Networking Deployed App Connectors

Experience Center Help
Infrastructure
Private Applications
Infrastructure Components
App Connector Management
App Connector Deployment Guides for Supported Platforms
Networking Deployed App Connectors

Experience Center

Networking Deployed App Connectors

After you have deployed the App Connector on a supported platform, you can complete the following networking configurations:

Configure Additional Interfaces for an App Connector
If necessary, additional interfaces can be configured by creating additional files in /etc/sysconfig/network-scripts.
1. Log in to the App Connector console using your admin credentials.
2. Copy the /etc/sysconfig/network-scripts/ifcfg-eth0 file to /etc/sysconfig/network-scripts/ifcfg-eth1, for example:
```
[admin@zpa-connector ~]$ sudo cp /etc/sysconfig/network-scripts/ifcfg-eth0 /etc/sysconfig/network-scripts/ifcfg-eth1
```
1. Edit the new /etc/sysconfig/network-scripts/ifcfg-eth1 file with the network configuration information required for the interface. Use an editor, such as vi.
```
[admin@zpa-connector ~]$ sudo vi /etc/sysconfig/network-scripts/ifcfg-eth1
```
The content within the new file should be similar to the following:
```
IPADDR="104.129.193.254"
    NETMASK="255.255.254.0"
    GATEWAY=104.129.192.1
```
1. To apply the changes, restart the networking subsystem using the following command:
```
[admin@zpa-connector ~]$ sudo systemctl restart network
```
Close
Configure an App Connector to Use an Explicit Proxy Server
The proxy setting on the App Connector is used to proxy the traffic between the App Connector and the Private Service Edge. It is not used to proxy the traffic between the App Connector and internal applications.
If your traffic is going through a proxy (i.e., traffic between the App Connector and the Public Service Edges or Private Service Edges), you must manually configure the App Connector to work through that proxy. The following procedure allows the App Connector to communicate with the broker by using CONNECT requests through a standard HTTP proxy server.
To configure the App Connector to work through an explicit proxy:
1. Log in to the App Connector console using your admin credentials.
2. Create a file named /opt/zscaler/var/proxy. Use an editor, such as vi.
```
[admin@zpa-connector ~]$ sudo vi /opt/zscaler/var/proxy
```
Enter the proxy information using the following format: <Proxy Hostname or IP Address>:<Proxy Port> (e.g., 192.0.2.0:0).
1. To apply the changes, restart the App Connector using the following command:
```
[admin@zpa-connector ~]$ sudo systemctl restart zpa-connector
```
The App Connector attempts to create a TLS session through the proxy specified in step 2.
Close
Configure DHCP IP Addressing for an App Connector
By default, virtual machine-based App Connectors are configured to use DHCP networking on their primary interface. If necessary, you can configure a static IP address for the App Connector.
Close
Configure Domain Name System (DNS) Resolver for an App Connector
DNS resolution is critical for the successful operation of the App Connector. App Connectors use DNS to discover applications as well as enumerate each of the IP addresses that an application DNS name resolves to as a separately tracked and load balanced server. During dynamic application discovery, DNS is used as the initial reachability check from each App Connector in an App Connector group. It is possible for App Connectors to function in partitioned environments where a subset of App Connectors are able to resolve a given DNS name without additional configuration. App Connectors must also be able to resolve external DNS names, such as those of the cloud infrastructure.
1. Log in to the App Connector console using your admin credentials.
2. Edit the /etc/resolv.conf file. Use an editor, such as vi.
```
[admin@zpa-connector ~]$sudo vi /etc/resolv.conf
```
Replace the example nameserver IP addresses and search domains with your company-specific configuration, for example:
```
nameserver 8.34.34.34
    nameserver 8.35.35.35 
