1. Allow
The Zero Trust Exchange verifies identity and context via
2. Block
an IdP. Once this is verified policies can be enforced to do
3. Isolate
what four actions?
4. Prioritize
1. Infrastructure as a Service (IaaS)
Zscaler Private Access (ZPA) configures connectivity to pri-
2. Platform as a Service (PaaS)
vate applications and resources hosted where?
3. Your private data center
Zscaler can integrate with Active Directory, Azure Active Di-
Zscaler integrates with multiple IdP partners and can work
rectory, ADFS, Okta, Ping, or really any SAML 2.0-compliant
with .
identity provider
Service Provider (SP) - The "Application" Also known as the
Define Service Provider (SP) and the role it plays with IdP Relying Party (RP) to the Identity Provider (IdP) Employs
integration with Zscaler. the services of an IdP for the Authentication and Autho-
rization of users Zscaler acts as a SAML SP
IdP - Authenticates Users/Devices Provides Identifiers and
Define Identity Provider (IdP) and the role it plays with IdP
Identity Assertions for users that wish to access a service.
integration with Zscaler.
IdP examples include: Okta, Ping, AD FS, Azure AD
Also known as Tokens Issued to users by the IdP Presented
Define Security Assertions and the role it plays with IdP to SPs / RPs to confirm authentication Trust based on
integration with Zscaler. PKI Assertions may contain: Authentication, Attribute, or
Authorization statements
1. User Clicks an application.
2. User is redirected to Zscaler. (ZIA or ZPA pending re-
quest)
3. User clicks to log into Zscaler (ZIA or ZPA pending re-
Describe the authentication flow for Zscaler utilizing SAML
quest)
with an IdP initiated SSO.
4. User is redirected to SAML IdP login (this can include
user attributes and/or group memberships)
5. User logs into IdP (this can include user attributes
and/or group memberships)
, ZDTA Exam Test Questions with Answers Graded A+
6. IdP sends over assertion Identity to user (SAML asser-
tion is encrypted)
7. User sends identity to Zscaler (SAML assertion is en-
crypted)
8. Zscaler issues auth token to user (assertion is verified)
9. User is given access to the application
Advantages -
- Updates information automatically
- Allows users to be deleted (While Auto-Provisioning can
What are the advantages of using SCIM? What are the add user information, it cannot delete users from the
disadvantages? database)
Disadvantages -
- Not supported by all IdPs
1. Add Users: As they are assigned to the ZPA SP in the
source IDP
2. Delete Users: Remove ZPA access for users that are
either removed from the ZPA SP in the source IdP, or are
What operations are supported by SCIM?
removed from the directory completely.
3. Update Users: Update SCIM attributes dynamically (e.g.
group memberships)
4. Apply Policy: Based on SCIM user or group attributes.
It is a lightweight app that sits on users' endpoints and
What is the Zscaler Client Connector (ZCC)? enforces security policies and access controls regardless
of device, location, or application.
What is the recommended mode for Zscaler Client Con-
The recommended mechanism is to use the Zscaler tun-
nector (ZCC) to function when it's forwarding traflc to
nel.
Zscaler Internet Access (ZIA)
, ZDTA Exam Test Questions with Answers Graded A+
What are the three authenticated tunnel options (mean- 1. ZTunnel - Packet Filter Based
ing that once the user is enrolled in Zscaler Client Connec- 2. ZTunnel - Route-Based
tor (ZCC)? 3. ZTunnel with Local Proxy
1. Enforced PAC mode, which basically instruments the
PAC file in the browser, similar to what you'd get from a
group policy object. That means that the browser itself
is forced to go to Zscaler Internet Access via a specified
What are the additional options that support legacy im-
proxy.
plementations for ZCC?
2. None, meaning that the policy is not going to do any
configuration of proxy or tunneling mode, and relies on
the group policy object or the default configuration within
the browser.
It is an HTTP CONNECT tunnel. So as traflc is forwarded
into the tunnel, it creates a CONNECT method toward the
What type of tunnel is ZTunnel 1.0?
cloud. It doesn't really encapsulate the traflc. It simply
adds some header information
It is a DTLS (Datagram Transport Layer Security) tunnel
with fallback to TLS (Transport Layer Security) supporting
What type of tunnel is ZTunnel 2.0? all client traflc, which means the Zscaler Firewall, as part
of the Zero Trust Exchange, could inspect and apply policy
on all traflc.
With Z-Tunnel 2.0, which is the best practice option, the
tunnel is the control channel and a single tunnel from the
client to the Zero Trust Exchange. Any notifications from
Which is best practice ZTunnel 1.0 or 2.0?
the Client Connector admin portal (aka. "Mobile Admin")
are passed through the Zero Trust Exchange directly to the
client, and those happen in real time.
Set this up in order to make the decision as to which
Multiple trusted networks.
forwarding profile matches our desired outcome.
What are the enforcing proxy action types?
, ZDTA Exam Test Questions with Answers Graded A+
1. Automatically Detect Settings - The client sends a WPAD
(Web Proxy Auto-Discovery) lookup looking for a proxy.
2. Use Automatic Configuration Script - Explicitly config-
ure where the Zscaler Client Connector sets your custom
system PAC file to download and run through that PAC file
configuration for traflc to be explicitly proxied to a proxy
server. Also referred to as a forwarding PAC file.
3. Use Proxy Server for Your LAN -This is a hard-coded
proxy import (IP address and a port or an FQDN and a
port) with the ability to bypass local addresses. A local
address is something that is non-fully qualified.
4. Execute GPO Update - The Windows machine will pro-
vide a GPO (Group Policy Object) update/force from Active
Directory to set the proxy settings on the machine.
1 Custom PAC URL - References the PAC file configured
in the ZIA Admin Portal, making decisions on traflc that
should be forwarded or bypassed from the Zero Trust
Exchange.
2 Override WPAD - Ensures that the system GPO WPAD
configuration is prevented, and makes sure that the WPAD
configuration in the forwarding profile is used as a prece-
dence.
What are the most common configuration items for an
3· Restart WinHTTP - specific to Windows devices Ensures
application profile?
that the system refreshes all of the proxy configuration
once Zscaler Client Connector is established.
4· Install Zscaler SSL Certificate - Covered more in the next
section. If you aren't pushing out your own certificates
from your own Certificate Authority, then simply enabling
this option will use the one provided by Zscaler. 23
5· Tunnel Internal Client Connector Traflc - Ensures that
the health updates and policy traflc passes through the