Day 3 ZPA Bootcamp Slides - New Hire Version
1 ©2021 Zscaler, Inc. All rights reserved. ZSCALER CONFIDENTIAL INFORMATION SECURING YOUR DIGITAL TRANSFORMATION
Admin Portal
Module 3 Objectives
By the end of the module, you will be able to explain the main components
of the admin portal and how to identify the main issues related to user
provisioning
Objectives
● Identify mandatory vs optional configuration to access internal applications
● Describe the different functionalities in the ZPA Admin portal.
Admin Portal Overview
• Diagnostics
• Policy
• Applications
• Users

• Almost real time logs
• User Auth Logs
• Connector Auth Logs
• PSE Auth Logs

Connectors Configured
• Get details on the App Connectors
• Status of the connectors

Group the Connectors Created
• Details on the Location of the Connectors
• Schedule the update of connectors.
• New option to select the version of the connector.

Provisioning Key to authenticate Connectors
• Details on the connector auth Key
• Same key can be used for multiple connectors
• Helps in authenticating the connector to the ZPA Cloud.
Lab Exercise #3
ZPA App Connector/App Connector Group Setup/Review
• If the ZPA App Connector is already set up on your tenants, review the settings.
• If the ZPA App Connector is not set up already, proceed with the setup of the App Connector.
Application Management
• Application Segments: Applications Configured
• App Segment Groups: Group the App Seg’s Created
• Browser Access: Client-less Access of Apps
• Servers: Server for App Access Created
• Server Groups: Groups of Servers
• If the ZPA Application/Server and App/Server Group are already set up on your tenants, review the settings.
• If the ZPA Application/Server and App/Server Group are not set up already, proceed with the setup of the Application/Server and App/Server Groups. You can use any public website.
• Make sure the Application is reachable from the App Connector and is active and running.
• Create Applications with BA as well and make sure BA is working fine for those Apps.
Authentication Management
• Configure the IDP
• Import SAML Attributes
• Setup a few Auth related options

• Configure Custom Certs for Enrollment
• Enrollment of PSE/Connector
• Need to create a CSR

• Custom certificate for BA and Double Encryption
• Need to create a CSR
How Log Streaming works
NSS (ZIA): Nanolog Streaming Service
LSS (ZPA): Log Streaming Service
1. NSS/LSS opens a secure tunnel to the cloud
2. User access through ZEN
3. ZEN sends the logs to the cloud Nanolog for storage
4. The cloud Nanolog streams a copy of the log to the NSS/LSS
5. NSS/Connector sends desired logs to the SIEM over the network
[Diagram labels: ZEN, Internet, Private Apps, Nanolog, NSS/LSS Virtual Appliance, SIEM]
©2019 Zscaler, Inc. All rights reserved. ZSCALER CONFIDENTIAL INFORMATION Securing your cloud transformation
Log Streaming Service
• If ZPA LSS is not set up already, proceed with the setup of the LSS. You can use the App Connector you already deployed.
• You can install Splunk Free or run netcat as a receiver (install Linux for Windows) for the SIEM.
• Make sure the LSS is reachable from the SIEM and is active and running.
• Make sure the logs are seen in the SIEM.
Pre Windows Login
Machine Management
• If ZPA Machine Tunnel/PWL is already set up on your tenants, review the settings.
• If ZPA Machine Tunnel/PWL is not set up already, proceed with the setup of the Machine Tunnel/PWL.
Client Forwarding Policy
Policy Management
• If ZPA Policies for App Access/App Timeout/CFP are already set up on your tenants, review the settings.
• If ZPA Policies for App Access/App Timeout/CFP are not set up already, proceed with the setup of the Policies for App Access/App Timeout/CFP.
Public API: API Keys
● An API key is required for authenticating with the ZPA API in order to make API calls.
● We can use Postman or any other API client to implement this.
● BaseURL is config.private.zscaler.com/v2
• If ZPA API is not set up already, proceed with the setup of the Policies for App Access/App Timeout/CFP.
• Make sure the various APIs are working as expected using the Postman app.
Reporting: Executive Insights App Access
● An Executive Insights App user has access to the Executive Insights App, but not the ZPA Admin Portal.
● If you want to provide access to the Admin Portal, you must create a ZPA admin.
● When an Executive Insights App user downloads the app and registers, the devices they registered the app on will appear under Authorized Devices when you expand their row in the table.
● You can revoke access on that device by clicking the X icon.
● You can revoke access to all devices by clicking Remove All.
• If the ZPA Executive Insight App is already set up on your tenants, review the settings.
• If the ZPA Executive Insight App is not set up already, proceed with the setup of the Executive Insight App.
• Make sure the download from the App store is working fine.
• Make sure the login to the App is working fine.
• Make sure the logs/reports are showing in the App.
SCIM Management
• Attributes to be Synced
• Sync Users for SCIM
• Sync Groups for SCIM
• SCIM Logs
• If ZPA SCIM Sync is already set up on your tenants, review the settings.
• If ZPA SCIM Sync is not set up already, proceed with the setup of the SCIM Sync.
• Make sure the SCIM Sync is working fine. (Check the SCIM Sync Logs on the UI to verify a successful sync.)
• Make sure the login to the App is working fine after the sync.
• Make sure the policies are working as expected.
• Enable the SCIM Policy override option and see the difference.
Service Edge Management
Service Edges Configured
• Get details on the Service Edges
• Status of the Service Edges
• 2 Types of PSEs:
● Pvt Pvt Service Edge
● Pub Pvt Service Edge

Group the Service Edges Created
• Details on the Location of the Service Edges
• Schedule the update of connectors.
• New option to select the version of the Service Edge.

Provisioning Key to Authenticate Service Edges
• Details on the Service Edge auth Key
• Same key can be used for multiple Service Edges
• Helps in authenticating the Service Edges to the ZPA Cloud.
Lab Exercise #11
ZPA PSE Setup/Review
• If ZPA PSE is not set up already, proceed with the setup of the PSE. You can deploy another CentOS VM for the PSE.
• Make sure the PSE is connected to the cloud and is working fine.
• Make sure the ZCC can connect to the PSE.
• Make sure the App is reachable via the PSE.
SETTINGS
Configure Admins
• Configure Administrators to manage the portal.
• You can pin the sessions and set up 2 factor Auth for Admins.

Manage Roles for Admins
• Manage Roles of Admins for RBAC.
• Granularly select the options/modules you want the admins to access.

Audit logs for changes
• Read Audit logs for changes made to the portal by admins.
• Using this we can check if there were any changes made during issues.

Usage Policy
• Show the AUP for users according to company policies.

Logged in Admin
• See which Admin is currently logged in.
• See the Source IP of the Admin.

Company Details
• See company details, like tenant ID, logo, etc.
Lab Exercise #12
ZPA Various Settings Setup/Review
• If various settings of the ZPA admin portal are already set up on your tenants, review the settings.
• If various advanced settings of the admin portal are not set up already, proceed with the setup of the same.
User Portal
• Authorized Apps Portal
• Create Links for Tiles
• Configure Download Links
• If the ZPA User portal is already set up on your tenants, review the settings.
• If the ZPA User portal is not set up already, proceed with the setup of the same.
• Configure the user portal and make sure the apps are showing up in the portal.
• Check if the apps are accessible via the user portal.
Thank You
For Attending
Day 3