How do I deploy a Zscaler Authentication Bridge?


How do I deploy a Zscaler Authentication Bridge?

You will need the following to deploy the ZAB:

  • Hypervisor
    • VMware ESX/ESXi v5.0 and above
  • Virtual Machine
    • 2 GB RAM minimum. Increases with the number of users.
    • 64-bit Xeon CPU. Two cores assigned to the VM.
    • 1 network interface with a static IP address
      This IP address is used for control and data connections to the Zscaler cloud and to connect to the directory server. Your administrator can also use it to make an SSH connection to the VM.
  • Zscaler service
    • A subscription to the ZAB
    • Super admin access to the service
    • Log in information for the directory server

Firewall Requirements

The ZAB requires only outbound connections to the Zscaler service. It does not require any inbound connections to your network from the Zscaler service. Ensure that your outbound firewall is configured to allow the necessary connections. To view the firewall requirements, go to the following:  

https://ips.<zscaler-cloud-name>/addresses/zab.html

The <zscaler-cloud-name> depends on the Zscaler cloud administrative URL. For example, if you log in to admin.zscaler.net, then go to https://ips.zscaler.net/addresses/zab.html.

To learn how you can find your cloud name, see What is my cloud name?

Log in to the Zscaler service and go to Administration > Settings > Company Profile > Subscriptions tab to verify that your organization is subscribed to the ZAB.

Verify subscription

To register a new ZAB, log in to the service and do the following:

  1. Go to Administration > Authentication > Authentication Settings > Authentication Bridges tab.
  2. Click Add and enter a name for the ZAB.
  3. Click Save to exit the dialog.
  4. Activate the change.

Register ZAB

 

  1. Go to Administration > Authentication > Authentication Settings > Authentication Bridges tab.
  2. Click Download ZB VM

The ZAB can synchronize and authenticate hundreds of thousands of users. The ZAB specifications are determined by the number of users that the ZAB provisions. Specify the number of users that the ZAB synchronizes, and optionally, authenticates. Then, click Compute to compute the appropriate resources for your ZAB.

Compute ZAB resources

  1. Click Download ZAB VM.

The ZAB uses this certificate to authenticate itself to the Zscaler service. To download the SSLcertificate:

  1. Go to Administration > Authentication > Authentication Settings > Authentication Bridgestab.
  2. Click Download in the SSL Certificate column of the new ZAB.

Download the SSL certificate

Do the following to configure the ZAB:

  1. Configure the network settings.
  2. Install the client certificate.
  3. Install the server certificate.
  4. Install the ZAB software and start it.

You can view the troubleshooting commands, in case there are configuration issues.
See Troubleshooting.

Do the following to configure the network settings of the ZAB:

  1. Log in with the following:
    Username: zsroot 
    Password: zsroot
    See image.
  2. Zscaler strongly recommends that you change this default password by running the command passwd.
    1. To change the password, enter passwd and your username.
      • For example, if you are using the default username, the command is passwd zsroot.
    2. When prompted, specify the following:
      • Your current password
        • For example, if you are using the default password, enter zsroot.
      • Your new password
        See image.
  3. Switch to a superuser, by entering the following command:
    sudo su -
    Enter the password zsroot when prompted.
    See image.
    Zscaler strongly recommends that you change the default password.
  4. Configure the network settings. Enter zab configure and when prompted, specify the following:
    • Name server IP address
    • ZAB IPaddress and netmask
    • ZEN IPaddress
      See image.
  5. To verify the configuration, enter the following command: zab dump-config
    See image.

Configure network settings image 1

command passwd

Configure network settings image 2

Configure network settings image 3

Configure network settings image 4

Install the certificate that you downloaded from the Zscaler service. It is used to authenticate the ZAB to the service.

Do the following:

  1. Copy the client certificate securely to the ZAB VM. Zscaler recommends that you use SCP or SFTP instead of FTP.
  2. On the ZAB, run the following command to install the ZAB: zab install-client-cert ZabCert.zip.
    See image.
  3. Run zab dump-config to verify that the ZAB is associated with the Zscaler cloud and with your organization.
    See image.

