How do I block HTTPS traffic without SSL inspection?


How do I block HTTPS traffic without SSL inspection?

If SSL inspection is not a feasible option for your organization, you can block traffic to sites that use HTTPS connections through:

  • Using a Global HTTPS Block: You can globally block access to HTTPS sites in predefined or custom URL categories for all the configured locations in your organization. For example, you can block access to HTTPS sites in the Adult Material URL category as well as create a custom URL category for HTTPS sites that you would like to block. (Note that the global block does not apply to road warriors.) You have the option to configure the service to display an end user notification when it blocks HTTPS transactions with this feature. For instructions on configuring the service to globally block HTTPS sites in predefined or custom URL categories, see Configuring a Global HTTPS Block below.
  • URL filtering and Cloud App Policies: The service can enforce user, group, department, and location URL and Cloud Application Control policies (if authentication and Surrogate IP are enabled). However, for sites that use SSL (note that many popular sties like Gmail or Facebook use SSL), the service does not enforce granular URL and Cloud App Control policies if SSL inspection is disabled. 

To leverage this option:

  • You can determine which URL categories and Cloud Apps to block and optionally, configure a custom category for the URLs that you would like to block.
  • Configure URL filtering and cloud app control policies.

Deployment Scenarios without SSL Inspection

If you block HTTPS traffic without enabling SSL inspection, two common deployment scenarios are possible.

  • HTTPS Traffic from Known Locations: When an organization’s traffic is forwarded from a known location (an Internet gateway configured in the Zscaler service portal), your organization can block access to HTTPS sites as follows:
    • Authentication Enabled: When user authentication is enabled, you can use URL filtering and Cloud App Control policies to block access to specific sites and specify users, groups, departments, and locations as criteria. When authentication is enabled, Zscaler recommends that you enable the Surrogate IP feature for the location as well. The Surrogate IP feature enables the service to associate an authenticated user with an internal IP address and apply the user's URL and Cloud App Control policies accordingly. Note that Surrogate IP can be enabled only when a GRE or IPsec tunnel is used to forward un-NATed traffic to the Zscaler service.
    • Authentication Disabled: Zscaler recommends that you globally block predefined or custom URL categories. The surrogate IP feature cannot be used in this deployment because it requires user authentication to be enabled.
  • HTTPS Traffic from Road Warriors: For road warriors or roaming users who use PAC files or who explicitly set their browsers to send traffic to the service from outside known locations, the Zscaler service supports globally blocking specific HTTPS sites only under specific circumstances:
    • If traffic is forwarded to port 80/9400: The Zscaler service does not support blocking the HTTPS transactions of road warriors who send traffic to port 80/9400.
    • If traffic is forwarded to a dedicated proxy port: An organization can subscribe to one or more ports and associate them with a location. In this scenario, Zscaler recommends that you globally block predefined or custom URL categories. To apply user, group, department and location URL Filtering and Cloud App Control policies, you must enable the Surrogate IP feature for the location associated with the dedicated port.

      NOTE: Road warriors who are sending traffic to the Zscaler service for the first time must browse to a non-HTTPS site first so the service can white-list their IP addresses. Road warriors who try to access an SSL site the first time their traffic goes through the service may receive a “Closed Proxy” or “Reset Connection” message.

Configuring a Global HTTPS Block

To configure the service to globally block sites in predefined or custom URL categories, log in to the service and do the following:

1. Go to Policy > Web > SSL Inspection.

2. Under If SSL Inspection is Disabled, Block HTTPS to these Sites, configure the following:

  • Blocked URL Categories: Select URL categories for which you want HTTPS sites blocked. The HTTPS block applies globally to all configured locations. For the setting to apply to road warriors, you must have a dedicated proxy port or the Zscaler App in use. You can select any number of categories and also search for URL categories.
  • Blocked URLs: Enter the URLs of the HTTPS websites you want blocked. The block applies globally to all configured locations. For the setting to apply to road warriors, you must have a dedicated proxy port or the Zscaler App in use. See URL format guidelines.
  • Show Notifications for Blocked Traffic: Turn this on to display notifications to users when HTTPS transactions are blocked. Note that the Zscaler root certificate must be installed in users' browsers to display the notification. If the certificate is not installed, or if you do not enable this option, the browser only displays to the user a 'Page Not Found' error when HTTPS sites are blocked.

3. Click save and activate the change.