configuring-zscaler-private-access-for-ztna
Configuring Zscaler Private Access (ZPA) to replace traditional VPN with zero trust network access by deploying App Connectors, defining application segments, configuring access policies based on user identity and device posture, and integrating with IdPs.
# Configuring Zscaler Private Access for ZTNA
## When to Use
- When replacing traditional VPN concentrators with application-level zero trust access
- When providing remote users secure access to internal applications without network-level connectivity
- When implementing least-privilege access where users only see authorized applications
- When needing to make internal applications invisible to unauthorized users and the internet
- When integrating ZTNA with existing SASE architecture using Zscaler Internet Access (ZIA)
**Do not use** for applications requiring raw UDP access (ZPA primarily supports TCP), for providing full network-level access equivalent to site-to-site VPN (use ZPA AppProtection or branch connector instead), or when the organization requires on-premises-only access control without cloud dependency.
## Prerequisites
- Zscaler Private Access subscription (Business or Transformation edition)
- Identity provider configured: Okta, Microsoft Entra ID, Ping Identity, or SAML 2.0 IdP
- App Connector VM requirements: Linux VM (CentOS 7/8, RHEL 7/8, Ubuntu 18.04+, Amazon Linux 2) with 2 vCPU, 4GB RAM minimum
- Outbound connectivity from App Connector to ZPA cloud on port 443 (no inbound ports required)
- DNS resolution from App Connector to internal application FQDNs
- Zscaler Client Connector deployed on user endpoints
## Workflow
### Step 1: Deploy App Connectors in Application Network
App Connectors establish outbound-only tunnels to the ZPA cloud, providing access to internal applications.
```bash
# Download and install App Connector on Linux VM
# Obtain provisioning key from ZPA Admin Portal > Administration > App Connectors
# For RHEL/CentOS
sudo yum install -y https://yum.private.zscaler.com/yum/el7/zpa-connector-latest.rpm
# For Ubuntu/Debian
curl -sS https://dist.private.zscaler.com/apt/pubkey.gpg | sudo apt-key add -
echo "deb https://dist.private.zscaler.com/apt stable main" | sudo tee /etc/apt/sources.list.d/zpa.list
sudo apt update && sudo apt install -y zpa-connector
# Configure the connector with provisioning key
sudo /opt/zscaler/bin/zpa-connector configure \
--provision-key "PROVISIONING_KEY_FROM_PORTAL"
# Start the connector service
sudo systemctl enable zpa-connector
sudo systemctl start zpa-connector
# Verify connector status
sudo systemctl status zpa-connector
sudo /opt/zscaler/bin/zpa-connector status
# Deploy second connector for HA (minimum 2 per site)
# Repeat on second VM with same App Connector Group provisioning key
```
### Step 2: Define Server Groups and Application Segments
Map internal applications to server groups and create application segments.
```text
ZPA Admin Portal Configuration:

1. Server Groups:
   Navigate to: Administration > App Connectors > Server Groups
   - Name: "DC-East-Servers"
   - App Connector Group: "DC-East-Connectors"
   - Servers:
     - hr-portal.internal.corp (10.1.1.50, TCP 443)
     - finance-app.internal.corp (10.1.1.51, TCP 443)
     - git.internal.corp (10.1.2.10, TCP 22, 443)

2. Application Segments:
   Navigate to: Resources > Application Segments > Add Application Segment
   - Name: "HR Applications"
     - Domain/URL: hr-portal.internal.corp
     - TCP Ports: 443
     - Server Group: DC-East-Servers
     - Health Reporting: Continuous
     - Bypass Type: Never (force all traffic through ZPA)
   - Name: "Engineering Tools"
     - Domain/URL: git.internal.corp, ci.internal.corp, wiki.internal.corp
     - TCP Ports: 22, 80, 443
     - Server Group: DC-East-Servers
     - Segment Group: "Engineering Segment Group"
```
### Step 3: Configure Access Policies
Define who can access which application segments based on identity and device posture.
```text
ZPA Admin Portal > Policies > Access Policy:

Rule 1: HR Team Access
  - Name: "HR Portal Access"
  - Action: ALLOW
  - Criteria:
    - User Groups: "HR-Department" (from IdP)
    - Application Segment: "HR Applications"
    - Device Posture Profile: "Corporate Managed Device"
    - Client Type: Zscaler Client Connector
  - Conditions:
    - SAML Attribute: department = "Human Resources"
    - Device Trust Level: "HIGH" (CrowdStrike ZTA score > 70)

Rule 2: Engineering Access
  - Name: "Engineering Tools Access"
  - Action: ALLOW
  - Criteria:
    - User Groups: "Engineering-Team", "DevOps-Team"
    - Application Segment: "Engineering Tools"
    - Device Posture Profile: "Developer Workstation"
  - Conditions:
    - Machine Group: "Engineering Laptops"

Rule 3: Contractor Limited Access
  - Name: "Contractor Wiki Access"
  - Action: ALLOW
  - Criteria:
    - User Groups: "External-Contractors"
    - Application Segment: "Wiki Only"
    - Client Type: Zscaler Client Connector OR Browser Access
  - Conditions:
    - Time Window: Mon-Fri 08:00-18:00 EST

Rule 4: Default Deny
  - Name: "Block All Other Access"
  - Action: DENY
  - Criteria: All Users, All Applications
  - Log: Enabled
```
### Step 4: Configure Device Posture Profiles
Integrate device posture signals from endpoint security tools.
```text
ZPA Admin Portal > Administration > Device Posture:

Profile 1: Corporate Managed Device
  - CrowdStrike Falcon: Running, ZTA Score >= 60
  - OS: Windows 10 21H2+, macOS 13+, Ubuntu 22.04+
  - Disk Encryption: Enabled (BitLocker/FileVault)
  - Firewall: Enabled
  - Screen Lock: Enabled

Profile 2: Developer Workstation
  - Inherits: Corporate Managed Device
  - CrowdStrike Falcon: ZTA Score >= 70
  - Patch Level: Within 30 days of latest
  - Certificate: Valid corporate certificate present

Profile 3: BYOD Device
  - OS: Latest minus 1 version
  - Browser: Chrome 120+ or Edge 120+
  - Antivirus: Any recognized AV running
```
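The following is an added example (not Zscaler's code or the portal's own logic) that models the Step 3 rules and Step 4 posture profiles as a first-match policy evaluator, so the interaction between profile inheritance, fail-closed posture checks and the default-deny rule can be tested offline. All keys, the `attrs` condition and the fixed UTC-5 "EST" offset are this example's assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed model of the Step 3 access rules and Step 4 posture profiles; key names
# are this example's own, not ZPA API fields. "EST" is a fixed UTC-5 offset (no DST).
EST = timezone(timedelta(hours=-5))

POSTURE = {
    "Corporate Managed Device": {"zta_min": 60, "disk_encrypted": True, "firewall": True},
    "Developer Workstation": {"inherits": "Corporate Managed Device", "zta_min": 70, "max_patch_age_days": 30},
}

def resolve_profile(name):
    """Flatten 'Inherits': a child profile carries, and may tighten, its parent's checks."""
    prof = dict(POSTURE[name])
    parent = prof.pop("inherits", None)
    return {**resolve_profile(parent), **prof} if parent else prof

def device_meets(profile, dev):
    """True only when every profile check holds; a missing posture signal fails closed."""
    req = resolve_profile(profile)
    return (dev.get("zta", 0) >= req["zta_min"]
            and (not req.get("disk_encrypted") or dev.get("disk_encrypted", False))
            and (not req.get("firewall") or dev.get("firewall", False))
            and dev.get("patch_age_days", 10**6) <= req.get("max_patch_age_days", 10**6))

RULES = [  # evaluated top-down, first match wins; the last rule is the default deny
    {"name": "HR Portal Access", "action": "ALLOW", "groups": {"HR-Department"},
     "app": "HR Applications", "posture": "Corporate Managed Device",
     "attrs": {"department": "Human Resources"}},
    {"name": "Engineering Tools Access", "action": "ALLOW",
     "groups": {"Engineering-Team", "DevOps-Team"}, "app": "Engineering Tools",
     "posture": "Developer Workstation"},
    {"name": "Contractor Wiki Access", "action": "ALLOW", "groups": {"External-Contractors"},
     "app": "Wiki Only", "hours": (8, 18)},
    {"name": "Block All Other Access", "action": "DENY"},
]

def evaluate(groups, attrs, app, dev, when_iso):
    """Return (action, rule name) for one access request; when_iso carries a UTC offset."""
    when = datetime.fromisoformat(when_iso).astimezone(EST)
    for r in RULES:
        if "app" in r and r["app"] != app: continue
        if "groups" in r and not r["groups"] & set(groups): continue
        if any(attrs.get(k) != v for k, v in r.get("attrs", {}).items()): continue
        if "posture" in r and not device_meets(r["posture"], dev): continue
        if "hours" in r and (when.weekday() > 4 or not r["hours"][0] <= when.hour < r["hours"][1]): continue
        return r["action"], r["name"]
    return "DENY", "implicit"
```

Note that a developer whose ZTA score satisfies the parent profile (60) but not the inherited override (70) is denied, as is a device that reports no patch age at all.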
### Step 5: Enable Browser Access for Clientless ZTNA
Configure Browser Access for users without Zscaler Client Connector installed.
```text
ZPA Admin Portal > Resources > Application Segments:

For "HR Applications" segment:
  - Enable Browser Access: Yes
  - Browser Access Type: HTTPS
  - Custom Domain: hr.access.company.com
  - Certificate: Upload TLS certificate for custom domain
  - Authentication: SAML via corporate IdP
  - Session Timeout: 4 hours
  - Clipboard Control: Disabled for sensitive apps
  - File Upload/Download: Restricted

For Browser Access Portal:
  - Portal URL: access.company.com
  - IdP: Microsoft Entra ID (SAML 2.0)
  - MFA: Required
  - Applications shown: Only authorized per user group
```
### Step 6: Configure Logging and Monitoring
Set up log streaming for SIEM integration and continuous monitoring.
```text
ZPA Admin Portal > Administration > Log Streaming Service:

Log Receiver Configuration:
  - Name: "Splunk-SIEM"
  - Type: Splunk (HEC)
  - Destination: https://splunk-hec.company.com:8088
  - HEC Token: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
  - Log Types:
    - User Activity: Enabled
    - App Connector Status: Enabled
    - Audit Logs: Enabled
    - Browser Access: Enabled

# Splunk search for ZPA access anomalies
index=zscaler_zpa sourcetype=zpa:useractivity
| where action="denied"
| stats count by user, application, policy_name
| where count > 10
| sort -count
```
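An added example (not Zscaler's or Splunk's code) that applies the same detection logic as the search above to a constructed batch of user-activity events, and extends it with a second check the count threshold alone misses: one user denied across several different segments. The JSON field names (`user`, `application`, `policy_name`, `action`) are assumed to match the search, not the real LSS schema.

```python
import json
from collections import Counter

# Constructed sample of ZPA user-activity events as they might arrive from the
# Log Streaming Service; field names are this example's assumption, not the LSS schema.
SAMPLE_LOG = "\n".join(
    [json.dumps({"user": "alice@corp", "application": "HR Applications",
                 "policy_name": "Block All Other Access", "action": "denied"})] * 12
    + [json.dumps({"user": "bob@corp", "application": "Engineering Tools",
                   "policy_name": "Engineering Tools Access", "action": "allowed"})] * 5
    + [json.dumps({"user": "carol@corp", "application": app,
                   "policy_name": "Block All Other Access", "action": "denied"})
       for app in ("HR Applications", "Engineering Tools", "Wiki Only")]
    + ["{not valid json"]  # a corrupted line the parser must tolerate
)

def parse_events(text):
    """Yield one dict per JSON line, skipping blank or malformed lines instead of aborting."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue

def denied_counts(events):
    """Same aggregation as the page's Splunk search: denials by (user, application, policy)."""
    return Counter((e["user"], e["application"], e["policy_name"])
                   for e in events if e.get("action") == "denied")

def repeated_denials(text, threshold=10):
    """Tuples with more than `threshold` denials, highest count first (the `count > 10` filter)."""
    counts = denied_counts(parse_events(text))
    return sorted(((k, n) for k, n in counts.items() if n > threshold), key=lambda kv: -kv[1])

def spread_denials(text, min_apps=3):
    """Users denied on at least `min_apps` distinct segments: low volume, but a breadth signal."""
    apps = {}
    for e in parse_events(text):
        if e.get("action") == "denied":
            apps.setdefault(e["user"], set()).add(e["application"])
    return sorted(u for u, s in apps.items() if len(s) >= min_apps)
```

In the sample, the volume rule flags only alice, while carol's three single denials surface through the breadth rule; both would be missed by a policy that only logs allows.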
## Key Concepts
| Term | Definition |
|------|------------|
| App Connector | Lightweight Linux service that creates outbound-only encrypted tunnels from internal networks to ZPA cloud, providing access to applications without inbound ports |
| Application Segment | Logical grouping of internal applications defined by FQDN/IP and ports, mapped to server groups for access policy enforcement |
| Server Group | Collection of application servers associated with App Connector groups that can serve requests for application segments |
| Access Policy | Rules defining which users/groups can access which application segments under what conditions (device posture, time, location) |
| Zscaler Client Connector | Endpoint agent installed on user devices that routes traffic to ZPA cloud for policy enforcement and application access |
| Browser Access | Clientless ZTNA option allowing application access through a we