Transcript Zscaler Client
EZ – In Depth
Manoj Apte
VP Product Management
July 2010
Introducing EZ
EZ Agent Enforced
• EZ agent covers corner cases (< 10% users) by enforcing proxy settings at all times
• Agent also aids with “captive portals” that require authentication prior to establishing internet access
• Settings are disabled while network connection has not been established and reinforced upon connection
Copyright (c) 2010 - 2011 Zscaler CONFIDENTIAL
“Thick” Client Inefficiencies
Traditional vendors use a “thick” client for authentication and policy enforcement – increased IT burden
Road Warrior
• Client may conflict with VPN drivers and AV clients
• Deployment is difficult because of the large file size
• Zscaler service does not require a client
• Traffic redirection via proxy settings
• Authentication via patented cookies technology
• In a small fraction of use cases such as road warriors without centralized provisioning these settings can not be enforced
• Potential data leakage risks due to malicious employees
• Compromise of remote corporate assets by malware, adware and spyware
EZ Benefits
• Password prompt if user tries to disable or uninstall the application
• Plug in is lightweight (< 4MB) and easy to deploy compared to “thick” clients
• Can be centrally provisioned and maintained via GPO or Web download
• Tamper proof but provision to disable and uninstall for privileged users with a password
EZ : Packaging
EZ_JUL15.ZIP
• Contains all files for EZ Agent
EZAgentUserGuide.pdf
• Complete description of EZ and installation guide
Installing EZ with no customization
1. Unzip contents of the Zip file into some directory
2. Run Setup.BAT.
EZ Components
Service
• Windows Service that monitors tray process and restarts it if it is killed.
• Ensures Tamper Resistance
Tray
• Enforces Proxy Settings
• Bypass Proxy for Captive Portal
• Password based temporary disable for enforcement
Configuration File Settings
• Uninstall Password
• Temporary Disable Password
• Timeout for forcing proxy even if Service is not accessible
• Polling interval to retry Service in a captive portal
Details of what Tray Sets and monitors
Note: Proxy and PAC File settings are monitored for ALL types of Internet connections (LAN Settings is standard, but there may be modem internet connections as well)
PAC File
• Checkbox for PAC file enforcement
• URL for PAC File
Proxy
• Checkbox for Set Proxy
• Proxy address for each type of protocol
• Proxy Exception List
Hide Tray Icon
• Tray process is running in background, but tray icon is hidden.
Test Connection Host
• Gateway Connectivity Test can be pointed to a private sub-cloud
Polling Interval in Seconds
• Retry connection to Service every X Seconds after Proxy is disabled
Force Proxy Timeout in Seconds
• If Service is unavailable, force proxy settings regardless of Service availability after polling for X Seconds (Tamper Resistance Feature)
Applications to kill
• Example: Opera browser can be disallowed by configuring opera.exe in the kill list. A warning is given to the user from the tray icon
Sample Configuration file
ConfigVersion =1.2.619
DebugLevel =0
DisablePassword =ZSCALER
UninstallPassword =ZSCALER
PollingIntervalInSeconds =30
ForceProxyTimeOutInSeconds =0
WatchdogLimitInSeconds =300
# Setting for IE redirect limit. Helps with IE 8
MaxHTTPRedirects =20
UseProxyServer =0
HTTPProxy =gateway.zscaler.net
HTTPProxyPort =80
HTTPSProxy =gateway.zscaler.net
HTTPSProxyPort =80
FTPProxy =gateway.zscaler.net
FTPProxyPort =80
SOCKSProxy =gateway.zscaler.net
SOCKSProxyPort =80
ProxyBypassIE =10.*;192.*;*.zscaler.org
ProxyBypassMozilla =10.*,192.*,*.zscaler.org
UsePacFile =1
PACFileURL =http://pac.zscaler.net/zscaler.net/proxy.pac
HideTrayIcon =0
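A pre-rollout check for a config.txt in the format shown above, written as an added example (not part of the original deck or Zscaler's tooling). It parses the Key =value lines and flags the sample passwords, identical disable and uninstall passwords, and a PAC file URL served over plain HTTP; treating a non-zero DebugLevel as a finding is an assumption.

```python
# Added example: lint for an EZ-style config.txt ("Key =value" lines, "#" comments).
SAMPLE_PASSWORDS = {"ZSCALER"}          # value used in the sample file
PASSWORD_KEYS = ("DisablePassword", "UninstallPassword")

def parse_config(text):
    """Return {key: value}; blank lines and '#' comment lines are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"not a 'Key =value' line: {raw!r}")
        settings[key.strip()] = value.strip()
    return settings

def audit(settings):
    """Return (key, finding) tuples for values that should change before rollout."""
    findings = []
    for key in PASSWORD_KEYS:
        value = settings.get(key, "")
        if not value:
            findings.append((key, "password missing or empty"))
        elif value.upper() in SAMPLE_PASSWORDS:
            findings.append((key, "still the sample password"))
    disable, uninstall = (settings.get(k) for k in PASSWORD_KEYS)
    if disable and disable == uninstall:
        findings.append(("UninstallPassword", "same as DisablePassword"))
    if settings.get("PACFileURL", "").lower().startswith("http://"):
        findings.append(("PACFileURL", "PAC file fetched over plain HTTP"))
    # Assumption: any non-zero DebugLevel is a leftover from troubleshooting.
    if settings.get("DebugLevel", "0") != "0":
        findings.append(("DebugLevel", "debug level left non-zero"))
    return findings

# Constructed input: a subset of the sample configuration file.
SAMPLE = """\
ConfigVersion =1.2.619
DebugLevel =0
DisablePassword =ZSCALER
UninstallPassword =ZSCALER
# Setting for IE redirect limit. Helps with IE 8
MaxHTTPRedirects =20
PACFileURL =http://pac.zscaler.net/zscaler.net/proxy.pac
"""

if __name__ == "__main__":
    for key, finding in audit(parse_config(SAMPLE)):
        print(f"{key}: {finding}")
```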
Steps for GPO based install and uninstall
Unzip the package into some directory. It contains: Setup.bat, config.txt, config.dat, encrypt_cfg.exe and zInstaller.exe
Create a custom config.txt and encrypt it:
encrypt_cfg.exe e config.txt config.dat
GPO based deployment:
• Deploy Setup.BAT, zInstaller.exe and config.dat in some directory
• Run SETUP.BAT
GPO based uninstall:
• Run Uninst000.exe in the directory where EZ was installed, as Uninst000.exe /PASS=
Other things…
Loading a new configuration file:
Method 1 (with admin privilege):
• Copy new configuration file in ProgramData\RTServicemon (requires admin privilege)
• Right click on EZ agent and “Test Connection”
Method 2 (without admin privilege):
• Right click on EZ Agent “Load new configuration file”
• Point to the new configuration file
Debugging
• Set debug level to 10 and ask user to reload new configuration