This deployment guide provides information on prerequisites, how to deploy an App Connector on Red Hat Enterprise Linux 9.x (and 8.x), and post-deployment verification checks. For general information regarding App Connector deployment, see About Deploying App Connectors.

• Step 1: Make Sure You Have Met All App Connector Deployment Prerequisites

  Before deploying an App Connector on any supported platform, Zscaler highly recommends reading the following information and making the necessary changes to your organization's environment, where applicable.

  • App Connector Specifications and Sizing Requirements

    The following specifications are recommended by Zscaler for each App Connector:

    • Memory: 4 GB RAM

    For Zscaler Digital Experience (ZDX) deployments, Zscaler recommends App Connectors to have 8 GB of RAM.

    • CPU:
      • 2 CPU cores (Xeon E5 class) for physical machines without hyperthreading
      • 4 CPU cores (Xeon E5 class) for virtual machines (VMs) with hyperthreading
        • Both Amazon Web Services (AWS) and Google Cloud Platform (GCP) require a minimum of 4 CPU cores due to hyperthreading
          • To deploy an App Connector on AWS, Zscaler recommends using t3.xlarge (for non-production or low traffic App Connectors) or m5a.xlarge (for production or high traffic App Connectors)
          • To deploy an App Connector on GCP, Zscaler recommends using a Linux RPM on n2-standard-4 or n2-highcpu-4
        • Azure VMs older than V3 require 2 CPU cores, while VMs V3 and later require 4 CPU cores due to hyperthreading
          • To deploy an App Connector on Azure, Zscaler recommends using Standard_F4s_v2 or Standard_D4s_v3 or later

    To enable AppProtection using the default AppProtection profile provided by Zscaler, we recommend that your App Connectors have at least 8 CPU cores and 8 GB of memory. Ensure that your App Connectors are less than 40% for peak memory utilization and peak CPU utilization. If your CPU or memory utilization is above the suggested maximum, you need to add App Connectors to reach the maximum peak of 40% CPU and memory without AppProtection enabled. This rule also applies if you are using a smaller VM (4 CPUs, 4 GB). Your App Connector throughput might be 100 to 200 Mbps depending on App Connector sizing when using AppProtection. Monitor your App Connectors by going to the App Connector dashboard.

    The AppProtection recommendations are based on a mix of web traffic, 85% GET requests, and 15% POST and payload and response sizes of 32 KB. Smaller payload and response sizes might require less App Connector resources and result in higher throughput.

    For ZDX deployments, Zscaler recommends App Connectors to have 4 CPU cores.

    Using the PassMark Software Pty Ltd benchmark to verify the CPU Mark score, Zscaler recommends using a minimum CPU benchmark score of 2640 when choosing a CPU processor. The Intel Advanced Encryption Standard New Instructions (AES-NI) instruction set must also be enabled on the CPU processor.

    To learn more, see the App Connector Deployment Guide for your platform.

    • Disk Space: 64 GB (thin provisioned) for all deployment platforms
    • Network Card: 1 NIC (minimum)

    For VMware platform deployment, the default configuration to allow the host to dynamically allocate VM resources is not recommended. Configure the VM setting to reserve the following memory and CPU allocations:

    • Memory: 8 GB RAM
    • CPU: total CPU GHz (the number of cores (2 or 4 cores) multiplied by the GHz per core)

    To learn more, refer to the VMware documentation.

    Using these specifications, each App Connector supports up to 500 Mbps of throughput. To learn more, see Understanding App Connector Throughput in this article. Based on Zscaler's recommendations, determine the App Connector sizing requirements for your deployment. If disk space fills up in the App Connector, Zscaler recommends archiving files and creating more log space. To learn more, see Monitoring App Connector Performance.

    After an App Connector is enrolled, an outbound TLS tunnel over port 443 is established to the cloud infrastructure. This communication channel provides various functionality and utilizes minimal bandwidth, which includes the following traffic:

    • Periodic keepalives to Public Service Edges or Private Service Edges
    • Application learning
    • Application health reporting
    • App Connector software upgrades (upgrades are completed based on a weekly schedule)

    You can deploy additional App Connectors at any time, using the same provisioning key to add them to the existing App Connector Group, while ensuring network and internet connectivity. App Connectors are designed to scale elastically. You can deploy additional App Connectors in the same App Connector Group to increase the total throughput as required by your deployment. Zscaler recommends you have a minimum of two healthy App Connectors to always ensure an available path. To learn more, see About Deploying App Connectors and Supported Platforms for App Connectors.

    After deployment, ensure that the App Connector meets your sizing requirements. To learn more, see Verify App Connector Sizing Requirements.

