Transcript
In this series of short videos, we'll be taking a look at recommendations for forwarding your traffic to the Zero Trust Exchange. This is Part 8, Disaster Recovery. Zscaler heavily recommends that you configure Disaster Recovery for Zscaler Internet Access, so that we can continue to provide secure access to the Internet for your users, even in the event of a Zero Trust Exchange outage. Configuring Disaster Recovery for ZIA is a three-step process. First, you should decide how ZIA should behave when in Disaster Recovery mode. You have the choice of three behaviors. One, Fail Open mode. In this mode, users go directly to the Internet, bypassing ZIA entirely with no security restrictions. This is generally not recommended, as users will not be protected for the duration of the outage. Two, Fail Close mode. If selected, users will have no access to the Internet during Disaster Recovery. This is the most secure option, but is generally not recommended, as it will leave your users unable to work during outages. Third, Controlled Fail Open. This allows the client connector to allow access to destinations based on policy you have defined in a custom Disaster Recovery pack file, which is hosted on your own infrastructure. This is the recommended failover action in most cases, and it will allow your users to continue to use any critical business applications you have defined while the outage is resolved, while continuing to block access to potentially risky or malicious domains. Once this choice is made, the second step of the process is to perform a one-time Disaster Recovery configuration. If you've chosen to go with the Controlled Fail Open mode, configure and host your custom Disaster Recovery pack file that will define what destinations users are allowed access to. Then, pre-create your Disaster Recovery activation DNS records inside the ZIA admin portal. You should make sure to create separate records to activate Disaster Recovery for all users to enter Disaster Recovery test mode and to disable Disaster Recovery. Finally, define your processes for triggering Disaster Recovery mode. Note that triggering Disaster Recovery mode for ZIA is a manual process. The final step is to test Disaster Recovery mode to validate that it works as expected. To do this, create or edit an app profile in the ZCC admin portal and enable the Activate Test Mode setting for that app profile, then assign it to your test users. Then, trigger Disaster Recovery test mode by uploading the test mode DNS record you pre-created to the DNS server for the configured Disaster Recovery domain name. This will trigger Disaster Recovery for users who have the test mode app profile. Verify that these users are only able to access the destinations you configured in your custom Disaster Recovery pack file. Once you have validated this, deactivate DR mode by uploading the Disaster Recovery deactivation DNS record. Zscaler recommends that you perform the steps to test Disaster Recovery mode on a regular basis, at least once every 12 months. That's it for this video. Thanks for watching.