Configuring Advanced Settings

To configure advanced settings for the Zscaler service:

  1. Go to Administration > Settings > Advanced Settings.
  2. Configure the following:
    • Admin Ranking: Enable this if you want to rank administrators and use the ranks when you manage policies.
    • Allow Cascading to URL Filtering: Enable this if you want the service to apply the URL Filtering policy even if it has already applied a Cloud App Control policy that explicitly allows a transaction. By default, if a user requests a cloud app that you explicitly allow with a Cloud App Control policy rule, the service only applies the Cloud App Control policy and does not apply the URL Filtering policy. For example, if you have a Cloud App Control rule that allows viewing Facebook, but a URL Filtering policy that blocks www.facebook.com, a user will still be allowed to view Facebook because by default, the service does not apply the URL Filtering policy if a Cloud App Control rule allows the transaction. However, in the same example, if you allow cascading to URL filtering, the service blocks the user from Facebook because of your URL Filtering policy.
      NOTE: If a user requests a cloud app for which you have not configured a Cloud App Control policy rule, the service still evaluates and applies the URL filtering policy. See How does the Zscaler service enforce policies? to learn more.
    • Session Timeout Duration: Specify how long admins can be inactive on the Zscaler admin portal before they must log in again. By default, a session times out after 30 minutes. You can enter a different time interval, from 5 minutes to 600 minutes (10 hours).
    • Authentication Exemption: Enables the service to exempt specific URL categories, URLs, cloud app categories or specific cloud apps from cookie authentication.
    • Log Internal IPs from XFF Header: When the Zscaler service logs a transaction, it includes the source IP address, which is always the public IP address of the firewall or edge router that sent the traffic to the service. But if you use proxy chaining to forward traffic to the Zscaler service, a proxy server can insert an X-Forwarded-For (XFF) header in outbound HTTP requests. The XFF header identifies the IP address of the original client that sent the HTTP request through the proxy server. If you enable Internal IP Logging, the service will log the source IP address that is in the XFF header. Then when the service forwards the traffic to its destination, it will remove the original XFF header and replace it with an XFF header that contains the IP address of the client gateway (the organization’s public IP address), ensuring that an organization's internal IP addresses are never exposed to the external world.
    • Enforce Surrogate IP Authentication: Some Windows 8 Metro apps use Internet Explorer as their user agent but do not support cookies or redirects, so the service does not allow traffic to these sites. Enable this option to allow the service to use the user-to-device mappings to apply the appropriate user policies to the traffic of the top Windows 8 Metro apps. The Surrogate IP feature must be enabled.
    • Enable Policy for Unauthenticated Traffic: For policies where you can specify users and departments in the criteria, the Zscaler service enables you to specify whether you want a rule to apply if the user traffic is unauthenticated. You must turn on this feature here if you want this option to appear when configuring your policy rules. Note that any rule that applies to unauthenticated traffic must apply to all locations; you cannot apply a rule to unauthenticated traffic and select particular locations. See How do I configure policy for unauthenticated traffic?
    • HTTP Tunnel Control: A client can send an HTTP CONNECT method request in order to establish a tunnel connection to a remote server via the Zscaler service. Once the connection is established, the service tunnels the traffic to the destination server on behalf of the client. The HTTP CONNECT method is typically used to initiate an SSL connection, but it can be used for other tunneling purposes as well. By default, both of the following options are enabled: the service inspects tunneled HTTP traffic, and it accepts CONNECT method requests only to ports 80 and 443.
      • Inspect tunneled HTTP traffic
        This option, enabled by default, allows the Zscaler service to enforce configured policies on tunneled HTTP traffic that is sent via a CONNECT method request. For example, with this feature enabled, if the service receives a CONNECT request to www.cnn.com:80, the service will apply the configured web policies to HTTP traffic that it forwards to www.cnn.com. If this option is disabled, then the service will not apply the policies to the traffic to www.cnn.com.
      • Block tunneling to non-HTTP/HTTPS ports
        This feature is enabled by default. The service restricts HTTP CONNECT method requests to the standard HTTP/HTTPS ports (80 and 443). You can disable this option to allow all HTTP CONNECT requests to non-standard HTTP/HTTPS ports, in addition to ports 80 and 443. For example, a CONNECT request for SSH to port 22 will be allowed if this feature is disabled.
  3. Complete the following if you have enabled the firewall service.
    1. By default, the Zscaler service listens on port 80 for HTTP traffic, port 443 for HTTPS traffic, port 53 for DNS traffic, and port 21 for FTP traffic. If your organization uses other or additional ports for HTTP, HTTPS, DNS, and FTP traffic, you can enable Zscaler to use custom ports for these services by creating custom network services for those ports, and then configuring the service to accept HTTP, HTTPS, DNS, or FTP traffic on the ports assigned to the custom services you created.
      • Services Forwarded to HTTP Web Proxy
        From the HTTP Services and HTTPS Services lists, choose the custom service that specifies the ports your organization uses for HTTP and HTTPS.
      • Services Applicable to DNS Transaction Policies
        From the DNS Services list, choose the custom service that specifies the ports your organization uses for DNS traffic.
      • Services Applicable to FTP Proxy
        From the FTP Services list, choose the custom service that specifies the ports your organization uses for FTP traffic.
  4. In the Auto Proxy Forwarding for Non-defined Ports section, enable the following to redirect outbound HTTP, HTTPS, FTP, and/or DNS traffic that is destined to a non-standard port and that does not match any predefined network service to the web engine for inspection.  
  5. Click Save and activate the change.
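The following is an added example, not Zscaler code, that models the evaluation order described under Allow Cascading to URL Filtering in step 2: an explicit Cloud App Control allow normally ends evaluation, with cascading on the URL Filtering policy is applied afterwards, and with no matching Cloud App Control rule URL Filtering is always applied. The rule dictionaries, the sample Facebook rules and the treatment of an explicit Cloud App Control block as final are assumptions made for the model and are not the product's policy schema.

```python
# Added example: a model of the evaluation order controlled by the
# "Allow Cascading to URL Filtering" setting. Rule shapes, sample rules and
# the handling of an explicit Cloud App Control block are constructed
# assumptions for illustration, not Zscaler's own policy representation.


def find_cloud_app_rule(request, cloud_app_rules):
    """Return the first Cloud App Control rule whose app matches the request, or None."""
    for rule in cloud_app_rules:
        if rule["app"] == request.get("app"):
            return rule
    return None


def find_url_filter_rule(request, url_filter_rules):
    """Return the first URL Filtering rule whose host matches the request, or None.

    A rule for 'facebook.com' also covers 'www.facebook.com'.
    """
    host = request["host"].lower()
    for rule in url_filter_rules:
        pattern = rule["host"].lower()
        if host == pattern or host.endswith("." + pattern):
            return rule
    return None


def evaluate(request, cloud_app_rules, url_filter_rules, cascade_to_url_filtering):
    """Decide allow/block for one request and report which policy decided it."""
    app_rule = find_cloud_app_rule(request, cloud_app_rules)
    if app_rule is not None:
        if app_rule["action"] == "block":
            # Assumption for this model: an explicit Cloud App Control block is final.
            return {"action": "block", "decided_by": "Cloud App Control"}
        if not cascade_to_url_filtering:
            # Default behaviour from the page: an explicit allow ends evaluation here.
            return {"action": "allow", "decided_by": "Cloud App Control"}
    # No matching Cloud App Control rule, or cascading is on: URL Filtering applies.
    url_rule = find_url_filter_rule(request, url_filter_rules)
    if url_rule is not None:
        return {"action": url_rule["action"], "decided_by": "URL Filtering"}
    return {"action": "allow", "decided_by": "default"}


# Constructed sample policy mirroring the page's Facebook example.
CLOUD_APP_RULES = [{"app": "Facebook", "action": "allow"}]
URL_FILTER_RULES = [{"host": "www.facebook.com", "action": "block"}]

# Constructed requests: one identified as the Facebook app, one with no app match.
FACEBOOK_VIEW = {"app": "Facebook", "host": "www.facebook.com"}
NO_APP_MATCH = {"host": "www.facebook.com"}

if __name__ == "__main__":
    for cascade in (False, True):
        print("cascade =", cascade, evaluate(FACEBOOK_VIEW, CLOUD_APP_RULES, URL_FILTER_RULES, cascade))
    print("no app rule", evaluate(NO_APP_MATCH, CLOUD_APP_RULES, URL_FILTER_RULES, False))
```

Run with cascading off, the Facebook request is allowed by Cloud App Control even though a URL Filtering rule blocks the host; with cascading on, the same request is blocked by URL Filtering; a request that matches no Cloud App Control rule is blocked by URL Filtering regardless of the setting, which is the situation the NOTE describes.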
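The next added example, also not Zscaler code, illustrates the two halves of the Log Internal IPs from XFF Header behaviour from step 2: which address ends up in the transaction log, and how the X-Forwarded-For header is replaced before the request leaves for its destination so that internal addresses are never exposed. The gateway address, the sample headers and the helper names are constructed for the example.

```python
# Added example: logging the original client from X-Forwarded-For and
# rewriting the outbound header to the gateway's public address.
# GATEWAY_PUBLIC_IP, the sample headers and the function names are
# constructed for this illustration; they are not from Zscaler.
from ipaddress import ip_address

# Constructed: the location's public IP, i.e. the firewall or edge router
# that forwards the organisation's traffic to the service.
GATEWAY_PUBLIC_IP = "203.0.113.10"


def get_header(headers, name):
    """Case-insensitive header lookup over a plain dict."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def parse_xff(value):
    """Return the syntactically valid addresses in an X-Forwarded-For value, leftmost first.

    The leftmost entry is the original client; later entries are proxies that
    handled the request. Entries that are not IP addresses are dropped rather
    than written to the log.
    """
    addresses = []
    for part in (value or "").split(","):
        part = part.strip()
        try:
            ip_address(part)
        except ValueError:
            continue
        addresses.append(part)
    return addresses


def source_ip_for_log(headers, peer_ip, log_internal_ips):
    """Address recorded as the transaction source.

    With the setting off, only the public peer address is logged. With it on,
    the original client address from XFF is logged when a valid one is present.
    """
    client_ips = parse_xff(get_header(headers, "X-Forwarded-For"))
    if log_internal_ips and client_ips:
        return client_ips[0]
    return peer_ip


def rewrite_outbound_headers(headers, peer_ip):
    """Headers forwarded to the destination: the incoming XFF is removed and
    replaced by one carrying only the gateway's public address."""
    outbound = {k: v for k, v in headers.items() if k.lower() != "x-forwarded-for"}
    outbound["X-Forwarded-For"] = peer_ip
    return outbound


def process_request(headers, peer_ip, log_internal_ips):
    """Return the log record and the headers sent upstream for one transaction."""
    record = {
        "source_ip": source_ip_for_log(headers, peer_ip, log_internal_ips),
        "public_ip": peer_ip,
    }
    return record, rewrite_outbound_headers(headers, peer_ip)


# Constructed sample request as it would arrive through an internal proxy chain.
SAMPLE_HEADERS = {
    "Host": "www.example.com",
    "X-Forwarded-For": "10.1.2.3, 10.0.0.5",
    "User-Agent": "example-client/1.0",
}

if __name__ == "__main__":
    record, upstream = process_request(SAMPLE_HEADERS, GATEWAY_PUBLIC_IP, True)
    print(record)
    print(upstream)
```

The check a practitioner usually wants is the last one in the test below: whatever the logging setting, no RFC 1918 address from the incoming header survives in the headers sent upstream.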
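A final added example, not part of the Zscaler documentation, applies the two HTTP Tunnel Control options from step 2 to individual CONNECT request lines: with Block tunneling to non-HTTP/HTTPS ports enabled, only ports 80 and 443 are accepted (so the page's SSH-to-port-22 case is blocked), and with Inspect tunneled HTTP traffic enabled, configured web policies apply to the tunneled traffic. The parser, the decision structure and the sample request lines are constructed for the example.

```python
# Added example: evaluating CONNECT request lines under the HTTP Tunnel Control
# options. The parser, decision dictionaries and sample lines are constructed
# for this illustration and are not Zscaler's implementation.

STANDARD_PORTS = {80, 443}


def parse_connect_request_line(line):
    """Parse a request line such as 'CONNECT www.cnn.com:80 HTTP/1.1'.

    Returns (host, port), or None when the line is not a well-formed CONNECT.
    The authority form requires an explicit port; IPv6 literals are bracketed,
    so splitting on the last colon keeps the address intact.
    """
    parts = line.strip().split()
    if len(parts) != 3 or parts[0] != "CONNECT" or not parts[2].startswith("HTTP/"):
        return None
    host, sep, port = parts[1].rpartition(":")
    if not sep or not host or not port.isdigit():
        return None
    port = int(port)
    if not 1 <= port <= 65535:
        return None
    return host, port


def tunnel_decision(line, block_non_standard_ports=True, inspect_tunneled_http=True):
    """Apply the two HTTP Tunnel Control options (both default to enabled) to one line."""
    parsed = parse_connect_request_line(line)
    if parsed is None:
        return {"action": "reject", "reason": "not a well-formed CONNECT request"}
    host, port = parsed
    if block_non_standard_ports and port not in STANDARD_PORTS:
        return {"action": "block", "host": host, "port": port,
                "reason": "tunneling to non-HTTP/HTTPS port"}
    # Allowed tunnel: web policies are enforced on it only when inspection is on.
    return {"action": "allow", "host": host, "port": port,
            "policies_applied": inspect_tunneled_http}


def summarize(lines, **options):
    """Count decisions over a batch of request lines, e.g. to preview a setting change."""
    counts = {}
    for line in lines:
        action = tunnel_decision(line, **options)["action"]
        counts[action] = counts.get(action, 0) + 1
    return counts


# Constructed sample request lines.
SAMPLE_LINES = [
    "CONNECT www.cnn.com:80 HTTP/1.1",
    "CONNECT www.example.com:443 HTTP/1.1",
    "CONNECT example.com:22 HTTP/1.1",
    "CONNECT [2001:db8::1]:443 HTTP/1.1",
    "GET / HTTP/1.1",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(line, "->", tunnel_decision(line))
    print("defaults:", summarize(SAMPLE_LINES))
    print("blocking disabled:", summarize(SAMPLE_LINES, block_non_standard_ports=False))
```

Running summarize over the same lines with the blocking option disabled shows the effect the page warns about: the port 22 tunnel moves from blocked to allowed while everything else is unchanged.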