    Understanding App Connector Throughput

    Throughput numbers are aggregate (i.e., total inbound and outbound). The following best practices apply regarding App Connector throughput sizing:

    • Check your existing VPN solution's average and peak throughput. Be sure to only account for user/client VPN traffic and not any site-to-site tunnel traffic.
    • App Connectors communicate over the provided (default) gateway, which is most likely your ISP WAN broadband connection.
    • Using double encryption affects throughput. However, the effect varies based on the number of applications that are enabled for double encryption.

    So, if you have a 1 Gbps connection (aggregate) in your data center, you can use the throughput guidelines in the following table to make sure that you have enough App Connectors to support the connection and room for failover (N+1). For example, with a 1 Gbps connection, you would need to deploy 2 to 3 App Connectors if your applications are not using double encryption, but 4 to 6 App Connectors if they are. To learn more, see Understanding Double Encryption.

    The following throughput guidelines apply based upon the recommended App Connector specifications:

    % of Applications with Double Encryption	Per App Connector Throughput
    0%	500 Mbps
    25%	437.5 Mbps
    50%	375 Mbps
    75%	312.5 Mbps
    100%	250 Mbps

    It is possible to increase App Connector throughput up to 1 Gbps per App Connector by running the App Connector on hardware with more memory and CPUs along with increased network link speed. If you have a 10 Gbps connection (aggregate) in your data center, and you want to increase the App Connector throughput up to 1 Gbps per App Connector, you can increase the underlying VM spec as follows:

    • 8 vCPU cores for virtual machines or 4 CPU cores for physical machines
    • 8 GB RAM

    The exact throughput can vary and depends on other network factors such as your internal network setup, latency, and whether you have double encryption, App Protection, and/or ZDX enabled. Make sure that you have enough App Connectors to support the connection and room for failover (N+1).

    Zscaler recommends that you have more App Connectors with lower specifications rather than fewer App Connectors with higher specifications to horizontally scale your deployment. For example, if you have fewer App Connectors with higher specifications and one fails, you could adversely affect more user application traffic/sessions than a smaller App Connector that fails.

    Close
  • App Connector Platform Prerequisites

    Before you begin any procedures within the App Connector Deployment Guide for your platform, make sure that you have the following:

    • Intel x86_64/AMD64-based architecture

    • systemd

    • Root or sudo access to the system to configure a new package repository and install packages

    • DNS resolution and network access

    • An App Connector provisioning key obtained from the Admin Portal

    • A static MAC address

    Close
  • App Connector Security Guidance and Firewall Requirements

    App Connectors can be deployed in different ways (as private cloud VMs, public cloud VMs, or OS packages), so the security features for each deployment type are slightly different.

    Zscaler recommends treating access to App Connectors as privileged, so only authorized personnel can access an App Connector's console. By limiting access, there is the added benefit of shielding inter-process communication within the App Connector from attack.

    Operating System Security

    The App Connector VMs distributed by Zscaler for use in private clouds are configured without any remotely accessible services running. Swap partitions are disabled on the App Connector VMs to ensure that memory growth does not have an impact on App Connector performance. For enhanced security, you must use the passwd command to change the credentials on the default admin account. To learn more, see the App Connector Deployment Guide for the platform you're using.

    Zscaler provides Security Technical Implementation Guide (STIG) VM images for AWS, GCP, Microsoft Azure, Nutanix, and VMware by default. To learn more, see App Connector Software by Platform. The remaining private and public cloud VM images provided by Zscaler are configured with minimal listening services to reduce the remotely exploitable attack surface. Because these are essentially unmodified operating systems (currently based on RHEL 9.x), you can patch these systems when necessary by using the standard yum OS update mechanism. Zscaler recommends that you harden the operating system, including the sshd-config file, on the VM images in accordance with your organization's security standards after initial deployment. To learn more, see Update App Connector System Software.

    To learn more about support for CentOS 7.x, see End-of-Support for CentOS 7.x, RHEL 7.x, and Oracle Linux 7.x.

    Because vulnerabilities are regularly found in core open-source components such as DNS resolvers and the Linux Kernel, Zscaler recommends either patching or using new Zscaler-distributed VM images on a regular basis, or protecting App Connectors using firewall policies. Additionally, if you've installed the App Connector as a package, Zscaler recommends that you take similar precautions.

    Some organizations choose to firewall or otherwise restrict outbound traffic to the internet from the data center. It is possible to deploy an App Connector in such an environment as long as the App Connector is able to reach all Zscaler data centers containing Public Service Edges. For firewall configuration information for your deployment, see config.zscaler.com/private.zscaler.com/zpa (for the private.zscaler.com cloud) or config.zscaler.com/zpatwo.net/zpa (for the zpatwo.net cloud). To learn more, see What Is My Cloud Name for ZPA?

    Firewall Requirements and Interoperability Guidelines

    All the Zscaler data centers containing Public Service Edges must be allowed. A partial firewall configuration can result in connectivity problems for end users. Zscaler’s policy is to provide a 90-day notice for activating additional IP CIDR ranges to provide organizations with sufficient opportunity for changing control policies.

