by Kit Ainscough 12 months ago
Simple Certificate Enrollment Protocol (SCEP)
  - iOS v8 enabled SCEP with SSO
  - KDC discovery (location based) enables tighter scope
  - iOS v13 enabled SCEP with SSO (extension)
IdP setup steps
  1 Add new IdP in ZPA for user auth
  2 Add ZPA Enterprise App in AAD
  3 Complete IdP setup in ZPA
    - Test config, import attributes
Browser Access (BA)
  - CNAME record
  - BA certificate
Access Policy Building blocks
  Conditions
    - SAML / SCIM attributes
    - Segment Groups
    - App Segments
    - Client Connector Posture profiles
    - Client Connector Trusted Networks
    - Machine Groups
    - Client Types
  Operands
    - Select SAML / SCIM attribute values
    - Select App Segments
    - Select Segment Groups
    - Select ZCC posture profiles
    - ZCC / BA
Configuration
  Recommendation
    - create a subordinate CA for the Private Service Edges
    - use the same root CA as the one used for the Client Connector users
Requirements
  - Internal Users
  - External Users / Branch Office
  - Hybrid
  - Relay
  - Failover
  - Multiple trusted networks
  - Private to Public
Activation
Common use cases
  - On-prem
  - Hybrid workforce
  - Local SE
  - Branch
Why?
Process
  1 upload root CA certificate
    - export root CA cert from the enterprise private CA
    - upload the cert into the ZPA instance
  2 generate CSRs for Client Connectors and App Connectors (one each)
  3 submit CSRs to the root CA for signing
    - each CSR (ZCC, App Connector) is signed by the CA
  4 upload signed CSRs to ZPA
    - upload signed CSR for App Connector
    - upload signed CSR for ZCC
Double Encryption
  - useful if legacy apps do not encrypt data in transport (e.g. telnet, http)
  - used when traffic is encrypted as it transits the ZPA infrastructure
  - use the enterprise CA to establish trust for ZPA connections
  - Subordinate CAs created in ZPA (signed by the Enterprise private root CA)
    - create subsidiary CA for Client Connectors
    - create subsidiary CA for App Connectors
    - the private keys never leave the ZPA CAs
Bring Your Own Encryption
ZIA tunnels
  - IPSEC / GRE
DMZ with split DNS
DMZ
Explicit Proxy
Authentication flow
  1 Administrator creates policy for groups or users
  2 User is challenged for authentication
  3 Upon successful authentication, the appropriate policy is enforced
Departments
  - used for policies and reporting
  - users can belong to only one department
  - no limit to users in a department
Groups
  - users can belong to < 128 groups
  - no limit to users in a group
User provisioning
  - Zscaler hosted DB
    - manual
    - CSV import
  - SAML auto-provisioning
  - LDAP bind
  - Zscaler Authentication Bridge (ZAB)
File Type
URL & Cloud App
Cloud Sandbox
Cloud Firewall
ATP
Malware Protection
CASB
DLP
Explicit Proxy / Mobile
  - PAC
  - ZCC
Transparent Proxy / Fixed
  - Surrogate IP
  - dynamic address
    - Dedicated Proxy port
    - IPSEC
      - Dead Peer Detection (DPD)
      - CIA
        - Confidentiality
        - Integrity
        - Authentication
          - PSK
      - IKE
        - Phase 1
          - authenticate peers
          - set up secure channel for Phase 2
        - Phase 2
          - negotiate parameters
          - set up SAs
          - PFS: renewal of SA keys
      - < 400 Mbps
  - static address
    - GRE
      - Technicals
        - WAN link MTU = 1500
        - WAN link MSS = WAN link MTU(1500) - IP(20) - TCP(20) = 1460
        - GRE MTU = WAN link MTU(1500) - IP(20) - GRE(4) = 1476
        - GRE MSS = GRE MTU(1476) - IP(20) - TCP(20) = 1436
      - no built-in mechanism to handle tunnel failures
      - ensure no NAT, otherwise < 250 Mbps
      - < 1 Gbps
      - Recommended
        - two GRE tunnels to two different DCs in active/standby
        - implement monitoring and automated tunnel failover
        - tunnel web traffic via GRE without NAT
        - enable Surrogate IP
        - enable User authentication