Zscaler Quick Start Guide

This guide describes how you can start protecting your web traffic by simply pointing your browser to the Zscaler cloud. It also introduces you to some basic features of the Zscaler service, including anti-virus security and the URL policy, and explains how you can test them.

It describes the following tasks:

To log in to the Admin Portal and verify your information:

  1. Use the URL, user ID, and password that you received from your Zscaler representative or Technical Support to log in to the Admin Portal. The End User Subscription Agreement (EUSA) appears the first time you log in. 
    See image.
  2. Click Accept.
    If you click Cancel, the service will allow you to continue. You’ll be able to configure policies and add users, but the settings won’t take effect and you won’t be able to surf the internet through the Zscaler service until you accept the EUSA. The EUSA will also appear every time you log in, until you click Accept.
  3. Go to Administration > Company Profile.
  4. Verify your organization’s information. Zscaler recommends that you provide primary and secondary technical contacts as well, especially if the primary business contact is not the technical administrator of the service. 
    See image.
  5. Click Save and activate the change.

Screenshot of Zscaler End User Subscription Agreement

 Screenshot of Organization tab in Company Profile page of Zscaler portal. Tab shows fields used to manage company information.

To redirect your web traffic to the Zscaler cloud, configure your browser to use a PAC file, which is a text file that directs a browser to forward traffic to a proxy server before going to the destination server.
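To show what such a file contains, here is an added example of a PAC script; it is not the default PAC file hosted by Zscaler and is not taken from the original guide. The proxy address `gateway.example.invalid:80` and the internal domain `.corp.example` are hypothetical placeholders, and the helper stand-ins exist only so the routing logic can be run outside a browser.

```javascript
// Added illustration, not Zscaler's hosted PAC file. ES5 syntax only, because
// older PAC engines (Internet Explorer's included) reject newer JavaScript.
// Hypothetical placeholders: substitute the proxy and internal domain you use.
var PROXY = "PROXY gateway.example.invalid:80";
var INTERNAL_DOMAIN = ".corp.example";
var PRIVATE_NETS = [
  ["10.0.0.0", "255.0.0.0"], ["172.16.0.0", "255.240.0.0"],
  ["192.168.0.0", "255.255.0.0"], ["127.0.0.0", "255.0.0.0"]
];

// Browsers supply these helpers to PAC scripts. The stand-ins below are defined
// only when they are missing, so the routing logic can be checked under Node.js.
if (typeof isPlainHostName === "undefined") {
  var toInt = function (ip) {
    return ip.split(".").reduce(function (acc, octet) {
      return ((acc << 8) | Number(octet)) >>> 0;
    }, 0);
  };
  globalThis.isPlainHostName = function (host) { return host.indexOf(".") === -1; };
  globalThis.dnsDomainIs = function (host, domain) {
    return host.slice(-domain.length) === domain;
  };
  globalThis.isInNet = function (ip, net, mask) {
    return ((toInt(ip) & toInt(mask)) >>> 0) === ((toInt(net) & toInt(mask)) >>> 0);
  };
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Single-label intranet names and the internal domain stay on the local network.
  if (isPlainHostName(host) || dnsDomainIs(host, INTERNAL_DOMAIN)) {
    return "DIRECT";
  }
  // Private and loopback IPv4 literals go direct. Only literals are tested, so
  // the script never triggers a DNS lookup for hostnames.
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) {
    for (var i = 0; i < PRIVATE_NETS.length; i++) {
      if (isInNet(host, PRIVATE_NETS[i][0], PRIVATE_NETS[i][1])) {
        return "DIRECT";
      }
    }
  }
  // Everything else is forwarded. No "; DIRECT" fallback is listed, so an
  // unreachable proxy fails closed instead of silently bypassing inspection.
  return PROXY;
}
```

The browser calls `FindProxyForURL` once per request; returning only a `PROXY` entry for external hosts means traffic cannot reach the internet uninspected if the proxy is down.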

To view the default PAC file:

If you were provided a PAC file URL, skip the first two steps.

  1. Go to Administration > Hosted PAC Files.
  2. Copy the URL of the default PAC file for the Web.
    See image.
  3. Open your browser and paste the PAC file URL in its settings page. 

The following steps illustrate how to specify the PAC file URL for Internet Explorer:

  1. Open Internet Explorer, click the Gear icon, and select Internet Options.
  2. In the Internet Options window, click Connections > LAN Settings.
    See image.
  3. In the Local Area Network (LAN) Settings window, select Use automatic configuration script and paste the PAC file URL that you copied from the Admin Portal.
    See image.
  4. Click OK to save the configuration.

To learn more, see:

Screenshot of Hosted PAC Files page highlighting the URL of the default PAC file

 Screenshot of Connections tab on Internet Options in Internet Explorer. LAN settings button is highlighted.        

Screenshot of LAN Settings window highlighting Use automatic configuration script option. PAC file URL is entered in Address field. 

To implement group and user policies and to leverage the granular reporting capabilities of the service, you must provision users on the Zscaler database and enable the Zscaler service to authenticate them. Though provisioning and authenticating users is not required, Zscaler highly recommends that you provision your users and enable authentication.

Provisioning involves uploading usernames, groups, and departments to the service database. Enabling authentication allows the Zscaler service to identify the traffic that it receives so it can enforce the configured location, department, group and user policies, and provide user and department logging and reporting. The following example illustrates how to add a new user account, group and department. You can use the new account to test the service.

To add a new user:

  1. Navigate to Administration > User Management.
  2. Click Add User and specify the following information about the user:
    See image.
    • Enter the User ID. The user ID consists of a user name and domain name in email format. Enter the user name and if your organization has more than one domain, select the domain name.
      If you plan to integrate your enterprise directory at a later date, ensure that you use an email address that is not currently in the directory. For example, you can enter test.user.
    • Enter the User Name.
    • Within the Groups drop-down menu, choose a group or add a new one. You can select more than one group.
      See image.
    • Within the Department drop-down menu, choose a department or add a new one.
      See image.
    • Enter a Password of your choosing.
    • (Optional) Enter any Comments.
  3. Click Save and activate the change.

 Screenshot of Zscaler Add User dialog box showing fields used to add a new user

 Screenshot of Group drop-down menu in Add User dialog box. The add icon is highlighted to show that its use is to add a new group.

 Screenshot of Department drop-down menu in Add User dialog box. The add icon is highlighted to show that its use is to add a new department.

To add locations, you must submit your static IP addresses to Zscaler Support, who can then ensure that those IP addresses appear in the Admin Portal. You can submit your IP addresses by submitting a support ticket.

To submit a support ticket:

  1. Point to the Help icon at the left side of the UI to open the help menu. In the help menu, click Submit a Ticket.
    See image.
  2. The Submit Ticket page will open in a new tab.  
    See image.
  3. After completing the fields in the Submit Ticket page, click Submit. The time it takes Zscaler Support to provision the IP addresses is 30 minutes.  

Once your IP addresses have been provisioned, you can add them as locations.

To add a location:

  1. Go to Administration > Locations.
  2. Click Add Location.
    See image.
  3. Enter general information about the location:
    • Type in its Name.
    • Choose the Country.
    • Enter a State/Province, if applicable.
    • Choose the Time Zone of the location.
      When you specify the location in a policy, the service applies the policy according to the location's time zone. For example, if a Cloud App Control policy blocks posting to Facebook between 8 a.m. and 5 p.m., and the rule is applied to locations in Spain and California, users at each location will be blocked during their respective daytime hours.
  4. Choose the IP addresses for the location:
    • Public IP Addresses lists the IP addresses that you sent to Zscaler. Choose IP addresses for the location from the drop-down menu.
  5. Enable the following features for the location:
    • Enable Enforce Authentication to require users from this location to authenticate to the service. This feature is disabled by default.
    • Enable Enable SSL Scanning to allow the service to decrypt HTTPS transactions and inspect them for data leakage, malicious content, and viruses, and to enforce policy.

      A subscription is required for this feature. Zscaler recommends using SSL inspection because it can encrypt and protect sensitive information, such as credit card numbers, usernames, and passwords, from being seen by intermediate devices that are not the intended recipients. If you choose not to enable SSL inspection, you can configure a global block of specific HTTPS content. To learn more, see How do I block HTTPS traffic without SSL inspection?

  6. If your organization is subscribed to one or more ports, you can associate them with a location and then forward your remote user traffic to those ports. To learn more, see What is a dedicated proxy port?

 Screenshot showing the Help menu of the Zscaler UI. Submit a Ticket option is highlighted.

 Screenshot of the Submit a Ticket page showing each field used to submit a ticket

 Screenshot of Add Location dialog box showing Enforce Authentication and Enable SSL Scanning turned on

To establish an SSL tunnel and return content to the user's browser, the service can use either the Zscaler intermediate certificate or a custom intermediate certificate signed by your own trusted CA. See below for instructions on how to configure a Zscaler certificate:

  1. Go to Policy > SSL Inspection.
  2. Under Intermediate Root Certificate Authority for SSL Interception > Zscaler's Default Certificate, click Download Zscaler Root Certificate.
    See image.
  3. Navigate to the ZscalerRootCerts.zip file and unzip it.
  4. Import the Zscaler certificate into the certificate store of your browser. 
    You must then import the Zscaler certificate into your users' browsers. To facilitate deployment in Microsoft Active Directory (AD) environments, use the GPO feature to deploy the certificate to all users in your network.

To enable your users' browsers or systems to automatically trust all certificates signed by the Zscaler Certificate Authority, your users must install the Zscaler Root CA certificate on their workstations. Otherwise, they will receive an error stating that there is a problem with the website's security certificate. For a configuration example of how users can do this, see Importing the Zscaler Root Certificate into IE 11. In Microsoft AD environments, you can use the Active Directory GPO feature to facilitate installing the certificate on multiple computers.

To learn how to configure a custom intermediate root certificate, see How do I use a custom certificate for SSL inspection?

Screenshot of SSL Inspection page of Zscaler UI with Zscaler Default Certificate section highlighted

To configure the SSL Inspection policy, do the following:

  1. Go to Policy > SSL Inspection.
  2. In the Policy for SSL Decryption section:
    See image.
    • Enable Block Undecryptable Traffic to protect against applications that use nonstandard encryption methods and algorithms.
    • In Do Not Inspect Sessions to these URL Categories, choose URL categories to exempt from SSL inspection. The service does not decrypt transactions to sites in these categories.
    • In Do Not Inspect Sessions to these Hosts, enter URLs you want to exempt from SSL inspection.
    • In Do Not Inspect these Applications, choose applications to exempt from SSL inspection.
    • In Policy for Mobile Traffic, turn on Enable SSL Scanning for Mobile Traffic to allow the service to inspect mobile traffic.
  3. In the Policy for Road Warriors with Kerberos section, turn on Enable SSL Scanning for Road Warriors with Kerberos to allow the service to inspect roaming devices.
  4. In the Policy for Z App section, enable SSL inspection for Zscaler App users on each relevant platform.
  5. Click Save and activate the change.

 Screenshot of SSL Decryption page with Policy for SSL Decryption and Policy for Mobile Traffic sections highlighted

 To log in to the Zscaler service:

  1. Browse to any external site (for example, www.zscaler.com).
  2. The service displays a Login window where you are prompted to authenticate.
  3. Enter the newly created user ID and click Sign in.
  4. Enter your password and click Sign in.
    See image.

The service allows you to continue to the site. Then, as your browser retrieves web pages, the service scans them for a range of malware threats and delivers clean traffic.

Screenshot of Zscaler Service’s Sign In window with User Name field. Second Sign In window shows User Name and Password fields. 

The URL Filtering policy contains sample rules that are disabled. You can customize these rules and add new ones based on the guidelines of your organization.

Add two rules to do the following:

  1. Block users from accessing gambling sites. To add a rule that blocks access to gambling sites:
    1. Go to Policy > URL & Cloud App Control.
    2. On the URL Filtering Policy tab, click Add URL Filtering Rule and do the following:
      • There is one default rule. So when you create a new rule, the Rule Order is automatically set to 2. Do not change it.
      • Rule Status is Enabled by default. Do not change it.
      • From the URL Categories menu, choose Gambling.
        See image.
      • For the Action, choose Block.
    3. Click Save and activate the change.  
  2. Caution users who access shopping sites. To add a rule that cautions against access to shopping sites, repeat the preceding steps, but select the Shopping and Auctions category and Caution action. 
    See image.

Rules that are enabled are evaluated in the order they are listed. You can change the Rule Order of rules to ensure that they are evaluated in the appropriate order. Following are the configured rules:
See image.

To test the rules you defined in the URL policy, open a browser and do the following:

  • Try to access a gambling site, such as gambling.com. The service blocks access to the site and displays a message, similar to the following image:
    See image.
  • Try to access a shopping site. The service displays a caution message, similar to the following image:
    See image.

 Screenshot of Add URL Filtering Rule dialog box and URL Categories drop-down menu with “Gambling” option checked.

 Screenshot of Add URL Filtering Rule dialog box and URL Categories drop-down menu with all of “Shopping and Auctions” options checked.

 Screenshot of URL Filtering Policy Page showing Other Adult Material and Gambling as blocked and Other Shopping and Auctions as caution.

 Screenshot of message that tells Zscaler user they’ve accessed a blocked website

 Screenshot of caution message for Zscaler user asking if they’re sure they want to visit a site categorized as Streaming Media

The Cloud App Control policy contains rules that control access to specific cloud applications. You can customize these rules and add new ones based on the guidelines of your organization. The Cloud App Control policy takes priority over the URL Filtering policy.

Add two rules to do the following:

  1. Block users from using all instant messaging (IM) applications except Google Talk. To add a rule that blocks usage of IM applications and exempts Google Talk:
    1. Go to Policy > URL & Cloud App Control.
    2. On the Cloud App Control Policy tab, click Add. Choose Instant Messaging as the cloud applications category. 
      See image.
    3. There is one default rule. So when you create a new rule, the Rule Order is automatically set to 2. Do not change it.   
    4. Rule Status is Enabled by default. Do not change it.
    5. From the Cloud Applications menu, select all of the apps except Google Talk.
    6. Under Action, choose to Block Chatting.
    7. Click Save and activate the change.
  2. Block users from accessing Tumblr. To add a rule that blocks access to Tumblr, repeat the preceding steps, but select Social Networking & Blogging as the cloud application category, select only Tumblr from the Cloud Applications menu, and choose to Block Viewing.

See image.

To test the rule you defined in the Cloud App Control policy, open a browser and try to access tumblr.com. The service blocks access to the site and displays a message, similar to the following image:
See image.

Screenshot of Add Instant Messaging Control Rule dialog box and Cloud Applications drop-down menu with Instant Messaging options checked off except Google Talk

 Screenshot of Edit Social Networking & Blogging Control Rule dialog box and Cloud Applications drop-down menu with Tumblr checked

 Screenshot of message that tells Zscaler user they’ve accessed a blocked website

EICAR is a test virus that is completely harmless. You can try to download this test virus to test the anti-virus protection of the service. Browser cached files are not blocked. You must clear your browser cache if testing includes enabling and disabling protection.

To test anti-virus protection:

  1. Open your browser and go to http://www.eicar.org/download/eicar.com.
  2. Try to download a test virus. The service blocks it and displays a message similar to the following image:
    See image.

You can customize the notification pages that the service displays to your users by going to Administration > End User Notifications in the Admin Portal.

 Screenshot telling Zscaler user that a security threat has been found in the form of a virus

To view reports and transactions:

  1. From the Dashboard, choose Web Browsing to view the browsing activity of your organization. 
    Each widget shows a different facet of the traffic.
    • The Top Blocked URL Categories widget shows that URLs in the Online Shopping and Gambling categories were blocked.
    • The newly created user test.user appears in the Top Users and Top Blocked Users widgets. 
      See image.
  2. Click test.user in the Top Users widget and choose Analyze Chart.
    In Web Insights, you can define filters on the left panel or select data types to interactively drill down to specific transactions. 
    See image.
  3. Choose View Logs.
    The logs show that the service blocked the gambling URL and allowed access to the shopping URL after a caution notification. 
    See image.

     Screenshot of Web Browsing dashboard on Zscaler UI highlighting a test user email and the “Analyze Chart” option

     Screenshot of Web Insights showing Filter drop-down menu, a user email, and View Logs option to view user’s logs.

     Screenshot of user’s URL logs