Secure Internet and SaaS Access (ZIA)
Adding a Collaboration & Online Meetings Rule for Cloud App Control
You can create rules to control access to specific cloud applications. Cloud Apps are organized into categories to facilitate defining rules for similar applications.
Organizations use cloud applications to connect users around the world. They're using applications, such as WebEx and GoToMeeting, to meet online and share information; and they're using enterprise social network applications, such as Yammer, so their teams can collaborate and share their knowledge.
You can create rules for the Collaboration & Online Meetings policy to control these types of cloud applications. You can specify which applications your users are allowed to access and define a daily quota by bandwidth or time.
When users browse to these sites after their quota has been reached, the Zscaler service displays a message that explains that the content cannot be viewed because they exceeded their daily quota. If a user exceeds the daily quota while in a web video conference over an SSL/TLS connection, the service allows the user to finish the meeting but blocks additional video conferences. If the video conference is not over an SSL/TLS connection (HTTP connection), the service ends the connection immediately.
Adding a Rule for Collaboration & Online Meetings Apps
To add a rule for Collaboration & Online Meetings apps:
- Go to Policy > URL & Cloud App Control.
- From the Cloud App Control Policy tab, click Add and select Collaboration & Online Meetings.
- Enter the rule attributes:
- Rule Order: Policy rules are evaluated in ascending numerical order (Rule 1 before Rule 2, and so on), and the Rule Order reflects this rule’s place in the order. You can change the value, but if you’ve enabled Admin Rank, your assigned admin rank determines the Rule Order values you can select.
- Admin Rank: Enter a value from 0-7 (0 is the highest rank). Your assigned admin rank determines the values you can select. You cannot select a rank that is higher than your own. The rule’s Admin Rank determines the value you can select in Rule Order, so that a rule with a higher Admin Rank always precedes a rule with a lower Admin Rank.
- Rule Name: Enter a unique name for the rule or use the default name.
- Rule Status: An enabled rule is actively enforced. A disabled rule is not actively enforced but does not lose its place in the Rule Order. The service skips it and moves to the next rule.
- Rule Label: Select a rule label to associate it with the rule. To learn more, see About Rule Label.
- Define the criteria:
- Cloud Applications: Select Any to apply the rule to all cloud applications in this category, or select any number of cloud applications. You can also search for applications.
By default, this field displays the first 100 cloud applications. The next 100 cloud applications are displayed when you click the Click to see more link at the bottom of the list. You can repeat this process to view the remaining cloud applications.
To allow Slack audio and video calls, you must include both Amazon Chime and Slack under Cloud Applications in the allow rule. To learn more, see Slack Help Center.
- Cloud Application Instances: Select the cloud application instances to which the rule applies. You can select a maximum of 8 instances per rule.
A cloud application instance appears only if its parent application is selected under Cloud Applications.
- Cloud Application Risk Profile: Select a profile to which the rule applies.
You can select either the Cloud Application Risk Profile field or the Cloud Applications field for the rule.
- Users: Select Any to apply the rule to all users, or select up to 4 users under General Users. If you've enabled the Policy for Unauthenticated Traffic, you can select Special Users to apply this rule to all unauthenticated users, or select specific types of unauthenticated users. You can search for users or click the Add icon to add a new user.
- Groups: Select Any to apply the rule to all groups, or select up to 8 groups. You can search for groups or click the Add icon to add a new group.
- Departments: Select Any to apply the rule to all departments, or select up to 8 departments. If you've enabled the Policy for Unauthenticated Traffic, you can select Special Departments to apply this rule to all unauthenticated transactions. You can search for departments or click the Add icon to add a new department.
Any rule that applies to unauthenticated traffic must apply to all Groups and Departments. So, if you have chosen to apply this rule to unauthenticated traffic for either Users or Departments, select Any from the drop-down menus for Groups and Departments.
- Locations: Select Any to apply the rule to all locations, or select up to 8 locations. You can also search for a location or click the Add icon to add a new location.
- Location Groups: Select Any to apply the rule to all location groups, or select up to 32 location groups. You can also search for a location group.
- Time: Select Always to apply this rule to all time intervals, or select up to two time intervals. You can also search for a time interval or click the Add icon to add a new time interval.
- Devices: Select the devices to which the rule applies. You can also search for a device. Selecting no value ignores this criterion in the policy evaluation.
- Device Groups: Select the device groups to which the rule applies. For Zscaler Client Connector traffic, select the appropriate group based on the device platform. Select Cloud Browser Isolation to apply the rule to Cloud Browser Isolation traffic, or No Client Connector to apply it to traffic that is not tunneled through Zscaler Client Connector. You can also search for a device group. Selecting no value ignores this criterion in the policy evaluation.
The Cloud Browser Isolation group is available only if Cloud Browser Isolation is enabled for your organization.
- Device Trust Level: Select the device trust level values (High Trust, Medium Trust, Low Trust, or Unknown) to which the rule applies. The High Trust, Medium Trust, and Low Trust evaluations apply only to Zscaler Client Connector traffic, whereas the Unknown evaluation applies to all traffic. Selecting no value ignores this criterion in the policy evaluation.
The trust levels assigned to devices are based on your posture configurations in the Zscaler Client Connector Portal.
- User Agent: Select Any to apply the rule to all user agents, or select any number of user agents. You can also search for an agent.
- User Risk Profile: Select the user risk score levels to which the rule applies. Selecting no value ignores this criterion in the policy evaluation.
Users are assigned a risk score based on their browsing activities. A range of risk scores is grouped as a risk score level.
By default, the following user risk score levels are available:
- Low: user risk scores from 0 to 29
- Medium: user risk scores from 30 to 59
- High: user risk scores from 60 to 79
- Critical: user risk scores from 80 to 100
Contact Zscaler Support to customize the user risk score range of these levels for your organization.
- Define the rule expiry:
- Enable Rule Expiration: Enable this option to set a validity period for the rule.
- Start Date and Time: Select a start date and time. The rule will be valid starting on this date and time.
- End Date and Time: Select an end date and time. The rule will cease to be valid on this date and time.
- Time Zone: Select the time zone in which the rule should be valid.
- Specify the action for the rule:
- Application Access: Choose one of the following options:
- Allow
Choose to allow the users to access the selected applications.
The following applications support additional granular actions, which you can Allow or Block:
- For Webex Meetings, the granular actions include Sharing, Editing, Creating, Downloading, Chatting, Uploading, Inviting, and Meeting.
- For Slack, the granular actions include Editing, Creating, Downloading, Deleting, Chatting, Uploading, Inviting, and Huddle.
- For SharePoint Online, the granular actions include Sharing, Editing, Renaming, Creating, Downloading, Deleting, and Uploading.
- For Microsoft Teams, the granular actions include Chatting and Screen Sharing.
If these applications are selected together, only the common granular actions among them appear.
- Daily Bandwidth Quota: (Optional) The bandwidth quota includes data uploaded to and downloaded from the cloud application. To enforce the quota on each location, do not select specific users, groups, or departments. To enforce the quota on specific users, groups, or departments, SSL inspection and authentication must be enabled. If a user comes from a known location, the quota is reset at midnight based on the location time zone; for remote users, the quota is reset based on the organization’s time zone. The minimum value you can enter is 10 MB and the maximum value is 100,000 MB.
- Daily Time Quota: (Optional) The time quota is based on the amount of time elapsed in a session while uploading and downloading data. The session idle times are ignored. The minimum value you can enter is 15 minutes and the maximum value is 600 minutes.
- Tenant Profiles: Appears only when Google Calendar, Google Keep, Google Meet, Google Sites, Slack, Webex Teams, Webex Meetings, or Zoom is selected as the cloud application. You can select the tenant profiles for which you want to apply the rule. To learn more, see About Tenant Profiles.
Ensure that the applications selected under the tenant profiles are not exempted from SSL Inspection.
- Caution
Choose to display an EUN that cautions users before allowing them access to the selected applications.
You can select this action for only one of the following request methods: CONNECT, GET, or HEAD.
- Daily Bandwidth Quota: (Optional) The bandwidth quota includes data uploaded to and downloaded from the cloud application. To enforce the quota on each location, do not select specific users, groups, or departments. To enforce the quota on specific users, groups, or departments, SSL inspection and authentication must be enabled. If a user comes from a known location, the quota is reset at midnight based on the location time zone; for remote users, the quota is reset based on the organization’s time zone. The minimum value you can enter is 10 MB and the maximum value is 100,000 MB.
- Daily Time Quota: (Optional) The time quota is based on the amount of time elapsed in a session while uploading and downloading data. The session idle times are ignored. The minimum value you can enter is 15 minutes and the maximum value is 600 minutes.
- Block
Choose to block the users from accessing the selected applications.
- Isolate
Choose to isolate all the traffic that matches the cloud app control rule through a remote browser. To learn more, see What Is Isolation?.
- Isolation Profile: Appears when you select Isolate. You can choose the isolation profiles to which the rule applies.
Ensure that isolation profiles have been created for your organization.
- Daily Bandwidth Quota: (Optional) The bandwidth quota includes data uploaded to and downloaded from the cloud application. To enforce the quota on each location, do not select specific users, groups, or departments. To enforce the quota on specific users, groups, or departments, SSL inspection and authentication must be enabled. If a user comes from a known location, the quota is reset at midnight based on the location time zone; for remote users, the quota is reset based on the organization’s time zone. The minimum value you can enter is 10 MB and the maximum value is 100,000 MB.
- Daily Time Quota: (Optional) The time quota is based on the amount of time elapsed in a session while uploading and downloading data. The session idle times are ignored. The minimum value you can enter is 15 minutes and the maximum value is 600 minutes.
- Tenant Profiles: Appears only when Google Calendar, Google Keep, Google Meet, Google Sites, Slack, Webex Teams, Webex Meetings, or Zoom is selected as the cloud application. You can select the tenant profiles for which you want to apply the rule. To learn more, see About Tenant Profiles.
Ensure that the applications selected under the tenant profiles are not exempted from SSL Inspection.
The Isolate option is available only if Isolation is enabled for your organization.
- Cascade to URL Filtering: Enable if you want to enforce the URL Filtering policy on a transaction, even after it's explicitly allowed by the Cloud App Control policy. However, the URL Filtering policy doesn't apply if the Cloud App Control policy blocks the transaction.
This field appears only when the Allow Cascading to URL Filtering option is disabled on the Advanced Settings page (Administration > Advanced Settings).
- (Optional) Define the notification settings:
- Browser Notification Template: Select a browser-based EUN message from the drop-down menu to display in the browser when the user's activity triggers the Cloud App Control Policy rule.
This field appears when the application access is set to either Caution or Block.
- End User Notification: Appears when a granular action is blocked for the selected application or a tenant profile is selected. Select Show to show the Zscaler Client Connector-based EUN message on endpoints when the user activity triggers the Cloud App Control Policy rule, or select Hide if you don't want an EUN message to appear. This field is set to Show by default.
- Custom Message: Select a custom notification message that you want to show as the Zscaler Client Connector-based EUN. This field is set to the Default notification message if no message is selected from the drop-down menu.
- (Optional) In the Description field, enter additional notes or information. The description cannot exceed 10,240 characters.
- Click Save and activate the change.
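The procedure above describes several behaviours that are easy to get wrong when reasoning about a policy: rules are evaluated in ascending Rule Order, a disabled rule keeps its place but is skipped, a rule with a higher Admin Rank (lower number) must precede one with a lower rank, quotas have fixed ranges, and the daily quota resets at midnight in the location's time zone for users at a known location but in the organization's time zone for remote users. The following model is an added illustration written for this page; it is not Zscaler code and not the ZIA API. The Rule fields, the validation helpers, the DailyQuota tracker, the sample rules and the fixed-offset time zones are all assumptions chosen to make those behaviours executable.

```python
"""Hypothetical model of Cloud App Control rule evaluation and daily quotas.
Not Zscaler code: field names, helpers and sample data are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone, tzinfo
from typing import FrozenSet, Iterable, Optional

ANY = "Any"


@dataclass
class Rule:
    order: int                  # Rule Order: evaluated ascending, 1 before 2
    admin_rank: int             # 0-7, 0 is the highest rank
    name: str
    enabled: bool               # a disabled rule keeps its place but is skipped
    apps: FrozenSet[str]        # {"Any"} or specific application names
    users: FrozenSet[str]       # {"Any"} or specific users
    action: str                 # "Allow", "Caution", "Block" or "Isolate"
    bw_quota_mb: Optional[int] = None     # 10 .. 100,000 MB
    time_quota_min: Optional[int] = None  # 15 .. 600 minutes


def validate_rule(rule: Rule, your_admin_rank: int) -> None:
    """Raise ValueError for values the procedure says cannot be selected."""
    if not 0 <= rule.admin_rank <= 7:
        raise ValueError("Admin Rank must be between 0 and 7")
    if rule.admin_rank < your_admin_rank:   # smaller number = higher rank
        raise ValueError("cannot select a rank higher than your own")
    if rule.bw_quota_mb is not None and not 10 <= rule.bw_quota_mb <= 100_000:
        raise ValueError("Daily Bandwidth Quota must be 10 to 100,000 MB")
    if rule.time_quota_min is not None and not 15 <= rule.time_quota_min <= 600:
        raise ValueError("Daily Time Quota must be 15 to 600 minutes")


def order_is_consistent(rules: Iterable[Rule]) -> bool:
    """A rule with a higher Admin Rank (lower number) must precede a lower one."""
    ordered = sorted(rules, key=lambda r: r.order)
    return all(a.admin_rank <= b.admin_rank for a, b in zip(ordered, ordered[1:]))


def first_match(rules: Iterable[Rule], app: str, user: str) -> Optional[Rule]:
    """First enabled rule, in ascending Rule Order, whose criteria match."""
    for rule in sorted(rules, key=lambda r: r.order):
        if not rule.enabled:
            continue
        if ANY not in rule.apps and app not in rule.apps:
            continue
        if ANY not in rule.users and user not in rule.users:
            continue
        return rule
    return None


class DailyQuota:
    """Per-user accounting for one rule's daily quotas. The quota day rolls
    over at midnight in the location's time zone for a user at a known
    location, and in the organization's time zone for a remote user
    (location_tz is None)."""

    def __init__(self, rule: Rule, org_tz: tzinfo):
        self.rule, self.org_tz = rule, org_tz
        self.mb = defaultdict(float)
        self.active_sec = defaultdict(float)

    def _key(self, user: str, ts: datetime, location_tz: Optional[tzinfo]):
        return user, ts.astimezone(location_tz or self.org_tz).date()

    def record(self, user, ts, location_tz, mb_up, mb_down, active_sec) -> bool:
        """Add traffic in both directions and active time (idle time is not passed in)."""
        key = self._key(user, ts, location_tz)
        self.mb[key] += mb_up + mb_down
        self.active_sec[key] += active_sec
        return self.exceeded(user, ts, location_tz)

    def exceeded(self, user, ts, location_tz) -> bool:
        key = self._key(user, ts, location_tz)
        r = self.rule
        over_bw = r.bw_quota_mb is not None and self.mb[key] >= r.bw_quota_mb
        over_time = (r.time_quota_min is not None
                     and self.active_sec[key] >= r.time_quota_min * 60)
        return bool(over_bw or over_time)


# Constructed sample policy; constructed fixed-offset zones (no DST) so it runs offline.
RULES = [
    Rule(1, 0, "Block GoToMeeting", True, frozenset({"GoToMeeting"}), frozenset({ANY}), "Block"),
    Rule(2, 1, "Retired rule", False, frozenset({ANY}), frozenset({ANY}), "Block"),
    Rule(3, 1, "Meetings with quota", True, frozenset({"Webex Meetings", "Zoom"}),
         frozenset({ANY}), "Allow", bw_quota_mb=500, time_quota_min=120),
]
UTC = timezone.utc
LONDON = timezone(timedelta(hours=0))
LOS_ANGELES = timezone(timedelta(hours=-8))


def quota_scenario():
    """Same two sessions for a user at a London location and for a remote user."""
    meetings = RULES[2]
    t1 = datetime(2024, 1, 15, 23, 30, tzinfo=UTC)   # before midnight in London
    t2 = datetime(2024, 1, 16, 0, 30, tzinfo=UTC)    # after midnight in London
    q = DailyQuota(meetings, org_tz=LOS_ANGELES)
    q.record("alice", t1, LONDON, 200, 200, 3600)
    alice_over = q.record("alice", t2, LONDON, 100, 100, 3600)  # new London day
    q.record("bob", t1, None, 200, 200, 3600)                    # remote: org tz
    bob_over = q.record("bob", t2, None, 100, 100, 3600)        # still Jan 15 in LA
    return alice_over, bob_over
```

Running `quota_scenario()` shows the effect of the reset rule: alice, at a known London location, starts a fresh quota day at 00:00 GMT and stays under 500 MB, while bob, a remote user, is still on 15 January in the organization's Los Angeles time zone, so his two sessions add up to 600 MB and 120 active minutes and both quotas are exceeded.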
To see how this policy fits into the overall order of policy enforcement, see Understanding Policy Enforcement.