Configuring Shift Policies


Configuring Shift Policies

Watch a video about how to add a single policy to a location

Watch a video about how to add multiple policies to a location

Watch a video about SSL inspection

Shift offers multiple layers of security for your organization, including content filtering, threat security, Safe Search, and SSL inspection. In the Admin Portal, you can configure policies and specify how you want to implement these security features for users in your organization.

Furthermore, you can either configure a single policy for your location or, if you prefer, you can configure up to four policies for each location in your organization, so that you can enforce different policies for different groups of users at the location.

Below you can read how Shift supports multiple policies for a given location and step-by-step instructions for policy configuration in the Admin Portal.

Multiple Policies per Location

You can create up to four different policies for a given location and apply them to different groups of users at the location. For example, if you are an admin in a retail business setting, you may want to create one policy for your Point-of-Sale (POS) network, one policy for employee network, and another policy for your guest Wi-Fi network. Below is a diagram that illustrates how Shift can enable multiple policies for such a location, followed by an explanation.

Diagram showing how to configure Shift for multiple locations

Shift provides you with four different DNS IP addresses to which your organization's edge device can forward traffic:

  • 8.34.34.34 (primary) / 8.35.35.35 (secondary)
  • 8.34.34.101 (primary) / 8.35.35.101 (secondary)
  • 8.34.34.102 (primary) / 8.35.35.102 (secondary)
  • 8.34.34.103 (primary) / 8.35.35.103 (secondary)

To enforce multiple policies for a given location, you must complete the following tasks:

  1. In the Admin Portal, create a separate policy for each group of users at the location, and tie each policy to one of the IP addresses above (step-by-step instructions are given in step 10 of Policy Configuration). For example, in the retail setting above, an admin creates one policy for your POS network, one for employees, and one for the guest Wi-Fi network.
  2. In the Admin Portal, add the policies you created in the appropriate location. In the retail setting illustrated above, the admin would add the three policies they created to the location, "New York."
  3. Configure your network so that:
    a. Different groups of users at the location (each of whom will have a different policy) send traffic from different VLANs. In the example above:
    • The POS network sends traffic from VLAN 10.
    • The employee network sends traffic from VLAN 20.
    • The guest Wi-Fi network sends traffic from VLAN 30.
    b. Each VLAN sends DNS requests to the DNS IP address that you have tied to the appropriate policy in Step 1. In the example above:
    • VLAN 10 sends DNS requests to 8.34.34.101
    • VLAN 20 sends DNS requests to 8.34.34.102
    • VLAN 30 sends DNS requests to 8.34.34.103

Once you’ve completed these tasks, when Shift receives traffic from one of your users at one of its four DNS IP addresses, it will know which policy to apply to the traffic by looking at the source IP address of the traffic. In the example above, if Shift receives traffic from the address 1.1.1.1 at its 8.34.34.102 DNS IP address, it knows that the traffic is coming from one of the employees at the location and applies the employee policy the admin has configured.

Policy Configuration

Follow the instructions below for configuring single or multiple policies for a location.

  1. From the Administration menu, select Policies
  2. In the upper-right corner, click Add New Policy to open the New Policy window
  3. Enter a Name for the policy
  4. Click and select a Content Filter Type. To see which URL categories are blocked by a specific Content Filter Type:
    • Select a Content Filter Type
    • Click Show Categories for Selected Policy Level. The URL categories blocked by that Content Filter Type appears in red, while the allowed URL categories appear in green
      To see a complete list of content filters, read Content Filters
  5. Enable or disable Threat Security. The feature is enabled by default
  6. Enable or disable Safe Search. The feature is enabled by default
  7. Enable or disable SSL Interception. The feature is disabled by default. SSL inspection is not recommended for guest Wi-Fi and other deployments where devices are unmanaged or installing a certificate on user devices is not feasible. If you enable SSL interception, the following dialog appears. See image.
    You must: 
    • Download the SSL Inspection Root Certificate from the link provided in the dialog
    • After completing policy configuration, install the certificate either manually on user devices or if your organization uses Active Directory, you can use the Active Directory Group Policy Object (GPO) feature to distribute the certificate. Different operating systems and browsers handle SSL Inspection Root Certificates in different ways. For example, Firefox (including version, 42.0) uses its own certificate store rather than the certificate store of the device operating system. You must install the root certificate manually in the Firefox browser. Refer to the documentation for the browsers your organization uses to ensure that you correctly install the Zscaler root certificate.
      The user will receive a warning when visiting HTTPS websites through Shift if the root certificate is not installed.
       
  8. If you want to blacklist or whitelist any URL categories for this policy:
    • You must add the URLs you want to blacklist or whitelist to custom categories. For more information on this topic, see Adding Custom Categories to Whitelist or Blacklist URLs. You cannot move forward to the next two steps without first completing this task.
    • Under Custom Category Selection Always Block Categories, select from the drop-down menu the custom categories which contain the URLs you want to blacklist
    • Under Custom Category Selection Always Allow Categories, select from the drop-down menu the custom categories which contain the URLs you want to whitelist
  9. If you are configuring this policy for a location that will have just one policy for all users, you can skip this step and leave the selection as "anycast-main."

    If the policy you are configuring will be one of multiple policies for a location, under Multiple Policy > Zscaler DNS Service IP Binding, select from the drop-down menu the DNS IP address that you want to be affiliated with this policy. The options in the drop-down menu correspond to the following four Shift DNS IP addresses to which you can send your users' traffic:
    • anycast-main: 8.34.34.34 (primary) / 8.35.35.35 (secondary)
    • anycast-101: 8.34.34.101 (primary) / 8.35.35.101 (secondary)
    • anycast-102: 8.34.34.102 (primary) / 8.35.35.102 (secondary)
    • anycast-103: 8.34.34.103 (primary) / 8.35.35.103 (secondary)
    To ensure you select the correct DNS IP address for the policy, read the Multiple Policies per Location overview above. As explained there, tying the DNS IP address to the policy is just one step in enabling multiple policies for a location. You must also complete the following tasks after configuring your policies.
    • In the Admin Portal, add the multiple policies to the appropriate location.
    • Configure the routers in your network so that:
      • Different groups of users at the location (each of whom will have a different policy) send traffic from different VLANs.
      • Each VLAN sends DNS requests to the DNS IP address that you have tied to the appropriate policy.
  10. Click Save

Screenshot of the SSL Inspection Dialog Box