icon-isolation.svg
Isolation (CBI)

Creating Isolation Profiles for ZIA

Watch a video about creating a ZIA Profile for Isolation.

When creating a Zscaler Internet Access (ZIA) policy with the action as Isolate, you must reference an isolation profile in the policy you're creating. These profiles determine certain attributes and specifications about how the user interacts with the isolated web page, where the isolation containers are spun up, and what the isolation experience looks like to the user.

You can use ZPA isolation profiles to create policies in Zscaler Private Access (ZPA) to isolate specific web applications. To learn more, see About Isolation Policy.

For any organization that is using Isolation, ZIA and ZPA automatically create default isolation profiles. You can use the default isolation profiles or manually create isolation profiles to use in ZIA and ZPA policies. To learn more, see Default Isolation Profiles in Isolation.

For certain levels of ZIA and Isolation integration access, admins are provided with preconfigured profiles that are only partially editable. To learn more, see Understanding Isolation Miscellaneous and Unknown Category in ZIA and Editing Your Isolation Profile for ZIA.

Prerequisites

Before creating an isolation profile for ZIA, ensure the following:

  • For isolation policies to be applied, the Zscaler service must authenticate the web traffic. Unauthenticated traffic or traffic from locations with authentication disabled is not subjected to isolation policies.
  • For HTTPS web pages to be isolated, the Zscaler service must SSL inspect the traffic.

Creating an Isolation Profile for ZIA

To create a new isolation profile:

  1. Go to Administration > Secure Browsing > Browser Isolation.

The Isolation Profiles menu appears and displays the ZIA profiles view.

  1. Click Add Profile.

The Add Isolation Profile window appears.

  1. In the Add Isolation Profile window:
    1. On the General tab:
      • Name: Enter a name for the ZIA isolation profile.
      • Turbo Mode: Enable or disable Turbo Mode. To learn more, see Using Turbo Mode for Isolation.
      • Description: (Optional) Enter a description of the profile.

Click Next.

  1. On the Company Settings tab:
    1. Choose to use either the recommended PAC file URL or your own manually configured PAC file URL:
      • If you select Use recommended PAC file URL, the Automatic proxy configuration URL field is populated by default with the recommended PAC file from your Hosted PAC Files list in ZIA. The isolation browser configures the PAC file within the endpoint experience containers, and any traffic to the internet from the isolated browser is also forwarded through the ZIA cloud.
      • Enable or disable Override PAC file and return traffic to the ZIA Public Service Edge. The ZIA Public Service Edges use auto-geoproximity, meaning that the traffic is returned to the service edge closest to the location of the user, not the location of the isolation browser. To see the full list of ZIA Public Service Edges, see the Zscaler Configuration Portal.

  1. Enable or disable Debug Mode. If you enable it, you must set a password for the ZIP file that is created at the end of a debug troubleshoot. Make sure to share the password with the user associated with the isolation profile. To learn more, see Using Debug Mode for Isolation.

  1. From the Root Certificate drop-down menu, select at least one file. The Zscaler Root Certificate that ZIA uses for SSL inspection appears by default in the drop-down menu. If your organization uses custom root certificates for SSL inspection, you can add them before creating isolation profiles. You can add up to 10 root certificates for your organization. To learn more, see About ZIA Root Certificates for Isolation.

  1. Click Done.

Click Next.

  1. On the Security tab:
    • Enable or disable to Allow copy & paste to and from your computer and the isolation browser.
    • Enable or disable to Allow file transfers to and from your computer and the isolation browser. If you enable for isolation to local computer, select whether the file transfer will be a Flattened PDF, Sandbox Scanned File, or the Original File. To learn more, see Sandbox Integration with Isolation.
    • Enable or disable to Allow printing of web pages and inline content from isolation.
    • Enable or disable to restrict keyboard/text input to isolated web pages to be Read-Only.
    • Enable or disable to allow the View of Office files in isolation.
    • Enable or disable to Allow local browser rendering while in isolation.
    • Enable or disable the options for Votiro CDR Integration.
      • Enable Votiro CDR: Enable to allow Votiro to sanitize all uploaded and downloaded files by default.
      • Download: Enable or disable Votiro sanitizing files that you download.
      • Upload: Enable or disable Votiro sanitizing files that you upload.
      • Votiro Policy Name: Select the Votiro policy to enforce the sanitization. If you do not select a policy, a default Votiro policy is applied. To learn more, see Configuring Votiro Integration for Isolation and About Partner Integrations.
    • Enabling Application Deep Linking allows the user to open applications from their local machine via the rendered deep link data on an isolated web page. From there, the user can click the rendered link in the isolated browser and open the application for use on their machine. If you enable this option, add the specific links for the allowed applications to the list. If you disable this feature for the isolation profile, or an application is not on the list in the isolation profile, the user sees an error message explaining that the application isn't allowed by policy.
  2. On the Regions tab:
    1. From the drop-down menu, select at least two regions. The isolation containers are leased to the user only from the selected regions based on the least network latency.
    2. Click Done.
    3. Click Next.

  1. On the Isolation Experience tab:
    1. From the drop-down menu, select an Isolation Banner. The option you choose shows a preview banner in the window. Choose from existing banners, or create custom isolation banners to use for your isolation profiles. To learn more, see Adding a Banner Theme for the Isolation End User Notification in ZIA.
    2. Enable or disable the option to have a persisting isolation URL bar.
    3. Select the Isolation Experience mode:
      • Native browser experience: This mode provides the user with a browsing experience similar to accessing the native web page with a typical browser. The user can customize this view.
      • Browser-in-browser experience: This mode provides the user with the complete look and feel of an isolated session experience. To learn more, see User Experience Modes in Isolation.

  1. Enable or disable the option to use a watermark while in isolation. Admins can enable watermarking per isolation profile and choose to display the user ID, date and timestamp (in UTC), and a custom message.

  1. (Optional) Enable Persistent State: Enabling this option causes the data from a user's active session to carry over to their new session each time they enter an isolated session. If you enable this feature, the Enable Persistent State window displays a consent message for you to read before confirming enablement. Click Enable. If you do not enable it, the data does not persist, meaning it is destroyed with the container when the user logs out or exceeds the session timeout. To learn more, see Using Persistent State for Isolation.

  1. (Optional) Enable Language Translation. This option allows the user to translate any text from isolated web pages to the language of the user's choice. To learn more, see Using the Isolation Bar in Native Browser Experience.

  1. Click Save.

After you save your new isolation profile, it appears in the list of ZIA isolation profiles. To edit a profile directly from the list, click the Edit icon. To learn more, see Editing Your ZIA Isolation Profile and Deleting Your ZIA Isolation Profile.

You can use this isolation profile to create a policy in ZIA to allow traffic forwarding through browser isolation. To learn more, see Configuring ZIA for Isolation.

Related Articles
Creating Isolation Profiles for ZIAEditing Your Isolation Profile for ZIADeleting Your Isolation Profile for ZIA