Secure Private Access (ZPA)

About ZPA Private Service Edges

ZPA Private Service Edges are single-tenant instance brokers that provide the functionality of a ZPA Public Service Edge in an organization’s environment. Your organization hosts them either within your site or on a cloud service, but Zscaler manages them. On the other hand, ZPA Public Service Edges are deployed in Zscaler data centers around the world. To learn more, see Understanding Private Service Edges.

As with a ZPA Public Service Edge, a ZPA Private Service Edge manages the connections between Zscaler Client Connector and App Connectors. It registers with the ZPA Cloud. This allows a ZPA Private Service Edge to download the relevant policies and configurations so it can enforce all ZPA policies. It also caches path selection decisions.

ZPA Private Service Edges provide the following benefits and enable you to:

  • Implement Zero Trust Network Access (ZTNA) for on-premises users.
  • Securely access applications when ZPA Public Service Edges in data centers are not conveniently located between users and the applications they need to reach.
  • Ensure business continuity and continued access to critical apps during disaster events.
  • Keep application data traffic local to help meet compliance and regulatory requirements.

ZPA Private Service Edges can be deployed in several forms. Zscaler distributes images for deployment in enterprise data centers and local private cloud environments such as VMware.

Before you begin, see ZPA Private Service Edges Deployment Prerequisites, which provides detailed information on virtual image (VM) sizing and scalability, supported platform requirements, deployment best practices, and other essential guidelines.

Configuring ZPA Private Service Edges involves two main tasks:

  1. Adding ZPA Private Service Edges using the ZPA Admin Portal, which includes obtaining a ZPA Private Service Edge Provisioning Key.
  2. Deploying ZPA Private Service Edges on the supported platform of your choice.

After a ZPA Private Service Edge is added and deployed, it is displayed on the Private Service Edge page. You can perform additional software management and maintenance tasks after deployment. To learn more, see Managing Deployed ZPA Private Service Edges and About ZPA Private Service Edge Software Updates.

The ZPA Private Service Edge uses the public IP address of the user who connects to the ZPA Private Service Edge to access private resources. After a user connects to a ZPA Private Service Edge, the location of the user is determined by the user's public IP address, and then a country-based policy for the mapped country is enforced. To learn more, see About Access Policy.

If a user connects to a ZPA Private Service Edge with an RFC 1918 IP address, then the location of the ZPA Private Service Edge is used to evaluate policies with country criteria.

If the location of the ZPA Private Service Edge Group is updated for an existing connection, the ZPA Private Service Edge uses the old location until the next time it makes a new connection. Location changes via a GeoIP configuration override are not supported for ZPA Private Service Edges. To learn more, contact Zscaler Support.
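
A minimal model of the location rules in the three paragraphs above, added here as an illustration and not Zscaler code. The GeoIP table, the class and function names, and the handling of unmapped addresses are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Exactly the RFC 1918 ranges the page names; is_private would be broader.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed GeoIP table (documentation prefixes, made-up country mapping).
GEOIP = {ipaddress.ip_network("203.0.113.0/24"): "DE",
         ipaddress.ip_network("198.51.100.0/24"): "US"}

@dataclass
class EdgeGroup:            # hypothetical model of a Private Service Edge group
    name: str
    country: str            # configured location of the group

@dataclass(frozen=True)
class Connection:           # location is fixed when the connection is made
    client_ip: str
    country: Optional[str]
    basis: str

def is_rfc1918(ip):
    return any(ip in net for net in RFC1918)

def geoip_country(ip):
    return next((cc for net, cc in GEOIP.items() if ip in net), None)

def open_connection(client_ip, group):
    """Pick the country used for country criteria at connect time."""
    ip = ipaddress.ip_address(client_ip)
    if is_rfc1918(ip):
        # Private source address: fall back to the edge group's location.
        return Connection(client_ip, group.country, "edge-group-location")
    # Public source address: country comes from the GeoIP mapping.
    # Assumption: an unmapped address yields None and matches no country rule.
    return Connection(client_ip, geoip_country(ip), "client-public-ip")

def country_rule_matches(conn, countries):
    return conn.country is not None and conn.country in countries

if __name__ == "__main__":
    group = EdgeGroup("hq-edges", "US")
    office = open_connection("10.20.30.40", group)
    group.country = "FR"    # admin updates the group's location
    later = open_connection("10.20.30.40", group)
    print(office.country, later.country)
```

When reviewing country-based access rules, note that 172.32.0.1 and 100.64.0.1 fall outside RFC 1918, so this model treats them as public addresses; the page does not state how such ranges are handled.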

About the Private Service Edges Page

On the Private Service Edges page (Configuration & Control > Private Infrastructure > Private Service Edge Management > Private Service Edge), you can do the following:

  1. View a list of applied filters available from the current and previous user sessions. Applied filters must be saved to the user session first before they can be viewed. Use the drop-down menu to select the applied filters to view. To learn more, see Using Tables.
  2. Hide the filters on the page by clicking Hide Filters. Click Show Filters to show the filters.
  3. Refresh the Private Service Edges page to reflect the most current information.
  4. Filter the information that appears in the table. By default, no filters are applied. You can also save applied filters to your preferences so that they're visible in future user sessions. To learn more, see Using Tables.
  5. Add a new ZPA Private Service Edge.
  6. Expand all the rows in the table to see more information about each ZPA Private Service Edge.
  7. View a list of all deployed ZPA Private Service Edges. ZPA Private Service Edges that you've added but have not deployed are not listed. For each deployed ZPA Private Service Edge, you can see:
    • Name: The name of the ZPA Private Service Edge. When expanded, the following information is displayed depending on the defined ZPA Private Service Edge:
      • Description: The description of the ZPA Private Service Edge, if available.
      • Private Service Edge Group: The ZPA Private Service Edge group that the ZPA Private Service Edge is a member of.
      • Private Service Edges Host Platform: The platform that the ZPA Private Service Edge is deployed on (e.g., AWS, ESXi (VMware)).
      • Private Service Edges Host OS: The runtime OS on which the ZPA Private Service Edge is running (e.g., CentOS Linux 7).
      • Private Service Edge Package OS: The compile-time OS on which the .rpm binary is packaged (e.g., Enterprise Linux 7).
      • Last Software Update: The date and time the ZPA Private Service Edge was last updated to a newer software version.
      • Public Service Edge: The ZPA Public Service Edge that the ZPA Private Service Edge connects to.
      • Last Connection to Zscaler: The last time the ZPA Private Service Edge connected to Zscaler.
      • Last Disconnect from Zscaler: The last time the ZPA Private Service Edge disconnected from Zscaler.
      • Location: The location where the ZPA Private Service Edge group that the ZPA Private Service Edge belongs to is set up.
      • Public IP: The public IP address of the ZPA Private Service Edge. Disconnected ZPA Private Service Edges show the last known public IP address.
      • Private IP: The private IP address of the ZPA Private Service Edge. Disconnected ZPA Private Service Edges show the last known private IP address.
      • Uptime: The period of time the ZPA Private Service Edge is available for use. Disconnected ZPA Private Service Edges show the value Not Available.
      • Enrollment Certificate: The certificate of the ZPA Private Service Edge used for enrollment.
      • Supporting Files Upgrade Status: When enabled, this field indicates the upgrade status and current version of the supporting files used to map the public IP address of the ZPA Private Service Edge to the country where the IP address is registered.

        The ZPA Private Service Edge indicates Partial Failure for the Upgrade Status if a supporting file fails to upgrade. The Information icon appears next to the supporting file that failed to upgrade. To learn more, see Troubleshooting ZPA Private Service Edges.

      • Publish IPs or Domains: The IP addresses and domains that clients and App Connectors can use to open a connection to the ZPA Private Service Edge. If this is not specified, then the clients and App Connectors try to connect using the Listen IPs.
      • Listen IPs: The IP addresses on which the ZPA Private Service Edge listens for connection requests from clients and App Connectors. When configured, the ZPA Private Service Edge listens only at these set addresses. If not configured, the ZPA Private Service Edge listens on all interfaces.
    • Manager Version: The version of the current ZPA Private Service Edge Manager software. To learn more, see Understanding the Manager Software.
    • Current Software Version: The current ZPA Private Service Edge software version.
    • Connection Status: The status of the ZPA Private Service Edge session.
    • Upgrade Status: The status of the last ZPA Private Service Edge software update.
    • Status: Indicates whether the ZPA Private Service Edge is enabled or disabled.
  8. Modify the columns displayed in the table.
  9. Edit the configuration of a deployed ZPA Private Service Edge.
  10. Delete a deployed ZPA Private Service Edge configuration.
  11. Display more rows or a different page of the table.
  12. Open the Zscaler Help Browser and view Help Portal articles without leaving the ZPA Admin Portal.
  13. Go to the Private Service Edge Groups page to manage your ZPA Private Service Edge groups.
  14. Go to the Private Service Edge Provisioning Keys page to manage your ZPA Private Service Edge provisioning keys.

Private Service Edges page in the ZPA Admin Portal
