Zscaler Quick Start Guide

This guide describes how you can start protecting your web traffic by simply pointing your browser to the Zscaler cloud. It also introduces you to some basic features of the Zscaler service, including anti-virus security and the URL policy, and explains how you can test them.

It describes the following tasks:

A. Logging In to the Portal

B. Forwarding Web Traffic

C. Adding Users

D. Adding Locations

E. Deploying a Root Certificate to Enable SSL Inspection

F. Configuring the SSL Inspection Policy

G. Logging In to the Service

H. Defining and Testing the URL Filtering Policy

I. Defining and Testing the Cloud App Control Policy

J. Testing Anti-Virus Security

K. Analyzing Traffic

Logging In to the Zscaler Service Portal

To log in to the Zscaler service portal and verify your information:

  1. Use the URL, user ID and password that you received from your Zscaler representative or Technical Support to log in to the portal.
    The End User Subscription Agreement (EUSA) appears the first time you log in.
    See image.
  2. Click Accept.
    If you click Cancel, the service will allow you to continue. You’ll be able to configure policies and add users, but the settings won’t take effect and you won’t be able to surf the Internet through the Zscaler service until you accept the EUSA. The EUSA will also appear every time you log in, until you click Accept.
  3. Go to Administration > Settings > Company Profile.
  4. Verify your organization’s information. Zscaler recommends that you provide primary and secondary technical contacts as well, especially if the primary business contact is not the technical administrator of the service.
    See image.
  5. Click Save and activate any changes you made.

Forwarding Web Traffic

To redirect your web traffic to the Zscaler cloud, configure your browser to use a PAC file, which is a text file that directs a browser to forward traffic to a proxy server before going to the destination server.
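A minimal PAC file showing the forwarding logic described above. It is an added illustration, not Zscaler's hosted default PAC file; the proxy address `proxy.example.invalid:8080` and the internal domain `corp.example.invalid` are placeholders.

```javascript
// Constructed example PAC file (ES5, so older browsers can parse it).
// PROXY and the internal domain below are placeholders, not Zscaler values.
var PROXY = "PROXY proxy.example.invalid:8080";

// Literal loopback and RFC 1918 addresses, matched without a DNS lookup.
var PRIVATE_IP = new RegExp(
  "^(10|127)\\.\\d+\\.\\d+\\.\\d+$" +
  "|^192\\.168\\.\\d+\\.\\d+$" +
  "|^172\\.(1[6-9]|2\\d|3[01])\\.\\d+\\.\\d+$"
);

// Stand-ins for two helpers that browsers provide to PAC scripts.
// They exist only so this file runs outside a browser; delete them
// from a PAC file that is actually deployed.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}
function shExpMatch(str, glob) {
  var re = glob.replace(/[.+^${}()|[\]\\]/g, "\\$&")
               .replace(/\*/g, ".*")
               .replace(/\?/g, ".");
  return new RegExp("^" + re + "$").test(str);
}

// The browser calls this for every request and uses the returned string
// to decide where to send the traffic.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();

  // Intranet names and private addresses cannot be reached through a
  // cloud proxy, so they are fetched directly.
  if (isPlainHostName(host) ||
      PRIVATE_IP.test(host) ||
      shExpMatch(host, "*.corp.example.invalid")) {
    return "DIRECT";
  }

  // Everything else is forwarded to the proxy. The return value has no
  // "; DIRECT" fallback: with one, a browser that cannot reach the proxy
  // would go straight to the Internet, unfiltered and uninspected.
  return PROXY;
}
```

Keep the `DIRECT` list as short as possible, because every host on it bypasses the service's scanning and policy enforcement.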

If you were provided a PAC file URL, skip the next two steps. Otherwise, log in to the service portal and do the following to retrieve the default PAC file URL:

  1. Go to Administration > Resources > Hosted PAC Files.
  2. Copy the URL of the default PAC file for the Web.
    See image.
  3. Open your browser and paste the PAC file URL in its settings page.

    The following example illustrates how to specify the PAC file URL in the Internet Explorer settings.
    1. Open Internet Explorer and go to the Gear icon and select Internet Options.
    2. In the Internet Options window, click Connections > LAN Settings.
      See image.
    3. In the Local Area Network (LAN) Settings window, select Use automatic configuration script and paste the PAC file URL that you copied from the Zscaler service portal. Click OK to save the configuration.

To change the settings of a different browser, see the following:

Adding Users

To implement group and user policies and to leverage the granular reporting capabilities of the service, you must provision users on the Zscaler database and enable the Zscaler service to authenticate them. Though provisioning and authenticating users is not required, Zscaler highly recommends that you provision your users and enable authentication. Provisioning involves uploading usernames, groups, and departments to the service database. Enabling authentication allows the Zscaler service to identify the traffic that it receives so it can enforce the configured location, department, group and user policies, and provide user and department logging and reporting.

The following example illustrates how to add a new user account, group and department. You can use the new account to test the service.

To add a new user:

  1. Navigate to Administration > Authentication > User Management.
  2. Click Add User and specify the following information about the user:
    See image.
    • Enter the User ID. The user ID consists of a user name and domain name in email format. Enter the user name and if your organization has more than one domain, select the domain name.

      If you plan to integrate your enterprise directory at a later date, ensure that you use an email address that is not currently in the directory. For example, you can enter test.user.
    • Enter the User Name.
    • Click the down arrow beside Groups to choose a group or add a new one. You can select more than one group.
      See image.
    • Click the down arrow beside Department to choose a department or add a new one.
      See image.
    • Enter a Password of your choosing.
    • Optionally, enter comments.
  3. Click Save and activate the change.

Adding Locations

To add locations, you must submit your static IP addresses to Zscaler Support, who can then ensure that those IP addresses appear in the admin portal. You can submit your IP addresses by submitting a support ticket.

To submit a support ticket:

  1. Point to the Question Mark icon at the top right corner of the UI to open the help menu. In the help menu, click on Submit a Ticket.
    See image.
  2. The Submit Ticket page will open in a new tab.  
    See image.
  3. After completing the fields in the Submit Ticket page, click Submit. The time it takes Zscaler Support to provision the IP addresses is 30 minutes.  

Once your IP addresses have been provisioned, you can add them as locations.

To add a location:

  1. Go to Administration > Resources > Locations.
  2. Click Add Location.
    See image.
  3. Enter general information about the location:
    • Type in its Name.
    • Choose the Country.
    • Enter a State/Province, if applicable.
    • Choose the Time Zone of the location.
      When you specify the location in a policy, the service applies the policy according to the location's time zone. For example, if a Cloud App Control policy blocks posting to Facebook between 8 a.m. and 5 p.m., and the rule is applied to locations in Spain and California, users at each location will be blocked during their respective daytime hours.
  4. Choose the IP addresses for the location:
    • Public IP Addresses lists the IP addresses that you sent to Zscaler. Choose IP addresses for the location from the drop down menu.
  5. Enable the following features for the location:
    • Enable Enforce Authentication to require users from this location to authenticate to the service. This feature is disabled by default.
    • Turn on Enable SSL Scanning to allow the service to decrypt HTTPS transactions and inspect them for data leakage, malicious content and viruses, and to enforce policy. Note that a subscription is required for this feature. Zscaler recommends using SSL inspection, because it can encrypt and protect sensitive information, such as credit card numbers, usernames, and passwords, from being seen by intermediate devices that are not the intended recipients.

      If you choose not to enable SSL inspection, you can configure a global block of specific HTTPS content. To learn more, see How do I block HTTPS traffic without SSL inspection?
  6. If your organization is subscribed to one or more ports, you can associate them with a location and then forward your road warrior traffic to those ports. To learn more, see What is a dedicated proxy port?

Deploying a Root Certificate

To establish an SSL tunnel and return content to the user's browser, the service can use either the Zscaler intermediate certificate or a custom intermediate certificate signed by your own trusted CA. See below for instructions on how to configure a Zscaler certificate:

  1. Go to Policy > Web > SSL Inspection.
  2. Under Intermediate Root Certificate Authority for SSL Interception > Zscaler's Default Certificate, click Download Zscaler Root Certificate.
    See image.
  3. Navigate to the ZscalerRootCerts.zip file and unzip it.
  4. Import the Zscaler certificate into the certificate store of your browser.
    You must then import the Zscaler certificate into your users' browsers. To facilitate deployment in Microsoft Active Directory environments, use the GPO feature to deploy the certificate to all users in your network.

Note: To enable your users' browsers or systems to automatically trust all certificates signed by the Zscaler Certificate Authority, your users must install the Zscaler Root CA certificate on their workstations. Otherwise, they will receive an error stating that there is a problem with the website's security certification. Click here for an example of how users can do this with Internet Explorer 11. In Microsoft AD environments, you can use the Active Directory GPO feature to facilitate installing the certificate on multiple computers.

To learn how to configure a custom intermediate root certificate, see How do I use a custom certificate for SSL inspection?

Configuring the SSL Inspection Policy

To configure the SSL Inspection policy, do the following:

  1. Go to Policy > Web > SSL Inspection.
  2. In the Policy for SSL Decryption section, configure the following.
    See image.
    • Enable Block Undecryptable Traffic to protect against applications that use nonstandard encryption methods and algorithms.
    • In Bypassed URL Categories, choose URL categories to exempt from SSL inspection. The service does not decrypt transactions to sites in these categories.
    • In Bypassed URLs, enter URLs you want to exempt from SSL inspection.
    • In Bypassed Applications, choose applications to exempt from SSL inspection.
    • In Policy for Mobile Traffic, turn on Enable SSL Scanning for Mobile Traffic to allow the service to inspect mobile traffic.
  3. Click Save and activate the change.

Logging In to the Zscaler Service

To log in to the Zscaler service:

  1. Browse to any external site (for example, www.zscaler.com).
  2. The service displays a Login window where you are prompted to authenticate.
  3. Enter the newly created user ID and click Sign in.
  4. Enter your password and click Sign in.
    See image.
    The service allows you to continue to the site. Then, as your browser retrieves web pages, the service scans them for a range of malware threats and delivers clean traffic.

Defining and Testing the URL Policy

The URL Filtering policy contains sample rules that are disabled. You can customize these rules and add new ones based on the guidelines of your organization.

Add two rules to do the following:

A.  Block users from accessing gambling sites. To add a rule that blocks access to gambling sites:

  • From the Zscaler service portal, go to Policy > Web > URL & Cloud App Control.
  • On the URL Filtering Policy tab, click Add URL Filtering Rule and do the following.
    See image.
    • There is one default rule. So when you create a new rule, the Rule Order is automatically set to 2. Do not change it.
    • Rule Status is Enabled by default. Do not change it.
    • From the URL Categories menu, choose Gambling.
    • For the Action, choose Block.
  • Click Save and activate the change.  

B.  Caution users who access shopping sites. To add a rule that cautions against access to shopping sites, repeat the preceding steps, but select the Shopping and Auctions category and Caution action.
See image.

Rules that are enabled are evaluated in the order they are listed. You can change the Rule Order of rules to ensure that they are evaluated in the appropriate order. Following are the configured rules:

See image.

To test the rules you defined in the URL policy, open a browser and do the following:

  • Try to access a gambling site, such as gambling.com. The service blocks access to the site and displays a message, similar to the following image.
    See image.
  • Try to access a shopping site. The service displays a caution message, similar to the following image.
    See image.

Defining and Testing the Cloud App Control Policy

The Cloud App Control policy contains rules that control access to specific cloud applications. You can customize these rules and add new ones based on the guidelines of your organization. Note that Cloud App Control policy takes priority over the URL Filtering policy.

Add two rules to do the following:

A. Block users from using all instant messaging (IM) applications except Google Talk. To add a rule that blocks usage of IM applications and exempt Google Talk:

  • From the Zscaler service portal, go to Policy > Web > URL & Cloud App Control.
  • On the Cloud App Control Policy tab, click Add. Choose Instant Messaging as the cloud applications category.
    See image.
    • There is one default rule. So when you create a new rule, the Rule Order is automatically set to 2. Do not change it.   
    • Rule Status is Enabled by default. Do not change it.
    • From the Cloud Applications menu, select all of the apps except Google Talk.
    • Under Action, choose to Block Chatting.
  • Click Save and activate the change.

B. Block users from accessing Tumblr. To add a rule that blocks access to Tumblr, repeat the preceding steps, but select Social Networking & Blogging as the cloud application category, select only Tumblr from the Cloud Applications menu, and choose to Block Viewing.
See image.

To test the rule you defined in the Cloud App Control policy, open a browser and do the following:

  • Try to access tumblr.com. The service blocks access to the site and displays a message, similar to the following image.
    See image.

Testing Anti-Virus Security

EICAR is a test virus that is completely harmless. You can try to download this test virus to test the anti-virus protection of the service. Note that browser cached files are not blocked. You must clear your browser cache if testing includes enabling and disabling protection.

To test anti-virus protection:

  1. Open your browser and go to http://www.eicar.org/download/eicar.com
  2. Try to download a test virus. The service blocks it and displays a message similar to the following image.
    See image.

Note: You can customize the notification pages that the service displays to your users by going to Administration > Resources > End User Notifications in the service portal.

Analyzing Traffic

To view reports and transactions:

  1. From the Dashboard, choose Web Browsing to view the browsing activity of your organization.
    Each widget shows a different facet of the traffic. Note the following:
    • The Top Blocked URL Categories widget shows that URLs in the Online Shopping and Gambling categories were blocked.
    • The newly created user test_user appears in the Top Users and Top Blocked Users widgets.
      See image.
  2. Click test_user in the Top Users widget and choose Analyze Chart.
    In Web Insights, you can define filters on the left panel or select data types to interactively drill down to specific transactions.
    See image.
  3. Choose View Logs.
    The logs show that the service blocked the gambling URL and allowed access to the shopping URL after a caution notification.
    See image.
