Zscaler

Proxy Chaining Overview

Proxy chaining is the process of configuring one proxy server to forward traffic to another proxy server, creating a chain of proxies between the client and the destination server. This is often used for:

• Layered security: Each proxy can apply its own security policies.
• Logging and monitoring: Multiple proxies can log traffic for compliance or troubleshooting.
• Network segmentation: Traffic can be routed through different networks or security zones.
• Policy enforcement: Different proxies can enforce different access or filtering rules.

In a typical proxy chain, a client sends requests to Proxy A, which then forwards them to Proxy B (the upstream proxy), and so on, until the request reaches the internet. Zscaler customers who want to use third-party services, like Nullafi Shield, for additional layers of security can employ the Third-Party Proxy Chaining feature to successfully integrate with these services.

Step-by-Step Guide

Configuring Zscaler to Forward to an Upstream Squid Proxy

Assumptions:

• Your organization uses Zscaler Internet Access (ZIA).
• You have admin access to the Zscaler admin portal.
• You have the hostname/IP and port of your upstream Squid proxy.

Steps:

1. Configure Proxies for the Shield Proxy Service
2. Create a Gateway for the Proxies Configured
3. Configure the Forwarding Policies for Third-Party Proxy Chaining Using the Gateways Created

Notes:

• Proxy Chaining is a part of Zscaler’s Forwarding Control capabilities. It may be useful to review the overall forwarding section as well.
• Zscaler will need to trust the upstream proxy's SSL certificate. Zscaler provides administrators with the capability to upload root certificates of their choice to use for successful SSL inspection
• If you use PAC files, you may need to update them to ensure traffic is routed through Zscaler first.