TTechclick ⚡ XP 0% All lessons
Zscaler · ZPA · Browser AccessInteractive · L1 / L2 / L3

ZPA Browser Access, End to End — Certificates, Domains & the Clientless Path

A contractor on an unmanaged laptop needs one internal web app — no agent, no VPN. Browser Access makes that happen with a public DNS name, a TLS certificate, and an App Connector doing the fetching. Here is the whole clientless path, the certificate that makes or breaks it, and the five errors you will actually hit.

📅 2026-06-13 · ⏱ 12 min · 2 live demos · 4 diagrams · 2 screenshots · 🏷 10-Q assessment + AI Tutor inline

⚡ Quick Answer

Configure Zscaler ZPA Browser Access end to end — the clientless reverse-proxy flow, the web-server certificate (public CA, wildcard vs SAN, full chain), the public DNS CNAME, Zscaler-Managed Certificates, and the cert, DNS and SAML errors that break it in production.

🎯 By the end you will be able to

Read as:

Pick where you want to start

1

The clientless path

Walk the request: browser → public DNS → ZPA → App Connector → app.

 2

Domains & DNS

Why BA needs a public name, and exactly what you CNAME it to.

 3

The certificate

Public CA vs internal, wildcard vs SAN, the full chain — the No.1 ticket.

 4

Build & break it

Create the app, then survive the five real-world failures.

🧠 Warm-up — 3 questions, no score

Just notice which ones make you pause. We answer all three inside the lesson.

1. A contractor with no Zscaler agent needs one internal web app. What gets them in?

Answered in The clientless path.

2. Whose certificate does the browser check when it opens a Browser Access URL?

Answered in The certificate.

3. After you create a BA app, what extra step makes the URL resolve on the internet?

Answered in Domains & DNS.

Most engineers think…

Most engineers think Browser Access is just “ZPA without the agent” — flip one checkbox and the same app shows up in a browser.

Wrong. BA is a clientless reverse proxy: the browser does a real TLS handshake against a certificate you supply, reached through a public DNS name you publish. Get the certificate or the DNS wrong and the app is dead before any access policy ever runs. That is why the No.1 BA support ticket was never the policy — it was the certificate.

Picture a video-KYC with your bank. You finish the whole thing inside your phone's browser — the bank installs nothing on your device, never lets you walk into the branch back-office, and you only ever see your account screen. That is exactly what Browser Access does for an internal web app: a contractor on an unmanaged laptop reaches one private app from a plain browser, sees only that app, and never touches your network.

It sounds like “ZPA minus the agent”. It isn't. Browser Access is a reverse proxy: the browser does a real TLS handshake against a certificate you supply, reached through a public DNS name you publish. Get the certificate or the DNS wrong and the app is dead before any access policy is ever evaluated. That is why, for years, the No.1 Browser Access support ticket was never the policy — it was the certificate.

① How a browser with no agent reaches a private app

Start with the journey, because every later decision hangs off it. The user's browser talks to the Zscaler cloud, never to your network. Think of the App Connector as a concierge: you hand your request at the front desk, the concierge fetches the file from a back room you are never allowed to enter, and brings it to you at reception.

Figure 1 — The clientless trust path: untrusted browser to private app
An isometric three-zone diagram: a red untrusted zone with the user's browser, an amber inspection zone with the ZPA Browser Access Service Edge and the Zero Trust Exchange broker, and a blue trusted zone with the App Connector and the private web app. The browser-to-ZPA TLS leg uses your web-server certificate; the App-Connector-to-app TLS leg is re-originated separately. untrusted / internet inspection / broker trusted / private allowed UNTRUSTED ZSCALER CLOUD YOUR DATA CENTRE / VPC Browser no agent · BYOD contractor laptop BA Service Edge terminates your TLS cert + SAML redirect Zero Trust Exchange policy match + pick healthy Connector App Connector dials OUT only re-originates TLS Private web app wiki.corp.local 172.16.20.10:443 TLS leg 1 TLS leg 2 (re-originated) No route to the subnet ever reaches the browser — only the single published app.
Two separate TLS legs, not one tunnel. The browser trusts your certificate at the edge; the App Connector opens a fresh connection to the app. The device never gets a network path.

