Tenant Restriction -- Tunnel 1.0

Will it be possible to enable Tenant Restriction on Z-Tunnel 1.0?

Or

Z-Tunnel 2.0 is mandatory?

Thanks,
Rahul

Classification: Public

Hi, SSL inspection is mandatory. Will work on tunnel 1.0 as well.

Hello Rahul, great question! As Ramesh stated, SSL inspection is going to be mandatory for Tenant Restrictions, which will work for services using traditional TCP/443. Depending on your use cases within tenant restrictions, it may be necessary to block the QUIC protocol, which Tunnel 1.0 would not forward to Zscaler as it operates over UDP. Some services that would utilize QUIC may be Google and Microsoft Cloud Applications as well as a growing list of others that are migrating to QUIC. The good thing about QUIC is that most services using it will fall back to SSL/TLS if QUIC is blocked, which would then be able to be inspected and enforced by your ZIA policies. This can all be solved by deploying Tunnel 2.0 to your users, installing a Firewall rule to block the QUIC Network Service or Application in your ZIA Cloud Firewall, and then continuing on the path of tenant restrictions and any remaining use cases you have!

2 Likes
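The QUIC point in the reply above, as an added example that is not part of the original thread and not Zscaler tooling: a small audit over flow records that flags client/destination pairs where UDP/443 was allowed (so the session never reached SSL inspection) and confirms the TCP/443 fallback where it was blocked. The log format, hostnames and verdict names are constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample flow log (assumed format, not a Zscaler export):
# timestamp,client,dest,proto,dport,action
SAMPLE_LOG = """\
1,10.0.0.5,login.example.com,udp,443,block
2,10.0.0.5,login.example.com,tcp,443,allow
3,10.0.0.7,mail.example.net,udp,443,allow
4,10.0.0.7,mail.example.net,tcp,443,allow
5,10.0.0.9,drive.example.org,udp,443,block
6,10.0.0.5,intranet.example.com,tcp,443,allow
7,10.0.0.9,dns.example.org,udp,53,allow
"""

def classify_quic_flows(log_text):
    """Return {(client, dest): verdict} for every pair that tried UDP/443."""
    udp_events = defaultdict(list)   # (client, dest) -> [(ts, action)]
    tcp_allowed = defaultdict(list)  # (client, dest) -> [ts of allowed TCP/443]
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 6:
            continue  # skip malformed lines
        ts, client, dest, proto, dport, action = (f.strip().lower() for f in row)
        if dport != "443" or not ts.isdigit():
            continue  # only port 443 matters for the QUIC/TLS question
        key = (client, dest)
        if proto == "udp":
            udp_events[key].append((int(ts), action))
        elif proto == "tcp" and action == "allow":
            tcp_allowed[key].append(int(ts))

    verdicts = {}
    for key, events in udp_events.items():
        if any(action == "allow" for _, action in events):
            # QUIC left the network directly: no SSL inspection, no tenant policy
            verdicts[key] = "quic_allowed_uninspected"
            continue
        first_block = min(ts for ts, _ in events)
        if any(ts > first_block for ts in tcp_allowed[key]):
            verdicts[key] = "fell_back_to_tcp443"
        else:
            verdicts[key] = "blocked_no_fallback_seen"
    return verdicts

if __name__ == "__main__":
    for (client, dest), verdict in sorted(classify_quic_flows(SAMPLE_LOG).items()):
        print(f"{client} -> {dest}: {verdict}")
```

Pairs reported as `quic_allowed_uninspected` are the ones to close with the QUIC block rule; `blocked_no_fallback_seen` pairs are worth checking for applications that do not fall back.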

OK… So Z-Tunnel 2.0 is mandatory for the Tenant Restriction to work.

Thanks,
Rahul