ZPA Terraform Provider Video Series Ep.8 - ZPA Browser Access Application Segment

Browser Access allows you to leverage a web browser for user authentication and application access over ZPA, without requiring users to install Zscaler Client Connector on their devices. For certain use cases, it might not be feasible or desirable to install Zscaler Client Connector on all devices. For example, you might want to:

  • Control user access to applications on devices with operating systems that are not currently supported by Zscaler Client Connector.
  • Provide third-party access to applications on devices that might not be owned or managed by your company (e.g., contractor or partner-owned devices).

Browser Access enhances your ZPA experience by enabling you to:

  • Make applications accessible for your users from any web browser without requiring Zscaler Client Connector or browser plugins and configurations.
  • Use your existing Identity Provider (IdP) to provide access to your current users, contractors, and other third-party users without managing an internet footprint.

Terraform Registry Example:

Important Note: Util ZPA Terraform Provider version v2.3.2 the name of the browser access application segment resource was: “zpa_browser_access”. Starting on ZPA Terraform Provider version v2.4.0, the name of the resource has been changed to “zpa_application_segment_browser_access”. The previous name is still supported; however, Terraform will trigger a warning at the end of each apply process.

In this video, we’ll explore


0:00:03;20 – 0:00:17;26 – Introduction
0:00:18;03 – 0:01:12;05 – Introduction to Browser Access Application Segment
0:01:14;14 – 0:01:36;29 – Browser Access Application Segment UI
0:01:38;29 – 0:02:21;18 – Terraform Browser Access Application Segment API Workflow
0:02:23;12 - 0:03:05;08 – Terraform Registry Documentation
0:03:05;20 - 0:03:28;18 – Browser Access Certificate Out-of-Band Onboard
0:03:30;23 – 0:04:08;18 – Configuring Application Segments with Terraform
0:04:08;20 – 0:04:28;07 – Executing Terraform
0:04:28;08 – 0:05:49;21 – Summary


Hi, my name is William Guilherme, and I am a Solutions Architect with the Zscaler Technology Alliances team.

In this video, we’ll go through the configuration process, on how to create a browser access application segment using the ZPA Terraform provider.

The Browser Access Application Segment is similar to the traditional Application Segment resource, we saw in episode 7 of this series.

The main difference is that this type of application segment is used specifically to support use cases where the Zscaler Client Connector agent cannot be installed, or the device Operating system does not support the Zscaler Client Connector Agent.

You can enable the browser access feature before or after the application segment has already been created.

Similar to a traditional application segment, it supports both IPv4 addresses and FQDNs; however, you can only configure a browser access application segment, to support either HTTP or HTTPS protocols.

Finally, a browser access application segment requires a browser certificate, and that certificate can be a wildcard certificate, which can be associated either with a single or multiple application segments

As we’ve seen previously, Browser Access is 1 among 3 other types of application segments that can be configured depending on the use case. In this video, we’ll focus exclusively on the Browser access application segment.

Once enabled, you can then select your browser certificate, the protocol (HTTP or HTTPS), and the port among other options.

The workflow used by Terraform in order to create a browser access application segment is to first validate every parameter considered as required during run-time.

Terraform will use your desired state configuration, and validate if all required parameters have been provided at the planning stage. If all parameters and syntaxes are validated:

  1. Terraform, then will first look for the ID of a validated Browser Access Certificate
  2. Then validate if a segment group ID and Server Group have been provided
  3. Once these parameters have been validated, Terraform will send a POST call to the application segment endpoint, and finally provision the browser access application segment in the ZPA portal.

To see an example of a browser access application segment configuration, navigate to the Terraform registry documentation portal.

Search for Zscaler in the search bar and then, navigate to the “Documentation tab”.

Then select the zpa_application_segment_browser_access resource on the left-hand side.

Here, you will have a detailed example with all the required parameters to initiate your configuration including all the necessary dependencies.

Finally, navigate to the Browser Access Certificate Data source and choose zpa_ba_certificate

You can copy both of these examples, paste into your Terraform configuration file, and then customize them according to your needs.

As previously mentioned, the Browser Access Certificate at this point, cannot be provisioned via API or Terraform itself, and must be managed out-of-band by navigating to the ZPA management console for the onboarding:


  • Select Administration
  • Certificates
  • And check the name of the certificate you’d like to Terraform to associate with the new browser access application segment.

To start with the configuration, open you’re preferred code editor, and customize the configuration according to your needs.

As we’ve mentioned before, in this configuration the following parameters are mandatory and are validated by Terraform during the planning process.

  • Name
  • Segment_group_id
  • tcp_port_range
  • domain_names
  • Server_group_id
  • Clientless_apps.
    • Within clientless_apps, the following parameters are required:
      • Domain
      • Application_protocol
      • Application_port
      • Certificate_id, which, in this example, we are using a data source to query the ID of our browser certificate, which was onboarded out-of-band.
  • Notice, that in previous versions up to 2.3.2 of the ZPA Terraform provider, the browser access application segment resource was called: zpa_browser_access; however, starting in version 2.4.0, the resource is now called: zpa_application_segment_browser_access. The previous resource name is still supported and does not impact existing resources that have already been created.

Finally, we can run the command terraform apply, to initiate the resource configuration of the new browser access application segment in the ZPA portal.

Notice that the certificate_id was successfully associated with our application segment, along with all the other required parameters.

In summary:

  • The browser access application segment resource allows users to leverage a web browser for authentication and application access.

  • A Browser access certificate is required; however, currently the certificate cannot be onboarded via API or Terraform and must be managed out-of-band via the management portal.

  • Similar to a traditional application segment, a browser application segment supports the configuration of IPv4 Addresses, and FQDNs

  • TCP and UDP port ranges are supported and cannot overlap with other
    application segments using the same TCP or UDP ports.

  • The browser application segment only supports HTTP and HTTPS protocols

  • A segment group, and server group objects are required.

  • An application segment can only be associated with a single segment group but can be associated with 1 or more server group resources.

  • Terraform validates the following parameters at run-time: Name,
    Domain_Names, TCP and UDP Port Ranges, Segment Group ID and
    Server Group ID, and mandatory parameters within the clientless_apps menu.

Finally, it can optionally be associated with all other policy types in ZPA
for further segmentation such as: Access Policies, Timeout Policies,
Forwarding Policies, and Inspection Policies

1 Like