Extend Site-to-Web Connectivity with IPsec-Firewall Integration
Skyhigh now enables organizations to extend policy enforcement beyond traditional web traffic through the integration of a cloud-based IPSec gateway and a cloud firewall. This integration allows IPSec-capable edge devices or gateways to forward all IP traffic, including both web and non-web protocols, over IPSec tunnels to the nearest Skyhigh Point of Presence (PoP). As a result, policy enforcement can be extended beyond web traffic to cover protocols such as DNS, FTP, SSH, and others that were previously outside the scope of Secure Web Gateway (SWG). This capability enables centralized policy enforcement and logging, providing full visibility and control over non-web traffic without requiring any endpoint installation. Consequently, organizations can secure their network edge more comprehensively without disrupting existing workflows or requiring additional client-side software.
Skyhigh used IPSec Site-to-Web (previously called Site-to-Site) tunnels to securely route web traffic (HTTP/HTTPS over ports 80 and 443) from branch locations to Skyhigh’s Secure Web Gateway (SWG). For more information on IPSec tunnel settings, see About Configuring IPSec Tunnels. Skyhigh’s Cloud Firewall enforced policy controls on all IP packets forwarded by the Skyhigh Client over WireGuard tunnels. For more information on supported protocols and Cloud Firewall settings, see About Skyhigh Cloud Firewall. With the integration of Site-to-Web tunnels and Cloud Firewall, the configuration ensures that web traffic is subjected to both policy enforcement and threat protection, while also enabling administrators to consistently apply access controls across all types of IP traffic.
NOTE: The administrator manages the entire setup through the Skyhigh SSE UI; no action is required from the end users.
Key Benefits of IPsec-Firewall Integration
- Unified Traffic Routing. All outbound traffic, including web and non-web traffic, routes via IPSec tunnels to the closest Skyhigh PoP near the user’s location.
- Policy Enforcement. Cloud Firewall enforces security controls across network and application layers using IP addresses, application control, geolocation and transport protocol attributes.
- Complementary to SWG. Adds additional security coverage for non-web traffic.
- Agentless Deployment. Provides an ideal environment where installing a Skyhigh Client is not feasible or preferred.
How It Works
All outbound traffic initiated from endpoints (laptops, desktops, or IoT devices) within a branch office is routed through an IPSec-capable edge device. This device establishes a secure IPSec tunnel with the nearest Skyhigh Point of Presence (PoP). Services in the PoP receive the traffic and enforce the configured security controls as per policy, such as allowing or blocking specific ports and protocols. All outbound traffic events are logged and made available to the Administrator for review and analysis.
Use Case
An organization aiming to inspect and control DNS and FTP traffic from branch offices can achieve this without installing Skyhigh Client on every endpoint by configuring an IPSec tunnel from the branch router to the Skyhigh cloud PoP, so that all outbound traffic, including DNS and FTP, is routed through the tunnel. At the Skyhigh PoP, firewall policies are applied to allow DNS traffic while blocking FTP uploads containing sensitive data, and logs are generated. Administrators can use these logs for auditing and compliance purposes.
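To make the enforcement and logging flow described above concrete, the following added example (not Skyhigh code, and not the Cloud Firewall's actual policy schema) models first-match firewall evaluation over flows arriving from a branch tunnel. The rule attributes (protocol, destination port, destination network, geolocation, application label) mirror the attribute kinds the page names; the flows, the `ZZ` region code, the `ftp-upload` application label and the `sensitive` flag standing in for a DLP verdict are all constructed for illustration.

```python
"""Toy model of first-match, default-deny firewall policy evaluation for
traffic forwarded over an IPsec tunnel, with a structured log event per
decision.  Added illustration only; not Skyhigh's policy engine or schema."""
import json
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Flow:
    src: str                      # branch endpoint address (constructed)
    dst: str                      # destination address (constructed)
    proto: str                    # "tcp", "udp" or "icmp"
    dport: Optional[int]          # destination port, None for ICMP
    geo: str                      # destination country code (constructed label)
    app: Optional[str] = None     # application label from inspection (constructed)
    sensitive: bool = False       # stand-in for a DLP match on the payload


@dataclass
class Rule:
    name: str
    action: str                                   # "allow" or "block"
    protos: Set[str] = field(default_factory=set)
    dports: Set[int] = field(default_factory=set)
    dst_nets: List[str] = field(default_factory=list)
    geos: Set[str] = field(default_factory=set)
    apps: Set[str] = field(default_factory=set)
    sensitive_only: bool = False

    def matches(self, flow: Flow) -> bool:
        # Every populated attribute must match; an empty attribute is a wildcard.
        if self.protos and flow.proto not in self.protos:
            return False
        if self.dports and flow.dport not in self.dports:
            return False
        if self.dst_nets and not any(
            ip_address(flow.dst) in ip_network(n) for n in self.dst_nets
        ):
            return False
        if self.geos and flow.geo not in self.geos:
            return False
        if self.apps and flow.app not in self.apps:
            return False
        if self.sensitive_only and not flow.sensitive:
            return False
        return True


def evaluate(rules: List[Rule], flow: Flow) -> Tuple[str, str]:
    """First matching rule wins; anything unmatched is blocked (default deny)."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action, rule.name
    return "block", "default-deny"


def log_event(flow: Flow, action: str, rule: str) -> dict:
    """One structured record per decision, the kind an administrator reviews."""
    return {
        "src": flow.src, "dst": flow.dst, "proto": flow.proto,
        "dport": flow.dport, "geo": flow.geo, "app": flow.app,
        "action": action, "rule": rule,
    }


# Constructed policy resembling the use case: allow DNS, block FTP uploads that
# carry sensitive data (allow other FTP), block SSH to one region, allow web.
POLICY = [
    Rule("allow-dns", "allow", protos={"udp", "tcp"}, dports={53}),
    Rule("block-ftp-sensitive-upload", "block", protos={"tcp"}, dports={21},
         apps={"ftp-upload"}, sensitive_only=True),
    Rule("allow-ftp", "allow", protos={"tcp"}, dports={21}),
    Rule("block-ssh-to-region", "block", protos={"tcp"}, dports={22}, geos={"ZZ"}),
    Rule("allow-web", "allow", protos={"tcp"}, dports={80, 443}),
]

# Constructed sample flows from a branch subnet 10.20.0.0/24.
SAMPLE_FLOWS = [
    Flow("10.20.0.11", "192.0.2.53", "udp", 53, "US"),
    Flow("10.20.0.12", "198.51.100.7", "tcp", 21, "US", app="ftp-upload", sensitive=True),
    Flow("10.20.0.12", "198.51.100.7", "tcp", 21, "US", app="ftp-download"),
    Flow("10.20.0.13", "203.0.113.9", "tcp", 22, "ZZ"),
    Flow("10.20.0.14", "203.0.113.80", "tcp", 443, "DE"),
    Flow("10.20.0.15", "203.0.113.5", "icmp", None, "DE"),
]


def run(rules: List[Rule], flows: List[Flow]) -> List[dict]:
    """Evaluate every flow and return the resulting log events in order."""
    return [log_event(f, *evaluate(rules, f)) for f in flows]


if __name__ == "__main__":
    for event in run(POLICY, SAMPLE_FLOWS):
        print(json.dumps(event))
```

Two design points worth noting: rule order matters, so the specific block rule for sensitive FTP uploads sits before the general FTP allow, and the ICMP flow shows why a default-deny final decision should still be logged, since it is exactly the unexpected traffic an administrator wants to see when reviewing the PoP logs.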
Troubleshoot IPSec Tunnel Issues
- Tunnel connectivity issues. Verify that the IPSec tunnel is correctly configured on the firewall and that it points to the correct Skyhigh PoP endpoint.
- Policy misconfiguration. Review the firewall policies applied at the PoP if the system does not block or allow traffic as expected.
- Log visibility. Confirm that logging is enabled and that the Administrator has access to the relevant dashboards.
- User access issues. Verify that the tunnel is active and that no blocking policies apply if users cannot access the internet.
For more details on connectivity issues and troubleshooting steps, see Troubleshoot IPSec Tunnel issues with Error Codes.
