ZCCA-PA Fundamentals StudentGuide Feb21 v1
Slide notes
Welcome to this training module on Zscaler Private Access fundamentals.
Page 1 of 54
Adobe Captivate Wednesday, February 10, 2021
Slide notes
Before you begin, take a moment and familiarize yourself with the recent changes to Zscaler product names used
throughout this course. For example, Zscaler App is now called Client Connector. A complete reference of old and new
product names for ZIA, ZPA and Z-App is available on the Help Portal at the URL listed here.
Slide notes
Here is a quick guide to navigating this module. There are various controls for playback including Play and Pause,
Previous and Next slide. You can also Mute the audio or enable Closed Captioning which will cause a transcript of the
module to be displayed on the screen. Finally, you can click the X button at the top to exit.
Slide 4 - Agenda
Slide notes
In this module we will cover the following topics:
• We will describe in overview what Zscaler Private Access actually is, its design tenets, and use cases;
• We will have a look at the components of ZPA;
• And we will have a brief look at some of the key features of the ZPA service.
Slide notes
The first topic that we will cover is a description in overview of what Zscaler Private Access actually is.
Slide notes
Virtual Private Networks (VPNs) have been the standard method to provide remote access to private applications and
assets since users began moving away from a central office with a direct connection to the data center. Remote access
VPNs extend the enterprise network perimeter to ‘trusted’ users, providing them with an ‘on-net’ experience.
As the network perimeter has evolved and use of the cloud becomes increasingly prevalent for business and personal
applications, however, certain attributes of remote access VPNs have become drawbacks. Remote access VPNs were
designed to give the user access to a network, and as the enterprise network has become increasingly mission-critical, it
has also become increasingly complex. Each additional remote access VPN deployment adds to this complexity.
This is partly because, like any other part of an enterprise network, the remote access VPN must be highly available. This
typically leads to multiple regional data centers, each with load balancers and redundant configurations to ensure
reliability. Enterprises often must further deploy global load balancers to ensure availability in case of regional disaster,
as well as purchase additional user licenses for concurrent use.
Slide notes
The drawbacks of this VPN architecture have become apparent over time:
• The ‘Hub and Spoke’ architecture is complex, with principal and regional data centers, each with its own stack of
security appliances to control access in and out. An MPLS backbone is often used to interconnect these data
centers.
• This architecture is expensive to implement and maintain. Every appliance at each location must be purchased,
deployed, managed, and maintained up to date.
• The end user experience when accessing resources remotely can be poor. The VPN gateway that a user
connects to may or may not be relatively local, while the resources they need access to could be hosted
anywhere within a data center, or even in the cloud. This can result in severely sub-optimal routing and
significant latency. In addition, the end user experience when off the network is different from when they are on it.
Slide notes
Gartner predicts that 60% of enterprises will phase out most of their VPNs in favor of ‘Zero Trust Network Access’ (ZTNA)
solutions by 2023. So what is a ZTNA solution?
In contrast to the VPN model, where the VPN appliances must be reachable on the Internet on known IPs with known
inbound port openings, with the whole purpose being to place the remote user onto the corporate network, ...
Slide notes
...a ZTNA solution only ever connects users to the specific applications they need. End users are never actually placed
onto the destination network, which removes the opportunity for lateral movement across that network to attack or
infect other resources (the user still reaches the authorized application itself, so the application's own authentication
and hardening remain necessary). Typically this is achieved by some form of 'inside-out' connectivity, where secure
connections are only ever established in the outbound direction and are brokered in a cloud service to form an end-to-end connection.
This is exactly the model that ZPA uses to give authenticated and authorized end users access to the specific
applications that they require.
Slide notes
Gartner defines 'Zero trust network access' as a replacement for traditional technologies, which require companies to
extend excessive trust to employees and partners in order to connect and collaborate.
Key attributes of a ZTNA system include:
• Removing applications and services from direct visibility on the public Internet: an application that cannot be
reached from the Internet cannot be targeted directly for denial of service or other attacks;
• Enabling precision (’just in time’ and ‘just enough’) access for named users to specific applications and only after
an assessment of the identity, device health and context has been made;
• Enabling application access independent of the user’s physical location or the device’s IP address (except where
this is a requirement - e.g. for specific areas of the world);
• Application access policies need to be based on user, device and application ‘identities’;
• Granting access only to the specific application and not to the underlying network, as this limits the need for
excessive access to all ports and protocols, or all applications, some of which the user may not be entitled to;
Slide notes
Zscaler Private Access has been built with four key security tenets in mind to achieve a true ZTNA infrastructure:
• Tenet 1: ‘Connect users to applications without bringing them onto the network’ – With ZPA, end users are never
placed onto the private network, they are simply granted access to a specific application based on the
applicable policy rules.
The goal has always been to connect users to applications without having to bring them onto the network.
Application access shouldn’t require network access, and access policies should be application-centric, rather
than ACLs based on network IP addresses. If remote users are not brought onto your network, then it isn’t
extended to thousands of locations, which helps to minimize the attack surface, and provides better security.
Slide notes
• Tenet 2: ‘Never expose applications to unauthorized users’ – ZPA does not advertise the availability of
applications; they are invisible to users other than legitimate and authenticated end users.
We never want to expose applications to unauthorized users. Application access should happen only after
authentication succeeds and policy is applied, so unauthorized users cannot discover or exploit internal
applications. Eliminating inbound connections and public IP addresses creates an enterprise darknet, where
applications are invisible to the external and unauthorized users.
Slide notes
• Tenet 3: ‘Segment applications without segmenting the network’ – ZPA controls access to applications based on
who the users are, what access they are entitled to, and the posture status of their end device.
We wanted to segment applications without having to segment the network. Each user connection is to a
specific application, through a per-session Microtunnel. Moving from a network-to-network connection, to a
user-to-application connection, eliminates any possibility of lateral movement on the secure connection.
Slide notes
• Tenet 4: ‘Provide increased visibility into private app activity’ – ZPA allows for targeted application discovery, to
allow end users to find the applications that they need. Discovery can be restricted to a specific domain or sub-
domain and can be limited to users matching any authorization criteria that you specify. For administrators
there are real-time authentication and activity logs available for 14 days in the Admin Portal, which may be
streamed to your on-premise SIEM for longer term storage and analysis.
• Our goal here is not to get in the way of legitimate application access requests, for end users it should just work.
We also wanted to provide administrators a comprehensive suite of Dashboards, Logs and Tools to allow them
to effectively monitor ZPA performance and quickly troubleshoot potential issues.
Slide notes
Common ZPA use cases include the following. First, as a remote access VPN replacement for employee access to internal
applications: with ZPA you give users access to specific applications only. Users are never brought onto the network and
applications are never exposed to the Internet, all without the need to deploy any hardware.
Slide notes
Second, to facilitate a migration to cloud-based applications. With ZPA you can transition to the cloud by deploying
App Connectors adjacent to your cloud applications. The end user experience is identical to accessing on-premises
applications; no remote access VPN connectivity is required, and no new infrastructure.
Slide notes
Third, secure partner, vendor or B2B access to specific applications only. ZPA end user authentication and
access policy rules control exactly who gets access to which applications, so a partner reaches the named
applications and nothing else.
Slide notes
Fourth, quickly and securely allowing (or blocking) access to applications on merger, acquisition, or divestiture. ZPA lets you
give named users access to named applications without any need to merge, or route between, networks.
Slide notes
All in all, ZPA meets the majority of Gartner's criteria for consideration as a Zero Trust Network Access solution and
redefines the private application access model.
1. For a start, users no longer need network access in order to use an application; with ZPA they do not need to
know where the application is hosted, and they do not even learn its IP address.
Slide notes
2. The ‘Inside-out’ communication model of ZPA allows the data center to ‘go dark’, there is no longer any need to
advertise the applications publicly. No inbound connections are required, removing the main vector for DDoS
attacks against traditional VPN appliances.
Slide notes
3. As the user is never placed onto the destination network by ZPA, there is absolutely no possibility of remote
network discovery through probing, or lateral movement to exploit vulnerabilities in adjacent servers or other
hosts.
Slide notes
4. As a result, ZPA is the enabler that allows the Internet to be used as the new Corporate network, providing
secure access to internal applications from mobile devices or direct from the Branch Office. Robust
authentication of end users, granular access policy controls and end-to-end encryption all contribute to allow
this network transition.
Slide notes
In a similar way to the ZIA Service, which has a Security Preview tool, the ZPA Service provides an Attack Surface Tool
that lets you evaluate what a potential attacker can see of your existing environment. This tool can
uncover the servers, namespaces, vulnerabilities, and cloud instances that are currently visible on the Internet by
querying public sources.
This tool is a little more invasive than the ZIA Security Preview tool, as Zscaler needs to know something about your
environment in order to evaluate your exposure, so registration is required to use it. For more information see the page at
https://www.zscaler.com/tools/security-assessment#contact-us.
Slide notes
The next topic we will cover are the components of the Zscaler Private Access solution.
Slide notes
Zscaler Private Access is a service deployed on a completely separate cloud from the Zscaler Internet Access service, and
some of the key components of the system are listed here. We will look at each in more detail in the following slides.
• The ZPA Central Authority (ZPA-CA) - Is a multi-tenant, globally distributed policy engine for provisioning
policies and enabling connection requests which provides full visibility into user activity and application access.
Note this is a different engine from the regular Zscaler Internet Access CA.
• ZPA Service Edges - Are globally available Zscaler nodes that act as brokers to enable the connection of users to
App Connectors for access to specific applications. Note that the ZPA Service Edges are distinct from Service
Edges used for Zscaler Internet access. ZPA Service Edges are hosted in a combination of Zscaler in-house Data
Centers, in AWS and in Azure to provide optimum coverage World-wide. ZPA Service Edges may also be
implemented on-premise as a single-tenant ‘private’ solution, although in this case they are still controlled and
managed by Zscaler.
• Zscaler Client Connector - Is a lightweight client available for the most popular end user platforms that can be
configured to access ZPA applications. It can also be used to forward Internet traffic to the Zscaler Internet
Access service. With Client Connector installed, authenticated and authorized end users can be
given access to private TCP or UDP client/server applications regardless of port.
• App Connectors - These are lightweight RPMs or virtual machines (VMs) installed on the destination network,
that establish an ‘inside-out’ connection to allow the private applications to securely reach the ZPA cloud.
• ZPA Tunnels (Z Tunnels) - Are encrypted TLS tunnels to the Zscaler cloud from both the Client and App
Connectors. Each end authenticates the other and pins the certificate it expects (the tunnels are mutually
validated and doubly pinned), so an intermediary that does not hold the pinned keys cannot interpose itself.
• Microtunnels - Are end-to-end Byte-stream connections, identified by unique source and destination tags, that
are used for user access to a specific application. Optionally Microtunnels may also be encrypted using
customer-derived keys (the Double Encryption option).
• The Logging and Analytics Cluster and Log Streaming Service (LSS) - This component correlates analytics
information sent by the ZPA Service Edges and provides 14 days of log data in the ZPA Admin Portal. The
optional Log Streaming Service (LSS) allows you to stream log data to your on-premises SIEM through a chosen
set of App Connectors.
• And finally, the End User Portal - This provides an optional landing page for initial end-user logon, and can
contain links to all, or a subset of the applications that an end user is permitted to access. This component is
more associated with (although not exclusive to) Browser Access users.
Slide notes
The ZPA Central Authority (CA) is the brains behind the ZPA system. It is a redundant, distributed, multi-tenant engine
that is implemented within the ZPA cloud. It allows:
• The configuration of the environment;
• The establishment of policies for application access;
• It offers detailed visibility into user activity and application access;
• And it provides the App Connectors with their configurations.
One or more SAML IdPs to be used for user and/or administrator authentication must be configured on the CA and
customer-signed enrollment certificates (if required) may be loaded to it. The CA lists all discovered applications and
can be configured to target policies for specific applications (identified by hostname/IP address and port ranges). The
servers hosting the applications can be added manually or be dynamically discovered (recommended), and policy
configurations are available to control exactly who gets access to what. As applications are discovered, the CA also
monitors reachability and health, so that clients are always connected to the best possible instance of an application.
Slide notes
ZPA Public Service Edges hosted within the ZPA Cloud (or Private ones hosted on a customer’s premise), are the central
contact points between the end user devices and the customer hosted components; they can be thought of as the data
forwarding component of the system.
The ZPA Service Edges are the Z Tunnel destinations for both the Client and App Connectors and they ‘broker’ the end-
to-end connections needed by the end users. ZPA Service Edges provide authentication, secure data forwarding and
policy enforcement services.
ZPA Public Service Edges are hosted in Zscaler in-house DCs, in AWS and in Azure to provide a globally distributed,
redundant access infrastructure.
Slide notes
ZPA Private Service Edges are a software-only solution that may be deployed on-premises for the exclusive use of a single
customer, although they are still controlled and managed by Zscaler. A Private Service Edge is subordinate to the nearest
Public Service Edge for control purposes and for forwarding logs. Otherwise it operates independently as a dedicated
on-premises Broker for the customer who deployed it. It may forward data to the Public Service Edge if an end user needs
to connect to an application that is only available through a public Broker.
A Private Service Edge can be useful in situations where access to the customer’s nearest Public Service Edge may add
unnecessary latency between users and applications. It’s also useful for customers who simply prefer traffic not to leave
the corporate network, whether due to bandwidth constraints, security and compliance policies, or general philosophy.
Slide notes
Deployed by the customer, the Zscaler Client Connector sits on end-user devices and enables the user to request access
to applications. It may be used just for ZPA access to applications, or it can also be configured to protect Internet bound
traffic by forwarding it to the Zscaler Internet Access Cloud.
When connecting to ZPA applications, the browser (or other software agent) on the end user's device believes that it is
talking directly to the application, on a synthetic IP address assigned to the application by Client Connector.
Client Connector is the origin point for the user's encrypted Z Tunnels, and the origin for the end-to-end Microtunnels
required to connect the user to private resources. Posture profiles can be defined and are enforced by Client Connector
to ensure that access to your private applications is only permitted if the host device complies with the specified posture
requirements.
Note that the Client Connector is not required for ZPA access, as that can also be achieved for web applications from a
standard browser using a Browser Access (BA) configuration. However, Client Connector is required to allow client
device posture-checking, trusted network configuration validation and to provide multi-protocol access to private
applications.
Slide notes
Also deployed by the customer, App Connectors are normally the only component of the ZPA solution deployed
on the customer's internal network, adjacent to the applications that need to be accessible. They are available as a
lightweight virtual machine image for a number of popular hypervisors, or as an RPM package for deployment on
supported Linux distributions.
App Connectors must be able to DNS resolve the applications to be made available over ZPA and subsequently establish
a connection to them. The applications will believe that they are talking solely to the App Connector and are unaware of
the tunneling used to connect with the end user’s device.
An App Connector is a lightweight software module that boots extremely fast and is intended to sit adjacent to the
private applications that you need to provide remote access to, typically on the same subnet. App Connectors neither
support, nor require any inbound connections. They are the origin point for the application Z Tunnels, and destination
for the end-to-end Microtunnels. A provisioning key, signed by the appropriate ZPA subsidiary CA, is required to enroll an
App Connector after which it receives its configuration and certificates from the ZPA-CA. They may be updated or
restarted from the CA as required.
Slide notes
A single App Connector supports up to 500Mbps of throughput and to add access capacity for your private applications,
you simply need to add more App Connectors. They scale horizontally without any need for clustering or load-balancing;
the ZPA-CA automatically distributes user sessions across the available App Connectors to ensure an optimum user
experience.
Slide notes
Note that Zscaler recommends that App Connectors always be deployed in pairs, for redundancy and to ensure
continuous availability during the weekly App Connector software upgrades.
Slide notes
ZPA Tunnels (Z Tunnels) are encrypted TLS tunnels on destination port 443 that are established outbound by both the
Client Connector and the selected App Connector, to the nominated ZPA Service Edge for the connection. Both the App
and Client Connectors may open multiple Z Tunnels to the ZPA infrastructure, depending on the locations of the
applications requested, and the users requesting them.
These tunnels are double-pinned with mutual certificate validation: each end checks the other's certificate against the
one it expects, so an intermediary without the pinned keys cannot complete the handshake and interpose itself. If you
use outbound firewall rules, check the ZPA page at https://config.zscaler.com for the destinations that must be
reachable for the service to function.
The authentication of the Z Tunnels from the Client Connector is inherently multi-factor, as they are validated using the
SAML assertion, user identity certificate, and a hardware fingerprint; for the App Connector Z Tunnel an identity
certificate and hardware fingerprint are used for validation. TLS 1.2 is used to establish these tunnels, with the strongest
encryption cipher that is mutually supported by the Client and App Connector hosts, and the ZPA Service Edges.
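As an added example (not Zscaler code, and not the Z Tunnel protocol itself), the following Go program shows the property the paragraph above relies on: a TLS 1.2 session in which each side presents a certificate and each side accepts its peer only if the SHA-256 of the peer's public key matches a value it already holds (a pin), so an imposter holding a different key fails the handshake in either direction. The peer names (client-connector, service-edge), the throwaway self-signed certificates and the in-process loopback listener are constructed for the demonstration; ZPA's own certificate hierarchy, the hardware fingerprint and the SAML assertion check are not modelled.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"math/big"
	"net"
	"time"
)

// selfSigned makes a throwaway P-256 key and self-signed certificate for one peer (constructed for the demo).
func selfSigned(name string) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { panic(err) }
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// pinOf is SHA-256 over the certificate's SubjectPublicKeyInfo: the value each side holds in advance.
func pinOf(der []byte) string {
	leaf, err := x509.ParseCertificate(der)
	if err != nil { return "" }
	sum := sha256.Sum256(leaf.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// pinnedConfig presents own and accepts the peer only if its key hashes to peerPin. InsecureSkipVerify turns off
// the chain/hostname check so that the pin alone decides; the server side also demands a client certificate.
func pinnedConfig(own tls.Certificate, peerPin string, server bool) *tls.Config {
	cfg := &tls.Config{
		Certificates:       []tls.Certificate{own},
		MinVersion:         tls.VersionTLS12,
		MaxVersion:         tls.VersionTLS12, // the page states TLS 1.2 for Z Tunnels
		InsecureSkipVerify: true,
		VerifyPeerCertificate: func(raw [][]byte, _ [][]*x509.Certificate) error {
			if len(raw) == 0 || pinOf(raw[0]) != peerPin {
				return errors.New("peer key does not match the pinned key: refusing to continue")
			}
			return nil
		},
	}
	if server {
		cfg.ClientAuth = tls.RequireAnyClientCert
	}
	return cfg
}

// handshake runs one client/server handshake over a loopback socket and returns the first error either side saw.
func handshake(clientCfg, serverCfg *tls.Config) error {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil { return err }
	defer ln.Close()
	srvErr := make(chan error, 1)
	go func() {
		raw, err := ln.Accept()
		if err != nil { srvErr <- err; return }
		defer raw.Close()
		raw.SetDeadline(time.Now().Add(5 * time.Second))
		srvErr <- tls.Server(raw, serverCfg).Handshake()
	}()
	raw, err := net.Dial("tcp", ln.Addr().String())
	if err != nil { return err }
	defer raw.Close()
	raw.SetDeadline(time.Now().Add(5 * time.Second))
	cliErr := tls.Client(raw, clientCfg).Handshake()
	srv := <-srvErr
	if cliErr != nil { return cliErr }
	return srv
}

// RunHandshakes reports: legitimate pair accepted; an imposter Service Edge (same name, different key)
// rejected by the client; an imposter client rejected by the Service Edge.
func RunHandshakes() (good, rogueEdgeRejected, rogueClientRejected bool) {
	client, edge, rogue := selfSigned("client-connector"), selfSigned("service-edge"), selfSigned("service-edge")
	clientPin, edgePin := pinOf(client.Certificate[0]), pinOf(edge.Certificate[0])
	good = handshake(pinnedConfig(client, edgePin, false), pinnedConfig(edge, clientPin, true)) == nil
	rogueEdgeRejected = handshake(pinnedConfig(client, edgePin, false), pinnedConfig(rogue, clientPin, true)) != nil
	rogueClientRejected = handshake(pinnedConfig(rogue, edgePin, false), pinnedConfig(edge, clientPin, true)) != nil
	return
}
```

The point of the third scenario is the one the page calls "doubly pinned": pinning only on the client side would let a stolen or mis-issued client certificate complete the tunnel, so the Service Edge side has to pin the client's key as well. Pinning by public-key hash rather than by whole certificate lets the certificate be re-issued for the same key without changing the pin.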
Slide notes
Microtunnels consist of the data Byte-stream from the client application (Browser or software agent) that is transported
within the Z Tunnels to provide end-to-end connectivity between the client-side agent on the end user’s device and the
private application (in the datacenter or cloud). Microtunnels are established on a per-user, per-application basis, and
cannot be shared.
They are addressed using unique tags allocated dynamically when the connection is first established. The addressing of
data into the Microtunnels is somewhat similar to the ‘Label Switched Path’ of an MPLS network, with Microtunnel IDs
being generated on-the-fly by the Client and App Connectors as required and the ZPA Service Edge switching traffic into
the Microtunnels as necessary (based on those IDs) to provide application connectivity.
Optionally, an additional encrypted TLS tunnel can be established within the Microtunnel, encrypted using the strongest
cipher that is mutually supported by the Client and App Connector hosts. Keys can be provided by the customer, which
means that Zscaler has no possibility of intercepting, or reading data within the tunnel at the ZPA Service Edge. This
results in the ‘double encryption’ of traffic between the Client and App Connectors.
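To make the inside-out brokering of slides 9 and 10 and the tag switching described above concrete, here is an added Go model (not Zscaler's code and not the real wire format). Both connectors register an outbound tunnel with an Edge that has no address on any private network; a microtunnel is opened only after an explicit allow, each side receives its own tag, and the Edge switches frames purely on (peer, tag). The user name, the application hostnames, the function standing in for the HR application, and the "OPEN" control frame are all constructed for the example.

```go
package main

import "fmt"

// Frame is what travels inside a Z Tunnel: a microtunnel tag plus a slice of the application byte stream.
type Frame struct {
	Tag  uint32
	Data []byte
}

type hop struct{ peer string; tag uint32 } // far end of a microtunnel, as recorded in the Edge's switch table

// Edge is the broker. It knows only peers that dialled out to it (and the frames queued down each
// peer's outbound tunnel), which App Connector serves which application, and a per-peer tag table.
type Edge struct {
	inbox   map[string][]Frame
	apps    map[string]string // application hostname -> App Connector that can resolve and reach it
	table   map[string]map[uint32]hop
	nextTag uint32
}

// Register models a connector establishing its outbound Z Tunnel; serves is empty for a Client Connector.
func (e *Edge) Register(name string, serves ...string) {
	e.inbox[name], e.table[name] = nil, map[uint32]hop{}
	for _, app := range serves {
		e.apps[app] = name
	}
}

// Open brokers a microtunnel for user -> app: policy first, then the connector that serves the app, then one tag per side.
func (e *Edge) Open(user, app string, allowed func(user, app string) bool) (uint32, error) {
	if !allowed(user, app) {
		return 0, fmt.Errorf("policy: no allow rule for %s -> %s", user, app)
	}
	acName, ok := e.apps[app]
	if !ok {
		return 0, fmt.Errorf("no App Connector serves %s", app)
	}
	userTag, acTag := e.nextTag+1, e.nextTag+2
	e.nextTag += 2
	e.table[user][userTag] = hop{acName, acTag}
	e.table[acName][acTag] = hop{user, userTag}
	// Control frame asking the connector to open the app for acTag (format constructed for this example).
	e.inbox[acName] = append(e.inbox[acName], Frame{Tag: acTag, Data: []byte("OPEN " + app)})
	return userTag, nil
}

// Switch re-tags a frame and queues it for the far end; a tag the sender was never issued is dropped.
func (e *Edge) Switch(from string, f Frame) error {
	h, ok := e.table[from][f.Tag]
	if !ok {
		return fmt.Errorf("%s sent unknown tag %d: dropped", from, f.Tag)
	}
	e.inbox[h.peer] = append(e.inbox[h.peer], Frame{Tag: h.tag, Data: f.Data})
	return nil
}

// AppConnector sits next to the applications; apps stands in for a local TCP connection to each one.
type AppConnector struct {
	name     string
	apps     map[string]func([]byte) []byte
	sessions map[uint32]string // tag -> application opened for it
}

// Drain handles the queue: OPEN binds a tag to an application; data goes to that application and the
// reply is switched back through the Edge under the same tag.
func (a *AppConnector) Drain(e *Edge) {
	queue := e.inbox[a.name]
	e.inbox[a.name] = nil
	for _, f := range queue {
		if len(f.Data) > 5 && string(f.Data[:5]) == "OPEN " {
			a.sessions[f.Tag] = string(f.Data[5:])
		} else if app, ok := a.sessions[f.Tag]; ok {
			e.Switch(a.name, Frame{Tag: f.Tag, Data: a.apps[app](f.Data)})
		}
	}
}

// RunBroker returns the reply alice received over her microtunnel, the error for an application no rule
// allows, and the error for a frame carrying a tag alice was never issued.
func RunBroker() (reply string, denied, forged error) {
	edge := &Edge{inbox: map[string][]Frame{}, apps: map[string]string{}, table: map[string]map[uint32]hop{}}
	edge.Register("alice")
	ac := &AppConnector{name: "app-connector-1", sessions: map[uint32]string{},
		apps: map[string]func([]byte) []byte{"hr.corp.example": func(b []byte) []byte { return append([]byte("HR app got: "), b...) }}}
	edge.Register(ac.name, "hr.corp.example")
	allow := func(user, app string) bool { return user == "alice" && app == "hr.corp.example" } // the only allow rule
	tag, err := edge.Open("alice", "hr.corp.example", allow)
	if err != nil {
		panic(err)
	}
	edge.Switch("alice", Frame{Tag: tag, Data: []byte("GET /payslip")})
	ac.Drain(edge)
	reply = string(edge.inbox["alice"][0].Data)
	_, denied = edge.Open("alice", "finance.corp.example", allow)             // no tunnel is ever opened
	forged = edge.Switch("alice", Frame{Tag: tag + 1, Data: []byte("GET /")}) // connector-side tag is not alice's
	return reply, denied, forged
}
```

Two things to notice in the model: the Edge never holds an IP address or route for hr.corp.example (only the App Connector does the DNS lookup and local connection), and the tag table is keyed by the sending peer, so a tag guessed or copied from another tunnel has no entry and the frame is simply dropped rather than switched. Real Z Tunnels carry these frames inside TLS, which the model omits.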
Slide notes
The Logging and Analytics Cluster provides real-time visibility into the operation of ZPA over the last 14 days by
analyzing events reported, primarily by the ZPA Service Edges. Information includes:
• Primary tunnel logs - which consist of authentication logs for the Client and App Connector end stations;
• As well as Microtunnel logs - which consist of transaction data. These logs are sent to both the Log Cluster and, if
so configured, to your SIEM through the Log Streaming Service (LSS).
The ZPA Log Clusters and LSS provide real-time analytics and status, as well as short and long-term log storage.
No personally identifiable information (PII) is included in any logs created by ZPA, as security and privacy are the central
tenets upon which the solution has been built. The material is never stored on any type of persistent media until it
arrives at the Log Cluster. The information can also be obfuscated, based on the customer’s preferences.
It is important to note that data at rest in the Log Cluster consists of abstracted IDs and is not useful in any way on its
own; this information must be combined with additional information housed elsewhere to derive anything meaningful.
Should this data ever be combined, ZPA does not retain any record of the traffic.
The log streaming service (LSS) allows you to automatically stream User Activity, User Status, App Connector Status,
Browser Access or Audit Logs to your SIEM. You can then view them at leisure within your SIEM to analyze, identify and
remediate as needed. LSS provides a better understanding of the information coming from the ZPA service, by allowing
you to create log receivers that can receive information about your App Connectors and users.
LSS utilizes ZPA to stream the logs, and therefore requires an App Connector adjacent to your SIEM. LSS initiates a log
stream through a ZPA Service Edge which forwards it to a log receiver (your SIEM) through the appropriate App
Connector.
Slide notes
User Portals provide visibility to authorized applications for your organization’s employees and partners. From a User
Portal, an authenticated user can:
• View all applications they are allowed to access;
• Launch web applications directly from the portal (including Browser Access-enabled applications, web
applications set up for Zscaler Client Connector access, and public Software-as-a-Service (SaaS) web sites);
• And download the Zscaler Client Connector.
Slide notes
The final topic we will cover is a list of some of the principal features of the Zscaler Private Access solution.
Note, review the specifics of each item in your own time, there may be Quiz questions on the list of features, but not on
their details.
Slide 38 - Infrastructure
Slide notes
In terms of the infrastructure provided by the ZPA service, here are some of the most important features of the solution:
• ZPA provides a globally distributed cloud service;
• It is a multi-tenant infrastructure;
• ZPA provides end user access to named applications only, it does NOT provide access to the destination network
in any way;
Slide 39 - Infrastructure
Slide notes
• ZPA provides an ‘inside-out’ tunneling model, where the encrypted TLS tunnels are only ever established in the
outbound direction;
• The ZPA cloud is highly scalable and includes the option to deploy Private Service Edges on-site;
• It also ensures the secure enrollment of the infrastructure components (App Connectors) that are installed on
the customer’s network.
Slide notes
In the certificate management area:
• ZPA provides a default set of certificates for device enrollment and the establishment of TLS tunnels on
subscription to the service;
• Alternatively, customers can generate their own self-signed certificate authorities;
• Or even upload certificates signed by an internal enterprise private CA.
Slide notes
For the secure transmission of application data:
• ZPA tunnels used for data transfer are encrypted with the strongest mutually supported cipher;
• And, being mutually authenticated and certificate-pinned at both ends, they resist man-in-the-middle interception;
• A ‘Double Encryption’ option is available to ensure end-to-end security for data transferred to/from legacy,
unencrypted applications.
Slide 42 - Authentication
Slide notes
In the area of authentication:
• ZPA supports integration with multiple SAML Identity Providers (IdPs);
• The service supports the dynamic management of user accounts using the System for Cross-domain Identity
Management (SCIM);
• Plus, ZPA provides configurable per-application re-authentication timers.
Slide notes
In the area of application management:
• ZPA allows the on-demand discovery of applications, without the need for continuous probing or port scanning
on the destination network;
• Applications can be logically grouped at several levels;
• There are flexible forwarding configuration options, based on the network that an end user is connected to;
Slide notes
• Plus, the service is always seeking to find the optimum path to an application instance for the end user.
Slide notes
In terms of the access policy configuration options:
• The ZPA service will never grant anybody access to anything, unless there is an explicit allow policy;
• The policy rules may be targeted against individual applications, or logical groups of applications;
• There are multiple criteria available to refine the targeting of policy to particular users, groups of users, posture
statuses or trusted network settings;
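The three points above describe a default-deny policy with rules targeted at applications and refined by user, group, posture and trusted-network criteria. The Go evaluator below is an added example of those semantics, not the ZPA policy engine: the first-match-wins ordering and the criteria model are assumptions of the example, and the rules, users, group names, posture profile names and hostnames are constructed. It shows the case practitioners most often get wrong, a request that matches no rule at all, which must come out as deny.

```go
package main

import "fmt"

// Request is what the Service Edge knows when it evaluates an access attempt.
type Request struct {
	User           string
	Groups         []string // SAML/SCIM group memberships
	Posture        []string // posture profiles the device currently satisfies, as reported by Client Connector
	TrustedNetwork bool     // Client Connector detected a configured trusted network
	App            string   // requested application (hostname)
}

// Rule targets one or more application hostnames and optionally narrows by user, group, posture and network.
// An empty criterion matches everything, so narrower rules belong earlier in the list.
type Rule struct {
	Name               string
	Apps               []string
	Users              []string
	Groups             []string // any listed group suffices
	Posture            []string // every listed profile must be satisfied
	TrustedNetworkOnly bool
	Allow              bool
}

func contains(set []string, v string) bool {
	for _, s := range set {
		if s == v {
			return true
		}
	}
	return false
}

func (r Rule) matches(q Request) bool {
	if !contains(r.Apps, q.App) {
		return false
	}
	if len(r.Users) > 0 && !contains(r.Users, q.User) {
		return false
	}
	if len(r.Groups) > 0 {
		hit := false
		for _, g := range q.Groups {
			if contains(r.Groups, g) {
				hit = true
			}
		}
		if !hit {
			return false
		}
	}
	for _, p := range r.Posture {
		if !contains(q.Posture, p) {
			return false
		}
	}
	return !r.TrustedNetworkOnly || q.TrustedNetwork
}

// Evaluate walks the rules in order and returns the first match; no match means deny.
func Evaluate(rules []Rule, q Request) (allowed bool, by string) {
	for _, r := range rules {
		if r.matches(q) {
			return r.Allow, r.Name
		}
	}
	return false, "implicit default deny"
}

// RunPolicy evaluates a constructed rule set against constructed requests; keys are scenario names.
func RunPolicy() map[string]string {
	rules := []Rule{
		{Name: "Contractors never reach finance", Apps: []string{"finance.corp.example"}, Groups: []string{"contractors"}, Allow: false},
		{Name: "Finance team on healthy devices", Apps: []string{"finance.corp.example"}, Groups: []string{"finance"},
			Posture: []string{"disk-encrypted", "edr-running"}, Allow: true},
		{Name: "Everyone to HR portal", Apps: []string{"hr.corp.example"}, Groups: []string{"employees", "contractors"}, Allow: true},
		{Name: "Build server from the office only", Apps: []string{"ci.corp.example"}, Groups: []string{"employees"}, TrustedNetworkOnly: true, Allow: true},
	}
	healthy := []string{"disk-encrypted", "edr-running"}
	cases := map[string]Request{
		"bob-finance-healthy": {User: "bob", Groups: []string{"employees", "finance"}, Posture: healthy, App: "finance.corp.example"},
		"bob-finance-no-edr":  {User: "bob", Groups: []string{"employees", "finance"}, Posture: healthy[:1], App: "finance.corp.example"},
		"carol-finance":       {User: "carol", Groups: []string{"contractors"}, Posture: healthy, App: "finance.corp.example"},
		"carol-hr":            {User: "carol", Groups: []string{"contractors"}, Posture: healthy, App: "hr.corp.example"},
		"dave-ci-from-home":   {User: "dave", Groups: []string{"employees"}, Posture: healthy, App: "ci.corp.example"},
		"dave-ci-in-office":   {User: "dave", Groups: []string{"employees"}, Posture: healthy, TrustedNetwork: true, App: "ci.corp.example"},
		"dave-git-unlisted":   {User: "dave", Groups: []string{"employees"}, Posture: healthy, App: "git.corp.example"},
	}
	out := map[string]string{}
	for name, q := range cases {
		allowed, by := Evaluate(rules, q)
		verdict := "deny"
		if allowed {
			verdict = "allow"
		}
		out[name] = fmt.Sprintf("%s (%s)", verdict, by)
	}
	return out
}
```

Note that bob is in the finance group and is still denied when his device lacks the edr-running profile: the posture criterion is part of the match, so a non-matching allow rule does not fall through to a softer allow, it falls through to the default deny. Rule order matters for the same reason, which is why the contractor deny is listed before the finance allow.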
Slide notes
In the area of monitoring and reporting:
• The service provides configurable infrastructure health checking;
• With real-time system-wide health reporting;
• Detailed diagnostics are available with a drill down capability;
Slide notes
• Logs are retained for 14 days, plus there is a log streaming service, to allow longer term retention;
• There is also the option to generate and send to targeted individuals a high-level ‘Executive Insights’ report.
Slide notes
From the end user perspective:
• The service is effectively ‘always-on’, all they need do is click on a link or bookmark to open the application;
• Connection to any TCP/UDP client/server application is fully supported for Client Connector users, regardless of
port;
• Plus, browser-based access is also available, for the situations where Client Connector is not suitable;
Slide notes
• Where necessary a customizable end-user portal can be created to advertise the availability of private
applications.
Slide notes
Thank you for following this Zscaler training module, we hope this module has been useful to you and thank you for your
time.
What follows is a short quiz to test your knowledge of the material presented during this module. You may retake the
quiz as many times as necessary in order to pass.