icon-zscaler-deployments-operations.svg
Zscaler Deployments & Operations

Disaster Recovery Deployment and Operations Guide

This deployment and operations guide describes the benefits of using disaster recovery and the steps necessary for configuring Zscaler Internet Access (ZIA) to add disaster recovery to your security posture.

ZIA Disaster Recovery ensures business continuity when an event impacts the global Zscaler cloud infrastructure. Disaster recovery provides an organization's users access to critical applications by ensuring access even if the Zscaler cloud isn’t accessible.

To learn more, see About Disaster Recovery and Zscaler Resilience.

Value of Deploying Disaster Recovery

ZIA disaster recovery provides the following benefits:

  • Business continuity with uninterrupted security in case of:
    • Brownout
    • Blackout
    • Catastrophic failure
  • Avoids costly business interruptions or loss of productivity due to lack of access to critical apps.

Deployment Phase

The deployment phase includes initially setting up and integrating Zscaler solutions into an existing network infrastructure. During the deployment phase, you configure disaster recovery to meet the needs of your infrastructure. The deployment phase includes preparation steps needed to enable disaster recovery. The following sections discuss steps to deploy disaster recovery in ZIA.

Prerequisites

ZIA disaster recovery might require an additional license for your organization. Check with your Zscaler Account team to verify the necessary licensing requirements.

The following prerequisites are required for ZIA disaster recovery on the applicable devices:

  • ZIA disaster recovery is available for certain Zscaler Client Connector versions:
    • Zscaler Client Connector version 4.0 or later for Windows
    • Zscaler Client Connector version 3.71.38 or later for macOS
  • Disaster recovery must be enabled for your organization. Check with your Zscaler Account team to enable disaster recovery.
  • Disaster recovery requires a modifiable, customer-owned public DNS record.

Deployment Steps

The following sections cover deployment instructions for ZIA disaster recovery:

  1. Create a DNS TXT Record. Modify the record format values according to your organization’s needs. To learn more, see About the Zscaler DNS Record Generator.
  2. Enable Disaster Recovery on an App Profile:
    1. Specify the Activation Domain Name used for the DNS text (TXT) record.
    2. (Optional) Upload a public key in order to create a signed DNS record.
    3. Specify a traffic forwarding action in case of disaster recovery:
      1. Send Traffic Direct: All traffic bypasses Zscaler Client Connector, giving the user access to all applications through direct internet access.
      2. Disable Internet Access: All traffic is dropped at the endpoint and users do not have access.
      3. Pre-selected Destinations: The admin selects to block or allow access to specific URLs using a custom PAC file:
        • (Optional) Enable Use Zscaler Pre-selected Destinations.
        • (Optional) Enable Use Custom Destinations.
    4. (Optional) Enable Part of ZIA Disaster Recovery Test Group if this profile is for testing purposes. To learn more, see Configuring Disaster Recovery Test Mode.

Considerations

Review the following considerations:

  • You can find Zscaler pre-selected destinations here.
  • You can define a combination of Zscaler pre-selected destinations and custom destinations for access in a PAC file. This is not a mutually exclusive choice.
  • Custom destination URLs take precedence over Zscaler pre-selected destinations. You can block certain Zscaler pre-selected destinations by placing them in the custom destinations PAC file and forwarding the traffic to destination Block.
  • An example of the custom PAC file syntax is shown in About Disaster Recovery.
  • You cannot use ZIA Virtual Service Edges or Private Service Edges in conjunction with disaster recovery.
  • You cannot use any other traffic forwarding decisions than allowing direct access or blocking access to destinations in conjunction with disaster recovery.
  • Zscaler recommends testing disaster recovery through the disaster recovery test mode with a handful of users prior to deployment in production environments.
  • End users receive an HTTP 403 error if they try to open any blocked page when disaster recovery is on.
  • Zscaler Client Connector shows Service Status Safe Mode when disaster recovery mode is on.
  • When disaster recovery is triggered for a client, that client can only access destinations that are specified as accessible during disaster recovery. Limited access is enforced until disaster recovery is disabled for the client. Even when ZIA services are restored, client machines do not automatically reconnect to the Zscaler cloud until disaster recovery is disabled.

Operations Phase

This section describes common practices used to operate Zscaler solutions when integrated with your environment. You can enable, monitor, and tune ZIA disaster recovery to meet your infrastructure needs.

To enable disaster recovery, customers must adjust the DNS TXT record. At minimum:

  • Indicate the DNS record version with v=1.
  • Enable disaster recovery with b=on.
  • Enable disaster recovery for ZIA with k=zia (and potentially ZPA with k=all).

To learn more, see About the Zscaler DNS Record Generator.

Choose the lowest time to live (TTL) possible in the DNS TXT record for swift DNS update propagation downstream (Zscaler recommends 30 seconds).

For testing, after completing the deployment steps described previously, adjust the DNS TXT record as follows:

  • v=1
  • b=test
  • k=zia (for ZIA) or k=all (for ZIA and ZPA)

For more information see Configuring Disaster Recovery Test Mode.

Common Troubleshooting Tips

  • During a catastrophic failure, assume that the ZIA Admin Portal is inaccessible and configuration changes or client enrollments are not possible.
  • Zscaler Client Connector checks the DNS TXT record every 200 seconds.
  • Take DNS propagation times into account when waiting for Safe Mode to trigger in the Zscaler Client Connector after updating the DNS TXT record.

Deployment and Operations Checklist

Zscaler recommends downloading the ZIA Disaster Recovery Deployment and Operations Checklist to help plan and implement ZIA disaster recovery: Download PDF

Additional Information

For more SaaS Security information and troubleshooting instructions, see the Zscaler Support Portal and the Zscaler Zenith Community.

Related Articles
Advanced Sandbox Deployment and Operations GuideAuthentication Deployment and Operations GuideBandwidth Control Deployment and Operations GuideCloud App Control Deployment and Operations GuideIsolation Deployment and Operations GuideDisaster Recovery Deployment and Operations GuideDLP Deployment and Operations GuideDNS Control Deployment and Operations GuideFirewall Deployment and Operations GuideIPS Control Deployment and Operations GuideLocal Breakouts Deployment and Operations GuideSaaS Security Deployment and Operations GuideSIEM and ZIA Integration Deployment and Operations GuideSSL Inspection Deployment and Operations GuideURL Filtering Deployment and Operations GuideThreat Protection Deployment and Operations GuideZIA Policy Leading Practices GuideZIA SSL Inspection Leading Practices Guide