ZPA Workshop guide V11 Unified

Zscaler Private Access Workshop
-Workshop Guide-
1
This Document is Westcon Group Proprietary. For any feedback or issue, please contact hamza.sahli@westcon.com.
Contents
How to Use This Guide ............................................................................................................................ 3
Activity 1: Understand and initiate Workshop environment .................................................................. 4
Task 1 – Log in to Your Workshop Environment ................................................................................. 4
Task 2 - Understand the Workshop Environment Setup..................................................................... 4
Activity 2 – Configure your VMs Network Parameters ........................................................................... 8
Task 1 – Retrieve assigned Student-ID ................................................................................................ 8
Task 2 – Configure My APP VM Network parameters......................................................................... 8
Task 3 – Configure APP Connector VM Network parameters ............................................................. 9
Activity 3 – Configure and link your App Connector VM to your ZPA instance .................................... 11
Task 1 – Connect to ZPA Tenant and Create App Connector requirements ..................................... 11
Task 2 – Link your App Connector to your ZPA tenant using your Provisioning key......................... 17
Activity 4 – Add your internal application to ZPA and test the user access to it .................................. 20
Task 1 – configure your internal application on ZPA......................................................................... 20
Task 3 – Log in the Client Connector on the mobile user VM ........................................................... 27
Task 3 – Test your mobile user access to your internal .................................................................... 29
Task 4 – Navigate to Dashboard and Observe some statistics .......................................................... 29
2
How to Use This Guide
The activities outlined in this Workshop Guide are meant to contain all the information necessary to
navigate the workshop interface, complete the workshop activities, and troubleshoot any potential
issues with the LAB environment. This guide is meant to be used in conjunction with the information
and guidance provided by your instructor.
Using this guide, you will be able to configure basic features of Zscaler Private Access solution to
provide access to your customer internal applications with the best of breed Zero Trust Network Access
solution. You will configure your basic network parameters of your internal application. Then, you will
configure an App Connector on your internal network and finally, you will set up ZTNA service from
the ZPA admin console. You will also test your connection to your internal application and see some
Dashboard on the Admin IU.
You will find all the instruction to log in to ZPA Admin UI on this guide.
You instructor will provide you all required information and credentials to be used for Zscaler Client
Connector.
Using Zscaler Client Connector (formerly Zscaler App or Z App), users can get all the benefits of the
Zscaler service for Internet traffic, as well as granular, policy-based access to internal resources from a
single point.
● With Zscaler Client Connector's Internet Security feature, you can protect your users' web
traffic even when they are outside your corporate network. You can also protect your users’
mobile traffic, whether they are connected to Wi-Fi or cellular networks. The app forwards
user traffic to the Zscaler service and ensures that your organization's security and access
policies are enforced wherever they might be accessing the internet.
● With Zscaler Private Access (ZPA), you can enable your users to securely access enterprise
applications from outside the corporate network. ZPA establishes a secure transport for
accessing your enterprise apps and services.
● With Zscaler Digital Experience (ZDX), you can monitor your organization’s user devices to
detect user experience and productivity issues. ZDX relies on Zscaler Client Connector to
perform synthetic probing to a desired Software-as-a-Service (SaaS) application or internet-
based service (e.g., OneDrive, Gmail, etc.).
3
Activity 1: Understand and initiate Workshop environment
In this activity, you will:
• Log in to the Workshop environment from your laptop.
• Learn the layout of the environment and its various components
Task 1 – Log in to Your Workshop Environment
Step 1: Verify that your laptop is equipped with a modern browser that supports HTML 5.0. We
recommend using the latest version of Firefox®, Chrome, or Internet Explorer®/Edge®.
Step 2: Open a browser window and navigate to the class URL. If you have an invitation email, you will
find the class URL and passphrase there. Otherwise, your instructor will provide them.
Enter your email address and the class passphrase.
Step 3: Complete the registration form and click Login at the bottom.
Step 4: Once you have logged in, the system will create a unique Lab environment for you. Please note
that this process may take a while, as indicated by the green progress bar at the top of the screen.
Once the environment has been created, the system will display a welcome page. Click Start Using
This Environment to begin.
This will display a list of all virtual systems that constitute the Lab environment.
Take note of the shortcut menu at the top of your browser window. You will use this menu throughout
the workshop to switch between the available desktops.
Task 2 - Understand the Workshop Environment Setup

