Zscaler Private Access MCP Server
Create a powerful Model Context Protocol (MCP) server for Zscaler Private Access (ZPA) in minutes with our AI Gateway. This guide walks you through setting up seamless zero trust network access integration with enterprise-grade security and instant OAuth authentication.
About Zscaler Private Access API
Zscaler Private Access (ZPA) provides secure, zero trust access to private applications without exposing them to the internet. It delivers application-specific access based on identity and context, eliminating the need for traditional VPNs.
Key Capabilities
- Zero Trust Access: Identity-based application access
- Application Segmentation: Microsegmentation at app level
- User Experience: Seamless, VPN-less access
- Policy Engine: Granular access controls
- Connector Management: App connector deployment
- Service Edge: Global cloud infrastructure
- Risk-based Access: Contextual security
- Integration: SAML, SCIM, API support
API Features
- Application API: App configuration
- Policy API: Access policy management
- Connector API: Connector management
- OAuth 2.0: Secure authentication
- Segment API: Microsegmentation
- Analytics API: Access insights
- SAML API: IdP integration
- Provisioning API: User/group sync
What You Can Do with Zscaler ZPA MCP Server
The MCP server transforms ZPA API into a natural language interface, enabling AI agents to:
Application Management
-
App Configuration
- "Add new private application"
- "Configure app segments"
- "Set application domains"
- "Define health checks"
-
App Discovery
- "Discover internal applications"
- "Map application dependencies"
- "Identify shadow IT"
- "Track app usage"
-
App Groups
- "Create application groups"
- "Group by business unit"
- "Set group policies"
- "Manage app relationships"
Access Policy Management
-
Policy Creation
- "Create finance app policy"
- "Set contractor access rules"
- "Configure time-based access"
- "Define location restrictions"
-
Conditional Access
- "Require MFA for sensitive apps"
- "Check device compliance"
- "Verify user risk score"
- "Enforce browser isolation"
-
Policy Testing
- "Test policy effectiveness"
- "Simulate user access"
- "Validate rule logic"
- "Preview policy impact"
Connector Management
-
Connector Deployment
- "Deploy new connectors"
- "Configure connector groups"
- "Set redundancy rules"
- "Monitor connector health"
-
Connector Operations
- "Update connector versions"
- "Restart connectors"
- "Check connectivity"
- "View diagnostics"
-
Load Balancing
- "Configure load distribution"
- "Set failover rules"
- "Monitor performance"
- "Optimize routing"
User & Group Management
-
User Access
- "Grant user access"
- "Revoke permissions"
- "Set access duration"
- "Track user activity"
-
Group Policies
- "Create department groups"
- "Sync from Active Directory"
- "Set group permissions"
- "Manage inheritance"
-
SCIM Provisioning
- "Sync users from IdP"
- "Automate provisioning"
- "Handle deprovisioning"
- "Map attributes"
Analytics & Monitoring
-
Access Analytics
- "Show user access patterns"
- "Track application usage"
- "Monitor failed attempts"
- "Analyze access trends"
-
Performance Metrics
- "Measure app latency"
- "Track connector performance"
- "Monitor user experience"
- "Identify bottlenecks"
-
Security Insights
- "Detect anomalous access"
- "Track risky behaviors"
- "Monitor policy violations"
- "Score access risk"
Security Controls
-
Microsegmentation
- "Create app segments"
- "Isolate critical apps"
