Zscaler App Deployment: Best Practices Guide



Below are best practices you can follow to ensure successful deployment of the Zscaler App for your organization.

Prerequisites

As a first step, submit your Zscaler App Pre-Deployment Form. This form helps you gather information required for deploying the Zscaler App.

Phased Approach for Deployment

Zscaler recommends a four-phased approach to deployment.


Phase 1: IT Test

Begin by deploying the app to about 25-50 users in your organization's IT group.

Goal: To discover different use cases for the Zscaler App in your organization and ensure that the App is properly configured for those use cases.

Success Criteria: No blockers exist for moving to the next phase.

Recommended Tests:

  1. Test Interoperability with VPN Clients
  2. Test Functionality On and Off Trusted Networks
  3. Test Traffic Exemptions
  4. Test SSL Inspection
  5. Test Custom App Profiles

Platform Configuration:

Gather as much information as possible about the computers being used by your organization. See below for some of the information you'll want to collect about your users' computers. Zscaler recommends you test the Zscaler App on as many different computers as possible in each phase. This will allow you to discover and resolve any issues the Zscaler App may encounter on different computer images and in different infrastructures, before the App is fully deployed to all users.

For the Windows and Mac computers users will be on, gather the following information:

  • Versions: What OS versions are being used?
  • Browsers: What browsers are being used?
  • VPN: What VPN clients are being used?
  • Antivirus: What antivirus solutions are being used?
  • Firewall: What firewalls are being used?
  • Management: What computer management mechanisms are being used?
  • Application Distribution: How are application packages distributed?
  • Other: Take note of any other platform features that may impact Zscaler App functionality.

If your users will be running the Zscaler App in conjunction with VPN clients or applications that function like VPNs (for example, Microsoft DirectAccess), take steps to ensure users don't face interoperability issues. Zscaler recommends selecting Tunnel with Local Proxy as the forwarding profile action in your forwarding profiles.

See Best Practices for Zscaler App and VPN Client Interoperability for a complete list of recommended steps.

Confirm that users can run the Zscaler App together with VPN clients without any connectivity issues.

Take steps to ensure the Zscaler App forwards traffic properly on and off trusted networks. The Zscaler App must be able to detect trusted and untrusted networks and forward user traffic as configured in forwarding profiles. Try configuring your forwarding profiles so that the Zscaler App disables its services when users are on trusted networks that have GRE or IPsec tunnels forwarding traffic to Zscaler. Then test the configuration to ensure the Zscaler App behaves as expected and user traffic is sent to Zscaler through the GRE or IPsec tunnels rather than through the Zscaler App.

See Configuring Forwarding Profiles for the Zscaler App for complete instructions.

Confirm that the Zscaler App properly forwards traffic on and off trusted networks.

Some applications or websites your users access may be incompatible with proxy services enabled by the Zscaler App. If so, create PAC files so you can exempt some user traffic from being forwarded with the Zscaler App. You can specify the URL for this PAC file when configuring the Zscaler App profile and forwarding profiles. If your PAC logic uses DNS resolve, add this function to the forwarding profile PAC file only, to avoid duplicating the DNS query.

Confirm that traffic to applications or websites specified as exempt from the Zscaler App in the PAC file is not forwarded by the Zscaler App, and ensure users can access them properly with the Zscaler App running.
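
The following is an added example, not taken from Zscaler's documentation: a PAC file with a tightly scoped exemption list, plus a helper that audits the PAC decisions against a planned list of URLs before the file is published. The hostnames, the proxy address in FORWARD, and the names isExempt, auditExemptions and SAMPLE_PLAN are assumptions made for illustration; FindProxyForURL is the standard PAC entry point.

```javascript
// Added example: PAC exemption logic plus an offline audit helper.
// All hostnames and the proxy address are constructed placeholders.
var EXEMPT_DOMAINS = ["pinned-app.example.com", "legacy.example.net"];
var FORWARD = "PROXY proxy.example.invalid:8080"; // stand-in for the forwarding action

// Match the exact host or a true subdomain only. A bare suffix test would
// also match "evilpinned-app.example.com" and exempt it from inspection.
function isExempt(host) {
  host = host.toLowerCase().replace(/\.$/, ""); // normalise case, trailing dot
  for (var i = 0; i < EXEMPT_DOMAINS.length; i++) {
    var d = EXEMPT_DOMAINS[i];
    if (host === d || host.slice(-(d.length + 1)) === "." + d) return true;
  }
  return false;
}

// Standard PAC entry point. Hostname checks only: no DNS lookup is made here.
function FindProxyForURL(url, host) {
  return isExempt(host) ? "DIRECT" : FORWARD;
}

// Run outside the browser (Node.js): evaluate the PAC decision for each
// planned URL and return the entries whose result differs from the plan.
function auditExemptions(plan) {
  return plan.filter(function (e) {
    e.got = FindProxyForURL(e.url, new URL(e.url).hostname);
    return e.got !== e.expect;
  });
}

// Constructed exemption plan for the test phase.
var SAMPLE_PLAN = [
  { url: "https://pinned-app.example.com/login", expect: "DIRECT" },
  { url: "https://api.legacy.example.net/v1", expect: "DIRECT" },
  { url: "https://evilpinned-app.example.com/", expect: FORWARD },
  { url: "https://www.example.org/", expect: FORWARD }
];

console.log(auditExemptions(SAMPLE_PLAN));
```

An empty result means every planned URL gets the intended decision. Any returned entry is either a missing exemption or an over-broad one that would bypass inspection.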

If you want Zscaler to perform SSL inspection on traffic forwarded by the Zscaler App, you must:

  • Turn on the Install Zscaler SSL Certificate option when configuring App profiles. If you want to use your organization's custom SSL certificate, upload the custom certificate in the Advanced Configuration page (Administration > Zscaler App Support) and Zscaler automatically uses this certificate for the Zscaler App.
  • Enable SSL Scanning for Mobile Traffic on the SSL Inspection page of the Zscaler admin portal.
  • Ensure all applications that perform certificate pinning are specified under Do Not Inspect these Applications on the SSL Inspection page in the Zscaler admin portal.
  • Conduct tests recommended by Best Practices for Testing and Rolling Out SSL Inspection.

Confirm that SSL inspection is correctly performed on traffic forwarded by the Zscaler App.

Try configuring custom App Profiles to ensure the Zscaler App functions as intended for your organization. In particular, Zscaler recommends selecting the following options when configuring App Profiles:

  • If you want to enable SSL inspection of traffic forwarded by the Zscaler App, select Install Zscaler SSL Certificate.
  • For Log Mode, select Debug in Phase 1 and Error in Phase 4.
  • If configuring App Profiles for Windows users and if the App will be running in Tunnel with Local Proxy mode:
    • Disable Loopback Restriction: Required for Tunnel with Local Proxy mode
    • Override WPAD: Unless the devices must utilize WPAD, Zscaler recommends selecting this option for fresh installations where WPAD is still present or received by DHCP.
    • Restart WinHTTP Service: Zscaler recommends selecting this option to delete any cached WPAD settings.

Confirm that the custom App Profiles allow the Zscaler App to meet the needs of your organization.

Phase 2: Pilot

Expand the group of users by deploying the app to another 100-150 users in your organization's IT group.

Goal: To ensure Zscaler App functionality on a variety of platforms, with different applications and use cases.

Success Criteria: No blockers exist for moving to the next phase.

Platform Configuration:

Gather as much information as possible about the computers being used by your organization. See below for some of the information you'll want to collect about your users' computers. Zscaler recommends you test the Zscaler App on as many different computers as possible in each phase. This will allow you to discover and resolve any issues the Zscaler App may encounter on different computer images and in different infrastructures, before the App is fully deployed to all users.

For the Windows and Mac computers users will be on, gather the following information:

  • Versions: What OS versions are being used?
  • Browsers: What browsers are being used?
  • VPN: What VPN clients are being used?
  • Antivirus: What antivirus solutions are being used?
  • Firewall: What firewalls are being used?
  • Management: What computer management mechanisms are being used?
  • Key Applications: What key applications are being used?
  • Application Distribution: How are application packages distributed?
  • Other: Take note of any other platform features that may impact Zscaler App functionality.

Phase 3: End User Group

Deploy the Zscaler App to 200-300 end users in your organization.

Goal: To ensure Zscaler App functionality for a smaller group of end users before full deployment to all end users.

Success Criteria: No blockers exist for moving to the next phase.

Platform Configuration:

Gather as much information as possible about the computers being used by your organization. See below for some of the information you'll want to collect about your users' computers. Zscaler recommends you test the Zscaler App on as many different computers as possible in each phase. This will allow you to discover and resolve any issues the Zscaler App may encounter on different computer images and in different infrastructures, before the App is fully deployed to all users.

For the Windows and Mac computers users will be on, gather the following information:

  • Versions: What OS versions are being used?
  • Browsers: What browsers are being used?
  • VPN: What VPN clients are being used?
  • Antivirus: What antivirus solutions are being used?
  • Firewall: What firewalls are being used?
  • Management: What computer management mechanisms are being used?
  • Key Applications: What key applications are being used?
  • Application Distribution: How are application packages distributed?
  • Other: Take note of any other platform features that may impact Zscaler App functionality.

Phase 4: Remaining User

Deploy the Zscaler App to the remaining end users in your organization.

Goal: To ensure Zscaler App functionality for full deployment to all end users.

Success Criteria: No blockers exist.