Access Internal Servers via Zscaler Private Access (ZPA)

Please refer to the steps below on how to access internal servers via Zscaler Private Access (ZPA)

  1. Obtain Zscaler Private Access (ZPA) Portal access from Zscaler
  2. Ensure that you can log in to the ZPA Portal successfully with the credentials and URL provided
    (Screenshot: ZPA-POC-01)
  3. We are evaluating ZPA in the production environment, where Zscaler Internet Access (ZIA) with Okta authentication has been deployed and running for the last 6 months

Sign up for Okta Cloud Connect: connect one application to Okta for free forever, to integrate with your existing Active Directory for single sign-on (SSO).

Okta Cloud Connect can support both ZIA and ZPA

(Screenshot: ZPA-POC-02)

  1. ZPA uses certificates to authenticate the Connector and the user’s device before each connection; we are using the default Zscaler certificate generated in this lab
    (Screenshot: ZPA-POC-03)

Single Sign On (SSO) with Okta

ZPA supports single sign-on (SSO) via SAML so that your remote users can access enterprise applications without having to log in separately to ZPA

  1. Log in to the Okta Portal –> Applications –> Add Application
    (Screenshot: ZPA-POC-04)

  2. Select Add Zscaler Private Access
    (Screenshot: ZPA-POC-02)

  3. Select the configuration for users and click Done
    (Screenshot: ZPA-POC-05)

  4. Assign synced AD users to log in to ZPA
    (Screenshot: ZPA-POC-06)

  5. Go to Sign On and click Identity Provider Metadata to save the XML file; it will be imported into the ZPA Portal later
    (Screenshot: ZPA-POC-07)

  6. Go to ZPA Portal –> Administration –> IdP Configuration –> Add IdP Configuration
    (Screenshot: ZPA-POC-08)

  7. Accept the default settings and select your Domains
    (Screenshot: ZPA-POC-09)

  8. Once the IdP configuration has been imported successfully, click Import SAML Attributes
    (Screenshot: ZPA-POC-10)

  9. SAML attributes imported
    (Screenshot: ZPA-POC-11)

Log in to https://samlsp.private.zscaler.com/auth/login?domain= with the username assigned to the ZPA app to verify that SAML authentication is configured successfully.

(Screenshot: ZPA-POC-12)
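A pre-import check for the Identity Provider Metadata XML saved from Okta in step 5 and imported into the ZPA IdP configuration in step 6, added here as an example (not Zscaler's or Okta's code): it parses the metadata with the standard library, refuses metadata that carries no signing certificate or no HTTPS SSO endpoint, and records the signing certificate's SHA-256 fingerprint. The sample metadata, its entityID, URLs and certificate blob are constructed placeholders.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def summarize_idp_metadata(xml_text: str) -> dict:
    """Pull out what the ZPA IdP configuration needs; raise if an essential is missing."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    # ZPA validates Okta's assertion signatures against this certificate,
    # so metadata that carries no signing key must not be imported.
    certs = idp.findall("md:KeyDescriptor[@use='signing']//ds:X509Certificate", NS)
    if not certs:
        raise ValueError("no signing certificate in metadata")
    der = base64.b64decode("".join(certs[0].text.split()))
    sso = {e.get("Binding"): e.get("Location") for e in idp.findall("md:SingleSignOnService", NS)}
    if not sso.keys() & {REDIRECT, POST}:
        raise ValueError("no HTTP-Redirect or HTTP-POST SingleSignOnService endpoint")
    if any(not url.startswith("https://") for url in sso.values()):
        raise ValueError("SSO endpoint is not HTTPS")
    return {
        "entity_id": root.get("entityID"),
        "sso_redirect": sso.get(REDIRECT),
        "sso_post": sso.get(POST),
        "name_id_format": idp.findtext("md:NameIDFormat", default="", namespaces=NS),
        # Record the fingerprint with the change so a later cert rotation is noticed.
        "signing_cert_sha256": hashlib.sha256(der).hexdigest(),
    }


# Constructed sample in the shape of Okta's exported IdP metadata: entityID, URLs
# and the certificate are placeholders (the "certificate" is not a real X.509 DER).
FAKE_CERT_B64 = base64.b64encode(b"constructed placeholder, not a real DER certificate").decode()
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" entityID="http://www.okta.com/exkEXAMPLEID">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="{NS['ds']}">
      <ds:X509Data><ds:X509Certificate>{FAKE_CERT_B64}</ds:X509Certificate></ds:X509Data>
    </ds:KeyInfo></md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="{POST}" Location="https://example.okta.com/app/zscaler/exkEXAMPLEID/sso/saml"/>
    <md:SingleSignOnService Binding="{REDIRECT}" Location="https://example.okta.com/app/zscaler/exkEXAMPLEID/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

print(summarize_idp_metadata(SAMPLE_METADATA))
```

Run it against the real file with `summarize_idp_metadata(open("metadata.xml").read())` and compare the entityID and SSO URL with what the ZPA Portal shows after the import.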

Deploy Zscaler Private Access (ZPA) Connector

  1. Deploy the Zscaler Private Access (ZPA) Connector in VMware by following my previous post
  2. An outbound TLS tunnel over port 443 (HTTPS) is established to the ZPA cloud infrastructure once the Connector is up and running – outbound port 443 is the only port required, and NO inbound ports or incoming NAT configuration are needed

Refer to the link below for detailed information on the ZPA Connector:
ZPA Connector Deployment Prerequisites

Application Discovery

Define the internal applications that are accessible by clients, and refer to the link below for detailed technical information:
https://help.zscaler.com/zpa/about-applications

  1. Log in to the ZPA Portal –> Administration –> Application Segment –> Add Application Segment
    (Screenshot: ZPA-POC-13)

Applications – enter the IP ranges or host IP addresses of the application servers.

You will need to enter the FQDN if you would like clients to be able to access those servers using the FQDN instead of the IP address.

TCP / UDP Port Ranges – if you do not know the ports used by the application server, just enter 1 – 65535 to let ZPA discover them automatically for you.

  1. Create a new Segment Group – you can group Application Segments into a Segment Group for ease of assignment
    (Screenshot: ZPA-POC-14)

  2. Create a new Server Group that includes the ZPA Connector
    (Screenshot: ZPA-POC-15)

  3. Review the settings and click Save
    (Screenshot: ZPA-POC-16)

  4. Create a new Access Policy to allow access to all the application servers
    (Screenshot: ZPA-POC-17)

You can filter which users can access the application by using a SAML attribute, like Email Address.

Accessing ZPA with zApp on a Windows 10 Machine

  1. Click Zscaler App Portal in the ZPA Portal
    (Screenshot: ZPA-POC-18)

  2. Click Administration –> Zscaler Service Entitlement to enable ZPA
    (Screenshot: ZPA-POC-19)

  3. Download the zApp client and install it on the Windows 10 machine
    (Screenshot: ZPA-POC-20)

  4. Install the zApp client by accepting all default values and log in with a valid username in FQDN format
    (Screenshot: ZPA-POC-21)

  5. You will be redirected to Okta
    (Screenshot: ZPA-POC-22)

  6. Connected to ZPA & Zscaler Internet Access / Security successfully
    (Screenshot: ZPA-POC-23)

  7. Verify that both ZPA & ZIA are enabled & connected in Notifications
    (Screenshot: ZPA-POC-24)

  8. Access vCenter using its internal IP address without connecting to the existing Fortigate SSL VPN client
    (Screenshot: ZPA-POC-25)

  9. Verify that the ZIA policy is applied by accessing http://ip.zscaler.com/
    (Screenshot: ZPA-POC-26)

We are now connecting to the Internet via the Zscaler web proxy and accessing internal applications via ZPA at the same time, and we will evaluate further whether ZPA can replace our existing Fortigate SSL VPN client for VPN access.
