Zscaler is a network cybersecurity platform used by larger enterprises to secure their networks and keep end users safe. Zscaler’s default configuration may interfere with network communications to and from the AVOXI Genius platform and lead to call quality issues. To avoid any impact on AVOXI Genius call performance, the default Zscaler configuration needs to be adjusted as described below.
There are two options for integrating the AVOXI Genius platform and Zscaler. One is to route your AVOXI Genius data (RTC phone calls) through the Zscaler data centers. The other is to leverage your local internet connection directly. The required Zscaler configuration changes will be based on the option chosen.
If you want to route through the Zscaler data centers, see the section “Bypass Inspection”. If you want to route via your local Internet connection, first determine whether you are using ZTunnel 1.0 or ZTunnel 2.0 and then proceed to the corresponding “Direct Egress ZTunnel” section below.
AVOXI recommends using your local Internet connection to prevent additional latency traveling to the Zscaler data centers, although the impact is minor and both solutions provide acceptable call quality.
Bypass Inspection
With this configuration, traffic still travels from the locally installed Zscaler devices and applications to the Zscaler data centers; however, Zscaler’s deep packet (SSL) inspection is bypassed for the AVOXI Genius traffic.
- Create a custom Destination IP Group.
  - Zscaler’s directions on configuring this can be found in the Zscaler Help documentation article “Configuring Destination IP Groups”.
  - Use all of the AVOXI Genius IP addresses. The IP addresses can be found in the AVOXI Knowledge Base guide “AVOXI Genius IP Addresses Whitelist”.
- Configure the SSL Inspection Policy.
  - These directions are found in “Configuring SSL Inspection Policy”.
  - Set the Rule Order as high as possible so that other rules with less strict criteria cannot match the AVOXI traffic first.
  - For the criteria, select the custom Destination IP Group created in the previous step.
- In the Action section, select the following options:
  - “Do Not Inspect”
  - “Bypass Other Policies”
  - Disable “Block No Server Name Indication (SNI)”
Direct Egress ZTunnel 1.0
This configuration applies to customers using ZTunnel 1.0. In this configuration, traffic will travel from the Zscaler devices and applications directly to AVOXI using the local Internet connection.
Zscaler’s directions on configuring this can be found in the Zscaler Help documentation article “Writing a PAC File”.
If you already have a FindProxyForURL function, update it to include the bypass logic below. If you do not have a FindProxyForURL function, you can copy the complete snippet.
Use the following logic in your FindProxyForURL function:
function FindProxyForURL(url, host) {
  // Check if host is an IP address literal; isInNet() would otherwise
  // trigger a DNS lookup for every hostname
  var ip_checker = /\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b/;
  //
  // Begin bypass proxy for AVOXI Genius IP Space
  //
  if (ip_checker.test(host) && (
        isInNet(host, "104.196.177.203", "255.255.255.255") || // US
        isInNet(host, "104.196.177.56", "255.255.255.255") ||
        isInNet(host, "35.231.51.152", "255.255.255.255") ||
        isInNet(host, "35.231.63.162", "255.255.255.255") ||
        isInNet(host, "35.196.133.248", "255.255.255.255") ||
        isInNet(host, "104.196.96.192", "255.255.255.255") ||
        isInNet(host, "35.190.137.142", "255.255.255.255") ||
        isInNet(host, "34.73.213.42", "255.255.255.255") ||
        isInNet(host, "34.73.56.126", "255.255.255.255") ||
        isInNet(host, "34.74.129.35", "255.255.255.255") ||
        isInNet(host, "34.74.26.164", "255.255.255.255") ||
        isInNet(host, "34.74.55.73", "255.255.255.255") ||
        isInNet(host, "34.74.74.172", "255.255.255.255") ||
        isInNet(host, "34.75.17.11", "255.255.255.255") ||
        isInNet(host, "34.75.197.236", "255.255.255.255") ||
        isInNet(host, "34.75.227.126", "255.255.255.255") ||
        isInNet(host, "34.75.42.140", "255.255.255.255") ||
        isInNet(host, "34.75.49.119", "255.255.255.255") ||
        isInNet(host, "34.75.61.225", "255.255.255.255") ||
        isInNet(host, "34.75.97.143", "255.255.255.255") ||
        isInNet(host, "35.185.23.34", "255.255.255.255") ||
        isInNet(host, "35.190.170.102", "255.255.255.255") ||
        isInNet(host, "35.196.156.208", "255.255.255.255") ||
        isInNet(host, "35.196.163.148", "255.255.255.255") ||
        isInNet(host, "35.196.177.134", "255.255.255.255") ||
        isInNet(host, "35.196.59.183", "255.255.255.255") ||
        isInNet(host, "35.196.97.117", "255.255.255.255") ||
        isInNet(host, "35.227.42.112", "255.255.255.255") ||
        isInNet(host, "35.227.70.158", "255.255.255.255") ||
        isInNet(host, "35.231.143.46", "255.255.255.255") ||
        isInNet(host, "35.231.244.203", "255.255.255.255") ||
        isInNet(host, "35.237.150.40", "255.255.255.255") ||
        isInNet(host, "35.237.210.244", "255.255.255.255") ||
        isInNet(host, "35.237.212.40", "255.255.255.255") ||
        isInNet(host, "35.237.221.3", "255.255.255.255") ||
        isInNet(host, "35.243.176.215", "255.255.255.255") ||
        isInNet(host, "35.243.199.92", "255.255.255.255") ||
        isInNet(host, "35.243.241.228", "255.255.255.255") ||
        isInNet(host, "34.96.219.253", "255.255.255.255") || // HK
        isInNet(host, "34.92.127.143", "255.255.255.255") ||
        isInNet(host, "34.92.174.171", "255.255.255.255") ||
        isInNet(host, "34.96.245.147", "255.255.255.255") ||
        isInNet(host, "34.96.206.113", "255.255.255.255") ||
        isInNet(host, "34.92.130.145", "255.255.255.255") ||
        isInNet(host, "34.92.190.82", "255.255.255.255") ||
        isInNet(host, "34.96.234.90", "255.255.255.255") ||
        isInNet(host, "34.150.105.215", "255.255.255.255") ||
        isInNet(host, "34.150.67.194", "255.255.255.255") ||
        isInNet(host, "34.150.89.83", "255.255.255.255") ||
        isInNet(host, "34.92.121.200", "255.255.255.255") ||
        isInNet(host, "34.92.127.48", "255.255.255.255") ||
        isInNet(host, "34.92.192.51", "255.255.255.255") ||
        isInNet(host, "34.92.230.37", "255.255.255.255") ||
        isInNet(host, "34.92.230.42", "255.255.255.255") ||
        isInNet(host, "34.92.48.216", "255.255.255.255") ||
        isInNet(host, "34.92.74.10", "255.255.255.255") ||
        isInNet(host, "34.92.83.126", "255.255.255.255") ||
        isInNet(host, "34.96.137.99", "255.255.255.255") ||
        isInNet(host, "35.220.131.218", "255.255.255.255") ||
        isInNet(host, "35.220.179.43", "255.255.255.255") ||
        isInNet(host, "35.220.179.55", "255.255.255.255") ||
        isInNet(host, "35.241.116.163", "255.255.255.255") ||
        isInNet(host, "35.241.87.227", "255.255.255.255") ||
        isInNet(host, "199.244.98.0", "255.255.254.0") || // AU, BR, ME, UK
        isInNet(host, "154.65.66.0", "255.255.254.0")) || // DE, SG, future
      dnsDomainIs(host, "genius.avoxi.com"))
  {
    // AVOXI Genius traffic egresses over the local Internet connection
    return "DIRECT";
  }
  // Everything else goes through the Zscaler gateways (Zscaler substitutes
  // the ${GATEWAY} and ${SECONDARY_GATEWAY} macros)
  return "PROXY ${GATEWAY}:80; PROXY ${SECONDARY_GATEWAY}:80; DIRECT";
}
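Before uploading a PAC file it is worth checking offline that the bypass really matches the intended addresses and nothing else, since a mis-scoped rule either breaks call quality or quietly pulls unrelated traffic out of inspection. The harness below is an added example, not AVOXI’s or Zscaler’s code: it supplies minimal stand-ins for the PAC built-ins isInNet() and dnsDomainIs() (which browsers and Zscaler provide natively), applies the same decision logic to a subset of the AVOXI ranges listed above, and returns any host whose route differs from the expected one. The expectation table and the hostnames in it are constructed for the example, and the IP literal regex is anchored (stricter than the \b version in the PAC) so a hostname that merely contains digits is never passed to isInNet().

```javascript
// Added example: offline harness for the PAC bypass logic above.
// isInNet() and dnsDomainIs() are stand-ins for the PAC built-ins.

// Parse a dotted quad into an unsigned 32-bit integer; null if malformed.
function ipToInt(ip) {
  const parts = ip.split(".").map(Number);
  if (parts.length !== 4 ||
      parts.some((p) => !Number.isInteger(p) || p < 0 || p > 255)) {
    return null;
  }
  return ((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>> 0;
}

// Stand-in for the PAC built-in: true when ip lies inside network/mask.
// Unlike the real built-in it never resolves hostnames, which is why the
// PAC guards the call with an IP-literal check in the first place.
function isInNet(ip, network, mask) {
  const a = ipToInt(ip), n = ipToInt(network), m = ipToInt(mask);
  if (a === null || n === null || m === null) return false;
  return ((a & m) >>> 0) === ((n & m) >>> 0);
}

// Stand-in for the PAC built-in: true when host ends with domain.
function dnsDomainIs(host, domain) {
  return host.endsWith(domain);
}

// Subset of the AVOXI Genius ranges from the PAC above as [network, mask];
// in practice the full list from the PAC file goes here.
const AVOXI_NETS = [
  ["104.196.177.203", "255.255.255.255"], // US
  ["34.96.219.253", "255.255.255.255"],   // HK
  ["199.244.98.0", "255.255.254.0"],      // AU, BR, ME, UK (/23)
  ["154.65.66.0", "255.255.254.0"],       // DE, SG, future (/23)
];

// Anchored: "1.2.3.4.example.com" is a hostname, not an IP literal.
const IP_LITERAL = /^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/;

// Zscaler fills in the ${GATEWAY} macros; they are kept as-is here.
const ZSCALER_ROUTE = "PROXY ${GATEWAY}:80; PROXY ${SECONDARY_GATEWAY}:80; DIRECT";

function FindProxyForURL(url, host) {
  const avoxiIp = IP_LITERAL.test(host) &&
    AVOXI_NETS.some(([net, mask]) => isInNet(host, net, mask));
  if (avoxiIp || dnsDomainIs(host, "genius.avoxi.com")) {
    return "DIRECT";
  }
  return ZSCALER_ROUTE;
}

// Constructed expectations: [host, expected route].
const SAMPLE_CASES = [
  ["104.196.177.203", "DIRECT"],          // listed /32
  ["104.196.177.204", ZSCALER_ROUTE],     // neighbouring address, not listed
  ["199.244.99.17", "DIRECT"],            // inside 199.244.98.0/23
  ["199.244.100.1", ZSCALER_ROUTE],       // just past the end of that /23
  ["154.65.67.250", "DIRECT"],            // inside 154.65.66.0/23
  ["genius.avoxi.com", "DIRECT"],         // domain match
  ["app.genius.avoxi.com", "DIRECT"],     // subdomain match
  ["www.example.com", ZSCALER_ROUTE],     // unrelated hostname
  ["1.2.3.4.example.com", ZSCALER_ROUTE], // hostname that merely contains digits
];

// Returns the cases whose route differs from the expectation;
// an empty array means the bypass behaves as intended.
function checkBypassTable(cases) {
  const failures = [];
  for (const [host, expected] of cases) {
    const got = FindProxyForURL("https://" + host + "/", host);
    if (got !== expected) failures.push({ host, expected, got });
  }
  return failures;
}

if (typeof require !== "undefined" && require.main === module) {
  const failures = checkBypassTable(SAMPLE_CASES);
  console.log(failures.length === 0 ? "all bypass cases pass" : failures);
}
```

Run it with Node.js after pasting the complete AVOXI list into AVOXI_NETS; any entry in the returned array shows a host that would be routed the wrong way, which is the mistake to catch before the PAC is published to end users.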
Direct Egress ZTunnel 2.0
This configuration applies to customers using ZTunnel 2.0. In this configuration, traffic will travel from the Zscaler devices and applications directly to the AVOXI Genius platform using the local Internet connection.
- Define an IP-based application.
  - For directions, see the article “Adding IP-Based Applications to Bypass Traffic”.
  - For the configuration you will need all the AVOXI IP addresses from “AVOXI Genius IP Addresses Whitelist”.
  - For Port and Protocol, enter an asterisk (*).
- Configure the application to connect directly to the Internet instead of routing to the Zscaler data centers.
  - For directions on configuring the application defined in the first step, see the article “Configuring Zscaler Client Connector App Profiles”.
  - Within the article, select the relevant device platform, then “Traffic Steering” → “App and IP Bypass” → “IP Bypass”.
  - Follow the directions for the Custom IP-Based Application Bypass created in the previous step.