Zscaler SDK for Mobile Apps
Managing App Connectors
Before you begin, see App Connector Deployment Prerequisites, which provides detailed information on virtual machine (VM) image sizing and scalability, supported platform requirements, deployment best practices, and other essential guidelines.
Configuring App Connectors involves the following main tasks:
- Creating an App Connector Provisioning Key.
- Adding App Connectors.
- Deploying App Connectors on the supported platform of your choice.
To manage your App Connectors on the App Connectors page (Configuration & Control > Private Infrastructure > App Connector Management > App Connectors), you can:
- Add an App Connector.
Click Add App Connector.
The Add App Connector window appears.
- In the Add App Connector window:
- a. Choose Key
Create a provisioning key or choose an existing one.
After deployment, the App Connector launches and makes initial contact with the ZSDK cloud. It presents a key as its ID, allowing the ZSDK cloud to verify that this is an authentic App Connector and to identify which App Connector group it belongs to. ZSDK then automatically completes the deployment process.
On the Choose Key tab, choose one of the following options:
- Choose an Existing Provisioning Key: Select an existing provisioning key from the drop-down menu. You can click Clear Selection to remove any selections.
- Create a New Provisioning Key: Generates a new provisioning key for the App Connector's use and is later displayed on the Provisioning Keys page.
- Click Next.
- b. Signing Certificate
- On the Signing Certificate tab, from the drop-down menu, select the certificate that ZSDK uses to sign certificates it issues to the App Connector. If you need to generate a new enrollment certificate, see Generating Zscaler-Issued Enrollment (CA) Certificates.
See image. - Click Next.
To learn more about certificates, see Understanding Certificates.
Close - On the Signing Certificate tab, from the drop-down menu, select the certificate that ZSDK uses to sign certificates it issues to the App Connector. If you need to generate a new enrollment certificate, see Generating Zscaler-Issued Enrollment (CA) Certificates.
- c. App Connector Group
- On the App Connector Group tab, choose one of the following options:
- Select App Connector Group
Select an existing App Connector group from the drop-down menu. You can search for a specific group or click Clear Selection to remove any selections. App Connector groups can be associated with multiple provisioning keys. So, you can assign this App Connector to an existing group that's already associated with a provisioning key.
Close - Add App Connector Group
- Name: Enter a name for the group. The name cannot contain special characters, with the exception of periods (.), hyphens (-), and underscores ( _ ).
- Status: Make sure Enabled is selected.
- Description: (Optional) Enter a description for the group.
DNS Resolution Option: Enable the necessary interface for DNS resolution checks. If the App Connectors assigned to that App Connector group should perform DNS resolution checks for applications using only IPv4, select IPv4. If the App Connectors assigned to the App Connector group should perform DNS resolution checks for applications using only IPv6, select IPv6. If you select IPv4 and IPv6, both interfaces can perform resolution checks for applications. The App Connector must have the corresponding interface or interfaces enabled for the DNS resolution checks to work, and the servers hosting your applications must support the selected interface or interfaces. By default, IPv4 and IPv6 is selected.
Select the IPv6 option only if you have end-to-end IPv6 support. If you want to use IPv6, make sure your App Connectors are set up for IPv6. To learn more, see App Connector Deployment Prerequisites and Understanding IPv4 and IPv6 Support.
- TCP Quick Acknowledgement: Enable this for the App Connector group to perform TCP Quick Acknowledgement for applications. TCP Quick Acknowledgement is used to improve the performance of applications that use specific protocols (e.g., Server Message Block Protocol).
- Disable AppProtection: Set to No.
- Persist Local Version Profile: Enable if the App Connector group should persist the local version profile. By default, Disabled is selected.
- Version Profile: Displays the current version profile. The default value is set to Default. To learn more, see Configuring a Version Profile.
- App Connector Software Update Schedule: Schedule the periodic App Connector software update for the group by selecting the day of the week and start time. You can search for a specific day of the week and start time, or click Clear Selection to remove any selections.
- App Connector Location: Enter the location where the App Connectors in the group are set up. The map displays the location you've entered. If you click the location marker on the map, the Latitude, Longitude, and Location Address fields are automatically populated.
- Latitude: Displays the latitude coordinate.
- Longitude: Displays the longitude coordinate.
- Country Code: Displays the country code for the location address you’ve entered.
- Location Details: Displays the location address you've entered.
- Select App Connector Group
- Click Next.
- On the App Connector Group tab, choose one of the following options:
- d. Create Provisioning Key
On the Create Provisioning Key tab:
Name: Enter a name for the provisioning key. The name cannot contain special characters, with the exception of periods (.), hyphens (-), and underscores ( _ ).
