ZIA Workshop Guide v9

Zscaler Internet Access Workshop

-Workshop Guide-

1
This Document is Proprietary. For any feedback or issue, please contact hamza.sahli@westcon.com.
Contents
How to Use This Guide ............................................................................................................................ 4
Activity 1: Understand and initiate Workshop environment .................................................................. 4
Task 1 – Log in to Your Workshop Environment ................................................................................. 4
Task 2 - Understand the Workshop Environment Setup..................................................................... 5
Activity 2 – Zscaler Internet Access Administration ................................................................................ 6
Task 1: Log into the Administrative Console ....................................................................................... 6
Task 2: Discover Security Features available on ZIA............................................................................ 8
Task 3: Enable SSL inspection for web traffic. ................................................................................... 12
Task 4: Add URL filtering Rule ........................................................................................................... 14
Task 5: Add a Cloud Application Control policy................................................................................. 15
Task 6: URL and Cloud App Control Advanced Policy Settings .......................................................... 18
Task 7: Configuring the Sandbox to prevent unknown attacks......................................................... 18
Task 8: Configuring Blocked Countries .............................................................................................. 20
Task 9: Configuring a DLP policy ........................................................................................................ 21
Task 10: Configuring a Cloud Browser Isolation policy ..................................................................... 25
Task 11: Activate Changes ................................................................................................................. 27
Activity 3 – Zscaler Client Connector Administration............................................................................ 29
Task 1: Configuring the Zscaler Client Connector ............................................................................. 29
Activity 4 – Enrolling your VM with Zscaler Client Connector............................................................... 32
Task 1: Confirm the user device is not using Zscaler ......................................................................... 32
Task 2: Install Zscaler Client Connector on your Windows virtual machine ..................................... 32
Task 3: Enroll Zscaler Client Connector ............................................................................................. 34
Task 4: Confirm device is using Zscaler ............................................................................................. 35
Activity 5 – Test your Policies ................................................................................................................ 36
SSL Inspection .................................................................................................................................... 36
Internet Access Control Policies ........................................................................................................ 36
Testing DLP Policy .............................................................................................................................. 37
Testing Threat Prevention ................................................................................................................. 38
Testing Cloud Browser Isolation policy ............................................................................................. 39
Activity 6 – Discover Reporting features ............................................................................................... 40
Task 1: Add a widget to the Web Overview dashboard .................................................................... 40
Task 2: View an Interactive Report.................................................................................................... 42
Task 3: Review the Zscaler web logs ................................................................................................. 44
Activity 7 – Discover Zscaler Cloud Access Security Broker (CASB)....................................................... 48
Task 1: Introduction on Zscaler CASB (SaaS Security API) ................................................................. 48

Inline security for data in motion .................................................................................................. 48
Out-of-band security for data at rest ............................................................................................ 48
Task 2: SaaS tenant Onboarding process on Zscaler ......................................................................... 48
Task 3: Discover SaaS Security API Configured Policies .................................................................... 50
Task 4: Examine Scan Results, Discovered Assets and Policies Violations ........................................ 53
Activity 8 – Discover Zscaler SaaS Security Posture Management........................................................ 60
Task 1: Discover SSPM Policies .......................................................................................................... 60
Task 2: Discover SSPM Results for Microsoft 365 and GitHub tenants............................................. 61

How to Use This Guide
The activities outlined in this Workshop Guide are meant to contain all the information necessary to
navigate the workshop interface, complete the workshop activities, and troubleshoot any potential
issues with the LAB environment. This guide is meant to be used in conjunction with the information
and guidance provided by your instructor.

Using this guide, you will be able to configure some features of the Zscaler Internet Access solution to
provide internet access in the most secure way. You will configure some policies on ZIA and test
them on a user machine hosted in a CloudShare environment. You will learn how to navigate the
Zscaler Internet Access Admin Portal and how to create and apply some security rules.

Your instructor will provide all the information and credentials required to log in to the ZIA UI, as well
as the user credentials for Zscaler Client Connector.

Using Zscaler Client Connector (formerly Zscaler App or Z App), users can get all the benefits of the
Zscaler service for Internet traffic, as well as granular, policy-based access to internal resources from a
single point.

● With Zscaler Client Connector's Internet Security feature, you can protect your users' web
traffic even when they are outside your corporate network. You can also protect your users’
mobile traffic, whether they are connected to Wi-Fi or cellular networks. The app forwards
user traffic to the Zscaler service and ensures that your organization's security and access
policies are enforced wherever they might be accessing the internet.

● With Zscaler Private Access (ZPA), you can enable your users to securely access enterprise
applications from outside the corporate network. ZPA establishes a secure transport for
accessing your enterprise apps and services.

● With Zscaler Digital Experience (ZDX), you can monitor your organization’s user devices to
detect user experience and productivity issues. ZDX relies on Zscaler Client Connector to
perform synthetic probing to a desired Software-as-a-Service (SaaS) application or internet-
based service (e.g., OneDrive, Gmail, etc.).

Activity 1: Understand and initiate Workshop environment


In this activity, you will:
• Log in to the Workshop environment from your laptop.
• Learn the layout of the environment and its various components

Task 1 – Log in to Your Workshop Environment

Step 1: Verify that your laptop is equipped with a modern browser that supports HTML 5.0. We
recommend using the latest version of Firefox®, Chrome, or Internet Explorer®/Edge®.

Step 2: Open a browser window and navigate to the class URL. If you have an invitation email, you will
find the class URL and passphrase there. Otherwise, your instructor will provide them.
Enter your email address and the class passphrase.

Step 3: Complete the registration form and click Login at the bottom.

Step 4: Once you have logged in, the system will create a unique Lab environment for you. Please note
that this process may take a while, as indicated by the green progress bar at the top of the screen.
Once the environment has been created, the system will display a welcome page. Click Start Using
This Environment to begin.
This will display a list of all virtual systems that constitute the Lab environment.

Take note of the shortcut menu at the top of your browser window. You will use this menu throughout
the workshop to switch between the available desktops.

Task 2 - Understand the Workshop Environment Setup


This Workshop environment consists of the following components:

Windows10: Windows 10 VM running in the CloudShare environment. Please note that Zscaler Client
Connector isn’t installed; you will install it manually later in this lab. After installing Zscaler Client
Connector, each student will log on with their own unique login. Zscaler Client Connector will give
you access to ZIA security services, ZPA and ZDX. You will use the credentials provided by your instructor
to log in. After logging in to ZIA through the Client Connector, network traffic sourced by the Windows10 VM will
be inspected by Zscaler Internet Access and your configured security policies will be applied.

Review the diagram below to better understand the LAB environment setup.

Note: SSO with SAML is already configured and ready to be used.

Each student will be assigned a unique Student-ID which will be used to log in on the Zscaler Client
Connector and in your policies configuration.

Example of username to be provided by your instructor and to use on SAML authentication on the
Client Connector: student<ID>@westconcloudlab<tenant-ID>.com.

End of Activity 1

Activity 2 – Zscaler Internet Access Administration


In this activity, you will:
• Connect to Zscaler Internet Access Administration Portal
• Discover Security Features available on ZIA.
• Add new policy rules for: SSL Inspection, URL Filtering, App Control, Sandbox, File Type
Control, and others.
• Create Data Loss Prevention rule.

Task 1: Log into the Administrative Console


Step 1: Using your machine or your Windows10 VM, open a browser and go to the Westcon 3DLAB
Portal at https://3dlab.westconsecurity.eu

Step 2: Sign in with the credentials provided by your instructor. The login is in this format:
student<ID>@westconcloudlab<tenant-ID>.com. The password is also provided by your instructor.

Note: Do not use the login shown in the screenshot. It is just an example.

Step 3: After signing in, click on ZIA Admin Portal.

Note: If the Okta Browser Plugin is not already installed in your browser, you will be prompted to
install it. The Okta Browser Plugin is mandatory to access your Admin Portal.

Step 4: Once the Okta Browser Plugin is installed, go back to the ZIA Admin Portal app and click on it. Your Zscaler
Internet Access Portal will open in a new tab.

Task 2: Discover Security Features available on ZIA

Step 1: Go to the Policy menu and discover which security features are available to configure
and customize based on your requirements.

The first section is Web Policy: you can set up all your web policies at this level. You can customize
and configure Security policies, Access Control rules and DLP policies.

For Security Configuration, note that you can configure:

• Malware Protection: The Zscaler service uses an industry-leading AV vendor for signature-
based detection and protection so it can provide comprehensive web security. In addition to
virus and spyware protection, the service uses malware feeds from its trusted partners, such
as Microsoft and Adobe, as well as its own technologies to detect and block malware. The
Malware policy applies globally to all an organization's locations.
• Advanced Threat Protection: Today, web pages don't just contain plain text nested inside
HTML tags. Instead, they are filled with Java applets, flash videos, ActiveX and other objects
designed to run programs. Hackers routinely embed malicious scripts and applications not only
on their own websites but on legitimate websites that they have hacked as well. To ensure
your organization's web security, the Zscaler service can identify a variety of these objects and
scripts and prevent them from downloading to the end user's browser. The Advanced Threats
Protection policy protects your traffic from fraud, unauthorized communication, and other
malicious objects and scripts.
• Sandbox: Cloud Sandbox provides an additional layer of security against zero-day threats and
Advanced Persistent Threats (APTs) through Sandbox analysis, an integrated file behavioral
analysis. To ensure your organization's web security, the Zscaler service runs and analyzes files
in a virtual environment to detect malicious behavior. It propagates a hash of malicious files
to all ZIA Public Service Edges (formerly Zscaler Enforcement Nodes or ZENs) throughout the
cloud, effectively maintaining a real time denylist so it can prevent users anywhere in the world
from downloading malicious files.
• Secure Browsing: You can define a Browser Control policy to warn users from going out to the
Internet when they are using outdated or vulnerable browsers, plugins, and applications. The
service examines browser versions and patches (including beta browsers), internet
applications (for example, Adobe Flash, Sun Java, Apple QuickTime), and media download
applications (for example, Windows Media Player). You can also reduce the security risk of
your organization by blocking the use of browsers or specific browser versions that are older
or that have known vulnerabilities. The ZIA Admin Portal displays the last 12 versions for most
browsers.

For Access Control policies, you can configure:

• URL Filtering: Through URL filtering, you can limit your exposure to liability by managing
access to web content based on a site's categorization. The URL Filtering policy consists of
rules that you define. When you add a rule, you specify criteria, such as URL categories, users,
groups, departments, locations, and time intervals. There is also a recommended policy for
URL Filtering.
• Cloud App Control: The Cloud App Control policy provides granular control over popular
websites and applications. They are organized by function into categories for easy reference
and to facilitate defining rules for similar apps. You can create rules to control how your users
access specific cloud applications. For example, you can define a rule for Instant Messaging
apps that allows chatting, but blocks file transfers. Additionally, you can define a daily quota
by bandwidth or time. When users browse to these sites after their quota has been reached,
the Zscaler service displays a message that explains that the content cannot be viewed
because they exceeded their daily quota.
• File Type Control: By default, the Zscaler service allows the upload and download of all file
types. Use the File Type Control policy to restrict the upload and download of various types of
files. For example, you can block audio (.mp3, .wav, etc.) and video files (.avi, .mp4, .mpeg,
etc.) so they do not interfere with your bandwidth utilization. You can define rules to restrict
the transmission of various files and apply them to individuals, groups, departments, and
locations. Zscaler also has a recommended policy for File Type Control.
• Bandwidth Control: Bandwidth control allows you to preserve access to your business-critical
applications regardless of your internet pipe consumption. This enables you to do things like
adding more restrictive rules around social media and streaming media. For example, you can
allocate a maximum of 10% of the bandwidth to the Streaming Media, Social Media, and File
Share bandwidth classes. When bandwidth is restricted, these classes are not guaranteed any
bandwidth and are restricted to 10% of the bandwidth when it is available.
• SSL Inspection: The Zscaler service can inspect HTTPS traffic from your organization. The
service can scan data transactions and apply policies to it. It functions as a full SSL proxy, or
SSL man-in-the-middle (MITM) proxy.

Finally, corporate data can be leaked in different ways, e.g., through webmail, cloud storage, social
media, and a variety of other applications. You can use Zscaler's DLP policy to protect your organization
from data loss.

If your organization has a third-party DLP solution, Zscaler can forward information about transactions
that trigger DLP policies to it. Zscaler uses secure Internet Content Adaptation Protocol (ICAP) to do
this. However, the Zscaler service does not take ICAP responses from your DLP solution: Zscaler only
monitors or blocks content according to the policy you configure, then forwards information about the
transactions so that your organization can take any necessary remediation steps.

Step 2: SaaS Security API

With this submenu, you can configure out-of-band CASB and SSPM (SaaS Security Posture
Management) for all supported SaaS applications:

• SaaS Security API Control: The SaaS Security API Control policy consists of the Data Loss
Prevention (DLP) and Malware Detection policies.
• SaaS Configuration: Here you can schedule scans of SaaS applications. The scheduled scan
will scan the SaaS app via API and apply the Malware policies and DLP policies defined in your scan
rules.
• SaaS Security Posture Control: In the SaaS Security Posture Report, the Zscaler service
provides recommended security policies to decrease security risks for your organization’s SaaS
applications. With the SaaS Security Posture Control policy, you can configure the number of
recommended security policies that the report includes in its analysis of your organization’s
security posture. This allows you to ignore a policy without ZIA applying the Fail status to that
policy. The SaaS Security Posture Control page shows you a list of all policies for the chosen
SaaS application. You can also search for a specific policy using the Search bar.

Step 3: Firewall Filtering

The Zscaler service provides integrated cloud-based next-generation firewall capabilities that allow
granular control over your organization’s outbound TCP, UDP, and ICMP traffic.

You can configure the following firewall policies:

• Firewall Filtering Policy: Add rules to allow or block specified types of traffic from your
network to the internet. You can also specify how the sessions are logged.
• NAT Control Policy: Add rules to perform destination NAT. You can redirect traffic to specific
IP addresses or ports.
• DNS Control Policy: Add rules to allow or block DNS requests, redirect requests to a different
DNS server, or redirect DNS responses by substituting the IP address in a DNS response with a
preconfigured IP address.
• IPS Control Policy: Add rules to control and protect your traffic from intrusion over all ports
and protocols using signature-based detection.

Configuring Firewall Policies requires configuring the four policies above as applicable and enabling the
firewall for your locations. You might also need to create source and destination IP groups, modify
network services, create network application groups, and configure custom ports.

Step 4: Mobile

You can define a Mobile App Store Control policy to restrict sites from which users can download apps
for their mobile devices. This reduces the likelihood of users downloading apps from sites that may
contain vulnerabilities or downloading fake copies of well-known apps.

When no policy is configured, the default action is to allow app downloads from all app stores.

You can define a list of blocked app stores. Users can browse the app stores in the list, but they are
blocked from downloading apps from the app stores.

If your organization has the Mobile Security subscription, you can also define a policy to prevent users
from downloading malicious apps.

Task 3: Enable SSL inspection for web traffic.

In this task you will create a Zscaler policy to inspect encrypted web traffic for all URL categories. At
times, you may find a need to not inspect HTTPS traffic, such as when an application will only accept a
certain certificate (commonly known as public key pinning). Should that happen, you can elect to not
inspect the URL category (including custom categories) but still retain the ability to apply other policies
such as URL filtering.

1. From the Administrative Console, go to Policy -> SSL Inspection.

2. Create a rule.
• Select Add SSL Inspection Rule.

• Rule Name: Student<ID> TLS Policy.


• Select the following URL Categories and make sure you select all the subcategories for each
category. The search bar can hide some subcategories (the total number of selected items should
be 49):
o Adult Material
o Drugs
o Gambling
o Games
o Illegal or Questionable
o Internet Communication
o Miscellaneous
o Security
o Society and Lifestyle
o Tasteless
o Weapons/Bombs

• On Cloud Applications, select the PasteBin application:
o PasteBin
• On Users, Select the user that matches your Student<ID>
• Set Action: Inspect.

• Save.

Task 4: Add URL filtering Rule

In the following steps, you will create a URL filtering rule that will apply to all users and block
commonly chosen URL categories.

1. From the Administrative Console, go to Policy -> URL & Cloud App Control.

2. Select Add URL Filtering Rule.

• Name the rule Student<ID> Block Policy


• Choose the following URL Categories:
o Adult Material
o Drugs
o Gambling
o Games
o Illegal or Questionable
o Miscellaneous
o Society and Lifestyle
o Tasteless
o Weapons/Bombs
• On Users, Select the user that matches your Student<ID>
• Set Action to Block
• Save the policy.

Task 5: Add a Cloud Application Control policy

In this task you will create a policy to allow the marketing department to access LinkedIn while
continuing to prevent access to all other social media sites.

1. Click Policy-> URL & Cloud App Control.

2. Click the Cloud App Control Policy tab.
3. Click the Add drop down menu and select Social Networking.

4. Name the rule Student<ID>LinkedIn – Allow.


5. Change the Rule Order to 1

6. Select the drop down for Cloud Applications, type LinkedIn in the search field, check the box
for the application, then click Done.

7. Select the Users drop down option.


a. Select the user that matches your Student<ID>
b. Click Done
8. Scroll down to the Action section of the policy to confirm that viewing and posting are set to
Allow.

9. Save the policy.
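The reason step 5 moves the LinkedIn rule to order 1 is that Cloud App Control rules are evaluated top-down and the first rule whose criteria all match decides, so an allow rule placed below a broader Social Networking block would never be reached. The Python script below is an added illustration of that first-match behaviour, not Zscaler code and not part of the lab material: the Rule and Request fields, the social_networking category label, the user names and the block rule covering the rest of the category are all constructed for the example.

```python
"""Toy first-match evaluator for URL / Cloud App Control rules (added example,
not Zscaler code). Rule fields, category labels and requests are constructed."""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Rule:
    order: int
    name: str
    action: str                                        # "allow" or "block"
    users: set[str] = field(default_factory=set)       # empty set = any user
    cloud_apps: set[str] = field(default_factory=set)  # empty set = any app
    categories: set[str] = field(default_factory=set)  # empty set = any category


@dataclass
class Request:
    user: str
    cloud_app: str
    category: str


def matches(rule: Rule, req: Request) -> bool:
    """A rule matches only when every populated criterion matches the request."""
    return ((not rule.users or req.user in rule.users)
            and (not rule.cloud_apps or req.cloud_app in rule.cloud_apps)
            and (not rule.categories or req.category in rule.categories))


def evaluate(rules: list[Rule], req: Request, default: str = "allow") -> tuple[str, str]:
    """First-match evaluation: rules are tried in ascending order and the first
    match decides; rules below it are never consulted. Returns (action, rule name)."""
    for rule in sorted(rules, key=lambda r: r.order):
        if matches(rule, req):
            return rule.action, rule.name
    return default, "default"


# Constructed rule set mirroring Task 5: the student's LinkedIn allow rule at
# order 1, followed by a block for everything else in the category.
LAB_RULES = [
    Rule(order=1, name="Student01 LinkedIn - Allow", action="allow",
         users={"student01"}, cloud_apps={"LinkedIn"}),
    Rule(order=2, name="Social Networking - Block", action="block",
         categories={"social_networking"}),
]

# The same two rules with the allow rule left below the block: it is shadowed.
MISORDERED_RULES = [
    Rule(order=2, name="Student01 LinkedIn - Allow", action="allow",
         users={"student01"}, cloud_apps={"LinkedIn"}),
    Rule(order=1, name="Social Networking - Block", action="block",
         categories={"social_networking"}),
]


if __name__ == "__main__":
    req = Request(user="student01", cloud_app="LinkedIn", category="social_networking")
    print("ordered   :", evaluate(LAB_RULES, req))         # allow via the LinkedIn rule
    print("misordered:", evaluate(MISORDERED_RULES, req))  # block, allow rule never reached
```

Running the script shows the same request allowed under LAB_RULES and blocked under MISORDERED_RULES; the only difference is the order value, which is exactly what step 5 changes in the portal. The same evaluator also shows that another student, or the same student on a different social app, still hits the block rule.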

Task 6: URL and Cloud App Control Advanced Policy Settings
1. While in the URL and Cloud App Control section, select the Advanced Policy Settings.

2. Under Advanced URL Filtering Options:


• Enable “Enable Suspicious New Domains Lookup”.
• Enable “Enable embedded sites categorization”.

3. Select Save.

To know more about the options you just enabled, you can always check the help:
https://help.zscaler.com/zia/configuring-advanced-url-policy-settings

Task 7: Configuring the Sandbox to prevent unknown attacks


1. From the Administrative Console, go to Policy -> Sandbox.
2. Select Add Sandbox Rule.

• Name: Student<ID>Catchall
• Select all the File Types.
• On Users Drop Down Menu, Select the user that matches your Student<ID>
• Set the First Time Action to Quarantine and select to enable AI Quarantine.
3. Save.

Task 8: Configuring Blocked Countries


1. From the Administrative Console, go to Policy -> Advanced Threat Prevention

2. Scroll down to SUSPICIOUS DESTINATIONS PROTECTION
3. Select the dropdown under Blocked Countries

• Search for and select the following countries.


o Cuba
o Iran
o Iraq
o North Korea
o Russia
o Syria
o Ukraine
4. Done.

Task 9: Configuring a DLP policy

1. From the Administrative Console, go to Administration -> DLP Dictionaries & Engines -> DLP
Engines
2. Click on “Add DLP Engine”

a. Name the Engine Student<ID>DLP Engine


b. On Select a Dictionary, Select Credit Cards and put 0 as value
c. Click on Save
d. Activate your changes.
3. Go to Policy -> Data Loss Prevention.

4. On Add Drop Down menu, Select Rule with Content Inspection.

5. Set the policy name to Student<ID> DLP Policy.

6. Select Student<ID>DLP Engine on the DLP Engines Drop down Menu and click on done.

7. On Cloud Application, Select PasteBin Application and click on done.

8. On Users Drop Down Menu, Select the user that matches your Student<ID>.
9. On Actions, select Block and Save your configuration.
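The engine created in step 2 pairs the Credit Cards dictionary with a value of 0, and the rule in step 9 blocks whatever that engine matches on PasteBin. The Python script below is an added example, not Zscaler code and not the built-in dictionary's real implementation: it treats the value as a match-count threshold that the content must exceed (an assumption about how the lab engine evaluates, stated as such), finds card-number candidates with a regular expression, confirms them with the Luhn checksum so that arbitrary digit strings are ignored, and returns the block or allow decision. All sample strings are constructed test data.

```python
"""Minimal content-inspection check modelled on the Task 9 DLP engine
(added example, not Zscaler code). Assumption: the engine fires when the
number of validated card numbers exceeds the configured value."""
from __future__ import annotations

import re

# Candidate PANs: 13 to 19 digits, optionally separated by spaces or dashes,
# not adjacent to further digits (so a 20-digit run is not a card number).
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list[str]:
    """Return digits-only card numbers in text that pass the Luhn check."""
    found = []
    for m in _PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def dlp_engine_matches(text: str, threshold: int = 0) -> bool:
    """Engine fires when the match count exceeds the threshold (value 0 in the lab
    therefore means 'any single card number triggers')."""
    return len(find_card_numbers(text)) > threshold


def dlp_action(text: str, threshold: int = 0) -> str:
    """Block, as the lab rule does, when the engine fires; otherwise allow."""
    return "block" if dlp_engine_matches(text, threshold) else "allow"


if __name__ == "__main__":
    # Constructed samples: a well-known Visa test number and a random digit run.
    samples = [
        "paste: card 4111 1111 1111 1111 exp 12/26",
        "paste: order 1234567890123456 shipped",
    ]
    for s in samples:
        print(f"{dlp_action(s):5s} <- {s}")
```

The checksum is what keeps the rule usable: without it, every 16-digit order or tracking number would count as a match and the block action in step 9 would fire on ordinary text. Raising the threshold above 0 trades precision for recall in the other direction, only paste jobs with several card numbers are stopped, which is the same trade-off the dictionary value expresses in the engine builder.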

Task 10: Configuring a Cloud Browser Isolation policy

1. From the administrative console, on the left side panel, go to “Policy → URL & Cloud App
Control” and go to "Cloud App Control Policy”:

2. Click on “Add” to add a “Consumer” rule:
3. Define the following values:

a. Rule Name Student<ID>CBI Consumer


b. On Cloud Applications, Select IKEA
c. On Users Drop Down Menu, Select the user that matches your Student<ID>.
d. On “User Agent” Drop Down Menu, Select the agents: “Chrome, Firefox, Microsoft
Edge, Microsoft Internet Explorer, Opera, Safari”.

4. On Action, select “ISOLATE”.

5. On Isolation Profile, select the “Default Isolation Profile” and click “Save”.

Note that you can define your own “Isolation Profile” and its security settings (allow
copy/paste, allow file transfer, allow printing, etc.) under “Administration → Browser
Isolation”.

Task 11: Activate Changes


1. From the administrative console, on the left side panel, hover your mouse over the Activation
button and select Activate to apply the policy changes that you have made.

Congratulations! You have enabled your first policies in Zscaler Internet Access. Next, we will see
how to set up the Zscaler Client Connector for client machines.

End of Activity 2

Activity 3 – Zscaler Client Connector Administration
In this activity, you will:

• Connect to Zscaler Client Connector Administration portal.


• See basic configuration of Client Connector

Task 1: Configuring the Zscaler Client Connector


Traffic from your devices can be forwarded to Zscaler by using the Zscaler Client Connector.

Let us start by navigating to the Zscaler Client Connector portal. It is accessible from the administrative
portal of the product you are using. For today’s lesson, we will be using the Zscaler Internet Access
Console, but you could use ZPA or ZDX as needed.

From the Zscaler Internet Access administrative console

1. Go To: Policy -> Zscaler Client Connector Portal

2. Select Administration
Note: From here, you will be on the Update Settings tab. This is where you can determine how
the Zscaler Client Connector is maintained: always update the client to the latest version; limit
it to a specific version but still use the Zscaler cloud for client updates; or fully disable cloud
rollouts of the Zscaler Client Connector if it is going to be maintained through another method.

Note: By selecting the Personal Computers tab from this location, you can download the
Zscaler Client Connector for Windows, Linux and Macintosh.

3. Select Forwarding Profile in the left column.

4. Select the eye icon for the Default Profile to review the settings.
The forwarding profile tells Zscaler Client Connector how to treat traffic from your users'
system in different network environments for the Zscaler Internet Access (ZIA) and Zscaler
Private Access (ZPA) services.

The Zscaler App can recognize 3 different network environments.

a. On Trusted Network – uses conditions like DNS Server or Hostname to identify a known,
trusted network.
b. VPN Trusted Network
c. Off Trusted Network

5. Close the Default Forwarding Profile


6. Select App Profiles along the top ribbon.
7. Select the Eye icon to view the Default policy for Windows devices.
App Profiles are operating-system specific and control the behavior of the application, including
setting a password requirement to log out of, disable, or uninstall the Zscaler Client Connector,
which forwarding profile to apply to the device, and whether the application installs the certificate
used for SSL inspection, either Zscaler’s or the customer’s.

8. Close the Default Windows Policy.

End of Activity 3

Activity 4 – Enrolling your VM with Zscaler Client Connector

In this activity, you will confirm that your lab device is, at first, not sending internet traffic through Zscaler
and at the end, you will have successfully enrolled a device to begin forwarding through the Zscaler
service.

Task 1: Confirm the user device is not using Zscaler


1. Open your Windows10 Virtual Machine in the CloudShare environment.
2. Check that traffic is not currently being forwarded to Zscaler from this device.
a. From the student virtual machine, go to the browser window.
b. Browse to the “Zscaler Cloud Security: My IP” address page at http://ip.zscaler.com
c. Verify that you are not going through the Zscaler proxy service.

Task 2: Install Zscaler Client Connector on your Windows virtual machine


To install Zscaler Client Connector on your Windows10 VM, you will use the EXE installer file located on
your desktop. In this task, you will use install options. Install options let you customize the Client
Connector deployment in a customer’s environment and simplify automated deployment of the Client
Connector agent on supported customer machines and devices.

To learn more about install options, you can visit this link: https://help.zscaler.com/z-app/customizing-zscaler-app-install-options-exe#mode

In this task, you will use some of the installation options of ZCC (Zscaler Client Connector). The
options that will be used are:

- --mode: This install option allows you to install the app in silent mode.
- --cloudName: If your organization is provisioned on more than one cloud, your users are
asked to select the cloud to which their traffic is sent during the enrollment process. In this
lab, cloudName will be zscaler.
- --userDomain: This install option allows users to skip the app enrollment page. If SSO is
enabled for your organization, users are taken directly to your organization's SSO login page.
If you've integrated SSO with the app (i.e., using a mechanism like Integrated Windows
Authentication (IWA)), users can also skip the SSO login page and are automatically enrolled
with the Zscaler service and logged in. In this lab, userDomain will be westconcloudlab3.com.

To install ZCC with the recommended method of this lab, please follow steps below:

1- Go to your virtual machine and open a Command Prompt

2- Type the command cd Desktop to change the directory to your Desktop (the installation file is
located on your Desktop).

3- Locate your User Domain from the login username provided by your instructor.
Example: if your instructor gives you the username student10@westconcloudlab3.com, your
Zscaler User Domain is westconcloudlab3

4- Type the command "Zscaler-installer.exe" --cloudName zscaler --userDomain
westconcloudlab<tenant-ID>.com --mode unattended to launch the installation in silent
mode.

5- In the UAC window, click on Yes to continue.

Once ZCC is installed, it will provision itself with your ZIA tenant using the cloudName and userDomain
options and connect you to your SSO portal to log in.

Task 3: Enroll Zscaler Client Connector
Next, you will need to enroll your Windows10 VM into the Zscaler Internet Access service to begin
forwarding traffic and enforcing policies. To enroll the Zscaler Client Connector, follow these steps:

1. Click on the Zscaler icon in the toolbar of the desktop.
2. Enter the provided username (student<ID>@westconcloudlab<tenant-ID>.com) and click Login.
3. Enter the password and click Login.
4. Your Client Connector will now be connected to the available Zscaler services, including ZIA.

Note: Upon successful enrollment the Zscaler Client Connector application will be minimized to the
hidden icons grouped in the task bar at the bottom of the Windows desktop. No further interaction with
the application is needed. Users may access the application through the Show hidden icons link if
needed.

5. You can open the ZCC and verify that it is connected and forwarding traffic to the Zscaler cloud.

Task 4: Confirm device is using Zscaler
To confirm the traffic forwarding status, follow these steps:

1. Go to your Windows10 VM desktop.
2. Check that traffic is being forwarded to Zscaler from this device.
a. Open a Browser window.
b. Browse to, or refresh, the Zscaler Cloud Security: My IP address page at
http://ip.zscaler.com
c. Verify that you are going through the Zscaler proxy service.

That’s all! You are now sending the workstation’s internet traffic through the Zscaler platform.

End of Activity 4

Activity 5 – Test your Policies

We have now enabled some policies and confirmed that the Zscaler client is forwarding device traffic to
Zscaler; now we want to test that the policies are being applied to our users.

SSL Inspection
The ability to inspect web traffic, including HTTP/S, on user devices regardless of their location is critical
in today’s environments. In this lab, you will check to see that encrypted traffic is being inspected by
Zscaler.

Task 1: Testing SSL Inspection


In this task, you will test that SSL encrypted traffic is being inspected by Zscaler. You need to verify that
the SSL inspection is transparent to the user experience and that it is done with Zscaler as a trusted
party in the secure end-to-end connection.

To test SSL inspection, follow these steps:

From your Windows10 VM:

1. Go to https://www.linkedin.com
2. Check the secure connection information.
a. Click the padlock icon in the URL field.
b. Select Certificate
c. Verify that a Zscaler certificate is being used.
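The same check can be done programmatically. This is an added example, not part of the workshop guide and not Zscaler's own tooling: Python's ssl module returns the issuer of the certificate presented for the site, and when Zscaler is re-signing the session that issuer is a Zscaler CA rather than the site's public CA. The issuer tuples below are constructed samples in the shape getpeercert() returns; the CA names in them are illustrative placeholders, not taken from a real handshake.

```python
"""Check whether a TLS session is being inspected (re-signed) by a Zscaler CA.

Added example for the SSL inspection test; it is not part of the workshop guide.
"""
import socket
import ssl

# Constructed samples in the shape of ssl.SSLSocket.getpeercert()["issuer"]:
# a tuple of RDNs, each RDN a tuple of (attribute, value) pairs.
# The CA names are illustrative placeholders, not copied from a real handshake.
SAMPLE_ISSUER_INSPECTED = (
    (("countryName", "US"),),
    (("organizationName", "Zscaler Inc."),),
    (("commonName", "Zscaler Intermediate CA (sample)"),),
)
SAMPLE_ISSUER_DIRECT = (
    (("countryName", "US"),),
    (("organizationName", "Example Public CA"),),
    (("commonName", "Example Public CA Server CA 1"),),
)


def issuer_fields(issuer):
    """Flatten the nested issuer tuple into an {attribute: value} dict."""
    return {attr: value for rdn in issuer for attr, value in rdn}


def is_zscaler_inspected(issuer, marker="zscaler"):
    """True when the issuer's organization or common name names Zscaler.

    A Zscaler-issued leaf certificate means the session was terminated and
    re-signed by the proxy, i.e. SSL inspection is active for this site.
    """
    fields = issuer_fields(issuer)
    haystack = " ".join(
        fields.get(key, "") for key in ("organizationName", "commonName")
    ).lower()
    return marker in haystack


def fetch_issuer(hostname, port=443, timeout=5.0):
    """Connect to hostname with the system trust store and return the leaf issuer.

    With ZCC enrolled, the Zscaler root is in the Windows certificate store, so
    the re-signed certificate validates; if the root is missing, the handshake
    raises ssl.SSLCertVerificationError, which is itself a useful signal.
    """
    context = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()["issuer"]


if __name__ == "__main__":
    # Live check against the site used in this task; requires network access.
    issuer = fetch_issuer("www.linkedin.com")
    print("issuer:", issuer_fields(issuer))
    print("inspected by Zscaler:", is_zscaler_inspected(issuer))
```

Run it from the enrolled VM: a True result confirms inspection for that site, and a verification error confirms that the Zscaler root is not trusted by Python's trust store, which is the failure mode to look for when users report certificate warnings.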

Internet Access Control Policies


Zscaler threat protections are enabled to inspect and block users from a wide variety of threats. For
extra protection and to comply with company acceptable use policies, access control rules are
configured to regulate access to URL categories that are not permitted. Your goal is to test the user
experience when accessing a site.

Task 1: Testing Organization-wide Internet Access Control Policies

Attempt to access a website that is categorized as a gambling site using the Windows10 VM.

a. In a browser tab attempt to access https://www.gambling.com
b. Verify that the website is blocked.

Attempt to access a website that is categorized as a social media site using the Windows10 VM.

a. In a browser tab attempt to access https://www.twitter.com
b. Verify that the website is not accessible.

Testing DLP Policy


At this step, you will test the configured DLP Policy.

1. Go to the Desktop of your Windows10 VM
2. Open the file Credit Cards Samples.txt
3. Copy the content of this file.
4. Go to the Google Chrome Browser and open the Pastebin application using this URL:
https://pastebin.com/
5. Paste the content of the file in the New Paste section of the web application.
6. Scroll down and click on Create New Paste to share the credit card numbers.
7. The content should be blocked and a data violation message from Zscaler will be displayed on the
web page.
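To illustrate what a DLP dictionary is matching in that file, here is an added example; it is neither the workshop's sample file nor Zscaler's DLP engine. It implements a simple credit card number (PAN) detector of the kind DLP dictionaries use: a digit-run pattern combined with the Luhn checksum, so that arbitrary 16-digit strings such as order references are not flagged. The paste text is a constructed sample that uses publicly known test card numbers only.

```python
"""Toy credit-card-number (PAN) detector with Luhn validation.

Added illustration of how a DLP dictionary flags card numbers; it is not the
workshop's file nor Zscaler's DLP engine.
"""
import re

# 13 to 19 digits, optionally separated by single spaces or hyphens, and not
# glued to other digits on either side.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample paste: the first two numbers are well-known test PANs
# (Luhn-valid), the third fails Luhn, and the last line has only 12 digits.
SAMPLE_PASTE = """\
Customer export (constructed sample, test card numbers only)
Alice  4111 1111 1111 1111  exp 12/26
Bob    5500-0000-0000-0004  exp 03/25
Carol  1234 5678 9012 3456  exp 01/27  (fails Luhn, not a real PAN)
Ticket 202308010042 order reference
"""


def luhn_valid(digits):
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for index, char in enumerate(reversed(digits)):
        digit = int(char)
        if index % 2 == 1:        # every second digit from the right is doubled
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


def find_card_numbers(text):
    """Return separator-free PANs found in text that pass the Luhn check."""
    hits = []
    for match in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def dlp_decision(text, threshold=1):
    """Mimic a DLP rule: block when at least `threshold` PANs are present."""
    hits = find_card_numbers(text)
    action = "BLOCK" if len(hits) >= threshold else "ALLOW"
    return action, hits


if __name__ == "__main__":
    action, hits = dlp_decision(SAMPLE_PASTE)
    # Mask the matches before printing, as a DLP incident log would.
    print(action, [h[:6] + "*" * (len(h) - 10) + h[-4:] for h in hits])
```

The threshold parameter mirrors the occurrence count that real DLP engines expose per dictionary: raising it reduces false positives on documents that legitimately contain one card number, at the cost of missing small leaks.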

Testing Threat Prevention


Now that you have enabled some policies, test the desktop security again.

Task 1: Testing Malware / Advanced Threat Protection

In this test, you will test the cyber risk posture of the user’s machine.

Go to http://securitypreview.zscaler.com/

Select “Test your cyber risk posture”. Compare the result with the first time you ran this test. In just a
few short minutes, you have created controls and protections that are available to users anywhere they
connect from.
● It is expected behavior that DLP will not pass this test, as it was not configured for this
environment.

Testing Cloud Browser Isolation policy

At this step, you will test the Cloud Browser Isolation policies.

1. Go to the Chrome browser of your Windows10 VM where you installed the Zscaler Client
Connector.
2. Go to www.ikea.com

Browser Isolation opens seamlessly - allowing access to the destination but now the user is running in
an isolated session and the user’s device is only receiving pixels from the destination. The site is
rendered safely in the Isolation Environment - air gapped from potential dangers.

Note that a customizable message alerts the user that the website is being redirected to an isolated
environment to protect the user from malicious content.
Also note that the URL does not correspond to the original.

End of Activity 5

Activity 6 – Discover Reporting features
Zscaler Internet Access has great abilities to protect users with threat and data protections but there is
more to it than that. ZIA provides additional value in the reporting and visibility that it provides to an
organization. With Zscaler, a customer can now have detailed logging for every user, even when that
user is off network and sending traffic directly to the Internet – a gap for many organizations.

For this lab, you are going to review the many options available to a customer in the Zscaler console.

To start, review the dashboard data from the Web Overview dashboard. It is the main landing page
when you first log into the Zscaler console and provides a good starting point when getting a picture of
the current environment statistics.

Task 1: Add a widget to the Web Overview dashboard

1. Go to the Web Overview Dashboard.

2. Select the “+” sign in the top right corner to add a widget.
• Name the new widget Web Traffic Types
• Change the Data Type to Protocols
• Select the Pie Chart
• Select OK

This will create a new widget in the Web Overview dashboard showing the different protocols in use.
You can drag and drop widgets in the dashboard to organize it however you like. Click and hold when
your mouse is along the top border of the widget you want to move.

Extra Credit
Spend some time looking at the other available Dashboards. Two popular ones are:
• Dashboard -> Security
• Dashboard -> Firewall Overview

Task 2: View an Interactive Report

1. From the administrative console, go to Analytics -> Interactive Reports.

2. Select View for the CIO Report. Look in the top right corner of the report, note that you can do a
few things here, including being able to schedule the report to be emailed at a specific time.

3. Scroll through the report to get an idea of the type of information that is easily accessible from here.
Click on a chart or two. Notice that you can analyze the chart or go to logs.

4. Click the Left Arrow to go back to the reports.

5. Scroll down to Web Activity and select View for the Blocked Web Traffic Overview report.

In the report, locate the top blocked user, click on the user with your mouse and select View Logs.
You can see all the relevant log data that relates to this user.

Task 3: Review the Zscaler web logs

It’s common to need to review the log data in its raw form, not from within reports or dashboards.
Finding that in Zscaler is just a few clicks away. In this exercise, we will drill down to the logs and
review what information is available.

1. Go to Analytics -> Web Insights

2. Select Logs

3. Select Apply Filters

4. Expand the logs to include all available fields by Selecting All after clicking the ellipsis.

5. Scroll right to review all the available fields of data. Look for options such as the User,
Policy Action, Location, URL Category, and SSL Policy Reason.

6. Next, select Add Filter.

7. Search for and select Policy Action.

8. Select Block from the drop-down menu.

9. Click Apply Filters

i. What type of policy does it say is blocking the transactions?
ii. What URL category is it?
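The same drill-down can be scripted over exported log data. The example below is added here and is not from the workshop or from Zscaler: it filters a handful of constructed web log records on Policy Action = Block and tallies the blocking policy type, the URL category and the user, which answers the two questions above for the sample. The tab-separated layout and the Policy Type and URL column names are assumptions made for the example; the other column names are the Web Insights fields named in this task, and the values are illustrative.

```python
"""Filter constructed web log records the way the Web Insights Block filter does.

Added example; the log layout is assumed for illustration and is not a Zscaler
export format.
"""
import csv
import io
from collections import Counter

# Constructed sample records. Column names User, Policy Action, Location,
# URL Category and SSL Policy Reason come from the workshop task; Policy Type
# and URL are assumed here. All values are illustrative.
SAMPLE_LOGS = "\n".join([
    "Time\tUser\tPolicy Action\tPolicy Type\tLocation\tURL\tURL Category\tSSL Policy Reason",
    "2023-08-01 09:01:12\tstudent10@westconcloudlab3.com\tAllow\tURL Filtering\t"
    "Road Warrior\twww.linkedin.com\tProfessional Services\tInspected",
    "2023-08-01 09:02:40\tstudent10@westconcloudlab3.com\tBlock\tURL Filtering\t"
    "Road Warrior\twww.gambling.com\tGambling\tInspected",
    "2023-08-01 09:03:05\tstudent11@westconcloudlab3.com\tBlock\tCloud App Control\t"
    "Road Warrior\twww.twitter.com\tSocial Networking\tInspected",
    "2023-08-01 09:04:30\tstudent10@westconcloudlab3.com\tBlock\tURL Filtering\t"
    "Road Warrior\tcasino.example\tGambling\tNot Inspected",
    "2023-08-01 09:05:10\tstudent11@westconcloudlab3.com\tAllow\tURL Filtering\t"
    "Road Warrior\twww.ikea.com\tShopping\tInspected",
])


def parse_logs(text):
    """Parse the tab-separated sample into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text), delimiter="\t"))


def filter_logs(records, **criteria):
    """Keep records whose fields equal every given value (the Add Filter step)."""
    return [r for r in records if all(r.get(k) == v for k, v in criteria.items())]


def summarize_blocks(records):
    """Apply the Policy Action = Block filter and tally what blocked whom."""
    blocked = filter_logs(records, **{"Policy Action": "Block"})
    return {
        "blocked": len(blocked),
        "policy_type": Counter(r["Policy Type"] for r in blocked),
        "url_category": Counter(r["URL Category"] for r in blocked),
        "user": Counter(r["User"] for r in blocked),
    }


if __name__ == "__main__":
    summary = summarize_blocks(parse_logs(SAMPLE_LOGS))
    print(summary["blocked"], "blocked transactions")
    print("policy types:", dict(summary["policy_type"]))
    print("URL categories:", dict(summary["url_category"]))
    print("top blocked user:", summary["user"].most_common(1)[0])
```

For the constructed data the answers are URL Filtering (twice) and Cloud App Control (once), with Gambling as the most common blocked category; the same tallies are what the Blocked Web Traffic Overview report shows graphically.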

End of Activity 6

Activity 7 – Discover Zscaler Cloud Access Security Broker (CASB)
In this activity, you will:
• Discover how Zscaler delivers CASB functionality.
• Discover how to configure API-based CASB policies for out-of-band DLP and malware
controls.
• Navigate the ZIA Administration Portal to discover its features.

Task 1: Introduction on Zscaler CASB (SaaS Security API)

Zscaler’s multimode cloud access security broker (CASB) secures cloud data in motion (via proxy) and
at rest (via APIs). Admins simply configure one automated policy that delivers consistent security across
all cloud data channels, reducing their management burden.

Zscaler CASB is part of the comprehensive Zero Trust Exchange (with SWG, ZTNA, and more), so
customers can avoid point products, reduce IT complexity, and inspect traffic only once.

Inline security for data in motion


As a proven inline security vendor, Zscaler delivers high-performance forward proxy and SSL inspection
with critical real-time protections.
• Shadow IT discovery and cloud app control identify and secure unsanctioned apps—without
requiring network device logs.
• DLP measures prevent uploads of sensitive data to sanctioned and even unsanctioned apps.
• Real-time advanced threat protection leverages ML-powered cloud sandbox to stop known and
unknown malware.
• Cloud Browser Isolation streams sessions as pixels for BYOD to prevent data leakage without
reverse proxy headaches.

Out-of-band security for data at rest


Zscaler leverages API integrations to scan SaaS apps, cloud platforms, and their contents, automatically
enhancing enterprise security.
• Predefined and customizable DLP dictionaries identify sensitive data within SaaS and public
clouds like AWS.
• Collaboration management functionality crawls apps for risky file shares and revokes them
according to policy.
• Cloud sandbox technology scans data at rest to identify and respond to zero-day malware
and ransomware.
• SSPM, CSPM, and CIEM evaluate SaaS and IaaS configurations and permissions to remediate
issues automatically.

In this section, we will cover Zscaler Out-of-band CASB features.

Task 2: SaaS tenant Onboarding process on Zscaler


Step 1: Navigate to ZIA Administration Portal >> Administration >> SaaS Application Tenants

Step 2: Discover tenants that are already onboarded on Zscaler Internet Access. Three tenants are
onboarded: GitHub, OneDrive and Office365.

Note: Office365 is onboarded for SaaS Security Posture Management (SSPM) Feature which will be
covered on the next activity. Office365 is not a tenant for out-of-band CASB.

Step 3: You can see the status of tenants, their names and policies that are applied.

Step 4: If you have a SaaS tenant, you can add it to ZIA and apply policies. Click on Add SaaS Application
Tenant to discover the supported applications.

Note that in the lab environment you may not be able to see the "Add SaaS Application tenant" button
due to permission restrictions on the account. Therefore, you may not be able to see the next image.

Note: the onboarding process is very simple; it requires your tenant domain and valid admin
credentials for your SaaS application.

Task 3: Discover SaaS Security API Configured Policies


Step 1: Go to Policy >> SaaS Security API Control >> Data Loss Prevention

Step 2: Select File Sharing from the provided list. The DLP policy for the OneDrive tenant is now shown;
click on the pencil to open it:

Step 3: Discover the DLP Policy for OneDrive. You can see the OneDrive tenant
(O365.westconsecurity.eu), that all DLP Engines are activated, and the same for File Type. The action is
configured to Report Incident Only.

Step 4: Click on Action to see the different possible actions. You can configure auto-remediation for
excessively shared files, for example.

Step 5: Leave the action set to Report Incident Only. Note also that the severity of the action is
set to High.

Step 6: Click on Cancel and do not modify the policy.

Step 7: Click on Malware Detection to see the Malware Detection Policy that is configured for OneDrive
(click on the pencil):

Step 8: Click on Action to see the different actions that can be taken by ZIA if dormant malware is
discovered on our OneDrive tenant:

The Configured Action is Report Malware. Do not change the action on this policy.

Note that we can configure the policy to Quarantine the Malware or to delete it from OneDrive.

Step 9: Click on Cancel to not modify the policy.

Step 10: Go to Policy >> SaaS Security API >> Scan configuration.

Step 11: Discover the configured Scan policy.

You can see the SaaS tenant, Policies that are applied to the Scan and the Scan Status. Note that you
can also Schedule Scans of your SaaS tenants.

Task 4: Examine Scan Results, Discovered Assets and Policies Violations


Step 1: Go to Analytics >> SaaS Assets Summary Report

Step 2: Discover the reported outputs from the scan. Please select last 30 days in the Time Filter:

When this document was created, 248 incidents were reported: 191 DLP incidents and 57 malware
detections in our case. Yours should be quite similar.

Scroll down to see other outputs like DLP Engine by Dictionary, Engine or Severity. You can also see
malware types.

Step 3: Under File Sharing Applications, click on the total number of Violations (248 when this document
was created); you will be redirected to the Logs to investigate these violations:

Step 4: Go to Analytics >> SaaS Security Report >> Applications >> Overview.

Step 5: Discover SaaS Application usage learned from user Traffic.

Note that this screenshot could be slightly different from what you see on your screen, depending on
when this traffic was generated.

Step 6: You can modify the information seen on your screen by selecting a longer time filter.

Select “Last Month” and see how the statistics are modified in all charts and dashboards.

Step 7: Go to Administration >> Cloud Applications

Step 8: In the search bar, search for the "OneDrive" application.

You can see that there are two Cloud Applications with the OneDrive name: the corporate OneDrive,
which is “Sanctioned” for the company and the OneDrive (Personal).

Step 9: Click on the corporate “OneDrive” (not the Personal one) and you will be redirected to the “SaaS
Security Report” we were looking at a few steps back.

Discover all information provided for this SaaS application.

Step 10: You can go back to Analytics >> SaaS Security Report >> Applications and select any other
application you see on your screen and find out more about its “Risk Index” and the attributes of that
application.

For instance, we have selected “PasteBin”:

Step 11: Go back to Applications, then click on Assets to see the SaaS Asset Report. Be sure that File
Sharing Application is selected and the time range is from the 1st of August 2023 to the 8th of August
2023, and click on Apply.

Step 12: Explore the different level of visibility provided by the CASB features.

For example, if you click on “File with Incidents Matching a rule” you can see the different files that
violate a policy.

Have a look at the different information fields. For example: File Name, File Path, Severity, Owner, etc.

End of Activity 7

Activity 8 – Discover Zscaler SaaS Security Posture Management

In this activity, you will:

• Discover the Zscaler Internet Access SSPM feature.

Introduction on SSPM

With the SaaS Security Posture Control, the Zscaler service provides recommended security policies to
decrease security risks for your organization’s SaaS applications.

With the SaaS Security Posture Control policy, you can configure the number of recommended security
policies that the report includes in its analysis of your organization’s security posture. This allows you
to ignore a policy without ZIA applying the Fail status to that policy.

At the time this document was created, the SSPM feature supports Microsoft 365, Salesforce, GitHub,
Google Workspace, Confluence, Jira Software, Okta and Bitbucket. More details at:
https://help.zscaler.com/zia/supported-saas-security-posture-control-policies

Some Benefits of SaaS Security Posture Management (SSPM) for securing the M365 environment:

• Reduced likelihood of a data breach.
• Less time that IT and security teams must spend monitoring, assessing, and governing risks
manually.
• Increased visibility and control over M365.
• Adherence to ever-changing industry compliance rules and regulations—audit-ready reports
with ease.
• Ease of deployment, instant visibility and control, and no burden on the IT team.

Task 1: Discover SSPM Policies


Step 1: Navigate to Policy >> SaaS Security Posture Control

Step 2: Discover the different security posture policies for every supported application.

Note that all policies are provided and updated by Zscaler, and you can turn on or turn off policies as
you want.

Task 2: Discover SSPM Results for Microsoft 365 and GitHub tenants
Step 1: Go to Analytics >> SaaS Security Report >> Security Configuration

Step 2: Switch between the Microsoft 365 and GitHub tenants to see the posture of these tenants, which
security issues are risky, and what should be done to improve the security of your SaaS environment.

End of Activity 8