    Because the service enforces TLS certificate pinning for both client and server certificates, all forms of inline or man-in-the-middle TLS interception or inspection must be disabled. App Connectors do not function if the TLS certificates presented by the Public Service Edges or Private Service Edges do not cryptographically verify against Zscaler-trusted public keys.

    By design, certificate verification is not configurable to maintain the integrity of the service. Ensure that *.prod.zpath.net is in your SSL bypass list for traffic originating from the App Connector. This is necessary for allowing the App Connector to resolve and reach Public Service Edges or Private Service Edges. If you need to allowlist additional Zscaler IP addresses, see config.zscaler.com/private.zscaler.com/zpa (for the private.zscaler.com cloud) or config.zscaler.com/zpatwo.net/zpa (for the zpatwo.net cloud). To learn more, see What Is My Cloud Name for ZPA?

    For Private Application integration with Digital Experience Monitoring, App Connector firewall requirements must align with the respective Digital Experience Monitoring configuration. You must configure the firewall to allow egress traffic on the TCP, UDP, and ICMP protocols. App Connectors must be able to egress traffic to port 443 for Zscaler Service Edge connections and the ports of all configured applications (i.e., ports that are configured in all application segments that are registered on the App Connector).

    Close

  After you have met all the prerequisites, you can deploy the App Connector on a supported platform.

  Close
• Step 2: Configure the Networking for the Deployed App Connector

  After you have deployed the App Connector on a supported platform, you can complete the following networking configurations:

  • Configure Additional Interfaces for an App Connector

    If necessary, additional changes can be made to interfaces by configuring new ones using nmcli connection add con-name or by renaming existing ones using nmcli connection modify.

    1. Log in to the App Connector console using your admin credentials.
    2. View the IP address.

    [admin@zpa-connector ~]$ ip addr show

    3. View the current connection profiles.

    [admin@zpa-connector ~]$ nmcli connection show

    4. Configure the interface's IP network using either a dynamic or static Ethernet configuration.

    For dynamic, modify the connection profile. For example:

    [admin@zpa-connector ~]$ sudo nmcli connection modify "Profile 1" ipv4.method auto

    For static, modify the connection profile and identify the IP addresses and gateway using the following format: <profile name> ipv4.method manual ipv4.addresses <address> ipv4.gateway <gateway IP>. For example:

    [admin@zpa-connector ~]$ sudo nmcli connection modify "Profile 1" ipv4.method manual ipv4.addresses 192.168.2.241/24 ipv4.gateway 192.168.2.254

    5. To apply the changes, bring the connection profile back up. For example:

    [admin@zpa-connector ~]$ sudo nmcli connection up "Profile 1" 

    6. Reverify the IP address.

    [admin@zpa-connector ~]$ ip addr show

    7. Reverify the new connection.

    [admin@zpa-connector ~]$ nmcli connection show

    Close
  • Configure an App Connector to Use an Explicit Proxy Server

    The proxy setting on the App Connector is used to proxy the traffic between the App Connector and the Private Service Edge. It is not used to proxy the traffic between the App Connector and internal applications.

    If your traffic is going through a proxy (i.e., traffic between the App Connector and the Public Service Edges or Private Service Edges), you must manually configure the App Connector to work through that proxy. The following procedure allows the App Connector to communicate with the broker by using CONNECT requests through a standard HTTP proxy server.

    To configure the App Connector to work through an explicit proxy:

    1. Log in to the App Connector console using your admin credentials.
    2. Create a file named /opt/zscaler/var/proxy. Use an editor, such as vi.

    [admin@zpa-connector ~]$ sudo vi /opt/zscaler/var/proxy

    Enter the proxy information using the following format: <Proxy Hostname or IP Address>:<Proxy Port> (e.g., 192.0.2.0:0).

    3. To apply the changes, restart the App Connector using the following command:

    [admin@zpa-connector ~]$ sudo systemctl restart zpa-connector

    The App Connector attempts to create a TLS session through the proxy specified previously.

    Close
  • Configure DHCP IP Addressing for an App Connector

    By default, virtual machine-based App Connectors are configured to use DHCP networking on their primary interface. If necessary, you can configure a static IP address for the App Connector.

    Close
  • Configure Domain Name System (DNS) Resolver for an App Connector

    DNS resolution is critical for the successful operation of the App Connector. App Connectors use DNS to discover applications, as well as enumerate each of the IP addresses that an application DNS name resolves to as a separately tracked and load-balanced server. During dynamic application discovery, DNS is used as the initial reachability check from each App Connector in an App Connector group. It is possible for App Connectors to function in partitioned environments where a subset of App Connectors are able to resolve a given DNS name without additional configuration. App Connectors must also be able to resolve external DNS names, such as those of the cloud infrastructure.

