icon-unified.svg
Experience Center

Upgrading the App Connector Host OS

App Connectors are licensed so that Zscaler can periodically update their software. However, updates to the host operating system (OS) are the organization's responsibility. Zscaler ensures that the App Connector software is the latest version. The App Connector software is designed to be compatible with updates to the host OS. To learn more, see Managing Deployed App Connectors and Operating System Security.

Prerequisites

Before you update the App Connector host OS, ensure the following prerequisites are met:

  • Determine the frequency that the host OS should be updated. Zscaler recommends updating the OS at least every 5 weeks.
  • Validate the App Connector connectivity to the upgrade servers.

For enhanced security, you must use the passwd command to change the credentials on the default admin account if you have not already done so.

  1. Enter the admin credentials.
zpa-connector login: admin 
    Password: *******
  1. Test connectivity by running the following command:
curl https://yum.private.zscaler.com

This is to validate that connectivity to the specific update URL is working. If you are waiting for the command to timeout, and you don't get any errors, you must troubleshoot connectivity. To learn more, see Troubleshooting App Connectors.

Updating the Host OS

The update of the host OS is scheduled according to local policy. App Connectors should be updated one at a time per App Connector group. Zscaler recommends notifying users of a potential for rolling reconnections during the update window. Each App Connector is estimated to be down for 20 minutes during the update.

For host OS updates:

  1. Go to the App Connectors page (Infrastructure > Private Access > App Connectors). 
  2. On the App Connectors page, click the Edit icon (Pencil Icon in the ZPA Admin Portal) to edit the App Connector you want to modify.
  3. Click Disabled under Status to disable the individual App Connector in the group.

This stops the App Connector from allowing new connections.

  1. Wait 15 minutes for the current connections on the App Connector to expire.
    1. (Optional) Disabling the App Connector helps deter new connections while still serving the existing connections.

The 15-minute expiry time is guidance to help drain the existing and long-lived critical transactions. To view the list of currently active App Connectors, access the App Connector Status log type in the Admin Portal.

  1. Log in to the App Connector console using your admin credentials.
  2. Stop the service using the following command:
[admin@zpa-connector ~]$ sudo systemctl stop zpa-connector
  1. After stopping the service, log in and enter the following command to update the local system software:
[admin@zpa-connector ~]$ sudo yum update -y
  1. After completing the update, reboot the App Connector using the following command:
[admin@zpa-connector ~]$ sudo reboot
  1. After the reboot, go to the Admin Portal and click the Edit icon to edit the App Connector.
  2. Click Enabled to enable the App Connector.

  1. Click Save.
Related Articles
Managing Deployed App ConnectorsUpgrading the App Connector Host OSMonitoring App Connector PerformanceTroubleshooting App Connectors