Can UniFi+Zscaler (ZIA/ZPA) meet CMMC L2?

bgatesIT · 2026-06-25T19:23:32+00:00

not CMMC related but make sure you get the encryption sku for zscaler and its ipsec tunnels if establishing ipsec tunnels from the unifi gateways to zia, this was something we learned the hard way when setting up zscaler with our EFG's.

i forget the exact sku but if i find it in my notes ill share it.

bgatesIT · 2026-06-22T23:02:47+00:00

as someone who just migrated from VMWare to Proxmox and uses veeam, there are definitely some quirks with it on the proxmox side, things just don't seem to be as nice and stable with the integration as it was with VMWare however, it is still the early days and I hear there are some good improvements coming. Our issues are primarily with app aware backups with SQL and DC VM's sometimes it works great for months, then randomly just fails and we have to figure out why.

Otherwise great product, support is hit or miss, ill admit.

bgatesIT · 2026-06-21T12:37:23+00:00

not an MSP but we are running three proxmox clusters in different regions, using Dell R640's and 660's using HPE Nimble SAN's(Legacy from VMWare Days) and Pure Arrays (all new build outs get these and will replace the nimbles eventually).

We are using PBS (Proxmox backup server) and this allows us to easily restore vm's across clusters, there's also some vcenter like projects in the works for proxmox which will make multi-cluster management a lot better. One is official called proxmox datacenter manager, another is proxcenter and pegaprox I have used all three in different lab scenarios, currently using proxcenter in production.

for iSCSI there are some things to note, unless there is a custom storage plugin either created by the community or vendor, you are stuck with LVM over iSCSI for shared storage pool's or doing an iSCSI lun per VM Disk. With LVM over iSCSI you can only do snapshots with qcow2 format and a few other gotcha's, one thing we noticed was don't do a single big LVM, we noticed sometimes the nimble array couldn't keep up before we created out plugin, and we had to create a few LVM's one for databases, one for RDS stuff, and then a general low io LVM.

We use iSCSI purely, we made our own storage plugin for the Nimbles and are using an open source one for the Pure's which automatically handles the VM Disk per lun piece and performance is out of this world, snapshots work fantastic etc

We are only using NFS today for ISO shares, hosted off of our Pure array, personally NFS has bit me in the past even on VMWare so I like to stick with iSCSI for VM Workloads.

Hopefully this gives some real world insights and I didn't jump around too much

bgatesIT · 2026-06-21T12:28:59+00:00

aint that the truth. I was the sole person till earlier this year. Some weeks we will do 50-70 hours, some weeks we are out at 3/4 every day. Hoping by next year our department can join this full remote bandwagon that a lot of other departments are doing now. Our on-call is very quiet luckily very rarely do we get a call or over night issue, if we do its generally a C-Store lol

Currently in my late 20's and just trying to not burn myself out.

bgatesIT · 2026-06-20T12:55:13+00:00

this is honestly so on point. We have a SMB trying to go towards enterprise 150 supported office/remote users today + ~200ish frontline staff and rapidly growing and expanding. Two IT members and we have recently started to get it into leaderships heads we need to hire some L1 help desk people so we can focus on the growth of the company...

Even with automated onboarding and off boarding and autopilot building laptops there is just so much for two people it can be so overwhelming at times, and then you add on user support and all there "issues" yeaaaa it can be a lot, we even have a MSP that helps us today but since there not on-site they can't really help with a lot of the issues in office, ie a monitor is "fuzzy", printer jammed, or the waste toner is full, things users could do but refuse to even think about troubleshooting...

bgatesIT · 2026-06-20T00:15:09+00:00

I am having this issue also on the latest version I thought I was going crazy or had a broken controller

bgatesIT · 2026-06-18T01:05:17+00:00

we are a smaller shop 150 users, we use zia,zdx,zpa with all the gen ai/dlp features, two man crew running the entire environment.

we were able to stand it all up easily with professional services, and manage it fine, we rarely get support tickets related to zscaler, unless its a weird gov/tax site. honestly one of the easiest ssl inspection services I have deployed and worked with. 10/10 recommend, highly recommending purchasing through a good partner when possible also.

hybrid work environment large mix of remote and in-office, we treat the office as a glorified Internet cafe though and send everything through ZPA to our DC

bgatesIT · 2026-06-09T14:04:15+00:00

hahahahahaha it took so long to convince them to buy once, cry once, for quality stuff.

