On the Advanced Settings page, you can configure settings for a variety of the Zscaler service's features.
To adjust the advanced settings:
By default, the Zscaler service "listens to" port 80 for HTTP traffic, port 443 for HTTPS traffic, port 53 for DNS traffic, and port 21 for FTP traffic. If your organization uses other or additional ports for HTTP, HTTPS, DNS, or FTP traffic, first create custom network services for those ports, and then configure the Zscaler service to accept HTTP, HTTPS, DNS, or FTP traffic on the ports assigned to the custom network services that you created.
Enable Admin Ranking: Turn on this feature if you want to rank administrators and use the ranks when you manage policies.
Allow Cascading to URL Filtering: Enable this if you want the service to apply the URL Filtering policy even if it has already applied a Cloud App Control policy that explicitly allows a transaction. By default, if a user requests a cloud app that you explicitly allow with a Cloud App Control policy rule, the service only applies the Cloud App Control policy and does not apply the URL Filtering policy. For example, if you have a Cloud App Control rule that allows viewing Facebook, but a URL Filtering policy that blocks www.facebook.com, a user will still be allowed to view Facebook because, by default, the service does not apply the URL Filtering policy if a Cloud App Control rule allows the transaction. However, in the same example, if you allow cascading to URL filtering, the service blocks the user from Facebook because of your URL Filtering policy.
If a user requests a cloud app for which you have not configured a Cloud App Control policy rule, the service still evaluates and applies the URL filtering policy. To learn more, see How does the Zscaler service enforce policies?
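The evaluation order described above, as an added example that is not part of the original page or Zscaler's own code. It models the two policy layers as simple lookup tables (a constructed simplification; the default action for an unmatched URL is assumed to be allow) and reproduces the Facebook case with cascading off and on:

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed, simplified model of the two policy layers described above;
# it is not Zscaler's implementation, only the evaluation order the text states.

@dataclass
class Decision:
    action: str   # "allow" or "block"
    reason: str   # which policy layer and rule produced the verdict

@dataclass
class Policies:
    cloud_app_rules: Dict[str, str] = field(default_factory=dict)  # cloud app -> action
    url_rules: Dict[str, str] = field(default_factory=dict)        # hostname -> action
    cascade_to_url_filtering: bool = False                         # the advanced setting

def url_filtering(pol: Policies, host: str) -> Decision:
    """URL Filtering layer: explicit host rule, otherwise allow (assumed default)."""
    return Decision(pol.url_rules.get(host, "allow"), f"url_filtering:{host}")

def evaluate(pol: Policies, app: Optional[str], host: str) -> Decision:
    """Cloud App Control runs first. An explicit allow is final unless cascading
    is on; with no matching Cloud App Control rule, URL Filtering always runs."""
    if app is not None and app in pol.cloud_app_rules:
        action = pol.cloud_app_rules[app]
        if action == "block":
            return Decision("block", f"cloud_app_control:{app}")
        if not pol.cascade_to_url_filtering:
            return Decision("allow", f"cloud_app_control:{app}")
    return url_filtering(pol, host)

def facebook_example(cascade: bool) -> Decision:
    """The page's example: an app rule allows Facebook, a URL rule blocks the host."""
    pol = Policies(cloud_app_rules={"Facebook": "allow"},
                   url_rules={"www.facebook.com": "block"},
                   cascade_to_url_filtering=cascade)
    return evaluate(pol, "Facebook", "www.facebook.com")
```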
Session Timeout Duration: Specify how long admins can be inactive on the Zscaler Admin Portal before they must log in again. By default, sessions time out after 30 minutes. You can enter a different interval, from 5 minutes to 600 minutes (10 hours).
Enable policies for SSL global exempted domains: Enable SSL decryption and policy enforcement for URLs and domains on the Zscaler global SSL exceptions list. The global SSL exceptions list is maintained by Zscaler and consists of URLs and domains that are exempted from SSL inspection and policy evaluation.
Enabling this option might cause SSL connection errors for applications. Before enabling it, contact Zscaler Support to ensure these URLs and domains have appropriate policies defined.
Log Internal IPs from XFF Headers: When the Zscaler service logs a transaction, it includes the source IP address, which is always the public IP address of the firewall or edge router that sent the traffic to the service. But if you use proxy chaining to forward traffic to the Zscaler service, a proxy server can insert an X-Forwarded-For (XFF) header in outbound HTTP requests. The XFF header identifies the IP address of the original client that sent the HTTP request through the proxy server.
If you enable this, the service will log the source IP address that is in the XFF header. Then when the service forwards the traffic to its destination, it will remove the original XFF header and replace it with an XFF header that contains the IP address of the client gateway (the organization’s public IP address), ensuring that an organization's internal IP addresses are never exposed to the external world.
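The logging and header rewriting described above, as an added example that is not part of the original page or Zscaler's own code. It assumes the standard XFF convention that the leftmost address is the original client, and (an assumption, since the page does not say) that with the setting disabled the header is passed through unchanged:

```python
import ipaddress
from typing import Dict, Optional, Tuple

def client_ip_from_xff(headers: Dict[str, str]) -> Optional[str]:
    """Return the original client address from X-Forwarded-For, if present.

    A chained proxy appends addresses, so the leftmost entry is the original
    client (assumption: standard XFF convention). A value that is not an IP
    address is ignored rather than logged.
    """
    raw = next((v for k, v in headers.items() if k.lower() == "x-forwarded-for"), None)
    if not raw:
        return None
    first = raw.split(",")[0].strip()
    try:
        ipaddress.ip_address(first)
    except ValueError:
        return None
    return first

def process_request(headers: Dict[str, str], source_ip: str,
                    log_internal_ips: bool) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Simulate the service's handling of one proxied request.

    source_ip is the public address of the gateway that forwarded the traffic.
    Returns (log_record, outbound_headers). With the setting on, the log also
    records the XFF client IP and the outbound XFF header is replaced with the
    gateway address, so internal addresses never leave the organization.
    """
    log = {"source_ip": source_ip}
    xff_ip = client_ip_from_xff(headers)
    if not log_internal_ips or xff_ip is None:
        return log, dict(headers)             # assumed: header passed through unchanged
    log["client_ip"] = xff_ip
    outbound = {k: v for k, v in headers.items() if k.lower() != "x-forwarded-for"}
    outbound["X-Forwarded-For"] = source_ip   # gateway's public IP replaces the internal one
    return log, outbound
```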
Enforce Surrogate IP Authentication: Some Windows 8 Metro apps use Internet Explorer as their user agent but do not support cookies or redirects, so the service does not allow traffic to these sites. Enable this option to allow the service to use the user-to-device mappings to apply the appropriate user policies to the traffic of the top Windows 8 Metro apps. The Surrogate IP feature must be enabled.
Enable Policy For Unauthenticated Traffic: For policies where you can specify users and departments in the criteria, the Zscaler service enables you to specify whether you want a rule to apply if the user traffic is unauthenticated. You must turn on this feature here if you want this option to appear when configuring your policy rules. Any rule that applies to unauthenticated traffic must apply to all locations; you cannot apply a rule to unauthenticated traffic and select particular locations. To learn more, see How do I configure the policy for unauthenticated traffic?
HTTP Tunnel Control: A client can send an HTTP CONNECT method request in order to establish a tunnel connection to a remote server via the Zscaler service. Once the connection is established, the service then tunnels the traffic to the destination server on behalf of the client. The HTTP CONNECT method is typically used to initiate an SSL connection, but it can be used for tunneling purposes as well. By default, both of the following options are enabled: one allows the Zscaler service to inspect tunneled HTTP traffic, and the other restricts the service to accepting CONNECT method requests on ports 80 and 443 only.
This option, enabled by default, allows the Zscaler service to enforce configured policies on tunneled HTTP traffic that is sent via a CONNECT method request. For example, with this feature enabled, if the service receives a CONNECT request to www.cnn.com:80, the service will apply the configured web policies to HTTP traffic that it forwards to www.cnn.com. If this option is disabled, then the service will not apply the policies to the traffic to www.cnn.com.
This feature is enabled by default. The service restricts HTTP CONNECT method requests to the standard HTTP/HTTPS ports (80 and 443). You can disable this option to allow all HTTP CONNECT requests to non-standard HTTP/HTTPS ports, in addition to ports 80 and 443. For example, a CONNECT request for SSH to port 22 will be allowed if this feature is disabled.
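The two tunnel-control options above, as an added example that is not part of the original page or Zscaler's own code. It parses a CONNECT request line and returns the outcome for each combination of the port-restriction and inspection settings; whether an encrypted (port 443) tunnel can actually be inspected also depends on SSL inspection, which this example does not model:

```python
import re
from typing import Optional, Tuple

# 'CONNECT host:port HTTP/1.x' request line (a simplified grammar for this example)
CONNECT_RE = re.compile(r"^CONNECT\s+(?P<host>[^\s:]+):(?P<port>\d{1,5})\s+HTTP/1\.[01]\r?$")
STANDARD_PORTS = {80, 443}

def parse_connect(request_line: str) -> Optional[Tuple[str, int]]:
    """Return (host, port) for a well-formed CONNECT request line, else None."""
    m = CONNECT_RE.match(request_line)
    if not m:
        return None
    port = int(m.group("port"))
    if not 1 <= port <= 65535:
        return None
    return m.group("host"), port

def tunnel_decision(request_line: str, restrict_ports: bool,
                    inspect_tunnel: bool) -> Tuple[str, str]:
    """Decide what the service does with a CONNECT request.

    Returns (action, note) where action is "reject", "tunnel" or "inspect".
    restrict_ports mirrors the port-restriction option (on by default): only
    ports 80 and 443 may be tunnelled. inspect_tunnel mirrors the inspection
    option (on by default): tunnelled HTTP traffic gets the web policies applied
    instead of being passed through untouched.
    """
    parsed = parse_connect(request_line)
    if parsed is None:
        return "reject", "not a well-formed CONNECT request"
    host, port = parsed
    if restrict_ports and port not in STANDARD_PORTS:
        return "reject", f"port {port} is not 80/443 and port restriction is on"
    if inspect_tunnel:
        return "inspect", f"apply web policies to traffic forwarded to {host}:{port}"
    return "tunnel", f"pass traffic to {host}:{port} without policy evaluation"
```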
Settings for DNS Optimization: A Zscaler Enforcement Node (ZEN) can help ensure that your DNS resolution is optimized. If this feature is enabled, the DNS resolution process will proceed normally. However, when the client makes its initial HTTP or HTTPS request to the IP address returned by the DNS server, the Zscaler proxy will intercept the request, and perform its own DNS resolution. The proxy will then override the destination IP if the answers are different.
DNS optimization does not operate on the DNS packets themselves; rather, the action is performed based on the HTTP Host header for unencrypted HTTP traffic, or on the SNI field in the TLS Client Hello if the traffic is encrypted (HTTPS). If you wish to learn how to control individual DNS queries, see About DNS Control.
Optimization provides the benefit of ensuring that the destination IP is set based on a DNS view that is local to the ZEN. This reduces the geographic distance that the query and response will travel and provides an increase in performance due to a reduction in latency. As well as improving user experience, this feature provides added security to customers who are concerned that their client machine DNS is compromised.
When this feature is enabled, the default is to not optimize the resolution for any traffic. However, for more granular control, you can include or exclude specific categories, applications, and FQDNs from optimization.
Using authentication bypass or SSL bypass has no impact on this feature, because the domain name is still visible in the SNI.
This setting is applicable only with transparent mode connectivity to the ZEN (i.e., GRE or IPSec tunnels with no PAC file).
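The override logic described above, as an added example that is not part of the original page or Zscaler's own code. It takes the server name from the SNI of a TLS Client Hello (HTTPS) or from the Host header (plaintext HTTP), re-resolves it with a caller-supplied resolver standing in for the ZEN-local DNS view, and returns the destination the proxy should use; build_client_hello is a constructed helper that produces a minimal Client Hello for testing:

```python
import struct
from typing import Callable, Optional

def build_client_hello(server_name: str) -> bytes:
    """Constructed minimal TLS 1.2 Client Hello record carrying only an SNI extension."""
    name = server_name.encode("ascii")
    sni_list = b"\x00" + struct.pack("!H", len(name)) + name          # name_type host_name
    ext = struct.pack("!HHH", 0, len(sni_list) + 2, len(sni_list)) + sni_list
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"        # version, random, empty session id
            + b"\x00\x02\x13\x01" + b"\x01\x00"         # one cipher suite, null compression
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + struct.pack("!I", len(body))[1:] + body   # handshake type 1 + 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def extract_sni(record: bytes) -> Optional[str]:
    """Return host_name from a Client Hello's SNI extension, or None if absent/malformed."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:
            return None
        p = 9 + 2 + 32                                   # past headers, version and random
        p += 1 + record[p]                               # session id
        p += 2 + struct.unpack("!H", record[p:p + 2])[0]  # cipher suites
        p += 1 + record[p]                               # compression methods
        ext_end = p + 2 + struct.unpack("!H", record[p:p + 2])[0]
        p += 2
        while p + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", record[p:p + 4])
            p += 4
            if etype == 0:                               # server_name extension
                nlen = struct.unpack("!H", record[p + 3:p + 5])[0]
                return record[p + 5:p + 5 + nlen].decode("ascii")
            p += elen
    except (IndexError, struct.error, UnicodeDecodeError):
        pass
    return None

def optimize_destination(client_dst_ip: str, first_bytes: bytes,
                         resolve: Callable[[str], str]) -> str:
    """Pick the destination IP: the ZEN-local resolver's answer for the name taken
    from the TLS SNI (HTTPS) or the HTTP Host header, else the client's own choice."""
    name = extract_sni(first_bytes)
    if name is None and first_bytes[:1].isalpha():      # looks like plaintext HTTP
        for line in first_bytes.split(b"\r\n")[1:]:
            if line.lower().startswith(b"host:"):
                name = line.split(b":", 1)[1].strip().split(b":")[0].decode("ascii", "replace")
                break
    if name is None:
        return client_dst_ip                             # nothing to re-resolve
    return resolve(name)   # equals client_dst_ip when the answers agree, otherwise overrides it
```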
To enable this feature:
HTTP, HTTPS, and FTP are applicable only with transparent mode connectivity to the ZEN (i.e., GRE or IPSec tunnels with no PAC file).