This Workshop environment consists of the following components:
1. App Connector VM: this App Connector will be configured to provide access to the internal
application. Network parameters will be changed based on this guide.
4
Note: Please do not change the Keyboard language of the App Connector virtual machine on
Cloudshare environment. The default Keyboard is English-US and use the Send Text Feature to
run commands on this VM. Do not reboot this VM also. This is important to accomplish the lab
without issues.
2. My APP: it is an Ubuntu based VM that hosts an internal web application and it will be used to verify
that ZPA configuration is working fine. Please note also that you will change networks parameters for
this VM.
3. Win-mobile: Windows VM running Zscaler Client Connector for remote user. Each student will be
logged in with their own unique login. Zscaler Client Connector will give access to ZIA Security
services, ZPA and ZDX. You will install Zscaler Client Connector later during this lab exercises. You
will use credentials provided by your instructor to log in.
5
Review the diagram below to better understand the LAB environment setup.
Note: SSO with SAML is already configured and ready to be used.

Each student will be assigned a unique Student-ID which will be used for the configuration of your App
Connector and My_App VM’s network parameters.
Example of username to be provided by your instructor and to use on SAML authentication on the
Client Connector: student<ID>@westconcloudlab<tenant-ID>.com.
6
Note: Your ID will also be used to determine your network parameters of My APP VM and App
Connector VM.
End of Activity 1
7
Activity 2 – Configure your VMs Network Parameters
• Retrieve your assigned Student-ID from your Instructor
• Access My APP VM and APP Connector VM
• Configure previous VMs with the right Network Parameters using your StudentID
Task 1 – Retrieve assigned Student-ID

Step 1: Your Instructor will provide you a personal studentID that will be used in all tasks in this guide.
Please ask for studentID before continuing the workshop.
Task 2 – Configure My APP VM Network parameters

Step1: Access to My APP VM and click on Keyboard and then click on Send Password
Step 2: Go to Network button, click on Wired Connection and click on Wired Settings
Step 3: Click on the Gear Button to customize your network parameters:
8
Step 4: Go to IPv4, then Address and change the IPv4 address to 10.160.20.2<yourStudentID> and
apply your settings.
For example, student11 will use 10.160.20.211 as IP address:
Step 5: Stop the network service using previous window and then start it again:
At this Step, you finished network settings of MyAPP VM.
Task 3 – Configure APP Connector VM Network parameters

Hint: Use the copy and paste function. Copy and Paste commands using Keyboard > Send Text feature
for steps below.
Step1: Go to App Connector VM on Cloudshare.
Log into the system with the default credentials (admin / zscaler)
9
If you are not logged into the system as an admin user with Root privileges, type the next commands
(and introduce password “zscaler” again if required):
sudo su -
Now you should be already connected to App Connector as an admin user with Root privileges.
Step 2: Edit the /etc/sysconfig/network-scripts/ifcfg-eth0 file. Use an editor, such

as nano.
The complete command is nano /etc/sysconfig/network-scripts/ifcfg-eth0
10
Step 3: Go to IPADDR parameter and change it to use 10.160.20.1<student-ID> as IP Address.
For example, student11 should use 10.160.20.111 as IP address for the App Connector.
Step 4: Leave other parameters to their default values and use Ctrl+X then Yes to save changes.
Step 5: Apply the changes by rerestarting the networking subsystem using the following command:
systemctl restart network

