What are the high-level steps and considerations for deploying the Zscaler Client Connector?

When deploying ANY software to an enterprise space, it's often best to have a methodical process. In today's article, I'd like to step through a high-level summary of the steps to consider/execute when installing the Zscaler Client Connector.

1. Determine which tunneling architecture/mode the client will use. Zscaler has a few choices (Z-Tunnel 1.0 and 2.0), each with unique benefits and trade-offs. For more details on this, check out this article here.
2. Ensure that the client connector is allowed by local antivirus. By definition, the client connector app is sending user traffic to Zscaler's infrastructure. That can naturally make some overzealous endpoint protection software nervous 😄. As such, it's a good idea to have Zscaler pre-authorized in advance of full deployment.
3. Allow traffic at a network level (local and on-premise firewalls). Similar to item #2, the network also needs to allow communication between the client and Zscaler infrastructure.
4. Configure authentication. A major pillar of zscaler is having granularity to enforce protection down to a user/group level. In order to do that, the platform needs to know who a user is. This step focuses on connecting the solution with the Identity Provider for an environment and making it as frictionless as possible (ideally also leveraging SSO workflows).
5. Configure what's displayed for user-visible components. This tends to vary from customer to customer. Some environments want users to have more control and visibility to apps/notifications, while others want less. Wherever that line is, this is the part of the deployment motions where that baseline would be defined.
6. Configured Trusted Networks and forwarding logic. This is actually a huge topic worthy of its own article but in short, this is where you'd configure exceptions to traffic forwarding and if this makes a difference depending on where the user resides.
7. Configuring App Profiles. This is tightly related to the forwarding component and helps define how ZCC manages the tunnel and handles the traffic after it's captured the traffic but before sending it to the Zscaler cloud. Think of it like the egress and behavior policy.
8. Select release and deploy the agent. This is both the simplest and most complex part. After the preparation is done, the agent needs to be pushed out to assets. This can either be done via system tooling (like UEM) or manually.
9. Select/configure update policy. Where appropriate, the client connector can be configured for self-updating via auto-update policies.

For more details on this process and methodology, check out the following resources:

https://help.zscaler.com/zscaler-client-connector/best-practices-zscaler-client-connector-deployment