About Advanced Settings


About Advanced Settings

On the Advanced Settings page, you can configure settings for a variety of the Zscaler service's features. 

To adjust the advanced settings:

  1. Go to Administration Advanced Settings
  2. Configure the following:
  3. Complete the following if you have enabled the firewall service

Watch a video about using custom ports for HTTP, HTTPS, DNS, and FTP traffic

By default, the Zscaler service "listens to" port 80 for HTTP traffic, port 443 for HTTPS traffic, port 53 for DNS traffic, and port 21 for FTP traffic. If your organization uses other ports or additional ports for HTTP, HTTPS,  DNS, and FTP traffic, you can enable Zscaler to use custom ports for these services by creating custom network services for these ports, and then configure the service to accept HTTP, HTTPS, DNS or FTP traffic from the ports assigned to the custom services that you created.

  1. Configure the following:
  2. Click Save and activate the change.

Watch a video about Admin Rank

Enable Admin Ranking: Turn on this feature if you want to rank administrators and use the ranks when you manage policies.

Watch a video about Allow Cascading to URL Filtering

Allow Cascading to URL Filtering: Enable this if you want the service to apply the URL Filtering policy even if it has already applied a Cloud App Control policy that explicitly allows a transaction. By default, if a user requests a cloud app that you explicitly allow with a Cloud App Control policy rule, the service only applies the Cloud App Control policy and does not apply the URL Filtering policy. For example, if you have a Cloud App Control rule that allows viewing Facebook, but a URL Filtering policy that blocks www.facebook.com, a user will still be allowed to view Facebook because, by default, the service does not apply the URL Filtering policy if a Cloud App Control rule allows the transaction. However, in the same example, if you allow cascading to URL filtering, the service blocks the user from Facebook because of your URL Filtering policy. 

If a user requests a cloud app for which you have not configured a Cloud App Control policy rule, the service still evaluates and applies the URL filtering policy. To learn more, see How does the Zscaler service enforce policies?

Watch a video about Admin Session Timeout

Session Timeout Duration: Specify how long admins can be inactive on the Zscaler Admin Portal before they must log in again. By default, sessions restart after 30 minutes. You can enter in a different time interval, from 5 minutes to 600 minutes (10 hours).

Watch a video about Authentication Exemptions

Authentication Exemptions: You can enable the service to exempt specific URL categories, URLs, cloud app categories or specific cloud apps from cookie authentication

Enable policies for SSL global exempted domains: Enable SSL Inspection and policy evaluation for URLs and domains on the Zscaler global SSL exemptions list. The global SSL exceptions list is maintained by Zscaler and consists of URLs and domains that are exempted from SSL Inspection and policy evaluation.

Enabling this option might cause SSL connection errors for applications. Before enabling it, contact Zscaler Support to ensure these URLs and domains have appropriate policies defined.

Watch a video about Internal IP Logging

Log Internal IPs from XFF Headers: When the Zscaler service logs a transaction, it includes the source IP address, which is always the public IP address of the firewall or edge router that sent the traffic to the service. But if you use proxy chaining to forward traffic to the Zscaler service, a proxy server can insert an X-Forwarded-For (XFF) header in outbound HTTP requests. The XFF header identifies the IP address of the original client that sent the HTTP request through the proxy server.

If you enable this, the service will log the source IP address that is in the XFF header. Then when the service forwards the traffic to its destination, it will remove the original XFF header and replace it with an XFF header that contains the IP address of the client gateway (the organization’s public IP address), ensuring that an organization's internal IP addresses are never exposed to the external world.

Watch a video about Enforce Surrogate IP Authentication

Enforce Surrogate IP Authentication: Some Windows 8 Metro apps use Internet Explorer as their user agent but do not support cookies or redirects, so the service does not allow traffic to these sites. Enable this option to allow the service to use the user-to-device mappings to apply the appropriate user policies to the traffic of the top Windows 8 Metro apps. The Surrogate IP feature must be enabled.

Watch a video about Policy for Unauthenticated Traffic

Enable Policy For Unauthenticated Traffic: For policies where you can specify users and departments in the criteria, the Zscaler service enables you to specify whether you want a rule to apply if the user traffic is unauthenticated. You must turn on this feature here if you want this option to appear when configuring your policy rules. Any rule that applies to unauthenticated traffic must apply to all locations; you cannot apply a rule to unauthenticated traffic and select particular locations. To learn more, see How do I configure the policy for unauthenticated traffic?