    search myexampledomain.com    
```
Close
Configure Network Time Protocol (NTP) Servers for an App Connector
You cannot configure NTP servers for App Connectors running on the Amazon Web Services (AWS) or Microsoft Azure platforms.
To configure App Connectors to use internal NTP servers:
1. Log in to the App Connector console using your admin credentials.
2. Edit the /etc/chrony.conf file. Use an editor, such as vi.
```
[admin@zpa-connector ~]$sudo vi /etc/chrony.conf
```
Add your internal NTP servers to the list, for example:
```
server 0.zscaler.pool.ntp.org iburst
    server 1.zscaler.pool.ntp.org iburst
    server 2.zscaler.pool.ntp.org iburst
    server 3.zscaler.pool.ntp.org iburst
```
1. To apply the changes, restart the chrony daemon using the following command:
```
[admin@zpa-connector ~]$ systemctl restart chronyd
```
1. To verify the NTP servers, check that NTP is working successfully using the following command:
```
[admin@zpa-connector ~]$ chronyc sources    
```
Close
Configure a Proxy Bypass for an App Connector
If an App Connector is configured to send traffic to a proxy, you can set up a proxy bypass on it for the traffic that needs to be exempted from the proxy (i.e., traffic between the App Connector and the Public Service Edges or Public Service Edges). To use a proxy bypass for an App Connector, a proxy bypass file needs to be added to the App Connector.
To configure the App Connector to do a proxy bypass:
1. Log in to the App Connector console using your admin credentials.
2. Create a file named opt/zscaler/var/proxy-bypass. Use an editor, such as vi. For example:
```
[admin@zpa-connector ~]$sudo vi /opt/zscaler/var/proxy-bypass
```
1. Enter the necessary bypass entries using IP addresses, subnets, domains, or domains with a prefix wildcard. For example:
```
1.2.3.4
    111.222.33.0/24
    myexampledomain.com
    *.internal.local
```
1. To apply the changes, restart the App Connector using the following command:
```
[admin@zpa-connector ~]$ sudo systemctl restart zpa-connector
```
Close
Configure Static IP Addressing for an App Connector
If DHCP is not available, you can configure a static IP address on a VM-based App Connector.
1. Log in to the App Connector console using your admin credentials.
2. Edit the /etc/sysconfig/network-scripts/ifcfg-eth0 file. Use an editor, such as vi.
```
[admin@zpa-connector ~]$ sudo vi /etc/sysconfig/network-scripts/ifcfg-eth0
```
If your network does not support DHCP, disable DHCP in the App Connector using the value BOOTPROTO="none". In the following example, the edited file is using an App Connector IP address of 104.129.193.254, highlighted in green:
```
BOOTPROTO="none"
    IPADDR="104.129.193.254"
    NETMASK="255.255.254.0"
    GATEWAY="104.129.192.1"
```
1. The /etc/sysconfig/network file requires no modifications.
2. To apply the changes, restart the networking subsystem using the following command:
```
[admin@zpa-connector ~]$ sudo systemctl restart network
```
Close
Configure Static Routing for an App Connector
To add static routes to the interface control files for an App Connector:
1. Log in to the App Connector console using your admin credentials.
2. Edit the /etc/sysconfig/network-scripts/route-eth0 file. Use an editor, such as vi.
```
[admin@zpa-connector ~]$sudo vi /etc/sysconfig/network-scripts/route-eth0
```
Add additional static routes using the following format: <CIDR> via <GATEWAY> dev <INTERFACE>. For example:
```
192.168.0.0/16 via 192.0.2.1 dev eth0
    172.16.0.0/12 via 192.0.2.1 dev eth0
    10.0.0.0/8 via 192.0.2.2 dev eth0
```
1. To apply the changes, restart the networking subsystem using the following command:
```
[admin@zpa-connector ~]$ sudo systemctl restart network
    
```
Close

Configure TCP Communication Sockets for an App Connector

To temporarily configure TCP communication sockets using the profs interface and the SO_KEEPALIVE socket option for an App Connector, you must:

Enable Tcp Keepalive for your segment group in the Admin Portal. To learn more, see Configuring Defined Application Segments.

