
About Disaster Recovery Settings

After you have enabled disaster recovery application segments, Private Service Edges, and App Connector Groups, you can set up the authentication validation window for Disaster Recovery Mode, enter the DNS name, and upload the DNS Public Key. To learn more, see Understanding Disaster Recovery.

Disaster recovery settings provide the following benefits and enable you to:

  • Ensure business continuity in the event of a disaster scenario that impacts the global Zscaler cloud infrastructure.
  • Provide users with access to critical applications, App Connectors, and Private Service Edges during a disaster scenario.

About the Disaster Recovery Settings Page

On the Disaster Recovery Settings page (Infrastructure > Private Access > Business Continuity > Disaster Recovery), you can do the following:

  1. View and manage the disaster recovery settings.
  2. Go to the Disaster Recovery Application Segments page to view the application segments designated for disaster recovery.
  3. Go to the Disaster Recovery Private Service Edge Groups page to view the Private Service Edge groups designated for disaster recovery.
  4. Go to the Disaster Recovery App Connector Groups page to view the App Connector Groups designated for disaster recovery.
  5. Download the Zscaler DNS Record Generator. The Zscaler DNS Record Generator creates the DNS TXT records and the private and public keys used to verify the activation of Disaster Recovery Mode.

Configuring Disaster Recovery Settings

To configure Disaster Recovery Settings:

  1. Go to the Settings tab.
  2. Complete the following fields:
    1. Max Age for Authentication: Review your timeout policy and decide the maximum length of time you want disaster recovery to be set for, then enter that amount in days, weeks, or months. This value is how long the current end user authentication remains valid during Disaster Recovery Mode. The default maximum age for authentication is 14 days.

      Zscaler recommends configuring the Max Age for Authentication value to be greater than or equal to the Authentication Timeout value of your timeout policy.

    2. Disaster Recovery Public Key: Upload a public key generated by the DNS Record Generator. The DNS Record Generator creates both signed and unsigned public and private keys, but you only need to upload the public key. This public key verifies that the DNS name is signed with the selected private key. The public key is only applicable if you are signing the DNS TXT records. To learn more, see Creating DNS TXT Records. You can also delete the public key by clicking the Delete icon or download it by clicking the Download icon.

      Zscaler provides the DNS Record Generator to create your DNS public and private keys, including the public key file that you upload. To learn more, see Understanding and Installing the Zscaler DNS Record Generator.

    3. Disaster Recovery Domain Name: Enter an administrator-controlled valid domain name or a subdomain (e.g., zpadr.zscaler.com) that is used to trigger or exit Disaster Recovery Mode. The disaster recovery domain name hosts these two types of DNS record names: the TXT record name and the A record name. Disaster recovery is triggered or exited through the TXT record. Ensure you enter all of the IP addresses of the disaster recovery-enabled Private Service Edges into the A records under the disaster recovery domain or subdomain you created (e.g., the domain zpadr.zscaler.com can have four A records corresponding to each of the disaster recovery-enabled Private Service Edges). This domain name is also used by Zscaler Client Connector to connect to the Private Service Edge for Disaster Recovery Mode, based on the A records included in the DNS response.
  3. Click Save.
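
A check for the A records described under Disaster Recovery Domain Name, as an added example (not Zscaler code or tooling): it compares the A records published for the disaster recovery domain with your inventory of disaster recovery-enabled Private Service Edge IP addresses. The domain zpadr.example.com, all addresses, and the function names are assumptions; the sample input is constructed in the format printed by `dig +noall +answer`.

```python
import ipaddress

# Constructed sample in the format of `dig +noall +answer zpadr.example.com A`.
# The domain and addresses are placeholders (RFC 5737 documentation ranges).
SAMPLE_DIG_ANSWER = """\
zpadr.example.com.  300 IN A 192.0.2.10
zpadr.example.com.  300 IN A 192.0.2.11
zpadr.example.com.  300 IN A 198.51.100.7
other.example.com.  300 IN A 203.0.113.5
"""

# Constructed inventory of disaster recovery-enabled Private Service Edges.
SAMPLE_PSE_IPS = ["192.0.2.10", "192.0.2.11", "192.0.2.12"]


def parse_a_records(dig_answer, domain):
    """Return the set of IPv4 addresses in A records owned by `domain`."""
    want = domain.rstrip(".").lower()
    found = set()
    for line in dig_answer.splitlines():
        fields = line.split()
        # Answer lines have five fields: name, TTL, class, type, rdata.
        if len(fields) != 5 or fields[2].upper() != "IN" or fields[3].upper() != "A":
            continue
        if fields[0].rstrip(".").lower() != want:
            continue  # record belongs to a different name
        found.add(ipaddress.IPv4Address(fields[4]))
    return found


def audit_dr_a_records(dig_answer, domain, pse_ips):
    """Compare published A records with the DR-enabled PSE inventory."""
    published = parse_a_records(dig_answer, domain)
    expected = {ipaddress.IPv4Address(ip) for ip in pse_ips}
    return {
        # Private Service Edges absent from the DNS response clients receive.
        "missing": [str(ip) for ip in sorted(expected - published)],
        # Published addresses that are not in the DR-enabled inventory.
        "unexpected": [str(ip) for ip in sorted(published - expected)],
    }


if __name__ == "__main__":
    report = audit_dr_a_records(SAMPLE_DIG_ANSWER, "zpadr.example.com", SAMPLE_PSE_IPS)
    for kind, ips in report.items():
        print(f"{kind}: {', '.join(ips) or 'none'}")
```

Run it against the output of your own resolver query and inventory whenever a Private Service Edge is added to or removed from a disaster recovery group; both lists should be empty.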

Related Articles

  • Understanding Disaster Recovery
  • Configuring Disaster Recovery
  • About Disaster Recovery Settings
  • About Disaster Recovery Application Segments
  • About Disaster Recovery App Connector Groups
  • About Disaster Recovery Private Service Edge Groups
  • Understanding and Installing the Zscaler DNS Record Generator
  • Creating DNS TXT Records
  • Managing Disaster Recovery Configuration and Binary Snapshots