icon-unified.svg
Experience Center

Creating Isolation Profiles for Internet & SaaS

When creating an Internet & SaaS policy with the action as Isolate, you must reference an isolation profile in the policy you're creating. These profiles determine certain attributes and specifications about how the user interacts with the isolated web page, where the isolation containers are spun up, and what the isolation experience looks like to the user.

You can use Private Applications Isolation profiles to create policies in Private Applications to isolate specific web applications. To learn more, see About Isolation Policy.

For any organization that is using Isolation, Internet & SaaS and Private Applications automatically create default isolation profiles. You can use the default isolation profiles or manually create isolation profiles to use in Internet & SaaS and Private Applications policies. To learn more, see Default Isolation Profiles in Isolation.

Prerequisites

  • For isolation policies to be applied, the Zscaler service must authenticate the web traffic. Unauthenticated traffic or traffic from locations with authentication disabled is not subjected to isolation policies.
  • For HTTPS web pages to be isolated, the traffic must be SSL inspected by the Zscaler service.

Creating an Isolation Profile for Internet & SaaS

To create a new isolation profile:

  1. Go to Policies > Common Configuration > Resources > Browser Isolation.

    The Isolation Profiles menu appears and displays the Internet & SaaS profiles view.

  2. Click Add Profile.

    The Add Isolation Profile window appears.

  3. In the Add Isolation Profile window:
    1. On the General tab:
      • Name: Enter a name for the Internet & SaaS isolation profile.
      • Description: (Optional) Enter a description of the profile.

    2. Click Next.

    3. On the Company Settings tab:
      1. Choose to use either the recommended PAC file URL or your own manually configured PAC file URL:
        • If you select Use recommended PAC file URL, the Automatic proxy configuration URL field is populated by default with the recommended PAC file from your Hosted PAC Files list in Internet & SaaS. The isolation browser configures the PAC file within the endpoint experience containers, and any traffic to the internet from the isolated browser is also forwarded through the Internet & SaaS cloud.
        • Enable or disable Override PAC File and return traffic to the ZIA Public Service Edge. The Internet & SaaS Public Service Edges use auto-geoproximity, meaning that the traffic is returned to the service edge closest to the location of the user, not the location of the isolation browser. To see the full list of Internet & SaaS Public Service Edges, see the Zscaler Configuration Portal.
      2. Enable or disable Debug Mode. If you enable it, you can optionally create a Debug File Password for the ZIP file that is created at the end of a debug troubleshoot. Make sure to share the password with the user associated with the isolation profile.

      3. From the Root Certificate drop-down menu, select at least one file. The Zscaler Root Certificate that Internet & SaaS uses for SSL inspection appears by default in the drop-down menu. If your organization uses custom root certificates for SSL inspection, you can add them before creating isolation profiles. You can add up to 10 root certificates for your organization. To learn more, see About Root Certificates for Isolation in Internet & SaaS.

      4. Click Done.
      5. Click Next.

    4. On the Security tab:

      1. Enable or disable Allow copying and pasting to and from your computer and the isolation browser.
      2. Enable or disable Allow file transfers to and from your computer and the isolation browser. If you enable for isolation to local computer, select whether the file transfer will be a Flattened PDF, Sandbox Scanned File, or the Original File. To learn more, see Sandbox Integration with Isolation.
      3. Enable or disable Allow printing of web pages and inline content from isolation.
      4. Enable or disable Restrict keyboard/text input to isolated web pages.
      5. Enable or disable Allow viewing Office files while in isolation.
      6. Enable or disable Allow local browser rendering while in isolation.

    5. On the Regions tab:

      1. From the drop-down menu, select at least two regions. The isolation containers are leased to the user only from the selected regions based on the least network latency.
      2. Click Done.
      3. Click Next.

    6. On the Isolation Experience tab:
      1. From the drop-down menu, select an Isolation Banner. The option you choose shows a preview banner in the window. Choose from existing banners, or create custom isolation banners to use for your isolation profiles. To learn more, see Adding a Banner Theme for the Isolation End User Notification in Internet & SaaS.
      2. Enable or disable the option to have a persisting isolation URL bar.

      3. Select the Isolation Experience mode:

        • Native browser experience: This mode provides the user with a browsing experience similar to accessing the native web page with a typical browser. The user can customize this view.
        • Browser-in-browser experience: This mode provides the user with the complete look and feel of an isolated session experience.

      4. Enable or disable the option to use a watermark while in isolation. Admins can enable watermarking per isolation profile and choose to display the user ID, date and timestamp (in UTC), and a custom message.

      5. (Optional) Enable Cookie Persistence: If you enable this feature, the Enable Cookie Persistence window displays the consent message for you to read to confirm enablement. This action means the cookies that the websites set, and that the user accesses through isolation, persist across browsing sessions. If you enable this option, the cookies are stored in encrypted storage. If you do not enable it, cookies do not persist, meaning they are destroyed with the container when the user logs out or exceeds the session timeout.

      6. (Optional) Enable Language Translation: This allows the user to translate any text from isolated web pages to the language of the user's choice.

  4. Click Save.

After you save your new isolation profile, it appears in the list of Internet & SaaS Isolation Profiles. To edit a profile directly from the list, click the Edit icon. To learn more, see Editing Your Isolation Profiles for Internet & SaaS and Deleting Your Isolation Profile for Internet & SaaS.

You can use this isolation profile to create a policy in Internet & SaaS to allow traffic forwarding through browser isolation. To learn more, see Configuring Internet & SaaS for Isolation.

Related Articles
Creating Isolation Profiles for Internet & SaaSEditing Your Isolation Profile for Internet & SaaSDeleting Your Isolation Profile for Internet & SaaS