Skip to main content

Welcome to our updated site!

Skyhigh Security

Routing Web Traffic to PoPs

Find the IP addresses of the best and second-best available points of presence and use them when configuring the primary and secondary IPsec or GRE tunnels.

Secure Web Gateway is delivered from the Skyhigh Security Cloud platform, which consists of globally distributed nodes called points of presence (PoPs). The Global Routing Manager (GRM) is a DNS service that is responsible for intelligent traffic routing, load sharing, and failover. The GRM routes traffic to the best available point of presence.

To view a global map of the points of presence and see status, setup, and support information, visit https://status.skyhighsecurity.com/.
 

Finding the Best Available PoPs

You can find the PoP closest to your location by using the nslookup tool to query the Global Routing Manager (GRM). GRM returns the IP addresses of the best available points of presence based on your location. You need these addresses when configuring IPsec or GRE tunnel interfaces on your networking device or in your SD-WAN service.

To find the IP addresses of the best and second-best available PoPs, run the nslookup command-line tool from your network, as shown.

  • IPsec example
nslookup 1.network.c<customer_id>.wgcs.skyhigh.cloud
nslookup 2.network.c<customer_id>.wgcs.skyhigh.cloud
  • GRE example
nslookup 1.c<customer_id>.gre.wgcs.skyhigh.cloud
nslookup 2.c<customer_id>.gre.wgcs.skyhigh.cloud
            

Use the IP addresses returned by nslookup and not the FQDNs to configure the VPN Gateway address in SD-WAN. The use of FQDNs is not supported by all vendors' routers or SD-WAN profile configurations and may result in connectivity issues.

Environment 

Web Gateway Cloud Service (WGCS; formerly known as McAfee SaaS Web Protection 1.x)
MVISION Unified Cloud Edge (UCE)

Summary

The Global Routing Manager (GRM) intelligently routes traffic to the closest Enterprise Point of Presence (PoP). For example, if a user is in Italy, they're routed to the closest PoP in Europe, rather than to North America or Asia. If that same user travels to New York City, they're routed to the PoP in New York, unless restricted by administrative policy.
 

The GRM is a DNS-based load-balancing service that returns to the endpoint through the route to the closest PoP. It considers the following information:

  • Geo-location of the user/endpoint
  • DNS request IP address
  • PoP availability
  • Proxy DNS name

The precise geo-location is needed to achieve the best performance and provide localized internet content to greatly improve user experience. To achieve a good approximation of the geo-location of the user or endpoint, the IP address of the endpoint sending a DNS request to the GRM is essential. The IP address seen on the GRM is typically not the same as the client IP address of the HTTP request. Instead, it's the IP address of the DNS resolver that the endpoint uses.

Problem

If you use cloud DNS services, such as Google DNS or OpenDNS, the geo-location reported for an endpoint might not be the correct geo-location in which the endpoint is located. These cloud DNS services use outbound IP addresses that are geo-located within the United States. The same behavior applies to customers who manage their own centralized DNS infrastructure in a specific country or region. This behavior can also impact user experience while receiving webpages (content) in a foreign language.

NOTE: There's no issue for customers who are using a decentralized DNS infrastructure.

Solution

When using cloud DNS services or centralized DNS infrastructure to enforce the correct geo-location, you can use special purpose prefixes for the country or region selection. The prefixes are hierarchically organized with continents at the top level, followed by regions, and then countries. Choose a prefix with the widest geographical area coverage because the prefix restricts dynamic load distribution and failover.

IMPORTANT: Use prefixes only when needed. Use of a prefix overrules the dynamic routing logic of GRM. When prefixes are used to enforce the selection of a specific geo-location, users might experience overall performance issues when traveling. An increase in network latency, dynamic failover, and load-balancing issues can occur.

Use a prefix for proxy settings to specify the preference for a PoP from a certain country or region:

  • Country-specific prefix: If the host name for a proxy includes a prefix for an individual country, the closest or best PoP within the country is selected.
  • Region-specific prefix: If the host name for a proxy includes a prefix for a larger region, the closest or best PoP within that region is selected.  

Please refer to the following examples:

  • Using the country-specific region prefix for the United Kingdom for Skyhigh Security Service Edge:
    uk.c12345678.wgcs.skyhigh.cloud
     
  • Using the country-specific region prefix for the United Kingdom for WPS Hybrid customers using SCP:
    uk.c12345678.hybrid.skyhigh.cloud

If no PoP is available in the country or region specified in the proxy host name, the preconfigured fallback is to use the closest PoP regardless of the country or region. (It's unlikely that no PoP is available.)

 

To use the nearest PoP from the selected country or region for the endpoint, use the following predefined set of prefixes (subdomains):

 

Continents/Regions Prefix
Africa africa
Asia asia
Europe eu
North America na
Pacific island countries pacific
Latin America ltam
Asia Pacific apac

 

NORTH AMERICA Prefix
Canada ca
North America East Coast na-east
North America West Coast na-west
USA East us-east
USA Midwest us-midwest
USA South us-south
USA West us-west

 

LATIN AMERICA Prefix
Argentina ar
Bolivia bo
Brazil br
Chile cl
Colombia co
Mexico mx
Paraguay py
Peru pe
Uruguay uy
Venezuela ve

 

EUROPE Prefix
Austria at
Belgium be
Croatia hr
Czech Republic cz
Denmark dk
Finland fi
France fr
Germany de
Greece gr
Hungary hu
Ireland ie
Italy it
Netherlands nl
Norway no
Poland pl
Portugal pt
Romania ro
Serbia rs
Slovakia sk
Slovenia si
Spain es
Sweden se
Switzerland ch
Turkey tr
United Kingdom uk

 

ASIA/PACIFIC Prefix
Asia asia
Pacific island countries pacific
Middle East / Israel il
Australia au
Australia East au-east
Australia West au-west
Hong Kong hk
India in
India North in-north
India West in-west
Japan jp
Korea kr
New Zealand nz
Philippines ph
Singapore sg
Taiwan tw
Thailand th
United Arab Emirates ae

 

 

AFRICA Prefix
South Africa za

 

  • Was this article helpful?