Step 6: Verify that a public DNS server is already configured on your app connector using the command
cat /etc/resolv.conf
Step 7: You can ping google.com to verify that your networks parameters are correct.
End of Activity 2
Activity 3 – Configure and link your App Connector VM to your ZPA

instance
• Connect to your ZPA admin portal
• Create App Connector group and Provisioning Key
• Link you App Connector to your ZPA tenant using Provisioning Key
Task 1 – Connect to ZPA Tenant and Create App Connector requirements

Note: You can connect to ZPA Administration Portal from browser’s PC or from your Win-mobile
Virtual machine browser.
Step 1: Using your machine or your Windows10 VM, open a browser and go to the Westcon 3DLAB
Portal via, https://3dlab.westconsecurity.eu
Step 2: Sign in with credentials provided by you instructor. Login should be in this format:
student<ID>@westconcloudlab<tenant-ID>.com. Password is also provided by your instructor.
11
Note: Do not use login showed in the screenshot. It is just an example.
Step 3: After Sign in, Click on ZPA Admin Portal
Note: if you don’t have installed Okta Browser Plugin before on your browser, you will prompt to
install it on your Browser. Okta Browser Plugin is mandatory to access your Admin Portal.
Step 4: If okta Browser Plugin is installed, go back to ZPA Admin Poral App and Click on it. Your Zscaler
Internet Access Portal will open in a new tab.
After Signing in, close Cloud Updates popup:
12
Step 5: Go to Configuration & Control > Private Infrastructure > App Connector Management > App
Connectors:
Step 6: On App Connector Page click on + Add App Connector
Step 7: Select Create a new provisioning key and click on Next
13
Step 8: On Signing Certificate, select Connector and click on Next
Step 9: On App Connector Group, click on Add App Connector Group
Step 10: Enter a Name and a Description to your App Connector Group. The name of your App
connector group should be StudentIDConnectorGroup
14
Step 11: Status should be Enabled, leave other parameters to their default value, and enter a
Location for your App Connector then click on Next
Step 12: On Create Provisioning Key, enter a Name for your Key and a Maximum Reuse of the key.
The name should start with you studentID. Then click on Next
For example, student11 should use student11ProvisionningKey as name and 5 for the maximum
reuse value.
15
Step 13: Review your configuration and save it by clicking on Save
You will be invited to review the documentation to deploy your app connector and to copy your key
for future use on this guide.
Step 14: Click on Done to finish this step
16
Step 15: Go to your App Connector Group and verify that your App Connector is added.
Step 16: Move to App Connector Provisioning Keys and verify that your key isn’t already used (value
is 0).
Task 2 – Link your App Connector to your ZPA tenant using your Provisioning key
Step 1: Go to your App Connector VM on CloudShare and Stop Zpa-connector service using the
command
systemctl stop zpa-connector
Step 2: Remove any old Provisioning Key with the command rm -f /opt/zscaler/var/*
Step 3: Create the key file with the command touch /opt/zscaler/var/provision_key
Step 4: Change the file rights using command

chmod 644 /opt/zscaler/var/provision_key
17
Step 5: Then edit the file using nano editor to enter your Provisionning Key using the command
nano /opt/zscaler/var/provision_key
Step 6: Go to ZPA Admin portal then go to App Connector Provisioning Key and copy your key
Step 7: Paste your Key on the nano editor using Keyboard > Send Text feature
Step 8: Save changes to the file using Ctrl+X then choose Yes and press Enter.
Step 9: Start zpa-connector service using the command systemctl start zpa-connector
Step 10: You can verify the status of the service using command systemctl status zpa-
connector
At this step, your App Connector should be UP and linked to your instance.
Step 11: To verify it you can go to App Connector Provisioning Keys and see that the number of key
usages was changed from 0 to 1.
18
You can also verify that your App Connector is UP by going to App Connectors sub menu on
Administration, you will see that your App Connector is Connected, and a Software Upgrade is
Scheduled.
End of Activity 3
19
Activity 4 – Add your internal application to ZPA and test the user
access to it
• Configure your internal application on ZPA
• Log in the Client Connector on the Windows VM
• Test your mobile user access to your internal application
• Navigate to Dashboard and see some statistics
Task 1 – configure your internal application on ZPA

