ZDTA EXAM STUDY GUIDE 2026
QUESTIONS AND DETAILED ANSWERS
The Zero Trust Exchange verifies identity and context via an IdP. Once this is verified policies can
be enforced to do what four actions? - ANSWER-1. Allow
2. Block
3. Isolate
4. Prioritize
Zscaler Private Access (ZPA) configures connectivity to private applications and resources hosted
where? - ANSWER-1. Infrastructure as a Service (IaaS)
2. Platform as a Service (PaaS)
3. Your private data center
Zscaler integrates with multiple IdP partners and can work with _______. - ANSWER-Zscaler can
integrate with Active Directory, Azure Active Directory, ADFS, Okta, Ping, or really any SAML 2.0-
compliant identity provider
Define Service Provider (SP) and the role it plays with IdP integration with Zscaler. - ANSWER-
Service Provider (SP) - The "Application" Also known as the Relying Party (RP) to the Identity
Provider (IdP) Employs the services of an IdP for the Authentication and Authorization of users
Zscaler acts as a SAML SP
Define Identity Provider (IdP) and the role it plays with IdP integration with Zscaler. - ANSWER-
IdP - Authenticates Users/Devices Provides Identifiers and Identity Assertions for users that wish
to access a service. IdP examples include: Okta, Ping, AD FS, Azure AD
Define Security Assertions and the role it plays with IdP integration with Zscaler. - ANSWER-Also
known as Tokens Issued to users by the IdP Presented to SPs / RPs to confirm authentication
Trust based on PKI Assertions may contain: Authentication, Attribute, or Authorization
statements
Describe the authentication flow for Zscaler utilizing SAML with an IdP initiated SSO. - ANSWER-
1. User Clicks an application.
2. User is redirected to Zscaler. (ZIA or ZPA pending request)
3. User clicks to log into Zscaler (ZIA or ZPA pending request)
,4. User is redirected to SAML IdP login (this can include user attributes and/or group
memberships)
5. User logs into IdP (this can include user attributes and/or group memberships)
6. IdP sends over assertion Identity to user (SAML assertion is encrypted)
7. User sends identity to Zscaler (SAML assertion is encrypted)
8. Zscaler issues auth token to user (assertion is verified)
9. User is given access to the application
What are the advantages of using SCIM? What are the disadvantages? - ANSWER-Advantages -
- Updates information automatically
- Allows users to be deleted (While Auto-Provisioning can add user information, it cannot delete
users from the database)
Disadvantages -
- Not supported by all IdPs
What operations are supported by SCIM? - ANSWER-1. Add Users: As they are assigned to the
ZPA SP in the source IDP
2. Delete Users: Remove ZPA access for users that are either removed from the ZPA SP in the
source IdP, or are removed from the directory completely.
3. Update Users: Update SCIM attributes dynamically (e.g. group memberships)
4. Apply Policy: Based on SCIM user or group attributes.
What is the Zscaler Client Connector (ZCC)? - ANSWER-It is a lightweight app that sits on users'
endpoints and enforces security policies and access controls regardless of device, location, or
application.
What is the recommended mode for Zscaler Client Connector (ZCC) to function when it's
forwarding traffic to Zscaler Internet Access (ZIA) - ANSWER-The recommended mechanism is to
use the Zscaler tunnel.
What are the three authenticated tunnel options (meaning that once the user is enrolled in
Zscaler Client Connector (ZCC)? - ANSWER-1. ZTunnel - Packet Filter Based
2. ZTunnel - Route-Based
,3. ZTunnel with Local Proxy
What are the additional options that support legacy implementations for ZCC? - ANSWER-1.
Enforced PAC mode, which basically instruments the PAC file in the browser, similar to what
you'd get from a group policy object. That means that the browser itself is forced to go to
Zscaler Internet Access via a specified proxy.
2.None, meaning that the policy is not going to do any configuration of proxy or tunneling
mode, and relies on the group policy object or the default configuration within the browser.
