Find the IP addresses of the best and second-best available Points of Presence (PoPs) and use them when configuring the primary and secondary IPsec or GRE tunnels.
Secure Web Gateway is delivered from the Skyhigh Security Cloud platform, which consists of globally distributed nodes called Points of Presence (PoPs). The Global Routing Manager (GRM) is a DNS service that is responsible for intelligent traffic routing, load sharing, and failover. The GRM routes traffic to the best available point of presence.
For a global map of PoPs with setup, status, and support information, see Skyhigh Security Status.
Finding the Best-Available PoPs
You can find the best-available Points of Presence (PoPs) using the nslookup command-line tool to query the Global Routing Manager (GRM). GRM returns the IP addresses of the best-available PoPs based on your location.
You need these addresses when configuring IPsec or GRE tunnel interfaces on your networking device or in your SD-WAN service.
To find these IP addresses, run the tool from your network, as shown in the examples below. Each example queries two names: the first returns the best-available PoP and the second returns the second-best-available PoP.
- For IPsec

  nslookup 1.network.c<customer_id>.wgcs.skyhigh.cloud
  nslookup 2.network.c<customer_id>.wgcs.skyhigh.cloud

- For GRE

  nslookup 1.c<customer_id>.gre.wgcs.skyhigh.cloud
  nslookup 2.c<customer_id>.gre.wgcs.skyhigh.cloud
Use the IP addresses returned by nslookup. Do not use the FQDNs to configure the VPN gateway address in SD-WAN. The use of FQDNs is not supported by all vendors' routers or SD-WAN profile configurations and may result in connectivity issues.
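As an added example (not Skyhigh's own tooling), the following POSIX shell script builds the two GRM names from the patterns above and extracts only the PoP addresses from nslookup output, skipping the resolver's own Server/Address lines that nslookup prints first. The customer ID 12345678 and the resolver and PoP addresses in the sample output are constructed.

```shell
#!/bin/sh
# Added example, not Skyhigh's own code. Customer ID and addresses are constructed.

# grm_name <1|2> <customer_id> <ipsec|gre>  -> prints the GRM FQDN to query
grm_name() {
  case "$3" in
    ipsec) printf '%s.network.c%s.wgcs.skyhigh.cloud\n' "$1" "$2" ;;
    gre)   printf '%s.c%s.gre.wgcs.skyhigh.cloud\n' "$1" "$2" ;;
    *)     echo "usage: grm_name <1|2> <customer_id> <ipsec|gre>" >&2; return 1 ;;
  esac
}

# pop_ips: read nslookup output on stdin and print only the answer addresses.
# The leading Server:/Address: pair is the DNS resolver that answered, not a
# PoP, so everything before the Name: line is skipped. A "#53" port suffix
# (Linux) and the multi-line "Addresses:" form (Windows) are both handled.
pop_ips() {
  tr -d '\r' | awk '
    /^Name:/ { in_answer = 1; next }
    in_answer && /^Address(es)?:/ { sub(/#.*/, "", $2); print $2; next }
    in_answer && /^[ \t]+[0-9A-Fa-f.:]+$/ { print $1 }
  '
}

# resolve_pop <1|2> <customer_id> <ipsec|gre>: live query, needs network access.
resolve_pop() {
  nslookup "$(grm_name "$@")" | pop_ips | head -n 1
}

# Constructed nslookup output in the form a Linux nslookup prints.
SAMPLE_NSLOOKUP='Server:   10.0.0.53
Address:  10.0.0.53#53

Non-authoritative answer:
Name:     1.network.c12345678.wgcs.skyhigh.cloud
Address:  203.0.113.10'

# Parse the sample instead of querying: the resolver 10.0.0.53 must not
# appear in the result; only the PoP address 203.0.113.10 is printed.
sample_pop_ip() {
  printf '%s\n' "$SAMPLE_NSLOOKUP" | pop_ips
}

if [ "${1:-}" = "demo" ]; then
  echo "Primary IPsec name: $(grm_name 1 12345678 ipsec)"
  echo "Parsed PoP IP:      $(sample_pop_ip)"
fi
```

Run with `sh script.sh demo` to see the parsed sample; use `resolve_pop 1 <customer_id> ipsec` on your own network for the live answer.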
Secure Web Gateway (which replaces the legacy Web Gateway Cloud Service and SaaS Web Protection web security products) is delivered as part of the Security Service Edge (SSE) solution.
The Global Routing Manager (GRM) routes traffic to the best-available Point of Presence (PoP). For example, if a user works from an endpoint in Italy, traffic is routed to the closest PoP in Europe, rather than to North America or Asia. If that same user travels to New York City, traffic is routed to the PoP in New York, unless restricted by your web policy.
The GRM is a DNS-based load-balancing service that returns to the endpoint the address of the closest PoP. It considers the following information:
- Geo-location of the user or endpoint
- DNS request IP address
- Proxy DNS name
The geo-location is needed to achieve the best performance and provide localized internet content to improve user experience. To achieve a good approximation of the geo-location of the endpoint, the IP address of the endpoint sent with a DNS request to the GRM is important.
The IP address seen on the GRM is typically not the same as the client IP address of an HTTP request. Instead, it is the IP address of the DNS resolver that the endpoint uses.
If you use cloud DNS services, such as Google DNS or OpenDNS, the geo-location reported for an endpoint might not be the correct geo-location in which the endpoint is located. These cloud DNS services use outbound IP addresses that are geo-located within the United States.
The same behavior applies if you manage your own centralized DNS infrastructure in a specific country or region. This behavior can also impact user experience while receiving webpage content in a foreign language.
NOTE: There is no issue if you are using a decentralized DNS infrastructure.
When using cloud DNS services or a centralized DNS infrastructure, you can work with prefixes to specify the preference for a Point of Presence (PoP) in a country or a region.
Use prefixes only if needed. Use of a prefix overrules the dynamic routing logic of GRM. This means that users might experience performance issues when traveling. Network latency, dynamic failover, and load-balancing issues can also occur.
Use of a prefix for proxy settings to specify the preference for a Point of Presence (PoP) in a country or region will result in the following:
- Country-specific prefix — The best-available PoP within the country is selected.
- Region-specific prefix — The best-available PoP within the region is selected.
Review these examples:
- uk.c12345678.wgcs.skyhigh.cloud — Country-specific prefix for the United Kingdom when using SSE
- uk.c12345678.hybrid.skyhigh.cloud — Country-specific prefix for the United Kingdom when using the Web Protection Suite Hybrid solution with Skyhigh Client Proxy (SCP)
If no PoP is available in the country or region specified in the proxy host name, the preconfigured fallback is to use the closest PoP regardless of the country or region. Such a case, in which no PoP is available in the specified country or region, is quite unlikely.
Use the prefixes shown in the following tables.
| Country or region | Prefix |
|---|---|
| United Arab Emirates | ae |
| North America East Coast | na-east |
| North America West Coast | na-west |