ZCTA Zscaler-PrimaryFunctionalities StudentGuide May17-V1.0

Uploaded by Aman Ali

Adobe Captivate Wednesday, August 30, 2017

Slide 1 – Introduction to Zscaler – Zscaler Primary Functionalities

Slide notes
Welcome to this training module, in which we will provide more detail on those four primary functional areas of the
Zscaler platform.

Page 1 of 80

Slide 2 - Navigating the eLearning Module

Slide notes
Here is a quick guide to navigating this eLearning module. There are various controls for playback including Play/Pause,
Previous and Next Slide, and Fast Forward. You can also mute the Audio or enable Closed Captioning which will cause a
transcript of the module to be displayed on the screen. Finally, you can click the “X” button if you wish to exit.

Slide 3 - Module Agenda

Slide notes
In this module, we will look at each of the functional areas of the Zscaler platform in turn: Traffic Forwarding, User
Authentication, Policy Management, and finally Reporting and Analytics.

Slide 4 - Zscaler Primary Functionalities

Slide notes
When implementing Zscaler there are four main functional areas that must be considered: the forwarding of traffic to
the Zscaler Cloud in the first place; whether or not to authenticate users; the configuration and application of all the
available Policies, and their enforcement by us; and finally, the reporting and analytics capabilities of the system.

Slide 5 - Traffic Forwarding

Slide notes
In the first section, we will have a look at some of the traffic forwarding options.

Slide 7 - GRE Tunnels – Basic Scenario

Slide notes
This diagram shows the most basic GRE scenario, with the GRE-capable router installed outside the firewall. You must
inform us of the static, public IP address of your edge device by raising a support case as a ‘Task’. Zscaler technical
support will then load this information in the backend to provision your IP address for GRE access. In this example, the
static, routable IP address of the device is 207.47.45.192, and when you log in to the Zscaler Admin Portal and create a
new location for this IP address, you will see the detailed information that you need to configure the tunnel.
Each of your locations (or IP addresses) must connect to two separate Zscaler Enforcement Nodes (ZENs) for GRE. In this
example, you can connect to ZENs with the IP addresses 203.116.198.93 and 31.186.227.36. From the point of view of
your router, there are two GRE tunnels, and each has its own internal tunnel addressing:
• The primary GRE tunnel goes from IP 207.47.45.192 to IP address 203.116.198.93; the local tunnel IP address is
172.17.1.41, and the destination tunnel IP address is 172.17.1.42.
• The secondary GRE tunnel goes from IP 207.47.45.192 to IP address 31.186.227.36; the local tunnel IP address
is 172.17.1.45, and the destination tunnel IP address is 172.17.1.46.
Your final configuration step is to configure your edge device to send all internet-bound traffic through the GRE tunnels.
Note that GRE adds no encryption: the tunnelled traffic crosses the Internet in the clear between your router and the ZEN,
so where confidentiality on that leg matters, use the IPsec option described next.

Slide 8 - IPSec VPN Tunnels – Basic Scenarios

Slide notes
IPsec VPN represents another common deployment scenario for offices, and Zscaler supports both aggressive mode and
main mode IKE for VPN access. In order to use main mode, you must have a static, routable IP address associated with
your VPN edge device, and, as for GRE, you will need to open a ticket with technical support to have that IP address
provisioned to your account.
If your site uses dynamic IP addressing and your edge device supports it, you can use aggressive mode, which does not
require support to provision your IP address in the system. Bear in mind that IKE aggressive mode with a pre-shared key
sends the identity and the PSK-derived hash before the exchange is encrypted, so anyone who captures the handshake can
attack the key offline; use a long, random pre-shared key, and prefer main mode wherever a static address makes it possible.

Slide 9 - IPSec VPN Tunnels – VPN with Failover

Slide notes
As with GRE, you should always configure your VPN device with at least two tunnels for fault tolerance. You can have
more than two tunnels, for example, if you have multiple Internet connections at a location.

Slide 10 - What Are PAC Files?

Slide notes
A Proxy Auto-Configuration (PAC) file contains a set of rules, written in JavaScript, that lets a Browser decide whether to
send Web traffic directly to the Internet or through a proxy server that forwards it on. A PAC file can control how a
Browser handles HTTP, HTTPS, and FTP traffic, and the Browser fetches and evaluates it before it sends any request that
the file governs.

Slide 11 - What Are PAC Files?

Slide notes
A PAC file is a JavaScript file containing the function ‘FindProxyForURL(url, host)’, which returns an access method: the
string ‘DIRECT’ indicates that the target URL can be accessed directly without going through a proxy, while ‘PROXY
host:port’ specifies that the URL must be reached through the named proxy (several methods can be listed, separated by
semicolons, and the Browser tries them in order). The function may contain conditional statements (if / else) and calls to
the helper functions that the Browser provides, so that traffic can be handled differently by destination domain, host,
or time of day.

Slide 13 - Generic PAC File Architecture

Slide notes
Here is an overview of how PAC files work in general. In this case we are going to specify that Browser calls to the
Amazon Web Services domain should go direct, while all other calls should go through the proxy at
‘proxy1.myproxy.com’ on port 8080.
The first step is for the Browser to fetch the PAC file, as it has been directed to do in the Browser settings. The URL for
the PAC file may be statically defined (which is recommended), pushed to the Browser using a Microsoft AD Group Policy
Object (GPO), or discovered using the Web Proxy Auto-Discovery protocol (WPAD). Prefer the static or GPO options: with
WPAD, anyone who can answer DHCP or DNS queries on the local network can hand the Browser a PAC file of their choosing
and so redirect its traffic. The file itself may be hosted on an internally managed server, or on the Internet. We
recommend that you host your PAC files on our infrastructure, for reasons that will become clear later.

Slide 15 - Generic PAC File Architecture

Slide notes
For any other Website, the PAC file directs that they must be accessed through the Proxy at ‘proxy1.myproxy.com’, using
the destination port 8080.
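The generic PAC file described on these two slides, written out as an added example (it is not a file from the Zscaler course, and the proxy name and AWS bypass are the slide’s illustration, not a recommendation). Because the helper functions such as dnsDomainIs() are normally supplied by the Browser, minimal stand-ins are included so the file can be exercised offline under Node.js; the AWS domain names used are assumptions for the test.

```javascript
// Added example: a generic PAC file plus re-implemented Browser helpers so it
// can be run outside a Browser. Not Zscaler code; hostnames are illustrative.

// --- helpers a Browser normally provides to PAC scripts (stand-ins) ---
function dnsDomainIs(host, domain) {
  // True when host ends with domain (case-insensitive), e.g. ".amazonaws.com".
  return host.length >= domain.length &&
    host.slice(-domain.length).toLowerCase() === domain.toLowerCase();
}

function shExpMatch(str, shexp) {
  // Translate a shell-style pattern (* and ?) into an anchored, case-insensitive regex.
  const escaped = shexp.replace(/[.+^${}()|[\]\\]/g, '\\$&')
                       .replace(/\*/g, '.*')
                       .replace(/\?/g, '.');
  return new RegExp('^' + escaped + '$', 'i').test(str);
}

function isPlainHostName(host) {
  // Single-label names (no dots) are intranet hosts.
  return host.indexOf('.') === -1;
}

// --- the PAC file itself: what the Browser fetches and evaluates ---
function FindProxyForURL(url, host) {
  // Intranet single-label names and loopback never go through the proxy.
  if (isPlainHostName(host) || host === 'localhost' || host === '127.0.0.1') {
    return 'DIRECT';
  }
  // Calls to the Amazon Web Services domains go direct, as in the slide.
  // dnsDomainIs is anchored at the end of the host, so a look-alike such as
  // amazonaws.com.evil.example does not qualify and is still proxied.
  if (dnsDomainIs(host, '.amazonaws.com') || shExpMatch(host, '*.aws.amazon.com')) {
    return 'DIRECT';
  }
  // Everything else is sent to the corporate proxy. The Browser tries the
  // listed methods left to right; appending "; DIRECT" here would make the
  // policy fail open when the proxy is down.
  return 'PROXY proxy1.myproxy.com:8080';
}
```

A quick check worth running on any PAC file before publishing it: feed it a few look-alike hostnames (a bypassed domain used as a prefix of an attacker-controlled name) and confirm they still come back as PROXY.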

Slide 16 - Zscaler Default PAC File

Slide notes
This slide shows the default Zscaler PAC file. Each customer can create their own custom PAC files and host them under
their own profile in the Zscaler Cloud. The most significant advantage of hosting the PAC file in the Zscaler cloud is the
availability of the variables ${GATEWAY} and ${SECONDARY_GATEWAY}. When a user’s Browser requests the PAC file from
the Zscaler PAC server, the server substitutes these variables with the IP addresses of the geographically closest ZENs,
chosen on the basis of the egress IP address of the client making the request.
The keyword DIRECT at the end of the proxy list instructs the Browser to connect directly to the Internet if both the
primary and the secondary ZEN are unavailable. This is a fail-open design: in that situation traffic leaves the device
without any Zscaler inspection, so decide deliberately whether you want that fallback in your PAC file.
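The variable substitution and the fallback order described above, simulated as an added example (this is not Zscaler’s PAC server code). The ZEN hostnames, the client IP prefixes that map to them, and the PAC template are constructed for illustration; the real PAC server chooses ZENs by its own logic, and the default PAC file also carries bypasses that are omitted here.

```javascript
// Added example: what a PAC server does with ${GATEWAY} / ${SECONDARY_GATEWAY},
// and how a Browser then walks the returned proxy list. Not Zscaler code;
// all addresses, prefixes and the template below are constructed placeholders.

// Constructed map of client egress prefixes to the nearest ZEN pair.
const ZEN_BY_PREFIX = [
  { prefix: '203.0.113.',  primary: 'zen-lon.example.net', secondary: 'zen-fra.example.net' },
  { prefix: '198.51.100.', primary: 'zen-nyc.example.net', secondary: 'zen-sjc.example.net' },
];
const DEFAULT_ZENS = { primary: 'zen-global1.example.net', secondary: 'zen-global2.example.net' };

// The hosted PAC file as stored: variables, not addresses. Same shape as the
// default PAC on the slide: primary ZEN, secondary ZEN, then DIRECT.
const PAC_TEMPLATE = [
  'function FindProxyForURL(url, host) {',
  '  return "PROXY ${GATEWAY}:80; PROXY ${SECONDARY_GATEWAY}:80; DIRECT";',
  '}',
].join('\n');

// Pick the ZEN pair for a client egress IP (first matching prefix wins).
function nearestZens(egressIp) {
  const hit = ZEN_BY_PREFIX.find(e => egressIp.startsWith(e.prefix));
  return hit ? { primary: hit.primary, secondary: hit.secondary } : DEFAULT_ZENS;
}

// What the PAC server returns for a given requester: the template with the
// two variables replaced by that client's closest ZENs.
function renderPac(template, egressIp) {
  const z = nearestZens(egressIp);
  return template.replace(/\$\{GATEWAY\}/g, z.primary)
                 .replace(/\$\{SECONDARY_GATEWAY\}/g, z.secondary);
}

// Evaluate the rendered PAC the way a Browser would (this template needs no helpers).
function proxyStringFor(renderedPac, url, host) {
  const body = renderedPac + '\nreturn FindProxyForURL(url, host);';
  return new Function('url', 'host', body)(url, host);
}

// Browser semantics: methods are tried left to right and the first usable one
// wins. `reachable` is the set of proxy hostnames currently answering.
// If neither ZEN answers, the trailing DIRECT sends traffic uninspected.
function chooseRoute(proxyString, reachable) {
  for (const raw of proxyString.split(';')) {
    const entry = raw.trim();
    if (!entry) continue;
    if (entry === 'DIRECT') return { via: 'DIRECT' };
    const [kind, hostPort] = entry.split(/\s+/);
    if (kind === 'PROXY' && reachable.has(hostPort.split(':')[0])) {
      return { via: 'PROXY', proxy: hostPort };
    }
  }
  return null; // no usable method at all: the Browser reports an error
}
```

Remove the trailing DIRECT from the template and chooseRoute() returns null when both ZENs are down; that is the fail-closed variant, and the trade-off between the two is the decision the slide leaves to you.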

Slide 17 - Zscaler App – One App to Connect Them All

Slide notes
The Zscaler App, available at no additional charge, provides another method for forwarding traffic to the Zscaler Cloud
so that Zscaler Web Security can be enforced; it is particularly well suited to your road warriors. The Zscaler App can be
used both to scan and protect data sent to the Internet at large using the Zscaler Internet Access service, and to provide
access to private applications in your own Data Centers, or hosted in a private Cloud, using Zscaler Private Access.
Some features of the App are:
• it can be pushed for silent install on PCs and Macs;
• a one-step enrollment process with SAML authentication, with on-going user verification using a device fingerprint
captured during enrollment;
• the ability to block access to the Internet before the user enrolls;
• current support for PCs and Macs, with mobile support in development;
• the App install file is available from the Zscaler App Portal.

Slide 18 - Zscaler App – One App to Connect Them All

Slide notes
For Internet access, the Zscaler App can establish lightweight HTTP connections to a local ZEN on the Zscaler Internet
Access (ZIA) Cloud, or it can be configured simply to enforce a specified PAC file. You also have the option to specify a
custom PAC file to identify the ZEN to send traffic to, or to specify destinations to be bypassed by the App.
For access to private resources, the App establishes TLS-encrypted Ztunnels to the ZPA Cloud infrastructure, which carry
end-to-end Mtunnels to the ZEN Connector virtual machines installed adjacent to the applications. There is also the option
to encrypt the Mtunnels using customer-generated PKI, so that the Zscaler infrastructure in the middle cannot decrypt the
user traffic it carries (the zero-trust option).
The Zscaler App can co-exist with popular VPN software on the client device, in either full- or split-tunnel VPN
configurations.

Slide 19 - Web Security for all Supported Platforms

Slide notes
There are a number of steps to enabling Web Security for your road warriors using the Zscaler App, as follows:
• Step 1: An Admin must download the appropriate installation file for distribution, and must configure
appropriate App settings for the users or groups.

Slide 20 - Web Security for all Supported Platforms

Slide notes
• Step 2: The App must be distributed to the users that require it. For Windows users, this can be done using a
Group Policy Object (or GPO), for Macs it can be done using Casper Suite or Tanium, or of course it can be
installed manually. The App installation can also be done silently.

Slide 21 - Web Security for all Supported Platforms

Slide notes
• Step 3: After installation, the device user is prompted to enroll through the App. Currently this is a one-time
enrollment process, that is coupled to the authentication method of your choice. This enrollment can also be
done silently based on the user’s device login, either using Microsoft IWA, or using SAML and the Zscaler IdP.

Slide 22 - Web Security for all Supported Platforms

Slide notes
• Step 4: After a successful enrollment, the App will forward traffic to the Zscaler Internet Access Cloud based on
the settings in the applied Forwarding Profile. Options are: To tunnel all port 80 and port 443 traffic in a Z-Tunnel
to the local (or a designated) ZEN; tunnel all HTTP/HTTPS traffic regardless of port; or to apply the default, or a
specified PAC file. If Z-Tunnels are used, they are established to the ZEN on destination port 443.

Slide 23 - Zscaler App – Private Access

Slide notes
Zscaler Private Access is designed to allow remote users with the Zscaler App installed connectivity to specified private
applications and services located on a corporate network, with access being enabled by a ZEN Connector VM. An
administrator at the customer has access to the ZPA-CA console for their instance, for the configuration of Connectors,
SSO settings, certificates and access policies.
When a user wishes to connect to an application that they are authorized to use, the Zscaler App on their client device,
and the ZEN Connector local to the optimum application instance establish outbound encrypted TLS tunnels (Ztunnels)
to the ZPA-ZEN that the Zscaler App is connected to. TLS 1.2 is used to establish the Ztunnels, with the strongest
encryption cipher that is mutually supported by the Zscaler App and Connector hosts at one end, and the ZPA-ZENs at
the other.
An end-to-end communication channel, or microtunnel (Mtunnel) is then established that runs from the Zscaler App on
the device, through the Ztunnels, to the correct Connector, to allow access to the specific application requested. Note
that this is a per-user, per-application Mtunnel established between the user and requested application, it cannot be
used by other users, nor for accessing other applications. The Mtunnels may also be encrypted (the double encryption
option), in which case TLS 1.2 is again used, with the strongest encryption cipher that is mutually supported by the
Zscaler App and Connector hosts.

All traffic destined for that specific private application is transported within this tunnel, and delivered to the destination
network by the Connector. The Connector acts on behalf of the client and the application replies to it, so that it can send
the return traffic along the reciprocal path back to the end user. The Mtunnels are only available for use by the
requesting user, and only for access to that specific application. Mtunnels cannot be shared with other users, nor can
they be used to route to other applications that may exist on the destination network. Access to other private
applications would require Mtunnels established specifically for that purpose.

Slide 24 - User Authentication

Slide notes
In the next section, we will have a look at the user authentication methods available.

Slide 25 - User Provisioning

Slide notes
A key concept to understand regarding user authentication in the Zscaler solution is that it is a two-part process.

Slide 26 - User Provisioning

Slide notes
User and Group membership information must be provisioned in the Zscaler Central Authority (CA). The User / Group
provisioning process to the Zscaler CA varies based on the Authentication method you employ in your organization.

Slide 27 - User Provisioning

Slide notes
User Authentication is done so Zscaler can verify the user’s identity and apply the correct User policies.

Slide 28 - Provisioning and Authentication Flow

Slide notes
So the first step in the authentication of users is to ensure that Zscaler has knowledge of them up front through
provisioning. The only exception is SAML authentication, which allows the auto-provisioning of users as they
authenticate; this is a major reason why we recommend that method.
Users, groups, and departments can be pre-populated as necessary through a number of mechanisms:
• Users can be manually added to the Zscaler database, either through the Admin Portal UI or by CSV import;
• Users can be synced from an existing LDAP directory, although that requires a port to be opened inbound at the
Firewall so that the Zscaler service can reach the directory;
• The Zscaler Authentication Bridge (or ZAB) removes the need to open an inbound port for the LDAP sync, as it is a
VM installed next to AD that pushes the directory out in the outbound direction;
• Finally there is the SAML auto-provisioning process previously mentioned, which simplifies the process of
adding users to Zscaler enormously.

Slide 29 - Provisioning and Authentication Flow

Slide notes
Once users, departments and groups are defined on the Zscaler system, the administrator can start to create and assign
any and all of the available policies to those entities. Policies can be assigned en masse to a department, more
selectively by group, or right down to the user level.

Slide 30 - Provisioning and Authentication Flow

Slide notes
Once the user has authenticated, by whichever method is configured for them, the system ensures that the correct policy
is applied to the user (directly, or through their department or group memberships). This then determines what access
privileges the user has.

Slide 31 - Authentication – Types

Slide notes
There are four methods for users to authenticate with the Zscaler solution:
1. The first method is the Hosted Database. With this method, usernames and passwords are stored in the database of
the Zscaler service itself. This is only really useful for small organizations where SAML, LDAP, or Kerberos are not an
option. The Zscaler administrator must create the required users, departments, and groups directly in the CA through
the Admin Portal.

Slide 32 - Authentication – Types

Slide notes
2. SAML, the Security Assertion Markup Language, is one of the most effective and secure authentication and
provisioning methods that we support. With SAML, users authenticate once to an Identity Provider (IdP) to allow
access to multiple services with Single Sign-On (SSO).

Slide 33 - Authentication – Types

Slide notes
3. With Lightweight Directory Access Protocol (or LDAP), the Zscaler service queries a directory server to verify the
user’s password, for example a Microsoft Active Directory (AD) server. The LDAP Sync capability must be used to
provision users to Zscaler.

Slide 34 - Authentication – Types

Slide notes
4. Kerberos is an industry-standard secure protocol that is widely used to authenticate users to network services, and
it enables SSO for client applications that cannot complete a cookie-based browser login, such as the Office 365
desktop clients.

Slide 35 - Authentication Flow – SAML

Slide notes
Let’s take a look at the authentication process using SAML, as this is our recommended method. SAML authentication
does not require the SAML identity provider (IdP) and the Zscaler Cloud to exchange any data directly. It is a token-
based mechanism: Zscaler trusts an assertion about the user that has been correctly signed by the Identity Provider.
This is possible because a trust relationship, anchored on the IdP’s signing certificate, is established between Zscaler
and the chosen SAML provider when the systems are integrated.
The process is as follows:
1. The user makes an initial HTTP request for a page out on the Internet, which of course first hits the local ZEN.

Slide 36 - Authentication Flow – SAML

Slide notes
2. The Zscaler ZEN sees that authentication is enabled and redirects the Browser or agent to the Zscaler Central
Authority for authentication.

Slide 37 - Authentication Flow – SAML

Slide notes
3. The Browser contacts the Zscaler CA requesting authentication.

Slide 38 - Authentication Flow – SAML

Slide notes
4. The Zscaler CA redirects the Browser to the IdP (SAML server) specified in the SAML configuration.

Slide 39 - Authentication Flow – SAML

Slide notes
5. Typically at this point a login page will be displayed to the user for them to authenticate to the IdP.

Slide 40 - Authentication Flow – SAML

Slide notes
6. On successful authentication, the IdP gives the Browser or agent a signed SAML Assertion (a cryptographically
verifiable token) to take back to Zscaler.

Slide 41 - Authentication Flow – SAML

Slide notes
7. The Browser is redirected back to Zscaler, and presents the SAML Assertion from the IdP.

Slide 42 - Authentication Flow – SAML

Slide notes
8. Because of the trust relationship between Zscaler and the IdP, Zscaler can validate the signature on the Assertion,
and sees that the user has successfully authenticated. Zscaler then issues an authentication token to the user’s
Browser or agent.

Slide 43 - Authentication Flow – SAML

Slide notes
9. The Browser responds with an access request together with the user’s identity and a Hash Message
Authentication Code (HMAC) ID.

Slide 44 - Authentication Flow – SAML

Slide notes
10. The user is now authenticated to the Zscaler service, and any other service that uses that same IdP, so has a
‘single sign-on’ experience for all Web services that use this IdP. As a final step Zscaler sends an Authentication
cookie to the user’s Browser.

Slide 45 - Authentication Flow – SAML

Slide notes
11. The user is now permitted to access the original URL that they requested, and any other Web site that they
are authorized to access based on the applied policies. Access will be permitted for the duration of this
authentication session.
Note that from the user perspective, their experience of this whole process is:
A. They try to go to a page on the Internet.
B. They see a login page instead, presented by the IdP.
C. They authenticate to the IdP.
D. They are taken to that original page that they requested, and can browse to any other permitted pages until
their authentication session times out.

Slide 46 - Authentication Flow – SAML

Slide notes
Note that once we receive, and have validated the SAML Assertion from the IdP, we can automatically add the user to
the Zscaler database, if they are not already in there. In addition, we can look at any authorization attributes included in
the Token, and add the user to the department, and any groups specified. If the department, or a group do not already
exist in the Zscaler database, we will add it, and add the user to it. This is the power of the SAML auto-provisioning
capability in action.

Slide 47 - Policy Management

Slide notes
In the next section, we will have a look at the policies available to apply to users, and at some important considerations
when applying policies.

Slide 48 - Policy Areas

Slide notes
The Policy configuration area can be found by clicking on the ‘Policy’ menu in the admin portal, the ‘Policy’ menu is
then broken down into the ‘Web’, ‘Mobile’, and ‘Firewall’ areas. The ‘Web’ policy area is the most extensive and allows
the creation of ‘Security’, ‘Access Control’, and ‘Data Loss Prevention’ policies.
• The ‘Security’ policies available to be configured are: ‘Malware Protection’, for configuring protection from
viruses, Trojans, Worms, Adware, Spyware and other unwanted applications; ‘Advanced Threat Protection’
(ATP), to detect and block malicious activity, spyware call-backs, or command and control traffic (CC);
‘Sandbox’, that allows the quarantining of suspect files for scanning in a protected sandbox environment; and
‘Browser Control’, that allows the specification of minimum Browser versions, and Browser vulnerability
protections.
• The ‘Access Control’ policies available are: ‘URL & Cloud App Control’, that can be used to control access to
destination Websites or applications; ‘File Type Control’, to specify the file types that may be uploaded, or
downloaded; ‘Bandwidth Control’, for assigning maximum, and minimum bandwidth percentages for classes of
traffic; ‘SSL Inspection’, with settings and resources for intercepting and inspecting SSL traffic; and ‘FTP
Control’, for restricting access using the FTP protocol.

• The ‘Data Loss Prevention’ policy area allows the creation of policies to monitor, and if necessary block, the
unauthorized exfiltration of data using Zscaler internal, or external DLP engines. It also allows the streaming of
data to an on-site ICAP server for analysis.

Slide 49 - Policy Areas

Slide notes
Note, that brief Policy Information, and links to Recommended Policy settings are shown on each Policy page.

Slide 50 - Policy Areas

Slide notes
The ‘Mobile’ policy area also has three policy categories; ‘Zscaler App Configuration’, ‘Security’, and ‘Access Control’.
• The ‘Zscaler App Configuration’ category contains a link to the ‘Zscaler App Portal’, where configurations and
policies for the Zscaler App, and secure agent for mobile can be defined.
• The ‘Security’ category contains the ability to setup a policy for ‘Mobile Malware Protection’.
• The ‘Access Control’ category allows the definition of policy rules for ‘Mobile App Store Control’.

Slide 51 - Policy Areas

Slide notes
The ‘Firewall’ area contains ‘Access Control’ policies allowing the configuration of ‘Firewall Control’ or ‘DNS Control’
policies. Note that the ‘Firewall’ policy configuration is for both the Basic and the Next Generation Firewall
configuration, depending on your subscription.

Slide 52 - Policy Enforcement Order

Slide notes
Some of the policies that you can define are enforced as soon as a connection request from a client device reaches the
ZEN. If the Browser used does not match the ‘Browser Control’ policy, we can block access immediately; if FTP requests
are disallowed by an ‘FTP Control’ policy, they can be blocked immediately; if the Cloud App requested, or the URL,
matches filters set up in a ‘URL & Cloud App Control’ policy, the user can be blocked or warned straight away; and of
course, if Zscaler is to inspect SSL traffic, we must terminate the outbound connection from the user before we can do
anything else.

Slide 53 - Policy Enforcement Order

Slide notes
If the outbound request is allowed to proceed, we can then move on to perform the outbound scans to check for other
policy matches, this includes scans for:
• ‘Malware Protection’;
• ‘Advanced Threat Protection’;
• ‘File Type Control’;
• ‘Bandwidth Control’;
• ‘Data Loss Prevention’;
• As well as ‘Firewall’ and ‘DNS Control’ policies.

Slide 54 - Policy Enforcement Order

Slide notes
Once the connection is established to the destination server or host, policies are applied to the return traffic, including:
• ‘Malware Protection’;
• ‘Advanced Threat Protection’;
• ‘Cloud Sandbox’;
• ‘File Type Control’;
• And ‘Bandwidth Control’.

Slide 55 - URL & Cloud App Control Policy

Slide notes
The ‘URL Filtering & Cloud App Control’ pages are where you will probably spend most of your time, as this is where you
will define what kinds of sites and applications your users are allowed to use. There are a couple of things to note here:
1. Firstly, by default the policies are evaluated like a firewall, top-down, first match, with an implicit ‘Allow All’ at
the end.
2. Secondly, that the ‘Cloud App Control’ policies are evaluated first, and then the ‘URL Filtering’ policies.
What does this mean in practice? Let’s say that you block Webmail access in the ‘Cloud App Control Policy’, then in the
‘URL Filtering Policy’ you allow Webmail. What will be the result? Webmail will be blocked because the ‘Cloud App
Policy’ is processed first.
Conversely, what if you allow Webmail in the ‘Cloud App Control Policy’, and block it under ‘URL Filtering’? This time
Webmail will be allowed, because once the system sees the allow in the ‘Cloud App Policy’, that traffic will be permitted
and no further rules will be processed. We will talk more about how important it is to order your rules correctly as we go
through the rest of this module.

Slide 56 - URL & Cloud App Control Policy

Slide notes
When trying to block, or allow a specific site or app, always check first to see if it is listed under ‘Cloud App Control’, and
use that to allow or block. Only if the site or app is not listed in ‘Cloud App Control’ should you create a ‘URL Filter’, as
this will save you from creating custom categories to block individual sites.
It also gives you the benefit of Zscaler keeping the filters up to date - for example, if you want to block YouTube and use
a ‘Cloud App Control Policy’ to do so, it doesn’t matter what URL the user uses to access YouTube, we will block or allow
regardless of the URL called.

Slide 57 - URL & Cloud App Control Policy

Slide notes
This default behavior can be modified if necessary using the ‘Allow Cascading to URL Filtering’ option in the ‘Advanced
Settings’. This removes the ‘first match’ condition between ‘Cloud App Control’ and ‘URL Filtering’, and allows you to
enforce both types of rule.
We still check ‘Cloud App Control’ first, but when a ‘Cloud App’ rule allows the transaction we go on to evaluate the
‘URL Filtering’ rules as well, so a block in either policy takes effect. In the second example above (Webmail allowed in
‘Cloud App Control’ but blocked in ‘URL Filtering’), cascading would have the effect of blocking Webmail, because the
‘URL Filtering’ block is now enforced even though the ‘Cloud App’ rule allows it.
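The evaluation order from Slides 55 to 57, as an added example that is not Zscaler’s code: Cloud App Control is evaluated before URL Filtering, each set is top-down first match with an implicit Allow at the end, and the ‘Allow Cascading to URL Filtering’ option lets a URL Filtering block apply after a Cloud App allow. The classifier that decides which app or category a request belongs to, the rule sets, and the Webmail and YouTube hostnames are constructed stand-ins for Zscaler’s signatures and categories.

```javascript
// Added example: models Cloud App Control -> URL Filtering evaluation order,
// first-match semantics with an implicit Allow, and the cascading option.
// Not Zscaler code; the classifier and rule sets are constructed for illustration.

// Stand-in for Zscaler's app signatures and URL categories.
function classify(url) {
  const host = new URL(url).hostname;
  const app = /(^|\.)(mail\.google\.com|outlook\.live\.com)$/.test(host) ? 'Webmail' : null;
  const category = app === 'Webmail' ? 'Webmail'
    : /(^|\.)youtube\.com$/.test(host) ? 'Streaming Media'
    : 'Business';
  return { host, app, category };
}

// Top-down, first match. A rule is { match: <app or category | 'any'>, action: 'ALLOW' | 'BLOCK' }.
// Returns null when nothing matched so the caller can apply the implicit Allow.
function firstMatch(rules, value) {
  for (const rule of rules) {
    if (rule.match === 'any' || rule.match === value) return rule.action;
  }
  return null;
}

// policy = { cloudApp: [...rules], urlFiltering: [...rules] }
// cascade=false: default; a Cloud App match ends evaluation.
// cascade=true : 'Allow Cascading to URL Filtering'; URL rules still run after
//                a Cloud App ALLOW. A Cloud App BLOCK is final either way.
function evaluate(policy, url, cascade = false) {
  const req = classify(url);
  const appDecision = req.app ? firstMatch(policy.cloudApp, req.app) : null;
  if (appDecision === 'BLOCK') return 'BLOCK';
  if (appDecision === 'ALLOW' && !cascade) return 'ALLOW';
  const urlDecision = firstMatch(policy.urlFiltering, req.category);
  return urlDecision || 'ALLOW'; // implicit 'Allow All' at the bottom
}

// The two Webmail scenarios from Slide 55, as policy objects.
const BLOCK_APP_ALLOW_URL = {
  cloudApp:     [{ match: 'Webmail', action: 'BLOCK' }],
  urlFiltering: [{ match: 'Webmail', action: 'ALLOW' }],
};
const ALLOW_APP_BLOCK_URL = {
  cloudApp:     [{ match: 'Webmail', action: 'ALLOW' }],
  urlFiltering: [{ match: 'Webmail', action: 'BLOCK' }],
};
```

Ordering within a set matters just as it does on a firewall: an ‘any / ALLOW’ rule placed above a ‘Streaming Media / BLOCK’ rule makes the block unreachable, which the test below also exercises.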

Slide 58 - Target Criteria Considerations

Slide notes
When you are creating Policy rules, you have the option to apply them to the entire organization, or to a subset of users
based on a variety of criteria.
• The first criterion, ‘Users’, is pretty self-explanatory: you can enter specific usernames in the policy and it will only
apply to those users.
• Next you have the option to select ‘Groups’ or ‘Departments’; these are dependent on the authentication
method that you use. For instance, if you are using LDAP to authenticate users, you must tell Zscaler what
attribute in your directory structure should be used for the ‘Group’ and ‘Department’ fields, although
configuring those fields is beyond the scope of this module. Once those fields are defined, the groups and
departments will show up in the drop-down list when you’re building policy rules. Note that to be able to use the
‘User’, ‘Group’, or ‘Department’ options for targeting policy, or for filtering Logs, users MUST authenticate to
Zscaler.

• Locations allow you to assign policy based on specific sites. A ‘Location’ can be a site that has a direct connection via GRE or VPN to the Zscaler cloud, such as a branch office, headquarters site, or even a dedicated TCP proxy port if one was purchased. When a user is coming in through one of these methods we consider them to be from a ‘Known Location’, and you can set policy based on the user’s location. You will also see a ‘Location’ with the name ‘Road Warrior’; this location applies to all users who are not connecting to the Zscaler service from a known location, so these are effectively your roaming users.
• The next option is ‘Time’, although using timeframes can be tricky, especially when applied to your roaming users. The system applies a timeframe based on the time zone of the ZEN through which the user is connecting. For known locations, the ZENs are generally statically assigned, so you know the time zone of the ZEN to which you’re connecting. But for roaming users the ZEN through which they are connecting may or may not be in the same time zone, and so the system may not behave in the way the user is expecting.


Slide 59 - Target Criteria Considerations

Slide notes
It is critical that you understand how the who, where, and when logic is applied when creating policy rules. The logic is
shown here: the ‘User’, ‘Group’, and ‘Department’ fields are combined with a logical ‘OR’, but the ‘Location’ and ‘Time’
fields are combined with a logical ‘AND’. Let’s look at a couple of examples to demonstrate this…
• In the first example, we create a rule that lists User ‘John’, Group ‘Americas’, and Department ‘Sales’. In this
example, the rule will match User ‘John’, OR anyone in the Group ‘Americas’, OR anyone in the Department
‘Sales’.
• In the second example, we create a rule that lists User ‘John’, Group ‘Americas’, Department ‘Sales’, Location
‘NYC1’, and Time ‘any weekday’. In this example, the rule will match User ‘John’, OR anyone in the ‘Americas’
Group, OR anyone in the ‘Sales’ Department, but ONLY if they are connecting from the ‘NYC1’ location on a
weekday. If ‘John’, or a user in the ‘Americas’ Group, or ‘Sales’ Department connects from a different location, or
at the weekend then this rule will not apply.


Slide 60 - Target Criteria Considerations

Slide notes
The last item we’ll cover here is the ordering of your rules. Remember that the rules are processed from the top down,
with a first match logic, and a default ‘Allow All’ at the bottom. So just like when building Firewall rules, you want your
most-specific rules at the top, and your least-specific rules at the bottom. Here is an example that illustrates the
importance of the ordering of your rules.
You may have rules that are out of order with everything working fine, until you have a user who moves from one site to
another. In this case, Bob Smith works in Social Media Marketing and is based in New York, and there is a specific rule
granting Bob access to Social Media.
There are also more general rules blocking all Social Media access from particular locations, in this case New York
(where Bob is based) and Seattle. However, the general rule for Seattle is listed before the specific rule for Bob.
Everything will work fine as long as Bob is in New York, but what will happen if Bob visits the Seattle office? Since Bob’s
location is now Seattle, the general rule blocking Social Media access will trigger and block access for Bob. This
illustrates why you need to have the most specific rules listed up front, and also why you’ll typically want your
location-based rules at the end.
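As an added example (not Zscaler’s own code or policy engine), the following model reproduces the who/where/when logic from Slide 59 and the top-down, first-match ordering from Slide 60. The usernames, rule names and locations are constructed from the Bob Smith example, and a day-of-week field stands in for the ‘Time’ criterion.

```python
from dataclasses import dataclass, field, replace

# Constructed model of the target-criteria logic: User/Group/Department are OR'd
# together, then AND'd with Location and Time; rules are evaluated top-down,
# first match wins, with an implicit 'Allow All' at the bottom.

@dataclass
class Request:
    user: str
    groups: set
    department: str
    location: str   # a known location such as "New York", or "Road Warrior"
    day: str        # e.g. "Mon"; stands in for the ZEN-local time window

@dataclass
class Rule:
    name: str
    action: str                                   # "Allow" or "Block"
    users: set = field(default_factory=set)
    groups: set = field(default_factory=set)
    departments: set = field(default_factory=set)
    locations: set = field(default_factory=set)   # empty = any location
    days: set = field(default_factory=set)        # empty = any time

    def matches(self, req: Request) -> bool:
        if self.users or self.groups or self.departments:
            who = (req.user in self.users or bool(req.groups & self.groups)
                   or req.department in self.departments)   # logical OR
        else:
            who = True      # no who-criteria: rule applies to the whole org
        where = not self.locations or req.location in self.locations
        when = not self.days or req.day in self.days
        return who and where and when                       # logical AND

def evaluate(rules, req):
    """Top-down, first-match evaluation; default 'Allow All' if nothing matches."""
    for rule in rules:
        if rule.matches(req):
            return rule.action, rule.name
    return "Allow", "default"

# Constructed rules reproducing the mis-ordered policy from the Bob Smith example.
ALLOW_BOB = Rule("Allow Bob social media", "Allow", users={"bob.smith"})
BLOCK_SEA = Rule("Block social media from Seattle", "Block", locations={"Seattle"})
BLOCK_NYC = Rule("Block social media from New York", "Block", locations={"New York"})
MISORDERED = [BLOCK_SEA, ALLOW_BOB, BLOCK_NYC]   # general Seattle rule above Bob's
CORRECTED = [ALLOW_BOB, BLOCK_SEA, BLOCK_NYC]    # specific first, location rules last
BOB_NYC = Request("bob.smith", {"Marketing"}, "Social Media Marketing", "New York", "Tue")
BOB_SEA = replace(BOB_NYC, location="Seattle")   # Bob visiting the Seattle office
```

With `MISORDERED`, `evaluate` allows Bob in New York but blocks him in Seattle; with `CORRECTED`, his specific rule matches first in both locations.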


Slide 61 - Reporting and Analytics

Slide notes
In the final section, we will look at some of our reporting and analytics capabilities.
This section has been created to include an interactive demo to give you a feel for the navigation of the Zscaler Admin
Portal UI. You will be asked to select the appropriate menu options to navigate the UI. You may also use the Play control
to proceed to the next step.


Slide 62 - Zscaler Dashboards

Slide notes
Zscaler provides extremely powerful tools to report on, and analyze user connectivity and activity. There are several
standard Dashboard views accessible from the ‘Dashboard’ menu, each configured with a standard set of widgets.
Dashboards are available for: ‘Web Overview’, ‘Security’, ‘Web Browsing’, ‘Cloud Applications’, ‘Mobile Applications’,
‘DNS Overview’, ‘Firewall Overview’, ‘Bandwidth Control’, and ‘Office 365’.


Slide 63 - Zscaler Dashboards

Slide notes
Each of the Dashboards is fully configurable, and you have the ability to add or remove Widgets as you like, and to edit
them to ensure that the Dashboard reflects exactly the data you require, in your preferred presentation format.


Slide 64 - Zscaler Dashboards

Slide notes
All of the charts on each of the Dashboards provide a drill-down capability…


Slide 65 - Zscaler Dashboards

Slide notes
…simply click on a chart segment, user, application, or other item, and click ‘View Logs’…


Slide 66 - Zscaler Dashboards

Slide notes
…to see a complete list of all the log entries for that entity.


Slide 67 - Zscaler Analytics – Reports

Slide notes
The ‘Analytics’ menu gives access to the standard ‘Reporting’ and ‘Insights’ engines. The standard report sets available
are: ‘Interactive Reports’, ‘Executive Reports’, and ‘Scheduled Reports’. The Insights categories available are: ‘Web
Insights’, ‘Mobile Insights’, ‘Firewall Insights’, and ‘DNS Insights’.


Slide 68 - Zscaler Analytics – Reports

Slide notes
An extensive set of standard reports is available to choose from, or you can create your own custom reports. This
example is a bandwidth report for all allowed traffic from all locations.


Slide 69 - Zscaler Analytics – Reports

Slide notes
This example shows blocked transactions by Department…


Slide 70 - Zscaler Analytics – Reports

Slide notes
…and this example is a browsing history report for a specific user.


Slide 71 - Zscaler Analytics – Reports

Slide notes
You can of course drill down within any of these reports: just click on a chart segment or item of interest and click ‘View
Logs’…


Slide 72 - Zscaler Analytics – Reports

Slide notes
…to see the detailed list of transactions or activity.


Slide 73 - Zscaler Analytics – Insights

Slide notes
The ‘Insights’ options provide detailed and dynamic analytics engines for the ‘Web’, ‘Mobile’, ‘Firewall’, and ‘DNS’
categories.


Slide 74 - Zscaler Analytics – Insights

Slide notes
For each category, you can:
• Select the data to view.
• Specify a standard or custom time interval to view.
• Add one or more of the many filters available.


Slide 75 - Zscaler Analytics – Insights

Slide notes
Having created the chart that meets your requirements, you also have a drill-down capability…


Slide 76 - Zscaler Analytics – Insights

Slide notes
…and a breadcrumb trail listing each of the charts that you have configured to get to this point. This allows you to step
back to an earlier view if necessary, so you can change the data, timeframe, or filters.


Slide 77 - Thank you & Quiz

Slide notes
Thank you for following this Zscaler training module; we hope this module has been useful to you, and thank you for
your time.
What follows is a short quiz to test your knowledge of the material presented during this module. You may retake the
quiz as many times as necessary in order to pass.