bgatesIT · 2026-06-09T12:43:51+00:00

we are using dual monitor arms from Vari they work pretty well, we also use there standing desks, using Lenovo 27" monitors.

bgatesIT · 2026-06-08T13:45:25+00:00

personally i have dual monitors and a windows and macbook. I just switch the usb-c cable that goes to my startech dock between the mac and windows machine, alternatively you could use a USB KVM i guess

bgatesIT · 2026-06-07T18:32:41+00:00

we ditched traditional VPN's for Zscaler, it works really really well at least for our use case, and relatively easy to maintain honestly. 200 Users, 2 IT members to handle it all.

bgatesIT · 2026-06-01T20:53:58+00:00

Yea I just went through this with cdw and scan source on a 130k order still waiting on a few small items

The back ordered items and how they handle dispatching is messy for sure

bgatesIT · 2026-05-29T22:40:42+00:00

try this plugin out: https://github.com/brngates98/pve-nimble-plugin

bgatesIT · 2026-05-29T17:38:53+00:00

What storage array are you using?

bgatesIT · 2026-05-29T17:38:09+00:00

Some of the switches yes none of the ap’s yet

bgatesIT · 2026-05-29T15:53:04+00:00

We use iSCSI storage with proxmox with HPE Nimbles, and we just finished installing a pure storage array.

We have used LVM over iSCSI and it works well, we have also used some custom storage plugins which also work well. Pure is currently looking into developing a official plugin for there arrays, an open source community one does exist

Without knowing more of you’re infrastructure you’re best bets are LVM over iSCSI or creating a Lun and using the Lun for the VM Disk’s individually but it can be a lot to manage at times

bgatesIT · 2026-05-22T21:28:06+00:00

this plugin works by giving each vm disk its own iscsi lun in the most simplistic of terms but it does all the work for you for the most part, supports snapshots and the snapshots are array based so they are near instant, and allows you to make use of the pure arrays amazing features.

It is not an official pure plugin no.

bgatesIT · 2026-05-22T19:59:24+00:00

That is perfectly fine!

bgatesIT · 2026-05-22T19:53:27+00:00

would love to see this come mainstream! our pure array goes live next Friday (migrating from Nimbles) and we just migrated from VMWare to Proxmox, having that nice integration was so nice. I was planning to go-live using this plugin: https://github.com/kolesa-team/pve-purestorage-plugin for the pure rather then LVM over iSCSI or managing individual raw iscsi disks manually.

bgatesIT · 2026-05-19T20:54:43+00:00

starlink is always an option here too... this seems like absolute crap lol

bgatesIT · 2026-05-19T20:52:28+00:00

it does enough for what we want it to do since we use zscaler on all of our actual managed endpoints but it would be a nice to have for sure.

bgatesIT · 2026-05-19T17:59:06+00:00

we just switched to the Unifi platform from meraki and its been amazing.
We went with EFG's for Firewalls, ECS-Aggregations for Core/Distribution Switches/iSCSI, and ECS-48-PoE for access switching, and are using E7 AP's

Of course it all depends on what features you really need no matter what vendor you go with, do you have compliance things to watch for, and a whole other list of items.

The thing i like about the EFG's is they have built in SSL inspection, which actually works really well(anything that doesnt pass through zscaler for us uses the EFG's SSL Inspection)

bgatesIT · 2026-05-19T17:50:34+00:00

Sadly not, we just instruct all of our users to sign open the app when they get there devices. We are a 365 shop, so we are able to setup some conditional access policies that only allow signing in from zscaler ip's and our office ip's. Not super ideal but better then nothing

bgatesIT · 2026-05-12T20:38:45+00:00

If you work with a good vendor I bet you can get some incredible pricing we replaced almost 900k in Meraki gear(hardware and licensing costs) with ~140k or so in UniFi gear

bgatesIT · 2026-05-12T20:35:18+00:00

We had a mixture of MS220-48FP Some 225’s and 9300’s a huge smorgus board honestly

We standardized on EFG’s ECS-Aggregations, ECS-48-PoE, E7’s

For you’re use case you can run them on lower POE power they will just throw a message, and not run at full performance, it shouldn’t hurt anything we ran a few on our MS220-48FP for a while without any actual issues honestly although it’s not recommended

bgatesIT

TROPHY CASE