Zscaler App: Step-by-Step Configuration Guide

This guide takes you step-by-step through the configuration tasks you must complete to begin using the Zscaler App for your organization. Each step links you to the appropriate article for that configuration task.

A. Requirements

See below for system requirements and prerequisite tasks you must have completed before your organization can use the Zscaler App for the Zscaler Internet Access (ZIA) and Zscaler Private Access (ZPA) services.

Windows

  • Windows 7, 8, 8.1, or 10
  • Disk usage: 200 MB
  • Memory usage: 150 MB
  • Processor capable of running operating systems supported by the Zscaler App
  • Microsoft .NET Framework 4 and above
  • Whitelisted Zscaler App processes and configured firewall bypasses: While Zscaler has whitelisting agreements for the Zscaler App in place with specific endpoint protection vendors such as Trend Micro and Kaspersky Labs, for some endpoint protection products, such as anti-virus and personal firewall software, you may need to perform additional whitelisting to ensure full Zscaler App functionality.

    Zscaler recommends that your users' Windows devices have inbound rules that allow the following Zscaler App binaries and processes.

    Processes to Whitelist

    You can use GPO to define rules that allow the following processes.

    NOTE: % is a macro that represents the drive where the program files are located. Program files are usually located on the C drive. There are exceptions; for example, on an Amazon WorkSpace (AWS), the program files are on the D drive.

    • Windows 64-bit
      • %ProgramFiles(x86)%\Zscaler\ZSATray\ZSATray.exe
      • %ProgramFiles(x86)%\Zscaler\ZSATunnel\ZSATunnel.exe
      • %ProgramFiles(x86)%\Zscaler\ZSAService\ZSAService.exe
      • %ProgramFiles(x86)%\Zscaler\ZSAUpdater\ZSAUpdater.exe
      • %ProgramFiles(x86)%\Zscaler\Updater\zscalerappupdater.exe
      • %ProgramFiles(x86)%\Zscaler\Updater\zscalerchecksumverifier.exe
      • %ProgramFiles(x86)%\Zscaler\ThirdParty\CertUtil\certutil.exe
      • %ProgramFiles(x86)%\Zscaler\ThirdParty\Filechecksum\fciv.exe
      • %ProgramFiles(x86)%\Zscaler\ThirdParty\TAPDriver\Zscaler-Network-Adapter-1.0.1.0.exe
      • %ProgramFiles(x86)%\Zscaler\ThirdParty\TAPDriver\Zscaler-Network-Adapter-1.0.2.0.exe
    • Windows 32-bit
      • %ProgramFiles%\Zscaler\ZSATray\ZSATray.exe
      • %ProgramFiles%\Zscaler\ZSATunnel\ZSATunnel.exe
      • %ProgramFiles%\Zscaler\ZSAService\ZSAService.exe
      • %ProgramFiles%\Zscaler\ZSAUpdater\ZSAUpdater.exe
      • %ProgramFiles%\Zscaler\Updater\zscalerappupdater.exe
      • %ProgramFiles%\Zscaler\Updater\zscalerchecksumverifier.exe
      • %ProgramFiles%\Zscaler\ThirdParty\CertUtil\certutil.exe
      • %ProgramFiles%\Zscaler\ThirdParty\Filechecksum\fciv.exe
      • %ProgramFiles%\Zscaler\ThirdParty\TAPDriver\Zscaler-Network-Adapter-1.0.1.0.exe
      • %ProgramFiles%\Zscaler\ThirdParty\TAPDriver\Zscaler-Network-Adapter-1.0.2.0.exe

    Bypasses for Firewall

    Additionally, if you have a GPO-managed or AV-managed host firewall, you may configure an inbound firewall rule on your endpoint protection product for ZSATunnel.exe processes for all ports, protocols, and network interfaces.

    • ZSATunnel.exe: Inbound and Outbound
    • ZSATray.exe: Outbound
    • ZSAUpdater.exe: Outbound
    • ZSAService.exe: Outbound
    • zscalerappupdater.exe: Outbound

Mac OS X

  • Mac OS X 10.10 and later
  • Disk usage: 200 MB
  • Memory usage: 150 MB
  • Processor capable of running operating systems supported by the Zscaler App
  • If you will be using the Tunnel mode in your forwarding profile, ensure that you disable the system firewall.
  • Whitelisted Zscaler App processes and configured firewall bypasses: While Zscaler has whitelisting agreements for the Zscaler App in place with specific endpoint protection vendors such as Trend Micro and Kaspersky Labs, for some endpoint protection products, such as anti-virus and personal firewall software, you may need to perform additional whitelisting to ensure full Zscaler App functionality.

    Zscaler recommends that your users' Mac devices have inbound rules that allow the following Zscaler App binaries and processes.

    Processes to Whitelist

    • /Applications/Zscaler/Zscaler.app/Contents/PlugIns/ZscalerTunnel
    • /Applications/Zscaler/Zscaler.app/Contents/PlugIns/ZscalerService
    • /Applications/Zscaler/Zscaler.app/Contents/MacOS/Zscaler
    • /Applications/Zscaler/.Updater/autoupdate-osx.app/Contents/MacOS/ZscalerUpdater
    • Zscaler App Identifier: com.zscaler.Zscaler

    Bypasses for Firewall

    Additionally, if you have an AV-managed host firewall, you may configure an inbound firewall rule on your endpoint protection product for the ZscalerTunnel process for all ports, protocols, and network interfaces.

    • ZscalerTunnel: Inbound and Outbound
    • ZscalerService: Outbound
    • Zscaler: Outbound
    • ZscalerUpdater: Outbound

Prerequisites for Zscaler Internet Access (ZIA)

  • Configure appropriate security and access settings in the Zscaler admin portal.
  • You must have one of the following for authentication:
  • Configure your organization's firewall to allow the necessary connections. For detailed information about the traffic your firewall must allow, go to https://ips.<your cloud name>/zscaler_app. To learn how to find your cloud name, see What is my cloud name? For example, if your cloud name is zscalertwo.net, you would go to https://ips.zscalertwo.net/zscaler_app.
  • If you want to enable SSL inspection for users running the Zscaler App, enable SSL scanning for mobile traffic in the admin portal. (See E. Define your policy for SSL inspection in How do I deploy SSL inspection?) Additionally, when you configure your App Profile, ensure that the Install Zscaler SSL Certificate option is turned on.

Prerequisites for Zscaler Private Access (ZPA)

  • Configure appropriate security and access settings in the ZPA admin portal.
  • SAML-based authentication must be configured and users provisioned. Note that you cannot use the Zscaler App Portal as an IdP for the ZPA service.
  • To ensure the Zscaler App properly processes traffic for ZPA, ensure that the following domains are in the SSL bypass list. If you use a PAC file for the Zscaler App, you must add these domains to the SSL bypass list in the PAC file as well.
    • api.zscalerconnect.net
    • api.zscalershift.net
    • broker.prod.zpath.net
    • samlsp.private.zscaler.com
    • Any domains used by your organization's identity provider (IdP) (for example, example.okta.com)
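
As an added example (not code from the Zscaler guide), the PowerShell below creates local Windows Defender Firewall rules for the Windows processes and directions given in the "Bypasses for Firewall" list above, scoped to each binary. It assumes a 64-bit host with the app installed under %ProgramFiles(x86)%; the "ZscalerApp-" rule-name prefix is an arbitrary choice.

```powershell
# Added example: per-program allow rules for the Zscaler App processes listed
# in the guide (ZSATunnel.exe in and out; the rest outbound only).
# Assumption: 64-bit Windows, app under %ProgramFiles(x86)%. Run elevated.

$base = Join-Path ${env:ProgramFiles(x86)} 'Zscaler'

# Process -> allowed directions, as in the guide's Windows bypass list.
$rules = @(
    @{ Path = 'ZSATunnel\ZSATunnel.exe';       Directions = @('Inbound', 'Outbound') }
    @{ Path = 'ZSATray\ZSATray.exe';           Directions = @('Outbound') }
    @{ Path = 'ZSAUpdater\ZSAUpdater.exe';     Directions = @('Outbound') }
    @{ Path = 'ZSAService\ZSAService.exe';     Directions = @('Outbound') }
    @{ Path = 'Updater\zscalerappupdater.exe'; Directions = @('Outbound') }
)

foreach ($r in $rules) {
    $exe = Join-Path $base $r.Path
    if (-not (Test-Path $exe)) {
        # Do not create allow rules for binaries that are not on the host.
        Write-Warning "Not installed, skipping: $exe"
        continue
    }
    foreach ($dir in $r.Directions) {
        $name = "ZscalerApp-$([IO.Path]::GetFileNameWithoutExtension($exe))-$dir"
        # Idempotent: leave an existing rule of the same name untouched.
        if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) {
            Write-Host "Exists: $name"
            continue
        }
        # Allow only this program; all ports, protocols, interfaces and profiles,
        # which is the scope the guide describes for the ZSATunnel.exe rule.
        New-NetFirewallRule -DisplayName $name -Direction $dir -Program $exe `
            -Action Allow -Profile Any -Enabled True | Out-Null
        Write-Host "Created: $name"
    }
}

# Verification: show the rules with the program path each one is bound to.
Get-NetFirewallRule -DisplayName 'ZscalerApp-*' | ForEach-Object {
    $filter = $_ | Get-NetFirewallApplicationFilter
    [pscustomobject]@{
        Rule = $_.DisplayName; Direction = $_.Direction; Program = $filter.Program
    }
} | Format-Table -AutoSize
```

Where the host firewall is GPO-managed, as the guide notes, the same per-program allow rules belong in the GPO rather than on the local host, since local rules may be overridden by policy.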

B. Configure Administration Settings

1. Configure an Acceptable Use Policy (AUP).
2. Configure app update settings.
3. Configure forwarding profiles.
4. Configure support settings.
5. Configure fail-open settings.
6. If necessary, configure settings to use the Zscaler App Portal as your IdP.
7. If necessary, configure device posture profiles. This is applicable only if you use the Zscaler Private Access (ZPA) service.

C. Configure App Profiles

Configure app profiles for Windows and/or Mac OS X computers.

D. Download the Zscaler App

Download the app from the Zscaler App Portal.

E. Prepare the Installer File with Preferred Installer Options

Before installing the app, you can add install options to customize it for your organization.

F. Install the Zscaler App

You can install the Zscaler App manually on individual computers, or you can use your organization's device management mechanism to deploy the app to your users' computers.

Once the app is installed on users' devices, users can enroll with Zscaler. During enrollment, the app downloads the appropriate app profile and administrative settings as configured in the Zscaler App Portal.

G. Zscaler App System Location

To learn where the Zscaler App is installed on users' Windows or Mac OS X devices, see the following articles: