TTechclick ⚡ XP 0% All lessons
Zscaler · ZPA · Groups & Service EdgeInteractive · L1 / L2 / L3

ZPA Connector Groups, Server Groups & Service Edge — the Binding Chain Behind "No Healthy Connector"

Your segment is perfect, the connector is green — and ZPA still says "no healthy app connector serving this application". The reason lives one layer below the segment: the binding between App Connector → Connector Group and Server Group → App Segment → Segment Group. An app works only when a HEALTHY connector's group is associated to the Server Group that serves it. This lesson teaches that binding graph, connector-group geo placement, Public vs Private Service Edge selection, and the outbound broker/microtunnel handshake.

📅 2026-06-05 · ⏱ 14 min · 2 live demos · 5 infographics · 🏷 10-Q assessment + AI Tutor inline

⚡ Quick Answer

In ZPA an app works only when a HEALTHY connector's Connector Group is associated to the Server Group that serves the App Segment, and that segment sits in a Segment Group an Access rule targets. This lesson teaches the binding chain — App Connector → Connector Group; Server Group → App Segment → Segment Group → rule — so you can fix "no healthy app connector serving this application", place connector groups by geography, choose Public vs Private Service Edge, and read the outbound broker/microtunnel handshake. 5 infographics, 2 live demos and a 10-question assessment.

🎯 By the end you will be able to

Read as:

Pick where you want to start

1

No healthy connector

The #1 binding error: Server Group ↔ Connector Group.

 2

Connector-group geo

Place groups by locality; LB & failover by region.

 3

Public vs Private Edge

When to host a Private Service Edge broker.

 4

Broker & microtunnel

Outbound dial; HEALTHY connector, app still fails.

🧠 Warm-up — 3 questions, no score

Just notice which ones make you pause. We answer all three inside the lesson.

1. ZPA says "no healthy app connector serving this application", yet a connector is green. Where is the fault most likely to be?

Answered in No healthy connector.

2. Mumbai users reach a Mumbai app but every session brokers via Singapore. Why?

Answered in Connector-group geo.

3. An air-gapped datacenter app has no internet egress. Which broker do you put it behind?

Answered in Public vs Private Edge.

Most engineers think…

"The connector is green, so the app must be reachable." Health is reachability — right?

Wrong. A green connector only proves the connector can talk to the broker. An app is reachable only when that connector's Connector Group is associated to the Server Group that serves the App Segment — and the segment sits in a Segment Group a rule targets. Miss that binding and ZPA returns "no healthy app connector serving this application" while every connector glows green. The app lives at the intersection of two guest-lists — Connector Group AND Server Group; miss either and you are turned away.

① "No healthy app connector serving this application" — the #1 binding error

You already learned how to define the segment object itself in the App Segment object-chain lesson — FQDN, explicit ports, Bypass Type, the one-Segment-Group rule. This lesson goes below the segment, into the infrastructure-binding layer that physically connects it to a connector. It is the layer that produces the single most common ZPA error a fresher meets: no healthy app connector serving this application — while every connector shows green.

The binding graph has two halves that must meet at the app. The infra half: an App Connector belongs to an Connector Group; a Server Group is associated to one or more Connector Groups and bound to the App Segment. The policy half: the App Segment sits in exactly one Segment Group that an Access rule targets. An app works only when a HEALTHY connector's Connector Group is associated to the Server Group that serves the App Segment. Break that one association and ZPA has no healthy connector to broker to — full stop.

Figure 1 — The binding graph: the app lives at the intersection of two groups
The ZPA binding graph: an App Connector belongs to a Connector Group, a Server Group is associated to that Connector Group and bound to the App Segment, and the App Segment sits in a Segment Group an Access rule targets — so the app is reachable only at the intersection of the Connector-Group and Server-Group bindings. A graph with two converging halves that meet at the application. On the left, the infrastructure half: an App Connector belongs to a Connector Group, and a Server Group is associated to that Connector Group. On the right, the policy half: the App Segment sits in exactly one Segment Group, which an Access Policy ALLOW rule targets. Both halves meet at the highlighted association edge between the Server Group and the App Segment. A red note shows that if the Server Group is not associated to a healthy Connector Group, ZPA returns no healthy app connector serving this application even though the connector is green. The app is reachable ONLY where the Connector Group meets the Server Group. infra binding the association that serves missing = "no healthy connector" INFRA HALF — who can reach the servers App Connector (172.16.x)outbound-only Linux VM Connector Group (Mumbai)deploy connectors in pairs Server Groupstatic servers OR Dynamic Discovery POLICY HALF — who is allowed in Access Policy ALLOWtargets a Segment Group Segment Groupexactly ONE per segment App Segmentsap.corp.internal · TCP 8443 ⬢ THE ASSOCIATION Server Group ↔ App Segment + ↔ Connector Group bound here Both edges must exist: Server Group ↔ App Segment AND Server Group ↔ a HEALTHY Connector Group. Drop either and ZPA returns "no healthy app connector serving this application" — even with green connectors. Debug both halves: infra (Server Group → Connector Group) and policy (Segment Group → rule).
Read it as a graph, not a stack. The app sits where the two groups meet — the lime edge. Break the Server-Group-to-Connector-Group association and no healthy connector can serve it.

