The Zscaler service can enforce web and firewall policies by location, department, group, and user, and it can track Internet usage by location, department, and user. To use these granular policies and the service's reporting capabilities, an organization must provision and authenticate its users. Provisioning involves uploading usernames, groups, and departments to the service database. Enabling authentication allows the Zscaler service to identify the user behind the traffic it receives, so it can enforce the configured location, department, group, and user policies and provide logging and reporting by user and department.
When a user from an organization with Zscaler deployed opens a browser and sends an HTTP request to a site, the request is redirected to the nearest Zscaler gateway, the Zscaler Enforcement Node (ZEN). The ZEN first checks whether the request comes from a location defined in the Zscaler admin portal (a known location) or from a location that was not configured on the admin portal (an unknown location).
When the Zscaler service receives traffic from a known location or at a dedicated proxy port that is associated with a location, the service automatically applies the location's policies and tracks Internet activity by location. But to leverage the granular department, group and user policies and the ability to track usage trends by department and user, an organization must provision its users and enable authentication.
When the Zscaler service receives traffic from a location that it cannot identify, it automatically requires users to authenticate themselves because it cannot associate the traffic with a location. In this case, users must be provisioned on the service, so it can successfully authenticate them, apply the appropriate department, group and user policies, and track Internet usage.
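The decision flow described above, written out as a small Python model. This is an added illustration, not Zscaler's own code: the location table, the provisioned-user directory, the IP ranges, the dedicated proxy port and the user names are all constructed for the example, and the "policy scopes" returned are just labels for which of the location, department, group and user policies could be applied to a request.

```python
"""
Constructed model of how a gateway decides which policy scopes apply to an HTTP
request: first by whether the source is a known location (matched by egress IP
range or by a dedicated proxy port), then by whether authentication is in play
and the user is provisioned. Not Zscaler code; all data below is made up.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Constructed: configured ("known") locations. A location is matched either by
# its egress IP range or by a dedicated proxy port assigned to it, and each
# location records whether authentication has been enabled for it.
KNOWN_LOCATIONS = [
    {"name": "hq-london", "cidr": "203.0.113.0/24", "port": None, "auth_enabled": True},
    {"name": "branch-austin", "cidr": None, "port": 9443, "auth_enabled": False},
]

# Constructed: provisioned users with their group and department. A user who is
# not in this directory cannot be authenticated, so no department, group or
# user policy can be applied to that user's traffic.
PROVISIONED_USERS = {
    "alice@example.com": {"group": "engineering", "department": "R&D"},
    "bob@example.com": {"group": "finance", "department": "Operations"},
}


@dataclass
class Decision:
    location: Optional[str]        # matched location name, or None if unknown
    auth_required: bool            # service will challenge the user
    authenticated: bool            # challenge succeeded (user is provisioned)
    scopes: list = field(default_factory=list)     # policy scopes that apply
    logged_by: list = field(default_factory=list)  # reporting dimensions


def lookup_location(src_ip: str, proxy_port: int) -> Optional[dict]:
    """Return the known-location entry for this source, or None if unknown."""
    ip = ipaddress.ip_address(src_ip)
    for loc in KNOWN_LOCATIONS:
        if loc["port"] is not None and loc["port"] == proxy_port:
            return loc
        if loc["cidr"] is not None and ip in ipaddress.ip_network(loc["cidr"]):
            return loc
    return None


def handle_request(src_ip: str, proxy_port: int, username: Optional[str] = None) -> Decision:
    """Decide which policy scopes apply to one request.

    username is the identity presented when the service challenges the user
    (None if no challenge happens or the user presents nothing).
    """
    loc = lookup_location(src_ip, proxy_port)
    # Unknown location: authentication is mandatory, because the traffic cannot
    # be tied to a location. Known location: only if enabled for that location.
    auth_required = loc is None or loc["auth_enabled"]
    d = Decision(location=loc["name"] if loc else None,
                 auth_required=auth_required, authenticated=False)
    if loc is not None:
        # Known location: its policies apply and usage is tracked by location.
        d.scopes.append("location")
        d.logged_by.append("location")
    if auth_required and username in PROVISIONED_USERS:
        # Only a provisioned user can be authenticated; once identified, the
        # department, group and user policies apply and usage is tracked per user.
        d.authenticated = True
        d.scopes += ["department", "group", "user"]
        d.logged_by += ["department", "user"]
    return d
```

Running `handle_request("203.0.113.10", 80, "alice@example.com")` yields the full set of scopes, because the HQ location is known and has authentication enabled; the same user arriving from an address outside every configured range still gets the department, group and user scopes but no location scope; and an unprovisioned user from an unknown location ends up with no scopes at all, which is exactly the situation the provisioning step exists to avoid.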
Provisioning involves uploading username, group and department information to the Zscaler service database. The Zscaler service supports various provisioning mechanisms, as described in Choosing Provisioning and Authentication Methods. Following are some guidelines for provisioning users:
The following diagram illustrates how ZENs handle HTTP traffic from known locations. [Diagram not reproduced; its footnotes follow.]
* For example, when applications don't support cookies or when an unknown user agent is used.
** See What is IP surrogate?
*** See About SAML.
The following diagram illustrates how ZENs handle HTTP traffic from locations that are not configured on the Zscaler service. [Diagram not reproduced; its footnote follows.]
** For example, when applications don't support cookies or when an unknown user agent is used.