IMPORTANT INFORMATION: Making these changes will cause ALL users' public GenAI traffic to be redirected to SurePath AI. Users will be required to authenticate with SSO before getting access to GenAI sites under SurePath AI governance. Please talk to your SurePath AI technical representative if you have any questions.
Overview
Using this method of interception will force all GenAI traffic (as defined by the Custom URL Category) through the Zscaler proxy system. From there, Zscaler sends the traffic to the SurePath AI Proxy, which forwards it on to the final destination. All of the GenAI traffic is visible in the Zscaler tools, and both Zscaler and SurePath AI logs can be used for troubleshooting or analysis.
Prerequisites
Admin access to admin.surepath.ai for file downloads
Administrative access to your Zscaler environment
Zscaler Tunnel 2.0 in use on your clients.
See the screen below to verify this in your desktop client.
IMPORTANT: Do not skip the tunnel version validation prerequisite. The configuration outlined in this document will not function properly if tunnel version 1.0 is used. Please see this Zscaler document for more information.
SurePath AI uses Zscaler Forwarding Control policies: https://help.zscaler.com/zia/about-forwarding-policies
Download files and gather information from SurePath AI
Gather the Proxy Address
SurePath AI provides a proxy address to forward traffic to. This address is used in your Zscaler configuration and is referred to later in this document as the SurePath AI Proxy URL.
Access the Organization Settings -> Integration in the Admin UI at: https://admin.stage.surepath.ai/config/org-settings?tab=1
Copy the SurePath AI Proxy URL (you likely will not need the port number ":8080"; the port is entered separately in the Zscaler proxy settings).
SurePath GenAI site list
SurePath AI creates and curates a list of GenAI sites on the public Internet. The vendor names and the associated risk levels of their use can be viewed and evaluated from the catalog download described in the steps below.
Access the SurePath AI Public Services at: https://admin.surepath.ai/config/public-services
Click the DOWNLOAD CATALOG button
Select Zscaler Config from the Download Format dropdown
Click the DOWNLOAD button and save the file
SurePath AI Security Certificate
To ensure that end users do not get security warnings when using public GenAI services, the SurePath AI certificate must be provided to and trusted on each end device. Netskope will do this automatically when it is included in the Proxy setup.
Access the SurePath AI Integration at: https://admin.surepath.ai/config/org-settings?tab=1
Select the Certificate Format that you need
Click the DOWNLOAD CERTIFICATE button
Login to the Zscaler Admin Console
Create a URL Category
Note: Please do not add additional URLs to the text file beyond what you download from SurePath AI. Contact your SurePath AI technical representative for guidance on adding additional sites.
Click Administration -> URL Categories -> Add URL Category
Enter a descriptive name. We will use the following in these examples: SurePathAI
Click in the Custom URLs text field.
Open the Zscaler Config file that you previously downloaded and select all hosts/lines in the file.
The file name should be similar to the following: surepath-ai-public-services-zscaler-year-month-day.txt
Paste the hosts/lines into the text field (they must be on separate lines).
Click the Add Items button next to the text field.
Click Save at the bottom of the window.
The URL Category name of SurePathAI should now be visible in the list under User-Defined.
Note: The number of services and the number of lines in the file do NOT match; the file will contain more lines than there are services. This is because some GenAI sites require more than one host (line) in the file to capture all of their traffic.
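As an added check (not part of SurePath AI's or Zscaler's tooling), the following Python script validates the downloaded catalog before it is pasted into the Custom URLs field: it skips blank lines, reports duplicates, and flags anything that is not a bare hostname for review rather than silently altering the list. The sample catalog is constructed for illustration, and the hostname rule (RFC 1123 label syntax) is an assumption, since the page only says the file contains hosts, one per line.

```python
import re

# Constructed sample of the downloaded catalog (one host per line, as the
# page describes); the real file is surepath-ai-public-services-zscaler-<date>.txt.
SAMPLE_CATALOG = """\
chat.example-ai.com
api.example-ai.com

chat.example-ai.com
https://bad-entry.example.com/path
assistant.example-llm.net
not a host
"""

# RFC 1123 label: 1-63 alphanumerics or hyphens, no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_hostname(entry: str) -> bool:
    """True for a bare hostname: no scheme, path, port or whitespace."""
    if not entry or len(entry) > 253:
        return False
    labels = entry.split(".")
    return len(labels) >= 2 and all(_LABEL.match(label) for label in labels)


def check_catalog(text: str) -> dict[str, list[str]]:
    """Sort catalog lines into: ready to paste, duplicates, and lines to review."""
    # Entries are never rewritten: the page says not to alter the downloaded
    # list, so anything unexpected is only reported for follow-up.
    ready, duplicates, review, seen = [], [], [], set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue  # a blank line would paste as an empty item
        if line.lower() in seen:
            duplicates.append(line)
            continue
        seen.add(line.lower())
        (ready if is_hostname(line) else review).append(line)
    return {"ready": ready, "duplicates": duplicates, "review": review}


if __name__ == "__main__":
    # The "ready" count is expected to exceed the services count in the admin UI.
    for kind, entries in check_catalog(SAMPLE_CATALOG).items():
        print(f"{kind} ({len(entries)}):", *entries, sep="\n  ")
```

Run it against the real download by replacing SAMPLE_CATALOG with the file's contents; only the "ready" entries should be pasted, and anything under "review" should be raised with your SurePath AI technical representative rather than edited by hand.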
Add SurePath AI Security Certificates
Follow the steps in the SurePath AI Security Certificate section to download the certificate.
Click Administration -> Root Certificates -> Add Root Certificate
Enter a descriptive name. We will use the following in these examples: SurePathAI
Change the Type to Proxy Chaining and click Done.
Click Choose File, select the .pem file you received from SurePath AI, and accept it.
Click SAVE
The certificate name of SurePathAI should now be visible in the list of Root Certificates.
Create a Proxy
Click Administration -> Proxies & Gateways -> Proxies -> Add Proxy
Enter a descriptive name. We will use the following in these examples: SurePathAI
Set the IP Address / FQDN of the Proxy to the SurePath AI Proxy URL (from admin.surepath.ai)
Set the Port to: 8080
Set Proxy's Root Certificate to the Root Certificate that you created in the previous step. (SurePathAI)
Click Save, or first perform the optional configuration below if it is required for your deployment.
(Optional) X-Authenticated-User
Zscaler supports a header on the proxy connection that passes the end user's username to SurePath AI. This header is required for SurePath AI Discovery, and non-Discovery organizations can optionally use it to replace the authentication requirement when visiting public services governed by SurePath AI. Using the X-Authenticated-User header effectively makes SurePath AI fully transparent to the end user when using public GenAI services.
Enable Insert X-Authenticated-User (the toggle shows green / selected).
Save the settings
Create Proxy Gateway
Click Administration -> Proxies & Gateways -> Proxy Gateways -> Add Gateway for Proxies
Enter a descriptive name. We will use the following in these examples: SurePathAI
Talk to your Field CTO before changing the Fail Closed option from its default (On).
Set the Primary Proxy to the Proxy you created in the previous step. (SurePathAI)
A secondary proxy is not needed; multiple SurePath AI proxies respond behind the host name provided.
Click SAVE
The Proxy Gateway of SurePathAI should now be visible in the list.
Setup Forwarding to the Proxy
POC, POV, Limited Deployments: If you are doing a limited deployment in your organization, please contact your SurePath AI technical representative before proceeding. The changes below will redirect traffic for ALL users.
Click Policies -> Forwarding Control -> Add Forwarding Rule
Enter a descriptive name. We will use the following in these examples: SurePathAI
Adjust the Rule Order and Admin Rank to ensure that the rule you are creating is applied to your users in an appropriate order for your organization. This rule should come before all other AI-based rules.
Set the Forwarding Method to Proxy Chaining.
Set CRITERIA -> General to specific groups of users if needed, or leave the default of Any to capture all user traffic.
Set CRITERIA -> Destination -> URL Category to the URL Category you created in the first step: SurePathAI
Set ACTION -> Forward to Proxy Gateway to the Proxy Gateway you created in the previous step. (SurePathAI)
Click SAVE
The Forwarding Control Rule of SurePathAI should now be visible in the list.
Activate Changes
Click Activation -> Activate to apply the changes.