▶ The clientless request, stage by stage

A contractor opens apps.acme-ext.com in Chrome. Press Play for the healthy path, then Break it to see the most common failure.

① ResolvePublic DNS resolves apps.acme-ext.com → CNAME → a Zscaler BA host.
② TLS + authZPA presents your web-server certificate; unauthenticated → SAML redirect to the IdP.
③ BrokerZero Trust Exchange matches the access policy and picks a healthy App Connector.
④ FetchApp Connector opens a fresh TLS to 172.16.20.10:443 and streams the page back.
Press Play to walk the healthy path. Then press Break it to see what happens with no public CNAME.
Quick check · Q1 of 10

In a Browser Access session, which component opens the actual connection to the private web app?

Correct: c. The App Connector dials outbound to the Zero Trust Exchange and is the only thing that touches the private app — it re-originates a separate TLS leg. The browser only ever reaches Zscaler (a, b are halves of the path); the IdP only proves identity (d).

Pause & Predict

If Browser Access is clientless — no agent on the device — where does full device posture get checked? Type your guess.

Answer: It mostly can't. Full posture (disk encryption, AV, patch state) relies on the Zscaler Client Connector agent — and clientless BA has no agent. You only get browser- and identity-level signals. You can partially recover trust with Chrome Enterprise device-trust connectors, but that is browser trust, not system posture. This is the deliberate trade-off of clientless access.

🏛 Architect note. Between the broker and the App Connector the session rides a Microtunnel inside a TLS tunnel to the Zero Trust Exchange. An optional double_encrypt flag adds a second encryption layer across the ZPA fabric — but it is mutually exclusive with Browser Access on the same segment (more on that in §4).

The words you need first

Four ideas carry the whole lesson. Tap each card.

🌐
Clientless / Browser Access
tap to flip

ZPA serves one internal web app to any browser, no ZCC agent. So what: contractors and BYOD reach the app without installing anything.

🔁
Reverse proxy
tap to flip

ZPA terminates the user's HTTPS and re-originates a fresh request to the app. So what: the user touches the published app, never your network.

📜
Web-server certificate
tap to flip

The TLS cert ZPA presents for the BA URL — you supply it, or let Zscaler manage it. So what: if the browser doesn't trust it, the app is blocked before login.

🪪
Application domain
tap to flip

The public FQDN users type; it CNAMEs to the Zscaler cloud. So what: no public CNAME = the URL doesn't resolve = nobody gets in.

② The application domain and the public CNAME

Here is the part people skip and then spend an afternoon debugging. The browser resolves the Browser Access URL over the public internet — it has no tunnel and no agent to hand it an internal answer. So every BA app needs a publicly-resolvable name, and you must point that name at Zscaler yourself.

When you save a BA app, ZPA generates a Canonical Name (CNAME). You copy it and create a public DNS CNAME record: your external FQDN (e.g. apps.acme-ext.com) → that Zscaler host. That record is what makes the URL resolve for the user on the open internet.

Figure 2 — Two DNS lookups: one public (to Zscaler), one internal (at the Connector)
A left-to-right flow: the user types the external FQDN, public DNS returns a CNAME to the Zscaler Browser Access edge, the edge brokers to the App Connector, and the App Connector uses internal DNS to resolve the internal hostname to its real private IP. Where each name gets resolved User types apps.acme-ext.com PUBLIC DNS CNAME → Zscaler host you publish this record BA Service Edge brokers to a Connector App Connector asks INTERNAL DNS INTERNAL DNS wiki.corp.local → 172.16.20.10 Private app :443 ← forget this record and nobody resolves the URL point the Connector at PUBLIC DNS here → DNS loop
Two different resolvers. Public DNS sends the user to Zscaler; internal DNS at the App Connector finds the real app. Mix them up and you get either NXDOMAIN or a resolution loop.
Verify the public CNAME is published (run from any internet host)
dig +short apps.acme-ext.com CNAME
dig +short apps.acme-ext.com
Expected output
bba-12ab34.private.zscaler.com.
bba-12ab34.private.zscaler.com.
165.225.xx.xx

