What is proxy mode?
In explicit mode, a browser is configured to send its traffic directly to a ZEN. The user either manually configures the browser’s proxy settings or configures the browser to use a PAC file that directs traffic to a ZEN (see Forwarding Traffic to the Zscaler Service). When the browser then sends an HTTPS request, it inserts the ZEN IP address as the destination IP address in the TCP header and sends an HTTP CONNECT request directly to the ZEN before it initiates the SSL handshake.
The CONNECT request includes the requested domain, as shown in the following packet-capture summary line, allowing the Zscaler service to immediately identify the destination host:
HTTP 270 CONNECT mail.google.com:443 HTTP/1.1
In transparent mode, the browser is not configured to send traffic to a ZEN. Instead, the traffic is directed to a ZEN through some other means, such as a GRE or IPsec tunnel configured on your organization’s router. In this case, the destination IP address in the TCP header of the request is the IP address of the destination server. The entire HTTP message is encrypted, including the headers and the request/response payload, so the hostname and domain name being accessed are not visible in the HTTP message itself.
The ZEN identifies the destination host in one of two ways.
- If the initial HTTPS request (the client hello) includes the Server Name Indication (SNI), a TLS extension that carries the requested hostname, then the ZEN uses the SNI extension to immediately identify the destination host.
Most browsers send SNI, which lets a server that hosts multiple sites behind a common certificate select the right one. ZENs use SNI, for example, to apply a policy that blocks traffic to drive.google.com but allows traffic to mail.google.com and google.com, even though all of these sites use a common *.google.com certificate.
- If the HTTPS request does not include the SNI extension, the Zscaler service identifies the hostname when the destination server sends its certificate during the SSL handshake.
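The two identification paths described above, as an added example that is not Zscaler's code: `host_from_connect` pulls the hostname from an explicit-mode CONNECT request line, `host_from_client_hello` pulls it from the SNI extension of a transparent-mode client hello, and `decide` applies the page's Drive-versus-Mail policy, deferring when no SNI is present (the case where the service must wait for the server certificate). The blocked-host set and `build_client_hello`, which constructs a minimal client hello as sample input, are assumptions made for this example.

```python
import struct
BLOCKED_HOSTS = {"drive.google.com"}   # constructed policy from the page's example

def host_from_connect(request):
    """Explicit mode: the hostname is on the HTTP CONNECT request line."""
    parts = request.split(b"\r\n", 1)[0].decode("ascii", "replace").split()
    if len(parts) == 3 and parts[0] == "CONNECT":
        return parts[1].rsplit(":", 1)[0].lower()
    return None

def host_from_client_hello(record):
    """Transparent mode: the hostname is in the SNI extension, if present."""
    # Record header: type(1)=22 handshake, version(2), length(2); then
    # handshake header: type(1)=1 ClientHello, length(3).
    if len(record) < 9 or record[0] != 22 or record[5] != 1:
        return None
    hello = record[9:]
    pos = 2 + 32                                           # version + random
    pos += 1 + hello[pos]                                  # session_id
    pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]  # cipher_suites
    pos += 1 + hello[pos]                                  # compression_methods
    if pos + 2 > len(hello):
        return None                                        # no extensions block
    ext_end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= ext_end:
        ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
        data = hello[pos + 4:pos + 4 + ext_len]
        if ext_type == 0:  # server_name: list_len(2) name_type(1) name_len(2) name
            name_len = struct.unpack("!H", data[3:5])[0]
            return data[5:5 + name_len].decode("ascii").lower()
        pos += 4 + ext_len
    return None

def decide(host):
    """Policy verdict; None means wait for the server certificate instead."""
    return "defer" if host is None else "block" if host in BLOCKED_HOSTS else "allow"

def build_client_hello(sni):
    """Constructed minimal ClientHello, used here only as sample input."""
    exts = b""
    if sni is not None:
        name = sni.encode("ascii")
        sn_list = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
        exts = struct.pack("!HH", 0, len(sn_list)) + sn_list
    hello = (b"\x03\x03" + b"\x00" * 32 + b"\x00"        # version, random, no session id
             + b"\x00\x02\xc0\x2f\x01\x00"               # one cipher suite, null compression
             + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```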