Firewall Configuration Requirements

To ensure that the Cloud Security Service works correctly in your environment, make sure your firewall configuration allows the types of traffic described below. Refer to the following use cases for details.

Authentication Requirements

  • If your users are authenticated by a directory that you host (Active Directory/OpenLDAP)
    • The Cloud service must be able to reach those directory servers, or user authentication will fail. In practice this means the Zscaler Central Authority must be able to send authentication and group-lookup requests to your Active Directory/OpenLDAP servers.

Port(s)                      From                            To                                         Reason
389, 636, 3268, 3269         Central Authority IP Addresses  Customer Authentication Server (LDAP/AD)   Authentication and Group Retrieval
(only one may be required)

    • 389 (LDAP) and 3268 (Global Catalog) carry directory traffic without TLS unless StartTLS is negotiated; 636 (LDAPS) and 3269 (Global Catalog over TLS) are encrypted. Since these requests arrive from the Cloud over the Internet, open only the port you actually use and prefer the TLS variant.
  • If users are authenticated by Kerberos

Port(s)              From                    To                               Reason
88 (TCP & UDP)       Customer Location(s)    Central Authority IP Addresses   Access to the Kerberos Key Distribution Center (KDC)
  • If your users are being authenticated by a Cloud-hosted list of users
    • No special firewall configuration is necessary for authentication

Traffic Forwarding Requirements

  • If you are accessing the Cloud Security service via GRE or IPSec tunnels
    • No special firewall configuration is necessary for traffic forwarding (the device that terminates the tunnel must of course be able to pass the tunnel protocol itself: GRE is IP protocol 47; IPSec uses UDP 500/4500 and ESP, IP protocol 50)
    • Zscaler requires a primary and a secondary tunnel to geographically separate data centers to meet SLA requirements
  • If you are using the Cloud Service via PAC files:
    • If you do not restrict web access (outbound ports 80/443)
      • No special firewall configuration is necessary for traffic forwarding
    • If you restrict web access to only the Cloud Enforcement Nodes and PAC servers
      • All client systems must be able to reach the PAC file servers and the Cloud Enforcement Nodes:

Port(s)      From                    To                              Reason
80           Customer Location(s)    PAC IP Addresses                PAC File Retrieval
80           Customer Location(s)    Cloud Enforcement Node Ranges   Web Browsing
      • Optionally you may also enable the following ports:
Port(s)                      From                       To                              Reason
443                          Customer Location(s)       Cloud Enforcement Node Ranges   Alternate Web Port
8080                         Customer Location(s)       Cloud Enforcement Node Ranges   Mobile (iOS) Proxy
8800                         Customer Location(s)       Cloud Enforcement Node Ranges   Kerberos-enabled Web Browsing
9400                         Customer Location(s)       Cloud Enforcement Node Ranges   Web Browsing, Alternative Port
9443                         Customer Location(s)       Cloud Enforcement Node Ranges   Traffic over this port enforces SSL decryption
9480                         Known Location (IP) Only   Cloud Enforcement Node Ranges   Traffic over this port bypasses authentication; for known locations only
Organization Dedicated Port  Customer Location(s)       Cloud Enforcement Node Ranges   Web Browsing

      • Open 9480 only from locations whose egress IP addresses are registered as known locations; traffic on that port is not authenticated per user, so a rule that allows it from an unregistered address grants proxy access with no user identity.
  • If you are using the Cloud Security service for SMTP
    • If you do not restrict inbound or outbound SMTP access
      • No special firewall configuration is necessary for traffic forwarding
    • If you restrict inbound or outbound SMTP access
      • Your e-mail servers must be able to communicate with the Cloud Enforcement Nodes:

Port(s)          From                            To                               Reason
25               Cloud Enforcement Node Ranges   Customer Inbound SMTP Gateway    Inbound e-mail delivery from the Cloud (inbound SMTP customers only)
25, 465, 587     Customer Location(s)            Cloud Enforcement Node Ranges    Outbound e-mail relay via the Cloud (outbound SMTP customers only)

For customers with Zscaler private infrastructure deployed, these are the Zscaler Hub IP addresses:

Required IP Addresses
165.225.44.0/24
165.225.75.0/24
104.129.202.0/24
165.225.108.0/24
8.25.203.0/24
27.251.211.238/32
216.52.207.64/26
213.152.228.0/24
64.74.126.64/26
70.39.159.0/24
72.52.96.0/26
89.167.131.0/24
104.129.192.0/23
104.129.194.0/23
104.129.196.0/23
185.46.212.0/22
199.168.148.0/24
165.225.72.0/22
199.168.149.0/24
199.168.150.0/24
199.168.151.0/24
209.51.184.0/26
216.218.133.192/26

Recommended IP Addresses
104.129.192.0/20
165.225.0.0/17
165.225.192.0/18
199.168.148.0/22

Note that the recommended aggregates are supernets of only some of the required prefixes (for example 8.25.203.0/24 and 185.46.212.0/22 fall outside all four), so a firewall that permits only the recommended list will block required traffic. Permit both lists.
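The two checks a practitioner usually wants before committing the tables above to a firewall are (a) whether the recommended supernets actually contain every required prefix, and (b) a de-duplicated rule set for the Cloud Enforcement Node ports from the PAC-file tables. The following script is an added example, not part of the original page or of any Zscaler tooling. It embeds the hub prefixes exactly as listed above; the port map is taken from the PAC-file tables (the "Organization Dedicated Port" is omitted because its number is not given on the page). The iptables output is illustrative syntax for a Linux host; the real Cloud Enforcement Node ranges are not listed on this page, so the hub prefixes stand in as sample destinations in the demo.

```python
"""Sanity-check the hub prefix lists and emit per-port allow rules.

Added example. Prefixes and port reasons are copied from the page; the
iptables syntax and the choice of destinations are this example's own.
"""
import ipaddress
from typing import Dict, List

# "Required IP Addresses" as listed on the page.
REQUIRED = [
    "165.225.44.0/24", "165.225.75.0/24", "104.129.202.0/24", "165.225.108.0/24",
    "8.25.203.0/24", "27.251.211.238/32", "216.52.207.64/26", "213.152.228.0/24",
    "64.74.126.64/26", "70.39.159.0/24", "72.52.96.0/26", "89.167.131.0/24",
    "104.129.192.0/23", "104.129.194.0/23", "104.129.196.0/23", "185.46.212.0/22",
    "199.168.148.0/24", "165.225.72.0/22", "199.168.149.0/24", "199.168.150.0/24",
    "199.168.151.0/24", "209.51.184.0/26", "216.218.133.192/26",
]

# "Recommended IP Addresses" as listed on the page.
RECOMMENDED = ["104.129.192.0/20", "165.225.0.0/17", "165.225.192.0/18", "199.168.148.0/22"]

# Cloud Enforcement Node ports from the PAC-file tables, with the page's reason.
CEN_PORTS: Dict[int, str] = {
    80: "Web Browsing",
    443: "Alternate Web Port",
    8080: "Mobile (iOS) Proxy",
    8800: "Kerberos-enabled Web Browsing",
    9400: "Web Browsing, Alternative Port",
    9443: "Enforces SSL decryption",
    9480: "Bypasses authentication; known locations only",
}


def uncovered_required(required: List[str], recommended: List[str]) -> List[str]:
    """Required prefixes that no recommended supernet contains.

    A firewall that allows only the recommended aggregates would block these.
    """
    supernets = [ipaddress.ip_network(p) for p in recommended]
    return [
        p for p in required
        if not any(ipaddress.ip_network(p).subnet_of(s) for s in supernets)
    ]


def collapsed(prefixes: List[str]) -> List[str]:
    """Minimal equivalent prefix list, sorted by address.

    Adjacent blocks are merged (the four 199.168.148-151.0/24 entries become
    199.168.148.0/22) and blocks already inside another listed block are
    dropped (165.225.75.0/24 is inside 165.225.72.0/22).
    """
    nets = [ipaddress.ip_network(p) for p in prefixes]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def iptables_rules(destinations: List[str], ports: Dict[int, str],
                   chain: str = "OUTPUT") -> List[str]:
    """One outbound TCP ACCEPT rule per (destination prefix, port).

    `destinations` is whatever you decide to permit; `chain` is assumed to
    be the chain your egress policy lives in. The comment match keeps the
    page's reason next to each rule so later audits can tie it back.
    """
    rules = []
    for dst in destinations:
        for port, reason in ports.items():
            rules.append(
                f'iptables -A {chain} -p tcp -d {dst} --dport {port} '
                f'-m comment --comment "{reason}" -j ACCEPT'
            )
    return rules


if __name__ == "__main__":
    missing = uncovered_required(REQUIRED, RECOMMENDED)
    print(f"{len(missing)} required prefixes lie outside the recommended supernets:")
    for p in missing:
        print("   ", p)
    dests = collapsed(REQUIRED)
    print(f"\n{len(REQUIRED)} required prefixes collapse to {len(dests)} rules' worth of destinations")
    rules = iptables_rules(dests, CEN_PORTS)
    print(f"{len(rules)} rules generated; first three:")
    print("\n".join(rules[:3]))
```

Run as-is, the coverage check reports eleven required prefixes that none of the four recommended supernets contain, which is the reason to permit both lists rather than the shorter one. The collapse step reduces the 23 required entries to 18 without changing what is reachable, which is worth doing before the list is multiplied by seven ports.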