Before configuring IPsec tunnels from a location or site to Skyhigh Web Security Gateway Service, review these considerations.
- Routing only HTTP and HTTPS traffic — Configure the networking device or SD-WAN service to route only HTTP and HTTPS traffic through the IPsec tunnel. WGCS handles only IPsec traffic directed to ports 80 and 443 and drops any other traffic that it receives through the tunnel.
- Configuring two IPsec tunnels per location — Best practice is to configure primary and secondary IPsec tunnels. The primary tunnel is connected to the best available point of presence, while the secondary tunnel is connected to the second-best point of presence. This practice ensures continuous IPsec support in case one point of presence is not available.
- Configuring IPsec tunnels for multiple locations — If you are connecting more than one location, you can protect traffic and improve network latency by creating IPsec tunnels from each location to WGCS.
- Adding SAML authentication — You can add a SAML configuration to a location configured with IPsec mapping. WGCS uses SAML to authenticate requests received through the IPsec tunnel.
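
The first two considerations can be checked before a steering plan is deployed. The following is an added example, not Skyhigh code: it audits an ordered, first-match list of port rules and a tunnel inventory. The rule format, tunnel names, PoP labels and the "direct" default path are assumptions made for illustration.

```python
# Added example: audit a site's traffic-steering plan against the considerations above.
# The rule format, tunnel names and PoP labels are constructed for illustration.
WEB_PORTS = frozenset({80, 443})  # the only destination ports WGCS handles in the tunnel


def next_hop(rules, port):
    """Resolve a destination port against ordered rules; first match wins."""
    for ports, hop in rules:
        if ports is None or port in ports:  # None means "any port"
            return hop
    return "direct"  # assumed default: traffic leaves outside the tunnel


def audit(rules, tunnels):
    """rules: [(set_of_ports | None, hop)]; tunnels: {tunnel_name: pop_label}."""
    def in_tunnel(port):
        return next_hop(rules, port) in tunnels

    report = {
        # Non-web ports steered into a tunnel: WGCS drops this traffic.
        "dropped": [p for p in range(1, 65536) if p not in WEB_PORTS and in_tunnel(p)],
        # Web ports that never enter a tunnel: they do not reach the gateway.
        "bypass": sorted(p for p in WEB_PORTS if not in_tunnel(p)),
        "redundancy": None,
    }
    if len(tunnels) < 2:
        report["redundancy"] = "no secondary tunnel configured"
    elif len(set(tunnels.values())) < 2:
        report["redundancy"] = "both tunnels terminate at the same point of presence"
    return report


# Constructed sample plans.
GOOD_RULES = [({80, 443}, "tun-primary")]
GOOD_TUNNELS = {"tun-primary": "pop-a", "tun-secondary": "pop-b"}
BAD_RULES = [({443, 8443}, "tun-primary"), ({80}, "direct")]
BAD_TUNNELS = {"tun-primary": "pop-a", "tun-secondary": "pop-a"}

if __name__ == "__main__":
    print(audit(GOOD_RULES, GOOD_TUNNELS))
    print(audit(BAD_RULES, BAD_TUNNELS))
```

An empty `dropped` and `bypass` list with `redundancy` set to `None` means the plan sends only ports 80 and 443 into a tunnel and has two tunnels to different points of presence.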