Four binding objects freshers confuse

Tap each card — front is the object, back is the binding trap it hides. We unpack all four across this lesson.

🔌
Connector Group
tap to flip

A group of App Connectors, deployed in pairs per location. Server Groups are associated to Connector Groups; brokering picks the nearest healthy group.

🗄️
Server Group
tap to flip

Bound to the App Segment; associated to Connector Groups. Dynamic Discovery on = resolve the FQDN at request time; off = serve only the static servers you list.

🛰️
Service Edge
tap to flip

The broker that stitches ZCC ↔ connector. Public = Zscaler cloud; Private = you host it locally for low latency / air-gap / data residency.

🩺
Healthy ≠ serving
tap to flip

A green connector only proves it reaches the broker. Serving an app is a Server-Group ↔ Connector-Group binding — health and serving are different things.

Sneha at Infosys faces this

Sneha publishes a new Oracle reporting app on oracle-rpt.corp.internal. The segment is enabled, the Mumbai connector is green — yet users get "no healthy app connector serving this application". Her first instinct is to reboot the connector.

Likely cause

It is not the connector. The App Segment was bound to a Server Group, but that Server Group is not associated to any Connector Group that holds a healthy connector — so ZPA has nothing to broker to.

Diagnosis

Walk the binding, not the connector. Open the segment, read its Server Group, then open that Server Group and check which Connector Group(s) it is associated to and whether they have a healthy connector.

Applications ▸ Application Segments ▸ (segment) ▸ Server Groups
Fix

Associate the Mumbai-DC Connector Group (which holds the healthy connector 172.16.8.21) to the SG-Oracle-RPT Server Group, confirm the server 10.30.12.40:1521 is reachable, and retest.

Verify

The session log shows the app brokered via the Mumbai Connector Group — proof the binding is whole, not just that the connector was green.

Quick check · Q1 of 10 · Remember

In ZPA, which object binds an App Segment to the App Connectors that can actually reach the app servers?

Correct: b. The Server Group is the bridge: it is bound to the App Segment and associated to the Connector Group(s) whose connectors serve the app. (a) the Segment Group is the policy half; (c) Bypass Type decides whether ZPA sees the traffic; (d) Timeout Policy governs reauth — none of them connect the segment to connectors.
👉 So far: the app lives where the Connector Group meets the Server Group. Now let's open the real console and walk the exact binding so you can fix "no healthy app connector".

Walk the binding in the console — App Segment → Server Group → Connector Group

The fix for "no healthy app connector" lives in three screens that must agree. On the App Segment you pick a Server Group; on the Server Group you tick its Dynamic Discovery (or list static servers) and associate one or more Connector Groups; and each Connector Group must hold at least one healthy connector. Below is the Server Group editor — the screen freshers never open when they should.

Here is the Add Server Group screen — recreated so you recognise the live portal.

https://admin.private.zscaler.com  ·  Applications ▸ Server Groups ▸ Add
Applications ▸
Application Segments
Segment Groups
Server Groups
Infrastructure ▸
App Connector Groups
Policy ▸
Applications ▸ Server Groups ▸ Add Server Group
The bridge object: it serves an App Segment and must be associated to a Connector Group with a healthy connector. Empty + Dynamic Discovery off = "no healthy connector".
NameSG-Oracle-RPT
StatusEnabled ▾
1Dynamic Server DiscoveryOn ▾  Off + no static servers = nothing to serve!
Static Servers (if Discovery Off)10.30.12.40 : 1521  ignored while Discovery is On
2App Connector GroupsMumbai-DC ▾  must hold a HEALTHY connector
3Associated App Segmentoracle-rpt.corp.internal  the segment this Server Group serves
4Healthy connectors in group1 of 2 healthy (172.16.8.21)  0 healthy = the error
1 resolve FQDN at request time vs static list   2 WHICH connectors can serve this   3 the app it is bound to   4 0 healthy here = "no healthy app connector"
🖥️ Recreated for clarity — your ZPA console matches this. Path: Applications ▸ Server Groups ▸ Add Server Group. Pins ①②③④ mark the four bindings that decide whether a healthy connector can serve the app.

