Zscaler Summer 2015 Release Notes

110 Baytech Drive Suite 100 San Jose, CA 95134 | Phone: 1-866-902-7811 | www.zscaler.com

Zscaler Summer 2015 .......................................................................................... 3

Improved User Experience ................................................................................... 3
Localization of the Zscaler Admin Portal .................................................................................... 3
New End User Notifications (EUNs) ............................................................................................ 3

New Cloud Access Security Broker (CASB) Features ..............................................4

Zscaler Identity Broker ...............................................................................................................4
Blocking Google Consumer Accounts ......................................................................................... 5
Bandwidth Control Reporting ..................................................................................................... 5
Expanded Cloud Applications and File Type Coverage ................................................................6
Cloud Application as Policy Criteria ............................................................................................6

New Zscaler Web Security Features ..................................................................... 7

Retain Parent URL Category ....................................................................................................... 7
Zscaler SSL Inspection Enhancements ....................................................................................... 7
New Executive Reports ...............................................................................................................8
Increased PAC File size ...............................................................................................................8
SAML Authentication for Administrators ...................................................................................9
Authentication Enhancements ...................................................................................................9

Security Features .............................................................................................. 10

Rule-Based Policies for Zscaler Behavioral Analysis .................................................................. 10
Support for New File Types in Zscaler Behavioral Analysis ....................................................... 10
Security Blacklist Support ......................................................................................................... 10

Infrastructure Features ..................................................................................... 11

Virtual ZEN (Limited Availability) ............................................................................................. 11
Nanolog Streaming Service (NSS) for Zscaler Next Generation Firewall ................................... 11

New Zscaler Next Generation Firewall Features .................................................. 12

Increased Firewall and NAT Rules ............................................................................................. 12
TCP DNS Proxy ......................................................................................................................... 12
Office365 Predefined Application Group .................................................................................. 12

New Zscaler Data Loss Prevention (DLP) Features .............................................. 13

ICAP for DLP Support (Limited Availability).............................................................................. 13
Expression Matching Support ................................................................................................... 13
Enhanced Custom Dictionaries Support ................................................................................... 13
File Type and Cloud Applications as Criteria for DLP policy ...................................................... 13

Mobility and Endpoint Features ......................................................................... 14

The New Zscaler App (Limited Availability) .............................................................................. 14

Appendix A: New Cloud Applications ................................................................. 15

Appendix B: New File Types .............................................................................. 16

Copyright 2015

Zscaler Summer 2015

This release features significant enhancements that will help you gain additional control and
visibility over your organizations use of cloud applications. It also offers major enhancements
to our Web Security, Data Loss Prevention, Advanced Threat Protection and Next Generation
Firewall product lines, and introduces the Zscaler App, a unified agent that runs on Windows
and Mac computers and provides both improved security and easier deployment.
The following is a summary of the enhancements in this release. Please refer to our newly
redesigned online help portal for detailed information.

Improved User Experience

Localization of the Zscaler Admin Portal
Admins can now view the admin portal in any of the following languages: English, Spanish,
French, Traditional Chinese or Japanese.

New End User Notifications (EUNs)

We have redesigned our user notifications with clearer messaging and crisp color schemes.
These changes are designed to greatly improve the experience that your employees have as
they interact with Zscaler, and should also reduce the number of support calls that you have to
field. The new notifications adapt to all screen sizes and are localized in 11 languages.
As shown in the sample EUNs, the background colors signify the following:

Green: Log in and proceed

Yellow: Cautioned Content
Orange: Quarantined Content / FTP Violation
Red: Content Blocked
Grey: Error encountered

Copyright 2015

New Cloud Access Security Broker (CASB) Features

Zscaler Identity Broker
This release introduces the new Zscaler Identity Broker. The Zscaler Identify Broker lets you use
Zscaler as an identity provider for your most important cloud applications. This enables you to
ensure that your employees can only use these applications if their traffic flows through the
Zscaler platform, which greatly improves your overall security and compliance posture.
The Summer 2015 release provides support for the following applications:

Box.com

Salesforce

Google Apps

The Zscaler Identify Broker also gives you the ability to log user access to cloud applications
irrespective of their location or device, as well as agent-less deployment.

Copyright 2015

Blocking Google Consumer Accounts

If your corporate policy is to not allow your employees to use their personal Gmail accounts
from your company locations or their company devices, Zscaler can now use a Googleapproved X-header (X-GoogleApps-Allowed-Domains) to restrict Google Apps access only to
corporate domains. Access to Google consumer accounts such as gmail.com or other nonprovisioned domains will be blocked, and users will be notified.

