Zscaler Blog


Introducing Location-based Policy with Client Connector

NILADRI DATTA
November 16, 2025 - 5 min read

According to a recent Gallup report*, 52% of all workers have a hybrid work arrangement, and 25% now exclusively work remotely. In other words, there are a lot of user devices that no longer sit in an office behind traditional firewalls. So, how do you prevent these devices from leaking sensitive data and ensure that they have the smallest attack surface possible when they are used in coffee shops and home offices?

Thousands of organizations with remote and hybrid workers already use Zscaler’s lightweight agent, Client Connector, to provide their workforce with secure, zero trust connectivity to the internet, SaaS, and private applications. And now, Zscaler is introducing a new Client Connector feature called Location-Based Policy, which steers traffic and applies inbound and outbound endpoint firewall rules based on the trust status of the endpoint's location, while reducing the effort required to manage policies across groups of users, devices, and types of trusted locations.

Key benefits:

  • DNS and user traffic steering based on trusted location type
  • Inbound and outbound endpoint firewall management based on type of trusted location
  • A new policy framework with support for reusable objects and bulk changes

Location-based Policy

Client Connector has always had the ability to detect whether a device is located at a trusted location and forward traffic accordingly. The available trusted location types are "Off-Trusted," "On-Trusted," "VPN-Trusted," and "Split-VPN Trusted". Client Connector detects the trust status of a location based on customer-defined criteria and enforces forwarding policies immediately after a device reboot or wakeup and after network changes.
 
Now, with Location-based Policies, per-location Policy Rulesets can be created to control how Client Connector steers DNS queries for specific domains and how application traffic is forwarded. Rulesets can also contain default and specific inbound and outbound firewall rules that are enforced when Client Connector is active and tunneling traffic to the Zscaler Zero Trust Exchange.
 

Protecting the endpoint in any location

When the Location-based Policy feature is enabled and a hybrid worker is at the office (which is considered a trusted location), Client Connector detects the location type and applies the Policy Ruleset for "On-Trusted Network". Since the organization has, at this time, deployed Zero Trust for private application access with Zscaler Private Access (ZPA) externally only, the laptop should disable ZPA forwarding in the office, access network resources directly, and query internal domain names using the network DNS servers directly. However, when the laptop accesses SaaS applications or any external resources, traffic should be forwarded to the Zscaler Internet Access (ZIA) service to ensure that user-specific policies for access, security, data protection, DNS security, IPS, and firewall are enforced. Windows Defender Firewall on the laptop should allow all inbound and outbound traffic with the Domain Profile.

The Policy Ruleset for "On-Trusted Network" can be configured with a traffic steering policy to forward all DNS requests for internal domains and all traffic to internal networks directly on the network. The traffic steering policy can be configured to tunnel all other traffic with Z-Tunnel 2.0 to ensure that traffic is protected by Zscaler Internet Access (ZIA). The Policy Ruleset for "On-Trusted Network" can be configured to disable endpoint firewall management so Client Connector doesn't make any changes to the endpoint firewall and Windows Defender Firewall continues to operate as it did previously.

When the hybrid worker leaves the office after lunch for an offsite customer meeting (which is considered an untrusted location), Client Connector detects the change immediately when the laptop wakes up from sleep and applies the Policy Ruleset for "Off-Trusted Network". As per the organization's security policy, all DNS requests should be protected using DNS security with Zscaler Zero Trust Firewall, and all other traffic should be tunneled to the Zero Trust Exchange with Z-Tunnel 2.0, except requests to private applications, which should be tunneled using Zscaler Private Access (ZPA). Lastly, all inbound and outbound traffic to/from the local network and any RFC-1918 networks should be blocked by the Windows firewall, with the exception of inbound ZPA Client-to-Client traffic, which is used by the IT Servicedesk for remote support.

The Policy Ruleset for "Off-Trusted Network" can be configured with a traffic steering policy, which forwards all DNS requests and application traffic to Zscaler Internet Access (ZIA) while enabling access to the organization's private applications via Zscaler Private Access (ZPA). Endpoint firewall management can be enabled in the App Profile and a firewall policy defined in the Policy Ruleset to enforce Windows firewall rules. The firewall rules can be configured to block all inbound traffic with the exception of ZPA Client-to-Client traffic and block outbound access to RFC-1918 and local networks while allowing all traffic to the Zscaler Zero Trust Exchange.

With the "Off-Trusted Network" Policy Ruleset now active, Client Connector steers traffic accordingly and, in this case, enables endpoint firewall management. With endpoint firewall management active, Client Connector creates Windows firewall rules in a separate WFP sublayer that overrides the Windows Defender Firewall rules. As a result, the active Windows Defender Firewall configuration and rules are left intact and not modified in any way. Since Zscaler Private Access (ZPA) is active, Windows Defender Firewall switches to the Domain Profile (as per default behavior), but Client Connector ensures that the Windows firewall enforces the Client Connector firewall rules defined in the Policy Ruleset instead of the rules defined in Windows Defender Firewall's Domain Profile.


To further secure the device, the App Profile assigned to Client Connector can be configured with the Trigger Domain Profile Detection feature (introduced in previous releases), which ensures that Windows Defender Firewall continues to function using its Public Profile when Client Connector is in an "Off-Trusted Network" location and Zscaler Private Access (ZPA) is active. With this feature enabled and the Windows Defender Firewall Public Profile configured with a default Block policy for all inbound and outbound traffic, disabling the Zscaler Internet Access (ZIA) service in Client Connector causes the Public Profile configuration to take effect. The Windows laptop therefore does not fail open and become a target for attackers; the only way the user can regain access to SaaS, internet, or private applications is by re-enabling Client Connector forwarding.
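The steering and firewall decisions described for the two rulesets, as an added model written for this post (not Zscaler code): it encodes the "On-Trusted" and "Off-Trusted" behaviour above, including the fail-closed outcome when ZIA is disabled. The internal DNS zone, private app hostname, and Zero Trust Exchange addresses are constructed placeholders.

```python
import ipaddress

# Constructed placeholders, not real Zscaler values.
INTERNAL_ZONE = "corp.example"              # assumed internal DNS suffix
PRIVATE_APPS = {"intranet.corp.example"}    # assumed ZPA-published application
ZTE_IPS = {"198.51.100.5"}                  # placeholder Zero Trust Exchange address
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(ip: str) -> bool:
    """True for RFC-1918 (local/internal network) destinations."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def steer(location: str, host: str, dst_ip: str) -> str:
    """Where DNS/app traffic goes under the per-location ruleset: direct, ZIA or ZPA."""
    if location == "On-Trusted":
        # Internal names use the network DNS and internal networks go direct;
        # everything else is tunneled to ZIA over Z-Tunnel 2.0.
        if host.endswith("." + INTERNAL_ZONE) or is_private(dst_ip):
            return "direct"
        return "ZIA"
    if location == "Off-Trusted":
        # Private apps go through ZPA; all other DNS and traffic through ZIA.
        return "ZPA" if host in PRIVATE_APPS else "ZIA"
    raise ValueError(f"unmodelled location type: {location}")


def outbound_allowed(location: str, dst_ip: str, zia_enabled: bool = True) -> bool:
    """Endpoint firewall verdict for an outbound connection."""
    if location == "On-Trusted":
        return True   # firewall management disabled; Domain Profile allows all
    if not zia_enabled:
        # Trigger Domain Profile Detection keeps the Public Profile (default Block)
        # in force, so the device fails closed rather than open.
        return False
    if dst_ip in ZTE_IPS:
        return True   # traffic to the Zero Trust Exchange is always allowed
    return not is_private(dst_ip)   # RFC-1918 / local networks are blocked


def inbound_allowed(location: str, zpa_client_to_client: bool) -> bool:
    """Inbound: On-Trusted allows all; Off-Trusted allows only ZPA Client-to-Client."""
    return True if location == "On-Trusted" else zpa_client_to_client
```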

 

Wrap-up

If you would like to learn more about this important feature, sign up for our upcoming webinar, What's New in Client Connector: Location-Based Policy.
 
*Gallup Inc. (2025). Hybrid Work. Gallup Inc. https://www.gallup.com/401384/indicator-hybrid-work.aspx