Endpoint Agent VPN Support
Last updated
Last updated
The ThousandEyes Endpoint Agent supports end-to-end visibility of network nodes and metrics for traffic that traverses a number of virtual private networks (VPNs). When present, the VPN will be displayed on the path visualization, and the client will populate the VPN Vendor attribute visible in the various Endpoint Agent views. VPN filters can also be applied to each view.
Users can shift between showing the overlay (the path between the VPN gateway and the application) or the underlay (the path between the user and the VPN gateway) path trace, as well as collapse/expand them. This reduces the potentially large number of hops when combining the overlay and underlay in one view.
ThousandEyes supports the following VPNs for the Endpoint Agent:
Cisco AnyConnect
F5 BIG-IP APM VPN
Palo Alto Global Protect
Pulse Secure Connect (versions released after December 1, 2020 are not supported)
ZScaler Internet Access (ZIA)
ZScaler (ZIA) uses proxies, direct-only TCP traffic, and other methods. This results in a number of support limitations, outlined in the table below.
Deployment Type
Visibility to VPN Gateway (Underlay) with TCP
Visibility to VPN Gateway (Underlay) with ICMP
End to End Visibility (Overlay) with TCP
End to End Visibilty (Overlay) with ICMP
Cisco AnyConnect
Yes*
Yes
Yes*
Yes
F5 VPN
Yes
Yes
Yes
Yes
Palo Alto Global Protect
Yes
Yes
Yes
Yes
Pulse Secure Connect
Yes
Yes
Yes
Yes
Zscaler via PAC File
Yes
Yes
No
No
Zscaler Client Connector with Local Proxy
Yes
Yes
No
No
Zscaler Client Connector with LWF driver (default on Windows) + Tunnel 1.0
Yes
Yes
No
No
Zscaler Client Connector with LWF driver + Tunnel 2.0
Yes
Yes
No
Yes**
Zscaler Client Connector with Route driver (default on macOS) + Tunnel 1.0
Yes
Yes
No
No
Zscaler Client Connector with Route driver + Tunnel 2.0
Yes
Yes
No
Yes**
*Due to a Cisco ASA security mechanism, if TCP support is being used in an environment where the underlay is visible correctly, but the overlay is not showing, you will need to contact ThousandEyes Support and request that the appropriate TCP flag is enabled.
**ICMP must be allowed on the local firewall for end-to-end visibility.
No additional configuration is required to enable VPN support.
You can use labels to configure scheduled tests to run only while a user is on a VPN. For more information on configuring labels, see Creating Endpoint Agent Labels.
ThousandEyes recommends using TCP-based testing, as some VPNs block ICMP traffic.
Full-tunnel VPNs will not allow any traffic outside the tunnel. As such, ThousandEyes may be unable to provide visibility to the underlay (the physical connection between the endpoint and the VPN gateway).
The Endpoint Agent passively monitors the VPN’s state by inspecting the VPN client’s logs. If an Endpoint Agent stops working or doesn’t work as expected, ThousandEyes recommends that you open a Support case, and include the specific VPN client version and the VPN client’s logs in the case.
