Defining and Managing Configuration Files for eZ Agent


You can centrally define and manage eZ Agent configuration files from the Zscaler service portal. Zscaler provides one default configuration file and you can create up to 255 files. For example, you could create a configuration file for each department or user group in your organization. The eZ Agent configuration file specifies a number of settings, including how the browser is configured to forward web traffic—through a PAC file or manual proxy configuration. If you plan to use a PAC file, you must define it first so you can reference it when you configure eZ Agent.

To create a new configuration file:

  1. Go to Administration > eZ Agent Configurations.
  2. Click Add eZ Agent Configuration.
  3. In the Add eZ Agent Configuration window, type a Name and Description for the new eZ Agent configuration file and change the default settings as follows:
  • Debug Level: eZ Agent generates a new log file whenever a computer is restarted. For more information on the log file, see Using eZ Agent on a Computer. You can set the verbosity of the log file by entering a number from 0 through 10. By default, the debug level is set to 10. The higher the level, the more detailed the log.
  • Log File Retention (days): You can specify the number of days that logs are retained. The default is two days.
  • Disable Protection Password: You can define the password that is required to disable eZ Agent on a computer. The default password is ZSCALER.
  • Uninstall Password: You can define the password that is required to uninstall eZ Agent on a computer. The default password is ZSCALER.
  • Force Proxy Time-Out (sec): eZ Agent automatically recognizes when a user connects to a “hot spot,” such as an airport or hotel, for which authentication or payment is required. You can specify the time during which the proxy settings are not enforced to allow a user to authenticate or make a payment to a captive portal. For example, if this value is set to 300 seconds (5 minutes), eZ Agent’s proxy settings are ignored during that time. At the end of 300 seconds, the proxy settings are enforced regardless of whether eZ Agent can connect to the Zscaler service. The default is 0 seconds, which means this field is not used.
  • Proxy Type: Specify whether you are using a PAC file for the proxy server configuration or specifying the proxy configuration manually.
    • Use PAC File: When you select this option, you must specify the location of the PAC file. You can accept the default URL, which directs traffic to the ZEN closest to the user, or you can type the PAC file URL.
    • Manual Proxy Configuration: When you select this option, the service displays additional fields where you specify the proxy settings for each type of traffic:
      • HTTP Proxy: This value is entered in the browser’s HTTP proxy address field. You can specify a ZEN (for example, atl1.sme.zscaler.net) host name or accept the default value, which automatically directs traffic to the ZEN closest to the user.
      • HTTP Proxy Port: This value is entered in the browser’s HTTP proxy port field. The default is port 80.
      • HTTPS Proxy: This value is entered in the browser’s Secure proxy address field. You can specify a ZEN host name (for example, atl1.sme.zscaler.net) or accept the default value, which automatically directs traffic to the ZEN closest to the user.
      • HTTPS Proxy Port: This value is entered in the browser’s Secure proxy port field. You can change the default value of 80 to 9443, a port that ZENs listen on so they can decrypt SSL traffic. This allows the users’ HTTPS traffic to be examined for enforcement of your corporate policies. (If port 9443 is used, browsers must have Zscaler’s Intermediate SSL Certificate installed, so security certificate warnings do not appear in your browsers.)
      • FTP Proxy: This value is entered in the browser’s FTP proxy address field. You can specify a ZEN host name (for example, atl1.sme.zscaler.net) or accept the default value, which automatically directs traffic to the ZEN closest to the user.
      • FTP Proxy Port: This value is entered in the browser’s FTP proxy port field. The default is port 80.
      • SOCKS Proxy and SOCKS Proxy Port: You can leave these fields blank. Zscaler is NOT a SOCKS proxy. SOCKS traffic to ZENs is bypassed and allowed.
  • Proxy Bypass: Enter the IP addresses of specific hosts or URLs for which you want to bypass the proxies. The values of this parameter are populated in the Exceptions field of Internet Explorer, Mozilla Firefox and Chrome. For example, you can use this option to bypass internal networks. These values must be comma-separated in a single line.
  • Hide Tray Icon: By default, the eZ Agent icon is displayed in the system tray of each user. Select Yes to hide the icon.
  • Configuration Fetch Time (min): This parameter specifies the interval at which eZ Agent checks the service portal for an updated configuration file and downloads it, if there is one. The default is 60 minutes. When you download an eZ Agent configuration file, eZ Agent stores the path to the location of the configuration file. So when you update the configuration in the admin portal, the service uses this path information to replace the existing configuration file with the updated version. If there are multiple configuration files, eZ Agent only replaces the file with the same name.
  • Process Kill-List: You can enter a comma-separated list of programs or processes that are not allowed to run on your users’ computers. Opera is on the kill-list by default. If a user tries to use Opera, a message appears indicating that Opera is not allowed by the organization’s policy. The kill-list is resilient to attempts at evasion where users change file names or locations.
  • Unsupported Browsers: This is a predefined list of web browsers and version numbers that are blocked by the agent. It prevents users from bypassing the Zscaler service by exploiting certain browser versions that may have proxy related bugs. The default value of this field is the following CSV list: firefox 4.0b7, firefox 4.0b8, firefox 4.0b9, firefox 4.0b10, firefox 4.0b11 (these beta releases of Firefox had a proxy setting bug).
  • Protect HOSTS File: The HOSTS file is a Windows file that contains IP address to hostname mappings. Click Yes to prevent users from trying to bypass the proxy servers by adding hostname and IP address pairs to this file.
  • Change Test Connection Settings: These are the settings that eZ Agent uses when it tests connectivity to the Zscaler service. Users can also test connectivity from the eZ Agent icon in the system tray. Zscaler recommends that you do not change these settings.
    • If you click Yes to change the settings, the service displays additional fields:
      • Test Connection Host: The host to which eZ Agent sends the HTTP request. The default value is gateway.zscaler.net.
      • Test Connection Port: The port to which eZ Agent sends the HTTP request. The default value is port 80.
      • Test Connection Request Data: eZ Agent sends an HTTP request for this data. The default is admin.zscaler.net.
      • Test Connection Response Data: Expected location header of the HTTP response. The default is https://admin.zscaler.net.
        eZ Agent sends an HTTP request for the value in Test Connection Request Data to the Test Connection Host on the Test Connection Port, and it must receive an HTTP response with the value in Test Connection Response Data in the location header.
  • Gateway Health Monitor Interval (sec): eZ Agent checks whether the Zscaler service gateway is reachable every 30 seconds. You can change this default value.
  • Disable Protection if Gateway Unreachable: eZ Agent disables protection and allows web traffic to bypass the Zscaler service gateway when it is unreachable. You can click No to block access to the Internet until the Zscaler gateway is reachable.
  4. Click Save, and then activate the change.
  5. Click Download beside the newly created configuration file to download it to your computer.
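
A review pass over the settings from step 3, as an added example (not Zscaler code). It flags values this page documents as defaults or as relaxing enforcement. Holding a configuration as a dict keyed by the portal field labels is an assumption, and the sample values are constructed.

```python
import ipaddress

# Keys are the portal field labels from the steps above; holding a configuration
# as a dict keyed by those labels is an assumption of this example.
DEFAULT_PASSWORD = "ZSCALER"  # documented default for both password fields
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]  # RFC 1918


def audit_bypass(value):
    """Review the comma-separated, single-line Proxy Bypass value."""
    findings = []
    for entry in filter(None, (e.strip() for e in value.split(","))):
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            continue  # host name or URL, not an IP address
        if net.version != 4 or not any(net.subnet_of(r) for r in INTERNAL):
            findings.append(f"Proxy Bypass: {entry} is not an internal address")
    return findings


def audit(cfg):
    """Return review findings for one eZ Agent configuration."""
    findings = []
    for field in ("Disable Protection Password", "Uninstall Password"):
        if cfg.get(field, DEFAULT_PASSWORD) == DEFAULT_PASSWORD:
            findings.append(f"{field}: still the default password")
    if (cfg.get("Proxy Type") == "Manual Proxy Configuration"
            and cfg.get("HTTPS Proxy Port", 80) != 9443):
        findings.append("HTTPS Proxy Port: not 9443, the SSL decryption port")
    if cfg.get("Force Proxy Time-Out (sec)", 0) > 0:
        findings.append("Force Proxy Time-Out: proxy not enforced in this window")
    if cfg.get("Disable Protection if Gateway Unreachable", "Yes") == "Yes":
        findings.append("Gateway unreachable: web traffic bypasses the service")
    if cfg.get("Protect HOSTS File") != "Yes":
        findings.append("Protect HOSTS File: not enabled")
    return findings + audit_bypass(cfg.get("Proxy Bypass", ""))


# Constructed samples: one close to the documented defaults, one tightened.
WEAK = {"Proxy Type": "Manual Proxy Configuration", "HTTPS Proxy Port": 80,
        "Proxy Bypass": "10.0.0.0/8, intranet.example.com, 203.0.113.5"}
TIGHT = {"Disable Protection Password": "<placeholder-1>",
         "Uninstall Password": "<placeholder-2>",
         "Proxy Type": "Manual Proxy Configuration", "HTTPS Proxy Port": 9443,
         "Disable Protection if Gateway Unreachable": "No",
         "Protect HOSTS File": "Yes", "Proxy Bypass": "10.0.0.0/8"}

if __name__ == "__main__":
    print("\n".join(audit(WEAK)))
```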

You can edit or delete files any time.

  • To edit any admin-defined configuration file, point to the file and click the Edit icon. After you make changes to the file, the service automatically downloads the updated file after the configured time period and distributes it to all the agents.
  • To delete an admin-defined eZ Agent configuration file, point to the file and click the Edit icon. Then click Delete at the bottom of the dialog. If you inadvertently delete a configuration file that is in use, you can create a new file with the same name and use it again.