Day 1 ZPA Bootcamp Slides - New Hire Version

Welcome!
Support/TAM Bootcamp Training 201
By: Davis Altamirano

Class Starts at 7:00 am PDT / 8:00 CDT / 10:00 am EDT
©2021 Zscaler, Inc. All rights reserved. ZSCALER CONFIDENTIAL INFORMATION

Zscaler™, Zscaler Internet Access™, Zscaler Private Access™, ZIA™ and ZPA™ are either (i) registered trademarks or service marks or (ii) trademarks
or service marks of Zscaler, Inc. in the United States and/or other countries. Any other trademarks are the property of their respective owners.
Prerequisite for Bootcamp
1-week technical course on core functions of Zscaler for new hires
• Completed the 101 training

• Installed require tools to participate in the interactive Labs
• https://docs.google.com/document/d/1XCol6I4-
bs5lI9vXVZNor5K8CSWkI94luR2YXcRMyco/edit?usp=sharing
2 ©2021 Zscaler, Inc. All rights reserved. ZSCALER CONFIDENTIAL INFORMATION SECURING YOUR DIGITAL TRANSFORMATION
What is Bootcamp Training About?
1-week interactive technical course on core functions for new hires
• Goal is to extend your technical knowledge on Zscaler in live instructor led sessions by
SME’s (Subject Matter Experts) within the GSC organization.
Agenda
This week is to dive into ZPA
• ZPA (Zscaler Private Access)

• Day 1 (ZCC)
• Architecture Overview
• Fundamentals (Traffic Flow)
• Day 2 (ZPA)
• Architecture Overview
• Fundamentals (Traffic Flow)
• Authentication Flow
• Admin Portal
• Day 3
• Connectors
• Configuring Applications
• Day 4
• Troubleshooting ZPA issues
• Day 5
• Best practices.
• ZPA Quiz
Intro/Zscaler Core Function Overview
What services do we offer as a company?
Zscaler Core Functions
• We act as a secure web gateway (proxy) for customers’ outbound internet traffic
• Type of services we offer
• ZIA - Zscaler Internet Access
• ADP, AV, Cloud, FW, Cloud IPS, Sandbox, BW Control, Cloud, Browser Isolation, CASB, DLP
• ZPA - Zscaler Private Access
• Alternate for VPN, Browser Access
• ZDX - Zscaler Digital Experience
• Monitoring Tool
• ZCP - Zscaler Cloud Protection
• Zscaler Workload Segmentation, Cloud Connectors, Security Posture Management
Where are we in the industry?
Gartner Quadrant (We are the best!)
• Zscaler continues to define the Secure Web

Gateways (SWG) category, enabling secure
digital transformation for thousands of global
customers with an industry-leading Zero Trust
architecture. We’ve been named the only
Leader in the Magic Quadrant for Secure Web
Gateways, further extending 10 years of
Magic Quadrant leadership.
ZPA Architecture Review
Module 1 Objectives
By the end of the module, you will be able to understand and identify all
the different component of the ZPA infrastructure
Objectives
● Understand and identify all the different component of the ZPA
infrastructure
● Explain the role of the main components of the ZPA cloud like: Wally, ZPA
Broker and App connector
Why ZPA ?
Why should customers use ZPA
• Traditional VPN is intrusive.

• Admins need to provide access to the entire network or entire box.
• Overhead to maintain multiple ACLs for multiple users.
• Cost Overhead as there is need to have multiple boxes, (VPN Concentrator, IPS/IDS boxes etc.,)
What ZPA helps with?
What should customers that use ZPA expect
• Zero Trust Network Access (ZTNA)

