Home / Blog / General / Zscaler deployment guide – Insider tips for deploying Zscaler

August 8, 2018

Built 100% in the cloud, Zscaler delivers your ‘Security Stack-as-a-Service’ from the cloud – where your services and users now reside. By securely connecting users to their applications, regardless of device, location, or network, Zscaler has transformed enterprise security, providing…

Tick Unmatched security – Always-on protection. No appliance complexity.

Tick Secure network transformation – From ‘hub-and-spoke’ to direct-to-cloud.

Tick Fast & secure remote access to AWS/Azure – No remote VPN pitfalls.

Tick Successful Office 365 deployment – One-click deployment. No network upgrades.


Every Zscaler deployment is different

With no hardware appliances to deploy, connecting to the Zscaler service is as simple as forwarding all internet traffic to the Zscaler service, so you can secure your internet traffic and apply policies accordingly.

But as Zscaler has a powerful set of features, it is important to configure Zscaler to your unique (and predefined) requirements. So here we’ll discuss how to deploy Zscaler.

Traffic forwarding methods

Firstly, there are number of traffic forwarding methods to connect to the Zscaler Cloud.

  • Tunnelling
  • PAC Files
  • Zscaler App
  • Proxy Chaining

You can use one, or a combination of these, depending on your environment / architecture. For more information about the various traffic forwarding methods Zscaler supports, read Choosing Traffic Forwarding Methods.

Configuring Zscaler to deliver on your requirements

However, aside from the technical elements of deployments, there are a large number of other considerations and variables which you should take into account when deploying Zscaler.

Every Zscaler deployment we (Comtact Ltd.) undertake is different

This is because every business has different operations, different goals and therefore different requirements.

While the goal of one organisation may be to secure their remote workforce – another organisation may be looking to implement URL filtering and bandwidth control. Zscaler has a wide set of security capabilities – it just depends on what you are looking to achieve.

Firstly, some questions to ask / answer

Here are a few questions relating to your environment and future plans, which it is helpful to consider and answer.

1. Do you have sites connected via MPLS – and do they have direct internet access?
2. Do you use any Hyperscale platforms? e.g. Office 365, Salesforce.com etc.
3. Do you allow remote VPN access for remote workers, contractors, or affiliated persons?
4. How do you currently firewall protect your services?
5. Do you currently use any DNS proxy web filtering services?
6. Do you have any expansion/acquisition plans?
7. What is the mix of office-based/mobile/remote workers?
8. Do you have a multi-device deployment? i.e. PC/Tablet/Mobile phone. How are these protected?
9. Do you have a multi-OS environment? i.e. Windows/Android/iOS. How are these protected?

How to approach a Zscaler deployment

As previously mentioned, every Zscaler deployment is different. There is no prescribed way of:

  • Forwarding traffic
  • Authenticating
  • Rolling out

Zscaler is capable and flexible enough to offer multiple deployment options, some of which will naturally lend themselves to certain environments – some of which will depend on the preference of those who will ultimately administer the service, day-to-day.

Zscaler deployment process

1. Define your required (and desired) goals from Zscaler

This is a critical step, as it will shape the deployment and help therefore help define the project plan. Following are the common business drivers we hear, driving the decision to deploy Zscaler. One, or several may apply to your organisation.

1.1. Security

Zscaler’s security cloud processes up to 50 billion requests (more than Google) and performs 120,000 security updates each day. Any threat detected by any user is instantly shared and blocked across the entire Zscaler network. So very little configuration is actually required to benefit from the powerful in-built security toolset of Zscaler’s security-as-a-service.

1.2. Compliance requirements

Compliance means different things to different people. With a lot of in-built feature sets, Zscaler can be configured to help you meet your compliance requirements – GDPR, PCI, ISO 27001, Cyber Essentials etc. – if a priority.

Zscaler gives you a toolset to control what people put onto the internet and includes a Data Loss Prevention (DLP) add-on.

1.3. Business productivity

Many organisations are concerned about lost productivity from (for example) the use of Facebook; or ‘shadow IT’ services like Google Drive, or Dropbox.

Zscaler gives you complete visibility of user behaviour, so you can intelligently shape policy and user behaviour.

For example, a large organisation we were working with saw a lot of file sharing activity with Google Drive, Dropbox and WeTransfer. Investigation saw no malicious activity, but this clearly highlighted risks. So, policy was adjusted to move everyone towards using Microsoft’s OneDrive, meaning file sharing stayed within the control of the business.

Additionally, bandwidth control allows you to view and prioritise business traffic. 60% of bandwidth was allocated to Office 365, while capping YouTube bandwidth. All of which maintained Quality of Service and user productivity.

1.4. Digital transformation

Cloud services reduce hardware footprint and reduces internal operation resource costs. However, many organisation’s architectures were not designed for cloud services.

Zscaler allows secure, policy-based access to cloud-based services via direct internet breakouts. With no hardware to deploy, any user (regardless of location) will get the same quality of service and user experience. Making it much easier to deploy cloud-based services, like Office 365 – especially since Zscaler is colocated with Microsoft’s data centres.