Watch a video about HTTP Tunnel Control

HTTP Tunnel Control: A client can send an HTTP CONNECT method request in order to establish a tunnel connection to a remote server via the Zscaler service. Once the connection is established, the service then tunnels the traffic to the destination server on behalf of the client. The HTTP CONNECT method is typically used to initiate an SSL connection, but it can be used for tunneling purposes as well. By default, the following options to allow the Zscaler service to inspect tunneled HTTP traffic and to restrict the service to accepting CONNECT method requests on ports 80 and 443 only are enabled.

  • Inspect tunneled HTTP traffic 

This option, enabled by default, allows the Zscaler service to enforce configured policies on tunneled HTTP traffic that is sent via a CONNECT method request. For example, with this feature enabled, if the service receives a CONNECT request to www.cnn.com:80, the service will apply the configured web policies to HTTP traffic that it forwards to www.cnn.com. If this option is disabled, then the service will not apply the policies to the traffic to www.cnn.com.

  • Block tunneling to non-HTTP/HTTPS ports:

This feature is enabled by default. The service restricts HTTP CONNECT method requests to the standard HTTP/HTTPS ports (80 and 443). You can disable this option to allow all HTTP CONNECT requests to non-standard HTTP/HTTPS ports, in addition to ports 80 and 443. For example, a CONNECT request for SSH to port 22 will be allowed if this feature is disabled.

Watch a video about DNS optimization

Settings for DNS Optimization: A Zscaler Enforcement Node (ZEN) can help ensure that your DNS resolution is optimized. If this feature is enabled, the DNS resolution process will proceed normally. However, when the client makes its initial HTTP or HTTPS request to the IP address returned by the DNS server, the Zscaler proxy will intercept the request, and perform its own DNS resolution. The proxy will then override the destination IP if the answers are different. 

DNS optimization does not operate on the DNS packets themselves, rather the action is performed based on the HTTP header for unencrypted HTTP traffic, or on the SNI field in the TLS Hello if the traffic is encrypted (HTTPS). If you wish to learn how to control individual DNS queries, see About DNS Control.

Optimization provides the benefit of ensuring that the destination IP is set based on a DNS view that is local to the ZEN. This reduces the geographic distance that the query and response will travel and provides an increase in performance due to a reduction in latency. As well as improving user experience, this feature provides added security to customers who are concerned that their client machine DNS is compromised. 

When this feature is enabled, the default is to not optimize the resolution for any traffic. However, if you desire greater granular control you can include or exclude specific categories, applications, and FQDNs from optimization.

Using auth bypass or SSL bypass has no impact. You can still see the domain name through SNI.

This setting is applicable only with transparent mode connectivity to the ZEN (i.e., GRE or IPSec tunnels with no PAC file).

By default, ZENs do not perform DNS optimization. To enable this feature:

  1. Click the Optimize DNS Resolution checkbox and complete the following:
    • Optimize These URL Categories: (Optional) Select the URL categories that you want to perform DNS optimization on.
    • Optimize These Cloud Applications: (Requires the Advanced Firewall license) (Optional) Select the cloud applications that want to perform DNS optimization on.
    • Optimize These FQDN: (Optional) Select the individual FQDNs that want to perform DNS optimization on.
    • Do Not Optimize These URL Categories: (Optional) Select the URL categories that you do not want to perform DNS optimization on.
    • Do Not Optimize These Cloud Applications: (Optional) Select the cloud applications that you do not want to perform DNS optimization on.
    • Do Not Optimize These FQDN: (Optional) Select the individual FQDNs that you do not want to perform DNS optimization on.
  2. Click Save and activate your changes.
    See image.

    From the HTTP Services and HTTPS Services lists, choose the custom service that specifies the ports your organization uses for HTTP and HTTPS.

    From the DNS Services list, choose the custom service that specifies the ports your organization uses for DNS traffic.

    From the FTP Services list, choose the custom service that specifies the ports your organization uses for FTP traffic.

      Watch a video about Auto Proxy Forwarding

      Enable to redirect outbound HTTP, HTTPS, FTP, and DNS traffic that is destined to a non-standard port and that doesn't match any predefined network service to the web engine for inspection. HTTP, HTTPS, and FTP are applicable only with transparent mode connectivity to the ZEN (i.e., GRE or IPSec tunnels with no PAC file).

      Requires the Advanced Firewall license. To learn more, see Zscaler Internet Access Bundles.

      Screenshot of the DNS optimization option