Zscaler FAQs | Comparably
Founded in 2007, Zscaler’s vision is to create a world in which the exchange of information is always seamless and secure.

Zscaler FAQs

Zscaler's Frequently Asked Questions page is a central hub where its customers can always go with their most common questions. These are the 355 most popular questions Zscaler receives.

Frequently Asked Questions About Zscaler

  • A suboptimal MTU for your organization's GRE or IPsec tunnel results in severe performance degradation. Below you can learn how to determine the optimal MTU for your organization's tunnels.

    Overview

    When a user from your organization requests a web site, the user's traffic first travels from your organization's edge network appliance (for example, a router or firewall) to a Zscaler Enforcement Node (ZEN) via a primary or secondary GRE or IPsec tunnel. From there, the ZEN sends the traffic out to the requested destination web server if it complies with your organization's security and compliance policies. See the image below.

    When you configure a GRE or IPsec tunnel to the ZEN, you must set a Maximum Transmission Unit (MTU) for the tunnel. The MTU determines the maximum packet size that can be sent over that tunnel, and setting an optimal MTU here is crucial. A suboptimal MTU for the tunnel results in significantly poor performance for your users.

    An optimal tunnel MTU is equal to or lower than the following key values:

    The Network Appliance MTU: The maximum total data per packet allowed by the edge network appliance from which the tunnel is built

    The Path MTU: The maximum total data per packet allowed by appliances that stand in the path between your network appliance and the ZEN

    If your tunnel MTU is larger than either value, the network or path appliance divides each packet into fragments. The appliance then places each fragment into its own packet, with its own header. (The appliance thus must ensure that the maximum size of each fragment is its own MTU minus the header size.) The appliance also records in the header the following information so that the receiving appliance can properly identify the fragments and reassemble them into the original packet that was sent.

    Total Length: The size of the fragment

    Identification: The value that identifies the original packet the fragment belongs to.

    More Fragments (MF): A flag set to a 1 for all fragments except the last one, which is set to 0. A flag set to a 1 indicates to the receiving appliance that more fragments of this packet are coming, while a flag set to a 0 indicates that the appliance has received the last fragment of the packet.

    Fragment Offset: A value that helps the receiving appliance reassemble the packet fragments into the right sequence

    When this fragmentation process occurs for each packet sent through your tunnel, your users will experience significant performance issues.

    To help avoid this scenario and ensure efficient packet transport, Zscaler recommends you complete the tasks below to determine and set the optimal MTU for your tunnels.

    Configuration Instructions

    Determine the Network Appliance MTU: the maximum total data per packet allowed by your network appliance

    Determine the Maximum Segment Size (MSS): the maximum payload data per packet allowed by appliances that stand in the path between your network appliance and the ZEN

    Calculate the path MTU value: the maximum total data per packet allowed by appliances that stand in the path between your network appliance and the ZEN

    Compare your Network Appliance MTU and path MTU and set the lesser value as the MTU for your tunnel.

    After you complete these tasks, the packets transported through your tunnel will not exceed the network appliance MTU or the path MTU. This helps ensure the most efficient transport for your packets and vastly improves performance.

    Determining the Network Appliance MTU

    Refer to your network appliance documentation to learn how to determine the appliance MTU. For example, if you have a Cisco appliance, you can find instructions here.

    You must determine the network appliance MTU before proceeding to the next step.

    Determining the MSS

    Prerequisites

    Before you begin, make sure you have the following information ready:

    Your network appliance MTU (referenced above)

    The IP addresses of the primary and secondary ZENs to which your organization forwards traffic. Click to learn how to locate this information for your organization.

    Instructions

    Proceed with the steps below. You can also refer to the example provided at the end of this section.

    Execute the following ping command to the ZEN or VPN host name using the appliance from which you're building the GRE or IPsec tunnels.

    ping -g [network appliance MTU value minus 50] -G 1600 -h 10 -D [destination]

    This command allows you to discover a range for the maximum segment size (MSS) -- that is, a range for the maximum payload data per packet allowed by appliances that stand in the path between your network appliance and the ZEN. It directs your appliance to send to the destination sweeping pings -- a sequence of packets that incrementally increase in size (by 10 bytes in this case) -- until the packets reach a specified size, or until the packets reach a point at which adding another 10 bytes would make the packets exceed the MSS.

    Below is a more detailed explanation of the command components and the values to use.

    -g = Packet size to start with when sending the sweeping ping. The value to plug in for g must equal the network appliance MTU minus 50. For example, if your network appliance MTU is 1450, the value is 1400.

    -G = Packet segment size to end with when sending the sweeping ping. For this command, use the value 1600.

    -h = Increment (in number of bytes) by which to increase the size of packets when sending the sweeping ping. For this command, use the value 10.

    -D = Prevents the tunnel from fragmenting packets. This is critical to ultimately discovering the MSS. Even if the appliance doesn't reach the G value (the size with which to end the sweeping ping), because of this component, the appliance stops sending packets once it finds it has to fragment packets to keep them from exceeding the MSS. Without this limitation, the appliance would simply continue to send packets by fragmenting them -- for example, if the MSS is 1470, and your packet size was 1478, it would fragment that packet into two packets so that the first would be 1400 bytes, and the second packet 8 bytes.

    [destination] = This is the packet destination. These are the IP addresses of the primary and secondary ZENs to which your organization forwards traffic.

    For example, if your organization's network appliance MTU is 1450, and your destination IP address is 10.10.10.13, your ping command is:

    ping -g 1400 -G 1600 -h 10 -D 10.10.10.13

    When the appliance ends the sweeping pings, identify the packet size at which your pings stopped. You now know that the MSS is somewhere between this value and this value plus 10.

    Execute the same ping command, but change the values entered for -g and -h.

    For -g, enter the packet size at which your appliance stopped sending packets, as identified in step 2.

    For -h, use 1 so that the appliance increases the packet size by increments of 1.

    ping -g [packet size at which appliance stopped sending packets, identified in step 2] -G 1600 -h 1 -D [destination]

    For example, if the value you identified in step 2 was 1450, your ping command would be:

    ping -g 1450 -G 1600 -h 1 -D 10.10.10.13

    Again, identify the packet size at which your pings stopped. That value is your MSS.

    See an example.

    Finding VPN host name

    GRE Tunnels: If you're building GRE tunnels, Zscaler Customer Support can provide you with the IP addresses of the primary and secondary ZENs to which your organization must forward traffic. See Configuring GRE Tunnels for more information.

    IPsec Tunnels: If you're building IPsec tunnels, see How do I locate the ZEN IP addresses for my IPsec VPN tunnels?

    Example 1

    In this example:

    The network appliance MTU is 1330

    The destination ZEN IP address is 192.152.0.19

    The ping command to execute in this case would be:

    ping -g 1330 -G 1600 -h 10 -D 192.152.0.19

    Upon execution, you may see results similar to the content below.

    ping -g 1330 -G 1600 -h 10 -D 192.152.0.19
    PING 192.152.0.19 (10.152.0.19): (1330 ... 1600) data bytes
    1338 bytes from 192.152.0.19: icmp_seq=0 ttl=121 time=418.883 ms
    1348 bytes from 192.152.0.19: icmp_seq=1 ttl=121 time=441.258 ms
    1358 bytes from 192.152.0.19: icmp_seq=2 ttl=121 time=289.218 ms
    1368 bytes from 192.152.0.19: icmp_seq=2 ttl=121 time=289.218 ms
    1378 bytes from 192.152.0.19: icmp_seq=2 ttl=121 time=289.218 ms
    1388 bytes from 192.152.0.19: icmp_seq=2 ttl=121 time=289.218 ms
    1398 bytes from 192.152.0.19: icmp_seq=2 ttl=121 time=289.218 ms
    1408 bytes from 192.152.0.19: icmp_seq=2 ttl=121 time=289.218 ms
    1418 bytes from 192.152.0.19: icmp_seq=2 ttl=121 time=289.218 ms
    1428 bytes from 192.152.0.19: icmp_seq=2 ttl=121 time=289.218 ms
    1438 bytes from 192.152.0.19: icmp_seq=2 ttl=121 time=289.218 ms
    1448 bytes from 192.152.0.19: icmp_seq=2 ttl=121 time=289.218 ms
    1458 bytes from 192.152.0.19: icmp_seq=2 ttl=121 time=289.218 ms
    1468 bytes from 192.152.0.19: icmp_seq=2 ttl=121 time=289.218 ms
    ping: sendto: Message too long
    ping: sendto: Message too long
    ping: sendto: Message too long

    The appliance sent to the IP address 192.152.0.19 pings that start at a packet segment size of 1330 bytes, increasing the size by increments of 10.

    The appliance stopped sending packets once they reached 1468 bytes (even before they reached the G value of 1600 bytes). Since the command specified that packets could not be fragmented, the appliance stopped sending packets when adding another 10 bytes to 1468 would have made the packet size exceed the MSS -- in other words, the point at which the appliance would have had to begin fragmenting packets in order to transport them.

    From this, it can be deduced that the MSS is somewhere between 1468 and 1478.

    With the information from the first ping command, you would execute the following second ping command:

    ping -g 1468 -G 1478 -h 1 -D 192.152.0.19

    Upon execution, you may see results similar to the content below.

    ping -g 1468 -G 1478 -h 1 -D 192.152.0.19
    PING 192.152.0.19 (10.152.0.19): (1330 ... 1600) data bytes
    1468 bytes from 192.152.0.19: icmp_seq=0 ttl=121 time=418.883 ms
    1469 bytes from 192.152.0.19: icmp_seq=1 ttl=121 time=441.258 ms
    1470 bytes from 192.152.0.19: icmp_seq=2 ttl=121 time=289.218 ms
    1471 bytes from 192.152.0.19: icmp_seq=2 ttl=121 time=289.218 ms
    1472 bytes from 192.152.0.19: icmp_seq=2 ttl=121 time=289.218 ms
    ping: sendto: Message too long
    ping: sendto: Message too long
    ping: sendto: Message too long

    From this result, you can conclude that your MSS is 1472 bytes.

    Calculate the Path MTU

    With your MSS, you can now calculate the path MTU -- the maximum packet size allowed by appliances that stand in the path between your network appliance and the ZEN. The path MTU is the MSS value plus the values for the IP header (20 bytes) and the ICMP header (8 bytes). Use the following calculation.

    Path MTU = MSS + 20 Bytes (IP Header) + 8 bytes (ICMP Header)

    For example, if your MSS is 1472, your path MTU would be 1500 (that is, 1472 + 20 + 8).

    Use the lower value as the MTU for your tunnel

    Compare your network appliance MTU and your path MTU. Make your tunnel MTU equal to the lower of these two MTU values.

    For example, if your network appliance MTU is 1500, and your path MTU is 1300, the value you set as the tunnel MTU would be 1300. This ensures that packets traveling through your GRE or IPsec tunnel do not exceed the packet size limitations of your network appliance or other appliances in the path between your network appliance and the ZEN.

    NOTE: If you experience issues performing the tasks above, Zscaler recommends that you use a tunnel MTU of 1400.
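An added example, not part of the Zscaler article, that carries the procedure above through in code: it reads the two sweeping-ping outputs, narrows the MSS, applies Path MTU = MSS + 20 + 8 and picks the lower of the appliance MTU and the path MTU, with the 1400 fallback when the sweep produced no reply. The ping output strings are constructed, abridged from the article's sample run against 192.152.0.19.

```javascript
// Added example, not from the Zscaler article: turns the two sweeping-ping
// runs described above into a tunnel MTU. The ping output below is constructed,
// abridged from the article's sample run against 192.152.0.19.

// Largest "N bytes from ..." size answered before "Message too long", or null
// when nothing was answered at all (the sweep could not be completed).
function lastAnsweredSize(pingOutput) {
  var last = null;
  var lines = pingOutput.split("\n");
  for (var i = 0; i < lines.length; i++) {
    var m = /^(\d+) bytes from /.exec(lines[i].trim());
    if (m) last = parseInt(m[1], 10);
  }
  return last;
}

// -g value for the first sweep: network appliance MTU minus 50.
function sweepStart(applianceMtu) {
  return applianceMtu - 50;
}

// After the coarse sweep (-h 10) the MSS lies between the last answered size
// and that size plus the increment; null when nothing was answered.
function mssRange(coarseOutput, step) {
  var last = lastAnsweredSize(coarseOutput);
  return last === null ? null : [last, last + step];
}

// The second command in the article: sweep the narrowed range 1 byte at a time.
function fineSweepCommand(range, destination) {
  return "ping -g " + range[0] + " -G " + range[1] + " -h 1 -D " + destination;
}

// Path MTU = MSS + 20 bytes (IP header) + 8 bytes (ICMP header).
function pathMtu(mss) {
  return mss + 20 + 8;
}

// Tunnel MTU is the lower of the appliance MTU and the path MTU. If no MSS
// could be established, use the article's recommended fallback of 1400.
function tunnelMtu(applianceMtu, mss) {
  if (mss === null) return 1400;
  return Math.min(applianceMtu, pathMtu(mss));
}

// Constructed coarse-sweep output (abridged from the article's sample).
var COARSE_SWEEP = [
  "PING 192.152.0.19 (192.152.0.19): (1330 ... 1600) data bytes",
  "1338 bytes from 192.152.0.19: icmp_seq=0 ttl=121 time=418.883 ms",
  "1348 bytes from 192.152.0.19: icmp_seq=1 ttl=121 time=441.258 ms",
  "1458 bytes from 192.152.0.19: icmp_seq=12 ttl=121 time=289.218 ms",
  "1468 bytes from 192.152.0.19: icmp_seq=13 ttl=121 time=289.218 ms",
  "ping: sendto: Message too long",
  "ping: sendto: Message too long"
].join("\n");

// Constructed fine-sweep output (abridged from the article's sample).
var FINE_SWEEP = [
  "PING 192.152.0.19 (192.152.0.19): (1468 ... 1478) data bytes",
  "1468 bytes from 192.152.0.19: icmp_seq=0 ttl=121 time=418.883 ms",
  "1471 bytes from 192.152.0.19: icmp_seq=3 ttl=121 time=289.218 ms",
  "1472 bytes from 192.152.0.19: icmp_seq=4 ttl=121 time=289.218 ms",
  "ping: sendto: Message too long"
].join("\n");

// The article's worked case end to end: appliance MTU 1330, path MTU 1500,
// so the tunnel MTU is 1330.
function worked(applianceMtu) {
  var range = mssRange(COARSE_SWEEP, 10);   // [1468, 1478]
  var mss = lastAnsweredSize(FINE_SWEEP);   // 1472
  return {
    nextCommand: fineSweepCommand(range, "192.152.0.19"),
    mss: mss,
    pathMtu: pathMtu(mss),                  // 1500
    tunnelMtu: tunnelMtu(applianceMtu, mss) // 1330
  };
}
```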

  • A GRE (Generic Routing Encapsulation) tunnel is ideal for forwarding Internet-bound traffic from your corporate network to the Zscaler service. GRE is a tunneling protocol for encapsulating packets inside a transport protocol. A GRE-capable device encapsulates a payload packet inside a GRE packet, which it then encapsulates in a transport protocol, such as IP.

    Here are the steps you need to perform while configuring the GRE on a Linux device.

    1) First, load some modules:

    2) Create the GRE interface:

    3) Give it an IP address:

    4) Add a route to the assigned address space you provided:

    5) Here is what it all looks like using Zscaler terminology:

    6) And here is a packet dump for protocol 47 on the ethernet interface where the tunnel is established:

    From this point on everything works, and you can do whatever you need, e.g. policy-based routing to send web traffic through the tunnel, or standard firewall ACLs to prohibit clients, etc.

  • This section describes how to write a new PAC file from scratch. Zscaler highly recommends that you copy and paste its default PAC file and customize it as necessary. Build your PAC file one element at a time. Save the file and test it after each addition.

    Before you begin, ensure that you review Best Practices for Writing PAC Files.

    FindProxyForURL Function

    A PAC file must start with the opening function FindProxyForURL(url,host) on the first line. This function identifies which URLs, host names or IP addresses are redirected to a proxy. The URL variable must contain the full URL of a destination (for example, http://www.zscaler.com), and the host variable must contain a domain name or its IP address (for example, zscaler.com or 72.249.144.174). Generally speaking, the host variable is preferable to the URL variable. If no URL or host is specified, all web requests will use the return argument.

    Return Statements

    Enter a return statement in curly brackets after each argument. The return statement directs requests to a proxy or to the specified destination. For example:

    function FindProxyForURL(url, host)
    {
        return "PROXY ${GATEWAY}:9400; DIRECT";
    }

    A return statement accepts one of two values:

    DIRECT tells the browser to bypass the proxy and go directly to the destination server, or

    PROXY tells the browser to send the request to a proxy.

    The DIRECT or PROXY values must be in uppercase characters and enclosed in quotation marks. Add a semicolon immediately after the closing quotation marks. For example:

    return "DIRECT";

    return "PROXY ${GATEWAY}:9400";

    Each PROXY statement must specify the fully qualified host name or the IP address of the proxy and the port. IP addresses are generally discouraged because they can change at any time. Zscaler recommends that you use the variables ${GATEWAY} and ${SECONDARY_GATEWAY} instead. (If your organization uses a subcloud, use the variables ${GATEWAY.organization_name.zscaler.net} and ${SECONDARY_GATEWAY.organization_name.zscaler.net}.)

    The service uses its geo-location technology to automatically find the ZEN closest to you and with the quickest response time. Naming a primary and secondary gateway provides failover in case one of the ZENs is unavailable for any reason.

    ZENs accept web requests on ports 80, 443, 9400, 9480 and 9443.

    Port 80 is the standard port used by almost all web servers.

    Port 443 is the standard port used for encrypted (HTTPS) traffic. Port 9400 can be used instead, if another host between the end user and the ZEN attempts to redirect the user's traffic before it can reach the ZEN.

    Port 9443 can be used for road warriors who need the service to proxy and inspect HTTPS transactions.

    Write the opening function FindProxyForURL (url, host) { } followed by a return statement on the next line. For example:

    function FindProxyForURL(url, host)
    {
        return "PROXY ${GATEWAY}:9400; DIRECT";
    }

    Save the text file and test it. Verify that the PAC file sends your browser to the Zscaler service with no other arguments, if statements, or other elements. Confirm by navigating to ip.zscaler.com, which indicates if you reached the web server directly or through a ZEN.

    Adding Arguments

    You can add various arguments that identify which internal or external hosts must be proxied. Add one nested argument at a time, and then test and confirm that the PAC file works properly after each addition.

    Following is a sample PAC file that contains arguments, each of which is preceded by a comment.

    function FindProxyForURL(url, host)
    {
        //
        //Exclude FTP from proxy
        //
        if (url.substring(0, 4) == "ftp:")
        {
            return "DIRECT";
        }
        //
        //Bypass proxy for internal hosts
        //
        if (isInNet(host, "0.0.0.0", "255.0.0.0") ||
            isInNet(host, "10.0.0.0", "255.0.0.0") ||
            isInNet(host, "127.0.0.0", "255.0.0.0") ||
            isInNet(host, "169.254.0.0", "255.255.0.0") ||
            isInNet(host, "172.16.0.0", "255.240.0.0") ||
            isInNet(host, "192.0.2.0", "255.255.255.0") ||
            isInNet(host, "64.206.157.136", "255.255.255.255"))
        {
            return "DIRECT";
        }
        //
        //Bypass proxy for this server
        //
        if (host == "mail.domain.com")
        {
            return "DIRECT";
        }
        return "PROXY ${GATEWAY}:9400; PROXY ${SECONDARY_GATEWAY}:9400; DIRECT";
    }

    For the arguments in the sample PAC file above, specify the following:

    Exclude FTP traffic.

    The following lines exclude FTP traffic from being redirected to the proxy (since the service does not support native FTP):

    //
    //Exclude FTP from proxy
    //
    if (url.substring(0, 4) == "ftp:")
    {
        return "DIRECT";
    }

    The argument begins with a simple if statement using the built-in string method url.substring. If arguments are always followed by opening and closing parentheses; they describe the conditions under which the argument must be evaluated and for which a result is required. In the example, the argument specifies that if the URL contains the string ftp: in its first four characters (positions 0 to 4), return DIRECT, bypassing the proxy named in the line below. Note that the result of the if argument must be enclosed within its own set of open and closed curly brackets.

    Save this change to the PAC file and upload it to the service portal. Reload the PAC file in your browser and navigate to an FTP download site such as ftp://ftp.hp.com/. After loading this page, log in to the Analytics portal to determine if this transaction was logged. The transaction should not appear in the logs.

    Exclude requests for internal hosts.

    The following lines in the PAC file example exclude requests for internal hosts from being redirected to a proxy.

    //
    //Do not send traffic to the following network to Zscaler
    //
    if (isInNet(host, "192.168.0.0", "255.255.0.0"))
    {
        return "DIRECT";
    }

    This argument uses the PAC function isInNet(), which is typically used to identify either of the following:

    Client IP address (If the request comes from this IP address, use this proxy.) Be aware that this argument returns the first IP address on your device, based on its OS. The first IP address, shown when you use the ipconfig command, may be the IPv6 address of the device or the IP address of a virtual adapter, and this can cause conflicts.

    Host server IP address (If the request is going to this address, use this proxy.) Be aware that this argument results in a DNS lookup. It can impact performance if the DNS server is not available. Instead, you can use the following to constrain the isInNet() function based on the host domains being accessed:

    if (dnsDomainIs(host, "internal.net"))
    {
        if (isInNet(host, "10.0.0.0", "255.0.0.0"))
        {
            return "DIRECT";
        }
    }

    Save the PAC file and test again. Browse to an internal host and ensure that you can reach it. (If you were proxied through a ZEN, your request would be denied. The request first goes outside your network to the Zscaler proxy but is then blocked as it tries to access an internal host as it comes back in from outside the network.)

    Exclude internal networks.

    The following lines in the PAC file example exclude requests for multiple internal hosts from being redirected to a proxy.

    //
    //Bypass proxy for internal hosts
    //
    if (isInNet(host, "0.0.0.0", "255.0.0.0") ||
        isInNet(host, "10.0.0.0", "255.0.0.0") ||
        isInNet(host, "127.0.0.0", "255.0.0.0") ||
        isInNet(host, "169.254.0.0", "255.255.0.0") ||
        isInNet(host, "172.16.0.0", "255.240.0.0") ||
        isInNet(host, "192.0.2.0", "255.255.255.0") ||
        isInNet(host, "64.206.157.136", "255.255.255.255"))
    {
        return "DIRECT";
    }

    As shown in the example, before closing the if argument with a final parenthesis, the Boolean or operator (||) is used to concatenate the internal networks. The last isInNet statement does not require the or (||) operator. Instead, it uses an additional parenthesis to close the opening parenthesis.

    The last statement is a specific IP address, not a network. To bypass specific hosts, write the exact IP address with a subnet mask of 255.255.255.255.

    Use of isInNet() is extremely effective when the host you are trying to reach is an actual IP address. If you try to reach a host by domain name, such as https://zscaler.com, your browser must perform a DNS lookup for it. If the host name is not resolvable, the client needs to wait for DNS to time out before moving on. To avoid this, and to avoid placing an undue strain on the name server, insert a variable that uses a regular expression immediately above the isInNet() argument to restrict the result to IP addresses only.

    Therefore, instead of writing:

    if (isInNet(host, "0.0.0.0", "255.0.0.0") ||
        isInNet(host, "10.0.0.0", "255.0.0.0") ||
        isInNet(host, "127.0.0.0", "255.0.0.0") ||
        ...)
    {
        return "DIRECT";
    }

    Write this:

    var reip = /^\d+\.\d+\.\d+\.\d+$/;
    if (reip.test(host))
    {
        if (isInNet(host, "0.0.0.0", "255.0.0.0") ||
            isInNet(host, "10.0.0.0", "255.0.0.0") ||
            isInNet(host, "127.0.0.0", "255.0.0.0") ||
            ...)
        {
            return "DIRECT";
        }
    }

    Here, the variable var reip = /^\d+\.\d+\.\d+\.\d+$/; is used in the argument if (reip.test(host)) {, and the result is only used if the host is an IP address in one of the networks specified in the nested if argument. Do not add the g (global) flag to the regular expression: with it, test() keeps its lastIndex between calls, so every other host would fail the check. Note that this can only be used for URLs that include IP addresses, such as http://192.0.2.3/example.

    In some versions of IE, use of the preceding variable may not work. An alternative is the PAC shell-expression match function shExpMatch(), which takes shell-style wildcards (* and ?) rather than a regular expression:

    // "*.*.*.*" only approximates the regular expression: it also matches any
    // name with three or more dots, which isInNet() will then have to resolve.
    if (shExpMatch(host, "*.*.*.*"))
    {
        if (isInNet(host, "10.0.0.0", "255.0.0.0") ||
            isInNet(host, "192.168.0.0", "255.255.0.0"))
        {
            return "DIRECT";
        }
    }

    Save this change, reload the PAC file in your browser, and then try browsing to an internal web server in the internal network. If you can reach the server, you have bypassed the Zscaler ZEN.

    Exclude Servers

    The following lines in the PAC file example exclude specific servers, such as mail.domain.com, from being redirected to a proxy. In the example, a separate if argument compares the host name against the server's name.

    //
    //Bypass proxy for this server
    //
    if (host == "mail.domain.com")
    {
        return "DIRECT";
    }
    //To bypass all hosts in a domain, use
    //dnsDomainIs(host, "host.com")

    You can also use the following to bypass specific internal hosts:

    // anchored with ^ and $ so that only these exact host names match
    var bypassHosts = /^(remote\.mydomain\.com|mail\.mydomain\.com)$/;
    if (bypassHosts.test(host))
    {
        return "DIRECT";
    }

    The preceding argument includes a variable that contains two hosts: remote.mydomain.com and mail.mydomain.com. Using the JavaScript test(host) function, any host you enter here will return DIRECT, and will not require a DNS lookup. var is the JavaScript keyword that declares a variable. bypassHosts is the variable's name, and the name used with test(host) in the argument must be this same name. Forward slashes mark the beginning and ending boundary of the regular expression, and the ^ and $ anchors make it match only the complete host names rather than any longer name that merely contains them. Open and close parentheses in the variable match the parentheses in the argument (test(host)). The periods in the host names must be escaped with a backslash. The variable itself requires a semicolon to close the variable argument.

  • Deployment Advisory Service (DAS) customers or Zscaler sales engineers would complete this wizard to begin the DAS design process: Deployment Wizard.

  • You can configure the service to allow users to access Gmail and other Google apps from your organization's domains only. For example, you can allow users to sign in to their Gmail corporate accounts, but block them from signing in to their personal Gmail accounts.

    The service intercepts any google.com (or associated Google app) request and adds the HTTP header X-GoogApps-Allowed-Domains, which identifies the domains from which users can access Google services. This prevents users from accessing Gmail and other Google apps from other domains.

    This feature does not affect Google apps that do not require users to sign in, such as Google search. But a user who signs in from Google search with an account that is not whitelisted will be blocked.

    For additional information from Google, see https://support.google.com/a/answer/1668854?hl=en-uk&hlrm=en

    Do the following to use this feature:

    Enable SSL inspection.

    Enable this feature as follows:

    Go to Policy > URL & Cloud App Control.

    Go to the Advanced Policy Settings tab.

    In the Allowed Domains for Google Apps field, type in corporate domains from which your users can access Gmail and other Google apps and click Add Items.

    Click Save and activate the change.

  • You can use PAC files to forward your traffic to the Zscaler service. When the Zscaler service receives traffic, it checks whether the traffic is from a known location (a location that is configured on the admin portal), or from an unknown location (road warrior traffic). Typically, traffic from a known location is sent to port 80, where the service performs SSL inspection according to the location's policies, and road warrior traffic is forwarded to port 9443, where the service always performs SSL inspection. (Note that the bypassed URLs and URL categories that you specify in the admin portal do not apply to road warrior traffic forwarded to port 9443.)

    If your users work from your corporate office and work remotely, you may want to add an argument to the PAC file so that the browser forwards your traffic to a different port on the ZEN, depending on the user's location.

    For guidelines for writing PAC files, see Best Practices For Writing PAC Files. To learn how to write a PAC file, see Writing a PAC File. Note that Zscaler highly recommends that you copy and paste its default PAC file and customize it as necessary.

    See the links below to learn more about the following options:

    Using Fixed Gateway IP Addresses

    Using Device IP Addresses

    Using DNS

    Using Fixed Gateway IP Addresses

    If each of your locations has a fixed gateway IP address, you can write an argument in the PAC file stating that if the PAC file receives traffic from the fixed IP addresses, the browser forwards that traffic to port 80. Otherwise, the PAC file forwards traffic to port 9443.

    This option is accurate and independent from your computer configuration. However, you must update the list of gateway IP addresses in the PAC file when there are changes to your locations.

    To use this option, replace the IP addresses in the following lines with your own gateway IP addresses. Then add the lines to the PAC file you are using:

    /* Array of all known gateway networks (network, mask); replace with your own */
    var allGateways = [
        ["192.0.2.0", "255.255.255.0"],
        ["198.51.100.0", "255.255.255.0"],
        ["203.0.113.0", "255.255.255.0"]
    ];
    /* ${SRCIP} is replaced by the service with the client's public source IP */
    for (var i = 0; i < allGateways.length; i++)
    {
        if (isInNet("${SRCIP}", allGateways[i][0], allGateways[i][1]))
            return "PROXY ${GATEWAY}:80; PROXY ${SECONDARY_GATEWAY}:80; DIRECT";
    }
    return "PROXY ${GATEWAY}:9443; PROXY ${SECONDARY_GATEWAY}:9443";

    Using Device IP Addresses

    Every device that connects to the Internet has an IP address. You can write an argument in the PAC file stating that if the IP address of a user's device falls within your corporate subnetwork, the browser forwards traffic to port 80. Traffic from IP addresses that are not in the subnetwork is forwarded to port 9443.

    This option is simple and quick to execute, as it only relies on your computer configuration. However, your private IP address range may overlap with other company networks, such as a wifi hotspot at a coffee shop.

    In this example, the subnetworks are 10.10.1.0/24, 172.16.1.0/24, and 192.168.1.0/24. To use this option, replace the subnetworks in the following lines with your own. Then add the lines to the PAC file you are using:

    /* If client IP falls in corporate subnet, send traffic on regular port 80 */
    if (isInNet(myIpAddress(), "10.10.1.0", "255.255.255.0") ||
        isInNet(myIpAddress(), "172.16.1.0", "255.255.255.0") ||
        isInNet(myIpAddress(), "192.168.1.0", "255.255.255.0"))
        return "PROXY ${GATEWAY}:80; PROXY ${SECONDARY_GATEWAY}:80; DIRECT";
    else
        return "PROXY ${GATEWAY}:9443; PROXY ${SECONDARY_GATEWAY}:9443";

    Using DNS

    You can determine the location of a user by referencing an internal DNS server. You can write an argument in the PAC file stating that if an IP address was resolved by an internal DNS server, the browser forwards traffic to port 80. Traffic from IP addresses that were not resolved by an internal DNS server is sent to port 9443.

    This option is efficient and works as long as your DNS resolution is the same across all of your company locations. However, it may slow down browsing to the Internet if your DNS servers do not respond quickly enough.

    In this example, the internal DNS server is DNS.safemarch.com. To use this option, replace the internal DNS server in the following lines with your own. Then add the lines to the PAC file you are using:

    /* Create a variable hostIP and populate it with the IP address obtained by resolving DNS.safemarch.com */
    var hostIP = dnsResolve("DNS.safemarch.com");
    /* If hostIP is not equal to 10.35.3.43 (the internal server), send traffic through Zscaler on port 9443, which enforces SSL scanning; else send traffic on regular port 80 */
    if (hostIP !== "10.35.3.43")
        return "PROXY ${GATEWAY}:9443; PROXY ${SECONDARY_GATEWAY}:9443; DIRECT";
    else
        return "PROXY ${GATEWAY}:80; PROXY ${SECONDARY_GATEWAY}:80; DIRECT";
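An added example, not Zscaler's PAC file or code, that serves both the PAC-writing article and the port-by-location article above: one PAC file combining the FTP exclusion, the regex-guarded isInNet() bypass, an anchored bypassHosts list, a dnsDomainIs()-scoped lookup and the device-IP port selection, together with stand-ins for the helpers (isInNet, dnsDomainIs, dnsResolve, myIpAddress) that a browser's PAC engine normally provides, so the logic can be evaluated offline. Host names, addresses and the DNS table are constructed.

```javascript
// Added example (not Zscaler's PAC file or code): a PAC file assembled the way
// the articles above describe, plus stand-ins for the helper functions a
// browser's PAC engine provides, so FindProxyForURL can be exercised offline.
// Host names, addresses and the DNS table below are constructed.

// --- Stand-ins for the PAC engine's helpers ---------------------------------
function ipToInt(s) {
  var p = s.split(".");
  if (p.length !== 4) return null;
  var n = 0;
  for (var i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(p[i]) || Number(p[i]) > 255) return null;
    n = n * 256 + Number(p[i]);
  }
  return n;
}
var FAKE_DNS = { "intranet.example.net": "10.20.30.40" }; // constructed resolver
var CLIENT_IP = "10.10.1.25"; // constructed device address (on the corporate LAN)

function dnsResolve(host) {
  return Object.prototype.hasOwnProperty.call(FAKE_DNS, host) ? FAKE_DNS[host] : null;
}
function myIpAddress() { return CLIENT_IP; }
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
         host.substring(host.length - domain.length) === domain;
}
// isInNet() resolves a host name first: that is the DNS cost the article warns about.
function isInNet(host, pattern, mask) {
  var ip = ipToInt(host) !== null ? host : dnsResolve(host);
  if (ip === null) return false;
  var m = ipToInt(mask);
  return (ipToInt(ip) & m) === (ipToInt(pattern) & m);
}

// --- The PAC file (ES3-style var so legacy PAC engines accept it) -----------
function FindProxyForURL(url, host) {
  // Exclude FTP from proxy: the service does not handle native FTP
  if (url.substring(0, 4) == "ftp:") {
    return "DIRECT";
  }
  // Bypass proxy for internal networks only when host is already an IP, so
  // isInNet() never triggers a DNS lookup. No "g" flag: with it, test() keeps
  // lastIndex between calls and would fail on alternate hosts.
  var reip = /^\d+\.\d+\.\d+\.\d+$/;
  if (reip.test(host)) {
    if (isInNet(host, "10.0.0.0", "255.0.0.0") ||
        isInNet(host, "127.0.0.0", "255.0.0.0") ||
        isInNet(host, "169.254.0.0", "255.255.0.0") ||
        isInNet(host, "172.16.0.0", "255.240.0.0") ||
        isInNet(host, "192.168.0.0", "255.255.0.0")) {
      return "DIRECT";
    }
  }
  // Bypass named internal servers with no DNS lookup. The regex is anchored;
  // unanchored, any longer name ending in these labels would also match.
  var bypassHosts = /^(remote\.example\.net|mail\.example\.net)$/;
  if (bypassHosts.test(host)) {
    return "DIRECT";
  }
  // Resolve only names in the internal domain, then check the address
  if (dnsDomainIs(host, ".example.net") &&
      isInNet(host, "10.0.0.0", "255.0.0.0")) {
    return "DIRECT";
  }
  // Location-aware port: corporate subnet -> 80, road warrior -> 9443
  if (isInNet(myIpAddress(), "10.10.1.0", "255.255.255.0")) {
    return "PROXY ${GATEWAY}:80; PROXY ${SECONDARY_GATEWAY}:80; DIRECT";
  }
  return "PROXY ${GATEWAY}:9443; PROXY ${SECONDARY_GATEWAY}:9443";
}

// Derive the host from the URL the way a browser would, then evaluate the PAC
function route(url) {
  var host = url.replace(/^[a-z]+:\/\//i, "").split("/")[0].split(":")[0];
  return FindProxyForURL(url, host);
}
```

Change CLIENT_IP to an address outside 10.10.1.0/24 and route() switches from port 80 to port 9443 for anything that is not bypassed.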

  • Note: for screenshots with instructions, see the PDF.

    How to distribute the PAC file URL using GPO in Server 2012:

    Log in to AD server as an Administrator

    Open the GPMC (run gpmc.msc)

    In the Group Policy management tree navigate to the domain or organization unit to which you are applying the GPO

    Right click on the domain or OU and select Create a GPO in this domain, and Link it here. Alternatively, open the Group Policy Objects Folder and then click New.

    In the New GPO dialog, enter a name and leave the Source Starter GPO as (none)

    Click OK to exit the dialog box

    Right click the newly created GPO and select Edit

    Navigate to User Configuration>Preferences>Control Panel Settings>Internet Settings

    Right click and select New>Internet Explorer 10 (or whichever version you are creating a GPO for)

    In the Properties Editor, select LAN settings

    Enter the PAC file address. Make sure the green underline is there denoting it is configurable. If not, press F6 to enable the configuration of the setting

    Additionally, you should enforce the PAC file setting so your users will not be able to change it even when they're logged in as an Administrator.

    To enforce the PAC file setting:

    Open the GPMC

    In the Group Policy management tree, navigate to the domain or Organization Unit to which you applied the GPO

    Expand the Group Policy Objects item; select the newly created GPO, right-click and select Edit

    Go to User Configuration>Policies>Administrative Template>Windows Components>Internet Explorer

    From the list of settings on the right panel, enable the following settings:

    Disable changing Automatic Configuration settings

    Prevent changing proxy settings

    View Article
  • While Zscaler has whitelisting agreements for Zscaler App in place with specific endpoint protection vendors such as Trend Micro and Kaspersky Labs, for some endpoint protection products like anti-virus and personal firewall, you may need to perform additional whitelisting to ensure full Zscaler App functionality.

    Therefore, Zscaler recommends that your users' Windows and MAC devices have inbound rules that allow the following Zscaler App binaries and processes.

    Processes Whitelist

    You can use GPO to define rules to allow the following processes.

    NOTE: % is a macro that represents the drive where the program files are located. Program files are usually located on the C drive. There are exceptions; for example, on an Amazon WorkSpace (AWS), the program files are on the D drive.

    Windows 64-bit

    %ProgramFiles(x86)%\Zscaler\ZSATray\ZSATray.exe

    %ProgramFiles(x86)%\Zscaler\ZSATunnel\ZSATunnel.exe

    %ProgramFiles(x86)%\Zscaler\ZSAService\ZSAService.exe

    %ProgramFiles(x86)%\Zscaler\ZSAUpdater\ZSAUpdater.exe

    %ProgramFiles(x86)%\Zscaler\Updater\zscalerappupdater.exe

    %ProgramFiles(x86)%\Zscaler\Updater\zscalerchecksumverifier.exe

    %ProgramFiles(x86)%\Zscaler\ThirdParty\CertUtil\certutil.exe

    %ProgramFiles(x86)%\Zscaler\ThirdParty\Filechecksum\fciv.exe

    %ProgramFiles(x86)%\Zscaler\ThirdParty\TAPDriver\Zscaler-Network-Adapter-1.0.1.0.exe

    %ProgramFiles(x86)%\Zscaler\ThirdParty\TAPDriver\Zscaler-Network-Adapter-1.0.2.0.exe

    Windows 32-bit

    %ProgramFiles%\Zscaler\ZSATray\ZSATray.exe

    %ProgramFiles%\Zscaler\ZSATunnel\ZSATunnel.exe

    %ProgramFiles%\Zscaler\ZSAService\ZSAService.exe

    %ProgramFiles%\Zscaler\ZSAUpdater\ZSAUpdater.exe

    %ProgramFiles%\Zscaler\Updater\zscalerappupdater.exe

    %ProgramFiles%\Zscaler\Updater\zscalerchecksumverifier.exe

    %ProgramFiles%\Zscaler\ThirdParty\CertUtil\certutil.exe

    %ProgramFiles%\Zscaler\ThirdParty\Filechecksum\fciv.exe

    %ProgramFiles%\Zscaler\ThirdParty\TAPDriver\Zscaler-Network-Adapter-1.0.1.0.exe

    %ProgramFiles%\Zscaler\ThirdParty\TAPDriver\Zscaler-Network-Adapter-1.0.2.0.exe

    MAC

    /Applications/Zscaler/Zscaler.app/Contents/PlugIns/ZscalerTunnel

    /Applications/Zscaler/Zscaler.app/Contents/PlugIns/ZscalerService

    /Applications/Zscaler/Zscaler.app/Contents/MacOS/Zscaler

    /Applications/Zscaler/.Updater/autoupdate-osx.app/Contents/MacOS/ZscalerUpdater

    Zscaler App Identifier: com.zscaler.Zscaler

    Bypasses for Firewall

    Additionally, if you have a GPO-managed or AV-managed host firewall, you may configure an inbound firewall rule on your endpoint protection product for ZSATunnel.exe processes for all ports, protocols, and network interfaces.

    Windows

    ZSATunnel.exe: Inbound and Outbound

    ZSATray.exe: Outbound

    ZSAUpdater: Outbound

    ZSAService.exe: Outbound

    Zscalerappupdater.exe: Outbound

    MAC

    ZscalerTunnel: Inbound and Outbound

    ZscalerService: Outbound

    Zscaler: Outbound

    ZscalerUpdater: Outbound

    View Article
  • You can configure an IPsec VPN tunnel between the gateway of your corporate network and a Zscaler Enforcement Node (ZEN). Zscaler recommends configuring two separate VPNs to two different ZENs for high availability. If the primary IPsec VPN tunnel or if an intermediate connection goes down, all traffic is then rerouted through the backup IPsec tunnel to the secondary ZEN.

    Prerequisites

    Ensure that you have the following information for each tunnel:

    IP address or hostname of your local gateway

    Shared secret

    IP addresses of the Zscaler ZENs. (Learn how to locate the ZEN IP addresses for your organization)

    NOTE:

    Zscaler IPsec tunnels support a soft limit of 200 Mbps per tunnel. If your organization wants to forward more than 200 Mbps of traffic, Zscaler recommends you configure more IPsec VPN tunnels as needed. For example, if your organization forwards 400 Mbps of traffic, you can configure two primary VPN tunnels and two backup VPN tunnels. If your organization processes 600 Mbps of traffic, you would configure three primary VPN tunnels and three backup VPN tunnels.

    For each tunnel, Zscaler supports 8 Phase 2 Security Associations per Phase 1.

    Loc

    Go to ips.<your cloud name>.net. You can find the name of your cloud in the URL your admins use to log into the Zscaler service. For example, if an organization logs into admin.zscalertwo.net, then that organization's cloud name is zscalertwo.net. Therefore, in this instance, you would go to ips.zscalertwo.net. To learn more, see What is my cloud name?

    From the menu on the left, click Cloud Enforcement Node Ranges.

    Locate the VPN Host Name of two data centers closest to your organization's location and resolve the hostnames. Choose one as the destination for your primary IPsec VPN tunnel, and the other as the destination for your secondary IPsec VPN tunnel. For example, if you're located in London, you can scroll to the Europe section of the table, then choose lon3-vpn.zscalertwo.net (London) as your primary destination and amsterdam2-vpn.zscalertwo.net (Amsterdam) as your secondary destination. See image.


    Configuration Tasks

    Following are the tasks to configure an IPsec VPN to a Zscaler ZEN:

    Review the configuration guidelines.

    Add VPN credentials to the admin portal.

    Link the VPN credentials to a location.

    Configure your edge router to forward traffic to the Zscaler service. See some examples:

    Configuring an IPsec VPN from a Juniper SSG5

    Configuring an IPsec VPN from a Cisco ASA 5505

    Configuring an IPsec VPN from a Cisco ISR Appliance

    Configuring an IPsec VPN from a Juniper SRX

    See the Interoperability List.

    Interoperability List

    The following vendors and software versions have been tested and verified by the Zscaler QA team.

    Vendor    Model             Software Version
    Cisco     ASA               8.2.5
    Cisco     ISR 881           15.1(3)T
    Cisco     ISR 2821          12.4(16)
    Juniper   SSG5              6.0.0
    Juniper   SRX210, SRX220    10.4R4.5

    Configuration Guidelines

    This section lists the IPsec parameters that Zscaler supports. Note that when there are multiple options, the values in bold are the recommended settings.

    IKE Phase 1

    Mode: Aggressive mode when the authentication method is PSK and the FQDN of the peer is used to identify it. Main mode when the authentication method is PSK and the peer has a static IP address.

    Encryption algorithm: AES-128, 3DES, DES

    Authentication Algorithm: SHA1-128, MD5

    Diffie-Hellman Group 2

    SA Lifetime: 24 hours

    Lifebytes: Unlimited

    Authentication: Pre-shared keys, digital signature using RSA, external authentication and pre-shared keys, or external authentication and RSA

    NAT-T: NAT-T is supported if the device initiating the IPsec VPN is behind another firewall or router performing NAT.

    NAT keepalive interval: 20 secs

    Enable dead-peer-detection keepalives (timeout is 20 secs and max retry 5)

    IKE Phase 2

    Mode: Quick mode

    Encryption and Authentication Algorithms: NULL/MD5, AES-128/MD5

    Diffie-Hellman Group 2

    SA Lifetime: 8 hours

    Lifebytes: Unlimited

    Perfect Forward Secrecy (PFS) option is disabled. This option enables each IPsec SA to generate a new shared secret through a Diffie-Hellman exchange. This option is not recommended for Zscaler VPNs.

    MTU (Maximum Transmission Unit): 1400 bytes (To learn how to determine this value, see Determining the MTU.)

    MSS (Maximum Segment Size): 1300 bytes
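As an added example (not Zscaler's code), the following checks a planned tunnel configuration against the parameters listed under Configuration Guidelines and sizes the tunnel count from the 200 Mbps per-tunnel soft limit in the note above. The cfg field names and the sample configuration are this example's own constructed convention; it checks the supported values the article lists, not the bold "recommended" ones, which do not survive in this text.

```javascript
// Added example, not part of the Zscaler article.
const MBPS_PER_TUNNEL = 200;            // soft limit per IPsec tunnel
const MAX_PHASE2_SA_PER_PHASE1 = 8;     // Phase 2 SAs supported per Phase 1

// Values the article lists as supported (field names are this example's own).
const SUPPORTED = {
  p1Encryption: ["AES-128", "3DES", "DES"],
  p1Auth: ["SHA1-128", "MD5"],
  p2Proposal: ["NULL/MD5", "AES-128/MD5"],
};

// Primary and backup tunnel counts for an expected egress rate in Mbps.
function planTunnels(mbps) {
  const n = Math.max(1, Math.ceil(mbps / MBPS_PER_TUNNEL));
  return { primary: n, backup: n };
}

// Returns a list of findings; an empty list means the config matches the guidelines.
function checkIpsecConfig(cfg) {
  const findings = [];
  const want = (label, actual, expected) => {
    if (actual !== expected) findings.push(`${label}: got ${actual}, expected ${expected}`);
  };
  const oneOf = (label, actual, allowed) => {
    if (!allowed.includes(actual)) findings.push(`${label}: ${actual} not in [${allowed.join(", ")}]`);
  };

  // Phase 1 mode follows from how the PSK peer is identified: FQDN -> aggressive, static IP -> main.
  const expectedMode = cfg.peerIdentity === "FQDN" ? "aggressive" : "main";
  want("phase1.mode", cfg.phase1.mode, expectedMode);
  oneOf("phase1.encryption", cfg.phase1.encryption, SUPPORTED.p1Encryption);
  oneOf("phase1.authentication", cfg.phase1.authentication, SUPPORTED.p1Auth);
  want("phase1.dhGroup", cfg.phase1.dhGroup, 2);
  want("phase1.saLifetimeHours", cfg.phase1.saLifetimeHours, 24);
  want("phase1.natKeepaliveSecs", cfg.phase1.natKeepaliveSecs, 20);
  want("phase1.dpd.timeoutSecs", cfg.phase1.dpd.timeoutSecs, 20);
  want("phase1.dpd.maxRetry", cfg.phase1.dpd.maxRetry, 5);

  want("phase2.mode", cfg.phase2.mode, "quick");
  oneOf("phase2.proposal", cfg.phase2.proposal, SUPPORTED.p2Proposal);
  want("phase2.dhGroup", cfg.phase2.dhGroup, 2);
  want("phase2.saLifetimeHours", cfg.phase2.saLifetimeHours, 8);
  want("phase2.pfs", cfg.phase2.pfs, false);   // PFS is not recommended for Zscaler VPNs
  if (cfg.phase2.saCount > MAX_PHASE2_SA_PER_PHASE1) {
    findings.push(`phase2.saCount: ${cfg.phase2.saCount} exceeds ${MAX_PHASE2_SA_PER_PHASE1} per Phase 1`);
  }

  want("mtu", cfg.mtu, 1400);
  want("mss", cfg.mss, 1300);
  return findings;
}

// Constructed sample: follows the article except that PFS was left enabled and
// the Phase 1 mode does not match FQDN peer identification.
const sampleConfig = {
  peerIdentity: "FQDN",
  phase1: { mode: "main", encryption: "AES-128", authentication: "SHA1-128",
            dhGroup: 2, saLifetimeHours: 24, natKeepaliveSecs: 20,
            dpd: { timeoutSecs: 20, maxRetry: 5 } },
  phase2: { mode: "quick", proposal: "AES-128/MD5", dhGroup: 2,
            saLifetimeHours: 8, pfs: true, saCount: 4 },
  mtu: 1400,
  mss: 1300,
};
```

The lists reflect what the article says is supported, not what is strongest; a checker for a real deployment would additionally flag DES and MD5 as legacy choices.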

    Add VPN Credentials

    Do any of the following to add VPN credentials to the Zscaler admin portal:

    Add VPN credentials individually

    Import a CSV file with multiple credentials

    Add Single VPN Credentials

    Go to Administration > Resources > VPN Credentials.

    Click Add and complete the following:

    Choose which will be used to identify the peer, FQDN or IP, and then enter the FQDN of the peer or select the IP address of your local gateway. The entries here were those you sent to Zscaler beforehand.

    Choose XAUTH if you are creating a mobile VPN. Enter the XAuth User ID of the peer.

    If you chose FQDN or IP, enter the pre-shared key in the New Pre-Share Key and Confirm New Pre-Share Key text boxes.

    If you chose XAUTH, enter the password in the New XAuth Password and Confirm New XAuth Password text boxes.

    Optionally, enter additional notes or information. The comments cannot exceed 10,240 characters.

    Click Save and activate the change.

    Import VPN Credentials

    Go to Administration > Resources > VPN Credentials.

    Ensure that your CSV file is in the correct format. Click Sample Import CSV file to download a sample.

    Once you have the CSV file in the correct format, click Import.

    From the Import VPN Credentials dialog, click Choose file, navigate to the CSV file you want to import and click Import.

    Link to Location

    Log in to the admin portal and do the following:

    Go to Administration > Resources > Locations.

    Add or edit a location.

    From the VPN Credentials menu, choose the IP address or FQDN.

    Click Done to exit the dialog.

    Click Save and activate the change.

    View Article
  • Zscaler recommends that organizations use a combination of tunneling, PAC files, Surrogate IP, and Zscaler App to forward traffic to the Zscaler service. If your organization has an internal router or switch that supports GRE and its egress port has a static address, Zscaler recommends that you configure a GRE tunnel to forward all outbound traffic from your location to the Zscaler service. If your router does not support GRE or if you use dynamic IP addresses, you can use an IPsec VPN tunnel instead. Note that IPsec tunnels have additional processing overhead on your equipment, compared to GRE tunnels. Zscaler also recommends that organizations deploy mechanisms such as IP SLA to monitor tunnel health and enable fast failover. In addition to the GRE or IPsec VPN tunnel, Zscaler recommends that you install a PAC file for each user to ensure coverage outside the corporate network.

    This section describes the supported traffic forwarding mechanisms, including their benefits and requirements. Your organization can use one or a combination of methods, depending on your environment. The following table lists the recommended traffic forwarding mechanisms: GRE tunnels, IPsec VPN tunnels and PAC files.

    GRE Tunnel

    Zscaler recommends that you configure two GRE tunnels from an internal router behind the firewall to the ZENs; a primary tunnel to a ZEN in one data center, and a secondary tunnel to a ZEN in another data center. These deployments provide visibility into internal IP addresses, which can be used for security policies and logging.

    Benefits:
    - Supports both HTTP and HTTPS traffic.
    - Supports failover in case the primary ZEN becomes unavailable.
    - Minimal overhead.
    - No configuration on computers or laptops.
    - Users on your corporate network cannot bypass the service.
    - Tunneling can provide internal IP address information to Zscaler for use in policy design and logging.

    Requirements:
    - Zscaler recommends that you install a PAC file for each user to ensure coverage outside the corporate network.
    - Your organization's perimeter edge router must support GRE and its egress port must have a static IP address.

    IPsec VPN Tunnel

    Zscaler recommends that you configure two IPsec tunnels from an internal router behind the firewall to the ZENs; a primary tunnel to a ZEN in one data center, and a secondary tunnel to a ZEN in another data center. These deployments provide visibility into internal IP addresses, which can be used for security policies and logging.

    Benefits:
    - Supports both HTTP and HTTPS traffic.
    - Supports failover if the primary ZEN becomes unavailable.
    - No configuration on computers or laptops.
    - Users on your corporate network cannot bypass the service.
    - Tunneling can provide internal IP address information to Zscaler for use in policy design and logging.
    - Supports locations with dynamic IP addresses.

    Requirements:
    - Zscaler recommends that you install a PAC file for each user to ensure coverage outside the corporate network.
    - Not all vendors provide a VPN failover mechanism to provide resilience.

    PAC Files

    A PAC (Proxy Auto-Configuration) file directs the browser to forward traffic to a ZEN.

    Benefits:
    - All major browsers support PAC files.
    - Supports both HTTP and HTTPS traffic.
    - Users on and off the corporate network are protected by the service.
    - Microsoft Internet Explorer PAC settings can be enforced organization-wide using Microsoft Active Directory Group Policies (GPO).

    Requirements:
    - Ensure that users do not have admin rights so they cannot circumvent the service by installing a nonstandard browser.
    - Users can have local admin rights, but require network admin rights to change the PAC file.

    The following table lists the traffic forwarding mechanism that you can use to quickly start using the Zscaler service for evaluation purposes: Proxy Chaining. Zscaler does not support this mechanism for production environments.

    Proxy Chaining

    Configure your proxy server to forward traffic to a ZEN.

    Benefits:
    - Easy to set up.
    - Multiple rules offer full redundancy.
    - Supported by every major web proxy.
    - Users on your corporate network cannot bypass the service.
    - If available, X-Forwarded-For headers can be used to provide internal IP addresses to Zscaler.

    Requirements:
    - Users off the corporate network must use another method, such as PAC files, to forward traffic to the service.
    - The latency of the proxy server will affect the traffic forwarding latency.
    - If the proxy server also performs caching, downstream authentication could be an issue.
    - If the local proxy has a cache, it could affect policy enforcement and reporting.

    The following table lists the traffic forwarding mechanism that you can use for your road warrior traffic or if your company has less than 1,000 users: Zscaler App. The Zscaler App is also used with Zscaler Private Access (ZPA).

    Zscaler App

    With Zscaler App's web security feature, you can protect your users' web traffic even when they are outside your corporate network. The app forwards user traffic to the Zscaler service and ensures that your organization's security and access policies are enforced wherever they may be accessing the Internet. With ZPA, you can enable your users to securely access enterprise applications from outside the corporate network. The ZPA service establishes secure transport for accessing your enterprise apps and services.

    Benefits:
    - Supports PC, MAC, iOS, Android, and virtual computing environments.
    - Supports all authentication mechanisms supported by the Zscaler service.
    - Provides device fingerprinting and reporting.
    - Easy to enforce.
    - Supports auto and managed updates.
    - Detects trusted networks and can disable its service automatically.

    Requirements:
    - An authentication mechanism installed and users provisioned on the Zscaler service.
    - If you are using the app for ZPA, your organization must use SAML authentication.
    - If you are using the app for Web Security, your firewall must be configured to allow the necessary connections.
    - The app currently supports Windows 7, 8, 8.1, and 10, and MAC OS X 10.10 and later.

    View Article
  • Release Date: April 27, 2017

    Zscaler App 1.2.3 includes the following fixes:

    Zscaler App in Tunnel mode now better interoperates with AV, firewall, and DLP clients. This also fixes the Blue Screen of Death (BSOD) issues observed when using AV with Zscaler App.

    Fixes an issue where keepalives and exporting logs failed when UTF-8 characters were involved.

    For the ZPA service, fixes an issue where Zscaler App sometimes displayed an error when users reauthenticated to ZPA.

    Fixes an issue where the Notifications window of the Zscaler App displayed distorted text.

    Fixes an issue where some websites did not load because the web servers did not allow proxies on the path.

    Fixes an issue where the Zscaler App showed up as a blank window when users tried to log in to the app.

    Now the Mac OS X version of the Zscaler App does not autofill the username on the SAML form when the userDomain installer option is enabled.

    View Article
    With the proliferation of mobile devices, both corporate and user owned, security for mobile devices has become increasingly critical. The Zscaler iOS solution extends the Zscaler security service to Apple iOS devices, whether they're connected to Wi-Fi or cellular networks. It enforces the policies that you set in the Admin portal to protect web and mobile traffic, and provides the ability to define policies that protect mobile devices as well. For example, you can control whether users can use the camera or install apps on the mobile device. This comprehensive solution secures every aspect of your users' mobile usage, covering the device and its browser and app traffic as well.

    From the Zscaler admin portal where you define administrative settings and policies for web and mobile traffic, you can go to the Zscaler App Portal to manage mobile devices. On the Zscaler App Portal, you can define policies that control how a device forwards traffic to the Zscaler service and which apps, functionality and content can be accessed from a device. The portal also has a Dashboard where you can monitor the mobile devices and view their compliance status. Additionally, you can define an Acceptable Use Policy (AUP) and notifications specifically for mobile devices.

    Zscaler SecureAgent is an app that is installed on mobile devices to authenticate the mobile device users and forward their traffic to the Zscaler service. When you run SecureAgent, it installs the policy that you configured on the Mobile portal as a profile on your mobile device. Additionally, it enrolls the device to the Zscaler service. Once the device is enrolled, the device establishes a VPN tunnel to the Zscaler gateway on demand whenever the user surfs the Internet. As the browser retrieves web pages, the service scans all inbound and outbound traffic to protect devices from malware and malicious apps that can compromise the security of your data.

    Deployment Methods

    The Zscaler iOS solution offers an enforceable, intelligent on-demand IPsec VPN through which users can forward all mobile traffic (browser and apps) over cellular or Wi-Fi networks to the Zscaler service. The VPN can be used by both supervised and non-supervised iOS devices.

    Forwarding Traffic from Supervised Devices

    Forwarding Traffic from Non-Supervised Devices

    Forwarding Traffic from Supervised Devices

    Apple iOS devices support the ability to configure devices as supervised. Supervising devices is a useful option for corporate-owned devices because it provides tighter control over devices. Admins configure supervised devices over the air using the Apple Device Enrollment program or by using Apple Configurator. (For more information on supervising devices, refer to the Apple iOS documentation.)

    Supervised devices support Global HTTP Proxy, a feature that redirects all mobile traffic to a proxy server. You can leverage the Global HTTP Proxy feature to ensure that Internet connectivity over Wi-Fi or cellular networks is always redirected to the Zscaler service, when the IPsec VPN is not in use.

    You can use the following traffic forwarding mechanisms for supervised devices:

    Enforceable VPN: Zscaler recommends this solution, which combines forwarding mobile traffic through the IPsec VPN and defining the Zscaler service as the proxy server in a Global HTTP Proxy profile. If users turn off the VPN, the device automatically uses the Global HTTP Proxy profile to forward its traffic to the Zscaler service. This mechanism prevents users from circumventing the Zscaler service. Using the Global HTTP Proxy, you can be assured that all traffic to/from the iOS device is directed to the service. Note: Bypasses defined in a PAC file will not work with a VPN.

    Global HTTP Proxy + Surrogate IP: This solution combines defining the Zscaler service as the proxy server in a global HTTP proxy profile to enforce forwarding all mobile traffic to the Zscaler service and leveraging the Zscaler Surrogate IP feature to map users to device IP addresses. The service then uses this mapping to apply the appropriate group and user policies and for logging purposes. (To learn more about Surrogate IP, see What is Surrogate IP?) This is useful, for example, for schools that want to protect student devices when they are on the school Wi-Fi network.

    NOTE: The Global HTTP Proxy + Surrogate IP forwarding mechanism can only be used in Wi-Fi networks. It cannot be used in cellular networks.

    Forwarding Traffic from Non-Supervised Devices

    You can configure non-supervised devices to use the IPsec VPN to forward traffic to the Zscaler service. If your organization has an existing MDM solution, Zscaler recommends that you work with your MDM solution provider to define a profile to push SecureAgent on mobile devices for enforceability. Note: Bypasses defined in a PAC file will not work with a VPN.

    Requirements

    You will need the following:

    A Zscaler SecureAgent subscription

    An iOS device (iPhone, iPod, or iPad) that runs iOS 6.0 or higher

    In addition, configure your firewall to allow the following necessary connections:

    Used for the Apple Push Notification Service: ports 5223, 2195, 2196, and 443.

    Used to connect with the Zscaler Enforcement Node (ZEN): 8080 (outbound only)

    Web ports: 80, 443, any dedicated ports (if your organization is subscribed)

    Configuration Tasks

    Below are the tasks necessary to secure the mobile devices of current Zscaler users. It assumes that the users have been provisioned on the service, an authentication mechanism has been installed, and the policies have been configured on the admin portal.

    A. On the Zscaler App Portal, configure the app profile, and optionally, AUP and reminders.

    B. You can supervise devices and deploy a Global HTTP Proxy over the air using Apple's Device Enrollment Program or by using Apple Configurator.

    C. Install SecureAgent on a mobile device (manually or with an MDM) and register the mobile device to the Zscaler service.

    D. Enable SecureAgent to push notifications.

    E. If applicable, enable Surrogate IP for the location.

    F. If applicable, enable SSL Inspection.

    After you complete these tasks, you can view the status of devices by going to the dashboard.

    A. On the Zscaler App Portal, configure the app profile, and optionally, AUP and reminders.

    About the Zscaler App Portal

    In addition to the admin portal where you manage users and policies that control web and mobile traffic, the service also provides the Zscaler App Portal where you manage mobile devices.

    The Zscaler App Portal provides the following:

    A dashboard where you can track mobile devices and their compliance status.

    An App Profiles tab where you can define Secure Agent policies that control and secure mobile devices.

    An Administration tab where you can create a custom AUP just for mobile devices and where you can define reminders to users who may need to update their security profile.

    Configuring a SecureAgent App Profile

    The SecureAgent app profile policy controls the functions, apps, and media content that a device can access and controls how the device forwards traffic to the Zscaler service. The policy is installed as a profile on a mobile device when the Secure Agent app is installed.

    The SecureAgent policy specifies the following:

    The user group to which the policy applies

    The PAC file URL. Mobile devices use a PAC file to forward traffic to the service. The service provides a default PAC file that sends all browser traffic to port 8080 of the nearest Zscaler Enforcement Node (ZEN). Note: The PAC file is only applicable to devices using Global HTTP Proxy.

    The traffic forwarding mechanism

    Apps and content users can access

    The service provides a default policy that specifies the default PAC file hosted on the Zscaler cloud for mobile devices. This default policy applies to all groups and cannot be changed or deleted.

    To add a new policy for iOS devices:

    Go to Policy > Zscaler App Portal.

    From the Zscaler App Portal, go to the App Profiles tab.

    Click on iOS from the menu on the left and click Add iOS Policy.

    Complete the following in the General tab:

    Enter a name for the policy and optionally, a description.

    Enable the rule.

    The service automatically sets the rule order, which you can change, as necessary.

    Enter a passcode that users need to enter before they can remove the profile from their device.

    Enter the URL from which the device fetches the PAC file.

    Do the following in the Traffic Forwarding tab:

    Enable traffic forwarding.

    Choose a traffic forwarding mechanism.

    URL String Probe: Enter a URL from your internal network. If the device tries to access this URL, then the mobile device won't send the traffic through the VPN.

    SSID Match: Enter the SSID of your internal wireless local-area network (WLAN). When the device uses this SSID, then it will not send the traffic through the VPN.

    By default, users are allowed to access all available apps, functionality, and media content. To restrict access, go to the Restrictions tab, click Enable Restrictions, and select the items you want to block.

    If the Apple devices are supervised, select any additional restrictions you want to place.

    Additionally, you can restrict the content that your users can access. For example, you can allow them to view only PG-rated movies and TV shows and to install a specific number of apps.

    Click Save.

    Configuring the Acceptable Use Policy (AUP)

    You can create an Acceptable Use Policy (AUP) statement specifically for mobile devices and require users to accept it before the Zscaler service allows them to browse the Internet from their mobile devices. To configure:

    Go to Policy > Zscaler App Portal.

    From the Zscaler App Portal, go to Administration.

    Go to Zscaler App Notifications from the menu on the left.

    In the Acceptable Usage Policy (AUP) Settings tab, complete the following:

    Choose how often the service displays the AUP page. You can choose one of the predefined intervals or select Custom and enter the number of days, between 1 and 180 inclusive. The service tracks the AUP acceptance time and expiration for the user.

    Type in or paste an "Acceptable Use" statement. You can enter HTML tags as well as images, as long as the image files are accessible from the Internet. You can click Preview AUP Message to view the AUP as your users would see it.

    Click Save.

    Configuring Reminder Notifications

    You can send reminders on demand or schedule reminders to users who turn off the Zscaler VPN or who need to update their SecureAgent profile.

    To schedule reminders:

    Go to Policy > Zscaler App Portal.

    From the Zscaler App Portal, go to Administration.

    Go to Zscaler App Notifications from the menu on the left.

    In the Reminder Notification Settings tab, complete the following:

    Choose how often the service sends the reminders.

    Type in or paste text for the reminder. You can enter HTML tags as well as images, as long as the image files are accessible from the Internet.

    Click Save to exit the dialog.

    To send a reminder to a user:

    Go to Policy > Zscaler App Portal.

    From the Zscaler App Portal, go to Enrolled Devices.

    Choose Device Overview from the menu on the left.

    Point to the user and click the Device Details icon.

    Click Send Reminder.

    B. Supervise and Deploy a Global HTTP Proxy over the air

    You can supervise devices and deploy a Global HTTP Proxy over the air using Apple's Device Enrollment Program or by using Apple Configurator.

    For information about the Device Enrollment Program, go to https://www.apple.com/business/dep/

    For information about Apple Configurator, go to http://help.apple.com/configurator

    C. Install SecureAgent on a mobile device and register the mobile device to the Zscaler service.

    About SecureAgent

    The Zscaler SecureAgent app is used in conjunction with the Zscaler service to secure every aspect of your users' mobile usage. SecureAgent is required on all mobile devices that forward traffic to the Zscaler service.

    When a user installs SecureAgent on a mobile device, SecureAgent authenticates the user using your corporate authentication mechanism and does the following:

    Installs the appropriate SecureAgent profile, which includes the VPN settings and certificates. The service generates a unique per-user VPN certificate which establishes the user context.

    Registers the mobile device to the Zscaler service.

    The device then establishes a VPN tunnel to the Zscaler gateway on demand whenever the user surfs the Internet. The Zscaler service can now enforce group and user policies and provide per-user and per-department logging and reporting.

    Additionally, SecureAgent displays notifications to users when the service blocks transactions due to policy or malware that it detected. The service issues notifications to mobile devices via the Apple Push Notification Service. Zscaler SecureAgent then displays the notifications and stores them until the user clears them. These notifications inform the user about the transactions blocked from specific apps, including the reasons. You can customize the notifications that are displayed to the user on the Zscaler Admin Portal.

    Users can download and install SecureAgent from the iTunes App store. If your organization has an MDM, Zscaler recommends that you use your MDM solution provider to define a profile to push SecureAgent to mobile devices.

    Installing SecureAgent on a Device

    Zscaler SecureAgent for Apple iOS devices is available for download on the iTunes App store.

    When you download it, ensure that SecureAgent is allowed to push notifications to your iOS device.

    Registering the Device

    On the mobile device, click the installed SecureAgent app.

    When it displays the login form, enter the user's Zscaler credentials.

    SecureAgent starts the registration process.

    When SecureAgent is ready to install the profile, click Install.

    You may be required to enter the PIN code, if one was set on the device.

    When the app displays the warning, click Install.

    SecureAgent displays a page similar to the one shown below after the profile is successfully installed.

    Installing SecureAgent with an MDM

    For non-supervised devices, Zscaler recommends that you work with your MDM solution provider to push SecureAgent to mobile devices.

    Your MDM provider will need to do the following:

    Deploy a certificate for each user.

    Optionally, configure a PIN to restrict the removal of the profile.

    Configuration Example: Airwatch

    The admin must complete the following tasks:

    Create an iOS device supervision and device enrollment plan.

    For information about the Device Enrollment Program, go to https://www.apple.com/business/dep/

    For information about Apple Configurator, go to http://help.apple.com/configurator

    Configure SecureAgent profiles on the Zscaler App Portal. See Configuring a SecureAgent App Profile.

    Configure Airwatch Profiles to push the Zscaler SecureAgent app. See Configure Airwatch Profiles to Push SecureAgent.

    On the iOS device, users must do the following:

    Enroll the device to Airwatch. For information about this task, refer to the Airwatch documentation. Note that once the device is enrolled to the Airwatch MDM, Zscaler SecureAgent is installed on the device automatically.

    Register the iOS device to the Zscaler service. See Registering the Device.

    Configure Airwatch Profiles to Push SecureAgent

    This document assumes that the Airwatch MDM is already deployed and user/group configuration and other related configurations required to enroll the device to the MDM are already completed. Please contact Airwatch Support for the deployment instructions.

    This section provides guidelines on how to push the SecureAgent app using the Airwatch MDM. For additional information on the steps and questions related to Airwatch MDM, please contact Airwatch Support.

    Configure an 'Apps & Books' profile for the 'Zscaler SecureAgent' iOS app so that it is installed on the user's device when the user enrolls with the Airwatch MDM. Note that under certain conditions SecureAgent cannot be installed silently and requires user approval; contact Airwatch Support for the exact steps. Please note the following:

    Zscaler SecureAgent for iOS devices is available on the iTunes AppStore. The Airwatch profile can be configured to install the app using the AppStore Link, as shown below.

    On supervised devices, the app is installed silently.

    For non-supervised devices, please contact Airwatch Support for instructions on how to install the app silently.

    D. Enable SecureAgent to push notifications to users.

    The Zscaler service can push notifications to users when it blocks or restricts mobile apps from accessing certain sites, files, or Internet applications. For example, the Zscaler service will send a notification when an app tries to access a site that has certain vulnerabilities or when an app is blocked because it is known to leak information to third parties. The Zscaler service can send notifications when it blocks or restricts known apps as well as those that it cannot identify. After the initial notification, you can suppress subsequent notifications for a selected number of minutes, to avoid users receiving multiple successive notifications from a single app. You can specify the number of minutes per app and per user.

    To configure notifications for the SecureAgent app:

    From the admin portal, go to Administration > Resources > SecureAgent Notifications.

    Complete the following:

    Enable Send Push Notifications.

    You can enable the service to suppress the notification for a certain time period, so that the user sees notifications only at the specified interval and not after every blocked transaction.

    Enable Send Notifications for Unknown Apps to allow the service to send notifications when it blocks or restricts access to apps that it cannot identify.

    Enter the text for the Notification Message (up to 128 bytes).

    Click Save and activate the change.

    E. If applicable, enable Surrogate IP for the location.

    If you are using the Global HTTP Proxy + Surrogate IP traffic forwarding mechanism, go to the Admin Portal and enable Surrogate IP for the location.

    F. If applicable, enable SSL Inspection.

    You can enable SSL inspection to allow the Zscaler service to decrypt and inspect HTTPS traffic to and from the browser on a mobile device, and to and from the destination server. SecureAgent installs the Zscaler intermediate certificate by default. If you would like to use an intermediate certificate signed by your own CA, install that certificate on the mobile devices. For more information on SSL inspection, see How do I deploy SSL inspection?

    Enabling SSL Inspection

    To enable SSL inspection for mobile devices:

    From the admin portal, go to Policy > SSL Inspection.

    In the Policy for Mobile Traffic section, select Enable SSL Scanning for Mobile Traffic.

    Click Save and activate the change.

    Exempting URLs from SSL Inspection

    To exempt specific URLs from SSL inspection, add them to the Bypassed URLs list. The service does not decrypt transactions to sites in this list. The following instructions describe how to create a custom category for the URLs and how to add the custom category to the Bypassed URLs list. If you already have a custom category for bypassed URLs, edit the category and add the URLs.

    To create a custom URL category:

    From the admin portal, go to Administration > URL Categories.

    Click Add and do the following:

    Enter a name for the category.

    Add the following to the Custom URLs field:

    itunes.apple.com

    .mzstatic.com

    gs.apple.com

    albert.apple.com

    phobos.apple.com

    securemetrics.apple.com

    .phobos.apple.com

    mzstatic.com

    deimos.apple.com

    .deimos.apple.com

    .albert.apple.com

    .gs.apple.com

    ax.itunes.com

    .ax.itunes.com

    .securemetrics.apple.com

    .itunes.apple.com

    Click Save and activate the change.

    To add the custom category to the Bypassed URL Categories list:

    From the admin portal, go to Policy > SSL Inspection.

    From Bypassed URL Categories, choose the URL category that contains the URLs that are exempted from decryption.

    Click Save and activate the change.

    About the Dashboard

    The Dashboard provides information about the mobile devices that have SecureAgent in your corporate network. The Dashboard provides multiple views so you can monitor the status of the mobile devices and take action when you see unregistered devices or devices with outdated profiles.

    To learn more about the Dashboard, see About the Zscaler App Portal.

    Removing a Profile

    You can remove a profile from a device if, for example, an employee leaves the company. To remove a profile:

    In the Zscaler App Portal, go to the Enrolled Devices tab.

    Choose Device Overview from the menu on the left.

    Point to the user and click the Device Details icon.

    Click Remove.

  • This example illustrates how to configure a GRE tunnel between a Cisco 881 ISR and ZENs in the Zscaler service. As shown in the figure, two GRE tunnels are configured between the gateway WAN port, fa4, which has a static public IP address, 192.0.2.2, and two ZENs in two different data centers (216.66.5.49 and 199.168.149.179).

    Zscaler has assigned the following IP addresses for the GRE tunnels:

    Tunnel Source IP: 192.0.2.2

    Internal Range: 172.18.58.120 - 172.18.58.127

    Primary Destination: 216.66.5.49

    Internal Router IP: 172.18.58.121/30

    Internal ZEN IP: 172.18.58.122/30

    Secondary Destination: 199.168.149.179

    Internal Router IP: 172.18.58.125/30

    Internal ZEN IP: 172.18.58.126/30

    The router receives ingress traffic on ports fa0, fa1, fa2 and fa3 and forwards Internet traffic to the WAN gateway port, fa4, which uses the GRE tunnel interfaces tunnel 2700 and tunnel 2800 to send the Internet traffic through the GRE tunnel to the Zscaler service. The router performs NAT on the other traffic that it sends directly to the Internet.

    Following are the steps and commands that were used to configure the GRE tunnels in this example, from a Cisco 881 ISR router running IOS version 15.1 to ZENs in different data centers. Refer to the Cisco documentation for information about the commands.

    The sample configuration shows how to configure the following on two tunnel interfaces (tunnel 2700 and tunnel 2800) on the gateway WAN port FastEthernet4 (fa4). Note that the tunnel names are arbitrary; you can use different tunnel names in your configuration.

    Tunnel 2700 with IP address 172.18.58.121 and destination address 216.66.5.49

    Tunnel 2800 with IP address 172.18.58.125 and destination address 199.168.149.179

    Set the maximum segment size (MSS) to an appropriate value, depending on your network. In this example, the MSS value is set to 1300.

    NAT is not configured on the tunnel interfaces, so the Zscaler service can log internal IP addresses and you can configure sub-locations.

    interface Tunnel2700

    ip address 172.18.58.121 255.255.255.252

    ip virtual-reassembly

    ip tcp adjust-mss 1300

    tunnel source FastEthernet4

    tunnel destination 216.66.5.49

    end

    interface Tunnel2800

    ip address 172.18.58.125 255.255.255.252

    ip virtual-reassembly

    ip tcp adjust-mss 1300

    tunnel source FastEthernet4

    tunnel destination 199.168.149.179

    end
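    As an added example (not from the article or from Zscaler), the following Python derives the two tunnel /30s from the Zscaler-assigned internal range, checks an MSS value against the GRE transport MTU that show int tunnel reports (1476 bytes for a 1500-byte WAN MTU), and renders the stanzas above. GRE_IP_OVERHEAD and TCP_IP_HEADERS are standard header sizes; the function and class names are my own.

```python
# Added example (not from the article or from Zscaler): derive the GRE tunnel
# addressing from the Zscaler-assigned values and check the MSS against the
# GRE transport MTU. Function names are my own.
import ipaddress
from dataclasses import dataclass

GRE_IP_OVERHEAD = 24   # 20-byte outer IPv4 header + 4-byte GRE header (no key, sequence or checksum)
TCP_IP_HEADERS = 40    # 20-byte inner IPv4 header + 20-byte TCP header, no options


@dataclass
class TunnelPlan:
    name: str          # tunnel interface name; arbitrary, as the article notes
    router_ip: str     # router end of the /30
    zen_ip: str        # ZEN end of the /30 (the address to ping and to probe with IP SLA)
    destination: str   # public ZEN address used as the tunnel destination
    netmask: str = "255.255.255.252"


def plan_tunnels(internal_range, destinations, names=("Tunnel2700", "Tunnel2800")):
    """Split the assigned internal range ('first - last') into /30s, one per ZEN.

    The first usable address of each /30 is the router's and the second is the
    ZEN's, matching the allocation in the article (.121/.122 and .125/.126)."""
    first, last = (ipaddress.ip_address(p.strip()) for p in internal_range.split("-"))
    nets = list(ipaddress.summarize_address_range(first, last))
    if len(nets) != 1:
        raise ValueError(f"range {internal_range} is not a single CIDR block")
    subnets = list(nets[0].subnets(new_prefix=30))
    if len(subnets) < len(destinations):
        raise ValueError(f"{nets[0]} holds only {len(subnets)} /30s for {len(destinations)} ZENs")
    plans = []
    for name, dest, net in zip(names, destinations, subnets):
        router, zen = list(net.hosts())[:2]   # a /30 has exactly two usable hosts
        plans.append(TunnelPlan(name, str(router), str(zen), dest))
    return plans


def max_tcp_mss(wan_mtu=1500):
    """Largest TCP MSS that fits in one GRE packet on the WAN link.

    With a 1500-byte WAN MTU the tunnel transport MTU is 1500 - 24 = 1476 (the
    value 'show int tunnel' reports) and the MSS limit is 1476 - 40 = 1436."""
    return wan_mtu - GRE_IP_OVERHEAD - TCP_IP_HEADERS


def mss_fits(mss, wan_mtu=1500):
    """True when 'ip tcp adjust-mss <mss>' cannot cause GRE fragmentation on this WAN MTU."""
    return 0 < mss <= max_tcp_mss(wan_mtu)


def render_interface(plan, mss, wan_interface="FastEthernet4", wan_mtu=1500):
    """Render the Tunnel stanza in the form the article uses, refusing an unsafe MSS."""
    if not mss_fits(mss, wan_mtu):
        raise ValueError(f"MSS {mss} exceeds the {max_tcp_mss(wan_mtu)}-byte limit for MTU {wan_mtu}")
    return "\n".join([
        f"interface {plan.name}",
        f" ip address {plan.router_ip} {plan.netmask}",
        " ip virtual-reassembly",
        f" ip tcp adjust-mss {mss}",
        f" tunnel source {wan_interface}",
        f" tunnel destination {plan.destination}",
        "end",
    ])


if __name__ == "__main__":
    # Values from the article's example (the Zscaler-assigned addresses).
    plans = plan_tunnels("172.18.58.120 - 172.18.58.127", ["216.66.5.49", "199.168.149.179"])
    for p in plans:
        print(render_interface(p, 1300))
        print(f"! ping {p.zen_ip} to verify {p.name}\n")
```

    Note that 1452, the value the Vlan2 interface uses in the full configuration below, is above the 1436-byte limit; SYNs that leave through the tunnel interfaces are clamped again to 1300 there, so only traffic sent directly to the Internet keeps the larger MSS.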

    In Cisco IOS routers, policy-based routing (PBR) is implemented using route maps.

    Note that Cisco routers forward PBR traffic in software instead of hardware, which may lead to CPU spikes. You can use 'ip route' instead of PBR to decrease CPU usage.

    The following sample configuration creates an access list that specifies the outbound traffic and defines the route map that sends that traffic over Tunnel 2700 first, then Tunnel 2800:

    Sample Configuration

    access-list 101 permit tcp any any eq www

    access-list 101 permit tcp any any eq 443

    access-list 101 permit tcp any any eq 23

    access-list 101 permit tcp any any eq 22

    access-list 101 permit udp any any eq 53

    access-list 101 permit tcp any any eq 8800

    route-map zscaler-tunnel permit 10

    match ip address 101

    set interface Tunnel2700 Tunnel2800

    Note that you can exclude traffic from specific sources from being redirected to the GRE tunnel. The following example excludes traffic from a host (192.168.1.1) from being redirected to the tunnel:

    access-list 101 deny ip any host 192.168.1.1

    access-list 101 permit tcp any any eq www

    access-list 101 permit tcp any any eq 443

    In this example, we assume that the ingress traffic is received by the router on ports fa0 to fa3 in VLAN 2. The IP addresses on these ports are assigned by DHCP and their traffic is forwarded to the GRE tunnels 2700 and 2800. NAT is performed on the remaining traffic.

    interface FastEthernet0

    switchport access vlan 2

    !

    interface FastEthernet1

    switchport access vlan 2

    !

    interface FastEthernet2

    switchport access vlan 2

    !

    interface FastEthernet3

    switchport access vlan 2

    !

    interface FastEthernet4

    description $ES_WAN$

    ip address dhcp client-id FastEthernet4 hostname 10.35.3.41

    ip access-group 80 in

    ip access-group 80 out

    ip nat outside

    ip virtual-reassembly in

    duplex auto

    speed auto

    !

    interface Vlan1

    description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$

    no ip address

    ip access-group 100 in

    ip access-group 100 out

    ip tcp adjust-mss 1452

    !

    interface Vlan2

    ip address 10.65.199.129 255.255.255.128

    ip nat inside

    ip virtual-reassembly

    ip tcp adjust-mss 1452

    ip policy route-map zscaler-tunnel

    ! !

    ip forward-protocol nd

    ip http server

    ip http access-class 23

    ip http authentication local

    ip http secure-server

    ip http timeout-policy idle 60 life 86400 requests 10000

    ! !

    ip nat inside source list NAT interface FastEthernet4 overload

    ip route 0.0.0.0 0.0.0.0 10.96.13.254

    !

    ip access-list extended NAT

    permit ip 10.65.199.0 0.0.0.255 any

    deny ip any any

    !

    !

    logging esm config

    access-list 23 permit 10.10.10.0 0.0.0.7

    access-list 23 permit 30.30.30.0 0.0.0.7

    access-list 23 permit 10.65.199.0 0.0.0.255

    access-list 80 permit any

    access-list 100 permit ip any any

    access-list 101 permit tcp any any eq www

    access-list 101 permit tcp any any eq 443

    access-list 101 permit tcp any any eq 23

    access-list 101 permit tcp any any eq 22

    access-list 101 permit udp any any eq 53

    access-list 101 permit tcp any any eq 8800

    access-list 120 permit ip any any

    access-list 180 permit ip 10.0.0.0 0.255.255.255 any

    no cdp run

    route-map zscaler-tunnel permit 10

    match ip address 101

    set interface Tunnel2700 Tunnel2800

    !

    Enable IP SLAs to monitor the tunnels. You can set a threshold for HTTP page load times so that traffic can switch from the primary to the secondary tunnel when the threshold is exceeded. Zscaler recommends that you use the ZEN IP address as the address that is monitored, to ensure that the address is reachable and routable through the tunnel. The SLAs in this example are numbered 1 and 2, which may conflict with existing SLAs that use the same numbers; if so, change the numbers to avoid conflicts. Additionally, Zscaler recommends that you probe the URL gateway.zscaler_cloud.net/vpntest, substituting your Zscaler cloud name. In the example below the cloud name is zscalertwo.net, so the URL is gateway.zscalertwo.net/vpntest. For information on how to determine your Zscaler cloud name, see What is my cloud name?

    ip sla 1

    http raw http://172.18.58.122

    timeout 300

    threshold 300

    http-raw-request

    GET http://gateway.zscalertwo.net/vpntest HTTP/1.0\r\n

    User-Agent: Cisco IP SLA\r\n

    end\r\n

    \r\n

    \r\n

    \r\n

    exit

    ip sla reaction-configuration 1 react rtt threshold-value 300 1 threshold-type consecutive 3

    ip sla schedule 1 life forever start-time now

    ip sla 2

    http raw http://172.18.58.126

    timeout 300

    threshold 300

    http-raw-request

    GET http://gateway.zscalertwo.net/vpntest HTTP/1.0\r\n

    User-Agent: Cisco IP SLA\r\n

    end\r\n

    \r\n

    \r\n

    \r\n

    exit

    ip sla reaction-configuration 2 react rtt threshold-value 300 1 threshold-type consecutive 3

    ip sla schedule 2 life forever start-time now

    Troubleshooting the Configuration

    Following are some sample commands that you can use to monitor and troubleshoot the GRE tunnel.

    Ping the Zscaler internal tunnel IP address to validate that the tunnel is up and routing is correct.

    ping 172.18.58.122

    Type escape sequence to abort.

    Sending 5, 100-byte ICMP Echos to 172.18.58.122, timeout is 2 seconds:

    !!!!!

    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

    ping 172.18.58.126

    Type escape sequence to abort.

    Sending 5, 100-byte ICMP Echos to 172.18.58.126, timeout is 2 seconds:

    !!!!!

    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

    Ensure that the tunnel interface and line protocol are up using the show int tunnel command, as shown below:

    show int tun 2800

    Tunnel2800 is up, line protocol is up

    Hardware is Tunnel

    Internet address is 172.18.58.125/30

    MTU 17916 bytes, BW 100 Kbit/sec, DLY 50000 usec,

    reliability 255/255, txload 1/255, rxload 1/255

    Encapsulation TUNNEL, loopback not set

    Keepalive set (5 sec), retries 3

    Tunnel source 192.0.2.2 (FastEthernet4), destination 199.168.149.179

    Tunnel Subblocks:

    src-track:

    Tunnel2800 source tracking subblock associated with FastEthernet4

    Set of tunnels with source FastEthernet4, 19 members (includes iterators), on interface <OK>

    Tunnel protocol/transport GRE/IP

    Key disabled, sequencing disabled

    Checksumming of packets disabled

    Tunnel TTL 255, Fast tunneling enabled

    Tunnel transport MTU 1476 bytes

    Tunnel transmit bandwidth 8000 (kbps)

    Tunnel receive bandwidth 8000 (kbps)

    Last input never, output 00:00:02, output hang never

    Last clearing of "show interface" counters never

    Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 1

    Queueing strategy: fifo

    Output queue: 0/0 (size/max)

    5 minute input rate 0 bits/sec, 0 packets/sec

    5 minute output rate 0 bits/sec, 0 packets/sec

    5450 packets input, 3690507 bytes, 0 no buffer

    Received 0 broadcasts (0 IP multicasts)

    0 runts, 0 giants, 0 throttles

    0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

    588861 packets output, 29175729 bytes, 0 underruns

    0 output errors, 0 collisions, 0 interface resets

    0 output buffer failures, 0 output buffers swapped out

    View the track status.

    VPN-test#show track

    Track 1

    IP SLA 1 reachability

    Reachability is Down

    3 changes, last change 00:16:23

    Latest operation return code: Timeout

    Track 2

    IP SLA 2 reachability

    Reachability is Up

    2 changes, last change 01:01:27

    Latest operation return code: OK

    Latest RTT (millisecs) 1

    View the SLA statistics.

    VPN-test#show ip sla statistics

    IPSLAs Latest Operation Statistics

    IPSLA operation id: 1

    Latest RTT: NoConnection/Busy/Timeout

    Latest operation start time: *02:29:07.511 UTC Sat May 19 2012

    Latest operation return code: Timeout

    Number of successes: 0

    Number of failures: 2

    Operation time to live: Forever

    IPSLA operation id: 2

    Latest RTT: 1 milliseconds

    Latest operation start time: *02:29:10.719 UTC Sat May 19 2012

    Latest operation return code: OK

    Number of successes: 2

    Number of failures: 0

    Operation time to live: Forever

    Ensure that the router applies the route-map to the appropriate traffic:

    show route-map zscaler-tunnel

    route-map zscaler-tunnel, permit, sequence 10

    Match clauses:

    ip address (access-lists): 101

    Set clauses:

    interface Tunnel2700 Tunnel2800

    Policy routing matches: 76258 packets, 17131024 bytes
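    As an added example (not from the article or from Zscaler), the following Python parses the show track and show ip sla statistics output shown above and classifies the tunnel pair as healthy, failed over, or down, which is the check a monitoring job would run against this configuration. The sample text is the article's own output, embedded as a constant; the function names are my own.

```python
# Added example (not from the article or from Zscaler): parse 'show track' and
# 'show ip sla statistics' and classify tunnel health. Function names are my own.
import re

# Sample 'show track' output copied from the article.
SHOW_TRACK = """\
Track 1
  IP SLA 1 reachability
  Reachability is Down
    3 changes, last change 00:16:23
  Latest operation return code: Timeout
Track 2
  IP SLA 2 reachability
  Reachability is Up
    2 changes, last change 01:01:27
  Latest operation return code: OK
  Latest RTT (millisecs) 1
"""

# Sample 'show ip sla statistics' output copied from the article (trimmed).
SHOW_SLA_STATS = """\
IPSLAs Latest Operation Statistics

IPSLA operation id: 1
        Latest RTT: NoConnection/Busy/Timeout
Latest operation return code: Timeout
Number of successes: 0
Number of failures: 2

IPSLA operation id: 2
        Latest RTT: 1 milliseconds
Latest operation return code: OK
Number of successes: 2
Number of failures: 0
"""


def _parse_blocks(text, header_re, fields):
    """Generic block parser: header_re opens a numbered block, fields fill it."""
    blocks, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = header_re.match(line)
        if m:
            current = int(m.group(1))
            blocks[current] = {}
            continue
        if current is None:
            continue
        for key, pattern, cast in fields:
            m = pattern.match(line)
            if m:
                blocks[current][key] = cast(m.group(1))
    return blocks


def parse_show_track(text):
    return _parse_blocks(text, re.compile(r"Track (\d+)$"), [
        ("sla", re.compile(r"IP SLA (\d+) reachability"), int),
        ("reachability", re.compile(r"Reachability is (\w+)"), str),
        ("return_code", re.compile(r"Latest operation return code: (\w+)"), str),
        ("rtt_ms", re.compile(r"Latest RTT \(millisecs\) (\d+)"), int),
    ])


def parse_sla_statistics(text):
    return _parse_blocks(text, re.compile(r"IPSLA operation id: (\d+)"), [
        ("return_code", re.compile(r"Latest operation return code: (\w+)"), str),
        ("successes", re.compile(r"Number of successes: (\d+)"), int),
        ("failures", re.compile(r"Number of failures: (\d+)"), int),
    ])


def tunnel_state(tracks, stats=None, primary_track=1, secondary_track=2):
    """Return (state, detail); state is 'ok', 'failover', 'outage' or 'unknown'."""
    def up(n):
        return tracks.get(n, {}).get("reachability") == "Up"
    if primary_track not in tracks or secondary_track not in tracks:
        return "unknown", "one or both track objects are missing from 'show track'"
    if up(primary_track):
        return "ok", f"primary probe up, RTT {tracks[primary_track].get('rtt_ms', '?')} ms"
    if up(secondary_track):
        code = tracks[primary_track].get("return_code", "?")
        sla = tracks[primary_track].get("sla", primary_track)
        fails = (stats or {}).get(sla, {}).get("failures", "?")
        return "failover", (f"primary probe {code} ({fails} failures); secondary probe healthy, "
                            "expect traffic on the secondary tunnel")
    return "outage", "both tunnel probes are down; neither tunnel reaches its ZEN"


if __name__ == "__main__":
    state, detail = tunnel_state(parse_show_track(SHOW_TRACK), parse_sla_statistics(SHOW_SLA_STATS))
    print(state, "-", detail)
```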

  • The Zscaler Private Access (ZPA) service enables organizations to provide access to internal applications and services while ensuring the security of their networks. ZPA is an easier to deploy, more cost-effective, and more secure alternative to VPNs. Unlike VPNs, which require users to connect to your network to access your enterprise applications, ZPA allows you to give users policy-based secure access only to the internal apps they need to get their work done. With ZPA, application access does not require network access.

    To learn more about ZPA and to request a demo, go to Zscaler Private Access.

  • Zscaler supports only VZEN clusters for production environments, though you can configure a standalone VZEN for testing purposes.

    Following are the steps to configure a VZEN cluster:

    Ensure that you have all the requirements.

    On the Zscaler admin portal, add the VZENs and VZEN cluster, and download the VZEN VMs and certificates.

    On the vSphere client, configure and start the VZEN VM.

    After you configure a VZEN cluster, you can then forward your Internet traffic to it using one of the mechanisms described in Forwarding Traffic to a VZEN Cluster. For information about monitoring the VZEN cluster, see Monitoring VZEN Clusters.

    To learn about additional deployment features, such as configuring a virtual service interface, see VZEN Advanced Deployment.

    Requirements

    A VZEN cluster must contain at least two VZENs, up to a maximum of 20 VZEN instances. You will need a subscription for each VZEN in a cluster. Additionally, ensure that all VZENs in a cluster have the same subscription type.

    VZENs require only outbound connections to the Zscaler cloud. Configure your firewall to allow the necessary outbound connections. To view the firewall requirements, log in to the Zscaler admin portal and from the Help menu, click Cloud Configuration Requirements and go to the Virtual ZEN Requirements page. See image.

    Optionally, if you want to enhance the performance of VZEN-MEDIUM or VZEN-LARGE when decrypting SSL traffic, you can install a Cavium NITROX SSL card (NITROX CNN3510-500-C5-NHB-2.0-G is the supported card). Note that Zscaler does not sell this card. Visit http://www.cavium.com/sales.html to purchase the card.

    Virtual Machine specs for a VZEN cluster:

    Hypervisor: VMware ESX/ESXi v5.0 and above

    Promiscuous Mode must be enabled

    CPUs: 4 CPUs assigned as follows:

    1 for the Load Balancer

    3 for the VZEN

    RAM: 32 GB for production (16 GB RAM for testing)

    Disk: 500 GB (thin provisioned)

    Zscaler recommends SSDs

    Network Interfaces: 3 interfaces as follows:

    1 for Management

    1 for the VZEN

    1 for the load balancer

    The IP addresses listed in the following table:

    VZEN IP Addresses (IP Address: Purpose / Requirements)

    Management
    Purpose: This is used to make an SSH connection to the VZEN VM for management. It is also used to download VZEN builds from the Zscaler cloud.

    Proxy
    Purpose: This is used for the following:
    Outbound data connection (proxied traffic)
    Outbound control connection to the Zscaler cloud
    Health monitoring by the load balancer
    In a VZEN standalone, it is used to listen for user traffic
    Requirements: It must be in the same subnet as the load balancer and cluster IP addresses.

    Load Balancer
    Purpose: This is used to make an outbound control connection to the Zscaler cloud.
    Requirements: It must be in the same subnet as the proxy and cluster IP addresses. It is not required for a VZEN standalone.

    Cluster
    Purpose: In a VZEN cluster, it provides fault tolerance and is used to listen for user traffic.
    Requirements: It must be in the same subnet as the proxy and load balancer IP addresses. It is not required for a VZEN standalone.


    Configure VZENs on the Admin Portal

    If you are configuring a VZEN cluster, you must create at least two VZEN instances and download their respective certificates.

    Add VZEN instances.

    Download the VZEN certificates.

    Download the VZEN VM.

    Create the VZEN cluster.

    Bind the VZEN cluster to a location.

    Add VZENs

    To add a VZEN instance:

    Go to Administration > Virtual ZENs.

    Click Add and do the following in the Add Virtual ZEN dialog box:

    Enter the VZEN Name.

    In Virtual ZEN Type, select a VZEN subscription type, based on the amount of traffic that the VZEN will process. Note that the VZENs in a cluster must all be the same type. Zscaler shows the total and available subscriptions of each VZEN type.

    The default Status is Enabled.

    In the Proxy IP Address field, enter the IP address to which you'll forward traffic. Enter the corresponding Subnet Mask.

    Enter the IP address of the Default Gateway to the Internet.

    The default deployment mode is Cluster, which is the only mode that Zscaler supports in production environments. If you are adding a VZEN for testing purposes, select Standalone.

    If the deployment mode is Cluster, enter the load balancer IP address.

    Click Save to close the dialog.

    Add at least one more VZEN instance if you are deploying a cluster.

    Activate the changes.

    Download the VZEN Certificates

    Download the certificate of each VZEN instance that you created. This certificate is used to authenticate each instance to the Zscaler cloud. You will upload the certificate to the vSphere client.

    Go to Administration > Virtual ZENs.

    Click Download in the SSL Certificate column of the VZEN that you added, and then save the certificate.

    If you are downloading multiple certificates, you might want to change the certificate name so you can differentiate between them. For example, if the VZEN instances in a cluster are called VZEN1 and VZEN2, you can rename the certificate zip files to VZEN1.zip and VZEN2.zip.

    Download VZEN VM

    Download a VZEN VM for each VZEN in a cluster.

    Go to Administration > Virtual ZENs.

    Click Download Virtual ZEN VM. The dialog box displays the technical specifications of the VM.

    Click Download Virtual ZEN VM.

    Create a VZEN Cluster

    A VZEN cluster must contain at least two VZEN instances.

    To create a VZEN cluster:

    Go to Administration > Virtual ZENs.

    From the Virtual ZEN Clusters tab, click Add.

    Enter a Name for the cluster.

    Choose the VZENs you want to include in the cluster.

    Enter the Cluster IP Address, Subnet Mask and Default Gateway IP address.

    Ensure that the VZEN cluster, proxy, load balancer and gateway IP addresses are in the same subnet.
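    As an added example (not from the article or from Zscaler), the following Python checks a planned cluster against the requirements stated above before anything is entered in the admin portal: two to 20 members, a single subscription type, Cluster mode, and cluster, proxy, load balancer and default gateway addresses in one subnet with no duplicates. The addresses are constructed, and the class and function names are my own.

```python
# Added example (not from the article or from Zscaler): validate a planned VZEN
# cluster against the stated requirements. Addresses are constructed; names are my own.
import ipaddress
from dataclasses import dataclass, field

MIN_VZENS, MAX_VZENS = 2, 20   # cluster size limits from the Requirements section


@dataclass
class Vzen:
    name: str
    vzen_type: str      # subscription type chosen in 'Virtual ZEN Type', e.g. VZEN-MEDIUM
    proxy_ip: str       # 'Proxy IP Address' from the Add Virtual ZEN dialog
    mode: str = "Cluster"


@dataclass
class ClusterPlan:
    name: str
    cluster_ip: str
    subnet_mask: str
    default_gateway: str
    load_balancer_ip: str
    members: list = field(default_factory=list)


def validate_cluster(plan):
    """Return a list of problems; an empty list means the plan meets the stated requirements."""
    problems = []
    n = len(plan.members)
    if n < MIN_VZENS:
        problems.append(f"cluster has {n} VZEN(s); at least {MIN_VZENS} are required")
    if n > MAX_VZENS:
        problems.append(f"cluster has {n} VZENs; the maximum is {MAX_VZENS}")
    types = sorted({m.vzen_type for m in plan.members})
    if len(types) > 1:
        problems.append(f"mixed subscription types {types}; all VZENs in a cluster must be the same type")
    for m in plan.members:
        if m.mode != "Cluster":
            problems.append(f"{m.name} is in {m.mode} mode; only Cluster is supported in production")

    # Every address must sit in the subnet defined by the cluster IP and mask,
    # and must not be the network or broadcast address of that subnet.
    subnet = ipaddress.ip_network(f"{plan.cluster_ip}/{plan.subnet_mask}", strict=False)
    labelled = [("cluster", plan.cluster_ip), ("load balancer", plan.load_balancer_ip),
                ("default gateway", plan.default_gateway)]
    labelled += [(f"{m.name} proxy", m.proxy_ip) for m in plan.members]
    seen = {}
    for label, ip in labelled:
        addr = ipaddress.ip_address(ip)
        if addr not in subnet:
            problems.append(f"{label} IP {ip} is outside {subnet}")
        elif addr in (subnet.network_address, subnet.broadcast_address):
            problems.append(f"{label} IP {ip} is the network or broadcast address of {subnet}")
        if ip in seen:
            problems.append(f"{label} IP {ip} duplicates the {seen[ip]} IP")
        seen.setdefault(ip, label)
    return problems


def example_plan():
    """Constructed two-member plan that satisfies every stated requirement."""
    return ClusterPlan(
        name="vzen-cluster-1", cluster_ip="10.84.1.21", subnet_mask="255.255.255.0",
        default_gateway="10.84.1.1", load_balancer_ip="10.84.1.20",
        members=[Vzen("VZEN1", "VZEN-MEDIUM", "10.84.1.11"),
                 Vzen("VZEN2", "VZEN-MEDIUM", "10.84.1.12")],
    )


if __name__ == "__main__":
    for problem in validate_cluster(example_plan()) or ["plan is valid"]:
        print(problem)
```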

    Bind the VZEN cluster

    Add a location and bind the VZEN cluster (or standalone VZEN) to it, so your organization can enable features, such as authentication, firewall, SSL inspection and location-level policies. The service associates the traffic that it receives on the VZEN with its location and applies the features and policies configured for the location.

    To bind a VZEN or a VZEN cluster to a location:

    Go to Administration > Resources > Locations.

    Add a location or edit an existing location.

    Do one of the following to link the location to a VZEN or cluster:

    If you are binding the location to a VZEN standalone, choose it from the Virtual ZENs list.

    If you are binding the location to a VZEN cluster, choose the cluster from the Virtual ZEN Clusters list.

    Enable any additional features for the location.

    Click Save to exit the dialog and activate the change.

    Configure the VZEN VM

    If you are deploying a VZEN cluster, you must configure each VZEN instance as a VM on the ESX/ESXi server.

    To configure the VZEN on the ESX/ESXi server, log in to the vSphere client and do the following:

    Import the VZEN VM

    Go to File > Deploy OVF Template and use the Deploy OVF Template wizard to deploy the VZEN VM. Accept all defaults.

    Ensure that you enable promiscuous mode on the portgroup of the VZEN. See image.

    Configure the network:

    Select the VZEN VM and click either the Power On button or Power On the virtual machine.

    On the Console tab, log in at the FreeBSD command prompt with the following credentials:

    Username: zsroot
    Password: zsroot

    Note the following:

    Zscaler strongly recommends that you change this default password by running the command passwd.

    Direct root login is not permitted. Administrators must use the utility sudo to run a command with higher privileges.

    Configure the network by entering sudo vzen configure-network and specify the following:

    Address of the DNS server that will be used for name resolution of Zscaler cloud domains and also for domain names in the proxy traffic. For example: 10.84.0.100

    Management interface IP with CIDR netmask. You will use the management IP address for SSH or FTP. For example: 10.84.0.110/24

    Default gateway IP address. For example: 10.84.0.200

    Hostname of the VZEN

    Install the SSL certificates of the VZEN instances in the cluster. These are the certificates that you downloaded from the Zscaler admin portal. A VZEN uses this certificate to authenticate itself to the Zscaler service. When you configure a cluster VZEN, ensure that you upload the correct certificate for each VZEN instance.

    Navigate to the SSL certificate that you saved.

    Use SCP or SFTP to upload it to the management IP address of the VZEN.

    On the vSphere client, click the Console tab, and log in with the following credentials:

    Username: zsroot
    Password: zsroot

    Go to the Console tab or use SSH to connect to the management IP address.

    Run the command sudo vzen install-cert <cert-bundle.zip>

    Specify the path to the uploaded certificate bundle.

    If you installed the Cavium NITROX card in your server, do the following:

    On the vSphere client, click the Configuration tab.

    Click Edit... In the Mark devices for passthrough window, select the Cavium NITROX card. See image.

    Select the VZEN. Ensure that the VZEN is powered off. Then click Edit virtual machine settings. In the Virtual Machine Properties window, click Add... See image.

    Select PCI Device, then click Next. See image.

    Select the Cavium NITROX card from the dropdown menu, then click Next. See image.

    Click Finish to add the Cavium NITROX card. See image.

    Click OK to finish the setup. See image.

    Run the following command to configure the card: sudo vzen install-nitrox

    Optionally configure SNMP parameters if you would like to use an SNMP management system to monitor the VZEN cluster. Note that VZENs support SNMPv3 only.

    Run the command sudo vzen snmp-admin-configure

    Enter a user name for the SNMPv3 management system that will send queries to the VZEN. The VZEN will accept queries from this user name only.

    Enter a password that the VZEN will use to authenticate the SNMP management system.

    Specify which authentication protocol the VZEN will use to authenticate the SNMP user. Enter either MD5 or SHA1.

    Specify the encryption (privacy) protocol the VZEN will use for the SNMP user's traffic. Enter either DES or AES.

    Run the command sudo vzen snmp-trap-configure

    When asked which traps you want to configure, specify v3 traps.

    Enter the IP address of the SNMP trap management system to which the VZEN will send traps.

    Enter a user name for the SNMP management system.

    Enter a password that the VZEN will use to authenticate the SNMP management system.

    Specify which authentication protocol the VZEN will use to authenticate the SNMP user. Enter either MD5 or SHA1.

    Specify the encryption (privacy) protocol the VZEN will use for the SNMP user's traffic. Enter either DES or AES.

    Download the VZEN build and start the VZEN.

    On the vSphere client, click the Console tab or use SSH to connect to the management IP address.

    Run the following command to download the VZEN build: sudo vzen download-build

    The initial build is around 1 GB, so it may take a while depending on your Internet connection. The downloaded build is automatically installed. The VZEN automatically starts after the installation is complete.

    Verify the configuration.

    On the vSphere client, click the Console tab or use SSH to connect to the management IP address.

    Run sudo vzen status

    The output should show that the VZEN service and load balancer are running. See image.

    Run sudo vzen troubleshoot connection | grep 9422

    The output should show an established connection.

    [Images referenced above: promiscuous mode; NITROX card, steps 1 to 6; sudo vzen status]

  • About Fail-Open Settings

    There may be situations, such as the following, in which the Zscaler App must automatically disable its web security service and allow users to bypass the app and access the web directly:

    Your users may try to access the web from an airport or a café where a captive portal configured on the network requires users to pay or accept an acceptable use policy before connecting. You can configure your App Fail-Open settings so that when the Zscaler App detects a captive portal, it automatically disables its services for a specified period of time, allowing users to first complete the steps necessary to access the network.

    The Zscaler App may run into issues reaching Zscaler Enforcement Nodes (ZENs). If so, you can choose to allow users to bypass the app and access the web directly, or if you prefer, disable users' access to the Internet altogether.

    The Zscaler App may run into issues properly setting up its Z-tunnel (the lightweight tunnel it uses to forward traffic to ZENs). If so, you can choose to allow users to bypass the app and access the web directly, or if you prefer, disable users' access to the Internet altogether.

    See below for instructions on configuring these settings in the Zscaler App Portal.

    Configuring Fail-Open Settings

    From the Zscaler admin portal, go to Policy > Zscaler App Portal.

    In the Zscaler App portal, go to Administration from the top menu, then from the left menu, go to Zscaler App Support.

    In the App Fail Open tab, do the following:

    Under If Captive Portal detected, then disable Web Security for: Enter the number of minutes the Zscaler App must keep its services disabled upon detection of a captive portal. You can enter any value from 1 to 60 minutes. After the specified period of time, the Zscaler App will enable its services automatically and traffic will be forwarded to the Zscaler service through the app.

    Under If Zscaler Proxy Node (ZEN) is not reachable, then, select one of the following options:

    Fail Open to Bypass: Users are allowed to bypass the app and access the web directly

    Disable Internet Access: Users are blocked from accessing the web. The app will continue to attempt reaching the ZEN in the background and automatically re-enable itself once it successfully reaches the ZEN.

    Under If Zscaler App Tunnel Setup Fails, select one of the following options:

    Fail Open to Bypass: Users are allowed to bypass the app and access the web directly

    Disable Internet Access: Users are blocked from accessing the web. The app will continue to attempt establishing the tunnel in the background and automatically re-enable itself once it successfully establishes the tunnel.

    Click Save.

    View Article
  • You can use the EXE file to install the Zscaler App manually on a device, or to deploy the Zscaler App to your users via device management methods that do not support MSI files. After downloading the Zscaler App EXE installer file, you can simply deploy the file as is with your device management method.

    You can also add install options to the file to customize the Zscaler App for your organization via one of the following methods:

    If you're deploying the Zscaler App in an AD environment, you can add these options as parameters when assigning a computer startup script to install the Zscaler App. See Deploying the EXE file to install the Zscaler App in How do I deploy the Zscaler App for Windows with Active Directory?

    You can also run the EXE file with command-line options. See below for instructions.

    In addition to the custom features enabled by the install options below, you can also modify the EXE file name to allow users to log into the Zscaler App without entering a domain name. See the configuration instructions for this option at the end of this article.

    Running the EXE File with Command-Line Options

    You can add options while running the EXE with a command line. To begin:

    Start a command prompt as an administrator.

    Click Start.

    In the Start Search box, enter cmd, then press CTRL+SHIFT+ENTER.

    If the User Account Control dialog box appears, confirm that you want to continue.

    Enter the complete path of the EXE install file followed by the options you want. The available options are as follows (each is described in its own section below):

    --cloudName

    --deviceToken

    --hideAppUIOnLaunch

    --mode

    --policyToken

    --reinstallDriver

    --strictEnforcement

    --unattendedmodeui

    --userDomain

    The image below is an example of a command line that uses all the available options above, where:

    The complete path of the EXE file is C:\Users\User\Downloads\Zscaler-windows-1.2.0.000311-install.exe

    The cloud on which the organization is provisioned is zscalertwo.net

    The device token value is 123456789

    The policy token value is 987654321

    The organization's domain name is safemarch.com

    The image has been annotated to show the different components.

    --cloudName

    If your organization is provisioned on more than one cloud, during the enrollment process, your users are asked to select the cloud to which their traffic is sent. See image.

    With this install option, you can specify the cloud to which the App must send user traffic so that your users do not have to make the selection during enrollment. Do not use this option if your organization is provisioned on one cloud. The Zscaler App automatically sends traffic to the right cloud and your users do not encounter this step.

    NOTE: This install option is required if you enable the --strictEnforcement option.

    To add the option: Enter --cloudName <your organization's cloud name in lowercase letters>. See What is my cloud name? to learn how to find your cloud name.

    Example (where an organization's cloud is zscalertwo.net): --cloudName zscalertwo


    --deviceToken

    This allows you to use the Zscaler App Portal as an IdP. With this option, Zscaler can silently provision and authenticate users even if you don't have an authentication mechanism in place.

    NOTE: Before adding this option, you must have generated the device token in the Zscaler App Portal and completed the full configuration detailed in Using the Zscaler App Portal as an IdP.

    To add the option: Enter --deviceToken <appropriate device token from the Zscaler App Portal>. You must obtain the appropriate device token from the Zscaler App Portal.

    Example (where device token is 123456789): --deviceToken 123456789

    --hideAppUIOnLaunch

    This forces the Zscaler App window to stay hidden before users enroll with the App. Users can always open the window by clicking the Zscaler App icon in the system tray.

    To add this option, enter --hideAppUIOnLaunch 1

    --mode

    This allows you to install the Zscaler App in silent mode.

    To add this option, enter --mode unattended

    --policyToken

    This install option is only applicable (and required) if you enable --strictEnforcement and want users to enroll with the Zscaler App before accessing the Internet. This option allows you to specify which App Profile policy you want to enforce for the App before the user enrolls. All relevant settings associated with the policy will apply, including the bypass of the IdP login page. Once the user enrolls, this policy is replaced with the App Profile policy that matches the user based on group affiliation.

    NOTE:

    In the Zscaler App Portal, you must have configured the App Profile policy that you want to enforce and ensured that the custom PAC file associated with that policy includes a bypass for your IdP login page. This allows the user to access the IdP page to log in as necessary before enrolling with the Zscaler App. Once you configure an App Profile policy, the Zscaler App Portal automatically generates a policy token. You must use this policy token as the value for this option (see image below).

    To add this option, enter --policyToken <policy token from the Zscaler App Portal>. Note that you must also add --strictEnforcement 1 and --cloudName <your organization's cloud name in lower case letters>. See the example below. In the example, the organization's cloud name is zscalertwo.

    Example (where policy token is 123456789 and the cloud is zscalertwo.net): --strictEnforcement 1 --policyToken 123456789 --cloudName zscalertwo

    --reinstallDriver

    This forces a reinstallation of the driver, even if you already have a driver installed. Use this option if you are having issues with the currently installed driver.

    To add this option, enter the following: --reinstallDriver 1

    --strictEnforcement

    This allows you to require users to enroll with the Zscaler App before accessing the Internet.

    Note that with the --strictEnforcement option, you must also add the --policyToken and --cloudName options. See the descriptions of the --policyToken and --cloudName options above.

    To add this option, enter --strictEnforcement 1

    Example (where policy token is 123456789 and the cloud is zscalertwo.net): --strictEnforcement 1 --policyToken 123456789 --cloudName zscalertwo

    --unattendedmodeui

    This allows you to control what's displayed to users if you are performing an unattended installation of the Zscaler App.

    To add the option:

    In the Script Parameters field, enter the following: --unattendedmodeui <none, minimal, or minimalWithDialogs>, where:

    none: Nothing is displayed to users and no interaction is required. If you add the --mode unattended option (see above), this is the default value, and you do not need to add this option.

    minimal: Very little is displayed to the user (for example, a small progress bar showing installation progress).

    minimalWithDialogs: More information is displayed to the user with some dialogs that require user interaction.

    Example: --unattendedmodeui minimal

    --userDomain

    This allows users to skip the Zscaler App enrollment page (see image). Users are taken right to your organization's SSO login page.

    NOTES:

    SSO must be enabled for your organization.

    If you've integrated your SSO with the Zscaler App (using a mechanism like Integrated Windows Authentication (IWA)), users can also skip the SSO login page and are automatically enrolled with Zscaler service and logged in.

    An alternative to using this install option is to change the name of the installer file. See instructions.

    To add this option, enter the following: --userDomain <your organization's domain>

    Example (where organization's domain name is zscaler.com): --userDomain zscaler.com
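    The following PowerShell wrapper is an added example (not Zscaler's code) that builds the command line from the sample values in this article and enforces the dependencies stated above: --strictEnforcement requires --policyToken and --cloudName, and --cloudName takes the bare cloud name. The function names and the Authenticode signature check are assumptions of this example, not part of the installer.

```powershell
# Added example, not Zscaler's own code. Function names are hypothetical.
# Builds the EXE install arguments documented in this article and enforces
# the stated dependencies: --strictEnforcement needs --policyToken and
# --cloudName; --cloudName is the bare cloud name (zscalertwo, not zscalertwo.net).
function New-ZscalerExeArgs {
    [CmdletBinding()]
    param(
        [string]$CloudName,          # only for organizations provisioned on more than one cloud
        [string]$DeviceToken,        # generated in the Zscaler App Portal (IdP feature)
        [string]$PolicyToken,        # App Profile policy token (required with strict enforcement)
        [string]$UserDomain,         # lets users skip the enrollment page
        [switch]$StrictEnforcement,
        [switch]$HideAppUIOnLaunch,
        [switch]$ReinstallDriver,
        [ValidateSet('none', 'minimal', 'minimalWithDialogs')]
        [string]$UnattendedModeUi = 'none'
    )

    if ($StrictEnforcement -and (-not $PolicyToken -or -not $CloudName)) {
        throw '--strictEnforcement requires both --policyToken and --cloudName.'
    }
    if ($CloudName -and $CloudName -match '\.') {
        throw 'Use the bare cloud name (for example zscalertwo), not the full domain.'
    }

    # Silent install; the article states 'none' is then the default UI mode, so it is omitted.
    $argList = @('--mode', 'unattended')
    if ($UnattendedModeUi -ne 'none') { $argList += '--unattendedmodeui', $UnattendedModeUi }
    if ($CloudName)         { $argList += '--cloudName', $CloudName.ToLowerInvariant() }
    if ($DeviceToken)       { $argList += '--deviceToken', $DeviceToken }
    if ($PolicyToken)       { $argList += '--policyToken', $PolicyToken }
    if ($UserDomain)        { $argList += '--userDomain', $UserDomain }
    if ($StrictEnforcement) { $argList += '--strictEnforcement', '1' }
    if ($HideAppUIOnLaunch) { $argList += '--hideAppUIOnLaunch', '1' }
    if ($ReinstallDriver)   { $argList += '--reinstallDriver', '1' }
    return $argList
}

# Runs the installer (from an elevated prompt) and returns its exit code.
function Install-ZscalerExe {
    param(
        [Parameter(Mandatory)][string]$InstallerPath,
        [string[]]$Arguments
    )
    if (-not (Test-Path -LiteralPath $InstallerPath)) { throw "Installer not found: $InstallerPath" }
    # Hygiene added by this example: refuse to run an unsigned or tampered binary as administrator.
    $sig = Get-AuthenticodeSignature -FilePath $InstallerPath
    if ($sig.Status -ne 'Valid') { throw "Installer signature status is '$($sig.Status)'; refusing to run." }
    $proc = Start-Process -FilePath $InstallerPath -ArgumentList $Arguments -Wait -PassThru
    return $proc.ExitCode
}

# Sample values from this article; the tokens are the article's placeholders, not real tokens.
$installer = 'C:\Users\User\Downloads\Zscaler-windows-1.2.0.000311-install.exe'
$argList = New-ZscalerExeArgs -CloudName 'zscalertwo' -DeviceToken '123456789' `
    -PolicyToken '987654321' -UserDomain 'safemarch.com' -StrictEnforcement `
    -HideAppUIOnLaunch -ReinstallDriver
Write-Host "Command line: $installer $($argList -join ' ')"
$exitCode = Install-ZscalerExe -InstallerPath $installer -Arguments $argList
Write-Host "Installer exit code: $exitCode"
```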


    Allow Users to Log into the Zscaler App Without Entering Domains

    This configuration achieves the same function as the install option --userDomain above. Note:

    SSO must be enabled for your organization.

    If you've integrated your SSO with the Zscaler App (using a mechanism like Integrated Windows Authentication (IWA)), users can also skip the SSO login page and are automatically enrolled with Zscaler service and logged in.

    To allow users to log into the Zscaler App without entering domains, do the following:

    Locate the EXE file you downloaded.

    Prefix the installer file name with your organization's domain name. For example, if the installer file name is "Zscaler-windows-1.1.0.000213-installer" and your organization's domain is "safemarch.com", you would rename the installer file to "safemarch.com-Zscaler-windows-1.1.0.000213-installer".

    View Article
  • This article provides instructions for uninstalling the Zscaler App using the MSI installer file when a password is required to uninstall the app.

    When configuring the Zscaler App profile, in the Logout Password (Optional) field, you can provide a password that users must enter to log out of the app, exit the app from the system tray, and uninstall the app.

    The Zscaler App can also be uninstalled manually from individual computers. If a password has been configured in the app profile, the password must be entered to uninstall the Zscaler App. See Uninstall the Zscaler App Manually from Individual Computers.

    For instructions on how to uninstall the Zscaler App from your users' devices when a password has been configured with the MST file, choose one of the following options:

    Run the MSI File with a Command Line Option

    Remove the MST File from the GPO

    Uninstall the Zscaler App Manually from Individual Computers

    For instructions on how to uninstall the Zscaler App manually from individual computers, see below:

    Windows

    Navigate to the Zscaler folder on the device.

    Open the ZSAInstaller folder, and then click the uninstall application to uninstall the Zscaler App.

    Mac OS X

    Navigate to the Zscaler folder on the device.

    Click UninstallApplication to uninstall the Zscaler app.

    Run the MSI File with a Command Line Option

    To uninstall the Zscaler App from your user's device, open the device's command prompt. Then run the MSI file with the following command line option: msiexec /x <complete_path> /quiet UNINSTALLPASSWORD=<logout_password>

    Replace <complete_path> with the complete path of the MSI installer. For example, C:\Users\User\Downloads\Zscaler-windows-1.1.0.000213-installer.msi

    Note that "/quiet" specifies uninstalling the Zscaler App in silent mode.

    Replace <logout_password> with the password that is configured in the Zscaler App profile. In this example, the organization's password is safemarch123.

    Remove the MST File from the GPO

    Complete the following steps to uninstall the MST file from your users' devices in an AD environment:

    Right-click the GPO Policy and click Edit.

    Go to User Configuration > Policies > Software Settings > Software installation. Right-click the MST file and click All Tasks.

    Click Remove to uninstall the Zscaler App.

    NOTE: If you first entered the uninstall password in an MST file and deployed it when deploying the Zscaler App in an Active Directory (AD) environment, ensure that the password is the same as the password configured in the Zscaler App profile. To learn how to enter an uninstall password, see Enter the uninstall password for uninstalling the Zscaler App with the MST in How do I deploy the MSI Installer Package to install the Zscaler App?

    View Article
  • Overview

    The Zscaler App Portal can function as an identity provider (IdP) for the Zscaler service. With this feature, users do not need to be tied to your organization's standard identity provider (IdP) in order to authenticate to the Zscaler service. Instead, if your organization uses SAML-based single sign-on (SSO), the Zscaler App can use a device token to auto-provision and silently authenticate users and devices for the Zscaler service.

    You can generate the device token in the Zscaler App Portal and pass the token to the App in an installer option. In addition, in the Zscaler admin portal, you must upload the Zscaler App IdP certificate and add the Zscaler App IdP URL as your SAML Portal URL. The App is then able to gather user ID and other relevant parameters from devices and send the information to the Zscaler cloud in SAML requests. The Zscaler App Portal parses and verifies the SAML requests, enabling the Zscaler cloud to provision and silently authenticate users.

    Configuration

    You must complete the following tasks to begin using the Zscaler App Portal as an IdP for Zscaler.

    In the Zscaler App Portal:

    Obtain the Zscaler App IdP URL.

    Download the Zscaler App IdP Certificate.

    Create the device token.

    In the Zscaler admin portal:

    Add the Zscaler App IdP URL as the SAML Portal URL.

    Upload the Zscaler App IdP Certificate.

    When installing the Zscaler App:

    Pass the device token in an installer option.

    Zscaler App Portal Steps:

    From the Zscaler admin portal, go to Policy > Zscaler App Portal.

    In the Zscaler App Portal, go to Administration from the top menu, then from the left menu, select Zscaler App IDP.

    Note the URL under IDP URL. You must enter this URL in the SAML Portal URL field in the Zscaler admin portal (as described in Zscaler Admin Portal Steps below).

    Click Download under Zscaler App IdP Certificate. You must upload this certificate to the Zscaler admin portal (as described in Zscaler Admin Portal Steps below).

    Under Manage Device Tokens, click Create Device Token.

    In the Create Device Token window, do the following:

    Enter Password: Enter a password that is at least six characters and includes an alphabetic character and a number.

    Token Description: Enter a description that helps you track each token.

    Click Create Token.

    The token you generate appears in the table under Manage Device Tokens. You can create up to 8 tokens.

    Zscaler Admin Portal Steps

    In the Zscaler admin portal:

    Go to Administration > Authentication > Authentication Settings.

    In Authentication Type, choose SAML and click Configure SAML to open the New SAML or Edit SAML window.

    In the Identity Provider (IDP) Options section, complete the following:

    SAML Portal URL: Enter the IDP URL obtained from the Zscaler App Portal.

    Public SSL Certificate: Click Upload, and then click Choose File to navigate to the Zscaler App IdP certificate you downloaded from the Zscaler App Portal.

    In the Auto-Provisioning Options section:

    Select Enable SAML Auto-Provisioning.

    Click Save and activate the change.

    Passing the Device Token

    To use the Zscaler App as an IdP for your users, you must pass the device token to users' devices during installation. Below are instructions for passing the device token for Windows and Mac with the available installation options.

    Windows: MSI Installer

    Command line option when running an MSI File

    Passing the device token in an MST file

    Windows: EXE Installer

    Command line option when defining the system start-up script

    Command line option when running the EXE installer file

    Mac: Installer App

    Command line option with the installer app

    Pass the Device Token in an MST File

    Complete the following steps to use Orca to create an MST file that includes the device token.

    After opening Orca, click File, then Open. Double-click the MSI file.

    Click Transform, then click New Transform.

    In the Tables column, click Property. See image.

    Click Tables, then click Add Row.

    In the Add Row menu, enter the following and click OK:

    Property: DEVICETOKEN

    Value: Enter the device token you created in the Zscaler App Portal. See image.

    To save your changes, click Transform, and then click Generate Transform.

    In the Save Transform As menu, enter a file name and click Save. Note: You can use as many MSI Installer options as you need. To learn about additional MSI Installer options, see Create an MST File with Orca and Deploy It in "How do I deploy the MSI Installer Package to install the Zscaler App?"

    You can then deploy the MST file.


    Run the MSI File with a Command Line Option

    To deploy the MSI file and install the Zscaler App, use the following command line option with the property and values you want to configure:

    msiexec /i "<complete_path>" /quiet DEVICETOKEN=<device_token> USERDOMAIN=<your_organization's_domain>

    Replace <complete_path> with the complete path of the MSI installer. For example, "C:\Users\User\Downloads\Zscaler-windows-1.1.2.000025-installer.msi"

    Note that "/quiet" specifies deploying the Zscaler App in silent mode.

    Replace <device_token> with the device token you created in the Zscaler App Portal. Note: You can add as many MSI Installer options as you need. To learn about additional MSI Installer options, see Run the MSI File with a Command Line Option in "How do I deploy the MSI Installer Package to install the Zscaler App?"

    Define the System Start-up Script to Install the Zscaler App

    While deploying the Zscaler App in an AD environment, you can enter the command line option when you define the system start-up script to install the Zscaler App. In this example, Windows Server 2012 R2 is used.

    Select the GPO Policy and go to Computer Configuration > Policies > Windows Settings > Scripts > Startup. Double-click to open.

    Select Add to open a new wizard.

    In the Script Name field, specify the complete path of the Zscaler App installer. For example: \\SERVER\share\Zscaler-windows-1.1.2.000025-installer.exe

    Enter the following script parameters in the Script Parameters field:

    To install the Zscaler App in silent mode, use: --mode unattended

    To pass the device token, use: --deviceToken <device_token> --userDomain <your_organization's_domain>

    Replace <device_token> with the device token you created in the Zscaler App Portal.

    Replace <your_organization's_domain> with your organization's domain. In this example, the organization's domain is "safemarch.com". Note that you can add as many parameters as you need. To learn about additional script parameters, see Define the System Start-up Script to Install the Zscaler App in "How do I deploy the EXE installer file to install the Zscaler App?"

    Click OK. See image.

    Click Apply to apply the changes to the policy and execute gpupdate.exe /force.

    Remotely reboot the OU computers on which you want to install the Zscaler App with the following command: shutdown.exe /r /m \\Remote-Computer-Name /t 0


    Run the EXE Installer File with a Command Line Option

    To deploy the EXE file and install the Zscaler App, use the following command line options with the complete path of the EXE installer. In this example, the complete path is "C:\Users\User\Downloads\Zscaler-windows-1.1.2.000025-installer.exe".

    To install the Zscaler App in silent mode, run the EXE installer file with the following command line option: --mode unattended

    To pass the device token, run the EXE installer file with the following command line option: --deviceToken <device_token> --userDomain <your_organization's_domain>

    Replace <device_token> with the device token you created in the Zscaler App Portal. Note that you can add as many command line options as you need. To learn about additional command line options, see Run the EXE Installer File with a Command Line Option in "How do I deploy the EXE installer file to install the Zscaler App?"

    Mac OS X

    To pass the device token, use the following command line: sudo sh <download_location>/Contents/MacOS/installbuilder.sh --deviceToken <device_token> --cloudName <zscaler_cloud>

    Replace <download_location> with the location of the unzipped installer app.

    Replace <device_token> with the device token you created in the Zscaler App Portal.

    Replace <zscaler_cloud> with your cloud name. For example, if your cloud name is zscalertwo.net, use "--cloudName zscalertwo". To learn how to find your Zscaler cloud, see What is my cloud name?

    View Article
  • To remove the Zscaler App from a user's device:

    From the Zscaler admin portal, go to Policy > Zscaler App Portal.

    In the Zscaler App Portal, go to the Dashboard tab.

    Select Enrolled Devices from the top menu.

    Point to the user device from which you want to remove the Zscaler App, and click the Device Details icon.

    Select Remove as shown in the figure below.

    View Article
  • Below are best practices to follow if your users are running the Zscaler App in conjunction with a corporate VPN client.

    A. Select Tunnel with Local Proxy as the Forwarding Profile Action

    B. Ensure that VPN Clients Don't Change Device Proxy Settings

    C. Check if VPN Runs in Full-Tunnel or Split-Tunnel Mode

    D. Steps to Take if Selecting Tunnel for Forwarding Profile Action

    A. Select Tunnel with Local Proxy as the Forwarding Profile Action

    If your users have a corporate VPN client installed on their devices in addition to the Zscaler App, Zscaler recommends you select Tunnel with Local Proxy as the forwarding profile action for all networks in your forwarding profile. This ensures maximum interoperability between the VPN client and the Zscaler App.

    At the least, Zscaler recommends you do not select Tunnel as the forwarding profile action for VPN Trusted Network. Zscaler advises this because VPN clients work at the network (IP) layer, which is the same layer the App works in if you select Tunnel mode. Both the VPN and the Zscaler App working at the same layer increases the likelihood of interoperability problems.

    Zscaler recommends selecting Tunnel with Local Proxy as the forwarding profile action because in this mode, the Zscaler App works at the application layer. Users don't experience interoperability issues because the App is not competing with the VPN client at the IP layer. Instead, the App allows the VPN to take traffic as needed, but sets proxy settings to ensure that all user traffic is still protected by Zscaler. Note that if you are using Zscaler App version 1.1.1 or later, you are not required to add a custom PAC file when selecting Tunnel with Local Proxy. See more details about the different forwarding profile actions the Zscaler App can use.

    If your users have a corporate VPN, and you still decide to use the Tunnel mode as your forwarding profile action, you must take some key steps to ensure that users do not experience connectivity issues. See D. Steps to Take if Selecting Tunnel for Forwarding Profile Action, below.

    Details

    The Zscaler App can work either at the Network (IP) layer, or the Application layer. You can specify which layer the App uses to tunnel traffic (or whether the App tunnels traffic at all) with the forwarding profile action you choose for forwarding profiles.

    In Tunnel mode, the App tunnels traffic at the Network (IP) layer. It captures user traffic by setting IP routes on user devices.

    In Tunnel with Local Proxy mode, the App tunnels traffic at the Application layer. It captures traffic by applying proxy settings on user devices. This option has advantages over the Enforce PAC option below because the App transparently handles authentication for users. This way, users don't have to reauthenticate for applications when they open new browsers and are less likely to run into issues accessing applications that aren't browser-based.

    In Enforce PAC mode, the App does not tunnel any traffic. It only sets proxy settings for browsers on the user device, and prohibits users from changing those proxy settings.

    In None mode, the Zscaler App does not tunnel any traffic at all. It performs no actions on the user device.

    B. Ensure that VPN Clients Don't Change Device Proxy Settings

    Even if you select Tunnel with Local Proxy as the forwarding profile action for VPN Trusted Network, you must ensure that the VPN client is not configured to change proxy settings on user devices. If VPN clients tamper with proxy settings in any way, the Zscaler App does not forward traffic properly.

    C. Check if VPN Runs in Full-Tunnel or Split-Tunnel Mode

    Your VPN can run in full-tunnel mode or split-tunnel mode. Each mode requires different configurations for the Zscaler App.

    In full-tunnel mode, all of a user's traffic is routed to the VPN client. When your VPN runs in this mode, the Zscaler App treats the network as a VPN Trusted Network. It applies the forwarding profile action you chose for that network in the forwarding profile. Note, however, the important caveats below:

    Zscaler strongly recommends against choosing Tunnel as the forwarding profile action for VPN Trusted Network. As explained above, because the Zscaler App in tunnel mode works at the same layer (IP layer) as the VPN client, interoperability issues have been observed with the App in this mode.

    The Zscaler App detects a full-tunnel VPN by looking for a default route in the routing table. If the VPN doesn't set a default route and uses a different mechanism to capture all user traffic, the Zscaler App doesn't consider the VPN a full-tunnel VPN, and therefore doesn't treat the user as connected to a VPN Trusted Network. Instead, the Zscaler App treats the user as Off Trusted Network and applies the corresponding forwarding profile action. If your VPN doesn't set a default route, it's particularly important that you do not select Tunnel as the forwarding profile action. As noted above, Zscaler recommends Tunnel with Local Proxy instead.

    To detect a VPN Trusted Network, the Zscaler App also looks for the words Cisco, Juniper, Fortinet, PanGP, and VPN in the default interface description. If these words are missing, the Zscaler App treats the user as Off Trusted Network.

    In split-tunnel mode, only some of your users' traffic is routed to the VPN client. For example, the VPN may set routes only for specific subnets, such as 10/8 or 192.168/16. Additionally, the VPN may set DNS on the device to capture traffic for internal hosts. If your VPN client runs in split-tunnel mode:

    The Zscaler App treats the device as Off Trusted Network and applies the forwarding profile action you chose for that network when configuring forwarding profiles for the App.

    Again, for ease of configuration, Zscaler recommends you select Tunnel with Local Proxy mode in this scenario. However, if you choose to run the Zscaler App in Tunnel mode, and your VPN client is running in split-tunnel mode, you must take some steps to ensure the App interoperates with your VPN client. See the first item under D. Steps to Take if Selecting Tunnel for Forwarding Profile Action, below.

    D. Steps to Take if Selecting Tunnel for Forwarding Profile Action

    Should your organization decide to use the Tunnel mode, below are key steps to take to ensure users do not experience connectivity issues.

    If your VPN runs in split-tunnel mode, you must allow traffic destined for the VPN gateway to bypass the Zscaler App. See instructions. NOTE: As mentioned above, if your VPN runs in full-tunnel mode, Zscaler strongly recommends against selecting Tunnel for the forwarding profile action.

    If the VPN client runs in split-tunnel mode, ensure that any DNS used by the VPN can resolve both internal and external domains. See explanation.

    If your VPN has any firewall functionality, ensure that this functionality is disabled, or whitelist the Zscaler App in the firewall. Otherwise, the VPN firewall can interfere with Zscaler App tunnel processes.

    When you configure the Trusted Network Criteria in forwarding profiles, Zscaler recommends that you use the DNS Server and DNS Search Domains conditions. See explanation.

    Keep in mind that users may see some momentary network instability when a VPN client initially launches while the Zscaler App is running. See explanation.

    VPN clients in Split Tunnel Mode

    If you select Tunnel mode as the forwarding profile action, and your VPN clients run in split-tunnel mode, the Zscaler App can only forward traffic properly if you allow traffic destined for the VPN gateway to bypass the Zscaler App.

    You can do this in the Hostname/IP Address bypass for VPN Gateway field when configuring your App Profiles. Specify in that field the hostnames or IP addresses for all your VPN gateways. The Zscaler App sets the routing table to exclude any traffic destined for the VPN gateway, ensuring that this traffic is allowed to bypass the App tunnel and properly go to the VPN. To ensure against connectivity issues, it is critical that you include all VPN hostnames, or all IP addresses to which these hostnames might resolve.

    Trusted Network Detection

    To detect whether a network is a trusted, untrusted, or VPN-trusted network, the Zscaler App examines the network interface properties. Zscaler recommends selecting DNS Server and DNS Search Domains for trusted network criteria because they are static properties on the network interface.

    Hostname and IP resolution, in contrast, is a dynamic property, because the Zscaler App must take the step of resolving a hostname to see if it resolves to the IP address specified in the Trusted Network Criteria. There is a chance that a resolution might fail because of network transition processes, or if a VPN connection is unstable. If a resolution fails, then the Zscaler App can incorrectly determine the network is an untrusted one, in which case it applies the wrong forwarding profile action.

    Split Tunnel Mode - configure DNS properly

    On Windows devices, when the Zscaler App runs in Tunnel mode, the Zscaler App sets DNS on the interface to point to 100.64.0.3, 100.64.0.4, and 100.64.0.5. When a user launches a VPN connection, the Zscaler App detects this network change and responds accordingly.

    If the VPN client runs in full-tunnel mode, the Zscaler App removes all of its own DNS settings to allow all traffic to properly go to the VPN.

    If the VPN client runs in split-tunnel mode, the App applies the forwarding profile action for Off Trusted Network in the forwarding profile. While this is the expected behavior, the following scenario has occasionally been observed when a VPN sets its own DNS on the interface, but that DNS is configured only to resolve internal domains.

    Upon launch, the VPN client sets its own DNS on the interface to make it the prioritized DNS for resolving internal domains. The Zscaler App detects this change and reverts it, so that 100.64.0.3 (Zscaler's DNS) is again the prioritized DNS for the user device. However, the Zscaler App redirects any DNS query that comes to 100.64.0.3 to the original prioritized DNS (the VPN client DNS). At this point, if the DNS query is for an external domain, and the original VPN DNS is configured only to resolve internal domains, the DNS query should continue to be redirected to the next DNS server in the priority list, until it reaches a DNS server that can resolve the requested external domain. However, some Windows programs do not redirect DNS queries to the next DNS server in the priority list. In this scenario, the DNS query never reaches a DNS server that can resolve the requested external domain, and the user is left unable to reach it. To prevent this, ensure that all VPN clients set DNS servers that can resolve both internal and external domains.
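    The following PowerShell script is an added example, not part of the Zscaler article: it checks whether every DNS server configured on the device (including the ones a split-tunnel VPN pushes) can resolve both an internal and an external name, which is the condition described above. It assumes Windows 8/Server 2012 or later (for the DnsClient cmdlets) and uses placeholder host names that you must replace.

```powershell
# Added example (not from the Zscaler article): checks that every DNS server
# configured on the device's interfaces can resolve BOTH an internal and an
# external name, the condition a split-tunnel VPN must satisfy.
# The two host names are placeholders; replace them for your environment.
param(
    [string]$InternalName = 'intranet.example.internal',   # placeholder internal FQDN
    [string]$ExternalName = 'www.example.com'              # placeholder external FQDN
)

# Addresses the Zscaler App itself places on the interface in Tunnel mode (from the article).
$zscalerDns = @('100.64.0.3', '100.64.0.4', '100.64.0.5')

function Test-DnsServerResolves {
    param([string]$Server, [string]$Name)
    try {
        # -DnsOnly bypasses the local cache and hosts file so the server itself is tested.
        $null = Resolve-DnsName -Name $Name -Server $Server -Type A -DnsOnly -QuickTimeout -ErrorAction Stop
        return $true
    } catch {
        return $false
    }
}

$results = foreach ($entry in Get-DnsClientServerAddress -AddressFamily IPv4) {
    foreach ($server in $entry.ServerAddresses) {
        if ($zscalerDns -contains $server) {
            # Queries sent here are redirected by the Zscaler App to the original DNS,
            # so test the underlying servers rather than the App's own addresses.
            continue
        }
        [pscustomobject]@{
            Interface = $entry.InterfaceAlias
            Server    = $server
            Internal  = Test-DnsServerResolves -Server $server -Name $InternalName
            External  = Test-DnsServerResolves -Server $server -Name $ExternalName
        }
    }
}

$results | Format-Table -AutoSize

# The failure mode from the article: a VPN-pushed server that answers internal
# names only. Some Windows programs will not fall back to the next server.
$internalOnly = $results | Where-Object { $_.Internal -and -not $_.External }
if ($internalOnly) {
    Write-Warning "These DNS servers resolve internal but not external names; external domains may be unreachable in split-tunnel mode:"
    $internalOnly | ForEach-Object { Write-Warning ("  {0} on {1}" -f $_.Server, $_.Interface) }
} else {
    Write-Host "All configured DNS servers resolve both internal and external names."
}
```

    Run it with the VPN connected; a server listed in the warning is the one the article says will leave users unable to reach external domains.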

    Network Instability when Launching VPN Connection

    On Windows devices, when the Zscaler App runs in Tunnel mode, the Zscaler App sets DNS on the interface to point to 100.64.0.3, 100.64.0.4, and 100.64.0.5.

    When a user launches a VPN connection, the Zscaler App detects this network change and responds accordingly. If the VPN client runs in full-tunnel mode the App removes all of its own DNS settings to allow all traffic to properly go to the VPN. If the VPN client runs in split-tunnel mode, the App reconfigures DNS settings so it can properly apply the forwarding profile action for Off Trusted Network.

    While that is the ultimate expected outcome, the user may experience some temporary network instability. When the Zscaler App removes its own DNS settings, this is detected as a network change by the VPN client. In response, the VPN client may disconnect and attempt to reestablish the connection. The user may experience some connectivity issues until this process is complete and the Zscaler App and VPN client reach equilibrium.

  • You can use the MSI file to manually install the Zscaler App on a device, or if you're deploying the Zscaler App to your users via GPO, SCCM, or other device management methods that support MSI files. After downloading the Zscaler App MSI installer file, you can simply deploy the file as is with your device management method.

    You can also add to the file install options to customize the App for your organization via one of the following methods. See below to learn more.

    Create an MST and deploy it via GPO or a compatible device management tool

    Run the MSI with command-line options

    Create an MST File

    Complete the following steps to create an MST file with Orca:

    After opening Orca, click File, then Open. Double-click the MSI file.

    Click Transform, then click New Transform.

    In the Tables column, click Property.

    From here, you can edit values for install options or add more options. Click below for more details.

    CLOUDNAME

    DEVICETOKEN

    HIDEAPPUIONLAUNCH

    INSTALLDRIVERCERT

    POLICYTOKEN

    REINSTALLDRIVER

    STRICTENFORCEMENT

    UNINSTALLPASSWORD

    USERDOMAIN

    CLOUDNAME

    If your organization is provisioned on more than one cloud, during the enrollment process, your users are asked to select the cloud to which their traffic is sent. See image.

    With this install option, you can specify the cloud to which the App must send user traffic so that your users do not have to make the selection during enrollment. Do not use this option if your organization is provisioned on one cloud. The Zscaler App automatically sends traffic to the right cloud and your users do not encounter this step.

    NOTE: This install option is required if you enable the STRICTENFORCEMENT install option. To add the option:

    Click Tables from the top menu, and then click Add Row.

    In the Add Row window, do the following:

    For Property, enter CLOUDNAME.

    Hit Enter or click the Value field.

    For Value, enter the name of the cloud on which your organization is provisioned, in lowercase letters. For example, if your cloud is zscalertwo.net, you would enter zscalertwo. See What is my cloud name? to learn how to find your cloud name.

    Click OK.

    The install option appears as a new line.


    DEVICETOKEN

    This allows you to use the Zscaler App Portal as an IdP. With this option, Zscaler can silently provision and authenticate users even if you don't have an authentication mechanism in place.

    NOTE: Before adding this option, you must have generated the device token in the Zscaler App Portal and completed the full configuration detailed in Using the Zscaler App Portal as an IdP.

    To add the option:

    Click Tables from the top menu, and then click Add Row.

    In the Add Row window, do the following:

    For Property, enter DEVICETOKEN.

    Hit Enter or click the Value field.

    For Value, enter the appropriate device token from the Zscaler App Portal. See Using the Zscaler App Portal as an IdP to learn more.

    Click OK.

    The install option appears as a new line.

    HIDEAPPUIONLAUNCH

    This forces the Zscaler App window to stay hidden before users enroll with the App. Users can always open the window by clicking the Zscaler App icon in the system tray.

    The default value is 0. To enable the option, change the value to 1 directly in the table by double-clicking the field and entering your new value.

    INSTALLDRIVERCERT

    This allows you to silently install the network adapter signature certificate along with the App so that users are not prompted to accept the certificate themselves when you install the Zscaler App.

    NOTE: Starting with Zscaler App 1.2, this network adapter certificate is automatically installed with the App. If you are using version 1.2 or later, you don't need to add this option. However, if you're using an earlier version than Zscaler App 1.2, or if you have a strict GPO policy restricting the certificates, see below.

    If you're using an earlier version than 1.2: Change the value to 1 directly in the table by double-clicking the field and entering your new value.

    If you're using version 1.2 or later but have a GPO policy restricting the certificates that can be installed on your organization's devices: Change the value to 0 directly in the table by double-clicking the field and entering your new value. You must also complete the steps described in How do I push the network adapter signature certificate for Zscaler App using GPO?

    POLICYTOKEN

    This install option is only applicable (and required) if you enable STRICTENFORCEMENT and want users to enroll with the Zscaler App before accessing the Internet. This option allows you to specify which App Profile policy you want to enforce for the App before the user enrolls. All relevant settings associated with the policy will apply, including the bypass of the IdP login page. Once the user enrolls, this policy is replaced with the App Profile policy that matches the user based on group affiliation.

    NOTES:

    In the Zscaler App Portal, you must have configured the App Profile policy that you want to enforce and ensured that the custom PAC file associated with that policy includes a bypass for your IdP login page. This allows the user to access the IdP page to log in as necessary before enrolling with the Zscaler App.

    This install option is only applicable, and required, if you enable STRICTENFORCEMENT and want users to enroll with the Zscaler App before accessing the Internet.

    To add the option:

    Click Tables from the top menu, and then click Add Row.

    In the Add Row window, do the following:

    For Property, enter POLICYTOKEN.

    Hit Enter or click the Value field.

    For Value, enter the policy token associated with the policy you want to enforce before enrollment. See Configuring Zscaler App Profiles to learn more.

    Click OK.

    The install option appears as a new line.

    REINSTALLDRIVER

    This forces a reinstallation of the driver, even if you already have a driver installed. Use this option if you are having issues with the currently installed driver.

    The default value is 0. To enable the option, change the value to 1 directly in the table by double-clicking the field and entering your new value.

    STRICTENFORCEMENT

    This allows you to require users to enroll with the Zscaler App before accessing the Internet.

    NOTE: Adding this install option requires that you provide values for CLOUDNAME and POLICYTOKEN install options as well.

    The default value is 0. Change the value to 1 to enable this install option.

    UNINSTALLPASSWORD

    This allows you to silently uninstall the Zscaler App from user devices using device management methods like GPO. This option is available only with MSI. The password you add for this option must match the Logout password configured in the Zscaler App profiles. With the password, you'll be able to uninstall the Zscaler App from your users' devices by removing the MST file from the GPO.

    NOTES:

    Your users must be enrolled in the Zscaler App. If users have the App installed on their devices but have not enrolled, you cannot uninstall the App with this method.

    You must have a Logout Password configured in the Zscaler App profiles. See Configuring Zscaler App Profiles to learn more.

    To add the option:

    Click Tables from the top menu, and then click Add Row.

    In the Add Row window, do the following:

    For Property, enter UNINSTALLPASSWORD.

    Hit Enter or click the Value field.

    For Value, enter the Logout Password from the App Profile policy.

    Click OK.

    The install option appears as a new line.

    USERDOMAIN

    This allows users to skip the Zscaler App enrollment page (see image). Users are taken right to your organization's SSO login page.

    NOTES:

    SSO must be enabled for your organization.

    If you've integrated your SSO with the Zscaler App (using a mechanism like Integrated Windows Authentication (IWA)), users can also skip the SSO login page and are automatically enrolled with Zscaler service and logged in.

    To add the option:

    Click Tables from the top menu, and then click Add Row.

    In the Add Row window, do the following:

    For Property, enter USERDOMAIN.

    Hit Enter or click the Value field.

    For Value, enter your organization's domain name.

    Click OK.

    The install option appears as a new line.


    To save your changes after adding the options you want, click Transform, and then click Generate Transform.

    In the Save Transform As menu, enter a file name and click Save.

    After creating the MST, you can use it when deploying the Zscaler App to your users with Active Directory.

    Run the MSI File with Command-Line Options

    Zscaler recommends using the MST file to install the Zscaler App with custom options. But if you have a device management tool that does not support MST (for example, SCCM or PSEXEC), or you're manually installing the MSI file on your system, you can run the MSI file with a command line and add the options you want with the following steps:

    Start a command prompt as an administrator.

    Click Start.

    In the Start Search box, enter cmd, then press CTRL+SHIFT+ENTER.

    If the User Account Control dialog box appears, confirm that you want to continue.

    Use the following command line: msiexec /i "<complete_path>" /quiet followed by the options you want.

    Replace <complete_path> with the complete path of the MSI install file. For example, "C:\Users\User\Downloads\Zscaler-windows-1.0.2.000018-install.msi"

    Add "/quiet" to install the Zscaler App in silent mode.

    Available options are as follows (click each option for more details).

    CLOUDNAME

    DEVICETOKEN

    HIDEAPPUIONLAUNCH

    INSTALLDRIVERCERT

    POLICYTOKEN

    REINSTALLDRIVER

    STRICTENFORCEMENT

    USERDOMAIN

    The image below is an example of a command line that uses all the available options above (except INSTALLDRIVERCERT), where:

    The complete path of the MSI file is C:\Users\User\Downloads\Zscaler-windows-1.2.0.000311-install.msi

    /quiet is used to enforce silent installation

    The cloud on which the organization is provisioned is zscalertwo.net

    The device token value is 4e36647447326e5a553335303232416e6279784b51513d3d

    The policy token value is 32343A343A312E31204D6967726174696F6E

    The organization's domain name is safemarch.com

    The image has been annotated to show the different components.

    CLOUDNAME

    If your organization is provisioned on more than one cloud, during the enrollment process, your users are asked to select the cloud to which their traffic is sent. See image.

    With this install option, you can specify the cloud to which the App must send user traffic so that your users do not have to make the selection during enrollment. Do not use this option if your organization is provisioned on one cloud. The Zscaler App automatically sends traffic to the right cloud and your users do not encounter this step.

    NOTE: This install option is required if you enable the STRICTENFORCEMENT install option.

    To add the option, enter CLOUDNAME=<your organization's cloud name in lowercase letters>. For example, if your cloud is zscalertwo.net, you would enter zscalertwo. See What is my cloud name? to learn how to find your cloud name.


    DEVICETOKEN

    This allows you to use the Zscaler App Portal as an IdP. With this option, Zscaler can silently provision and authenticate users even if you don't have an authentication mechanism in place.

    NOTE: Before adding this option, you must have generated the device token in the Zscaler App Portal and completed the full configuration detailed in Using the Zscaler App Portal as an IdP.

    To add the option, enter DEVICETOKEN=<the appropriate device token from the Zscaler App Portal>

    HIDEAPPUIONLAUNCH

    This forces the Zscaler App window to stay hidden before users enroll with the App. Users can always open the window by clicking the Zscaler App icon in the system tray.

    To add this option, enter HIDEAPPUIONLAUNCH=1

    INSTALLDRIVERCERT

    This allows you to silently install the network adapter signature certificate along with the App so that users are not prompted to accept the certificate themselves when you install the Zscaler App.

    NOTE: Starting with Zscaler App 1.2 this network adapter certificate is automatically installed with the App. If you are using version 1.2 or later, you don't need to add this option. However, if you're using an earlier version than Zscaler App 1.2, or if you have a strict GPO policy restricting the certificates that can be installed on organizational devices, see below.

    If you're using an earlier version than 1.2: Enter INSTALLDRIVERCERT=1 to silently install the network adapter signature certificate.

    If you have a GPO policy restricting the certificates that can be installed on organizational devices: Enter INSTALLDRIVERCERT=0. You must also complete the steps described in How do I push the network adapter signature certificate for Zscaler App using GPO?

    POLICYTOKEN

    This install option is only applicable (and required) if you enable STRICTENFORCEMENT and want users to enroll with the Zscaler App before accessing the Internet. This option allows you to specify which App Profile policy you want to enforce for the App before the user enrolls. All relevant settings associated with the policy will apply, including the bypass of the IdP login page. Once the user enrolls, this policy is replaced with the App Profile policy that matches the user based on group affiliation.

    NOTES:

    In the Zscaler App Portal, you must have configured the App Profile policy that you want to enforce and ensured that the custom PAC file associated with that policy includes a bypass for your IdP login page. This allows the user to access the IdP page to log in as necessary before enrolling with the Zscaler App.

    This install option is only applicable, and required, if you enable STRICTENFORCEMENT and want users to enroll with the Zscaler App before accessing the Internet.

    To add this option, enter POLICYTOKEN=<appropriate policy token from the Zscaler App Portal>


    REINSTALLDRIVER

    This forces a reinstallation of the driver, even if you already have a driver installed. Use this option if you are having issues with the currently installed driver.

    To add this option, enter REINSTALLDRIVER=1

    STRICTENFORCEMENT

    This allows you to require users to enroll with the Zscaler App before accessing the Internet.

    NOTE: Adding this install option requires that you provide values for CLOUDNAME and POLICYTOKEN install options as well.

    To add this option, enter STRICTENFORCEMENT=1

    USERDOMAIN

    This allows users to skip the Zscaler App enrollment page. Users are taken right to your organization's SSO login page.

    NOTES:

    SSO must be enabled for your organization.

    If you've integrated your SSO with the Zscaler App (using a mechanism like Integrated Windows Authentication (IWA)), users can also skip the SSO login page and are automatically enrolled with Zscaler service and logged in.

    To add the option, enter USERDOMAIN=<your organization's domain name>.

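    The following PowerShell wrapper is an added example, not part of the Zscaler article: it assembles the msiexec command line described above from named parameters, enforces the dependency the article states (STRICTENFORCEMENT requires CLOUDNAME and POLICYTOKEN), and checks the installer's exit code. The /norestart and /l*v switches are standard msiexec switches not mentioned in the article; the MSI path and token values are placeholders supplied by the caller.

```powershell
# Added example, not from the Zscaler article: builds and runs the msiexec
# command line for the Zscaler App MSI with the install options described above.
# INSTALLDRIVERCERT is deliberately left out, as in the article's own example.
param(
    [Parameter(Mandatory)] [string]$MsiPath,   # e.g. C:\...\Zscaler-windows-<version>-install.msi (placeholder)
    [string]$CloudName,                        # CLOUDNAME, lowercase, e.g. zscalertwo
    [string]$DeviceToken,                      # DEVICETOKEN from the Zscaler App Portal
    [string]$PolicyToken,                      # POLICYTOKEN for the pre-enrollment App Profile
    [string]$UserDomain,                       # USERDOMAIN, e.g. example.com (placeholder)
    [switch]$HideAppUIOnLaunch,                # HIDEAPPUIONLAUNCH=1
    [switch]$ReinstallDriver,                  # REINSTALLDRIVER=1
    [switch]$StrictEnforcement,                # STRICTENFORCEMENT=1
    [string]$LogPath = "$env:TEMP\zscaler-app-install.log"   # verbose msiexec log (added here)
)

if (-not (Test-Path -LiteralPath $MsiPath -PathType Leaf)) {
    throw "MSI not found: $MsiPath"
}

# The article states STRICTENFORCEMENT=1 requires CLOUDNAME and POLICYTOKEN as well.
if ($StrictEnforcement -and (-not $CloudName -or -not $PolicyToken)) {
    throw "STRICTENFORCEMENT=1 requires both -CloudName and -PolicyToken."
}
# The cloud name must be lowercase, without the .net suffix (e.g. zscalertwo).
if ($CloudName -and ($CloudName -cne $CloudName.ToLowerInvariant() -or $CloudName -like '*.net')) {
    throw "CloudName must be the lowercase cloud name without '.net', e.g. zscalertwo"
}

# Only emit the public properties that were actually set.
$properties = [ordered]@{
    CLOUDNAME         = $CloudName
    DEVICETOKEN       = $DeviceToken
    HIDEAPPUIONLAUNCH = $(if ($HideAppUIOnLaunch) { '1' })
    POLICYTOKEN       = $PolicyToken
    REINSTALLDRIVER   = $(if ($ReinstallDriver) { '1' })
    STRICTENFORCEMENT = $(if ($StrictEnforcement) { '1' })
    USERDOMAIN        = $UserDomain
}

$msiArgs = @('/i', "`"$MsiPath`"", '/quiet', '/norestart', "/l*v `"$LogPath`"")
foreach ($name in $properties.Keys) {
    if ($properties[$name]) { $msiArgs += "$name=$($properties[$name])" }
}

Write-Host "Running: msiexec.exe $($msiArgs -join ' ')"
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru

# Standard Windows Installer codes: 0 = success, 3010 = success, reboot required.
if ($proc.ExitCode -notin @(0, 3010)) {
    throw "Zscaler App install failed with exit code $($proc.ExitCode); see $LogPath"
}
Write-Host "Install finished with exit code $($proc.ExitCode)"
```

    Run it from an elevated prompt, for example with -StrictEnforcement -CloudName zscalertwo -PolicyToken <token> -UserDomain <domain>, and the script refuses to start msiexec if the required companion options are missing.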

  • Overview

    The Device Posture feature is relevant only if your organization is using the Zscaler App for Private Access (ZPA).

    The device posture profile is a set of criteria that a user's device must meet in order to access applications with ZPA. You can select a device posture profile when configuring access policies or application group policies in the ZPA admin portal.

    However, you must configure these device posture profiles in the Zscaler App Portal. For each posture profile you add, you must do one of the following:

    Upload a valid certificate trusted by your users' systems.

    Specify a file path that can be found on your users' systems.

    When a user requests an application through ZPA, the ZEN provides access only if the user has permission to the requested application and the user's device meets the required posture profile -- in other words, the user's system trusts the certificate or has the file specified in the posture profile.

    Configuration Instructions

    From the Zscaler admin portal, go to Policy > Zscaler App Portal.

    In the Zscaler App Portal, go to Administration from the top menu, then from the left menu, select Device Posture.

    Click Add Device Posture Profile to open the Add Device Posture window.

    Name: Enter a name for the device posture profile.

    Platform: Select Windows or Mac or both. NOTE: If you select both, you can only select the certificate as your posture type. You will not be able to select a file path.

    Posture Type: Do one of the following.

    Select Certificate from the dropdown menu and upload a certificate trusted by your organization's users. Zscaler accepts .pem and .cer files, and you can upload any one of the following:

    A client certificate

    An intermediate certificate

    A certificate chain

    A root CA certificate

    Select FilePath from the dropdown menu and enter a file path that can be found on your users' systems. For example, you can enter C:\Program Files(x86)\Example\AV.txt.

    Add a Device Posture Description (optional).

    Click Save.

    As a last step, ensure that your users' systems are properly configured:

    If using the certificate posture type, ensure your users' systems trust the certificate you uploaded for the device posture profile.

    If using the file path posture type, ensure your users' systems have the file in the correct location.
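    The following PowerShell script is an added example, not part of the Zscaler article: it checks on a Windows endpoint the two conditions a posture profile can require, namely that the uploaded certificate chains to a root the system trusts and that the specified file exists. The certificate path and file path are placeholders, and "trusted" is interpreted here as a successful Windows chain build.

```powershell
# Added example, not from the Zscaler article: verifies the two device posture
# conditions on a Windows endpoint before users depend on them.
param(
    [string]$CertificateFile = 'C:\Deploy\posture-cert.cer',               # placeholder: the .cer/.pem uploaded to the profile
    [string]$RequiredFilePath = 'C:\Program Files (x86)\Example\AV.txt'    # placeholder: the file path set in the profile
)

function Test-PostureCertificateTrusted {
    param([string]$Path)
    # X509Certificate2 loads both DER (.cer) and Base64/PEM encoded files.
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # The question is trust, not revocation, so do not go online for CRL/OCSP checks.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $trusted = $chain.Build($cert)
    # Build() succeeds only if the chain ends in a root present in the machine or user
    # Trusted Root store, which covers the root, intermediate, chain and client cases
    # the article lists. ChainStatus explains a failure (e.g. UntrustedRoot, PartialChain).
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    [pscustomobject]@{
        Subject     = $cert.Subject
        Thumbprint  = $cert.Thumbprint
        Trusted     = $trusted
        ChainStatus = $(if ($status) { $status } else { 'OK' })
    }
}

function Test-PostureFilePresent {
    param([string]$Path)
    # -LiteralPath avoids wildcard interpretation of characters such as '(' in the path.
    [pscustomobject]@{
        Path    = $Path
        Present = (Test-Path -LiteralPath $Path -PathType Leaf)
    }
}

if (Test-Path -LiteralPath $CertificateFile -PathType Leaf) {
    Test-PostureCertificateTrusted -Path $CertificateFile | Format-List
} else {
    Write-Warning "Certificate file not found: $CertificateFile"
}
Test-PostureFilePresent -Path $RequiredFilePath | Format-List
```

    A device that reports Trusted = False or Present = False will fail the corresponding posture profile, so this is the check to run when a user is unexpectedly denied access to a ZPA application.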

  • The Zscaler App is an application installed on your device to ensure that your Internet traffic and access to your organization's internal apps are secure and in compliance with your organization's policies, even when you're off your corporate network.

    No matter where you're accessing the web, the app ensures that your traffic is forwarded to and protected by the Zscaler web security service.

    Additionally, with Zscaler Private Access (ZPA) enabled, you can also securely access your organization's internal resources from any location.

    The Zscaler App is designed to provide a seamless user experience. It automatically recognizes when you are connected to a trusted network (for example, your corporate office network) and, depending on your organization's configuration, can disable its web security service and ZPA accordingly. It can also recognize when you connect to wifi hotspots (for example, at airports, hotels, and cafés) where you must pay or accept a use policy before connecting. The app disables its services for a period of time and re-enables itself after you've had a chance to complete the steps necessary to connect.

    Once you log in with your user ID and complete a one-step device enrollment process, you can begin safely connecting to the web and to your organization's internal applications and services with the Zscaler App.

    This guide takes you through the features of the Zscaler App. Each section links you to the appropriate article for each feature.

    A. Enrolling with the Zscaler Service

    Before you can use the Zscaler App, you must enroll with the Zscaler service. For instructions on how to enroll, see How do I enroll with the Zscaler service on the Windows version of Zscaler App?

    B. Zscaler App Features

    Once you have enrolled with the Zscaler service on the Zscaler App, you can view the following features.

    You can click the following buttons:

    Click the log out button on the top right-hand corner to log out of the app. You may be required to enter a password your organization's admin has set for the app. Note that if you log out of the app, you must complete enrollment again when you log back in.

    Click the minimize button to minimize the window without closing it.

    Click the maximize button to maximize the window.

    Click the close button to close the window. Note however that this does not log you out of the app.

    The app features Zscaler App's services in the menu on the left. The example above shows the menu options for an organization that has subscribed both to the Zscaler Private Access (ZPA) and Zscaler Web Security services. If your organization is not subscribed to one of those services, you will not see that option in the left menu.

    See below for further details about the tasks you can perform with the Zscaler App.

    View information about Private Access

    View information about Web Security

    View notifications

    Configure system tray notification settings

    Troubleshoot Zscaler App

    View app information

    C. Tray Icon Options

    The Zscaler App displays an icon in the system tray. To learn about tray icon options, see What are the Zscaler App tray icon options for Windows?

  • The directory groups you configured in the Zscaler admin portal are automatically available for selection in the Zscaler App Portal, allowing you to create different Zscaler App profiles for different groups in your organization.

    The groups in the Zscaler App Portal sync with groups in the Zscaler admin portal every 6 hours.

    In the Zscaler App Portal, you can check when the next sync will occur. You can also manually sync groups between the two portals. See below for instructions.

    Checking Next Sync Time and Performing Manual Sync

    From the Zscaler admin portal, go to Policy > Zscaler App Portal.

    In the Zscaler App Portal, go to Administration from the top menu.

    Select Zscaler App Support from the menu on the left.

    Go to the Advanced Configuration tab.

    The next sync time is listed under Next Directory Group Sync Time.

    To manually sync directory groups between the Zscaler admin portal and the Zscaler App Portal, click Sync Groups.

  • Zscaler App displays error messages in the Status row.

    Following is a list of possible error messages, along with an explanation of the error, and the action users can take to resolve the error.

    Intermediate Authentication Error
    Explanation: A tunnel authentication error has occurred because an intermediate proxy service has intercepted the app authentication request.
    Required Action: None

    Chaining Authentication Error
    Explanation: A tunnel authentication error has occurred due to proxy chaining.
    Required Action: None

    Authenticating...
    Explanation: A tunnel authentication error has occurred because the SME is waiting for user configuration.
    Required Action: None

    Network Error
    Explanation: No network interface can be detected.
    Required Action: Click Retry to resolve the error.*

    Internal Error
    Explanation: An internal socket problem has been detected.
    Required Action: Click Retry to resolve the error.*

    Connection Error
    Explanation: The ZEN cannot be reached.
    Required Action: Click Retry to resolve the error.*

    Driver Error
    Explanation: A Windows driver installation issue has been detected, and the tunnel interface cannot be started.
    Required Action: In the More window, click Repair App.**

    Local FW/AV Error
    Explanation: The device has a firewall or antivirus program blocking Zscaler App traffic.
    Required Action: Contact your administrator for any required configuration changes on the device.

    Trusted Network Detected
    Explanation: The device is connected to a trusted network.
    Required Action: None

    VPN Trusted Network
    Explanation: The Zscaler App is in a fail-open state because a VPN connection taking all routes has been detected.
    Required Action: None

    Captive Portal Detected
    Explanation: The Zscaler App is in a fail-open state because a captive portal has been detected.
    Required Action: Click Retry to resolve the error.*

    Captive Portal Error
    Explanation: The user has not resolved the captive portal within the time configured in the Zscaler App Portal. The error message disappears when the user reconnects.
    Required Action: Click Retry to resolve the error.*

    * Retry
    ** Repair App

  • This article provides instructions on enrolling with the Zscaler service using the Windows version of the Zscaler App.

    When the Zscaler App is installed on your device, you can open the app with one of the following options:

    Double-click the Zscaler App desktop icon.

    OR

    Right-click the Zscaler App tray icon, then select Open Zscaler.

    An enrollment page appears, as shown below. Note the menu at the top right-hand corner, which enables you to do the following:

    View the license agreement

    View information about the Zscaler App, including the version number.

    You must enter a username and click Login. The username must be in email format, unless your organization's admin configured settings so that you can log in without entering your organization's domain.

    Based on your organization's authentication mechanism, you may be prompted to complete one of the following steps:

    You may simply be required to enter a password and click Login (see image below).

    You may be redirected to your organization's SSO form (see example below, in which Okta is the SSO provider). Enter your credentials and log in.

    If your organization has configured an Acceptable Use Policy (AUP), the AUP window will appear. You must accept the AUP to proceed to enrollment. If your organization does not have an AUP, the app will proceed directly to enrollment.

    Once the app completes enrollment, the app is ready for use.

    For information about Zscaler App features, see B. Zscaler App Features in Using the Zscaler App: Windows.

  • You can use the application package to manually install the Zscaler App on a device, or if you're deploying the Zscaler App to your users via device management methods that support Mac devices.

    After downloading the Zscaler App package, you can simply install the file as is.

    You can also install the Zscaler App with various command line options to customize the Zscaler App for your organization. See below for instructions.

    Install the Package with Command-Line Options

    You can add options in Mac with the following steps:

    Open the Applications folder.

    Open the Utilities folder.

    Double-click on the Terminal icon.

    Enter the command below followed by the options you want:

    sudo sh <package file location>/Contents/MacOS/installbuilder.sh

    The available options are:

    --cloudName

    --deviceToken

    --hideAppUIOnLaunch

    --mode

    --policyToken

    --reinstallDriver

    --strictEnforcement

    --unattendedmodeui

    --userDomain

    The image below is an example of a command line that uses all the available options above, where:

    The package file location is /Users/Grace/Downloads/Zscaler-osx-1.2.0.000259-installer.app

    The cloud on which the organization is provisioned is zscalertwo.net

    The device token value is 123456789

    The policy token value is 987654321

    The organization's domain name is safemarch.com

    The image has been annotated to show the different components.

    --cloudName

    If your organization is provisioned on more than one cloud, during the enrollment process, your users are asked to select the cloud to which their traffic is sent. See image.

    With this install option, you can specify the cloud to which the App must send user traffic so that your users do not have to make the selection during enrollment. Do not use this option if your organization is provisioned on one cloud. The Zscaler App automatically sends traffic to the right cloud and your users do not encounter this step.

    NOTE: This install option is required if you enable the --strictEnforcement option.

    To add the option, enter --cloudName <your organization's cloud name in lowercase letters>. See What is my cloud name? to learn how to find your cloud name.

    Example (where an organization's cloud is zscalertwo.net):

    --cloudName zscalertwo

    --deviceToken

    This allows you to use the Zscaler App Portal as an IdP. With this option, Zscaler can silently provision and authenticate users even if you don't have an authentication mechanism in place.

    NOTE: Before adding this option, you must have generated the device token in the Zscaler App Portal and completed the full configuration detailed in Using the Zscaler App Portal as an IdP.

    To add the option, enter --deviceToken <device token from the Zscaler App Portal>. You must obtain the appropriate device token from the Zscaler App Portal.

    Example (where device token is 123456789):

    --deviceToken 123456789

    --hideAppUIOnLaunch

    This forces the Zscaler App window to stay hidden before users enroll with the App. Users can always open the window by clicking the Zscaler App icon in the system tray.

    To add this option, enter --hideAppUIOnLaunch 1

    --mode

    This allows you to install the Zscaler App in silent mode.

    To add this option, enter --mode unattended

    Note that on Mac, if you add this option, you must also add the --unattendedmodeui option with the value none.

    --policyToken

    This install option is only applicable (and required) if you enable --strictEnforcement and want users to enroll with the Zscaler App before accessing the Internet. This option allows you to specify which App Profile policy you want to enforce for the App before the user enrolls. All relevant settings associated with the policy will apply, including the bypass of the IdP login page. Once the user enrolls, this policy is replaced with the App Profile policy that matches the user based on group affiliation.

    NOTE:

    In the Zscaler App Portal, you must have configured the App Profile policy that you want to enforce and ensured that the custom PAC file associated with that policy includes a bypass for your IdP login page. This allows the user to reach the IdP page and log in as necessary before enrolling with the Zscaler App. Once you configure an App Profile policy, the Zscaler App Portal automatically generates a policy token. You must use this policy token as the value for this option.

    To add the option, enter --policyToken <policy token from the Zscaler App Portal>. Note that you must also add --strictEnforcement 1 and --cloudName <your organization's cloud name in lower case letters>.

    Example (where policy token is 123456789 and the cloud is zscalertwo.net): --strictEnforcement 1 --policyToken 123456789 --cloudName zscalertwo

    --reinstallDriver

    This forces a reinstallation of the driver, even if you already have a driver installed. Use this option if you are having issues with the currently installed driver.

    To add this option, enter the following: --reinstallDriver 1

    --strictEnforcement

    This allows you to require users to enroll with the Zscaler App before accessing the Internet.

    NOTE: Adding this install option requires that you provide values for --cloudName and --policyToken options as well. See more about the --policyToken and --cloudName options above.

    To add this option, enter --strictEnforcement 1 --policyToken <policy token from the Zscaler App Portal> --cloudName <your organization's cloud name in lower case letters>

    Example (where policy token is 123456789 and the cloud is zscalertwo.net): --strictEnforcement 1 --policyToken 123456789 --cloudName zscalertwo

    --unattendedmodeui

    This allows you to control what's displayed to users if you are performing an unattended installation of the Zscaler App.

    To add this option, enter the following: --unattendedmodeui <none, minimal, or minimalWithDialogs>, where:

    none: Nothing is displayed to users and no interaction is required. If you add the --mode unattended option (see above), you must also add this option with the value none to ensure nothing is displayed to users.

    minimal: Very little is displayed to the user (for example, a small progress bar showing installation progress).

    minimalWithDialogs: More information is displayed to the user with some dialogs that require user interaction.

    Example: --unattendedmodeui none

    --userDomain

    This allows users to skip the Zscaler App enrollment page. Users are taken right to your organization's SSO login page.

    NOTES:

    SSO must be enabled for your organization.

    If you've integrated your SSO with the Zscaler App (using a mechanism like Integrated Windows Authentication (IWA)), users can also skip the SSO login page and are automatically enrolled with Zscaler service and logged in.

    To add this option, enter the following: --userDomain <your organization's domain>

    Example (where organization's domain name is zscaler.com): --userDomain zscaler.com

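    The install procedure above, assembled into a checked command line as an added example (not Zscaler's own tooling): the shell function below takes the installer path and the documented options, enforces the dependencies between them that the option descriptions state (strictEnforcement needs cloudName and policyToken, unattended mode on Mac needs unattendedmodeui none, cloudName is the bare lowercase cloud name), and prints the resulting installbuilder.sh command without running it. The installer path and token values are whatever the caller supplies; the demo call reuses the sample values from this article.

```shell
#!/bin/sh
# Added example, not Zscaler's own tooling: assemble the installbuilder.sh
# command line from the documented options and check the documented
# constraints before anything runs. Nothing here executes the installer;
# the caller decides whether to run the printed command.

err() { echo "error: $1" >&2; }

# zapp_install_cmd <path to installer .app> [--option value ...]
# Prints the complete command and returns 0, or prints the violated rule
# and returns 1.
zapp_install_cmd() {
    pkg="$1"
    [ -n "$pkg" ] || { err "installer .app path required"; return 1; }
    shift
    cloud=""; dtoken=""; hide=""; mode=""; ptoken=""
    driver=""; strict=""; umui=""; domain=""

    while [ $# -gt 0 ]; do
        [ $# -ge 2 ] || { err "$1 requires a value"; return 1; }
        case "$1" in
            --cloudName)         cloud="$2" ;;
            --deviceToken)       dtoken="$2" ;;
            --hideAppUIOnLaunch) hide="$2" ;;
            --mode)              mode="$2" ;;
            --policyToken)       ptoken="$2" ;;
            --reinstallDriver)   driver="$2" ;;
            --strictEnforcement) strict="$2" ;;
            --unattendedmodeui)  umui="$2" ;;
            --userDomain)        domain="$2" ;;
            *) err "unknown option $1"; return 1 ;;
        esac
        shift 2
    done

    # The three switch-style options take the value 1 only.
    for pair in "hideAppUIOnLaunch=$hide" "reinstallDriver=$driver" \
                "strictEnforcement=$strict"; do
        val="${pair#*=}"
        [ -z "$val" ] || [ "$val" = "1" ] ||
            { err "--${pair%%=*} only accepts the value 1"; return 1; }
    done

    # cloudName is the bare cloud name in lowercase (cloud zscalertwo.net
    # is given as --cloudName zscalertwo).
    if [ -n "$cloud" ]; then
        lower=$(printf '%s' "$cloud" | tr 'A-Z' 'a-z')
        [ "$cloud" = "$lower" ] || { err "--cloudName must be lowercase"; return 1; }
        case "$cloud" in
            *.*) err "--cloudName takes the cloud name only (zscalertwo, not zscalertwo.net)"; return 1 ;;
        esac
    fi

    # strictEnforcement, policyToken and cloudName are used as a set.
    if [ "$strict" = "1" ]; then
        [ -n "$cloud" ] && [ -n "$ptoken" ] ||
            { err "--strictEnforcement 1 requires --cloudName and --policyToken"; return 1; }
    elif [ -n "$ptoken" ]; then
        err "--policyToken is only applicable with --strictEnforcement 1"; return 1
    fi

    # Silent install on Mac: --mode unattended must be paired with
    # --unattendedmodeui none.
    if [ -n "$mode" ]; then
        [ "$mode" = "unattended" ] || { err "--mode only accepts unattended"; return 1; }
        [ "$umui" = "none" ] ||
            { err "--mode unattended requires --unattendedmodeui none on Mac"; return 1; }
    fi
    case "$umui" in
        ""|none|minimal|minimalWithDialogs) ;;
        *) err "--unattendedmodeui must be none, minimal or minimalWithDialogs"; return 1 ;;
    esac

    # Emit the options in the order the option list above gives them.
    cmd="sudo sh \"$pkg/Contents/MacOS/installbuilder.sh\""
    [ -z "$cloud" ]  || cmd="$cmd --cloudName $cloud"
    [ -z "$dtoken" ] || cmd="$cmd --deviceToken $dtoken"
    [ -z "$hide" ]   || cmd="$cmd --hideAppUIOnLaunch $hide"
    [ -z "$mode" ]   || cmd="$cmd --mode $mode"
    [ -z "$ptoken" ] || cmd="$cmd --policyToken $ptoken"
    [ -z "$driver" ] || cmd="$cmd --reinstallDriver $driver"
    [ -z "$strict" ] || cmd="$cmd --strictEnforcement $strict"
    [ -z "$umui" ]   || cmd="$cmd --unattendedmodeui $umui"
    [ -z "$domain" ] || cmd="$cmd --userDomain $domain"
    printf '%s\n' "$cmd"
}

# Demo with the sample values from the article: strict enforcement with the
# pre-enrollment policy token, silent install, SSO domain pre-filled.
zapp_install_cmd /Users/Grace/Downloads/Zscaler-osx-1.2.0.000259-installer.app \
    --cloudName zscalertwo --deviceToken 123456789 --policyToken 987654321 \
    --strictEnforcement 1 --mode unattended --unattendedmodeui none \
    --userDomain safemarch.com
```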

    View Article
  • The Zscaler App is an application installed on your device to ensure that your Internet traffic and access to your organization's internal apps are secure and in compliance with your organization's policies, even when you're off your corporate network.

    No matter where you're accessing the web, the app ensures that your traffic is forwarded to and protected by the Zscaler web security service.

    Additionally, with Zscaler Private Access (ZPA) enabled, you can also securely access your organization's internal resources from any location.

    The Zscaler App is designed to provide a seamless user experience. It automatically recognizes when you are connected to a trusted network (for example, your corporate office network) and, depending on your organization's configuration, can disable its web security service and ZPA accordingly. It can also recognize when you connect to wifi hotspots (for example, at airports, hotels, and cafés) where you must pay or accept a use policy before connecting. The app disables its services for a period of time and re-enables itself after you've had a chance to complete the steps necessary to connect.

    Once you log in with your user ID and complete a one-step device enrollment process, you can begin safely connecting to the web with the Zscaler App.

    This guide takes you through the features of the Zscaler App. Each section links you to the appropriate article for each feature.

    A. Enrolling with the Zscaler Service

    Before you can use the Zscaler App, you must enroll with the Zscaler service. For instructions on how to enroll, see How do I enroll with the Zscaler service on the Mac version of Zscaler App?

    B. Zscaler App Features

    Once you have enrolled with the Zscaler service on the Zscaler App, you can view the following features.

    You can click the following buttons:

    Click the log out button on the top right-hand corner to log out of the app. You may be required to enter a password your organization's admin has set for the app. Note that if you log out of the app, you must complete enrollment again when you log back in.

    Click the minimize button to minimize the window without closing it.

    Click the maximize button to maximize the window.

    Click the close button to close the window. Note however that this does not log you out of the app.

    The app features Zscaler App's services in the menu on the left. The example above shows the menu options for an organization that has subscribed both to the Zscaler Private Access (ZPA) and Zscaler Web Security services. If your organization is not subscribed to one of those services, you will not see that option in the left menu.

    See below for further details about the tasks you can perform with the Zscaler App.

    View information about Private Access

    View information about Web Security

    View notifications

    Configure menu bar notification settings

    Troubleshoot Zscaler App

    View app information

    C. Menu Bar Options

    The Zscaler App displays an icon in the menu bar. To learn about menu bar options, see What are the Zscaler App menu bar options for Mac OS X?

    View Article
  • Release Date: January 25, 2016

    Zscaler App provides a lightweight and enforceable agent to connect your organization's users to the Zscaler web security service on a variety of device platforms, including Windows PC (Win 7 and above), Mac OS X (version 10.10 and above) and virtual computing platforms such as Amazon Workspaces and VMware Horizons. Zscaler App uses an HTTP Tunnel (called the Z-Tunnel) for traffic forwarding and supports all authentication methods supported by the Zscaler service. Following are some key Zscaler App features:

    Enforceable web security: The Zscaler App can protect against users uninstalling, logging out of, and tampering with software.

    Forwards all web traffic for scanning: The Zscaler App does not rely on PAC files for traffic forwarding or cookies for authentication. A tunnel-based approach ensures that all Internet-bound web traffic is sent to Zscaler's cloud service and that apps are not bypassing security controls.

    Trusted network detection: This capability provides an option to detect when users are on a corporate network and turn off the Z-Tunnel automatically. The app also supports captive portal detection and fail-open configuration in case of remote connectivity issues.

    Device-level reporting and fingerprinting: The Zscaler App Portal maps devices to users and provides device-level details. The app also fingerprints each device and provides an option to remotely remove the security profile from any enrolled device.

    Auto-update support: The Zscaler App supports auto-updates to new versions, along with an option to update the app manually in a controlled manner.

    Enhanced support options: The Zscaler App provides an option to report issues your users submit through the app to your organization's help desk, and optionally, send encrypted logs to Zscaler Support for further analysis.

    Inter-operability with major VPN clients: If your VPN supports split tunneling, the Zscaler App can handle all Internet-bound routes without interfering with traffic sent to your internal network.

    Zscaler App documentation is available now.

    View Article
  • This article provides an overview of the Private Access window of the Windows version of the Zscaler App.

    This window features connectivity information and traffic statistics for Zscaler Private Access (ZPA).

    Connectivity

    Username: Displays the username with which you are logged into the app.

    Status: Displays the app connection status. You can click Turn Off if you want to turn off the Z-tunnel and disable the ZPA service while remaining logged in to the app. Depending on your organization's policies, you may be required to enter a password. The ZPA service will be disabled until you click Turn On.

    Time Connected: Displays your initial connection time for the present session.

    Statistics

    Total Bytes Sent: Displays in real time bytes of traffic sent from your computer through the Z-tunnel.

    Total Bytes Received: Displays in real time bytes of traffic received by your computer through the Z-tunnel.

    For information about other Zscaler App features, see B. Zscaler App Features in Using the Zscaler App: Windows.

    View Article
  • To allow users to bypass the Zscaler App when they browse to your organization's identity federation URL for authentication, add a custom PAC file in your app profile with the following steps:

    From the Zscaler admin portal, go to Policy > Zscaler App Portal.

    In the Zscaler App portal, go to App Profiles from the top menu.

    Click Personal Computers from the left menu, then click Mac OS X or Windows.

    If you're adding a new policy, click Add [OS X Policy or Windows] Policy. If you're editing an existing policy, locate the relevant policy and click the Edit icon.

    Under Custom PAC URL, enter the PAC file.

    Click Save.

    View Article
  • Release Date: March 15, 2016

    The Zscaler App Portal now provides simplified configuration for VPN interoperability with an option to define the VPN Gateway by hostname or IP address in the Zscaler App profile.

    You can find an explanation of error messages displayed by the Zscaler App, along with remediation steps, in the Zscaler Help Portal.

    The app now supports Caution and Block Override policy actions.

    You can now find authenticated user information on ip.zscaler.com.

    The app now supports querying the Windows PC registry to check the status of the proxy service.

    Maintenance bug fixes include:

    Fix for Blue Screen of Death on certain Windows 7 clients.

    VPN interoperability bug fixes.

    Other bug fixes.

    View Article
  • This article provides instructions on enrolling with the Zscaler service using the Mac OS X version of the Zscaler App.

    Open the Zscaler App window by clicking Open on the Zscaler App icon in the menu bar.

    An enrollment page appears, as shown below. Note the menu at the top right-hand corner, which enables you to do the following:

    View information about the Zscaler App, including the version number.

    View the license agreement

    You must enter a username and click Login. The username must be in email format, unless your organization's admin configured settings so that you can log in without entering your organization's domain.

    Based on your organization's authentication mechanism, you may be prompted to complete one of the following steps:

    You may simply be required to enter a password and click Login (see image below).

    You may be redirected to your organization's SSO form (see example below, in which Okta is the SSO provider). Enter your credentials and log in.

    If your organization has configured an Acceptable Use Policy (AUP), the AUP window will appear. You must accept the AUP to proceed to enrollment. If your organization does not have an AUP, the app will proceed directly to enrollment.

    Once the app completes enrollment, the app is ready for use.

    For information about Zscaler App features, see B. Zscaler App Features in Using the Zscaler App: Mac OS X.

    View Article
  • This article provides an overview of the Web Security window of the Windows version of the Zscaler App.

    This window features connectivity information and traffic statistics for Zscaler App.

    Connectivity

    Username: Displays the username with which you are logged into the app.

    Status: Displays the app connection status. Click Turn Off if you want to disable the web security service while remaining logged in to the app. Depending on your organization's policies, you may be required to enter a password. The web security service will be disabled until you click Turn On.

    Server: Displays the host name of the server to which your traffic is being forwarded.

    Client: Displays your client IP address.

    Time Connected: Displays your initial connection time for the present session.

    Statistics

    Total Bytes Sent: Displays in real time bytes of traffic sent from your computer through the app.

    Total Bytes Received: Displays in real time bytes of traffic received by your computer through the app.

    For information about other Zscaler App features, see B. Zscaler App Features in Using the Zscaler App: Windows.

    View Article
  • This article provides an overview of the Private Access window of the Mac OS X version of the Zscaler App.

    This window features connectivity information and traffic statistics for Zscaler Private Access (ZPA).

    Connectivity

    Username: Displays the username with which you are logged into the app.

    Status: Displays the app connection status. You can click Turn Off if you want to turn off the Z-tunnel and disable the ZPA service while remaining logged in to the app. Depending on your organization's policies, you may be required to enter a password. The ZPA service will be disabled until you click Turn On.

    Time Connected: Displays your initial connection time for the present session.

    Statistics

    Total Bytes Sent: Displays in real time bytes of traffic sent from your computer through the Z-tunnel.

    Total Bytes Received: Displays in real time bytes of traffic received by your computer through the Z-tunnel.

    For information about other Zscaler App features, see B. Zscaler App Features in Using the Zscaler App: Mac OS X.

    View Article
  • Release Date: April 7, 2016

    The Zscaler App now supports MSI installer, which allows for easier deployment of the app with Active Directory. Both the MSI and EXE versions of the app file are available to download.

    View Article
  • This article provides an overview of the Notifications window of the Windows version of the Zscaler App. It also provides details on how to enable the app to show notifications in the system tray.

    This window provides the following information about the notifications that have been displayed to you.

    Application: Displays the name of the application relevant to the action that triggered the notification. In the example above, Zscaler is listed in the column because the notification was relevant only to the Zscaler App (you received the notification after disabling the app's web security service). As another example, if you attempt to upload content to Dropbox.com in violation of one of your organization's cloud app control policies, you would receive a notification and would see Dropbox.com in the Application column.

    Time: Displays the time the notification was displayed.

    Message: Displays the notification message.

    Click Clear All to clear all notifications from this page.

    Show notifications in the system tray

    To show notifications from the system tray icon:

    Click the More icon.

    In Settings, you can enable or disable system tray notifications. The setting is enabled by default. If notifications are enabled, you will see notifications in the tray icon as shown below.

    To learn more about the system tray icon, see What are the Zscaler App tray icon options for Windows?

    For information about other Zscaler App features, see B. Zscaler App Features in Using the Zscaler App: Windows.

    View Article
  • This article provides an overview of the Web Security window of the Mac OS X version of the Zscaler App.

    This window features connectivity information and traffic statistics for Zscaler App.

    Connectivity

    Username: Displays the username with which you are logged into the app.

    Status: Displays the app connection status. Click Turn Off if you want to disable the web security service while remaining logged in to the app. Depending on your organization's policies, you may be required to enter a password. The web security service will be disabled until you click Turn On.

    Server: Displays the host name of the server to which your traffic is being forwarded.

    Client: Displays your client IP address.

    Time Connected: Displays your initial connection time for the present session.

    Statistics

    Total Bytes Sent: Displays in real time bytes of traffic sent from your computer through the app.

    Total Bytes Received: Displays in real time bytes of traffic received by your computer through the app.

    For information about other Zscaler App features, see B. Zscaler App Features in Using the Zscaler App: Mac OS X.

    View Article
  • Web Security Enhancements

    The Zscaler App MSI file now provides the following options:

    You can require users to log in to the Zscaler App before they can access the Internet from their computers.

    You can allow users to bypass the initial Zscaler login screen if your organization uses SAML based identity federation to authenticate to the Zscaler service.

    You can install a network adapter signature certificate with the option INSTALLDRIVERCERT=1. When you use this option, you will not have to push certificates and the users will not be prompted to accept certificates themselves. (See How do I deploy the MSI Installer Package to install the Zscaler App? )

    When you configure Forwarding Profiles from the Zscaler App portal, you can now specify how the Zscaler App forwards traffic based on the network to which the user is connected.

    Following are the network types:

    On Trusted Network: The device is connected to a network that the Zscaler App has identified as a trusted network.

    On Trusted VPN Network: The device is connected to a trusted network through a third party VPN client.

    Off Trusted Network: The device is not connected to a trusted network.

    You can define any of the following traffic forwarding modes:

    Tunnel Mode: Zscaler App establishes an HTTP Connect mode tunnel with a Zscaler Enforcement Node (ZEN). This mode forwards all port 80/443 traffic to the Zscaler service from a device.

    Tunnel with Local Proxy Mode: Zscaler App sets up an HTTP Connect tunnel with a ZEN for all port 80/443 traffic that follows the system proxy configuration. Please ensure that the PAC file used with this mode is configured with a loopback IP socket (127.0.0.1:9000 or 127.0.0.1:9001 must be added in the PAC file as the gateway).

    PAC Enforcement Mode: Zscaler App uses a PAC file without setting up an HTTP tunnel. Users may need to authenticate again with Zscaler service in this deployment mode.

    None: Traffic forwarding to the ZEN is turned off. (See How do I configure forwarding profiles for the Zscaler App?)

    From the Zscaler App portal, you can now specify multiple support admins to receive a copy of request emails and tickets when your users report an issue with the Zscaler App. (See How do I configure in-app support settings for the Zscaler App? )

    Users can refresh their Web Security policies and PAC file anytime by clicking Update Policy in the Troubleshoot menu in the More tab of the Zscaler App. (See Troubleshooting Zscaler App: Windows and Troubleshooting Zscaler App: Mac OS X.)

    Zscaler App has been verified to interoperate with an F5 VPN client in split tunnel as well as full tunnel mode.

    Zscaler Private Access Enhancements

    Zscaler App now supports UDP traffic for Zscaler Private Access (ZPA). UDP support provides coverage for real-time, connectionless application traffic, such as VoIP.

    In the Zscaler App portal, you can configure a Forwarding Profile for ZPA that specifies whether the Zscaler App enables or disables ZPA when it determines that the user is connected to a trusted network directly or through a VPN, and when the user is connected to an untrusted network.

    Zscaler App now supports wildcard search domains to resolve all domains associated with phrase and wildcard characters.

    Zscaler App supports SRV records for DNS resolution to support clients that perform an SRV query. This can be used, for example, with Kerberos authentication.

    Known Issues

    Some users may encounter the 'Blue Screen of Death (BSOD)' on their Windows computer when they run Zscaler App in Tunnel mode with certain versions of a third party anti-virus client. This can be resolved by using either the Tunnel with Local Proxy or PAC Enforcement Forwarding profile of the Zscaler App.

    Some users may encounter VoIP applications that may work erroneously. This can be resolved by using either the Tunnel with Local Proxy or PAC Enforcement Forwarding profile of the Zscaler App.

    View Article
  • The instructions below are relevant only if you have a strict GPO policy restricting the certificates that can be installed on your organization's devices.

    Starting with Zscaler App 1.2, the network adapter certificate is automatically installed with the App. If you are using an earlier version of the App, you must add an install option (see details for MSI or EXE ) to silently install the network adapter signature certificate along with the App.

    If you have a strict GPO policy restricting the certificates that can be installed on your organization's devices, you must download the network adapter signature certificate from the Zscaler App Portal then import it into your system trust store to enable silent installation of the Zscaler App on your OU computers. See the instructions below.

    Download the Network Adapter Signature Certificate

    From the Zscaler admin portal, go to Policy > Zscaler App Portal.

    In the Zscaler App portal, go to Administration, then to Zscaler App Store.

    Click Download Client Certificates at the top right hand corner.

    Save the certificates to a location of your choice.

    Add the Zscaler Network Adapter Signature Certificate to the System Trust Store

    Select the OU GPO policy you created for the Zscaler App and click Edit.

    Go to Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Trusted Publishers. Right-click and click Import. Locate and import the Zscaler Network Adapter Signature Certificates (both SHA-1 and SHA-2).

    Execute the command gpupdate.exe /force to update.

    Verify that the certificate has been imported to the trust store of the OU's Windows computers with the following steps:

    Log in to a remote Windows computer and go to Run > certmgr.msc.

    Go to Trusted Publishers and verify that the certificates defined with the GPO Policy have been imported into the trust store of the computer.

    View Article
  • Following are further details about the Troubleshoot menu features of the Windows version of the Zscaler App.

    Report an Issue: If your organization's admin enabled in-app support access, you can use this feature to report an issue. When you submit the form, depending on your organization's set-up, the app may either send an email to your organization's support admin or submit a ticket directly to Zscaler Support (your support admin will receive a copy of this ticket as well). After you submit the form, you will receive an email acknowledging the support request. For instructions on completing the form, see How do I report an issue with the Windows version of Zscaler App?

    Restart Service: You can click to restart the app. Restarting does not impact security enforcement.

    Update Policy: You can click to manually refresh your web security policies and PAC file.

    Repair App: If you select this option, the app will attempt to repair itself by reinstalling app drivers and services. Zscaler recommends you try this option before reporting an issue.

    Clear Logs: You can clear stored logs.

    Log Mode: You can change the mode in which the app generates logs, but the change is effective for that connection session only. At the start of the next connection session, the app returns to the default log mode set by your organization. Below is a description of each log mode.

    Error: Logs only when the app encounters an error and functionality is affected.

    Warn: Logs when a) the app is functioning but is encountering potential issues or b) when conditions for the Error log mode are met.

    Info: Logs a) general app activity or b) when conditions for the Warn log mode are met.

    Debug: Logs a) all app activity that could assist Zscaler Support in debugging issues or b) when conditions for the Info log mode are met.

    For information about other Zscaler App features, see B. Zscaler App Features in Using the Zscaler App: Windows.

    View Article
  • This article provides an overview of the Notifications window of the Mac OS X version of the Zscaler App. It also provides details on how to enable the app to show notifications in the menu bar.

    This window provides the following information about the notifications that have been displayed to you.

    Application: Displays the name of the application relevant to the action that triggered the notification. In the example above, Zscaler is listed in the column because the notification was relevant only to the Zscaler App (you received the notification after disabling the app's web security service). As another example, if you attempt to upload content to Dropbox.com in violation of one of your organization's cloud app control policies, you would receive a notification and would see Dropbox.com in the Application column.

    Time: Displays the time the notification was displayed.

    Message: Displays the notification message.

    Click Clear All to clear all notifications from this page.

    Show notifications in the menu bar

    To show notifications from the menu bar icon:

    Click the More icon.

    In Settings, you can enable or disable menu bar notifications. The setting is enabled by default. If notifications are enabled, you will see notifications on the app icon as shown below.

    To learn more about the menu bar icon, see What are the Zscaler App menu bar options for Mac OS X?

    For information about other Zscaler App features, see B. Zscaler App Features in Using the Zscaler App: Mac OS X.

    View Article
  • Release Date: August 5, 2016

    Zscaler App 1.1.1 includes the following improvements and fixes:

    Improves the Z-Tunnel in local proxy mode to support dynamic port handling and caching of the local proxy PAC file. For more details, see How do I configure forwarding profiles for the Zscaler App?

    Fixes an issue where Windows devices were not able to enroll with the Zscaler App when FIPS mode was enabled for cryptography. The Zscaler App now uses FIPS-compliant cryptographic APIs in MSDN framework.

    Fixes an issue where the Zscaler App periodically displayed an Intermediate Authentication Error upon restarting. This was due to the deletion of the Zscaler App configuration file during log rollovers.

    Note: Users who experienced this with the previous version and had their App configuration file deleted will see this error even after updating to version 1.1.1. To resolve the issue, users need to log out and log in again.

    Fixes an issue where the Mac OS X version of the Zscaler App did not launch automatically if users upgraded their Mac OS X devices.

    Fixes an issue where if multiple users logged on and used the app on the same Mac OS X device in a short period of time, the Z-tunnel occasionally stopped functioning.

    Fixes an issue where the Zscaler App was periodically unable to connect to Zscaler Enforcement Nodes (ZENs) due to errors in the App's network adapter DNS settings.

    Fixes an issue where users were not able to connect to the Box.com Sync client if the Zscaler App was deployed in local proxy mode.

    Fixes an issue where the Zscaler App periodically failed to receive regular App profile updates on non-English versions of Windows PC.

    Fixes an issue where the Zscaler App was unable to apply proxy settings to PPP adaptors on Windows devices.

    Fixes an issue where a raw socket error occurred periodically when users' Mac OS X devices woke from sleep mode, preventing the Zscaler App from connecting to ZENs and leaving the device with no Internet connectivity.

    Fixes an issue where the Zscaler App automatically logged out if the system keychain was locked on Mac OS X devices.

    Improves Zscaler App interoperability with the Charles Proxy for users on Mac OS X devices. The App now enforces Zscaler Proxy on the Charles Proxy application.

    Note: If installing the Charles Proxy after installing the Zscaler App, users must restart the Charles Proxy twice after installation so that the Zscaler App can automatically modify the Charles Proxy configuration for proxy chaining. If the Charles Proxy was already installed on a user's device before the Zscaler App is installed, the Zscaler App works seamlessly and users do not need to restart the Charles Proxy. For more details, please see How does the Zscaler App interoperate with the Charles Proxy?

    Known Issues

    In certain cases, when users uninstall the Zscaler App, users may be prompted for a system restart. If the user cancels the system restart prompt and installs the App again without restarting the system, the App will not launch. To avoid this issue, upon the system restart prompt, the user must restart the system and install the App.

    Under certain conditions on Windows devices, users with the Zscaler App may receive exception alerts while logging out of their devices.

    If users have Symantec AV installed on their device, the Zscaler App may not auto-update to the latest version.

  • On Mac OS X devices, the Zscaler App is interoperable with the web debugging proxy application Charles. If the Charles Proxy is detected, the Zscaler App creates a proxy chain. The Zscaler App automatically configures External Proxy Settings in the Charles application so that the user's system routes all traffic through the Charles Proxy first, then sends the traffic on to the Zscaler App.

    NOTE:

    If the Charles Proxy is installed after the Zscaler App: users must restart the Charles Proxy twice after installation so that the Zscaler App can automatically modify the Charles Proxy configuration for proxy chaining.

    If the Charles Proxy was already installed on a user's device before the Zscaler App is installed, the Zscaler App works seamlessly and users do not need to restart the Charles Proxy.

  • Admins can control whether users can request support directly from the Zscaler App. The Report an Issue option will appear in the app user interface and as a tray icon option only if the admin has enabled it in your Zscaler App Support configuration.

    To open the Report an Issue form, you can use one of the following options.

    Open the Zscaler App and click the More icon. From the Troubleshoot menu, click Report an Issue.

    OR

    Right-click the Zscaler App tray icon, then select Report An Issue.

    Completing the Report an Issue Form

    To complete the Report an Issue form, specify the following information.

    Name: Enter a name.

    The field to the right of the Name field is prepopulated with the email addresses of your organization's designated support admins.

    CC: If you want to copy anyone else on this support request, you can enter the email address here (if entering multiple addresses, they should be separated by commas). Note that your organization's support admins are always copied on support requests, even if you leave this field blank.

    Problem: You can select a category that describes the problem. Other is selected by default.

    Authentication: Select if you are having problems logging into the app.

    User Interface: Select if app features are not responding as expected.

    Network Connectivity: Select if the app is showing connectivity issues.

    Other: Select if you are unsure of the problem, or if the problem does not relate to the categories above.

    Priority: You can select a severity level for the problem. Normal is selected by default.

    Urgent: App cannot be used at all.

    High: App can be partially used but critical functions are not working.

    Normal: App can be used but some functions are not working.

    Low: App can be used but minor functions are not working.

    Comments: You can enter additional comments to describe the issue.

    Attach File: You can attach an applicable file (for example, a screenshot showing an error message).

    Show/Hide logs: You can show or hide logs in the Report an Issue window. Note that logs will always be automatically attached when you report an issue.

  • Release Date: August 30, 2016

    Zscaler App 1.1.2 includes the following improvements and fixes:

    Limited Availability: The Zscaler App Portal has been enhanced to act as an Identity Provider (IdP) for the Zscaler service. This feature provides support for silent authentication with Hosted Database and SAML-based single sign-on by enabling the Zscaler App to auto-provision devices and users for the Zscaler service. The App does this by gathering the user ID from a device when it enrolls with the Zscaler service and employs a device token parameter that must be predefined in the Zscaler App Portal.

    Fixes an issue where Windows devices could not reach some IP routes because older routes were not removed after the Zscaler App tunnel changed states from Connected to Fail Open, or vice versa. This was due to a known issue where, after such tunnel state changes, the Windows OS could not follow updated routes in the routing table. Cached routes are now removed from the device when adding new routes.

    Fixes an issue on the Mac OS X version of the Zscaler App where user login failed due to an error that prevented the web browser engine, WebKit, from redirecting URLs to the Zscaler App.

    Fixes an issue where HTTPS sites on non-443 ports were not loading through the Zscaler App when it was in Tunnel with Local Proxy mode. The Zscaler App considered CONNECT requests on non-443 ports to be HTTP requests in local proxy mode, leading to connection failures that resulted from the lack of a port for Server Name Indication (SNI).

    Fixes an issue where PAC files on Internet Explorer browsers were being removed after system restart (PAC files on Chrome and Firefox browsers were not affected). Now the Zscaler App removes the existing PAC file, if any, after restart, and then enforces the PAC file as configured in the Zscaler App profile.

    Fixes an issue where a user may encounter an Intermediate Authentication Error when the Zscaler App auto-updates immediately after login. This issue was reported only when the Zscaler Central Authority (CA) experienced high loads and device registration failed. As a workaround, the Zscaler App attempts to authenticate again after one minute when it encounters this error.

    Fixes an issue where the Zscaler App was not returning the correct local proxy PAC file when running in Tunnel with Local Proxy mode.

    Fixes an issue where the Zscaler App was incorrectly responding to DNS SRV record queries for Zscaler Private Access when the number of DNS resolution requests dropped in volume.

    Fixes an issue with the ZPA service where requests for access to an internal application occasionally received a response from a different internal application provisioned for the user.

    Fixes an issue with the ZPA service where Kerberos authentication failed for certain applications.

    Fixes an issue with the ZPA service where users intermittently could not reauthenticate after an expired session.

    Fixes an issue with the ZPA service where DNS resolution for applications intermittently failed.

    On September 6, 2016, Zscaler App 1.1.2.000025 was released and included the following minor fixes.

    Fixes an issue where the Zscaler App returned invalid characters in Unique Device Identifiers (udid) for Windows devices.

    Fixes an issue where the latest version of the Zscaler App was not installed during auto-updates on Windows devices.

    Fixes an issue where on Windows devices, the Zscaler App icon was visible in the system tray and taskbar, but users could not launch the App with the icon.

    Fixes an issue where the Windows version of the Zscaler App experienced configuration file corruption in certain cases.

    On September 26, 2016, Zscaler App 1.1.2.000036 was released and included the following fix:

    Fixes an issue users faced upon fresh installation of Zscaler App version 1.1.2.000025, where Windows 7 PCs did not support Zscaler App Network Adaptors signed with SHA-2 certificates. Before this version, the Network Adaptor was signed with a SHA-1 certificate. For improved security, in App version 1.1.2.000025, the Network Adaptor was signed with a SHA-2 certificate. However, to support SHA-2 certificates, Windows 7 PCs require installation of the Windows 7 Service Pack 2, and even after installation, users see an Untrusted Publisher dialog box because Windows 7 does not support SHA-2 certificates for kernel mode drivers. To avoid this issue, Zscaler recommends that organizations with Windows 7 PCs skip version 1.1.2.000025 and deploy this newly released version, 1.1.2.000036.

    The Zscaler App now sends CONNECT requests to www.zscaler.com to check the health of Zscaler Enforcement Nodes (ZENs). Previously, the App sent CONNECT requests to www.google.com for this purpose, but users in China faced issues because Google is blocked in that country.

  • Following are further details about the Troubleshoot menu features of the Mac version of the Zscaler App.

    Report an Issue: If your organization's admin enabled in-app support access, you can use this feature to report an issue. When you submit the form, depending on your organization's set-up, the app may either send an email to your organization's support admin or submit a ticket directly to Zscaler Support (your support admin will receive a copy of this ticket as well). After you submit the form, you will receive an email acknowledging the support request. For instructions on completing the form, see How do I report an issue with the Mac version of Zscaler App?

    Update Policy: You can click to manually refresh your web security policies and PAC file.

    Restart Service: You can click to restart the app. Restarting does not impact security enforcement.

    Clear Logs: You can clear stored logs.

    Log Mode: You can change the mode in which the app generates logs, but the change is effective for that connection session only. At the start of the next connection session, the app returns to the default log mode set by your organization. Below is a description of each log mode.

    Error: Logs only when the app encounters an error and functionality is affected.

    Warn: Logs when a) the app is functioning but is encountering potential issues or b) when conditions for the Error log mode are met.

    Info: Logs a) general app activity or b) when conditions for the Warn log mode are met.

    Debug: Logs a) all app activity that could assist Zscaler Support in debugging issues or b) when conditions for the Info log mode are met.

    For information about other Zscaler App features, see B. Zscaler App Features in Using the Zscaler App: Mac OS X.

  • If you find that the Zscaler App is not getting updated for some users, even if you've enabled auto-update or have pushed an update from the Zscaler App Portal, you must deploy Zscaler App 1.1.4 to your users (via Active Directory or the MDM of your choice) to resolve the issue.

    Checking for Outdated Versions

    You can check which devices are running outdated versions of the app in the Zscaler App Portal with one of the following steps:

    From the Zscaler admin portal, go to Policy > Zscaler App Portal. On the Dashboards page, you can check which devices have outdated versions of the app by using the Device Policy Status widget.

    From the Zscaler admin portal, go to Policy > Zscaler App Portal. Go to the Enrolled Devices page, then Device Overview from the menu on the left. Do one of the following:

    Filter the table to see Outdated devices.

    Export device fingerprints and filter by Agent Version.

    If you see devices that have not been updated, you must manually deploy the Zscaler App again to your users (via Active Directory or the MDM of your choice). This ensures that Zscaler App 1.1.4 is properly installed on user devices, and the app's update feature will function as expected thereafter.