1.5. Increasingly mobile workforce

Similarly, Zscaler makes it easy to provide remote and mobile users with secure, policy-based access to corporate services. Apply consistent policy to users, regardless of whether they’re in the office, or a cafe. Everything is still controlled centrally – and every user gets the same Quality of Service.

1.6. Expanding network / Mergers & acquisitions

With a mergers or acquisition, you wouldn’t want to connect networks immediately. But with Zscaler, it is easy to transfer new users/operations into your network. Simply enrol new users, to make them part of existing corporate controls and security policies. This provides the umbrella, from which you can stitch together networks.

2. Design & Project Plan

Having understood and defined your business requirements and goals, the next step is to produce a design, to ensure the important functionality is configured, tested and the service is successfully deployed along the agreed plan and timescales.

As a standard process, Comtact works with your internal network experts with project management resources, engaging with a variety of people over the business to help bring to the surface any concerns from within the business (regardless of where they are coming from).

3. Deployment Support

As a cloud service, there’s rarely a need for a Comtact engineer to be on-site. However, only our most experienced Zscaler-certified engineers are assigned to client Zscaler deployments, providing a dedicated point of contact, to support the intensive project plan.

Zscaler themselves do provide a standard support service, but the most intensive and business critical support activities will occur during installation. Comtact’s team are always on-hand to offer their wider IT expertise to oversee the installation and ensure any interaction with Zscaler is appropriately escalated and managed.

Guide to deploying ZscalerExample Zscaler deployment

Comtact Ltd. deployed Zscaler to a company with 1,000+ users, spread over 26 sites in 8 countries.

The majority of users were concentrated in 3 main regional headquarters, but with many small branch offices – plus an ever-increasing number of exclusively remote mobile workers.

The company already supported direct internet breakout from each site, so as a result, were not needing to backhaul traffic over MPLS to a central location. They had no existing context-based URL filtering and used a DNS-based filter with a single policy applied to all. There was no ability to differentiate between groups, with little visibility or security over traffic.

The company had grown via a series of acquisitions, so the infrastructure was very disparate. Many of the sites operated semi-autonomously.

The challenge

The challenge they faced was how to apply a common security policy to internet activity, and increase data loss protection, when each site was very different in terms of how users authenticated, and how traffic could be routed.

Discovery phase

During the discovery phase, we were able to draw an accurate picture across all the sites, establishing that the majority of sites (including the three HQs) used the same version of firewall, and these were managed by the same 3rd-party. We were also able to discover that despite the disparity, operating systems were largely uniform.

Identities were not managed centrally, but via multiple independent Active Directories. This was a challenge that sat outside of the Zscaler deployment, so Comtact recommended a highly effective cloud-based Identity Provider, which could unite the various directories – so that Zscaler and other cloud-based applications could be easily integrated with the business going forward.

Traffic forwarding

Business-critical applications such as Salesforce and various banking sites were identified for the testing and possible SSL bypasses. With regards to traffic forwarding, it was decided to use a combination of tunnels where firewalls existed (for the most comprehensive coverage), and the Zscaler App on devices where there was no firewall, or for mobile users.

GRE tunnels were not supported by the firewalls, but given bandwidth information, it was decided that IPSec VPN tunnels were the best option. The Zscaler App would be configured to recognise when the device was on/off a corporate network, so it could disable/enable itself respectively.

Test site, with staged deployment

A mid-sized branch site was identified as a test site. The service was then incrementally and systematically rolled out over the course of a week, with several prescribed tests built around business-critical applications to measure the success of the Zscaler deployment.

As per the project plan, the successful Zscaler deployment not only ensured a smooth transformation with minimal business disruption, but also leveraged the strengths of Zscaler’s cloud security platform, delivering on the defined goals:

Tick Transformed security infrastructure, with local internet breakouts

Tick Securing and enabling of mobile workforce

Tick Unification of security services

Tick Simplified and reduced administration

About Zscaler Inc.

Gartner magic-quadrant secure web gateways 2017

The world’s largest cloud security platform

As a Gartner magic quadrant leader for Secure Web Gateways, Zscaler moves your security stack to the cloud, providing fast, secure connections between users and applications – regardless of device, location, or network.

With 100+ data centres globally, every user gets a fast, local connection no matter where they connect from.

About Comtact Ltd.

Comtact Ltd. is a specialist Cyber Security and IT Managed Service Provider, supporting clients 24/7 from our ISO27001-accredited UK Security Operations Centre (SOC).

And as the UK’s leading Zscaler partner, with a dedicated in-house team to Zscaler-certified professionals, there’s no better place to start your Zscaler deployment.

Located at the heart of a high security, controlled-access Tier 3 data centre, Comtact’s state-of-the-art UK Cyber Defence Centre (SOC) targets, hunts & disrupts hacker behaviour, as part of a multi-layered security defence, to help secure some of the UK’s leading organisations.