Zscaler is a cloud-hosted service, supported by Enterprise Shared Services (ESS), that is currently available to end users within QualityNet organizations. Zscaler was chosen, piloted and deployed due to its ease of use, tight security and cost feasibility. Zscaler will be the preferred method to access tools and applications residing on the QualityNet network as we retire our legacy VPN connectivity technology.
title | Who Will Get Zscaler? |
---|
| The users that require access to the Zscaler solution consist of contractors approved for services connecting to the QualityNet network, including but not limited to those listed below.
- AWS Environment
- Splunk
- CloudBees Jenkins
- Ansible Tower
- Tenable Nessus
- Nexus RM
- Nexus IQ
- CMSNet resources
- CyberArk
- CASPER
- CloudBees Jenkins Enterprise (CJE)
|
For requests outside of the initial onboarding process please refer to the Getting Started tab. |
Horizontal Navigation Bar Page |
---|
title | Getting Started |
---|
title | Quick Start Notes |
---|
| - Zscaler utilizes a client which must be installed on any Contractor Furnished Equipment (CFE)/Government Furnished Equipment (GFE) computer that will use it.
- Zscaler must be configured for an organization before it can be used on CFE/GFE computers.
- End users must be approved by their SO within HARP prior to obtaining access. Follow steps in Requesting the Zscaler User Access Role within HARP below.
- Contractors installing Zscaler will need administrator rights to successfully install the client.
|
The Zscaler Adoption Process
Organizations Seeking Zscaler
If you are a new organization and need access to the QualityNet environment, you will require Zscaler. These organizations will be granted access during the ISG contract onboarding process. For more information, please contact the Contract Engagement team at ISGContractorOnboardingServices@cms.hhs.gov. For new organizations, Contract Onboarding can assist you through these processes.
title | ORGANIZATIONS REQUESTING ZSCALER |
---|
| Listed below are the steps for an organization to request Zscaler. Expand the steps below to view the process.
Expand |
---|
title | Step 1: Obtain a HARP ID. |
---|
| All Zscaler users will require a valid HARP ID. For instructions on the process, refer to the HARP page.
|
Expand |
---|
title | Step 2: Install Zscaler. |
---|
| Organizations are required to install the Zscaler client on their corporate machines. Please refer to the Zscaler Installation Instructions page to download copies of installation guides as well as the client installation packages. Additionally, the client installation packages can be obtained by contacting the Service Center at 866-288-8914 (TRS: 711), via the Slack channel help-service-center-sos, or via email at ServiceCenterSOS@cms.hhs.gov. If you have issues, please submit a Service Request within ServiceNow requesting support for Zscaler Installation. The ticket will be routed to the HIDS Service Delivery End-User & Access team.
|
Expand |
---|
| Once your organization is added to the vetted list, your end users can utilize HARP to request Zscaler as a service. The SO will be able to automatically approve requests from end users.
|
Expand |
---|
title | Step 4: Ready to Go. |
---|
| Once your organization has been added to the vetted list, Zscaler has been installed and the end user has been approved via HARP, you are ready to access and use Zscaler. For information on how to get started, please refer to the Zscaler User Guide.
|
|
If Your Organization Already Has Zscaler and You Are a New User - How to Request?
title | REQUESTING THE ZSCALER USER ACCESS ROLE WITHIN HARP |
---|
| Once you have created your HARP account (For instructions on the process, refer to the HARP page), the next step is to request the Zscaler User Access User role. Expand the steps below to view the process.
