ZScaler Secure Web Gateway
Products Supported: AER2100, MBR1400v2, IBR11x0, and IBR6x0. Click here to identify your router.
Firmware Version: 5.4.x - for information on upgrading firmware, click here.
Firmware version 6.0 has been released and introduces a vastly improved GUI for all current Series 3 routers. Cradlepoint has created new Knowledge Base articles with updated screen shots and instructions for the new GUI layout. As a result, this article has received its final update. To view the version of this Knowledge Base article for Firmware 6.0 and Later please click here.
This document is intended to assist users in configuring a Cradlepoint router to use Zscaler Secure Web Gateway.
Zscaler Secure Web Gateway builds a dedicated IPSec tunnel to Zscaler's cloud proxy to bi-directionally inspect every byte of your Internet traffic, block malware and cyber-attacks, prevent intellectual property leakage and enforces your granular business policies.
Click here to find out more about the Cradlepoint and Zscaler Secure Web Gateway solution.
IMPORTANT NOTE: When the Zscaler functionality is enabled within a Cradleponit router, the Cradlepoint will modify the EDNS portion of the packets in compliance with RFC 6891 in order to allow Zscaler to apply their filtering service to the each LAN behind the Cradleponit. Currently, we have seen some very specific servers lack the ability to route packets when a packet's EDNS field has been modified. Please make sure your server can handle this type of traffic before purchasing the full product.
Configuration Difficulty: Intermediate
- Step 1: Log into Zscaler's Secure Web Gateway Portal at admin.zscalertwo.net
- Step 2: First we need to set up a VPN connection for a location. Click the Administration Tab > VPN Credentials > Add.
- Step 3: This article shows the FQDN setup, however you can choose from FQDN, XAUTH, or IP. Select your method, and populate the rest of the fields with the desired information and Click Save.
- Note If you wish to use the IP address option, you must first contact and provide Zscaler with your IP address.
- Step 4: Now we need to tie the VPN credentials to a location. On the left of the screen Click Locations. Next Click Add at the top of the screen.
- Step 5: Once again fill out the desired information, and from the VPN Credentials drop down, Select the VPN Credentials we just created in Step 3 and Click Save.
- Step 6: Lastly we need to configure our filtering policies. To do so Click Policy > URL & Cloud App Control.
Please Note: Once making any changes in the Zscaler Portal, you must Click the notification icon on the top right, and Click Activate to push/submit the setting changes.
- Step 7: Populate the Filtering Rule with your desired information. Set the priority and enable/disable the rule. Set which URL categories, users, groups, departments, locations, and/or time you wish to apply this rule to. Select what to do with the specified traffic, Allow, Caution, or Block, and then Click Save.
Configuration Difficulty: Intermediate
Note: This is a licensed feature. Make sure you have an active Zscaler account prior to beginning configuration.
- Step 1: Log into the router's Setup Page. For help with logging in please click here.
- Step 2: Navigate to the Network Settings tab and select Content Filtering from the drop-down menu.
- Step 3: On the left side of the page click on Cloud Based Filtering/Security section. Click the drop down arrow next to Cloud Provider and select Zscaler Secure Web Gateway.
- Step 4: Fill out the User ID and PreShared Key with what you previously configured in Step 3 of the Zscaler Configuration. The Gateway should have been provided to you from your Zscaler representative.
- Step 5: Click the Add button within the Local Networks box to define which local networks will be tied to Zscaler.
- Step 6: Specify the local Network Address, verify the Netmask, and Click Submit to save the network. As an example, if your router's LAN IP is 192.168.0.1, the network address will be 192.168.0.0
- Step 7: Lastly Click Apply to enable Zscaler filtering.
Please note: This configuration will automatically create a full IPSEC VPN tunnel for traffic utilizing ports 80 and 443, which can be found under Internet > VPN Tunnels. If you notice stability issues with your tunnel, please edit the tunnel and disable Perfect Forward Secrecy on Phase 2 of the VPN Tunnel.
Published Date: 10/7/2015
This article not have what you need? Not find what you were looking for? Think this article can be improved? Please let us know at firstname.lastname@example.org.