Endpoint Agent VPN Support
The ThousandEyes Endpoint Agent supports end-to-end visibility of network nodes and metrics for traffic that traverses a number of virtual private networks (VPNs). When present, the VPN will be displayed on the path visualization, and the client will populate the VPN Vendor attribute visible in the various Endpoint Agent views. VPN filters can also be applied to each view.
Users can shift between showing the overlay (the path between the VPN gateway and the application) or the underlay (the path between the user and the VPN gateway) path trace, as well as collapse/expand them. This reduces the potentially large number of hops when combining the overlay and underlay in one view.

Supported VPNs

ThousandEyes supports the following VPNs for the Endpoint Agent:
    Cisco AnyConnect
    F5 FirePass SSL VPN
    Palo Alto Global Protect
    Pulse Secure Connect
    ZScaler Internet Access (ZIA)
ZScaler (ZIA) uses proxies, direct-only TCP traffic, and other methods. This results in a number of support limitations, outlined in the table below.
Deployment Type
Visibility to Proxy (Underlay)
End to End Visibility (Overlay)
Cisco AnyConnect
Yes*
Yes*
F5 VPN
Yes
Yes
Palo Alto Global Protect
Yes
Yes
Pulse Secure Connect
Yes
Yes
Zscaler via PAC File
Yes
No
Zscaler Client Connector with Local Proxy
No (proxy on loopback)
No
Zscaler Client Connector with LWF driver (default on Windows) + Tunnel 1.0
Yes
No
Zscaler Client Connector with LWF driver + Tunnel 2.0
No
Yes**
Zscaler Client Connector with Route driver (default on macOS) + Tunnel 1.0
Yes
No
Zscaler Client Connector with Route driver + Tunnel 2.0
Yes
Yes**
*Due to a Cisco ASA security mechanism, if TCP support is being used in an environment where the underlay is visible correctly, but the overlay is not showing, you will need to contact ThousandEyes Support and request that the appropriate TCP flag is enabled.
**ICMP must be allowed on the local firewall for end-to-end visibility.

VPN Configuration

No additional configuration is required to enable VPN support.

Labels

You can use labels to configure scheduled tests to run only while a user is on a VPN. For more information on configuring labels, see Creating Endpoint Agent Labels.

Limitations and Caveats

    ThousandEyes recommends using TCP-based testing, as some VPNs block ICMP traffic.
    Full-tunnel VPNs will not allow any traffic outside the tunnel. As such, ThousandEyes may be unable to provide visibility to the underlay (the physical connection between the endpoint and the VPN gateway).

Additional Information

The Endpoint Agent passively monitors the VPN’s state by inspecting the VPN client’s logs. If an Endpoint Agent stops working or doesn’t work as expected, ThousandEyes recommends that you open a Support case, and include the specific VPN client version and the VPN client’s logs in the case.
Last modified 1mo ago