At the time of writing, Zscaler only supports tenant restrictions for O365 and allowed domains for G-Suite.
If you’re looking to allow access to a specific Slack workspace and block access to everything else, you will need the following:
- SSL Inspection must be enabled (Zscaler App for road warriors, or location-based)
- Create Custom URL Categories
- Create URL Filtering policy Rule Order # 1 to ALLOW the Custom URL Category which contains the Slack workspace and supporting URLs you want to ALLOW
- Create URL Filtering policy Rule Order # 2 to BLOCK the Custom URL Category which contains the wildcard for .slack.com
Step 1 (assuming SSL inspection is already enabled)
Create a Custom URL Category with the following URLs, being sure to replace both entries containing Zscaler with the name of the workspace you want to ALLOW:
List of URLs to ALLOW
- a.slack-imgs.com
- api.slack.com
- app.slack.com
- b.slack-imgs.com
- edgeapi.slack.com
- files.slack.com
- go.slack.com
- join.slack.com
- my.slack.com
- slack-core.com
- slack-edge.com
- slack-files.com
- slack-imgs.com
- slack-msgs.com
- slack-redir.net
- slack.com/
- slackb.com
- wss-backup.slack.com
- wss-mobile.slack.com
- wss-primary.slack.com
- www.slack.com
- zscaler.slack.com
Step 2
Create a second Custom URL Category with the wildcard entry for .slack.com that will BLOCK everything else.
List of URL wildcard to BLOCK
.slack.com (be sure to include the leading period)
Step 3
Create URL Filtering Policy in Rule Order # 1 to ALLOW the custom URL category created in Step 1
Step 4
Create URL Filtering Policy in Rule Order # 2 to BLOCK the custom URL category created in Step 2
- If the block policy is not triggering, check that Slack is not being SSL bypassed, and that the Zscaler SSL cert is present (or your own cert, if you are using your own Custom Intermediate Root Cert).
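
The rule ordering above, modelled as an added example (not Zscaler code and not part of the original article): a first-match evaluator over the two custom categories, showing why the ALLOW rule has to sit above the wildcard BLOCK. The matching semantics (exact host for plain entries, any subdomain for leading-period entries) and the hostname `other-team.slack.com` are simplifying assumptions made for illustration.

```python
# Simplified model of the two URL Filtering rules; assumptions are labelled.
ALLOW_CATEGORY = """
a.slack-imgs.com api.slack.com app.slack.com b.slack-imgs.com
edgeapi.slack.com files.slack.com go.slack.com join.slack.com my.slack.com
slack-core.com slack-edge.com slack-files.com slack-imgs.com slack-msgs.com
slack-redir.net slack.com/ slackb.com wss-backup.slack.com
wss-mobile.slack.com wss-primary.slack.com www.slack.com zscaler.slack.com
""".split()                      # the article's ALLOW list, verbatim
BLOCK_CATEGORY = [".slack.com"]  # the article's wildcard entry

def entry_matches(entry, host):
    """Assumed semantics: '.domain' matches any subdomain; others match exactly.
    How the bare domain is treated by a wildcard entry is not modelled here."""
    entry = entry.lower().rstrip("/")
    host = host.lower().rstrip(".")
    if entry.startswith("."):
        return host.endswith(entry)
    return host == entry

def evaluate(host, rules):
    """Return (action, rule_order) of the first rule whose category matches.
    (None, None) means neither of these two rules applies to the host."""
    for order, (action, category) in enumerate(rules, start=1):
        if any(entry_matches(e, host) for e in category):
            return action, order
    return None, None

# Rule order as described in the article.
POLICY = [("ALLOW", ALLOW_CATEGORY), ("BLOCK", BLOCK_CATEGORY)]
# Misordered policy: the wildcard is evaluated first and shadows the allow list.
REVERSED = [("BLOCK", BLOCK_CATEGORY), ("ALLOW", ALLOW_CATEGORY)]

if __name__ == "__main__":
    # Constructed sample hosts; other-team.slack.com is a hypothetical workspace.
    for host in ("zscaler.slack.com", "other-team.slack.com",
                 "files.slack.com", "slack-edge.com"):
        print(f"{host:24} correct={evaluate(host, POLICY)} "
              f"reversed={evaluate(host, REVERSED)}")
```

With the rules reversed, every `*.slack.com` host in the allow list, including the permitted workspace, hits the BLOCK rule first; only the non-`slack.com` supporting domains still match ALLOW.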