Skip to main content

Search

How can we help ?

How to Deploy Cloudi-Fi Captive Portal into an Existing Zscaler Tenant - Option Location Only

Alexandre de THOMASSON
  • Updated

This documentation provides step-by-step instructions for setting up the Cloudi-Fi Captive portal with an existing Zscaler tenant using the Location Only integration

                                                            

Overview

The Cloudi-Fi Captive portal is configured into an existing Zscaler tenant, utilizing GRE/IPSEC tunnels. The guest network(s) should be routed into these tunnels.

With the Location Only option, the Zscaler configuration is partially synchronized with Cloudi-Fi, as opposed to a Full setup. However, the Zscaler configuration can be completed in just a few steps outlined below.

 

Key Information to Share with Cloudi-fi Support Team

Attribute Value Where?
Cloudi-fi Guest domain To share Go to Step 2: Add a Cloudi-Fi Guest domain to Zscaler account

Company ID

Name

Domains

 To share Go to Step 4: Provide your Zscaler account information
IDP ID To share Go to Step 1.1: Create Cloudi-Fi Identity Provider

 

 

Prerequisites

Step 1: Authentication check

Before proceeding, verify the following settings to avoid conflicts with Cloudi-Fi integration, especially related to Multiple Authentication Domains:

  1. Go to Zscaler Admin interface > Administrations > Authentications > Authentications Settings > Authentication Profiles
    • User Repository Type: Must be set as Hosted DB
    • User Authentication Type: Must be set as SAML
  2. Go to Zscaler Admin interface > Administrations > Authentications > Authentications Settings > Identify Providers
    • The login attribute returned by your existing Identity Provider (IdP) must be unique and in the form of an email address (e.g., user@my-company.com)
    • If the login attribute only returns a username without a domain, Zscaler cannot perform authentications on multiple domains. For example, the ADFS Attribute sAMAccountName only returns a username without a domain

Step 2: Add a Cloudi-Fi Guest domain to Zscaler account

To add a Cloudi-Fi Guest domain to your Zscaler account, you are required to submit a ticket and furnish the following details:

  1. The domain name provided by the Cloudi-Fi team (e.g., your-company.cloudi-fi.net)
  2. Make sure to include the following information in the ticket:
    • Orange: Your Zscaler Company ID
    • Purple: The authentication domain to be added
    • Blue: Your company name

Step 3: Check Subscriptions

In order to perform the Location Only integration, it is necessary to ensure that the following features are activated.

  1. Z_API:
    • Go to your Zscaler Admin interface > Administration > Company Profile > Subscriptions
    • Ensure that the Z_API subscription is activated. If not activated, submit a ticket to Zscaler support

  2. IP_Surrogate:
    • Check if "Enable Internal IP Features" is enabled. If not, submit a ticket to Zscaler support

Step 4: Provide your Zscaler account information

Copy/Paste the following information from your Zscaler Admin interface > Administration > Company Profile:

  • Company ID
  • Name
  • Domains

 

Instructions

Step 1: Zscaler configuration

Step 1.1: Create Cloudi-Fi Identity Provider

  1. Access the Zscaler Admin interface: Go to Authentication > Authentication Settings > Identity Provider.

  2. Add Identity Provider:

    • General Info:

      • Name: Enter the name of your IDP
      • Status: Ensure it is set to Enabled
      • SAML Portal URL:   
        https://login.cloudi-fi.net/start/ch/************/sp/spzscaler.net

        • *****  is your Cloudi-fi public key (Go to your Cloudi-fi Admin interface > Settings > Company Account)
        •  *****  is your Entity id. (zscaler.net or zscloud.net or zscalerthree.net, etc.)
      • Login Name Attribute: Set it to "token"
      • Org-Specific Entity ID: Keep it disabled
      • IdP SAML Certificate: Provide the certificate (Available here)

    • Vendor: Specify the vendor (Any)

    • Criteria:

      • Location: Set it to "None"
      • Authentication domain: Enter the domain provided in step 2 (your-company.cloudi-fi.net)

    • Service Provider (SP) options:

      • Sign SAML Request: Keep it turned off (OFF)

    • Provisioning options:

      • Enable SAML Auto-provisioning: Turn it on (ON)
      • User Display Name Attribute: Set it to "token"
      • Group Name Attribute: Set it to "profile"
      • Department Name Attribute: Set it to "profile"
      • Enable SCIM Provisioning: Keep it turned off (OFF)

  3. Save the settings

 

 

Save the ID assigned to Cloudi-Fi IDP and share it with the Cloudi-Fi team.

