Please refer to the steps below on how to access internal servers via Zscaler Private Access (ZPA)
- Obtain Zscaler Private Access (ZPA) Portal access from Zscaler
- Ensure that you can log in to the ZPA Portal successfully with the credentials and URL provided
- We are evaluating ZPA on the production environment, where Zscaler Internet Access (ZIA) with Okta authentication has been deployed and running for the last 6 months
Sign up for Okta Cloud Connect (connect one application to Okta, free forever) to integrate with the existing Active Directory for single sign-on (SSO)
Okta Cloud Connect supports both ZIA and ZPA
- ZPA uses certificates to authenticate the Connector and the user’s device before each connection; we are using the default Zscaler certificate generated in this lab
Single Sign On (SSO) with Okta
ZPA supports single sign-on (SSO) via SAML so that your remote users can access enterprise applications without having to log in separately to ZPA
- Log in to the Okta Portal –> Applications –> Add Application
- Select Add Zscaler Private Access
- Select the configuration for the user and click Done
- Assign the synced AD users who may log in to ZPA
- Go to Sign On and click Identity Provider Metadata to save the XML file; it is imported into the ZPA Portal later
- Go to the ZPA Portal –> Administration –> IdP Configuration –> Add IdP Configuration
- Accept the default settings and select your domains
- Once the IdP configuration is imported successfully, click Import SAML Attributes
- The SAML attributes are imported
- Log in to https://samlsp.private.zscaler.com/auth/login?domain=
Deploy Zscaler Private Access (ZPA) Connector
- Deploy the Zscaler Private Access (ZPA) Connector in VMware by following my previous post
- Once the Connector is up and running, it establishes an outbound TLS tunnel over port 443 (HTTPS) to the ZPA cloud infrastructure – outbound port 443 is the only port required, and no inbound ports or inbound NAT configuration are needed
Refer to the link below for detailed information on the ZPA Connector
ZPA Connector Deployment Prerequisites
Application Discovery
Define the internal applications that clients may access; refer to the link below for detailed technical information
https://help.zscaler.com/zpa/about-applications
- Log in to the ZPA Portal –> Administration –> Application Segment –> Add Application Segment
Applications – enter the IP ranges or host IP addresses of the application servers
Enter the FQDN as well if clients should reach those servers by FQDN instead of IP address
TCP / UDP Port Ranges – if you do not know the ports used by the application servers, enter 1 – 65535 to let ZPA discover them automatically
- Create a new Segment Group – you can group application segments into a Segment Group for ease of assignment
- Create a new Server Group that includes the ZPA Connector
- Review the settings and click Save
- Create a new Access Policy to allow access to all the application servers
You can filter which users can access an application by using a SAML attribute, such as email address
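The 1 – 65535 range above is convenient for discovery but leaves every port of the segment reachable once an access policy references it, so it is worth reviewing the segment definitions before they go live. The following script is an added example (not from the post or from Zscaler) that validates the targets and port ranges of a set of application segments and flags the discovery-wide ranges and oversized IP ranges; the segment names, hosts and ports in the sample are constructed for the example.

```python
import ipaddress
import re
from typing import NamedTuple

# The "let ZPA discover the ports" setting from the post: fine for discovery, too broad to leave in production.
DISCOVERY_RANGE = (1, 65535)
FQDN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,}$", re.I)

class AppSegment(NamedTuple):
    name: str
    targets: list        # FQDNs, host IPs or CIDR ranges, as typed into the portal
    tcp_ports: list      # [(low, high), ...]
    udp_ports: list = ()

def parse_port_ranges(text):
    """Turn '443, 902-903' into [(443, 443), (902, 903)], rejecting bad values."""
    ranges = []
    for part in filter(None, (p.strip() for p in text.split(","))):
        low, _, high = part.partition("-")
        low, high = int(low), int(high or low)
        if not 1 <= low <= high <= 65535:
            raise ValueError(f"bad port range: {part}")
        ranges.append((low, high))
    return ranges

def classify_target(target):
    """Return 'ip' for a host IP or CIDR, 'fqdn' for a DNS name, else raise."""
    try:
        ipaddress.ip_network(target, strict=False)
        return "ip"
    except ValueError:
        if FQDN_RE.match(target):
            return "fqdn"
        raise ValueError(f"not an IP, CIDR or FQDN: {target}")

def review_segments(segments):
    """Return the findings to clear before a segment goes into an access policy."""
    findings = []
    for seg in segments:
        for proto, ranges in (("TCP", seg.tcp_ports), ("UDP", seg.udp_ports)):
            if DISCOVERY_RANGE in ranges:
                findings.append(f"{seg.name}: {proto} 1-65535 is discovery-only, narrow it")
        for t in seg.targets:  # classify_target raises on a malformed entry
            if classify_target(t) == "ip" and ipaddress.ip_network(t, strict=False).num_addresses > 256:
                findings.append(f"{seg.name}: {t} is wider than a /24, split it")
    return findings

# Constructed sample: one segment still in discovery mode, one narrowed down to what vCenter needs.
SAMPLE = [
    AppSegment("vcenter-discovery", ["10.0.0.0/16"], parse_port_ranges("1-65535")),
    AppSegment("vcenter", ["vcenter.lab.example", "10.0.10.5"], parse_port_ranges("443, 902-903")),
]
```

Running `review_segments(SAMPLE)` reports two findings, both against the discovery segment, and nothing against the narrowed one.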
Accessing ZPA with zApp in Windows 10 Machine
- Click Zscaler App Portal in the ZPA Portal
- Click Administration –> Zscaler Service Entitlement to enable ZPA
- Download the zApp client and install it on the Windows 10 machine
- Install the zApp client accepting all default values and log in with a valid username in FQDN format
- You will be redirected to Okta
- Connected to ZPA and Zscaler Internet Access / Security successfully
- Verify that both ZPA and ZIA are enabled and connected in Notifications
- Access vCenter by its internal IP address without connecting to the existing Fortigate SSL VPN client
- Verify that the ZIA policy is applied by accessing http://ip.zscaler.com/
We are now connecting to the Internet via the Zscaler web proxy and accessing internal applications via ZPA at the same time, and we will evaluate further whether ZPA can replace our existing Fortigate SSL VPN client for VPN access.