icon-unified.svg
Experience Center

App Connector Deployment Guide for Nutanix AHV

This deployment guide provides information on prerequisites, how to deploy an App Connector on Nutanix AHV, and post-deployment verification checks. For general information regarding App Connector deployment for Private Applications, see About Deploying App Connectors.

  • Before deploying a ZPA App Connector on any supported platform, Zscaler highly recommends reading the following information and making the necessary changes to your organization's environment, where applicable.

    • The following specifications are recommended by Zscaler for each ZPA App Connector:

      • Memory: 4 GB RAM

      For Zscaler Digital Experience (ZDX) deployments, Zscaler recommends App Connectors to have 8 GB of RAM.

      • CPU:
        • 2 CPU cores (Xeon E5 class) for physical machines without hyperthreading
        • 4 CPU cores (Xeon E5 class) for virtual machines (VMs) with hyperthreading
          • Both Amazon Web Services (AWS) and Google Cloud Platform (GCP) require a minimum of 4 CPU cores due to hyperthreading
            • To deploy an App Connector on AWS, Zscaler recommends using t3.xlarge (for non-production or low traffic App Connectors) or m5a.xlarge (for production or high traffic App Connectors)
            • To deploy an App Connector on GCP, Zscaler recommends using a Linux RPM on n2-standard-4 or n2-highcpu-4
          • Azure VMs older than V3 require 2 CPU cores, while VMs V3 and later require 4 CPU cores due to hyperthreading
            • To deploy an App Connector on Azure, Zscaler recommends using Standard_F4s_v2 or Standard_D4s_v3 or later

      To enable AppProtection using the default AppProtection profile provided by Zscaler, we recommend that your App Connectors have at least 8 CPU cores and 8 GB of memory. Ensure that your App Connectors are less than 40% for peak memory utilization and peak CPU utilization. If your CPU or memory utilization is above the suggested maximum, you need to add App Connectors to reach the maximum peak of 40% CPU and memory without AppProtection enabled. This rule also applies if you are using a smaller VM (4 CPUs, 4 GB). Your App Connector throughput might be 100 to 200 Mbps depending on App Connector sizing when using AppProtection. Monitor your App Connectors by going to the App Connector dashboard.

      The AppProtection recommendations are based on a mix of web traffic, 85% GET requests, and 15% POST and payload and response sizes of 32 KB. Smaller payload and response sizes might require less App Connector resources and result in higher throughput.

      For ZDX deployments, Zscaler recommends App Connectors to have 4 CPU cores.

      Using the PassMark Software Pty Ltd benchmark to verify the CPU Mark score, Zscaler recommends using a minimum CPU benchmark score of 2640 when choosing a CPU processor. The Intel Advanced Encryption Standard New Instructions (AES-NI) instruction set must also be enabled on the CPU processor.

      To learn more, see the App Connector Deployment Guide for your platform.

      • Disk Space: 64 GB (thin provisioned) for all deployment platforms
      • Network Card: 1 NIC (minimum)

      For VMware platform deployment, the default configuration to allow the host to dynamically allocate VM resources is not recommended. Configure the VM setting to reserve the following memory and CPU allocations:

      • Memory: 8 GB RAM
      • CPU: total CPU GHz (the number of cores (2 or 4 cores) multiplied by the GHz per core)

      To learn more, refer to the VMware documentation.

      Using these specifications, each App Connector supports up to 500 Mbps of throughput. To learn more, see Understanding App Connector Throughput in this article. Based on Zscaler's recommendations, determine the App Connector sizing requirements for your deployment. If disk space fills up in the App Connector, Zscaler recommends archiving files and creating more log space. To learn more, see Monitoring App Connector Performance.

      After an App Connector is enrolled, an outbound TLS tunnel over port 443 is established to the ZPA cloud infrastructure. This communication channel provides various functionality and utilizes minimal bandwidth, which includes the following traffic:

      • Periodic keepalives to ZPA Public Service Edges or ZPA Private Service Edges
      • Application learning
      • Application health reporting
      • App Connector software upgrades (upgrades are completed based on a weekly schedule)

      You can deploy additional App Connectors at any time, using the same provisioning key to add them to the existing App Connector Group, while ensuring network and internet connectivity. App Connectors are designed to scale elastically. You can deploy additional App Connectors in the same App Connector Group to increase the total throughput as required by your deployment. Zscaler recommends you have a minimum of two healthy App Connectors to always ensure an available path. To learn more, see About Deploying App Connectors and Supported Platforms for App Connectors.

