What criteria can Zscaler Client Connector consider during trusted network detection?
How can Zscaler client connector tell it's on a trusted network?
💡
This is part of an on-going series in cybersecurity foundations. Check the cyber 101 article tag index from time to time for more content.
In some scenarios and deployments, Zscaler administrators may not necessarily want the endpoint app (Zscaler client connector) to forward traffic at all. For example, an Office may already be sending traffic to zscaler via a perimeter SD-WAN / Firewall device. In these situations, it's important for the client connector app to know where it is. That's accomplished through a feature called "Trusted Network Detection".
So how exactly does the client app determine if the user is on a trusted network? Zscaler has a number of approaches:
- Hostname/IP - With this approach, the client connector checks to see if a local FQDN matches an expected IP.
- DNS Server - With this technique, the client connector checks to see if the local DNS Server is a specific private value matching the enterprise DNS server.
- DNS Search Domain - The client app checks to see what the search domain is for a primary NIC. The expectation being that a corporate DHCP server might be assigning a unique value that's not commonly applied elsewhere.
- Network Range - In this case, the client would know it's on a trusted network if the local IP for the asset belonged to a specific network subnet.
- Default Gateway - Another similar network address check, this time looking at the default router/gateway (expecting it to be unique for a trusted network).
- DHCP Server - Noticing a trend? 😄 This criteria checks to see if a DHCP server (which would only reside in a trusted network) is nearby.
- Egress IP - This checks to see what the egress IP address of the network is (it's public IP to the internet) and checks to see if that matches an expected identity for a trusted network.
For more information on this, check out the following resource:
