Tidbit: How CBI works

I use the “Tidbit” subject line to denote a snippet of text I’ve found useful in understanding or communicating a particular topic for customers. Here’s how I boiled down Cloud Browser Isolation (CBI) setup and signal flow for my PoC customer. Does this work for you?

  1. Define a location in ZIA pertaining to a dedicated proxy port (DPP) in Zscaler’s infrastructure
  2. Define a PAC file in your ZIA console that directs all traffic to this dedicated port
  3. Create a profile in the Cloud Browser Isolation (CBI) user interface that references the new PAC file
  4. Copy the Isolation URL from the profile you created in step 3
  5. Make a URL rule(s) for sites to be isolated, with the “action” set to block and the “Redirect URL” set to the Isolation URL you copied from step 4.
  6. Make another rule, above the isolation rule, that allows all traffic from the dedicated proxy port location you defined in step 1. This is necessary to avoid a redirection loop, which would look to users like a “sorry, we’ve encountered an error” message from Zscaler.

To recap the recap:

  • User asks for www.gmail.com
  • ZIA blocks the request. The blocking rule redirects the request to the Isolation URL from step 3 above.
  • The isolation platform retrieves www.gmail.com using ZIA, fetching it from the dedicated proxy port referenced in step 1
  • ZIA allows the request because it’s coming by way of the DPP location
  • The page is rendered in isolation and the user is happy
2 Likes
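
The setup and signal flow from the post above, as an added example that is not part of the original post and is not Zscaler code: a simplified JavaScript model of the PAC file from step 2 and the rule order from steps 5 and 6, showing why the allow rule must sit above the isolation rule. The model assumes first-match rule evaluation; the proxy host and port, the Isolation URL, and the location and rule names are constructed placeholders.

```javascript
// Simplified model of the CBI signal flow; not Zscaler's policy engine.
// Hostnames, port, Isolation URL, location and rule names are constructed placeholders.
const DPP_PROXY = "PROXY dpp.example.invalid:10000";
const ISOLATION_URL = "https://isolation.example.invalid/profile/";
const MAX_HOPS = 5; // give up after this many block/redirect rounds

// Step 2: the PAC file referenced by the isolation profile sends all traffic to the DPP.
function FindProxyForURL(url, host) {
  return DPP_PROXY;
}

// Steps 5 and 6 as rules; the model assumes the first matching rule wins.
const allowFromDpp = { name: "allow-dpp", match: (r) => r.location === "dpp-location", action: "allow" };
const isolateSites = { name: "isolate", match: (r) => r.host === "www.gmail.com", action: "block", redirectUrl: ISOLATION_URL };

function evaluate(rules, request) {
  return rules.find((rule) => rule.match(request)) || { name: "default", action: "allow" };
}

// Follow one user request through the URL policy and the isolation platform.
function trace(rules, host) {
  const hops = [];
  let request = { host, location: "user-location" };
  for (let i = 0; i < MAX_HOPS; i++) {
    const rule = evaluate(rules, request);
    hops.push(`${request.location}:${rule.name}`);
    if (rule.action === "allow") {
      return { outcome: request.location === "dpp-location" ? "rendered-in-isolation" : "direct", hops };
    }
    // Blocked with a redirect: the isolation platform re-requests the site
    // through the proxy named by its PAC file, so it arrives from the DPP location.
    const viaDpp = FindProxyForURL("https://" + host + "/", host) === DPP_PROXY;
    request = { host, location: viaDpp ? "dpp-location" : "user-location" };
  }
  return { outcome: "redirect-loop", hops };
}

console.log(trace([allowFromDpp, isolateSites], "www.gmail.com")); // allow rule on top
console.log(trace([isolateSites, allowFromDpp], "www.gmail.com")); // allow rule below
```

With the allow rule below the isolation rule, or missing, the isolation platform's own fetch matches the isolation rule again and the model reports the redirection loop described in step 6.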

This is a great summary. Thanks @Will_Irace
QQ: when you create a location with DPP, are we enabling Authentication, SSL Inspection? What are the other options we are enabling?