In addition to connecting users to private applications, Zscaler Private Access (ZPA) also supports connecting users to other ZPA-enabled devices for remote assistance or remote troubleshooting. An IT admin can initiate a Remote Desktop Protocol (RDP) connection or a Microsoft Remote Assistance (MSRA) connection to a remote end user's device if support is needed. The connection is established by the ZPA infrastructure.

Enabling client-based remote assistance allows for troubleshooting on an end user's Windows, Mac, or Linux device. An admin must configure a regular expression in the ZPA Admin Portal for client-to-client connectivity to work. To learn more, see Validating a Client Hostname.

When configuring application segments for client-to-client connectivity, the configured hostnames or fully qualified domain names (FQDNs) must match the regular expression used to validate a client hostname (e.g., “testPC.example.com” matches the regular expression “.*\.example\.com”).

To successfully enable remote assistance, the client-to-client connected application segment must match the regular expression defined when validating a client hostname. If you have the same namespace for both your applications and workstations and want to limit the remote assistance access only to the admin, Zscaler recommends creating different application segments for client-to-client connectivity and for application access.

For fine-grained access control, Zscaler recommends creating a wildcard application segment that matches with the workstations and with the FQDN matching application segments for the application server.