 

 

Step 1.2: Creating Cloudi-Fi Custom URL Categories

To create custom URL categories in Cloudi-Fi, follow these steps:

  1. Go to your Zscaler Admin interface and navigate to Administration > Access Control > URL Categories > Add URL Category.

  2. Create the following three custom categories:

 

Category 1: Cloudi-Fi Portal URL

This category contains all URLs to be whitelisted to display our captive portal correctly:

.cloudi-fi.net
.cloudi-fi.com
login.cloudi-fi.net
login-cn.cloudi-fi.net
www.cloudi-fi.com

 

Category 2: Cloudi-Fi Connectivity Check URL

This category contains all the URLs used by guests' devices to detect the presence of a captive portal.

Add the following custom URLs and custom keywords:


Custom URLs

captive.apple.com
clients3.google.com/generate_204
connectivity-check.ubuntu.com
connectivitycheck.gstatic.com/generate_204
detectportal.firefox.com
network-test.debian.org
www.apple.com/library/test/success.html
www.google.com/blank.html
www.msftconnecttest.com
www.msftncsi.com

Custom Keywords

/generate_204
/gen_204

 

Category 3: Cloudi-fi Apple Check URL

This category contains all the URLs used by guests’ devices to detect the presence of a captive portal (only for Apple devices).
Below are the Custom URL and Custom Key Words to be added :

 

Custom URLs:

captive.apple.com
www.apple.com/library/test/success.html

 

Step 1.3: Create an Authentication Bypass

To avoid visitors being redirected to your Authentication IdP, we have set up a bypass for the previously created URL Categories (Cloudi-Fi Connectivity Check URL, Cloudi-fi Portal).

  1. Go to your Zscaler Admin interface > Administration > Cloud Configuration > Advanced Settings.

  2. In the Authentication Exemptions section, add the two custom categories.

  3. In the Policy for unauthenticated traffic, select Enabled.

Zscaler administration - enable policy for Unauthenticated Traffic

Note: If this option was originally disabled in your account, you will need to enable it and add an additional URL policy rule when creating Cloudi-Fi policy rules in the next section (see Rule 7 (optional) - Allow Unauthenticated Traffic).

 

Step 1.4: Dynamic group for Cloudi-Fi location(s)

To streamline the management of guest rules, logs, and policies within your Zscaler account, you can utilize Zscaler Dynamic groups. This will simplify the process of including new Cloud-fi locations or areas with disabled authentication in a specific group.

Follow these steps:

  1. Go to your Zscaler Admin interface > Administration > Location Management > Location Groups > Add Dynamic Group

  2. Configure the dynamic group for Cloudi-Fi location(s) in the Zscaler admin portal

  3. Save the settings

     

     

     

    Zscaler admin portal - Dynamic group for Cloudi-Fi location(s)

 

By creating this dynamic group, any new guest location will automatically be included in the "CLOUDIFI" group. This will ensure that the location is added to relevant policy rules, reports, and logs, while keeping the data and configuration separate from corporate traffic.

 

Step 1.5: URL filtering policies for guests

Configure the following set of rules to achieve the following objectives:

  1. Redirect guests to the captive portal
  2. Allow authenticated users to browse the Internet
  3. Prevent access to forbidden categories

To set up the Cloudi-Fi Captive portal with an existing Zscaler tenant using the Location Only integration:

  1. Go to your Zscaler Admin interface
  2. Navigate to Policy > Access Control > URL & Cloud App Control
  3. Create the following rules:

Rule 1: Apple captive portal URL

URL Filtering Rule

  • Rule Name: for instance Apple Captive Portal 
  • Rule status: enabled

Criteria

  • URL categories: Cloudi-fi Apple Check URL
  • Department: Unauthenticated Transactions
  • Request Methods: CONNECT, DELETE, GET, HEAD, OPTIONS, OTHER, POST, PUT, TRACE, 
  • Time: Always
  • Location Group: CLOUDIFI
  • Web Traffic: Block
  • Allow override: OFF
  • Redirect URL
https://login.cloudi-fi.net/start/ch/************/sp/spzscaler.net?source=transient
    • *****  is your Cloudi-fi public key (Go to your Cloudi-fi Admin interface > Settings > Company Account)
    •  *****  is your Entity ID (zscaler.net or zscloud.net or zscalerthree.net or etc.)

