Configuring Locations

This article describes how to add a single location. If you have multiple locations, you can import a CSV file that lists your locations and sub-locations. To learn more, see Configuring Multiple Locations and Sub-Locations.

To add a location:

  1. Go to Administration > Locations.
  2. Click Add Location.

The Add Location window appears.

  3. In the Add Location window, in the Location section:
    • Name: Enter a name for the location
    • Country: Select your location's country
    • State/Province: Enter the location's state or province, if applicable
    • Time Zone: Select the location's time zone

When you specify the location in a policy, the service applies the policy according to the location's time zone. For example, if a Cloud App Control policy blocks posting to Facebook between 8 AM and 5 PM, and the rule is applied to locations in Spain and California, users at each location will be blocked during their respective daytime hours.

    • Group: To add this location to a group, search for and choose the location group name. Otherwise, leave the selection as None. You can add up to 5,000 locations to a group; this limit includes both locations and sub-locations.
    • Managed By: If this location is managed by an SD-WAN partner, search for and select the partner's name from the drop-down menu. If this location is not managed by a partner, select Self.

  4. In the Addressing section:
    • Static IP Addresses: Choose the IP address of your local gateway

      The static IP addresses that appear in the drop-down menu are the same addresses you've already sent to Zscaler. If you have not sent Zscaler your static IP addresses, submit them to Zscaler Support so that they can be properly added to the menu.

    • Proxy Ports: Search for and choose your organization's subscribed ports for the location
    • VPN Credentials: If you are configuring an IPSec VPN tunnel to forward traffic to the Zscaler service, search for and choose IP addresses or FQDNs for the location
    • Virtual ZENs: Search for and choose your organization's VZENs for the location
    • Virtual ZEN Clusters: Search for and choose your organization's VZEN clusters for the location

  5. In the Gateway Options section:
    • Enable XFF Forwarding: Enable this option if this location uses proxy chaining to forward traffic to the Zscaler service, and you want the service to use the X-Forwarded-For (XFF) headers that your on-premise proxy server inserts in outbound HTTP requests. The XFF header identifies the client IP address, which can be leveraged by the service to identify the client’s sub-location.

Using the XFF headers, the service can apply the appropriate sub-location policy to the transaction, and if Enable IP Surrogate is turned on for the location or sub-location, the appropriate user policy is applied to the transaction. When the service forwards the traffic to its destination, it removes the original XFF header and replaces it with an XFF header that contains the IP address of the client gateway (the organization's public IP address), ensuring that an organization's internal IP addresses are never exposed externally.
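As an added illustration (not Zscaler's code), the following Python models the XFF handling this option describes: the client address is read from the header that the on-premises proxy inserted, matched to a sub-location, and the outbound header is rewritten to carry only the gateway's public IP. The sub-location ranges, the gateway IP and the request headers are constructed values.

```python
# Added example, not Zscaler code: models XFF Forwarding for a proxy-chained
# location. Sub-location CIDRs, gateway IP and headers are constructed here.
import ipaddress
from typing import Dict, Optional, Tuple

# Constructed: sub-locations of one location, keyed by internal CIDR.
SUB_LOCATIONS = {
    "10.1.0.0/16": "HQ-Floor1",
    "10.2.0.0/16": "HQ-Guest-WiFi",
}
GATEWAY_PUBLIC_IP = "203.0.113.10"   # constructed: the location's static IP


def client_ip_from_xff(headers: Dict[str, str]) -> Optional[str]:
    """Return the originating client IP from XFF, or None if absent or invalid.
    The on-premises proxy inserts the client address as the first entry."""
    xff = headers.get("X-Forwarded-For")
    if not xff:
        return None
    first = xff.split(",")[0].strip()
    try:
        ipaddress.ip_address(first)
    except ValueError:
        return None          # malformed header: fall back to the location policy
    return first


def sub_location_for(client_ip: str) -> Optional[str]:
    """Map an internal client address to its sub-location, if any."""
    addr = ipaddress.ip_address(client_ip)
    for cidr, name in SUB_LOCATIONS.items():
        if addr in ipaddress.ip_network(cidr):
            return name
    return None


def process_request(headers: Dict[str, str],
                    xff_forwarding: bool) -> Tuple[Optional[str], Dict[str, str]]:
    """Return (policy scope, outbound headers). Scope is the sub-location name,
    or None when the parent location's policy applies. The original XFF header
    is always replaced by the gateway IP so internal addresses never leave."""
    scope = None
    if xff_forwarding:
        client_ip = client_ip_from_xff(headers)
        if client_ip:
            scope = sub_location_for(client_ip)
    outbound = {k: v for k, v in headers.items() if k.lower() != "x-forwarded-for"}
    outbound["X-Forwarded-For"] = GATEWAY_PUBLIC_IP
    return scope, outbound
```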

    • Enforce Authentication: Enable to require users from this location to authenticate to the service. To learn more, see Provisioning and Authenticating Users.
    • Enable AUP: If you disabled Enforce Authentication, you can enable this feature to display an Acceptable Use Policy (AUP) for unauthenticated traffic and require users to accept it. To learn more, see About Acceptable Use Policy and End User Notifications. If you enable this feature:
      • In Custom AUP Frequency (Days), specify, in days, how frequently the AUP is displayed to users
      • The First Time AUP Behavior section appears, with the following settings:
        • If Block Internet Access is enabled, the Zscaler service disables all access to the internet, including non-HTTP traffic, until the user accepts the AUP that is displayed to them
        • Enable Force SSL Interception to make SSL Inspection enforce the AUP for HTTPS traffic

    • Enable IP Surrogate: If you enabled Enforce Authentication, select this option if you want to map users to device IP addresses. Sub-locations associated with this location do not inherit this setting. To learn more, see What is Surrogate IP?

If you enable this feature on a location:

  • In Idle Time to Disassociation, specify how long after a completed transaction the service retains the IP address-to-user mapping.
  • If you want to use the existing IP address-to-user mapping (acquired from the surrogate IP) to authenticate users sending traffic from known browsers, enable Enforce Surrogate IP for Known Browsers.

With this feature enabled, the Zscaler service uses existing IP-to-user mapping for authentication even if users go to sites that support cookies. This allows the service to authenticate without requiring the browser to complete HTTP redirects for every transaction, ensuring performance for users who connect over high-latency satellite links, for example. If the feature is disabled, the service authenticates users on browsers with cookies or other configured authentication mechanisms.

  • If you enabled Enforce Surrogate IP for Known Browsers, in Refresh Time for re-validation of Surrogacy, specify the length of time that the Zscaler service can use IP address-to-user mapping for authenticating users sending traffic from known browsers. After the defined period of time elapses, the service will refresh and revalidate the existing IP-to-user mapping so that it can continue to use the mapping for authenticating users on browsers.

The refresh time for the revalidation of IP surrogacy must be shorter than the DHCP lease time; otherwise, an address that DHCP has reassigned to another device may still carry the previous user's mapping, and the wrong user policies might be applied. Zscaler also recommends setting the Refresh Time for re-validation of Surrogacy to a period shorter than the one you specified for Idle Time to Disassociation.
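The following Python is an added example (not Zscaler's code) that models the surrogate IP settings described above: it checks the two timing constraints before saving, and shows how an IP-to-user mapping is retained only for the idle time after the last transaction. The DHCP lease time is an input from the location's own network, and all values are constructed, in minutes.

```python
# Added example, not Zscaler code: surrogate IP timing checks and a minimal
# IP-to-user mapping cache. All times are constructed values in minutes.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class SurrogateIpSettings:
    idle_time_to_disassociation: int     # retention after the last transaction
    enforce_for_known_browsers: bool
    refresh_time_for_revalidation: int   # only used with known-browser enforcement
    dhcp_lease_time: int                 # from the location's DHCP server (assumption)

    def validate(self) -> List[str]:
        """Return the problems to flag before the settings are saved."""
        issues: List[str] = []
        if not self.enforce_for_known_browsers:
            return issues                # refresh time is not in effect
        if self.refresh_time_for_revalidation >= self.dhcp_lease_time:
            issues.append("refresh time must be shorter than the DHCP lease; "
                          "a re-leased address could keep the previous user's policy")
        if self.refresh_time_for_revalidation >= self.idle_time_to_disassociation:
            issues.append("refresh time should be shorter than idle time to disassociation")
        return issues


@dataclass
class SurrogateMap:
    """IP-to-user mapping kept for idle_time after the last completed transaction."""
    settings: SurrogateIpSettings
    _entries: Dict[str, Tuple[str, int]] = field(default_factory=dict)  # ip -> (user, last seen)

    def record(self, ip: str, user: str, now: int) -> None:
        """An authenticated transaction completed from ip: (re)start the idle timer."""
        self._entries[ip] = (user, now)

    def user_for(self, ip: str, now: int) -> Optional[str]:
        """Return the mapped user, or None once the mapping has idled out."""
        entry = self._entries.get(ip)
        if entry is None:
            return None
        user, last_seen = entry
        if now - last_seen > self.settings.idle_time_to_disassociation:
            del self._entries[ip]        # idle too long: drop the association
            return None
        return user
```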

    • Enable Kerberos Authentication: If you enabled Enforce Authentication, you can enable this feature to enforce Kerberos authentication on all web traffic explicitly forwarded from the location and its associated dedicated ports. To learn more, see How do I deploy Kerberos?
    • Enable SSL Scanning: Enable to apply your SSL Inspection policy to HTTPS traffic in the location and inspect HTTPS transactions for data leakage, malicious content, and viruses. To learn more, see How do I deploy SSL inspection?
    • Enforce Firewall Control: Select to enable the service's firewall controls.

  6. In the Bandwidth Control section, you can enable Enforce Bandwidth Control for the location. If enabled, specify the maximum bandwidth limits for Download (Mbps) and Upload (Mbps). All sub-locations share the bandwidth limits assigned to this location. However, you can override this behavior to assign a fixed bandwidth to a sub-location.

  7. Click Save and activate the change.