Expand |
---|
title | Step 1: Go to https://harp.qualitynet.org/ and log in to your HARP account which will take you to your User Profile. From there, select “User Roles” |
---|
| Go to https://harp.qualitynet.org and log into your HARP account. ![](/download/attachments/146770258/Slack1.PNG?version=1&modificationDate=1616589599046&api=v2)
|
Expand |
---|
title | Step 2: Request a role |
---|
| ![](/download/attachments/146770258/Slack2.PNG?version=1&modificationDate=1616589598763&api=v2)
|
Expand |
---|
title | Step 3: Select the QualityNet Zscaler Program. |
---|
| ![](/download/attachments/146770258/Select%20a%20Program.PNG?version=1&modificationDate=1616589598414&api=v2)
|
Expand |
---|
title | Step 4: Select your Organization. |
---|
| ![](/download/attachments/146770258/Select%20an%20Org1.png?version=1&modificationDate=1616589598126&api=v2)
|
Expand |
---|
title | Step 5: Select the Zscaler User role. |
---|
| ![](/download/attachments/146770258/Select%20Role1.png?version=1&modificationDate=1616589597784&api=v2)
|
Expand |
---|
title | Step 6: You will be notified via email when your role has been approved. |
---|
| Once your role has been approved by your SO, you will then have access to Zscaler |
|
|
Horizontal Navigation Bar Page |
---|
title | Resources |
---|
Tabs Page |
---|
title | 1. Introduction - The Zscaler App |
---|
| Zscaler is a cloud-hosted, HIDS-supported service available to end users requiring access to tools and applications residing on the CMS HCQIS network. Utilizing Okta/HARP for authentication, Zscaler will be used more and more as we phase out our VPN connectivity technologies. It was selected, piloted, and deployed due to its ease of use, tight security, and cost feasibility. |
Tabs Page |
---|
title | 2. Starting the Zscaler App in Windows 10 |
---|
| Open the Zscaler App
Some organizations may choose to have Zscaler open automatically when your computer is started or upon a reboot. If the application does not start automatically, do as follows.
1) Click the Windows Start Button.
![](/download/attachments/146770258/image-2023-8-31_13-49-52-1.png?version=1&modificationDate=1693504193278&api=v2)
Figure 1: Windows Start Button in Windows 10 System Tray
2) To start the application, select Zscaler.
![](/download/thumbnails/146770258/image-2023-8-31_13-53-0-1.png?version=1&modificationDate=1693504381455&api=v2)
Figure 2: Zscaler App on Windows 10 Menu
Logging into the Zscaler App
Once you launch the application, the Zscaler login screen appears as shown below.
1) Click Login (or press Enter on your keyboard), and you will be directed to the Zscaler HARP Login screen.
![](/download/attachments/146770258/image-2023-8-31_13-54-35-1.png?version=1&modificationDate=1693504475909&api=v2)
Figure 3: Zscaler App on Windows 10 Menu
2) Fill out the HARP login screen.
- Enter your HARP Username (HARP ID).
- Enter your HARP
- Click in the checkbox to agree with the terms of use.
- Click the Sign In button (or press Enter on your keyboard).
![](/download/attachments/146770258/image-2023-8-31_13-56-19-1.png?version=1&modificationDate=1693504580267&api=v2)
Figure 4: Zscaler HARP Login Screen
3) After Zscaler accepts your entries from the login screen, you will be required to submit a code for the two-factor authentication method that you chose when creating your HARP ID. For this scenario, Short Message Service (SMS) was used. If you have chosen a different two-factor authentication method, your HARP authentication steps may vary. The other two-factor authentication choices are: Voice, Google Authenticator, Okta Verify, and Okta Verify Push.
- Click the Send code button to receive your CMS verification
- Enter the CMS verification code you received via your choice of two-factor authentication.
- Click the Verify button (or press Enter on your keyboard).
![](/download/attachments/146770258/image-2023-8-31_13-59-19-1.png?version=1&modificationDate=1693504760190&api=v2)
Figure 5: Authentication Screen
4) Depending upon your Windows 10 settings for alerts, you may see up to three alerts as the Zscaler app is loading.
Figure 6: App Loading Alerts
5) Once you are logged in, the following screen will be displayed.
NOTE: Username = HARP ID + Domain Created for all HCQIS users. The extension @qualnet.org is not an email address. |
![](/download/attachments/146770258/image-2023-8-31_14-6-21-1.png?version=1&modificationDate=1693505182040&api=v2)
Figure 7: Zscaler Connectivity Screen |
Tabs Page |
---|
title | 3. Logging out of the Zscaler App |
---|
| Logging out of the Zscaler App
Use the following steps to log out of the Zscaler app.
1) Click the Right Arrow button on the top right of the Zscaler screen.
![](/download/attachments/146770258/image-2023-8-31_14-9-49-1.png?version=1&modificationDate=1693505389586&api=v2)
Figure 8: Logout Button on Zscaler Screen
2) If you still wish to log out of the Zscaler app, press the Continue button (or press Enter on your keyboard). If you do not want to log out, press the Cancel button.
![](/download/attachments/146770258/image-2023-8-31_14-11-15-1.png?version=1&modificationDate=1693505475963&api=v2)
Figure 9: Logout Verification Screen
3) If you pressed the Continue button to log out, the screen will change as the application is logging out.
