Zscaler Inc.

03/18/2024 | News release | Distributed by Public on 03/18/2024 16:47

Zscaler Selects Red Hat Enterprise Linux 9 (RHEL 9) as Next-Gen Private Access Operating System

March 18, 2024

What's new?

On June 30, CentOS 7 will reach end of life, requiring migrations in many software stacks and server environments. In advance of this, Zscaler has selected Red Hat Enterprise Linux 9 as the next-generation operating system for Zscaler Private Access™ (ZPA). RHEL 9 is the modern enterprise equivalent to CentOS 7, backed by Red Hat, and supported through 2032. This continues ZPA's proven stability and resiliency on open source Linux platforms and builds on 10 years of maturity on Red Hat Enterprise Linux-based derivatives. What's more, this transition can be done with no impact to operations or user access.

When will it be released?

Pre-built images for all ZPA-supported platforms are targeted for release in May 2024. All ZPA images, including containers, hypervisors, and public cloud offerings, will be replaced with RHEL 9. This is the recommended deployment for all future App Connector and Private Service Edge components, and customers should begin migration immediately on release. For customers that manage their own Red Hat base images, Zscaler is targeting the end of April 2024 for release of RHEL 9-native Red Hat Package Manager (RPM) and repositories.

New Enterprise OS Without Licensing Fees

To ensure an excellent experience for our customers, Zscaler will provide operating system licenses for all RHEL 9 images on supported platforms. This continues our commitment to secure, open source platforms without imposing additional licensing costs on our customers.

We also understand the need for control over security baseline images that meet your security posture and will continue to provide RPM options through support of RHEL 8 and RHEL 9. These software packages are bring-your-own-license (BYOL) and won't conflict with any existing Red Hat enterprise license agreements you may hold.

CentOS 7 End of Life

The CentOS Project and Red Hat will be ending the final extended support for CentOS 7 and RHEL 7 on June 30, 2024. While we aim to provide RHEL 9 support in advance of this date (and do currently support RHEL 8 with RPMs), we recognize that the transition is a large undertaking affecting all enterprise data centers and operations, and that it will take time to transition over to new operating systems and software.

In light of this, we want to provide ample time to migrate while considering the security implications of continuing to support an obsolete operating system. Zscaler will support existing CentOS 7 deployments, RPMs, and distribution servers until December 24, 2024. We are confident our ZPA architecture and design uniquely position us to continue to support CentOS 7 past its expiry date. See End-of-Support for CentOS 7.x, RHEL 7.x, and Oracle Linux 7.x for more details on CentOS EOL and the ZPA white paper for architecture and security design.

While we have ample controls in place and the utmost confidence, there is always inherent risk in using an unsupported server operating system. Zscaler will not provide backported operating system patches during this transition, but will maintain the ZPA software and supporting security libraries.

Lightweight and Container Orchestration Ready

Following Zscaler's cloud-native and best-in-class zero trust approach, ZPA infrastructure components are designed to be lightweight, container ready, and quickly deployed. This allows App Connector and Private Service Edge the benefit of being scaled and migrated without worry for previously deployed instances or operating system upgrade paths. For these reasons, the migration best practice is to deploy new App Connectors and Private Service Edges. Zscaler does not provide direct operating system upgrade paths for currently deployed infrastructure components.

In further support of this, we offer Open Container Initiative (OCI) compatible images for Docker CE, Podman, and Red Hat OpenShift Platform. These images as well as the public cloud marketplaces are fully ready for autoscale groups, supporting quick scale up and scale down.

Migration and Support Excellence

Zscaler understands your concerns and will fully support you throughout this transition process. Our Technical Account Managers, Support Engineers, and Professional Services are ready to address all concerns related to migration. If a temporary increase of App Connector or PSE limits is needed in your environment to complete migration, there will be no extra licensing costs.

Below are the steps to help you replace CentOS 7 instances with RHEL 9. The enrollment and provisioning of new App Connectors and Private Service Edges can be automated in a few steps using Terraform (infrastructure-as-code) or Container Orchestration to simplify deployment further.

App Connector Migration Steps:

  1. Create new App Connector Groups and provisioning keys for each location (Note: do not reuse existing provisioning keys as it will add the new RHEL 9 App Connectors to the old App Connector Groups. Mixing different host OS and Zscaler software versions in a single group is not supported.)
  2. Update the App Connector Group's version profile to "default - el9" so that it's able to receive the proper binary updates (This version profile can be set as default for the tenant once all connectors are moved to RHEL 9)
  3. Deploy new VMs using the upcoming RHEL 9 OVAs and newly created provisioning keys (templates can be used)
  4. Add the new App Connector Groups to each respective Server Group
  5. (Optional) In the UI, disable the App Connector Groups five minutes prior to the regional off-hours maintenance window to allow connections to gradually drain down
  6. During regional off-hours, remove the CentOS 7 App Connector Groups

Private Service Edge Migration Steps:

  1. Create new Service Edge Groups and provisioning keys for each location (Note: do not reuse existing provisioning keys as it will add the new RHEL 9 PSEs to the old Service Edge Groups. Mixing different host OS and Zscaler software versions in a single group is not supported.)
  2. Update the Service Edge Group's version profile to "Default - el9" so that it's able to receive the proper binary updates (This version profile can be set as default for the tenant once all connectors and PSEs are moved to RHEL 9)
  3. Deploy new VMs using the upcoming RHEL 9 OVAs and the newly created provisioning keys (templates can be used)
  4. Add trusted networks and enable "publicly accessible" (if applicable) on the new Service Edge Groups
  5. (Optional) In the UI, disable the Service Edge Groups 15 minutes prior to the regional off-hours maintenance window to allow connections to gradually drain down
  6. During regional off-hours, remove trusted networks and disable public access (if applicable) on CentOS 7 Service Edge Groups
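
A pre-cutover audit of the rules in both step lists above (no reused provisioning keys, no mixed-OS groups, an el9 version profile on the new groups), as an added example that is not Zscaler tooling. The inventory records and their field names are constructed and hypothetical, not a ZPA export format.

```python
from collections import defaultdict

# Constructed inventory of enrolled App Connectors / PSEs (hypothetical fields).
INVENTORY = [
    {"name": "ac-nyc-1", "group": "NYC-AC", "os": "centos7", "profile": "Default", "key": "nyc-key"},
    {"name": "ac-nyc-2", "group": "NYC-AC", "os": "rhel9", "profile": "Default", "key": "nyc-key"},
    {"name": "ac-lon-1", "group": "LON-AC", "os": "centos7", "profile": "Default", "key": "lon-key"},
    {"name": "ac-lon-2", "group": "LON-AC-EL9", "os": "rhel9", "profile": "Default - el9", "key": "lon-key-el9"},
    {"name": "pse-sfo-1", "group": "SFO-PSE-EL9", "os": "rhel9", "profile": "Default", "key": "sfo-key-el9"},
]


def audit(inventory):
    """Return sorted (rule, subject) findings for the migration rules."""
    os_by_group = defaultdict(set)
    os_by_key = defaultdict(set)
    profile_by_group = {}
    for comp in inventory:
        os_by_group[comp["group"]].add(comp["os"])
        os_by_key[comp["key"]].add(comp["os"])
        profile_by_group[comp["group"]] = comp["profile"]

    findings = []
    for group, oses in os_by_group.items():
        # Mixing host OS versions in a single group is not supported.
        if len(oses) > 1:
            findings.append(("mixed-os-group", group))
        # RHEL 9 groups need the el9 version profile to receive the right
        # binaries; compared case-insensitively because the page writes the
        # profile name with both "default" and "Default".
        if oses == {"rhel9"} and not profile_by_group[group].lower().endswith("el9"):
            findings.append(("wrong-version-profile", group))
    for key, oses in os_by_key.items():
        # A key that enrolled CentOS 7 hosts must not enroll RHEL 9 hosts:
        # it would place them in the old group.
        if {"centos7", "rhel9"} <= oses:
            findings.append(("reused-provisioning-key", key))
    return sorted(findings)


def legacy_groups(inventory):
    """Groups that still contain CentOS 7 hosts and remain to be removed."""
    return sorted({c["group"] for c in inventory if c["os"] == "centos7"})


if __name__ == "__main__":
    for rule, subject in audit(INVENTORY):
        print(f"{rule}: {subject}")
    print("still on CentOS 7:", ", ".join(legacy_groups(INVENTORY)))
```
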

Please reach out to your respective support representatives for further assistance and information as needed.

For more information:

Zscaler Private Access Website

Zscaler Private Access | Zero Trust Network Access (ZTNA)

End-of-Support for CentOS 7.x, RHEL 7.x, and Oracle Linux 7.x

ZPA App Connector Software by Platform

ZPA Private Service Edge Software by Platform
