Secure Private Access (ZPA)
Configuring Business Continuity Settings
Business Continuity provides access to your applications during ZPA-related cloud outages or Internet Service Provider (ISP) outages. Configuring the Business Continuity settings in ZPA is the first step in enabling Business Continuity for your organization. To learn more about additional prerequisites and an overview of the feature, see Understanding Business Continuity.
FQDN or SNI in Business Continuity
Business Continuity requires DNS servers hosted in your organization's infrastructure to resolve the fully qualified domain names (FQDNs). The following table shows examples of FQDNs or Server Name Indication (SNI) that are used in Business Continuity.
Component | FQDN or SNI
---|---
Zscaler Client Connector | 
Zscaler Client Connector TLS connections to the Private Cloud Controller | 
Zscaler Client Connector TLS connections to the ZPA Private Service Edge | 
ZPA Private Service Edges and App Connectors | 
Configuring Business Continuity Settings
To configure Business Continuity settings for ZPA:
- Go to Configuration & Control > Business Continuity > Settings.
- On the Settings page, configure the following Business Continuity settings as needed:
- General Information
Business Continuity Domain: Enter a valid domain name for Business Continuity. The Business Continuity Domain is used by the following components:
- Zscaler Client Connector to contact the Private Cloud Controller and ZPA Private Service Edges (e.g., any2bcp.<business_continuity_domain>, c2site.<business_continuity_domain> for new users, and c2.<business_continuity_domain> for enrolled users)
- App Connectors for control channel to Private Cloud Controller (e.g., co2bcp.<business_continuity_domain>)
- ZPA Private Service Edges for control channel to Private Cloud Controller (e.g., pb2bcp.<business_continuity_domain>)
- Private Cloud Controllers for authenticating users and validating assertions received from the IdP (e.g., bcpsp.<business_continuity_domain>)
- A Business Continuity SP FQDN is generated per Private Cloud Controller for the authentication of users in Business Continuity (e.g., bcpsp-<pccgid>.<business_continuity_domain>)
To learn more, see FQDN or SNI in Business Continuity.
Changing the Business Continuity Domain initiates a new enrollment process for Private Cloud Controllers, and updates the SP Assertion Consumer Service URL and Entity ID.
New User Enrollment: Enable to enroll new users during Business Continuity.
Mutual TLS authentication between users and ZPA Private Service Edges is not supported for new user enrollment during Business Continuity.
- Primary Control Channel Path
Select Private Cloud Controller to allow App Connectors and ZPA Private Service Edges to use Private Cloud Controllers for control-channel functions such as configuration downloads, configuration updates, and logging, even during normal operations when not in Business Continuity. Select Public Cloud to use the Zscaler Zero Trust Exchange (ZTE). By default, App Connectors and ZPA Private Service Edges establish a control channel to the ZTE during normal operations.
- Control Channel Recovery
- Maximum Wait Time to Enter Business Continuity Mode (App Connectors and Private Service Edges): Enter an integer to specify the duration (in minutes or hours) that App Connectors and ZPA Private Service Edges must wait before switching to Business Continuity. You can select the duration as Minute(s) or Hour(s) from the drop-down menu. By default, 2 Minute(s) is selected. The minimum limit for this field is 1 minute. The maximum limit for this field is 8 hours, or 480 minutes.
- Switch Users to Public Cloud: Select Time-Based to switch users to the public cloud after the maximum wait time to exit Business Continuity. Select Automatic to switch users to the public cloud when there are no active connections. By default, this is disabled.
- Maximum Wait Time to Exit Business Continuity Mode (Users): Enter an integer to specify the duration (in minutes, hours, or days) that ZPA Private Service Edges must wait before sending a message to Zscaler Client Connector to try to re-establish the control and data channels to the ZTE. You can select the duration as Minute(s), Hour(s), or Day(s) from the drop-down menu. By default, 60 Minute(s) is selected. The minimum supported value is 10 minutes. The maximum limit for this field is 7 days, 168 hours, or 10,080 minutes. This field is visible only after Switch Users to Public Cloud is enabled.
- Business Continuity IdP Configuration
- IdP Metadata File: Upload the IdP metadata file used to authenticate users for Business Continuity. Click Upload File to navigate to the IdP metadata file.
- IdP Certificate: The uploaded IdP certificate. Click the Copy icon to copy the IdP certificate to your clipboard. This field is autopopulated with the IdP certificate details from your IdP configuration.
- Single Sign-On URL: The single sign-on URL for the IdP configuration. Click the Copy icon to copy the single sign-on URL to your clipboard. This field is autopopulated with the single sign-on URL details from your IdP configuration.
- IdP Entity ID: The IdP entity ID for the IdP configuration. Click the Copy icon to copy the IdP entity ID to your clipboard. This field is autopopulated with the IdP entity ID from your IdP configuration.
- Click Save.
The Service Provider Information appears.
- For Service Provider Information:
- Metadata: The service provider metadata based on your IdP configuration and the entered Business Continuity Domain. Click Download Metadata to download the service provider metadata.
- Assertion Consumer Service URL: The service provider URL based on the entered Business Continuity Domain. This text is read-only. Click the Copy icon to copy the service provider URL.
- Certificate: The service provider certificate based on the entered Business Continuity Domain. Click Download Certificate to download the service provider certificate.
- Entity ID: The service provider entity ID based on the entered Business Continuity Domain. Click the Copy icon to copy the service provider entity ID.
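Because Business Continuity depends on your own DNS servers resolving the names derived from the Business Continuity Domain, a pre-flight check is worth running before an outage does it for you. The script below is an added example, not Zscaler's code: it builds the FQDNs named on this page (any2bcp, c2site, c2, co2bcp, pb2bcp, bcpsp, and bcpsp-<pccgid> per Private Cloud Controller), resolves each one through the host's configured resolver, and reports any that fail. The domain and the group ID in the `__main__` block are constructed placeholders, and the resolver is injectable so the check can be exercised with test data.

```python
"""Pre-flight DNS readiness check for ZPA Business Continuity FQDNs (added example)."""
import socket
from typing import Callable, Dict, Iterable, List

# Hostname prefixes named in the Business Continuity Domain description.
# bcpsp-<pccgid> is generated per Private Cloud Controller, so the caller
# supplies the group IDs that apply to its deployment.
SHARED_PREFIXES = ("any2bcp", "c2site", "c2", "co2bcp", "pb2bcp", "bcpsp")


def bc_fqdns(bc_domain: str, pcc_group_ids: Iterable[str] = ()) -> List[str]:
    """Return every FQDN that Business Continuity components will look up."""
    domain = bc_domain.strip().rstrip(".").lower()
    names = [f"{prefix}.{domain}" for prefix in SHARED_PREFIXES]
    names += [f"bcpsp-{gid}.{domain}" for gid in pcc_group_ids]
    return names


def default_resolver(name: str) -> List[str]:
    """Resolve a name with the host's configured DNS servers; raises on failure."""
    infos = socket.getaddrinfo(name, 443, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def check_bc_dns(bc_domain: str, pcc_group_ids: Iterable[str] = (),
                 resolve: Callable[[str], List[str]] = default_resolver) -> Dict[str, List[str]]:
    """Map each FQDN to its resolved addresses.

    An empty list marks a name that did not resolve; during an outage that
    component could not reach the Private Cloud Controller or Service Edge.
    """
    results: Dict[str, List[str]] = {}
    for name in bc_fqdns(bc_domain, pcc_group_ids):
        try:
            results[name] = resolve(name)
        except OSError:  # socket.gaierror is a subclass of OSError
            results[name] = []
    return results


def unresolved(results: Dict[str, List[str]]) -> List[str]:
    """Names that must be fixed in internal DNS before relying on failover."""
    return [name for name, addrs in results.items() if not addrs]


if __name__ == "__main__":
    # Constructed placeholders: substitute your Business Continuity Domain
    # and the Private Cloud Controller group IDs shown in the ZPA Admin Portal.
    report = check_bc_dns("bc.example.internal", pcc_group_ids=["PCCGID-PLACEHOLDER"])
    for fqdn, addrs in report.items():
        print(f"{fqdn:55} {'OK ' + ', '.join(addrs) if addrs else 'UNRESOLVED'}")
```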