Zscaler

Overview

Zscaler is a cloud-native security platform that provides secure internet access and application access based on a Zero Trust architecture. It is widely adopted as a next-generation security solution replacing traditional VPNs and firewalls.

Key Services

Zscaler Internet Access (ZIA)

A service that protects corporate internet traffic via the cloud.

Key Features:

  • Secure Web Gateway (SWG): URL filtering, anti-malware, data loss prevention
  • Firewall as a Service: Cloud-based firewall capabilities
  • Sandbox: Analyzes unknown threats in an isolated environment
  • SSL/TLS Inspection: Inspection of encrypted traffic
  • DLP (Data Loss Prevention): Prevents external leakage of sensitive data

Zscaler Private Access (ZPA)

A service that provides Zero Trust access to internal corporate applications.

Key Features:

  • Application Segmentation: Access control per application
  • VPN-less Connectivity: Does not expose the entire network; users reach only the applications they need
  • User/Device Authentication: Context-based access control
  • Micro-segmentation: Prevention of lateral movement

Zscaler Digital Experience (ZDX)

A service that monitors and optimizes the end-user digital experience.

Key Features:

  • Performance monitoring
  • Troubleshooting
  • Visualization of user experience

Zero Trust Architecture

Zscaler adopts a Zero Trust security model, based on the following principles:

  1. Never Trust, Always Verify: Verify every access
  2. Least Privilege Access: Grant only the minimum necessary access privileges
  3. Micro-Segmentation: Isolation per application
  4. Continuous Monitoring: Continuous monitoring and analysis

Architectural Features

Cloud Native

  • Globally distributed data centers
  • Auto-scaling
  • High availability and redundancy

Proxy-based Architecture

User -> Zscaler Cloud -> Internet/Application
(Inspection/Policy Enforcement)

Agent-based Deployment

  • Zscaler Client Connector: Client installed on devices
  • Cloud Connector: Connection with on-premise networks
  • App Connector: Providing access to private applications

Benefits of Implementation

Improved Security

  • Inspects all traffic
  • Protection from zero-day attacks
  • Data loss prevention

Cost Reduction

  • No need for hardware appliances
  • Simplification of operational management
  • Bandwidth optimization

Improved User Experience

  • Low latency
  • Location-independent connectivity
  • Seamless access

Support for Remote Work

  • VPN-less access
  • Secure connection from anywhere
  • Device type agnostic

Implementation Examples

Example of ZIA Policy Configuration

# URL Filtering Policy
url_filtering_policy:
  name: "Block Malicious Sites"
  action: "BLOCK"
  categories:
    - "Malware"
    - "Phishing"
    - "Command and Control"
  users: "All Users"

Example of ZPA Access Policy

# Application Segment
app_segment:
  name: "Internal CRM"
  domain_names:
    - "crm.internal.company.com"
  tcp_ports:
    - "443"
  health_check_type: "DEFAULT"

# Access Policy
access_policy:
  name: "CRM Access Policy"
  action: "ALLOW"
  conditions:
    - user_group: "Sales Team"
    - device_posture: "Compliant"
    - location: "Any"

Security Best Practices

1. Policy Design

  • Principle of Least Privilege: Grant minimum necessary access privileges
  • Group-based Management: Manage policies by user groups
  • Phased Deployment: Start with small groups and gradually expand

2. SSL/TLS Inspection

  • Always inspect critical traffic
  • Consider excluding traffic subject to regulation, such as healthcare or financial data
  • Proper management of certificates

3. Logging and Monitoring

  • Regular review of security events
  • Integration with SIEM
  • Optimization of alert settings

4. User Training

  • Advance notice of policy changes
  • Improvement of security awareness
  • Establishment of support structure

Comparison with Other Solutions

Feature             | Zscaler   | Traditional VPN | Firewall
Zero Trust          |           |                 |
Cloud Native        |           |                 |
SSL Inspection      |           |                 |
Global Scale        |           |                 |
User Experience     | Excellent | Medium          | Medium
Implementation Cost | Low       | Medium          | High

Integration and Collaboration

Zscaler can integrate with many security tools and platforms:

  • ID Providers: Azure AD, Okta, Ping Identity
  • SIEM: Splunk, Microsoft Sentinel, QRadar
  • EDR/XDR: CrowdStrike, Microsoft Defender
  • CASB: Microsoft Cloud App Security
  • Cloud Providers: AWS, Azure, GCP

Best Practices for Preserving Developer Experience

Implementing Zscaler can impact developer workflows. The following best practices help achieve both security and developer experience.

1. SSL/TLS Inspection Exclusion Settings

SSL/TLS inspection can cause issues with development tools and services. Consider excluding the following domains from inspection.

# SSL Inspection Bypass List (Example)
ssl_inspection_bypass:
  # Package Managers
  - "*.npmjs.org"
  - "*.pypi.org"
  - "*.nuget.org"
  - "*.maven.org"
  - "registry.npmjs.org"
  - "registry.yarnpkg.com"

  # Container Registries
  - "*.docker.io"
  - "*.docker.com"
  - "gcr.io"
  - "*.azurecr.io"
  - "*.amazonaws.com"

  # Git Related
  - "*.github.com"
  - "api.github.com"
  - "raw.githubusercontent.com"
  - "*.gitlab.com"
  - "*.bitbucket.org"

  # Cloud Provider APIs
  - "*.azure.com"
  - "*.microsoft.com"
  - "*.aws.amazon.com"
  - "*.googleapis.com"

  # Developer Services
  - "*.stackoverflow.com"
  - "*.visualstudio.com"
  - "*.vscode-cdn.net"
  - "marketplace.visualstudio.com"
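Every entry in a bypass list takes those hosts out of malware, sandbox and DLP inspection, so the list deserves the same review as any allow-list. The following is an added example, not part of the original page or of Zscaler's own tooling: a small Node.js audit that matches a bypass list (using the `*`/`?` glob semantics of PAC-style shExpMatch; check how your product treats apex domains) against an inventory of hosts developers actually reach, and flags whole-domain wildcards for review. The BYPASS subset and INVENTORY hosts are constructed for the example.

```javascript
// Glob match with the "*" / "?" semantics of PAC-style shExpMatch; a bare domain matches itself only.
function globMatch(host, pattern) {
  const re = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*").replace(/\?/g, ".");
  return new RegExp("^" + re + "$", "i").test(host);
}
// For every inventory host, the first bypass entry that exempts it from inspection (null = still inspected).
function auditBypass(patterns, hosts) {
  return hosts.map(host => ({ host, bypassedBy: patterns.find(p => globMatch(host, p)) || null }));
}
// Heuristic: a wildcard directly under a registrable domain ("*.example.com") exempts every
// subdomain, which on multi-tenant clouds means every tenant's endpoint. Flag these for review.
function broadEntries(patterns) {
  return patterns.filter(p => /^\*\.[^.*]+\.[^.*]+$/.test(p));
}
// Constructed inputs: a subset of the list above, and hosts taken from a developer's traffic log.
const BYPASS = ["*.pypi.org", "registry.npmjs.org", "*.amazonaws.com", "api.github.com"];
const INVENTORY = [
  "pypi.org",                           // apex: "*.pypi.org" needs at least one label in front of it
  "files.pythonhosted.org",             // where pip actually downloads packages: not covered at all
  "registry.npmjs.org",                 // exact entry
  "any-tenant-bucket.s3.amazonaws.com", // every S3 bucket is exempt through "*.amazonaws.com"
  "raw.githubusercontent.com",          // not in this subset: still inspected
];
console.log(auditBypass(BYPASS, INVENTORY));
console.log("review for breadth:", broadEntries(BYPASS));
```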

2. Leveraging PAC (Proxy Auto-Config) Files

In development environments, configure specific traffic to connect directly without going through Zscaler.

// PAC File Example
function FindProxyForURL(url, host) {
  // Direct connection for local development environment
  if (isPlainHostName(host) ||
      shExpMatch(host, "*.local") ||
      isInNet(host, "127.0.0.0", "255.0.0.0") ||
      isInNet(host, "10.0.0.0", "255.0.0.0") ||
      isInNet(host, "172.16.0.0", "255.240.0.0") ||
      isInNet(host, "192.168.0.0", "255.255.0.0")) {
    return "DIRECT";
  }

  // Direct connection for development tool domains
  if (shExpMatch(host, "localhost") ||
      shExpMatch(host, "*.docker.internal") ||
      shExpMatch(host, "*.azurewebsites.net") ||
      shExpMatch(host, "*.azurestaticapps.net")) {
    return "DIRECT";
  }

  // Others go through Zscaler
  return "PROXY zscaler-proxy.company.com:80";
}

3. Certificate Management

Properly install Zscaler's intermediate CA certificate in the development environment.

Windows Environment

# Install Zscaler Certificate
certutil -addstore -enterprise -f "Root" ZscalerRootCA.crt

# Set Node.js Environment Variable
[System.Environment]::SetEnvironmentVariable("NODE_EXTRA_CA_CERTS", "C:\Certificates\ZscalerRootCA.crt", "User")

macOS/Linux Environment

# Add to the system certificate store (macOS: the security command is macOS-only)
sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain ZscalerRootCA.crt

# Set Node.js Environment Variable
export NODE_EXTRA_CA_CERTS=/path/to/ZscalerRootCA.crt
echo 'export NODE_EXTRA_CA_CERTS=/path/to/ZscalerRootCA.crt' >> ~/.bashrc

Python Environment

# pip configuration
pip config set global.cert /path/to/ZscalerRootCA.crt

# requests library
export REQUESTS_CA_BUNDLE=/path/to/ZscalerRootCA.crt

4. Local Development Environment Configuration

Docker Desktop Settings

// Docker Desktop daemon.json
{
  "registry-mirrors": [],
  "insecure-registries": ["localhost:5000"],
  "debug": false,
  "experimental": false,
  "proxies": {
    "http-proxy": "http://zscaler-proxy:80",
    "https-proxy": "http://zscaler-proxy:80",
    "no-proxy": "localhost,127.0.0.1,.local,.internal"
  }
}

VS Code Settings

// settings.json
{
  "http.proxy": "http://zscaler-proxy:80",
  // false disables certificate validation for proxied requests; set it back to true once the Zscaler CA is installed
  "http.proxyStrictSSL": false,
  "http.proxySupport": "on",
  "http.noProxy": [
    "localhost",
    "127.0.0.1",
    "*.local",
    "*.internal"
  ]
}

5. CI/CD Pipeline Considerations

GitHub Actions

# .github/workflows/build.yml
name: Build

on: [push]

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3

      # Install Zscaler Certificate
      - name: Setup Zscaler CA
        run: |
          # The CA directory is root-owned on the hosted runner, so write it via sudo
          echo "${{ secrets.ZSCALER_CA_CERT }}" | base64 -d | sudo tee /usr/local/share/ca-certificates/zscaler.crt > /dev/null
          sudo update-ca-certificates
          # An export only lives for this step; persist the variable for later steps via GITHUB_ENV
          echo "NODE_EXTRA_CA_CERTS=/usr/local/share/ca-certificates/zscaler.crt" >> "$GITHUB_ENV"

      - name: Install dependencies
        run: npm ci

Azure DevOps

# azure-pipelines.yml
steps:
  - task: Bash@3
    displayName: 'Setup Zscaler Certificate'
    inputs:
      targetType: 'inline'
      script: |
        echo "$(ZSCALER_CA_CERT)" | base64 -d > zscaler.crt
        export NODE_EXTRA_CA_CERTS=$(pwd)/zscaler.crt
        # Propagate the variable to the following tasks
        echo "##vso[task.setvariable variable=NODE_EXTRA_CA_CERTS]$(pwd)/zscaler.crt"

  - task: Npm@1
    displayName: 'npm install'
    inputs:
      command: 'install'

6. Troubleshooting Guide

Common Issues and Solutions

Issue                                   | Cause                                       | Solution
npm install fails                       | SSL certificate error due to SSL inspection | Set NODE_EXTRA_CA_CERTS, or npm config set strict-ssl false (deprecated)
Docker pull is slow                     | Downloading images via Zscaler              | Exclude Docker Hub domains from inspection
Git clone fails                         | SSL certificate verification error          | Specify certificate path in Git config: git config --global http.sslCAInfo /path/to/cert.crt
Connection error during API development | Local API server going through proxy        | Add localhost to no-proxy list
Kubernetes connection error             | kubectl going through proxy                 | Set NO_PROXY environment variable

Debug Commands

# Check proxy settings
echo $HTTP_PROXY
echo $HTTPS_PROXY
echo $NO_PROXY

# Check certificate chain
openssl s_client -connect registry.npmjs.org:443 -showcerts

# Show the global HTTPS agent options in Node.js (NODE_EXTRA_CA_CERTS is applied at startup and is not listed here)
node -e "console.log(require('https').globalAgent.options)"

# Connection test with Curl
curl -v --proxy http://zscaler-proxy:80 https://api.github.com

7. Documentation for Developers

Prepare the following documents within the organization to help developers work smoothly in the Zscaler environment:

  • Setup Guide: Certificate installation procedures
  • Troubleshooting FAQ: Common issues and solutions
  • Exclusion List: List of domains excluded from SSL inspection
  • Support Contact: Contact information for issues

8. Performance Optimization

# Zscaler Client Connector Configuration Optimization
client_connector_config:
  # Enable local cache
  enable_cache: true
  cache_size_mb: 500

  # Split tunneling
  split_tunnel:
    enabled: true
    exclude_domains:
      - "*.local"
      - "*.internal.company.com"
      - "localhost"

  # Bandwidth control
  bandwidth_control:
    limit_mbps: 0      # Unlimited
    priority: "high"   # Prioritize developer traffic

9. Balancing Security and Productivity

Recommended Approach:

  1. Phased Deployment: Start with developer groups and collect feedback
  2. Flexible Policies: Create dedicated policies for development environments
  3. Regular Reviews: Review exclusion lists and policies quarterly
  4. Listen to Developers: Establish feedback channels
  5. Continuous Improvement: Monitor performance metrics

Summary

Zscaler is a comprehensive cloud security platform for realizing modern Zero Trust security architectures. As remote work spreads and cloud migration accelerates, it supports the departure from traditional perimeter defense security models and provides safer and more efficient network access.