The four ways "no healthy connector" actually happens

The error has exactly four root causes, and all four live in the binding — never in the connector binary. (1) The Server Group is not associated to the App Segment. (2) The Server Group's Connector Group holds no healthy connector. (3) Dynamic Discovery is off and no static servers are listed, so the group has nothing to serve. (4) The Connector Group is in the wrong location, so the only group that could serve the app is one nobody is near. Diagnose from the Portal (App Segment → Server Group → Connector Group binding + connector health) and, on the host, journalctl -u zpa-connector.

Decision tree — is there a healthy connector that can serve this app?

Run the four checks in order. The first "no" is your fix.

Figure 2 — "No healthy connector" decision tree: bound? associated? healthy? discovering?
A decision tree for the "no healthy app connector serving this application" error: check whether the Server Group is bound to the segment, whether its Connector Group has a healthy connector, and whether Dynamic Discovery is on or static servers are listed. A four-step decision tree for the no-healthy-connector error. Step one asks whether the App Segment is bound to a Server Group; if no, bind it. Step two asks whether the Server Group is associated to a Connector Group; if no, associate one. Step three asks whether that Connector Group holds a healthy connector; if no, add or fix a connector. Step four asks whether Dynamic Discovery is on or static servers are listed; if no, the Server Group has nothing to serve. Passing all four reaches a green outcome where a healthy connector can broker the app. "No healthy app connector serving this application" — run these 4 in order decision first NO = your fix Segment bound to a Server Group? No Bind a Server Group to the segmentApp Segment ▸ Server Groups Yes SG associated to a Connector Group? No Associate a Connector Grouppick the group near the app Yes Group has a HEALTHY connector? No Add / fix a connectorjournalctl -u zpa-connector Yes Discovery on / static servers listed? No Enable Discovery or add serverselse nothing to serve All four = Yes A healthy connector can serve the app — the error clears. ✓ session brokers via the right group
Walk the four checks top to bottom — the first "No" is exactly what is producing "no healthy app connector serving this application". None of them is the connector binary.

▶ Walk the binding to a healthy connector — then break the association

Press Play for a fully-bound app, then Break it to see the exact moment the Server Group loses its Connector Group and ZPA returns "no healthy connector".

① SEGMENTThe App Segment oracle-rpt.corp.internal:1521 is bound to the Server Group SG-Oracle-RPT
② ASSOCIATESG-Oracle-RPT is associated to the Mumbai-DC Connector Group, which holds a healthy connector
③ HEALTHYThe broker finds connector 172.16.8.21 healthy and able to reach 10.30.12.40
④ SERVEThe connector proxies to the Oracle server — the app is reachable and the session is logged
Press Play to step through a fully-bound app. Then press Break it.
Quick check · Q2 of 10 · Apply

A new App Segment for db.corp.internal stays unreachable. Its Server Group has Dynamic Discovery OFF and lists zero static servers. Why does it fail, and what is the fix?

Correct: c. Dynamic Discovery off means the Server Group serves only the static servers you list — and the list is empty, so there is no destination to broker to. Enable Discovery so ZPA resolves the FQDN at request time, or add the static IPs. (a)/(b)/(d) are real failures but none of them gives the Server Group a server to serve.

Pause & Predict

An admin swears a connector is broken because one app returns "no healthy connector" — yet that same connector serves five other apps perfectly. What is the very first binding you check, and why? Type your guess.

Answer: The Server Group ↔ Connector Group association for THIS app's Server Group. The connector is obviously fine — it serves five other apps — so the problem is that the failing app's Server Group is not associated to that (healthy) Connector Group, or has no servers. Health is per-connector; serving is a per-Server-Group binding. Fix the association, not the connector.
👉 So far: "no healthy connector" is always a binding, never the connector binary. Next — when there are several connector groups, WHICH one serves the app, and why a Mumbai app can broker from Singapore.

② Connector-group location, geo & load-balancing

Once an app is bound and reachable, the next question is which connector serves it. When a Server Group is associated to more than one Connector Group, ZPA brokers each session to the nearest healthy group and fails over to the survivors when one goes unhealthy. Put your Connector Groups in the wrong place and a Mumbai app brokers from Singapore — correct, but slow.

Group locality decides the broker path

An App Connector Group is your unit of locality. Associate the group that physically sits near the app's servers, and on-prem users in that region broker locally. Associate only a distant group and every session hairpins to it. The fix for asymmetric latency is rarely "more connectors" — it is "a Connector Group in the right place, associated to the right Server Group". Group-level load-balancing then spreads sessions across healthy connectors in the chosen group, and failover moves them to a second group if the first region drops.

How to place Connector Groups by app locality

One Connector Group per datacenter/region where apps live, deployed in pairs for resilience. Associate each Server Group to the group(s) that can reach its servers with the lowest latency, primary-first. Add a second region's group to the same Server Group only when you want cross-region failover — ZPA will use it only when the primary group has no healthy connector. Never associate a far group "just in case": it becomes a latency tax the day a session lands on it.

