Windows Defender Firewall Configuration

Hi, we are moving to Windows Defender Firewall (from Symantec) and are encountering some issues. We block all outgoing and inbound connections; I have added all the rules in the below link to allow the applications and processes through the firewall:

Zscaler Client Connector Processes to Whitelist | Zscaler

However, Teams, Outlook, Edge, Chrome etc. are still getting blocked. When the above rules are added, the Zscaler application itself shows as connected and healthy. We were under the assumption that when you allow the Zscaler application through the Windows firewall, the other applications that are set to send their traffic through Zscaler would begin to work. We are only able to use the browsers once we add separate rules for them, i.e. Edge Allow TCP / UDP. However, the issue with this is that when you remove the Zscaler rules or disable the application, you are still able to browse the internet. Is there some configuration we are missing, or is this by design?

Any help would be appreciated. Sorry if this is posted incorrectly, first-time post. Thanks.
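The setup described in the question, as an added example that is not part of the original post or of Zscaler's documentation: a default-deny outbound policy on every profile, per-executable allow rules, and two audit queries that show why a per-program allow rule lets a browser egress whether or not Client Connector is running (the firewall matches on the process, not on whether its traffic is tunnelled). The Zscaler executable paths are placeholders; substitute the processes from the linked "Processes to Whitelist" article. The Edge and Chrome paths are typical defaults and are assumptions to verify on your image.

```powershell
# Added example; not from the original thread. Run elevated.

# 1. Default-deny in both directions on all three profiles.
Set-NetFirewallProfile -Profile Domain, Private, Public `
    -DefaultInboundAction Block -DefaultOutboundAction Block

# 2. Executables to allow outbound. Zscaler entries are PLACEHOLDERS:
#    replace with the processes listed in Zscaler's whitelist article.
$allowPrograms = [ordered]@{
    'ZCC placeholder 1' = 'C:\Program Files\Zscaler\PLACEHOLDER-PROCESS-1.exe'   # placeholder
    'ZCC placeholder 2' = 'C:\Program Files\Zscaler\PLACEHOLDER-PROCESS-2.exe'   # placeholder
    'Microsoft Edge'    = 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'  # assumed default path
    'Google Chrome'     = 'C:\Program Files\Google\Chrome\Application\chrome.exe'         # assumed default path
}

# 3. Create one outbound allow rule per program, tagged with a rule group so
#    the whole set can be audited or removed together. Idempotent on re-run.
$group = 'Managed Egress Allow'   # constructed group name
foreach ($entry in $allowPrograms.GetEnumerator()) {
    $name = "Allow Outbound - $($entry.Key)"
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Group $group `
            -Direction Outbound -Action Allow -Enabled True -Profile Any `
            -Program $entry.Value | Out-Null
    }
}

# 4. Audit: confirm the default actions actually took effect.
Get-NetFirewallProfile |
    Select-Object Name, DefaultInboundAction, DefaultOutboundAction

# 5. Audit: list every enabled outbound allow rule and the program it binds to.
#    Any browser listed here can reach the network on its own; nothing in this
#    table depends on the Zscaler rules or on ZCC being enabled.
Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True |
    ForEach-Object {
        $filter = $_ | Get-NetFirewallApplicationFilter
        [pscustomobject]@{ Rule = $_.DisplayName; Group = $_.Group; Program = $filter.Program }
    } | Sort-Object Program | Format-Table -AutoSize
```

The last query is the check to run when asking "why can Edge still browse with ZCC disabled": if msedge.exe appears with its own allow rule, the firewall will pass its traffic regardless of the tunnel state, which is the by-design behaviour discussed in the replies below. Removing the browser rules and allowing only the Zscaler processes does not route browser traffic through the firewall hole; it simply blocks the browser.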

Hi Matthew - I’m afraid the following assumption is incorrect: “…when you allow the Zscaler application through the Windows firewall, the other applications that are set to send their traffic through Zscaler would begin to work.” The Zscaler Client Connector in no way takes the place of your browser. You still need to allow all Windows applications that you plan to allow to function, you just need to make sure that the Zscaler executable is also one of those allowed applications along with the normal application access users need to function.

Zscaler will provide security protection based on the policy you define in the administrative console and apply to traffic that leaves the workstation - not traffic local to the machine, which is what layers like Windows Defender are intended to do. It may be very time-consuming to try to block ALL applications and then determine which ones are required, which is why concentrating on the Zscaler policy that provides the best protection is probably a better approach than blocking all applications in Windows Defender.

Here is an example of one way to integrate Windows Defender with Zscaler: Integrating with Microsoft Defender for Endpoint | Zscaler. I hope it helps.

Thank you very much for your quick response Mark, I’ll look into the above now and speak to the relevant colleagues.

I disagree with what you are saying. If you configure Client Connector in Packet Filter Tunnel mode, then the idea is that ZCC picks up any traffic on 80 or 443 because it has filters in the TCP stack. That configuration is designed to catch non-proxy-aware traffic. So depending on Matthew's configuration, his assumption is correct. Now if you are running Tunnel with Local Proxy, that is not true.

I am running into this same problem transitioning from Symantec to CrowdStrike, which simply integrates with Windows firewall. It appears that it is slipping into the stack ahead of the filters ZCC uses to catch the traffic and therefore makes locking down client firewall rules almost impossible. We are currently running through various options, but if anyone has any suggestions it would be helpful.

I know this worked differently with Symantec Firewall in place.

I agree my wording was probably not clear. My point was that the EDR product (whatever it is) "slipping into the stack ahead of the filters ZCC uses…" is the issue, and not the browser, PAC file, or even Tunnel vs. TWLP mode. From what I could tell from Matthew's question, it was about why someone could browse the Internet after rules were removed or ZCC was disabled, and whether that is by design. My answer was "yes, that is by design", especially if you have no rule prohibiting Internet traffic or ZCC is disabled. There's obviously nothing ZCC can do if it is disabled, although when enabled, it's possible that ZCC could be installed with the "STRICTENFORCEMENT" option and it would block all Internet access if ZCC was disabled. There are also configuration options to make sure users don't disable ZCC.

In essence, I think Matthew was asking if Windows Defender could be a fallback without specifying the rules in Zscaler, and that is absolutely not how the integration with Windows Defender works. Also, I think with both Windows Defender and CrowdStrike, the point of the integration is not to help one or the other "lock down the firewall rules", but instead to transfer the rule enforcement to the Zscaler Cloud and use the endpoint with more security data (threats found in ZS not found in the endpoint agent, sandboxing files on behalf of the agent, blocking/quarantining files identified as malicious, and having the agent block requests on behalf of Zscaler/remediation once a threat is identified to have reached the endpoint).