This article describes how to add a single location. If you have multiple locations, you can import a CSV file that lists your locations and sub-locations.

For each location you add, you can specify different features, such as the public IP addresses for that location, or whether to enable authentication or firewall.

To add a location:

  1. Go to Administration > Resources > Locations.
  2. Click Add.
  3. Enter general information about the location:
  • Type in its Name.
  • Choose the Country.
  • Enter a State/Province, if applicable.
  • Choose the Time Zone of the location.
    When you specify the location in a policy, the service applies the policy according to the location's time zone. For example, if a Cloud App Control policy blocks posting to Facebook between 8 a.m. and 5 p.m., and the rule is applied to locations in Spain and California, users at each location will be blocked during their respective daytime hours.
  1. Choose the IP addresses for the location:
  • Public IP Addresses lists the IP addresses that you sent to Zscaler. Choose IP addresses for the location.
    • NOTE: If you have not already done so, submit your static IP addresses to Zscaler Support, who can then ensure that those IP addresses appear in the menu under Public IP Addresses.
  • Proxy Ports lists your organization's subscribed ports. If applicable, choose the port for the location.
  • VPN Credentials lists IP addresses or FQDNs if you are configuring an IPsec VPN tunnel to forward traffic to the Zscaler service. If applicable, choose the VPN credentials for the location.
  • Virtual ZENs lists your organization's VZENs. Note that you can choose e a standalone VZEN for testing purposes only. Zscaler supports only VZEN clusters for production environments.
  • Virtual ZEN Clusters lists your organization's VZEN clusters. If applicable, choose the VZEN cluster for your  organization.
  1. Enable features for the location:
  • Enable XFF Forwarding: Turn on if this location uses proxy chaining to forward traffic to the service, and you want the Zscaler service to use the X-Forwarded-For (XFF) headers that your on-premise proxy server inserts in outbound HTTP requests. The XFF header identifies the client IP address, which can be leveraged by the service to identify the client’s sub-location. Thus, using the XFF headers, the service can apply the appropriate sub-location policy to the transaction, and if Surrogate IP is enabled on the location or sub-location, appropriate user policy to the transaction. Note that when the service forwards the traffic to its destination, it will remove this original XFF header and replace it with an XFF header that contains the IP address of the client gateway (the organization’s public IP address), ensuring that an organization's internal IP addresses are never exposed to the external world.
  • Enforce Authentication: Turn on to require users from this location to authenticate to the service. (See Provisioning and Authenticating Users.)
    • Enable IP Surrogate: This field appears if you turn on Enforce Authentication. Enable IP Surrogate if you want to map users to device IP addresses. See What is Surrogate IP?
      • Idle Time to Disassociation: This field appears if you Enable IP Surrogate. Specify how long after a completed transaction the service retains the IP address to user mapping.
      • Enforce Surrogate IP for Known Browsers: This field appears if you Enable IP Surrogate. Turn on this feature if you want to use existing IP-to-user mapping (acquired from Surrogate IP) to authenticate users sending traffic from known browsers. With this feature enabled, the service uses existing IP-to-user mapping for authentication even if users go to sites that support cookies. This allows the service to authenticate without requiring the browser to complete HTTP redirects for every transaction, ensuring performance even for users who connect, for example, over high-latency satellite links. If the feature is disabled, the service authenticates users on browsers with cookies or other configured authentication mechanisms.  
        • Refresh Time for Re-Validation of Surrogacy: This field appears if you turn on Enforce Surrogate IP for Known Browsers. Specify the length of time that the service can use IP-to-user mapping for authenticating users sending traffic from known browsers. After the defined period of time, the service will refresh and revalidate the existing IP-to-user mapping so that it can continue to use the mapping for authenticating users on browsers. You can enter any value from 1 minute to 8 hours.
  • Enable SSL Scanning: Turn on to enable the service to decrypt HTTPS transactions for this location and inspect them for data leakage, malicious content and viruses, and to enforce policy.
  • Enforce Firewall Control: Turn on to enable the firewall for this location.
  1. Enforce Bandwidth Control: Turn on to set bandwidth controls for the location. Specify the maximum bandwidth limits of the following:
    • Download (Mbps)
    • Upload (Mbps)
  2. Click Save and activate the change.