Quick check · Q3 of 10 · Apply

Mumbai users reach a Mumbai-datacenter app, but every session brokers via a Singapore Connector Group, adding ~60 ms. What is the cause and fix?

Correct: a. ZPA brokers to the nearest healthy associated Connector Group, and if Singapore is the only group on that Server Group then Singapore is the nearest one ZPA can use. Associate a Mumbai-local Connector Group with that Server Group. (b) is invented; (c) Double Encrypt is a per-segment cost knob, not a routing control; (d) Segment Groups have no locality.

Load-balancing & failover are a property of the association

Brokering, load-balancing and failover all hang off the Server-Group-to-Connector-Group association, not off the segment. Associate two Connector Groups in two regions to one Server Group and ZPA balances within the nearest healthy group and fails over to the other region if every connector there goes unhealthy. This is how you get regional resilience without touching the App Segment at all — and why "the connector is up" never proves "the right group is serving this app".

Rahul at TCS faces this

Rahul's Bengaluru users get great latency to a Bengaluru app, but during a regional power event the whole app went dark even though a healthy Hyderabad connector group existed. He assumed failover was automatic.

Likely cause

The app's Server Group was associated to only the Bengaluru Connector Group. With no second group on that Server Group, there was nothing for ZPA to fail over to when Bengaluru's connectors went unhealthy.

Diagnosis

Open the Server Group and count how many Connector Groups it is associated to, and in which regions.

Applications ▸ Server Groups ▸ (group) ▸ App Connector Groups
Fix

Associate the Hyderabad Connector Group to the same Server Group as a secondary. ZPA keeps brokering local to Bengaluru day-to-day and fails over to Hyderabad when Bengaluru has no healthy connector.

Verify (L2/L3)

Pull a Bengaluru connector and confirm sessions for that app re-broker via Hyderabad with no user re-login.

Figure 3 — Connector Groups by region: the broker picks the nearest healthy group, fails over to the rest
A regional load-balancing diagram: one Server Group is associated to a Mumbai and a Singapore Connector Group, and the broker routes Mumbai users to the nearby Mumbai group, with automatic failover to Singapore only when the Mumbai group has no healthy connector. A geography diagram. A Server Group in the centre is associated to two Connector Groups: a primary Mumbai group near the app and a secondary Singapore group in another region. Mumbai users broker through the local Mumbai group with low latency along a green path. If the Mumbai group loses all healthy connectors, a dashed failover path routes sessions to the Singapore group instead, at higher latency. A red note warns that associating only the distant Singapore group forces every Mumbai session to hairpin far away. Brokering follows group locality — nearest HEALTHY group wins primary — local, low latency failover — distant, higher latency Mumbai user (ZCC) wants oracle-rpt app Server Group associated to 2 Connector Groups primary: Mumbai · failover: Singapore Mumbai Connector Group 172.16.8.21 · 172.16.8.22 (pair) ✓ healthy · local to the app primary Singapore Connector Group 172.20.4.10 · 172.20.4.11 used only if Mumbai unhealthy failover Associate the LOCAL group as primary; add a remote group only for failover. Associate only the distant group and EVERY Mumbai session hairpins to Singapore — correct, but slow.
Locality is the whole game: the broker uses the nearest healthy associated group. Put the local group first, keep the remote group as failover only.
On the App Connector VM — confirm the connector is healthy and serving its group
sudo systemctl status zpa-connector --no-pager | head -3
journalctl -u zpa-connector -n 5 --no-pager | grep -i broker
sudo zpa-connector troubleshoot status
dig +short oracle-rpt.corp.internal
Expected output
● zpa-connector.service - Zscaler App Connector — active (running)
broker: connected to mtunnel.zpath.net (Mumbai) — outbound 443
status: HEALTHY  group=Mumbai-DC  served_segments=6  latency=2ms
10.30.12.40

A HEALTHY connector with group=Mumbai-DC and a connected broker proves the infra half is fine. If the app still fails, the gap is the Server-Group-to-Connector-Group association or the policy half — not this connector.

Karthik at Flipkart faces this

Karthik adds a Pune Connector Group for a new office. App latency for Pune users stays high — every session still brokers from the original Hyderabad group, 800 km away.

Likely cause

The Pune Connector Group was deployed and is healthy, but it was never associated to the app's Server Group — so ZPA cannot use it and keeps brokering via the only group on that Server Group: Hyderabad.

Diagnosis

Open the app's Server Group and check whether the Pune Connector Group appears in its association list.

Applications ▸ Server Groups ▸ (group) ▸ App Connector Groups
Fix

Associate the Pune Connector Group to that Server Group (primary for Pune users), keeping Hyderabad as failover. Deploying connectors is not enough — the association is what makes a group usable.

