Chapter 2: Basic Connectivity (20%)

Study online at https://quizlet.com/_epvp51

1. Zero trust components are established where?
Established in the cloud, and users/devices, IoT/OT devices, or workloads must establish a connection to this cloud so security controls can be enforced.

2. Zero trust connections are, by definition, independent of what?
Independent of any network for control or trust. Zero trust ensures access is granted by never sharing the network between the originator (user/device, IoT/OT device, or workload) and the destination application.

3. Zscaler Client Connector
Included as part of Zscaler Internet Access (ZIA), Zscaler Private Access (ZPA), and Zscaler Digital Experience (ZDX). Zscaler Client Connector is a lightweight app that sits on users' endpoints and enforces security policies and access controls regardless of device, location, or application.

4. App Connectors
App Connectors provide the secure, authenticated interface between a customer's servers and the ZPA cloud. They establish connections outbound through the firewall to the Zscaler cloud, and the Zscaler cloud facilitates that connection as a reverse connection in order to enable users to access applications.

5. Browser Access & Privileged Remote Access
Browser-based access provides connectivity to HTTP and HTTPS applications through a web browser without the Zscaler Client Connector being installed. This core connectivity capability also provides access to privileged remote access applications such as SSH or RDP.

6. The Zscaler Client Connector is installed where?
On the endpoint, to create a tunnel to the Zero Trust Exchange for the protection of SaaS and internet-bound traffic.


7. The Zscaler Client Connector features include (7):
- Consistent Experience on all Platforms
- Strict Enforcement Options (Tamper Proof)
- Simple Enrollment
- Trusted Network Detection
- User Attribution and Asset Identification
- Transparent Authentication for Users
- Install Zscaler or Custom SSL Inspection Certificate

8. The three authenticated tunnel options (Zscaler Client Connector):
1) ZTunnel - Packet Filter Based
2) ZTunnel - Route-Based
3) ZTunnel with Local Proxy

9. ZTunnel - Packet Filter Based
Creates packet filters (Windows only). The packet-filter-based mode on Windows instruments packet filters that grab traffic and steer it toward the Zscaler Client Connector process, which can then make a decision to forward it to the Zscaler cloud.

10. ZTunnel - Route-Based
Creates route table entries. Route-based mode instruments an additional network adapter, which becomes the route for traffic generated from client applications.

11. ZTunnel with Local Proxy
Deploys a system proxy to localhost. Tunnel with Local Proxy creates a loopback address that appears as an HTTP/HTTPS proxy, and then instructs the operating system's proxy setting to point the browser at that local proxy. It then tunnels the traffic toward the Zscaler cloud.

12. Additional options that support legacy implementations (2) (Zscaler Client Connector):
1) Enforced PAC mode, which instruments the PAC file in the browser, similar to what you'd get from a group policy object. That means the browser itself is forced to go to Zscaler Internet Access via a specified proxy.
2) None, meaning the policy is not going to do any configuration of proxy or tunneling mode, and relies on the group policy object or the default configuration within the browser.

13. ZTunnel modes come in two formats:
1) The legacy Z-Tunnel 1.0
2) The modern ZTunnel 2.0

14. ZTunnel 1.0
An HTTP CONNECT tunnel. As traffic is forwarded into the tunnel, it issues a CONNECT method toward the cloud. It doesn't really encapsulate the traffic; it simply adds some header information, which enables the Zero Trust Exchange to understand the user information and the data being passed to it.
- 80/443 proxy-aware traffic only
- No real encapsulation of traffic
- No control channel
- Limited log visibility
- No visibility into non-web traffic
- Configurable drop of non-web traffic

15. With ZTunnel 1.0, there are essentially two tunnels:
A tunnel toward the Zero Trust Exchange for authentication, enrollment, and passing traffic.
Another for the policy updates that occur every 60 minutes against the Zscaler Client Connector Portal, where all those configuration changes are made.

16. ZTunnel 2.0
A DTLS (Datagram Transport Layer Security) tunnel with fallback to TLS, supporting all client traffic, which means the Zscaler Firewall, as part of the Zero Trust Exchange, can inspect and apply policy on all traffic.
- Any TCP, UDP, and ICMP traffic
- Logging of Client Connector version

17. With Z-Tunnel 2.0, which is the best practice option, the tunnel is the:
Control channel and a single tunnel from the client to the Zero Trust Exchange. Any notifications from the Client Connector admin portal (aka "Mobile Admin") are passed through the Zero Trust Exchange directly to the client, and those happen in real time.

18. DTLS uses a: (ZTunnel 2.0)
TLS tunnel = integrity

19. Tunnel Control Channel = (ZTunnel 2.0)
Provides updates to the client (policy changes), available updates, connectivity information, and logging/alerting toward the client.

