Zscaler Blog

Get the latest Zscaler blog updates in your inbox

Subscribe
Products & Solutions

Zscaler Selects Red Hat Enterprise Linux 9 (RHEL 9) as Next-Gen Private Access Operating System

image

Latest News

On June 30, 2024, CentOS 7 reached end of life, requiring migrations in thousands of software stacks and server environments. In anticipation of this, Zscaler selected Red Hat Enterprise Linux 9 as the next-generation operating system for Zscaler Private AccessTM (ZPA). RHEL 9 is the modern enterprise equivalent to CentOS 7, backed by Red Hat, and supported through 2032. This continues ZPA’s proven record of stability and resiliency on open source Linux platforms and builds on 10 years of maturity on the Red Hat Enterprise Linux platform. To ensure a straight-forward and smooth transition, the solution was built with no impact to business operations in mind.

Software Release Dates

Pre-built images on supported platforms were released in June 2024. All ZPA images, including containers, hypervisors, and public cloud offerings, were replaced with RHEL 9. It is now the recommended deployment for all future App Connector and Private Service Edge components. Customers who have not yet started migration already should begin to immediately. For customers that manage their own Red Hat base images, RHEL 9 RPM software packages and repositories were released in May.

New Enterprise OS Without Licensing Fees

To ensure an excellent experience for our customers, Zscaler is providing operating system licenses for RHEL 9 images on supported platforms. This continues our commitment to secure, open source platforms without imposing additional licensing costs on our customers. It’s important to note that Hyper-V and Azure/AWS China Clouds do not have official images and therefore do not have Zscaler-provided RHEL licensing.

We also understand the need for control over security baseline images that meet your security posture and will continue to provide RPM options through support of RHEL 8 and RHEL 9. These software packages are used with bring-your-own-license (BYOL) operating system deployments and won’t conflict with any existing Red Hat enterprise license agreements you may hold.

CentOS 7 End of Life

The CentOS Project and Red Hat ended support for CentOS 7 and RHEL 7 on June 30, 2024. While it is of the utmost urgency to transition to a modern, supported, and secure operating system, we recognize that the transition is a large undertaking, affecting all enterprise data centers and business operations; it will take time to transition over to new operating systems and software.

In light of this, Zscaler will provide ample time to migrate while considering the security implications of an obsolete operating system. Existing CentOS 7 deployments, RPMs, and distribution servers will be supported until December 24, 2024. We are confident our ZPA architecture and design uniquely position us to continue to support CentOS 7 past its expiry date. See End-of-Support for CentOS 7.x, RHEL 7.x, and Oracle Linux 7.x for more details on CentOS EOL and the ZPA white paper for architecture and security design.

While we have the utmost confidence, there is always inherent risk in using an unsupported server operating system. To ease the burden and risk to customers, Zscaler licensed a third-party repository to provide long-term support for CentOS 7 until the EOS date. Instructions to configure LTS support can be found at CentOS 7 Configuration for Long-Term Zscaler Support.

Lightweight and Container Orchestration Ready

Following Zscaler’s cloud-native and best-in-class zero trust approach, ZPA infrastructure components are designed to be lightweight, container ready, and quickly deployed. This allows App Connector and Private Service Edge the benefit of being scaled and migrated without worry for previously deployed instances or operating system upgrade paths.

ZPA offers Open Container Initiative (OCI) compatible images for Docker CE, Podman, Red Hat OpenShift Platform, and soon Kubernetes (k8s). These images as well as the public cloud marketplaces are fully ready for autoscale groups, supporting quick and easy scale up. Clean-up of scaled down or removed pods is available through App Connector Settings for auto-delete.

Operating System Packages in Zscaler RHEL Repositories

You may have run into issues with missing support tools and other packages during RHEL 9 deployment. Zscaler’s Red Hat licensing requires a satellite repository to receive security updates. In the first phase of RHEL 9 support, this is an open delta mirror with security packages for the RHEL 9 base image. We listened to customer feedback and have finished adding the first batch of third-party packages to this mirror. They can be installed normally from the os-updates repository using dnf / yum commands.

In H1CY25, Zscaler is targeting release of a full SNI-authenticated repository that will mirror all packages included in the official Red Hat repositories for RHEL 9. At that time, enrollment to the ZPA cloud will be required to download packages, but all RHEL base packages will be supported by default. While we don’t encourage or recommend that third-party repositories be installed to the pre-built ZPA images, you may do so to support compliance requirements around EDR, EPP, and other inventory and maintenance tools.

Note that SNMP adds a vulnerability vector with a listening service and isn’t recommended. Customers may opt to accept this risk at their own discretion using the net-snmp package. EDR and EPP tools are also not generally recommended as best practice, due to the potential to introduce incompatibilities and the high CPU and RAM consumption that’s been observed (>80% at idle traffic). Customers employing this additional software must accept and take full responsibility for these risks.

In the interim of full SNI-authenticated repository support, you may request additional OS packages from the RHEL 9 package manifest through your account team. Zscaler will review and approve any valid package in the manifest. Updates will be published to the current os-updates repository on a monthly basis.

STIG Hardening for App Connector and PSE

To further improve the security posture of App Connector and PSE, Zscaler is working to provide STIG hardening on all supported platforms. This uses the built-in mechanism in RHEL 9 to enforce STIG hardening along with meeting the requirements for partition mapping and configuration. The first phase of STIG deployment is targeted for 4QCY24 and will include all supported platforms except App Connector for Azure. App Connector STIG images for Azure will be announced at a later date.

To learn more about RHEL 9 STIG hardening, see the link below.

DISA STIG for Red Hat Enterprise Linux 9 Blog

Red Hat Enterprise Linux 9 Security Technical Implementation Guide

Migration and Support Excellence

Zscaler understands your concerns and will fully support you throughout this transition process. Our Technical Account Managers, Support Engineers, and Professional Services are ready to address your migration challenges. If a temporary increase of App Connector or PSE limits are needed in your environment to complete migration, there will be no extra licensing costs.

The migration steps to replace CentOS 7 instances with RHEL 9 can be found on our official help portal via the links below. The enrollment and provisioning of new App Connectors and Private Service Edges can be automated in a few steps using Terraform (infrastructure-as-code) or Container Orchestration to simplify deployment further.

Red Hat Enterprise Linux 9 Migration for App Connectors

Red Hat Enterprise Linux 9 Migration for Private Service Edges

Please reach out to your respective Zscaler support representatives for further assistance and information as needed.

 

For more information:

Zscaler Private Access Website

End-of-Support for CentOS 7.x, RHEL 7.x, and Oracle Linux 7.x 

ZPA App Connector Software by Platform

ZPA Private Service Edge Software by Platform

 

form submtited
Thank you for reading

Was this post useful?

Get the latest Zscaler blog updates in your inbox

By submitting the form, you are agreeing to our privacy policy.