Verify

Pune sessions now broker via the local Pune group and round-trip latency drops sharply in the session log.

Pause & Predict

A Server Group is associated to two Connector Groups — Mumbai (primary, local) and Singapore (secondary). Mumbai's two connectors both go unhealthy. What happens to in-flight and new sessions, and why? Type your guess.

Answer: ZPA fails over to the Singapore group because both groups are associated to the same Server Group — new sessions broker via Singapore (higher latency but working), and existing sessions re-broker there without a user re-login. If Singapore were not associated, you would instead get "no healthy app connector serving this application". Failover is a property of the association, not the segment.
👉 So far: place Connector Groups by locality; the broker picks the nearest healthy associated group and fails over to the rest. Next — Public vs Private Service Edge: where the broker itself lives.

③ Public vs Private Service Edge selection

Every session is stitched together by a Service Edge — the broker. By default that broker is a Public Service Edge in a Zscaler data center, near zero hardware for you. But for an app in your own datacenter, the client picks a Public Edge PoP and traffic hairpins out to the cloud and back. A Private Service Edge (PSE) is a single-tenant broker you host (still Zscaler-managed) so on-prem clients broker locally — the right answer for low-latency local apps, air-gapped/no-internet-egress environments, and data residency. For the deep VPN-replacement comparison see ZPA vs VPN & the Private Service Edge.

Here is the Service Edge selection screen — recreated so you recognise the live portal.

https://admin.private.zscaler.com  ·  Infrastructure ▸ Service Edges
Infrastructure ▸ Service Edges — Private Service Edge Group: PSE-Mumbai-DC
Brokering EdgePrivate Service Edge ▾   (default = Public)
1Why PrivateLow latency · air-gapped · data residency
2Hosted onVMware / AWS / Azure / GCP (you host)  licensed add-on
3Outbound to ZPA cloudTCP 443 only (Zscaler-managed)
StatusEnrolled · Healthy
4Trade-offYou host, patch & monitor it
🖥️ Recreated for clarity — your ZPA console matches this. Path: Infrastructure ▸ Service Edges. Pin ① is the whole point: a Private Service Edge brokers locally so on-prem clients never hairpin to a cloud PoP — at the cost of hosting it (pins ②④).

▶ Watch the client pick an edge — then break it with the wrong edge

Press Play for a local Private-Edge broker, then Break it to see the hairpin when only a far Public Edge is available.

① REQUESTThe on-prem client in the Mumbai DC asks for a same-building app
② SELECT EDGEZCC picks the nearest healthy edge — the local Private Service Edge in the DC
③ BROKERThe PSE stitches the M-Tunnel to the local connector — no internet hairpin
④ REACHThe connector proxies to the local app — round-trip stays in the building
Press Play to watch the local-edge broker. Then press Break it.
Quick check · Q4 of 10 · Apply

An app in your own datacenter hairpins out to a far Zscaler Public Service Edge and back, adding latency for on-prem users. Which design fixes it, and what is the trade-off?

Correct: d. A Private Service Edge brokers sessions locally, removing the cloud round-trip for on-prem users and keeping traffic in-region — at the cost of hosting, licensing and monitoring it (Zscaler still manages it). (a) destroys zero-trust visibility; (b) more connectors do not stop the hairpin to a far edge; (c) Segment Groups have nothing to do with the broker location.

Sneha at Infosys faces this

Sneha must publish an air-gapped lab app on 10.30.40.0/24 with no internet egress at all. She wants zero-trust access without poking a hole to the internet, and asks whether ZPA can even reach it.

Likely cause

A Public Service Edge brokers in the Zscaler cloud, which an air-gapped segment cannot reach — there is no internet path for the client to hairpin out to a PoP.

Diagnosis

Confirm the segment's users would need to broker via a Public Edge over the internet, which the air-gap forbids.

Infrastructure ▸ Service Edges (Public vs Private)
Fix

Deploy a Private Service Edge inside the air-gapped zone so the client and PSE broker entirely on the internal network. The PSE's own control channel to the ZPA cloud is the only outbound path you allow.

Verify (L2/L3)

The lab app is reachable from authorised users, and the session log shows brokering via the local PSE, never a cloud PoP.

Karthik at Wipro faces this

Karthik's on-prem users hit latency hairpinning to a far Zscaler PoP for a local finance app in the same datacenter. He is asked to cut the round-trip without losing zero-trust.

Likely cause

The Public Service Edge brokers the session in a Zscaler cloud PoP, so a same-building app hairpins out and back — 2–4 extra hops of latency.

Diagnosis

Confirm the brokering edge is a remote Public Service Edge, not local, for that segment's users.

