Summer 2015 Release Update Summary
- Admin Portal Localized
Admins can now go to their profile and choose to view the admin portal in any of the following languages: English, Spanish, French, Traditional Chinese or Japanese.
- Single Sign-On for Admins
You can now integrate Zscaler admin authentication with your existing SAML single-sign on solution. Zscaler strongly recommends that you integrate Zscaler admin authentication with your existing two-factor system to provide passwordless authentication to the admin portal. Admins will be able to access the Zscaler admin portal from your IdP portal without having to remember or enter another password. You can choose to disable or retain password authentication for specific administrators.
- Admin Email and Updates
Starting with this release, new admin accounts are now required to have a valid email address. An admin can also choose to receive security, service and product updates.
- LDAP Enhancements
You can now specify an FQDN instead of an IP address for an LDAP server. The service will automatically connect to the available server and ignore those that are unavailable. This provides fault tolerance and resiliency against directory server failures.
- Kerberos Enhancements
- Zscaler Kerberos now supports Windows 2003.
- Alias support for Kerberos authentication
Users can now use sAMAccountName to authenticate with Kerberos, even if they are provisioned with a different email address attribute, such as UserPrincipalName. This is useful for organizations whose email domain differs from their Windows domain name.
- Increased PAC File Size
The maximum PAC file size has increased from 64 KB to 256 KB.
- IPsec Enhancement
Zscaler now supports multiple Phase 2 SAs for better interoperability with Cisco ASA.
- Import Sub-Locations
You can now import sub-locations as well as locations when you use the Import function on the Locations page in the admin portal.
- New Bandwidth Control Dashboard and Reports
The new Bandwidth Control dashboard provides real-time visibility into your organization’s bandwidth usage. It adds a new 30-day time interval, so admins can view bandwidth usage over the past 30 days. The 30-day trend chart of the Total Bandwidth Consumption widget displays the 95th percentile trend line, which is based on the 95th percentile of inbound or outbound traffic, whichever is higher. You can also drill down from a 30-day view to a 5-minute view directly on the chart. Additionally, there are new Bandwidth Control standard reports that you can view under Analytics > Interactive Reports, and under Analytics > Web Insights you can use the new bandwidth control data types and filters to analyze bandwidth usage.
Note that the Total Bandwidth Consumption widget will display the 95th percentile trend line only 30 days after the Bandwidth Control policy has been enabled.
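The 95th percentile trend line described above, worked through on constructed 5-minute samples as an added example (not Zscaler's code; the nearest-rank percentile method, the 5-minute sample granularity per day and the 30-complete-days requirement are assumptions made for illustration):

```python
import math
from typing import Dict, List, Sequence

SAMPLES_PER_DAY = 24 * 60 // 5   # 288 five-minute samples per day (assumed granularity)
REQUIRED_DAYS = 30               # trend line appears only once 30 days of data exist


def percentile_95(values: Sequence[float]) -> float:
    """Nearest-rank 95th percentile; the exact method the service uses is not stated."""
    if not values:
        raise ValueError("no samples")
    ordered = sorted(values)
    rank = math.ceil(0.95 * len(ordered))   # 1-based rank of the 95th percentile sample
    return ordered[rank - 1]


def trend_point(inbound: Sequence[float], outbound: Sequence[float]) -> float:
    """One trend-line point: 95th percentile of inbound or outbound, whichever is higher."""
    return max(percentile_95(inbound), percentile_95(outbound))


def trend_line(days: List[Dict[str, List[float]]]) -> List[float]:
    """Daily trend-line points for the last 30 days; empty until 30 complete days exist."""
    complete = [d for d in days
                if len(d["in"]) == SAMPLES_PER_DAY and len(d["out"]) == SAMPLES_PER_DAY]
    if len(complete) < REQUIRED_DAYS:
        return []
    return [trend_point(d["in"], d["out"]) for d in complete[-REQUIRED_DAYS:]]


def constructed_day(peak_in: float, peak_out: float, burst: int) -> Dict[str, List[float]]:
    """Constructed sample day: a flat baseline (1000 in / 800 out kbps) plus a burst
    of `burst` five-minute samples at the given peaks.  Bursts covering at most 5%
    of the samples (14 of 288) drop out of the 95th percentile; 15 or more show up."""
    base = SAMPLES_PER_DAY - burst
    return {"in": [1000.0] * base + [peak_in] * burst,
            "out": [800.0] * base + [peak_out] * burst}
```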
- Retain Parent URL Categories
Zscaler now provides an option to retain the original parent category of a URL when you move the URL to a custom category or to any other category. In the past, the original parent category mapping was lost when a URL was moved to another category. Starting with this release, when you move a URL to another category, you can choose to retain the original parent category. This change does not impact your current URL categorization.
- Cloud Apps Enhancements
- Cloud Application Identity Proxy
You can now configure the Zscaler service as an Identity Provider for the following cloud apps: Salesforce, Box and Google Apps. This will restrict users on your corporate network to accessing these applications from their corporate accounts only. When they try to access the apps from their personal accounts, the service will not be able to authenticate them, and they won’t be allowed to log in. See Cloud Application Identity Proxy.
- Ability to Block Consumer Google Apps
You can configure the Zscaler service to block access to Google consumer apps and Google accounts that are not associated with an organization. For example, you can allow access to corporate Gmail accounts, but block access to personal Gmail accounts. The service adds the HTTP header provided by Google to whitelist domains from which users can access Google services. See How do I control access to Google apps?
- File Type Policy Enhancements
New file types have been added to the File Type Policy, including: .cgr, .mkv, .webm, .sldprt, .GIF, .JPEG, .PNG. You can now also create rules for unknown file types. Zscaler performs MIME type checks for files it cannot initially identify, and any file that falls outside of well-defined MIME types for common apps is tagged as an unknown file type.
- Enhanced End User Notifications
Zscaler has enhanced end user notifications (EUN) to be more user-friendly and informative. EUNs are now color-coded: red notifications denote blocked content, yellow notifications warn users to exercise caution, orange notifications inform users about FTP violations or quarantined content, and green notifications ask users to authenticate to proceed. Zscaler has also updated the Acceptable Use Policy (AUP) notification. Note that steps to configure notifications have not been altered in any way. You also still have the option to customize your EUNs with your own colors and text, as well as redirect users to an external site that hosts your notification pages. See below for an example of the previous EUN template, followed by examples of new EUNs.
- Behavioral Analysis Enhancements
You can now create multiple rules for the Behavioral Analysis policy. Before this release, you could only create one rule. It now also supports Android Application Packages (APKs) and archive files (ZIP and RAR).
- Blacklist in Advanced Threats Policy
Security teams no longer need access to Access Control policies to manage blacklisted URLs. Instead of managing blacklisted URLs through the URL Filtering Policy, now you can manage blacklisted URLs in the Advanced Threats Protection policy. With this release, Zscaler has also improved the accuracy and coverage of signatures and has enhanced names used for various security threats under Advanced Threats Protection and Malware Protection.
- SSL Enhancements
The Zscaler service now supports the OCSP protocol to verify the validity of server certificates and block access to sites with revoked server certificates. You can set this option in the SSL Inspection policy. Additionally, the service displays an EUN when it blocks access to a site due to a bad certificate (the certificate issuer is unknown, the certificate has expired, or the Common Name in the certificate does not match the site). The service logs these transactions with “bad server cert” in the policy field.
- DLP Enhancements (See Overview: Data Loss Prevention (DLP))
Zscaler’s DLP solution has been enhanced with the following new features:
- Zscaler’s DLP can now be integrated with on-premise DLP solutions using Internet Content Adaptation Protocol (ICAP). In the admin portal, you can configure policies to bypass Zscaler scanning and instead use Zscaler only as a filter for content (filtering, for example, by file types or cloud apps) before forwarding content to your on-premise DLP solution for scanning. You can also configure policies to have Zscaler perform scanning and allow or block content, then forward the captured content to on-premise DLP solutions.
- Zscaler has added more matching criteria for applying DLP policies, including cloud applications and file types.
- Configuration for custom dictionaries is now more user-friendly. Custom dictionaries now allow a maximum of 120 phrases (up from 50) and bulk uploads of phrases. In addition to phrases, you can define alphanumeric patterns for custom dictionaries. Custom dictionaries now also have a simpler scoring method that includes the following enhancements:
- The “Confidence Threshold” has been replaced with a “Number of Violations Threshold,” where you specify a number so that the dictionary triggers only if the number of violations it finds exceeds that number. For example, if you specify 7 as the Number of Violations Threshold, the dictionary will only trigger upon finding 8 or more violations.
- “Weight Value” for phrases has been replaced with “Actions” that you can assign to phrases:
- Ignore: The dictionary ignores a match of the phrase.
- Count: The dictionary counts a unique match of the phrase toward the Number of Violations Threshold.
- Trigger: The dictionary triggers immediately upon a match of the phrase.
- NOTE: Zscaler has automatically migrated your custom dictionaries with the new scoring method. The changes to the scoring method have had the following impact on your current custom dictionaries:
- Phrases that had “Weight Values” of Low, Medium, or High have been changed to have the “Action” Count.
- “Confidence Threshold” values of Low, Medium, or High have been replaced with an equivalent numeric value for “Number of Violations Threshold.”
- Because the scoring method has changed, the dictionary may not trigger on the same content as before migration. Some tuning of the threshold may be required to obtain the desired results.
- You can specify a minimum size requirement for outbound data within individual rules, rather than with an outbound dictionary that applies globally to all rules. The Outbound Data Dictionary has been removed.
NOTE: For existing DLP policy rules that depended on the Outbound Data Dictionary, the minimum data size of those rules has been set to the value previously set in the Outbound Data Dictionary. (Note that the old value was in bytes, while the new value is in kilobytes.) Other than rounding differences, there is no change in the firing behavior of those rules. In addition, if a policy rule did not depend on any other DLP dictionaries and only referenced the Outbound Data Dictionary, the rule has been converted to an “External DLP Engine” rule that has a matching minimum data size requirement and applies to all file types.
- Email notifications now do not include any attachments by default. You do, however, have the option of including attachments of blocked files to email notifications.
NOTE: Since previously the content was automatically attached, all migrated notification templates have been configured to include attachments.
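The new custom dictionary scoring method described above (Ignore/Count/Trigger actions, a Number of Violations Threshold that must be exceeded, and alphanumeric patterns alongside phrases), modelled as an added example that is not Zscaler's code; case-insensitive whole-word phrase matching, regex syntax for the patterns, and the sample dictionary and texts are all constructed assumptions:

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# The three phrase actions introduced by the new scoring method.
IGNORE, COUNT, TRIGGER = "ignore", "count", "trigger"


@dataclass
class CustomDictionary:
    name: str
    phrases: Dict[str, str]            # phrase -> action (matched case-insensitively, whole words)
    violations_threshold: int          # fires only when violations EXCEED this (7 -> needs 8+)
    patterns: List[str] = field(default_factory=list)   # alphanumeric patterns as regexes (assumed)

    def evaluate(self, text: str) -> Tuple[bool, int, List[str]]:
        """Return (triggered, violation_count, matched_items) for one piece of content."""
        matched: List[str] = []
        for phrase, action in self.phrases.items():
            if action == IGNORE:
                continue
            # One re.search per phrase: repeated occurrences of the same phrase are
            # deliberately counted once ("a unique match of the phrase").
            if re.search(r"\b" + re.escape(phrase) + r"\b", text, re.IGNORECASE):
                if action == TRIGGER:
                    # A Trigger phrase fires the dictionary regardless of the threshold.
                    return True, len(matched) + 1, matched + [phrase]
                matched.append(phrase)
        for pattern in self.patterns:
            if re.search(pattern, text):
                matched.append(pattern)
        violations = len(matched)
        return violations > self.violations_threshold, violations, matched


# Constructed sample dictionary: project codenames plus an account-number pattern.
SAMPLE_DICT = CustomDictionary(
    name="project-codenames",
    phrases={"project falcon": COUNT, "internal only": COUNT,
             "confidential": COUNT, "the": IGNORE, "do not distribute": TRIGGER},
    violations_threshold=2,
    patterns=[r"\bACCT-\d{6}\b"],
)
```

With a threshold of 2 the dictionary fires on three distinct matches but stays silent on two, and a single Trigger phrase fires it on its own.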
- Firewall Enhancements
The Zscaler firewall has been enhanced as follows:
- You can now define up to 1,024 rules in your Firewall and NAT Control policy.
- You can now configure up to 1,024 network services.
- It now supports DNS queries sent over TCP, in addition to UDP.
- To facilitate rule creation for Microsoft Office365 apps, there is now a predefined Application Group for Office365.
- NSS for Firewall
You can now configure an NSS to stream firewall logs. It requires an additional virtual machine and is a separate subscription from the NSS for web logs. The setup and operations are similar to the NSS for web logs.
- Zscaler App
The new Zscaler App can be installed on users’ devices to ensure that all web traffic flows through the Zscaler service, enforcing your organization’s security and access policies even when the user is off the corporate network. User experience on the Zscaler app is seamless. The app supports your organization’s authentication mechanism so that once users install the app, log in with their SAML user ID, and complete a one-step device enrollment process, they can connect to the web without logging in again. The app establishes a lightweight HTTP tunnel on demand to connect to the Zscaler service whenever the user connects to the web, and no PAC files are required. Admin management is also simple. Apps can be managed through the mobile portal, with device fingerprint and device reporting available through its dashboard. The app also supports auto-updates. The Zscaler app currently supports PC and Mac computers and can replace eZ Agent.
The Zscaler Enforcement Node (ZEN) is now available as a virtual machine. You can download it from the admin portal and install it as a VM on your premises. It functions as a full-featured inline proxy that inspects all your organization’s web traffic bi-directionally for malware. It is connected to the Zscaler cloud so it can always get the latest policies and enforce security and compliance policies. Virtual ZENs typically benefit organizations that have certain geo-political requirements or that use applications that require an organization's IP address as the source IP address.