20. DTLS runs on UDP = (ZTunnel 2.0)
Faster transport. If the client detects that the DTLS tunnel wasn't successful, such as a firewall blocking UDP traffic, it falls back to a TLS-over-TCP connection.

21. Tunnel Failure
There are also connection timeout options and additional options for redirecting traffic to a local listener (Tunnel with Local Proxy), providing safe fallback within the client if the tunnel mode connection is not successful.

22. Forwarding Profile: Trusted Network Detection combines 3 features to identify a trusted network within the client:
1) Hostname and IP
2) DNS Search Domains
3) DNS Server

23. Hostname and IP
Does a specific FQDN resolve to the expected IP address? If those two match, then the condition is true.

24. DNS Search Domains
The DNS search domain is provided by DHCP, so the client will receive a DNS search domain. If it matches the configuration of the trusted network criteria, the user is on the matching network.

25. DNS Server
The DNS server check looks at the primary network adapter on the client and determines what DNS server is being provided to it through DHCP. If those are equal, then the DNS server condition is true.

26. Forwarding profiles can reference:
Multiple trusted networks.

27. Forwarding Profile: Profile Action for ZIA
Finally, within the forwarding profile, we can select a trusted network criterion and then select from the predefined list of multiple trusted networks, confirming which ones are going to apply to the forwarding profile.

28. Forwarding Profile: System Proxy Settings
Within the system proxy settings, you can control how the browser, or more specifically the operating system, receives proxy settings. If you're migrating from an on-premises proxy, you will already have a proxy setting set within the browser or within the system. With a tunnel mode, there is no need for these proxy settings, so the recommendation is to enforce a no-proxy configuration.

29. 4 Enforcing Proxy Action Types (Forwarding Profile: System Proxy Settings):
1) Automatically Detect Settings
2) Use Automatic Configuration Script
3) Use Proxy Server for your LAN
4) Execute GPO Update

30. Automatically Detect Settings
The client sends a WPAD (Web Proxy Auto-Discovery) lookup looking for a proxy.

31. Use Automatic Configuration Script
Explicitly configure where the Zscaler Client Connector sets your custom system PAC file to download from, and run through that PAC file configuration so that traffic is explicitly proxied to a proxy server. Also referred to as a forwarding PAC file.

32. Use Proxy Server for Your LAN
This is a hard-coded proxy entry (IP address and a port, or an FQDN and a port) with the ability to bypass local addresses. A local address is something that is not fully qualified.

33. Execute GPO Update
The Windows machine performs a GPO (Group Policy Object) update/force from Active Directory to set the proxy settings on the machine.

34. It's really important to understand the distinction between a forwarding PAC and how the forwarding PAC is implemented within Zscaler Client Connector:
With a tunnel mode configuration, we do not want to set any forwarding PAC file; instead the client intercepts the traffic natively. As the browser or the client configuration resolves an internet address, the client intercepts the traffic as it routes toward the internet and tunnels it toward the Zero Trust Exchange through the DTLS tunnels.

35. Application Profile
An application profile exists to map the forwarding profiles to different users and different devices based on certain criteria. The app profile selects the forwarding profile, which therefore defines the method of tunneling. So, the forwarding profile defines it as Z-Tunnel 2.0, and we map that to the application profile to forward traffic through the tunnel. This defines the on- and off-trusted-network configuration and specifies that the system proxy is not configured. The app profile PAC URL defines the Zero Trust Exchange node to be used based on the client's geographic IP information.

36. The most common configuration items here include (6) (Application Profiles):
- Custom PAC URL
- Override WPAD
- Restart WinHTTP
- Install Zscaler SSL Certificate
- Tunnel Internal Client Connector Traffic
- Cache System Proxy

37. Custom PAC URL
References the PAC file configured in the ZIA Admin Portal, making decisions on traffic that should be forwarded to or bypassed from the Zero Trust Exchange.

38. Override WPAD
Ensures that the system GPO WPAD configuration is prevented, and makes sure that the WPAD configuration in the forwarding profile takes precedence.

39. Restart WinHTTP
Specific to Windows devices. Ensures that the system refreshes all of the proxy configuration once Zscaler Client Connector is established.

40. Install Zscaler SSL Certificate
If you aren't pushing out your own certificates from your own Certificate Authority, then simply enabling this option will use the one provided by Zscaler.

41. Tunnel Internal Client Connector Traffic
Ensures that the health updates and policy traffic pass through the Zscaler tunnels toward the Zero Trust Exchange. Or more specifically, it doesn't go direct to the Zero Trust Exchange; it stays within the zero trust tunnels.