If the first line is empty, the CNAME was never published — that is an NXDOMAIN for every external user, no matter how perfect the policy is. On the App Connector side it is the opposite mistake: the Connector must use internal DNS that resolves wiki.corp.local to its real private IP. Point it at public DNS and the internal name resolves back to the Zscaler address — a loop.

Sneha at Infosys faces this

A new Browser Access app works for nobody outside the office. Browsers just say “site can't be reached”.

Likely cause

The public DNS CNAME record was never created — the external FQDN doesn't point at Zscaler, so it doesn't resolve on the internet.

Diagnosis

dig +short apps.acme-ext.com CNAME returns nothing. Re-open the Browser Access table and copy the Canonical Name.

ZPA Admin Portal → Browser Access → [app] → Canonical Name (CNAME) → Copy
Fix

Add a public DNS CNAME: apps.acme-ext.com → bba-xxxx.private.zscaler.com. Or switch to Zscaler-Managed Certificates, which auto-publish the CNAME.

Verify

dig +short now returns the Zscaler host, and the URL loads. Allow a few minutes for DNS propagation.

Quick check · Q2 of 10

A new BA app fails for all external users; dig apps.acme-ext.com returns NXDOMAIN. The single most likely cause?

Correct: a. NXDOMAIN means the name itself doesn't resolve — a DNS problem, before TLS or auth ever happen. An expired cert (b) gives a cert warning, not NXDOMAIN; a dead Connector (c) gives a 5xx/timeout after the page resolves; SAML (d) only matters once you've reached Zscaler.

Pause & Predict

Your App Connector needs to find wiki.corp.local. Which DNS should it use — public or internal? Type your guess.

Answer: Internal DNS. The Connector must resolve the internal hostname to its real private IP (e.g. 172.16.20.10). Point it at public DNS and the internal name resolves back to the Zscaler edge — a loop — and the app breaks intermittently.

③ The certificate — the No.1 Browser Access support ticket

At TLS leg 1 the browser validates a certificate, and there is no Zscaler client on the device to quietly trust anything. So the cert ZPA presents must chain to a CA the browser already trusts. Three knobs decide whether it works.

1. Public CA vs internal CA

You can upload a cert signed by a public CA, or a self-signed / internal-CA cert. For unmanaged and BYOD users the internal root simply isn't on their device, so the real-world rule is: use a publicly-trusted certificate unless every device that will ever use the app has your private root pre-installed.

2. The full chain, not just the leaf

Upload the leaf + all intermediates. The classic “works for some users, not others” bug is a missing intermediate: managed laptops got the root via GPO and paper over it; BYOD machines don't, so they fail. The error is the same on both — NET::ERR_CERT_AUTHORITY_INVALID.

3. Wildcard vs SAN

A wildcard *.acme.com covers apps.acme.com but not apps.eu.acme.com — wildcards match one level only. For multi-level or specific hostnames, use a SAN certificate.

🖥️ This is the screen you'll use — ZPA Admin Portal → Application Segments → [your segment] → Browser Access → Add Application. (Recreated for clarity — your console matches this.)

admin.zscaler.net · Browser Access
Name
Internal Wiki (BA)
Domain 1
apps.acme-ext.com
Application Protocol
HTTPS
Application Port
443
Certificate 2
Zscaler-Managed
Allow Options
⨯ Off  ·  on = forward unauthenticated OPTIONS preflight
Use Untrusted Certificates
⨯ Off  ·  on = trust the back-end app's own cert
Canonical Name (CNAME) 3
bba-12ab34.private.zscaler.com   📋 Copy
Save

the public FQDN users type · the cert ZPA presents (pick Zscaler-Managed for auto-renew + auto-DNS, or an uploaded cert) · the read-only CNAME you must paste into public DNS.