Bandwidth Control Reporting

Zscaler Summer2015 provides granular bandwidth control for cloud applications and internetbound traffic, where you can define priority-based bandwidth rules for cloud apps, URL
categories, file size and other criteria. You can then reduce the bandwidth used by consumer
applications like YouTube, so business applications like Office365 and Salesforce always
perform well. Organizations that have subscribed to our Bandwidth Control features can now
view detailed reports, such as:

Bandwidth Control Dashboard with 30-day view

Monthly bandwidth usage report

App class-level bandwidth utilization report

Top throttled bandwidth locations and apps reports

Bandwidth rule-level reports

Copyright 2015

Expanded Cloud Applications and File Type Coverage

Zscaler has expanded cloud application coverage in Summer 2015, adding support for 23 new
apps in our Cloud Applications control panel. Please refer to Appendix A for details.
Zscaler has also added nine new file types to the File Type policy. Please refer to Appendix B for
details.

Cloud Application as Policy Criteria

Zscaler now supports cloud applications as a criteria for the following policies:

Bandwidth Control

DLP

Authentication Bypass

SSL Bypass

This allows you to define policies without having to configure custom URL categories for cloud
applications that are already supported by Zscaler.

Copyright 2015

New Zscaler Web Security Features

Retain Parent URL Category
Zscaler Summer 2015 now provides an option to retain the original parent category of a URL
when you move the URL to a custom category or to any other category. In the past, the original
parent category mapping was lost when a URL was moved to another category. Starting with
this release, when you move a URL to another category, you can choose to retain the original
parent category. This update does not impact your current URL categorization.

Zscaler SSL Inspection Enhancements

We have enhanced our SSL inspection capabilities in Summer 2015 with the following new
features:

OCSP support for server certificate validation:

o

Zscaler now validates the servers OCSP responder URL

Zscaler now supports the OCSP protocol to verify the validity of all server
certificates

Zscaler now blocks all certificates with a revoked/unknown status and displays
an EUN.

Zscaler displays EUNs for bad server certificates in the following scenarios:
o

The issuer is unknown

The certificate is expired

The common name in the certificate does not match

Zscaler does not fall back to the Zscaler root certificate if a custom self-signed
certificate is invalid. Instead, Zscaler continues to use the previously uploaded selfsigned certificate.

Copyright 2015

New Executive Reports

New Executive Reports are now available from the Analytics tab of the admin portal. The
Executive Report provides a quick snapshot of your companys security posture. It is designed
to be forwarded to your executives who are looking for a quick snapshot that shows what you
are doing to keep your organization safe, and how you compare to your peers. You can also
schedule the Executive Report to be emailed to registered users.

Increased PAC File size

Zscaler now supports PAC files of up to 256KB. Before this release, Zscaler supported PAC files
of up to 64 KB.

Copyright 2015

SAML Authentication for Administrators

Zscaler now supports password-less single sign-on (SSO) for administrators. You can use your
Identity Provider to set up SSO and disable password-based login for admin users.

Authentication Enhancements
Zscaler now supports the following:

Frequent LDAP synchronizations (up to every 2 hours) for organizations that use the
Zscaler Authentication Bridge

LDAP server configuration by domain name in addition to IP addresses

RC4 for Kerberos for Windows 2003 servers

Aliasing for Kerberos authentication, where the Zscaler service can synchronize
sAMAccountName as an alias for User Principal Name.

Copyright 2015

Security Features
Rule-Based Policies for Zscaler Behavioral Analysis
Zscaler Behavioral Analysis automatically sends suspicious files to our cloud-based sandboxes
for further inspection it is designed to give you protection similar to FireEye at a fraction of
the cost.
With Zscaler Summer 2015, we now support granular rule-based policies for Behavioral
Analysis. For example, you can set up a policy that increases your overall security posture by
enforcing that for your CFO, CEO and CEO, suspicious and unknown Adobe PDF and Microsoft
Office Documents must always be quarantined and inspected but for the remainder of your
employee population they will be passed and inspected.

Support for New File Types in Zscaler Behavioral Analysis

Zscaler Behavioral Analysis now supports the following additional file types for sandbox
analysis: Android APK files, ZIP files and RAR files (up to 5 levels deep).
These new file types are in addition to the file types that our cloud-based sandboxes have
previously supported, which include Windows 32-bit and 64-bit executable files, Windows 32bit and 64-bit dynamic link libraries, system files, ActiveX controls and screen savers, Microsoft
Office documents, Adobe PDF files, Adobe Flash files and Java apps and applets

Security Blacklist Support

You can now define a malicious URLs black list in the Advanced Threats Protection page of the
admin portal.