![](/download/attachments/146770258/image-2023-8-31_14-12-3-1.png?version=1&modificationDate=1693505523828&api=v2)
Figure 10: Stopping Service Message |
|
title | Security Guidelines |
---|
| |
|
title | Frequently Asked Questions |
---|
|
Expand |
---|
| Zscaler is an alternative to VPN that utilizes a different method of allowing users access to resources within an internal network. It uses tunneling to transmit data between the client and the desired resource. This approach eliminates the need to have clients enter into the network directly, as is done with VPN. The Zscaler solution is made up of two primary modules: Zscaler Internet Access (ZIA) and Zscaler Private Access (ZPA). |
Expand |
---|
title | What is Zscaler Internet Access (ZIA)? |
---|
| Zscaler Internet Access (ZIA) is a secure Internet and web gateway delivered as a service from the cloud. Before traffic reaches the user, ZIA inspects every byte of it inline across multiple security techniques, even within SSL, providing full protection from web and Internet threats. |
Expand |
---|
title | What is Zscaler Private Access (ZPA)? |
---|
| Zscaler Private Access (ZPA) provides secure remote access. It works by abstracting a private, internal application from the network on which it resides and providing authorized users with access to specific applications via encrypted, per-session micro tunnels that are created on demand. |
Expand |
---|
title | What can I do with Zscaler? |
---|
| When logged into Zscaler (utilizing both ZIA and ZPA), you will be able to reach tools residing on the QualityNet network such as AWS or QualityNet applications. It will also allow access to Internet-facing sites that your organization’s firewall and anti-virus policies permit. |
Expand |
---|
title | What can't I do with Zscaler? |
---|
| When logged into Zscaler (utilizing both ZIA and ZPA), you will not be able to access anything that your organization's firewall or anti-virus policies prohibit. Please reach out to your IT Administrator for information regarding your organization's firewall and anti-virus policies. |
Expand |
---|
title | How can I get Zscaler? |
---|
| Please refer to the How to Request Zscaler Confluence Page. This page provides information for New and Existing QualityNet contractors. SOs should be submitting requests for Zscaler via a ServiceNow request or inquiry with the QualityNet Service Desk. The "How to Request Zscaler" Confluence page lays out all these details. |
Expand |
---|
title | Can I use Outlook with Zscaler? |
---|
| Yes. You can use the Outlook desktop application or Outlook on the Web (formerly known as OWA). However, the Outlook desktop application is not fully compatible with Zscaler for QualityNet email, so the web version is recommended. |
Expand |
---|
title | Can I access HCQIS email while on Zscaler? |
---|
| Yes. You can access your QualityNet email while using Zscaler. |
Expand |
---|
title | Can I log out of ZIA and continue with just ZPA? |
---|
| No. The reason for this configuration is to enforce protection of the computer while connected to QualityNet using Zscaler. ZIA provides threat protection for Internet traffic, reducing the overall risk that the computer will become infected by an external threat while connected to QualityNet. Only a Zscaler Private Access Administrator (not a local IT Admin) can turn off ZIA and still remain active with their ZPA account. |
Expand |
---|
title | Can I log out of ZPA and continue with just ZIA? |
---|
| Yes. However, you will not be able to access information or tools residing on the QualityNet network, such as AWS or QualityNet applications like those residing on QualityNet.org. |
Expand |
---|
title | Does Zscaler replace VPN, VDI or both? |
---|
| The intent is for both QualityNet VPN and QualityNet VDI to no longer be needed. Zscaler is intended to be the preferred method of connectivity to QualityNet network tools and applications. With the move to CFE/GFE, and the ability to directly connect to resources within QualityNet, Zscaler will eliminate the need for QualityNet VPN and VDI to be used. |
Expand |
---|
title | How can I do my work with Zscaler if I am currently using HCQIS VPN? |
---|
| If you were previously a QualityNet VPN user, your experience with Zscaler will differ only minimally from that of VPN. Instead of logging into VPN, you will now log into Zscaler. You will not see any differences in how you access sites or tools, except that you will be on a CFE or GFE machine on which your organization may have different settings when browsing the Internet.
If QualityNet VPN remains on your machine and your access remains active, please note that Zscaler and VPN cannot work simultaneously and you would have to log out of one in order to use the other.
