Deploy zScaler Private Access (ZPA) Connector in VMware

Deploy zScaler Private Access (ZPA) Connector in VMware

Please refer to the steps below on how to Deploy zScaler Private Access (ZPA) Connector in VMware

  1. Download the ZPA Connector

  2. Prepare the Provisioning Key from ZPA Portal as this key will be required when we provision the ZPA VM later

ZPA-OVAConnector-02

  1. Import the ZPA OVA to vCenter 6.0 and it is actually a CentOS 7 VM with 2 x vCPU, 4GB RAM, 8GB HDD, 1 x vNIC (Default Resources assigned)

ZPA-OVAConnector-01

ZPA-OVAConnector-03

Login to the Console and assign Static IP Address to the ZPA VM

[admin@zpa-connector ~]$ sudo su
[sudo] password for admin: <Type Your Admin Password Here>
[root@zpa-connector admin]# echo "network: {config: disabled}" > /etc/cloud/cloud.cfg.d/06_network.cfg
[root@zpa-connector admin]# reboot

#Assign Static IP
[admin@zpa-connector ~]$ sudo vi /etc/sysconfig/network-scripts/ifcfg-eth0
    DEVICE="eth0"
    BOOTPROTO="none"
    ONBOOT="yes"
    NETWORK="192.0.2.0"
    NETMASK="255.255.255.0"
    IPADDR="192.0.2.100"

#Default Gateway
[admin@zpa-connector ~]$ sudo vi /etc/sysconfig/network
    NETWORKING=yes 
    GATEWAY=192.0.2.254

#Restart Network service 
[admin@zpa-connector ~]$ sudo systemctl restart network

#Verify the DNS Server is configured 
    [admin@zpa-connector ~]$ cat /etc/resolv.conf
    ; generated by /usr/sbin/dhclient-script
    search AventisTech.com
    nameserver 192.0.2.1
    nameserver 192.0.2.2

Update Connector System Software by following the documentation provided, but we encounter the following error message

[admin@zpa-connector ~]$ sudo yum update -y

[admin@zpa-connector ~]$ yum repolist
Loaded plugins: fastestmirror
base                                                                                                                                                       | 3.6 kB  00:00:00
extras/7/x86_64                                                                                                                                            | 3.4 kB  00:00:00
updates/7/x86_64                                                                                                                                           | 3.4 kB  00:00:00
zscaler                                                                                                                                                    | 3.3 kB  00:00:00


 One of the configured repositories failed (Unknown),
 and yum doesn't have enough cached data to continue. At this point the only
 safe thing yum can do is fail. There are a few ways to work "fix" this:

     1. Contact the upstream for the repository and get them to fix the problem.

     2. Reconfigure the baseurl/etc. for the repository, to point to a working
        upstream. This is most often useful if you are using a newer
        distribution release than is supported by the repository (and the
        packages for the previous distribution release still work).

     3. Run the command with the repository temporarily disabled
            yum --disablerepo=<repoid> ...

     4. Disable the repository permanently, so yum won't use it by default. Yum
        will then just ignore the repository until you permanently enable it
        again or use --enablerepo for temporary usage:

            yum-config-manager --disable <repoid>
        or
            subscription-manager repos --disable=<repoid>

     5. Configure the failing repository to be skipped, if it is unavailable.
        Note that yum will try to contact the repo. when it runs most commands,
        so will have to try and fail each time (and thus. yum will be be much
        slower). If it is a very temporary problem though, this is often a nice
        compromise:

            yum-config-manager --save --setopt=<repoid>.skip_if_unavailable=true

Cannot retrieve metalink for repository: epel/x86_64. Please verify its path and try again

Finally, we manage to resolve this by removing the comment for baseurl and comment out the mirrorlist

[admin@zpa-connector ~]$  cat /etc/yum.repos.d/epel.repo
[epel]
name=Extra Packages for Enterprise Linux 7 - $basearch
baseurl=http://download.fedoraproject.org/pub/epel/7/$basearch
#mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=epel-7&arch=$basearch
failovermethod=priority
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7

[epel-debuginfo]
name=Extra Packages for Enterprise Linux 7 - $basearch - Debug
baseurl=http://download.fedoraproject.org/pub/epel/7/$basearch/debug
#mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=epel-debug-7&arch=$ba                                                                                                  search
failovermethod=priority
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
gpgcheck=1

[epel-source]
name=Extra Packages for Enterprise Linux 7 - $basearch - Source
baseurl=http://download.fedoraproject.org/pub/epel/7/SRPMS
#mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=epel-source-7&arch=$b                                                                                                  asearch
failovermethod=priority
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
gpgcheck=1

Update the System Software again, and it should be successful this time

[admin@zpa-connector ~]$ sudo yum update -y

Verify that the ZPA Connector is up and running

[admin@zpa-connector ~]$ systemctl status zpa-connector
● zpa-connector.service - Zscaler Private Access Connector
   Loaded: loaded (/usr/lib/systemd/system/zpa-connector.service; enabled; vendor preset: enabled)
   Active: active (running) since Fri 2018-08-24 12:07:36 UTC; 24min ago
 Main PID: 830 (zpa-connector)
   CGroup: /system.slice/zpa-connector.service
           ├─ 830 /opt/zscaler/bin/zpa-connector
           └─2128 zpa-connector-child

Aug 24 12:30:40 zpa-connector zpa-connector-child[2128]: Time skew: + 716.278387s
Aug 24 12:31:40 zpa-connector zpa-connector-child[2128]: -------- Connector Status:ID=144123398979584011:Name=Connector Provisioning Key-1:Ver=18.66.1 --------
Aug 24 12:31:40 zpa-connector zpa-connector-child[2128]: Certificate will expire in 369 days, 22 hours, 50 minutes, 58 seconds
Aug 24 12:31:40 zpa-connector zpa-connector-child[2128]: Control connection state: fohh_connection_connected, [10.253.24.6]:35232;broker2.sin4.prod.zpath.net:[165.22...2.252]:443
Aug 24 12:31:40 zpa-connector zpa-connector-child[2128]: RPC Messages: BrkRq = 0, BrkRqAck = 0, BindReq = 0, BindReqAck = 0, AppRtDisc = 0, AppRtReq = 286, DsnAstChk = 0
Aug 24 12:31:40 zpa-connector zpa-connector-child[2128]: Broker data connection count = 0, backed_off connections = 0
Aug 24 12:31:40 zpa-connector zpa-connector-child[2128]: Data Transfer: Total ToBroker = 0 bytes, Total FromBroker = 0 bytes
Aug 24 12:31:40 zpa-connector zpa-connector-child[2128]: Mtunnels: Total Created = 0, Total Freed = 0, Current Active = 0, Alloc = 0, Free_q_cnt = 0
Aug 24 12:31:40 zpa-connector zpa-connector-child[2128]: Registered apps count = 1, alive app = 1, passive_health = 1, service_count = 0, target_count = 0, alive_tar...target = 0
Aug 24 12:31:40 zpa-connector zpa-connector-child[2128]: Time skew: + 716.277232s
Hint: Some lines were ellipsized, use -l to show in full.

Login to ZPA Portal, and you should see the ZPA Connector is showing up and running now

ZPA-OVAConnector-04

Leave a Comment