      After deployment, ensure that the App Connector meets your sizing requirements. To learn more, see Verify App Connector Sizing Requirements.

      Understanding App Connector Throughput

      Throughput numbers are aggregate (i.e., total inbound and outbound). The following best practices apply regarding App Connector throughput sizing:

      • Check your existing VPN solution's average and peak throughput. Be sure to only account for user/client VPN traffic and not any site-to-site tunnel traffic.
      • App Connectors communicate over the provided (default) gateway, which is most likely your ISP WAN broadband connection.
      • Using double encryption affects throughput. However, the effect varies based on the number of applications that are enabled for double encryption.

      So, if you have a 1 Gbps connection (aggregate) in your data center, you can use the throughput guidelines in the following table to make sure that you have enough App Connectors to support the connection and room for failover (N+1). For example, with a 1 Gbps connection, you would need to deploy 2 to 3 App Connectors if your applications are not using double encryption, but 4 to 6 App Connectors if they are. To learn more, see Understanding Double Encryption.

      The following throughput guidelines apply based upon the recommended App Connector specifications:

      % of Applications with Double EncryptionPer App Connector Throughput
      0%500 Mbps
      25%437.5 Mbps
      50%375 Mbps
      75%312.5 Mbps
      100%250 Mbps

      It is possible to increase App Connector throughput up to 1 Gbps per App Connector by running the App Connector on hardware with more memory and CPUs along with increased network link speed. If you have a 10 Gbps connection (aggregate) in your data center, and you want to increase the App Connector throughput up to 1 Gbps per App Connector, you can increase the underlying VM spec as follows:

      • 8 vCPU cores for virtual machines or 4 CPU cores for physical machines
      • 8 GB RAM

      The exact throughput can vary and depends on other network factors such as your internal network setup, latency, and whether you have double encryption, App Protection, and/or ZDX enabled. Make sure that you have enough App Connectors to support the connection and room for failover (N+1).

      Zscaler recommends that you have more App Connectors with lower specifications rather than fewer App Connectors with higher specifications to horizontally scale your deployment. For example, if you have fewer App Connectors with higher specifications and one fails, you could adversely affect more user application traffic/sessions than a smaller App Connector that fails.

      Close

    • Before you begin any procedures within the App Connector Deployment Guide for your platform, make sure that you have the following:

      • Intel x86_64/AMD64-based architecture

      • systemd

      • Root or sudo access to the system to configure a new package repository and install packages

      • DNS resolution and network access

      • An App Connector provisioning key obtained from the ZPA Admin Portal

      • A static MAC address

      Close

    • App Connectors can be deployed in different ways (as private cloud VMs, public cloud VMs, or OS packages), so the security features for each deployment type are slightly different.

      Zscaler recommends treating access to App Connectors as privileged, so only authorized personnel can access an App Connector's console. By limiting access, there is the added benefit of shielding inter-process communication within the App Connector from attack.

      Operating System Security

      The App Connector VMs distributed by Zscaler for use in private clouds are configured without any remotely accessible services running. Swap partitions are disabled on the App Connector VMs to ensure that memory growth does not have an impact on App Connector performance. For enhanced security, you must use the passwd command to change the credentials on the default admin account. To learn more, see the App Connector Deployment Guide for the platform you're using.

      ZPA provides Security Technical Implementation Guide (STIG) VM images for AWS, GCP, Microsoft Azure, Nutanix, and VMware by default. To learn more, see App Connector Software by Platform. The remaining private and public cloud VM images provided by Zscaler are configured with minimal listening services to reduce the remotely exploitable attack surface. Because these are essentially unmodified operating systems (currently based on RHEL 9.x), you can patch these systems when necessary by using the standard yum OS update mechanism. Zscaler recommends that you harden the operating system, including the sshd-config file, on the VM images in accordance with your organization's security standards after initial deployment. To learn more, see Update App Connector System Software.

      To learn more about support for CentOS 7.x, see End-of-Support for CentOS 7.x, RHEL 7.x, and Oracle Linux 7.x.

      Because vulnerabilities are regularly found in core open-source components such as DNS resolvers and the Linux Kernel, Zscaler recommends either patching or using new Zscaler-distributed VM images on a regular basis, or protecting App Connectors using firewall policies. Additionally, if you've installed the App Connector as a package, Zscaler recommends that you take similar precautions.