What type of tunnel is ZTunnel 1.0? - ANSWER-It is an HTTP CONNECT tunnel. So as traffic is
forwarded into the tunnel, it creates a CONNECT method toward the cloud. It doesn't really
encapsulate the traffic. It simply adds some header information
What type of tunnel is ZTunnel 2.0? - ANSWER-It is a DTLS (Datagram Transport Layer Security)
tunnel with fallback to TLS (Transport Layer Security) supporting all client traffic, which means
the Zscaler Firewall, as part of the Zero Trust Exchange, could inspect and apply policy on all
traffic.
Which is best practice ZTunnel 1.0 or 2.0? - ANSWER-With Z-Tunnel 2.0, which is the best
practice option, the tunnel is the control channel and a single tunnel from the client to the Zero
Trust Exchange. Any notifications from the Client Connector admin portal (aka. "Mobile Admin")
are passed through the Zero Trust Exchange directly to the client, and those happen in real time.
Set this up in order to make the decision as to which forwarding profile matches our desired
outcome. - ANSWER-Multiple trusted networks.
What are the enforcing proxy action types? - ANSWER-1. Automatically Detect Settings - The
client sends a WPAD (Web Proxy Auto-Discovery) lookup looking for a proxy.
2. Use Automatic Configuration Script - Explicitly configure where the Zscaler Client Connector
sets your custom system PAC file to download and run through that PAC file configuration for
traffic to be explicitly proxied to a proxy server. Also referred to as a forwarding PAC file.
3. Use Proxy Server for Your LAN -This is a hard-coded proxy import (IP address and a port or an
FQDN and a port) with the ability to bypass local addresses. A local address is something that is
non-fully qualified.
4. Execute GPO Update - The Windows machine will provide a GPO (Group Policy Object)
update/force from Active Directory to set the proxy settings on the machine.
What are the most common configuration items for an application profile? - ANSWER-1 Custom
PAC URL - References the PAC file configured in the ZIA Admin Portal, making decisions on traffic
that should be forwarded or bypassed from the Zero Trust Exchange.
, 2 Override WPAD - Ensures that the system GPO WPAD configuration is prevented, and makes
sure that the WPAD configuration in the forwarding profile is used as a precedence.
3· Restart WinHTTP - specific to Windows devices Ensures that the system refreshes all of the
proxy configuration once Zscaler Client Connector is established.
4· Install Zscaler SSL Certificate - Covered more in the next section. If you aren't pushing out
your own certificates from your own Certificate Authority, then simply enabling this option will
use the one provided by Zscaler. 23
5· Tunnel Internal Client Connector Traffic - Ensures that the health updates and policy traffic
passes through the Zscaler tunnels towards the Zero Trust Exchange. Or more specifically, it
doesn't go direct to the Zero Trust Exchange - it stays within the zero trust tunnels.
6· Cache System Proxy - Ensures that Zscaler Client Connector stores the system proxy state
from before it was installed or enabled, and makes sure that when Zscaler Client Connector is
uninstalled or disabled, a system proxy configuration is reverted and the user can continue to
function as before. And that the Zscaler Client Connector reverts to previous versions of the
Zscaler Client Connector software in the event of an upgrade issue.
What root CA options can ZCC deploy? - ANSWER-1. the Zscaler Root CA
2. custom root CAs
Creating this will allow bypasses for things like UCaaS - ANSWER-Application bypass.
Note:
- it is important to make exclusions and inclusions for traffic at the adapter level.
- Zscaler also provides the ability for inclusions and exclusions of DNS requests.
- It is not necessary to configure Zscaler as the DNS server.
