warning

This document is a work in progress, and the information is not yet complete and might not be fully correct.

Create & Manage ZScaler Application Segment

Please follow the instructions in this guide to help with onboarding and managing the Application Segment for ZScaler through the Resource Admin interface in EmpowerID.

tip
  • The Self Service Wizard (Workflow) OnboardZscalerApplicationSegment supports a comprehensive and user-friendly process for onboarding application segments. The details of how to onboard the application segments are provided in the section Onboard Application Segments.
  • The Self-Service Workflow for Managing Zscaler Application Segments supports the management of application segments. This includes deleting segments, configuring applications and ports, editing general information, managing protected resources, and editing server groups. If you need to perform any of these actions, you can find detailed instructions in the Manage Application Segments section.

Understand Key Configurations

Before you begin onboarding, deleting, or updating application segments, kindly familiarize yourself with the key configurations that you can make for the application segments. Gathering or deciding on these configurations in advance can streamline the process. If you are already familiar with ZScaler systems and configurations in EmpowerID, you may skip this section and proceed to the following steps.

| Configuration | Description |
| --- | --- |
| TCP Port Ranges | TCP port ranges for the application segment being configured, specifying minimum and maximum values (e.g., From = 21, To = 30). |
| UDP Port Ranges | UDP port ranges for the application segment being configured, specifying minimum and maximum values. |
| Bypass | Enable or disable the user's ability to bypass ZPA to access ZScaler-configured applications. |
| Double Encryption | Enable double encryption to add an extra layer of security for traffic between Client Connector and App Connector. |
| ICMP Access | Enable ICMP access for ZPA clients to reach applications in this segment. Default is Disabled. |
| Bypass During ReAuthentication | Decide whether application access during reauthentication bypasses ZPA (Enabled) or not (Disabled). Applies to Zscaler Client Connector-specific applications. |
| Health Reporting | Choose continuous reporting or on-access reporting of App Connector health status for all applications within an application segment. |
| Client Connector can receive CNAME | Configure whether App Connector should return CNAME records to Client Connector (Enabled) or not (Disabled). |
| App Connector Selection Method | Choose Closer to Application to enable App Connector or Closer to User to disable it. Ensure App Connectors can perform reachability checks for the chosen application. |
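
A pre-onboarding check of the values described in the table above, as an added example that is not EmpowerID or Zscaler code. The dictionary keys, the 1024-port review threshold, and acceptance of a leading wildcard label in a domain are assumptions made for illustration.

```python
import re

# Field names below are hypothetical; they mirror the settings in the table
# above and are not EmpowerID or Zscaler API names.
# Assumption: a leading "*." wildcard label is accepted in a domain entry.
FQDN_RE = re.compile(r"^(\*\.)?([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)
WIDE_SPAN = 1024  # assumed review threshold for "too many ports in one range"


def check_ranges(proto, ranges):
    """Return (errors, warnings) for a list of (From, To) port pairs."""
    errors, warnings, valid = [], [], []
    for lo, hi in ranges:
        if not (1 <= lo <= 65535 and 1 <= hi <= 65535):
            errors.append(f"{proto} {lo}-{hi}: ports must be within 1-65535")
        elif lo > hi:
            errors.append(f"{proto} {lo}-{hi}: From is greater than To")
        else:
            valid.append((lo, hi))
            if hi - lo + 1 > WIDE_SPAN:
                warnings.append(f"{proto} {lo}-{hi}: exposes {hi - lo + 1} ports")
    widest = None  # valid range seen so far that reaches the highest port
    for lo, hi in sorted(valid):
        if widest and lo <= widest[1]:
            warnings.append(f"{proto} {lo}-{hi} overlaps {widest[0]}-{widest[1]}")
        if widest is None or hi > widest[1]:
            widest = (lo, hi)
    return errors, warnings


def review_segment(seg):
    """Validate a planned segment and list settings that widen access."""
    errors = [f"invalid FQDN: {d}" for d in seg["domains"] if not FQDN_RE.match(d)]
    if not seg["domains"]:
        errors.append("at least one FQDN is required")
    warnings = []
    for proto in ("TCP", "UDP"):
        e, w = check_ranges(proto, seg.get(proto.lower(), []))
        errors += e
        warnings += w
    if seg.get("bypass"):
        warnings.append("Bypass is enabled")
    if seg.get("bypass_during_reauth"):
        warnings.append("Bypass During ReAuthentication is enabled")
    if seg.get("icmp_access"):
        warnings.append("ICMP Access is enabled (default is Disabled)")
    return errors, warnings


# Constructed sample, not taken from a real tenant.
SAMPLE = {"domains": ["app.example.com", "bad_host"], "bypass": True,
          "tcp": [(21, 30), (25, 80), (443, 443), (90, 80)], "udp": [(1, 65535)]}
```

Errors are values the onboarding form should not accept as valid input; warnings are settings worth a second look before clicking Next.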

Create Application Segments

Please follow the instructions below to help onboard an application segment in ZScaler through the Resource Admin interface. If you are unsure about the configurations you should make, please make sure to understand the key attributes in the previous section first.

  1. Navigate to Applications

    • Go to Resource Admin > Applications.
    • Search for the ZScaler application.
    • Click on the gear icon and select the Onboard ZScaler Segment menu item.
  2. Select Account Store & Enter FQDNs
    This will initiate the workflow to onboard the application segments. In the first screen, you must choose the account store and add FQDNs.

    • Select the Account Store created for ZScaler. The dropdown will only show account stores of type Zscaler.
    • Enter one or more domains for the application segment. Use the Add New Item button to add new domains or delete existing ones using the trash icon.
  3. Configure Port Ranges and Additional Settings
    This screen allows you to set up port ranges, additional configurations, and common settings. Once you have input all the values in each section, click Next to proceed.

    • TCP Port Ranges: In the text boxes for the From and To values, enter valid TCP port ranges.
    • UDP Port: Input the valid UDP port range, with the minimum in the From and the maximum in the To text boxes.
    • Bypass: Enable / Disable the Bypass feature to specify whether users can bypass ZPA to access an application configured in ZScaler.
    • Double Encryption: Enable double encryption if required. This adds a second layer of encryption for traffic between the Client Connector on your users' devices and the App Connector.
    • ICMP Access: Enable ICMP if you want to allow ZPA clients to access the applications in this App Segment via ICMP. By default, this is set to Disabled.
    • Bypass During ReAuthentication: Decide whether to allow bypass during authentication processes. This setting indicates whether application access during reauthentication bypasses ZPA (when Enabled) or not (when Disabled). This feature only applies to Zscaler Client Connector-specific applications.
    • Health Reporting: Choose whether the App Connector reports the health status of all applications within an application segment continuously (Continuous) or while a user is accessing it (On Access).
    • Client Connector can receive CNAME: Choose if the App Connector should return CNAME records to Client Connector (Enabled) or not (Disabled).
    • App Connector Selection Method: Select Closer to Application to enable the App Connector or Closer to User to disable it. Ensure App Connectors can perform reachability checks for the chosen application.
  4. Add to Segment Group
    This screen displays all segment groups. Users can select one segment group from this screen to link it to the created application segment.

    • Select the segment group to add and click Next to proceed.
  5. Associate Server Groups
    • Search for and select the checkbox for the server groups to associate with the application segment, then click Next to proceed.
  6. Review the information to ensure accuracy. You can make changes before submitting the application segment and saving the configurations.

You have successfully created or onboarded the application segments in ZScaler to EmpowerID.

Manage Application Segments

Please follow the instructions below to manage the already onboarded application segments.

tip

The workflow supports multiple actions, and you will be prompted to choose among these options. The summary below provides descriptions of each action and what you can perform by selecting it.

  • Delete Application Segment: Permanently remove an application segment.
  • Application and Ports Configuration: Add or remove configurations for applications (FQDNs) and port ranges (TCP and UDP).
  • Edit General Information: Add, update, or remove the segment name, description, status (enabled/disabled), and IP anchoring settings. Additionally, it allows you to manage common configuration data like Bypass type, Health Reporting, and Double Encryption.
  • Manage Protected Application Resource: Update the protected application resource linked to the application segment.
  • Edit Server Groups: Add or remove server groups associated with the application segment.
  1. Navigate to Applications

    • Go to Resource Admin > Applications.
    • Search for the ZScaler application.
    • Click on the gear icon and select the Onboard ZScaler Segment menu item.
  2. Select Segment Group

    • Search for the segment group.
    • Click on the segment group to select it, and click on Next.
  3. Select the action to perform on the application segment. We have already discussed the actions and options. Based on your selection, choose the appropriate tab for additional information.

View Application Segment

  1. On the navbar, expand Identity Administration and click Specialized Systems.
  2. Click on ZScaler Manager.
  3. Select the Applications tab to view all the applications.
  4. Click on the link in the Name column to open the view page.
  5. You will be directed to the details page for the selected application. There, you can find the Domains, TCP & UDP Port Ranges, and Server Groups associated with the application.

View Segment Groups

  1. On the navbar, expand Identity Administration and click Specialized Systems.
  2. Click on ZScaler Manager.
  3. Select the Segment Groups tab.
  4. Click on the link in the Name column to open the view page.
  5. You will be directed to the details page for the selected segment group. There, you can find the Application Segments associated with the group.

See Also

Create and Manage Zscaler Access Policy

View Zscaler Resources