Secure Private Access (ZPA)
Deploying Machine Tunnels for Pre-Windows Login
A machine tunnel allows a user's Windows device to establish a connection to a private service before the user is logged in to the Zscaler Client Connector. To use a machine tunnel, you need to configure Machine Groups and Machine Provisioning Keys in the ZPA Admin Portal and add keys to the Zscaler Client Connector profile rules for Windows. To learn more, see About Machine Tunnels and About Machine Groups.
To deploy Machine Tunnels for Pre-Windows Login:
- Create the Machine Provisioning Key and Machine Group within the ZPA Admin Portal.
- In the Zscaler Client Connector Portal, add the Machine Provisioning Key (Machine Token) to the Zscaler Client Connector profile rule. To learn more, see Configuring Zscaler Client Connector Profiles.
- In the Zscaler Client Connector, click More > Update Policy. This allows the Zscaler Client Connector to enroll in the Machine Group via the Zscaler Client Connector profile rule created in the previous step.
There are two methods to verify successful Machine Tunnel deployment:
- Client-side validation
After deploying the Machine Group, restart, logoff, or lock the computer to return to the Windows Login screen. If the Machine Tunnel deployment was successful, you will see a Zscaler Diagnostics tab.
From this tab, the user has access to several troubleshooting options. Click Get Status to verify the tunnel status.
- Cloud-side validation
- In the Zscaler Client Connector Portal, click Enrolled Devices.
- Under the Devices left-navigation pane, select Machine Tunnel. Here you can view successfully enrolled Machine Tunnels. To learn more, see About Enrolled Devices.
- In the ZPA Admin Portal, go to Dashboard > Users. Active Machine Tunnel devices are shown on the Current Connected Users dashboard.
