Secure Private Access (ZPA)

Understanding Client-to-Client Connectivity

In addition to connecting users to private applications, Zscaler Private Access (ZPA) also supports connecting users to other ZPA-enabled devices for remote assistance or remote troubleshooting. An IT admin can initiate a Remote Desktop Protocol (RDP) connection or a Microsoft Remote Assistance (MSRA) connection to a remote end user's device if support is needed. The connection is established by the ZPA infrastructure.

Enabling client-based remote assistance allows for troubleshooting on an end user's Windows, Mac, or Linux device. An admin must configure a regular expression in the ZPA Admin Portal for client-to-client connectivity to work. To learn more, see Validating a Client Hostname.

When configuring application segments for client-to-client connectivity, the configured hostnames or fully qualified domain names (FQDNs) must match the regular expression used to validate a client hostname (e.g., “testPC.example.com” matches the regular expression “.*\.example\.com”).

To successfully enable remote assistance, the application segment used for client-to-client connectivity must match the regular expression defined when validating a client hostname. If your applications and workstations share the same namespace and you want to limit remote assistance access to the admin only, Zscaler recommends creating separate application segments for client-to-client connectivity and for application access.

For fine-grained access control, Zscaler recommends creating a wildcard application segment that matches the workstations, along with FQDN-matching application segments for the application server.
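A pre-deployment check for the matching requirement described above, as an added example that is not Zscaler code and calls no ZPA API. It assumes whole-hostname, case-insensitive matching using Python's `re` engine (ZPA's own regex semantics may differ); the function names and all hostnames are constructed for illustration.

```python
import re

def matches(pattern, hostname):
    # Assumption: the regex must cover the whole hostname, case-insensitively.
    return re.fullmatch(pattern, hostname, re.IGNORECASE) is not None

def check_segments(pattern, hostnames):
    """Map each application segment hostname to whether it satisfies the regex."""
    return {h: matches(pattern, h) for h in hostnames}

def lookalike_probes(domain):
    """Constructed names outside `domain` that a well-escaped regex must reject."""
    first, rest = domain.split(".", 1)
    return [
        "testpc-" + domain,                  # separator dot replaced
        "testpc." + first + "x" + rest,      # dot inside the domain replaced
        "testpc." + domain + ".other.test",  # extra suffix appended
    ]

def overly_permissive(pattern, domain):
    """Return the probes the regex wrongly accepts (empty list means none)."""
    return [p for p in lookalike_probes(domain) if matches(pattern, p)]

if __name__ == "__main__":
    # Constructed sample data: the page's regex, and the same regex with
    # the dots left unescaped.
    escaped = r".*\.example\.com"
    unescaped = r".*.example.com"
    segments = ["testPC.example.com", "app1.corp.example.net"]

    for host, ok in check_segments(escaped, segments).items():
        print(f"{host}: {'matches' if ok else 'does NOT match'} {escaped}")
    for pattern in (escaped, unescaped):
        print(f"{pattern} wrongly accepts: {overly_permissive(pattern, 'example.com')}")
```

An unescaped `.` matches any character, so the second pattern validates hostnames that are not under `example.com` at all.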

Windows and Linux devices must have the primary DNS suffix properly configured, and end users' machines must be running Zscaler Client Connector version 3.9.0.169 or later for Windows, version 1.4 or later for Linux, or version 3.7 or later for macOS. An admin must run Zscaler Client Connector with Private Access enabled. To verify that the user's device is registered for remote assistance, confirm that the Valid Hostname field is True for the user's session in the User Status Diagnostics. Additionally, Zscaler Client Connector shows the device's FQDN on the Private Access tab for the Client field if the registration is successful.
