How to deploy Proton Pass behind Zscaler proxy solutions
If you’re using a Zscaler cloud proxy, you’ll need to take these steps in order to configure Proton Pass and its SSO capabilities:
- Exempt Proton Pass from Zscaler authentication.
- Exempt Proton Pass from SSL inspection.
- Create a custom URL category for Proton Pass.
- Allowlist the following Proton Pass domains:
  - pass.proton.me
  - pass-api.proton.me
  - account.proton.me
  - account-api.proton.me
You may also need to create Security Exceptions for these domains. You can find Security Exceptions in your Zscaler account by selecting Policy → Malware Protection → Security Exceptions.
Proton Pass needs access to those domains to sync data across different devices. These domains all follow the latest security protocols and are exclusively used by Proton Pass and other Proton products.
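To confirm that the SSL inspection exemption took effect, you can check who issued the certificate a client behind the proxy actually receives for each domain. The script below is an added example, not part of Proton's or Zscaler's documentation; its function names are hypothetical, and it assumes the inspection certificate's issuer name contains "Zscaler" (adjust `INSPECTION_MARKERS` if your tenant uses a custom intermediate CA).

```python
import socket
import ssl

# Domains listed on this page.
PROTON_PASS_DOMAINS = [
    "pass.proton.me",
    "pass-api.proton.me",
    "account.proton.me",
    "account-api.proton.me",
]

# Assumption: substrings that identify the proxy's inspection CA in the issuer name.
INSPECTION_MARKERS = ("zscaler",)

def issuer_fields(cert):
    """Flatten the nested issuer tuples from getpeercert() into a dict."""
    return {key: value for rdn in cert.get("issuer", ()) for key, value in rdn}

def is_inspected(cert, markers=INSPECTION_MARKERS):
    """True if any issuer field contains one of the inspection markers."""
    text = " ".join(issuer_fields(cert).values()).lower()
    return any(marker in text for marker in markers)

def fetch_cert(host, port=443, timeout=5.0):
    """Complete a verified TLS handshake and return the peer certificate."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def check(domains=PROTON_PASS_DOMAINS, fetch=fetch_cert):
    """Map each domain to 'exempt', 'inspected' or 'error', with detail."""
    results = {}
    for host in domains:
        try:
            cert = fetch(host)
        except OSError as exc:  # includes ssl.SSLError, e.g. an untrusted proxy CA
            results[host] = f"error: {exc}"
            continue
        state = "inspected" if is_inspected(cert) else "exempt"
        org = issuer_fields(cert).get("organizationName", "?")
        results[host] = f"{state} (issuer: {org})"
    return results

if __name__ == "__main__":
    for host, status in check().items():
        print(f"{host}: {status}")
```

Run it from a machine whose traffic passes through the proxy. A certificate verification error can also mean the connection is being intercepted by a CA that Python does not trust.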
Some enterprise firewalls can’t use domain names for allowlisting and instead require lists of IP addresses. While we don’t change these IP addresses regularly, it is not considered best practice to allowlist specific IPs. If the IPs you’ve allowlisted change, the end user experience behind that firewall would be equivalent to an outage.
The full list of current IP addresses owned by Proton and announced by our ASN 62371 can be found independently in online IRR databases (for example, RIPE).