate store. SSL interception is an option, using the Zscaler Intermediate Certificate or a Custom Intermediate Root Certificate. For information on installing the Zscaler certificate for IE, please refer to Appendix A: Installing Zscaler Certificate on Windows.

By default, IE (in the Workspaces Windows Server OS) has Enhanced Security Configuration enabled, and the following message appears when IE is first started.

Figure 1. IE Enhanced Security Message

To disable the Enhanced Security Configuration and allow ZIA to provide protection instead, start Server Manager and select Local Server. For the IE Enhanced Security Configuration option, click on On to change the setting.

Figure 2. Server Manager local server configuration, enhanced security On

Turn both settings Off and click the OK button to save.

Figure 3. IE Enhanced Security Configuration

The new setting for the IE Enhanced Security Configuration option should now show as Off.

Figure 4. Server Manager local server configuration, enhanced security Off

AWS Site-to-Site VPN

AWS can send traffic from a VPC to a remote gateway via a Site-to-Site VPN Connection using IPSec tunnels. This feature routes all traffic from a VPC, such as a Workspaces VPC, to a Zscaler Internet Access Public Service Edge with the following caveats:

- An AWS Site-to-Site VPN provides redundant tunnels to the same destination. Zscaler recommends that the redundant tunnels use two geographically disparate data centers for failover.
- An AWS Site-to-Site VPN does not support NULL encryption for Phase 2, which requires the Zscaler Encrypted VPN subscription option to allow encrypted IPSec tunnels.
- An AWS Site-to-Site VPN does not support the Zscaler recommended Security Associations (SA) lifetime values.

An AWS Site-to-Site VPN Connection can use either a Virtual Private Gateway or a Transit Gateway. In this section, we use a Transit Gateway design, but the configuration for the Site-to-Site VPN Connection is the same. Please refer to Appendix B: AWS Transit Gateway (TGW) Lab Environment for a lab environment that can be used for testing.

Identifying the Zscaler VPN Endpoint

First, you must determine the VPN endpoint to be used in the Zscaler cloud by going to https://config.zscaler.com/ and selecting your cloud at the top (e.g., zscaler.net). In the Cloud Enforcement Node Ranges list, locate the data center location closest to your AWS region and resolve the VPN Host Name to obtain the IP address to use when configuring the AWS VPN Customer Gateway.

Figure 5. Cloud Enforcement Node Ranges list

To resolve the hostname, use nslookup from the command line, as shown in this example:

    nslookup chi1-2-vpn.zscaler.net
    Non-authoritative answer:
    Name:    chi1-2-vpn.zscaler.net
    Address: 165.225.56.14

Alternatively, you can use Method 2 as described on the SD-WAN API Integration for IPSec VPN Tunnel Provisioning page. Using your Elastic IP address, you can get an automated determination of the closest Zscaler Data Center location to the AWS region. Using the following URL (with your Zscaler cloud and AWS Elastic IP substituted for <Zscaler Cloud> and <Elastic IP>), the primaryIp value returned is the Zscaler VPN endpoint to use.

    https://pac.<Zscaler Cloud>.net/getVpnEndpoints?srcIp=<Elastic IP>

To fetch the endpoints, use curl from the command line as shown in the following example:

    curl "https://pac.zscaler.net/getVpnEndpoints?srcIp=3.20.82.111"
    {
      "primaryIp": "165.225.56.14",
      "primaryMeta": {
        "region": "NorthAmerica",
        "country": "United States",
        "city": "Chicago",
        "dcName": "CHI1",
        "latitude": 41.000000,
        "longitude": -87.000000
      },
      "secondaryIp": "104.129.194.33",
      "secondaryMeta": {
        "region": "NorthAmerica",
        "country": "United States",
        "city": "Washington, DC",
        "dcName": "WAS1",
        "latitude": 39.000000,
        "longitude": -77.000000
      },
      "tertiaryIp": "165.225.208.18",
      "tertiaryMeta": {
        "region": "NorthAmerica",
        "country": "Canada",
        "city": "Toronto",
        "dcName": "YTO3",
        "latitude": 44.000000,
        "longitude": -79.000000
      }
    }

Create a Customer Gateway

After logging into your AWS management console, select VPC Service. On the AWS portal VPC Service page select Customer Gateways under the Virtual Private Network (VPN) section and click on the Create Customer Gateway button.

Figure 6. AWS Create Customer Gateway

On the Create Customer Gateway screen, enter a name for your Customer Gateway, select Static for Routing, enter the IP address for your closest Zscaler VPN endpoint (determined above), and then click on the Create Customer Gateway button at the bottom.

Figure 7. AWS Create Customer Gateway configuration
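As an added example (not from the Zscaler guide), the following Python script parses a getVpnEndpoints response of the shape shown above and picks the two data centers for the tunnel pair, applying the guide's advice that the redundant tunnels use two geographically disparate data centers. The response is a constructed sample mirroring the one above, and the nslookup result is passed in only to cross-check the primary.

```python
"""Pick two Zscaler VPN endpoints from a getVpnEndpoints response.

Added example, not part of the Zscaler guide. SAMPLE_RESPONSE is constructed
to mirror the response shape shown above (primary/secondary/tertiary IPs with
matching *Meta blocks).
"""
import json

# Constructed sample, copied in shape from the response shown above.
SAMPLE_RESPONSE = json.dumps({
    "primaryIp": "165.225.56.14",
    "primaryMeta": {"region": "NorthAmerica", "country": "United States",
                    "city": "Chicago", "dcName": "CHI1",
                    "latitude": 41.0, "longitude": -87.0},
    "secondaryIp": "104.129.194.33",
    "secondaryMeta": {"region": "NorthAmerica", "country": "United States",
                      "city": "Washington, DC", "dcName": "WAS1",
                      "latitude": 39.0, "longitude": -77.0},
    "tertiaryIp": "165.225.208.18",
    "tertiaryMeta": {"region": "NorthAmerica", "country": "Canada",
                     "city": "Toronto", "dcName": "YTO3",
                     "latitude": 44.0, "longitude": -79.0},
})

TIERS = ("primary", "secondary", "tertiary")


def parse_endpoints(body):
    """Return the candidate endpoints in preference order as (ip, dcName, city)."""
    data = json.loads(body)
    endpoints = []
    for tier in TIERS:
        ip = data.get(tier + "Ip")
        meta = data.get(tier + "Meta", {})
        if ip:
            endpoints.append((ip, meta.get("dcName", ""), meta.get("city", "")))
    return endpoints


def select_tunnel_endpoints(body, resolved_primary=None):
    """Choose the two Zscaler endpoints for the AWS tunnel pair.

    Tunnel 1 takes the primary endpoint; Tunnel 2 takes the first lower-tier
    endpoint in a different data center, so a data-center outage does not take
    both tunnels down. If resolved_primary (the nslookup result) is given it
    must agree with primaryIp, otherwise the two lookup methods disagree and
    the customer gateway address should be re-checked before use.
    """
    endpoints = parse_endpoints(body)
    if not endpoints:
        raise ValueError("response contains no endpoints")
    primary = endpoints[0]
    if resolved_primary and resolved_primary != primary[0]:
        raise ValueError("nslookup result %s does not match primaryIp %s"
                         % (resolved_primary, primary[0]))
    for candidate in endpoints[1:]:
        if candidate[1] != primary[1]:
            return primary[0], candidate[0]
    raise ValueError("no backup endpoint in a different data center")


if __name__ == "__main__":
    print(select_tunnel_endpoints(SAMPLE_RESPONSE, "165.225.56.14"))
```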

Create a Site-to-Site VPN Connection

On the VPC Service page select Site-to-Site VPN Connections under the Virtual Private Network (VPN) section and click on the Create VPN Connection button.

Figure 8. AWS Site-to-Site VPN Connections

On the Create VPN Connection screen:

1. Enter a Name tag for your VPN Connection.
2. Select Transit Gateway for the Target Gateway Type.
3. Select your Transit Gateway. Select the Customer Gateway you just created under Customer Gateway ID.
4. Select Static for Routing Options.

Figure 9. AWS Create VPN Connection configuration

Next, scroll down to Advanced Options for Tunnel 1 and select Edit Tunnel 1 Options and set the following options to only these values:

- Phase 1 Encryption Algorithms: AES256
- Phase 2 Encryption Algorithms: AES256
- Phase 1 Integrity Algorithms: SHA2-256
- Phase 2 Integrity Algorithms: SHA2-256
- Phase 1 DH Group Numbers: 14
- Phase 2 DH Group Numbers: 14
- IkeVersion: ikev2
- DPD Timeout Action: Restart
- Startup Action: Start

Figure 10. AWS advanced tunnel options (Tunnel 1)

Next, scroll down to Advanced Options for Tunnel 2 and select Edit Tunnel 2 Options and set the same options and values as Tunnel 1.

Figure 11. AWS advanced tunnel options (Tunnel 2)

Then click on the Create VPN Connection button at the bottom. This automatically creates a Transit Gateway Attachment; the Name tag is empty, but Resource type is set to VPN. You should name the attachment (something like VPN-Attachment) for ease of identification later.

Select your newly created VPN Connection and click on the Tunnel Details tab to see the Elastic IPs assigned to the tunnels in the Outside IP Addresses column. Notice that the Status is currently DOWN because you still need to configure the Zscaler side.

Figure 12. AWS Site-to-Site Connection Tunnel Details
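The tunnel settings above, as an added example that is not part of the guide: a Python script that emits an --options document for aws ec2 create-vpn-connection with exactly those values for both tunnels, and audits a tunnel's options for anything left enabled beyond them. It assumes the option names of the EC2 API's VpnTunnelOptionsSpecification (Phase1EncryptionAlgorithms, IKEVersions, DPDTimeoutAction, StartupAction and so on); check them against the AWS CLI reference for your CLI version before use.

```python
"""Build and audit AWS Site-to-Site VPN tunnel options for the ZIA tunnels.

Added example, not part of the Zscaler guide. Option names assume the EC2
API's VpnTunnelOptionsSpecification; verify against the AWS CLI reference.
"""
import json

# The exact values the guide asks for on both tunnels (Figures 10 and 11).
REQUIRED = {
    "Phase1EncryptionAlgorithms": {"AES256"},
    "Phase2EncryptionAlgorithms": {"AES256"},
    "Phase1IntegrityAlgorithms": {"SHA2-256"},
    "Phase2IntegrityAlgorithms": {"SHA2-256"},
    "Phase1DHGroupNumbers": {14},
    "Phase2DHGroupNumbers": {14},
    "IKEVersions": {"ikev2"},
}
REQUIRED_SCALARS = {"DPDTimeoutAction": "restart", "StartupAction": "start"}


def tunnel_options():
    """One tunnel's options in the list-of-{Value: ...} form the API uses."""
    opts = {name: [{"Value": v} for v in sorted(values)]
            for name, values in REQUIRED.items()}
    opts.update(REQUIRED_SCALARS)
    return opts


def vpn_options_document():
    """Full --options payload: both tunnels get identical settings."""
    return json.dumps({"TunnelOptions": [tunnel_options(), tunnel_options()]},
                      indent=2)


def audit_tunnel(opts):
    """Return a list of deviations from the guide's required values.

    Any extra algorithm or DH group in a list is reported: AWS negotiates
    whatever both peers allow, so a leftover weaker option widens what the
    tunnel may actually use.
    """
    problems = []
    for name, wanted in REQUIRED.items():
        got = {item["Value"] for item in opts.get(name, [])}
        if got != wanted:
            problems.append("%s: got %s, want %s"
                            % (name, sorted(got, key=str), sorted(wanted, key=str)))
    for name, wanted in REQUIRED_SCALARS.items():
        if opts.get(name) != wanted:
            problems.append("%s: got %r, want %r" % (name, opts.get(name), wanted))
    return problems


# Constructed example of a tunnel where a weaker cipher and DH group were left
# enabled alongside the required ones and DPD was left at a non-restart action.
WEAK_TUNNEL = {
    "Phase1EncryptionAlgorithms": [{"Value": "AES128"}, {"Value": "AES256"}],
    "Phase2EncryptionAlgorithms": [{"Value": "AES256"}],
    "Phase1IntegrityAlgorithms": [{"Value": "SHA2-256"}],
    "Phase2IntegrityAlgorithms": [{"Value": "SHA2-256"}],
    "Phase1DHGroupNumbers": [{"Value": 2}, {"Value": 14}],
    "Phase2DHGroupNumbers": [{"Value": 14}],
    "IKEVersions": [{"Value": "ikev2"}],
    "DPDTimeoutAction": "clear",
    "StartupAction": "start",
}

if __name__ == "__main__":
    print(vpn_options_document())
    for line in audit_tunnel(WEAK_TUNNEL):
        print("WEAK_TUNNEL:", line)
```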

Click on the Download Configuration button at the top and choose Generic for the Vendor, ikev2 for the Ike Version, and click the Download button to download the configuration.

Locate the Pre-Shared Keys for Tunnel 1 and Tunnel 2 in the downloaded file. The Elastic IPs for the tunnels and their corresponding Pre-Shared Keys are needed in the next section.

Figure 13. Downloaded tunnel configuration

Configure Zscaler Internet Access

In the ZIA Admin Portal, go to Administration > Static IPs & GRE Tunnels > Add Static IP. For Static IP Address enter the Outside IP Address for Tunnel 1 and a description and click Next.

Figure 14. Add Static IP Configuration page

Verify that the geographic location makes sense based on your AWS region and click Next and then Save. If the geographic location is not accurate, you can manually set it by City or Latitude and Longitude. Repeat for the Tunnel 2 IP.

Figure 15. Static IP location

Next go to Administration > VPN Credentials > Add VPN Credentials.

1. For Authentication Type select IP.
2. Select your AWS Tunnel 1 IP address in the pull-down menu.
3. Paste the associated Pre-Shared Key in the New Pre-Shared Key and Confirm New Pre-Shared Key fields.
4. Add a comment.
5. Click Save.

Repeat for the second tunnel IP and associated Pre-Shared Key.

Figure 16. Add VPN Credentials

Next go to Administration > Location Management > Add Location. At a minimum, provide:

- A Name for the location
- A Location Type (required)
- Select the Tunnel 1 IP address under both the Static IP Addresses and GRE Tunnels and the VPN Credentials pull-down menus.
- Click Save.

Repeat for the Tunnel 2 IP and then Activate the changes.

Zscaler does not respond to tunnel initiation requests from AWS until the location configuration is activated.

Figure 17. Add location configuration page

To verify that the tunnels are established, go to Analytics > Tunnel Insights > Logs > Apply Filters. After a short period of time (you may need to refresh a few times) both tunnels should show as up (IPSec tunnel up) in the Tunnel Status column.

If needed, add a filter for the AWS tunnel locations to limit the number of logs returned.

Figure 18. Tunnel Insights Logs page

On the AWS portal in the Site-to-Site VPN Connection section under the Tunnel Details tab for your VPN Connection, the Status should now show UP as well.

Figure 19. AWS Site-to-Site Connection Tunnels Details

Configure Routing for Site-to-Site VPN Connection

You now need to route traffic to and from the active tunnels for your VPCs before traffic is sent to ZIA.

On the AWS portal VPC Service page under Transit Gateway Route Tables, click on the Create transit gateway route table button. Create a Transit Gateway route table for the VPN connection with an appropriate Name and select the Transit gateway ID from the drop-down menu and click on the Create transit gateway route table button.

Figure 20. AWS Create transit gateway route table

Note: The Transit gateway ID drop-down menu was broken for me, so I used the AWS CLI to create a Transit Gateway Route Table for my Transit Gateway ID:

    aws ec2 create-transit-gateway-route-table --region us-east-2 \
      --transit-gateway-id <Your Transit gateway ID> \
      --tag-specifications "ResourceType=transit-gateway-route-table,Tags=[{Key=Name,Value=VPN-RouteTable}]"

Once the state of the newly created VPN Transit Gateway Route Table is Available, select it and click on the Associations tab and create an association by clicking on the Create association button.

Select your VPN attachment in the drop-down menu under Choose attachment to associate and then click the Create association button.

Note: If you named the attachment earlier, look for that name.

Figure 21. AWS Create associations page

Next click on the Routes tab and add a static route for the VPC subnet CIDR range you want to send through the VPN tunnels to ZIA. Choose the appropriate Transit Gateway attachment for that VPC subnet from the Choose attachment drop-down menu and click Create static route. Repeat for any other VPCs that send their traffic through the VPN tunnels to ZIA.

This allows the traffic returning from the VPN tunnels to flow back to the subnet that initiated the traffic via the associated attachment.

As an example, if you are using the lab environment from Appendix B: AWS Transit Gateway (TGW) Lab Environment, the following routes would need to be added for the App1 and App2 VPCs.

Figure 22. AWS Create static route details

Next, you should change your App VPC route table's default route to point to the VPN Attachment instead of the Egress VPC.

As an example, if you are using the lab environment from Appendix B: AWS Transit Gateway (TGW) Lab Environment, the following default route attachment would need to be replaced to point to the VPN attachment.

Figure 23. AWS Replace static route details

Note: If you are using the lab environment from Appendix B: AWS Transit Gateway (TGW) Lab Environment, you need to add a route for 192.168.0.0/16 in your App VPC route table pointing to the Egress-Attachment to allow traffic back to the Bastion host before you can connect to the App EC2 instances from the Bastion host (otherwise the default route would send it through the VPN tunnels).
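As an added example (not from the guide), the following Python check encodes the routing rules this section lays out: every App VPC has a return route in the VPN transit gateway route table, its default route points at the VPN attachment rather than the Egress VPC, and the 192.168.0.0/16 Bastion range still goes to the Egress attachment. The attachment ids and App VPC CIDRs are constructed placeholders, since the lab diagram is not reproduced here.

```python
"""Check a Transit Gateway route plan for the Site-to-Site VPN to ZIA.

Added example, not from the Zscaler guide. Attachment ids and App VPC CIDRs
are constructed placeholders; 192.168.0.0/16 is the Bastion range the guide
names in its note.
"""
import ipaddress

# Constructed lab: attachment ids and VPC CIDRs are placeholders.
VPN_ATTACHMENT = "tgw-attach-VPN-PLACEHOLDER"
EGRESS_ATTACHMENT = "tgw-attach-EGRESS-PLACEHOLDER"
APP_VPCS = {
    "App1": ("10.1.0.0/16", "tgw-attach-APP1-PLACEHOLDER"),
    "App2": ("10.2.0.0/16", "tgw-attach-APP2-PLACEHOLDER"),
}
BASTION_CIDR = "192.168.0.0/16"


def lookup(routes, dst_ip):
    """Longest-prefix match over a {cidr: attachment} table; None if no route."""
    ip = ipaddress.ip_address(dst_ip)
    best = None
    for cidr, attachment in routes.items():
        net = ipaddress.ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, attachment)
    return best[1] if best else None


def check_route_plan(vpn_table, app_tables):
    """Return the routing problems this section warns about, as strings.

    vpn_table:  {cidr: attachment} routes in the VPN transit gateway route table
    app_tables: {vpc_name: {cidr: attachment}} routes in each App VPC's table
    """
    problems = []
    for name, (cidr, attachment) in APP_VPCS.items():
        # Return traffic from the tunnels must reach the VPC that sent it.
        first_host = str(ipaddress.ip_network(cidr)[1])
        if lookup(vpn_table, first_host) != attachment:
            problems.append("%s: VPN route table has no return route for %s"
                            % (name, cidr))
        table = app_tables.get(name, {})
        # Internet-bound traffic must enter the tunnels, not the Egress VPC.
        if lookup(table, "8.8.8.8") != VPN_ATTACHMENT:
            problems.append("%s: default route does not point to the VPN attachment"
                            % name)
        # Bastion traffic must bypass the tunnels or access from the Bastion breaks.
        if lookup(table, "192.168.0.10") != EGRESS_ATTACHMENT:
            problems.append("%s: %s is not routed to the Egress attachment"
                            % (name, BASTION_CIDR))
    return problems


def guide_route_plan():
    """The two tables as this section leaves them once every step is done."""
    vpn_table = {cidr: att for cidr, att in APP_VPCS.values()}
    app_tables = {name: {"0.0.0.0/0": VPN_ATTACHMENT, BASTION_CIDR: EGRESS_ATTACHMENT}
                  for name in APP_VPCS}
    return vpn_table, app_tables


if __name__ == "__main__":
    print(check_route_plan(*guide_route_plan()) or "route plan OK")
```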

Now you can test from an EC2 instance in the App VPC that is now routing through the Site-to-Site VPN Connection to Zscaler Internet Access.

Example testing

The following is a quick test to determine the source IP that can be done using curl and the JSON output from ip.zscaler.com.

Testing from an EC2 instance in the App VPC with the default route pointing to the Egress attachment (the clientip shown is the egress Elastic IP):

    curl <ip.zscaler.com JSON URL>
    {... "clientip":"3.20.82.111"}

Testing from an EC2 instance in the App VPC with the default route pointing to the VPN attachment (the clientip is the Tunnel 1 Outside IP address):

    curl <ip.zscaler.com JSON URL>
    {... ":"zsn-chi1-4e1 ... "clientip":"3.141.109.232"}

Appendix A: Installing Zscaler Certificate on Windows

Download the Zscaler Intermediate Root Certificate to the Windows system and navigate to it in Explorer.

Figure 24. Root Certificate in Windows Explorer

Double click on the certificate file and click on the Open button.

Figure 25. Windows File Warning

Click on the Install Certificate button on the Certificate Information page.

Figure 26. Windows certificate install dialog

Select Current User as the Store Location in the Import Wizard and click Next.

Figure 27. Windows certificate store location install dialog

Select Place all certificates in the following store and click Browse to select Trusted Root Certification Authorities for the Certificate Store, click Next, and then click Finish.

Figure 28. Windows certificate install finish

Appendix B: AWS Transit Gateway (TGW) Lab Environment

The following GitHub page details a Transit Gateway lab based on an example AWS blog post, with an included diagram and CloudFormation template. This can be used to test the Site-to-Site VPN Connection. Instructions on testing can be found on the AWS blog post.

Transit Gateway lab on GitHub

Transit Gateway lab environment diagram:

Figure 29. Example transit gateway lab diagram

Appendix C: Requesting Zscaler Support

Gather Support Information

You might need Zscaler support for provisioning certain services, or to help troubleshoot configuration and service issues. Zscaler support is available 24/7, year-round. To contact Zscaler support, select Administration > Settings > Company profile.

Figure 30. Collecting details to open support case with Zscaler TAC

Save Company ID

Copy your Company ID.

Figure 31. Company ID

Enter Support Section

With your company ID information, you can open a support ticket. Navigate to Dashboard > Support > Submit a Ticket.

Figure 32. Submit a ticket
