
Configuring App Connectors

Within the Admin Portal, you can create App Connectors, App Connector groups, and provisioning keys. For a complete list of ranges and limits per feature, see Ranges & Limitations.

To add a new App Connector:

  1. Go to the App Connectors page (Infrastructure > Private Access > Component > App Connectors).
  2. Click Add App Connector.
  3. In the Add App Connector window that appears:
    • Create a provisioning key or choose an existing one. The provisioning key is a secure random text string that you need to enter when you deploy the App Connector on a platform. Each key is associated with a specific App Connector group and functions like an ID for the App Connector.

      After deployment, the App Connector launches and makes initial contact with the cloud. It presents a key as its ID, allowing the cloud to verify that this is an authentic App Connector and to identify which App Connector group it belongs to. Private Applications then automatically completes the deployment process.

      On the Choose Key tab, choose one of the following options:

      1. On the Signing Certificate tab, from the drop-down menu, select the certificate that ZPA uses to sign certificates it issues to the App Connector. If you need to generate a new enrollment certificate, see Generating an Enrollment Certificate.
      2. Click Next.

      To learn more about certificates, see About Certificates.

    • On the App Connector Group tab, choose one of the following options:

        1. Select an existing App Connector group from the drop-down menu. You can search for a specific group or click Clear Selection to remove any selections. App Connector groups can be associated with multiple provisioning keys, so you can assign this App Connector to an existing group that's already associated with a provisioning key.
        2. Click Next.
        1. Click Add App Connector Group:
        • Name: Enter a name for the group. The name cannot contain special characters, with the exception of periods (.), hyphens (-), and underscores ( _ ).
        • Status: Make sure Enabled is selected.
        • DNS Resolution Option: Enable the necessary interface for DNS resolution checks. If the App Connectors assigned to that App Connector group should perform DNS resolution checks for applications using only IPv4, select IPv4. If the App Connectors assigned to the App Connector group should perform DNS resolution checks for applications using only IPv6, select IPv6. If you select IPv4 and IPv6, both interfaces can perform resolution checks for applications. The App Connector must have the corresponding interface or interfaces enabled for the DNS resolution checks to work, and the servers hosting your applications must support the selected interface or interfaces. By default, IPv4 and IPv6 is selected.

        Select the IPv6 option only if you have end-to-end IPv6 support.

        • TCP Quick Acknowledgement: Enable TCP Quick Acknowledgement for the App Connector group to perform TCP Quick Ack for applications. TCP Quick Acknowledgement is used to improve performance of applications that use specific protocols (e.g., Server Message Block Protocol).
        • Description: (Optional) Enter a description for the group.
        • Disaster Recovery: Enable to designate the App Connector Group for disaster recovery. App Connector groups that are designated for disaster recovery bypass the cloud to ensure business continuity in the event of a disaster scenario. The App Connector Group designated for disaster recovery must be associated with a server group that serves an application segment designated for disaster recovery. Disaster recovery is disabled by default. To learn more, see Understanding Disaster Recovery and About Disaster Recovery App Connector Groups.

        Disaster Recovery Mode is triggered when you upload the DNS TXT records to the DNS server for the disaster recovery domain name. To learn more, see Creating DNS TXT Records.

        • Disable AppProtection: Select Yes to disable AppProtection for the App Connector group. By default, No is selected, meaning that AppProtection is enabled for the new App Connector group. If enabled, the App Connector Group with its associated App Connectors and applications can be inspected and managed via AppProtection Profiles. To learn more, see About AppProtection Profiles.

        The Disable AppProtection option is displayed if your account has this feature enabled. If the feature isn’t enabled, the Disable AppProtection option is not shown.

        • App Connector Allow List: Enter the IP address or subnet of a deployed App Connector Group to allow the App Connector Group on a specific IP. This feature is used to add a layer of security to the App Connector enrollment process, in addition to the provisioning key and signing certificate. Both IPv4 and IPv6 IP addresses are supported. If the App Connector Group is deployed in a subnet, then the subnet prefix notation can be used. For example, if the App Connector Groups are deployed on 10.80.1.18 and 10.80.1.19, then the IP address can be defined as 10.80.1.0/24. You can search for a specific IP address or subnet, edit an IP address or subnet by clicking the Edit icon, delete an IP address or subnet by clicking the Delete icon, or click Remove All to remove all IP addresses or subnets.

        This feature is in limited availability. To learn more, contact Zscaler Support.

        Consider the following when entering an IP address for the App Connector Allow List:

        • App Connector enrollment stays pending if the App Connector IP address is not configured in the App Connector Allow List field. For example, a user configures 10.1.1.0/30 as the IP address for the App Connector Allow List. This means the App Connector Group can only have two App Connectors, and the App Connectors in this group can only use 10.1.1.1 and 10.1.1.2 as the IP addresses.
        • If the IP address of the App Connector Group changes due to Dynamic Host Configuration Protocol (DHCP) or other network changes, then the App Connector Groups fail to enroll.
        • If the App Connector is configured with a static IP, do not change the IP address unless you update the App Connector Allow List entry. If you want to add a new App Connector to the group, the App Connector Allow List must be updated so that the new App Connector can successfully enroll.
        • Persist Local Version Profile: Enable if the App Connector Group should persist the local Version Profile. By default, Disabled is selected.
        • Version Profile: Displays the current Version Profile. The default value is set to Default. To learn more, see Configuring a Version Profile.
        • App Connector Software Update Schedule: Schedule the periodic App Connector software update for the group by selecting the day of the week and start time. You can search for a specific day of the week and start time, or click Clear Selection to remove any selections.
        • App Connector Location: Enter the location where the App Connectors in the group are set up. The map displays the location you've entered. If you click the location marker on the map, the Latitude, Longitude, and Location Address fields are automatically populated.
          • Latitude: Displays the latitude coordinate.
          • Longitude: Displays the longitude coordinate.
          • Country Code: Displays the country code for the location address you’ve entered.
          • Location Details: Displays the location address you've entered.

        1. Click Next.
      1. On the Create Provisioning Key tab:
      • Name: Enter a name for the provisioning key. The name cannot contain special characters, with the exception of periods (.), hyphens (-), and underscores ( _ ).

      This name is automatically assigned as a prefix for the name of each App Connector enrolled with it, meaning that all App Connectors in a given App Connector group use the same prefix in their names.

      To help distinguish between the different App Connectors in a group, each App Connector also has a number automatically added to its name upon being enrolled. This number signifies that it is the nth App Connector to be enrolled with the key. For example, if you enter AWS Oregon as a provisioning key name in this step, the first App Connector you enroll with this key is named AWS Oregon-1. The next App Connector you enroll with the same key is named AWS Oregon-2, and so on.

      • Maximum Reuse of Provisioning Key: Enter the maximum number of instances where this key can be used to enroll an App Connector. After adding the App Connector, this number can be modified.

      The Instances of Provisioning Key Reuse field cannot be modified. The number of App Connectors enrolled in this App Connector group is tracked and the number is automatically displayed in this field. This helps ensure that keys are not being used improperly by unknown parties in order to enroll App Connectors.

      1. Click Next.
      1. On the Review tab, review your configuration settings.
      2. Click Save.
      1. On the Review Documentation tab:
        • Copy Provisioning Key: Copy the App Connector provisioning key. You need to enter this key when you deploy the App Connector to a platform. You can click the Copy icon to copy the key to your clipboard.
        • Review Documentation: Choose the platform you want to deploy your App Connector on, and follow the instructions that appear. To learn more, see the App Connector Deployment Guide for your supported platform.

      1. Click Done.
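
The App Connector Allow List considerations above can be checked before deployment. The following is an added example, not Zscaler code: it compares planned App Connector addresses against allow-list entries and lists the addresses whose enrollment would stay pending. The function names are hypothetical, and the sample addresses are the ones used in the examples on this page plus constructed ones.

```python
import ipaddress

def parse_allow_list(entries):
    """Parse allow-list entries: single IPs or CIDR subnets, IPv4 or IPv6.
    strict=True is this example's choice: it rejects entries with host bits
    set (e.g. 10.80.1.18/24), which are usually typos."""
    return [ipaddress.ip_network(e.strip(), strict=True) for e in entries]

def check_enrollment(allow_list, connector_ips):
    """Map each planned connector IP to the allow-list entry that covers it,
    or None when no entry covers it (enrollment would stay pending)."""
    nets = parse_allow_list(allow_list)
    result = {}
    for raw in connector_ips:
        ip = ipaddress.ip_address(raw)
        match = next((n for n in nets
                      if n.version == ip.version and ip in n), None)
        result[raw] = str(match) if match else None
    return result

def pending(allow_list, connector_ips):
    """Connector IPs that are not covered by any allow-list entry."""
    checked = check_enrollment(allow_list, connector_ips)
    return [ip for ip, net in checked.items() if net is None]

def usable_addresses(entry, limit=1024):
    """Host addresses inside one allow-list entry (small subnets only).
    Standard host-range computation; for 10.1.1.0/30 this yields the two
    addresses named in the considerations above."""
    net = ipaddress.ip_network(entry, strict=True)
    if net.num_addresses > limit:
        raise ValueError(f"{entry} is too large to enumerate")
    return [str(h) for h in net.hosts()]

if __name__ == "__main__":
    # Constructed plan: two connectors from the page's example, one outside.
    allow = ["10.80.1.0/24", "2001:db8::/64"]
    planned = ["10.80.1.18", "10.80.1.19", "10.80.2.5", "2001:db8::10"]
    for ip, net in check_enrollment(allow, planned).items():
        print(f"{ip:15} -> {net or 'NOT IN ALLOW LIST (enrollment pending)'}")
    print("Addresses available in 10.1.1.0/30:", usable_addresses("10.1.1.0/30"))
```

Rerun the check whenever a connector's address changes (for example, after a DHCP lease change) or a new connector is added to the group.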