Building a Zscaler Lab

Welcome to my Blog on building out my Zscaler Personal Tenant. I will walk through the required steps to create and connect my Home Lab environment to my Zscaler Cloud Zero Trust Exchange Tenant.

Here’s the breakdown.


My lab has two main Identity Sources, or Identity Providers (IdPs).

Azure AD, now called Microsoft Entra ID, will be my primary Identity Provider, with Local User accounts synced from my On-Prem Microsoft Active Directory. Technically you could say this is only one ID Source, but I see distinctly different uses here even though they are synced together.


I have two Datacenter locations, each operating independently and each with its own Edge Firewall in place. They are interconnected via an IPsec VPN tunnel for ease of access and management during deployment. This, however, will prove to be our first major use case for connecting to the Zscaler Zero Trust Exchange: enabling secure communications between the Datacenters WITHOUT a VPN and WITHOUT opening any External Firewall Ports.

Inside each Datacenter is a Nested VMware ESXi Cluster of vSphere Hosts, with a Single NSX Manager controlling both environments. The goal here is to show how and where adding Zscaler to your Datacenter Environment can increase the level of Security that protects your most critical Infrastructure, while at the same time enabling Secure Connectivity to the Applications inside each location and to the Management Plane (vCenter, NSX Manager, etc.).

Existing Infrastructure for this Build:

  • VMware vSphere Hosts (nested)
  • VMware vCenter Servers (1 in each site, not linked)
  • VMware NSX Manager
  • Microsoft Server 2022 Active Directory
  • Microsoft Certificate Authority Services (offline Root with Issuing CA)
  • Firewalls for Connectivity
  • VLAN backed networking for ease of initial deployment
  • Simple BGP Pairing between NSX T0 and pfSense Gateway
  • M365 Account with Entra ID
  • OpenEMR
  • WordPress