Best Practices for Testing and Rolling Out SSL Inspection
As a best practice, Zscaler recommends that you enable SSL inspection on a small location or test lab before enabling it on all locations in your organization. This allows you to test your deployment of SSL inspection with a select number of users.
Testing SSL Inspection
Before testing SSL inspection, define the set of users you want to use for testing. For example, you can choose users from the IT department, such as application authors and owners, support staff members, proxy team members, or security team members. You can also choose managers and end users from non-IT departments.
To test SSL inspection:
- Compile a list of the websites and applications that your organization uses for everyday operations. Remember to include vendor sites and applications.
- Enable SSL inspection for the websites and applications from the list by configuring the SSL inspection policy, and then have the users test them.
Note: When you are configuring the SSL inspection policy, you are specifying the URL categories or applications that you do not want the service to inspect. For example, if you want to enable SSL inspection for the Legal Liability categories only, in the Do Not Inspect Sessions to these URL Categories section, you must select all of the URL categories except the Legal Liability categories. The Zscaler service will not perform SSL inspection on the specified URL categories, but will perform SSL inspection on the Legal Liability categories.
- You may need to exempt some sites from SSL inspection permanently, or report sites to Zscaler Support to identify the cause of failure.
- After testing the list of websites and applications, test SSL inspection for the URL categories. As a best practice, Zscaler recommends that you enable SSL inspection for only certain URL categories at a time, and include the rest of the categories in the list of URL categories for which SSL transactions will not be decrypted. Then, when your organization is ready, enable SSL inspection for all URL categories except Finance and Health, to allay privacy concerns within the organization.
Enable and test SSL inspection for the URL categories in the order of the phases shown below.
Before testing the URL categories in phase 2, remember to keep SSL inspection enabled for the URL categories in phase 1.
Before testing the URL categories in phase 3, remember to keep SSL inspection enabled for the URL categories in phases 1 and 2.
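Because the policy lists what is not inspected, and the phases are cumulative, the exclusion list for each phase is the complement of everything inspected so far. The planning helper below is an added example, not Zscaler code: every category name other than Legal Liability, Finance, and Health is a constructed placeholder, as is the phase plan, and categories are treated as a flat list of names.

```python
# Added example: names other than "Legal Liability", "Finance" and "Health"
# are constructed placeholders, and the phase plan is constructed as well.
ALL_CATEGORIES = [
    "Legal Liability", "Finance", "Health",
    "Example Category A", "Example Category B", "Example Category C",
]
NEVER_INSPECT = {"Finance", "Health"}  # kept exempt to allay privacy concerns
PHASES = [                             # constructed rollout order
    ["Legal Liability"],
    ["Example Category A", "Example Category B"],
    ["Example Category C"],
]


def do_not_inspect_lists(all_categories, phases, never_inspect):
    """Return, per phase, the categories to select under 'Do Not Inspect'.

    The policy is exclusion-based, so each list is everything that is not yet
    inspected. Phases are cumulative: earlier phases stay inspected.
    """
    known = set(all_categories)
    inspected = set()
    result = []
    for number, phase in enumerate(phases, start=1):
        wanted = set(phase)
        if unknown := wanted - known:
            raise ValueError(f"phase {number}: unknown categories {sorted(unknown)}")
        if blocked := wanted & set(never_inspect):
            raise ValueError(f"phase {number}: must stay exempt {sorted(blocked)}")
        if repeated := wanted & inspected:
            raise ValueError(f"phase {number}: already inspected {sorted(repeated)}")
        inspected |= wanted
        # Keep the input order so the list is easy to tick off in the policy.
        result.append([c for c in all_categories if c not in inspected])
    return result


if __name__ == "__main__":
    plan = do_not_inspect_lists(ALL_CATEGORIES, PHASES, NEVER_INSPECT)
    for n, excluded in enumerate(plan, start=1):
        print(f"Phase {n}: do not inspect -> {', '.join(excluded)}")
```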