Configure the zab - install cert image

Configure the zab - zab dump config image

The ZAB acts as a web server that authenticates users against your Active Directory or LDAP server. Because it processes HTTPS transactions, the ZAB must host a private SSL certificate to secure the transactions. Your organization can install your own certificate signed by a trusted Certificate Authority or a self-signed certificate.

To install the server certificate, enter the following command: zab install-server-cert

  • If you have a server certificate, do the following:
    • Copy the certificate and the private key.
    • Specify the path of the certificate.
    • Specify the path of the key.
    • Optionally, specify a password to decrypt the key
  • If you are using ZAB to provision users, but not to authenticate them, you can allow the system to generate a self-signed certificate. Press enter when prompted for the certificate and complete the questions.
  1. To download the ZAB software for the first time, enter the following command: zab update-now 
    See image.
  2. To start the ZAB, enter the following command: zab start
    See image.
  3. Run zab enable-autostart
    See image.
  4. Verify that the ZAB is operational by running the following commands:
    zab status displays the process running.
    See image.
    sockstat -4 shows that the ZAB is making outbound connections.
    See image. 

Install zab software - zab update now

Install zab software - zab start

Install zab software - autostart

Install zab software - zab status

Install zab software - sockstat

Following are some commands that you can use to troubleshoot your configuration:

  • zab -h
    ​​​Lists the ZAB commands.
  • zab test-firewal
    Runs a script to test access to the outbound firewall.
  • zab collect-diagnostics
    Collects all the relevant log files and configuration files, and then places them in a zip file. You can send the zip file to Zscaler Support for troubleshooting.
  • zab enable-remote-debugging
    Allows Zscaler Support to examine and diagnose configuration errors. This feature is disabled by default. Run the command to enable it.
  • zab support-access-start
    Allows Zscaler Support to log in to your ZAB via SSH, if your organization requires assistance. An interactive shell is often useful when additional troubleshooting assistance is required. This feature is disabled by default. Run the command to enable it. 

After you configure the ZAB, you must then configure the service to synchronize with the ZAB. You can optionally configure the service to use the ZAB for authentication as well.

To configure the service to synchronize with the ZAB, log in to the service and do the following:

  1. Go to Administration > Authentication > Authentication Settings.
  2. From the Authentication Profile tab, choose Active Directory as the Directory Type.
  3. Click Setup Wizard to start the wizard.
    See image.
  4. Complete the fields in the Directory Server window and ensure that you specify the following values:
    • Authentication Agent Hosting: Choose Enterprise.
    • Directory Server IP Address: Enter the IP address of the directory server to which the ZAB connects.
      See image.
  5. In the Directory Server Authentication window, specify any user in the BIND DN field. It does not have to be an administrator.
    See image.
  6. The Detected Settings window shows that the wizard has successfully connected to the directory server and pre-populated the Base DN field. Click Next.
    See image.
  7. In the Lookup Parameters window, specify a user to enable the service to discover the LDAP attributes it needs. Choose Auto from the Lookup Parameters filter list, and enter an email address, login name, DN, or LDAP attribute. 
    See image.
    The Synchronization window displays the synchronization results.
    See image.
  8. In the Authentication Parameters window, verify whether the user information was synchronized correctly. 
    See image.
    If your organization is using the ZAB for authentication as well, ensure that the ZAB URL is specified in the Authentication Agent Address field. If your organization is using another authentication mechanism, such as SAML or LDAP, the Authentication Agent Address field can contain any IP address.
  9. Click Finish.

setup wizard start

setup wizard 1

setup wizard 2

setup wizard 3

setup wizard 4

step wizard 4a

setup wizard 5

Optionally, if you have a local NTP Server, you can configure the ZAB to synchronize time with that server, as follows:

  1. Run the following as root:
crontab -e
  1. Add the following line: 
*/10 * * * * ntpdate <ntp-server-name>
  1. Save and exit.

The time synchronization command will run every 10 minutes.