Enabling Zero Trust Access with Zscaler Private Access (ZPA)
Zscaler App Connectors are lightweight VMs deployed within your internal network to securely broker access to private apps. They initiate outbound-only TLS tunnels to Zscaler, eliminating inbound firewall rules and VPN exposure.
Linux VM (Ubuntu 18.04+ or RHEL 7/8)
2 vCPU / 4 GB RAM minimum
Outbound access to:
TCP 443 (Zscaler Cloud)
UDP 123 (NTP)
L3 network access to internal apps
Provisioning key from ZPA portal
1. Create App Connector in ZPA Portal
Go to Administration → App Connectors
Click Add, assign a name, location, and generate the Provisioning Key
2. Deploy the App Connector VM
Download and extract the zpa-connector.tgz
mkdir -p /opt/zscaler/
cd /opt/zscaler/
tar -xvzf zpa-connector.tgz
./install.sh
3. Apply Provisioning Key
vi /opt/zscaler/var/provision_key
Paste in the key, then:
systemctl start zpa-connector
4. Verify in ZPA Portal
Connector should appear online within minutes.
Create Connector Groups
Define Server Groups with IPs or FQDNs
Create Application Segments (RDP, SSH, HTTP, etc.)
Set up Access Policies by user/group and app
The App Connector never accepts inbound connections. All traffic is user-initiated and brokered through Zscaler’s cloud. This reduces attack surface and simplifies firewall posture.