Two more cert gotchas worth memorising. First, generate the CSR inside the ZPA portal (Administration → Certificates). ZPA only holds the private key for CSRs it generated; bring an externally-minted cert and the upload fails with “A matching CSR was not found or a private key was not present.”

Second — and this is the big 2025 change — turn on Zscaler-Managed Certificates. Announced June 2025, it auto-generates and auto-renews the BA cert and auto-publishes the public CNAME. That single switch removes most of the war stories in this section — expired certs, missing intermediates, and forgotten DNS records all disappear.

Figure 3 — Before / after: why the certificate chain decides everything
Two side-by-side panels. Left: a leaf-only or internal certificate, the browser cannot reach a trusted root, the page is blocked with NET::ERR_CERT_AUTHORITY_INVALID. Right: leaf plus intermediates chaining to a trusted public root, the browser trusts it and the page loads. ✗ Leaf only / internal CA Leaf cert (the app) Intermediate — MISSING Root — not reachable NET::ERR_CERT_AUTHORITY_INVALID ✓ Full chain to public root Leaf cert (the app) Intermediate(s) ✓ Trusted public root ✓ 🔒 Page loads — no warning
Same app, same user. The only difference is whether the browser can walk the chain to a root it trusts. Upload the full chain — or let Zscaler-Managed Certificates handle it.
Prove the served chain is complete (run from any host)
echo | openssl s_client -connect apps.acme-ext.com:443 -servername apps.acme-ext.com -showcerts 2>/dev/null \
  | openssl x509 -noout -subject -issuer
Expected output
subject=CN = apps.acme-ext.com
issuer=C = US, O = DigiCert Inc, CN = DigiCert Global G2 TLS RSA SHA256 2020 CA1

Rahul at TCS faces this

The BA app opens fine on office laptops, but contractors on personal laptops get NET::ERR_CERT_AUTHORITY_INVALID.

Likely cause

The cert was signed by the company's internal CA (or shipped leaf-only). Office laptops have that root via GPO; contractor BYOD machines don't, so the chain can't be validated.

Diagnosis

The “some users only” pattern is the tell. Run the openssl s_client check above and inspect the issuer chain.

Administration → Certificates → re-issue with full chain
Fix

Re-issue with a public-CA cert including the full intermediate chain — or switch the app to Zscaler-Managed Certificates so the trust problem disappears.

Verify

A contractor on BYOD loads the app with a clean padlock — no warning, no “Proceed anyway”.

Quick check · Q3 of 10

A BA app loads on corporate laptops but contractors on BYOD get NET::ERR_CERT_AUTHORITY_INVALID. Best fix?

Correct: b. The browser can't reach a trusted root — fix the trust, not the symptom. A public-CA cert with full chain is trusted everywhere; Managed certs do the same automatically. “Proceed anyway” (a) trains users to ignore warnings; disabling TLS (c) is worse; AD membership (d) has nothing to do with cert trust.

Pause & Predict

You upload only the leaf certificate — no intermediate. Predict which users break first, and which don't. Type your guess.

Answer: BYOD / contractor devices break first — they lack the intermediate and root, so the chain can't be completed. Managed corporate laptops often still work because the intermediate/root was pushed via GPO, hiding the bug. That asymmetry — “works for staff, fails for contractors” — is the fingerprint of a missing chain.

