
About Applications

An application is a fully qualified domain name (FQDN), local domain name, or IP address that you define on a standard set of ports. Applications must be defined within an application segment.

To enable application discovery, you can define an application as an FQDN in wildcard format or as an IP subnet.

An application segment is a grouping of defined applications based on access type or user privileges. Features such as double encryption and health reporting are configured per application segment.

Defining your applications in application segments enables you to:

  • Restrict access to excess ports for the application, reducing the application’s attack surface.
  • Leverage those application segments in access policies to restrict user groups that can access them, as well as reduce lateral movement.
  • Apply advanced capabilities such as Browser Access, Isolation, AppProtection, and data loss prevention that you are licensed for.

Read about the following key configuration options available for your applications before configuring an application segment:

About the Defined Application Segments Page

On the Defined Application Segments page (Policies > Access Control > Private Applications > App Segments), you can do the following:

  1. Validate a client hostname.

If you are using a Microtenant, this option is hidden.

  1. View and add DNS search domains.

DNS search domains are unique per customer. When configuring Microtenants, DNS search domains that are added in the default tenant are inherited across Microtenants.

  1. Expand all rows in the table to see more information about each application segment.
  2. Set application segment configuration warnings.
  3. Add an application segment.
  4. Download the configuration information for the application segments to a CSV file. The file lists the application segments based on the selected table filters.
  5. Go to the AI-Powered Recommendations page to view and manage recommended application segments.
  6. Go to the Settings page to add parameters to recommended application segment findings.
  7. Filter the information that appears in the table. By default, no filters are applied.

If you are using a Microtenant, then the Microtenant Ownership Type filter is available. By default, the Configured within Microtenant filter option is applied to show the application segments configured within that specific Microtenant. The options for the filter are based on access type (Global, Configured within Microtenant, Shared to this Microtenant, and Share from this Microtenant). The only available operator for this filter type is Equals.

  1. View a list of all application segments that were configured for your organization. For each application segment, you can see:
    • Name: The name of the application segment. When you expand the row for an application segment, you can see:
      • Description: (Optional) Enter a description for the application segment.
      • Segment Group: The segment group that the application segment is a member of.
      • Server Groups: The server groups that the applications are hosted on.
      • Double Encryption: Indicates whether Double Encryption is enabled or disabled for all applications. By default, if a Browser Access-enabled application was defined, Double Encryption is disabled.
      • Bypass: Indicates whether users can bypass Private Applications to access applications.
      • Zscaler Client Connector can receive CNAME: Indicates if Zscaler Client Connector receives CNAME DNS records from App Connectors.
      • Source IP Anchor: Indicates if Source IP Anchoring is enabled or disabled for all applications.
      • ICMP Access: Indicates if ICMP communication is enabled or disabled for all applications.
      • App Connector Closest to Application: Indicates if the App Connector is closest to the application (Enabled) or closest to users (Disabled).
      • Inspect Traffic with ZIA: Indicates if the traffic for the application segments is enabled to be inspected.
      • Active Directory Inspection: Indicates if the traffic for the application segment is inspected with Active Directory (AD) Protection protocols.
      • Auto App Protection: Indicates if the traffic for the application segment is inspected with AppProtection protocols.

If an application segment is missing required settings, the incomplete configuration icon appears next to the name within the table. Edit it to resolve the configuration issues.

If an application segment is Source IP Anchoring-enabled, the information icon appears next to the name within the table.

  • Applications: A list of up to three defined applications within the application segment. Browser Access-enabled applications are denoted by a Browser Access icon. Privileged Remote Access-enabled applications are denoted by a Privileged Remote Access icon. All other applications are denoted by a Zscaler Client Connector icon. If there are more than three applications, then only the number of defined applications appears.

For all applications, there is a link to view the Application Segment details with a list of all the applications for the application segment.

  • TCP Port Ranges: The TCP port ranges being used to access applications.
  • UDP Port Ranges: The UDP port ranges being used to access applications.
  • Certificate: The certificate that matches the fully qualified domain the user accesses when using Browser Access, Isolation, or Privileged Remote Access.
  • Protocol: The protocol that the application is using. Use HTTP or HTTPS for Browser Access and Browser Isolation. Use VNC, SSH, or RDP for Privileged Remote Access.
  • Server Port: The web server port number used when a request is made to access a Browser Access-enabled or Privileged Remote Access-enabled application.
  • Use Untrusted Certificates: Indicates whether Use Untrusted Certificates is enabled or disabled for a Browser Access-enabled or Privileged Remote Access-enabled application.

  • Status: Indicates whether the application segment is enabled or disabled.
  • Health Reporting: Indicates whether health reporting for the application is Continuous, On Access, or None. To learn more, see About Health Reporting.
  1. See a graphical view of how the application segment connects to other ZPA configuration objects (e.g., segment group, server groups).

You can edit any of the objects directly from the graphical view.

  1. Copy an existing application segment.
  2. Move the application segment in a Microtenant.

The Move icon is only visible if there are one or more Microtenants available. If you are using a Microtenant, the Share icon appears. If you share an application segment with another Microtenant, it appears as Shared to when you expand the application segment.

  1. Enable or disable Load Balance Server Groups.
  2. Edit an existing application segment.
  3. Download the configuration information for an application segment to a CSV file.
  4. Delete an application segment.

Zscaler recommends you consider the following when deleting an application segment:

  • If an application segment is referenced in a segment group and has a policy configured, the delete action is unavailable. An admin must manually review and remove the link to the policy to successfully delete the application segment. If an application segment is referenced by ZIA for Source IP Anchoring, the delete action is unavailable. A Lock icon appears in its place. To learn more, see About Source IP Anchoring.
  • If an application segment is configured using Zscaler Deception, then the copy, edit, and delete options are unavailable.
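
One way to act on the attack-surface point and the CSV download described above, as an added example (not Zscaler code): a Python audit that flags enabled segments exposing many ports or defined as wildcards or subnets. The column names, the `;` separator, the `lo-hi` range syntax, the `*.` wildcard prefix, and the 16-port threshold are assumptions; adjust them to the actual export.

```python
import csv
import ipaddress

# Constructed sample. Column names, ";" separators and "lo-hi" ranges are
# assumptions for this example, not the documented export schema.
SAMPLE_CSV = """\
Name,Applications,TCP Port Ranges,UDP Port Ranges,Status
hr-portal,hr.corp.example,443-443,,Enabled
discovery,*.corp.example,1-65535,1-65535,Enabled
lab-net,10.20.0.0/16,22-22;3389-3389,,Enabled
old-wiki,wiki.corp.example,80-80;443-443,,Disabled
"""

def port_count(ranges):
    """Number of distinct ports covered by a 'lo-hi;lo-hi' string."""
    ports = set()
    for part in filter(None, (p.strip() for p in ranges.split(";"))):
        lo, _, hi = part.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"bad port range: {part!r}")
        ports.update(range(lo, hi + 1))
    return len(ports)

def scope(app):
    """Classify one application entry as 'wildcard', 'subnet' or 'host'."""
    if app.startswith("*."):
        return "wildcard"
    try:
        return "subnet" if ipaddress.ip_network(app, strict=False).num_addresses > 1 else "host"
    except ValueError:
        return "host"  # FQDN or local domain name

def audit(csv_text, max_ports=16):
    """Map each enabled segment name to its findings; clean segments are omitted."""
    findings = {}
    for row in csv.DictReader(csv_text.splitlines()):
        if row["Status"].strip().lower() != "enabled":
            continue  # disabled segments grant no access
        issues = []
        for proto in ("TCP", "UDP"):
            n = port_count(row[f"{proto} Port Ranges"])
            if n > max_ports:
                issues.append(f"{proto}: {n} ports")
        for app in (a.strip() for a in row["Applications"].split(";")):
            if scope(app) != "host":
                issues.append(f"{scope(app)}: {app}")
        if issues:
            findings[row["Name"]] = issues
    return findings
```

Wildcard and subnet entries are legitimate for application discovery; the audit lists them so that each one can be reviewed against the access policies that reference it.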