Copyright 2015

10

Infrastructure Features
Virtual ZEN (Limited Availability)
With Summer 205, the Zscaler Enforcement Node (ZEN) is now available as a virtual machine
that you can deploy on premise. A virtual ZEN (vZEN) functions as a full-featured Zscaler proxy,
running on your network, inside your data center, or in your public or private cloud
infrastructure. vZENs are available as an additional subscription. Zscaler supports vZEN
deployments in clusters for scalability and load distribution. vZEN supports traffic forwarding
via GRE tunnels, L2 forwarding and PAC files.

Nanolog Streaming Service (NSS) for Zscaler Next Generation Firewall

If you have a subscription to the Zscaler Next Generation Firewall, you can now obtain an
additional subscription for NSS to stream firewall logs to your on-premise SIEM. NSS for
Firewall requires a separate VM from the NSS VM that is used to stream web logs. In addition,
NSS for Firewall provides an option to choose different output feeds, including aggregated
firewall logs, session-based firewall logs and DNS logs.

Copyright 2015

11

New Zscaler Next Generation Firewall Features

Increased Firewall and NAT Rules
You can now define up to 1,024 rules in your firewall and NAT control policy. This allows scaling
of your firewall policy and network services.

TCP DNS Proxy

The Zscaler Next Generation Firewall now supports TCP DNS queries, in addition to UDP DNS
queries. You can now use TCP-based DNS, like DNSsec. Logging also has been enhanced to
differentiate between a TCP and UDP DNS session.

Office365 Predefined Application Group

Zscaler now provides a predefined application group for Office365 apps, simplifying policy
creation for all Office365 apps through a single rule. All Office365 apps, including Outlook,
Lync, OneDrive, Sharepoint and Skype, are in this group.

Copyright 2015

12

New Zscaler Data Loss Prevention (DLP) Features

ICAP for DLP Support (Limited Availability)
Zscaler now supports secure ICAP as an additional subscription to its DLP license to allow
forwarding data to on-premise DLP engines. For example, you can integrate Zscaler with
Symantec Vontu, allowing your existing Vontu infrastructure to process DLP violations
detected by Zscaler. Customers can define granular policies to specify the content that should
be sent to the on-premise DLP module for correlation with data-at-rest classification.

Expression Matching Support

In addition to phrases, custom dictionaries now also support pattern expressions to enable you
to specify custom identifier formats such as bank account numbers, legal identification
numbers and more.

Enhanced Custom Dictionaries Support

The custom dictionaries now feature more intuitive scoring rules for finding exact matches.
Dictionaries are now also capable of detecting unique pattern matches, rather than the total
number of violations, for trigger thresholds.

File Type and Cloud Applications as Criteria for DLP policy

Zscaler now supports file type and cloud applications as criteria for the DLP policy. A subset of
file types supported by the Zscaler File Type Control policy is available for DLP policy criteria.

Copyright 2015

13

Mobility and Endpoint Features

The New Zscaler App (Limited Availability)
With Summer 2015, Zscaler has launched a new unified agent for Windows and Mac computers
that makes it easy to tunnel HTTP port 80 and 443 traffic to the Zscaler cloud. The App is
available for download for all of our existing customers through the Zscaler app portal, which is
accessible through your main Zscaler admin portal. Zscaler app simplifies deployment by
enforcing the Zscaler profile on users devices and provides you with detailed device-level
reporting, including device compliance posture.

Please note that the Zscaler app is not enabled by default on your account. Contact Zscaler
support to enable the Zscaler app for your account. The app is available in Limited Availability
mode and should not yet be used as your primary deployment vehicle for Zscaler.

Copyright 2015

14

Appendix A: New Cloud Applications

Onehub Streaming Media & File Sharing

Screencast Streaming Media & File Sharing

Leapfile Streaming Media & File sharing

Egnyte Streaming Media & File Sharing

Auto Hotkey System & Development

Syncplicity Streaming Media & File Sharing

Sharefile Streaming Media & File sharing

Docstoc Enterprise Productivity

Adobe EchoSign Enterprise Productivity

Archway Sales & Marketing

Bazaar Voice Sales & Marketing

Brainshark Sales & Marketing

CheetahMail Sales & Marketing

Docusign Enterprise Productivity

HipChat Enterprise Collaboration

Raybec Sales & Marketing

Responsys Sales & Marketing

Salesforce Radian 6 Enterprise Collaboration

SAP Ariba eSourcing Enterprise Productivity

Shopwyre Sales & Marketing

Socialbakers Sales & Marketing

Copyright 2015

15

SpredFast Enterprise Productivity

Sprinklr Sales & Marketing

Appendix B: New File Types

.cgr

.mkv

.webm

.sldprt

.GIF

.JPEG

. PNG

Unknown Vendor App File types

Copyright 2015

16