      Some organizations choose to firewall or otherwise restrict outbound traffic to the internet from the data center. It is possible to deploy an App Connector in such an environment as long as the App Connector is able to reach all Zscaler data centers containing ZPA Public Service Edges. For firewall configuration information for your deployment, see config.zscaler.com/private.zscaler.com/zpa (for the private.zscaler.com cloud) or config.zscaler.com/zpatwo.net/zpa (for the zpatwo.net cloud). To learn more, see What Is My Cloud Name for ZPA?

      Firewall Requirements and Interoperability Guidelines

      All the Zscaler data centers containing ZPA Public Service Edges must be allowed. A partial firewall configuration can result in connectivity problems for end users. Zscaler’s policy is to provide a 90-day notice for activating additional IP CIDR ranges to provide organizations with sufficient opportunity for changing control policies.

      Because the service enforces TLS certificate pinning for both client and server certificates, all forms of inline or man-in-the-middle TLS interception or inspection must be disabled. App Connectors do not function if the TLS certificates presented by the ZPA Public Service Edges or ZPA Private Service Edges do not cryptographically verify against Zscaler-trusted public keys.

      By design, certificate verification is not configurable to maintain the integrity of the service. Ensure that *.prod.zpath.net is in your SSL bypass list for traffic originating from the App Connector. This is necessary for allowing the App Connector to resolve and reach ZPA Public Service Edges or ZPA Private Service Edges. If you need to allowlist additional Zscaler IP addresses, see config.zscaler.com/private.zscaler.com/zpa (for the private.zscaler.com cloud) or config.zscaler.com/zpatwo.net/zpa (for the zpatwo.net cloud). To learn more, see What Is My Cloud Name for ZPA?

      For ZPA integration with ZDX, App Connector firewall requirements must align with the respective ZDX configuration. You must configure the firewall to allow egress traffic on the TCP, UDP, and ICMP protocols. App Connectors must be able to egress traffic to port 443 for Zscaler Service Edge connections and the ports of all configured applications (i.e., ports that are configured in all application segments that are registered on the App Connector).

      Close

    After you have met all the prerequisites, you can deploy the App Connector on a supported platform.

    Close

  • This procedure describes how to deploy a virtual appliance on Nutanix AHV.

    Before you deploy a virtual appliance on Nutanix AHV, you must obtain the latest Zscaler App Connector OVA. Use the following link to download the latest VMware image from Zscaler: https://dist.private.zscaler.com/vms/VMware/2023.12/zpa-connector-2023.12.ova.

    After you obtain the latest Zscaler App Connector OVA, upload the OVA to one of the following platforms:

    The procedures in this article cover deployment of a virtual appliance on Nutanix AHV by uploading the OVA to Prism Element.

    To deploy a virtual appliance on Nutanix AHV:

    1. Extract the VMDK file from the OVA. Right-click the OVA file and then click 7-Zip > Extract files... to extract the files.
    2. Select the destination of the files and click OK.
    3. Upload the VMDK file to Prism Element.
      1. Log in to Prism Element.
      2. Click Settings and then click Image Configuration.

    1. Click Upload Image. The Create Image window appears.

    1. In the Create Image window, enter the following:
    • Name: The name of the VM.
    • Image Type: Select DISK from the Image Type drop-down menu.

    1. For Image Source, select Upload a file.
      1. Click Choose File and select the VMDK file extracted in Step 1.b.
      2. Click Open.
    2. Click Save.
    3. Return to the Image Configuration page Image Configuration) and verify that the image is listed as ACTIVE in the table.

    1. Create the VM.
      1. Click VM.
      2. In the Table tab, click Create VM.

    The Create VM window appears.

    1. Under General Information, enter the following information:
    • Name: The name of the VM.
    • Timezone: The timezone of the VM.

    1. Under Compute Details, enter the following information:
    • vCPU(s): The CPU of the VM (e.g., 1 core of 2 cores).
    • Number Of Cores Per vCPU: The number of cores for the virtual CPU. The minimum required value is 4.
    • Memory: The memory of the VM (e.g., 8 GB or 4 GB).