• Connect users to apps without bringing them on the network(Application access, not network
access)
• Never expose applications to unauthorized users, You can’t attack what you can’t see – Deepweb
(not darkweb)
• Segment apps without segmenting the network (Per-session, user-to-app, segment of 1)
• Provide secure remote access over the Internet without VPN (End-to-end TLS tunnels)
• Granular and Segmented policies from a single UI
• Reporting and Diagnostics(Visibility into all transactions)
What is Zero Trust?
What is ZTNA
• Zero Trust means that even Zscaler cannot see or inspect client private traffic if it is not
desired.
• Use of your organization's private CA certificates means traffic can be double encrypted
(the "Bring Your Own Encryption" or BYOE model). Making it impossible for Zscaler to
gain insight into the traffic.
• It is possible for your applications to also use their own encryption when transiting ZPA
tunnels.
• Further, the tunnels used in ZPA are double certificate-pinned and this means traffic is
immune to Man In the Middle attacks. If the certificate used in the tunnel traffic is altered in
anyway, traffic is immediately blocked.
Threat Landscape and ZPA
Threats and Counter Measures
ZPA Privacy Controls
Controls at various levels
To summarize the high level privacy controls adopted by ZPA are as follows:
Privacy Protection at the Transactional Level

• Zscaler services never store transactional content
• Transactional content is never written to disk
• Logs are stored and transferred in an encrypted format
• Logs are only viewable through the Zscaler admin portal with Admin privileges
Protection at the Hub Facilities

• Security standards are on par with world-class financials and data centers
• Authorized personnel must pass through multiple levels of security and scanning to gain access
• All data centers are completely anonymous
Protection at the Network Level

• All logs are transferred using TLS encryption, and stored with key elements in tokenized form
Major components of ZPA.
Components That Make Up the ZPA Cloud...
Major components of ZPA.
Components That Make Up the ZPA Cloud...
ITASCA Components Components
written in C-Language written in JAVA DB SCHEMA GULF ATLANTIC UI
Wally Management API Postgres SQL Admin UI Annoucements
Dashboard/Diagn
Broker Geo-IP Updates
ostics
Connector Dispatcher Provisioning
AuthSP/AdminS
Slogger
P
Lookup
Exporter
zShift
Major components of ZPA
What powers the cloud
• Wally : Central Authority:

• Similar to the CA on the ZIA front.
• Act as the brain of the cloud.
• Follows a Client/Server distribution model
• Central database holding all the sensitive information about the organization and their policies.
• Monitors all the components in the cloud and much more.
• Gulf UI : Administrator User Interface or Policy Portal

• Application and application groups are mandatory
• Server configuration is optional; can be left to dynamic discovery (also recommended)
• Connector and connector groups are mandatory
• Policy is tied to an application (group)
• Connector with the shortest rtt to the application socket is selected
• ZPA will load balance between the connectors
• Recommended to have a connector pair in every physical site where an application is hosted
Major components of ZPA cont.
• Dispatcher:
● Finds the best route from the Broker to the Application via the best possible App Connector.
● Ephemeral health propagation layer, tracks health of all connectors and private applications
behind them
● Checks for resolvability of DNS names of private applications
● Less number of dispatchers than ZPA SEs (reduces the number of state messages being sent
across the network)
● Path selection : using server latency(comes from health reporting), round robin and user
stickiness cache
• AuthSP/AdminSP:
• Helps with the Authentication Service.
• AuthSP helps with the user login.
• AdminSP helps with the Admin login.
• Connectors:
• Lightweight Linux package, also available as OVA, AWS/Azure instance.
• Connector process maintained by Zscaler (customer has only control over the upgrade time
window)
• Upgrades are always staggered across connectors in the same group.
• Enrollment using provisioning keys and certificate.
• Provisioning key deleted after enrollment through the ZPA SE
• Functions:
• DNS, application reporting/discovery, health reporting(latency and reachability of
applications), sets up mtunnels on request from the dispatcher.
• Broker : ZPA Service Edges:

• Similar to the ZIA Service Edges.
• High performance, web gateway that takes traffic from the customers.
• Downloads the config from Wally and applies the policies on the traffic.
• Data forwarding(mtunnel signaling)
• Client auth (cert+SAML) : client certificate, saml assertion, user id and hardware fingerprint
• Connector auth : connector certificate, hardware fingerprint
• Config distribution to connector
• Config distribution to client
• DNS Message passing between dispatchers and connectors (no local DNS resolution)
• Logging of auth, ztunnels(tunnel nego, termination, every 5 minutes), mtunnels(tunnel nego,
termination, every 5 minutes) and health
• All authentication using public keys (Only the customer knows the private keys)
• ZPA SE gets the following config from Wally

