Summary
Zscaler Private Access (ZPA) is a cloud-based, VPN-type solution that allows end users to access enterprise resources when they are off the corporate network, such as when working from home. ZPA uses Network Address Translation (NAT) for this communication, which prevents the Adaptiva server from communicating with the Adaptiva client directly. When ZPA is enabled, the Adaptiva OneSite Cloud client can be configured in two different ways to function correctly in this state:
- Allow the Adaptiva client to communicate directly with the Adaptiva Cloud Relay for messaging to the on-premises server, and store client content in the CDN.
- Use the direct Internet connection for communication through the ZPA cloud-based ZenBroker.
This document describes the recommended ZPA configuration for use with Adaptiva OneSite Cloud. With both of the above options, the Zscaler client requires the Client Connector Forwarding Policy to be defined using the Packet Filter Based option for the Windows driver.
ZPA Client Connector Forwarding Policy
To view the Windows driver used by the Client Connector, open the ZPA Administration web interface and select Client Connector.
Then click Administration in the Client Connector Administration site.
Then click Forwarding Profile.
Click the pencil icon to edit the forwarding profile used for Zscaler Private Access and ensure Packet Filter Based is selected in the Windows Driver Selection section. This is the option recommended by Zscaler.
Change and save as needed.
If no forwarding profile is set up, use the latest Zscaler documentation to define a forwarding profile for ZPA use.
Close the Zscaler Client Connector interface.
1. Setup for use with Adaptiva Cloud Relay
The only traffic allowed to the Adaptiva server over ZPA is the connection to the administrative Web UI, which can be limited to Adaptiva administrators.
Adaptiva Client Installation Configuration
- Run Client Setup as Admin.
- Select the Use Adaptiva Cloud Relay option.
- Click Upgrade or Install and complete the setup with any additional configuration.
ZPA configuration
Ensure no Adaptiva UDP ports are allowed to communicate over ZPA. Depending on the ZPA configuration, this may require a blocking policy for the Adaptiva UDP ports.
2. Setup for Adaptiva direct Client Communication
The Adaptiva client can also be set up for direct communication with the Adaptiva server over ZPA; however, this configuration is more complex and is only recommended for specific scenarios, for example when the Cloud Relay is not in use. If the Adaptiva CDN is also in use, the HTTP port used for communication must also be exposed to the Internet from the Adaptiva server, so that clients can still communicate with the Adaptiva server when ZPA is not turned on. Otherwise, the IBCM fallback settings are also required.
Adaptiva Server Setup
- Run Server Setup as Admin.
- While installing the Adaptiva server component, select the Enable HTTP Communications option and define an unused TCP port (e.g. 8888).
- Define the rest of the configuration options and complete the setup.
Adaptiva Client Setup
Note: Either the HTTP direct or the Cloud Relay option can be selected on a client, but not both. Both connection types are supported on the server at the same time, so direct HTTP clients and cloud clients can coexist within the environment (for example, if some clients are not permitted or desired to use the Cloud Relay while others will only use HTTP direct).
- Run Client Setup on all clients that require HTTP direct communication.
- When installing the Adaptiva client, select the direct HTTP configuration or the appropriate command-line option as described in the Adaptiva Installation Guide. Include the port number you wish to use for Adaptiva client-to-server communication (http://Adaptivasrv.test.local:8888). The port used during the client install must match the port designated in the server install.
- Click Upgrade or Install and complete the setup with any additional configuration.
Adaptiva Client Settings with no CDN
- Enable the IBCM fallback settings if no CDN is set up.
ZPA Configuration
ZPA requires an allow rule for the HTTP communication port to the Adaptiva server. The following steps outline how to define the Application Segment for HTTP direct communication.
- Select Administration -> Application Segments
- Click Add Application Segment
- In the Name field, enter a name (e.g. Adaptiva OneSite).
- In the Application field, enter the FQDN of the Adaptiva server (e.g. adaptivasvr.test.local).
- Under Port Ranges, in the TCP Port Ranges section, define the custom HTTP communication port selected during the Adaptiva server setup (e.g. 8889). Ensure no Adaptiva UDP ports are allowed through ZPA (refer to the Adaptiva Port List in the installation guide).
- Alternatively, if Web UI access is also needed over ZPA, the Web UI port can be included here as well (e.g. TCP port 9678).
- Click Next
- Add or Select the appropriate Segment Group.
- Click Next
- Add or Select the appropriate Server Group.
- Click Next
- Click Save
The Adaptiva client will communicate with the on-premises Adaptiva server through the ZPA tunnel. Content retrieval goes directly to an Internet peer, the CDN, or the fallback, depending on the environment configuration chosen.
Optional: ZPA Configuration for Web UI administration
If access to the Web UI over ZPA is required, the settings below are needed to ensure access.
Within the Zscaler Administration web interface:
- Select Administration -> Application Segments
- Click Add Application Segment
- In the Name field, enter a name (e.g. Adaptiva OneSite).
- In the Application field, enter the FQDN of the Adaptiva server (e.g. adaptivasvr.test.local).
- Under Port Ranges, define only the custom Web UI port in the TCP Port Ranges section (e.g. 9678). Ensure no Adaptiva UDP ports are allowed through ZPA (refer to the Adaptiva Port List in the installation guide).
- Click Next
- Add or Select the appropriate Segment Group.
- Click Next
- Add or Select the appropriate Server Group.
- Click Next
- Click Save
The new Application Segment will now be listed. This allows communication with the Adaptiva server over ZPA for administration purposes via the Web UI only, and prevents the Adaptiva client from making its initial communication with the server and changing its location to Internet. All client communication and content downloads bypass the ZPA cloud.
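The two ZPA Configuration sections above and the client setup notes reduce to a small set of facts that must agree: the server's HTTP communication port, the port in the client's server URL, and the TCP port(s) opened in the Application Segment for the server FQDN, with no UDP ranges at all. The script below is an added example (not Adaptiva's or Zscaler's own code) that cross-checks those facts against a list of Application Segment records. The record shape (name, domainNames, tcpPortRanges, udpPortRanges as flat from/to string pairs) is assumed to mirror a ZPA Application Segment export; the segments and the UDP port numbers in the sample data are constructed placeholders, not Adaptiva's actual port list, which is in the Adaptiva installation guide.

```python
"""Cross-check Adaptiva OneSite Cloud server, client and ZPA segment settings.

Added example, not Adaptiva's or Zscaler's code. Field names assume a ZPA
Application Segment export; adapt them to the export you actually have.
"""
from urllib.parse import urlsplit


def parse_client_url(url):
    """Return (host, port) from the client's server URL; http defaults to 80."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"unexpected server URL: {url!r}")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return parts.hostname.lower(), port


def expand_ranges(ranges):
    """Turn flat from/to pairs like ["8888", "8888", "9678", "9678"] into {8888, 9678}."""
    if len(ranges) % 2:
        raise ValueError("port ranges must be from/to pairs")
    ports = set()
    for lo, hi in zip(ranges[0::2], ranges[1::2]):
        ports.update(range(int(lo), int(hi) + 1))
    return ports


def targets_host(segment, fqdn):
    """True if the segment's Application (domainNames) list includes the server FQDN."""
    return fqdn.lower() in {d.lower() for d in segment.get("domainNames", [])}


def check_segment(segment, allowed_tcp):
    """Return findings for one segment; an empty list means it matches the intended policy."""
    name = segment.get("name", "<unnamed>")
    findings = []
    # Any UDP range at all is a misconfiguration: Adaptiva UDP must not cross ZPA.
    udp = expand_ranges(segment.get("udpPortRanges", []))
    if udp:
        findings.append(f"{name}: UDP ports {sorted(udp)} are allowed over ZPA; they must be blocked")
    tcp = expand_ranges(segment.get("tcpPortRanges", []))
    extra = sorted(tcp - allowed_tcp)
    if extra:
        findings.append(f"{name}: unexpected TCP ports {extra} are allowed over ZPA")
    missing = sorted(allowed_tcp - tcp)
    if missing:
        findings.append(f"{name}: required TCP ports {missing} are not allowed over ZPA")
    return findings


def check_http_direct(server_http_port, client_url, segments, web_ui_port=None):
    """Setup 2 (HTTP direct): client URL port must equal the server port, and the
    segment(s) for that host may open only that port (plus the Web UI port if given)."""
    host, port = parse_client_url(client_url)
    findings = []
    if port != server_http_port:
        findings.append(f"client URL port {port} does not match server HTTP port {server_http_port}")
    allowed = {server_http_port} | ({web_ui_port} if web_ui_port else set())
    matching = [s for s in segments if targets_host(s, host)]
    if not matching:
        findings.append(f"no ZPA Application Segment targets {host}")
    for seg in matching:
        findings.extend(check_segment(seg, allowed))
    return findings


def check_web_ui_only(fqdn, web_ui_port, segments):
    """Setup 1 (Cloud Relay): only the Web UI port may reach the server over ZPA."""
    findings = []
    for seg in segments:
        if targets_host(seg, fqdn):
            findings.extend(check_segment(seg, {web_ui_port}))
    return findings


# Constructed sample data: one segment as the article describes it, and one that
# also opens the Web UI port and (wrongly) a UDP range. The UDP values 34000-34100
# are placeholders, not Adaptiva's real ports.
SEGMENTS = [
    {"name": "Adaptiva OneSite", "domainNames": ["adaptivasvr.test.local"],
     "tcpPortRanges": ["8888", "8888"], "udpPortRanges": []},
    {"name": "Adaptiva OneSite (misconfigured)", "domainNames": ["adaptivasvr.test.local"],
     "tcpPortRanges": ["8888", "8888", "9678", "9678"], "udpPortRanges": ["34000", "34100"]},
]

if __name__ == "__main__":
    for f in check_http_direct(8888, "http://adaptivasvr.test.local:8888", SEGMENTS) or ["HTTP direct: OK"]:
        print(f)
    for f in check_web_ui_only("adaptivasvr.test.local", 9678, SEGMENTS) or ["Web UI only: OK"]:
        print(f)
```

Run it against your own export to confirm that the port you typed into the client install is the one the server listens on and the one ZPA actually forwards; the misconfigured sample record shows the two findings that matter most, an open UDP range and a TCP port the chosen setup did not call for.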