What is Zscaler Private Access?

The Zscaler Private Access (ZPA) service enables organizations to provide access to internal applications and services while ensuring the security of their networks. ZPA is an easier to deploy, more cost-effective, and more secure alternative to VPNs. Unlike VPNs, which require users to connect to your network to access your enterprise applications, ZPA allows you to give users policy-based secure access only to the internal apps they need to get their work done. With ZPA, application access does not require network access.

Additionally, ZPA decouples applications from the physical network so you can provide seamless connectivity to private internal applications and assets whether they are in the cloud, the data center, or both. It also adjusts dynamically to network changes, so you can move your resources without impacting user access.

You can configure settings and policies on a central ZPA Admin Portal, which also features dashboards where you can see your users and the apps they access, and monitor the health of your servers and resources. You can configure ZPA to automatically discover servers and applications when users request them, or you can configure them manually. You then define policies that specify which apps users or groups can use, and ZPA allows them to connect to those apps only. ZPA renders your applications invisible to all but the authorized users and unroutable to anyone.

Like all Zscaler offerings, the ZPA service is based on Zscaler’s global cloud platform, so there is no requirement for additional hardware or upgrades to existing hardware.

To learn more, see the ZPA Overview.

Key Features and Benefits

Below are ZPA key features and benefits:

  • Seamless User Experience – Policy-driven connectivity that dynamically adjusts to network changes.
  • Enhanced Security – Application-specific connectivity without ever bringing users on-net.
  • Ease of Deployment – Does not require hardware or hardware upgrades.
  • Instant Deployment and Discovery – Can automatically discover applications so you can easily build policies around them.
  • Single Sign-On (SSO) – ZPA is tied directly to your existing authentication infrastructure, leveraging single sign-on to further reduce complexity.
  • Real-Time Visibility – Dashboards provide unparalleled visibility into your users and applications, and the health of your organization's applications and servers.

How Does ZPA Work?

ZPA uses Zscaler's cloud-based, elastically scalable infrastructure to deliver seamless connectivity to your private internal applications and assets. Below are its key components:

  • Zscaler App: Installed on your users' devices, the Zscaler App (Z App) connects to the ZPA cloud to enable granular, policy-based access to your organization’s internal resources. Z App can also forward your users' traffic to the Zscaler cloud to secure their internet traffic. To learn more, see What is the Zscaler App?

  • Connectors: Lightweight virtual machines (VMs) that are installed in the data centers that host your servers and applications. They connect to the Zscaler Enforcement Node (ZEN) only to provide users access to applications in your data center. They do not accept inbound connections. To learn more, see About Connectors.
  • Global Zscaler Cloud: Stitches all components together. The Central Authority provides a central location for software updates, and policy and configuration settings. The ZEN enforces user policies and provides secure transport to the Connectors.

Users install the Z App on their devices and log in to the app using their SAML single sign-on credentials. When the user requests access to an internal application, the Z App uses geo-location technology to locate the ZEN closest to the user. The Z App presents its certificate to the ZEN to confirm its identity, and then establishes a secure tunnel to the ZEN. The ZEN retrieves the user’s policies from the Central Authority, and depending on the internal app requested by the user, the ZEN contacts the appropriate Connector. The Connector presents its certificate to the ZEN and once the ZEN confirms the Connector's identity, it allows the Connector to connect to it.
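A minimal Python model of the brokered flow described above, added here as an illustration; it is not Zscaler code or a Zscaler API. The class and method names, the application names and the opaque certificate strings (standing in for real certificate validation) are assumptions made for the example.

```python
# Illustrative model only: all names are hypothetical, not a Zscaler API.
from dataclasses import dataclass, field

@dataclass
class CentralAuthority:
    policy: dict = field(default_factory=dict)       # app -> groups allowed
    user_groups: dict = field(default_factory=dict)  # user -> groups

    def is_allowed(self, user, app):
        # Default deny: an app with no policy entry is reachable by nobody.
        allowed = self.policy.get(app, set())
        return bool(allowed & self.user_groups.get(user, set()))

@dataclass
class Broker:  # stands in for the ZEN
    authority: CentralAuthority
    trusted_certs: set  # opaque strings standing in for certificate checks
    connectors: dict = field(default_factory=dict)   # app -> connector id

    def connector_dial_out(self, connector_id, cert, apps):
        """The Connector initiates the connection; the broker never dials in."""
        if cert not in self.trusted_certs:
            raise PermissionError("connector certificate not trusted")
        for app in apps:
            self.connectors[app] = connector_id

    def request(self, user, client_cert, app):
        """Client side: confirm identity, check policy, then pick a Connector."""
        if client_cert not in self.trusted_certs:
            return "deny: client certificate not trusted"
        if not self.authority.is_allowed(user, app):
            return "deny: no policy grants this app"
        connector = self.connectors.get(app)
        if connector is None:
            return "deny: no connector serves this app"
        return f"allow: {user} -> {app} via {connector}"

def demo():
    # Constructed sample data: one policy, two users, one Connector.
    ca = CentralAuthority(policy={"wiki.corp.example": {"engineering"}},
                          user_groups={"alice": {"engineering"}, "bob": {"sales"}})
    zen = Broker(ca, trusted_certs={"cert-client", "cert-conn-1"})
    zen.connector_dial_out("conn-1", "cert-conn-1",
                           ["wiki.corp.example", "hr.corp.example"])
    return [
        zen.request("alice", "cert-client", "wiki.corp.example"),
        zen.request("bob", "cert-client", "wiki.corp.example"),
        zen.request("alice", "cert-client", "hr.corp.example"),
        zen.request("alice", "cert-unknown", "wiki.corp.example"),
    ]
```

The third request is denied even though a Connector serves that application: reachability through a Connector grants nothing without a matching policy.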

Once the connection is established between the user's device and the application, the traffic traversing the solution remains completely isolated.

Because ZPA is built on the premise of zero trust for your private applications, the traffic is isolated from Zscaler as well.

Admins can use the dashboards to view information about the users and applications and monitor the health of your organization's applications and servers.