Find the IP addresses of the best and second-best available points of presence and use them when configuring the primary and secondary IPsec or GRE tunnels.
Secure Web Gateway is delivered from the Skyhigh Security Cloud platform, which consists of globally distributed nodes called points of presence (PoPs). The Global Routing Manager (GRM) is a DNS service that is responsible for intelligent traffic routing, load sharing, and failover. The GRM routes traffic to the best available point of presence.
To view a global map of the points of presence and see status, setup, and support information, visit https://status.skyhighsecurity.com/.
Finding the Best Available PoPs
You can find the PoP closest to your location by using the nslookup tool to query the Global Routing Manager (GRM). GRM returns the IP addresses of the best available points of presence based on your location. You need these addresses when configuring IPsec or GRE tunnel interfaces on your networking device or in your SD-WAN service.
To find the IP addresses of the best and second-best available PoPs, run the nslookup command-line tool from your network, as shown.
- IPsec example:
  nslookup 1.network.c<customer_id>.wgcs.skyhigh.cloud
  nslookup 2.network.c<customer_id>.wgcs.skyhigh.cloud
- GRE example:
  nslookup 1.c<customer_id>.gre.wgcs.skyhigh.cloud
  nslookup 2.c<customer_id>.gre.wgcs.skyhigh.cloud
Use the IP addresses returned by nslookup and not the FQDNs to configure the VPN Gateway address in SD-WAN. The use of FQDNs is not supported by all vendors' routers or SD-WAN profile configurations and may result in connectivity issues.
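The lookup procedure above, as an added example that is not part of the Skyhigh documentation: it builds the primary and secondary GRM names for both tunnel types from the patterns shown, resolves them, and rejects anything that is not an IP literal, since the gateway address must be an IP and not an FQDN. The customer ID 12345 and the answer table used for offline runs are constructed sample values; a real run uses the default system resolver.

```python
import ipaddress
import socket
from typing import Callable, Dict, Optional

# Name patterns taken from the nslookup examples on this page. The GRM
# answers the "1." name with the best PoP and the "2." name with the second-best.
PATTERNS = {
    "ipsec": "{n}.network.c{cid}.wgcs.skyhigh.cloud",
    "gre": "{n}.c{cid}.gre.wgcs.skyhigh.cloud",
}

Resolver = Callable[[str], str]

# Constructed sample answers (documentation IP range) so the example runs
# without network access; they are not real PoP addresses.
SAMPLE_ANSWERS = {
    "1.network.c12345.wgcs.skyhigh.cloud": "203.0.113.10",
    "2.network.c12345.wgcs.skyhigh.cloud": "203.0.113.20",
}


def sample_resolver(name: str) -> str:
    """Stand-in for the GRM: answers only the constructed names above."""
    if name not in SAMPLE_ANSWERS:
        raise OSError(f"no answer for {name}")  # mimics socket.gaierror
    return SAMPLE_ANSWERS[name]


def grm_names(customer_id: str, tunnel: str) -> Dict[str, str]:
    """Return the primary/secondary GRM host names for "ipsec" or "gre"."""
    if tunnel not in PATTERNS:
        raise ValueError(f"unknown tunnel type: {tunnel}")
    pattern = PATTERNS[tunnel]
    return {
        "primary": pattern.format(n=1, cid=customer_id),
        "secondary": pattern.format(n=2, cid=customer_id),
    }


def resolve_pops(customer_id: str, tunnel: str,
                 resolver: Resolver = socket.gethostbyname) -> Dict[str, Optional[str]]:
    """Resolve both names to IP literals; a name that fails yields None.

    Failing softly lets the primary tunnel be configured even when the
    secondary lookup fails, and flags the gap instead of silently using an FQDN.
    """
    result: Dict[str, Optional[str]] = {}
    for role, name in grm_names(customer_id, tunnel).items():
        try:
            addr = resolver(name)
            ipaddress.ip_address(addr)  # ValueError if the answer is not an IP literal
            result[role] = addr
        except (OSError, ValueError):
            result[role] = None
    return result
```

Run `resolve_pops("<customer_id>", "ipsec")` and `resolve_pops("<customer_id>", "gre")` from inside your network to get the addresses to enter as primary and secondary tunnel endpoints.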
Web Gateway Cloud Service (WGCS; formerly known as McAfee SaaS Web Protection 1.x)
MVISION Unified Cloud Edge (UCE)
The Global Routing Manager (GRM) intelligently routes traffic to the closest Enterprise Point of Presence (PoP). For example, if a user is in Italy, they're routed to the closest PoP in Europe, rather than to North America or Asia. If that same user travels to New York City, they're routed to the PoP in New York, unless restricted by administrative policy.
The GRM is a DNS-based load-balancing service that answers the endpoint's DNS query with the address of the closest PoP. It considers the following information:
- Geo-location of the user/endpoint
- DNS request IP address
- PoP availability
- Proxy DNS name
The precise geo-location is needed to achieve the best performance and provide localized internet content to greatly improve user experience. To achieve a good approximation of the geo-location of the user or endpoint, the IP address of the endpoint sending a DNS request to the GRM is essential. The IP address seen on the GRM is typically not the same as the client IP address of the HTTP request. Instead, it's the IP address of the DNS resolver that the endpoint uses.
If you use cloud DNS services, such as Google DNS or OpenDNS, the geo-location reported for an endpoint might not be the correct geo-location in which the endpoint is located. These cloud DNS services use outbound IP addresses that are geo-located within the United States. The same behavior applies to customers who manage their own centralized DNS infrastructure in a specific country or region. This behavior can also impact user experience while receiving webpages (content) in a foreign language.
NOTE: There's no issue for customers who are using a decentralized DNS infrastructure.
When using cloud DNS services or centralized DNS infrastructure to enforce the correct geo-location, you can use special purpose prefixes for the country or region selection. The prefixes are hierarchically organized with continents at the top level, followed by regions, and then countries. Choose a prefix with the widest geographical area coverage because the prefix restricts dynamic load distribution and failover.
IMPORTANT: Use prefixes only when needed. Use of a prefix overrules the dynamic routing logic of GRM. When prefixes are used to enforce the selection of a specific geo-location, users might experience overall performance issues when traveling. An increase in network latency, dynamic failover, and load-balancing issues can occur.
Use a prefix for proxy settings to specify the preference for a PoP from a certain country or region:
- Country-specific prefix: If the host name for a proxy includes a prefix for an individual country, the closest or best PoP within the country is selected.
- Region-specific prefix: If the host name for a proxy includes a prefix for a larger region, the closest or best PoP within that region is selected.
Please refer to the following examples:
- Using the country-specific region prefix for the United Kingdom for Skyhigh Security Service Edge:
- Using the country-specific region prefix for the United Kingdom for WPS Hybrid customers using SCP:
If no PoP is available in the country or region specified in the proxy host name, the preconfigured fallback is to use the closest PoP regardless of the country or region. (It's unlikely that no PoP is available.)
To use the nearest PoP from the selected country or region for the endpoint, use the following predefined set of prefixes (subdomains):
| Country or region | Prefix (subdomain) |
|---|---|
| Pacific island countries | pacific |
| North America East Coast | na-east |
| North America West Coast | na-west |
| Middle East / Israel | il |
| United Arab Emirates | ae |