SSL Inspection - Which URL Categories to Bypass (if any)?

New customer here.

I understand from comments made in passing from a Zscaler SE that enabling SSL Inspection for all URL categories is not a wise way to go since it unpredictably breaks too many legitimate business sites. He was not comfortable recommending a list of URL categories to bypass from SSL-inspection, however.

How do you approach this at your respective companies?

Since so much traffic is encrypted, I’d ideally like to inspect everything but not at the cost of creating too much disruption for my end users.

This is a big topic and needs to be answered differently for each OS. We see good results by excluding Finance and Health for everything. My answer is valid for an M365 / AAD-based environment.

On Windows, developers are most likely to face issues with SSL Inspection. Apart from that we don’t see too many issues in browsing.

For iOS/Android it’s a different story because most of the apps use certificate pinning. There is a pretty good list about that in the Zscaler help: Certificate Pinning and SSL Inspection | Zscaler

In macOS exclude everything Apple related.

Zscaler SSL Policies are a very good tool. I hope this helps you to start.

You’re going to bypass different categories for different reasons.

Legal/Privacy may care about those related to PII. Think healthcare, financial, maybe even social media.

I’ve recently added others that had high friction to IT and general internet services (SaaS companies with developers) - IT and OS updates as well as internet services and professional services.

There are trade-offs to each. If you still want insight into a specific SaaS app, you can choose to inspect that in a higher rule, like Slack or Salesforce.

My main driver is inspecting for malware and the risk is far higher on untrusted websites and services.
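One way to model the rule-ordering point made in the reply above (a specific SaaS "inspect" rule placed above the category bypasses so it wins even when the app's category is bypassed), as an added Python example that is not from the thread or from Zscaler; the category names, hostnames and rule names are assumed:

```python
from dataclasses import dataclass, field

# Constructed policy modelled on the advice in the thread: rules are evaluated
# top-down, first match wins, and anything unmatched is inspected by default.
# Category names, hostnames and rule names are assumptions for illustration.

def _host_matches(host: str, pattern: str) -> bool:
    """A leading dot matches the domain itself and any subdomain."""
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern

@dataclass
class Rule:
    name: str
    action: str                                  # "inspect" or "bypass"
    categories: set = field(default_factory=set)  # URL categories
    hosts: set = field(default_factory=set)       # hostname patterns

    def matches(self, host: str, category: str) -> bool:
        if self.hosts and not any(_host_matches(host, p) for p in self.hosts):
            return False
        if self.categories and category not in self.categories:
            return False
        return bool(self.hosts or self.categories)  # empty rule never matches

POLICY = [
    # Higher rule: keep visibility into sanctioned SaaS regardless of category.
    Rule("inspect-sanctioned-saas", "inspect", hosts={".slack.com", ".salesforce.com"}),
    # Privacy-driven category bypasses (Finance & Health), as in the thread.
    Rule("bypass-privacy", "bypass", categories={"Finance", "Health"}),
    # Certificate-pinned vendor traffic (Apple on macOS/iOS) cannot be inspected.
    Rule("bypass-pinned-apple", "bypass", hosts={".apple.com", ".icloud.com"}),
    # Friction-heavy update traffic bypassed for developer/IT-heavy users.
    Rule("bypass-os-updates", "bypass", categories={"OS Updates"}),
]
DEFAULT = Rule("default-inspect", "inspect")

def evaluate(host: str, category: str, policy=POLICY) -> tuple:
    """Return (rule_name, action) for the first matching rule."""
    for rule in policy:
        if rule.matches(host, category):
            return rule.name, rule.action
    return DEFAULT.name, DEFAULT.action

def coverage(samples, policy=POLICY) -> dict:
    """Map each rule name to how many constructed samples it decided."""
    hits = {r.name: 0 for r in policy + [DEFAULT]}
    for host, category in samples:
        hits[evaluate(host, category, policy)[0]] += 1
    return hits
```

Running `coverage` over a sample of real transaction logs shows which bypass rules actually fire and how much traffic falls through to default inspection.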

We ended up going big-bang with SSL inspection (i.e., enabled for all URL categories except Finance & Health as per Zscaler’s best practice). We only saw one issue with access to an IP camera being affected and we quickly whitelisted it with no issue.