Block access to an SSL Inspection exempted host

I want to prevent users from uploading files using Zoom’s chat feature.
(I know that Zoom can be configured to prevent uploading files, but I want to prevent uploading not only to our company tenant, but also to other tenants, such as tenants associated with free accounts.)

So I enabled SSL Inspection and created some File Type Control policies.
But I’ve found that when “Block Undecryptable Traffic” is enabled, SSL Inspection prevents user invitations on Zoom.

Is there any way to balance the two functions below?

  • Traffic to Zoom should be exempted from SSL Inspection.
  • But traffic to the specific host (us04file.zoom.us) that serves the file upload function should be blocked.

Hi Naoki,

I was able to achieve this in my lab environment by configuring the following:

  1. You are correct, you can’t SSL bypass Zoom completely, as you wouldn’t have the visibility you need to enforce the file type control. Instead, I’m only bypassing .cloud.zoom.us. This allows Zoom to properly load, yet I can still see the file upload attempt.
  2. Next, I created 2 custom URL categories, “Allow Zoom” and “Block Zoom”, with “Allow Zoom” being the Zoom tenant that can have file uploads (mytenant.zoom.us) and “Block Zoom” being (.zoom.us), which is all others.
  3. Your file type control policy will start with the allow, followed by the block.

Hi Wayne,

In fact, we decided to bypass traffic we want to block using ZPA.

  • Forward traffic (to us04file.zoom.us) to ZPA.
  • Then, block traffic by Access Policy on ZPA.

By doing this, it is expected that selective blocking will be possible.

  • Traffic to us04file.zoom.us would be blocked on ZPA.
  • Other traffic to Zoom would be forwarded to ZIA, and still be SSLi-exempted.

Thanks anyway.