ZIA Adaptiva Cloud Configuration
Summary
Zscaler Internet Security (ZIA) is a software-based cloud networking solution that controls internet traffic, either sending it over the direct internet connection or routing it to the Zscaler cloud before it is forwarded to the internet. The solution effectively creates a centralized firewall/NAT for endpoints using a split VPN, or endpoints that are not on a corporate VPN at all. ZIA has multiple tunnel types that can be set up depending on the client version the customer has installed. Depending on the tunnel type and its configuration, ZIA requires additional configuration for OneSite Anywhere Internet Peer to Peer (IP2P) and CDN downloads to function correctly. This document describes the configuration required for IP2P/CDN to function with the different Z-Tunnel types.
Adaptiva OneSite Anywhere ZScaler network flow
ZScaler Cloud Polices
ZScaler URL Filtering Policies for Adaptiva
Configure Adaptiva Cloud App Policy
Zscaler clients running the Adaptiva Agent need to communicate with the Adaptiva URLs. For Adaptiva Relay communications, a Zscaler URL Category can be set up for *.Adaptiva.Cloud, or the domain can be added to an existing category. This category can then be used to allow web access by setting up a URL & Cloud App Control rule.
From the ZScaler Administration home menu
- Select Policy
- Select URL & Cloud App Control
- Select Add URL Filtering Rule
In the URL Rule Wizard, select the Rule Order based on your current policy processing and enable the rule under Rule Status. Then select the arrow in URL Categories and the plus sign on the URL Selection screen to add the Adaptiva Cloud category.
- Select the Rule Order
- Name the Rule in the Rule Name field: Adaptiva Cloud
- Enable the Rule
- Select the dropdown arrow in the URL Categories field and choose Adaptiva Cloud (if it exists already)
If needed, create the URL Category:
- Select the Plus Sign next to the Search field on the URL Selection screen (new page)
- Add the Name: Adaptiva Cloud
- Under Custom URLs add: .adaptiva.cloud
- Description (optional): URL category for Adaptiva OneSite Cloud Messaging
- Click Save
Scroll down the Wizard to fill in the remaining fields.
- For Request Methods Select CONNECT, HEAD, GET and POST
- For Protocols Select HTTP, and HTTPS
- For Action Web Traffic Select Allow
- Select Save to Complete our Configuration
Configure Adaptiva CDN URL Policy
For CDN downloads to succeed, the Adaptiva CDN URL https://*.adaptivacdn.cloud must be allowed through Zscaler. A Zscaler URL Category can be set up for *.AdaptivaCDN.Cloud, or the domain can be added to an existing category. This category can then be used to allow web access by setting up a URL & Cloud App Control rule.
From the Zscaler Administration home menu, select Policy -> URL & Cloud App Control.
This Adaptiva CDN policy allows client devices that use Zscaler to download content from the CDN; the Adaptiva server only needs it to validate CDN functionality from the server. First launch the Add URL Filtering Wizard by following the steps below.
- Select Policy
- Select URL & Cloud App Control
- Select Add URL Filtering Rule
In the URL Rule Wizard, select the Rule Order based on your current policy processing and enable the rule under Rule Status. Then select the arrow in URL Categories and the plus sign on the URL Selection screen to add the Adaptiva CDN category.
- Select the Rule Order
- Name the Rule in the Rule Name field: Adaptiva CDN
- Enable the Rule
- Select the dropdown arrow in the URL Categories field and choose Adaptiva CDN (if it exists already)
If needed, create a new Adaptiva CDN category:
- Select the Plus Sign next to the Search field on the URL Selection screen (new page)
- Add the Name: Adaptiva CDN
- Under Custom URLs add: .adaptivacdn.cloud
- Description (optional): URL category for Adaptiva Content Distribution Network
- Click Save
Add the remaining configuration for Request Methods and Protocols:
- For Request Methods Select CONNECT
- For Protocols Select HTTP Proxy, and SSL
- For Action Web Traffic Select Allow
- Select Save to Complete our Configuration
Configure Adaptiva CDN SSL Inspection Policy
The Adaptiva CDN URLs need to be excluded from SSL Inspection when unique certificate root authorities are used with SSL inspection. Clients on the internet or in split office configurations will need the following configuration to download content from the Adaptiva CDN.
From the Zscaler Administration home menu, select Policy -> SSL Inspection.
- Click Add SSL Inspection Rule
SSL Inspection Rule & Criteria
- Select Rule Order of 3 or close to the top for early inspection.
- Add in Adaptiva CDN for the Rule Name
- Add the Adaptiva CDN to the URL categories
SSL Inspection Action
- Set Action to Do Not Inspect
- Click Save
Alternatively, the Adaptiva CDN category can be added to an existing Do Not Inspect policy.
Additional Considerations
Adaptiva uses the .content file type, which also needs to be allowed if file type whitelisting is enabled.
ZScaler URL Filtering Policies for Adaptiva Server Publishing
If the Adaptiva server will be connecting through Zscaler, create an Adaptiva S3 Bucket policy. If Amazon AWS is not currently allowed, launch the URL Filtering Wizard by following the steps below. If Amazon AWS is already allowed, the minimum configuration required for the server's connection is Protocols HTTP, HTTP Proxy, HTTPS, SSL and Tunnel SSL, and Request Methods CONNECT, DELETE, GET, OPTIONS, PUT and POST.
- Select Policy
- Select URL & Cloud App Control
- Select Add URL Filtering Rule
In the URL Rule Wizard, select the Rule Order based on your current policy processing and enable the rule under Rule Status. Then select the arrow in URL Categories and the plus sign on the URL Selection screen to add the Amazon AWS category.
- Select the Rule Order
- Name the Rule in the Rule Name field: Amazon AWS
- Enable the Rule
- Select the dropdown arrow in the URL Categories field and choose Amazon AWS (if it exists already)
If needed, create the Amazon AWS URL Category:
- Select the Plus Sign next to the Search field on the URL Selection screen (new page)
- Add the Name: Amazon AWS
- Under Custom URLs add: .amazonaws.com
- Description (optional): URL category for Amazon AWS
- Click Save
Scroll down the Wizard to add the remaining configuration for Request Methods and Protocols.
- For Request Methods Select Connect; Delete; Get; Options; Put; Post
- For Protocols Select HTTP; HTTP Proxy; HTTPS; SSL; Tunnel SSL
- For Action Web Traffic Select Allow
- Select Save to Complete our Configuration
Finally, activate the policy changes.
ZScaler Client Configuration
ZScaler Client/Tunnel version
Since multiple profiles can be assigned to different devices, it is important to know the client version, tunnel type and profile in use by internet devices. The Zscaler administrators can help with this, but it can also be seen directly from the Zscaler client as a quick check on a client that is on the internet.
Determining Client version and Tunnel Type from Client
- First launch the ZScaler Client Connector from programs or systray.
- Select Internet Security and find the tunnel version in use.
- Then click the More link. Under the About section you will see the app version and app policy currently being utilized.
Make Note of the Tunnel Type, Client version and App Policy.
Determining Client version and Tunnel Type from ZScaler portal
The client version, tunnel type and profile in use can be gathered from the Zscaler Admin portal by looking at the device details under Policy / Zscaler Client Connector Portal / Enrolled Devices.
- In the Zscaler (ZIA) web portal go to Policy, then Zscaler Client Connector Portal.
- Click on Enrolled devices.
- Check the version for the internet device being used.
Make note of the Policy Name, Tunnel type and Version for later use.
Adaptiva Configuration
It is recommended to have all Adaptiva IP2P traffic go through the direct internet connection for optimal performance. Depending on the Z-Tunnel version currently configured, different configuration may be needed to ensure OneSite Cloud IP2P can function.
Z-Tunnel 1.0
Configuration for App profile Z-Tunnel 1.0
Determine the forwarding profile used by the app profile assigned to the client that was checked above.
- Open the App Profile from the Zscaler Client Connector Portal by clicking the pencil, note the Forwarding Profile name, then click Cancel.
- Click Administration, then Forwarding Profile, and open the Forwarding Profile noted above by clicking the pencil.
- Verify that the Tunnel Version Selection is set to Z-Tunnel 1.0.
Z-Tunnel version 1.0 only forwards HTTP/HTTPS traffic, so access to *.adaptiva.cloud over HTTP will need to be allowed. Usually this is a default setting within the proxy used by ZIA Z-Tunnel 1.0.
Additionally, the Windows Driver Selection needs to be set to Packet Filter Based (Zscaler's recommended setting).
Z-Tunnel 2.0
Z-Tunnel version 2.0 requires additional configuration to function, since it filters all types of traffic. It is recommended to have all Adaptiva Relay communications and IP2P content transfers use the end point user's internet connection for optimal performance. This includes allowing *.adaptiva.cloud and *.adaptivacdn.cloud on TCP ports 80 and 443. The rules are listed in Appendix A.
These additional configurations are made in the policy options of the App Profile for the policy/profile name used by the Internet IP2P clients.
Zscaler Client 4.2.x or higher
In the policy, locate the Source Port-Based Bypasses. Add the following bypass definitions used for content transfers.
- 34546:udp
- 34750:udp
Zscaler Client 2.0.0 to 4.1.x
In the policy, locate the Destination Exclusions under the Z-Tunnel 2.0 Configuration section. The list of IPs requiring exclusion can be found at the following URL.
https://adaptiva.com/hubfs/AdaptivaCloudServicesIPAddresses.txt
Below is a PowerShell snippet that builds a copy-and-paste list (one RelayIP:3478:udp entry per address) for easy configuration.
# Download the IP list, then join every line as <ip>:3478:udp and strip the header line of the file
Invoke-WebRequest https://adaptiva.com/hubfs/AdaptivaCloudServicesIPAddresses.txt -OutFile "$($env:temp)\AdaptivaCloudServices.txt"
"$((Get-Content "$($env:temp)\AdaptivaCloudServices.txt") -join ':3478:udp,' -replace 'Adaptiva Cloud Services IP Addresses:3478:udp,',''):3478:udp"
Additionally, for Internet Peering the following port exclusions also need to be applied.
- *:34546:udp
- *:34750:udp
Once the exceptions are in place Click Save.
The clients using the policy will eventually update; to force it, open the More section of the Zscaler client and click Update Policy, or restart the service.
Validate Clients
Once the policy has taken effect, restart the Adaptiva client and validate that the proper public IP is showing in the WebUI.
Test a content push to ensure IP2P/CDN downloads are working as expected.
Endpoint Local Peering
By default, local communication is bypassed, which allows peering across the LAN to other Adaptiva registered clients. However, if the private IP address exclusions below are removed, LAN peering will not function. This affects peering performance when multiple Adaptiva clients are on the internet but in the same location, such as a coffee shop or hotel.
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16
224.0.0.0/4
Troubleshooting
This section lists issues that may be experienced with ZIA clients when performing IP2P. Logs useful for troubleshooting are networklocation.log, NATTraversal.log, Relaydetails.log and Contentdownloader.log.
Issue – Public IP and Internal IP are the same
Symptom - Internet peering does not work for the device when ZIA is enabled. The device registers a public IP in the WebUI or NetworkLocation.log that is within the same Class C network as the address listed in the Zscaler client.
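The "proper public IP" check from the Validate Clients step, scripted as an added example (not Adaptiva's or Zscaler's own tooling). It flags a reported public IP that falls inside the ranges bypassed for Endpoint Local Peering or that shares a /24 with a local interface, which is the symptom above; the function names and the sample address are assumptions.

```powershell
# Added example (not from the Adaptiva or Zscaler documentation): verifies that the public IP an
# Adaptiva client reports is a routable address rather than its Zscaler tunnel or LAN address.
function ConvertTo-IPv4Int([string]$Ip) {
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    return ([int64]$b[0] -shl 24) -bor ([int64]$b[1] -shl 16) -bor ([int64]$b[2] -shl 8) -bor [int64]$b[3]
}
function Test-IPv4InCidr([string]$Ip, [string]$Cidr) {
    $net, $bits = $Cidr -split '/'
    $mask = (0xFFFFFFFF -shl (32 - [int]$bits)) -band 0xFFFFFFFF
    return ((ConvertTo-IPv4Int $Ip) -band $mask) -eq ((ConvertTo-IPv4Int $net) -band $mask)
}
function Test-AdaptivaPublicIp {
    param(
        [Parameter(Mandatory)][string]$PublicIp,   # value shown in the WebUI or NetworkLocation.log
        [string[]]$LocalIps = (Get-NetIPAddress -AddressFamily IPv4 |
                               Where-Object { $_.IPAddress -ne '127.0.0.1' } |
                               Select-Object -ExpandProperty IPAddress)
    )
    # Ranges bypassed by default for LAN peering (see Endpoint Local Peering). A "public" IP inside one of
    # them means the client registered its internal/tunnel address and Internet peering will fail.
    $bypassed = '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16', '224.0.0.0/4'
    $problems = @()
    foreach ($range in $bypassed) {
        if (Test-IPv4InCidr $PublicIp $range) { $problems += "Public IP $PublicIp is inside bypassed range $range" }
    }
    # Same /24 as a local interface is the "Public IP and Internal IP are the same" symptom
    foreach ($local in $LocalIps) {
        if ($local -eq $PublicIp) { $problems += "Public IP equals local interface address $local" }
        elseif (Test-IPv4InCidr $PublicIp "$local/24") { $problems += "Public IP shares the /24 of local address $local" }
    }
    if ($problems.Count -eq 0) { return "OK: $PublicIp looks like a routable public address" }
    return $problems
}
# Run on the endpoint with the address copied from the WebUI (constructed sample value):
Test-AdaptivaPublicIp -PublicIp '203.0.113.25'
```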
Issue – Lan peering fails with a machine that has ZIA enabled within an internet office.
Remediation - The relay entry RelayIP:3478:udp is missing from the list of exclusions; add it.
Issue – Unable to download content from Adaptiva CDN
Symptom - Clients on the internet, on VPN or in a split branch office cannot download content from the Adaptiva CDN. On the device attempting the download, Contentdownloader.log shows "Couldn't get http client instance with proxy or without proxy" and Adaptiva.err shows "Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target".
Issue - Client is not able to validate certificate used with SSL Inspection Firewall\Proxy.
Remediation - Review the SSL inspection rules to ensure AdaptivaCDN.cloud is not being inspected.
Appendix A
Additional Zscaler Client rules for allowing clients to communicate directly with the Adaptiva Cloud Relays.
Open Zscaler Mobile Client Connector
Edit Current App Profile
Zscaler Client 3.2.x and above.
Locate Domain Exclusions for DNS Requests.
Add the following.
- .adaptiva.cloud
- .adaptivacdn.cloud
Click Save
Zscaler Client 2.0.x to 3.1.x
The list of IPs requiring exclusion can be found at the following URL.
https://adaptiva.com/hubfs/AdaptivaCloudServicesIPAddresses.txt
Snippet to build a copy-and-paste list (one RelayIP:80:tcp entry per address).
# Download the IP list, then join every line as <ip>:80:tcp and strip the header line of the file
Invoke-WebRequest https://adaptiva.com/hubfs/AdaptivaCloudServicesIPAddresses.txt -OutFile "$($env:temp)\AdaptivaCloudServices.txt"
"$((Get-Content "$($env:temp)\AdaptivaCloudServices.txt") -join ':80:tcp,' -replace 'Adaptiva Cloud Services IP Addresses:80:tcp,',''):80:tcp"
Locate Destination Exclusions for IPv4.
Add the PowerShell result to the list.
Click Save
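A more defensive version of the two list-building snippets (the 3478:udp destination exclusions for Z-Tunnel 2.0 and the 80:tcp IPv4 exclusions for clients 2.0.x to 3.1.x), added here as an example and not part of Adaptiva's or Zscaler's documentation. It skips the header and blank lines and rejects anything that does not parse as an IPv4 address, so a malformed line cannot silently produce a broken exclusion entry. The function name and the optional -Lines parameter are assumptions; the sample lines are constructed to stand in for the downloaded file.

```powershell
# Added example (not from the Adaptiva or Zscaler documentation): builds Zscaler exclusion strings
# from the published Adaptiva IP list with validation of every line.
function Get-AdaptivaExclusionList {
    param(
        [Parameter(Mandatory)][int]$Port,                        # 3478 (Z-Tunnel 2.0) or 80 (clients 2.0.x-3.1.x)
        [Parameter(Mandatory)][ValidateSet('udp','tcp')][string]$Protocol,
        [string]$Source = 'https://adaptiva.com/hubfs/AdaptivaCloudServicesIPAddresses.txt',
        [string[]]$Lines                                         # optional pre-fetched content, for offline checks
    )
    if (-not $Lines) { $Lines = (Invoke-WebRequest -Uri $Source -UseBasicParsing).Content -split "`r?`n" }
    $entries = foreach ($line in $Lines) {
        $ip = $line.Trim()
        if ($ip -eq '' -or $ip -like 'Adaptiva*') { continue }   # blank line or the file's header line
        $parsed = $null
        if (-not [System.Net.IPAddress]::TryParse($ip, [ref]$parsed) -or $parsed.AddressFamily -ne 'InterNetwork') {
            Write-Warning "Skipping unexpected line: '$line'"; continue
        }
        "$($parsed.IPAddressToString):${Port}:${Protocol}"
    }
    return ($entries -join ',')
}
# Constructed sample standing in for the downloaded file (one header, one blank, one bad line):
$sample = 'Adaptiva Cloud Services IP Addresses', '203.0.113.10', '', '203.0.113.11', 'not-an-ip'
Get-AdaptivaExclusionList -Port 3478 -Protocol udp -Lines $sample   # Z-Tunnel 2.0 destination exclusions
Get-AdaptivaExclusionList -Port 80   -Protocol tcp -Lines $sample   # IPv4 exclusions for clients 2.0.x-3.1.x
```

Omit -Lines to fetch the live list from the Adaptiva URL; the bad line in the sample is reported with Write-Warning and left out of the result.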
Appendix B
Additional Adaptiva Cloud Relay Services information.
Adaptiva Cloud Services Planned Outages – Adaptiva Support Portal
IP list
https://adaptiva.com/hubfs/AdaptivaCloudServicesIPAddresses.txt