    1. Log in to the App Connector console using your admin credentials.
    2. View the current connection profile.

    [admin@zpa-connector ~]$ nmcli connection show

    3. Modify the DNS settings using the following format: <profile name> ipv4.dns <nameserver IP>. For example:

    [admin@zpa-connector ~]$ sudo nmcli connection modify "Profile 1" +ipv4.dns 192.168.2.241

    4. To apply the changes, bring the connection profile down and then back up. For example:

    [admin@zpa-connector ~]$ sudo nmcli connection down "Profile 1"

     [admin@zpa-connector ~]$ sudo nmcli connection up "Profile 1"

    5. Verify the nameservers record was added.

    [admin@zpa-connector ~]$ sudo cat /etc/resolv.conf

    Close
  • Configure Network Time Protocol (NTP) Servers for an App Connector

    You cannot configure NTP servers for App Connectors running on the Amazon Web Services (AWS) or Microsoft Azure platforms.

    To configure App Connectors to use internal NTP servers:

    1. Log in to the App Connector console using your admin credentials.
    2. Edit the /etc/chrony.conf file. Use an editor, such as vi.

    [admin@zpa-connector ~]$sudo vi /etc/chrony.conf

    Add your internal NTP servers to the list, for example:

    server 0.zscaler.pool.ntp.org iburst
    server 1.zscaler.pool.ntp.org iburst
    server 2.zscaler.pool.ntp.org iburst
    server 3.zscaler.pool.ntp.org iburst

    3. To apply the changes, restart the chrony daemon using the following command:

    [admin@zpa-connector ~]$ systemctl restart chronyd

    4. To verify the NTP servers, check that NTP is working successfully using the following command:

    [admin@zpa-connector ~]$ chronyc sources    

    Close
  • Configure a Proxy Bypass for an App Connector

    If an App Connector is configured to send traffic to a proxy, you can set up a proxy bypass on it for the traffic that needs to be exempted from the proxy (i.e., traffic between the App Connector and the Public Service Edges or Public Service Edges). To use a proxy bypass for an App Connector, a proxy bypass file needs to be added to the App Connector.

    To configure the App Connector to do a proxy bypass:

    1. Log in to the App Connector console using your admin credentials.
    2. Create a file named opt/zscaler/var/proxy-bypass. Use an editor, such as vi. For example:

    [admin@zpa-connector ~]$sudo vi /opt/zscaler/var/proxy-bypass

    3. Enter the necessary bypass entries using IP addresses, subnets, domains, or domains with a prefix wildcard. For example:

    1.2.3.4
    111.222.33.0/24
    myexampledomain.com
    *.internal.local

    4. To apply the changes, restart the App Connector using the following command:

    [admin@zpa-connector ~]$ sudo systemctl restart zpa-connector

    Close
  • Configure Static IP Addressing for an App Connector

    If DHCP is not available, you can configure a static IP address on a VM-based App Connector.

    1. Log in to the App Connector console using your admin credentials.
    2. View the current connection profile.

    [admin@zpa-connector ~]$ nmcli connection show

    3. Modify the connection profile using the following format: <profile name> connection.id <new connection name>. For example:

    [admin@zpa-connector ~]$ sudo nmcli connection modify "Profile 1" connection.id LAN

    4. Review the current connection profile.

    [admin@zpa-connector ~]$ nmcli connection show

    5. Edit the profile using a static IP and a default gateway with the following format: <connection ID> ipv4.method manual ipv4.addresses <IP addresses> ipv4.gateway <gateway IP> ipv4.dns <DNS IP> ipv4.dns-search <domain name>. For example:

    [admin@zpa-connector ~]$ sudo nmcli connection modify LAN ipv4.method manual ipv4.addresses 172.30.1.88/24 ipv4.gateway 172.30.1.1 ipv4.dns 172.30.1.254 ipv4.dns-search company.com

    6. To apply the changes, bring the connection ID back up. For example:

    [admin@zpa-connector ~]$ sudo nmcli connection up LAN 

    7. Verify the IP address.

    [admin@zpa-connector ~]$ ip addr show

    8. Verify the default gateway.

    [admin@zpa-connector ~]$ ip route show default

    9. Verify the DNS settings.

    [admin@zpa-connector ~]$ sudo cat /etc/resolv.conf

    Close
  • Configure Static Routing for an App Connector

    To add static routes to the interface control files for an App Connector:

    1. Log in to the App Connector console using your admin credentials.
    2. Edit the static route for an existing Ethernet connection using the following format: <profile name> ipv4.routes <address and gateway>. For example:

    [admin@zpa-connector ~]$ sudo nmcli connection modify "Profile 1" +ipv4.routes "192.168.2.241/24 10.10.10.1"

    3. To apply the changes, bring the connection profile down and then back up. For example:

    [admin@zpa-connector ~]$ sudo nmcli connection down "Profile 1"

     [admin@zpa-connector ~]$ sudo nmcli connection up "Profile 1"

    4. Verify the new route is added.

    [admin@zpa-connector ~]$ ip route
    

    Close
  • Configure TCP Communication Sockets for an App Connector

    To temporarily configure TCP communication sockets using the profs interface and the SO_KEEPALIVE socket option for an App Connector:

    1. Enable TCP Keepalive for your segment group in the Admin Portal. To learn more, see Configuring Defined Application Segments.

