We are currently in the process of reviewing various secure web gateways. What we did was come up with a short list of vendors to review.
We then came up with a list of business requirements and put them into A and B groups. The A group is "must have" features, the B group is "nice to have."
- Centralized management of content filtering
- Active Directory or SAML supported
- SSL decryption inbound and outbound
- Policy stays with users onsite or offsite
- Little to low setup time
- If user is remote the traffic should not route back to the enterprise to go out to the internet
Based on the requirements (and the title of this post) we picked Zscaler. I will not talk about the marketecture of Zscaler and just jump into the setup.
Your account rep will provide a username and password for you to log in to the portal. After login, the first things to set up are the basic technical, billing and business contacts.
You then set up your authentication profile: either a hosted DB, Active Directory, or OpenLDAP. The AD setup has a simple setup wizard. Zscaler's setup wizard has a small client you install on a member server in your domain. After you install the client you enter some metadata found in the portal and it syncs your AD users and groups into the cloud. We opted for forms-based authentication to move the POC along and not introduce a SAML dependency. Forms-based authentication prompts the user for their enterprise email and AD password before allowing access to the web.
We next tackled the legal and IT operations side. Again Zscaler makes this pretty easy. We set the Acceptable Use Policy (AUP) to show up daily. The AUP is just another inline process to ensure the end users are accountable for where they go. Secondly, it is a subtle way for them to know "oh, something is watching me."
The one downside is that the URL used for the AUP has to be internet accessible. Some enterprises might not want to make their AUP public, so it will be a decision point for the executive team to make.
After the AUP is set up you will fill out the IT support and Caution Notification settings. Again Zscaler makes setting this up rather trivial. We picked the caution interval to show up every hour, along with some verbiage to display if you go to a website categorized as caution. The IT support data will show up if a user goes to a blocked or caution-flagged website.
The last thing for Part 1 is setting up SSL inspection. I have had enough experience with PKI and certificates to know how painful it can be. I was really surprised at how easy Zscaler had made the setup of SSL inspection. Please talk with your legal team prior to enabling SSL inspection. Based on general guidelines, we did not enable SSL inspection for any website Zscaler categorizes as Finance or Health. The risk of having health or financial data sitting in some log file is just a bit too high for me to recommend enabling it. Once that was set in the portal we downloaded the Zscaler root certificate. In an effort to move the POC forward we did not use a custom enterprise certificate. After we downloaded the Zscaler root certificate we deployed it via AD GPO to our test group.
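The root certificate deployment above is the step most likely to go wrong silently: if the certificate does not land in the machine's Trusted Root store, every decrypted site shows a certificate warning to the pilot user. The following PowerShell is an added example, not code from the original post or from Zscaler. It imports the downloaded root certificate on a single test machine (the same thing the GPO does under Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities), then verifies by thumbprint that it is present, both locally and on the pilot machines the GPO targets. The file path, the computer names and the subject text are assumptions; the Zscaler certificate you download will have its own subject and thumbprint.

```powershell
# Added example (not from the original post or Zscaler): import and verify the
# Zscaler root certificate on a test machine, then check the GPO rollout.
# Assumptions: the downloaded .crt is at C:\Temp\ZscalerRootCA.crt (hypothetical),
# this runs in an elevated PowerShell on Windows 8.1 / Server 2012 R2 or later
# (PKI module), and WinRM is enabled on the pilot machines for Invoke-Command.

$CertPath = 'C:\Temp\ZscalerRootCA.crt'   # hypothetical download location

# Load the certificate first so the thumbprint is recorded before anything trusts it.
# Only the public root certificate is distributed; no private key is involved.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
Write-Host "Subject    : $($cert.Subject)"
Write-Host "Thumbprint : $($cert.Thumbprint)"
Write-Host "Not after  : $($cert.NotAfter)"

# Import into the machine-wide Trusted Root store on this test box. Doing one
# machine by hand lets you confirm SSL inspection works before the GPO rollout.
Import-Certificate -FilePath $CertPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# Verify by thumbprint rather than by subject name: a name match could be
# satisfied by an unrelated certificate that happens to carry the same subject.
function Test-RootCertPresent {
    param([Parameter(Mandatory)][string]$Thumbprint)
    [bool](Get-ChildItem 'Cert:\LocalMachine\Root' |
        Where-Object { $_.Thumbprint -eq $Thumbprint })
}

if (Test-RootCertPresent -Thumbprint $cert.Thumbprint) {
    Write-Host "OK: root certificate present in LocalMachine\Root"
} else {
    Write-Warning "Root certificate NOT found in LocalMachine\Root"
}

# After the GPO is linked, run the same check on the pilot group's machines.
# The computer names below are constructed placeholders.
function Test-RootCertOnPilot {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [Parameter(Mandatory)][string]$Thumbprint
    )
    foreach ($c in $ComputerName) {
        try {
            $present = Invoke-Command -ComputerName $c -ArgumentList $Thumbprint -ScriptBlock {
                param($t)
                [bool](Get-ChildItem 'Cert:\LocalMachine\Root' | Where-Object { $_.Thumbprint -eq $t })
            }
            [pscustomobject]@{ Computer = $c; RootCertPresent = $present; Error = $null }
        } catch {
            # Unreachable hosts are reported rather than skipped, so a gap in the
            # pilot is visible instead of silently counted as "not checked".
            [pscustomobject]@{ Computer = $c; RootCertPresent = $false; Error = $_.Exception.Message }
        }
    }
}

$pilot = @('PILOT-WKS01', 'PILOT-WKS02', 'PILOT-WKS03')   # constructed names
Test-RootCertOnPilot -ComputerName $pilot -Thumbprint $cert.Thumbprint | Format-Table -AutoSize
```

Any pilot machine that reports RootCertPresent = False after a `gpupdate /force` is one where the GPO did not apply (wrong OU, WMI filter, or the machine has not rebooted), and those users will see certificate errors on every inspected site until it is fixed. Keeping the thumbprint from this run is also useful later: when the root certificate is rotated, the same check tells you which machines still trust only the old one.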
This concluded part 1 of my Zscaler review. Part 2 will be focused on how we deployed Zscaler to our pilot group.