Infrastructure ▸ Service Edges (Public vs Private)
Fix

Deploy a Private Service Edge in the datacenter so on-prem users broker locally. Trade-off: a PSE is a licensed add-on you host, patch and monitor — partly reintroducing the appliance ops ZPA was meant to remove.

Verify (L2/L3)

Latency for local-DC users drops sharply and the session log shows brokering via the PSE, not the far PoP.

Pause & Predict

A team insists "a Private Service Edge means Zscaler can no longer manage our brokering". Is that right? What exactly does the customer own vs Zscaler with a PSE? Type your guess.

Answer: Wrong. A Private Service Edge is a single-tenant broker you host on VMware/AWS/Azure/GCP, but Zscaler still manages it — it downloads the same policies and config as a Public Edge and enforces the same zero-trust rules. The customer owns the hosting, sizing, patching and monitoring; Zscaler owns the brokering logic. You gain local latency and data residency, not a separate policy plane.
Figure 4 — Public vs Private Service Edge: latency, hairpin, air-gap, ownership
A side-by-side comparison of the Public Service Edge, which is zero-hardware but hairpins on-prem traffic to a Zscaler cloud PoP, and the Private Service Edge, which brokers locally for low latency, air-gap and data residency at the cost of hosting and licensing it. A two-panel comparison. The left panel shows the Public Service Edge path: an on-prem client hairpins out over the internet to a Zscaler cloud PoP broker and back to a same-building app, adding latency. The right panel shows the Private Service Edge path: the same client brokers via a local Private Service Edge inside the datacenter with no internet hairpin, keeping the round-trip local and in-region. A bottom band lists the ownership trade-off: Public is zero-hardware and Zscaler-hosted, Private is customer-hosted but still Zscaler-managed, chosen for latency, air-gap and data residency. Where the broker lives changes everything for a local app local, no hairpin hairpin to a cloud PoP Public Service Edge On-prem clientMumbai DC Public Edge PoPfar Zscaler cloud internet hairpin Local appsame building +2–4 hops · out and back zero hardware · Zscaler-hosted Private Service Edge On-prem clientMumbai DC Private Edge (PSE)local broker Local appno internet hairpin round-trip stays local · in-region you host · Zscaler still manages it Public = simpler & zero-hardware · Private = local latency, air-gap & data residency. Pick a PSE for latency-sensitive local apps, no-internet-egress zones, or sovereignty — and own the hosting + patching.
Same client, same app. A Public Edge hairpins to a far PoP; a Private Edge brokers in the building. Choose the PSE for latency, air-gap and data-residency cases — and accept you host it.

④ Broker assignment & microtunnel establishment

Under every binding sits one mechanism: the App Connector dials outbound to the broker (Service Edge) on TCP 443 — no inbound ports — and the microtunnel (M-Tunnel) is built on top of that session. This is why a connector can show HEALTHY (its broker connection is up) and an app can still fail: health proves the broker dial, not the Server-Group binding. This section reads the handshake so you can tell the two apart.

Figure 5 — Outbound broker dial + microtunnel, plus the Groups & Service-Edge one-card cheat-sheet
The outbound broker dial and microtunnel: the App Connector opens an outbound TCP 443 session to the Service Edge with zero inbound ports, the client also reaches the edge, and the microtunnel is stitched ZCC to Service Edge to App Connector to app server — paired with a one-card Groups and Service-Edge cheat-sheet. The top half shows the handshake flow. The App Connector dials outbound on TCP 443 to the Service Edge broker with no inbound ports opened. The ZCC client also connects to the same Service Edge. The Service Edge then stitches an end-to-end microtunnel from the client through the edge to the connector and on to the app server. A note explains that because the connector only proves its outbound broker dial, it can show healthy while an app still fails on the Server-Group binding. The bottom half is a three-cell cheat-sheet: the binding chain, the Public-versus-Private Service Edge trade-off, and the healthy-is-not-serving rule. The connector dials OUT; the microtunnel rides on top outbound dial (TCP 443) stitched microtunnel ZCC clientuser device Service Edge (broker)Public PoP or Private (PSE) App Connector (172.16.8.21)outbound-only · 0 inbound ports connects up dials OUT 443 App server10.30.12.40:1521 end-to-end MICROTUNNEL (M-Tunnel): ZCC ↔ edge ↔ connector ↔ app HEALTHY = the broker dial is up. It does NOT prove the Server-Group binding. The binding chain Connector → Connector Group Server Group → App Segment Segment → Segment Group → rule Server Group ↔ Connector Group missing = "no healthy connector" Public vs Private Edge Public zero hardware · hairpins local apps Private (PSE) local latency · air-gap · residency you host; Zscaler still manages Healthy ≠ serving Health = broker dial is up Serving = Server-Group ↔ Connector-Group binding Connector dials OUT 443 zero inbound ports — ever
Read the handshake: the connector dials OUT to the broker and the microtunnel rides on top. That outbound dial is all "HEALTHY" proves — the cheat-sheet below is your last-minute revision of the whole binding layer.