The socket used for TCP communication is set to SO_KEEPALIVE and establishes an App Connector-to-Server connection. Communication using this socket looks at the system value corresponding to SO_KEEPALIVE and performs the action according to the parameters.

Tune your App Connector's kernel to configure the TCP parameters and choose how the keepalive packets are sent using the following commands:

# echo 600 > /proc/sys/net/ipv4/tcp_keepalive_time
    # echo 60 > /proc/sys/net/ipv4/tcp_keepalive_intvl
    # echo 20 > /proc/sys/net/ipv4/tcp_keepalive_probes

Default values are used if no system parameters are chosen. The values in red represent examples of values that can be configured.

Changes to the App Connector's kernel to configure the TCP parameters using the profs interface are temporary and return to default after reboot.

To permanently configure TCP communication sockets using the sysctl interface:

Enable TCP Keepalive for your segment group in the Admin Portal. To learn more, see Configuring Defined Application Segments.
Edit your /etc/sysctl.conf using the following command:

# vi /etc/sysctl.conf

Tune your App Connector's kernel to configure the TCP parameters and choose how the keepalive packets are sent using the following commands:

net.ipv4.tcp_keepalive_time = 60
    net.ipv4.tcp_keepalive_intvl = 10
    net.ipv4.tcp_keepalive_probes = 6

Default values are used if no system parameters are chosen. The values in red represent examples of values that can be configured.

To load the settings, enter the following command:

# sysctl -p

The keepalive packets have the following parameters:

Parameter	Definition	Default Value
`tcp_keepalive_time`	The interval between the last data packet sent (simple ACKs are not considered data) and the first keepalive probe; after the connection is marked to need keepalive, this counter is not used any further.	7,200 seconds (two hours)
`tcp_keepalive_intvl`	The interval between subsequent keepalive probes, regardless of what the connection has exchanged in the meantime.	75 seconds
`tcp_keepalive_probes`	The number of unacknowledged probes to send before considering the connection dead and notifying the application layer. The `tcp_keepalive_probes` value is a pure number	9

For example:

If the tcp_keepalive_time value is one hour, the keepalive routines wait for one hour before sending the first keepalive probe, and then resend it at a 75 second interval according to the tcp_keepalive_intvl value.
If the tcp_keepalive_intvl value is 60 seconds, the keepalive probes are sent every 60 seconds after the initial tcp_keepalive_time value.
If the tcp_keepalive_probes value is 7, and no ACK response is received after 7 consecutive times, then the connection is marked as broken.

If there is no data communication within the tcp_keepalive_time value, it sends out a keepalive probe to the app server:

If ACK is returned, another keepalive probe is sent after 2 hours (tcp_keepalive_time) if no data communication happens in between.
If RST is returned, then the socket closes.
If there is no reply, it resends the keepalive every 75 seconds (tcp_keepalive_intvl) for a reply, and it retries 9 times (tcp_keepalive_probes). If there is no reply after 9 probes, the socket closes.

To learn more about configuring a kernel, see The Linux Documentation Project's how-to article.

Configure yum to Use an HTTP Proxy Server
If you want to configure yum to communicate through an HTTP proxy server, refer to the CentOS and Red Hat documentation.
Close
Verify That keepalive Is Enabled for TCP Sessions
To see which TCP sessions have keepalive enabled and what their current timer is, run the ss command on the App Connector with the -t (tcp only) and -o (show timers) options:
```
# ss -to
    State  Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
    ESTAB  0       0       10.18.4.210:42452   10.251.33.110:https  timer:(keepalive,29sec,0)
```
For sessions that have keepalive enabled, timer information (timer:(<timer_name>,<expire_time>,<retrans>)) indicates when keepalive will be sent. To learn more, refer to the Linux manual page.
Close

Experience Center

Networking Deployed App Connectors

Related Articles