icon-unified.svg
Experience Center

Blocking LAN Access

To prevent users from accessing other endpoints on local area networks, admins can configure Zscaler Client Connector to block traffic. On Windows and Linux devices, admins can block traffic using destination exclusions in Zscaler Tunnel (Z-Tunnel) 2.0. For Mac devices, admins must create a system extension profile via an MDM (mobile device management), configure firewall rules, and also enable firewall settings in the Admin Portal.

  • To block LAN access for Windows and Linux devices:

    1. Go to Infrastructure > Connectors > Client.

    2. Under Platform Settings, select Windows or Linux, and click Add Windows Policy or Add Linux Policy.

      The Add Windows Policy or Add Linux Policy window appears.

    3. In (Optional) For Z-Tunnel 2.0 Configuration:

      Destination Exclusions: Enter the specific subnets of the traffic you want to exclude from Z-Tunnel 2.0

      By default, the Zscaler service includes the RFC 1918 networks (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) in the exclusions list. See RFC 1918 Address Allocation for Private Internets. Zscaler also includes the multicast range 224.0.0.0/4. Zscaler recommends that you keep these networks in the list, unless explicitly needed, because deleting them causes private network traffic (e.g., DHCP) to be tunneled through the cloud.

    Close

  • To block LAN access for Mac devices, configure these steps based on the MDM you are using.

    Microsoft Intune

      1. In the Microsoft Intune for macOS Admin Portal, go to Devices.
      2. From the options, click Configuration profiles.

      1. Click Create profile.

      1. In the Create a profile section:
      • Platform: Select macOS.
      • Profile type: Select Templates.
      • Template name: Choose Extensions.

      1. Click Create.
      2. In the Basics section:
      • Name: Enter a name for the preference file. For example, Zscaler System Extension.
      • Description: (Optional) Enter a description.

      1. Click Next.
      2. In the Configuration settings section, expand the System extensions section:
      • Block user overrides: Select Yes if you want to block the users from making any changes to the file. The default setting is Not configured.
      • Team identifier: Enter the team identifier PCBCQZJ7S7.
        The team identifier allows the System Extension Profile to be installed on the user's system silently.

      1. Click Next.
      2. In the Assignments section, choose the users, groups, and devices for the profile.

      1. Click Next.
      2. In the Review + create section, review the summary, and click Create.

      If the system extension feature is activated using a command line, you must deactivate it manually. Uninstallation of Zscaler Client Connector does not remove the system extension feature.

      Close
      1. In the Microsoft Intune for macOS Admin Portal, go to Devices.
      2. From the options, click Configuration profiles.
      3. Click Create profile.
      4. In the Create a profile section:
      • Platform: Select macOS.
      • Profile type: Select Templates.
      • Template name: Choose Custom.
      1. Click Create.
      2. In the Basics section:
      • Name: Enter a name for the preference file. For example, Zscaler firewall rules.
      • Description: (Optional) Enter a description.
      1. Click Next.
      2. In the Configuration settings section, upload the ZscalerSample.mobileconfig file.

      You can edit the following values in the copied content based on your needs:

      • action: Defines what action is taken if the rule matches. Select allow or block.
      • apps: Specifies a flow's association with a particular application. This value must exactly match the teamid.bundleid, unless the app has no Team ID, in which case the app must exactly match the bundleid.
      • protos: Specifies the IP protocol that the flow must match. For example, [tcp and/or udp] or icmp.

      System extension does not filter incoming ICMP.

      • ips: Specifies the set of remote IP addresses that the flow must match. Add a space or a comma to the delimited list of IP addresses and/or IP subnets. Mixed IPv4, IPv6 addresses, and lanlocal are allowed.
      • ports: Specifies what UDP or TCP ports cause the rule to match the flow. Add a space or comma to the delimited list of port numbers and/or port ranges. If protos is configured and is set to icmp, the ports attribute is ignored.
      • enforceTrafficViaTunnel: If true, when the tunnel is inactive, prevents circumvention of security by restricting network traffic when the Zscaler tunnel is not running.
      • Persistent: If true, filtering remains on even when the user exits Zscaler Client Connector or turns off Internet & SaaS. The feature is disabled only after the user logs out. If the persistent key is false, filtering stops when the user exits Zscaler Client Connector, turns off Internet & SaaS, or logs out.