▶ Walk the broker dial + microtunnel — then break it where HEALTHY misleads

Press Play for the outbound handshake, then Break it to see the connector stay HEALTHY while the app fails on the binding.

① DIAL OUTThe App Connector opens an outbound TCP 443 session to the Service Edge — no inbound ports
② CLIENT UPZCC connects to the same Service Edge; the connector now shows HEALTHY
③ STITCHThe edge stitches the M-Tunnel ZCC ↔ edge ↔ connector for an allowed Server Group
④ SERVEThe connector proxies to the app server — reachable, because the binding is intact
Press Play to watch the outbound handshake. Then press Break it.
Prove the app is served — from the session log + connector log, not "green"

Never trust "the connector is green" as proof an app works. Confirm it the right way: the session log shows the app brokered via the expected Connector Group (not APP_NOT_REACHABLE / "no healthy connector"), and on the host journalctl -u zpa-connector shows the outbound broker line and the served Server Group. Green is the broker dial; the session log is access truth. If the connector is HEALTHY but the app fails, the gap is always the Server-Group ↔ Connector-Group binding or the policy half.

👉 You can now diagnose "no healthy app connector", place Connector Groups by region, choose Public vs Private Service Edge, and read the outbound broker/microtunnel handshake. Lock it in below, then go hands-on in the App Connector lab.

🤖 Ask the AI Tutor

Tap any question — instant, scoped to this lesson. No login, no waiting.

Pre-curated from Zscaler docs + community Q&A, scoped to this lesson. For a live prod issue, paste your export into chat.techclick.in.

📝 Wrap-up assessment — six more

You've answered 4 inline. Six left. 70% (7 of 10) marks the lesson complete on your profile. Tap Submit all answers at the end.

Q5 · Analyze

A new App Connector shows HEALTHY in the portal, yet one specific app still returns "no healthy connector serving this application". What does that prove?

Correct: c. A green connector only proves its outbound broker dial is up. Serving an app is a Server-Group-to-Connector-Group binding, so a perfectly healthy connector cannot serve an app whose Server Group is not associated to its Connector Group. (a)/(d) would make the connector unhealthy; (b) causes a brownout, not this exact error.
Q6 · Analyze

How does an App Connector establish its control channel to the broker, and what inbound firewall ports must you open for it?

Correct: b. The App Connector opens an outbound TCP 443 session to the Service Edge (UDP 443 for DTLS) and the M-Tunnel is stitched on top of it — no inbound ports are ever required. (a)/(c)/(d) re-expose the network and describe a VPN gateway, exactly what ZPA replaces.
Q7 · Analyze

You add a second Connector Group in a new region to a Server Group for resilience. A region-wide outage hits the primary group. What happens to sessions?

Correct: d. Because both Connector Groups are associated to the same Server Group, ZPA balances within the nearest healthy group and fails over to the surviving region when the primary group has no healthy connector — automatically, with no segment change and no re-login. (a)/(b)/(c) misstate the failover model.
Q8 · Analyze

A segment is bound to a Server Group, the Server Group is associated to a healthy Connector Group, but users still cannot reach the app. Which remaining link should you check?

Correct: a. The infra half (Server Group → Connector Group) is intact, so the gap is on the policy half: the segment must be in a Segment Group that an ALLOW rule targets, or default-deny wins with no error. (b) re-checks what already passed; (c)/(d) are unrelated and (d) causes a brownout.
Q9 · Evaluate

Two teams ask whether to put their air-gapped, no-internet-egress app behind a Public or Private Service Edge. Which is correct and why?

Correct: b. A Private Service Edge brokers entirely on the internal network, so an air-gapped app with no internet egress is reachable without hairpinning to a cloud PoP — at the cost of hosting and licensing the PSE (Zscaler still manages it). (a) needs the cloud round-trip the air-gap forbids; (c) is false; (d) is irrelevant to the broker location.
Q10 · Evaluate

Given CVE-2025-54982 (Zscaler's SAML SP failed to verify the IdP signature, allowing forged assertions and full ZIA+ZPA auth bypass), what does it imply for your connector/server-group design?

Correct: c. Your careful Server-Group/Connector-Group bindings only matter for a correctly-verified identity; the CVE showed the SAML trust sits upstream of all per-app control. It was patched server-side across all clouds with no customer action, but the lesson stands — confirm your IdP configuration. (a) overstates; (b)/(d) describe remediations that never applied.
Lesson complete — saved to your profile.
Almost! You need 70% (7 of 10) — re-read the path that tripped you up and tap "Try again".