• Application segments (and groups)
• Server (and groups)
• Client enrollment state
• Connector enrollment state
• Slogger:
● It is used by the LSS.
● It evaluates the LSS and informs the Broker to forward the logs to the connector designated for
LSS.
• LookUp:
● Converts IDs to name
● Used in the UI for the Dashboard and Diagnostics sections.
• Exporter:
● Used in Browser Access
● Browser Access is for Client-less Access of Applications.
Break
Zscaler Client Connector (ZCC)
About ZCC / ZPA
• ZCC is nothing but a “Smart traffic forwarder”. Using ZCC, users can get all of the benefits of the
Zscaler service for Internet traffic, as well as granular, policy-based access to internal resources from a
single point.
• When ZCC is configured for ZIA , you can protect your users' web traffic even when they are outside
your corporate network. The app forwards user traffic to the Zscaler service and ensures that your
organization's security and access policies are enforced wherever they might be accessing the internet.
• With Zscaler Private Access (ZPA), you can enable your users to securely access enterprise
applications from outside the corporate network. ZPA establishes a secure transport for accessing your
enterprise apps and services.
• Mobile Admin portal (Zscaler App portal) is a Web portal used for administration of Zapp devices ,
configuring policies , generating reports , upgrading Zscaler App on all customer devices..etc
ZCC Enrollment
Zscaler App Provisioning and Enrollment
Zscaler APP Portal SSO
1. Configure Zscaler App

Zscaler Admin Mobile Admin
Portal
Company Admin
Enterprise
2. Enroll
User
Internet
Zscaler App Provisioning and Enrollment
• User Workflow
‣ User enters userid@domain in App.
‣ ZCC starts cloud discovery. App discovers the cloud based on the domain captured from the userID.
‣ If more than one cloud has the domain provisioned, it asks the user to select the cloud.
‣ Or if, as part of installation parameters cloud was given, then App directly connects to the same cloud.
‣ App discovers the cloud based on the domain captured from the cloud
‣ User authenticates with presented service.

‣ App is auto provisioned for authenticated service by downloading the service specific configuration
‣ User is assigned a deviceID and PIN, which forms the basis for digest credentials used by ZCC now.
‣ Ztunnel is setup on the device on successful enrollment

‣ Based on forwarding profile, ZCC now sets up proxy and routes if needed.
‣ ZCC is now ready to intercept user traffic.
Authentication Overview
Device is registered with

SMCA and a PIN is
generated by CA and
passed back.
DeviceID and
PIN becomes
username
and password
for completing
digest auth
with ZIA.
ZCC App profile
• This is a configuration file the App downloads to configure the client.

• The app profiles are OS specific. Currently we support Windows, MAC, Android, IOS, and Linux.
• The app profile inherits the forwarding profile. Forwarding profile decides the mode ZCC works in.
• ZCC application-level configurations are added in this profile.
App profile inherits forwarding profile.

App profile PAC helps
ZCC decide the SME to
connect
ZCC Forwarding profile
• Administrator configures the “Forwarding profile” on the Mobile Admin portal to decide “when” and
“which “ traffic forwarding mechanism Zscaler app should use
• The forwarding profile tells the Zscaler App how to treat traffic from your user's device in “different
network environments” for the Zscaler Internet Access (ZIA) and Zscaler Private Access (ZPA)
services.
• Ways to forward traffic for ZIA traffic :

• Tunnel (TAP driver or LWF Filter) : In Tunnel mode, the app tunnels traffic at the network (IP) layer. It
captures user traffic by setting IP routes on user devices OR uses LWF filter .
• Tunnel with Local proxy: In this mode, the Zscaler App sets proxy settings on user devices so that all user
traffic is tunneled to Zscaler.
• Enforce Proxy : In Enforce Proxy mode, the Zscaler App enforces system proxy settings as specified, without
tunneling any traffic.
• None: Disable Zscaler app traffic forwarding
• Ways to forward traffic for ZPA traffic :

• Tunnel
• None
ZCC Forwarding profile
• Forwarding Profile determines the forwarding action used by ZCC.
• It also helps you select “Trusted Network Criteria”, based on which forwarding behavior can be
changed.
• Forwarding profile lets you configure a PAC which ZCC enforces on the system.
Depending on type Depending on type of

of Network, Network, Forwarding
Forwarding Action Action can be
can be changed. changed for ZPA too.
Forwarding profile PAC.

