EZ – In Depth

Manoj Apte

VP Product Management

July 2010

Introducing EZ

EZ Agent Enforced  EZ agent covers corner cases (< 10% users) by enforcing proxy settings at all times  Agent also aids with “captive portals” that require authentication prior to establishing internet access  Settings are disabled while network connection has not been established and reinforced upon connection

“Thick” Client Inefficiencies

  Traditional vendors use a “thick” client for authentication and policy enforcement – increased IT burden

Road Warrior

 Client may conflict with VPN drivers and AV clients  Deployment is difficult because of the large file size  Zscaler service does not require a client   Traffic redirection via proxy settings Authentication via patented cookies technology In a small fraction of use cases such as road warriors without centralized provisioning these settings can not be enforced  Potential data leakage risks due to malicious employees  Compromise of remote corporate assets by malware, adware and spyware

EZ Benefits

Password prompt if user tries to disable or uninstall the application  Plug in is lightweight (< 4MB) and easy to deploy compared to “thick” clients  Can be centrally provisioned and maintained via GPO or Web download  Tamper proof but provision to disable and uninstall for privileged users with a password

EZ : Packaging

 EZ_JUL15.ZIP

 Contains all files for EZ Agent  EZAgentUserGuide.pdf

 Complete description of EZ and installation guide

Installing EZ with no customization

1. Unzip contents of the Zip file into some directory 2. Run Setup.BAT.

EZ Components

Service • Windows Service that monitors tray process and restarts it if it is killed.

• Ensures Tamper Resistance Tray • Enforces Proxy Settings • Bypass Proxy for Captive Portal • Password based temporary disable for enforcement

Configuration File Settings • Uninstall Password • Temporary Disable Password • Timeout for forcing proxy even if Service is not accessible • Polling interval to retry Service in a captive portal

Details of what Tray Sets and monitors

        Note: Proxy and PAC File settings are monitored for ALL types of Internet connections (LAN Settings is standard, but there may be modem internet connections as well) PAC File   Checkbox for PAC file enforcement URL for PAC File Proxy  Checkbox for Set Proxy  Proxy address for each type of protocol  Proxy Exception List Hide Tray Icon  Tray process is running in background, but tray icon is hidden.

Test Connection Host  Gateway Connectivity Test can be pointed to a private sub-cloud Polling Interval in Seconds  Retry connection to Service every X Seconds after Proxy is disabled Force Proxy Timeout in Seconds  If Service is unavailable, force proxy settings regardless of Service availability after polling for X Seconds (Tamper Resistance Feature) Applications to kill  Example: Opera browser can be disallowed by configuring opera.exe in the kill list. A warning is given to the user from the tray icon

Sample Configuration file

9 ConfigVersion =1.2.619

DebugLevel =0 DisablePassword =ZSCALER UninstallPassword =ZSCALER PollingIntervalInSeconds =30 ForceProxyTimeOutInSeconds =0 WatchdogLimitInSeconds =300 # Setting for IE redirect limit. Helps with IE 8 MaxHTTPRedirects =20 UseProxyServer =0 HTTPProxy =gateway.zscaler.net

HTTPProxyPort =80 HTTPSProxy =gateway.zscaler.net

HTTPSProxyPort =80 FTPProxy =gateway.zscaler.net

FTPProxyPort =80 SOCKSProxy =gateway.zscaler.net

SOCKSProxyPort =80 ProxyBypassIE =10.*;192.*;*.zscaler.org

ProxyBypassMozilla =10.*,192.*,*.zscaler.org

UsePacFile =1 PACFileURL =http://pac.zscaler.net/zscaler.net/proxy.pac

HideTrayIcon =0

Steps for GPO based install and uninstall

 Unzip package into some directory. It contains:  Setup.bat, config.txt, config.dat, encrypt_cfg.exe and zInstaller.exe

 Create custom config.txt and encrypt it :  encrypt_cfg.exe e config.txt config.dat

 GPO based deployment:  Deploy Setup.BAT, zInstaller.exe, config.dat in some directory  Run SETUP.BAT

 GPO based uninstall  Run Uinst000.exe in the directory where EZ was installed with  Uninst000.exe /PASS= /VERYSILENT  NOTE: All command line parameters are case sensitive

Other things…

 Loading a new configuration file:  Method 1 (with admin priviledge):  Copy new configuration file in ProgramData\RTServicemon (requires admin priviledge)  Right click on EZ agent and “Test Connection”  Method 2 (without admin priviledge):  Right click on EZ Agent “Load new configuration file”  Point to the new configuration file  Debugging  Set debug level to 10 and ask user to reload new configuration

Zscaler Client

Transcript Zscaler Client