icon-zia.svg
Secure Internet and SaaS Access (ZIA)

Best Practices for Testing and Rolling Out SSL Inspection

As a best practice, Zscaler recommends that you enable SSL inspection on a small location or test lab before enabling it on all locations in your organization. This allows you to test your deployment of SSL inspection with a select number of users.

To enable SSL inspection, first deploy the Zscaler or custom intermediate root certificate. Then, enable SSL inspection for the location or sub-location you are using for testing.

Testing SSL Inspection

Before testing SSL inspection, define the set of users you want to use for testing. For example, you can choose users from the IT department, such as application authors and owners, support staff members, proxy team members, or security team members. You can also choose managers and end users from non-IT departments.

To test SSL inspection:

  1. Compile a list of the websites and applications that your organization uses for everyday operations. Remember to include vendor sites and applications.
  2. Enable SSL inspection for the websites and applications from the list by configuring the SSL Inspection policy, and then have the users test them.

When you are configuring the SSL Inspection policy, you are specifying the URL categories or applications that you do not want the service to inspect. For example, if you want to enable SSL inspection for the Legal Liability categories only, then select the Do Not Inspect action for all of the URL categories except the Legal Liability categories in your SSL inspection rule. The Zscaler service does not perform SSL inspection on the specified URL categories, but does perform SSL inspection on the Legal Liability categories.

  1. You might need to exempt some sites for SSL inspection permanently, or you might need to report sites to Zscaler Support to identify the cause of failure.

Zscaler recommends not to exempt the Miscellaneous or Unknown category for SSL inspection if the traffic forwarded to Zscaler uses transparent proxy mode. In transparent mode, policies on both SNI as well as IP addresses are evaluated for exemption from SSL inspection. Exempting SSL inspection for the Miscellaneous or Unknown category exempts almost all traffic from SSL inspection as most IP addresses are categorized as miscellaneous or unknown. However, in the case of explicit traffic forwarding, Zscaler evaluates the policies only based on SNI and does not exempt traffic from SSL inspection based on IP address categories. To learn more, see Choosing Traffic Forwarding Methods.

  1. After testing the list of websites and applications, test SSL inspection for the URL categories. As a best practice, Zscaler recommends that you enable SSL inspection for only certain URL categories at a time, and include the rest of the categories in the list of URL categories for which SSL transactions are not to be decrypted. Then, when your organization is ready, enable SSL inspection for all URL categories.

Some organizations choose to bypass SSL inspection for Finance and Health URL categories due to privacy concerns. Zscaler recommends that you enable SSL inspection for all URL categories.

Enable and test SSL inspection for the URL categories in the following order of phases.

  • Phase 1
    Adult Themes
    Alcohol and Tobacco
    Anonymizer
    Computer Hacking
    Copyright Infringement
    Drugs
    Gambling
    Mature Humor
    Militancy, Hate and Extremism
    Newly Registered and Observed Domains
    Non Categorizable
    Nudity
    Other Adult Material
    Other Illegal or Questionable
    Other Security
    Peer-to-Peer Site
    Pornography
    Profanity
    Questionable
    Social Networking Adult
    Spyware/Adware
    Tasteless
    Violence
    Weapons/Bombs
    Close

Before testing the URL categories in phase 2, remember to keep SSL inspection enabled for the URL categories in phase 1.

  • Phase 2
    Adult Sex Education
    Alt or New Age
    Alternate Lifestyle
    Art and Culture
    Continuing Education/Colleges
    Corporate Marketing
    Cult
    Dining and Restaurant
    Entertainment
    Family Issues
    Government
    History
    Hobbies and Leisure
    Job/Employment Search
    K-12
    K-12 Sex Education
    Lingerie/Bikini
    Music
    Online Auctions
    Online Shopping
    Other Education
    Other Entertainment/Recreation
    Other Games
    Other Government and Politics
    Other Information Technology
    Other Internet Communication
    Other Religion
    Other Shopping and Auctions
    Other Social and Family Issues
    Other Society and Lifestyle
    Politics
    Radio Stations
    Real Estate
    Reference Sites
    Science/Tech
    Body Art
    Social Issues
    Social Networking
    Social Networking Games
    Special Interests/Social Organizations
    Sports
    Television/Movies
    Traditional Religion
    Translators
    Travel
    Vehicle
    Close

Before testing the URL categories in phase 3, remember to keep SSL inspection enabled for the URL categories in phases 1 and 2.

  • Phase 3
    Blogs
    Classifieds
    Content Delivery Networks
    Discussion Forums
    File Host
    Image Host
    Internet Services
    Miscellaneous or Unknown
    News and Media
    Online Chat
    Other Business and Economy
    Portals
    Professional Services
    Remote Access
    Safe Search Engine
    Shareware Download
    Streaming Media
    Advertising
    Web Host
    Web Search
    Webmail
    Close
Related Articles
About Secure Sockets Layer (SSL)About SSL InspectionSupported Cipher Suites in SSL InspectionSafeguarding SSL Keys and Data Collected during SSL InspectionAdding Custom Certificate to an Application-Specific Trust StoreAbout SSL Inspection PolicyConfiguring SSL Inspection PolicyAbout Intermediate CA CertificatesChoosing the CA Certificate for SSL InspectionSigning a CSR Using the Active Directory Certificate ServicesDeploying SSL InspectionConfiguring Software Protection Intermediate CA CertificateConfiguring Cloud HSM Protection Intermediate CA CertificateDeployment Scenarios for SSL InspectionCertificate Pinning and SSL InspectionBest Practices for Testing and Rolling Out SSL Inspection