The "Forwarding Profile PAC" steers traffic ____________ from the ___________. - ANSWER-1.
toward or away
2. client connector
Note: A Forwarding Profile PAC gets defined within the forwarding profile and it steers traffic
toward or away from Zscaler Client Connector. It's essentially the system PAC file, stating which
HTTP proxy is going to be used for a specific URL
QUESTIONS AND DETAILED ANSWERS
The Zero Trust Exchange verifies identity and context via an IdP. Once this is verified policies can
be enforced to do what four actions? - ANSWER-1. Allow
2. Block
3. Isolate
4. Prioritize
Zscaler Private Access (ZPA) configures connectivity to private applications and resources hosted
where? - ANSWER-1. Infrastructure as a Service (IaaS)
2. Platform as a Service (PaaS)
3. Your private data center
Zscaler integrates with multiple IdP partners and can work with _______. - ANSWER-Zscaler can
integrate with Active Directory, Azure Active Directory, ADFS, Okta, Ping, or really any SAML 2.0-
compliant identity provider
Define Service Provider (SP) and the role it plays with IdP integration with Zscaler. - ANSWER-
Service Provider (SP) - The "Application" Also known as the Relying Party (RP) to the Identity
Provider (IdP) Employs the services of an IdP for the Authentication and Authorization of users
Zscaler acts as a SAML SP
Define Identity Provider (IdP) and the role it plays with IdP integration with Zscaler. - ANSWER-
IdP - Authenticates Users/Devices Provides Identifiers and Identity Assertions for users that wish
to access a service. IdP examples include: Okta, Ping, AD FS, Azure AD
Define Security Assertions and the role it plays with IdP integration with Zscaler. - ANSWER-Also
known as Tokens Issued to users by the IdP Presented to SPs / RPs to confirm authentication
Trust based on PKI Assertions may contain: Authentication, Attribute, or Authorization
statements
Describe the authentication flow for Zscaler utilizing SAML with an IdP initiated SSO. - ANSWER-
1. User Clicks an application.
2. User is redirected to Zscaler. (ZIA or ZPA pending request)
3. User clicks to log into Zscaler (ZIA or ZPA pending request)
,4. User is redirected to SAML IdP login (this can include user attributes and/or group
memberships)
5. User logs into IdP (this can include user attributes and/or group memberships)
6. IdP sends over assertion Identity to user (SAML assertion is encrypted)
7. User sends identity to Zscaler (SAML assertion is encrypted)
8. Zscaler issues auth token to user (assertion is verified)
9. User is given access to the application
What are the advantages of using SCIM? What are the disadvantages? - ANSWER-Advantages -
- Updates information automatically
- Allows users to be deleted (While Auto-Provisioning can add user information, it cannot delete
users from the database)
Disadvantages -
- Not supported by all IdPs
What operations are supported by SCIM? - ANSWER-1. Add Users: As they are assigned to the
ZPA SP in the source IDP
2. Delete Users: Remove ZPA access for users that are either removed from the ZPA SP in the
source IdP, or are removed from the directory completely.
3. Update Users: Update SCIM attributes dynamically (e.g. group memberships)
4. Apply Policy: Based on SCIM user or group attributes.
What is the Zscaler Client Connector (ZCC)? - ANSWER-It is a lightweight app that sits on users'
endpoints and enforces security policies and access controls regardless of device, location, or
application.
What is the recommended mode for Zscaler Client Connector (ZCC) to function when it's
forwarding traffic to Zscaler Internet Access (ZIA) - ANSWER-The recommended mechanism is to
use the Zscaler tunnel.
What are the three authenticated tunnel options (meaning that once the user is enrolled in
Zscaler Client Connector (ZCC)? - ANSWER-1. ZTunnel - Packet Filter Based
2. ZTunnel - Route-Based
,3. ZTunnel with Local Proxy
What are the additional options that support legacy implementations for ZCC? - ANSWER-1.
Enforced PAC mode, which basically instruments the PAC file in the browser, similar to what
you'd get from a group policy object. That means that the browser itself is forced to go to
Zscaler Internet Access via a specified proxy.
2.None, meaning that the policy is not going to do any configuration of proxy or tunneling
mode, and relies on the group policy object or the default configuration within the browser.
