Configuring Zscaler Private Access (ZPA) to replace traditional VPN with zero trust network access by deploying App Connectors, defining application segments, configuring access policies based on user identity and device posture, and integrating with IdPs.
Works with
AI-first code editor with Composer
Before installing skills in Cursor, ensure your development environment meets these requirements:
node --versionconfiguring-zscaler-private-access-for-ztnaExecute the skills CLI command in your project's root directory to begin installation:
Fetches configuring-zscaler-private-access-for-ztna from mukul975/Anthropic-Cybersecurity-Skills and configures it for Cursor.
The CLI shows a list of agents. Use arrow keys and space to select Cursor:
Confirm successful installation by checking the skill directory location:
Restart Cursor to activate configuring-zscaler-private-access-for-ztna. Access via /configuring-zscaler-private-access-for-ztna in your agent's command palette.
We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.
Skills execute code in your environment. Always review source, verify the publisher, and test in isolation before production.
Submit your Claude Code skill and start earning
Automate repetitive workflows and reduce manual effort
Example
Generate reports, summarize documents, draft communications
Save 3-5 hours per week on routine tasks
Learn new skills, understand complex topics, get expert guidance
Example
Explain concepts, provide examples, suggest learning resources
Accelerate learning and skill development by 2x
Enhance output quality through reviews, suggestions, and refinements
Example
Review drafts, suggest improvements, catch errors
Improve work quality by 30-40% with less effort
0
total installs
0
this week
8.6K
GitHub stars
0
upvotes
Run in your terminal
0
installs
0
this week
8.6K
stars
| name | configuring-zscaler-private-access-for-ztna |
| description | 'Configuring Zscaler Private Access (ZPA) to replace traditional VPN with zero trust network access by deploying App Connectors, defining application segments, configuring access policies based on user identity and device posture, and integrating with IdPs. ' |
| domain | cybersecurity |
| subdomain | zero-trust-architecture |
| tags | - zscaler - zpa - ztna - zero-trust - app-connector - access-policy - sase |
| version | '1.0' |
| author | mahipal |
| license | Apache-2.0 |
| nist_csf | - PR.AA-01 - PR.AA-05 - PR.IR-01 - GV.PO-01 |
Do not use for applications requiring raw UDP access (ZPA primarily supports TCP), for providing full network-level access equivalent to site-to-site VPN (use ZPA AppProtection or branch connector instead), or when the organization requires on-premises-only access control without cloud dependency.
App Connectors establish outbound-only tunnels to the ZPA cloud, providing access to internal applications.
# Download and install App Connector on Linux VM
# Obtain provisioning key from ZPA Admin Portal > Administration > App Connectors
# For RHEL/CentOS
sudo yum install -y https://yum.private.zscaler.com/yum/el7/zpa-connector-latest.rpm
# For Ubuntu/Debian
curl -sS https://dist.private.zscaler.com/apt/pubkey.gpg | sudo apt-key add -
echo "deb https://dist.private.zscaler.com/apt stable main" | sudo tee /etc/apt/sources.list.d/zpa.list
sudo apt update && sudo apt install -y zpa-connector
# Configure the connector with provisioning key
sudo /opt/zscaler/bin/zpa-connector configure \
--provision-key "PROVISIONING_KEY_FROM_PORTAL"
# Start the connector service
sudo systemctl enable zpa-connector
sudo systemctl start zpa-connector
# Verify connector status
sudo systemctl status zpa-connector
sudo /opt/zscaler/bin/zpa-connector status
# Deploy second connector for HA (minimum 2 per site)
# Repeat on second VM with same App Connector Group provisioning key
Map internal applications to server groups and create application segments.