    The socket used for TCP communication is set to SO_KEEPALIVE and establishes an App Connector-to-Server connection. Communication using this socket looks at the system value corresponding to SO_KEEPALIVE and performs the action according to the parameters.

    2. Tune your App Connector's kernel to configure the TCP parameters and choose how the keepalive packets are sent using the following commands:

    # echo 600 > /proc/sys/net/ipv4/tcp_keepalive_time
    # echo 60 > /proc/sys/net/ipv4/tcp_keepalive_intvl
    # echo 20 > /proc/sys/net/ipv4/tcp_keepalive_probes

    Default values are used if no system parameters are chosen. The values in red represent examples of values that can be configured.

    Changes to the App Connector's kernel to configure the TCP parameters using the profs interface are temporary and return to default after reboot.

    To permanently configure TCP communication sockets using the sysctl interface:

    1. Enable TCP Keepalive for your segment group in the Admin Portal. To learn more, see Configuring Defined Application Segments.
    2. Edit your /etc/sysctl.conf using the following command:

    # vi /etc/sysctl.conf

    3. Tune your App Connector's kernel to configure the TCP parameters and choose how the keepalive packets are sent using the following commands:

    net.ipv4.tcp_keepalive_time = 60
    net.ipv4.tcp_keepalive_intvl = 10
    net.ipv4.tcp_keepalive_probes = 6

    Default values are used if no system parameters are chosen. The values in red represent examples of values that can be configured.

    4. To load the settings, enter the following command:

    # sysctl -p

    The keepalive packets have the following parameters:

    Parameter	Definition	Default Value
    tcp_keepalive_time	The interval between the last data packet sent (simple ACKs are not considered data) and the first keepalive probe; after the connection is marked to need keepalive, this counter is not used any further.	7,200 seconds (2 hours)
    tcp_keepalive_intvl	The interval between subsequent keepalive probes, regardless of what the connection has exchanged in the meantime.	75 seconds
    tcp_keepalive_probes	The number of unacknowledged probes to send before considering the connection dead and notifying the application layer. The tcp_keepalive_probes value is a pure number.	9

    For example:

    • If the tcp_keepalive_time value is one hour, the keepalive routines wait for one hour before sending the first keepalive probe, and then resend it at a 75-second interval according to the tcp_keepalive_intvl value.
    • If the tcp_keepalive_intvl value is 60 seconds, the keepalive probes are sent every 60 seconds after the initial tcp_keepalive_time value.
    • If the tcp_keepalive_probes value is 7, and no ACK response is received after 7 consecutive times, then the connection is marked as broken.

    If there is no data communication within the tcp_keepalive_time value, it sends out a keepalive probe to the app server:

    • If ACK is returned, another keepalive probe is sent after 2 hours (tcp_keepalive_time) if no data communication happens in between.
    • If RST is returned, then the socket closes.
    • If there is no reply, it resends the keepalive every 75 seconds (tcp_keepalive_intvl) for a reply, and it retries 9 times (tcp_keepalive_probes). If there is no reply after 9 probes, the socket closes.

    To learn more about configuring a kernel, refer to the Linux documentation.

    Close
  • Configure yum to Use an HTTP Proxy Server

    If you want to configure yum to communicate through an HTTP proxy server, refer to the CentOS and Red Hat documentation.

    To learn more about support for CentOS 7.x, RHEL 7.x, and Oracle Linux 7.x, see End-of-Support for CentOS 7.x, RHEL 7.x, and Oracle Linux 7.x.

    Close
  • Verify That Keepalive Is Enabled for TCP Sessions

    To see which TCP sessions have keepalive enabled and what their current timer is, run the ss command on the App Connector with the -t (tcp only) and -o (show timers) options:

    # ss -to
    State  Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
    ESTAB  0       0       10.18.4.210:42452   10.251.33.110:https  timer:(keepalive,29sec,0)

    For sessions that have keepalive enabled, timer information (timer:(<timer_name>,<expire_time>,<retrans>)) indicates when keepalive will be sent. To learn more, refer to the Linux documentation.

    Close

  Close
• Step 3: (Optional) Migrate App Connectors to Red Hat Enterprise Linux 9

  This article provides migration instructions to replace CentOS 7 instances with Red Hat Enterprise Linux 9 (RHEL 9). The enrollment and provisioning of new App Connectors can be automated in a few steps using Terraform (IaC) or Container Orchestration to further simplify deployment.

