Routing Web Traffic to PoPs

Last updated
Save as PDF

Find the IP addresses of the best and second-best available Points of Presence (PoPs) and use them when configuring the primary and secondary IPsec or GRE tunnels.

Secure Web Gateway is delivered from the Skyhigh Security Cloud platform, which consists of globally distributed nodes called Points of Presence (PoPs). The Global Routing Manager (GRM) is a DNS service that is responsible for intelligent traffic routing, load sharing, and failover. The GRM routes traffic to the best available point of presence.

For a global map of PoPs with setup, status, and support information, see Skyhigh Security Status.

Finding the Best-available PoPs

You can find the best-available Points of Presence (PoPs) using the nslookup command-line tool to query the Global Routing Manager (GRM). GRM returns the IP addresses of the best-available PoPs based on your location.

You need these addresses when configuring IPsec or GRE tunnel interfaces on your networking device or in your SD-WAN service.

To find these IP addresses, run the tool from your network, as shown in the examples below. Each of the examples shows two PoPs, which are first and second with regard to their availability.

For IPsec

nslookup 1.network.c<customer_id>.wgcs.skyhigh.cloud
nslookup 2.network.c<customer_id>.wgcs.skyhigh.cloud

For GRE

nslookup 1.c<customer_id>.gre.wgcs.skyhigh.cloud
nslookup 2.c<customer_id>.gre.wgcs.skyhigh.cloud

Use the IP addresses returned by nslookup. Do not use the FQDNs to configure the VPN gateway address in SD-WAN. The use of FQDNs is not supported by all vendors' routers or SD-WAN profile configurations and may result in connectivity issues.

Environment

Secure Web Gateway (replacing the legacy Web Gateway Cloud Service and SaaS Web Protection web security products) as part of the Security Service Edge (SSE) solution.

Summary

The Global Routing Manager (GRM) routes traffic to the best-available Point of Presence (PoP). For example, if a user works from an endpoint in Italy, traffic is routed to the closest PoP in Europe, rather than to North America or Asia. If that same user travels to New York City, traffic is routed to the PoP in New York, unless restricted by your web policy.

The GRM is a DNS-based load-balancing service that returns to the endpoint through the route to the closest PoP. It considers the following information:

Geo-location of the user or endpoint
DNS request IP address
PoP availability
Proxy DNS name

The geo-location is needed to achieve the best performance and provide localized internet content to improve user experience. To achieve a good approximation of the geo-location of the endpoint, the IP address of the endpoint sent with a DNS request to the GRM is important.

The IP address seen on the GRM is typically not the same as the client IP address of an HTTP request. Instead, it is the IP address of the DNS resolver that the endpoint uses.

Problem

If you use cloud DNS services, such as Google DNS or OpenDNS, the geo-location reported for an endpoint might not be the correct geo-location in which the endpoint is located. These cloud DNS services use outbound IP addresses that are geo-located within the United States.

The same behavior applies if you manage your own centralized DNS infrastructure in a specific country or region. This behavior can also impact user experience while receiving webpage content in a foreign language.

NOTE: There is no issue if you are using a decentralized DNS infrastructure.

Solution

When using cloud DNS services or a centralized DNS infrastructure, you can work with prefixes to specify the preference for a Point of Presence (PoP) in a country or a region within a country.

Use prefixes only if needed. Use of a prefix overrules the dynamic routing that would be performed by the GRM. This means that users might experience performance issues when traveling. Network latency, dynamic failover, and load-balancing issues can also occur.

Use of a prefix for proxy settings to specify the preference for a Point of Presence (PoP) in a country or region within a country will result in the following:

Country-specific prefix — The best-available PoP within the country is selected.
Region-specific prefix — The best-available PoP within the region is selected.

Review these examples:

uk.c12345678.wgcs.skyhigh.cloud — Country-specific prefix for the United Kingdom when using SSE
uk.c12345678.hybrid.skyhigh.cloud — Country-specific prefix for the United Kingdom when using the Web Protection Suite Hybrid solution with Skyhigh Client Proxy (SCP)

If no PoP is available in the country or region specified in the proxy host name, the preconfigured fallback is to use the closest PoP regardless of the country or region. It is quite unlikely then that no PoP would be available.

Tables of Prefixes

For your configuration, use the prefixes shown in the following tables.

Africa	Prefix
South Africa	za

Asia	Prefix
Hong Kong	hk
India	in
India North	in-north
India West	in-west
Japan	jp
Korea	kr
Philippines	ph
Singapore	sg
Taiwan	tw
Thailand	th

Europe	Prefix
Austria	at
Belgium	be
Croatia	hr
Czech Republic	cz
Denmark	dk
Finland	fi
France	fr
Germany	de
Greece	gr
Hungary	hu
Ireland	ie
Italy	it
Netherlands	nl
Norway	no
Poland	pl
Portugal	pt
Romania	ro
Serbia	rs
Slovakia	sk
Slovenia	si
Spain	es
Sweden	se
Switzerland	ch
Turkey	tr
United Kingdom	uk

Middle East	Prefix
Israel	il
Saudi Arabia	sa
United Arab Emirates	ae

North America	Prefix
Canada	ca
Mexico	mx
North America East Coast	na-east
North America West Coast	na-west
USA East	us-east
USA Midwest	us-midwest
USA South	us-south
USA West	us-west

Pacific	Prefix
Australia	au
Australia East	au-east
Australia West	au-west
New Zealand	nz

South America	Prefix
Argentina	ar
Bolivia	bo
Brazil	br
Chile	cl
Colombia	co
Paraguay	py
Peru	pe
Uruguay	uy
Venezuela	ve