Skyhigh Security

Configure GRE Tunnels on Secure Web Gateway

When configuring GRE tunnels on Secure Web Gateway, you specify an IP address as external IP address for a location within your network. This IP address serves as a collection point for the web traffic that is routed through these tunnels from your network to Secure Web Gateway.

You can also specify more than one external IP address.

The traffic is routed to instances of Secure Web Gateway running on nodes in a worldwide network that has been set up by Skyhigh Security. These nodes are referred to as Points of Presence (PoPs). They serve as entry points into the cloud.

After you have saved the external IP address, Secure Web Gateway allocates a primary and a secondary GRE tunnel.

Web traffic is routed through the primary tunnel to an instance of Secure Web Gateway on the PoP that is best available. If the best available PoP is inactive, traffic is routed through the secondary tunnel to an instance on the PoP that is second best in availability.

  1. On the user interface for Secure Web Gateway, place your mouse pointer over the settings icon in the top right corner, then select Infrastructure > Web Gateway Setup from the drop-down menus.
  2. On the setup main page, begin with configuring a location for your network. The GRE tunnels will be mapped to this location.

    • Scroll down to Configure Locations and click New Location.

    • On the Configure Location page, enter a name for the location in the Name field, for example, London.

  3. Configure SAML authentication and log data residency as needed.

    • If you want to add SAML authentication as a method for authenticating users who send requests for web access, select a configuration from the list provided under Select SAML Configuration. Users are then authenticated according to the settings of this configuration.

      If you have configured SAML authentication as part of your web policy, select None here. Otherwise, SAML authentication will not use the settings you have configured for your web policy, but the settings of the configuration that you have selected here.

      To use advanced settings for SAML authentication, you need to configure them as part of your web policy.

    • If you want to store log data about web traffic in a particular region, select this region from the list provided under Log Data Residency.

  4. As the mapping type for the location that you have configured, select GRE Tunnel Mapping.

  5. Optionally specify one or more reserved subnets. Secure Web Gateway will not use an IP address from within these subnets as the external IP address. This prevents issues from arising through conflicting use of the same IP addresses within your network and by Secure Web Gateway. 

    Under Subnet, type the IP address range for each subnet you want to specify, for example, 100.64.0.0/24. You can add a plain-text comment for each subnet. Use the + icon to add more subnets.

    Or click Add Subnet and select Import CSV from the drop-down menu to import the subnet range in a .csv file using the file manager on your system.

  6. Specify an IP address as external IP address for a location within your network.

    Under External address, enter the IP address you want to use here, for example, 10.60.70.100. You can also add a plain-text comment for this IP address.

    You can also specify more than one IP address as external IP address here. Use the + icon to add IP addresses.

    Or click Add Address and select Import CSV from the drop-down menu. Then, using the file manager on your system, import the external IP address in a .csv file.

  7. Click Save.

    The new location is created and Secure Web Gateway allocates a primary and a secondary GRE tunnel.

    A message informs you that you still need to publish this configuration change.

  8. Click OK in the message window.

    You are directed to the main setup page again, where the new location that you configured is shown in the Configure Locations section.

  9. To publish this configuration change, click the yellow shield icon at the right and select Publish in the window that opens.

    A message informs you about the successful publication.

  10. Click OK in the message window.

    You are once again directed to the main setup page, where the name of the new location is still shown in the Configure Locations section.

  11. To view IP addresses and domain names that are related to your GRE tunnel configuration, click the name of the new location.

    The Configure Location page appears again. The mapping section now includes a subsection titled Provisioned Tunnels with IP addresses and domain names for your GRE tunnel configuration.

    The following table provides more details about these IP addresses and domain names.
     
    | Configuration item | Description |
    |---|---|
    | External source IP address | Address you configured as external IP address for a location in your network. For example, 10.60.70.100 |
    | Domain name for the first Point of Presence (PoP) | Domain name for the PoP that traffic is routed to through the primary GRE tunnel. For example, c75317554.gre.skyhigh.cloud. This domain name includes your customer ID, preceded by the letter c. You received this ID when you purchased Secure Web Gateway. To find out about the IP address for this PoP, you can perform a lookup with the nslookup command-line tool. Run the lookup command as follows: nslookup 1.c75317554.gre.skyhigh.cloud. The tool resolves the domain name and returns the IP address for the primary PoP. |
    | Domain name for the second Point of Presence (PoP) | Domain name for the PoP that traffic is routed to through the secondary GRE tunnel. For example, c75317554.gre.skyhigh.cloud. This domain name includes your customer ID, preceded by the letter c. You received this ID when you purchased Secure Web Gateway. To find out about the IP address for this PoP, you can perform a lookup with the nslookup command-line tool. Run the lookup command as follows: nslookup 2.c75317554.gre.skyhigh.cloud. The tool resolves the domain name and returns the IP address for the secondary PoP. |
    | Internal source IP address for the primary GRE tunnel | Virtual IP address used to route web traffic originating from your network through the primary GRE tunnel. For example, 10.64.3.30/32 |
    | Internal destination IP address for the primary GRE tunnel | Virtual IP address used to route web traffic to Secure Web Gateway on a PoP through the primary GRE tunnel. For example, 10.64.3.31/32 |
    | Internal source IP address for the secondary GRE tunnel | Virtual IP address used to route web traffic originating from your network through the secondary GRE tunnel. For example, 10.64.3.32/32 |
    | Internal destination IP address for the secondary GRE tunnel | Virtual IP address used to route web traffic to Secure Web Gateway on a PoP through the secondary GRE tunnel. For example, 10.64.3.33/32 |

You have now configured a location within your network with two GRE tunnels for routing web traffic from your network to Secure Web Gateway.
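
As a pre-flight check for steps 5, 6 and 11, the following Python example (added here, not Skyhigh Security code) validates the reserved subnets, flags an external address that lies inside a reserved subnet, and compares the provisioned tunnel addresses with networks already in use. The function names, the `local_nets` inventory and the comparison against local networks are assumptions for illustration; the sample values are the ones shown on this page.

```python
import ipaddress

def pop_lookup_names(customer_id):
    """Build the names passed to nslookup for the primary (1.) and secondary (2.) PoP."""
    base = f"c{customer_id}.gre.skyhigh.cloud"
    return [f"1.{base}", f"2.{base}"]

def check_location(reserved, external, provisioned, local_nets):
    """Return findings as strings; an empty list means no conflict was found."""
    findings, reserved_nets = [], []
    for entry in reserved:
        try:
            # strict=True rejects entries with host bits set, e.g. 100.64.0.5/24
            reserved_nets.append(ipaddress.ip_network(entry, strict=True))
        except ValueError as err:
            findings.append(f"reserved subnet {entry!r} is not a valid range: {err}")
    for addr in external:
        ip = ipaddress.ip_address(addr)
        for net in reserved_nets:
            if ip in net:
                findings.append(f"external address {ip} lies inside reserved subnet {net}")
    # Assumption: local_nets is your own inventory of subnets in use on site.
    local = [ipaddress.ip_network(n) for n in local_nets]
    for name, value in provisioned.items():
        tunnel_ip = ipaddress.ip_interface(value).ip
        for net in local:
            if tunnel_ip in net:
                findings.append(f"{name} {tunnel_ip} collides with local network {net}")
    return findings

# Constructed sample input, reusing the example values shown on this page.
PROVISIONED = {
    "primary internal source": "10.64.3.30/32",
    "primary internal destination": "10.64.3.31/32",
    "secondary internal source": "10.64.3.32/32",
    "secondary internal destination": "10.64.3.33/32",
}

if __name__ == "__main__":
    print(pop_lookup_names("75317554"))
    for finding in check_location(
        reserved=["100.64.0.0/24"],
        external=["10.60.70.100"],
        provisioned=PROVISIONED,
        local_nets=["10.60.0.0/16", "10.64.0.0/22"],  # hypothetical inventory
    ):
        print("FINDING:", finding)
```

A collision finding for a tunnel address points at a local range that is a candidate for the reserved subnets list in step 5.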