Step 1: Go to ZPA Admin Portal, then Resource Management > Application Management >
Application Segments
Step 2: Click on Add Application Segment and give a Name and a Description to your application.
Use as name Student<ID>AppSegment on your application name, for example student11 should use
Student11AppSegment as a name.
Be sure that Status is Enabled
20
Step 3: On Applications, enter your FQDN that will be used later to connect to your internal web
application.
The FQDN should be student<ID>.westconcloudlab<tenant-ID>.com
Step 4: Specify the TCP port range is 80 and click on Next
If a warning message will be displayed, click on OK
21
Step 5: On Segment Group, select Add Segment Group and enter a Name and a Description using
your Student<ID>SegmentGroup. Click Next.
Step 6: On Server Group, select Add Server Group and give a name Student<ID>ServerGroup.
Verify that Status is enabled, and Dynamic Server Discovery is turned OFF. Click ok to the Warning.
Then, select your App Connector Group previously created (with your
student<ID>AppConnectorGroup). Click Done.
22
Step 7: Click on Next
Step 8: On Servers, Select Add Server and enter the Name student<ID>Server and the IP Address of
your APP VM that you configured on Activity 1 (the IP Address of the Ubuntu VM).
The IP address should be 10.160.20.2<yourStudentID>
Step 9: Click on Next
Step 10: On Review Step, review your configuration and save it by clicking Save
23
Step 11: On the Last step (Policies), click on Edit Policy
Step 12: Then Click on Add Rule
24
Now you will add a rule to authorize users to access to your internal web application hosted by the
Ubuntu VM.
Step 13: Enter Name and a Description Student<ID>AccessPolicy to the new policy.
Step 14: On Action, Rule Action must be set to Allow Access
Step 15: Set App Connector Selection Method to Specific App Connector groups or Server[…]
Step 16: Specify your App Connector Group from the drop-down menu Student<ID>ConnectorGroup
and click Done.
Step 17: Select your Server Groups previously created Student<ID>ServerGroup.
Step 15: Click on Save to add the Policy
Note: ZPA UI will be shared with other Student and maybe you will configure policy order 1 and later
another Student will get the order 1. Then your policy will get order 2 or 3 or another order number.
You finished your configuration. Next Task you will test your user access to your internal application.
25
Task 2 - Install Zscaler Client Connector on your Windows virtual machine
To install Zscaler Client Connector on your Windows10 VM, you will use EXE installer file located on
your desktop. You will use install option on this Task. Install option let you customize Client Connector
deployment on customers environment and simplify automated deployment of Client Connector Agent
on supported customer’s machines and devices.
To learn more about install options, you can visit this link: https://help.zscaler.com/z-app/customizing-
zscaler-app-install-options-exe#mode
On this task, you will use some installation option the ZCC (Zscaler Client Connector). Options that will
be used are:
- --mode: This install option allows you to install the app in silent mode.
- --cloudName: If your organization is provisioned on more than one cloud, your users are
asked to select the cloud to which their traffic is sent during the enrollment process. In this
lab, cloudName will be zscaler.
- --userDomain: This install option allows users to skip the app enrollment page. If SSO is
enabled for your organization, users are taken directly to your organization's SSO login page.
If you've integrated SSO with the app (i.e., using a mechanism like Integrated Windows
Authentication (IWA)), users can also skip the SSO login page and are automatically enrolled
with Zscaler service and logged in. In this lab, userDomain will be westconclouclab3.com.
To install ZCC with the recommended method of this lab, please follow steps below:
1- Go to your virtual machine and open a Command Prompt
2- Type the command cd Desktop to change the directory to your Desktop (installation file is
located on your Desktop)
3- Locate your User Domain from the provided login username by your instructor.
Example: if your instructor gives you the username student10@westconcloudlab3.com, so
your Zscaler User Domain is westconcloudlab3
4- Type the command "Zscaler installer.lnk" --cloudName zscaler --userDomain
westconcloudlab<tenant-ID>.com --mode unattended to launch installation in silent
mode.
26
5- In UAC window, click on Yes to continue.
Once ZCC is installed, it will provision itself with your ZPA tenant using CloudName and userDomain
options and it connects you to your SSO portal to log in.
Task 3 – Log in the Client Connector on the mobile user VM

