Zscaler Integration with Votiro
Zscaler Isolation and Votiro CDR Integration
Zscaler Isolation and Votiro Cloud enable users to access, view, and download the content they need—seamlessly and without risk. Improve the security of traffic passing through the ZIA platform with Votiro Cloud.
|
n |
Reduce the risk of malware and malicious code by only allowing known good files through! |
|
n |
Zero-day threat prevention: Votiro strips out unknown bad code. This complements ZIA by mitigating novel and unverified threats. |
|
n |
Improved compliance: Sanitizing files while maintaining the original file format helps prevent data breaches and ensure the sanitized files align with secure industry standards. |
|
n |
Reduced attack surface: Votiro Cloud sanitizes every file passing through ZIA; together, this reduces the risk of cyberattacks originating from file-borne threats. |
|
n |
Ability to scale: Votiro Cloud and Zscaler ZIA are cloud-based solutions that enable organizations to scale traffic and file ingestion based on their expected workload. |
Votiro and Zscaler Workflow
Configuring the Votiro Management Dashboard
Prerequisites
|
n |
A licensed Votiro tenant |
|
n |
Votiro administrator account |
Configure the Votiro Service Token
To begin using Votiro and Zscaler Isolation, you must first log in to the Votiro Management Dashboard and obtain a Service Token.
To create the Service Token:
|
1. |
Provide the email address registered in the Votiro tenant, then click Sign in. |
|
2. |
Provide your Votiro administrator username and password, then click Sign in. The Votiro Monitor page is displayed. |
|
3. |
Select Settings (the Gear icon). |
|
4. |
Select Service Tokens. |
|
5. |
Select Create New in the Service Tokens page. |
|
6. |
Select the token Type: |
|
a. |
Connector - Basic integration. Allows authentication for uploading files procedure. |
|
b. |
Developer - Advanced integration. For all available APIs. Handle it with caution. |
|
7. |
Enter a name for the Service Token in the Issued To Field. |
|
8. |
Set the expiration date. |
|
9. |
Click Create. The Service Token is displayed. |
|
10. |
Copy and save the Token text in a secure location, then click OK. |
Note: You won’t see the Service Token again.
Configure Votiro Policies for Zscaler
To create a policy:
|
3. |
On the Policies page, click the add icon ⊕. |
|
4. |
Provide a name for the new policy and click the checkmark icon ✓ to save the new policy. |
Note: In this example, you are keeping the policy with the default actions. For more information regarding Votiro’s policy options, refer to Policies.
Configuring the ZIA Admin Portal
Prerequisites
|
n |
A licensed Zscaler Internet Access Tenant |
Enable Votiro Partner Integration
|
1. |
Log in to the ZIA Admin Portal. |
|
2. |
Go to Administration > Partner Integrations. |
|
b. |
In Votiro Hostname, enter the Votiro Tenant URL. |
Configuring ZIA Isolation
Prerequisites
|
n |
Zscaler Isolation license |
|
n |
Configure Isolation Profile |
Votiro Integration within the Zscaler Isolation
|
1. |
In the ZIA Admin Portal, select Administration > Isolation. |
|
3. |
In the Add Isolation Profile window, enter the following fields: |
|
t |
Name: Enter a name for the ZIA isolation profile. |
|
t |
Description: (Optional) Enter a description of the profile. |
|
5. |
On the Company Settings tab, choose to use either the recommended PAC file URL or your own manually configured PAC file URL: |
|
a. |
If you select Use recommended PAC file URL, the Automatic proxy configuration URL field is populated by default with the recommended PAC file from your Hosted PAC Files list in ZIA. The isolation browser configures the PAC file within the endpoint experience containers, and any traffic to the internet from the isolated browser is also forwarded through the ZIA cloud. |
|
b. |
Enable or disable Override PAC File and return traffic to the ZIA Public Service Edge. The ZIA Public Service Edges use auto-geoproximity, meaning that the traffic is returned to the service edge closest to the location of the user, not the location of the isolation browser. |
|
c. |
Enable or disable Debug Mode. If you enable it, you can optionally create a Debug File Password for the ZIP file that is created at the end of a debug troubleshoot. Make sure to share the password with the user associated with the isolation profile. |
|
d. |
In the Root Certificates section, select at least one certificate from the File (.pem) drop-down menu. The Zscaler Root Certificate that ZIA uses for SSL inspection appears by default in the drop-down menu. If your organization uses custom root certificates for SSL inspection, you can add them before creating isolation profiles. |
|
a. |
Enable or disable Allow local browser rendering. |