      The VendorConfig section of the ZscalerSample.mobileconfig has several dictionaries that determine the logic for the traffic.

      The top-level dictionaries are inbound, outbound, and general. Within each dictionary are dictionaries for untrusted or trusted networks. Each trusted and untrusted key contains an optional array of rule dictionaries. Within each rule dictionary, you can define specific actions.

      The following is an empty example of this structure for inbound:

      <key>inbound</key>
                                                            <dict>
                                                                <key>trustednet</key>
                                                                <array>
                                                                    <dict>
                                                                        <key>action</key>
                                                                        <string>allow</string>
                                                                    </dict>
                                                                </array>
                                                                <key>untrustednet</key>
                                                                <array>
                                                                    <dict>
                                                                        <key>action</key>
                                                                        <string>allow</string>
                                                                    </dict>
                                                                </array>
                                                            </dict>

      Actions include allow and block. Possible network specifications include applications (apps), IP addresses (ips), and ports (ports).

      To block the browser Opera from communicating outbound, block traffic to 1.2.3.4 and any local network traffic, and port 5432 traffic on an untrusted network, see the following example:

      <key>outbound</key>
                                                            <dict>
                                                                <key>trustednet</key>
                                                                <array>
                                                                    <dict>
                                                                        <key>action</key>
                                                                        <string>allow</string>
                                                                    </dict>
                                                                </array>
                                                                <key>untrustednet</key>
                                                                <array>
                                                                    <dict>
                                                                        <key>apps</key>
                                                                        <string>A2P9LX4JPN.com.operasoftware.Opera</string>
                                                                        <key>action</key>
                                                                        <string>block</string>
                                                                    </dict>
                                                                    <dict>
                                                                        <key>ips</key>
                                                                        <string>1:2:3:4:: 1.2.3.4 lanlocal</string>
                                                                        <key>action</key>
                                                                        <string>block</string>
                                                                    </dict>
                                                                    <dict>
                                                                        <key>ports</key>
                                                                        <string>5432</string>
                                                                        <key>action</key>
                                                                        <string>block</string>
                                                                    </dict>
                                                                </array>
                                                            </dict>

      How are Rules Evaluated?

      The above untrustednet array has three separate rules (apps, ips, ports). Each rule is independent of the other two. For example, if traffic from Opera is detected, it matches only the first rule (apps), where the second rule (ips) and third rules (ports) are not evaluated. Similarly, if the second rule is matched because the traffic is not from Opera, but the remote address is 1.2.3.4, then the third rule is not evaluated. Only if the traffic is not from Opera, and is also not destined for 1:2:3:4::, 1.2.3.4, or lanlocal, then the third rule is evaluated.

      You can combine key types for more specific rules, such as disallowing Opera traffic only if the destination is 1.2.3.4:5432:. For example:

      <dict>
                                                            <key>apps</key>
                                                            <string>A2P9LX4JPN.com.operasoftware.Opera</string>
                                                            <key>ips</key>
                                                            <string>1:2:3:4:: 1.2.3.4 lanlocal</string>
                                                            <key>ports</key>
                                                            <string>5432</string>
                                                            <key>action</key>
                                                            <string>block</string>
                                                            </dict>
      1. Click Next.
      2. In the Assignments section, choose the users, groups, and devices for the profile.
      3. Click Next.
      4. In the Review + create section, review the summary, and click Create.
      Close

    • To create a property list file, see Configuring a Custom Settings Profile.

      Close
      1. In the Admin Portal, go to Infrastructure > Connectors > Client.

