Isolation (CBI)
What Is Isolation?
Isolation provides an organization the capability to isolate users from potentially harmful content on the internet. This is done by loading the accessed web page on a remote browser in any one of the many Zscaler data centers across the globe, and streaming the rendered content as a stream of pixels to the user’s native browser.
Isolating web pages on an ephemeral, remote browser ensures that the HTML files, CSS files, JavaScript files, and any other active content served by the accessed web page never reach the end user’s machine or the corporate network, thus ensuring an air gap between the end user and the web page accessed.
Isolation not only provides the capability to isolate web pages, but also allows the user to view file types in isolation without requiring a download of the files to their local machine.
This feature is fully integrated with ZIA, allowing the admin of an organization to granularly define what web traffic should be isolated and what policies need to be applied to the isolated traffic. The traffic egressing the isolation browser is also passed through the ZIA Public Service Edges before reaching the internet web page being accessed.
In addition to the security policies enforced by ZIA, Isolation provides additional data exfiltration security controls, which enable an organization to granularly control the level of interaction the user can have with the isolated web page.
Isolation for ZPA
Isolation is also integrated with Zscaler Private Access (ZPA). This allows ZPA admins to create policies that isolate web application traffic for their organization. To learn more, see About the ZPA Admin Portal and About Isolation Policy.
Isolation Traffic Flow
The internet-bound web traffic is forwarded to the ZIA Public Service Edges as usual using a GRE Tunnel, Zscaler Client Connector, or any of the other Zscaler recommended traffic forwarding methods. If the accessed URL hits a URL filtering policy on ZIA created by the admin to isolate the traffic, the HTTP/HTTPS request is redirected to the isolation profile URL with the original URL in the query string.
The user’s browser follows the redirect and makes a request to the isolation profile URL. Isolation accepts the request and assigns a temporary, remote browser for the user. The remote browser then makes a connection to the original URL that the user intended to access, and the web page is loaded on the remote browser. This request to the original web page is also routed through the nearest ZIA Public Service Edges, and the traffic is evaluated against all the policies defined for the user on ZIA by the admin.
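The redirect-based flow above, as an added example that is not Zscaler code: a URL filtering decision that returns an HTTP redirect to the isolation profile URL with the original URL percent-encoded in the query string, and the isolation side recovering that URL and evaluating the remote browser's outbound request against the same policy again. The profile URL, the hostnames, the category table and all helper names are hypothetical; the point it shows beyond the text is that the nested URL must be encoded so its own `?` and `&` survive, and that the recovered target is validated and re-checked rather than fetched blindly.

```python
"""Added example (not Zscaler code): modelling the 'isolate' redirect described
in the traffic-flow section. Policy data, profile URL and helper names are
hypothetical; the policy table stands in for ZIA's URL classifier."""
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical isolation profile URL (placeholder, not a real Zscaler endpoint).
ISOLATION_PROFILE_URL = "https://isolation.example.invalid/profile/default"

# Constructed lookup tables: hostname -> category, category -> action.
CATEGORY_BY_HOST = {
    "intranet.example.invalid": "corporate",
    "shop.example.invalid": "shopping",
}
ACTION_BY_CATEGORY = {
    "corporate": "allow",
    "shopping": "isolate",
    "uncategorized": "isolate",  # unknown sites are rendered remotely
}


def classify(url: str) -> str:
    """Toy classifier: category by hostname, 'uncategorized' if unknown."""
    host = urlparse(url).hostname or ""
    return CATEGORY_BY_HOST.get(host, "uncategorized")


def policy_action(url: str) -> str:
    return ACTION_BY_CATEGORY.get(classify(url), "allow")


def build_isolation_redirect(original_url: str) -> str:
    """Location header for an 'isolate' decision. urlencode percent-encodes the
    original URL so its own '?' and '&' do not break our query string."""
    return ISOLATION_PROFILE_URL + "?" + urlencode({"url": original_url})


def handle_request(url: str) -> Tuple[int, Dict[str, str]]:
    """Simulated proxy response as (status, headers)."""
    if policy_action(url) == "isolate":
        return 302, {"Location": build_isolation_redirect(url)}
    return 200, {}


def extract_original_url(redirect_url: str) -> Optional[str]:
    """Isolation side: recover the target from the query string and accept
    only absolute http(s) URLs before a remote browser is pointed at it."""
    query = urlparse(redirect_url).query
    target = parse_qs(query).get("url", [None])[0]
    if target is None:
        return None
    parsed = urlparse(target)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return None
    return target


def remote_browser_fetch_decision(redirect_url: str) -> str:
    """The remote browser's outbound request passes through the Public Service
    Edge again, so the same policy is evaluated a second time here."""
    target = extract_original_url(redirect_url)
    if target is None:
        return "reject"
    return policy_action(target)


if __name__ == "__main__":
    original = "https://shop.example.invalid/search?q=a&b=c"
    status, headers = handle_request(original)
    print(status, headers)
    print(extract_original_url(headers["Location"]))
    print(remote_browser_fetch_decision(headers["Location"]))
```

Without the encoding step, `b=c` would be parsed as a parameter of the isolation profile request rather than of the target page, and the remote browser would load a different URL than the user asked for.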
Default isolation profiles are automatically created for all organizations when they have Isolation. You can also manually create multiple isolation profiles for both ZIA and ZPA in their respective admin portals.
Isolation Architecture
The structure of Isolation consists of multiple engines that work together to forward and convert traffic. When the end user’s traffic hits Isolation, Isolation creates an endpoint container for the user on the cloud. The Chromium rendering engine makes a connection to the web page that the user has requested, and renders the content of that web page. The rendered web page is processed by the proprietary experience engine, which then converts it into a stream of images that are delivered to the user’s native browser over a secure HTTPS connection.
Each user redirected to Isolation is allocated an endpoint container, and all subsequent requests hitting the isolation profile use the same container. The containers are destroyed if a user manually logs out of the isolation session or if the default idle timeout of 10 minutes is reached.
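The container lifecycle just described, as an added example that is not Zscaler code: one container per user, reused by every subsequent request to the isolation profile, destroyed on explicit logout or once no request has arrived for the 10-minute default idle timeout. Container ids and the clock values are constructed; the class and method names are hypothetical.

```python
"""Added example (not Zscaler code): a minimal model of per-user endpoint
container allocation with reuse, logout teardown and idle-timeout reaping.
Container ids and timestamps are constructed; names are hypothetical."""
import itertools
from dataclasses import dataclass
from typing import Dict, List

IDLE_TIMEOUT_SECONDS = 10 * 60  # default idle timeout stated on the page


@dataclass
class Container:
    container_id: str
    user: str
    last_activity: float  # seconds, from the caller's clock


class ContainerPool:
    def __init__(self) -> None:
        self._by_user: Dict[str, Container] = {}
        self._ids = itertools.count(1)
        self.destroyed: List[str] = []  # ids torn down, for inspection

    def request(self, user: str, now: float) -> Container:
        """Called for every request hitting the isolation profile: reuse the
        user's live container, otherwise allocate a fresh one."""
        self.reap_idle(now)
        container = self._by_user.get(user)
        if container is None:
            container = Container(f"ctr-{next(self._ids)}", user, now)
            self._by_user[user] = container
        container.last_activity = now
        return container

    def logout(self, user: str) -> bool:
        """Manual logout destroys the container immediately."""
        container = self._by_user.pop(user, None)
        if container is None:
            return False
        self.destroyed.append(container.container_id)
        return True

    def reap_idle(self, now: float) -> int:
        """Destroy containers idle for at least IDLE_TIMEOUT_SECONDS."""
        expired = [
            user for user, c in self._by_user.items()
            if now - c.last_activity >= IDLE_TIMEOUT_SECONDS
        ]
        for user in expired:
            self.destroyed.append(self._by_user.pop(user).container_id)
        return len(expired)

    def live(self) -> int:
        return len(self._by_user)


if __name__ == "__main__":
    pool = ContainerPool()
    first = pool.request("alice", 0.0)
    again = pool.request("alice", 120.0)
    print(first.container_id == again.container_id)  # same container reused
    pool.request("bob", 120.0)
    print(pool.reap_idle(720.0), pool.live())  # alice expired, bob still live
```

Because `request` reaps before allocating, a user who returns after the idle window gets a fresh container rather than the stale one, which is what makes each session ephemeral.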