ZPA Admin Portal Configuration:
1. Server Groups:
Navigate to: Administration > App Connectors > Server Groups
- Name: "DC-East-Servers"
- App Connector Group: "DC-East-Connectors"
- Servers:
- hr-portal.internal.corp (10.1.1.50, TCP 443)
- finance-app.internal.corp (10.1.1.51, TCP 443)
- git.internal.corp (10.1.2.10, TCP 22, 443)
2. Application Segments:
Navigate to: Resources > Application Segments > Add Application Segment
- Name: "HR Applications"
- Domain/URL: hr-portal.internal.corp
- TCP Ports: 443
- Server Group: DC-East-Servers
- Health Reporting: Continuous
- Bypass Type: Never (force all traffic through ZPA)
- Name: "Engineering Tools"
- Domain/URL: git.internal.corp, ci.internal.corp, wiki.internal.corp
- TCP Ports: 22, 80, 443
- Server Group: DC-East-Servers
- Segment Group: "Engineering Segment Group"
Define who can access which application segments based on identity and device posture.
ZPA Admin Portal > Policies > Access Policy:
Rule 1: HR Team Access
- Name: "HR Portal Access"
- Action: ALLOW
- Criteria:
- User Groups: "HR-Department" (from IdP)
- Application Segment: "HR Applications"
- Device Posture Profile: "Corporate Managed Device"
- Client Type: Zscaler Client Connector
- Conditions:
- SAML Attribute: department = "Human Resources"
- Device Trust Level: "HIGH" (CrowdStrike ZTA score > 70)
Rule 2: Engineering Access
- Name: "Engineering Tools Access"
- Action: ALLOW
- Criteria:
- User Groups: "Engineering-Team", "DevOps-Team"
- Application Segment: "Engineering Tools"
- Device Posture Profile: "Developer Workstation"
- Conditions:
- Machine Group: "Engineering Laptops"
Rule 3: Contractor Limited Access
- Name: "Contractor Wiki Access"
- Action: ALLOW
- Criteria:
- User Groups: "External-Contractors"
- Application Segment: "Wiki Only"
- Client Type: Zscaler Client Connector OR Browser Access
- Conditions:
- Time Window: Mon-Fri 08:00-18:00 EST
Rule 4: Default Deny
- Name: "Block All Other Access"
- Action: DENY
- Criteria: All Users, All Applications
- Log: Enabled
Integrate device posture signals from endpoint security tools.
ZPA Admin Portal > Administration > Device Posture:
Profile 1: Corporate Managed Device
- CrowdStrike Falcon: Running, ZTA Score >= 60
- OS: Windows 10 21H2+, macOS 13+, Ubuntu 22.04+
- Disk Encryption: Enabled (BitLocker/FileVault)
- Firewall: Enabled
- Screen Lock: Enabled
Profile 2: Developer Workstation
- Inherits: Corporate Managed Device
- CrowdStrike Falcon: ZTA Score >= 70
- Patch Level: Within 30 days of latest
- Certificate: Valid corporate certificate present
Profile 3: BYOD Device
- OS: Latest minus 1 version
- Browser: Chrome 120+ or Edge 120+
- Antivirus: Any recognized AV running
Configure Browser Access for users without Zscaler Client Connector installed.
ZPA Admin Portal > Resources > Application Segments:
For "HR Applications" segment:
- Enable Browser Access: Yes
- Browser Access Type: HTTPS
- Custom Domain: hr.access.company.com
- Certificate: Upload TLS certificate for custom domain
- Authentication: SAML via corporate IdP
- Session Timeout: 4 hours
- Clipboard Control: Disabled for sensitive apps
- File Upload/Download: Restricted
For Browser Access Portal:
- Portal URL: access.company.com
- IdP: Microsoft Entra ID (SAML 2.0)
- MFA: Required
- Applications shown: Only authorized per user group
Set up log streaming for SIEM integration and continuous monitoring.
