Zscaler For Users Flashcards

1
Q

What are ZIA forwarding Modes

A

ZTunnel - Packet Filter Based (creates packet filters; Windows)
ZTunnel - Route Based (creates routing table entries)
ZTunnel with Local Proxy (deploys a system proxy pointing at a listener on localhost)
Enforce PAC (no Client Connector forwarding: ZCC only enforces the system PAC, which sends proxy-aware traffic straight to the Zscaler cloud, so authentication is browser-based; similar to pushing a PAC by GPO)
None (Client Connector forwarding is completely disabled; system settings only)

2
Q

Differences between ZTunnel 1.0 vs 2.0

A

ZTunnel 1.0 (HTTP CONNECT tunnels)
- Port 80/443, proxy-aware traffic only
- No real encapsulation of traffic
- No control channel
- Limited log visibility
- No visibility into non-web traffic
- Configurable drop of non-web traffic

ZTunnel 2.0 (DTLS/TLS tunnels)
- Any TCP, UDP and ICMP traffic (supports Cloud Firewall)
- DTLS runs over UDP, so faster transport; falls back to TLS over TCP where UDP is blocked
- DTLS/TLS tunnel provides integrity (and confidentiality) for the encapsulated traffic
- Tunnel provides a control channel
- Logging of Client Connector version, ZTunnel version, etc.

3
Q

Forwarding Profile: Trusted Network Detection

A

Trusted Network Criteria
- Hostname/IP - ZCC resolves the configured FQDN through the system's current DNS path and checks that the answer matches the configured IP (so this check is only as trustworthy as that DNS path)
- DNS Server - ZCC checks whether the configured DNS server is among the DNS servers on the primary network adapter
- DNS Search Domain - ZCC checks whether the configured search domain is among the search domains on the primary network adapter

4
Q

Forwarding Profile: Multiple Trusted Networks

A
  • Define each office/network as its own trusted network in the forwarding profile
  • A forwarding profile can reference multiple trusted networks
  • Define the tunnel/bypass action for each network
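The evaluation the two cards above describe, as an added example (not Zscaler's code): the three criteria are checked against a constructed snapshot of the primary adapter and a constructed local DNS resolver. The names, the sample networks, and the semantics that all conditions of one trusted network must hold while any one network matching is enough are assumptions made for the illustration.

```javascript
// Added example, not Zscaler's code: evaluates the three trusted-network
// criteria from the cards against a snapshot of the primary adapter and a
// DNS resolver. Assumed semantics: all conditions of one trusted network
// must hold for it to match; the device is on a trusted network if any
// configured network matches.

// Constructed snapshot of what ZCC would read from the primary NIC.
const primaryAdapter = {
  dnsServers: ["10.1.1.53", "10.1.2.53"],
  searchDomains: ["corp.example.com"],
};

// Constructed stand-in for the local DNS lookup. It answers whatever the
// current network's resolver says, which is the weak point of the
// Hostname/IP criterion: a network that answers the expected IP looks
// "trusted" to this check.
const localResolver = { "tnd.corp.example.com": "10.1.1.10" };

// Trusted networks as defined on a forwarding profile, one per site.
const trustedNetworks = [
  {
    name: "HQ",
    conditions: [
      { type: "hostnameIp", hostname: "tnd.corp.example.com", ip: "10.1.1.10" },
      { type: "dnsServer", server: "10.1.1.53" },
    ],
  },
  {
    name: "Branch",
    conditions: [{ type: "dnsSearchDomain", domain: "branch.example.net" }],
  },
];

function evaluateCondition(cond, adapter, resolver) {
  switch (cond.type) {
    case "hostnameIp":
      return resolver[cond.hostname.toLowerCase()] === cond.ip;
    case "dnsServer":
      return adapter.dnsServers.includes(cond.server);
    case "dnsSearchDomain":
      return adapter.searchDomains.some(
        (d) => d.toLowerCase() === cond.domain.toLowerCase()
      );
    default:
      return false; // an unknown criterion never marks a network trusted
  }
}

// Name of the first trusted network whose conditions all hold, else null.
function detectTrustedNetwork(networks, adapter, resolver) {
  for (const net of networks) {
    const conds = net.conditions;
    if (conds.length > 0 && conds.every((c) => evaluateCondition(c, adapter, resolver))) {
      return net.name;
    }
  }
  return null;
}

// The forwarding profile then selects a mode per result; "none" on a
// trusted network and a tunnel off it is the usual pattern from the cards.
function selectForwardingMode(networks, adapter, resolver, actions) {
  const network = detectTrustedNetwork(networks, adapter, resolver);
  return network
    ? { network, mode: actions.onTrusted }
    : { network: null, mode: actions.offTrusted };
}

const profileActions = { onTrusted: "none", offTrusted: "ztunnel-2.0" };

// Off-site snapshot: public resolver, no corporate search domain.
const hotelAdapter = { dnsServers: ["8.8.8.8"], searchDomains: [] };
```

Pairing the Hostname/IP criterion with a DNS-server or search-domain condition, as the HQ entry does, is the practical mitigation: a network that merely answers the expected IP for the beacon name then still fails the second condition.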
5
Q

Forwarding Profile: Profile Action for ZIA

A
  • Select the forwarding mode per trusted-network state
    • Tunnel, Tunnel with Local Proxy, Enforce PAC, None
    • Best practice - Tunnel mode
  • Select the tunnel version
    • Best practice - ZTunnel 2.0
  • ZTunnel 2.0 config
    • Tunnel transport: DTLS vs TLS
    • Connection timeout
    • Fallback methods and behavior
    • Advanced settings for TWLP (Tunnel with Local Proxy) config
6
Q

Forwarding Profile PAC vs App Profile PAC

A

Forwarding Profile PAC
- Steers traffic towards or away from ZCC
- Becomes the system PAC file: it tells the browser/OS which HTTP proxy to use for a URL (the ZCC local listener in Tunnel with Local Proxy, or another explicit proxy)
- Has no bearing on where ZCC routes traffic; it only decides whether user apps send the traffic to ZCC in the first place

App Profile PAC
- Steers traffic towards or away from the Zscaler cloud
- Evaluated AFTER ZCC has received the traffic
- Used to pick the geographically closest ZEN (via the gateway placeholders) or to send traffic DIRECT, bypassing ZIA
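To make the split between the two PACs concrete, here is an added example (not Zscaler's own PAC files) with one `FindProxyForURL`-style function for each. The local listener address 127.0.0.1:9000, the `${GATEWAY}`/`${SECONDARY_GATEWAY}` placeholder form, the internal domain and the bypass domain are assumed values chosen for the illustration; the PAC helper functions are re-implemented minimally so the file also runs outside a PAC engine.

```javascript
// Added example, not Zscaler's PAC files: one function in the style of
// each PAC so the split is concrete. Assumed values: the ZCC local
// listener on 127.0.0.1:9000 and the ${GATEWAY}/${SECONDARY_GATEWAY}
// placeholders that the cloud substitutes with ZIA node addresses.

// Minimal stand-ins for the helper functions a PAC engine provides, so the
// file also runs under plain Node.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}
function dnsDomainIs(host, domain) {
  return host.toLowerCase().endsWith(domain.toLowerCase());
}
function shExpMatch(str, pattern) {
  const re = pattern
    .replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".");
  return new RegExp("^" + re + "$", "i").test(str);
}
function ipToInt(ip) {
  return ip.split(".").reduce((acc, o) => (acc << 8) + Number(o), 0) >>> 0;
}
function isInNet(host, net, mask) {
  // Literal IPv4 only: a real PAC engine would resolve names here, and that
  // lookup is a common source of slow or leaky PAC logic.
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return false;
  return (ipToInt(host) & ipToInt(mask)) === (ipToInt(net) & ipToInt(mask));
}

// Forwarding-profile PAC: this becomes the system PAC in Tunnel with Local
// Proxy mode. It tells the browser which HTTP proxy to use, i.e. whether
// the request reaches ZCC at all. Internal names and RFC 1918 space go
// DIRECT; everything else goes to the local listener. No "; DIRECT"
// fallback is appended on purpose: with it, a browser whose listener is
// unreachable would silently go to the internet without ZCC.
function forwardingProfilePac(url, host) {
  if (isPlainHostName(host) || dnsDomainIs(host, ".corp.example.com")) return "DIRECT";
  if (isInNet(host, "10.0.0.0", "255.0.0.0")) return "DIRECT";
  return "PROXY 127.0.0.1:9000";
}

// App-profile PAC: evaluated by ZCC after it already holds the traffic.
// It decides where ZCC forwards: to the ZIA node the placeholders resolve
// to, or DIRECT to bypass ZIA. The trailing DIRECT makes ZIA fail-open if
// no node answers; drop it for a fail-closed posture.
function appProfilePac(url, host) {
  if (dnsDomainIs(host, ".corp.example.com") || isInNet(host, "10.0.0.0", "255.0.0.0")) {
    return "DIRECT";
  }
  if (shExpMatch(host, "*.bypass.example.net")) return "DIRECT"; // explicit bypass list
  return "PROXY ${GATEWAY}:80; PROXY ${SECONDARY_GATEWAY}:80; DIRECT";
}
```

The two functions look alike but answer different questions: the first decides whether the browser hands the request to ZCC, the second decides what ZCC does with a request it already has. A bypass added to the wrong one either never takes effect (ZCC still tunnels it) or removes it from ZCC's view entirely (no logging, no Cloud Firewall).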

7
Q

SAML Authentication

A

SAML (Security Assertion Markup Language) is used to verify user identities, allowing for safe and easy access to multiple services with a single sign-on (SSO) experience.

8
Q

SCIM Authorization

A

SCIM (System for Cross-domain Identity Management) is a standard for keeping user and group information consistent and current across different platforms; Zscaler uses it to provision and deprovision users and groups from the IdP automatically.

9
Q

What is Zscaler’s primary purpose for users

A

To provide secure internet and application connectivity via Zero Trust Exchange.

10
Q

How does Zscaler verify user access?

A

Through identity and context verification, using SAML, LDAP, or other methods.

11
Q

What does Zscaler enforce after verifying identity?

A

Policies like Allow, Block, Isolate, and Prioritize.

12
Q

What initiates the SAML Auth process in Zscaler?

A

The process begins when a user requests an application and is redirected to authenticate at Zscaler Internet Access or Zscaler Private Access due to not being authenticated.

13
Q

What does the identity provider do after receiving a SAML request?

A

The identity provider challenges the user to authenticate according to its policy, which may involve a username and password, Kerberos, or multifactor authentication. It can also retrieve additional user attributes and group memberships for the SAML assertion.

14
Q

How does Zscaler handle a received SAML assertion?

A
15
Q

What are the modes for ZCC forwarding traffic to ZIA?

A

The modes include:
* Zscaler tunnel (packet-filter based),
* route-based mode,
* tunnel with local proxy.

16
Q

How does the Zscaler Tunnel function?

A

Using packet filters, the Zscaler tunnel intercepts and forwards network traffic through an encapsulated tunnel to the Zscaler platform.

17
Q

What is enforced PAC mode in ZCC

A

Enforced PAC mode builds no tunnel: ZCC enforces the system PAC file so that browser (proxy-aware) traffic goes to ZIA as an explicit proxy, and authentication is browser-based. Suitable for legacy implementations.

18
Q

How does the ZCC determine trusted network status?

A

The Zscaler Client Connector determines trusted network status by evaluating the configured criteria: a hostname that must resolve to a given IP, and the DNS server and DNS search domain settings on the primary adapter (typically supplied by DHCP).

19
Q

What forwarding options does the ZCC provide for trusted network conditions?

A

The Zscaler Client Connector offers a forwarding action per trusted network condition: tunnel the traffic, tunnel with local proxy, enforce the PAC, or take no action (None).

20
Q

What are the recommended connection timeout settings for ZCC

A

It is recommended to use ZTunnel 2.0 in Tunnel mode with DTLS transport and the option to fall back to TLS when UDP is blocked. A further fallback, such as redirecting traffic to the local listener when the tunnel cannot be established within the timeout, keeps connectivity reliable.

21
Q

What is the purpose of an application profile in Zscaler config

A

An application profile associates forwarding profiles with users and devices based on specific criteria, defining the tunneling method and trusted network configurations.

22
Q

What does the “Restart WinHTTP” feature ensure in Zscaler config for Windows devices?

A

“Restart WinHTTP” ensures that the system refreshes all WinHTTP proxy configuration once the Zscaler Client Connector tunnel is established, so services that read proxy settings through WinHTTP pick up the new configuration.

23
Q

What is the initial step in the enrollment process for the ZCC?

A

Zscaler Client Connector launches and communicates with the mobile admin portal (now known as Zscaler Client Connector Portal) to determine the user’s domain and SAML identity provider.

24
Q

How does the ZCC authenticate and enroll the user after receiving the SAML response?

A

After receiving the SAML response from the SAML IdP, the Zscaler Client Connector validates it. Then, it receives an authentication token from ZIA, which it provides to the mobile admin portal for validation and device registration.

25
Q

What is the enrollment process for Zscaler Client Connector in ZPA?

A

The process involves client launch, registration attempts, SAML IdP authentication, potential multifactor authentication, device registration into mobile admin, enrollment in ZPA, and secure tunnel creation to the Zero Trust Exchange.

26
Q

How does ZCC enroll in ZPA?

A

By providing the SAML response token after authentication, the device is registered in mobile admin, enabling ZPA enrollment. This process generates Zscaler Client Connector certificates and establishes secure tunnels to the Zero Trust Exchange.

27
Q

ZCC refresh intervals

A
  1. On network change (connect/disconnect) - refresh of key components: app profile, forwarding profile, PAC files and policy updates.
  2. Every 15 mins - ZCC downloads the PAC files of the app profiles and forwarding profiles.
  3. Every 1 hr - checks for policy updates from the app and forwarding profiles.
  4. If PAC file URLs are modified, the system auto-triggers updates every 1 hr.
  5. Every 2 hrs - checks for SW updates.
28
Q

What is the device posture in ZCC?

A

Device Posture in Zscaler Client Connector assesses device trust for Zero Trust Network Access policies by analyzing certificate trust, domain-joining status, and security measures

29
Q

How does ZCC evaluate device security?

A

Zscaler Client Connector checks for device security information (client certificates, antivirus, operating system version, disk encryption, and firewall status) to make policy decisions for application access.

30
Q

What are some benefits of using installer options for ZCC?

A

Automated installer options (for example, pre-setting the cloud name and user domain) let ZCC identify the SAML IdP without prompting and make authentication and enrollment transparent to the user, reducing user burden.

31
Q

What does the strict Enforcement mode do in ZCC installation?

A

The strict Enforcement mode requires the Zscaler Client Connector to be running for internet access. Its automated enrollment uses the cloud name, policy token, and user domain information.

32
Q

What is the recommended deployment approach for App connectors?

A

Deploy them in pairs in different locations, such as data centers or infrastructure-as-a-service environments, to ensure resilience. Each location should be treated as a separate App Connector group.

33
Q

How is the health of UDP apps inferred in Zscaler App Connector deployment?

A

Since UDP health checks are not possible, Zscaler relies on ICMP (ping) or previous TCP health checks. If a TCP connection succeeds, UDP connections to the same server are inferred to be healthy.

34
Q

Which IP address appears on the network when using a Zscaler App Connector for Zero Trust Exchange applications?

A

The IP address of the App Connector becomes the source IP of application access traffic (the connector source-NATs the user's connection). This matters for services like Active Directory that rely on the client IP address for policy decisions, since they see the connector, not the user's device.

35
Q

What are the Provisioning keys in the context of deploying App connectors?

A

Provisioning keys are enrollment credentials tied to an enrollment (intermediate) CA certificate. An App Connector presents its key at first start to obtain its own TLS certificate from that CA, and that certificate is what establishes trust for its connections within ZPA.

36
Q

How are App Connectors deployed and associated with applications?

A

Provisioning keys are created to enroll App Connectors. Each App Connector belongs to an App Connector group tied to a location; a server group references App Connector groups, and an application segment (defined by FQDNs, wildcard domains or IP addresses plus ports) references the server groups that can reach it, so access is granted per policy through connectors that can reach the application.

37
Q

What is the role of application segments and segment groups in ZPA deployment?

A

Application segments group FQDNs or IPs (with their TCP/UDP ports), while segment groups group similar application segments so policy can be applied to them together. Application segments are associated with server groups and, through them, App Connector groups, enabling secure access based on defined policies and server health checks.
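The object model the last two cards describe, as an added example (not ZPA's code): a matcher that resolves a requested host and port to the application segment, segment group and server group that would serve it. The segment definitions are constructed; wildcard-domain, IP-range and port-range matching are written here as the general case of what the cards describe and are an assumption about ZPA's behavior, not a copy of it.

```javascript
// Added example, not ZPA code: maps a request (host, port, protocol) to the
// application segment and the server group behind it. Segment data is
// constructed; matching semantics are assumed for illustration.

const appSegments = [
  {
    name: "Intranet Web",
    segmentGroup: "Corporate Apps",
    serverGroup: "DC1-Servers", // server group -> App Connector group(s)
    domains: ["*.intranet.example.com"],
    ipRanges: [],
    tcpPorts: [[80, 80], [443, 443]],
    udpPorts: [],
  },
  {
    name: "AD Domain Services",
    segmentGroup: "Infrastructure",
    serverGroup: "DC1-Servers",
    domains: ["dc1.corp.example.com", "dc2.corp.example.com"],
    ipRanges: [["10.10.0.1", "10.10.0.50"]],
    tcpPorts: [[88, 88], [389, 389], [636, 636]],
    udpPorts: [[53, 53], [88, 88]],
  },
];

function ipToInt(ip) {
  return ip.split(".").reduce((acc, o) => (acc << 8) + Number(o), 0) >>> 0;
}
function isIpLiteral(s) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(s);
}

// "*.intranet.example.com" matches any name below that suffix but not the
// apex itself; anything else must match exactly.
function domainMatches(fqdn, pattern) {
  fqdn = fqdn.toLowerCase();
  pattern = pattern.toLowerCase();
  if (!pattern.startsWith("*.")) return fqdn === pattern;
  const suffix = pattern.slice(1); // ".intranet.example.com"
  return fqdn.endsWith(suffix) && fqdn.length > suffix.length;
}
function ipInRange(ip, [start, end]) {
  const n = ipToInt(ip);
  return n >= ipToInt(start) && n <= ipToInt(end);
}
function portInRanges(port, ranges) {
  return ranges.some(([lo, hi]) => port >= lo && port <= hi);
}

// Returns the match, or null when no segment covers the request. Null means
// ZPA has no path: no connector sees the request and the client gets
// nothing, which is the default-deny property the model is built on.
function matchSegment(host, port, proto, segments) {
  for (const seg of segments) {
    const hostMatch = isIpLiteral(host)
      ? seg.ipRanges.some((r) => ipInRange(host, r))
      : seg.domains.some((d) => domainMatches(host, d));
    if (!hostMatch) continue;
    const ranges = proto === "udp" ? seg.udpPorts : seg.tcpPorts;
    if (portInRanges(port, ranges)) {
      return { segment: seg.name, segmentGroup: seg.segmentGroup, serverGroup: seg.serverGroup };
    }
  }
  return null;
}
```

Note that a host matching a segment's domain but not one of its ports (SSH to an intranet web server, say) also falls through to null; the port list is part of the segment definition, not a separate policy, so it is worth keeping wildcard segments narrow.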