|
b. |
Enable or disable Allow Application Deep Linking. |
|
c. |
In the Votiro CDR Integration section: |
|
i. |
Enable Votiro CDR: Enable to allow downloaded files to be sanitized by CDR while in Isolation. |
|
ii. |
Download: Enable to allow Votiro to sanitize downloaded files. |
|
iii. |
Upload: Enable to allow Votiro to sanitize uploaded files. |
|
iv. |
Votiro Policy Name: (Optional) Select a Votiro policy from the drop-down menu. If none is selected, the default Votiro policy is applied. |
|
a. |
From the drop-down menu, select at least two regions. The isolation containers are leased to the user only from the selected regions based on the least network latency. |
|
10. |
On the Isolation Experience tab: |
|
b. |
Select the Isolation Experience mode: |
|
|
Native browser experience: This mode provides the user with a browsing experience similar to accessing the native web page with a typical browser. The user can customize this view. |
|
|
Browser-in-browser experience: This mode provides the user with the complete look and feel of an isolated session experience. To learn more, see User Experience Modes in Isolation. |
Configure Zscaler URL Filtering Policy
After the Votiro integration is enabled, and the Isolation profile is configured, you must create a URL filtering rule, and then associate the isolation profile.
|
1. |
In the ZIA Admin Portal, select Administration > URL & Cloud App Control. |
|
2. |
Click Add URL Filtering Rule. |
|
a. |
Enter a Rule Name for the new rule. |
|
3. |
In the Protocols option, select HTTP and HTTPS. |
Note: These are the only protocols supported by Zscaler’s Isolation solution.
|
5. |
In the User Agent option, select the browser criteria for which this rule must be applied. |
|
6. |
In the Action section under Web Traffic, select Isolate. |
Testing ZIA Isolation and Votiro CDR
Prerequisites
|
n |
Votiro tenant configuration |
End-to-End Testing
|
1. |
Connect to Zscaler Client Connector. |
|
2. |
When downloading a file that matches the URL Filtering Policy, the request is redirected to Zscaler Isolation and the Content Disarm analysis process starts. |
|
3. |
After the CDR analysis is complete, the banner message in the following figure is displayed. |
|
4. |
Go to Protected Storage to open the sanitized file. |
|
5. |
Click the View icon to open the sanitized file within Isolation. |
Analyzing Events in the Votiro Management Dashboard
|
1. |
Log in to the Votiro Management Dashboard, then click Events. |
Use Cases
The following sections describe the use cases for a Zscaler and Votiro integration.
Use Case 1: Download of Files to Managed Endpoints
Customers use ZIA and the associated services to ensure that no malicious files are downloaded onto managed end points. However, in certain circumstances, they also must ensure that the file downloaded is sanitized so that certain active content and file capabilities are turned off. This approach ensures that the files are not weaponized in the future or used for any malicious purpose.
To achieve this, customers use file sanitization CDR solutions such as Votiro. Customers expect that the files downloaded onto the end user’s computer are sanitized by Votiro so that the file delivered to the user is not only benign, but also has any capabilities that can later be used to weaponize the file or make the file vulnerable are turned off or sanitized.
The CDR service is expected to perform actions such as removing printer settings, sanitizing files with dynamic data exchange (DDE), removing metadata, removing external links, removing suspicious links, removing external images, removing macros, VBA macros, etc.
Use Case 2: Upload of Files to Private and SaaS Web Applications
Customers have private or SaaS applications that are critical in nature. In some cases, however, these applications must be accessed from unmanaged devices.
The user on the other end of these devices could be employees or third-party contractors. In some cases, uploading files to the application becomes a critical part of the user workflow. For example, an insurance agent or an investment broker could need to upload client documents to an internal web portal for legal and documentation purposes.
Secure access to these applications is provided by the user of browser isolation, however if the user is allowed to upload files to the application, it becomes critical to ensure that the files being uploaded to the application are not malicious or do not make the application itself vulnerable due to vulnerabilities in the uploaded file. In such cases, the use of a CDR solution such as Votiro to sanitize the uploaded files ensures application security.
Comments
0 comments
Please sign in to leave a comment.