Authentication in non-80/443 traffic

For ZApp Tunnel 2.0, I’m aware that all traffic, including traffic that does not use port 80/443, will be sent to the ZEN. Will the traffic be authenticated in this case?
(Let’s say that the user has not logged into ZApp yet.)

Hi Samantha,

ZApp starts to forward traffic only after the auth is completed. Once the auth is completed, ZApp will always be able to tell the cloud who is sending that traffic, even if the traffic is non-80/443.

Best Regards,

Jones Leung

SE Manager, Greater China

Jones,

Thanks for the reply.
I see, so all traffic would be authenticated and be found in the log for ZApp Tunnel 2.0!

Another question: I heard that if you exempt a certain URL from authentication, policies would not be applied to that traffic (to that URL). Is that correct?

You are welcome.

Well, I think what you mean is that if a URL is exempted from SSL inspection, it will be allowed. Yes, that’s the case, but since the last release we have provided another option to customers, so that SSL can be bypassed with policy inspection.

Jones,

Sorry for being unclear.
I meant the usage of the function in the following:
https://help.zscaler.com/zia/exempting-urls-cloud-apps-authentication

I see.

Well, first, the auth exemption only applies to cookie-based auth. A traditional proxy relies on a cookie found in HTTP headers to check the user ID. But sometimes traffic doesn’t support it, and apps or sites may be broken. The auth bypass is created to skip cookie-based auth for that traffic. The user ID will be missing if you only rely on cookie-based auth, but we will still check the traffic against other policies to see if there is any match-all-users policy in place.

However, if you have IP surrogate enabled with a GRE/VPN tunnel to send traffic to us, we will be able to assume the previously cookie-authenticated IP to be from the same user before the idle timeout. So auth exemption is not required, as we will not always check for the cookie anymore. There are some settings around this feature to help achieve your goal, but that is another topic.

If you are using ZApp, it is not using cookie-based auth with your internet traffic, and ZApp will always tell us who sends the traffic, so auth exemption is not required as well.

Jones,

I understand now.
Thank you so much.