Purpose
This document outlines the steps for adding a web application or URL to Zscaler Private Access (ZPA) specifically to bypass Zscaler Internet Access (ZIA) when standard ZIA troubleshooting methods, such as SSL decryption bypass or traffic policy adjustments, fail to resolve connection issues for users. This approach provides a secure alternative for applications with unique requirements that conflict with ZIA's proxy architecture.


Prerequisites

Ensure the following before proceeding:

  • Access to the ZPA Admin Portal
  • Understanding of the web app’s:
    • URL(s)
    • Port(s)
    • Traffic behavior
  • Confirmed failure of standard ZIA troubleshooting, including:
    • SSL decryption bypass
    • URL filtering/firewall adjustments
  • Functional ZPA App Connector(s) with connectivity to the target application
  • Awareness of any ZIA policies potentially affecting the application


🔧 Step-by-Step Configuration

1. Log in to ZPA Admin Portal

  • Navigate to your ZPA Admin Portal.
  • Authenticate using administrator credentials.

2. Navigate to Application Segments

  • Go to Applications → Application Segments in the left-hand menu.

3. Add a New Application Segment

  • Click “Add Application Segment”.

4. Configure General Settings

  • Name: Use a descriptive name (e.g., ZIA Bypass - [App Name]).
  • Domain Names: Enter the FQDN(s) and subdomains:
    • Example: app.example.com, api.app.example.com
  • Description: Clearly state why ZPA is required:
    • Examples:
      • "ZIA proxy incompatibility due to custom headers/authentication"
      • "SSL decryption issues unresolved"
  • TCP/UDP Ports: List the ports used by the app (e.g., 443, 8080, 9443)
  • (Optional) Double Encryption: Enable if extra security is required.
  • (Optional) Health Reporting: Enable to monitor app availability.

5. Configure Server Groups

  • Go to the Server Groups tab.
  • Click “Add Server Group”.
  • Select the server group(s) with the App Connector(s) that have access to the application.
  • Click Save.

6. Configure Application Segment Settings

  • Bypass Type: Set to Never Bypass (ensures traffic for this segment is always routed via ZPA rather than ZIA).
  • Inspection Settings: Configure if ZPA inspection is needed.
  • (Optional) Clientless Access: Enable for browser-based access without the Zscaler App.
  • (Optional) Enforce User Authentication: Enable if user auth is required.

7. Save the Application Segment

  • Click “Save” to finalize the application segment.

8. Configure Access Policies

  • Go to Policy → Access Policy
  • Create or modify an existing access policy:
    • Define users, groups, and locations
    • Select the newly created application segment
    • Set Action to Allow
  • Save the policy.

9. Testing

  • Have users connect to ZPA via the Zscaler App
  • Confirm:
    • Site is accessible
    • ZIA is not intercepting traffic
    • App functions as expected
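The following is an added example (not Zscaler code) that captures steps 4, 6 and 9 of this runbook as a small pre-flight and verification script: it validates the domain names and port list, assembles the segment definition with Bypass Type fixed to NEVER, and checks whether a hostname now resolves to a ZPA synthetic IP on a user's machine. The dictionary keys are this example's own names for the portal fields, and the 100.64.0.0/10 synthetic-IP range is an assumption about the tenant's default that should be confirmed in your own ZPA settings.

```python
import ipaddress
import re
import socket

# Label-by-label FQDN check: letters, digits, hyphens, no leading/trailing hyphen.
FQDN_RE = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))+$"
)
# Assumption: Zscaler Client Connector hands out synthetic IPs from this
# range for ZPA-routed hosts; confirm the range configured on your tenant.
ZPA_SYNTHETIC = ipaddress.ip_network("100.64.0.0/10")


def parse_ports(spec):
    """'443, 8080, 9443-9445' -> [(443, 443), (8080, 8080), (9443, 9445)]."""
    ranges = []
    for item in spec.split(","):
        item = item.strip()
        lo, _, hi = item.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"bad port range: {item}")
        ranges.append((lo, hi))
    return ranges


def build_segment(app_name, domains, tcp_ports, reason):
    """Assemble the application segment as described in steps 4 and 6."""
    if not reason.strip():
        raise ValueError("description must state why ZPA is required")
    bad = [d for d in domains if not FQDN_RE.match(d)]
    if bad:
        raise ValueError(f"not a valid FQDN: {bad}")
    return {
        "name": f"ZIA Bypass - {app_name}",      # naming convention from step 4
        "description": reason,
        "domain_names": sorted({d.lower() for d in domains}),
        "tcp_ports": parse_ports(tcp_ports),
        "bypass_type": "NEVER",                  # step 6: Never Bypass
        "double_encryption": False,
        "health_reporting": True,
    }


def routed_via_zpa(fqdn, resolver=socket.gethostbyname):
    """Step 9 check: a synthetic IP means the Client Connector is intercepting
    the host for ZPA; a public IP suggests it is still going out via ZIA."""
    return ipaddress.ip_address(resolver(fqdn)) in ZPA_SYNTHETIC
```

Run `routed_via_zpa("app.example.com")` on a test user's machine after the policy is saved; pass a custom `resolver` to exercise the check offline.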