On the Advanced Settings page, you can configure settings for a variety of the Zscaler service's features.
To configure advanced settings, follow the instructions below.
Enable Admin Ranking: Turn on this feature if you want to rank administrators and use the ranks when you manage policies.
Allow Cascading to URL Filtering: Enable this if you want the service to apply the URL Filtering policy even if it has already applied a Cloud App Control policy that explicitly allows a transaction. By default, if a user requests a cloud app that you explicitly allow with a Cloud App Control policy rule, the service only applies the Cloud App Control policy and does not apply the URL Filtering policy. For example, if you have a Cloud App Control rule that allows viewing Facebook, but a URL Filtering policy that blocks www.facebook.com, a user will still be allowed to view Facebook because by default, the service does not apply the URL Filtering policy if a Cloud App Control rule allows the transaction. However, in the same example, if you allow cascading to URL filtering, the service blocks the user from Facebook because of your URL Filtering policy.
NOTE: If a user requests a cloud app for which you have not configured a Cloud App Control policy rule, the service still evaluates and applies the URL filtering policy. See How does the Zscaler service enforce policies? to learn more.
Session Timeout Duration: Specify how long admins can be inactive on the Zscaler admin portal before they must log in again. By default, sessions restart after 30 minutes. You can enter in a different time interval, from 5 minutes to 600 minutes (10 hours).
Log Internal IPs from XFF Headers: When the Zscaler service logs a transaction, it includes the source IP address, which is always the public IP address of the firewall or edge router that sent the traffic to the service. But if you use proxy chaining to forward traffic to the Zscaler service, a proxy server can insert an X-Forwarded-For (XFF) header in outbound HTTP requests. The XFF header identifies the IP address of the original client that sent the HTTP request through the proxy server.
If you enable this, the service will log the source IP address that is in the XFF header. Then when the service forwards the traffic to its destination, it will remove the original XFF header and replace it with an XFF header that contains the IP address of the client gateway (the organization’s public IP address), ensuring that an organization's internal IP addresses are never exposed to the external world.
Enforce Surrogate IP Authentication: Some Windows 8 Metro apps use Internet Explorer as their user agent but do not support cookies or redirects, so the service does not allow traffic to these sites. Enable this option to allow the service to use the user-to-device mappings to apply the appropriate user policies to the traffic of the top Windows 8 Metro apps. The Surrogate IP feature must be enabled.
Enable Policy For Unauthenticated Traffic: For policies where you can specify users and departments in the criteria, the Zscaler service enables you to specify whether you want a rule to apply if the user traffic is unauthenticated. You must turn on this feature here if you want this option to appear when configuring your policy rules. Note that any rule that applies to unauthenticated traffic must apply to all locations; you cannot apply a rule to unauthenticated traffic and select particular locations. See How do I configure policy for unauthenticated traffic?
A client can send an HTTP CONNECT method request in order to establish a tunnel connection to a remote server via the Zscaler service. Once the connection is established, the service then tunnels the traffic to the destination server on behalf of the client. The HTTP CONNECT method is typically used to initiate an SSL connection, but it can be used for tunneling purposes as well. By default, the following options to allow the Zscaler service to inspect tunneled HTTP traffic and to restrict the service to accepting CONNECT method requests on ports 80 and 443 only are enabled.
This option, enabled by default, allows the Zscaler service to enforce configured policies on tunneled HTTP traffic that is sent via a CONNECT method request. For example, with this feature enabled, if the service receives a CONNECT request to www.cnn.com:80, the service will apply the configured web policies to HTTP traffic that it forwards to www.cnn.com. If this option is disabled, then the service will not apply the policies to the traffic to www.cnn.com.
This feature is enabled by default. The service restricts HTTP CONNECT method requests to the standard HTTP/HTTPS ports (80 and 443). You can disable this option to allow all HTTP CONNECT requests to non-standard HTTP/HTTPS ports, in addition to ports 80 and 443. For example, a CONNECT request for SSH to port 22 will be allowed if this feature is disabled.
By default, the Zscaler service "listens to" port 80 for HTTP traffic, port 443 for HTTPS traffic, port 53 for DNS traffic, and port 21 for FTP traffic. If your organization uses other ports or additional ports for HTTP, HTTPS, DNS, and FTP traffic, you can enable Zscaler to use custom ports for these services by creating custom network services for these ports, and then configure the service to accept HTTP, HTTPS, DNS or FTP traffic from the ports assigned to the custom services that you created.
Enable the following to redirect outbound HTTP, HTTPS, FTP, and/or DNS traffic that is destined to a non-standard port and that does not match any predefined network service to the web engine for inspection.