How do I exempt specific URLs or cloud apps from authentication?



Some client applications and web sites do not support cookie-based authentication or do not respond when the Zscaler service sends an HTTP 307 code that redirects the browser to authenticate to the Zscaler service. For example, the AIM client application and some Office 365 applications do not respond to the HTTP 307 redirect sent by the service. To enable users to access these applications and web sites, you can add these URLs to an Authentication Bypass list in the admin portal or add the URLs to your PAC file. Note that this applies to traffic from known locations only (that is, locations that are configured on the Zscaler admin portal).

Ensure that you know the URL that the application or web site is trying to use. You can use tools like Fiddler or Wireshark to find the URL.

Configuring the Authentication Bypass List in the Admin Portal

  1. Go to Administration > Settings > Advanced Settings.
  2. In the Authentication Bypass section, complete any of the following:
    • Bypassed URL Categories: Select URL categories that you want to exempt from cookie authentication.
    • Bypassed URLs: Enter URLs that you want to exempt from cookie authentication. See URL format guidelines.
    • Bypassed Applications: Select cloud applications or cloud application categories that you want to exempt from cookie authentication.
  3. Click Save and activate the change.

Bypassing Authentication in a PAC File

If adding URLs to the authentication bypass list in the admin portal is not feasible, then you can edit the PAC file and add an exception, as shown in the following example.

 // The leading dot limits each match to subdomains of the listed domain.
 if (dnsDomainIs(host, ".zscaler.com") || dnsDomainIs(host, ".aol.com"))
     return "PROXY ${GATEWAY}:9480; PROXY ${SECONDARY_GATEWAY}:9480; DIRECT";
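
A fuller PAC file built around the one-line exception above, as an added example (not Zscaler's own code), showing that leading-dot entries exempt subdomains only, so lookalike hosts and the bare domain stay authenticated. The `dnsDomainIs` stand-in, the `AUTH_BYPASS_DOMAINS` list, the helper names and the port 80 default return line are assumptions made for illustration.

```javascript
// Stand-in for the PAC built-in so this file also runs under Node for testing.
// It mirrors the plain suffix comparison of the classic browser implementation.
// Remove it before deploying: the browser's PAC engine supplies the real one.
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
    host.substring(host.length - domain.length) === domain;
}

// Domains exempted from authentication (the two from the page's example).
var AUTH_BYPASS_DOMAINS = [".zscaler.com", ".aol.com"];

// ${GATEWAY} and ${SECONDARY_GATEWAY} are the macros used in the page's example.
var BYPASS_PROXY =
  "PROXY ${GATEWAY}:9480; PROXY ${SECONDARY_GATEWAY}:9480; DIRECT";
// Assumption: stands in for the return line your PAC file already uses.
var DEFAULT_PROXY =
  "PROXY ${GATEWAY}:80; PROXY ${SECONDARY_GATEWAY}:80; DIRECT";

// Review helper: returns entries that would exempt more than intended.
// An entry must start with a dot and name at least two labels, so
// "aol.com" (also matches "notaol.com"), ".com" and wildcards are flagged.
function findRiskyEntries(domains) {
  var wellFormed = /^\.[a-z0-9-]+(\.[a-z0-9-]+)+$/;
  var risky = [];
  for (var i = 0; i < domains.length; i++) {
    if (!wellFormed.test(domains[i])) risky.push(domains[i]);
  }
  return risky;
}

// True when host is a subdomain of a listed domain. The bare domain
// ("aol.com") is not matched by ".aol.com" and stays authenticated.
function isAuthBypassed(host) {
  host = host.toLowerCase();
  for (var i = 0; i < AUTH_BYPASS_DOMAINS.length; i++) {
    if (dnsDomainIs(host, AUTH_BYPASS_DOMAINS[i])) return true;
  }
  return false;
}

function FindProxyForURL(url, host) {
  return isAuthBypassed(host) ? BYPASS_PROXY : DEFAULT_PROXY;
}
```

Run `findRiskyEntries(AUTH_BYPASS_DOMAINS)` whenever the list changes; an empty result means every entry is scoped to subdomains of a named domain.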