Blog de Zscaler
Reciba en su bandeja de entrada las últimas actualizaciones del blog de Zscaler
Communicating Security Notifications to Users with Zscaler Client Connector EUN Notifications
In the networking world, there is a widely known adage: "It's always the network". This phrase refers to the tendency of users to blame network connectivity whenever access to a resource fails, even if the true reason lies elsewhere—such as being blocked by a corporate security policy.
The Need for Better User Communication
When end-users receive no clear notification of why access to an application or network has been denied or other action taken, it is natural for them to assume the failure stems from a "networking issue." Left in the dark, users often retry accessing the resource, wasting valuable time and, eventually, filing help desk tickets.
This pattern creates multiple challenges:
- Increased workload for IT support teams, draining resources that could be allocated elsewhere.
- Frustration across the business, as employees feel hindered by network inefficiencies.
- Potential security risks, as users may attempt to bypass corporate security restrictions by leveraging unsanctioned third-party solutions.
In most instances, employees adopting workarounds are driven by necessity, not malice—they simply want to complete tasks without engaging with technical barriers they don’t fully understand.
The solution? Providing clear, timely end-user notifications (EUNs) that inform users when access to a specific resource is blocked, along with the reason for the restriction.
Such transparency not only reduces the volume of unnecessary tickets but also cultivates better-informed, security-aware employees. Over time, this strengthens the organization’s overall security posture.
A Unique Challenge: Non-Web Traffic EUNs
For web traffic, user notifications are relatively straightforward: organizations can display a web-based End-User Notification (EUN) page explaining the block. This page might include customized corporate branding, a message specific to the policy violation, and instructions for contacting IT support if needed.
But not all traffic is web-based. What happens, for example, when a user tries to access a resource via SSH in a public cloud, only to have the attempt blocked by a security policy? Since there’s no browser-based interaction, traditional EUN pages can’t be displayed in such cases. This can leave users confused, wasting time trying to troubleshoot what they perceive as “networking” or application-related issues.
Enter Zscaler Client Connector EUN Notifications
This is where Zscaler Client Connector EUN Notifications step in to fill the gap. Starting with Zscaler Client Connector version 4.8 (used in conjunction with Z-Tunnel 2.0), notifications can now be surfaced directly to the user for ZIA policies, clearly explaining that access to a site or resource has been blocked by a corporate security policy.
Expanded Policy Support
Previously, ZCC-based notifications were available for policies such as Inline Web Data Loss Prevention (DLP), Endpoint DLP, and Cloud App Control. Recently, Zscaler has enhanced these capabilities to include:
- Firewall Filtering
- DNS Control
- Intrusion Prevention System (IPS) Control
This expanded support is particularly valuable for non-web traffic, where no web-based EUN page can be presented.
Key Use Cases for EUN Notifications
Here are some common scenarios in which Zscaler Client Connector EUN Notifications offer clarity:
- DNS Control Actions:
When a DNS request is blocked due to a classification (e.g., a domain falls under a restricted category).
- When DNS Control redirects a request (e.g., A-record response redirected to a specified IP), but no subsequent web flow occurs, leaving the user without context for the block.
- Firewall or IPS Control Actions:
- When attempts to use protocols such as SSH are blocked.
- When an IPS signature match triggers a block, users are left wondering why their application or connection isn't functioning as expected.
EUN notifications eliminate this ambiguity by clearly communicating the reason behind the restriction, for example, by communicating:
- Block actions on non-web traffic to the user.
- Warnings to the user when they go to a suspicious domain or use a protocol or application that is not banned but dangerous.
- Remediation steps to the user (opening a ticket, not running an app etc.).
Key Capabilities of Zscaler Client Connector EUN Notifications
Customizable Messaging:
- A default EUN message is available, but you can tailor messages by policy type (e.g., Firewall, DNS, IPS Control) to better suit your organization's requirements. This can include details such as the remediation steps such as contact information for opening a ticket.
- Administrators can control the specific data displayed in the EUN message. For example, when users are blocked from going to a suspicious domain by a DNS Control policy, the EUN notification can include additional details such as the domain category, thereby providing clarity to the user.
Policy-Specific Enablement:
- Organizations can activate Client Connector EUN notifications on a per-policy basis for Firewall, DNS Control, and IPS Control actions.
Severity-Based Color Coding:
- Visual indicators allow users to quickly understand the severity of the block:
- Red: Severe enforcement, such as "Block" actions for DNS, Firewall, or IPS policies.
- Amber: Less severe actions, such as "Redirect Response" for DNS or "Allow" for IPS.
Supported Actions:
DNS Control:
Block (Red)
Block with Response Code (Red)
Redirect Response (Amber)
Firewall Policies:
Block/Drop (Red)
Block/ICMP (Red)
Block/Reset (Red)
IPS Control:
Allow (Amber)
Block/Drop (Red)
Block/Reset (Red)
Summary
The Zscaler Client Connector EUN Notification is a game-changing feature that enhances end-user visibility across both web and non-web traffic. It eliminates confusion by notifying users when their access is denied due to corporate security policies, reducing unnecessary IT support tickets and reclaiming employee productivity.
Beyond operational efficiency, these notifications also foster a culture of security awareness across your organization, ensuring employees understand and respect corporate policies, consequently improving the organization's security posture.
With this feature, Zscaler continues to empower businesses by prioritizing both security and user experience. No longer will users believe "it's always the network." Instead, they’ll know exactly what’s happening—and why.
¿Este post ha sido útil?
Exención de responsabilidad: Este blog post ha sido creado por Zscaler con fines informativos exclusivamente y se ofrece "como es" sin ninguna garantía de precisión, integridad o fiabilidad. Zscaler no asume responsabilidad alguna por cualesquiera errores u omisiones ni por ninguna acción emprendida en base a la información suministrada. Cualesquiera sitios web de terceros o recursos vinculados a este blog se suministran exclusivamente por conveniencia y Zscaler no se hace responsable de su contenido o sus prácticas. Todo el contenido es susceptible a cambio sin previo aviso. Al acceder a este blog, usted acepta estas condiciones y reconoce su responsabilidad exclusiva de verificar y utilizar la información según sea precisa para sus necesidades.
Explorar más blogs de Zscaler
Zscaler Internet Access (ZIA) and CrowdStrike: Zero Trust Access Control Based on Device Security Posture
Five Must-Haves for Data Security Posture Management (DSPM)
Zero Trust is Shaking up VPN Strategies
Reciba en su bandeja de entrada las últimas actualizaciones del blog de Zscaler
Al enviar el formulario, acepta nuestra política de privacidad.