Nutanix Frame and Zscaler Private Access (ZPA)


Nutanix Frame™ Desktop as a Service (DaaS) solution supports multiple networking models. One of the more popular networking models for enterprises is the Frame Private networking model. This model allows the Frame workload VMs to have private IP addresses on the enterprise private network and to access private network resources, and it is the simplest way to inherit existing network security processes.


WRITTEN BY

David Horvath

Senior Solutions Architect

Rich Johnson

Senior Solutions Engineer, ZScaler Technology

James Happel

Systems Engineer, ClearShark

August 4, 2021


However, remote users still need a way to connect to these private networks. The traditional way of implementing this access is to deploy a VPN, but that requires implementing and maintaining software on the user endpoint devices, and VPN connections can overload security products such as firewalls.

Frame offers a Streaming Gateway Appliance (SGA) to meet this need, but some enterprises may wish to take advantage of the “security as a service” model offered by Zscaler, Inc. Zscaler offers a “DMZ as a service” solution that can provide DMZ-type functionality without the complication involved in many DMZ deployments. The Zscaler® service maintains many certifications required by government agencies and meets the rigorous standards required by the most security-conscious organizations.

In this blog you will learn how Zscaler Private Access (ZPA) and Frame DaaS can work together to provide a remote access solution to a private cloud with a simplified administrative model while maintaining a high level of security.

Architecture

Below is an example of a Frame Private networking architecture deployed with a Streaming Gateway Appliance (SGA).

Figure 1. Frame with SGA Architecture

In this architecture, all the workload subnets use only private IP addressing. The Frame DaaS platform orchestrates the workloads via calls to the Cloud Provider's public API endpoint and communicates with the workloads via an internally initiated connection through an outbound-only NAT GW (the green lines on the diagram). The end user authenticates with Frame (the blue line) and is then presented with the desktops and applications to which they have access. When they click on an icon, a session is started and the user is redirected to the workload via the SGA appliance, which proxies the session into the appropriate workload (the red lines). In many enterprises, the SGA and the NAT GW sit in a Demilitarized Zone (DMZ) that has a high level of security and monitoring capabilities due to the need to connect directly to the internet.

The Zscaler architecture is similar, but does not require the enterprise to deploy a DMZ for the SGA. Instead, the inbound public connectivity is managed by Zscaler and the private network does not need to allow any inbound connectivity, which simplifies the security model. The Frame platform will still need to connect to the Cloud Provider's API, but those endpoints are already public and managed by the cloud provider, and some sort of outbound NAT GW will still be needed to allow the workloads to talk to the Frame platform.

Figure 2. Frame with Zscaler Architecture

Setup Frame Private Networking

For the Frame portion of this architecture, you will need to set up a Frame account with Private networking. This setup will use your existing cloud service to set up a private network for Frame workloads. The Zscaler AppConnector appliance will also need to be deployed in a VPC or subnet that has access (at least over TCP port 443) to the private subnets where the workloads will be deployed.

Zscaler Private Access setup

The high-level steps for setting up Zscaler Private Access (ZPA) to work with Frame are:

Define the Frame Application Segment

Figure 3. Define the application segment

*.portal.sharkdemo.com is the application segment defined in this example – any requests matching this wildcard domain will be associated with the Nutanix Frame application and serviced by ZPA.

Browser Access mode is selected for this application segment and the X.509 Certificate wild-portal.sharkdemo.com was created and associated with this App Segment.

Figure 4. Associate the certificate

Browser Access mode allows a client to use a generic web browser to access this Frame application without the need to install the Zscaler Client Connector on the endpoint. This means that a public DNS CNAME must be created to map *.portal.sharkdemo.com to the Zscaler Private Access cloud.

Figure 5. Wildcard CNAME record

Next, we associate the server group (for load distribution and health monitoring) and application segment group (for policy) with this Application Segment. An AppConnector was previously created (outside the scope of this document) and associated with this server group.

Figure 6. Server Group/Application Segment Group Association

Access Policy

An access policy was created to allow access to the Frame application. In this case, an allow policy was created that granted access to the Application Segment group (ZScalerDemo_AWS_VPC_Services) that the Frame application segment is associated with.

Figure 7. Access Policy

Now, if a user opens a web browser and types in the URL .portal.sharkdemo.com, it will resolve to the "exporter" component of the ZPA cloud service:

Figure 8. Verify DNS

User Portal

For ease of use, a user portal was created which will have a direct link to the Frame DaaS application. A user portal allows the actual Frame link to be private and allows for other associated applications to be made available to the user community.

Figure 9. Define User Portal

The details of the Frame instance on the user portal are shown below.

Figure 10. Frame instance details

Additional configuration is needed to support the Frame service in Browser Access Mode. These overrides must be configured by Zscaler Support:

POST: /zpn/api/v1/admin/configOverrides
Request Body:
{
"configKey": "config.feature.samesite_none",
"configValue": "enabled",
"configValueInt": 1,
"customerId": ***,
"targetGid": ***,
"targetType": "customer"
}

POST: /zpn/api/v1/admin/configOverrides
Request Body:
{
"configKey": "config.feature.cors_enabled",
"configValue": "enabled",
"configValueInt": 1,
"customerId": ***,
"targetGid": ***,
"targetType": "customer"
}

Private DNS

To make sure the connections get routed properly, the Zscaler AppConnector will need to be able to resolve the DNS names that Frame uses to the appropriate workload IP. To do this, create a hosts file on the AppConnector Virtual Appliance with an entry for every possible workload private IP address, each pointing to the corresponding workload VM (e.g., 10-0-100-50.portal.sharkdemo.com needs a local hosts entry pointing to 10.0.100.50).
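As an added example (not code from the original post, Nutanix or Zscaler), the script below generates the AppConnector hosts-file entries for the workload subnets and decodes a Frame hostname back to its IP, accepting only addresses inside those subnets so that a name encoding some other internal address is never mapped. The base domain is the one used in the post; the subnet list is an assumption.

```python
import ipaddress
import re

# Base domain from the blog example; the workload subnets are assumed
# (constructed for this example) and should match where Frame deploys VMs.
BASE_DOMAIN = "portal.sharkdemo.com"
WORKLOAD_SUBNETS = ["10.0.100.0/24", "10.0.101.0/24"]

# Frame names a workload by dash-joining its private IPv4 octets,
# e.g. 10-0-100-50.portal.sharkdemo.com -> 10.0.100.50
_LABEL_RE = re.compile(r"^(\d{1,3})-(\d{1,3})-(\d{1,3})-(\d{1,3})$")


def hostname_for(ip):
    """Return the Frame workload hostname for a private IPv4 address."""
    addr = ipaddress.IPv4Address(ip)
    return f"{str(addr).replace('.', '-')}.{BASE_DOMAIN}"


def ip_for(hostname, subnets=WORKLOAD_SUBNETS):
    """Decode <a-b-c-d>.<BASE_DOMAIN> to its IP, or None if the name is not
    exactly in that form or the address is outside the workload subnets."""
    label, sep, domain = hostname.lower().partition(".")
    if not sep or domain != BASE_DOMAIN:
        return None
    m = _LABEL_RE.match(label)
    if not m:
        return None
    try:
        addr = ipaddress.IPv4Address(".".join(m.groups()))
    except ipaddress.AddressValueError:  # octet > 255 or leading zeros
        return None
    if not any(addr in ipaddress.IPv4Network(n) for n in subnets):
        return None
    return str(addr)


def hosts_entries(subnets=WORKLOAD_SUBNETS):
    """Build one hosts-file line per usable address in the workload subnets."""
    lines = []
    for net in (ipaddress.IPv4Network(n) for n in subnets):
        for addr in net.hosts():
            lines.append(f"{addr}\t{hostname_for(str(addr))}")
    return lines


if __name__ == "__main__":
    # Append this output to the hosts file on the AppConnector appliance.
    print("\n".join(hosts_entries()))
```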

Finalize Frame Configuration

Now you will need to contact the Frame support team and indicate that you need to change your Frame account to support a "Custom base domain name". You will provide the Frame account name and the DNS domain you are using on your ZPA (in this example *.portal.sharkdemo.com). The Frame support team will be able to update your Frame account to use that domain. When your users launch a virtualized application or desktop, Frame will direct the users to the workloads using the custom domain.

End User Experience

To access their virtualized applications and/or desktops, the end user starts by connecting to the Zscaler portal https://portal.sharkdemo.com, where they will need to log on with their Zscaler username.

Figure 11. Portal Login

The user will be redirected to the third-party identity provider configured within Zscaler.

Figure 12. Identity provider login

Once authenticated, the user is redirected to the ZPA User Portal.

Figure 13. ZPA User Portal

Select the Nutanix Frame application, Windows Desktop ABC.

This will direct the user to the Nutanix Frame Launchpad. Nutanix Frame will redirect the user to the third-party identity provider configured for user authentication.

Figure 14. Connect to Frame Launchpad

Once the user has authenticated to the identity provider and returned back to Frame, Frame will verify the user has authorization to access the desktop.

The user waits while the DaaS instance spins up on the backend (this could take a minute).

Figure 15. Loading Desktop

The user's Desktop as a Service instance will then appear.

Figure 16. Frame Session

Conclusion

Combining Zscaler's "security as a service" products with Frame DaaS allows enterprises to leverage leading "as a service" products to deliver a secure, performant desktop experience to any user with a browser. Using a Zscaler AppConnector service removes the need for the customer to set up and maintain a DMZ or a Streaming Gateway Appliance, easing the overall administrative experience. Zscaler also provides additional protection of important corporate data resources by ensuring that the corporate data never leaves the private network except through approved security processes.

About the Author

Dizzion

Dizzion was founded in 2011 with a visionary mission to redefine the way the world works.

In an era of legacy Virtual Desktop Infrastructure (VDI), Dizzion set out to challenge the status quo by making it simple for all customers to transform their workspace experience. By building a powerful automation and services platform on top of the VMware stack, Dizzion delivered virtual desktops as a service before Desktop as a Service (DaaS) even existed.

David Horvath

Senior Solutions Architect

William Wong is the VP of Service Delivery for Dizzion, responsible for service delivery (professional and managed services), solutions architecture, and support. He works actively with customers to transform their business and operations leveraging DaaS in a hybrid and multi-cloud world. Before joining Dizzion as part of the Frame spinout from Nutanix, William was Head of Enterprise Solutions at Frame and following Nutanix's acquisition of Frame in 2018, Director of Solutions Architecture (Frame) at Nutanix. Prior to his work in DaaS, William led the development and adoption of innovative Internet software solutions and services, including Internet-based credit card and check processing and eCommerce platforms. William spent over 30 years at Cancer Commons, NetDeposit, Hewlett-Packard, VeriFone, and multiple Internet, payment, and eCommerce startups in executive management, program management, engineering management, and executive advisory positions. William received his B.S., M.S., and Ph.D. in Electrical Engineering from Stanford University.

Rich Johnson

Senior Solutions Engineer, ZScaler Technology

Rich Johnson is a senior solutions engineer with Zscaler Technology. He has spent the past 30 years working in the networking and computer security industry supporting the US Department of Defense.

James Happel

Systems Engineer, ClearShark

James Happel is a Systems Engineer with ClearShark. He has been with ClearShark for almost 3 years and prior to that spent 15 years working on various projects with the US Department of Defense.
