REFERENCE ARCHITECTURE GUIDE FOR ZPA
©2022 Zscaler, Inc. All rights reserved.
Getting Started with ZPA
ZPA allows you to define a set of policies, authentication, and application definitions that combine to provide user access
to applications. The ZPA service ensures that applications are available and that users have the correct policy applied. The
following ZPA components and configuration elements compose the foundation for implementing zero trust principles
via user segmentation.
Figure 2. Component overview of the ZPA solution (diagram; labels shown: Data Center, Cloud Applications, Cloud IdP, Zscaler Central Authority, DMZ; callouts 1 through 6 correspond to the numbered components below).
1. Applications, Application Segments, and Segment Groups – An application is a Fully Qualified Domain Name (FQDN), local domain name, or IP address that is defined on a standard set of ports. Applications must be defined within an application segment. Zscaler recommends using FQDN whenever possible. An application segment is a set of defined applications on shared ports across one or more back-end servers. A segment group is a set of application segments combined for policy purposes. Applications can be grouped into application segments and segment groups based on access type, authorized users, etc.

2. SAML and SCIM Attributes – SAML and SCIM attributes such as group membership, role, etc. are used in access policy rules to provide least-privilege access to applications. These attributes may originate in existing authentication/authorization repositories, such as Active Directory, binding users to relevant groups that reflect onboarding, movement to different departments, changes such as termination, etc.

3. Access Policy – Access policy rules enable context-based access control. To configure an access policy rule, you must first define which applications or segment groups the rule controls, and then define the context required for access. Additional context for access policies may include device posture, access type, network location, and other context provided by the SAML Identity Provider (IdP).

4. App Connectors – App Connectors provide a secure, encrypted, authenticated interface between a customer’s servers and applications and the ZPA cloud for delivering user traffic to back-end applications.

5. Private Service Edge – A ZPA Private Service Edge is a single-tenant instance that provides complete broker functionality of a ZPA Public Service Edge in an organization’s environment. For an on-premises user connecting via a local Private Service Edge and local App Connector, all control-plane and data-plane traffic stays within the network; the Private Service Edge communicates to the Zscaler cloud for management plane (configuration, logging, etc.) and delivery of user traffic to remote resources.

6. Zscaler Client Connector – Zscaler Client Connector is an agent that resides on your mobile or desktop devices. Supported on popular operating systems such as Windows, macOS, Android, iOS, and CentOS, this agent connects your devices to Zscaler’s Zero Trust Exchange. At the ZPA Service Edge, requests are evaluated and approved users are connected to appropriate applications.
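The relationship between items 1 through 3 (applications inside application segments inside segment groups, and access policy rules that name those targets and then add identity and device context) can be pictured as a small policy model. The Python below is an added illustration written for this guide's reader; it is not Zscaler code and does not reflect the ZPA API. All class and field names, hostnames, group names and rule names are constructed assumptions. What it shows beyond the text is the evaluation order a least-privilege design implies: a request is first resolved to the segment(s) and segment group(s) that define it, rules are then tried top-down with group and posture conditions, and anything undefined or unmatched is denied.

```python
"""Toy model of ZPA-style application segments, segment groups and access
policy evaluation. Added illustration only; not Zscaler code. Every name
below (classes, fields, hosts, groups, rules) is a constructed assumption."""
from __future__ import annotations
from dataclasses import dataclass
from fnmatch import fnmatchcase
from ipaddress import ip_address


def _is_ip(value: str) -> bool:
    try:
        ip_address(value)
        return True
    except ValueError:
        return False


@dataclass(frozen=True)
class Application:
    """An FQDN (wildcard allowed), local domain name or IP address on a set of ports."""
    target: str
    ports: frozenset

    def matches(self, host: str, port: int) -> bool:
        if port not in self.ports:
            return False
        host, target = host.lower(), self.target.lower()
        if _is_ip(host) or _is_ip(target):
            return host == target          # IP-defined applications match exactly
        return fnmatchcase(host, target)   # FQDN, e.g. "*.fin.corp.example"


@dataclass(frozen=True)
class ApplicationSegment:
    name: str
    applications: tuple


@dataclass(frozen=True)
class SegmentGroup:
    name: str
    segments: tuple


@dataclass(frozen=True)
class Context:
    """Attributes the IdP asserts via SAML/SCIM plus device posture."""
    user: str
    groups: frozenset
    posture_ok: bool = False


@dataclass(frozen=True)
class AccessRule:
    name: str
    targets: frozenset                      # segment-group or segment names
    action: str = "ALLOW"                   # "ALLOW" or "DENY"
    any_of_groups: frozenset = frozenset()  # empty = no group condition
    require_posture: bool = False


def matching_targets(groups, host: str, port: int) -> set:
    """Names of every segment and segment group whose applications cover host:port."""
    names = set()
    for group in groups:
        for seg in group.segments:
            if any(app.matches(host, port) for app in seg.applications):
                names.update({seg.name, group.name})
    return names


def evaluate(rules, groups, host: str, port: int, ctx: Context) -> tuple:
    """Top-down, first-match evaluation. A request for something that is not a
    defined application, or that no rule matches, is denied by default."""
    targets = matching_targets(groups, host, port)
    if not targets:
        return "DENY", "not a defined application"
    for rule in rules:
        if not targets & rule.targets:
            continue
        if rule.any_of_groups and not rule.any_of_groups & ctx.groups:
            continue
        if rule.require_posture and not ctx.posture_ok:
            continue
        return rule.action, rule.name
    return "DENY", "no rule matched (implicit deny)"


# Constructed sample configuration (not from any real tenant).
HR = ApplicationSegment("hr-portal", (Application("hr.corp.example", frozenset({443})),))
FINANCE = ApplicationSegment("finance-apps", (Application("*.fin.corp.example", frozenset({443, 8443})),))
SSH_JUMP = ApplicationSegment("jump-host", (Application("10.20.30.40", frozenset({22})),))
GROUPS = (SegmentGroup("corp-web", (HR, FINANCE)), SegmentGroup("infra", (SSH_JUMP,)))
RULES = (
    AccessRule("contractors-no-ssh", frozenset({"infra"}), "DENY", frozenset({"Contractors"})),
    AccessRule("hr-staff", frozenset({"hr-portal"}), "ALLOW", frozenset({"HR"})),
    AccessRule("finance-managed-devices", frozenset({"finance-apps"}), "ALLOW",
               frozenset({"Finance"}), require_posture=True),
    AccessRule("admins-ssh", frozenset({"infra"}), "ALLOW", frozenset({"Infra-Admins"})),
)

if __name__ == "__main__":
    alice = Context("alice", frozenset({"HR"}))
    bob = Context("bob", frozenset({"Finance"}), posture_ok=False)
    for who, host, port in ((alice, "hr.corp.example", 443), (bob, "erp.fin.corp.example", 443)):
        print(who.user, host, port, evaluate(RULES, GROUPS, host, port, who))
```

Two design points worth noting: the explicit DENY rule for contractors sits above the ALLOW for admins, so a user who carries both groups is still denied, which is the ordering to check when reviewing a real policy; and the wildcard in an FQDN application matches across dots, so "*.fin.corp.example" also covers deeper subdomains, which is why the guide's advice to define applications as specific FQDNs keeps segments tight.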