How do I deploy SSL inspection?
Following are the tasks required to enable SSL inspection:
A. Review the best practices for deploying SSL inspection.
B. Configure a Zscaler or custom intermediate root certificate.
C. Configure URL filtering and Cloud App Control policies.
D. Enable SSL inspection for each location.
E. Define your organization's policy for SSL inspection.
F. Optionally, configure end user notifications.
A. Best Practices for Deploying SSL Inspection
Before deploying SSL inspection for your organization, consider the following best practices:
- Enable SSL inspection on a small location or test lab before enabling it on all locations in your organization to understand how this feature works.
- If you are using the Zscaler intermediate certificate, ensure that the Zscaler root certificate is distributed to all users and installed in their browsers before you enable SSL inspection for a location; otherwise every HTTPS site will produce a certificate warning.
- You may also update your end user notification to inform users of your organization's SSL interception policy.
- When you define SSL inspection policy, you can create a list of URLs/URL categories and cloud apps/cloud app categories for which SSL transactions will not be decrypted. Configure this list carefully because it is applied globally throughout an organization and takes precedence over per-location SSL scanning.
- Start by enabling SSL inspection only for "risky" URL categories, such as the Privacy Risk category and Legal Liability categories like Adult Themes and Gambling, and add all remaining categories to the list of URL categories for which SSL transactions will not be decrypted. When your organization is ready, enable SSL inspection for all URL categories except Finance and Health, to allay privacy concerns within the organization.
- The list of URL categories and cloud apps for which SSL transactions will not be decrypted does not apply to road warriors who configure their browsers or PAC files to send traffic to port 9443. To use this feature for road warriors, your organization must subscribe to a dedicated proxy port.
- Firefox maintains its own certificate store and does not trust certificates installed in the Windows certificate store used by Internet Explorer. If your organization allows Firefox, you must install the root certificate in Firefox separately. Google Chrome, however, uses the same certificate store as Internet Explorer.
- Certain client applications, such as Dropbox, use a technique called certificate pinning: the application is hard coded to accept only a specific server certificate or public key, so it rejects the certificate the service generates during inspection. Apps that use certificate pinning might not work with SSL inspection; add their hosts or cloud apps to the list of destinations for which SSL transactions will not be decrypted.
- Enable user authentication as well, to allow the service to apply user policies.
- To see how SSL inspection impacts what policies are enforced by the service, see How does the Zscaler service enforce policies?
B. Configure a Zscaler or custom intermediate root certificate
When SSL interception is enabled, the Zscaler service establishes a separate SSL tunnel with the destination server and with the user’s browser. This allows the service to decrypt and inspect the HTTPS traffic coming to and going from the user’s browser, as well as all traffic coming to and going from the destination server. To establish an SSL tunnel and return content to the user's browser, the service uses either the Zscaler intermediate certificate or a custom intermediate certificate signed by your own trusted CA. Click below for instructions for each option:
Configuring a Zscaler Certificate
For an overview of the process that takes place when you configure a Zscaler intermediate certificate, see SSL Inspection Using a Zscaler Intermediate Certificate in How does Zscaler protect SSL traffic?
To configure the Zscaler certificate:
- Go to Policy > Web > SSL Inspection.
- In Intermediate Root Certificate Authority for SSL Interception > Zscaler's Default Certificate, click Download Zscaler Root Certificate.
- Navigate to the ZscalerRootCerts.zip file and unzip it.
- Import the Zscaler certificate into the certificate store of your browser.
NOTE: To enable your users' browsers or systems to automatically trust all certificates signed by the Zscaler Certificate Authority, your users must install the Zscaler Root CA certificate on their workstations. Otherwise, they will receive an error stating that there is a problem with the website's security certificate. Click here for an example of how users can do this with IE 11. In Microsoft AD environments, you can use an Active Directory GPO to install the certificate on multiple computers.
NOTE: Your organization does not need to install the Zscaler intermediate certificate because the Zscaler service sends it together with the certificate the service generated for the destination site.
Configuring a Custom Intermediate Root Certificate
For an overview of the process that takes place when you configure a custom intermediate root certificate, see SSL Inspection Using a Custom Intermediate Root Certificate in How does Zscaler protect SSL traffic?
To configure a custom certificate, complete the following tasks so that the Zscaler service uses your organization's certificate during SSL negotiations:
Generating the CSR
To generate the CSR, log in to the Zscaler service portal and do the following:
A. Go to Policy> Web > SSL Inspection.
B. In Intermediate Root Certificate Authority for SSL Interception > CSR for Custom Certificate, click Generate New CSR to create a Certificate Signing Request (CSR).
C. Fill out the CSR page as follows and click Save.
- Enter a name for the certificate.
- Enter the domain name of your organization, for example zscaler.com, as the certificate's distinguished name.
- Enter the name of your organization or company.
- Enter the division or department name.
- Enter the city, state and country where your organization is located.
- Choose the size of the SHA (Secure Hash Algorithm) hash used to sign the CSR.
D. In Intermediate Root Certificate Authority for SSL Interception > CSR for Custom Certificate, click Download CSR.
Signing the CSR
After you download the CSR, send it to your CA for signing. Ensure that the CSR is signed as a Subordinate Certification Authority or Intermediate Certification Authority; a certificate issued as an ordinary server certificate cannot sign the per-site certificates the service generates.
NOTE: If you use OpenSSL, ensure that the following extensions are set during signing:
basicConstraints = CA:TRUE
keyUsage = keyCertSign, cRLSign
Click here to see an example of how the CSR can be signed using the Active Directory Certificate Services.
Upload Chain Certificate
Optionally, you can upload the certificate chain that includes any other intermediate certificates completing the chain from the intermediate root certificate you will upload to your organization's trusted root. When you upload the certificate chain, the Zscaler service sends the intermediate root certificate along with this chain and the signed server certificate to your users' machines during SSL inspection. If you do not upload the certificate chain, the Zscaler service sends only your organization's intermediate root certificate and its signed server certificate to the user's machine, and the browser must already hold the rest of the chain. You can read more about the benefits of uploading the certificate chain in How does Zscaler protect SSL traffic?
- Go to Policy > Web > SSL Inspection.
- In Intermediate Root Certificate Authority for SSL Interception > Chain Certificate, click Upload.
The file must be in .pem format.
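The following script is an added example, not Zscaler tooling, covering the Signing the CSR and Upload Chain Certificate steps above. It builds a throw-away three-tier PKI (root CA, issuing CA, SSL-inspection intermediate) with the OpenSSL command line, signs a locally generated stand-in CSR as a subordinate CA with the basicConstraints and keyUsage extensions the service requires, signs the same CSR the wrong way (as a server certificate) for contrast, and checks both results before anything is uploaded. It assumes openssl 1.1.1 or later on PATH; the organization names and the CSR are constructed here and stand in for the CSR you download from Policy > Web > SSL Inspection.

```shell
#!/bin/sh
# Added example (not Zscaler's own tooling): sign an SSL-inspection CSR as an
# intermediate CA with OpenSSL and verify the result before uploading it.
# Assumptions: openssl 1.1.1+ on PATH; "Example Corp" names and the CSR below
# are constructed stand-ins for your own CA and the CSR from the portal.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# Extensions every CA certificate in the chain must carry (CA:TRUE plus
# keyCertSign/cRLSign). pathlen:0 on the inspection intermediate restricts it
# to issuing end-entity (server) certificates only.
ca_extensions() {            # $1 = pathlen, or "" for no limit
  printf 'basicConstraints = critical, CA:TRUE%s\n' "${1:+, pathlen:$1}"
  printf 'keyUsage = critical, keyCertSign, cRLSign\n'
  printf 'subjectKeyIdentifier = hash\nauthorityKeyIdentifier = keyid\n'
}

# Self-signed root standing in for your organization's trusted root CA.
make_root() {
  ca_extensions "" > "$WORK/root.ext"
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/O=Example Corp/CN=Example Corp Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 3650 \
    -sha256 -extfile "$WORK/root.ext" -out "$WORK/root.pem" 2>/dev/null
}

# A CSR for a subordinate CA. $1 = file base name, $2 = subject.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

# Sign CSR $1 with CA $2 using extension file $3; writes $WORK/$1.pem.
sign_csr() {
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" \
    -CAcreateserial -days 1825 -sha256 -extfile "$3" \
    -out "$WORK/$1.pem" 2>/dev/null
}

# Pre-upload check: prints "ok" or the first missing CA extension.
check_ca_cert() {            # $1 = certificate path
  text=$(openssl x509 -in "$1" -noout -text)
  echo "$text" | grep -q 'CA:TRUE'          || { echo "missing basicConstraints CA:TRUE"; return 1; }
  echo "$text" | grep -q 'Certificate Sign' || { echo "missing keyUsage keyCertSign"; return 1; }
  echo "$text" | grep -q 'CRL Sign'         || { echo "missing keyUsage cRLSign"; return 1; }
  echo ok
}

# Does the intermediate chain back to the root via the chain file you would
# upload under Chain Certificate? $1 = intermediate cert, $2 = chain .pem
verify_chain() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$2" "$1" >/dev/null 2>&1
}

build_demo() {
  make_root
  make_csr issuing "/O=Example Corp/CN=Example Corp Issuing CA"
  ca_extensions "1" > "$WORK/issuing.ext"
  sign_csr issuing root "$WORK/issuing.ext"
  # The inspection intermediate: the file uploaded under Custom Certificate.
  make_csr inspection "/O=Example Corp/OU=IT Security/CN=Example Corp SSL Inspection CA"
  ca_extensions "0" > "$WORK/inspection.ext"
  sign_csr inspection issuing "$WORK/inspection.ext"
  # Chain file: every CA between the intermediate and the root (here, issuing).
  cp "$WORK/issuing.pem" "$WORK/chain.pem"
  # Wrong way, for contrast: the same CSR signed as an ordinary server cert.
  printf 'basicConstraints = critical, CA:FALSE\nkeyUsage = digitalSignature, keyEncipherment\n' \
    > "$WORK/leaf.ext"
  cp "$WORK/inspection.csr" "$WORK/wrong.csr"
  sign_csr wrong issuing "$WORK/leaf.ext"
}

build_demo
check_ca_cert "$WORK/inspection.pem"
check_ca_cert "$WORK/wrong.pem" || true
verify_chain "$WORK/inspection.pem" "$WORK/chain.pem" && echo "chain verifies against root"
```

The certificate the service can use is inspection.pem, which check_ca_cert reports as ok; wrong.pem, issued as a server certificate, fails the first check because it carries CA:FALSE. The chain file is the issuing CA only, since the root is already installed in users' browsers; verify_chain fails without it, which is exactly the situation users see when the chain is not uploaded and their browsers do not hold the issuing CA.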
Upload the Certificate to the Service
- In Intermediate Root Certificate Authority for SSL Interception > Custom Certificate, click Upload New Certificate.
- Click Save and activate the change.
- Ensure that your organization's root certificate is installed in your users' browsers. Browsers will then trust the new intermediate certificate and any certificate signed by it. Note that if you upload a custom certificate that is invalid, for example because the common name in the certificate does not match, the Zscaler service does not fall back to the Zscaler root certificate; it continues to use the previously uploaded certificate.
C. Configure URL filtering and Cloud App Control policies.
D. Enable SSL Inspection for each location.
Log in to the Zscaler service portal and do the following:
1. Go to Administration > Resources > Locations.
2. Point to the location and click the Edit icon.
3. In the Gateway Options section, select Enable SSL Scanning.
4. Click Save and activate the change.
E. Define your organization's policy for SSL inspection.
To see the recommended policy for SSL inspection, click here.
To define your organization's policy for SSL Inspection:
1. Go to Policy > Web > SSL Inspection.
2. In the Policy for SSL Decryption section, configure the following:
- Block Undecryptable Traffic: Enable this to block traffic from applications that use non-standard encryption methods and algorithms that the service cannot decrypt.
- Do Not Inspect Sessions to these URL Categories: If you don't want the service to decrypt sessions to certain URL categories, specify them here. For the setting to apply to road warriors, you must have a dedicated proxy port or the Zscaler App in use. You can select any number of categories and also search for URL categories.
- Do Not Inspect Sessions to these Hosts: If you don't want the service to decrypt sessions to certain hosts, specify them here. For guidance on entering URLs, see URL format guidelines. For the setting to apply to road warriors, you must have a dedicated proxy port or the Zscaler App in use.
- Do Not Inspect these Applications: If you don't want the service to decrypt transactions to certain cloud apps or cloud app categories, specify them here. You can select any number of cloud apps and also search for cloud apps.
- Untrusted Server Certificates: Select how the service handles certificates from untrusted issuers (the certificate issuer is unknown, the certificate has expired, or the Common Name in the certificate does not match).
- Allow: The service allows access to sites with untrusted certificates. Certificate warnings are not displayed to users.
- Pass Through: Certificate warnings are displayed to users, and they can decide to proceed to the site.
- Block: The service blocks access to sites with untrusted certificates.
- Block Site with Revoked Server Certificate: Enable to block access to sites with revoked certificates. The service uses OCSP (Online Certificate Status Protocol) to obtain the revocation status of a certificate. When users are blocked, the service displays a notification and logs these transactions with 'bad server cert' in the policy field.
- Policy for Mobile Traffic: Enable this option to allow SSL inspection for roaming devices. This must be enabled if you want the service to perform SSL inspection for traffic sent to the service with the Zscaler App.
3. Click Save and activate the change.
F. Optionally, configure end user notifications.
Optionally, you can customize the notification that the Zscaler service displays when it blocks or restricts access to certain sites, files or Internet applications.