What type of tunnel is ZTunnel 1.0? - ANSWER-It is an HTTP CONNECT tunnel. So as traffic is
forwarded into the tunnel, it creates a CONNECT method toward the cloud. It doesn't really
encapsulate the traffic. It simply adds some header information
What type of tunnel is ZTunnel 2.0? - ANSWER-It is a DTLS (Datagram Transport Layer Security)
tunnel with fallback to TLS (Transport Layer Security) supporting all client traffic, which means
the Zscaler Firewall, as part of the Zero Trust Exchange, could inspect and apply policy on all
traffic.
Which is best practice ZTunnel 1.0 or 2.0? - ANSWER-With Z-Tunnel 2.0, which is the best
practice option, the tunnel is the control channel and a single tunnel from the client to the Zero
Trust Exchange. Any notifications from the Client Connector admin portal (aka. "Mobile Admin")
are passed through the Zero Trust Exchange directly to the client, and those happen in real time.
Set this up in order to make the decision as to which forwarding profile matches our desired
outcome. - ANSWER-Multiple trusted networks.
What are the enforcing proxy action types? - ANSWER-1. Automatically Detect Settings - The
client sends a WPAD (Web Proxy Auto-Discovery) lookup looking for a proxy.
2. Use Automatic Configuration Script - Explicitly configure where the Zscaler Client Connector
sets your custom system PAC file to download and run through that PAC file configuration for
traffic to be explicitly proxied to a proxy server. Also referred to as a forwarding PAC file.
3. Use Proxy Server for Your LAN -This is a hard-coded proxy import (IP address and a port or an
FQDN and a port) with the ability to bypass local addresses. A local address is something that is
non-fully qualified.
4. Execute GPO Update - The Windows machine will provide a GPO (Group Policy Object)
update/force from Active Directory to set the proxy settings on the machine.
What are the most common configuration items for an application profile? - ANSWER-1 Custom
PAC URL - References the PAC file configured in the ZIA Admin Portal, making decisions on traffic
that should be forwarded or bypassed from the Zero Trust Exchange.
, 2 Override WPAD - Ensures that the system GPO WPAD configuration is prevented, and makes
sure that the WPAD configuration in the forwarding profile is used as a precedence.
3· Restart WinHTTP - specific to Windows devices Ensures that the system refreshes all of the
proxy configuration once Zscaler Client Connector is established.
4· Install Zscaler SSL Certificate - Covered more in the next section. If you aren't pushing out
your own certificates from your own Certificate Authority, then simply enabling this option will
use the one provided by Zscaler. 23
5· Tunnel Internal Client Connector Traffic - Ensures that the health updates and policy traffic
passes through the Zscaler tunnels towards the Zero Trust Exchange. Or more specifically, it
doesn't go direct to the Zero Trust Exchange - it stays within the zero trust tunnels.
6· Cache System Proxy - Ensures that Zscaler Client Connector stores the system proxy state
from before it was installed or enabled, and makes sure that when Zscaler Client Connector is
uninstalled or disabled, a system proxy configuration is reverted and the user can continue to
function as before. And that the Zscaler Client Connector reverts to previous versions of the
Zscaler Client Connector software in the event of an upgrade issue.
What root CA options can ZCC deploy? - ANSWER-1. the Zscaler Root CA
2. custom root CAs
Creating this will allow bypasses for things like UCaaS - ANSWER-Application bypass.
Note:
- it is important to make exclusions and inclusions for traffic at the adapter level.
- Zscaler also provides the ability for inclusions and exclusions of DNS requests.
- It is not necessary to configure Zscaler as the DNS server.
The "Forwarding Profile PAC" steers traffic ____________ from the ___________. - ANSWER-1.
toward or away
2. client connector
Note: A Forwarding Profile PAC gets defined within the forwarding profile and it steers traffic
toward or away from Zscaler Client Connector. It's essentially the system PAC file, stating which
HTTP proxy is going to be used for a specific URL