- "Define trust boundaries"
- "Control lateral movement"
-
Browser Isolation
- "Enable for risky apps"
- "Configure isolation policies"
- "Set rendering rules"
- "Control downloads"
-
Inspection Policies
- "Enable content inspection"
- "Configure DLP rules"
- "Set malware scanning"
- "Monitor data movement"
Integration Management
-
IdP Integration
- "Configure SAML SSO"
- "Set up OIDC"
- "Map user attributes"
- "Test authentication"
-
SIEM Integration
- "Stream access logs"
- "Send security events"
- "Configure webhooks"
- "Export audit trails"
-
API Automation
- "Automate provisioning"
- "Sync configurations"
- "Orchestrate policies"
- "Integrate workflows"
Incident Response
-
Access Investigation
- "Investigate suspicious access"
- "Trace user activity"
- "Analyze access patterns"
- "Review policy decisions"
-
Emergency Actions
- "Emergency access revoke"
- "Disable applications"
- "Block user groups"
- "Isolate connectors"
-
Forensics
- "Export access logs"
- "Generate audit reports"
- "Create timeline"
- "Document incidents"
Prerequisites
- Access to Cequence AI Gateway
- Zscaler ZPA subscription
- Admin API credentials
- Customer ID
Step 1: Generate ZPA API Credentials
1.1 Access ZPA Admin Portal
- Log in to ZPA admin portal
- Navigate to Administration > API Keys
- Click Add API Key
1.2 Create API Client
- Enter details:
- Name: "AI Gateway ZPA MCP"
- Description: "Zero trust access integration"
- Admin Role: Select role
1.3 Configure Permissions
Select scopes:
- Application Management: Read/Write
- Policy Management: Read/Write
- Connector Management: Read/Write
- Analytics: Read
- Logs: Read
1.4 Save Credentials
- Click Create
- Copy Client ID
- Copy Client Secret
- Note Customer ID
Step 2-4: Standard Setup
Follow standard steps to access AI Gateway, find Zscaler ZPA API, and create MCP server.
Step 5: Configure API Endpoints
- Base URL:
https://config.private.zscaler.com - Select endpoints:
- Application endpoints
- Policy endpoints
- Connector endpoints
- Analytics endpoints
- Click Next
Step 6: MCP Server Configuration
- Name: "Zscaler Private Access"
- Description: "Zero trust network access"
- Configure production mode
- Click Next
Step 7: Configure Authentication
- Authentication Type: OAuth 2.0 (Client Credentials)
- Token URL:
https://config.private.zscaler.com/signin - Grant Type:
client_credentials - Enter Client ID and Secret
- Add Customer ID header
Available Zscaler ZPA API Scopes
Application Management
-
Applications
- Application configuration
- Segment management
- Domain management
- Health monitoring
-
Application Groups
- Group creation
- Member management
- Policy assignment
- Inheritance control
Policy Management
-
Access Policies
- Policy creation
- Rule configuration
- Condition setup
- Priority management
-
Timeout Policies
- Session timeouts
- Idle timeouts
- Reauthentication
- Policy enforcement
Infrastructure
-
Connectors
- Connector management
- Group configuration
- Health monitoring
- Version control
-
Service Edges
- Edge selection
- Geographic routing
- Performance optimization
- Failover configuration
Recommended Scope Combinations
For Security Teams:
Application Management (Read)
Policy Management (Read/Write)
Analytics (Read)
Logs (Read)
For IT Administrators:
Application Management (Read/Write)
Policy Management (Read/Write)
Connector Management (Read/Write)
User Management (Read/Write)
Analytics (Read)
Step 8-10: Complete Setup
Configure security, choose deployment, and deploy.
