Feature Request - Integrations to Zscaler and Microsoft Azure
We are looking to move away from on-premises data centres and MPLS and use public cloud IaaS like Microsoft Azure, local Internet break-out and security as a service such as Zscaler. We are looking at SD-WAN products to provide connectivity to such services and I am keen to know the roadmap for Meraki's SD-WAN offering and whether it will integrate with xaaS such as Azure and Zscaler. Note. I know the vMX100 is in Azure which is great (no resilience is not so great)
1. Zscaler integration. Cisco Viptela, Velocloud, Aruba etc have partnered with Zscaler to provide SD-WAN GRE breakout to Zscaler. Are Meraki looking to partner with Zscaler? Or GRE tunnelling in the MX series would be good so this could be manually configured. IPsec is supported but not ideal for this traffic. Note. I know the MX has some security features but the lack of SSL inspection is not good when the majority of web traffic is now encrypted.
2. Microsoft Azure Virtual WAN integration. Riverbed and Citrix have partnered with Microsoft to integrate their SD-WAN solutions with Azure so an NVA (Network Virtual Appliance, like the vMX100) is not required in Azure, as it can integrate natively with their SD-WAN using the Azure Virtual WAN gateway. I appreciate this has just been released but is Meraki looking at this integration like Checkpoint and Palo Alto are?
What I'm trying to ascertain is where Meraki's SD-WAN sits in the enterprise space and if it's going to meet our requirements like the other SD-WAN vendors mentioned above.
Meraki have actually played with SSL inspection, but it is highly possible it will never get released. The small amount of extra things you can catch over simple connection monitoring, considering the massive amount of CPU it burns, and the pain of having to install root certificates onto every device behind the SSL inspection device, makes it not worthwhile.
I have seen very few sites deploy SSL inspection, and every one of those eventually turned it off. Managing the certificates becomes just too hard.
We have similar requirements to support the ZScaler ZIA product. The requirement is to forward the traffic from the branch to ZScaler for firewall and URL filtering. Ideally Meraki MX products need to support GRE and/or IPsec tunnels (not sure if they already do).
I must disagree strongly. It is the lack of Meraki supporting SSL deep inspection and the limited support of non-Meraki VPN that rules out Meraki for a lot of the customer projects that I design solutions for. Enabling a proper integration with Zscaler (either via GRE or IPsec) would eliminate one of the big obstacles I face when designing solutions based on Meraki SD-WAN. And, sorry to say so, Cisco Umbrella is simply not an alternative yet.
I am not seeing any Azure Virtual WAN projects yet but they will be coming and putting a vmx100 in each region is not an alternative.
1) Why would you - as a company, Cisco / Meraki in this regard - build in support for a competing product? Umbrella is going to be a "real" Secure Internet Gateway (SIG) very soon and definitely will add more security to the stack than zScaler - depending on which feature you're looking at. At least zScaler will never be able to have that vast pool of information regarding DNS security.
2) Of course you can further toot the "we need to decrypt everything that's encrypted" horn. At some point in the future you'll (hopefully) find that it simply doesn't work and creates more burden and problems than you're trying to solve. But I guess this is getting more or less religious here. I can only second what @PhilipDAth wrote, and he did it way better than I could.
Why not just use a real SD-WAN then? We use Velocloud SD-WAN + Zscaler + Meraki switches and APs. It has been my experience that SSL inspection is actually important. Zscaler has blocked malicious files from known good services. It is not enough just to trust a 3rd party provider to secure all the content on their service. Zscaler also has cloud sandboxing with patient zero protection and a desktop/mobile client so you get a single dashboard for analysis of network and client events. We have a Velocloud branch template and a Meraki switch/AP template. Setting up a site is pretty easy even with managing two systems. Hopefully the Viptela stuff will be integrated into Meraki in the future so we can combine the stacks but for now, I find MX too limiting. I wouldn't hold my breath on zscaler integration though. Zscaler and cloudlock have already split and Cisco is trying to add more zscaler functionality to opendns/umbrella.
I fully agree. The Meraki VPN tunnels to 3rd party peers leave a lot to be desired. (No backup peer IP, no granularity for configuring different sets of source IPs to different destination IPs, no IKEv2).
I respectfully disagree with @PhilipDAth on the SSL inspection. Our DLP policy enforced by zScaler allows us to grant users access to read documents shared from sources like Dropbox, Google Drive, Office 365, without allowing them to upload documents/files to those destinations. That requires SSL inspection and a much more sophisticated policy set than is offered with Meraki. Not to mention, the tunnel config options I mentioned above are all just standard boilerplate site-to-site VPN tunnel options, which would let a solution like zScaler work just fine.