Deploying Zscaler ITDR with Zscaler Client Connector for Windows
ITDR uses Deception configuration because there is no separate service entitlement for ITDR in Zscaler Client Connector.
If your organization has a Zscaler Client Connector rollout, you can deploy ITDR on Microsoft Windows machines.
This article provides information on prerequisites and how to deploy ITDR with Zscaler Client Connector for the Microsoft Windows operating system.
Prerequisites
Before deploying ITDR with Zscaler Client Connector, ensure that you have:
- Configured SSO in ZIA.
- Downloaded Zscaler Client Connector or updated to the latest supported version:
  - 4.3.0.264 or later
  - 4.4.0.383 or later
  - 4.5.0.344 or later
  For Zscaler-recommended best practices to deploy Zscaler Client Connector, see Best Practices for Zscaler Client Connector Deployment.
- Enabled ITDR capabilities on your Zscaler Client Connector by contacting your Zscaler Account team.
- Outbound HTTPS access through your proxy, your firewall, or both in your local environment to:
  - Zscaler ITDR Admin Portal, i.e., <your_subdomain>.illusionblack.com on port 443
  - dwv281inkfqg3.cloudfront.net on port 443
  To learn more, see the Zscaler Client Connector Config page.
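A pre-check for the version and network prerequisites above, as an added PowerShell example that is not Zscaler's own tooling. It assumes the operator supplies the installed Client Connector version and the portal subdomain (the defaults are constructed placeholders), and it reads the version list as per-train minimum builds.

```powershell
# Added example (not Zscaler tooling): prerequisite pre-check for an ITDR rollout.
param(
    # Installed Zscaler Client Connector version, typed in by the operator.
    # The default is a constructed sample value.
    [version]$InstalledVersion = '4.4.0.379',
    # Placeholder: your ITDR Admin Portal subdomain.
    [string]$Subdomain = 'your_subdomain'
)

# Minimum builds per release train, copied from the prerequisites list.
$MinimumBuilds = [version[]]@('4.3.0.264', '4.4.0.383', '4.5.0.344')

function Test-ZccVersionSupported {
    param([version]$Version)
    # A listed train (same major.minor) must meet that train's minimum build.
    $trainMinimum = $MinimumBuilds |
        Where-Object { $_.Major -eq $Version.Major -and $_.Minor -eq $Version.Minor } |
        Select-Object -First 1
    if ($trainMinimum) { return $Version -ge $trainMinimum }
    # Assumption: an unlisted train passes only if it is newer than the
    # highest listed minimum; older trains fail.
    $highest = $MinimumBuilds | Sort-Object | Select-Object -Last 1
    return $Version -gt $highest
}

function Test-ItdrEndpoint {
    param([string]$HostName)
    # Direct TCP connect to port 443. This does not use a configured proxy,
    # so a failure here can still be a working path on proxy-only networks.
    $probe = Test-NetConnection -ComputerName $HostName -Port 443 -WarningAction SilentlyContinue
    [pscustomobject]@{ Check = "TCP 443 to $HostName"; Passed = [bool]$probe.TcpTestSucceeded }
}

$report = @(
    [pscustomobject]@{
        Check  = "Client Connector $InstalledVersion meets a listed minimum"
        Passed = Test-ZccVersionSupported -Version $InstalledVersion
    }
    Test-ItdrEndpoint -HostName "${Subdomain}.illusionblack.com"
    Test-ItdrEndpoint -HostName 'dwv281inkfqg3.cloudfront.net'
)

$report | Format-Table -AutoSize
# A non-zero exit code lets a deployment script stop before rollout.
if ($report.Passed -contains $false) { exit 1 }
```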
Deploying ITDR with Zscaler Client Connector
Follow these steps to deploy ITDR with Zscaler Client Connector:
- Step 1: Enable ITDR in the Zscaler Client Connector Portal
  ITDR uses Deception configuration and there is no separate UI for ITDR in the Zscaler Client Connector Portal.
  - Log in to the Zscaler Client Connector Portal.
  - Go to Zscaler Service Entitlement > Zscaler Deception (Deception).
  - Enable Zscaler Deception Enabled by Default to enable ITDR for all Zscaler Client Connector users upgraded to 3.9 or later for Windows.
    If you want to enable ITDR for a specific group of users, disable Zscaler Deception Enabled by Default, and then select a group from the User Groups drop-down menu. To learn more, see Enabling Deception for a Group of Users.
  - Click Save.
- Step 2: Customize the Zscaler ITDR Endpoint Installer
  - Log in to the Zscaler ITDR Admin Portal.
  - Go to Settings > Endpoint Settings > Agent Configuration.
  - Customize the Name, Display Name, and Description of the endpoint installer or service to prevent the agent from being fingerprinted. To learn more, see Customizing Endpoint Installer.
- Step 3: Integrate Zscaler Client Connector with ITDR
  - Log in to the Zscaler Client Connector Portal.
  - Click Administration on the top menu.
  - In the left-side navigation, click Zscaler Deception.
  - Verify that the Zscaler Deception installer settings (Name, Display Name, and Description) you see on this page match the settings you entered in the previous step. If they don't match, click Sync to get the latest values. To learn more, see Zscaler Client Connector Integration with Deception.
- Step 4: Configure a Zscaler Client Connector Profile Policy Rule for Windows
  - In the Zscaler Client Connector Portal, click App Profiles on the top menu.
  - On the App Profiles page, select Windows.
  - To add a new policy to configure access to Deception Settings from Zscaler Client Connector, click Add Windows Policy. To edit an existing policy, click the Edit icon for the policy that you want to modify.
  - In the Add Windows Policy or the Edit Windows Policy window, enter the Logout Password, Exit Password, and Password to access Deception Settings.
    If you are adding a new policy, make sure you have configured all necessary fields as required. To learn more, see Adding a Zscaler Client Connector Profile Policy Rule for Windows. If you are editing an existing policy, make sure Enable is selected.
  - Click Save.
- Step 5: Verify the Zscaler Deception Service Status in Zscaler Client Connector
  - In the left-side navigation, click More, and then click Update Policy.
  - After the policy update is complete, click Update App.
  - After the app update is complete, click Advanced Settings.
  - Enter the password you created in the previous step.
  - Click OK.
  The configuration is successful and the Service Status is Running.