Before Configuring an IPsec Tunnel
Before configuring an IPsec tunnel from a location within your network to Secure Web Gateway, review the following information.
- Routing only HTTP and HTTPS traffic — Configure your networking device or SD-WAN service to route only web traffic (HTTP and HTTPS) through an IPsec tunnel. Secure Web Gateway only handles IPsec traffic directed to ports 80 and 443 and drops any other traffic that it receives through the tunnel.
- Configuring two IPsec tunnels for a location — Best practice is to configure a primary and a secondary IPsec tunnel for each location. The primary tunnel is connected to the best available Point of Presence (PoP), while the secondary tunnel is connected to the second-best. This ensures continuous IPsec support in case one Point of Presence is not available.
- Configuring IPsec tunnels for each location — If you are connecting more than one location, you can improve traffic protection and network latency by creating IPsec tunnels from each location to Secure Web Gateway.
- Configuring SAML authentication — You can also configure SAML authentication for a location where you have configured an IPsec tunnel. Secure Web Gateway then uses this method to authenticate requests that it receives through the tunnel.
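The first two items above (web ports only, primary and secondary tunnel), sketched as policy routing for a Linux-based edge router. This is an added example, not vendor configuration: the interface names `lan0`, `ipsec0` and `ipsec1`, routing table 100, rule priorities 1000-1001 and the use of TCP are assumptions, since the page names only ports 80 and 443.

```shell
#!/bin/sh
# Added example (not vendor code). Assumed, hypothetical names: lan0 (LAN side),
# ipsec0/ipsec1 (route-based primary/secondary tunnel interfaces), table 100.
# TCP is assumed; the page names only ports 80 and 443.

# Print the iproute2 commands for: swg_plan LAN_IF PRIMARY_IF SECONDARY_IF TABLE
swg_plan() {
    lan_if=$1 primary_if=$2 secondary_if=$3 table=$4

    # Dedicated table: primary tunnel preferred, secondary used only once the
    # primary route is withdrawn (assumes the interface goes down with the tunnel).
    echo "ip route replace default dev $primary_if table $table metric 10"
    echo "ip route replace default dev $secondary_if table $table metric 20"

    # Only LAN traffic to TCP 80/443 consults that table; everything else keeps
    # using the main table and never enters the tunnel.
    prio=1000   # priorities 1000-1001 are assumed to be unused on this router
    for port in 80 443; do
        echo "ip rule del priority $prio 2>/dev/null || true"   # idempotent re-run
        echo "ip rule add priority $prio iif $lan_if ipproto tcp dport $port lookup $table"
        prio=$((prio + 1))
    done
}

# Read a plan on stdin and count rules that would send a non-web port
# into the tunnel, where Secure Web Gateway would drop the traffic.
swg_stray_ports() {
    grep '^ip rule add' | grep -cvE 'ipproto tcp dport (80|443) ' || true
}

swg_plan lan0 ipsec0 ipsec1 100
```

Review the printed commands, then pipe them to `sh -e` as root to apply them.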
When changing the configuration for an existing IPsec tunnel, be sure to complete the following high-level steps.
- Before you change the configuration, close the connection to the IPsec tunnel on your edge device. Follow the instructions provided for this device on how to complete the close-down.
- Change the configuration for the IPsec tunnel on the user interface for Secure Web Gateway as needed.
- Restart the connection.