Set up VPN tunnels from Ubiquiti to Zscaler
- Problem: Many IoT/OT devices, servers and legacy systems do not support agents (e.g. Zscaler Client Connector).
- Solution: IPSec tunnels from UniFi Gateways to Zscaler (ZIA) to centrally inspect and filter HTTP/HTTPS traffic - without an agent on the endpoint device.
- Added value: Unified SSE security controls (web filtering, threat protection, DLP, CASB), consistent egress IP handling, easy rollout and high availability across two Zscaler data centers.
Architecture in 60 seconds
- UniFi gateway (HA cluster here) establishes redundant IPSec tunnels to the two closest Zscaler DCs (primary/backup).
- Policy-Based Routing (PBR) on the Ubiquiti gateway steers defined traffic (e.g. IoT VLANs → web) into the tunnel, so Zscaler acts as a transparent proxy; internal destinations (RFC1918) and Zscaler agent traffic are bypassed.
- Zscaler (ZIA) inspects/processes the traffic according to the policies.
- Depending on the resilience and performance requirements, any number of tunnels can be set up via any ISPs at any Zscaler data centers with any priorities.
Requirements (checklist)
- Static public IP on the Ubiquiti WAN.
- Access to ZIA Admin Portal with rights for static IPs, VPN credentials, location management.
- Preliminary planning: Which source networks/VLANs should go via Zscaler? Which destinations need to be bypassed (RFC1918, management networks, ZCC backends)?
- Time sync (NTP) & correct MTU on the WAN (IPSec/SSL inspection can trigger fragmentation).
1. IPSec from Ubiquiti to Zscaler
- Determine the nearest Zscaler DC and note its VPN host name (e.g. zrh1-... or fra4-...). The overview/table is shown in the SOP, page 2.
- Register static IP: ZIA Admin Portal → Administration → Static IPs & GRE Tunnels → Add Static IP (enter UniFi WAN IP). Page 2.
- Create VPN Credential: ZIA Admin Portal → Administration → VPN Credentials → Add VPN Credentials → Select Static IP, set Pre-Shared Key, save. Pages 2-3, incl. the input form.
- Assign location: Administration → Location Management → Add credential to the desired location. Page 3.
- Configure policies: SSL inspection must be switched off for IoT and OT in most cases; for servers, the Zscaler Root CA can be rolled out to the servers instead.
2. Configure UniFi side (Tunnel 1 - Primary DC)
- UniFi Network → Settings → VPN → Site-to-Site VPN → Create New.
- VPN Type: IPSec, VPN Method: Route-Based.
- Remote IP/Hostname: the Zscaler VPN host name from step 1 (e.g. zrh1-2-vpn.zscaler.net).
- IKE/ESP (see screenshot):
  - Key Exchange: IKEv2
  - AES-256 / SHA1, DH group 14, PFS active, SA lifetime IKE 28800s / ESP 3600s
- Tunnel IP: /31 as shown in the UniFi input form (default in screenshot).
- Remote Networks: set so that the failover pair matches Tunnel 2 (see next step).
- Route Distance (metric): smaller value = preferred (e.g. 30 for primary).
3. Configure UniFi side (Tunnel 2 - Backup DC)
- Repeat step 2 with second DC hostname (e.g. fra4-vpn.zscaler.net).
- Remote Networks identical to the first tunnel - this way UniFi recognizes the failover pair.
- Route Distance higher than the primary tunnel (e.g. 60).
4. Policy-Based Routing (PBR) on the UniFi
- Bypass RFC1918 (10/8, 172.16/12, 192.168/16) → not in the tunnel.
- Bypass Zscaler backends/ZCC infrastructure (e.g. config.zscaler.com aggregated ranges).
- ANY → Tunnel for the predefined source VLANs/networks (IoT/OT/Server).
- Then check whether both tunnels are "online".
- UniFi cannot (yet) reorder PBR rules. Create them in the correct order (specific → general) from the start and add placeholder rules for future use cases, which can be updated later if necessary.
- For exclusions, the exception rule and the ANY rule must have the same source.
- Do not activate the kill switch on the exception rules (otherwise failover to the other tunnel no longer works).
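The three constraints above (specific before general because UniFi cannot reorder, exception and ANY rule with the same source, no kill switch on exceptions) can be checked against a planned rule list before anything is created in the controller. The following is an added example, not UniFi or Zscaler code; the rule dict schema is a hypothetical model of the PBR form fields, and both plans are constructed.

```python
import ipaddress

RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]


def check_pbr_plan(rules):
    """Return problem strings for an ordered PBR rule list; [] means the plan is consistent.
    Each rule is a dict (hypothetical model of the UniFi PBR form) with keys
    source (CIDR), destination (CIDR or "any"), action ("bypass"/"tunnel"), kill_switch (bool).
    """
    problems = []
    tunnel_idx = {}  # source network -> position of its general ANY -> tunnel rule
    for i, r in enumerate(rules):
        if r["action"] == "tunnel" and r["destination"] == "any":
            tunnel_idx.setdefault(r["source"], i)
    for i, r in enumerate(rules):
        if r["action"] != "bypass":
            continue
        src = r["source"]
        if src not in tunnel_idx:  # exception and ANY rule must share the same source
            problems.append(f"rule {i}: bypass for {src} has no ANY->tunnel rule with the same source")
        elif i > tunnel_idx[src]:  # UniFi cannot reorder: specific must be created before general
            problems.append(f"rule {i}: bypass for {src} comes after its ANY->tunnel rule {tunnel_idx[src]}")
        if r.get("kill_switch"):  # kill switch on an exception breaks failover to the other tunnel
            problems.append(f"rule {i}: kill switch enabled on a bypass rule")
    for src in tunnel_idx:  # every tunneled source needs bypasses covering all RFC1918 space
        bypassed = [ipaddress.ip_network(r["destination"]) for r in rules
                    if r["action"] == "bypass" and r["source"] == src and r["destination"] != "any"]
        for cidr in RFC1918:
            if not any(ipaddress.ip_network(cidr).subnet_of(b) for b in bypassed):
                problems.append(f"source {src}: no bypass covering {cidr}")
    return problems


# Constructed plan for one IoT VLAN: the three RFC1918 exceptions, then the general rule.
# Kill switch on the general rule keeps IoT traffic from leaving uninspected if both tunnels are down.
PLAN_OK = [
    {"source": "10.50.0.0/24", "destination": "10.0.0.0/8", "action": "bypass", "kill_switch": False},
    {"source": "10.50.0.0/24", "destination": "172.16.0.0/12", "action": "bypass", "kill_switch": False},
    {"source": "10.50.0.0/24", "destination": "192.168.0.0/16", "action": "bypass", "kill_switch": False},
    {"source": "10.50.0.0/24", "destination": "any", "action": "tunnel", "kill_switch": True},
]

# Constructed plan with the typical mistakes: general rule created first, kill switch on an
# exception, and an exception whose source (/16) does not match the ANY rule's source (/24).
PLAN_BAD = [
    {"source": "10.50.0.0/24", "destination": "any", "action": "tunnel", "kill_switch": True},
    {"source": "10.50.0.0/24", "destination": "10.0.0.0/8", "action": "bypass", "kill_switch": True},
    {"source": "10.50.0.0/16", "destination": "172.16.0.0/12", "action": "bypass", "kill_switch": False},
]
```

Running `check_pbr_plan(PLAN_BAD)` reports five findings (ordering, kill switch, source mismatch, and two uncovered RFC1918 ranges), while `PLAN_OK` returns an empty list.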
Verification & operation
- Check egress IP in ZIA (Log/Insights) - is it assigned to your static IP/location?
- Test SSE policies (URL filter, DLP, upload controls, SSL inspection).
- Monitoring: Tunnel status, latency to the DCs, MTU/MSS clamp (in case of fragmentation).
- Key hygiene: rotate PSK regularly, audit admin access.
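The MTU/MSS clamp mentioned above can be derived from the tunnel parameters in step 2 rather than guessed. The following is an added example, not from the SOP or from Ubiquiti/Zscaler; it assumes an IPv4 outer header without options, ESP tunnel mode, that "AES-256" means AES-256-CBC (16-byte IV, 16-byte block padding), that "SHA1" means HMAC-SHA1-96 (12-byte ICV), and inner IPv4/TCP headers of 20 bytes each.

```python
# Assumed wire-format constants (see lead-in): IPv4 outer, ESP tunnel mode,
# AES-256-CBC with HMAC-SHA1-96, optional NAT-T UDP encapsulation.
OUTER_IP = 20
NAT_T_UDP = 8          # UDP 4500 encapsulation when NAT traversal is in use
ESP_HEADER = 8         # SPI + sequence number
AES_CBC_IV = 16
AES_BLOCK = 16
ESP_TRAILER = 2        # pad length + next header (inside the encrypted part)
SHA1_96_ICV = 12
INNER_IP_TCP = 40      # inner IPv4 + TCP headers without options


def esp_packet_size(inner_len, nat_t=False):
    """Bytes on the wire for an inner IPv4 packet of inner_len bytes after ESP encapsulation."""
    pad = (-(inner_len + ESP_TRAILER)) % AES_BLOCK  # pad so the CBC plaintext is a block multiple
    encrypted = inner_len + pad + ESP_TRAILER
    return OUTER_IP + (NAT_T_UDP if nat_t else 0) + ESP_HEADER + AES_CBC_IV + encrypted + SHA1_96_ICV


def max_mss(wan_mtu, nat_t=False):
    """Largest TCP MSS whose full-size segment still fits in wan_mtu without fragmentation."""
    fixed = OUTER_IP + (NAT_T_UDP if nat_t else 0) + ESP_HEADER + AES_CBC_IV + SHA1_96_ICV
    encrypted = (wan_mtu - fixed) // AES_BLOCK * AES_BLOCK  # largest block-aligned encrypted part
    inner_max = encrypted - ESP_TRAILER                       # pad is zero when sizes align exactly
    return inner_max - INNER_IP_TCP


if __name__ == "__main__":
    for mtu in (1500, 1492):           # Ethernet WAN and PPPoE WAN
        for nat_t in (False, True):
            mss = max_mss(mtu, nat_t)
            print(f"WAN MTU {mtu} NAT-T={nat_t!s:5}: MSS clamp {mss}, "
                  f"wire size {esp_packet_size(mss + INNER_IP_TCP, nat_t)}, "
                  f"one byte more -> {esp_packet_size(mss + INNER_IP_TCP + 1, nat_t)}")
```

The block-alignment step is the point to notice: one byte above the computed MSS pushes the outer packet to the next 16-byte block and over the WAN MTU, which is why a clamp that "almost" fits still fragments.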
Best practices from projects
- VLAN-based onboarding: dedicated IoT/OT VLANs via PBR in the tunnel - minimizes blast radius.
- Cleanly separate "web only": Do not tunnel internal services (e.g. OT HMIs) to the internet; RFC1918 bypass helps.
- Select two regional DCs (e.g. Zurich + Frankfurt) → failover with clear priority (route distance).
- Schedule a change window: SSL inspection or DLP can have app side effects; start with a pilot group.
- Maintain documentation: DC lists, PBR exceptions (e.g. ZCC/update CDNs), responsible VLANs, emergency rollback.
Conclusion
With IPSec UniFi → Zscaler, non-agent-capable IoT/OT assets and servers can be connected to modern SSE controls easily, scalably and cost-effectively - without any intervention on the end device. The combination of two DC tunnels, clean PBR and consistent policy checking quickly delivers measurable security gains - exactly where agents do not fit.