      2. Under Platform Settings, select macOS and click Add macOS Policy.

        The Add macOS Policy window appears.

      3. In Add macOS Policy window, enable Zscaler Firewall to determine which network traffic is allowed and blocked. This setting is disabled by default.

      Zscaler Firewall setting in macOS policy

      Close

    JAMF Pro

    • Zscaler system extension is built into Zscaler Client Connector, but it should be configured in JAMF to activate it. To add a configuration profile for system extension:

      1. In the JAMF Pro portal, go to the Computers tab.
      2. In the left-side navigation, select Configuration Profiles.

      1. Click New to create a new configuration profile.
      2. In the General section:
      • Name: Enter a name. For example, Zscaler System Extension Deployment.
      • Description: (Optional) Add a description.
      • Category: (Optional) Choose a category based on the JAMF categories you configured.
      • Level: Choose a level per your requirements.
      • Distribution method: Choose a distribution method per your requirements.
      1. Click Save.
      2. On the Options tab, click Application & Custom Settings to reveal the Upload option.

      1. Click Upload > Add.
      2. In the Upload window:

      1. Click Save.
      2. On the Options tab, select Content Filter.
      3. In the Content Filter section:
      • Filter Name: Enter a name for your filter.
      • Identifier: Enter com.zscaler.zscaler
      • Service Address: zscaler.com.
      • Organization: Enter Zscaler
      • User Name: (Optional) Enter a username.

      Content Filter sectionClose

      • Socket Filter Bundle Identifier: Enter com.zscaler.zscaler.pktfilter
      • Socket filter Designated Requirement: Enter identifier: "com.zscaler.zscaler.pktfilter" and anchor apple generic

      1. Click Save.
      Close

    • You can define system extension settings, such as setting up a team identifier to configure system extension profiles in the JAMF Pro portal. This step ensures the user's device automatically trusts the system extension, instead of prompting them for acceptance.

      1. In the JAMF Pro portal, go to the Computers tab.
      2. In the left-side navigation, select Configuration Profiles.
      3. Click Configure.

      1. Under System Extensions:
        • Display Name: Enter a display name. For example, Zscaler Filter System Extension.
        • System Extension Types: Select Allowed Team Identifiers from the drop-down menu.
        • Team Identifier: Enter PCBCQZJ7S7.

      1. Click Save.
      2. To bind the Configuration Profile to particular computers, select the necessary information for Targets, Limitations, and Exclusions under the Scope tab.

      Close
    Close
Related Articles
Understanding Zscaler Client Connector App DownloadsCustomizing Zscaler Client Connector with Install Options for MSICustomizing Zscaler Client Connector with Install Options for EXECustomizing Zscaler Client Connector with Install Options for macOSCustomizing Zscaler Client Connector with Install Options for LinuxCustomizing Zscaler Client Connector with Install Options for AndroidCustomizing Zscaler Client Connector with Install Options for iOSDeploying Zscaler Client Connector with Active Directory for WindowsDeploying Zscaler Client Connector with MaaS360 for AndroidDeploying Zscaler Client Connector with MaaS360 for iOSDeploying Zscaler Client Connector with Microsoft Intune for AndroidDeploying Zscaler Client Connector with Microsoft Intune for macOSDeploying Zscaler Client Connector with Microsoft Intune for iOSDeploying Zscaler Client Connector with MobileIron for iOSDeploying Zscaler Client Connector with MobileIron for AndroidDeploying Zscaler Client Connector with Jamf Pro for macOSDeploying Zscaler Client Connector with Jamf Pro for iOSDeploying Zscaler Client Connector with Workspace ONE UEM for AndroidDeploying Zscaler Client Connector with Workspace ONE UEM for iOSBlocking LAN AccessBest Practices for Zscaler Client Connector DeploymentBest Practices for Updating Latest Versions of Zscaler Client Connector ApplicationUninstalling Zscaler Client ConnectorReverting Zscaler Client Connector to the Previous VersionUpgrading Zscaler Client Connector