Skip to main content

Check out Interactive Visual Stories to gain hands-on experience with the SSE product features. Click here.

Skyhigh Security

Automatic Proxy Configuration for Zscaler

Define governance policies in Skyhigh CASB using Service Groups and then sync all the URLs to Zscaler as Custom Categories to enforce these policies.

NOTE: Your Zscaler account must have admin permissions in order to set up URL categories to sync with Skyhigh CASB.

You can configure Skyhigh CASB Service Groups to sync to Zscaler manually or automatically:

  • Automatic. Use the following instructions to sync to Zscaler automatically.
  • Manual. If at any time you want to continue using the manual integration method, download the config file on the CLR screen. But be aware, this download action will approve any unapproved changes in the service groups.

Once you have integrated your Zscaler edge device using the Skyhigh CASB wizard, provide API credentials to connect to Zscaler. 

  1. On the Settings > Integrations > Firewall/Proxy page, click Provide API Credentials
  2. In the Provide API Credentials dialog, enter your Zscaler API credentials. (Ask your Zscaler admin if you don't have this information.)
    • Zscaler Instance
    • User Name
    • Password
    • API Key
    • Select I acknowledge that Skyhigh CASB will store these credentials...
  3. Click Authenticate
  4. When your API credentials are successfully authenticated, you will see a message that says your URLs have sycned to Zscaler, and the Status is Connected

After authentication, note that only Service Groups that do not require approvals are synced. Other Service Groups require you to Approve Changes in order for them to sync.

The Skyhigh CASB Service Group that is now synced creates a Custom Category in Zscaler with the same name and a prefix of "SHN" for easy identification. Now you can create and enforce App Control Policies on these Custom Categories in Zscaler. 

When a URL group is synced with a Custom Category, it leaves a message in Zscaler that states, "This category is created by integrating with a Skyhigh CASB Service Group."

If Skyhigh CASB is ever disconnected from Zscaler, Skyhigh CASB sends an email to administrators. 

Custom Category Best Practices

  • Zscaler has a limit of 48 Custom Categories. If you reach this limit, Skyhigh CASB will display an error, and send an email to notify the admin. 
  • We recommend that you DO NOT edit the URLs in Zscaler Custom Categories created using Skyhigh CASB Service Groups. Otherwise, your changes will be overwritten the next time Skyhigh CASB synchronizes to Zscaler. 
  • If you add URLs to your Zscaler Custom Category, Skyhigh CASB will not sync them back to the Service Group. And they will not be deleted if you delete your Service Group, which may cause inconsistencies. 

Delete Skyhigh Service Groups

  • If you delete a Service Group in Skyhigh CASB that IS NOT associated with a Zscaler policy, the Custom Category will be deleted in Zscaler the next time Skyhigh CASB syncs. 
  • If you delete a Service group in Skyhigh CASB that IS associated with a Zscaler policy, the URLs will be removed from the Custom Category in Zscaler the next time Skyhigh CASB syncs. Skyhigh CASB will also add a message that the URLs were removed. For best practices, you should remove this empty Custom Category. 
  • In Zscaler, rename your policy to URL filtering policy.


Reset API credentials for Zscaler

To reset API credentials for Zscaler:

  1. In Skyhigh CASB, go to Settings > Integrations > Firewall/Proxy Integration.
  2. Select Zscaler from the list of edge devices.
  3. Click Reset.
    NOTE: If the Status of your Zscaler instance is Connected, Sync was not successful, or Sync Suspended, you can reset your API credentials.
  4. In the Provide API Credentials dialog, enter the API credentials for your Zscaler instance.
    • Zscaler Instance.
    • User Name.
    • Password.
    • API Key.
  1. Select the acknowledgement checkbox and click Authenticate.

API credentials are now reset for your Zscaler instance.

After successfully authenticating your API credentials, the Status of your Zscaler instance displays Connected.


Zscaler has a limit of 25,000 URLs created across all Categories. If you see the following error, you have exceeded the URL limit. 


Skyhigh CASB will also send an email to notify the admin. 

To correct the problem, edit the integration to limit the number of URLs that are mapped. You can deselect Service Groups to remove them using the configuration wizard.  

  • Was this article helpful?