42. Cache System Proxy
Ensures that Zscaler Client Connector stores the system proxy state from before it was installed or enabled, and makes sure that when Zscaler Client Connector is uninstalled or disabled, the system proxy configuration is reverted and the user can continue to function as before. It also ensures that Zscaler Client Connector reverts to previous versions of the Zscaler Client Connector software in the event of an upgrade issue. Used to uninstall or revert to a previous version, making sure there is business continuity in the case of any issue with the updates.

43. Critical part of the Zero Trust Exchange:
Its ability to inspect SSL.

44. Zscaler Client Connector has the ability to deploy what types of CAs?
Zscaler root CA as well as custom root CAs.

45. Application Bypass
There are some specific application bypasses for things like UCaaS. If we want to keep Microsoft Teams or Zoom traffic from going into the tunnel, we can do that by selecting them under the application bypass.

46. Forwarding Profile PAC
Steers traffic toward or away from the Client Connector. Controls the system PAC file: which HTTP proxy is to be used for a URL, Tunnel with Local Proxy, or another explicit proxy. Has no bearing on where Client Connector will route traffic, only on where the user's apps will send traffic.

47. App Profile PAC
Steers traffic toward or away from the Zscaler cloud. Routes traffic AFTER the Client Connector has received it. Used to determine the geographically closest Zscaler Enforcement Node (ZEN).

48. How a Forwarding Profile PAC works:
Gets defined within the forwarding profile, and it steers traffic toward or away from Zscaler Client Connector. It's essentially the system PAC file, stating which HTTP proxy is going to be used for a specific URL. If it's the PAC file for a Tunnel with Local Proxy, it's going to point traffic at the loopback address or another explicit proxy. It has no bearing on where Zscaler Client Connector will route traffic, only on where the user's applications will send traffic.
A user's application could be the Internet Explorer browser, Edge browser, Chrome browser, or Firefox. They would receive the Forwarding Profile PAC, which makes the decision on how that browser will treat the HTTP traffic and what proxy server it will send it to. That proxy server could be Zscaler, or it could be the local proxy that's enabled in Zscaler Client Connector.

49. How an Application Profile PAC works:
The Application Profile PAC steers traffic toward or away from the Zscaler cloud, after traffic has been intercepted by the tunnel mode or after traffic has been directed to it with the local proxy. The Application Profile PAC then processes the traffic and decides which Zscaler node (ZIA Public or Private Service Edge, or ZPA Public or Private Service Edge) is going to process the request afterwards. Finally, that App Profile PAC is used to determine the geographically closest Zscaler enforcement node to process it.

50. Within the Zscaler Internet Access (ZIA) Admin Portal, we can define:
The PAC files that are hosted on the cloud.

51. PAC files
PAC files are essentially JavaScript functions that take two inputs, dynamically provided to them by the browser or, in the case of the App Profile PAC, through the inspection process. A PAC file takes the input of a URL and a host, and it returns an answer of sending the traffic "DIRECT" or to a "PROXY".

52. Forwarding PAC vs. Application Profile PAC
The Forwarding PAC is processed by the web browser or the system proxy; the Application Profile PAC is for Zscaler Client Connector to make its traffic routing decisions.

53. ZIA: Browser Behavior - PAC to Tunnel Mode and site authentication
Can be pushed out through group policy objects: identified from your existing PAC file, migrated into the browser configuration, and pushed out before the migration to Zscaler occurs.

54. Inclusions vs. Exclusions (Tunnel Mode - Packet Filter Based - ZTunnel 2.0)
The bottom line is that there are going to be exclusions and inclusions. Anything that's included will be sent through to Zscaler Client Connector, or Zscaler Client Connector will physically intercept the traffic. Anything that is bypassed through the packet filters will go directly out to the internet.

55. Tunnel Mode - Packet Filter Based - ZTunnel 1.0
With Z-Tunnel 1.0, it's important to understand that interception at the network layer will only catch traffic on ports 80 or 443. So if the application generates packets on port 80 or 443, they'll be intercepted and passed to Zscaler Client Connector. If the traffic is explicitly proxied, as when you have a Tunnel with Local Proxy configuration, it'll be passed to the local adapter that's listening, and again into Zscaler Client Connector.

56. Tunnel Mode - Route-Based Flow
In the route-based mode, again, there is a routed adapter: an additional network adapter that's configured on the machine. In a scenario where Tunnel with Local Proxy is not configured, the application generates traffic, it follows the routing table, and that traffic routes into the Zscaler Client Connector IP address. The Application PAC processes the traffic, and again, traffic routes either to the Zscaler cloud or it bypasses and routes directly to the internet.