Step 1: Go to your CloudShare environment, then open your win-mobile VM.
The Zscaler Client Connector is now installed. Open the Zscaler Client Connector.
Step 2: Enter your username and password provided by your instructor:

student<ID>@westconcloudlab<tenant-ID>.com
27
Note: May after Sign In you have to Reconnect the machine. Go in the Cloudshare GUI on the left to
“Connectivity” and click “Reconnect”.
Step 4: After a successful authentication, go to Zscaler icon, right-click and click on Open Zscaler
Step 5: Verify that ZPA is connected (Private Access on Client Connector)
28
Task 3 – Test your mobile user access to your internal
In this Task, you will connect to your internal web application.
Step 1: On the Desktop, open a browser and Navigate to your previously configured FQDN, in this
case student<ID>.westconcloudlab<tenant-ID>.com
Your connection is successful, and Your internal Web app is now delivered by ZPA and your App
Connector.
Task 4 – Navigate to Dashboard and Observe some statistics

You can generate some connection to your internal web application, and you can visualize real-time
statistics using Dashboard and Live Logs features on the ZPA Admin Portal.
Step 1: Go to Dashboard > Application and see how many transactions was successful or how many
recent Applications accessed
Step 2: Go to Users to see how many users are connected and statistics about their transactions.
29
You can also navigate to Health to verify application Health and App connectors to verify your App
Connector status.
You can Also see Live Logs which can be used to view Live Transaction
End of Activity 4
30

ZPA Workshop guide V11 Unified

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

ZPA Workshop guide V11 Unified

Uploaded by

Copyright:

Available Formats

Zscaler Private Access Workshop

Task 1 – Log in to Your Workshop Environment

Task 2 - Understand the Workshop Environment Setup

Note: SSO with SAML is already configured and ready to be used.

Task 1 – Retrieve assigned Student-ID

Task 2 – Configure My APP VM Network parameters

Step 3: Click on the Gear Button to customize your network parameters:

For example, student11 will use 10.160.20.211 as IP address:

At this Step, you finished network settings of MyAPP VM.

Task 3 – Configure APP Connector VM Network parameters

Step1: Go to App Connector VM on Cloudshare.

Step 2: Edit the /etc/sysconfig/network-scripts/ifcfg-eth0 file. Use an editor, such

systemctl restart network

Activity 3 – Configure and link your App Connector VM to your ZPA

Task 1 – Connect to ZPA Tenant and Create App Connector requirements

Step 3: After Sign in, Click on ZPA Admin Portal

After Signing in, close Cloud Updates popup:

Step 6: On App Connector Page click on + Add App Connector

Step 7: Select Create a new provisioning key and click on Next

Step 9: On App Connector Group, click on Add App Connector Group

Step 14: Click on Done to finish this step

Step 4: Change the file rights using command

Task 1 – configure your internal application on ZPA

Be sure that Status is Enabled

The FQDN should be student<ID>.westconcloudlab<tenant-ID>.com

Step 4: Specify the TCP port range is 80 and click on Next

If a warning message will be displayed, click on OK

The IP address should be 10.160.20.2<yourStudentID>

Step 9: Click on Next

Step 12: Then Click on Add Rule

Step 14: On Action, Rule Action must be set to Allow Access

Step 17: Select your Server Groups previously created Student<ID>ServerGroup.

Step 15: Click on Save to add the Policy

1- Go to your virtual machine and open a Command Prompt

Task 3 – Log in the Client Connector on the mobile user VM

Step 2: Enter your username and password provided by your instructor:

Step 5: Verify that ZPA is connected (Private Access on Client Connector)

Task 4 – Navigate to Dashboard and Observe some statistics

You might also like