This article describes how to add a single location. If you have multiple locations, you can import a CSV file that lists your locations and sub-locations. See How do I add or delete multiple locations and sub-locations?
To add a location:
- Go to Administration > Resources > Locations.
- Click Add Location.
- Enter general information about the location:
  - Type in its Name.
  - Choose the Country.
  - Enter a State/Province, if applicable.
  - Choose the Time Zone of the location.
    When you specify the location in a policy, the service applies the policy according to the location's time zone. For example, if a Cloud App Control policy blocks posting to Facebook between 8 a.m. and 5 p.m., and the rule is applied to locations in Spain and California, users at each location will be blocked during their respective daytime hours.
- Choose the IP addresses for the location:
  - Public IP Addresses: Choose the IP address of your local gateway.
    These entries are the ones you sent to Zscaler beforehand. If you have not already done so, submit your static IP addresses to Zscaler Support, who can then ensure that those IP addresses appear in the menu under Public IP Addresses.
  - Proxy Ports lists your organization's subscribed ports.
  - VPN Credentials lists IP addresses or FQDNs if you are configuring an IPsec VPN tunnel to forward traffic to the Zscaler service.
  - Virtual ZENs lists your organization's VZENs.
  - Virtual ZEN Clusters lists your organization's VZEN clusters.
- Enable features for the location:
  - Enable XFF Forwarding: Enable if this location uses proxy chaining to forward traffic to the service, and you want the Zscaler service to use the X-Forwarded-For (XFF) headers that your on-premises proxy server inserts in outbound HTTP requests. The XFF header identifies the client IP address, which the service can use to identify the client’s sub-location. Using the XFF headers, the service can apply the appropriate sub-location policy to the transaction and, if Surrogate IP is enabled on the location or sub-location, the appropriate user policy. Note that when the service forwards the traffic to its destination, it removes the original XFF header and replaces it with an XFF header that contains the IP address of the client gateway (the organization’s public IP address), ensuring that an organization's internal IP addresses are never exposed to the external world.
  - Enforce Authentication: Enable to require users from this location to authenticate to the service. See Provisioning and Authenticating Users.
  - Enable IP Surrogate: Select if you want to map users to device IP addresses. See What is Surrogate IP?
    - If you enabled IP Surrogate, in Idle time to Disassociation, specify how long after a completed transaction the service retains the IP address to user mapping.
    - If you enabled IP Surrogate, enable Enforce Surrogate IP for Known Browsers if you want to use existing IP-to-user mapping (acquired from Surrogate IP) to authenticate users sending traffic from known browsers. With this feature enabled, the service uses existing IP-to-user mapping for authentication even if users go to sites that support cookies. This allows the service to authenticate without requiring the browser to complete HTTP redirects for every transaction, ensuring performance even for users who connect, for example, over high-latency satellite links. If the feature is disabled, the service authenticates users on browsers with cookies or other configured authentication mechanisms.
    - If you enabled Enforce Surrogate IP for Known Browsers, in Refresh Time for Re-Validation of Surrogacy, specify the length of time that the service can use IP-to-user mapping for authenticating users sending traffic from known browsers. After the defined period of time, the service will refresh and revalidate the existing IP-to-user mapping so that it can continue to use the mapping for authenticating users on browsers. You can enter any value from 1 minute to 8 hours.
  - Enable SSL Scanning: Select to enable the service to decrypt HTTPS transactions and inspect them for data leakage, malicious content and viruses, and to enforce policy.
  - Enforce Firewall Control: Select to enable the firewall.
- In the Bandwidth Control section, you can Enforce Bandwidth Control for the location. Specify the maximum bandwidth limits of the following:
  - Download (Mbps)
  - Upload (Mbps)
- Click Save and activate the change.
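
The XFF handling described under Enable XFF Forwarding can be modeled in a few lines. This is an added illustration, not Zscaler's code: the sub-location names, address ranges and gateway IP are constructed sample values, and reading the left-most XFF entry as the client address is an assumption.

```python
import ipaddress

# Constructed sample values; none of them come from the page.
GATEWAY_PUBLIC_IP = "203.0.113.10"   # the location's public IP address
SUB_LOCATIONS = {                    # hypothetical sub-location name -> internal range
    "Guest Wi-Fi": ipaddress.ip_network("10.20.0.0/16"),
    "Engineering": ipaddress.ip_network("10.30.4.0/24"),
}


def client_ip_from_xff(value):
    """Parse the left-most X-Forwarded-For entry; None if absent or malformed."""
    if not value:
        return None
    try:
        return ipaddress.ip_address(value.split(",")[0].strip())
    except ValueError:
        return None


def resolve_sub_location(xff_value):
    """Map the XFF client IP to a sub-location name, or None if nothing matches."""
    ip = client_ip_from_xff(xff_value)
    if ip is None:
        return None
    for name, network in SUB_LOCATIONS.items():
        if ip in network:
            return name
    return None


def forward(inbound_headers):
    """Return (sub_location, outbound_headers) for one proxied request."""
    xff = next((v for k, v in inbound_headers.items()
                if k.lower() == "x-forwarded-for"), None)
    sub_location = resolve_sub_location(xff)
    # Drop the original header so internal addresses never leave the organization,
    # then insert one that carries only the gateway's public IP address.
    outbound = {k: v for k, v in inbound_headers.items()
                if k.lower() != "x-forwarded-for"}
    outbound["X-Forwarded-For"] = GATEWAY_PUBLIC_IP
    return sub_location, outbound


if __name__ == "__main__":
    print(forward({"Host": "example.com", "X-Forwarded-For": "10.30.4.17"}))
```

Because the sub-location decision rests entirely on a header value, the model only makes sense when that header is written by your own on-premises proxy, which is the proxy-chaining case the option is described for.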