    1. Under Disks, click the Delete icon to remove the CD-ROM disk type.

    1. Click Yes when prompted to delete the disk.
    2. Click Add New Disk.

    1. In the Add Disk window, enter the following parameters, then click Add:
    • Type: Disk
    • Operation: Clone from Image Service
    • Bug Type: SCSI
    • Image: Select the image uploaded in Step 2.

    The Size field is auto-populated based on the selected image.

    After adding the disk, you may click the Edit icon to edit the disk.

    1. Under Network Adapters (NIC), click Add New NIC.

    1. In the Create NIC window, select NR_PRT_DHCP in the Subnet Name drop-down menu, then click Add.

    1. Click Save.
    2. In the Table tab VM, search for the VM by name.

    1. Select the VM to view the VM details.
    2. Click Power On.

    1. Click Launch Console to configure the provisioning key.

    1. Apply the App Connector provisioning key.
      1. On Zscaler-provided virtual appliances, SSH is not enabled by default. It is required for a short time to configure the provisioning key for the App Connector. Complete the following steps to temporarily enable SSH:
        1. Log in to the App Connector console using your admin credentials.

      After the initial boot of an App Connector instance, it might take up to 15 minutes for the admin credentials to apply. So, if you receive an invalid credentials error after initial boot, wait a few minutes and try again.

      1. Start the SSH daemon using the following command:
      [admin@zpa-connector ~]$ sudo systemctl start sshd

      This command temporarily enables SSH, but it does not persist if a reboot occurs. If you need SSH to remain enabled after a reboot, use the sudo systemctl enable sshd command.

      1. Verify the App Connector's IP address using the following command:
      [admin@zpa-connector ~]$ ifconfig

      The configuration output should look similar to the following:

      eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
                inet 192.0.2.1 netmask 255.255.255.128 broadcast 192.168.144.127
                inet6 fe80::20c:29ff:fef5:5d43 prefixlen 64 scopeid 0x20<link>
                ether 00:0c:29:f5:5d:43 txqueuelen 1000 (Ethernet)
                RX packets 8504 bytes 8732964 (8.3 MiB)
                RX errors 0 dropped 0 overruns 0 frame 0
                TX packets 4900 bytes 427768 (417.7 KiB)
                TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
      1. SSH into the virtual machine (VM) using a standard SSH client. Using the previous example, the App Connector IP address is 192.0.2.1:
      [admin@zpa-connector ~]$ ssh admin@192.0.2.1
      1. Populate the provisioning key file.
        1. Stop the running connector service. If the provisioning key was not detected when the App Connector was first started, the App Connector is in a sleep cycle and will look for the key again every 24 hours.
      [admin@zpa-connector ~]$ sudo systemctl stop zpa-connector
      1. Create a provisioning key file with 644 permissions at /opt/zscaler/var/provision_key. For example:
      [admin@zpa-connector ~]$ sudo touch /opt/zscaler/var/provision_key
        [admin@zpa-connector ~]$ sudo chmod 644 /opt/zscaler/var/provision_key
      1. Copy the provisioning key from the Admin Portal, paste it into the file, and save. Use an editor, such as vi.
      [admin@zpa-connector ~]$ sudo vi /opt/zscaler/var/provision_key

      If you are using vi, make sure it is in insert mode before you paste the key into the file.

      If you are unfamiliar with the vi editor, you can also use the following echo and tee commands to paste in the provisioning key:

      echo "<App Connector Provisioning Key>" | sudo tee /opt/zscaler/var/provision_key

      Make sure that the key is within double quotes (").

      1. Enter the following command to verify the file's content:
      [admin@zpa-connector ~]$ sudo cat /opt/zscaler/var/provision_key

      The output should return the provisioning key you entered in the previous step.

      1. Start the connector service.
      [admin@zpa-connector ~]$ sudo systemctl start zpa-connector
      1. After the App Connector is enrolled, disable SSH using the following command:
      [admin@zpa-connector ~]$ sudo systemctl stop sshd

      However, if you used the sudo systemctl enable sshd command for Step a.ii above, then enter the sudo systemctl disable sshd command.

      1. Run the following:
      [admin@zpa-connector ~]$ systemctl daemon-reload
        [admin@zpa-connector ~]$ systemctl start zpa-connector
      1. Zscaler highly recommends updating the App Connector system software before proceeding.
      Close
    Close

  • After you have deployed the App Connector on a supported platform, you can complete the following networking configurations:

    • If necessary, additional changes can be made to interfaces by configuring new ones using nmcli connection add con-name or by renaming existing ones using nmcli connection modify.