PAC Files Used By ZCC
• ZCC configuration allows the user to configure two PAC files.

• PAC file in Forwarding profile.
• PAC file in App profile.
• App profile PAC is used by ZCC to decide which SME to connect to.
• It can also contain bypasses that customer configures.
• Forwarding profile PAC is the PAC which ZCC enforces on the browsers/system.
Forwarding Modes in ZCC.
Forwarding modes
• Forwarding modes Applicable for ZIA

● Enforced Proxy/PAC
● TWLP
● Tunnel 1.0 with route based.
● Tunnel 1.0 with packet filter based.
● Tunnel 2.0
● None
• Forwarding modes Applicable for ZPA

• Tunnel Mode
• None
Tunnel (Tap/Route) Forwarding Mode
• In tap/route mode, we install an adapter and specific routes to get traffic.
• ZCC operates at layer 3 and redirects packets to local listening proxy.

• Local listening proxy accepts the connection and does tcp handshake.(127.0.0.1:9000)
• 80/443 traffic is sent to SME based on pac bypasses in App profile pac. Rest of traffic is sent direct through default Physical
interface.
• After the traffic lands on ZCC, we evaluate the app profile PAC
and determine action for all web traffic.
• Rest of the traffic is sent DIRECT.
Zscaler installs more specific routes

than default route.
LWF driver installation verification
• Look for “zs_zapprd” driver in the output of following command
• Command lists all installed network drivers so can be used to find out other LWF based drivers installed on
machine.netcfg -s n
• If there is need to dump current filters set during live debugging, execute filter.exe utility to print all filters on cmd. Link
to download: FilterTable.zip
Trusted Network
• Why do customers use trusted network:

• Customers want different forwarding actions depending on the network they are in. To this end,
customers can configure trusted network.
For Zscaler Client Connector, to identify one of your organization’s trusted networks, you must define
conditions for that network as criteria that Zscaler Client Connector uses for verification.
• DNS Search Domains: The DNS servers to which your corporate network sends DNS requests. Enter the DNS
servers, separated by commas. IPv6 addresses are supported if you’re using Zscaler Client Connector version 3.4
or later. The app verifies at least one DNS server.
• Hostname to IP mapping: The search domains configured as the primary domains for the network adapter
used for connecting to Zscaler. Enter the search domains, separated by commas. The app only verifies the
primary domains assigned to the active network adapter.
• Pre-defined trusted networks: A hostname and the IP addresses to which the hostname resolves when users
are on the corporate network. For Hostname, enter the hostname. For Resolved IPs for Hostname, enter the IP
addresses that the hostnames resolve to, separated by commas. IPv6 addresses are supported if you’re using
Zscaler Client Connector version 3.4 or later. The app verifies at least one IP address.
Configuring Trusted Networks for Zscaler Client Connector
ZCC Troubleshooting
Most common issues and what to look for
• Most common issues:
• ZCC App Upgrade is failing

• Integrated auth related issues.
• ON/VPN Trusted criteria failing
• Seeing AV FW error in the ZCC browser
• Captive Portal Issues
Lab Exercise #1
Issue: Customer seeing FW Errors in the ZCC browser
• Problem Scenario:
a. Customer using ZCC and seeing FW Errors in the ZCC application and it cannot establish
a connection to the cloud.
b. ZCC logs -
https://drive.google.com/file/d/1RlWUt1BYWhykCHDK7fFvvAB95Wg0qhr5/view?usp=sha
ring
• Task:
a. If you do not have LOGAN access, open a helpdesk ticket and ask for it to be added to
Okta
b. Watch the demo on the LOGAN page and also additional training LOGAN training here.
c. Download the ZCC logs above and the upload them to LOGAN
d. Analyze the data and determine what the problem might be.
e. You can also use a text editor to analyze if you are unable to find the issue in LOGAN
f. From your analysis, what do you think the issue is?
g. What would you advise the customer as next steps?
Mobile Admin Portal (ZCC)
ZCC portal / ZAPP portal overview
Few key features or options:

