Creating a XaaS Connection (Zscaler) Resource
This page explains how to use the OCX Portal to create a XaaS Connection that connects to the Zscaler security service/SASE.
Connectable Services
Creating a XaaS Connection (Zscaler) enables secure internet access through Zscaler Internet Access (ZIA).
※ Traffic for Zscaler Private Access (ZPA) is not supported in XaaS Connection (Zscaler).
Preparation
Please check the following before creating a XaaS Connection resource:
- Your User Role is either admin or user.
Procedure for Creating a XaaS Connection Resource
1. Log in to the OCX Portal.
2. Click [XaaS Connections] from the left navigation bar.
3. From the XaaS Connections list page, click [+Create], select Security Service/SASE from the menu, and then select Zscaler.
   ※ Refers to the +Create button next to the XaaS Connections title.
4. You will proceed to the XaaS Connection resource creation step. Configure the input items as follows and click [Create].
   - Name
     - Enter any name. A name that is easy to identify makes management easier.
     - The maximum number of characters is 40.
     - Leading and trailing whitespace characters in the resource name are automatically removed.
   - NAT Location
     - Select a NAT Location from the pull-down menu. Please note that the NAT Location cannot be changed after creation.

       | NAT Location |
       | --- |
       | Tokyo |
       | Osaka |

     - Please note that if you select Osaka while 2Gbps or 3Gbps is selected for Speed (Bandwidth), the Speed (Bandwidth) will be changed to 1Gbps.
   - Speed (Bandwidth)
     - If the NAT Location is Tokyo, select 1, 2, or 3 Gbps.
       - If created with 1Gbps, the Speed (Bandwidth) cannot be changed later.
       - If created with 2Gbps or 3Gbps, it cannot be changed to 1Gbps later.
     - If the NAT Location is Osaka, it is fixed at 1Gbps.
   - Target XaaS
     - The Zscaler selected in Step 3 is displayed.
   - IPv4 Gateway Address
     - Enter the IPv4 address to be used as the gateway for the XaaS connection in CIDR (IPv4/mask) format. (Example: 192.168.0.1/24)
       ※ Refer to the [Remarks] section for unusable IP addresses.
   - Local ASN
     - Enter the AS number that the XaaS Connection will use. 4-byte ASNs are supported. It operates as eBGP.
       ※ Refer to the [Remarks] section for unusable AS numbers.
       ※ The Local ASN will be added once or twice to the AS-Path of the route information.
5. A creation confirmation popup will appear. Check the cost involved in creation and click [Create].
6. The XaaS Connections list page will be displayed. Confirm that the status next to the created resource becomes available.
   ※ You can refresh the status by clicking [Refresh] at the top right.
This completes the creation of the XaaS Connection resource.
Once a XaaS Connection resource has been created, you can proceed to Adding NAT IP Addresses.
Please check each operation page for details.
Remarks
Usage Notes
- For XaaS Connection (Zscaler), only connections via IPsec tunnel or via Zscaler Client Connector (ZCC) are supported. Please note that connections via GRE tunnel are not supported.
- Only one IPsec tunnel can be configured per XaaS Connection (Zscaler). If you wish to configure redundancy with two IPsec tunnels, you need to purchase two XaaS Connections (Zscaler).
- If you use ZCC, you need to provide a separate connection to DNS.
- You are responsible for designing and configuring IPsec VPN settings and route control, including redundancy configurations, in your environment.
NAT Location
NAT Location refers to the location of the equipment providing the NAT function. Subsequent communication follows BBIX communication specifications.
NAT IP Address
When a XaaS Connection resource is created, one initially assigned NAT IP address is provided.
Please check the NAT IP Address tab at the bottom of the screen.
The initially assigned NAT IP address cannot be deleted.
Unusable IP Addresses
- The following IPv4 address ranges cannot be used for the IPv4 Gateway Address.

  | Address Range | Remarks |
  | --- | --- |
  | 0.0.0.0/8 | RFC1122 this network |
  | 127.0.0.0/8 | RFC1122 localhost |
  | 192.0.0.0/24 | RFC5736 IETF protocol Assignments |
  | 192.0.2.0/24 | RFC5737 TEST-NET-1 |
  | 192.88.99.0/24 | RFC7526 6to4 anycast relay |
  | 198.18.0.0/15 | RFC2544 benchmarking |
  | 198.51.100.0/24 | RFC5737 TEST-NET-2 |
  | 203.0.113.0/24 | RFC5737 TEST-NET-3 |
  | 240.0.0.0/4 | Multicast Address |
  | 224.0.0.0/4 | Multicast Address |
Unusable ASNs
- The following AS numbers cannot be used as they are reserved by RFC.
- 0
- 23456
- 65535
- 4294967295
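
A pre-submission check of the creation inputs against the constraints listed on this page, as an added example (not part of the OCX documentation and not an OCX API). The function name check_xaas_inputs and its parameters are hypothetical; it assumes the 40-character limit applies after whitespace trimming and that only the gateway address itself is tested against the unusable ranges.

```python
import ipaddress

# Reserved ranges and ASNs copied from the Remarks section of this page.
UNUSABLE_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "127.0.0.0/8", "192.0.0.0/24", "192.0.2.0/24",
    "192.88.99.0/24", "198.18.0.0/15", "198.51.100.0/24",
    "203.0.113.0/24", "240.0.0.0/4", "224.0.0.0/4")]
UNUSABLE_ASNS = {0, 23456, 65535, 4294967295}
SPEEDS_GBPS = {"Tokyo": {1, 2, 3}, "Osaka": {1}}


def check_xaas_inputs(name, nat_location, speed_gbps, gateway, local_asn):
    """Return a list of problems; an empty list means the inputs look valid."""
    problems = []
    # Assumption: the 40-character limit applies after whitespace trimming.
    if len(name.strip()) > 40:
        problems.append("name exceeds 40 characters")
    allowed = SPEEDS_GBPS.get(nat_location)
    if allowed is None:
        problems.append("NAT Location must be Tokyo or Osaka")
    elif speed_gbps not in allowed:
        problems.append(f"{speed_gbps}Gbps is not selectable for {nat_location}")
    try:
        if "/" not in gateway:
            raise ValueError("mask missing")
        iface = ipaddress.IPv4Interface(gateway)
        # Assumption: only the gateway address itself is tested, not its subnet.
        hit = next((n for n in UNUSABLE_NETS if iface.ip in n), None)
        if hit is not None:
            problems.append(f"gateway {iface.ip} is inside unusable range {hit}")
    except ValueError:
        problems.append("gateway must be IPv4 in CIDR form, e.g. 192.168.0.1/24")
    if not 0 <= local_asn <= 4294967295:
        problems.append("Local ASN is outside the 4-byte range")
    elif local_asn in UNUSABLE_ASNS:
        problems.append(f"Local ASN {local_asn} is reserved")
    return problems


if __name__ == "__main__":
    # Constructed sample requests, not taken from a real environment.
    print(check_xaas_inputs("branch-zia-1", "Tokyo", 2, "192.168.0.1/24", 64512))
    print(check_xaas_inputs("branch-zia-2", "Osaka", 3, "198.51.100.1/24", 23456))
```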