Configure Threat Protection

On the Configuration tab of the Manage and Download Clients page, you can enable the Threat Protection service and define the behavior of the service. Changes to these settings are applied to Zero Trust Client in approximately 10 minutes.

Threat Protection settings

After you enable the Threat Protection service, these settings are available:

  • Allow users to disable Threat Protection. Allows users to disable Threat Protection for a specific amount of time. In the client, users can select the duration of this action. If you enable this setting, these settings are also available:
    • Allow disable action without time limit. Allows users to disable Threat Protection without a time limit. In the client, users can select Forever in the duration menu.
    • Require code for disable action. Requires that users enter the activation code to disable the Threat Protection service. This code appears on the Activation tab of the Manage and Download Clients page. You or another administrator must securely provide this code to users. If you don’t enable this setting, no code is required for the disable action.
  • Allow uninstall on Windows with code. Requires that users enter the activation code to uninstall the client on a Windows device. This code appears on the Activation tab of the Manage and Download Clients page. You or another administrator must securely provide this code to users.
    If you don’t enable this setting, users can uninstall the client without entering a code.
  • Log traffic. When enabled, this setting logs traffic information, including IP addresses and URLs accessed by the user.
  • Transparent traffic interception. Allows the client to intercept and capture traffic without modifying browser or operating system settings. DNS traffic is directed to SIA resolvers, while web traffic is directed to SIA Proxy.

    📘

    When turned on, this setting enables transparent traffic interception on Windows only. To enable this feature on macOS devices, contact Akamai Support. On macOS, this feature is still in beta and supported on Zero Trust Client 6.0 only. If you would like to disable transparent traffic interception on macOS, you can still disable it with this toggle. For more information, see Transparent traffic interception.

  • Block QUIC. If Transparent traffic interception is enabled, you can enable this setting to block traffic that uses the QUIC protocol or HTTP/3. If QUIC traffic is not blocked, it bypasses the client and is directed to the origin. It is not scanned by the proxy.
  • Bypass Non-HTTP Traffic. Allows non-HTTP traffic to bypass the SIA proxy through any of the origin ports. This traffic is directed to the origin. You configure origin ports in the SIA policy.
  • Configure client as local computer web proxy. Determines whether ZTC is configured as the local web proxy on the user's machine. You can choose to overwrite an existing local computer web proxy, overwrite settings when there's no proxy configured on the machine, or never modify these settings.
    • If you choose Yes, ZTC is configured as the local web proxy. This setting is useful when your network does not have an on-premises proxy. This setting also removes any PAC file configuration that was set in the browser or operating system proxy settings. If you configure the client as a local proxy, you cannot restore PAC file or proxy settings by changing this setting to No or Only if there’s no local proxy.
    • If you choose Only if there's no local proxy, ZTC is configured as the local web proxy only when there's no local proxy already configured. You may want to select this option if you manage the on-premises proxy setting on some computers in your network.
    • If you choose No, ZTC is not configured as the local web proxy on the user's machine. You may want to select this option if you manage on-premises proxy settings on all computers in your network.

📘

When the Zero Trust Client is enabled for Threat Protection and this setting is enabled, it functions the same as the ETP Client when it’s enabled and configured for the full web proxy. To learn more about the proxy and the client when it’s set up for web traffic, see the SIA documentation.

  • Proxy Port. If the client is configured as the local web proxy, the user's computer listens for traffic on this port. By default, the proxy listens for traffic on port 8080. Even if ZTC is not configured as the local web proxy, this configuration still applies and may conflict with other applications that try to use this port. Make sure you don’t configure the same port number that SIA proxy uses for outbound traffic (the proxy origin port). The proxy origin port is configured in the policy.
  • Install proxy certificate on device. Automatically installs the proxy certificate on a Windows device where the client is installed. The certificate is installed in the Windows certificate store.
  • Block Unprotected Traffic. Blocks traffic that occurred before the Threat Protection service was enabled or the client was in protection mode. This feature is enabled by default. To show this setting, contact your Akamai representative.

    📘

    You may need to disable this setting in case there is an interoperability issue with third-party VPNs and applications. If you are having trouble with the client’s interoperability with other applications, contact your Akamai representative.

  • Skip DoT Certificate Check. If there is no connection to the Online Certificate Status Protocol (OCSP) server, this setting lets clients skip the certificate revocation check for DNS over TLS (DoT). To show and enable this setting, contact your Akamai representative.
    In your firewall and allowlists, make sure you allow the domain for OCSP servers. For a list of domains you must allow for the Threat Protection service, see Prepare for Zero Trust Client setup.

Configure the Threat Protection service

Complete this procedure to configure the behavior of the Threat Protection service. To learn more about these settings, see Threat Protection settings.

To configure the Threat Protection service:

  1. In the Threat Protection menu of Enterprise Center, select Clients & Connectors > Manage and Download Clients.

  2. In the Configuration tab, make sure you’ve turned on the toggle for Enable Threat Protection.

  3. To allow users to disable the Threat Protection service, enable Allow users to disable Threat Protection. If you enabled this setting, you can complete these steps:

    1. To allow users to disable Threat Protection without a time limit, enable Allow disable action without time limit. This setting lets users select Forever as the duration of the disable action.
    2. To require that users enter a code to disable Threat Protection, enable Require code for disable action. From the Activation tab, you can copy the activation code and securely provide it to users for this operation.
  4. To require that users enter a code to uninstall the client on their device, enable Allow uninstall on Windows with code. From the Activation tab, you can copy the activation code and securely provide it to users for this operation. If you don’t enable this setting, users can uninstall the client without the activation code.

  5. To log traffic information, enable Log Traffic.

  6. To have Zero Trust Client intercept traffic, direct DNS traffic to SIA resolvers, and direct web traffic to SIA Proxy without modifying browser or operating system settings, enable Transparent traffic interception.

    📘

    This toggle enables transparent traffic interception on Windows only. To enable this feature on macOS devices, contact Akamai Support. On macOS, this feature is still in beta and supported on Zero Trust Client 6.0 only. For more information, see Transparent traffic interception.

  7. If you enable transparent traffic interception, you can block traffic that uses QUIC, a transport protocol that’s used by HTTP/3. To block QUIC traffic, enable Block QUIC. If this toggle is not enabled, the client bypasses QUIC traffic, and it is not directed to the proxy.

  8. To allow non-HTTP traffic to bypass the proxy, enable Bypass Non-HTTP Traffic. When this setting is enabled, like all traffic directed to SIA proxy, non-HTTP traffic goes through the origin ports configured in your SIA policy. However, SIA Proxy does not intercept, scan, or break non-HTTP traffic.

  9. To configure Zero Trust Client as the local proxy on the user's machine, for the Configure client as local computer web proxy setting, select Yes. Otherwise, you can select Only if there's no local proxy or No.

  10. To configure the port that's used by SIA to listen for traffic, enter the port number. By default, the Threat Protection service listens for traffic on port 8080.

  11. To automatically install the proxy certificate on a Windows device where the client is installed, enable the Install proxy certificate on device setting. The certificate is installed in the Windows certificate store.

  12. By default, the client blocks traffic that occurred before the Threat Protection service was enabled or the client was in protection mode. You may need to disable this behavior in case there is an interoperability issue with third-party VPNs or applications. To disable this behavior, contact your Akamai representative to show the Block Unprotected Traffic setting.

  13. To skip the DoT certificate check when there is no connection to the OCSP server, enable Skip DoT certificate check. To see and enable this setting, contact your Akamai representative.

    📘

    In your firewall and allowlists, make sure you allow the domain for OCSP servers. For a list of domains you must allow for the Threat Protection service, see Prepare for Zero Trust Client setup.

  14. Click Save. To save and deploy the settings, click Save and Deploy.

Next steps

If you haven’t deployed this update, complete these steps:

  1. Click Pending Changes.
  2. In the list of pending changes, expand the Client Configuration section.
  3. Select the changes that you want to deploy.
  4. Click Deploy. A window appears where you can describe the changes.
  5. Click Deploy.

Managed and Unmanaged devices

In the Activation tab, Enterprise Center provides the activation code that you use to activate the Threat Protection service on managed devices. Managed devices are devices that your organization monitors, manages, and secures with a device management solution.

Your organization can also generate activation codes for unmanaged devices, for example, a user's personal devices. If the device meets the requirements for the client, you can allow the user to install and activate Zero Trust Client with the Threat Protection service. For a list of requirements, see Client requirements.

Unmanaged devices

Zero Trust Client supports bring your own device (BYOD). You can let users install and activate Zero Trust Client on their personal device. After you provide the client to users and they install the client on their devices, users are prompted for an activation code. These methods are available for users to receive the code:

  • Email activation codes. From SIA, you can select to email activation codes to users.
  • Generate activation codes and distribute offline. Administrators can generate activation codes in SIA and distribute these codes offline to users.
  • Let users request an activation code. From ZTC, users can request an activation code. The client allows users to enter an email address to receive the code. If the provided email domain was preconfigured in SIA as an authorized domain, SIA sends an email with the activation code.

Set up Bring Your Own Device (BYOD)

To set up bring your own device (BYOD):

  1. Specify corporate email domains. These email domains belong to users who are authorized to request an activation code after installing the client on their device. For instructions, see Specify corporate email domains.

    🚧

    Do not specify domains that are associated with unauthorized users. For example, do not specify a domain for a public service like gmail.com that has addresses of users who are not part of your organization.

  2. Specify usernames or email addresses of users. If you plan to manually distribute activation codes to users or send users an email invitation that includes the code, you can specify a random username or the email address of users. For more information, see Email activation codes to users or Generate activation codes in a CSV file.
    The username or email address that is provided allows SIA to easily identify users in reports. This information is shown in the Device Owner field that’s available in event and activity reports.
  3. Distribute SIA Proxy certificates to client devices. The MITM certificate for SIA Proxy is required for TLS inspection of web traffic. To use the client with the SIA proxy, you need to securely distribute and install the certificate on the user’s device. For instructions, see the SIA documentation.

Specify corporate email domains

To support activation requests from users who install the client on their device, you need to specify corporate email domains in Enterprise Center. You can provide these email domains in the Manage and Download Clients page or on the Local Bypass Settings page. SIA uses this information to verify that users belong to these domains.

🚧

Do not specify domains that are associated with unauthorized users. For example, do not specify a domain for a public service like gmail.com that has addresses of users who are not part of your organization.

To specify corporate email domains:

  1. In the Threat Protection menu of Enterprise Center, select Clients & Connectors > Manage and Download Clients. Click the Activation tab.

    📘

    You can also access these settings on the Local Bypass Settings page. In the Enterprise Center navigation menu, select Clients & Connectors > Local Bypass Settings. Expand the Email Domains section.

  2. In the Corporate Domains field, enter one or more corporate email domains. End users need to belong to one of the specified domains to receive the email invitation with the activation code.
  3. Click Save. To save and deploy this configuration, click Save and Deploy.

Next steps

Email activation codes to users

Before you begin

If you would like users to have the option of requesting activation codes from the client, make sure you define the corporate domains. For more information, see Specify corporate email domains.

From SIA, you can send users an email that contains the activation code. An activation code is valid for seven days.

To email activation codes to users:

  1. In the Threat Protection menu of Enterprise Center, select Clients & Connectors > Manage and Download Clients.
  2. Click the Activation tab.
  3. For the Code Distribution Method, select Send email invitation.
  4. In the User List area, enter a comma-separated list of user email addresses where you want to send activation codes. To add users in bulk, you can download the CSV template file, enter email addresses, save the file, and then upload it to SIA. For instructions, see Email activation codes to users in bulk.
  5. Click Generate and Send. The emails are sent to the users you specified in the User List field.

Email activation codes to users in bulk

Before you begin

If you would like users to have the option of requesting activation codes from the client, make sure you define the corporate domains. For more information, see Specify corporate email domains.

Complete this procedure to download the CSV template file for one-time activation codes and upload it with the email addresses or IDs of users who you want to receive the email invitation. The email contains the activation code.

To email activation codes to users in bulk:

  1. In the Threat Protection menu of Enterprise Center, select Clients & Connectors > Manage and Download Clients.
  2. Click the Activation tab.
  3. Download the template file and complete the spreadsheet:
    1. Click this template file to download the CSV template file.
    2. Open the file.
    3. In the User column, enter an email address in each row.
    4. Save the CSV file.
  4. For the Code Distribution Method, select Send email invitation.
  5. Click Upload CSV to find and select the file you saved. The users you specified are sent an activation code email.

Generate activation codes in a CSV file

Before you begin

If you would like users to have the option of requesting activation codes from the client, make sure you define the corporate domains. For more information, see Specify corporate email domains.

Complete this procedure to generate activation codes for users in a CSV file. After you generate activation codes, you can distribute them offline to users.

The usernames or email addresses that you specify in the User List or in an uploaded CSV are used to identify the Device Owner in SIA reports.

To generate activation codes in a CSV file:

  1. In the Threat Protection menu of Enterprise Center, select Clients & Connectors > Manage and Download Clients.
  2. Click the Activation tab.
  3. For the Code Distribution Method, select Download CSV.
  4. In the User List field, enter a comma-separated list of email addresses or random usernames. No spaces are allowed in the names.
    To add users in bulk, see Generate activation codes for users in bulk.
  5. Click Generate and Download. A CSV with the users you added to the User List and the activation codes appears.

Next steps:

Securely communicate activation codes to users.

Generate activation codes for users in bulk

Before you begin

If you would like users to have the option of requesting activation codes from the client, make sure you define the corporate domains. For more information, see Specify corporate email domains.

Complete this procedure to generate activation codes by submitting a CSV file that contains a list of user IDs and email addresses. This process involves downloading the one-time activation codes CSV template and uploading it to SIA.

To generate activation codes for users in bulk:

  1. In the Threat Protection menu of Enterprise Center, select Clients & Connectors > Manage and Download Clients.
  2. Click the Activation tab.
  3. Download the CSV template file and complete the spreadsheet:
    1. Click this template file to download the CSV template file.
    2. Open the file.
    3. In the User column, enter an email address or a random username for each user.
    4. Save the CSV file.
  4. For the Code Distribution Method, select Download CSV.
  5. Click Upload CSV. A CSV file with the users and their activation codes appears.
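
A pre-upload check for the user CSV and the Corporate Domains list described in the bulk procedures and in Specify corporate email domains, added here as an example; it is not part of the Akamai documentation or tooling. It assumes the template is a plain CSV with a `User` header, applies the no-spaces rule stated for the User List field to CSV rows as well, and uses a constructed list of public mail services; the function names are hypothetical.

```python
import csv
import io

# Constructed sample of public mail services; extend it for your environment.
PUBLIC_MAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com"}


def risky_corporate_domains(corporate_domains):
    """Return Corporate Domains entries that are public mail services."""
    normalized = {d.strip().lower() for d in corporate_domains}
    return sorted(normalized & PUBLIC_MAIL_DOMAINS)


def validate_user_csv(csv_text, corporate_domains, email_invite=True):
    """Return (line_number, value, problem) for rows that should not be uploaded.

    email_invite=True models "Send email invitation": every row must be an
    address in a corporate domain. False models "Download CSV", where
    usernames are accepted too (assumption: the same CSV layout is used).
    """
    allowed = {d.strip().lower() for d in corporate_domains}
    reader = csv.DictReader(io.StringIO(csv_text))
    if "User" not in (reader.fieldnames or []):
        return [(1, "", "missing 'User' column header")]
    problems = []
    for row in reader:
        line_no = reader.line_num  # line in the file, header is line 1
        value = row.get("User") or ""
        if not value.strip():
            problems.append((line_no, value, "empty User value"))
        elif any(ch.isspace() for ch in value):
            problems.append((line_no, value, "contains whitespace"))
        elif "@" in value:
            local, _, domain = value.rpartition("@")
            if not local or "@" in local or "." not in domain:
                problems.append((line_no, value, "malformed email address"))
            elif email_invite and domain.lower() not in allowed:
                problems.append((line_no, value, "domain not in Corporate Domains"))
        elif email_invite:
            problems.append((line_no, value, "email address required for invitation"))
    return problems


# Constructed sample input, not taken from a real template file.
SAMPLE_CSV = """User
alice@example.com
bob smith
carol@gmail.com
kiosk-07
@example.com
"""

if __name__ == "__main__":
    print(risky_corporate_domains(["example.com", "Gmail.com"]))
    for problem in validate_user_csv(SAMPLE_CSV, ["example.com"]):
        print(problem)
```
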

Next steps

Securely communicate activation codes to users.