  To learn more about support for CentOS 7.x, see End-of-Support for CentOS 7.x, RHEL 7.x, and Oracle Linux 7.x.

  Note the following requirements for successfully migrating from CentOS 7 to RHEL 9:

  • Use a fresh install for all deployments.
  • The EL9 repository must be used with RHEL 9 base OS. Older platform binaries (EL7/EL8) are not supported.
  • Ensure that the/opt/zscaler/var folder is empty before install.
  • Yum upgrades from EL7/EL8 to RHEL9 are not supported.

  Use the following steps to migrate from CentOS 7 to RHEL 9:

  1. Use a current provisioning key or create a new App Connector group with a provisioning key for each location.

  2. Verify the version profile is Default, Previous Default, or New Release by doing one of the following:
     • If Persist Local Version Profile is Disabled, check the Version Profile that was inherited from the tenant.
       See image.

       

       Close
     • If Persist Local Version Profile is Enabled, select an option for the Version Profile.
       See image.

       

       Close

  3. Follow the step-by-step guide to deploy new VMs using the RHEL 9 images and newly created provisioning keys. Ensure the yum repository is pointing to the new RHEL 9 link: https://yum.private.zscaler.com/yum/el9

  Only RHEL 9 repositories and RPMs are supported on RHEL 9.

  4. Add the new App Connector groups to each respective server group.

     

  5. (Optional) Disable the App Connector groups 5 minutes prior to the regional off-hours maintenance window to allow connections to gradually drain down.

  6. During regional off hours, remove the CentOS 7 App Connector groups.

     

  Close
• Step 4: Deploy the App Connector on Red Hat Enterprise Linux 9

  To deploy an App Connector, you need to download the RPM package on the App Connector you're deploying. However in some cases, the App Connector might be unable to download the package, and you'll have to download it on a server instead. Choose one of the following deployment options depending on your situation.

  • Downloading the RPM package on the App Connector

    If the App Connector can download the RPM package:

    1. Log in to the App Connector console with sudo access or directly as the root user.
    2. Create a file named /etc/yum.repos.d/zscaler.repo. Use an editor, such as vi.

    [admin@zpa-connector ~]$ sudo vi /etc/yum.repos.d/zscaler.repo

    For Red Hat Enterprise Linux 9-based deployments, enter the following content within the file:

    [zscaler]
    name=Zscaler Private Access Repository
    baseurl=https://yum.private.zscaler.com/yum/el9
    enabled=1
    gpgcheck=1
    gpgkey=https://yum.private.zscaler.com/yum/el9/gpg

    For Red Hat Enterprise Linux 8-based deployments, you must use: https://yum.private.zscaler.com/yum/el8 as the baseurl and gpgkey=https://yum.private.zscaler.com/yum/el8/gpg as the gpgkey.

    For Red Hat Enterprise Linux 8-based deployments, enter the following content within the file:

    [zscaler]
    name=Zscaler Private Access Repository
    baseurl=https://yum.private.zscaler.com/yum/el8
    enabled=1
    gpgcheck=1
    gpgkey=https://yum.private.zscaler.com/yum/el8/gpg

    3. Install the package using the yum install command, for example:

    [admin@zpa-connector ~]$ sudo yum install zpa-connector

    If you have a proxy environment, you need to configure the proxy server IP address and proxy port in /etc/yum.conf. For example:

    proxy=http://10.0.0.1:8080

    To learn more, see Configure yum to Use an HTTP Proxy Server.

    4. The App Connector console asks for confirmation twice. Enter y both times and ensure that the GPG fingerprint matches, a6fe 2422 fce7 e8ac 672e 9e51 644e a315 8765 e1dd, as highlighted in green within the example below:

    [admin@zpa-connector ~]$ sudo yum install zpa-connector
    Loaded plugins: fastestmirror, langpacks
    Determining fastest mirrors
      * base: mirror.keystealth.org
      * epel: mirrors.kernel.org
      * extras: mirror.lug.udel.edu
      * updates: mirrors.cat.pdx.edu
    Resolving Dependencies
    --> Running transaction check
    ---> Package zpa-connector.x86_64 0:25.42.4-1.el9 will be installed
    --> Finished Dependency Resolution
    Dependencies Resolved
    ================================================================================
      Package               Arch        Version               Repository      Size
    ================================================================================
    Installing:
      zpa-connector         x86_64      25.42.4-1.el9         zscaler         1.1 M
    Transaction Summary
    ================================================================================
    Install 1 Package
    Total download size: 1.1 M
    Installed size: 2.9 M
    Is this ok [y/d/N]: y
    Downloading packages:
    warning: /var/cache/yum/x86_64/7/zscaler/packages/zpa-connector-25.42.4-1.el9.x86_64.rpm: Header V4 RSA/SHA1 Signature, key ID 8765e1dd: NOKEY kb 00:00:01 ETA
    Public key for zpa-connector-25.42.4-1.el9.x86_64.rpm is not installed
    zpa-connector-25.42.4-1.el9.x86_64.rpm                                                                                              | 1.1 MB      00:00:03
    Retrieving key from https://yum.private.zscaler.com/gpg
    Importing GPG key 0x8765E1DD:
      Userid     : "Zscaler, Inc. (External Package Repository Signing Key) <ext-pkg-repo@zscaler.com>"
      Fingerprint: a6fe 2422 fce7 e8ac 672e 9e51 644e a315 8765 e1dd
      From       : https://yum.private.zscaler.com/gpg
    Is this ok [y/N]: y
    Running transaction check
    Running transaction test
    Transaction test succeeded
    Running transaction
      Installing : zpa-connector-25.42.4-1.el9.x86_64                           1/1
      Verifying  : zpa-connector-25.42.4-1.el9.x86_64                           1/1
    Installed:
      zpa-connector.x86_64 0:25.42.4-1.el9
    Complete!    

