Preventing Unauthenticated users from using Enterprise Internet
There are three areas to set up in Zscaler Access Control to prevent unauthenticated users (guest/BYOD) from using the services
(Assuming that the traffic has already been forwarded to Zscaler)
1. Bypass Authentication and SSL (for Ask4key server)
2. Firewall Control - block all ports (except DNS services and Ask4key server)
3. URL and Cloud App Control - block web
1. Bypass Authentication and SSL
1. Bypass the ask4key server (.ask4key.com) and also the customer website (www.customer.com, the captive portal) for authentication (see below)
2. Bypass the ask4key server (.ask4key.com) and also the customer website (www.customer.com, the captive portal) for SSL inspection (see below)
2. Firewall Control (All Traffic)
Policy---->Access Control----> Firewall Control
From the Policy main menu, select Access Control and then click the Firewall Control link (see the screenshot).
After clicking Firewall Control, the following window opens. The Firewall Control window has two tabs:
- Firewall Filtering Policy
- NAT Control Policy
The following firewall rules need to be set up.
1. Rule 1 allows all traffic to the ask4key server and also to the customer website (www.customer.com, the captive portal)
2. Rule 2 allows the DNS protocol through the firewall
3. Rule 3 allows only users that are authenticated and in the group (ask4key provisions users into the Service Admin group by default)
4. Rule 4 blocks all users that are not authenticated
3. URL and Cloud App Control
The following URL rules need to be set up.
1. Rule 1 allows all authenticated users (i.e. Service Admin) to access any URL (the order can be changed to block other sites)
2. Rule 2 allows access to the ask4key server and also the captive portal URL (even without authentication)
3. The other rules are examples of blocking (their order needs to be changed so they sit above Rule 1; otherwise Rule 1 grants the access before they are ever evaluated)
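To check the firewall rules and the URL rules above against sample traffic, here is a small first-match policy evaluator, added as an example (it is not Zscaler's own code or API). It models the four firewall rules, the two URL allow rules and one constructed block rule, and shows why a block rule placed below Rule 1 never fires. The host names are constructed placeholders.

```python
# Added example, not Zscaler's own code or API: a first-match policy
# evaluator modelling the firewall and URL rules described above.
# Host names (ask4key.com, www.customer.com, blocked.example) are placeholders.
from dataclasses import dataclass

PORTAL_HOSTS = ("ask4key.com", "www.customer.com")  # ask4key server + captive portal


@dataclass(frozen=True)
class Request:
    host: str
    port: int
    authenticated: bool = False
    groups: frozenset = frozenset()


def is_portal(r):
    return any(r.host == h or r.host.endswith("." + h) for h in PORTAL_HOSTS)


def is_service_admin(r):
    return r.authenticated and "Service Admin" in r.groups


# (name, predicate, action); list order is evaluation order, first match wins.
FIREWALL_RULES = [
    ("Rule 1 allow ask4key/captive portal", is_portal, "allow"),
    ("Rule 2 allow DNS", lambda r: r.port == 53, "allow"),
    ("Rule 3 allow authenticated Service Admin", is_service_admin, "allow"),
    ("Rule 4 block unauthenticated", lambda r: not r.authenticated, "block"),
]

URL_RULES = [
    ("Rule 1 allow Service Admin any URL", is_service_admin, "allow"),
    ("Rule 2 allow portal without auth", is_portal, "allow"),
    # Constructed stand-in for the page's "other rules are examples of blocking".
    ("Example block", lambda r: r.host.endswith("blocked.example"), "block"),
]


def evaluate(rules, req):
    """Return (rule name, action) of the first matching rule; ("none", None)
    means nothing matched and the product's default rule would apply."""
    for name, pred, action in rules:
        if pred(req):
            return name, action
    return "none", None


def blocks_first(rules):
    """Reorder so block rules sit above Rule 1, as the page requires."""
    return [r for r in rules if r[2] == "block"] + [r for r in rules if r[2] != "block"]
```

Running `evaluate(URL_RULES, ...)` for a Service Admin request to a blocked host returns Rule 1's allow, while `evaluate(blocks_first(URL_RULES), ...)` returns the block, which is the ordering point made in item 3 above.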