Allow Specific Slack Workspace

Currently at the time of writing this article, Zscaler only supports tenant restrictions for O365 and allowed domains for G-Suite.

If you’re looking to allow access to a specific Slack workspace and block access for anything else, you will need the following:

  • SSL Inspection must be enabled (Zscaler App for road warriors or location based)
  • Create Custom URL Category
  • Create URL Filtering policy Rule Order # 1 to ALLOW Custom URL Category which contains the Slack workspace and supporting URLs you’re wanting to ALLOW
  • Create URL Filtering policy Rule Order # 2 to BLOCK Custom URL Category which contains wildcard for .slack.com

Below is a short video summarizing the steps above:

Step 1 (assuming SSL inspection is already enabled)

Create a Custom URL Category with the following URLs; being sure to replace both containing Zscaler with the name of the workspace you’re wanting to ALLOW:

List of URLs to ALLOW

a.slack-imgs.com
api.slack.com
app.slack.com
b.slack-imgs.com
edgeapi.slack.com
files.slack.com
go.slack.com
join.slack.com
my.slack.com
slack-core.com
slack-edge.com
slack-files.com
slack-imgs.com
slack-msgs.com
slack-redir.net
slack.com/
slackb.com
wss-backup.slack.com
wss-mobile.slack.com
wss-primary.slack.com
www.slack.com
zscaler.slack.com

Step 2

Create a Custom URL Category with the wildcard entry for .slack.com that will BLOCK everything else.

List of URL wildcard to BLOCK

.slack.com (be sure to include the leading period)

Step 3

Create URL Filtering Policy in Rule Order # 1 to ALLOW the custom URL category created in Step 1

Step 4

Create URL Filtering Policy in Rule Order # 2 to BLOCK the custom URL category created in Step 2

Troubleshooting

Slack Reference

5 Likes

The article is very helpful. Our customer want to do exactly same thing.
But our customer tried to use cloud application “Slack” with cascading instead of “.slack.com”. It seem it should be worked same as “.slack.com”. URL filter should win against Cloud app policy. But Cloud app policy blocked Slack. I confirmed the same behavior. Is this expected?

Hi @kentarokoba, it may depend on the type of request (GET, POST) and how the policy is configured. Please see this page for specific information:

https://help.zscaler.com/zia/about-policy-enforcement

Hi,

Not sure if my understanding is correct, but just to clarify, cascade feature actually doesn’t change the order we parse the policy- cloud app still goes first, BUT with the feature enabled we will also parse the URL filtering policy after parsing the cloud app policy. So it is normal that cloud app will block slack if it is configured to be.

Best Regards,

Jones Leung

SE Manager, Greater China

Zscaler, Inc