Network Service Insertion using Zscaler:

The VeloCloud solution provides a platform to host multiple virtualized network functions, eliminating single-function appliances and reducing branch IT complexity.

VeloCloud service-chains traffic from the branch to both cloud-based and enterprise regional hub services, with assured performance, security, and manageability. Branches leverage consolidated security and network services, including those from partners such as Zscaler.

Summary Steps:

Step 1: From the SD-WAN Orchestrator, configure the Non-VeloCloud Site (NVS) and assign it to a profile.

Step 2: From the Zscaler management GUI, configure the Zscaler gateway with the VPN configuration.

Step 3: From the SD-WAN Orchestrator, configure Business Policy rules for the Internet connection.

Step 4: Verification: from a client machine, verify that Internet traffic is redirected to the Zscaler site and that the rules work as expected.

Detailed Steps:

Scenario: For this demo/lab exercise, the enterprise administrator has defined, from the Zscaler management portal, a rule redirecting all Internet traffic on ports 80/443 from branch sites to Zscaler for inspection. Zscaler is also configured with a rule denying any sports website traffic.

Step 1: Configuring the NVS Site

From the SD-WAN Orchestrator, configure the NVS and attach it to the profile.

  • From the NSX SD-WAN Orchestrator,
  • click Configure -> Network Services and scroll down to Non-VeloCloud Site.
  • Click New and give the site a name. For this demo the name is auto-filled: "Zscaler West".
  • Click Type and select Zscaler from the drop-down list.

    The next step is to specify the IP address of the Zscaler Primary Gateway.

  • Click and type in the IP address. The Primary VPN Gateway address is 199.168.148.132.
  • Click Next to continue.
  • The next step is to specify (a) the authentication type and (b) the password (pre-shared key), and (c) to view the IPsec configuration template that must be applied on the Zscaler side.
  • The authentication type used for the Zscaler integration is "User FQDN".
  • Click, and the FQDN is auto-filled for you: demo@velocloud.net
  • Click Advanced to access more configuration options.
  • Click to type in the pre-shared key. This key must match the Zscaler gateway configuration. For this demo, the pre-shared key is auto-filled for the end user.
  • Click View IKE/IPSec template to review the VPN configuration. This step is optional. This configuration must be applied on the other side (Zscaler).
  • Click the "Enable Tunnel" checkbox.
  • Click Save Changes.

    Add the NVS to the profile. The profile used for this demo is "Branch OSPF Profile".

  • Click Profiles (Configure -> Profiles).
  • Click Branch OSPF Profile -> Devices.
  • Under Cloud VPN, enable the Branch to Non-VeloCloud Site checkbox, select the Zscaler site "Zscaler West" from the drop-down, and save changes.
  • Click the drop-down and select the NVS created in the previous step.
  • Confirm the changes.
  • Click "Save Changes".
  • Click "Confirm".

    Monitor the status of the NVS (Non-VeloCloud Site).

  • Click Monitor ->
  • Click Network Services to check the status of the Non-VeloCloud Site. Wait 30 seconds or more for the status to update.
  • Click Events (Monitor -> Events) to check for events related to the NVS (Non-VeloCloud Site).

    Zscaler UI Management Portal

Step 2: From the Zscaler management portal, configure the VPN, the location, and the URL rule.

For this demo, the VPN, location, and URL rule are preconfigured by the Zscaler admin. The end user will log in to confirm the URL.

The blocked URL is a sports website. Other configuration, such as the URL, location, and VPN settings, is pre-populated; the Zscaler UI shows the URL configuration.

  • Click the link to access the Zscaler Management portal.
  • Click "Sign in". The username and password are auto-populated for this demo.
  • Click Edit for the policy and check the URL that is blocked.

Create and Configure Business Policy for Internet traffic redirection.

Step 3: From the SD-WAN Orchestrator, create and configure a Business Policy for Internet traffic. All Internet traffic on ports 80 and 443 is forwarded to the Zscaler site.

For this demo, the end user configures this rule for a single branch (Chicago Branch). If the rule needs to be pushed to multiple sites, create the Business Policy in the profile instead.

  • Click Configure -> Edges -> Branch Site.
  • Click Chicago Branch Site -> Business Policy -> New Rule.
  • Click Business Policy for Chicago Branch.
  • Click New Rule.
  • Click the Rule Name field.
  • Click Destination -> Define.
  • Click the Internet radio button.
  • Click Protocol and select TCP.
  • Click TCP from the drop-down.
  • Click Ports.
  • Click and type 443.
  • Click Network Services.
  • Click the Internet Backhaul option.
  • Click to select the NVS.
  • Click to select "Zscaler West" from the drop-down.
  • Click OK to confirm.

    Rule 1: Rule-443 (auto-filled for this demo)
    Destination: Define -> Internet -> Protocol=TCP, Ports 443
    Action: Network Services -> Internet Backhaul -> select the Zscaler Site (NVS)

  • Click Configure -> Edges -> Branch Site.
  • Click Chicago Branch Site -> Business Policy -> New Rule.
  • Click Business Policy for Chicago Branch.
  • Click New Rule.
  • Click the Rule Name field and enter "rule-80".
  • Click Destination -> Define.
  • Click the Internet radio button.
  • Click Protocol and select TCP.
  • Click TCP from the drop-down.
  • Click Ports.
  • Click and type 80.
  • Click Network Services.
  • Click the Internet Backhaul option.
  • Click to select the NVS.
  • Click to select "Zscaler West" from the drop-down.
  • Click OK to confirm.
  • Similarly, create the rule for port 80:
    Destination: Define -> Internet -> Protocol=TCP, Ports 80
    Action: Network Services -> Internet Backhaul -> select the Zscaler Site (NVS)
    Click OK to create the rule.

    Click and type "80" when asked for the ports.
  • Click Save Changes for the Business Policy.
  • Click Monitor -> Events to make sure the configuration has been pushed from the Orchestrator to the Branch Site device.

Step 4: Verification. Verification is performed from the client machine connected to the Chicago Branch Site. A browser on the client machine is already open. The end user will type in cnn.com and espn.com to verify that Internet traffic is redirected to the Zscaler site and that the sports website is blocked.

  • From the browser, type in cnn.com. This should be allowed per the Zscaler policy configured by the end user.

    Type in cnn.com and press Enter.
  • Open a new browser tab and enter any sports website.

    For this demo, click the ESPN icon (the ESPN icon is listed in the browser's top sites).

    As expected, the sports website is blocked.
  • Click the browser tab and type in cnn.com.
  • Click a new browser tab and
  • from the browser page, top sites,
  • click Top Sites -> ESPN.com.
Copyright © 2018 VMware, Inc. All rights reserved.