Endpoint Agent VPN Support
Last updated
Last updated
The ThousandEyes Endpoint Agent supports end-to-end visibility of network nodes and metrics for traffic that traverses a number of virtual private networks (VPNs). When present, the VPN will be displayed on the path visualization, and the client will populate the VPN Vendor attribute visible in the various Endpoint Agent views. VPN filters can also be applied to each view.
Users can shift between showing the overlay (the path between the VPN gateway and the application) or the underlay (the path between the user and the VPN gateway) path trace, as well as collapse/expand them. This reduces the potentially large number of hops when combining the overlay and underlay in one view.
ThousandEyes supports the following VPNs for the Endpoint Agent:
Cisco AnyConnect
F5 BIG-IP APM VPN
Palo Alto Global Protect
Pulse Secure Connect (versions released after December 1, 2020 are not supported)
ZScaler Internet Access (ZIA)
ZScaler (ZIA) uses proxies, direct-only TCP traffic, and other methods. This results in a number of support limitations, outlined in the table below.
Deployment Type | Visibility to VPN Gateway (Underlay) with TCP | Visibility to VPN Gateway (Underlay) with ICMP | End to End Visibility (Overlay) with TCP | End to End Visibilty (Overlay) with ICMP |
Cisco AnyConnect | Yes* | Yes | Yes* | Yes |
F5 VPN | Yes | Yes | Yes | Yes |
Palo Alto Global Protect | Yes | Yes | Yes | Yes |
Pulse Secure Connect | Yes | Yes | Yes | Yes |
Zscaler via PAC File | Yes | Yes | No | No |
Zscaler Client Connector with Local Proxy | Yes | Yes | No | No |
Zscaler Client Connector with LWF driver (default on Windows) + Tunnel 1.0 | Yes | Yes | No | No |
Zscaler Client Connector with LWF driver + Tunnel 2.0 | Yes | Yes | No | Yes** |
Zscaler Client Connector with Route driver (default on macOS) + Tunnel 1.0 | Yes | Yes | No | No |
Zscaler Client Connector with Route driver + Tunnel 2.0 | Yes | Yes | No | Yes** |
*Due to a Cisco ASA security mechanism, if TCP support is being used in an environment where the underlay is visible correctly, but the overlay is not showing, you will need to contact ThousandEyes Support and request that the appropriate TCP flag is enabled.
**ICMP must be allowed on the local firewall for end-to-end visibility.
No additional configuration is required to enable VPN support.
You can use labels to configure scheduled tests to run only while a user is on a VPN. For more information on configuring labels, see Creating Endpoint Agent Labels.
ThousandEyes recommends using TCP-based testing, as some VPNs block ICMP traffic.
Full-tunnel VPNs will not allow any traffic outside the tunnel. As such, ThousandEyes may be unable to provide visibility to the underlay (the physical connection between the endpoint and the VPN gateway).
The Endpoint Agent passively monitors the VPN’s state by inspecting the VPN client’s logs. If an Endpoint Agent stops working or doesn’t work as expected, ThousandEyes recommends that you open a Support case, and include the specific VPN client version and the VPN client’s logs in the case.