To define applications for Browser Access within an existing application segment:

1. Go to Resource Management > Application Management > Application Segments > Defined Application Segments.
2. Locate the application segment you want to modify in the table, then click the Edit icon.

The Edit Application Segment window appears.

3. In the Edit Application Segment window, on the Define Applications tab:

• For Applications:

1. Enter the fully qualified domain name (FQDN) associated with the application.
2. Select the Browser Access checkbox, then complete the following steps:
   1. Select a Browser Access (i.e., web server) certificate from the drop-down menu. You can click Clear All to remove any selections. To learn more, see About Browser Access (Web Server) Certificates.
   2. From the drop-down menu, select the protocol you want ZPA to use when a request is made to access the application. If your web server supports HTTPS, select this protocol from the drop-down menu. Otherwise, select HTTP. You can click Clear All to remove any selections.

ZPA inserts a Via header in HTTP requests made using Browser Access.

3. Enter the port number. By default, port 80 is entered for HTTP and 443 is entered for HTTPS.
4. If you selected HTTPS in step ii above, Use Untrusted Certificates is selected by default. If this setting is not selected, requests to access the application using untrusted web server certificates will not succeed.
5. (Optional) Select Allow Unauthenticated OPTIONS Request to allow ZPA to forward an unauthenticated HTTP preflight OPTIONS request from the browser to the application.

ZPA will only accept valid OPTIONS requests that include the headers Access-Control-Request-Headers, Access-Control-Request-Method, and Origin in the HTTP request. If these are not present, ZPA will not forward the OPTIONS request to the application.

ZPA will accept CORS requests if the requests are issued by one valid Browser Access domain to another Browser Access domain. The application server requires with credentials mode be added to the javascript. This is to allow the browser to pass cookies to the front end javascript. The application server must also allow requests where the Origin header is set to null or to a valid Browser Access application.

See image.

3. Click Add More to add more domains for each application you want to define.

• For Zscaler Client Connector Access, enter the TCP Port Ranges that can be used to access the application. The port range must include the port specified previously. Also, you must use TCP port ranges.

For example, if you want to specify the port range 80 - 90, for From... enter 80, and for To..., enter 90. If you only want to specify one port, you can enter the same number (e.g., 80) for From... and To.... Click Add More to add more TCP port ranges.

Zscaler recommends excluding DNS traffic (port 53) from TCP and UDP port ranges.

See image.

You can't enable Double Encryption for applications where Browser Access is enabled.

4. Make sure that the rest of the configuration is correct, then click Save. To learn more, see Configuring Application Segments.

After saving, you are returned to the Application Segments page.

5. Copy the Canonical Name (CNAME).
   1. Go to Resource Management > Application Management > Browser Access.
   2. Expand to view the application within the table.
   3. Click the Copy icon next to the Canonical Name (CNAME). You will need this CNAME record for your public DNS.

See image.

6. Add the CNAME information you just copied to your public DNS and verify that the FQDN for the Browser Access enabled application resolves to the record.

To properly resolve Browser Access enabled applications, the App Connector must use an internal DNS. If an internal DNS is not used, it will result in a DNS loop.

For example, for a CNAME of:

marketing.mockcompany.com. CNAME 3077.217246660302995456.h.d.zpa-app.net.

You would need to verify that marketing.mockcompany.com. resolves to 3077.217246660302995456.h.d.zpa-app.net..