Using Your Zscaler ZPA MCP Server
With Claude Desktop
{
"servers": {
"zscaler-zpa": {
"url": "your-mcp-server-url",
"auth": {
"type": "oauth2",
"client_id": "your-client-id",
"client_secret": "your-client-secret",
"customer_id": "your-customer-id"
}
}
}
}
Natural Language Commands
- "Create access policy for HR applications"
- "Show all connectors in US-East region"
- "Grant temporary access to contractor for CRM app"
- "Investigate failed access attempts for finance apps"
- "Configure MFA requirement for admin applications"
API Integration Example
// Initialize MCP client
const mcpClient = new MCPClient({
serverUrl: 'your-mcp-server-url',
auth: {
type: 'oauth2',
clientId: 'your-client-id',
clientSecret: 'your-client-secret',
customerId: 'your-customer-id'
}
});
// Create application segment
const appSegment = await mcpClient.zscaler.zpa.createApplicationSegment({
name: "Internal CRM Application",
description: "Customer relationship management system",
enabled: true,
healthCheckType: "DEFAULT",
domainNames: ["crm.internal.company.com"],
serverGroups: [{
id: "216199618143442001" // Server group ID
}],
segmentGroupId: "216199618143442051",
tcpPortRanges: ["443", "443"],
udpPortRanges: [],
icmpAccessType: "NONE",
bypassType: "NEVER",
healthReporting: "ON_ACCESS",
ipAnchored: false,
isCnameEnabled: true
});
// Create access policy
const accessPolicy = await mcpClient.zscaler.zpa.createAccessPolicy({
name: "CRM Access Policy",
description: "Policy for CRM application access",
action: "ALLOW",
operator: "AND",
policySetId: "216199618143442050", // Global policy set
conditions: [
{
operator: "OR",
operands: [
{
objectType: "APP",
lhs: "id",
rhs: appSegment.id
}
]
},
{
operator: "OR",
operands: [
{
objectType: "SAML",
lhs: "department",
rhs: "Sales"
},
{
objectType: "SAML",
lhs: "department",
rhs: "Marketing"
}
]
},
{
operator: "OR",
operands: [
{
objectType: "POSTURE",
lhs: "compliance",
rhs: "compliant"
}
]
}
]
});
// Configure app connector group
const connectorGroup = await mcpClient.zscaler.zpa.createAppConnectorGroup({
name: "US-East Connectors",
description: "Connectors for US East region",
enabled: true,
cityCountry: "New York, US",
location: "New York",
latitude: "40.7128",
longitude: "-74.0060",
versionProfile: {
id: "1" // Default version profile
},
overrideVersionProfile: false,
upgradeDay: "SUNDAY",
upgradeTimeInSecs: "66600", // 2:30 AM
dnsQueryType: "IPV4"
});
// Monitor connector health
const connectorHealth = await mcpClient.zscaler.zpa.getConnectorHealth({
groupId: connectorGroup.id
});
for (const connector of connectorHealth.connectors) {
console.log(`Connector: ${connector.name}`);
console.log(`Status: ${connector.enrollmentStatus}`);
console.log(`Version: ${connector.currentVersion}`);
console.log(`CPU: ${connector.cpuUtilization}%`);
console.log(`Memory: ${connector.memoryUtilization}%`);
console.log(`Last Seen: ${connector.lastSeenTime}`);
if (connector.cpuUtilization > 80 || connector.memoryUtilization > 80) {
// Scale out connectors
await scaleConnectorGroup(connectorGroup.id);
}
}
// User access analytics
const accessAnalytics = await mcpClient.zscaler.zpa.getAccessAnalytics({
startTime: Date.now() - 24 * 60 * 60 * 1000,
endTime: Date.now(),
groupBy: ["user", "application", "accessType"],
metrics: ["accessCount", "uniqueUsers", "dataTransferred", "sessionDuration"]
});
console.log("\nTop Application Usage:");
for (const app of accessAnalytics.topApplications) {
console.log(`${app.name}:`);
console.log(` Users: ${app.uniqueUsers}`);
console.log(` Sessions: ${app.accessCount}`);
console.log(` Avg Duration: ${app.avgSessionDuration} min`);
console.log(` Data: ${app.dataTransferred / 1024 / 1024} MB`);
}
// Conditional access based on risk
const riskBasedPolicy = await mcpClient.zscaler.zpa.createConditionalAccessPolicy({
name: "High Risk User Policy",
description: "Enhanced security for risky users",
action: "REQUIRE_APPROVAL",
conditions: [
{
type: "USER_RISK_SCORE",
operator: "GREATER_THAN",
value: "75"
},
{
type: "APPLICATION_RISK",
operator: "IN",
value: ["HIGH", "CRITICAL"]
}
],
actions: [
{
type: "BROWSER_ISOLATION",
enabled: true
},
{
type: "SESSION_RECORDING",
