Zscaler Private Access

Below is my requirement.
I want users to use their laptops/PCs from home and access the company's desktops via SSL VPN.
Can Zscaler Private Access provide this?
This is to enable remote access from home to company PCs via SSL VPN.
How does it work?

You can create RDP application access and install a zapp agent on your home PC. As of now there is no browser-based access for RDP.

Alternatively, you can publish RDP over HTTPS by following the steps in the article https://docs.microsoft.com/en-us/windows-server/remote/remote-desktop-services/clients/remote-desktop-web-client-admin and publish this over Browser Access or the user portal.

This is applicable for server machines, not for desktop versions, I guess.

Thanks. Please help in clarifying the below.

  1. The ZAPP will use only the SSL port (TCP 443) to connect to my DC via ZEN. Let me know if this is correct.
  2. I don't need to open RDP port 3389.
  3. I am not looking for browser-based RDP. Once my ZAPP SSL VPN is established, I want to use Windows mstsc to access my desktop in my DC.

Let me know if the above is possible.

Rajeev,

You don't need to open RDP port 3389 in your inbound FW, but you will need to configure the domain/IP of your RDP server + TCP 3389 as an app segment in ZPA. Once this is done, you can run mstsc and test access.

Thanks.
Is it similar to BIG-IP F5 as explained in the link below?

https://devcentral.f5.com/s/articles/Remote-Desktop-Protocol-RDP-using-an-SSL-VPN

I have attached a diagram for a clear understanding of my requirement. Let me know if it can be achieved with Zscaler. Below are the queries.

User uses ZAPP SSL VPN client to connect to the remote desktop in the DC
How can it be achieved?

Questions:

  1. Connectivity between Zscaler App & the Zen node will be on TCP 443? Is this right?
  2. Connectivity between Zen Node & DC will be on TCP 443? Is this right?
  3. zAPP connector will be installed in DC? How many zAPP connectors are required?
  4. What is the role of zAPP Connector?
  5. Will the traffic from the user's PC to the remote desktop be encrypted?
  6. Is it required to have an IPSec VPN between Zen Node & zApp Connector?

  1. Connectivity between Zscaler App & the Zen node will be on TCP 443? Is this right?
    Yes, this is a TLS 1.2 connection.
  2. Connectivity between Zen Node & DC will be on TCP 443? Is this right?
    Yes, this is also a TLS 1.2 connection. Having said that, this is outbound TCP 443 from the DC to ZEN.
  3. zAPP connector will be installed in DC? How many zAPP connectors are required?
    It is not a ZAPP connector, it is a Zconnector, which would be installed at the DC or in the cloud, wherever your private applications are hosted.
    **Each Zconnector can handle 500 Mbps throughput; based on the bandwidth required to access your internal applications you can choose the number of connectors to deploy.**
    **For HA it is recommended to deploy Connectors in N+1 mode.**
  4. What is the role of zAPP Connector?
    Zconnector performs the below:
    **1. Establishes the outbound 443 connectivity to the Zscaler Cloud.**
    **2. Acts as a client for applications, thus securing the private applications from the external network. In your internal firewall, if there is one between the connector and the applications, you just need to allow the connector to talk to the applications.**
    **3. Eliminates the need for a load balancer, DDoS and other inbound devices.**
  5. Will the traffic from the user's PC to the remote desktop be encrypted?
    The traffic from the user's PC to the Connector is encrypted. From the Connector to the RDP server it is the standard port 3389 communication.
  6. Is it required to have an IPSec VPN between Zen Node & zApp Connector?
    No VPN connectivity is required from the DC to the Zscaler cloud. Zconnector establishes the outbound 443 communication to the Zscaler ZEN.

As per the article, it can be applied to Windows 10 devices as well.

Hi Rajesh - Thanks.
I am looking to access Windows 10 PCs remotely using RDP.

I understood your explanation. Some more queries from my side:

  1. Can the zAPP on the client side be integrated with Azure AD for authentication? Please clarify. From my understanding it is possible.
  2. For SSL VPN access it requires an IP address to be assigned to the client.
    Also a local DNS server needs to be assigned to the client.

For example, if my PC in the DC has hostname mypcdes001, I need to RDP to this hostname to get access. So in this case I need my internal DNS to resolve it to its original IP.
So I would like to understand who will assign the IP address & DNS IP to the client once the SSL VPN is established.
Will my client be part of the IP address range of my DC network so that it can reach my PCs?

Hi Rajeev, please refer to https://help.zscaler.com/zpa/configuration-guide-microsoft-azure-ad for Azure AD auth.

On point #2, the Zscaler solution is based on ZTNA and not SSL VPN. We help to replace SSL and traditional VPNs. The IP address and DNS assignment is done by the Zscaler cloud for the client. When you try to look up the hostname, it will resolve to a synthetic IP which points to the Zscaler cloud. The actual hostname-to-IP resolution happens at the Connector side, hence it is important to make sure the connector has proper DNS configuration.

Your client will not be part of your DC network. As I said, it is a ZTNA-based solution.

Looking at your queries, I believe you need more insights about the ZPA solution; I would suggest you connect with your local Zscaler Sales Engineer to get a deep dive of the solution.

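One way to see which path a lookup is taking on the client, as an added example that is not from this thread or from Zscaler: the script below classifies what the laptop's resolver returns for a hostname such as mypcdes001 (a synthetic address means the Zscaler client intercepted it and will tunnel to a Connector; a real DC address means the machine is on the office network or a classic VPN; no answer means the name is not in an app segment). The synthetic range 100.64.0.0/16 and the DC range 10.0.0.0/8 are assumptions to replace with your tenant's values.

```python
import ipaddress
import socket
import sys

# Assumption: the synthetic range the Zscaler client answers with for
# ZPA-defined hostnames is tenant-configurable; 100.64.0.0/16 is only a
# placeholder default here. Replace it with the range set in your ZPA tenant.
SYNTHETIC_RANGE = ipaddress.ip_network("100.64.0.0/16")


def classify_resolution(addresses, dc_ranges, synthetic_range=SYNTHETIC_RANGE):
    """Explain what a client-side DNS answer means.

    addresses - IP strings the client's resolver returned (may be empty)
    dc_ranges - real address ranges of the data centre, e.g. ["10.0.0.0/8"]
    Returns "zpa", "direct", "unresolved" or "public".
    """
    if not addresses:
        # No answer: the name is not in any app segment the user is entitled
        # to, and internal DNS is (correctly) unreachable from the internet.
        return "unresolved"
    dc_nets = [ipaddress.ip_network(r) for r in dc_ranges]
    ips = [ipaddress.ip_address(a) for a in addresses]
    if any(ip in synthetic_range for ip in ips):
        # Synthetic answer: the client carries the flow over TLS to the cloud
        # and the App Connector performs the real lookup inside the DC.
        return "zpa"
    if any(any(ip in net for net in dc_nets) for ip in ips):
        # Real DC address: the client is on the office LAN or a classic VPN,
        # so this traffic is not traversing ZPA at all.
        return "direct"
    return "public"


def resolve(hostname):
    """Ask the local resolver (which the Zscaler client hooks) for the name."""
    try:
        infos = socket.getaddrinfo(hostname, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def check_host(hostname, dc_ranges):
    return classify_resolution(resolve(hostname), dc_ranges)


if __name__ == "__main__":
    # Usage: python zpa_dns_check.py mypcdes001 10.0.0.0/8 [more DC ranges]
    name, ranges = sys.argv[1], sys.argv[2:] or ["10.0.0.0/8"]
    print(name, "->", check_host(name, ranges))
```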

Thanks.
One thing I am not able to understand with ZPA is below.
I have my internal application, say https://intra.myapplication.com, which I access when I am in my office network. This URL is published in my internal DNS servers.

But when I want to access it from a PC on the internet using ZPA, how will I access the same application?
Will I be able to access the same URL, https://intra.myapplication.com, which is not published on the internet?
Or will there be a dashboard-like web page where I can see all my authorized applications, and via that dashboard I can access my allowed applications?

Go here,
https://help.zscaler.com/zpa/about-browser-access
https://help.zscaler.com/zpa/user-portal

Thanks.
One clarification.

If I use the ZApp agent, do I still need to use the user portal to access my applications?
Or
is the user browser portal used only when not using the zApp agent?

The user portal can be used in the scenario where you cannot use ZAPP agents and the applications are HTTP- and HTTPS-based.

The ZAPP agent can be used for access on all ports and protocols.

Thanks
So can I use Zapp to access HTTP & HTTPS applications?
If yes, then the user portal is not required?
So in that case, using Zapp, how will I access my application [https://intra.myapplication.com]?

If possible, can we have a WhatsApp call to discuss it?

So can I use Zapp to access HTTP & HTTPS applications? – You can.

  1. Create a connector near to your application
  2. Server and server group configuration
  3. Application segment and policy

Thanks. So after doing the above, from my PC I need to type the below URL:
[https://intra.myapplication.com]

The Zapp on my PC will take the traffic to my data center where my application is hosted? Is that right?