Access Internal Servers via Zscaler Private Access (ZPA)

Please refer to the steps below on how to access internal servers via Zscaler Private Access (ZPA).

  1. Obtain Zscaler Private Access (ZPA) Portal access from Zscaler
  2. Ensure that you can log in to the ZPA Portal successfully with the credentials and URL provided
  3. We are evaluating ZPA in the production environment where Zscaler Internet Access (ZIA) with Okta authentication has been deployed and running for the last 6 months

Sign up for Okta Cloud Connect: connect one application to Okta for free forever to integrate with existing Active Directory for single sign-on (SSO)

Okta Cloud Connect can support both ZIA and ZPA


  1. ZPA uses certificates to authenticate the Connector and the user’s device before each connection; we are using the default Zscaler certificate generated in this lab

Single Sign On (SSO) with Okta

ZPA supports single sign-on (SSO) via SAML so that your remote users can access enterprise applications without having to log in separately to ZPA

  1. Login to Okta Portal –> Applications –> Add Application

  2. Select Add Zscaler Private Access

  3. Select Configuration for User and click Done

  4. Assign Synced AD Users to login to ZPA

  5. Go to Sign On and click on Identity Provider Metadata to save the XML file to be imported to ZPA Portal later

  6. Go to ZPA Portal –> Administration –> IdP Configuration –> Add IdP Configuration

  7. Accept the default settings and select your Domains

  8. The IdP Configuration is imported successfully; click Import SAML Attributes

  9. SAML Attributes imported

Log in with the username assigned to the ZPA app to verify that SAML authentication is configured successfully


Deploy Zscaler Private Access (ZPA) Connector

  1. Deploy Zscaler Private Access (ZPA) Connector in VMware by following my previous post
  2. An outbound TLS tunnel over port 443 (HTTPS) is established to the ZPA cloud infrastructure once the Connector is up and running – outbound port 443 is the only port required, and NO inbound ports / incoming NAT configuration is needed

Refer to the link below for detailed information on the ZPA Connector:
ZPA Connector Deployment Prerequisites

Application Discovery

Define the internal applications that are accessible by clients, and refer to the link below for detailed technical information

  1. Login to ZPA Portal –> Administration –> Application Segment –> Add Application Segment

Applications – Enter the IP ranges or host IP addresses of the application servers

You will need to enter the FQDN if you would like the client to be able to access those servers using the FQDN instead of the IP address

TCP / UDP Port Ranges – if you do not know the ports used by the application server, just enter 1 – 65535 to let ZPA discover them automatically for you

  1. Create a New Segment Group – You can group the Application Segment in Segment Group for ease of assignment

  2. Create a new Server Group that includes the ZPA Connector

  3. Review the settings and click Save

  4. Create a New Access Policy to allow access to all the Application Servers

You can filter users who can access the Application by using SAML Attribute, like Email Address
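To make the relationship between application segments, segment groups, server groups and access policies concrete, here is an added example (not code from this post or from Zscaler) that models them in Python and evaluates whether a given user may reach a given host and port. It is a simplified stand-in for ZPA's own evaluation, not its real logic: first matching policy wins and anything unmatched is denied. It also shows two points from the text above: a segment defined only by IP range does not match a client that uses the FQDN, and segments still on the 1 – 65535 discovery range are listed so they can be tightened once discovery has shown the real ports. All names, addresses and the email-suffix filter are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class PortRange:
    proto: str  # "tcp" or "udp"
    lo: int
    hi: int

    def covers(self, proto, port):
        return self.proto == proto and self.lo <= port <= self.hi


@dataclass
class AppSegment:
    name: str
    hosts: list          # CIDR strings or FQDNs, exactly as typed in the portal
    ports: list          # PortRange entries
    segment_group: str   # group used for policy assignment
    server_group: str    # server group that contains the connector

    def matches(self, target, proto, port):
        """True if this segment claims traffic to target:port (IP or FQDN)."""
        if not any(p.covers(proto, port) for p in self.ports):
            return False
        for entry in self.hosts:
            try:
                net = ipaddress.ip_network(entry, strict=False)
            except ValueError:
                # FQDN entry: matches only a client using that exact name
                if entry.lower() == target.lower():
                    return True
                continue
            try:
                if ipaddress.ip_address(target) in net:
                    return True
            except ValueError:
                pass  # client used a name; an IP-range entry cannot match it
        return False


@dataclass
class AccessPolicy:
    name: str
    action: str                         # "allow" or "deny"
    segment_groups: frozenset
    email_suffix: Optional[str] = None  # SAML Email attribute filter; None = any user


def evaluate(policies, segments, user_attrs, target, proto, port):
    """Return "allow", "deny" or "no-segment" (traffic never enters ZPA)."""
    hit = [s for s in segments if s.matches(target, proto, port)]
    if not hit:
        return "no-segment"
    email = user_attrs.get("Email", "")
    for pol in policies:  # ordered; first matching policy wins
        if not any(s.segment_group in pol.segment_groups for s in hit):
            continue
        if pol.email_suffix and not email.lower().endswith(pol.email_suffix.lower()):
            continue
        return pol.action
    return "deny"  # implicit deny when no policy matches


def discovery_segments(segments):
    """Names of segments still on the 1-65535 discovery range; tighten after discovery."""
    return [s.name for s in segments
            if any(p.lo == 1 and p.hi == 65535 for p in s.ports)]


# Constructed sample configuration (names, addresses and domains are made up)
SEGMENTS = [
    AppSegment("vCenter", ["10.10.1.0/24"], [PortRange("tcp", 443, 443)],
               "Lab-Apps", "Lab-Connectors"),
    AppSegment("File servers", ["fs01.corp.example"],
               [PortRange("tcp", 1, 65535), PortRange("udp", 1, 65535)],
               "Lab-Apps", "Lab-Connectors"),
]
POLICIES = [
    AccessPolicy("Allow lab users", "allow", frozenset({"Lab-Apps"}), "@corp.example"),
]

if __name__ == "__main__":
    alice = {"Email": "alice@corp.example"}
    print(evaluate(POLICIES, SEGMENTS, alice, "10.10.1.20", "tcp", 443))
    print(evaluate(POLICIES, SEGMENTS, alice, "vcenter.corp.example", "tcp", 443))
    print("still on discovery range:", discovery_segments(SEGMENTS))
```

Running it shows the vCenter segment allowing alice by IP but returning "no-segment" for the same server by name, which is exactly why the FQDN has to be added to the segment, and lists the file-server segment as a candidate for tightening.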

Accessing ZPA with zApp on a Windows 10 Machine

  1. Click Zscaler App Portal in ZPA Portal

  2. Click Administration –> Zscaler Service Entitlement to enable ZPA

  3. Download the zApp client and install it on the Windows 10 machine

  4. Install the zApp client accepting all default values and log in with a valid username in FQDN format

  5. You will be redirected to Okta

  6. Connected to ZPA & Zscaler Internet Access / Security successfully

  7. Verify that both ZPA & ZIA are enabled & connected in Notifications

  8. Access vCenter by using the internal IP address without connecting to the existing Fortigate SSL VPN client

  9. Verify that the ZIA policy is applied by accessing

We are now connecting to the Internet via the Zscaler web proxy and accessing internal applications via ZPA at the same time, and we will evaluate further whether ZPA can replace our existing Fortigate SSL VPN client for VPN access.