enabled: true
},
{
type: "APPROVAL_REQUIRED",
approvers: ["security-team@company.com"]
}
]
});
// Emergency access revocation
const emergencyRevoke = async (username, reason) => {
// Revoke all user sessions
const sessions = await mcpClient.zscaler.zpa.getUserSessions({
username: username
});
for (const session of sessions.data) {
await mcpClient.zscaler.zpa.revokeSession({
sessionId: session.id
});
}
// Block user access
await mcpClient.zscaler.zpa.createBlockPolicy({
name: `Emergency Block - ${username}`,
description: `Emergency block: ${reason}`,
action: "DENY",
conditions: [{
type: "USER",
value: username
}],
priority: 1, // Highest priority
expiresAt: Date.now() + 24 * 60 * 60 * 1000 // 24 hours
});
// Notify security team
await notifySecurityTeam({
event: "emergency_access_revoke",
user: username,
reason: reason,
timestamp: new Date().toISOString()
});
};
// Application discovery
const discoveredApps = await mcpClient.zscaler.zpa.discoverApplications({
networks: ["10.0.0.0/8", "172.16.0.0/12"],
ports: [80, 443, 8080, 8443],
discoveryMethods: ["port_scan", "certificate_scan", "service_detection"]
});
console.log(`\nDiscovered ${discoveredApps.total} applications:`);
for (const app of discoveredApps.applications) {
console.log(`- ${app.name || app.hostname}`);
console.log(` IP: ${app.ipAddress}`);
console.log(` Ports: ${app.ports.join(', ')}`);
console.log(` Certificate: ${app.certificate?.subject || 'None'}`);
console.log(` Confidence: ${app.confidence}%`);
// Auto-onboard high confidence apps
if (app.confidence > 90 && !app.isOnboarded) {
await onboardDiscoveredApp(app);
}
}
// Microsegmentation setup
const microSegment = await mcpClient.zscaler.zpa.createMicrosegment({
name: "Finance Apps Segment",
description: "Isolated segment for financial applications",
applications: [
{ id: "app1", name: "ERP System" },
{ id: "app2", name: "Payment Gateway" }
],
allowedUsers: ["finance-team"],
allowedGroups: ["Finance", "Audit"],
isolationPolicy: "STRICT",
inspectionEnabled: true,
recordingSessions: true
});
// Generate compliance report
const complianceReport = await mcpClient.zscaler.zpa.generateComplianceReport({
framework: "SOC2",
period: {
start: "2025-01-01",
end: "2025-01-31"
},
sections: [
"access_control",
"least_privilege",
"segmentation",
"monitoring",
"audit_logs"
],
includeEvidence: true
});
// Real-time monitoring
const monitor = await mcpClient.zscaler.zpa.startRealtimeMonitoring({
events: [
"access_granted",
"access_denied",
"policy_violation",
"connector_health",
"suspicious_activity"
]
});
monitor.on('event', async (event) => {
console.log(`Event: ${event.type}`);
console.log(`Details: ${JSON.stringify(event.data)}`);
if (event.type === 'suspicious_activity') {
await investigateSuspiciousActivity(event);
}
});
Common Use Cases
Zero Trust Access
- Application-specific access
- Identity-based policies
- Contextual access control
- Least privilege enforcement
Application Security
- Application discovery
- Microsegmentation
- Browser isolation
- Session recording
Connector Management
- Deployment automation
- Health monitoring
- Load balancing
- Failover configuration
Compliance & Audit
- Access auditing
- Policy compliance
- Report generation
- Evidence collection
Security Best Practices
-
API Security:
- Use OAuth 2.0 tokens
- Implement token rotation
- Monitor API usage
- Apply rate limiting
-
Access Control:
- Implement least privilege
- Use conditional access
- Require MFA for sensitive apps
- Regular access reviews
-
Monitoring:
- Enable session recording
- Monitor anomalies
- Track policy violations
- Real-time alerting
Troubleshooting
Common Issues
-
Connection Problems
- Verify connector status
- Check network connectivity
- Review firewall rules
- Validate DNS resolution
-
Access Denied
- Check policy configuration
- Verify user attributes
- Review policy priority
- Test with policy simulator
-
Performance Issues
- Monitor connector load
- Check geographic routing
- Review connection paths
- Optimize policy rules
Getting Help
- Documentation: AI Gateway Docs
- Support: support@cequence.ai
- Zscaler Support: help.zscaler.com
Copyright © 2025 Cequence Security.