④ Build the app — then survive the five failures

The build is short once the cert and DNS are sorted. Five steps:

  1. Certificate — pick Zscaler-Managed, or generate a CSR in Administration → Certificates, get it signed, upload the full chain.
  2. Enable Browser Access on the application segment; set the Domain, Application Protocol (HTTP/HTTPS only), Port, and the Certificate.
  3. Publish DNS — copy the Canonical Name and add the public CNAME (skipped automatically with Managed certs).
  4. Access policy + IdP — a default-deny access policy with a SAML IdP so the user can authenticate clientlessly.
  5. Internal DNS — point the App Connector at internal DNS that resolves the app's real IP.

Now the part that fills support queues. Here are the five failures, each as a symptom you'll actually see in the wild.

The five Browser Access failures

1. Cert untrusted / chain incomplete — symptom: NET::ERR_CERT_AUTHORITY_INVALID for some users. Fix: public-CA cert, full chain, or Managed certs.

2. Name mismatch — symptom: NET::ERR_CERT_COMMON_NAME_INVALID. Cause: the external FQDN isn't in the cert's SAN, or a wildcard was used for a multi-level host. Fix: SAN must list the exact FQDN.

3. DNS loop — symptom: BA flaky / Connector DNS errors. Cause: the App Connector resolves the internal name via public DNS. Fix: split-DNS to the real internal IP.

4. SAML redirect loop — symptom: user bounces back to the IdP sign-in, often only in Chrome with third-party cookies blocked. Fix: set SameSite=None on BA/auth cookies, allow the cookie, check clock sync.

5. App renders broken — symptom: page loads but images 404 and links point at intranet.corp.local. Cause: the app hardcodes internal absolute URLs; BA does not deep-rewrite page bodies. Fix: relative URLs, or publish each internal host as its own BA app.

🖥️ The failure you must recognise on sight — failure #1, the untrusted certificate chain. (Recreated for clarity — your browser shows this.)

🔒̶ https://apps.acme-ext.com
⚠️
Your connection is not private
Attackers might be trying to steal your information from apps.acme-ext.com (for example, passwords, messages, or credit cards).
NET::ERR_CERT_AUTHORITY_INVALID
Back to safety

Cause → effect: an internal-CA or leaf-only certificate (Figure 3, left panel) produces exactly this on any device that lacks the root. The fix lives in the certificate, never in the browser.

▶ What the browser checks at TLS leg 1

The certificate handshake, step by step. Press Play, then Break it to drop the intermediate.

① ConnectBrowser opens apps.acme-ext.com:443 at the Zscaler edge.
② PresentZPA sends the leaf + intermediate certificates it holds for this app.
③ Walk chainBrowser climbs leaf → intermediate → a root in its trust store.
④ TrustChain ends at a trusted root → padlock, page loads.
Press Play for a trusted chain. Then press Break it to drop the intermediate and watch it fail.

🔧 Engineer note. Two more boundaries bite teams late. Double Encryption is mutually exclusive with Browser Access on the same segment — enable it for compliance and BA on that segment goes dead silently; keep them on separate segments. And BA serves web only (HTTP/HTTPS); clientless RDP/SSH/VNC is Privileged Remote Access (PRA), and anything non-web needs the full ZCC tunnel.

Quick check · Q4 of 10

You need one certificate to cover hr.acme.com, wiki.acme.com and vpn.acme.com. Cheapest valid option?

Correct: a. All three are a single label under acme.com, so one wildcard *.acme.com covers them — cheapest and valid. Three certs (b) work but cost more; a SAN (c) also works but isn't the only option here; disabling validation (d) is never acceptable. (If one host were hr.eu.acme.com, the wildcard would fail and you'd need a SAN.)

