NCOS: Zscaler Secure Web Gateway
Products Supported: AER31x0, AER21x0, MBR1400, IBR11x0, IBR6x0. Click here to identify your router.
NCOS Version: Written using 6.0 - for information on upgrading NCOS, click here.
This document is intended to assist users in configuring a Cradlepoint router to use Zscaler Secure Web Gateway.
Zscaler Secure Web Gateway builds a dedicated IPsec tunnel to Zscaler's cloud proxy to bi-directionally inspect every byte of your Internet traffic, block malware and cyber-attacks, prevent intellectual property leakage, and enforce your granular business policies.
Click here to find out more about the Cradlepoint and Zscaler Secure Web Gateway solution.
IMPORTANT NOTE: When the Zscaler functionality is enabled within a Cradlepoint router, the Cradlepoint will modify the EDNS portion of the packets in compliance with RFC 6891 in order to allow Zscaler to apply their filtering service to each LAN behind the Cradlepoint. Currently, we have seen that some very specific servers lack the ability to route packets when a packet's EDNS field has been modified. Please make sure your server can handle this type of traffic before purchasing the full product.
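One way to run the check the note above asks for, as an added example (not Cradlepoint or Zscaler code): build the same DNS query with and without an RFC 6891 OPT record, send both to a DNS server you operate, and compare the replies. The page does not say which EDNS option the router inserts, so `SAMPLE_OPTION` is a constructed value from RFC 6891's local/experimental range, and the function names are illustrative.

```python
import socket
import struct

OPT = 41  # RR type of the EDNS(0) pseudo-record defined in RFC 6891
SAMPLE_OPTION = (65001, b"lan-1")  # constructed: local/experimental option code, made-up data

def build_query(name, options=None, txid=0x1234):
    """DNS A query; if options is a list of (code, bytes), append an OPT record."""
    msg = struct.pack("!6H", txid, 0x0100, 1, 0, 0, int(options is not None))
    msg += b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in name.rstrip(".").split("."))
    msg += b"\x00" + struct.pack("!HH", 1, 1)  # end of QNAME, QTYPE=A, QCLASS=IN
    if options is not None:
        rdata = b"".join(struct.pack("!HH", c, len(d)) + d for c, d in options)
        # root owner name, then TYPE=OPT, CLASS=UDP payload size, TTL=ext-rcode/version/flags
        msg += b"\x00" + struct.pack("!HHIH", OPT, 1232, 0, len(rdata)) + rdata
    return msg

def _skip_name(msg, off):
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)  # compression pointer is 2 bytes, root label 1

def parse_edns(msg):
    """Return UDP size, full RCODE and options of the OPT record, or None if there is none."""
    _, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == OPT:
            opts, p = [], off
            while p + 4 <= off + rdlen:
                code, length = struct.unpack("!HH", msg[p:p + 4])
                opts.append((code, msg[p + 4:p + 4 + length]))
                p += 4 + length
            return {"udp_size": rclass, "rcode": ((ttl >> 24) << 4) | (flags & 0xF), "options": opts}
        off += rdlen
    return None

def ask(server, query, timeout=3.0):
    """Send one query to a DNS server you operate; return its header RCODE, or None if no reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(query, (server, 53))
            return s.recv(4096)[3] & 0xF
        except OSError:
            return None
```

If `ask()` gets a reply for `build_query(name)` but returns `None` or 1 (FORMERR) for `build_query(name, [SAMPLE_OPTION])`, the server is not handling the added EDNS data.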
Configuration Difficulty: Intermediate
- Step 1: Log into Zscaler's Secure Web Gateway Portal at admin.zscalertwo.net
- Step 2: First we need to set up a VPN connection for a location. Click the Administration Tab > VPN Credentials > Add.
- Step 3: This article shows the FQDN setup; however, you can choose from FQDN, XAUTH, or IP. Select your method, populate the rest of the fields with the desired information, and Click Save.
- Note: If you wish to use the IP address option, you must first contact Zscaler and provide them with your IP address.
- Step 4: Now we need to tie the VPN credentials to a location. On the left of the screen Click Locations. Next Click Add at the top of the screen.
- Step 5: Once again fill out the desired information, and from the VPN Credentials drop down, Select the VPN Credentials we just created in Step 3 and Click Save.
- Step 6: Lastly we need to configure our filtering policies. To do so Click Policy > URL & Cloud App Control.
- Step 7: Populate the Filtering Rule with your desired information. Set the priority and enable/disable the rule. Set which URL categories, users, groups, departments, locations, and/or time you wish to apply this rule to. Select what to do with the specified traffic, Allow, Caution, or Block, and then Click Save.
Please Note: After making any changes in the Zscaler Portal, you must Click the notification icon on the top right and Click Activate to push/submit the setting changes.
Configuration Difficulty: Intermediate
Note: This is a licensed feature. Make sure you have an active Zscaler account prior to beginning configuration.
- Step 1: Log into the NCOS Setup Page. For help with logging in please click here.
- Step 2: Navigate to the SECURITY tab and select the Content Filtering sub-menu and then choose Cloud-Based Filtering.
- Step 3: Click the drop down arrow next to Cloud Provider and select Zscaler Secure Web Gateway.
- Step 4: Fill out the User ID and PreShared Key with what you previously configured in Step 3 of the Zscaler Configuration. The Gateway should have been provided to you by your Zscaler representative.
- Step 5: Click the Add button within the Local Networks box to define which local networks will be tied to Zscaler.
- Step 6: Specify the local Network Address, verify the Netmask, and Click Submit to save the network. As an example, if your router's LAN IP is 192.168.0.1, the network address will be 192.168.0.0.
- Step 7: Lastly Click Save to enable Zscaler filtering.
**Please note:** This configuration will automatically create a full IPsec VPN tunnel for traffic utilizing ports 80 and 443, which can be found under Internet > VPN Tunnels. If you notice issues with your tunnel, please edit the tunnel and disable Perfect Forward Secrecy on Phase 2 of the VPN Tunnel.
Published Date: 9/14/2015