NCOS: Configuring Zscaler Internet Security


Products Supported: AER2100, MBR1400v2, IBR11x0, IBR6x0. Click here to identify your router.

NCOS Version: 6.0.0 - for information on upgrading NCOS Versions, click here.


Quick Links

Summary

Configuring the Zscaler Portal

Configuring the Cradlepoint

Use Cases

Troubleshooting

Related Articles


Summary

This document covers the steps and necessary guidelines to enable Cradlepoint routers with Zscaler Internet Security.

Cradlepoint routers work with Zscaler by redirecting DNS queries to the Internet Security DNS Servers. Zscaler then blocks malicious content, enforces corporate browsing policies, and provides insights into the security posture of the organization.

Enabling Zscaler Internet Security on Cradlepoint routers requires an active subscription license.

IMPORTANT NOTE: When the Zscaler functionality is enabled within a Cradlepoint router, the Cradlepoint will modify the EDNS portion of DNS packets in compliance with RFC 6891 so that Zscaler can apply its filtering service to each LAN behind the Cradlepoint. Currently, we have seen some very specific servers lack the ability to route packets when a packet's EDNS field has been modified. Please make sure your server can handle this type of traffic before purchasing the full product.
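The note above asks you to confirm your DNS infrastructure copes with EDNS-bearing queries before enabling the feature. The following added Python script (not Cradlepoint's or Zscaler's code) builds an RFC 6891 EDNS0 query, sends it to a resolver you name, and reports whether the reply still carries the OPT pseudo-RR; the resolver address, the hostname and the sample reply used for offline testing are assumptions constructed for this example.

```python
import socket
import struct
OPT_TYPE = 41  # RFC 6891 OPT pseudo-RR type code

def encode_name(name):  # dotted hostname -> DNS wire-format labels
    labels = [bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".")]
    return b"".join(labels) + b"\x00"

def build_edns_query(name, txid=0x1234, udp_size=4096):
    """A recursive A query with one OPT RR in the additional section (EDNS0)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN
    # OPT: root name, TYPE=41, CLASS=UDP payload size, TTL=ext-RCODE/version/flags, RDLEN=0
    opt = b"\x00" + struct.pack(">HHIH", OPT_TYPE, udp_size, 0, 0)
    return header + question + opt

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name."""
    while msg[off] != 0 and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] & 0xC0 == 0xC0 else 1)

def response_has_opt(msg):
    """True if the message carries an OPT RR, i.e. the server answered with EDNS."""
    qd, an, ns, ar = struct.unpack(">HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        if rtype == OPT_TYPE:
            return True
        off += 10 + rdlen
    return False

def check_resolver(server, name="example.com", timeout=3.0):
    """Send the EDNS query over UDP/53 and report whether the reply kept OPT."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_edns_query(name), (server, 53))
        data, _ = s.recvfrom(4096)
    return response_has_opt(data)

def constructed_response(edns=True):
    """Constructed sample reply (not a real capture) for offline testing."""
    header = struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1 if edns else 0)
    question = encode_name("example.com") + struct.pack(">HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 60, 4) + socket.inet_aton("192.0.2.1")
    opt = b"\x00" + struct.pack(">HHIH", OPT_TYPE, 4096, 0, 0) if edns else b""
    return header + question + answer + opt
```

A resolver that times out or answers without the OPT record (check_resolver returns False) is one to test further before relying on Zscaler's EDNS-tagged queries through it.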


Configuration

Zscaler Internet Security Portal Configuration

Configuration Difficulty: Intermediate
  • Step 1: Open a web browser to access the admin portal: admin.zscalershift.net.
  • Step 2: Sign in with your Zscaler Internet Security admin e-mail address and password.

  • Step 3: On top of the page, choose the Administration tab, then Policies.

  • Step 4: Click on the [+] Add New Policy button at the top right to define a new policy. Alternatively, Edit an existing policy by clicking the pencil icon in the right-most column.

  • Step 5: Give the new policy a Name. This name will be used to associate the policy with a location later.
  • Step 6: Choose the Content Filter Type from predefined All, Strict, Moderate, or None categories, or define a Custom one.
    • Note: You can click Show Categories for Selected Policy Level to view exactly what is being blocked.

  • Step 7: (Optional) If necessary, toggle Threat Security, Safe Search, and SSL Inspection. By default, with the exception of SSL Inspection, these options are enabled.

  • Step 8: (Optional) Specify additional domains to always allow or block by selecting Custom Categories. Domains within these categories will bypass the normal review process and will immediately have the rule applied to them.

    • Note: Custom Categories must first be defined before they will show up in this list. This configuration is described in detail in the Custom Categories Use Case section below.
    • Note: the Always Block and Always Allow boxes are actually dropdown boxes that expand only after being clicked.

  • Step 9: (Optional) If you are configuring Multiple Policies for different LANs on your Cradlepoint router, change the Zscaler DNS Service IP Binding to a specific policy. For example, Policy 1 on the router corresponds to anycast-101 on Zscaler.
  • Step 10: Click Save.

  • Step 11: On top of the page, choose the Administration tab, then Locations.

  • Step 12: Click the [+] Add New Location button at the top right of the screen. Alternatively, Edit an existing location by clicking the pencil icon in the right-most column.

  • Step 13: Fill in your location Name. If desired, enter in a Description, Latitude, Longitude, and/or Zip Code.

  • Step 14: Select your Cradlepoint's Location Addressing type.
    • If you have a publicly routable static IP address, pick Static IP Address and just enter in your Cradlepoint's WAN IP address.
    • If you have a publicly routable dynamic IP address, or a NATed IP address, you will have to create a custom username and password for this location. These credentials have to be unique, but must utilize the same domain as your primary Zscaler administrator's username. For example, if your administrator username is abcd@cradlepoint.com, the username here must be something ending with @cradlepoint.com as well.
    • If you're not sure what IP address you have, pick TLS Tunnel or review this guide to try to figure it out.

  • Step 15: Select the policy created in Step 4 (or another policy of your choice).
    • Note: The policy field can be left blank, but in that case traffic from this location will not be filtered in any way.
  • Step 16: Click Save.

Configuring the Cradlepoint

Static IP AND Dynamic DNS

  • Step 3: Click on Networking tab, then select DNS Servers.
  • Step 4: Under DNS Settings, change the mode to Static.
  • Step 5: Enter the IPs for Zscaler's Primary and Secondary DNS servers. Currently they are 8.34.34.34 and 8.35.35.35.
  • Step 6: Check Force All DNS Requests to Router to ensure every client will use Zscaler DNS for requests, then click Apply.
  • Step 7: STATIC IP USERS ONLY: The setup is complete. Now you can log back into the Zscaler Portal and review your Dashboard to see what traffic is being analyzed.
  • Step 8: DYNAMIC DNS USERS ONLY: Continue onto step 9 under "Dynamic DNS Only".

Dynamic DNS Only

  • Step 9: Follow above steps to set the DNS settings to static. 
  • Step 10: Click on the Security tab, then Content Filtering, and finally select Cloud-Based Filtering.
  • Step 11: In the Cloud Provider drop-down, choose Zscaler Internet Security.
  • Step 12: For Mode select DynDNS.
  • Step 13: Choose the preferred connection failure option.
  • Step 14: Enter the location Username and Password.
    • Note: These will be the same credentials as the ones in the Zscaler Location configuration. These are NOT your actual Zscaler login credentials.
  • Step 15: Click Save.
  • Step 16: The setup is complete. The Zscaler Client Status will change to: Successfully logged in. Now you can log back into the Zscaler Portal and review your Dashboard to see what traffic is being analyzed.

TLS Tunnel

  • Step 3: Click on the Security tab, then Content Filtering, and finally select Cloud-Based Filtering.
  • Step 4: In the Cloud Provider drop-down, choose Zscaler Internet Security.
  • Step 5: For Mode select TLS Tunnel.
  • Step 6: Choose the preferred connection failure option.
  • Step 7: Enter your Site Authentication User Name and Site Authentication Password.
    • Note: These will be the same credentials as the ones in the Zscaler Location configuration. These are NOT your actual Zscaler login credentials.
  • Step 8: (Optional) If you are configuring different filter policies for multiple LANs, define them in the Zscaler Policy Tagging section. This configuration is described in detail in the Multiple Policies Use Case section below.
  • Step 9: Click Save.
  • Step 10: The setup is complete. The Zscaler Client Status will change to: Successfully logged in. Now you can log back into the Zscaler Portal and review your Dashboard to see what traffic is being analyzed.


Use Cases

Custom Filter Categories

Custom Filter Categories allow us to specify our own lists of domains to be allowed or blocked. These can be used in conjunction with Zscaler policies to provide exceptions to how certain traffic is handled (always allowed or blocked).

  • Step 1: Within the Zscaler portal, navigate to Administration>Categories>Custom Categories.

  • Step 2: Click the [+] New Custom Category button.
    • Note: Existing categories can be edited by clicking the pencil icon which becomes visible on the right while hovering over the category.

  • Step 3: Give your custom policy a Name and a description, then Save it.

  • Step 4: Click the Custom Categories tab at the top.
  • Step 5: Click the pencil icon to the right of the category name to edit it.

  • Step 6: Click the eye icon to specify the domains, or click Select File to upload a CSV file with multiple domain entries.

  • Step 7: Type in the desired domain, then click Add. Repeat for all desired domains, then click the [X] icon at the top right to close the Edit Domain window.
    • Note: Use a wildcard (*) to block all subdomains, such as www.x, beta.x, m.x, etc.

  • Step 8: Click Save.

This custom category is now ready for use for filter policies.

Multiple Policies Per Location

This use case describes how to set up multiple Zscaler policies on a Cradlepoint router. In this case we are setting up a Cradlepoint router to have two LANs with different filtering policies with custom categories.

Cradlepoint Configuration

  • Step 1: Build the LANs that will have the different policies assigned to them. To keep our naming scheme descriptive, we created the LANs to include their corresponding SSIDs in the name.

  • Step 2: Enter the Zscaler configurations within the Cloud-Based Filtering tab. Since we are defining the tagging policies in the Cradlepoint first, it doesn't matter which policy number we choose for each LAN, but we'll want to remember these for later, when we complete the configuration in the Zscaler Portal.

Zscaler Configuration

  • Step 1: (Optional) Define custom categories. This configuration is described in detail in the Custom Categories Use Case section above.
    • Note: This isn't necessary for multiple policy functionality, but this allows us to conveniently see that Zscaler has different policies.
  • Step 2: Define policies under Administration>Policies. In our example, we're naming the policies to match the Cradlepoint LANs. Note that Zscaler and Cradlepoint use slightly different naming conventions:

  • Step 2b: Since we previously assigned Desk LAN (SSID: JakesDesk) with Policy 1 in Cradlepoint, we now want to make sure that within Zscaler we assign the policy we named Desk LAN (SSID: JakesDesk) to anycast-101. And the same for Guest LAN (SSID: JakesGuest) and anycast-102.

  • Step 3: In our Desk LAN we define a custom filter and don’t use any custom categories:

  • Step 4: In our Guest LAN we use a Strict Filter and block the two custom Categories we created (Skiing and Mountain biking):

  • Step 5: Add the two policies to a location by going to Administration>Locations.

  • Step 6: The location will display all policies it is actively using.


Troubleshooting

Traffic not being sent to Zscaler

  • Check if you have a publicly routable IP address - Public vs. Private IP Address

  • Ensure you are using the correct settings for your IP address type.

  • Make sure you added a policy to the location you are working on in the 'Policy' field.

Not filtering the websites I want to filter

  • Check the categories inside Zscaler; you may need to set a stricter policy or create a custom one.

Related Articles/Links


Published Date: 07/14/2017


 