This name is automatically assigned as a prefix for the name of each App Connector enrolled with it, meaning that all App Connectors in a given App Connector group use the same prefix in each of their App Connector names.
To help distinguish between the different App Connectors in a group, each App Connector also has a number automatically added to its name upon being enrolled. This number signifies that it is the nth App Connector to be enrolled with the key. For example, if you enter AWS Oregon as a provisioning key name in this step, the first App Connector you enroll with this key is named AWS Oregon-1. The next App Connector you enroll with the same key is named AWS Oregon-2, and so on.
Maximum Reuse of Provisioning Key: Enter the maximum number of instances where this key can be used to enroll an App Connector. After adding the App Connector, this number can be modified.
The Instances of Provisioning Key Reuse field cannot be modified. ZSDK tracks the number of App Connectors enrolled in this App Connector group and automatically displays the number in this field. This helps ensure that keys are not being used improperly by unknown parties to enroll App Connectors.
- Click Next.
- e. Review
- On the Review tab, review your configuration settings.
See image. - Click Save.
- On the Review tab, review your configuration settings.
- f. Review Documentation
On the Review Documentation tab:
- Copy Provisioning Key: Copy the App Connector provisioning key. You need to enter this key when you deploy the App Connector to a platform. You can click the Copy icon to copy the key to your clipboard.
- Review Documentation: Choose the platform you want to deploy your App Connector on, and follow the instructions that appear. To learn more, see the App Connector Deployment Guide for your supported platform.
- Click Done.
- a. Choose Key
- Edit an App Connector.
- Locate the App Connector that you want to modify by clicking the corresponding Edit icon.
In the Edit App Connector window, you can modify the following fields:
- Name: The name of the App Connector.
- Description: The description for the App Connector.
- Status: Enable or disable the App Connector.
- App Connector Group: You can edit the App Connector group settings if needed.
- App Connector Group Settings
- Name: The name for the group. The name cannot contain special characters, with the exception of periods (.), hyphens (-), and underscores ( _ ).
- Status: Enable or disable the group.
- Description: (Optional) The description for the group.
DNS Resolution Option: The necessary interface for DNS resolution checks. If the App Connectors assigned to that App Connector group should perform DNS resolution checks for applications using only IPv4, select IPv4. If the App Connectors assigned to the App Connector group should perform DNS resolution checks for applications using only IPv6, select IPv6. If you select IPv4 and IPv6, both interfaces can perform resolution checks for applications. The App Connector must have the corresponding interface or interfaces enabled for the DNS resolution checks to work, and the servers hosting your applications must support the selected interface or interfaces. By default, IPv4 and IPv6 is selected.
Select the IPv6 option only if you have end-to-end IPv6 support. If you want to use IPv6, make sure your App Connectors are set up for IPv6. To learn more, see App Connector Deployment Prerequisites and Understanding IPv4 and IPv6 Support.
- TCP Quick Acknowledgement: Enable this for the App Connector group to perform TCP Quick Acknowledgement for applications. TCP Quick Acknowledgement is used to improve performance of applications that use specific protocols (e.g., Server Message Block Protocol).
- Disable AppProtection: Set to No.
- Persist Local Version Profile: Enable if the App Connector group should persist the local version profile. By default, Disabled is selected.
- Version Profile: Displays the current version profile. The default value is set to Default. To learn more, see Configuring a Version Profile.
- App Connector Software Update Schedule: Schedule the periodic App Connector software update for the group by selecting the day of the week and start time. You can search for a specific day of the week and start time, or click Clear Selection to remove any selections.
- App Connector Location: Enter the location where the App Connectors in the group are set up. The map displays the location you've entered. If you click the location marker on the map, the Latitude, Longitude, and Location Address fields are automatically populated.
- Latitude: Displays the latitude coordinate.
- Longitude: Displays the longitude coordinate.
- Country Code: Displays the country code for the location address you’ve entered.
- Location Details: Displays the location address you've entered.
- App Connector Group Settings
- Click Save.
- Delete an App Connector.
- Locate the App Connector you want to delete by clicking the corresponding Delete icon.
In the Delete Confirmation window, select the checkbox to confirm the deletion request.
- Click Delete.
After an App Connector is added and deployed, it is displayed on the App Connector page.
You can perform additional software management and maintenance tasks after deployment. To learn more, see Maintaining Deployed App Connectors and App Connector Software Updates.
Consideration
To replace a deployed App Connector, you must delete the configuration and then re-enroll it. However, you can apply the new App Connector provisioning key to the VM image that you already deployed by replacing the old key.