ZPA Workshop guide V11 Unified
-Workshop Guide-
This Document is Westcon Group Proprietary. For any feedback or issue, please contact hamza.sahli@westcon.com.
Contents
How to Use This Guide
Activity 1: Understand and initiate Workshop environment
Task 1 – Log in to Your Workshop Environment
Task 2 - Understand the Workshop Environment Setup
Activity 2 – Configure your VMs Network Parameters
Task 1 – Retrieve assigned Student-ID
Task 2 – Configure My APP VM Network parameters
Task 3 – Configure APP Connector VM Network parameters
Activity 3 – Configure and link your App Connector VM to your ZPA instance
Task 1 – Connect to ZPA Tenant and Create App Connector requirements
Task 2 – Link your App Connector to your ZPA tenant using your Provisioning key
Activity 4 – Add your internal application to ZPA and test the user access to it
Task 1 – configure your internal application on ZPA
Task 3 – Log in the Client Connector on the mobile user VM
Task 3 – Test your mobile user access to your internal
Task 4 – Navigate to Dashboard and Observe some statistics
How to Use This Guide
The activities outlined in this Workshop Guide are meant to contain all the information necessary to
navigate the workshop interface, complete the workshop activities, and troubleshoot any potential
issues with the LAB environment. This guide is meant to be used in conjunction with the information
and guidance provided by your instructor.
Using this guide, you will configure the basic features of the Zscaler Private Access (ZPA) solution to
provide access to your customer's internal applications with a best-of-breed Zero Trust Network Access
(ZTNA) solution. You will first configure the basic network parameters of your internal application.
Then you will configure an App Connector on your internal network, and finally you will set up the ZTNA
service from the ZPA admin console. You will also test your connection to your internal application and
view some dashboards in the Admin UI.
You will find all the instructions to log in to the ZPA Admin UI in this guide.
Your instructor will provide all the required information and credentials to be used for Zscaler Client
Connector.
Using Zscaler Client Connector (formerly Zscaler App or Z App), users can get all the benefits of the
Zscaler service for Internet traffic, as well as granular, policy-based access to internal resources from a
single point.
● With Zscaler Client Connector's Internet Security feature, you can protect your users' web
traffic even when they are outside your corporate network. You can also protect your users’
mobile traffic, whether they are connected to Wi-Fi or cellular networks. The app forwards
user traffic to the Zscaler service and ensures that your organization's security and access
policies are enforced wherever they might be accessing the internet.
● With Zscaler Private Access (ZPA), you can enable your users to securely access enterprise
applications from outside the corporate network. ZPA establishes a secure transport for
accessing your enterprise apps and services.
● With Zscaler Digital Experience (ZDX), you can monitor your organization’s user devices to
detect user experience and productivity issues. ZDX relies on Zscaler Client Connector to
perform synthetic probing to a desired Software-as-a-Service (SaaS) application or internet-
based service (e.g., OneDrive, Gmail, etc.).
Activity 1: Understand and initiate Workshop environment
In this activity, you will:
• Log in to the Workshop environment from your laptop.
• Learn the layout of the environment and its various components
Step 1: Verify that your laptop is equipped with a modern browser that supports HTML 5.0. We
recommend using the latest version of Firefox®, Chrome, or Internet Explorer®/Edge®.
Step 2: Open a browser window and navigate to the class URL. If you have an invitation email, you will
find the class URL and passphrase there. Otherwise, your instructor will provide them.
Enter your email address and the class passphrase.
Step 3: Complete the registration form and click Login at the bottom.
Step 4: Once you have logged in, the system will create a unique Lab environment for you. Please note
that this process may take a while, as indicated by the green progress bar at the top of the screen.
Once the environment has been created, the system will display a welcome page. Click Start Using
This Environment to begin.
This will display a list of all virtual systems that constitute the Lab environment.
Take note of the shortcut menu at the top of your browser window. You will use this menu throughout
the workshop to switch between the available desktops.
1. App Connector VM: this App Connector will be configured to provide access to the internal
application. Network parameters will be changed based on this guide.
Note: Please do not change the keyboard language of the App Connector virtual machine in the
CloudShare environment. The default keyboard is English-US; use the Send Text feature to
run commands on this VM. Also, do not reboot this VM. This is important for completing the lab
without issues.
2. My APP: an Ubuntu-based VM that hosts an internal web application. It will be used to verify
that the ZPA configuration is working. Please note that you will also change the network parameters
of this VM.
3. Win-mobile: a Windows VM running Zscaler Client Connector for the remote user. Each student will
log in with their own unique login. Zscaler Client Connector gives access to ZIA Security
services, ZPA and ZDX. You will install Zscaler Client Connector later in the lab exercises, and you
will use the credentials provided by your instructor to log in.
Review the diagram below to better understand the LAB environment setup.
Example of the username that your instructor will provide, to be used for SAML authentication on the
Client Connector: student<ID>@westconcloudlab<tenant-ID>.com.
Note: Your ID will also be used to determine the network parameters of the My APP VM and the App
Connector VM.
End of Activity 1
Activity 2 – Configure your VMs Network Parameters
In this activity, you will:
• Retrieve your assigned Student-ID from your Instructor
• Access My APP VM and APP Connector VM
• Configure both VMs with the correct network parameters using your Student-ID
Step 2: Go to Network button, click on Wired Connection and click on Wired Settings
Step 4: Go to IPv4, then Address and change the IPv4 address to 10.160.20.2<yourStudentID> and
apply your settings.
Step 5: Stop the network service using previous window and then start it again:
Log into the system with the default credentials (admin / zscaler)
If you are not logged into the system as an admin user with root privileges, type the following command
(and enter the password “zscaler” again if required):
sudo su -
You should now be connected to the App Connector as an admin user with root privileges.
Step 3: Go to IPADDR parameter and change it to use 10.160.20.1<student-ID> as IP Address.
For example, student11 should use 10.160.20.111 as IP address for the App Connector.
Step 4: Leave the other parameters at their default values and use Ctrl+X then Yes to save changes.
Step 5: Apply the changes by restarting the networking subsystem using the following command:
Step 7: You can ping google.com to verify that your network parameters are correct.
End of Activity 2
Step 1: Using your machine or your Windows10 VM, open a browser and go to the Westcon 3DLAB
Portal at https://3dlab.westconsecurity.eu
Step 2: Sign in with the credentials provided by your instructor. The login should be in this format:
student<ID>@westconcloudlab<tenant-ID>.com. The password is also provided by your instructor.
Note: Do not use the login shown in the screenshot. It is just an example.
Note: If you have not installed the Okta Browser Plugin on your browser before, you will be prompted
to install it. The Okta Browser Plugin is mandatory to access your Admin Portal.
Step 4: If the Okta Browser Plugin is installed, go back to the ZPA Admin Portal App and click on it.
Your Zscaler Internet Access Portal will open in a new tab.
Step 5: Go to Configuration & Control > Private Infrastructure > App Connector Management > App
Connectors:
Step 8: On Signing Certificate, select Connector and click on Next
Step 10: Enter a Name and a Description for your App Connector Group. The name of your App
Connector Group should be StudentIDConnectorGroup
Step 11: Status should be Enabled. Leave the other parameters at their default values, enter a
Location for your App Connector, then click on Next
Step 12: On Create Provisioning Key, enter a Name for your key and a Maximum Reuse of the key.
The name should start with your studentID. Then click on Next
For example, student11 should use student11ProvisionningKey as name and 5 for the maximum
reuse value.
Step 13: Review your configuration and save it by clicking on Save
You will be invited to review the documentation for deploying your App Connector and to copy your key
for use later in this guide.
Step 15: Go to your App Connector Group and verify that your App Connector is added.
Step 16: Move to App Connector Provisioning Keys and verify that your key isn’t already used (value
is 0).
Task 2 – Link your App Connector to your ZPA tenant using your Provisioning key
Step 1: Go to your App Connector VM on CloudShare and stop the zpa-connector service using the
command
systemctl stop zpa-connector
Step 2: Remove any old Provisioning Key with the command rm -f /opt/zscaler/var/*
Step 3: Create the key file with the command touch /opt/zscaler/var/provision_key
Step 5: Then edit the file with the nano editor to enter your Provisioning Key, using the command
nano /opt/zscaler/var/provision_key
Step 6: Go to ZPA Admin portal then go to App Connector Provisioning Key and copy your key
Step 7: Paste your Key on the nano editor using Keyboard > Send Text feature
Step 8: Save changes to the file using Ctrl+X then choose Yes and press Enter.
Step 9: Start the zpa-connector service using the command systemctl start zpa-connector
Step 10: You can verify the status of the service using the command systemctl status zpa-connector
At this step, your App Connector should be UP and linked to your instance.
Step 11: To verify this, go to App Connector Provisioning Keys and check that the key usage count
has changed from 0 to 1.
You can also verify that your App Connector is UP by going to the App Connectors submenu under
Administration. You will see that your App Connector is Connected and that a Software Upgrade is
Scheduled.
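Task 2, Steps 1 to 10, as one script (an added example, not part of the original guide and not Zscaler tooling). The path, file name and service name are the ones this guide uses; the function names and the ZPA_VAR_DIR override are assumptions made for this example, and the key is trimmed of the surrounding whitespace and carriage returns that a Send Text paste can add.

```shell
#!/bin/sh
# Added example: scripted form of Task 2 (Link your App Connector).
# /opt/zscaler/var, provision_key and zpa-connector come from this guide;
# function names and the ZPA_VAR_DIR override are assumptions for the example.

ZPA_VAR_DIR="${ZPA_VAR_DIR:-/opt/zscaler/var}"

# Remove carriage returns, newlines and leading/trailing blanks from a pasted key.
clean_key() {
    printf '%s' "$1" | tr -d '\r\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
}

# Steps 2-8: clear the old key and write the new one.
# Returns 1 for an empty key, 2 if the target directory does not exist.
write_provision_key() {
    key=$(clean_key "$1")
    [ -n "$key" ] || { echo "empty provisioning key" >&2; return 1; }
    [ -d "$ZPA_VAR_DIR" ] || { echo "missing $ZPA_VAR_DIR" >&2; return 2; }
    rm -f "$ZPA_VAR_DIR"/*                               # Step 2
    printf '%s\n' "$key" > "$ZPA_VAR_DIR/provision_key"  # Steps 3-8
    # Read the file back and confirm it holds exactly the cleaned key.
    [ "$(cat "$ZPA_VAR_DIR/provision_key")" = "$key" ]
}

# Steps 1, 9 and 10 wrapped around the key write. Run as root.
enroll_connector() {
    systemctl stop zpa-connector || return 1             # Step 1
    write_provision_key "$1" || return 1
    systemctl start zpa-connector || return 1            # Step 9
    systemctl is-active --quiet zpa-connector            # Step 10
}
```

Source the file as root on the App Connector VM and call enroll_connector with the key copied from App Connector Provisioning Keys; a zero exit status means the service is active, after which the key usage count in the ZPA Admin portal is the check that the enrollment was accepted.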
End of Activity 3
Activity 4 – Add your internal application to ZPA and test the user access to it
In this activity, you will:
• Configure your internal application on ZPA
• Log in the Client Connector on the Windows VM
• Test your mobile user access to your internal application
• Navigate to Dashboard and see some statistics
Step 2: Click on Add Application Segment and give your application a Name and a Description.
Use Student<ID>AppSegment as the application name; for example, student11 should use
Student11AppSegment as a name.
Step 3: On Applications, enter your FQDN that will be used later to connect to your internal web
application.
Step 5: On Segment Group, select Add Segment Group and enter a Name and a Description using
your Student<ID>SegmentGroup. Click Next.
Step 6: On Server Group, select Add Server Group and give it the name Student<ID>ServerGroup.
Verify that Status is enabled and that Dynamic Server Discovery is turned OFF. Click OK on the Warning.
Then select the App Connector Group you created previously (with your
student<ID>AppConnectorGroup). Click Done.
Step 7: Click on Next
Step 8: On Servers, Select Add Server and enter the Name student<ID>Server and the IP Address of
your APP VM that you configured on Activity 1 (the IP Address of the Ubuntu VM).
Step 10: On Review Step, review your configuration and save it by clicking Save
Step 11: On the Last step (Policies), click on Edit Policy
Now you will add a rule that authorizes users to access your internal web application hosted on the
Ubuntu VM.
Step 13: Enter a Name and a Description for the new policy, using Student<ID>AccessPolicy.
Step 15: Set App Connector Selection Method to Specific App Connector groups or Server[…]
Step 16: Specify your App Connector Group from the drop-down menu Student<ID>ConnectorGroup
and click Done.
Note: The ZPA UI is shared with other students. You may configure your policy with order 1 and another
student may later take order 1; your policy will then get order 2, 3 or another order number.
You have finished your configuration. In the next task, you will test your user access to your internal application.
Task 2 - Install Zscaler Client Connector on your Windows virtual machine
To install Zscaler Client Connector on your Windows10 VM, you will use the EXE installer file located on
your desktop. You will use install options in this task. Install options let you customize the Client
Connector deployment in a customer's environment and simplify automated deployment of the Client
Connector agent on supported customer machines and devices.
To learn more about install options, visit:
https://help.zscaler.com/z-app/customizing-zscaler-app-install-options-exe#mode
In this task, you will use some of the ZCC (Zscaler Client Connector) install options. The options used
are:
- --mode: This install option allows you to install the app in silent mode.
- --cloudName: If your organization is provisioned on more than one cloud, your users are
asked to select the cloud to which their traffic is sent during the enrollment process. In this
lab, cloudName will be zscaler.
- --userDomain: This install option allows users to skip the app enrollment page. If SSO is
enabled for your organization, users are taken directly to your organization's SSO login page.
If you've integrated SSO with the app (i.e., using a mechanism like Integrated Windows
Authentication (IWA)), users can also skip the SSO login page and are automatically enrolled
with Zscaler service and logged in. In this lab, userDomain will be westconcloudlab3.com.
To install ZCC with the method recommended for this lab, follow the steps below:
2- Type the command cd Desktop to change the directory to your Desktop (the installation file is
located on your Desktop)
3- Locate your User Domain from the login username provided by your instructor.
Example: if your instructor gives you the username student10@westconcloudlab3.com, then
your Zscaler User Domain is westconcloudlab3
4- To launch the installation in silent mode, type the command
"Zscaler installer.lnk" --cloudName zscaler --userDomain westconcloudlab<tenant-ID>.com --mode unattended
5- In the UAC window, click on Yes to continue.
Once ZCC is installed, it provisions itself with your ZPA tenant using the cloudName and userDomain
options and takes you to your SSO portal to log in.
The Zscaler Client Connector is now installed. Open the Zscaler Client Connector.
Note: After signing in, you may have to reconnect the machine. In the CloudShare GUI, go to
“Connectivity” on the left and click “Reconnect”.
Step 4: After a successful authentication, go to Zscaler icon, right-click and click on Open Zscaler
Task 3 – Test your mobile user access to your internal
In this Task, you will connect to your internal web application.
Step 1: On the Desktop, open a browser and navigate to your previously configured FQDN, in this
case student<ID>.westconcloudlab<tenant-ID>.com
Your connection is successful, and your internal web app is now delivered by ZPA and your App
Connector.
Step 1: Go to Dashboard > Application to see how many transactions were successful or how many
applications were recently accessed
Step 2: Go to Users to see how many users are connected and statistics about their transactions.
You can also navigate to Health to verify application health, and to App Connectors to verify your App
Connector status.
You can also open Live Logs to view live transactions.
End of Activity 4