57. ZIA Enrollment Process (5 steps)
1) As the Zscaler Client Connector launches, it talks to the mobile admin portal (Zscaler Client Connector Portal) to understand what domain the user is in and what SAML identity provider the user should authenticate against.
2) The user receives that IdP redirect and is redirected to their SAML IdP.
3) If the response is valid, then the user receives an authentication token back in Zscaler Client Connector.
4) Zscaler Client Connector provides that token to the Zscaler Client Connector Portal, which validates the token and registers the device. At this point, the Zscaler Client Connector Portal understands who the user is, fingerprints the device, consumes that device information, and passes that device registration through to Zscaler Internet Access.
5) Zscaler Internet Access then provides the client credentials so that when the user makes a request through the Zscaler service, it can authenticate the user, and it uses the Zscaler identity token to authenticate the client through the platform.

58. ZPA Enrollment Process (5 steps)
1) There's an immediate registration attempt, followed by a second IdP redirect, as Zscaler Internet Access and Zscaler Private Access are controlled as two separate SAML relying party trusts.
2) During this second authentication round, where the Zscaler Client Connector talks to the SAML IdP, it signs in transparently because the user is already signed in from the Zscaler Internet Access enrollment. There may be a multifactor authentication at this point.
3) The IdP authenticates the user and returns the SAML response back to Zscaler Client Connector.
4) Zscaler Client Connector provides that response token and registers the device in the Zscaler Client Connector Portal, which passes that registration through to Zscaler Private Access. Zscaler Private Access enrollment then enables the Zscaler Client Connector certificates to be generated, and Zscaler Client Connector is enrolled in Zscaler Private Access.
5) Zscaler Client Connector then generates the secure tunnels to the Zero Trust Exchange, through which the profile and settings are downloaded, so the client receives the information about the Zscaler Private Access applications that the user is able to access.

59. Client Connector Intervals: (5)
- On Network Change (connect/disconnect)
- Every 2 hours
- Every hour
- Every 15 minutes
- Manually

60. Device Posture (Client Connector)
Device Posture enables a level of trust of the device as part of the Zero Trust Network Access policy.

61. Device Posture Check examples: (3)
- BYOD vs. Corporate devices
- Device security
- Endpoint protection

62. The strictEnforcement option
The strictEnforcement option requires the cloudName and policyToken options to ensure that the user is automatically directed to the right cloud and authentication token, and makes sure that the user cannot access the Internet until they are enrolled.

63. Fundamentals of App Connectors
Always deploy App Connectors as a pair (minimum) and as a different Connector Group in separate data centers. Ensure App Connectors:
- Can route to the internet and internal applications.
- Meet the minimum VM requirements.
- Can connect to applications (TCP/UDP) for health checking.
- Have their source IPs registered in Active Directory Sites & Services, as the requests will be seen as coming from the App Connectors.

64. Deploy App Connectors
Create a provisioning key for each Connector Group. Provisioning keys are signed by an intermediate certificate authority, and the intermediate is trusted by the root CA. Clients are enrolled against a client intermediate certificate authority. Revoking/deleting the intermediates breaks the trust, invalidating the provisioning keys.
Treat provisioning keys as credentials (don't share them in cleartext: download from the UI and upload via SCP, copy/paste over SSH, or use the API to retrieve or generate them dynamically).

65. Server groups for App Connectors
Server Group: associate the Connector Group(s) with a Server Group. Dynamic Server Discovery on that server group means that either the group or the connectors will automatically perform DNS resolution and create synthetic server associations that advertise those applications. This is the default (recommended) configuration, and it is not recommended to move away from Dynamic Server Discovery unless for a very specific reason.

66. Applications must be defined within an:
Application Segment.

67. Application Segment
An application segment is a grouping of those applications, those defined FQDNs that make that application function.

68. Segment Group
A segment group is a grouping of similar applications that you want to apply policy to.

69. Browser Access (BA)
Browser Based Access provides connectivity to HTTP and HTTPS applications through a web browser without the Zscaler Client Connector being installed. This core connectivity capability also provides access to Privileged Remote Access applications such as SSH or RDP.

70. How Browser Access Works (4 steps)
1) The user types in the URL of the internal web application or the User Portal and is redirected to the appropriate IdP for user authentication.
2) The closest connector to the requested app creates an inside-out TLS 1.2 encrypted tunnel over port 443.
3) The Zscaler broker stitches the app connection to the user connection in the broker location closest to the user, presenting them with either the direct application or the User Portal, depending on which option the user selected.
4) Real-time, global visibility into all user and app activity.

71. What is required for ZPA admin configuration for Browser Access?
FQDNs

72. Privileged Remote Access (PRA)
PRA is an authenticated remote desktop gateway/SSH gateway that relies on Zscaler's Service Edge and the App Connector to allow a user to access IT and OT servers, desktops, and workstations using their browser, typically through an authenticated web portal.
