
Zscaler Selects Red Hat Enterprise Linux 9 (RHEL 9) as Next-Gen Private Access Operating System

SHEFALI CHINNI, DYLAN MERIDA
May 03, 2024 - 6 min read

What’s new?

On June 30, 2024, CentOS 7 reaches end of life, forcing migrations across many software stacks and server environments. In advance of this, Zscaler has selected Red Hat Enterprise Linux 9 as the next-generation operating system for Zscaler Private Access™ (ZPA). RHEL 9 is the current enterprise successor to the RHEL 7 line that CentOS 7 was rebuilt from; it is backed by Red Hat and supported through 2032. This continues ZPA's proven stability and resiliency on open source Linux platforms and builds on 10 years of maturity on Red Hat Enterprise Linux-based derivatives. Because the move is made by deploying new components rather than upgrading existing ones, the transition can be completed with no impact to operations or user access.

When will it be released?

Pre-built images for all ZPA-supported platforms are targeted for release in May 2024. All ZPA images, including containers, hypervisors, and public cloud offerings, will be replaced with RHEL 9. This is the recommended deployment for all future App Connector and Private Service Edge components, and customers should begin migration immediately on release. For customers that manage their own Red Hat base images, Zscaler is targeting the end of April 2024 for release of RHEL 9 Red Hat Package Manager (RPM) software packages and repositories.

New Enterprise OS Without Licensing Fees

To ensure an excellent experience for our customers, Zscaler will provide operating system licenses for all RHEL 9 images on supported platforms. This continues our commitment to secure, open source platforms without imposing additional licensing costs on our customers.

 

We also understand the need for control over security baseline images that meet your security posture and will continue to provide RPM options through support of RHEL 8 and RHEL 9. These software packages are bring-your-own-license (BYOL) and won’t conflict with any existing Red Hat enterprise license agreements you may hold.

CentOS 7 End of Life

The CentOS Project and Red Hat end the final extended support for CentOS 7 and RHEL 7 on June 30, 2024. While we aim to provide RHEL 9 support in advance of this date (and already support RHEL 8 with RPMs), we recognize that the transition is a large undertaking that affects every enterprise data center and operations team, and that moving to a new operating system and software will take time.

 

In light of this, we want to provide ample time to migrate while considering the security implications of continuing to support an obsolete operating system. Zscaler will support existing CentOS 7 deployments, RPMs, and distribution servers until December 24, 2024. We are confident our ZPA architecture and design uniquely position us to continue to support CentOS 7 past its expiry date. See End-of-Support for CentOS 7.x, RHEL 7.x, and Oracle Linux 7.x for more details on CentOS EOL and the ZPA white paper for architecture and security design.

 

While we have ample controls in place and the utmost confidence, there is always inherent risk in running an unsupported server operating system. During this transition Zscaler will not provide backported operating system patches, so kernel and OS package vulnerabilities disclosed after June 30, 2024 will remain unpatched on CentOS 7 hosts; Zscaler will continue to maintain the ZPA software and its supporting security libraries. Plan your migration so that no CentOS 7 component is still in service on December 24, 2024.

Lightweight and Container Orchestration Ready

Following Zscaler's cloud-native, best-in-class zero trust approach, ZPA infrastructure components are designed to be lightweight, container ready, and quick to deploy. App Connectors and Private Service Edges can therefore be scaled out and migrated by standing up new instances, with no dependency on previously deployed instances or on an operating system upgrade path. For these reasons, the migration best practice is to deploy new App Connectors and Private Service Edges. Zscaler does not provide direct operating system upgrade paths for currently deployed infrastructure components.

 

In further support of this, we offer Open Container Initiative (OCI) compatible images for Docker CE, Podman, and Red Hat OpenShift. These images, as well as the public cloud marketplace offerings, are fully ready for autoscale groups, supporting quick scale-up and scale-down.

Migration and Support Excellence

Zscaler understands your concerns and will fully support you throughout this transition. Our Technical Account Managers, Support Engineers, and Professional Services are ready to address all concerns related to migration. If a temporary increase in App Connector or PSE limits is needed in your environment to complete the migration, there will be no extra licensing cost.

 

Below are the steps to replace CentOS 7 instances with RHEL 9. Enrollment and provisioning of new App Connectors and Private Service Edges can be automated in a few steps with Terraform (infrastructure as code) or container orchestration to simplify deployment further.

App Connector Migration Steps:

Prerequisites:

  • A fresh install should be used for all deployments
  • The EL9 repository must be used with a RHEL 9 base OS. Older platform binaries (EL7/EL8) are not supported
  • The /opt/zscaler/var folder must be empty before install
  • Yum upgrades from EL7/EL8 to RHEL 9 are not supported
  • Requires ESXi version 7.0 Update 2 or newer, including ESXi 8.x

  1. Create new App Connector Groups and provisioning keys for each location
     (Note: Do not reuse existing provisioning keys; doing so would enroll the new RHEL 9 App Connectors into the old App Connector Groups. Mixing different host OS and Zscaler software versions in a single group is not supported.)
  2. Make sure the Default version profile is inherited from the tenant default, or set it manually to the Default profile if using "Persist Local Version Profile"
  3. (Optional) If you have old App Connectors (el7/el8), use the following commands to stop and remove the old software and then clear the contents of /opt/zscaler/var/

     # systemctl stop zpa-connector
     # yum remove zpa-connector
     # rm -rf /opt/zscaler/var/*

  4. Follow the step-by-step guide to deploy new VMs using the RHEL 9 images and the newly created provisioning keys. Ensure the yum repository points to the RHEL 9 repository:
     https://yum.private.zscaler.com/yum/el9
     (Note: Only RHEL 9 repositories and RPMs are supported on RHEL 9.)
  5. Add the new App Connector Groups to each respective Server Group
  6. (Optional) In the UI, disable the old App Connector Groups five minutes prior to the regional off-hours maintenance window to allow connections to drain gradually
  7. During regional off-hours, remove the CentOS 7 App Connector Groups

Private Service Edge Migration Steps:

Prerequisites:

  • A fresh install should be used for all deployments
  • The EL9 repository must be used with a RHEL 9 base OS. Older platform binaries (EL7/EL8) are not supported
  • The /opt/zscaler/var folder must be empty before install
  • Yum upgrades from EL7/EL8 to RHEL 9 are not supported
  • Requires ESXi version 7.0 Update 2 or newer, including ESXi 8.x

  1. Create new Service Edge Groups and provisioning keys for each location
     (Note: Do not reuse existing provisioning keys; doing so would enroll the new RHEL 9 Private Service Edges into the old Service Edge Groups. Mixing different host OS and Zscaler software versions in a single group is not supported.)
  2. Make sure the Default version profile is inherited from the tenant default, or set it manually to the Default profile if using "Persist Local Version Profile"
  3. (Optional) If you have old Private Service Edges (el7/el8), use the following commands to stop and remove the old software and then clear the contents of /opt/zscaler/var/

     # systemctl stop zpa-service-edge
     # yum remove zpa-service-edge
     # rm -rf /opt/zscaler/var/*

  4. Follow the step-by-step guide to deploy new VMs using the RHEL 9 images and the newly created provisioning keys. Ensure the yum repository points to the RHEL 9 repository:
     https://yum.private.zscaler.com/yum/el9
     (Note: Only RHEL 9 repositories and RPMs are supported on RHEL 9.)
  5. Add trusted networks and enable "publicly accessible" (if applicable) on the new Service Edge Groups
  6. (Optional) In the UI, disable the old Service Edge Groups 15 minutes prior to the regional off-hours maintenance window to allow connections to drain gradually
  7. During regional off-hours, remove trusted networks and disable public access (if applicable) on the CentOS 7 Service Edge Groups
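The App Connector and Private Service Edge procedures above share the same three host prerequisites (RHEL 9 base OS, EL9 yum repository, empty /opt/zscaler/var) and the same three-command teardown for old EL7/EL8 hosts. The script below is an added example, not Zscaler's own tooling: it turns those prerequisites into a preflight check that can be run against a candidate host before installing either component, and wraps the teardown commands in a dry-run mode so the destructive `rm -rf` can be reviewed before it runs. The EL9 repository URL and the three teardown commands come from the steps above; the repo file name /etc/yum.repos.d/zscaler.repo, the `live` argument, the `-y` on `yum remove`, and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Zscaler's code: preflight checks for a fresh RHEL 9 host
# before installing a ZPA App Connector or Private Service Edge, plus a
# dry-run-capable wrapper around the EL7/EL8 decommission commands.
# Assumptions: paths to os-release, the yum .repo file and the state directory
# are passed as arguments so the checks work on constructed files as well as a
# live host; /etc/yum.repos.d/zscaler.repo is an assumed file name.

ZPA_EL9_REPO="https://yum.private.zscaler.com/yum/el9"   # from the migration steps

# Read KEY=value (value optionally double-quoted) from an os-release-style file.
osrel_value() {
    sed -n "s/^$2=\"*\([^\"]*\)\"*\$/\1/p" "$1" | head -n 1
}

# 0 if the file reports RHEL with major version 9 (prerequisite: RHEL 9 base OS).
check_el9_os() {
    [ "$(osrel_value "$1" ID)" = "rhel" ] || return 1
    ver=$(osrel_value "$1" VERSION_ID)
    [ "${ver%%.*}" = "9" ]
}

# 0 if the first baseurl in the .repo file is the EL9 repository; EL7/EL8
# binaries are not supported on RHEL 9, so any other baseurl fails.
check_el9_repo() {
    baseurl=$(sed -n 's/^baseurl[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1)
    case "$baseurl" in
        "$ZPA_EL9_REPO"|"$ZPA_EL9_REPO"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# 0 if the state directory is empty; a directory that does not exist yet is
# treated as empty.
check_var_empty() {
    [ -d "$1" ] || return 0
    [ -z "$(ls -A "$1")" ]
}

# Run all three checks, print one line per check, return 1 if any failed.
preflight() {
    rc=0
    if check_el9_os "$1"; then echo "ok   base OS is RHEL 9"
    else echo "FAIL base OS is not RHEL 9 ($1)"; rc=1; fi
    if check_el9_repo "$2"; then echo "ok   yum baseurl is $ZPA_EL9_REPO"
    else echo "FAIL yum baseurl is not the EL9 repository ($2)"; rc=1; fi
    if check_var_empty "$3"; then echo "ok   $3 is empty"
    else echo "FAIL $3 is not empty; clear old state before installing"; rc=1; fi
    return $rc
}

# Echo the command instead of executing it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then echo "+ $*"; else "$@"; fi
}

# Stop and remove an old EL7/EL8 component and clear its state directory: the
# three commands from the steps above, with -y added so yum is non-interactive.
# Only the two known unit/package names are accepted, and the chain stops at
# the first failure so the state directory is not wiped under a still-running service.
decommission_old() {
    case "$1" in
        zpa-connector|zpa-service-edge) ;;
        *) echo "unknown component: $1" >&2; return 2 ;;
    esac
    run systemctl stop "$1" &&
    run yum remove -y "$1" &&
    run rm -rf /opt/zscaler/var/*
}

# Usage on a live host:  sh zpa-preflight.sh live
if [ "${1:-}" = "live" ]; then
    preflight /etc/os-release /etc/yum.repos.d/zscaler.repo /opt/zscaler/var
fi
```

To rehearse the teardown of an old host before the maintenance window, run `DRY_RUN=1 sh -c '. ./zpa-preflight.sh; decommission_old zpa-connector'` and review the three printed commands; without `DRY_RUN=1` they execute and the `rm -rf` is irreversible.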

 

Please reach out to your respective support representatives for further assistance and information as needed.

 

For more information:

Zscaler Private Access Website

Zscaler Private Access | Zero Trust Network Access (ZTNA)

End-of-Support for CentOS 7.x, RHEL 7.x, and Oracle Linux 7.x 

ZPA App Connector Software by Platform

ZPA Private Service Edge Software by Platform

 
