EZ – In Depth
Manoj Apte
VP Product Management
July 2010
Introducing EZ
EZ Agent Enforced
 EZ agent covers corner cases (< 10% users) by enforcing
proxy settings at all times
 Agent also aids with “captive portals” that require
authentication prior to establishing internet access
 Settings are disabled while network connection has not been
established and reinforced upon connection
2
Copyright (c) 2010 - 2011 Zscaler CONFIDENTIAL
“Thick” Client Inefficiencies
 Traditional vendors use a “thick” client for authentication
and policy enforcement – increased IT burden Road Warrior
 Client may conflict with VPN drivers and AV clients
 Deployment is difficult because of the large file size
 Zscaler service does not require a client
 Traffic redirection via proxy settings
 Authentication via patented cookies technology
 In a small fraction of use cases such as road warriors
without centralized provisioning these settings can not be
enforced
 Potential data leakage risks due to malicious employees
 Compromise of remote corporate assets by malware, adware and
spyware
3
Copyright (c) 2010 - 2011 Zscaler CONFIDENTIAL
EZ Benefits
Password prompt if user tries
to disable or uninstall the
application
 Plug-in is lightweight (< 4MB) and easy to deploy compared to “thick”
clients
 Can be centrally provisioned and maintained via GPO or Web
download
 Tamper proof but provision to disable and uninstall for privileged
users with a password
4
Copyright (c) 2010 - 2011 Zscaler CONFIDENTIAL
EZ : Packaging
 EZ_JUL15.ZIP
 Contains all files for EZ Agent
 EZAgentUserGuide.pdf
 Complete description of EZ and installation guide
5
Copyright (c) 2010 - 2011 Zscaler CONFIDENTIAL
Installing EZ with no customization
1. Unzip contents of the Zip file into some directory
2. Run Setup.BAT.
6
Copyright (c) 2010 - 2011 Zscaler CONFIDENTIAL
EZ Components
Service
Tray
Configuration File
Settings
7
• Windows Service that monitors tray process and
restarts it if it is killed.
• Ensures Tamper Resistance
• Enforces Proxy Settings
• Bypass Proxy for Captive Portal
• Password based temporary disable for enforcement
• Uninstall Password
• Temporary Disable Password
• Timeout for forcing proxy even if Service is not
accessible
• Polling interval to retry Service in a captive portal
Copyright (c) 2010 - 2011 Zscaler CONFIDENTIAL
Details of what Tray Sets and monitors
 Note: Proxy and PAC File settings are monitored for ALL types of Internet connections (LAN
Settings is standard, but there may be modem internet connections as well)
 PAC File
 Checkbox for PAC file enforcement
 URL for PAC File
 Proxy
 Checkbox for Set Proxy
 Proxy address for each type of protocol
 Proxy Exception List
 Hide Tray Icon
 Tray process is running in background, but tray icon is hidden.
 Test Connection Host
 Gateway Connectivity Test can be pointed to a private sub-cloud
 Polling Interval in Seconds
 Retry connection to Service every X Seconds after Proxy is disabled
 Force Proxy Timeout in Seconds
 If Service is unavailable, force proxy settings regardless of Service availability after polling for
X Seconds (Tamper Resistance Feature)
 Applications to kill
 Example: Opera browser can be disallowed by configuring opera.exe in the kill list. A warning
is given to the user from the tray icon
8
Copyright (c) 2010 - 2011 Zscaler CONFIDENTIAL
Sample Configuration file
ConfigVersion
DebugLevel
=1.2.619
=0
DisablePassword
UninstallPassword
=ZSCALER
=ZSCALER
PollingIntervalInSeconds
ForceProxyTimeOutInSeconds
WatchdogLimitInSeconds
=30
=0
=300
# Setting for IE redirect limit. Helps with IE 8
MaxHTTPRedirects
=20
9
UseProxyServer
HTTPProxy
HTTPProxyPort
HTTPSProxy
HTTPSProxyPort
FTPProxy
FTPProxyPort
SOCKSProxy
SOCKSProxyPort
=0
=gateway.zscaler.net
=80
=gateway.zscaler.net
=80
=gateway.zscaler.net
=80
=gateway.zscaler.net
=80
ProxyBypassIE
ProxyBypassMozilla
=10.*;192.*;*.zscaler.org
=10.*,192.*,*.zscaler.org
UsePacFile
PACFileURL
=1
=http://pac.zscaler.net/zscaler.net/proxy.pac
HideTrayIcon
=0
Copyright (c) 2010 - 2011 Zscaler CONFIDENTIAL
Steps for GPO based install and uninstall
 Unzip package into some directory. It contains:
 Setup.bat, config.txt, config.dat, encrypt_cfg.exe and zInstaller.exe
 Create custom config.txt and encrypt it :
 encrypt_cfg.exe e config.txt config.dat
 GPO based deployment:
 Deploy Setup.BAT, zInstaller.exe, config.dat in some directory
 Run SETUP.BAT
 GPO based uninstall
 Run Uinst000.exe in the directory where EZ was installed with
 Uninst000.exe /PASS=<uninstall pass> /VERYSILENT
 NOTE: All command line parameters are case sensitive
10
Copyright (c) 2010 - 2011 Zscaler CONFIDENTIAL
Other things…
 Loading a new configuration file:
 Method 1 (with admin priviledge):
 Copy new configuration file in ProgramData\RTServicemon (requires admin
priviledge)
 Right click on EZ agent and “Test Connection”
 Method 2 (without admin priviledge):
 Right click on EZ Agent “Load new configuration file”
 Point to the new configuration file
 Debugging
 Set debug level to 10 and ask user to reload new configuration
11
Copyright (c) 2010 - 2011 Zscaler CONFIDENTIAL