🧠 In your own words

Type one line: why can a connector be HEALTHY and an app still return "no healthy app connector serving this application"? Then compare to the expert version.

Expert version: Because connector health and app serving are two different things. A green connector only proves its outbound broker dial is up; serving an app requires its Connector Group to be associated to the Server Group that is bound to the App Segment. If that Server-Group-to-Connector-Group association is missing — or the Server Group has no servers (Discovery off, no static list) — ZPA has nothing to broker to and returns "no healthy app connector", even while the connector glows green. The fix is always the binding for that app, never the connector binary.

🗣 Teach a friend

Best way to lock it in — explain it in one line to a teammate. Tap to generate a paste-ready summary.

📖 Glossary

App Connector
A lightweight outbound-only Linux VM inside your network that dials out to the Service Edge on TCP 443 and proxies user sessions to private apps — zero inbound ports. Deployed in pairs per location.
App Connector Group
A logical group of App Connectors, usually one per datacenter/region. Server Groups are associated to Connector Groups; brokering picks the nearest healthy group and fails over to the rest.
Server Group
The bridge object: bound to an App Segment and associated to one or more Connector Groups. With Dynamic Server Discovery on, it resolves the app FQDN at request time; off, it serves only the static servers you list.
Dynamic Server Discovery
When on, ZPA resolves the app FQDN at request time and tracks each resolved IP as a separately load-balanced server. Off + an empty static-server list = the Server Group has nothing to serve.
No healthy app connector
The error ZPA returns when no healthy connector's Connector Group is associated to the Server Group that serves the App Segment — shown even while connectors are green. Always a binding, never the binary.
Connector-group location
Where a Connector Group physically sits. Associate the local group to a Server Group so on-prem users broker locally; an only-distant group makes every session hairpin far away.
Load-balancing & failover
Properties of the Server-Group-to-Connector-Group association. ZPA balances within the nearest healthy group and fails over to a second associated region when the first has no healthy connector.
Service Edge
The broker that stitches the ZCC-side and connector-side tunnels. Public = multi-tenant Zscaler cloud DCs; Private (PSE) = a single-tenant broker you host (still Zscaler-managed) for low latency, air-gap and data residency.
Private Service Edge (PSE)
A customer-hosted, Zscaler-managed broker for latency-sensitive local apps, air-gapped/no-internet-egress zones and data residency. Trade-off: you host, size, patch and monitor it; it is a licensed add-on.
Microtunnel (M-Tunnel)
The end-to-end encrypted channel ZCC ↔ Service Edge ↔ App Connector ↔ app server, built on top of the connector's outbound session. A HEALTHY connector proves only the broker dial, not the binding.
Segment Group
The policy half: a container that bundles Application Segments. A segment belongs to exactly ONE Segment Group, and Access Policy rules target the group, never a bare segment.
Application Segment
The object that defines a private app by FQDN/IP + ports. It is bound to a Server Group (infra half) and placed in a Segment Group (policy half) — both must be intact for access.

📚 Sources

  1. Zscaler Help — About Server Groups + Enabling Dynamic Server Discovery (a Server Group is bound to App Segments and specifies the App Connector Groups that can access them; Discovery resolves the FQDN and tracks each resolved IP as a load-balanced server). help.zscaler.com/zpa
  2. Zscaler Help — About App Connector Groups + App Connector Groups (group connectors per location, deploy in pairs; Server Groups associate to Connector Groups; nearest healthy group brokers, with regional failover). help.zscaler.com/zpa
  3. Zscaler Help — About Private Service Edges + Understanding Service Edges (single-tenant customer-hosted broker, Zscaler-managed; downloads the same policy as a Public Service Edge; low-latency / air-gap / data-residency use cases). help.zscaler.com/zpa
  4. Zscaler Help — Understanding the Private Access Architecture (the App Connector authenticates the path between app servers and the Zero Trust Exchange; the M-Tunnel is an on-demand end-to-end channel ZCC ↔ Service Edge ↔ App Connector ↔ app server; connector dials outbound, zero inbound ports). help.zscaler.com/zpa
  5. Practitioner threads + community deep-dives — "no healthy app connector serving this application" root causes (Server Group not associated, Connector Group has no healthy connector, Discovery off with no static servers, wrong-location group). community.zscaler.com / r/Zscaler
  6. NVD — CVE-2025-54982, Zscaler SAML SP signature not verified (CWE-347, CVSS 9.6) → forged SAML assertion → full ZIA+ZPA auth bypass; patched server-side, no customer action. nvd.nist.gov

What's next?

You can now read the whole binding layer. Next, fold it into a single end-to-end fault tree: the ZPA troubleshooting playbook stitches identity, segments, groups and Service Edge into one diagnostic flow.

Next · ZPA Troubleshooting Playbook — the full fault tree → Practice on exam.techclick.in →