➢ License Dashboard
➢ Enrolled devices list
➢ User group sync from ZIA (every 3 hrs)
➢ Zscaler App as IDP for authentication (link)
➢ Device posture for ZPA applications (link)
➢ Custom cert for SSL inspection of ZIA traffic
➢ Audit logs
➢ ZCC update configuration
➢ Device cleanup
➢ App fail open
➢ User Privacy
➢ Endpoint integration
Zscaler Client Connector Portal
View a list of enrolled devices, device
fingerprint information, and remove apps
from devices.
Click here for more information about Zscaler

Client Connector Portal
ZCC Help
Device detail
App Profiles
Configure a new app Edit an app profile rule or view the

profile rule policy token for a app profile rule.
Policy name Developers Developers

1
Policy name Group 2 Group_A,
2 Group_B
View specific platform Policy name Group 3
3
View a list of all configured app View the default policy.

profile rules.
ZCC Administration: Client Connector App Store
ZCC Administration: Client Connector App Store
ZCC Administration: Audit Logs
ZCC Administration: Forwarding Profile
ZCC Administration: Client Connector Support
Lab Exercise #2
Issue: Identify how many users not updated to latest ZCC version
• Problem Scenario:
a.Customer configured to update users to the latest version of ZCC. Some users were not getting
updated to the latest version.
b.CVS file from Mobile portal showing ZCC versions for users -
c.ZCC log from user who did get the update -
• Task:
a.Review the CSV file to see who did not get the update to the latest ZCC version
b.Analyze the ZCC log from the user who did not get the latest update.
c.How would you communicate your steps you did to the customer?
d.What would you advise the customer on issues it may cause when they do this?
Thank you For Attending
Day1

Day 1 ZPA Bootcamp Slides - New Hire Version

Uploaded by

Copyright:

Available Formats

Day 1 ZPA Bootcamp Slides - New Hire Version

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Day 1 ZPA Bootcamp Slides - New Hire Version

Uploaded by

Copyright:

Available Formats

Welcome!

Support/TAM Bootcamp Training 201

By: Davis Altamirano

©2021 Zscaler, Inc. All rights reserved. ZSCALER CONFIDENTIAL INFORMATION

• Completed the 101 training

• ZPA (Zscaler Private Access)

• Zscaler continues to define the Secure Web

• Traditional VPN is intrusive.

• Zero Trust Network Access (ZTNA)

Privacy Protection at the Transactional Level

Protection at the Hub Facilities

Protection at the Network Level

Wally Management API Postgres SQL Admin UI Annoucements

Connector Dispatcher Provisioning

• Wally : Central Authority:

• Gulf UI : Administrator User Interface or Policy Portal

• Broker : ZPA Service Edges:

• ZPA SE gets the following config from Wally

Zscaler APP Portal SSO

1. Configure Zscaler App

‣ User authenticates with presented service.

‣ Ztunnel is setup on the device on successful enrollment

Device is registered with

• This is a configuration file the App downloads to configure the client.

App profile inherits forwarding profile.

• Ways to forward traffic for ZIA traffic :

• Ways to forward traffic for ZPA traffic :

Depending on type Depending on type of

Forwarding profile PAC.

• ZCC configuration allows the user to configure two PAC files.

• Forwarding modes Applicable for ZIA

• Forwarding modes Applicable for ZPA

• ZCC operates at layer 3 and redirects packets to local listening proxy.

• Rest of the traffic is sent DIRECT.

Zscaler installs more specific routes

• Why do customers use trusted network:

• Most common issues:

• ZCC App Upgrade is failing

Few key features or options:

Click here for more information about Zscaler

Configure a new app Edit an app profile rule or view the

Policy name Developers Developers

View a list of all configured app View the default policy.

You might also like