ZPA application segment configuration for browser access with SIPA enabled

avshch · March 5, 2023, 3:53pm

Hello,
Trying to configure access to reuters.com via SIPA for browser access.
How can ssl certificate for reuters.com could be uploaded for browser access with SIPA enabled when configuring ZPA application segment?

when trying to upload a cert via “CERTIFICATE MANAGEMENT” from ZPA Management portal, get the error message:
A matching CSR was not found or a private key was not present within the uploaded certificate

ramesh.mani1 · March 6, 2023, 1:56am

You can add this in user portal as external url. Not necessary to upload the certificate. I guess this is externally hosted url.

avshch · March 6, 2023, 2:18am

@ramesh.mani1 yes the site is hosted by another company.

pvanroosbroek · March 6, 2023, 9:48am

Hi Alex. Browser access is typically used to provide access to internal websites for third parties, i.e. browser access should not be required when accessing a public website such as reuters.com.
You could configure SIPA and browser access for the same app segment, but they will not be used simultaneously as they serve different purposes.

The error you observe when uploading the certificate can be attributed to the absence of a CSR in the ZPA admin portal. There are two paths to consider when uploading a certificate file:

Creating the CSR file inside the ZPA admin portal. The proper process here is to create a CSR in the portal, download it, have it signed by your public CA provider (e.g. GoDaddy), and upload the resulting certificate file to the admin portal
If you already have a signed certificate, you should upload the certificate file with the private key in a single file. The file format should look like this:

-----BEGIN CERTIFICATE-----
<certificate content>
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
<private key>
-----END PRIVATE KEY-----

avshch · March 6, 2023, 12:13pm

@pvanroosbroek thank you for your reply. I was using reuters.com as an example. We are dealing with
access to some legacy .gov web-site. The access is locked by the government to a specific public ip address for each company. It does sound like SIPA might not work for this use case.
Does ZScaler have any other method to accommodate this requirement?
Thanks,

pvanroosbroek · March 7, 2023, 8:42am

Hi Alex. That’s precisely what SIPA does. That said, if your use case is to send traffic to a specific destination from one particular source IP address, then you won’t need the Browser Access feature.
Configuring SIPA for the government website(s) you refer to should do the trick.

avshch · March 7, 2023, 2:23pm

@pvanroosbroek what does “browser access” feature do?

pvanroosbroek · March 8, 2023, 8:11am

Hi Alex. Browser Access allows users to access internal resources without the Client Connector installed, i.e. the user can access the resource from within the browser. Before accessing the resource, the user is redirected for authentication from within the browser, and upon successful authentication, the user is forwarded to the application. Restricting access to resources is defined in the access policy.
More information is here: About Browser Access | Zscaler.