Project Description
Senior Zscaler engineer needed to guide me over the shoulder while I rebuild the foundational pieces of our ZPA/ZIA setup. I drive the consoles; you advise in real time and explain the why behind each setting.
Context: The current implementation works but isn't scalable, security-focused, or aligned with best practice. The goal is to reset the foundation so those problems don't carry forward: built to a strong security bar, with a structure that scales cleanly across employees, contractors, admins, and third parties without rework.
Constraint: Okta SSO is operational and out of scope. ZIdentity group/role binding is on a separate track. Work fits around both.
In scope:
- Hardened pre-auth machine tunnel with the strongest realistic device trust model
- Least-privilege pre-logon access, no broad LAN substitute
- Group, tunnel, and policy structure built to scale: naming, hierarchy, policy tiers, segment grouping
- ZCC forwarding profiles, posture, and trusted network detection across corporate, home, captive portal, and offline
- Clean binding to EDR and ZIdentity without circular dependencies
- Reliable automatic network drive mapping at logon
- Audit existing app segments (Confluence and similar), identify overly broad wildcard definitions and break them out into properly scoped segments as part of validating the new pattern
Must have: multiple production ZPA + ZIA deployments delivered to a high security bar, group/policy structures that scaled past PoC without rework, deep hands-on ZCC knowledge, and comfort working over screen-share sessions.
Short timeline. Remote, screen-share only, no console access required.