
App Segment: Active Directory

ZPA can work with Active Directory, Kerberos, DNS, SCCM and DFS. When defining Application Segments for Active Directory, keep in mind that ZPA proxies DNS and source-NATs (SNATs) the connections it makes to servers. Because a user's application requests may pass through any of several App Connectors serving the application, the domain controllers may see that user as coming from multiple locations, which affects AD site selection.

Domain Controller Enumeration & Group Policy Requirements

  • Dedicated Connector groups for Active Directory servers

  • App connectors have connectivity to AD on respective ports and IP addresses

    • TCP/88: Kerberos

    • TCP/464: Kerberos Password Change

    • TCP/3268: Global Catalog

    • TCP/3269: Global Catalog SSL (Optional)

    • TCP/135: MSRPC

    • TCP/139: Common Internet File System (CIFS)

    • TCP/445: CIFS

    • TCP/49152-65535: High Ports for RPC

    • UDP/88: Kerberos

    • UDP/123: NTP

    • UDP/464: Kerberos Password Change

    • UDP/389: LDAP

    • UDP/445: CIFS

  • Enable "Dynamic Server Discovery" on the server group, with a reachable App Connector Group defined

  • Define a wildcard application segment, e.g. *.exampleorg.com

    • Application segment to be configured with the AD server group

AD Authentication

For Kerberos authentication to work, the wildcard domain needs to be defined so that lookups are served within the AD server farm.

  • Required ports to be defined for Kerberos authentication

    • TCP/88: Kerberos

    • TCP/464: Kerberos Password Change

    • UDP/88: Kerberos

  • AD Application segment to be defined for the configured AD server group
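The port lists above (both the full AD list and the Kerberos subset) can be turned into a reachability check to run from an App Connector host against each domain controller. This is an added example, not Zscaler's code; the port table mirrors the page, the `_ldap._tcp.dc._msdcs` SRV name is the standard AD record clients use to enumerate domain controllers (not stated on the page), and `dc01.exampleorg.com` is a placeholder host.

```python
import socket
import sys
from typing import NamedTuple

class PortReq(NamedTuple):
    proto: str  # "tcp" or "udp"
    port: int
    service: str

# Port requirements as listed on the page; the RPC high-port range is kept separately.
AD_PORTS = [
    PortReq("tcp", 88, "Kerberos"),
    PortReq("tcp", 464, "Kerberos Password Change"),
    PortReq("tcp", 3268, "Global Catalog"),
    PortReq("tcp", 3269, "Global Catalog SSL (optional)"),
    PortReq("tcp", 135, "MSRPC"),
    PortReq("tcp", 139, "CIFS"),
    PortReq("tcp", 445, "CIFS"),
    PortReq("udp", 88, "Kerberos"),
    PortReq("udp", 123, "NTP"),
    PortReq("udp", 464, "Kerberos Password Change"),
    PortReq("udp", 389, "LDAP"),
    PortReq("udp", 445, "CIFS"),
]
RPC_HIGH_PORTS = range(49152, 65536)
# The subset the "AD Authentication" section requires for Kerberos.
KERBEROS_PORTS = [p for p in AD_PORTS if (p.proto, p.port) in {("tcp", 88), ("tcp", 464), ("udp", 88)}]

def dc_srv_name(domain: str) -> str:
    """DNS SRV name Windows clients query to enumerate DCs (standard AD record, assumed)."""
    return f"_ldap._tcp.dc._msdcs.{domain.strip('.').lower()}"

def tcp_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """True when a TCP handshake to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def check_dc(host: str, reqs=AD_PORTS, timeout: float = 2.0) -> dict:
    """Probe every TCP requirement; UDP is connectionless and needs a service-specific probe."""
    return {f"tcp/{r.port} {r.service}": tcp_open(host, r.port, timeout)
            for r in reqs if r.proto == "tcp"}

if __name__ == "__main__":
    dc = sys.argv[1] if len(sys.argv) > 1 else "dc01.exampleorg.com"  # placeholder host
    print("Enumerate DCs with an SRV lookup of:", dc_srv_name("exampleorg.com"))
    for name, ok in check_dc(dc).items():
        print(("OK   " if ok else "FAIL ") + name)
```

Run it once per domain controller returned by the SRV lookup; a FAIL on a port the page lists means the connector group cannot serve that AD function.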