    5. Apply the App Connector provisioning key.

    • See instructions.

      1. On Zscaler-provided virtual appliances, SSH is not enabled by default. It is required for a short time to configure the provisioning key for the App Connector. Complete the following steps to temporarily enable SSH:
         1. Log in to the App Connector console using your admin credentials.

      After the initial boot of an App Connector instance, it might take up to 15 minutes for the admin credentials to apply. So, if you receive an invalid credentials error after initial boot, wait a few minutes and try again.

      2. Start the SSH daemon using the following command:

      [admin@zpa-connector ~]$ sudo systemctl start sshd

      This command will temporarily enable SSH, but it will not persist if a reboot occurs. If you need SSH to remain enabled after a reboot, use the sudo systemctl enable sshd command.

      3. Verify the App Connector's IP address using the following command:

      [admin@zpa-connector ~]$ ip addr show

      The configuration output should look similar to the following:

      eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
      inet 192.0.2.1 netmask 255.255.255.128 broadcast 192.168.144.127
      inet6 fe80::20c:29ff:fef5:5d43 prefixlen 64 scopeid 0x20<link>
      ether 00:0c:29:f5:5d:43 txqueuelen 1000 (Ethernet)
      RX packets 8504 bytes 8732964 (8.3 MiB)
      RX errors 0 dropped 0 overruns 0 frame 0
      TX packets 4900 bytes 427768 (417.7 KiB)
      TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

      4. SSH into the virtual machine (VM) using a standard SSH client. Using the previous example, the App Connector IP address is 192.0.2.1:

      [admin@zpa-connector ~]$ ssh admin@192.0.2.1

      [admin@zpa-connector ~]$ sudo systemctl stop zpa-connector

      2. Create a provisioning key file with 644 permissions, at /opt/zscaler/var/provision_key. For example:

      [admin@zpa-connector ~]$ sudo touch /opt/zscaler/var/provision_key
      [admin@zpa-connector ~]$ sudo chmod 644 /opt/zscaler/var/provision_key

      3. Copy the provisioning key from the Admin Portal, paste it into the file, and save. Use an editor, such as vi.

      [admin@zpa-connector ~]$ sudo vi /opt/zscaler/var/provision_key

      If you are using vi, make sure it is in insert mode before you paste the key into the file.

      If you are unfamiliar with the vi editor, you can also use the following echo and tee commands to paste in the provisioning key:

      echo "<App Connector Provisioning Key>" | sudo tee /opt/zscaler/var/provision_key

      Make sure that the key is within double quotes (").

      4. Enter the following command to verify the file's content:

      [admin@zpa-connector ~]$ sudo cat /opt/zscaler/var/provision_key

      The output should return the provisioning key you entered in the previous step.

      5. Start the zpa-connector service.

      [admin@zpa-connector ~]$ sudo systemctl start zpa-connector

      3. After the App Connector is enrolled, disable SSH using the following command:

      [admin@zpa-connector ~]$ sudo systemctl stop sshd

      However, if you used the sudo systemctl enable sshd command for Step a.ii above, then enter the sudo systemctl disable sshd command.

      Close

    After the App Connector provisioning key is applied, and you have made any necessary network configuration changes, be sure to verify that the deployed App Connector is running and healthy.

    6. Zscaler highly recommends updating the App Connector system software before proceeding.

    Console outputs reference 25.42.4-1.el9 if you are using the App Connector RPM package for Red Hat Enterprise Linux 9-based deployments.

    Close
  • Downloading the RPM package on a Server

    If the App Connector can't download the RPM package, you must download the package on a server.