One screen to remember it all

Figure 4 — Browser Access on one screen (revision card)
Nine summary tiles: the object chain, certificate rules, public CNAME, Zscaler-Managed certificates, the five failures, Double Encryption exclusivity, BA versus PRA versus ZCC, no device posture, and verification commands. Browser Access — the one-screen recap ① Object chain Segment → enable Browser Access → Domain + Protocol + Port + Certificate HTTP / HTTPS only ② Certificate rules Public CA (BYOD-safe) Upload FULL chain Wildcard = 1 level; else SAN CSR from inside ZPA ③ Public CNAME Copy Canonical Name → public DNS CNAME record Connector → INTERNAL DNS no record = NXDOMAIN ④ Managed certs (2025) Auto-generate + renew Auto-publish the CNAME Kills most cert tickets use it unless you can't ⑤ The five failures cert-untrusted · name-mismatch DNS loop · SAML loop broken rendering (hardcoded internal links) ⑥ Two hard boundaries Double Encrypt ✗ with BA (same segment) → dead No full device posture (clientless = no agent) ⑦ BA vs PRA vs ZCC BA = clientless WEB (HTTP/HTTPS) PRA = clientless RDP / SSH / VNC ZCC = full tunnel, everything else non-web works on ZCC, not BA ⑧ Prove it from the wire dig +short apps.acme-ext.com CNAME openssl s_client -connect host:443 -showcerts + Browser Access error codes / clientless diagnostics in the portal
Screenshot this. It is the whole lesson — object chain, cert rules, DNS, Managed certs, the five failures, the two boundaries, and how to prove it works.
Prove it worked — from evidence, not the config screen

A green form doesn't mean a working app. Confirm three things from outside the portal: dig +short <fqdn> CNAME returns the Zscaler host, openssl s_client … -showcerts shows a complete chain to a public root, and the app loads with a clean padlock on a device that has none of your internal roots. For deeper triage, use the portal's Browser Access error codes and clientless access diagnostics.

App Connector simulator ZPA troubleshooting lab

🤖 Ask the AI Tutor

Tap any question — instant, scoped to this lesson. No login, no waiting.

Pre-curated from Zscaler docs + community Q&A, scoped to this lesson. For a live prod issue, paste your export into chat.techclick.in.

📝 Wrap-up assessment — six more

You've answered 4 inline. Six left. 70% (7 of 10) marks the lesson complete on your profile. Tap Submit all answers at the end.

Q5 · Remember

Browser Access supports which application protocols?

Correct: d. Browser Access is a clientless reverse proxy for web apps — HTTP/HTTPS only. Clientless RDP/SSH/VNC is Privileged Remote Access (PRA), not BA; arbitrary TCP/UDP and ICMP need the ZCC tunnel.
Q6 · Apply

A contractor on an unmanaged laptop must reach exactly one internal web app, with no software install allowed. Which ZPA capability fits?

Correct: b. “Clientless, one web app, no install” is the exact use case for Browser Access. ZCC (a) needs the agent; SIPA (c) and Double Encryption (d) are segment features, not access methods.
Q7 · Analyze

Users loop back to the IdP sign-in page only in Chrome with third-party cookies blocked. Most likely fix?

Correct: c. A redirect loop tied to blocked third-party cookies is a cross-site cookie problem in the SAML handoff — SameSite=None lets the cookie survive. The cert (a), Connector (b) and port (d) aren't involved when the symptom is cookie-specific.
Q8 · Analyze

A BA app's login page loads, but every image 404s and the browser console shows requests to intranet.corp.local. Root cause?

Correct: d. The page itself loaded (so cert and DNS are fine) but sub-resources point at an internal-only hostname the clientless user can't reach. BA is a reverse proxy, not a link-rewriter — fix the app to use relative URLs, or publish each internal host as its own BA app.
Q9 · Evaluate

A compliance team enables Double Encryption on the same segment serving a working BA app, and BA stops working. Best explanation and decision?

Correct: a. Double Encryption and Browser Access can't coexist on the same application segment — turning one on silently kills the other. The right call is architectural: split them across segments. The other options chase unrelated symptoms.
Q10 · Evaluate

A thick-client app on proprietary TCP port 8472 “works over ZCC.” A team wants to also publish it via Browser Access for BYOD users. Best guidance?