      1. Log in to the App Connector console using your admin credentials.
      2. View the IP address.
      [admin@zpa-connector ~]$ ip addr show
      1. View the current connection profiles.
      [admin@zpa-connector ~]$ nmcli connection show
      1. Configure the interface's IP network using either a dynamic or static Ethernet configuration.

      For dynamic, modify the connection profile. For example:

      [admin@zpa-connector ~]$ sudo nmcli connection modify "Profile 1" ipv4.method auto

      For static, modify the connection profile and identify the IP addresses and gateway using the following format: <profile name> ipv4.method manual ipv4.addresses <address> ipv4.gateway <gateway IP>. For example:

      [admin@zpa-connector ~]$ sudo nmcli connection modify "Profile 1" ipv4.method manual ipv4.addresses 192.168.2.241/24 ipv4.gateway 192.168.2.254
      1. To apply the changes, bring the connection profile back up. For example:
      [admin@zpa-connector ~]$ sudo nmcli connection up "Profile 1"
      1. Reverify the IP address.
      [admin@zpa-connector ~]$ ip addr show
      1. Reverify the new connection.
      [admin@zpa-connector ~]$ nmcli connection show
      Close

    • The proxy setting on the App Connector is used to proxy the traffic between the App Connector and the ZPA Private Service Edge. It is not used to proxy the traffic between the App Connector and internal applications.

      If your traffic is going through a proxy (i.e., traffic between the App Connector and the ZPA Public Service Edges or ZPA Private Service Edges), you must manually configure the App Connector to work through that proxy. The following procedure allows the App Connector to communicate with the broker by using CONNECT requests through a standard HTTP proxy server.

      To configure the App Connector to work through an explicit proxy:

      1. Log in to the App Connector console using your admin credentials.
      2. Create a file named /opt/zscaler/var/proxy. Use an editor, such as vi.
      [admin@zpa-connector ~]$ sudo vi /opt/zscaler/var/proxy

      Enter the proxy information using the following format: <Proxy Hostname or IP Address>:<Proxy Port> (e.g., 192.0.2.0:0).

      1. To apply the changes, restart the App Connector using the following command:
      [admin@zpa-connector ~]$ sudo systemctl restart zpa-connector

      The App Connector attempts to create a TLS session through the proxy specified previously.

      Close

    • By default, virtual machine-based App Connectors are configured to use DHCP networking on their primary interface. If necessary, you can configure a static IP address for the App Connector.

      Close

    • DNS resolution is critical for the successful operation of the App Connector. App Connectors use DNS to discover applications, as well as enumerate each of the IP addresses that an application DNS name resolves to as a separately tracked and load-balanced server. During dynamic application discovery, DNS is used as the initial reachability check from each App Connector in an App Connector group. It is possible for App Connectors to function in partitioned environments where a subset of App Connectors are able to resolve a given DNS name without additional configuration. App Connectors must also be able to resolve external DNS names, such as those of the ZPA cloud infrastructure.

      1. Log in to the App Connector console using your admin credentials.
      2. View the current connection profile.
      [admin@zpa-connector ~]$ nmcli connection show
      1. Modify the DNS settings using the following format: <profile name> ipv4.dns <nameserver IP>. For example:
      [admin@zpa-connector ~]$ sudo nmcli connection modify "Profile 1" +ipv4.dns 192.168.2.241
      1. To apply the changes, bring the connection profile down and then back up. For example:
      [admin@zpa-connector ~]$ sudo nmcli connection down "Profile 1"
       [admin@zpa-connector ~]$ sudo nmcli connection up "Profile 1"
      1. Verify the nameservers record was added.
      [admin@zpa-connector ~]$ sudo cat /etc/resolv.conf
      Close

    • You cannot configure NTP servers for App Connectors running on the Amazon Web Services (AWS) or Microsoft Azure platforms.

