Secure Private Access (ZPA)
What Is Zscaler Private Access?
The Zscaler Private Access (ZPA) service enables organizations to provide access to internal applications and services while ensuring the security of their networks. ZPA is an easier-to-deploy, more cost-effective, and more secure alternative to VPNs. Unlike VPNs, which require users to connect to your network to access your enterprise applications, ZPA allows you to give users policy-based secure access only to the internal apps they need to get their work done. With ZPA, application access does not require network access.
While ZPA is for connecting users to an enterprise's internal applications, Zscaler Internet Access (ZIA) is for connecting users to public applications on the internet. To learn more about ZIA architecture, see About the ZIA Cloud Architecture.
Additionally, ZPA decouples applications from the physical network so you can provide seamless connectivity to private internal applications and assets whether they are in the cloud, the data center, or both. It also adjusts dynamically to network changes, so you can move your resources without impacting user access.
You can configure settings and policies on a central ZPA Admin Portal, which also features dashboards where you can see your users and the apps they access, and monitor the health of your servers and resources. You can configure ZPA to automatically discover servers and applications when users request them, or you can configure them manually. You then define policies that specify which apps users or groups can use, and ZPA allows them to connect to those apps only. ZPA renders your applications invisible to all but the authorized users and unroutable to anyone.
Like all Zscaler offerings, the ZPA service is based on Zscaler's global cloud platform, so there is no requirement for additional hardware or upgrades to existing hardware.
To learn more, see the ZPA Overview.
Key Features and Benefits
Below are ZPA key features and benefits:
- Seamless User Experience: Policy-driven connectivity that dynamically adjusts to network changes.
- Enhanced Security: Application-specific connectivity without ever bringing users on-net.
- Ease of Deployment: Does not require hardware or hardware upgrades.
- Instant Deployment and Discovery: Can automatically discover applications so you can easily build policies around them.
- Single Sign-On (SSO): ZPA is tied directly to your existing authentication infrastructure, leveraging SSO to further reduce complexity.
- Real-Time Visibility: Dashboards provide unparalleled visibility into your users and applications, and the health of your organization's applications and servers.
How Does ZPA Work?
ZPA uses Zscaler's cloud-based, elastically scalable infrastructure to deliver seamless connectivity to your private internal applications and assets. Below are its key components:
- Zscaler Client Connector: Installed on your users' devices, the Zscaler Client Connector connects to the ZPA cloud to enable granular, policy-based access to your organization's internal resources. Zscaler Client Connector can also forward your users' traffic to the Zscaler cloud to secure their internet traffic as well. To learn more, see What is the Zscaler Client Connector?
- App Connectors: Lightweight virtual machines (VMs) that are installed in the data centers that host your servers and applications. They connect outbound to ZPA Public Service Edges or ZPA Private Service Edges only to provide users access to applications in your data center, and do not accept inbound connections. To learn more, see About App Connectors.
- Global Zscaler Cloud: Stitches all components together. The Central Authority (CA) provides a central location for software updates as well as policy and configuration settings. The ZPA Public Service Edges or ZPA Private Service Edges enforce user policies and provide secure transport to the App Connectors.
Users install Zscaler Client Connector on their devices and can then log into an application using SAML 2.0-based SSO credentials. When users request access to an internal application, Zscaler Client Connector uses geo-location technology to locate the ZPA Public Service Edge or ZPA Private Service Edge closest to them (referred to below simply as the Service Edge). Zscaler Client Connector presents its certificate to the Service Edge to confirm its identity and then establishes a secure tunnel to it. The Service Edge then retrieves the user's policies from the CA and, depending on the internal application requested by the user, contacts the appropriate App Connector. The App Connector presents its certificate to the Service Edge, and once the Service Edge confirms the App Connector's identity, it allows the App Connector to connect to it.
Once the connection is established between the user's device and the application, the traffic traversing the solution remains completely isolated.
Because ZPA is built on the premise of zero trust for your private applications, the traffic is isolated from Zscaler as well.
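The brokered flow described above (client authenticates to a Service Edge, the edge fetches policy from the CA, and an App Connector that only dials out is matched to the requested app) can be modelled as a small simulation. The following is an added example written for this page, not Zscaler code or any Zscaler API; the class names, the hash-of-text stand-in for certificate identity, and the sample users, groups, apps and certificates are all constructed assumptions. It shows the two properties a defender cares about: every failure path is a deny, and the connector side has no inbound listener to expose.

```python
"""Simulation of a brokered, policy-based private-access model (constructed example)."""
from dataclasses import dataclass, field
import hashlib

# Constructed sample certificates; a real deployment uses X.509 certificates.
DEMO_CLIENT_CERT = "-----CONSTRUCTED CLIENT CERT alice-laptop-----"
DEMO_CONNECTOR_CERT = "-----CONSTRUCTED CONNECTOR CERT dc1-----"


def fingerprint(cert_pem: str) -> str:
    """Stand-in for certificate identity: SHA-256 over the constructed cert text."""
    return hashlib.sha256(cert_pem.encode()).hexdigest()


@dataclass
class CentralAuthority:
    """Holds policy and the set of trusted component certificates (assumed model)."""
    trusted_fingerprints: set[str]
    policies: dict[str, set[str]] = field(default_factory=dict)  # app -> allowed groups

    def is_trusted(self, cert_pem: str) -> bool:
        return fingerprint(cert_pem) in self.trusted_fingerprints

    def allowed_groups(self, app: str) -> set[str]:
        return self.policies.get(app, set())  # unknown app -> empty set -> default deny


@dataclass
class AppConnector:
    """Runs beside the servers; only dials out to a Service Edge, never listens."""
    name: str
    cert_pem: str
    hosted_apps: set[str]

    def accept_inbound(self) -> bool:
        return False  # no listening socket exists on the connector side


@dataclass
class ServiceEdge:
    """Broker: authenticates both sides, then stitches the user to an App Connector."""
    ca: CentralAuthority
    connectors: dict[str, AppConnector] = field(default_factory=dict)  # app -> connector

    def register_connector(self, connector: AppConnector) -> bool:
        """Outbound registration initiated by the connector; rejected if its cert is unknown."""
        if not self.ca.is_trusted(connector.cert_pem):
            return False
        for app in connector.hosted_apps:
            self.connectors[app] = connector
        return True

    def request_access(self, client_cert_pem: str, user_groups: set[str], app: str) -> dict:
        """Decide a user's request for `app`; every failure path is a deny."""
        if not self.ca.is_trusted(client_cert_pem):
            return {"allowed": False, "reason": "client certificate not trusted"}
        if not user_groups & self.ca.allowed_groups(app):
            return {"allowed": False, "reason": "no policy grants this user the app"}
        connector = self.connectors.get(app)
        if connector is None:
            return {"allowed": False, "reason": "no registered connector hosts this app"}
        # Per-app pairing: the user reaches this one app, not the data-center network.
        return {"allowed": True, "via": connector.name, "app": app}


def build_demo_edge() -> ServiceEdge:
    """Constructed environment: one Service Edge, one App Connector, two app policies."""
    ca = CentralAuthority(
        trusted_fingerprints={fingerprint(DEMO_CLIENT_CERT), fingerprint(DEMO_CONNECTOR_CERT)},
        policies={"hr-portal": {"hr"}, "git": {"engineering"}},
    )
    edge = ServiceEdge(ca)
    edge.register_connector(AppConnector("dc1-connector", DEMO_CONNECTOR_CERT, {"hr-portal", "git"}))
    return edge


if __name__ == "__main__":
    edge = build_demo_edge()
    for groups, app in [({"engineering"}, "git"), ({"engineering"}, "hr-portal")]:
        print(app, edge.request_access(DEMO_CLIENT_CERT, groups, app))
    print("unknown cert", edge.request_access("-----UNKNOWN CERT-----", {"engineering"}, "git"))
```

Running the block shows an engineering user reaching `git` through `dc1-connector`, the same user denied `hr-portal` with a policy reason, and an unknown client certificate denied before policy is even consulted. The point to take from the simulation is where the decisions sit: identity and policy are checked at the broker, and the connector's only role is to answer the broker's request, so there is nothing on the application side for an unauthorized user to reach directly.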
ZPA admins can view dashboards and diagnostics to filter for detailed information about users and applications as well as monitor the health of their organization's applications, servers, and App Connectors.