Best Practices for Testing and Rolling Out SSL Inspection

As a best practice, Zscaler recommends that you enable SSL inspection on a small location or test lab before enabling it on all locations in your organization. This allows you to test your deployment of SSL inspection with a select number of users.

To enable SSL inspection, first deploy the Zscaler or custom intermediate root certificate. Then, enable SSL inspection for the location or sub-location you will use for testing.

Testing SSL Inspection

Before testing SSL inspection, define the set of users you want to use for testing. For example, you can choose users from the IT department, such as application authors and owners, support staff members, proxy team members, or security team members. You can also choose managers and end users from non-IT departments.

To test SSL inspection:

  1. Compile a list of the websites and applications that your organization uses for everyday operations. Remember to include vendor sites and applications.
  2. Enable SSL inspection for the websites and applications from the list by configuring the SSL inspection policy, and then have the users test them.

    Note: When you are configuring the SSL inspection policy, you are specifying the URL categories or applications that you do not want the service to inspect. For example, if you want to enable SSL inspection for the Legal Liability categories only, in the Do Not Inspect Sessions to these URL Categories section, you must select all of the URL categories except the Legal Liability categories. The Zscaler service will not perform SSL inspection on the specified URL categories, but will perform SSL inspection on the Legal Liability categories.
  3. Note that you may need to exempt some sites from SSL inspection permanently, or report sites to Zscaler Support to identify the cause of failure.
  4. After testing the list of websites and applications, test SSL inspection for the URL categories. As a best practice, Zscaler recommends that you enable SSL inspection for only certain URL categories at a time, and include the rest of the categories in the list of URL categories for which SSL transactions will not be decrypted. Then, when your organization is ready, enable SSL inspection for all URL categories except Finance and Health, to allay privacy concerns within the organization.

Enable and test SSL inspection for the URL categories in the order of the phases shown below.

Before testing the URL categories in phase 2, remember to keep SSL inspection enabled for the URL categories in phase 1.

Before testing the URL categories in phase 3, remember to keep SSL inspection enabled for the URL categories in phases 1 and 2.

Phase 1
Adult Themes
Alcohol and Tobacco
Anonymizer
Computer Hacking
Copyright Infringement
Drugs
Gambling
Mature Humor
Militancy, Hate and Extremism
Nudity
Other Adult Material
Other Illegal or Questionable
Other Security
Peer-to-Peer Site
Pornography
Profanity
Questionable
Social Networking Adult
Spyware/Adware
Tasteless
Violence
Weapons/Bombs

Phase 2
Adult Sex Education
Alt or New Age
Alternate Lifestyle
Art and Culture
Continuing Education/Colleges
Corporate Marketing
Cult
Dining and Restaurant
Entertainment
Family Issues
Finance
Games
Government
History
Hobbies and Leisure
Job/Employment Search
K-12
K-12 Sex Education
Lingerie/Bikini
Music
Online Auctions
Online Shopping
Other Education
Other Entertainment/Recreation
Other Games
Other Government and Politics
Other Information Technology
Other Internet Communication
Other Religion
Other Shopping and Auctions
Other Social and Family Issues
Other Society and Lifestyle
Politics
Radio Stations
Real Estate
Reference Sites
Science/Tech
Sexuality
Social Issues
Social Networking
Social Networking Games
Special Interests/Social Organizations
Sports
Television/Movies
Traditional Religion
Translators
Travel
Vehicle

Phase 3
Blogs
Classifieds
Discussion Forums
File Host
Image Host
Internet Services
Miscellaneous
News and Media
Online Chat
Other Business and Economy
Other Miscellaneous
Portals
Professional Services
Remote Access
Safe Search Engine
Shareware Download
Streaming Media
Web Banners
Web Host
Web Search
Webmail
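
The inverted selection described in the note under step 2, combined with the cumulative phases listed above, worked through as an added example (not Zscaler code): it computes which categories to select as "do not inspect" for each phase. The category universe is a constructed subset of the lists above and the function names are hypothetical; Finance appears in the phase 2 list but is kept exempt here, following the page's Finance and Health guidance.

```python
# Added example: category names below are a constructed subset of the page's
# phase lists; the real universe is the full category list in your tenant.
PHASES = [
    {"Anonymizer", "Computer Hacking", "Spyware/Adware"},   # phase 1 (subset)
    {"Finance", "Online Shopping", "Social Networking"},    # phase 2 (subset)
    {"File Host", "Remote Access", "Webmail"},              # phase 3 (subset)
]
ALWAYS_EXEMPT = {"Finance", "Health"}  # privacy carve-out named on the page
UNIVERSE = set().union(*PHASES) | ALWAYS_EXEMPT


def do_not_inspect(phase, universe=UNIVERSE, phases=PHASES, exempt=ALWAYS_EXEMPT):
    """Return the categories to select as 'do not inspect' for a 1-based phase.

    Phases are cumulative: testing phase N keeps phases 1..N-1 inspected.
    """
    if not 1 <= phase <= len(phases):
        raise ValueError(f"phase must be 1..{len(phases)}")
    inspected = set().union(*phases[:phase])
    unknown = inspected - universe
    if unknown:
        # A misspelled name would otherwise be silently dropped from the plan
        raise ValueError(f"not in category universe: {sorted(unknown)}")
    # The policy lists exemptions, so select the complement of what is
    # inspected, then add back the categories that must never be decrypted.
    return sorted((universe - inspected) | exempt)


def never_inspected(universe=UNIVERSE, phases=PHASES, exempt=ALWAYS_EXEMPT):
    """Categories that no phase covers and that are not deliberate exemptions."""
    return sorted(universe - set().union(*phases) - exempt)


if __name__ == "__main__":
    for n in range(1, len(PHASES) + 1):
        print(f"phase {n}: do not inspect -> {do_not_inspect(n)}")
    print("uncovered:", never_inspected())
```

Running `never_inspected` against the full category list before rollout shows any category that would stay undecrypted by omission rather than by decision.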