      To configure App Connectors to use internal NTP servers:

      1. Log in to the App Connector console using your admin credentials.
      2. Edit the /etc/chrony.conf file. Use an editor, such as vi.
      [admin@zpa-connector ~]$sudo vi /etc/chrony.conf

      Add your internal NTP servers to the list, for example:

      server 0.zscaler.pool.ntp.org iburst
server 1.zscaler.pool.ntp.org iburst
server 2.zscaler.pool.ntp.org iburst
server 3.zscaler.pool.ntp.org iburst
      1. To apply the changes, restart the chrony daemon using the following command:
      [admin@zpa-connector ~]$ systemctl restart chronyd
      1. To verify the NTP servers, check that NTP is working successfully using the following command:
      [admin@zpa-connector ~]$ chronyc sources
      Close

    • If an App Connector is configured to send traffic to a proxy, you can set up a proxy bypass on it for the traffic that needs to be exempted from the proxy (i.e., traffic between the App Connector and the ZPA Public Service Edges or Public Service Edges). To use a proxy bypass for an App Connector, a proxy bypass file needs to be added to the App Connector.

      To configure the App Connector to do a proxy bypass:

      1. Log in to the App Connector console using your admin credentials.
      2. Create a file named opt/zscaler/var/proxy-bypass. Use an editor, such as vi. For example:
      [admin@zpa-connector ~]$sudo vi /opt/zscaler/var/proxy-bypass
      1. Enter the necessary bypass entries using IP addresses, subnets, domains, or domains with a prefix wildcard. For example:
      1.2.3.4
111.222.33.0/24
myexampledomain.com
*.internal.local
      1. To apply the changes, restart the App Connector using the following command:
      [admin@zpa-connector ~]$ sudo systemctl restart zpa-connector
      Close

    • If DHCP is not available, you can configure a static IP address on a VM-based App Connector.

      1. Log in to the App Connector console using your admin credentials.
      2. View the current connection profile.
      [admin@zpa-connector ~]$ nmcli connection show
      1. Modify the connection profile using the following format: <profile name> connection.id <new connection name>. For example:
      [admin@zpa-connector ~]$ sudo nmcli connection modify "Profile 1" connection.id LAN
      1. Review the current connection profile.
      [admin@zpa-connector ~]$ nmcli connection show
      1. Edit the profile using a static IP and a default gateway with the following format: <connection ID> ipv4.method manual ipv4.addresses <IP addresses> ipv4.gateway <gateway IP> ipv4.dns <DNS IP> ipv4.dns-search <domain name>. For example:
      [admin@zpa-connector ~]$ sudo nmcli connection modify LAN ipv4.method manual ipv4.addresses 172.30.1.88/24 ipv4.gateway 172.30.1.1 ipv4.dns 172.30.1.254 ipv4.dns-search company.com
      1. To apply the changes, bring the connection ID back up. For example:
      [admin@zpa-connector ~]$ sudo nmcli connection up LAN
      1. Verify the IP address.
      [admin@zpa-connector ~]$ ip addr show
      1. Verify the default gateway.
      [admin@zpa-connector ~]$ ip route show default
      1. Verify the DNS settings.
      [admin@zpa-connector ~]$ sudo cat /etc/resolv.conf
      Close

    • To add static routes to the interface control files for an App Connector:

      1. Log in to the App Connector console using your admin credentials.
      2. Edit the static route for an existing Ethernet connection using the following format: <profile name> ipv4.routes <address and gateway>. For example:
      [admin@zpa-connector ~]$ sudo nmcli connection modify "Profile 1" +ipv4.routes "192.168.2.241/24 10.10.10.1"
      1. To apply the changes, bring the connection profile down and then back up. For example:
      [admin@zpa-connector ~]$ sudo nmcli connection down "Profile 1"
       [admin@zpa-connector ~]$ sudo nmcli connection up "Profile 1"
      1. Verify the new route is added.
      [admin@zpa-connector ~]$ ip route
      Close

    • To temporarily configure TCP communication sockets using the profs interface and the SO_KEEPALIVE socket option for an App Connector:

      1. Enable TCP Keepalive for your segment group in the ZPA Admin Portal. To learn more, see Configuring Defined Application Segments.

      The socket used for TCP communication is set to SO_KEEPALIVE and establishes an App Connector-to-Server connection. Communication using this socket looks at the system value corresponding to SO_KEEPALIVE and performs the action according to the parameters.

      1. Tune your App Connector's kernel to configure the TCP parameters and choose how the keepalive packets are sent using the following commands:
      # echo 600 > /proc/sys/net/ipv4/tcp_keepalive_time
# echo 60 > /proc/sys/net/ipv4/tcp_keepalive_intvl
# echo 20 > /proc/sys/net/ipv4/tcp_keepalive_probes

      Default values are used if no system parameters are chosen. The values in red represent examples of values that can be configured.