Reference the HCQIS Zscaler Users Guide for any login questions. |
Expand |
---|
title | Will Zscaler work with Corporate VPN? |
---|
| Yes. If your organization is using Split-Tunneling or Full-Tunneling settings within your VPN, please be prepared to share your VPN HostName (or IP) with HIDS End User & Access. Additional configurations may be required within your settings to properly route traffic, and allow users to access both corporate systems as well as QualityNet systems simultaneously. |
Expand |
---|
title | How can I do my work with Zscaler if I am currently using VDI? |
---|
| If you were previously a QualityNet VDI user, your experience will change in a positive way when using Zscaler. When using VDI, you are on a virtual desktop that has programs loaded onto it based on your role and organization. When using Zscaler, you will be logged only onto your laptop to access programs and tools that are installed or available via the Internet. Reference the HCQIS Zscaler Users Guide for any login questions. |
Expand |
---|
title | I am getting an Endpoint FW/AV error, what should I do? |
---|
| If you or an end user within your organization receives the error “Endpoint FW/AV Error” when logging into Zscaler, then your organization's Firewall (FW) or Antivirus (AV) is blocking Zscaler, causing it to be non-operational. To remedy this, your organization's IT Administrator will have to white-list a specific subnet within your FW or AV.
If you run into this issue during configuration or thereafter, please submit a ticket within ServiceNow referencing the error you received. HIDS will provide the proper subnet to white-list. |
Expand |
---|
title | I cannot access a tool, drive, host or server that I normally could? |
---|
| If you cannot access a tool, drive, host or server that you normally could prior to Zscaler, first bring this up with your organization's IT Administrator or colleagues to ensure that naming conventions are using Fully Qualified Domain Names (FQDN). An FQDN is the complete domain name for a specific computer, or host, on the internet. The FQDN consists of two parts: the hostname and the domain name. If FQDN names are being used or were added and access is still not available, then submit a ServiceNow ticket and assign it to the HIDS End User and Access Team. Please include detailed information such as the tool, host and server name. The HIDS End User and Access Team may have to add this tool, drive, host or server to your network segment group to ensure that everyone at your organization with access can get to it in the future. |
Expand |
---|
title | Can I use the Zscaler App on my Android, or iOS device? |
---|
| No, not at this time. The mobile (Android and iOS) policies have been disabled at this time. If the use of Zscaler via mobile becomes a necessity for a number of users, this feature could be addressed at a later time. |
Expand |
---|
title | What should I do if I need Zscaler support? |
---|
| If you are experiencing any issues with Zscaler such as installation, errors, loss of service or any other problems, please contact the Service Center at 866-288-8914 (TRS: 711) or via email at ServiceCenterSOS@cms.hhs.gov. Business hours are 7 am - 7 pm CDT Monday through Friday. Please provide as much information as possible, including error codes or screenshots, to allow for quick troubleshooting. |
Expand |
---|
title | What should I do if I am receiving a 403 App Not Assigned Error? |
---|
| If you are experiencing this error when attempting to log into Zscaler, your Security Point of Contact needs to open a ServiceNow request for your HARP ID to be configured for Zscaler. The ticket should be assigned to HIDS Security IAM. |
Expand |
---|
title | What should I do if I am receiving an Invalid Token Error? |
---|
| If you are experiencing this error when attempting to log into Zscaler, first verify that you are able to log in and that the token method set up for your HARP ID is working by going to https://harp.qualitynet.org/login/login. If you are able to log in there and the problem with logging into Zscaler continues, then try rebooting your workstation. |
Expand |
---|
title | Is BitLocker the only Windows Disk Encryption supported by Zscaler? |
---|
| According to Zscaler support, the only Windows Disk Encryption supported by Zscaler is BitLocker. All 3rd party encryption is not recognized. An Enhancement Request has been submitted "To provide 3rd party support for encryption products". However, there is no planned/expected release date at this time. |
Expand |
---|
title | Known Zscaler RHEL Connection Issue - Resolution - 4/6/2020 |
---|
| Issue: All RHEL and CentOS AMIs have routing settings that force the Zscaler networks over the Management interface on the host. Due to this static routing configuration, Zscaler connections will not be allowed to the Functional interface on the host. This will prevent users from being able to reach application web pages while logged into Zscaler. Currently VPN and VDI do not use this type of network configuration, so users can connect to both management and application interfaces on the same host.
To resolve this issue please go to the following page that provides detailed information: Linux FAQ |
Expand |
---|
title | Removing Users from Zscaler |
---|
| The ADO or Customer Success Manager will submit a ServiceNow Ticket assigned to the ESS-HARP team.
|