Zscaler Deployments & Operations
Zscaler Client Connector Deployment and Operations Guide
This guide describes how to use Zscaler Client Connector and the steps necessary for configuring Zscaler Client Connector. Zscaler Client Connector is a lightweight application that runs on a user’s endpoint device. Zscaler Client Connector automatically forwards all user traffic to the closest Zscaler Public Service Edge and enforces security and access policies across all devices, locations, and applications.
With Zscaler Private Access (ZPA) enabled, users can securely access your organization's internal resources from any location. Using Zscaler Digital Experience (ZDX), Zscaler Client Connector synthetically probes Software as a Service (SaaS) applications or internet-based services (e.g., OneDrive, Gmail, etc.) to triage and pinpoint the source of performance issues.
To learn more, see What is Zscaler Client Connector?
Value of Deploying User Provisioning and Authentication
Using Zscaler Client Connector provides the following benefits:
- Zero Trust policies follow users regardless of devices, locations, or applications accessed.
- Enhances the user experience and streamlines application access.
- Centralizes control and policy management.
- Tracks and monitors user and device activities for IT teams.
- Supports popular operating systems and device types (e.g., laptops, smartphones, tablets, etc.).
- Strictly enforces internet access criteria for users not enrolled in Zscaler Client Connector.
Deployment Phase
The deployment phase initially sets up and integrates Zscaler Client Connector. During the deployment phase, you configure Zscaler Client Connector to meet the needs of your infrastructure. The following sections discuss the steps to deploy Zscaler Client Connector.
Prerequisites
For Zscaler Client Connector deployment, observe the following prerequisites:
- Verify the system requirements.
- Zscaler Client Connector does not require an additional license or subscription. Licensing for ZIA and ZPA includes Zscaler Client Connector.
Deployment Steps
The following steps explain how to deploy Zscaler Client Connector:
- Complete system requirements and prerequisite tasks.
- Allowlist Zscaler Client Connector processes on client firewall and antivirus (AV).
- Allow Zscaler Client Connector communication to the Zscaler cloud through your organization's firewall.
- Download Zscaler Client Connector from an app store.
- (Optional) Customize Zscaler Client Connector with installer options.
- Use your organization’s device management system to deploy Zscaler Client Connector.
Considerations
Review the following considerations:
- If your users are running Zscaler Client Connector in conjunction with virtual private network (VPN) clients or VPN-like applications (e.g., Microsoft DirectAccess), check that users aren’t experiencing interoperability issues.
- For a complete list of recommended steps, see Best Practices for Zscaler Client Connector and VPN Client Interoperability.
- Ensure all authentication traffic goes directly to the identity provider (IdP) destination URL. Users who are off the trusted network and forwarding traffic via Zscaler Client Connector should not experience issues. However, check that other authentication traffic (e.g., PAC files, GRE tunnels, and IPSec tunnels) goes directly to the IdP.
- Make sure traffic destined for the IdP that goes through Zscaler is not intercepted for inspection by Zscaler:
- Adjust SSL Inspection exemptions.
- Adjust Authentication exemptions.
- If you are using Microsoft Windows Autopilot, see the Zscaler and Microsoft Windows Autopilot Deployment Guide.
Operations Phase
This section describes standard practices used to operate Zscaler solutions when integrated with your environment. You can monitor and tune Zscaler Client Connector during operations to meet your infrastructure needs.
Prerequisites
For Zscaler Client Connector operations, observe the following prerequisites:
- Create a standard operating procedure (SOP) for adding domain bypasses in the PAC file used by Zscaler Client Connector.
- Define a process to test configuration changes, such as diverting traffic to a different data center or bypassing a PAC file.
- Test any changes with separate app profiles or PAC files and apply the policy to test users to avoid organization-wide impact.
- Implement a process to clean up test profiles and PAC files.
Common Troubleshooting Items
To learn more about common issues and fixes for Zscaler Client Connector, see What are the common issues faced with Zscaler Client Connector during the deployment process.
Deployment Checklist
Zscaler recommends downloading the Zscaler Client Connector Deployment and Operations Checklist to help plan and implement Zscaler Client Connector: Download PDF
Additional Information
For more Zscaler Client Connector information and troubleshooting instructions, see the Zscaler Support Portal and the Zscaler Zenith Community.