SSL Inspection - Which URL Categories to Bypass (if any)?

New customer here.

I understand from comments made in passing from a Zscaler SE that enabling SSL Inspection for all URL categories is not a wise way to go since it unpredictably breaks too many legitimate business sites. He was not comfortable recommending a list of URL categories to bypass from SSL-inspection, however.

How do you approach this at your respective companies?

Since so much traffic is encrypted, I’d ideally like to inspect everything but not at the cost of creating too much disruption for my end users.

This is a big topic and needs to be answered differently for each OS. We see good results by excluding Finance and Health for everything. My answer is valid for an M365 / AAD based environment.

In Windows, developers are most likely to face issues with SSL Inspection. Apart from that we don’t see too many issues in browsing.

For iOS/Android it’s a different story because most of the apps use certificate pinning. There is a pretty good list about that in the Zscaler help: "Certificate Pinning and SSL Inspection | Zscaler".

In macOS, exclude everything Apple-related.

Zscaler SSL Policies are a very good tool. I hope this helps you to start.