      Changes to the App Connector's kernel to configure the TCP parameters using the profs interface are temporary and return to default after reboot.

      To permanently configure TCP communication sockets using the sysctl interface:

      1. Enable TCP Keepalive for your segment group in the ZPA Admin Portal. To learn more, see Configuring Defined Application Segments.
      2. Edit your /etc/sysctl.conf using the following command:
      # vi /etc/sysctl.conf
      1. Tune your App Connector's kernel to configure the TCP parameters and choose how the keepalive packets are sent using the following commands:
      net.ipv4.tcp_keepalive_time = 60
net.ipv4.tcp_keepalive_intvl = 10
net.ipv4.tcp_keepalive_probes = 6

      Default values are used if no system parameters are chosen. The values in red represent examples of values that can be configured.

      1. To load the settings, enter the following command:
      # sysctl -p

      The keepalive packets have the following parameters:

      ParameterDefinitionDefault Value
      tcp_keepalive_timeThe interval between the last data packet sent (simple ACKs are not considered data) and the first keepalive probe; after the connection is marked to need keepalive, this counter is not used any further.7,200 seconds (2 hours)
      tcp_keepalive_intvlThe interval between subsequent keepalive probes, regardless of what the connection has exchanged in the meantime.75 seconds
      tcp_keepalive_probesThe number of unacknowledged probes to send before considering the connection dead and notifying the application layer. The tcp_keepalive_probes value is a pure number.9

      For example:

      • If the tcp_keepalive_time value is one hour, the keepalive routines wait for one hour before sending the first keepalive probe, and then resend it at a 75-second interval according to the tcp_keepalive_intvl value.
      • If the tcp_keepalive_intvl value is 60 seconds, the keepalive probes are sent every 60 seconds after the initial tcp_keepalive_time value.
      • If the tcp_keepalive_probes value is 7, and no ACK response is received after 7 consecutive times, then the connection is marked as broken.

      If there is no data communication within the tcp_keepalive_time value, it sends out a keepalive probe to the app server:

      • If ACK is returned, another keepalive probe is sent after 2 hours (tcp_keepalive_time) if no data communication happens in between.
      • If RST is returned, then the socket closes.
      • If there is no reply, it resends the keepalive every 75 seconds (tcp_keepalive_intvl) for a reply, and it retries 9 times (tcp_keepalive_probes). If there is no reply after 9 probes, the socket closes.

      To learn more about configuring a kernel, refer to the Linux documentation.

      Close

    • If you want to configure yum to communicate through an HTTP proxy server, refer to the CentOS and Red Hat documentation.

      To learn more about support for CentOS 7.x, RHEL 7.x, and Oracle Linux 7.x, see End-of-Support for CentOS 7.x, RHEL 7.x, and Oracle Linux 7.x.

      Close

    • To see which TCP sessions have keepalive enabled and what their current timer is, run the ss command on the App Connector with the -t (tcp only) and -o (show timers) options:

      # ss -to
State  Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
ESTAB  0       0       10.18.4.210:42452   10.251.33.110:https  timer:(keepalive,29sec,0)

      For sessions that have keepalive enabled, timer information (timer:(<timer_name>,<expire_time>,<retrans>)) indicates when keepalive will be sent. To learn more, refer to the Linux documentation.

      Close

    Close
  • Step 4: Verify that the deployed App Connector is running and healthy. Also, check that it is meeting your sizing requirements.

After you have verified your deployment, you can perform additional tasks to maintain the system (i.e., changing your App Connector console admin credentials or performing system software updates). To learn more, see Managing Deployed App Connectors.

After App Connectors are deployed, you can:

Related Articles
About Deploying App ConnectorsApp Connector Software by PlatformApp Connector Deployment PrerequisitesApp Connector Deployment Guide for Amazon Web ServicesApp Connector Deployment Guide for LinuxApp Connector Deployment Guide for DockerApp Connector Deployment Guide for Google Cloud PlatformApp Connector Deployment Guide for Microsoft AzureApp Connector Deployment Guide for Nutanix AHVApp Connector Deployment Guide for OpenShiftApp Connector Deployment Guide for VMware PlatformsRed Hat Enterprise Linux 9 Migration for App ConnectorsNetworking Deployed App ConnectorsConfiguring a Split DNS Zone for App ConnectorsCentOS 7 Configuration for Long-Term Zscaler Support