Thoughts on ZScaler?

I sat in on a recent sales pitch and was quite impressed but a tad bit skeptical.

The solution appears sound and the problem it hopes to address is very real. That said, how much of it is marketing hot air and can they truly deliver?

It just seems too good to be true… route us all your internet-bound traffic and we will take care of proxy, IPS, DLP, SSL break/inspect. Ditch traditional VPN architecture and let us be your remote user network SaaS to complement cloud-based apps/data.

If only they knew my org just spent millions in any-connect licensing for the huge work from home ramp up. Then again maybe that is why they are talking to us… cue sunk cost fallacy.

Don’t take their word for it. Ask for a PoC. They will put you on their production cloud with a test account and you can test all the hype for yourself.

I use it for a huge client. Just a heads up, if you do use zscaler if the tunnels go down it can brick your internet for users. Ideally you’ll have double tunnels with sla to zscaler, but if latency starts being an issue and triggering the sla, that’s as good as killing the internet as well.

It can mess with SIP and O365, also. The support for Zscaler isn’t bad, but you need to be ready for pcap after pcap. Also not sure what the traditional way of deploying the PAC files is, but I use an F5 with a script that marks users down via location through ZPA. Very elegant but not easy to implement.

It works well with some caveats:

  1. Shared IP space, generally a /23 that very few vendors are willing to whitelist when you need to provide your public IP, so we have no choice but to bypass.

  2. Just like any other cloud service it can go down with no warning and you are scrambling to figure out the issue until you call support and they tell you “oh yeah, we’re having issues”.

  3. SSL inspection could be a PITA with some services that don’t play nice with the Zscaler cert. Be prepared to have a streamlined process for whitelisting once users start reporting access issues to some site that suddenly stops working.

The biggest benefit versus UTM on-prem is ability to cater for remote users (they call them Road Warriors). If you have the Zscaler App on a device it will automatically tunnel back to the nearest ZEN (or a predefined list by you) and proxy all user traffic so they’re protected regardless of location. As of the later versions of ZApp and ZTunnel 2.0 you can now tunnel all user traffic back instead of just catching 80/443 like you were previously limited to.

For your branch sites, you basically wanna stand up a GRE tunnel to the ZENs and forward traffic to them this way.

Main issues are that you share a public IP address with any users of the same ZEN and this can cause issues for IP whitelisting. Then you have to do direct Internet routing from the data centre, or use an on-prem self-hosted ZEN, etc.

Personally speaking, I still greatly prefer an on-prem gateway but so far it’s been the best solution for users who have remote-working considerations and no protection otherwise. I’m aware things like PAN GlobalProtect and FortiClient, etc. exist but the latter specifically relies on a client version of filtering and doesn’t give you true filtering at the gateway like Zscaler does.
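The caveats above (shared egress IPs that vendors won’t whitelist, SSL inspection breaking some services, and PAC-file deployment) all come down to maintaining a bypass list. As an added illustration, not code from the thread or from Zscaler, here is a minimal PAC file that sends those categories DIRECT and everything else to the cloud proxy; every proxy address, domain and network in it is a constructed placeholder.

```javascript
// Added example PAC (proxy auto-config) file; every proxy address, domain and
// network below is a constructed placeholder, not a real Zscaler value.
var CLOUD_PROXY = "PROXY gateway-a.proxy.example:80; PROXY gateway-b.proxy.example:80";

// Destinations that go DIRECT, one per failure mode the thread describes.
var BYPASS_DOMAINS = [
  "ipwhitelisted-vendor.example", // vendor only allows our own static egress IP, not the shared /23
  "voip-provider.example",        // SIP/SDP must not pass through a rewriting proxy
  "pinned-app.example"            // client pins its certificate, so the inspection CA breaks it
];
var INTERNAL_SUFFIX = "corp.example"; // on-prem apps stay on the LAN/VPN
var INTERNAL_NETS = [["10.0.0.0", "255.0.0.0"], ["192.168.0.0", "255.255.0.0"]];

// True when host equals domain or is a subdomain of it; a bare suffix test
// would wrongly match "notpinned-app.example" against "pinned-app.example".
function hostInDomain(host, domain) {
  return host === domain || host.slice(-(domain.length + 1)) === "." + domain;
}

function ipToInt(ip) {
  var p = ip.split(".");
  return ((+p[0]) << 24 | (+p[1]) << 16 | (+p[2]) << 8 | (+p[3])) >>> 0;
}

function isIpLiteral(host) { return /^\d{1,3}(\.\d{1,3}){3}$/.test(host); }

function inNet(ip, net, mask) {
  return ((ipToInt(ip) & ipToInt(mask)) >>> 0) === ipToInt(net);
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Unqualified names and localhost never leave the local network.
  if (host === "localhost" || host.indexOf(".") === -1) return "DIRECT";
  if (hostInDomain(host, INTERNAL_SUFFIX)) return "DIRECT";
  if (isIpLiteral(host)) {
    for (var i = 0; i < INTERNAL_NETS.length; i++) {
      if (inNet(host, INTERNAL_NETS[i][0], INTERNAL_NETS[i][1])) return "DIRECT";
    }
  }
  for (var j = 0; j < BYPASS_DOMAINS.length; j++) {
    if (hostInDomain(host, BYPASS_DOMAINS[j])) return "DIRECT";
  }
  // Everything else is inspected by the cloud proxy. There is deliberately no
  // trailing "; DIRECT": a proxy outage then fails closed rather than quietly
  // sending all traffic out unfiltered.
  return CLOUD_PROXY;
}
```

The file uses no engine-provided PAC helpers (isInNet, dnsDomainIs), so the same logic runs unchanged in a browser PAC engine and under Node for testing. Every DIRECT entry is a blind spot for filtering and DLP, so the bypass list deserves the same change control as a firewall rule.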

Tales from the current user. I would look very carefully at your specific use case. If your Internet needs are quite generic, you’ve got a number of road warriors and your organisation is at a maturity level that demands that level of control and visibility then yes - definitely use them.

If your organisation has really detailed requirements, are using applications that require non standard ports and have a high rate of change, then you then fall into one of two categories:

  1. You’re big enough to be able to afford ALL ZScaler that you need to make it work
  2. You’re not and maybe look elsewhere.

SRC: I’m in a mid size org that is stuck at 1.5. We need the protection that ZScaler offers, but we’re also diverse enough that ZScaler can be the problem. Constantly falling over certification inspection problems, constantly needing to bypass ZScaler with sites or ports that it just doesn’t like.

When my contract renewal is up I’ll be doing some serious soul searching and looking to see if there is a better way before committing again.

I run both of their core products in prod: ZIA (Internet Access) and ZPA (Private Access/VPN).

ZPA - best VPN I have ever used, not a true VPN but an SDP, the granularity and clarity to what’s accessing what etc is amazing, as a former AnyConnect guy this was crazy.

ZIA - pretty dope, using both ZIA and ZPA together is nice, SSL decrypt shortcoming is you can’t send to other security tools. But pretty granular and great reporting.

I’ve used it in a previous role and it works by and large. We never used the DLP or cloud firewall services though. Just an SSL decrypt + web filtering of nasty or blocked content. We went through several deployment scenarios through the years with them. PACs, then GRE tunnel and finally Zscaler agent for remote users.

I’ll just say that, being tier 3 support/engineering for an ITSP, whenever a customer has trouble with their SIP trunk or hosted PBX and I hear they’re using zscaler I cringe. Have had multiple experiences with them modifying signaling and SDP which is the recipe for a bad time with VoIP.

If you intend to send any VoIP traffic through the zscaler make sure you do thorough testing before rolling out to production users.

They’re a pleasure to work with. All engineers, TAMs etc. that were ever assigned to us were capable and spent a lot of time debugging issues with us that were for the most part found to be on the other end. ZIA is a well-designed solution with very few flaws. We use it for all our traffic (not just as web proxy), and implementation on their side of things was quite smooth.

Do your research on how you’ll be integrating though. You talk about ZPA which I’m trained for but haven’t had the privilege to deploy. With ZIA however I am intimately familiar at this point.

What is your scope? Just for VPN or for remote site internet bound traffic as well? It’s a cool solution.

Pros: Unlimited bandwidth as it’s licensed by user, fast web based gui, simple config, some cool automatic things around SSL bypass, lots of SDWAN integrations, good messaging to users on content blocks, SSL decrypt is in the cloud so you don’t have to worry about your capacity, roaming user functionality provides seamless single policy

Cons: Logging is not the simplest to get what you want as filters take a while to get to know and gui is a bit harder to manipulate, SSL decrypt has some visibility limitations, cloud only is never going to be what you need for a data center or campus so you’ll be running something different there. Objects don’t really seem all that fully featured but that could have been my implementation. Shared egress IPs

ZIA the web proxy is a more mature product and we see less issues, but have used it for a few years. Early on we saw similar issues as we see in ZPA now.

ZPA is fairly new and we’ve experienced some growing pains on their side as well as some areas I’d like to see some more focus. Overall it’s what’s allowed us to deal with covid, so it’s definitely a viable solution, but be prepared to relearn troubleshooting application access remotely.

In regards to scalability, we saw some hiccups at the beginning of covid, but nothing astronomical at the scale they’ve needed to grow.

Any specific questions on either product?

Good product and really helps for road warriors, especially now where we have a much higher percentage of people off network than usual. The protection and policies follow them.

SSL scanning is a pain in the ass, you need to test all of your external SaaS applications and make exceptions for things that break.

Can’t really do SSL scanning for iOS due to cert pinning.

Once you’re up and running though it’s a great product.

We’re a several thousand seat corporate user. If you want any specifics, feel free to PM me.

In general they have historically strong cloud based content filtering and user firewalling. The shift into becoming a cloud based internal applications provider is more recent, I can’t speak to that much.

Understand that the key pieces that get data to them to even manage require tunneling out of your organization (VPN/GRE/hardware) and from your clients (a specific client application that runs at all times). Both parts of that solution can take some time to implement in your organization, depending on your client and egress location count.

I’m not sure I would just go all in with their VPN avoidance, but truly, as quickly as the old school client VPN market is changing, it’s worth considering I guess.

Lots of issues with bad web app developers - biggest one being sessions based on static source IP.

No inbound security obviously, unless you want to use an agent (even then I believe it’s limited).

Someone else mentioned it, basically SD-WAN to it, then deal with the usual headaches of badly developed apps.

I’m not a network engineer, nor have I managed/implemented it. However I’ve been the end user. Here is what I remember:

  1. If Zscaler goes down, so does your internet. Ouch.
  2. Due to their MITM SSL inspection, you need to install additional certs on everything, which can be painful (I vaguely remember an issue where an application refused to accept zscaler trust chain too)
  3. We saw really weird disconnect issues on our client’s managed Macs, apparently due to DHCP leases. We had to manually reconnect the Zscaler agent, it was very annoying and frequent.

Just started using ZPA. I was skeptical too but am impressed with the deployment so far. It works. Just a few bugs here and there…mainly with the ZApp.

We had a lot of issues with it ‘forgetting’ its policy for road warriors, requiring a back door for our support people to constantly fix. It worked well enough for 1000 users but ultimately we went the GlobalProtect (Palo) route so we could have machine tunnels and enforce Windows updates with SCCM from a local repo.

Does anyone have approximate pricing for ZPA/ZIA for about 10k users? Also, does Zscaler charge for capacity as well? If we need to send backups or VDI over their backbone, will they charge for that and does the cost change depending on local demand and/or location of their POP?

We’re using it at some sites that were low-bandwidth MPLS to offload as much traffic to the internet as possible.

We also piloted it with some users during covid vs traditional VPN. The difference was night and day. My laptop performed better, and it was an immeasurably better experience.

I dunno what the sales pitch was, I was just a tester/early adopter but it goes into the game changer category for me.