Zscaler/Okta overview and Zscaler Client Setup Instructions
Zscaler will replace Meta for access to your jump hosts in our AWS VPCs. Please read this entire
document to understand how Zscaler works and how to install the Zscaler client on your PC.
There are several components to the Zscaler/Okta implementation pictured below. In each domain a
Zscaler App Connector is an EC2 instance (launched from an AMI) that connects to the Zscaler cloud. An Okta agent runs on
an AD domain member and exports users' domain credentials from defined OUs or groups to the Okta
cloud. Okta and Zscaler are then configured as IdP peers and as applications to each other.
Management of the AD users assigned to the Zscaler application from each domain is done through the
Okta portal. Access to the specific domain targets (jump hosts) is defined in the
Zscaler portal within Application Segments and Policies. Pictured below is the architecture.
For each Zscaler user the following is required:
• A domain account in each AD domain, placed in the respective AD groups.
• A jump host created for each user, with its IP added to the Zscaler application segment.
• Installation of the Zscaler App on the user's work PC, described below.
INSTALLING THE ZSCALER CLIENT
Install the Zscaler client supplied to you on your Windows, Mac or Linux workstation from the command
prompt or Terminal, so you can add the required feature-specific inputs described below. These inputs
install the client into our zscalergov tenant and make it FIPS compliant. The Zscaler client
will install without the needed feature inputs but will not work correctly. Please read this again as it is
very important.
Link to share folder: Zscaler Installer
https://onsolvelaunch.sharepoint.com/sites/prodops/Shared%20Documents/Forms/AllItems.aspx?id=%2Fsites%2Fprodops%2FShared%20Documents%2FZscaler%20Installers&p=true&originalPath=aHR0cHM6Ly9vbnNvbHZlbGF1bmNoLnNoYXJlcG9pbnQuY29tLzpmOi9zL3Byb2RvcHMvRXVDOHQwc3pCYTVGbER2SFBDandvU3dCbm1HZ2ZlcngyVFVJbkJiRnRiNGtjdz9ydGltZT1ZOUdjV1hBeTJVZw
Download the install files for your OS, change to the directory containing the installer file, and run the
respective command line shown below:
For Windows see sample below:
C:\downloads>Zscaler-windows-gov-3.4.0.124-installer.exe --cloudName zscalergov --enableFips 1
(Cut and paste the command above into your command line. Alternatively, there is a folder on the
share drive containing a .BAT file that installs without the command line: copy the entire folder to your
desktop and double-click the .BAT file inside it.)
For MAC users see sample below:
cd ~/Downloads/Zscaler-osx-3.2.3.17-installer.app/Contents/MacOS
sudo ./installbuilder.sh --cloudName zscalergov --enableFips 1
For Linux users see sample below:
root@onsolve:~# ./Zscaler-linux-1.0.0.108-installer-deb.run --cloudName zscalergov
(The --enableFips switch is not needed on Linux.)
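As an added example (not OnSolve's or Zscaler's own script), a POSIX shell wrapper that builds the per-OS install command shown above and refuses to run an installer invocation that is missing the zscalergov tenant input or, off Linux, the --enableFips 1 switch. The installer file-name checks, the Git Bash handling on Windows and the DRY_RUN variable are assumptions, not part of the original instructions.

```shell
#!/bin/sh
# Added example, not OnSolve's or Zscaler's own tooling: wraps the per-OS
# install commands from this document so the tenant and FIPS inputs cannot
# be left out. Assumes the installer file names shown above, a tenant named
# zscalergov, and installer paths without spaces.
TENANT="zscalergov"

# Print the install command for a platform ($1 = uname -s) and installer path ($2).
build_install_cmd() {
    os="$1"; installer="$2"
    case "$os" in
        Darwin)
            # macOS: the .app bundle is installed by installbuilder.sh inside it
            case "$installer" in *.app) ;; *) echo "need a .app bundle" >&2; return 1 ;; esac
            echo "cd $installer/Contents/MacOS && sudo ./installbuilder.sh --cloudName $TENANT --enableFips 1"
            ;;
        Linux)
            # Linux .run installer: tenant only, the FIPS switch is not used here
            case "$installer" in *.run) ;; *) echo "need a .run installer" >&2; return 1 ;; esac
            echo "$installer --cloudName $TENANT"
            ;;
        MINGW*|MSYS*|CYGWIN*|Windows_NT)
            # Windows from a POSIX shell such as Git Bash (assumption): same flags as the cmd.exe line
            case "$installer" in *.exe) ;; *) echo "need an .exe installer" >&2; return 1 ;; esac
            echo "$installer --cloudName $TENANT --enableFips 1"
            ;;
        *) echo "unsupported platform: $os" >&2; return 1 ;;
    esac
}

# Guard against the failure mode the text warns about: a command that would
# install cleanly but without the tenant (and, off Linux, FIPS) inputs.
check_install_cmd() {
    os="$1"; cmd="$2"
    case "$cmd" in *"--cloudName $TENANT"*) ;; *) return 1 ;; esac
    if [ "$os" = Linux ]; then return 0; fi
    case "$cmd" in *"--enableFips 1"*) return 0 ;; *) return 1 ;; esac
}

main() {
    os="$(uname -s)"
    cmd="$(build_install_cmd "$os" "$1")" || exit 1
    check_install_cmd "$os" "$cmd" || { echo "refusing: required inputs missing" >&2; exit 1; }
    # DRY_RUN=1 prints the command instead of running it
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$cmd"; else eval "$cmd"; fi
}

if [ "$#" -gt 0 ]; then main "$@"; fi
```

Run it as `DRY_RUN=1 sh zscaler-install.sh ./Zscaler-linux-1.0.0.108-installer-deb.run` to see the command it would execute before letting it install.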
Once installed, log in to the Zscaler app with your AWS domain username (not console credentials) for
each respective domain. In the screenshot below I log in as [email protected]
useast1.onsolve.com. This only allows access to targets in that domain. Also shown is logging in with
credentials to access targets in the ad.prod-uswest2.onsolve.com domain.
Hit Login. You will be prompted to re-verify your domain credentials and password against Okta. When
you log in for the first time it will ask you to select a picture to represent your login credentials. I suggest
a different picture for each domain.
Then you will be asked to set up 2FA with either Google Authenticator or the Okta Verify
app, whichever you prefer. I like the Okta Verify app as it's separate from my many Google Authenticator entries.
Once connected, the Zscaler app window will minimize to your task bar (in Windows); you should see traffic
incrementing when you access your targets.
Access, usage and error logs are available in the Zscaler portal for administrators. Authentication issues
can be seen in the Okta portal logs for administrators. Logging from the Zscaler App Connector is
sent to the ELK log servers.
To disconnect the Zscaler client hit the TURN OFF button.
Note:
• You cannot ping targets from your workstation while connected to Zscaler, although you can
once you are on your jump host. Access your jump host via FQDN or IP.
• Meta and Zscaler do not work well running at the same time.
Zscaler support for production environments will be provided by team Larch. Please contact the Slack
channel #zscalervpn_rollout with questions or for clarification of these instructions.