And Save

 

Rule 2: Walled Garden

URL Filtering Rule

  • Rule Name: for instance, Walled Garden
  • Rule status: enabled

Criteria

  • URL categories: Cloudi-fi Apple Check URL, Cloudi-fi Portal
  • Request Methods: CONNECT, DELETE, GET, HEAD, OPTIONS, OTHER, POST, PUT, TRACE, 
  • Time: Always
  • Location Group: CLOUDIFI

Action

  • Web Traffic: Allow

And Save

 

Rule 3: Cloudi-fi redirection

URL Filtering Rule

  • Rule Name: for instance, Cloudi-fi Redirection
  • Rule status: enabled

Criteria

  • Department: Unauthenticated Transactions, Wallguard(*)
  • Request Methods: CONNECT, DELETE, GET, HEAD, OPTIONS, OTHER, POST, PUT, TRACE, 
  • Time: Always
  • Location Group: CLOUDIFI

Action

  • Web Traffic: Block
  • Allow override: OFF
  • Redirect URL
https://login.cloudi-fi.net/start/ch/************/sp/spzscaler.net
    • *****  is your Cloudi-fi public key (Go to your Cloudi-fi Admin interface > Settings > Company Account)
    •  *****  is your Entity ID (zscaler.net or zscloud.net or zscalerthree.net, etc)

And Save

 

(*) the Wallguard Department will be available after your first test of authentications. It cannot be created manually, so you will have to update this rule after your first tests.

 

Rule 4: Denied Categories

URL Filtering Rule

  • Rule Name: for instance, Denied Categories
  • Rule status: enabled

Criteria

  • URL Categories: add the categories you want to block for your Guests. For instance: Adult Sex Education, Adult Theme, Nudity, etc.
  • Request Methods: CONNECT, DELETE, GET, HEAD, OPTIONS, OTHER, POST, PUT, TRACE, 
  • Time: Always
  • Location Group: CLOUDIFI

Action

  • Web Traffic: Block
  • Allow override: OFF
  • Redirect URL
https://login.cloudi-fi.net/eun.php

And Save

 

Rule 5: Department Allow

URL Filtering Rule

  • Rule Name: for instance, Department Allow
  • Rule status: enabled

Criteria

  • Department: Guest, etc. (*)
  • Request Methods: CONNECT, DELETE, GET, HEAD, OPTIONS, OTHER, POST, PUT, TRACE, 
  • Time: Always
  • Location Group: CLOUDIFI

Action

  • Web Traffic: Allow
  • Allow override: OFF
  • Redirect URL

(*) The department here will be the Guest profiles you will create in Cloudi-fi > Users > Profiles. These Departments will be available after your first test of authentications. It cannot be created manually, so you will have to update this rule after your first tests.

 

Rule 6: Block (default)

URL Filtering Rule

  • Rule Name: for instance, Block
  • Rule status: enabled

Criteria

  • Request Methods: CONNECT, DELETE, GET, HEAD, OPTIONS, OTHER, POST, PUT, TRACE, 
  • Time: Always
  • Location Group: CLOUDIFI

Action

  • Web Traffic: Block
  • Allow override: OFF
  • Redirect URL
https://login.cloudi-fi.net/eun.php

And Save

 

Rule 7 (optional) - Allow Unauthenticated Traffic

If the option "Enable Policy for Unauthenticated Traffic" was initially disabled in Advanced Settings (see Step 1.3: Create an Authentication Bypass ), add the following rule at the end of Cloudi-Fi rules:

 

URL Filtering Rule

  • Rule Name: for instance, Allow Unauthenticated Traffic 
  • Rule status: enabled

Criteria

  • Department: Unauthenticated Transactions
  • Request Methods: CONNECT, DELETE, GET, HEAD, OPTIONS, OTHER, POST, PUT, TRACE, 
  • Time: Always

Action

  • Web Traffic: Allow

 

Step 1.6: Create the Guest Firewall policy rules

It is recommended to configure these rules at the beginning of your Firewall Policy.

Go to your Zscaler Admin interface > Policy > Firewall control and and create the following rules:

Zscaler admin portal - Configure Guest Firewall policy rules

 

Rule 1: Allow Web Guest locations

Firewall Filtering Rule

  • Rule Name: for instance, Allow Web Guest locations
  • Rule status: enabled

Who, Where, When

  • Criteria
    • Location Group: CLOUDIFI
  • Action
    • Network traffic: Allow

Services

  • Criteria
    • Network Services: DNS, HTTP, HTTP Proxy, HTTPS
  • Action
    • Network traffic: Allow

And Save

 

Rule 2: Deny all Guest

Firewall Filtering Rule

  • Rule Name: for instance, Deny All Guests
  • Rule status: enabled

Who, Where, When

Criteria

  • Location Group: CLOUDIFI

Action

  • Network traffic: Block

And Save

 

Step 1.7: Create your Guest location/sub-location

You have the flexibility to create either a location (dedicated VPN tunnel for Guest traffic) or sub-locations (reuse an existing location and define the Guest private IP range).

  1. Go to your Zscaler Admin interface and navigate to Administration > Location Management > Locations

  2. For a new location: Create a new location

  3. For a sub-location: If you want to reuse an existing location, select the location and click on the icon located on the right side to add Sub-location.

     

     

  4. Configure the settings for your guest location:

  • Name: Make sure the name matches the condition of your Cloudi-Fi dynamic group
  • Enforce Authentication: ON
  • Enable IP Surrogate: ON
  • Enable IP Surrogate for known Browsers: ON
  • Enforce Firewall Control: ON
  • Idle Time to Disassociation:Set this value to match the Cloudi-Fi lifetime session. Refer to your Cloudi-Fi Admin interface under Portals > Template > Session Lifetime for the correct value
  • Refresh Time for re-validation of Surrogacy: Set this value to match the Cloudi-Fi lifetime session. Refer to your Cloudi-Fi Admin interface under Portals > Template > Session Lifetime for the correct value

 

Step 2: Synchronization between Cloudi-fi and Zscaler

To ensure seamless integration between your Cloudi-fi and Zscaler tenants, follow these steps:

Step 2.1: Creation/Collection of API Key

Access your Zscaler Admin interface and navigate to Administration > Authentication > Cloud Service API Security. Create or collect the API key from this section.

Step 2.2: Creation of an Admin account

  1. In the Zscaler Admin interface, go to Administration > Authentication > Administrator Management > Administrators. Click on "Add Administrators" to create a new admin account.

  2. Specify the following details for the admin account:

    • Login ID: For instance provisioning.api@your-company.cloudi-fi.net. This should match the domain provided in 0.2 when adding a Cloudi-Fi Guest domain to your Zscaler account
    • Role: Select "Super Admin" for the admin role
    • Password-Based Login: Enable this option and set a password. Ensure that the Zscaler password matches the password used in Cloudi-fi

  3. Save the settings

 

Step 2.3: Synchronize your Cloudi-fi tenant with your Zscaler tenant

  1. Access your Cloudi-fi Admin interface and navigate to Configurations > Integrations > Zscaler. Enable the Zscaler integration

  2. Fill in the following details:
  3. Click on "Connect" to establish the synchronization between Cloudi-fi and Zscaler

Troubleshooting

Once you have completed the configuration steps, you are now ready to start using the Cloudi-fi captive portal solution. If you encounter any issues or have any questions, please do not hesitate to reach out to our Support team.

Additionally, you can consult the Cloudi-Fi and Zscaler Troubleshooting guide for further assistance.

What’s Next?

For more information about our solutions integrated with Zscaler, including a how-to video and a comprehensive solution brief, please visit our partner page.