Correct: c. Browser Access is web-only; a proprietary TCP protocol can't be served clientlessly through a reverse proxy. The honest answer is the architectural boundary — that workload stays on ZCC (or gets re-architected as a web app). Allow Options (b) and wildcard certs (d) are unrelated.
Lesson complete — saved to your profile.
Almost! You need 70% (7 of 10) — re-read the path that tripped you up and tap "Try again".

🧠 In your own words

Type one line: Why does a Browser Access URL need a public DNS CNAME AND a publicly-trusted certificate, when the app itself is private? Then compare to the expert version.

Expert version: Because the user is clientless. The browser resolves the name on the public internet (so the name must point at Zscaler via a public CNAME) and validates the certificate directly against its own trust store (so the cert must chain to a public root — there is no agent to push trust). The app stays private: only the App Connector, dialling outbound, ever touches it.

🗣 Teach a friend

Best way to lock it in — explain it in one line to a teammate. Tap to generate a paste-ready summary.

📖 Glossary

Browser Access (BA)
Clientless access to one internal web app through ZPA — the user needs only a browser, no Zscaler agent.
Clientless
No software installed on the device; access happens entirely in the browser.
Reverse proxy
ZPA terminates the user's HTTPS at the edge and re-originates a fresh request to the app — the user never touches the network.
App Connector
The lightweight VM/container beside the private app; it dials outbound to the Zero Trust Exchange and brokers the session.
Application domain (FQDN)
The public hostname users type; it must CNAME to the Zscaler cloud.
Canonical Name (CNAME)
The Zscaler-side host your public DNS record points at; shown with a Copy icon in the Browser Access table.
Web-server certificate
The TLS certificate ZPA presents for the BA URL — supplied by you or managed by Zscaler.
Full chain
Leaf + all intermediate certificates; a missing intermediate causes “works for some users” failures.
Wildcard vs SAN
Wildcard *.acme.com matches one label level only; a SAN cert lists each exact hostname.
Zscaler-Managed Certificates
2025 feature — ZPA auto-generates, auto-renews and serves the BA cert and auto-publishes the CNAME.
Double Encryption
An extra encryption layer across the ZPA fabric — mutually exclusive with Browser Access on the same segment.
PRA
Privileged Remote Access — clientless RDP/SSH/VNC in the browser; the non-web sibling of Browser Access.

📚 Sources

  1. Zscaler Help — About Browser Access. help.zscaler.com/zpa/about-browser-access
  2. Zscaler Help — Browser Access (Canonical Name / CNAME, BA table). help.zscaler.com/zpa/browser-access
  3. Zscaler Help — About (Web Server) Certificates & Uploading Web Server Certificates. help.zscaler.com/zpa
  4. Zscaler Help — Using Wildcard Certificates for Browser Access Applications. help.zscaler.com/zpa/using-wildcard-certificates-browser-access-applications
  5. Zscaler Blog (Jun 2025) — ZPA Browser Access made easier: Zscaler-Managed Certificates & Unified Portal. zscaler.com/blogs
  6. Zscaler Help — Defining a Browser Access Application with Different External vs Internal Domains. help.zscaler.com/zpa
  7. Microsoft Learn — Configure ZPA SSO with Microsoft Entra ID (SAML SP-initiated flow). learn.microsoft.com
  8. Zscaler Community — BA app-segment config, cert-upload (“matching CSR not found”), DNS resolution threads. community.zscaler.com
  9. Zscaler Terraform provider — zpa_application_segment_browser_access (field schema). registry.terraform.io/providers/zscaler/zpa

What's next?

You can publish a clientless web app and prove it works. Next: clientless RDP, SSH and VNC — and the certificate, SNI and SAML mechanics that sit under both Browser Access and Privileged Remote Access.

Next · Browser Access & PRA: Clientless Zero Trust → Practice on exam.techclick.in →