Describes how to add guest security into an existing Zscaler ZIA tenant
Zscaler deployment into an existing tenant with the Cloudi-Fi captive portal:
The Cloudi-Fi captive portal is configured in an existing Zscaler tenant, reusing the existing GRE/IPsec tunnels. The guest source network(s) must be routed into these tunnels.
Zscaler security policies: quota, time, and duration can be configured for each profile
Guests can be profiled based on how they authenticate in the captive portal. Daily guests, consultants, employees, and directory groups can all have different policies in Zscaler. Security policies, as well as quota, time, and duration limits, can be configured for each profile.
Manage compliance for your captive portal deployed on Zscaler:
In many countries, Internet logs must be retained for a specific duration and be attributable to a user. To process a government request, the authentication logs and the Internet logs must be correlated. All logs are hosted in the cloud: authentication logs (in Cloudi-Fi) and pseudonymized Internet logs (in Zscaler) can be correlated in the Cloudi-Fi administration interface, in the Visits menu. Access to this menu should be restricted to a few administrators with administration profiles.
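The correlation described above depends on one detail of this setup: Zscaler only ever logs the pseudonymous "token" that the captive portal sends as the SAML login name, so a web log line can be attributed to a guest only by joining on the token and the session's validity window. The following added example (not Cloudi-Fi or Zscaler code) models that join on constructed sample data; the record layouts, token format and the fact that a token may be reissued later are assumptions made for illustration.

```python
"""Correlate captive-portal authentication records with pseudonymized web logs.
Constructed sample data and a simplified model of the join, not the product's implementation."""
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class AuthRecord:
    token: str          # pseudonym sent as the SAML "token" attribute; Zscaler logs it as the user
    identity: str       # identity collected by the captive portal (assumed e-mail form)
    profile: str        # mapped to Zscaler group/department via the "profile" attribute
    start: datetime     # session start
    end: datetime       # session expiry (the Cloudi-Fi session lifetime)

@dataclass(frozen=True)
class WebLog:
    ts: datetime
    login: str          # pseudonymized user as it appears in the Zscaler web log
    url: str
    action: str

# Constructed sample: the same token is handed to two different guests on two different days.
T0 = datetime(2024, 3, 4, 8, 0)
AUTH = [
    AuthRecord("tok-7f3a", "alice@example.com", "daily-guest", T0, T0 + timedelta(hours=8)),
    AuthRecord("tok-7f3a", "bob@example.com", "daily-guest", T0 + timedelta(days=1), T0 + timedelta(days=1, hours=8)),
    AuthRecord("tok-91c2", "carol@example.com", "consultant", T0, T0 + timedelta(days=7)),
]
WEBLOGS = [
    WebLog(T0 + timedelta(hours=1), "tok-7f3a", "https://news.example.org/", "Allowed"),
    WebLog(T0 + timedelta(days=1, hours=2), "tok-7f3a", "https://files.example.net/", "Blocked"),
    WebLog(T0 + timedelta(hours=9), "tok-7f3a", "https://late.example.org/", "Allowed"),  # no live session
    WebLog(T0 + timedelta(days=3), "tok-91c2", "https://tools.example.com/", "Allowed"),
]

def resolve(token, ts, auth=AUTH):
    """Return the identity whose session held `token` at time `ts`, or None if no session covers it."""
    for rec in auth:
        if rec.token == token and rec.start <= ts < rec.end:
            return rec.identity
    return None

def correlate(weblogs=WEBLOGS, auth=AUTH):
    """Attach the resolved identity to every web log line (None when the token had no live session)."""
    return [(w.ts, resolve(w.login, w.ts, auth), w.url, w.action) for w in weblogs]

def activity_for(identity, since, until, weblogs=WEBLOGS, auth=AUTH):
    """Answer a lawful request: web log lines attributable to `identity` within [since, until)."""
    return [row for row in correlate(weblogs, auth)
            if row[1] == identity and since <= row[0] < until]
```

The third sample line shows why the time window matters: the token is known, but no session covers the timestamp, so the line cannot be attributed to anyone and must not be assigned to the token's previous holder.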
Zscaler configuration:
Unlike a setup with a dedicated Zscaler tenant, the Zscaler configuration is not synchronized with Cloudi-Fi. It is, however, done in a few steps, described below.
0) Prerequisites for eligibility
Some tenant settings may conflict with the Cloudi-Fi integration, especially the capability to use multiple authentication domains.
Below are the settings to be verified:
Administration > Authentication Settings:
- User Repository Type: Must be Hosted DB
- User Authentication Type: Must be SAML
Login attribute of your existing IdP:
The login attribute returned by your existing Identity Provider (IdP) must be unique and in the form of an email address.
Example: user@my-company.com
If it returns only a username without any domain, Zscaler cannot perform authentication on multiple domains.
Example: The ADFS attribute sAMAccountName returns only a username without a domain.
1) Provide your Zscaler account information
Go to your Zscaler Admin interface: Administration > Company Profile
Copy/paste the following information:
- Company ID
- Name
- Domains
- Cloudi-Fi IdP ID, when available
2) Add a Cloudi-Fi guest domain to your Zscaler account
Submit a ticket to Zscaler support to add the Cloudi-Fi authentication domain. The domain name is provided by the Cloudi-Fi team.
Example: your-company.cloudi-fi.net
3) Create the Cloudi-Fi Identity Provider
Go to Administration > Authentication Settings > Identity Provider tab
Add Identity Provider:
- IdP SAML Certificate: Available here
- SAML Portal URL: Provided by the Cloudi-Fi team
- Login Name Attribute: token
- Location: None
- Domain: Cloudi-Fi dedicated domain
- Auto-provisioning: ON
- User Display Name Attribute: token
- Group Name Attribute: profile
- Department Name Attribute: profile
- Save

Save the ID assigned to the Cloudi-Fi IdP and share it with the Cloudi-Fi team.
4) Create the Cloudi-Fi custom URL categories
Go to Administration > URL Categories > Add URL Category.
Two custom categories need to be created:
- Cloudi-Fi Portal URL: This category contains all URLs that must be whitelisted so that the captive portal displays correctly:
.cloudi-fi.net
.cloudi-fi.com
- Cloudi-Fi Connectivity Check URL: This category contains the URLs used by guests' devices to detect the presence of a captive portal.
Below are the Custom URLs and Custom Keywords to be added:
- Custom URLs:
captive.apple.com
www.apple.com/library/test/success.html
detectportal.firefox.com
www.msftconnecttest.com
www.msftncsi.com
- Custom Keywords:
/generate_204
/gen_204
5) Create an authentication bypass
To prevent visitors from being redirected to your corporate authentication IdP, configure a bypass for the two URL categories created in the previous step.
Go to Administration > Advanced Settings:
- In the Authentication Exemptions section, add the two custom categories.
- Enable Policy for Unauthenticated Traffic: Enabled

Note: If this option was initially disabled in your account, an additional URL policy rule must be added when you create the Cloudi-Fi policy rules in the next section.
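Because these two categories are what keeps an unauthenticated guest's first requests from being redirected to the corporate IdP, it is worth checking which requests they actually cover. The following added example (not Cloudi-Fi or Zscaler code) classifies request URLs against the entries from step 4 using a simplified match model that is an assumption, not Zscaler's documented semantics: a leading-dot entry matches the domain and all its subdomains, a host entry matches every path on that host, a host/path entry matches that path prefix only, and a keyword matches anywhere in the URL.

```python
"""Classify request URLs against the two custom categories from steps 4 and 5.
Simplified matching model (assumption); the entries themselves are the ones listed in step 4."""
from urllib.parse import urlsplit

PORTAL_URLS = [".cloudi-fi.net", ".cloudi-fi.com"]
CONNECTIVITY_URLS = [
    "captive.apple.com",
    "www.apple.com/library/test/success.html",
    "detectportal.firefox.com",
    "www.msftconnecttest.com",
    "www.msftncsi.com",
]
CONNECTIVITY_KEYWORDS = ["/generate_204", "/gen_204"]

PORTAL = "Cloudi-Fi Portal URL"
CONNECTIVITY = "Cloudi-Fi Connectivity Check URL"

def _matches_url_entry(entry, host, path):
    """Match one Custom URL entry against a request host and path."""
    if entry.startswith("."):
        # Leading dot: the domain itself and any subdomain, but not look-alike hosts
        # such as "evil-cloudi-fi.net", which lack the separating dot.
        domain = entry[1:]
        return host == domain or host.endswith("." + domain)
    entry_host, _, entry_path = entry.partition("/")
    if host != entry_host:
        return False
    # A bare host entry covers every path; a host/path entry covers that path prefix only.
    return not entry_path or path.startswith("/" + entry_path)

def categorize(url):
    """Return the custom category a request URL falls into, or None if it hits neither."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    if any(_matches_url_entry(e, host, path) for e in PORTAL_URLS):
        return PORTAL
    if any(_matches_url_entry(e, host, path) for e in CONNECTIVITY_URLS):
        return CONNECTIVITY
    if any(k in host + path for k in CONNECTIVITY_KEYWORDS):
        return CONNECTIVITY
    return None

def auth_exempt(url):
    """True when the request would fall under the Authentication Exemptions of step 5."""
    return categorize(url) is not None
```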
6) URL filtering policies for guests
Configure this bundle of rules to redirect your guests to the captive portal, allow authenticated users to browse the Internet, and prevent them from accessing forbidden categories.
The Cloudi-Fi team can help you create these rules.
Thanks to dynamic groups, you do not need to update these rules every time you deploy a new guest location (more information in the next section).

Note: If the option Enable Policy for Unauthenticated Traffic was disabled in Advanced Settings (see the previous section), you must add the following rule at the end of the Cloudi-Fi rules:

7) Dynamic group for Cloudi-Fi location(s)
A Zscaler dynamic location group can be leveraged to simplify the management of guest rules, logs, and policies in an existing Zscaler account.
Define a condition for your guest locations: go to Administration > Location Management > Location Groups tab > Create New.
The condition dynamically places any new location whose name contains Guest in this group. Alternatively, the condition can select all locations with authentication disabled.
From then on, any new guest location automatically belongs to the group "CLOUDIFI". It is therefore automatically covered by the policy rules, reports, and logs, and the guest data and configuration stay segregated from the corporate traffic (see section 9 for more information).
8) Create your guest location/sub-location
You can create a location (dedicated VPN tunnel for guest traffic) or a sub-location (reuse an existing location and define the guest private IP range).
Go to Administration > Location Management
- For a new location: Create a new Location
- For a sub-location: Select an existing location and click on this icon on the right.
How to configure your guest location:
- Name: Must match the condition of your Cloudi-Fi dynamic group
- Enforce Authentication: ON
- Enable IP Surrogate (both options): Timers should be equal to the Cloudi-Fi session lifetime
- Enforce Firewall Control: ON
9) Create the guest Firewall policy rules
Note: We recommend placing these rules at the beginning of your Firewall Policy.
Go to Policy > Firewall Control.
10) Administration and reporting
Administrators can restrict their scope to the dynamic location group and only see guest (or non-guest) data.

Alternatively, an administrator with full access can build specific reports, insights, and log views for guest (or, by extension, non-guest) data.
Custom reports built for guests only.

Custom log search

You can learn more about our solutions integrated with Zscaler, a how-to video, and a full solution brief on our partner page here.