Configuring Zscaler Private Access for ZTNA

When to Use

  • When replacing traditional VPN concentrators with application-level zero trust access
  • When providing remote users secure access to internal applications without network-level connectivity
  • When implementing least-privilege access where users only see authorized applications
  • When needing to make internal applications invisible to unauthorized users and the internet
  • When integrating ZTNA with existing SASE architecture using Zscaler Internet Access (ZIA)

Do not use for applications that need a protocol other than TCP or UDP (ZPA application segments are defined by TCP and UDP port ranges, so arbitrary IP protocols are not brokered), for providing full network-level access equivalent to a site-to-site VPN (ZPA brokers individual application connections; ZPA AppProtection is an inspection feature for web application segments, not a network-access mechanism, so use Zscaler Branch Connector for site-to-site connectivity), or when the organization requires on-premises-only access control with no cloud dependency (ZPA policy is evaluated in the Zscaler cloud).

Prerequisites

  • Zscaler Private Access subscription (Business or Transformation edition)
  • Identity provider configured: Okta, Microsoft Entra ID, Ping Identity, or SAML 2.0 IdP
  • App Connector host: a supported Linux distribution (CentOS 7/8, RHEL 7/8, Ubuntu 18.04+ and Amazon Linux 2 are listed here; verify the current supported-platform list in the Zscaler documentation before building) with at least 2 vCPU and 4 GB RAM, sized up for expected throughput
  • Outbound connectivity from the App Connector to the ZPA cloud on TCP port 443 (outbound only; no inbound ports are required, and the connector's TLS sessions to the ZPA cloud must be excluded from any upstream SSL inspection)
  • DNS resolution from the App Connector to internal application FQDNs, plus direct TCP/UDP reachability from the connector to each application's ports (the connector, not the user device, originates the connection to the application)
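The prerequisites above are easiest to verify from the connector host itself before enrolling it. The following preflight script is an added example for this page, not Zscaler's own tooling: it checks the CPU/RAM minimums stated above, outbound 443 to the ZPA cloud, and DNS plus port reachability for each application the connector will front. The ZPA cloud hostname is a placeholder (take the real endpoint list for your cloud from the ZPA admin portal) and the application targets are constructed; the resolver and connector are injectable so the logic can be exercised without network access.

```python
"""Preflight for an App Connector host against the prerequisites above.

Added example for this page, not Zscaler's own tooling. Assumptions: the
ZPA cloud hostname is a placeholder (take the real list for your cloud
from the ZPA admin portal), the application targets are constructed, and
the resource minimums are the ones this page states.
"""
import os
import socket
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

MIN_VCPUS = 2                                       # minimums from the prerequisites above
MIN_MEM_MB = 4096
ZPA_CLOUD_HOSTS = ["zpa-broker.example.invalid"]   # PLACEHOLDER, not a real Zscaler hostname


@dataclass
class Finding:
    check: str
    ok: bool
    detail: str


def tcp_connect(host: str, port: int, timeout: float = 3.0) -> bool:
    """Outbound TCP connect only: the connector dials out, nothing dials in."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def resolve(name: str) -> Optional[str]:
    """Resolve with the host's own resolver, which is what the connector will use."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def host_mem_mb() -> int:
    """Total RAM in MB from /proc/meminfo (Linux); 0 if it cannot be read."""
    try:
        with open("/proc/meminfo") as fh:
            for line in fh:
                if line.startswith("MemTotal:"):
                    return int(line.split()[1]) // 1024
    except OSError:
        pass
    return 0


def run_preflight(
    app_targets: Dict[str, List[int]],
    vcpus: Optional[int] = None,
    mem_mb: Optional[int] = None,
    resolver: Callable[[str], Optional[str]] = resolve,
    connector: Callable[[str, int], bool] = tcp_connect,
    zpa_hosts: List[str] = ZPA_CLOUD_HOSTS,
) -> List[Finding]:
    """Return one Finding per check. resolver/connector are injectable so the
    logic can be exercised offline; the defaults do real lookups and connects."""
    if vcpus is None:
        vcpus = os.cpu_count() or 0
    if mem_mb is None:
        mem_mb = host_mem_mb()
    findings: List[Finding] = []

    findings.append(Finding("vcpus", vcpus >= MIN_VCPUS, f"{vcpus} (min {MIN_VCPUS})"))
    findings.append(Finding("memory", mem_mb >= MIN_MEM_MB, f"{mem_mb} MB (min {MIN_MEM_MB})"))

    # Control plane: outbound 443 to the ZPA cloud. No inbound rule is needed.
    for host in zpa_hosts:
        ip = resolver(host)
        if ip is None:
            findings.append(Finding(f"zpa-cloud {host}", False, "DNS resolution failed"))
            continue
        findings.append(Finding(f"zpa-cloud {host}:443", connector(ip, 443), f"resolved to {ip}"))

    # Data plane: the connector must resolve each app FQDN and reach its ports,
    # because it (not the user device) originates the connection to the app.
    for fqdn, ports in app_targets.items():
        ip = resolver(fqdn)
        if ip is None:
            findings.append(Finding(f"app {fqdn}", False, "internal DNS did not resolve"))
            continue
        for port in ports:
            findings.append(Finding(f"app {fqdn}:{port}", connector(ip, port), f"resolved to {ip}"))
    return findings


def all_ok(findings: List[Finding]) -> bool:
    return all(f.ok for f in findings)


if __name__ == "__main__":
    # Constructed targets; replace with the FQDNs/ports of your own application segments.
    targets = {"intranet.corp.example": [443], "db01.corp.example": [1433]}
    for f in run_preflight(targets):
        print(f"{'PASS' if f.ok else 'FAIL':4} {f.check:40} {f.detail}")
```

Run it on the connector VM with the real ZPA endpoints and your application list; a FAIL on an `app` line means an internal firewall or DNS gap that ZPA cannot paper over, since user traffic is only ever delivered through the connector's own outbound reach to the application.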
First seen: Mar 16, 2026