
Welcome To Day 3

ZPA Support/TAM Bootcamp Training 201


By: Davis Altamirano
Class Starts at 8:00 am PDT / 9:00 CDT / 11:00 am EDT

1 ©2021 Zscaler, Inc. All rights reserved. ZSCALER CONFIDENTIAL INFORMATION SECURING YOUR DIGITAL TRANSFORMATION
Admin Portal

Module 3 Objectives

By the end of the module, you will be able to explain the main components
of the admin portal and how to identify the main issues related to user
provisioning

Objectives
● Identify mandatory vs optional configuration to access internal applications
● Describe the different functionalities in the ZPA Admin portal.

Admin Portal Overview

The main sections of the ZPA Admin Portal:
● Dashboards
● Live Logs
● Diagnostics
● Policy
● Administration
● ZCC Portal

Dashboard

Applications: Details on the Applications
• Summary on multiple application related data
• TopN Apps Access
• TopN Errors/Blocks

Users: Details on the Users Accessing the Service
• Summary on the different user based data
• Connected Users
• Recent Users
• TopN Users (Apps/BW/Blocked)

Health: Health Status Overview
• Applications: Health Status of Apps
• Connectors: Health Status of Connectors
• ZPA-SEs: Overview shows the Health of ZPA-SEs

App Connectors
• TopN Connectors: Shows the Top 10 Connectors having various data
• Activity Monitor: Details of the trend in the selected time range for the selected App Connector
• Connector: Important connectivity details of the Connector
Diagnostics

User Activity: Almost real time logs
• Get details on the Policy
• Details on the App Segments/Groups
• Details on connectors
• Details on brokers

User Status: User Auth Logs
• Details on the user auth
• Time of Auth
• Errors during dissociation
• Need for auth again, etc.

App Connector Status: Connector Auth Logs
• Details on the connector auth
• Time of Auth
• Errors during dissociation
• Need for auth again, etc.

Private SE Status: PSE Auth Logs
• Details on the PSE auth
• Time of Auth
• Errors during dissociation
• Need for auth again, etc.
Live Logs

● Real time logs as the traffic is flowing, to check for a specific User/Application
● We can also look for any activity based on App Connector/PSE
Administration

App Connector MGMT: App Connector Configuration/Mgmt
App MGMT: Creating/Editing Applications for Access
Authentication Settings: Authentication and provisioning mgmt
Machine Management: Manage provisioned Machine Tunnel Keys
Audit Logs: Records the login name and IP address of the admin who logs in to the Admin Portal and changes policies or configuration settings
Policy Management: Create/Edit policies for application access
API Management: Manage API Keys
User Portal: Configure Custom User Portal for BA
Certificate MGMT: Manage enrolled certificates
Service Edge MGMT: Manage Private Brokers


App Connector Management

App Connectors: Connectors Configured
• Get details on the App Connectors
• Status of the connectors

App Connector Groups: Group the Connectors Created
• Details on the Location of the Connectors
• Schedule the update of connectors
• New option to select the version of the connector

App Connector Provisioning Key: Provisioning Key to authenticate Connectors
• Details on the connector auth Key
• Same key can be used for multiple connectors
• Helps in authenticating the connector to the ZPA Cloud
Lab Exercise #3
ZPA App Connector/App Connector Group Setup/Review

• If a ZPA App Connector is already set up on your tenant, review the settings

• If a ZPA App Connector is not set up already, proceed with the setup of the App Connector.

• Use the CentOS ISO to deploy the App Connector as a VM

• Make sure the App Connector is connected to the cloud and is active and running.

• Help Portal Link for deploying on CentOS

• Help Portal Link for configuring the App Connector

Application Management

Application Segments: Applications Configured
• Create Apps that need access via ZPA
• Monitor Apps via health probes
• Configure Apps to be used via SIPA/BA

App Segment Groups: Group the App Segments Created
• Groups the Application Segments Created
• Associate various App Segments as required
• New option to select the TCP keepalive for Apps

Browser Access: Client-less Access of Apps
• Apps that can be accessed via browser without the help of ZCC
• Helps to give access to contractors that can't install ZCC

Servers: Servers for App Access
• Servers through which the app is reached; could be the servers hosting the app
• 1 App can be reached via many Servers

Server Groups: Groups of Servers Created
• Can do dynamic discovery
• Associate the App Connector Group for App access
Lab Exercise #4
ZPA Application/Server and App/Server Groups Setup/Review

• If ZPA Application/Server and App/Server Groups are already set up on your tenant, review the
settings

• If ZPA Application/Server and App/Server Groups are not set up already, proceed with the setup
of the Application/Server and App/Server Groups. You can use any public website

• Make sure the Application is reachable from the App Connector and is active and running.
• Create Applications with BA as well and make sure BA is working fine for those Apps.

• Help Portal Link : https://help.zscaler.com/zpa/configuring-application-segments

Authentication Management

IDP Configuration: Configure the IDP
• Configure IDP for Auth
• Can do User login or Admin login
• Support for Multiple IDPs, like ZIA

SAML Attributes: Import SAML Attributes
• Import SAML Attributes from the IDP or add them manually
• Use these SAML Attributes in Policies/CFPs

Settings: Set up a few Auth related options
• Enable SSO for Admin Login
• Set up session timeout for the admin portal
• Get details on the authentication domains
Certificate Management

Enrollment Certificate: For Custom Enrollment Certificates
• Configure Custom Certs for Enrollment
• Enrollment of PSE/Connector
• Need to create a CSR

Certificate: Custom Certificates
• Custom certificate for BA and Double Encryption
• Need to create a CSR
How Log Streaming works

Components: NSS -- (ZIA) Nanolog Streaming Service; LSS -- (ZPA) Log Streaming Service; NSS/LSS Virtual Appliance; Nanolog cloud; ZEN; Private Apps; SIEM.

1. NSS/LSS opens a secure tunnel to the Nanolog cloud.
2. User access goes through the ZEN (Internet via ZIA) or to Private Apps (ZPA).
3. The ZEN sends the logs to the Nanolog cloud.
4. The Nanolog cloud streams a copy of the log to the NSS/LSS.
5. The NSS/Connector Log Streaming Service sends the desired logs for storage to the SIEM over the network.
Log Streaming Service

Log Receivers: Receives logs
• Configure the SIEM for receiving logs
• Need to associate an App Connector Group to the Receiver

App Connector Groups: Stream Logs to the SIEM
• Initiates streaming of logs
• Streams logs from the Public Service Edge

Can stream the below types of logs:
● User Activity: Information on end user requests to Applications
● User Status: Session information for an end user's availability and connection to ZPA
● Browser Access Logs: HTTP log information related to Browser Access
● Audit Logs: Information related to admins accessing the ZPA Admin Portal
Lab Exercise #5
ZPA LSS Setup/Review

• If ZPA LSS is already set up on your tenant, review the settings

• If ZPA LSS is not set up already, proceed with the setup of the LSS. You can use the App
Connector you already deployed
• You can install Splunk Free or run netcat as a receiver (install Linux for Windows) for the SIEM

• Make sure the SIEM (log receiver) is reachable from the App Connector group, since the App Connector initiates the stream, and that the LSS is active and running.
• Make sure the logs are seen in the SIEM.

• Help Portal Link : https://help.zscaler.com/zpa/configuring-log-receiver
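A receiver that does what the lab's netcat does but also parses what arrives, as an added example for the Log Streaming Service slide and Lab #5 (this is not Zscaler code). It assumes the log receiver is configured with the default JSON output, one JSON object per line over a plain TCP connection from the App Connector group; the field names (Username, Application, ConnectionStatus, InternalReason, SessionStatus, Idp) and the sample records are constructed from the ZPA User Activity and User Status log formats as this editor understands them, and must be checked against the receiver format in your tenant. The parser rejects non-JSON lines instead of crashing, routes records by log type, and pulls out closed connections that carry an internal reason, which is the first thing a TAM looks for when a user reports "app not reachable".

```python
import json
import socket
from collections import Counter

# Constructed sample records (not real tenant data), one JSON object per line
# as the default LSS JSON format delivers them. Field names are assumed; verify
# them against the log receiver format configured on your tenant.
SAMPLE_LINES = [
    '{"LogTimestamp":"Tue Jun 15 09:12:01 2021","Customer":"Acme","Username":"alice@acme.example",'
    '"Application":"intranet","Host":"intranet.acme.internal","ServerPort":443,'
    '"ConnectionStatus":"open","Policy":"Allow-Intranet","Connector":"connector-dc1",'
    '"ClientPublicIP":"203.0.113.7"}',
    '{"LogTimestamp":"Tue Jun 15 09:12:05 2021","Customer":"Acme","Username":"bob@acme.example",'
    '"Application":"hr-app","Host":"hr.acme.internal","ServerPort":8443,"ConnectionStatus":"close",'
    '"InternalReason":"BRK_MT_TERMINATED_APP_NOT_REACHABLE","Policy":"Allow-HR",'
    '"Connector":"connector-dc1","ClientPublicIP":"198.51.100.9"}',
    'not json at all',
    '{"LogTimestamp":"Tue Jun 15 09:12:09 2021","Customer":"Acme","Username":"alice@acme.example",'
    '"SessionStatus":"ZPN_STATUS_AUTHENTICATED","Idp":"Okta","ClientPublicIP":"203.0.113.7"}',
]


def parse_line(line):
    """Parse one LSS line. Returns a dict with an added 'kind' key, or None if the
    line is empty or not a JSON object (a receiver must not die on a bad line)."""
    line = line.strip()
    if not line:
        return None
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return None
    if not isinstance(rec, dict):
        return None
    # Log type is inferred from discriminating fields (assumed names, see above).
    if "ConnectionStatus" in rec:
        rec["kind"] = "user_activity"
    elif "SessionStatus" in rec:
        rec["kind"] = "user_status"
    else:
        rec["kind"] = "unknown"
    return rec


def summarize(lines):
    """Return (parsed_records, rejected_count, connections_per_user, failed_connections)."""
    parsed, rejected = [], 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            rejected += 1
        else:
            parsed.append(rec)
    activity = [r for r in parsed if r["kind"] == "user_activity"]
    per_user = Counter(r.get("Username", "?") for r in activity)
    # Closed connections that carry an InternalReason are the broker telling you why.
    failed = [
        (r.get("Username"), r.get("Application"), r["InternalReason"])
        for r in activity
        if r.get("ConnectionStatus") == "close" and r.get("InternalReason")
    ]
    return parsed, rejected, per_user, failed


def serve(host="0.0.0.0", port=9999, handler=parse_line):
    """Blocking stand-in for 'netcat as a receiver': accept one connection from the
    App Connector group and hand every newline-delimited record to handler."""
    with socket.create_server((host, port)) as srv:
        conn, peer = srv.accept()
        with conn, conn.makefile("r", encoding="utf-8", errors="replace") as stream:
            for line in stream:
                rec = handler(line)
                if rec is not None:
                    print(peer[0], rec["kind"], rec.get("Username"),
                          rec.get("Application", rec.get("SessionStatus")))


if __name__ == "__main__":
    parsed, rejected, per_user, failed = summarize(SAMPLE_LINES)
    print(f"parsed={len(parsed)} rejected={rejected} per_user={dict(per_user)} failed={failed}")
```

Run it as-is to see the summary over the constructed lines; point the log receiver at the host and call serve() to watch live records. Restrict the listener to the App Connector subnet with a host firewall, because anything that can reach the port can inject lines into your SIEM.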

Pre Windows Login

Machine Management

Machine Groups: Groups created for Machine Tunnel Usage
• Groups based on the Machine Provisioning Keys
• Enrollment of Machine Tunnels via App Profile on MA
• Used for Granular Control

Machine Provisioning Keys: Create MT Provisioning Keys
• Create Provisioning Keys for setting up Machine Tunnels
• Based on the Keys, Groups are created and those are available in the MA
Lab Exercise #6
ZPA Machine Tunnel/PWL Setup/Review

• If ZPA Machine Tunnel/PWL is already set up on your tenant, review the settings

• If ZPA Machine Tunnel/PWL is not set up already, proceed with the setup of the Machine
Tunnel/PWL.

• Make sure the MT is up and running on the machine.

• Find the below:
  • MachineTunnel dat file
  • Machine tunnel successful log in the ZSATunnel logs

• Help Portal Link : https://help.zscaler.com/zpa/deploying-machine-tunnels-pre-windows-login

Client Forwarding Policy

Policy Management

Access Policy: Configure Allow/Block
• Configure to explicitly ALLOW access to applications
• Based on various Criteria
• ZPA is Implicit BLOCK

Timeout Policy: Configure Re-Auth Timers
• Configure when the user needs to Re-Authenticate
• Default is 7 days, can be increased/decreased based on requirement
• Can be granular, per app or for the entire org
• Idle Timeout policy does not ask for re-auth; it only drops the TCP connection
• Mtunnel remains active

Client Forwarding Policy: Configure granular bypasses
• Configure bypasses to be more granular
• Set up bypasses based upon various criteria
• Different actions to granularly control the flow of traffic via ZPA
Lab Exercise #7
ZPA Policy Access Setup/Review

• If ZPA Policies for App Access/App Timeout/CFP are already set up on your tenant, review the
settings

• If ZPA Policies for App Access/App Timeout/CFP are not set up already, proceed with the
setup of the Policies for App Access/App Timeout/CFP.

• Make sure the various Policies are working as expected.

• Find the below:
  • Only apps assigned to a particular CFP are downloaded
  • SAML error when you access the app which is set to timeout

• Help Portal Link : https://help.zscaler.com/zpa/about-policies

Public API: API Keys

● An API key is required for authenticating with the ZPA API in order to make API calls.
● We can use Postman or any other API client to implement this.
● BaseURL is config.private.zscaler.com/v2

● To add a new API key:
  ● Go to Administration > API Keys.
  ● Click Add API Key.
  ● The Add API Key window appears.

● In the Add API Key window:
  ● Name: Enter a name for the key.
  ● Status: Enable the key. If Disabled, the key will be unavailable to use. By default, this is enabled.
  ● Session Validity Interval (In Seconds): The amount of time the key is available to use. The maximum amount of time is
3600 seconds.
Lab Exercise #8
ZPA API Setup/Review

• If a ZPA API key is already set up on your tenant, review the settings

• If a ZPA API key is not set up already, proceed with the setup of the API key
(Administration > API Keys).

• Make sure the various APIs are working as expected using the Postman App.

• Find the below:
  • Create Application via API
  • Create Server Group via API

Help Portal Link :


https://help.zscaler.com/zpa/getting-started-zpa-api
https://help.zscaler.com/zpa/configuring-postman-rest-api-client
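The same two lab calls scripted instead of clicked in Postman, as an added example for the API Keys slide and Lab #8 (this is not Zscaler's code or SDK). Everything about the endpoint shape is an assumption to be checked against the help portal links above: that the host from the slide's BaseURL takes a POST /signin with form-encoded client_id and client_secret and returns JSON containing "access_token", that POST /signout invalidates that token, and that object creation is POST /mgmtconfig/v1/admin/customers/{customerId}/serverGroup and .../application with the JSON field names used below (the slide lists /v2 as the base; the version segment here is likewise an assumption). Customer ID, group IDs and credentials are placeholders. The security-relevant points it shows: the secret travels in the request body rather than the URL, the token is short-lived (the slide's 3600 second cap) so a 401 means sign in again rather than retry, and a dry-run transport lets you review every call before an API key is used against a tenant.

```python
import json
import os
import urllib.error
import urllib.parse
import urllib.request

BASE_URL = "https://config.private.zscaler.com"  # assumed host; see lead-in


def http_transport(method, url, headers, body):
    """Live transport: returns (status, response_text)."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode()


class DryRunTransport:
    """Records every call and answers with canned bodies, so the whole flow can be
    reviewed offline before an API key is ever exercised against a tenant."""

    def __init__(self):
        self.calls = []

    def __call__(self, method, url, headers, body):
        decoded = body.decode() if body else ""
        is_json = headers.get("Content-Type") == "application/json"
        self.calls.append({"method": method, "url": url, "headers": headers,
                           "payload": json.loads(decoded) if is_json else decoded})
        if url.endswith("/signin"):
            return 200, '{"token_type":"Bearer","access_token":"dryrun-token","expires_in":3600}'
        if url.endswith("/serverGroup"):
            return 200, '{"id":"sg-1"}'
        if url.endswith("/application"):
            return 200, '{"id":"app-1"}'
        if url.endswith("/signout"):
            return 200, ""
        return 404, ""


class ZpaClient:
    def __init__(self, customer_id, base_url=BASE_URL, transport=http_transport):
        self.customer_id = customer_id
        self.base_url = base_url.rstrip("/")
        self.transport = transport
        self.token = None

    def signin(self, client_id, client_secret):
        # Credentials go form-encoded in the body, never in the URL (URLs end up in proxy logs).
        body = urllib.parse.urlencode({"client_id": client_id, "client_secret": client_secret}).encode()
        status, text = self.transport("POST", f"{self.base_url}/signin",
                                      {"Content-Type": "application/x-www-form-urlencoded"}, body)
        if status != 200:
            raise RuntimeError(f"signin failed: HTTP {status}")
        self.token = json.loads(text)["access_token"]
        return self.token

    def signout(self):
        """Invalidate the session token (assumed endpoint) instead of letting it age out."""
        if self.token:
            self.transport("POST", f"{self.base_url}/signout",
                           {"Authorization": f"Bearer {self.token}"}, None)
            self.token = None

    def _post_json(self, path, payload):
        if not self.token:
            raise RuntimeError("call signin() first")
        headers = {"Authorization": f"Bearer {self.token}", "Content-Type": "application/json"}
        status, text = self.transport("POST", self.base_url + path, headers, json.dumps(payload).encode())
        if status == 401:
            # Session validity is capped at 3600 s: the token expires, the key does not.
            raise RuntimeError("token rejected; sign in again")
        if status not in (200, 201):
            raise RuntimeError(f"{path}: HTTP {status} {text[:200]}")
        return json.loads(text) if text else {}

    def create_server_group(self, name, app_connector_group_ids, dynamic_discovery=True):
        payload = {"name": name, "enabled": True, "dynamicDiscovery": dynamic_discovery,
                   "appConnectorGroups": [{"id": i} for i in app_connector_group_ids]}
        return self._post_json(f"/mgmtconfig/v1/admin/customers/{self.customer_id}/serverGroup", payload)

    def create_app_segment(self, name, domain_names, segment_group_id, server_group_ids, tcp_ports):
        # tcp_ports is a list of (from, to) pairs; the assumed API wants them flattened to strings.
        ranges = [str(p) for pair in tcp_ports for p in pair]
        payload = {"name": name, "enabled": True, "domainNames": list(domain_names),
                   "segmentGroupId": segment_group_id, "tcpPortRanges": ranges,
                   "serverGroups": [{"id": i} for i in server_group_ids]}
        return self._post_json(f"/mgmtconfig/v1/admin/customers/{self.customer_id}/application", payload)


def lab_flow(client, acg_id="acg-placeholder", seg_group_id="seg-placeholder"):
    """Lab #8: create a server group, then an app segment that uses it. Returns both IDs."""
    sg = client.create_server_group("lab-servers", [acg_id])
    app = client.create_app_segment("lab-intranet", ["intranet.lab.internal"],
                                    seg_group_id, [sg["id"]], [(443, 443)])
    return sg["id"], app["id"]


if __name__ == "__main__":
    # Credentials come from the environment; with none set, fall back to a dry run.
    cid, secret = os.environ.get("ZPA_CLIENT_ID"), os.environ.get("ZPA_CLIENT_SECRET")
    transport = http_transport if cid and secret else DryRunTransport()
    client = ZpaClient(os.environ.get("ZPA_CUSTOMER_ID", "0"), transport=transport)
    client.signin(cid or "dry", secret or "dry")
    try:
        print(lab_flow(client))
    finally:
        client.signout()
```

Without ZPA_CLIENT_ID and ZPA_CLIENT_SECRET in the environment the script only exercises the dry-run transport; inspect transport.calls to see exactly what would be sent before switching to the live transport.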

Reporting: Executive Insights App Access

● An Executive Insights App user has access to the Executive Insights App, but not the ZPA Admin Portal.
● If you want to provide access to the Admin Portal, you must create a ZPA admin.

● When an Executive Insights App user downloads the app and registers, the devices they registered the app on will
appear under Authorized Devices when you expand their row in the table.
● You can revoke access on that device by clicking the X icon.
● You can revoke access to all devices by clicking Remove All.

● In the Add App User window:
  ● Name: Enter a name for the user.
  ● Title: Enter the user's business title.
  ● Email: Enter the user's valid business email address.
  ● Confirm: The Executive Insights App Download Email window appears.
Lab Exercise #9
ZPA Executive Insights App Setup/Review

• If the ZPA Executive Insights App is already set up on your tenant, review the settings

• If the ZPA Executive Insights App is not set up already, proceed with the setup of the Executive
Insights App

• Make sure the download from the App Store is working fine.
• Make sure the login to the App is working fine.
• Make sure the logs/Reports are showing in the App.

• Help Portal Link : https://help.zscaler.com/zpa/adding-executive-insights-app-user

SCIM Management

SCIM Attributes: Attributes to be Synced
• Different Attributes that can be used to sync with the SCIM activated IDP

SCIM Users: Sync Users for SCIM
• Details of the users synced via SCIM
• User/Group is provisioned based on the details provided to be sync'd

SCIM Groups: Sync Groups for SCIM
• Details of the User Groups synced via SCIM

SCIM Sync Logs: SCIM Logs
• Logs related to the SCIM Sync
• We can check if the user sync'd without issues or if there were any issues during the sync process
Lab Exercise #10
ZPA SCIM Setup/Review

• If ZPA SCIM Sync is already set up on your tenant, review the settings

• If ZPA SCIM Sync is not set up already, proceed with the setup of the SCIM Sync

• Make sure the SCIM Sync is working fine (SCIM Sync Logs on the UI verify a successful
sync)
• Make sure the login to the App is working fine after the sync.
• Make sure the policies are working as expected.
• Enable the SCIM Policy override option and see the difference.

• Find the below:
  • The SCIM policy is working instead of the SAML Policy
  • Check the ZSATunnel Logs for SCIM policy evaluation

• Help Portal Link : https://help.zscaler.com/zpa/about-scim

Service Edge Management

Service Edges: Service Edges Configured
• Get details on the Service Edges
• Status of the Service Edges
• 2 Types of PSEs:
  ● Pvt Pvt Service Edge
  ● Pub Pvt Service Edge

Service Edge Groups: Group the Service Edges Created
• Details on the Location of the Service Edges
• Schedule the update of Service Edges
• New option to select the version of the Service Edge

Service Edge Provisioning Key: Provisioning Key to Authenticate Service Edges
• Details on the Service Edge auth Key
• Same key can be used for multiple Service Edges
• Helps in authenticating the Service Edges to the ZPA Cloud
Lab Exercise #11
ZPA PSE Setup/Review

• If a ZPA PSE is already set up on your tenant, review the settings

• If a ZPA PSE is not set up already, proceed with the setup of the PSE. You can deploy another
CentOS VM for the PSE

• Make sure the PSE is connected to the cloud and is working fine.
• Make sure the ZCC can connect to the PSE.
• Make sure the App is reachable via the PSE.

• Find the below:
  • In the Diagnostic logs, find the Service Edge being used.
  • In the ZSATunnel Logs, find the Private Broker connection setup.

• Help Portal Link : https://help.zscaler.com/zpa/configuring-service-edges

SETTINGS

Administrators: Configure Admins
• Configure Administrators to manage the portal
• You can pin the sessions and set up 2 factor Auth for Admins

Roles: Manage Roles for Admins
• Manage Roles of Admins for RBAC
• Granularly select the options/modules you want the admins to access

Audit Logs: Audit logs for changes
• Read Audit logs for changes made to the portal by admins
• Using this we can check if there were any changes made during issues

AUP: Usage Policy
• Show the AUP for users according to company policies

Client Sessions: Logged in Admin
• See which Admin is currently logged in
• See the Source IP of the Admin

Company: Company Details
• See company details, like tenant ID, logo etc.
Lab Exercise #12
ZPA Various Settings Setup/Review
• If the various settings of the ZPA admin portal are already set up on your tenant, review the settings

• If the various advanced settings of the admin portal are not set up already, proceed with the setup
of the same

Create 3 admin users with
  1) Read Only Role
  2) App Policy Only Role
  3) App Segment Only Role
Log in to the portal with each type of admin
Review the changes made to the RBAC section via the Audit Logs

Help Portal Link:


https://help.zscaler.com/zpa/about-administrators
https://help.zscaler.com/zpa/about-roles
https://help.zscaler.com/zpa/configuring-administrator-roles

User Portal

User Portals: Authorized Apps Portal
• User portals provide visibility to authorized applications
• These can be for your organization's employees and partners
• From a user portal, your users can access apps as a tile (like OKTA)

Portal Links: Create Links for Tiles
• Create links for tiles that will be added in the user portals
• There are 2 types of links that can be added:
  ● Web: live links that users can click on
  ● Display: view only links, users can't interact with these tiles

Client Connector Download Links: Configure Download Links
• Configure links for ZCC Download
• Links are for all supported OSes of ZCC
Lab Exercise #13
ZPA User Portal Setup/Review

• If a ZPA User Portal is already set up on your tenant, review the settings

• If a ZPA User Portal is not set up already, proceed with the setup of the same

• Configure the user portal and make sure the apps are showing up in the portal.
• Check if the apps are accessible via the user portal.

• Help Portal Link : https://help.zscaler.com/zpa/configuring-user-portals

Thank You
For Attending
Day 3