ZPA Admin Portal > Administration > Log Streaming Service:
Log Receiver Configuration:
- Name: "Splunk-SIEM"
- Type: Splunk (HEC)
- Destination: https://splunk-hec.company.com:8088
- HEC Token: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
- Log Types:
- User Activity: Enabled
- App Connector Status: Enabled
- Audit Logs: Enabled
- Browser Access: Enabled
# Splunk search for ZPA access anomalies
index=zscaler_zpa sourcetype=zpa:useractivity
| where action="denied"
| stats count by user, application, policy_name
| where count > 10
| sort -count
| Term | Definition |
|---|---|
| App Connector | Lightweight Linux service that creates outbound-only encrypted tunnels from internal networks to ZPA cloud, providing access to applications without inbound ports |
| Application Segment | Logical grouping of internal applications defined by FQDN/IP and ports, mapped to server groups for access policy enforcement |
| Server Group | Collection of application servers associated with App Connector groups that can serve requests for application segments |
| Access Policy | Rules defining which users/groups can access which application segments under what conditions (device posture, time, location) |
| Zscaler Client Connector | Endpoint agent installed on user devices that routes traffic to ZPA cloud for policy enforcement and application access |
| Browser Access | Clientless ZTNA option allowing application access through a web browser without requiring Zscaler Client Connector installation |
Context: A financial services firm with 500 employees uses Cisco AnyConnect for remote access. VPN split-tunnel configuration creates security gaps, and full-tunnel mode causes performance issues. The firm needs application-level access control for SOX compliance.
Approach:
Pitfalls: App Connector DNS must resolve all internal FQDNs used in application segments. Wildcard domain segments can cause performance issues if too broad. Browser Access does not support all web application frameworks (WebSocket-heavy apps may require Client Connector). CrowdStrike ZTA integration requires Falcon sensor deployment on all endpoints before enforcing posture policies.
ZPA ZTNA Deployment Report
==================================================
Organization: FinanceCorp
Deployment Date: 2026-02-23
INFRASTRUCTURE:
App Connectors: 4 (2x DC-East, 2x DC-West)
Connector Status: All healthy
Connector Version: 24.1.2
APPLICATION COVERAGE:
Application Segments: 20
Total Applications: 45
Server Groups: 4
Segment Groups: 6
ACCESS POLICIES:
Total Rules: 12
Allow Rules: 11
Deny Rules: 1 (default deny)
Device Posture Profiles: 3
USER ACCESS (last 30 days):
Active Users: 487 / 500
Total Sessions: 124,567
Allowed Sessions: 123,890 (99.5%)
Denied Sessions: 677 (0.5%)
Browser Access Sessions: 2,341
VPN MIGRATION:
Users migrated to ZPA: 487 / 500
VPN decommission date: 2026-03-15
Prerequisites
Time Estimate
15-45 minutes depending on use case complexity
Steps
Common Pitfalls
✓ Do
✗ Don't
💡 Pro Tips
✓ Use when
Use when skill capabilities match your task, clear ROI on time saved, and you can validate outputs. Best for repetitive tasks, learning, and quality improvement.
✗ Avoid when
Avoid when task requires deep expertise you can't validate, involves sensitive decisions, or when learning process is more valuable than speed of completion.
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
configuring-zscaler-private-access-for-ztna is among the better-maintained entries we tried; worth keeping pinned for repeat workflows.
configuring-zscaler-private-access-for-ztna fits our agent workflows well — practical, well scoped, and easy to wire into existing repos.
Keeps context tight: configuring-zscaler-private-access-for-ztna is the kind of skill you can hand to a new teammate without a long onboarding doc.
We added configuring-zscaler-private-access-for-ztna from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.
We added configuring-zscaler-private-access-for-ztna from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.
Keeps context tight: configuring-zscaler-private-access-for-ztna is the kind of skill you can hand to a new teammate without a long onboarding doc.
configuring-zscaler-private-access-for-ztna fits our agent workflows well — practical, well scoped, and easy to wire into existing repos.
configuring-zscaler-private-access-for-ztna is among the better-maintained entries we tried; worth keeping pinned for repeat workflows.
configuring-zscaler-private-access-for-ztna fits our agent workflows well — practical, well scoped, and easy to wire into existing repos.
configuring-zscaler-private-access-for-ztna is among the better-maintained entries we tried; worth keeping pinned for repeat workflows.
showing 1-10 of 44