    To download the RPM on a server:

    1. Download the following files on a server with access:
       • For Red Hat Enterprise Linux 8-based deployments:
         • RPM package (zpa-connector.rpm)
         • GPG public key (https://yum.private.zscaler.com/yum/el8/gpg)
       • For Red Hat Enterprise Linux 9-based deployments
         • RPM package (zpa-connector.rpm)
         • GPG public key (https://yum.private.zscaler.com/yum/el9/gpg)
    2. Use the scp command to copy the RPM package and GPG public key to the App Connector. For example:

    $ scp zpa-connector-25.42.4-1.el9.x86_64.rpm admin@<App Connector Hostname or IP Address>
    $ scp gpg admin@<App Connector Hostname or IP Address>
    

    3. On the App Connector console, verify that the RPM package is signed by entering the following command:

    [admin@zpa-connector ~]$ rpm --import <GPG public key file>

    4. After the RPM package has been verified, enter the following command:

    [admin@zpa-connector ~]$ rpm -i <RPM package file>

    5. Apply the App Connector provisioning key.

    • See instructions.

      1. On Zscaler-provided virtual appliances, SSH is not enabled by default. It is required for a short time to configure the provisioning key for the App Connector. Complete the following steps to temporarily enable SSH:
         1. Log in to the App Connector console using your admin credentials.

      After the initial boot of an App Connector instance, it might take up to 15 minutes for the admin credentials to apply. So, if you receive an invalid credentials error after the initial boot, wait a few minutes and try again.

      2. Start the SSH daemon using the following command:

      [admin@zpa-connector ~]$ sudo systemctl start sshd

      This command will temporarily enable SSH, but it will not persist if a reboot occurs. If you need SSH to remain enabled after a reboot, use the sudo systemctl enable sshd command.

      3. Verify the App Connector's IP address using the following command:

      [admin@zpa-connector ~]$ ip addr show

      The configuration output should look similar to the following:

      eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
      inet 192.0.2.1 netmask 255.255.255.128 broadcast 192.168.144.127
      inet6 fe80::20c:29ff:fef5:5d43 prefixlen 64 scopeid 0x20<link>
      ether 00:0c:29:f5:5d:43 txqueuelen 1000 (Ethernet)
      RX packets 8504 bytes 8732964 (8.3 MiB)
      RX errors 0 dropped 0 overruns 0 frame 0
      TX packets 4900 bytes 427768 (417.7 KiB)
      TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0,broadcast,running,multicast>

      4. SSH into the virtual machine (VM) using a standard SSH client. Using the previous example, the App Connector IP address is 192.0.2.1:

      [admin@zpa-connector ~]$ ssh admin@192.0.2.1

      2. Populate the provisioning key file.
         1. Stop the running zpa-connector service. If the provisioning key was not detected when the App Connector was first started, the App Connector is in a sleep cycle and will look for the key again every 24 hours.

      [admin@zpa-connector ~]$ sudo systemctl stop zpa-connector

      2. Create a provisioning key file with 644 permissions, at /opt/zscaler/var/provision_key. For example:

      [admin@zpa-connector ~]$ sudo touch /opt/zscaler/var/provision_key
      [admin@zpa-connector ~]$ sudo chmod 644 /opt/zscaler/var/provision_key

      3. Copy the provisioning key from the Admin Portal, paste it into the file, and save. Use an editor, such as vi.

      [admin@zpa-connector ~]$ sudo vi /opt/zscaler/var/provision_key

      If you are using vi, make sure it is in insert mode before you paste the key into the file.

      If you are unfamiliar with the vi editor, you can also use the following echo and tee commands to paste in the provisioning key:

      echo "<App Connector Provisioning Key>" | sudo tee /opt/zscaler/var/provision_key

      Make sure that the key is within double quotes (").

      4. Enter the following command to verify the file's content:

      [admin@zpa-connector ~]$ sudo cat /opt/zscaler/var/provision_key

      The output should return the provisioning key you entered in the previous step.

      5. Start the zpa-connector service.

      [admin@zpa-connector ~]$ sudo systemctl start zpa-connector

      3. After the App Connector is enrolled, disable SSH using the following command:

      [admin@zpa-connector ~]$ sudo systemctl stop sshd

      However, if you used the sudo systemctl enable sshd command for Step a.ii above, then enter the sudo systemctl disable sshd command.

      Close

    After the App Connector provisioning key is applied, and you have made any necessary network configuration changes, be sure to verify that the deployed App Connector is running and healthy.

    6. Zscaler highly recommends updating the App Connector system software before proceeding.

    Close

  Close
• Step 5: Verify that the deployed App Connector is running and healthy. Also, check that it is meeting your sizing requirements.

After you have verified your deployment, you can perform additional tasks to maintain the system (i.e., changing your App Connector console admin credentials or performing system software updates). To learn more, see Managing Deployed App Connectors.

After App Connectors are deployed, you can:

• Create application segments and access policies to pass application traffic. For example, to test your configuration, consider setting up a simple application segment that allows SSH access to your App Connectors.
• Configure a log receiver for your App Connectors to receive information about your App Connectors or users via the Log Streaming Service (LSS).