Secure Private Access (ZPA)

About Applications

An application is a fully qualified domain name (FQDN), local domain name, or IP address that you define on a standard set of ports. Applications must be defined within an application segment.

To enable application discovery, you can define an application as an FQDN in wildcard format or as an IP subnet.

An application segment is a grouping of defined applications, based on access type or user privileges. ZPA features such as double encryption and health reporting are configured per application segment.

Defining your applications in application segments enables you to:

  • Restrict access to excess ports for the application, reducing the application’s attack surface.
  • Leverage those application segments in access policies to restrict user groups that can access them, as well as reduce lateral movement.
  • Apply advanced capabilities such as Browser Access, Isolation, AppProtection, and data loss prevention that you are licensed for.
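The review below is an added example, not Zscaler code or a ZPA export format: it classifies each application definition (wildcard, IP subnet, single IP, or name) and flags segments whose TCP port ranges are broader than a review threshold. The dictionary keys, the sample segments, and the `MAX_PORTS` threshold are assumptions made for illustration.

```python
import ipaddress

# Constructed sample segments; the dict keys are hypothetical, not ZPA's export format.
SEGMENTS = [
    {"name": "hr-portal", "applications": ["hr.corp.example"], "tcp_ports": "443-443"},
    {"name": "discovery", "applications": ["*.corp.example", "10.20.0.0/16"],
     "tcp_ports": "1-65535"},
    {"name": "ssh-jump", "applications": ["10.20.5.7"], "tcp_ports": "22-22, 8000-8999"},
]

MAX_PORTS = 100  # assumed review threshold for "excess ports"


def classify(app):
    """Return 'wildcard', 'subnet', 'ip' or 'name' for one application definition."""
    if app.startswith("*."):
        return "wildcard"
    try:
        net = ipaddress.ip_network(app, strict=False)
    except ValueError:
        return "name"  # FQDN or local domain name
    return "subnet" if "/" in app and net.num_addresses > 1 else "ip"


def port_count(ranges):
    """Count distinct ports in a 'start-end, start-end' string."""
    ports = set()
    for part in filter(None, (p.strip() for p in ranges.split(","))):
        start, _, end = part.partition("-")
        lo, hi = int(start), int(end or start)
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"bad port range: {part!r}")
        ports.update(range(lo, hi + 1))
    return len(ports)


def audit(segment):
    """List review findings for one segment."""
    findings = []
    kinds = {classify(a) for a in segment["applications"]}
    count = port_count(segment["tcp_ports"])
    if count > MAX_PORTS:
        findings.append(f"{count} TCP ports exposed (> {MAX_PORTS})")
    if kinds & {"wildcard", "subnet"} and count > MAX_PORTS:
        findings.append("discovery-style definition with broad ports")
    return findings


if __name__ == "__main__":
    for seg in SEGMENTS:
        print(seg["name"], audit(seg) or "ok")
```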

Read about the following key configuration options available for your applications before configuring an application segment within ZPA:

About the Defined Application Segments Page

On the Defined Application Segments page (Resource Management > Application Management > Application Segments > Defined Application Segments), you can do the following:

  1. Validate a client hostname.

    If you are using a Microtenant, this option is hidden.

  2. View and add DNS search domains.

    DNS search domains are unique per customer. When configuring Microtenants, DNS search domains that are added in the default tenant are inherited across Microtenants.

  3. Add an application segment.
  4. Select the Show Recommendation Before Editing option.
  5. Open the Column Menu to:
    • Expand all rows in the table to see more information about each application segment. Alternatively, you can click on the Expand icon next to the name to see more information about the selected application segment.
    • Set application segment configuration warnings.
    • Download the configuration information for the application segments to a CSV file. The file lists the application segments based on the selected table filters.
  6. Filter the information that appears in the table. By default, no filters are applied.

    If you are using a Microtenant, then the Microtenant Ownership Type filter is available. By default, the Configured within Microtenant filter option is applied to show the application segments configured within that specific Microtenant. The options for the filter are based on access type (Global, Configured with Microtenant, Shared to this Microtenant, and Share from this Microtenant). The only available operator for this filter type is Equals.

  7. View a list of all application segments that were configured for your organization. For each application segment, you can see:
    • Name: The name of the application segment. When you expand the row for an application segment, you can

      • Description: (Optional) Enter a description for the application segment.
      • Segment Group: The segment group that the application segment is a member of.
      • Server Groups: The server groups that the applications are hosted on.
      • Double Encryption: Indicates whether Double Encryption is enabled or disabled for all applications. By default, if a Browser Access-enabled application was defined, Double Encryption is disabled.
      • Bypass: Indicates whether users can bypass ZPA to access applications.
      • Zscaler Client Connector can receive CNAME: Indicates if Zscaler Client Connector receives CNAME DNS records from App Connectors.
      • Source IP Anchor: Indicates if Source IP Anchoring, for use with Zscaler Internet Access (ZIA), is enabled or disabled for all applications.
      • ICMP Access: Indicates if ICMP communication is enabled or disabled for all applications.
      • App Connector Closest to Application: Indicates if the App Connector is closest to the application (Enabled) or closest to users (Disabled).
      • Inspect Traffic with ZIA: Indicates if the traffic for the application segments is enabled to be inspected with ZIA.
      • Active Directory Inspection: Indicates if the traffic for the application segment is inspected with Active Directory (AD) Protection protocols.
      • Auto App Protection: Indicates if the traffic for the application segment is inspected with AppProtection protocols.

      If an application segment is missing required settings, the yellow Caution icon appears next to its name within the table. Edit the application segment to resolve the configuration issues. If an application segment is Source IP Anchoring-enabled, the Information icon appears next to its name within the table.

    • Applications: A list of up to three defined applications within the application segment. Browser Access-enabled applications are denoted by a Browser Access icon. Privileged Remote Access-enabled applications are denoted by a Privileged Remote Access icon. All other applications are denoted by a Zscaler Client Connector icon. If there are more than three applications, then only the number of defined applications appears.

      For all applications, there is a link to view the Application Segment details with a list of all the applications for the application segment.

      • TCP Port Ranges: The TCP port ranges being used to access applications.
      • UDP Port Ranges: The UDP port ranges being used to access applications.
      • Certificate: The certificate that matches the fully qualified domain the user accesses when using Browser Access, Isolation, or Privileged Remote Access.
      • Protocol: The protocol that the application is using. Use HTTP or HTTPS for Browser Access and Browser Isolation. Use VNC, SSH, or RDP for Privileged Remote Access.
      • Server Port: The web server port number used when a request is made to access a Browser Access-enabled or Privileged Remote Access-enabled application.
      • Use Untrusted Certificates: Indicates whether Use Untrusted Certificates is enabled or disabled for a Browser Access-enabled or Privileged Remote Access-enabled application.

    • Status: Indicates that the application segment is enabled or disabled.
    • Health Reporting: Indicates whether health reporting for the application is Continuous, On Access, or None. To learn more, see About Health Reporting.
  8. View a configuration graph of connected objects.

  9. Copy an existing application segment.
  10. Move the application segment to a Microtenant.

    The Move icon is only visible if there are one or more Microtenants available. If you are using a Microtenant, the Share icon appears. If you share an application segment with another Microtenant, it appears as Shared to when you expand the application segment.

  11. Edit an existing application segment.
  12. Download the configuration information for an application segment to a CSV file.
  13. Delete an application segment.

Zscaler recommends you consider the following when deleting an application segment:

  • If an application segment is referenced in a segment group and has a policy configured, the delete action is unavailable. An admin must manually review and remove the link to the policy to successfully delete the application segment. If an application segment is referenced by ZIA for Source IP Anchoring, the delete action is unavailable. A Lock icon appears in its place. To learn more, see About Source IP Anchoring.
  • If an application segment is configured using Zscaler Deception, then the copy, edit, and delete options are unavailable.
  1. Depending on your ZPA Admin Portal subscriptions, you can see the following pages: