Connecting outbound through Enterprise Proxy (Zscaler)

What happened?
Hello, I am a Security Engineer, not a developer and not familiar with this app, so I am sorry if I am misunderstanding something here. We have users using Pomerium to authenticate and then connect to a PostgreSQL database that is hosted in AWS. I see that Pomerium acts as a proxy, so the user can connect to localhost:5532 and Pomerium will pick that up and connect them to the database on what appears to be an ephemeral port. The issue is that we use an enterprise cloud gateway (Zscaler), and we block outbound connections on just about any ports other than 443, 80, 53, etc. We have the ability to create rules to allow specific ports, protocols, source, destination, etc., but if it's always connecting out on a random port, I am not sure how I can allow it through.

Is there any way to set a static port for the connection to use, or is that dictated on the AWS side?

The next issue is that Zscaler is also a MITM SSL decryption service. Is there any way to install our certificate for outbound calls?

I'm not familiar with Zscaler, but I'll try to answer.

For TCP connections, you configure a route in the Pomerium proxy like:

routes:
  - from: tcp+https://postgres.mycorp.com:5432   # routes is a list, so each route starts with "-"
    to: tcp://postgres.internal:5432

It is important to note that the port in postgres.mycorp.com:5432 does not really represent the port that you have to open on your firewall; more about that below.

Then you use either Pomerium CLI or Desktop and specify the local address (on their laptop) that the users would connect to:

When Pomerium CLI (or Desktop) then forwards traffic from the user's laptop to Pomerium, it does so over HTTPS using port 443.

There should be no ephemeral ports in this scenario. Please see Pomerium TCP Clients | Pomerium for more.
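Putting the pieces of the answer above side by side, as an added example (this is not code from the thread or from the Pomerium project): the proxy-side TCP route, the client-side tunnel command, and a small shell check that the firewall owner can run on the laptop to confirm that the only thing leaving it is HTTPS to the proxy on 443. The hostnames, the 127.0.0.1:5532 listen address, the mycorp.com access policy and the ss sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not Pomerium's own code. Hostnames, the 5532 listen port,
# the access policy and the sample ss output are assumptions for illustration.
set -eu

# 1) Proxy side: a TCP route. The :5432 in "from" is part of the route's
#    public name; it is not the port the laptop connects to. Pomerium denies
#    by default, so a policy is needed (assumed here: anyone @mycorp.com).
write_route_config() {
  cat <<'EOF'
routes:
  - from: tcp+https://postgres.mycorp.com:5432
    to: tcp://postgres.internal:5432
    policy:
      - allow:
          or:
            - domain:
                is: mycorp.com
EOF
}

# 2) Laptop side (not run here; needs pomerium-cli and an interactive login).
#    Afterwards psql connects to 127.0.0.1:5532 and pomerium-cli carries the
#    bytes inside an HTTPS session to postgres.mycorp.com on port 443:
#
#      pomerium-cli tcp postgres.mycorp.com:5432 --listen 127.0.0.1:5532
#      psql -h 127.0.0.1 -p 5532 -U app

# 3) Verification: pipe the output of `ss -tnp state established` into
#    audit_outbound PORT... ; it prints every peer whose port is not in the
#    allow list, together with the owning process. A clean tunnel shows only
#    pomerium-cli -> proxy:443. A database client reaching AWS directly on a
#    random high port (the 6913/5817/6853 pattern from the question) is flagged.
audit_outbound() {
  awk -v allowed="$*" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 !~ /^[0-9]+$/ { next }            # skip the header line (Recv-Q ...)
    {
      peer = $4                          # Peer Address:Port column
      proc = ($5 != "" ? $5 : "-")       # Process column, if ss could read it
      port = peer; sub(/.*:/, "", port)  # text after the last colon; fine for [::1]:443
      if (!(port in ok)) print peer, proc
    }'
}

# Constructed sample in the layout of `ss -tnp state established` (not real output).
SAMPLE_SS='Recv-Q Send-Q Local Address:Port Peer Address:Port Process
0 0 10.0.0.5:51234 52.10.1.2:443 users:(("pomerium-cli",pid=4242,fd=7))
0 0 10.0.0.5:51240 52.10.1.2:443 users:(("pomerium-cli",pid=4242,fd=9))
0 0 10.0.0.5:51302 18.200.3.4:6913 users:(("psql",pid=5150,fd=3))
0 0 10.0.0.5:51310 10.0.0.9:53 users:(("systemd-resolve",pid=700,fd=12))'

write_route_config
echo "--- outbound peers not on ports 443/80/53 ---"
printf '%s\n' "$SAMPLE_SS" | audit_outbound 443 80 53
```

On a laptop where the tunnel is set up as described, the audit should print nothing for the allow list 443/80/53; any line it does print is a connection that bypassed Pomerium and that Zscaler will block, which is exactly the case to chase with the user's database client settings.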

Tangentially related, Pomerium solves this by doing continuous verification for you while being self-hosted, removing the MITM attack vector.

Your Pomerium instance is your own and data never leaves your infra. There are large companies that have removed Zscaler and secure their internal services with Pomerium alone for zero trust purposes.

OK, perhaps I was misunderstanding what all Pomerium does. So, the user who was explaining this to me made it seem like Pomerium authenticates and then builds a secure connection to the database, but is Pomerium just handling the authentication, with the application he is using to open the connection still being what calls out?

In the connection to the database we could see it was calling out on ports 6913, 5817, 6853, etc., but perhaps that is being controlled by his database client?

It sounds like we would need more insight into your setup and have a discussion with your team, if that's possible.

Is it possible to set up a meeting with those who are in charge of Zscaler and Pomerium?