Configuring Zscaler Internet Security


Products Supported: Series 3. Click here to identify your router.

Firmware Version: 5.3.0 - for information on upgrading firmware, click here.

Firmware version 6.0 has been released and introduces a vastly improved GUI for all current Series 3 routers.  Cradlepoint has created new Knowledge Base articles with updated screen shots and instructions for the new GUI layout.  As a result, this article has received its final update.  To view the version of this Knowledge Base article for Firmware 6.0 and Later please click here.



Summary

This document covers the steps and necessary guidelines to enable Cradlepoint Routers with Zscaler Internet Security.

This integration guide is to be used in addition to the Zscaler Internet Security and Cradlepoint configuration guides. Please work with the respective company’s sales and support engineers should you need further assistance.

Technology Integration between: Cradlepoint Routers (All routers & software versions supported) and Zscaler Internet Security

Solution Components

Businesses are undergoing transformation brought on by the consumerization of mobile devices and cloud applications. Zscaler has transformed the enterprise IT security market with a cloud-based solution built from the ground up that enables enterprises to embrace innovation securely, while delivering a superior user experience. Zscaler Internet Security extends this radical security architecture to businesses of all sizes so that with a few simple clicks, they too can enjoy the same peace of mind.

Zscaler Internet Security routes traffic by enforcing corporate policies and applying intelligence on the security posture of sites on the Internet. It is powered by DNS and integrates with Zscaler’s existing network of 100+ global proxy data centers. With a few simple clicks, a business can define their corporate policy in a web based user interface and change the DNS settings on their edge device to point to Zscaler Internet Security. The defined policies and security are instantly enforced and employees are safe to go about their business.

It blocks malicious content, enforces corporate browsing policies, and provides insights into the security posture of the organization. Configured in minutes, Zscaler Internet Security leverages the threat intelligence harnessed from the Zscaler cloud. Now any business, regardless of size, can connect to the Internet with confidence.

IMPORTANT NOTE: When the Zscaler functionality is enabled within a Cradlepoint router, the Cradlepoint will modify the EDNS portion of the packets in compliance with RFC 6891 in order to allow Zscaler to apply their filtering service to each LAN behind the Cradlepoint. Currently, we have seen some very specific servers lack the ability to route packets when a packet's EDNS field has been modified. Please make sure your server can handle this type of traffic before purchasing the full product.
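To make the note above concrete, the following added example (not Cradlepoint or Zscaler code) builds the same DNS query with and without an EDNS0 OPT record as laid out in RFC 6891, and parses the OPT record back out of raw DNS message bytes. The option code 65001 and its payload are constructed placeholders from the RFC 6891 local/experimental range; the page does not say which option the router actually inserts.

```python
import struct

# Constructed placeholder option (code 65001 is in the local/experimental range).
# The option the router really adds is not documented on this page.
SAMPLE_OPTION = (65001, b"lan-1")

def encode_name(name):
    parts = name.rstrip(".").split(".")
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in parts) + b"\x00"

def build_query(name, options=None, qid=0x1234, udp_size=1232):
    """DNS A query; when options is a list, append an EDNS0 OPT record."""
    header = struct.pack("!6H", qid, 0x0100, 1, 0, 0, 0 if options is None else 1)
    msg = header + encode_name(name) + struct.pack("!HH", 1, 1)
    if options is not None:
        rdata = b"".join(struct.pack("!HH", c, len(d)) + d for c, d in options)
        # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL = ext. flags
        msg += b"\x00" + struct.pack("!HHIH", 41, udp_size, 0, len(rdata)) + rdata
    return msg

def skip_name(msg, off):
    """Return the offset just past the domain name starting at off."""
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:      # a compression pointer ends the name
            return off + 2
        off += 1 + msg[off]
    return off + 1

def parse_edns(msg):
    """Return {'udp_size', 'options'} for the OPT record, or None if absent."""
    qd, an, ns, ar = struct.unpack("!4H", msg[4:12])
    off = 12
    for _ in range(qd):                  # skip question entries (name + 4 bytes)
        off = skip_name(msg, off) + 4
    for _ in range(an + ns + ar):        # walk every resource record
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata = msg[off + 10:off + 10 + rdlen]
        off += 10 + rdlen
        if rtype == 41:                  # OPT pseudo-record
            opts, p = [], 0
            while p + 4 <= len(rdata):
                code, length = struct.unpack("!HH", rdata[p:p + 4])
                opts.append((code, rdata[p + 4:p + 4 + length]))
                p += 4 + length
            return {"udp_size": rclass, "options": opts}
    return None
```

Running `parse_edns` over the UDP payload of a DNS query captured upstream of the router shows which options your server will receive; sending the two `build_query` variants to a server you administer and comparing the replies tests whether it tolerates them.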


Configuration

Configuration Difficulty: Intermediate

Zscaler Internet Security Portal Configuration

Enabling Zscaler Internet Security on Cradlepoint routers requires an active subscription license. Please contact your sales rep. should you need assistance with that license.

  • Step 2: Sign in with your Zscaler Internet Security admin e-mail address and password. Click “Sign in”.
  • Step 3: On the top of the page choose the Administration tab and then Policies.

Policies: Add new or edit existing policies under the Administration tab at the top of the page. Configure Internet security settings by choosing one of the pre-defined policies, or choose “Custom” to build a custom bundle from the XX categories Zscaler has. You can also manage individual domains using “Always Allow” or “Always block”.

Create a new Policy: Click on the ‘+’ sign in the top right corner of the page.

  • The admin can choose from the pre-defined Strict, Moderate, Minimal, None or Custom policies.

  • The admin can also edit the existing pre-defined policies within the UI.

  • The admin can view the pre-defined policies by clicking ‘show categories’ and make changes if needed.

  • Threat security and Safe search features are turned ON by default.

  • Certain domains and categories can be configured to ‘Always allow’ or ‘Always block’. This bypasses the process, and the rule is applied to the category the moment the traffic is received.

  • Please provide a NAME for the new policy that you create. (This same name will be used to associate the created policy with a specified location for security.)

Locations: Add new or Edit existing locations under the Administration tab at the top of the screen.

Create a new location: Click on the ‘+’ sign in the top right corner of the page.

Fill in your Location name, description, Policy, and Zip code as the necessary fields. Then choose either "Static IP Address", "Dynamic IP Address" or "TLS Tunnel" depending on your need.

  • For "Dynamic IP Address" and "TLS Tunnel" you will need to create a Username and Password here for your router's configuration to use. This is a unique set of credentials for the router. However, the username must match the domain of your administrator's credentials. Example: If your administrator username is xxxx@cradlepoint.com, the username here must end with @cradlepoint.com.

NOTE: Unless there is a Policy name associated with the location, NO SECURITY policy will be applied to the traffic coming from that location. Be sure to create a policy first and then add it within the location to start protecting the location.

Configuring the Cradlepoint

Zscaler Internet Security

To enable Zscaler Internet Security, Cradlepoint routers redirect DNS queries to the Internet Security DNS servers.

Static IP

If you have a location in Zscaler configured for Static IP, you only need to configure the Cradlepoint DNS servers.

  • Step 1: Log into the router's Setup Page. For help with logging in please click here.
  • Step 2: Click on the Network Settings tab, then select DNS Settings from the sub-menu.
  • Step 3: Change the Mode to Static.
  • Step 4: Enter the IPs for Zscaler's Primary and Secondary DNS servers. Currently they are 8.34.34.34 and 8.35.35.35.
  • Step 5: Check Force All DNS Requests to Router to ensure every client will use Zscaler DNS for requests, then click Apply.

Dynamic DNS
  • Step 1: Log into the router's Setup Page. For help with logging in please click here.
  • Step 2: Click on the Network Settings tab, select Content Filtering from the sub-menu, then Cloud Based Filtering/Security.
  • Step 3: Under Cloud Provider choose Zscaler Internet Security.
  • Step 4: For Mode select DynDNS.
  • Step 5: Choose the connection failure option you prefer.
  • Step 6: Enter your Username and Password (these will be the same as the ones you entered in the Zscaler Location configuration), then click Apply.

Your client status should now be: Successfully logged in.

TLS Tunnel

This setting should be used if you have an RFC 1918 address on your WAN interface, or if your ISP requires use of their DNS servers.

  • Step 1: Log into the router's Setup Page. For help with logging in please click here.
  • Step 2: Click on the Network Settings tab, select Content Filtering from the sub-menu, then Cloud Based Filtering/Security.
  • Step 3: Under Cloud Provider choose Zscaler Internet Security.
  • Step 4: For Mode select TLS Tunnel.
  • Step 5: Choose the connection failure option you prefer.
  • Step 6: Enter your Site Authentication User name and Site Authentication Password (these will be the same as the ones you entered in the Zscaler Location configuration).
  • Step 7: Leave the remainder of the settings at their defaults and click Apply.

Your client status should now be: Successfully logged in.


Troubleshooting

Traffic not being sent to Zscaler:

Check if you have a publicly routable IP address … Public vs. Private IP Address. Ensure you are using the correct settings for your IP address type.

Make sure you added a policy to the location you are working on in the ‘Policy’ field.

Not filtering the websites I want to filter:

Check the ‘categories’ inside Zscaler. You may need to set a stricter policy or create a custom one.


Published Date: 12/11/2015
