Zscaler App: Step-by-Step Configuration Guide

This guide takes you step-by-step through the configuration tasks you must complete to begin using the Zscaler App for your organization. Each step links you to the appropriate article for that configuration task.

A. Requirements

See below for system requirements and prerequisite tasks you must have completed before your organization can use the Zscaler App for the Zscaler Internet Access (ZIA) and Zscaler Private Access (ZPA) services.

Windows

  • Windows 7, 8, 8.1, or 10
  • Disk usage: 200 MB
  • Memory usage: 150 MB
  • Processor capable of running operating systems supported by the Zscaler App
  • Microsoft .NET Framework 4 and above
  • Whitelisted Zscaler App processes and configured firewall bypasses: Zscaler has whitelisting agreements for the Zscaler App in place with specific endpoint protection vendors such as Trend Micro and Kaspersky Labs. For some endpoint protection products, such as anti-virus and personal firewall software, you may need to perform additional whitelisting to ensure full Zscaler App functionality. See the list below.

Windows Processes and bypasses

Zscaler recommends that your users' Windows devices have inbound rules that allow the following Zscaler App binaries and processes.

Processes to Whitelist

You can use GPO to define rules that allow the following processes.

NOTE: %ProgramFiles% and %ProgramFiles(x86)% are macros that expand to the location of the program files, including the drive. Program files are usually located on the C drive. There are exceptions; for example, on an Amazon WorkSpace (AWS), the program files are on the D drive.

  • Windows 64-bit
    • %ProgramFiles(x86)%\Zscaler\ZSATray\ZSATray.exe
    • %ProgramFiles(x86)%\Zscaler\ZSATunnel\ZSATunnel.exe
    • %ProgramFiles(x86)%\Zscaler\ZSAService\ZSAService.exe
    • %ProgramFiles(x86)%\Zscaler\ZSAUpdater\ZSAUpdater.exe
    • %ProgramFiles(x86)%\Zscaler\Updater\zscalerappupdater.exe
    • %ProgramFiles(x86)%\Zscaler\Updater\zscalerchecksumverifier.exe
    • %ProgramFiles(x86)%\Zscaler\ThirdParty\CertUtil\certutil.exe
    • %ProgramFiles(x86)%\Zscaler\ThirdParty\Filechecksum\fciv.exe
    • %ProgramFiles(x86)%\Zscaler\ThirdParty\TAPDriver\Zscaler-Network-Adapter-1.0.1.0.exe
    • %ProgramFiles(x86)%\Zscaler\ThirdParty\TAPDriver\Zscaler-Network-Adapter-1.0.2.0.exe
  • Windows 32-bit
    • %ProgramFiles%\Zscaler\ZSATray\ZSATray.exe
    • %ProgramFiles%\Zscaler\ZSATunnel\ZSATunnel.exe
    • %ProgramFiles%\Zscaler\ZSAService\ZSAService.exe
    • %ProgramFiles%\Zscaler\ZSAUpdater\ZSAUpdater.exe
    • %ProgramFiles%\Zscaler\Updater\zscalerappupdater.exe
    • %ProgramFiles%\Zscaler\Updater\zscalerchecksumverifier.exe
    • %ProgramFiles%\Zscaler\ThirdParty\CertUtil\certutil.exe
    • %ProgramFiles%\Zscaler\ThirdParty\Filechecksum\fciv.exe
    • %ProgramFiles%\Zscaler\ThirdParty\TAPDriver\Zscaler-Network-Adapter-1.0.1.0.exe
    • %ProgramFiles%\Zscaler\ThirdParty\TAPDriver\Zscaler-Network-Adapter-1.0.2.0.exe

Bypasses for Firewall

Additionally, if you have a GPO-managed or AV-managed host firewall, you may configure an inbound firewall rule on your endpoint protection product for ZSATunnel.exe processes for all ports, protocols, and network interfaces.

  • ZSATunnel.exe: Inbound and Outbound
  • ZSATray.exe: Outbound
  • ZSAUpdater.exe: Outbound
  • ZSAService.exe: Outbound
  • Zscalerappupdater.exe: Outbound
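
The per-process directions listed above can be expressed as Windows Firewall rules with the built-in NetSecurity cmdlets. The script below is an added example, not Zscaler's own tooling; the rule names, the 'Zscaler App' group label, and the signature check performed before each rule is created are assumptions of this example.

```powershell
#Requires -RunAsAdministrator
# Added example: allow rules for the Zscaler App binaries, one rule per
# binary and direction, each pinned to the full path of the executable.

# 64-bit Windows installs under %ProgramFiles(x86)%, 32-bit under %ProgramFiles%.
$base = if (${env:ProgramFiles(x86)}) { ${env:ProgramFiles(x86)} } else { $env:ProgramFiles }

# Paths and directions are taken from the lists on this page.
$rules = @(
    @{ Path = 'Zscaler\ZSATunnel\ZSATunnel.exe';         Directions = 'Inbound', 'Outbound' }
    @{ Path = 'Zscaler\ZSATray\ZSATray.exe';             Directions = 'Outbound' }
    @{ Path = 'Zscaler\ZSAUpdater\ZSAUpdater.exe';       Directions = 'Outbound' }
    @{ Path = 'Zscaler\ZSAService\ZSAService.exe';       Directions = 'Outbound' }
    @{ Path = 'Zscaler\Updater\zscalerappupdater.exe';   Directions = 'Outbound' }
)

foreach ($rule in $rules) {
    $exe = Join-Path $base $rule.Path
    if (-not (Test-Path -LiteralPath $exe -PathType Leaf)) {
        Write-Warning "Skipping (not installed): $exe"
        continue
    }

    # A path-based rule trusts whatever file sits at that path, so require a
    # valid Authenticode signature and print the signer for review.
    $sig = Get-AuthenticodeSignature -FilePath $exe
    if ($sig.Status -ne 'Valid') {
        Write-Warning "Skipping (signature status: $($sig.Status)): $exe"
        continue
    }
    Write-Host "$exe signed by: $($sig.SignerCertificate.Subject)"

    foreach ($direction in $rule.Directions) {
        $name = "Zscaler App - $(Split-Path $exe -Leaf) - $direction"
        # Skip rules that already exist so the script can be re-run safely.
        if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) { continue }
        $params = @{
            DisplayName = $name
            Group       = 'Zscaler App'   # assumed label, used only for grouping
            Direction   = $direction
            Program     = $exe
            Action      = 'Allow'
            Profile     = 'Any'
        }
        New-NetFirewallRule @params | Out-Null
    }
}
```

Get-NetFirewallRule -Group 'Zscaler App' lists the rules the script created, which makes later review or removal straightforward.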

Mac

  • Mac OS X 10.10 and later.
  • Disk usage: 200 MB
  • Memory usage: 150 MB
  • Processor capable of running operating systems supported by the Zscaler App
  • If you will be using the Tunnel mode in your forwarding profile, ensure that you disable the system firewall.
  • Whitelisted Zscaler App processes and configured firewall bypasses: Zscaler has whitelisting agreements for the Zscaler App in place with specific endpoint protection vendors such as Trend Micro and Kaspersky Labs. For some endpoint protection products, such as anti-virus and personal firewall software, you may need to perform additional whitelisting to ensure full Zscaler App functionality. See the list below.

Mac Whitelist and bypass

Processes to Whitelist

Zscaler recommends that your users' Mac devices have inbound rules that allow the following Zscaler App binaries and processes.

  • /Applications/Zscaler/Zscaler.app/Contents/PlugIns/ZscalerTunnel
  • /Applications/Zscaler/Zscaler.app/Contents/PlugIns/ZscalerService
  • /Applications/Zscaler/Zscaler.app/Contents/MacOS/Zscaler
  • /Applications/Zscaler/.Updater/autoupdate-osx.app/Contents/MacOS/ZscalerUpdater
  • Zscaler App Identifier: com.zscaler.Zscaler

Bypasses for Firewall

Additionally, if you have an AV-managed host firewall, you may configure an inbound firewall rule on your endpoint protection product for ZscalerTunnel processes for all ports, protocols, and network interfaces.

  • ZscalerTunnel: Inbound and Outbound
  • ZscalerService: Outbound
  • Zscaler: Outbound
  • ZscalerUpdater: Outbound

ZIA

ZPA

  • Configure appropriate security and access settings in the ZPA admin portal.
  • SAML-based authentication must be configured and users provisioned. Note that you cannot use the Zscaler App Portal as an IdP for the ZPA service.
  • To ensure the Zscaler App properly processes traffic for ZPA, add the following domains to the SSL bypass list. If you use a PAC file for the Zscaler App, you must add the URLs to the SSL bypass list in the PAC file as well.
    • api.zscalerconnect.net
    • api.zscalershift.net
    • broker.prod.zpath.net
    • samlsp.private.zscaler.com
    • Any domains used by your organization's identity provider (IdP) (for example, example.okta.com)

C. Configure App Profiles

Configure app profiles for Windows and/or Mac OS X computers.

D. Download the Zscaler App

Download the app from the Zscaler App Portal.

E. Prepare the Installer File with Preferred Installer Options

Before installing the App, you can add install options to customize the App for your organization.

F. Install the Zscaler App

You can install the Zscaler App manually on individual computers, or you can use your organization's device management mechanism to deploy the App to your users' computers.

Once the app is installed on users' devices, users can enroll with Zscaler. During enrollment, the app will download the appropriate app profile and administrative settings as configured in the Zscaler App portal.

G. Zscaler App System Location

To learn where the Zscaler App is installed on users' Windows or Mac OS X devices, see the following articles:
