Best Practices for Testing and Rolling Out SSL Inspection


As a best practice, Zscaler recommends that you enable SSL inspection on a small location or test lab before enabling it on all locations in your organization. This allows you to test your deployment of SSL inspection with a select number of users. 

To enable SSL inspection, first deploy the Zscaler or custom intermediate root certificate. Then, enable SSL inspection for the location or sub-location you will use for testing.

Testing SSL Inspection

Before testing SSL inspection, define the set of users you want to use for testing. For example, you can choose users from the IT department, such as application authors and owners, support staff members, proxy team members, or security team members. You can also choose managers and end users from non-IT departments.

To test SSL inspection:

  1. Compile a list of the websites and applications that your organization uses for everyday operations. Remember to include vendor sites and applications.
  2. Enable SSL inspection for the websites and applications from the list by configuring the SSL inspection policy, and then have the users test them.

Note: When you are configuring the SSL inspection policy, you are specifying the URL categories or applications that you do not want the service to inspect. For example, if you want to enable SSL inspection for the Legal Liability categories only, in the Do Not Inspect Sessions to these URL Categories section, you must select all of the URL categories except the Legal Liability categories. The Zscaler service will not perform SSL inspection on the specified URL categories, but will perform SSL inspection on the Legal Liability categories. 

  3. Note that you may need to exempt some sites from SSL inspection permanently, or that you may need to report sites to Zscaler Support to identify the cause of failure.
  4. After testing the list of websites and applications, test SSL inspection for the URL categories. As a best practice, Zscaler recommends that you enable SSL inspection for only certain URL categories at a time, and include the rest of the categories in the list of URL categories for which SSL transactions will not be decrypted. Then, when your organization is ready, enable SSL inspection for all URL categories except Finance and Health, to allay privacy concerns within the organization.
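As an added example that is not part of Zscaler's documentation or product code, the Python below models the exclusion-list semantics from the note above and the phased rollout: it derives the "Do Not Inspect" list for each phase from a constructed subset of the category catalogue and of the phase lists, shows what the service actually decrypts for a given exclusion list, and validates that no category is listed in two phases.

```python
from typing import FrozenSet, List, Sequence

# Constructed subset of the URL category catalogue; the real Zscaler list is longer.
ALL_CATEGORIES: FrozenSet[str] = frozenset({
    "Adult Themes", "Anonymizer", "Computer Hacking", "Gambling",     # phase 1 sample
    "Finance", "Government", "Online Shopping", "Social Networking",  # phase 2 sample
    "Blogs", "File Host", "Streaming Media", "Webmail",               # phase 3 sample
    "Health",                                                         # never phased in
})

# Rollout phases in the order given on the page (sampled, same grouping).
PHASES: List[FrozenSet[str]] = [
    frozenset({"Adult Themes", "Anonymizer", "Computer Hacking", "Gambling"}),
    frozenset({"Finance", "Government", "Online Shopping", "Social Networking"}),
    frozenset({"Blogs", "File Host", "Streaming Media", "Webmail"}),
]

# Final production state recommended on the page: everything inspected except these.
# Note that phase 2 inspects Finance; the final state re-exempts it for privacy.
PRIVACY_EXEMPT: FrozenSet[str] = frozenset({"Finance", "Health"})


def inspected(do_not_inspect: Sequence[str], catalogue: FrozenSet[str] = ALL_CATEGORIES) -> List[str]:
    """What the service actually decrypts: the policy is an exclusion list, so
    listing a category here stops inspection of it and inspects everything else."""
    return sorted(catalogue - set(do_not_inspect))


def do_not_inspect_after(phase: int, phases=PHASES, catalogue=ALL_CATEGORIES) -> List[str]:
    """Exclusion list once phases 1..phase are enabled; earlier phases stay inspected."""
    if not 1 <= phase <= len(phases):
        raise ValueError(f"phase must be between 1 and {len(phases)}")
    enabled = frozenset().union(*phases[:phase])
    return sorted(catalogue - enabled)


def final_do_not_inspect(catalogue=ALL_CATEGORIES, exempt=PRIVACY_EXEMPT) -> List[str]:
    """Exclusion list for the final rollout: only the privacy-exempt categories remain."""
    return sorted(catalogue & exempt)


def validate_phases(phases=PHASES, catalogue=ALL_CATEGORIES) -> bool:
    """Reject a phase plan that names unknown categories or lists one category twice."""
    seen: set = set()
    for n, phase in enumerate(phases, start=1):
        unknown = phase - catalogue
        if unknown:
            raise ValueError(f"phase {n}: unknown categories {sorted(unknown)}")
        duplicate = phase & seen
        if duplicate:
            raise ValueError(f"phase {n}: already enabled in an earlier phase {sorted(duplicate)}")
        seen |= phase
    return True
```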

Enable and test SSL inspection for the URL categories in the order of the phases shown below.

Phase 1

Adult Themes
Alcohol and Tobacco
Anonymizer
Computer Hacking
Copyright Infringement
Drugs
Gambling
Mature Humor
Militancy, Hate and Extremism
Nudity
Other Adult Material
Other Illegal or Questionable
Other Security
Peer-to-Peer Site
Pornography
Profanity
Questionable
Social Networking Adult
Spyware/Adware
Tasteless
Violence
Weapons/Bombs

Before testing the URL categories in phase 2, remember to keep SSL inspection enabled for the URL categories in phase 1. 

Phase 2

Adult Sex Education
Alt or New Age
Alternate Lifestyle
Art and Culture
Continuing Education/Colleges
Corporate Marketing
Cult
Dining and Restaurant
Entertainment
Family Issues
Finance
Games
Government
History
Hobbies and Leisure
Job/Employment Search
K-12
K-12 Sex Education
Lingerie/Bikini
Music
Online Auctions
Online Shopping
Other Education
Other Entertainment/Recreation
Other Games
Other Government and Politics
Other Information Technology
Other Internet Communication
Other Religion
Other Shopping and Auctions
Other Social and Family Issues
Other Society and Lifestyle
Politics
Radio Stations
Real Estate
Reference Sites
Science/Tech
Sexuality
Social Issues
Social Networking
Social Networking Games
Special Interests/Social Organizations
Sports
Television/Movies
Traditional Religion
Translators
Travel
Vehicle

Before testing the URL categories in phase 3, remember to keep SSL inspection enabled for the URL categories in phases 1 and 2. 

Phase 3

Blogs
Classifieds
Discussion Forums
File Host
Image Host
Internet Services
Miscellaneous
News and Media
Online Chat
Other Business and Economy
Other Miscellaneous
Portals
Professional Services
Remote Access
Safe Search Engine
Shareware Download
Streaming Media
Web Banners
Web Host
Web Search
Webmail