Zscaler Internet Access (ZIA) is a Secure Web Gateway as a Service offering from Zscaler Inc. It is a key component of their SASE platform called Zscaler Zero Trust Exchange. Zscaler Internet Access provides an organization with a comprehensive cloud-based security stack that protects all (mobile) users and corporate locations from web and internet threats.
Zscaler and Microsoft have maintained a strong partnership for years and have partnered to enable secure cloud transformations for organizations of all sizes. In 2019, Zscaler was named a certified partner in the Microsoft 365 Networking Partner Program, which demonstrates that Zscaler follows Microsoft 365 networking requirements, recommendations, and best practices.
In this article, I would like to highlight some of the key benefits of using Zscaler Internet Access and Microsoft 365 together.
1. Enabling secure local internet breakouts
The Microsoft 365 network connectivity principles recognize the fact that many enterprise networks are still designed to backhaul network traffic to a central headquarters for security inspection before egress to the internet (hub-and-spoke architecture). To attain optimal performance for M365 services, Microsoft recommends local internet breakouts to shorten network paths and to allow users access to their closest M365 entry point. However, having numerous local internet breakouts introduces new challenges for organisations: it now becomes necessary to provide enterprise-grade security capabilities across all breakouts. The traditional appliance-based NGFW approach is expensive, difficult to manage and not capable of delivering the necessary performance. Here Zscaler Internet Access comes into play. It moves your security stack into the cloud and thereby enables secure local internet breakouts – every bit and byte of the internet-bound traffic across your organisation is secured and inspected.
2. Microsoft-Recommended One Click Office 365 Configuration
Zscaler Internet Access offers a feature called “Microsoft-Recommended One Click Office 365 Configuration” that ensures that all Office 365 application traffic is identified based on IP address and fully qualified domain name (FQDN). This makes it easy for organisations to adhere to Microsoft’s connectivity principles.
Once this feature is turned on, the following takes effect:
- A pre-defined ruleset for Office 365 traffic is created and makes sure that your policy set treats Office 365 traffic the way Microsoft recommends. E.g., Office 365 traffic will be exempted from SSL inspection
- ZIA fingerprints Office 365 applications and displays all this information on the Office 365 Dashboard to give you detailed insights on the usage of O365 Services in your organisation
- ZIA replaces the destination IP address with the closest CDN destination for the application to ensure a better user experience. In addition, DNS optimisation is performed automatically. Zscaler upholds a peering partnership with Microsoft and ensures minimal hops to Microsoft Cloud Services.
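To make the identification-by-IP-and-FQDN step concrete, here is an added example (not Zscaler's or Microsoft's code) that parses a constructed sample in the shape of Microsoft's Office 365 endpoint web service JSON and derives the per-category treatment Microsoft recommends: Optimize endpoints egress locally and bypass TLS inspection, Allow endpoints egress locally but stay inspectable, everything else is handled like ordinary internet traffic. The sample entries, the `POLICY` table and the `classify` helper are assumptions for illustration.

```python
import fnmatch
import ipaddress
import json

# Constructed sample in the shape of Microsoft's endpoint web service
# (https://endpoints.office.com/endpoints/worldwide). Illustrative values only;
# a real deployment pulls the live list and re-evaluates it on every version change.
SAMPLE_ENDPOINTS = json.dumps([
    {"id": 1, "serviceArea": "Exchange", "category": "Optimize", "required": True,
     "urls": ["outlook.office.com", "outlook.office365.com"],
     "ips": ["13.107.6.152/31", "2603:1006::/40"], "tcpPorts": "80,443"},
    {"id": 2, "serviceArea": "SharePoint", "category": "Optimize", "required": True,
     "urls": ["*.sharepoint.com"], "ips": ["13.107.136.0/22"], "tcpPorts": "80,443"},
    {"id": 31, "serviceArea": "Skype", "category": "Allow", "required": True,
     "urls": ["*.lync.com", "*.teams.microsoft.com"], "tcpPorts": "443"},
    {"id": 46, "serviceArea": "Common", "category": "Default", "required": True,
     "urls": ["*.microsoft.com"], "tcpPorts": "80,443"},
])

# Treatment per Microsoft category (assumed policy mapping, following the
# connectivity principles the article refers to).
POLICY = {
    "Optimize": {"local_breakout": True, "ssl_inspect": False},
    "Allow":    {"local_breakout": True, "ssl_inspect": True},
    "Default":  {"local_breakout": False, "ssl_inspect": True},
}

def load_endpoints(raw):
    """Parse the endpoint JSON, keep only 'required' entries, index by category."""
    by_cat = {}
    for e in json.loads(raw):
        if not e.get("required"):
            continue
        cat = by_cat.setdefault(e["category"], {"fqdns": set(), "nets": set()})
        cat["fqdns"].update(u.lower() for u in e.get("urls", []))
        cat["nets"].update(ipaddress.ip_network(n) for n in e.get("ips", []))
    return by_cat

def classify(by_cat, host=None, ip=None):
    """Return the policy for a destination FQDN and/or IP, or None if it is not M365.
    Categories are checked from most to least privileged so that a narrow Optimize
    or Allow pattern wins over a broad Default wildcard such as *.microsoft.com."""
    for cat in ("Optimize", "Allow", "Default"):
        rules = by_cat.get(cat)
        if not rules:
            continue
        if host and any(fnmatch.fnmatch(host.lower(), p) for p in rules["fqdns"]):
            return dict(category=cat, **POLICY[cat])
        if ip and any(ipaddress.ip_address(ip) in n for n in rules["nets"]):
            return dict(category=cat, **POLICY[cat])
    return None
```

Note that a wildcard such as `*.sharepoint.com` matches every tenant's SharePoint hostname, which is exactly why the FQDN list, not a static IP list alone, is needed for the SSL-inspection exemption.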
Enabling this feature is literally one click in the Zscaler Internet Access Admin Portal:
3. Tenancy Restriction for M365 services
The tenancy restriction feature of Zscaler Internet Access lets organisations restrict access to Microsoft personal and business accounts based on the Azure AD tenant the application is using for authentication. This way, organisations can ensure that their users only get access to approved M365 resources. The implementation of this feature is very simple, and it does not just work for M365: other non-corporate instances of popular cloud services such as Google Apps and Dropbox can be blocked automatically as well.
4. Bandwidth Control to manage traffic flows
The bandwidth control feature of Zscaler Internet Access allows you to always preserve enough bandwidth for your business-critical M365 applications at all your corporate locations. With Zscaler’s reporting capabilities it is easy to identify bandwidth constraints and to take the necessary action, such as limiting the impact of streaming, social media and file sharing by aligning the bandwidth control policies with your business needs.
5. Integration with Microsoft Cloud App Security MCAS (now called Microsoft Defender for Cloud Apps)
Microsoft Defender for Cloud Apps is Microsoft’s CASB solution. It can be tightly integrated with Zscaler Internet Access. Zscaler forwards logs to Microsoft Defender for Cloud Apps where all Cloud Apps can be discovered, classified and controlled through policies. These policies are polled via API and enforced inline through Zscaler Cloud App Control.
In combination, these two solutions offer a very seamless experience for cloud service discovery, making sure that your users are only using your M365 services and no alternative cloud services that could pose a risk to sensitive data of your organisation.
Summary
Zscaler Internet Access is made to enable direct-to-cloud access for internet-based applications like Microsoft 365. Through the strong partnership with Microsoft and adherence to their network connectivity principles, it can be a real facilitator of your M365 deployment. Feel free to contact us if you need advice on Zscaler Internet Access.