mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-17 21:19:40 +03:00
3.3 KiB
3.3 KiB
ZPA ZTNA Configuration Workflow
Phase 1: Planning and Prerequisites (Week 1)
1.1 Architecture Design
- Map current VPN access patterns: which users access which applications
- Identify all internal applications by FQDN, IP, and port
- Group applications into logical segments by business function and sensitivity
- Design App Connector placement: minimum 2 connectors per data center for HA
- Plan DNS resolution: App Connectors must resolve all application FQDNs
1.2 Identity Provider Integration
- Configure SAML 2.0 or OIDC integration with corporate IdP (Okta, Entra ID, Ping)
- Map IdP user groups to ZPA access policy groups
- Configure SCIM provisioning for automated user/group sync
- Test SSO authentication flow end-to-end
Phase 2: Infrastructure Deployment (Week 2-3)
2.1 App Connector Deployment
- Provision Linux VMs (CentOS/RHEL/Ubuntu) meeting minimum specs (2 vCPU, 4GB RAM)
- Ensure outbound HTTPS (443) to ZPA cloud domains (*.private.zscaler.com, *.zpath.net)
- Generate provisioning keys in ZPA Admin Portal (one per App Connector Group)
- Install and configure App Connector packages
- Verify connector enrollment and health status in portal
- Deploy second connector per group for high availability
2.2 Server Group and Application Segment Configuration
- Create server groups mapping to App Connector groups
- Add application servers with FQDNs and ports to server groups
- Create application segments grouping related applications
- Configure health monitoring for each segment
- Test application reachability from App Connector
Phase 3: Policy Configuration (Week 3-4)
3.1 Access Policy Design
- Create allow rules ordered from most specific to least specific
- Map IdP groups to application segments in each rule
- Add device posture profile requirements to rules
- Configure time-based restrictions for contractor access
- Create default deny rule as the last policy rule
- Test each policy rule with representative users
3.2 Device Posture Configuration
- Define posture profiles for each device category (managed, developer, BYOD)
- Integrate CrowdStrike ZTA scores for real-time posture
- Configure OS version, encryption, and firewall requirements
- Test posture evaluation with compliant and non-compliant devices
Phase 4: User Migration (Week 4-6)
4.1 Client Connector Deployment
- Deploy Zscaler Client Connector via MDM (Intune, Jamf, SCCM)
- Configure auto-enrollment with IdP authentication
- Test client connectivity to ZPA cloud
- Validate application access through Client Connector
4.2 Phased Rollout
- Phase 1: IT/Security team (50 users) - validate all segments
- Phase 2: Engineering (200 users) - validate developer tools
- Phase 3: Business users (remaining) - validate general applications
- Monitor access logs for denials and policy gaps at each phase
Phase 5: Browser Access Configuration (Week 5)
- Enable Browser Access for applications requiring clientless access
- Configure custom domains and TLS certificates
- Set session timeout and clipboard/file transfer policies
- Test with contractor accounts
Phase 6: VPN Decommission (Week 7-8)
- Run VPN and ZPA in parallel for 2-3 weeks
- Monitor VPN usage to identify remaining dependencies
- Migrate remaining applications and users
- Disable VPN and redirect users to ZPA
- Decommission VPN infrastructure