Prerequisites

You will need the following to deploy the ZAB:

  • Hypervisor
    • VMware ESX/ESXi v5.0 and above
  • Virtual Machine
    • 2 GB RAM minimum. Increases with the number of users.
    • 64-bit Xeon CPU. Two cores assigned to the VM.
    • 1 network interface with a static IP address
      This IP address is used for control and data connections to the Zscaler cloud and to connect to the directory server. Your administrator can also use it to make an SSH connection to the VM.
  • Zscaler service
    • A subscription to the ZAB
    • Super admin access to the service
    • Login information for the directory server

Firewall Requirements

The ZAB requires only outbound connections to the Zscaler service. It does not require any inbound connections to your network from the Zscaler service. Ensure that your outbound firewall is configured to allow the necessary connections. To view the firewall requirements, go to the following:  

https://ips.<zscaler-cloud-name>/addresses/zab.html

The <zscaler-cloud-name> depends on the Zscaler cloud administrative URL. For example, if you log in to admin.zscaler.net, then go to https://ips.zscaler.net/addresses/zab.html


Verify subscription

Log in to the Zscaler service and go to Administration > Settings > Company Profile > Subscriptions tab to verify that your organization is subscribed to the ZAB.


Register ZAB

To register a new ZAB, log in to the service and do the following:

  1. Go to Administration > Authentication > Authentication Settings > Authentication Bridges tab.
  2. Click Add and enter a name for the ZAB.
  3. Click Save to exit the dialog.
  4. Activate the change.

Download the ZAB

  1. Go to Administration > Authentication > Authentication Settings > Authentication Bridges tab.
  2. Click Download ZAB VM.
    The ZAB can synchronize and authenticate hundreds of thousands of users. The ZAB specifications are determined by the number of users that the ZAB provisions. Specify the number of users that the ZAB synchronizes and, optionally, authenticates. Then click Compute to compute the appropriate resources for your ZAB.
  3. Click Download ZAB VM.

Compute ZAB resources

Download the SSL certificate

The ZAB uses this certificate to authenticate itself to the Zscaler service. To download the SSL certificate:

  1. Go to Administration > Authentication > Authentication Settings > Authentication Bridges tab.
  2. Click Download in the SSL Certificate column of the new ZAB.

Configure the ZAB

Do the following to configure the ZAB:

A. Configure the network settings.

B. Install the client certificate.

C. Install the server certificate.

D. Install the ZAB software and start it.

If you run into configuration issues, see Troubleshooting for the commands you can use to diagnose them.

Configure the network settings

Do the following to configure the network settings of the ZAB:

  1. Log in with the following:
    Username: zsroot
    Password: zsroot
  2. Zscaler strongly recommends that you change this default password by running the passwd command.
    1. To change the password, enter passwd followed by your username.
      • For example, if you are using the default username, the command is passwd zsroot.
    2. When prompted, specify the following:
      • Your current password
        • For example, if you are still using the default password, enter zsroot.
      • Your new password
  3. Switch to the superuser by entering the following command:
    sudo su -
    Enter the password zsroot when prompted.
    Zscaler strongly recommends that you change this default password.
  4. Configure the network settings. Enter zab configure and, when prompted, specify the following:
    • Name server IP address
    • ZAB IP address and netmask
    • ZEN IP address
  5. To verify the configuration, enter the following command: zab dump-config

Configure network settings image 1

command passwd

Configure network settings image 2

Configure network settings image 3

Configure network settings image 4

Install the client certificate

Install the certificate that you downloaded from the Zscaler service. It is used to authenticate the ZAB to the service.

Do the following:

  1. Copy the client certificate securely to the ZAB VM. Zscaler recommends that you use SCP or SFTP instead of FTP.
  2. On the ZAB, run the following command to install the certificate: zab install-client-cert ZabCert.zip
  3. Run zab dump-config to verify that the ZAB is associated with the Zscaler cloud and with your organization.

Configure the zab - install cert image

Configure the zab - zab dump config image

Install the server certificate

The ZAB acts as a web server that authenticates users against your Active Directory or LDAP server. Because it processes HTTPS transactions, the ZAB must host a private SSL certificate to secure the transactions. Your organization can install your own certificate signed by a trusted Certificate Authority or a self-signed certificate.

To install the server certificate, enter the following command: zab install-server-cert

  • If you have a server certificate, do the following:
    • Copy the certificate and the private key to the ZAB.
    • Specify the path of the certificate.
    • Specify the path of the key.
    • Optionally, specify a password to decrypt the key.
  • If you are using the ZAB to provision users but not to authenticate them, you can allow the system to generate a self-signed certificate. Press Enter when prompted for the certificate and complete the questions.
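Before you point zab install-server-cert at a certificate and key, it is worth confirming that the two actually belong together, that the certificate has not already expired, and whether it is self-signed. The following shell function is an added example and not part of the Zscaler documentation; it assumes openssl is on the PATH and uses placeholder file names.

```shell
#!/bin/sh
# check_cert_key CERT KEY [PASSWORD]
# Returns 0 when the certificate's public key matches the private key and the
# certificate has not expired; prints the reason and returns 1 otherwise.
# Added example, not Zscaler's code. Assumes openssl is installed.
check_cert_key() {
    cert="$1"; key="$2"; pass="${3:-}"
    [ -r "$cert" ] || { echo "cannot read certificate $cert"; return 1; }
    [ -r "$key" ]  || { echo "cannot read private key $key"; return 1; }

    # Compare a digest of the public key carried by each file. This works for
    # RSA and EC keys alike. An empty -passin never prompts; it simply fails
    # on an encrypted key when no password was supplied.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256) || return 1
    key_pub=$(openssl pkey -in "$key" -passin "pass:$pass" -pubout 2>/dev/null \
              | openssl sha256) || return 1
    [ "$cert_pub" = "$key_pub" ] || { echo "certificate and key do not match"; return 1; }

    # Reject a certificate that has already expired.
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null \
        || { echo "certificate is expired"; return 1; }

    # A self-signed certificate is acceptable for a provisioning-only ZAB, but
    # users' browsers will not trust it for authentication, so point it out.
    issuer=$(openssl x509 -in "$cert" -noout -issuer)
    subject=$(openssl x509 -in "$cert" -noout -subject)
    [ "${issuer#issuer=}" = "${subject#subject=}" ] && echo "note: certificate is self-signed"
    return 0
}
```

Run it as check_cert_key /path/to/server.crt /path/to/server.key [password] and only proceed with zab install-server-cert when it returns 0.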

Install the ZAB software and start it

  1. To download the ZAB software for the first time, enter the following command: zab update-now
  2. To start the ZAB, enter the following command: zab start
  3. Run zab enable-autostart so that the ZAB starts automatically after a reboot.
  4. Verify that the ZAB is operational by running the following commands:
    zab status displays the running process.
    sockstat -4 shows that the ZAB is making outbound connections.
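The sockstat -4 check above is what confirms the outbound-only posture described under Firewall Requirements. As an added example that is not from the Zscaler documentation, the shell functions below count the established outbound connections of a named process and flag listening sockets on ports you did not expect; the sockstat output they run on is constructed sample text, and the addresses and ports in it are placeholders.

```shell
#!/bin/sh
# Constructed sample of sockstat -4 output (FreeBSD column layout):
# USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS. Not real data.
SOCKSTAT_SAMPLE='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       812   3  tcp4   *:22                  *:*
zab      zab        1234  5  tcp4   10.10.20.5:443        *:*
zab      zab        1234  7  tcp4   10.10.20.5:45001      203.0.113.10:443
zab      zab        1234  8  tcp4   10.10.20.5:45002      203.0.113.11:443
zab      zab        1234  9  tcp4   10.10.20.5:45003      10.10.30.9:389'

# count_outbound SOCKSTAT_TEXT COMMAND
# Prints the number of sockets owned by COMMAND that have a real peer, i.e.
# a foreign address other than "*:*" (listening sockets have no peer).
count_outbound() {
    printf '%s\n' "$1" | awk -v cmd="$2" \
        '$1 != "USER" && $2 == cmd && $7 != "*:*" { n++ } END { print n + 0 }'
}

# unexpected_listeners SOCKSTAT_TEXT "PORT PORT ..."
# Prints one line per listening socket whose local port is not in the
# space-separated allow list. Empty output means nothing unexpected listens.
# Hypothetical allow list for a ZAB: 22 (admin SSH) and 443 (user authentication).
unexpected_listeners() {
    printf '%s\n' "$1" | awk -v allowed="$2" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 != "USER" && $7 == "*:*" {
            port = $6; sub(/.*:/, "", port)
            if (!(port in ok)) print $2 " listens on " $6
        }'
}

# Typical use on the ZAB itself (sockstat -4 replaces the sample):
#   out=$(sockstat -4); count_outbound "$out" zab; unexpected_listeners "$out" "22 443"
```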

Install zab software - zab update now

Install zab software - zab start

Install zab software - autostart

Install zab software - zab status

Install zab software - sockstat

Troubleshooting

Following are some commands that you can use to troubleshoot your configuration:

  • zab -h
    Lists the ZAB commands.
  • zab test-firewall
    Runs a script to test that the required outbound connections pass through your firewall.
  • zab collect-diagnostics
    Collects all the relevant log files and configuration files, and then places them in a zip file. You can send the zip file to Zscaler Support for troubleshooting.
  • zab enable-remote-debugging
    Allows Zscaler Support to examine and diagnose configuration errors. This feature is disabled by default. Run the command to enable it.
  • zab support-access-start
    Allows Zscaler Support to log in to your ZAB via SSH, if your organization requires assistance. An interactive shell is often useful when additional troubleshooting assistance is required. This feature is disabled by default. Run the command to enable it.

Configure Synchronization Settings

After you configure the ZAB, you must then configure the service to synchronize with the ZAB. You can optionally configure the service to use the ZAB for authentication as well.

To configure the service to synchronize with the ZAB, log in to the service and do the following:

  1. Go to Administration > Authentication > Authentication Settings.
  2. From the Authentication Profile tab, choose Active Directory as the Directory Type.
  3. Click Setup Wizard to start the wizard.
  4. Complete the fields in the Directory Server window and ensure that you specify the following values:
    • Authentication Agent Hosting: Choose Enterprise.
    • Directory Server IP Address: Enter the IP address of the directory server to which the ZAB connects.
  5. In the Directory Server Authentication window, specify any user in the BIND DN field. It does not have to be an administrator.
  6. The Detected Settings window shows that the wizard has successfully connected to the directory server and pre-populated the Base DN field. Click Next.
  7. In the Lookup Parameters window, specify a user to enable the service to discover the LDAP attributes it needs. Choose Auto from the Lookup Parameters filter list, and enter an email address, login name, DN, or LDAP attribute.
    The Synchronization window then displays the synchronization results.
  8. In the Authentication Parameters window, verify that the user information was synchronized correctly.
    If your organization is using the ZAB for authentication as well, ensure that the ZAB URL is specified in the Authentication Agent Address field. If your organization is using another authentication mechanism, such as SAML or LDAP, the Authentication Agent Address field can contain any IP address.
  9. Click Finish.

setup wizard start

setup wizard 1

setup wizard 2

setup wizard 3

setup wizard 4

setup wizard 4a

setup wizard 5

Configuring a Local NTP Server

Optionally, if you have a local NTP Server, you can configure the ZAB to synchronize time with that server, as follows:

  1. Run the following as root:
    crontab -e
  2. Add the following line:
    */10 * * * * ntpdate <ntp-server-name>
  3. Save and exit.

The time synchronization command will run every 10 minutes.