Performance monitoring of private applications accessed remotely via VPN has always been a challenge. The encrypted tunnel between the user and the data center blocked the ability to truly understand what might have been causing performance issues on those network connections. Without a proper flashlight, this dark tunnel often hid the root cause of persistent problems.
This is the bane of any VPN administrator’s existence—the all-too-predictable support ticket: “my experience accessing this app over the VPN is extremely slow! But it works fine when I’m at my desk…” How do you even begin to troubleshoot? It could be a memory or CPU constraint on the user’s device, slow local WiFi, congestion in the local ISP, problems on the backbone, congestion in the data center or cloud hosting environment, or latency on the back-end app server. Enter Zscaler...
The Zscaler Zero Trust Exchange (ZTE) provides seamless, zero trust access to private applications running in the public cloud or within the data center, and Zscaler Private Access (ZPA) ensures that applications are never exposed to the internet, making them completely invisible to unauthorized users and to traditional monitoring tools. With the integration of Zscaler Digital Experience (ZDX) and ZPA, it is now possible to understand the user experience of accessing internal applications from both the application and the network perspective.
Visibility is the foundation of zero trust; you can’t protect what you don’t know about. Replacing your legacy VPN with ZPA allows ZDX to shine a bright light into that dark tunnel, an area where even traditional monitoring tools have no visibility.
Figure 1: Traditional monitoring tools cannot monitor the performance of private applications, but ZDX uniquely provides deep visibility
Using ZDX, application performance, network performance, and device health statistics are collected for every employee every few minutes and used to calculate a ZDX score that reflects the user’s experience with that private (or public) application. The health data is aggregated across all regions, offices, and users to provide macro-level visibility into company-wide performance and degradations.
Figure 2: ZDX shows the performance of both public and private applications, by calculating the ZDX score of individual users
This ZDX score is combined with hop-by-hop network path analytics using CloudPath to provide segment-by-segment latency and loss breakdowns to easily isolate the network’s contribution to performance degradations (see Figure 3).
Figure 3: CloudPath calculates segment latency every few minutes from every employee for both private and public applications
CloudPath leverages Zscaler’s integrated Client Connector agent and the Zero Trust Exchange itself to measure network performance. This allows CloudPath to make use of ZDX’s unique 360-degree monitoring (see my recent blog here). The network path analysis is run outbound from the client endpoint and also inbound from the Zscaler cloud, taking advantage of the Zscaler cloud’s own vantage point on the network path. This is combined with the network path between the Zscaler cloud and the private application, including the App Connector hop. All in all, CloudPath creates an end-to-end view of the network path by stitching these path traces together (see Figure 4).
Figure 4: ZDX exposes hop-by-hop network details for an internal application protected by ZPA
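As an added illustration (not Zscaler’s code; the hop names, RTT values and segment labels are constructed), this Python sketch stitches three path legs measured from different vantage points into one cumulative end-to-end path and attributes latency increments and silent hops to each segment, the kind of segment-by-segment breakdown the paragraph above describes CloudPath producing.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class Hop:
    name: str                 # hop label (constructed sample value)
    segment: str              # which leg of the end-to-end path the hop belongs to
    rtt_ms: Optional[float]   # RTT from the leg's own vantage point; None = no reply

# Constructed sample legs: client outbound, Zscaler cloud toward the App
# Connector, and App Connector to the application host (hypothetical values).
LEGS: List[List[Hop]] = [
    [Hop("laptop-gateway", "user-to-isp", 2.0),
     Hop("isp-edge", "user-to-isp", 14.0),
     Hop("backbone-a", "isp-to-zscaler", 20.0),
     Hop("backbone-b", "isp-to-zscaler", None),           # silent hop, counted as loss
     Hop("zpa-public-service-edge", "isp-to-zscaler", 26.0)],
    [Hop("dc-router", "zscaler-to-connector", 5.0),
     Hop("app-connector", "zscaler-to-connector", 66.0)],  # large jump on this leg
    [Hop("app-host", "connector-to-app", 1.5)],
]

def stitch_legs(legs: List[List[Hop]]) -> List[Tuple[Hop, Optional[float]]]:
    """Chain per-leg traces into one path with cumulative RTT from the client.
    Each leg is relative to its own start, so it is offset by the previous leg's end."""
    stitched: List[Tuple[Hop, Optional[float]]] = []
    offset = 0.0
    for leg in legs:
        for hop in leg:
            stitched.append((hop, None if hop.rtt_ms is None else offset + hop.rtt_ms))
        offset = stitched[-1][1]
        assert offset is not None, "the endpoint of each leg must reply"
    return stitched

def segment_breakdown(path: List[Tuple[Hop, Optional[float]]]) -> Dict[str, Dict[str, float]]:
    """Attribute per-hop latency increments and silent hops to their segment."""
    out: Dict[str, Dict[str, float]] = {}
    prev = 0.0   # cumulative RTT at the last hop that replied
    for hop, cum in path:
        seg = out.setdefault(hop.segment, {"latency_ms": 0.0, "lost_hops": 0})
        if cum is None:
            seg["lost_hops"] += 1
            continue
        # Hop RTTs are not strictly monotonic (ICMP replies get deprioritised), so clamp at 0.
        seg["latency_ms"] += max(0.0, cum - prev)
        prev = cum
    return out

def worst_segment(breakdown: Dict[str, Dict[str, float]]) -> str:
    """Return the segment contributing the most latency to the end-to-end path."""
    return max(breakdown, key=lambda s: breakdown[s]["latency_ms"])
```

With the sample legs, the breakdown attributes 66 ms of the 93.5 ms end-to-end RTT to the Zscaler-to-App-Connector segment, which is the segment an operator would investigate first.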
ZDX exposes the hops and network details of the connection between the user’s device, their gateway, and their ISP. These hops are invisible to traditional monitoring tools and in VPN environments.
Figure 5: ZDX displays the connection between the user device and their gateway and ISP
ZDX also identifies each of the hops between the user’s ISP and the Zscaler cloud, showing which backbone providers the private application traffic is connecting through.
Figure 6: Peer into the connection between the user’s ISP and the Zscaler ZPA Public Service Edge
Zscaler Private Access provides zero trust access to private applications through the use of an App Connector. App Connectors provide the secure, authenticated interface between a customer’s servers and the ZPA cloud. ZDX highlights the network hops between the ZPA Public Service Edge and the App Connector, along with any unusually high-latency hops on that path.
Figure 7: Look into the connection between ZPA Public Service Edge and App Connector
Finally, ZDX can provide details into the hops and latency between the App Connector and the private application. While App Connectors are typically deployed very close to the application host, there may be circumstances where this is not the case as seen in Figure 8.
Figure 8: Peer into the connection between the App Connector and the application host
We finally have the tool we need to address that painful support ticket and identify exactly why access to an application may be slow for a remote user when it works fine on premises. ZDX and ZPA, working together, illuminate the invisible by shining a bright light into zero trust environments.