Begin by deploying the app to about 25-50 users in your organization's IT group.

Goal: To discover different use cases for the app in your organization and ensure that it is properly configured for those use cases.

Success Criteria: No blockers exist for moving to the next phase.

Following are the recommended tests for IT group:

• Test Interoperability with VPN Clients

  If your users will be running Zscaler Client Connector in conjunction with VPN clients or applications that function like VPNs (for example, Microsoft DirectAccess), take steps to ensure users don't face interoperability issues. Zscaler recommends selecting Tunnel with Local Proxy as the forwarding profile action in your forwarding profiles.

  For a complete list of recommended steps, see Best Practices for Zscaler Client Connector and VPN Client Interoperability.

  Confirm that users can run Zscaler Client Connector with VPN clients together without any connectivity issues.

  Close
• Test Functionality On and Off Trusted Networks

  Take steps to ensure Zscaler Client Connector forwards traffic properly on and off trusted networks. The app must be able to detect trusted networks and untrusted networks and forward user traffic as configured in forwarding profiles. Try configuring your forwarding profiles so that the app disables its services when users are on trusted networks that have GRE or IPsec tunnels forwarding traffic to Zscaler. Then, test the configuration to ensure the app behaves as expected, and user traffic is sent to Zscaler through the GRE or IPsec tunnels rather than through the app.

  To learn more, see Configuring Forwarding Profiles for Zscaler Client Connector.

  Confirm that Zscaler Client Connector properly forwards traffic on and off trusted networks.

  Close
• Test Traffic Exemptions

  Some applications or websites your users access might be incompatible with proxy services enabled by Zscaler Client Connector. If so, create PAC files so you can exempt some user traffic from being forwarded with the app. You can specify the URL for this PAC file when configuring Zscaler Client Connector app profiles and forwarding profiles. If you have DNS resolve, add this function to the forwarding profile PAC file only, to avoid duplication of the DNS query.

  Confirm that traffic to applications or websites specified as exempt from Zscaler Client Connector in the PAC file are not forwarded by the app, and ensure users can access them properly with the app running.

  Close
• Test SSL Inspection

  If you want Zscaler to perform SSL inspection on traffic forwarded by Zscaler Client Connector, you must:

  • Turn on the Install Zscaler SSL Certificate option when configuring app profiles. If you want to use your organization's custom SSL certificate, upload the custom certificate on the Advanced Configuration page and Zscaler automatically uses this certificate for Zscaler Client Connector.

  The Install Zscaler SSL Certificate feature is not supported on devices running macOS Big Sur (11) and later.

  • For Internet & SaaS, in the Policy for Zscaler Client Connector section of the SSL Inspection page in the Admin Portal, enable to perform SSL inspection for Zscaler Client Connector users on each relevant platform.
    • Ensure all applications that perform certificate pinning are specified under Do Not Inspect these Applications on the SSL Inspection page in the Admin Portal.
    • Conduct the recommended tests described in Best Practices for Testing and Rolling Out SSL Inspection.

  Confirm that SSL inspection is being correctly performed on traffic forwarded by Zscaler Client Connector.

  Close
• Test Custom App Profiles

  Try configuring custom app profiles to ensure Zscaler Client Connector functions as intended for your organization. In particular, Zscaler recommends selecting the following options when configuring app profiles:

  • If you want to enable SSL inspection of traffic forwarded by Zscaler Client Connector, select Install Zscaler SSL Certificate.

  The Install Zscaler SSL Certificate feature is not supported on devices running macOS Big Sur (11) and later.

  • For Log Mode, select Debug in Phase 1 and Error in Phase 4.
  • If configuring app profiles for Windows users and if the app is running in Tunnel with Local Proxy mode:
    • Disable Loopback Restriction: Required for Tunnel with Local Proxy mode
    • Override WPAD: Unless the devices must utilize WPAD, Zscaler recommends selecting this option for fresh installations where WPAD is still present or received by DHCP.
    • Restart WinHTTP Service: Zscaler recommends selecting this option to delete any cached WPAD settings.

  Confirm that the custom app profiles allows the app to meet the needs of your organization.

  Close

Expand the group of users by deploying the app to another 100-150 users in your organization's IT group as a pilot.

Goal: To ensure Zscaler Client Connector functionality on a variety of platforms, with different applications and use cases.

Success Criteria: No blockers exist for moving to the next phase.

Deploy Zscaler Client Connector to 200-300 end users in your organization.

Goal: To ensure app functionality for a smaller group of end users before full deployment to all end users.

Success Criteria: No blockers exist for moving to the next phase.

Deploy Zscaler Client Connector to your organization's remaining end users, in batches of 1,000 users.

Goal: To ensure Zscaler Client Connector functionality for full deployment to all end users.

Success Criteria: No blockers exist.