Try JFrog
Guides
Contact SupportTry JFrog
  1. curation
  2. Package Traffic Controller (PTC)

Deploy and Roll Out PTC

Deploy Package Traffic Controller (PTC) in order: Artifactory, workstation trust, then ZIA rules, with phased rollout guidance for SaaS consumption.

Deployment Sequence

Deploy PTC in the following order. Enabling interception before Artifactory and workstation trust are ready can break package installs.

flowchart LR
    Step1["1. Configure JFrog Artifactory\n(repos, Package Reroute API,\nanonymous access, redirect)"]
    Step2["2. Install Zscaler CA\nand trust configuration\non workstations"]
    Step3["3. New terminal sessions\n/ IDE restart\n(pick up env vars)"]
    Step4["4. Activate ZIA rules\n(URL category, SSL inspection,\nredirect rule)"]

    Step1 --> Step2 --> Step3 --> Step4

Required Order of Operations

To deploy PTC in the required order:

  1. Configure JFrog Artifactory: Create a remote repository for each ecosystem, then complete Step 2: Register repositories with Package Reroute using Update Registry Configuration (PUT /artifactory/api/package-reroute/config/{type}) for each package type. PTC does not work without this API request. The repo_key must be a remote repository. Configure anonymous access and verify /package-reroute as described in Configure Artifactory for PTC. Artifactory must be ready before ZIA redirects traffic. Otherwise, installs fail after interception starts.
  2. Set up Zscaler CA and application trust on developer workstations for each client and OS in scope. MDM is optional. Use your endpoint deployment approach. Follow Installation Script and Zscaler trust-store guidance. Trust must be in place before SSL inspection is enabled.
  3. Ask developers to open new terminal sessions or restart IDEs after certificate and environment-variable changes. Most client-specific environment variables are read when a new shell starts, and existing shells keep the old environment.
  4. Configure and activate the ZIA rules (URL category, SSL inspection rule, URL filtering/redirect rule). Enable interception only after Artifactory and workstation trust are fully ready.

Warning: If ZIA rules are activated before Artifactory is configured or before certificate trust works for your package clients, installs can fail with SSL errors or HTTP errors. New terminal sessions or an IDE restart are usually required after env updates.

Gradual Rollout Recommendation

To reduce risk, deploy PTC gradually rather than to the entire organization at once. Phase by audience (pilot groups first) and by package ecosystem (for example npm first, then PyPI, then Docker/OCI) so each path can be validated before wider rollout.

Gradual Rollout Readiness Before ZIA Activation

The Deployment Sequence still applies during phased rollout. Prepare endpoints first, then enable interception for the same cohort.

Practical pattern:

  • Start with a pilot group and a single ecosystem (commonly npm).
  • Confirm trust and successful installs before enabling redirect rules for additional users.
  • Expand in controlled waves using ZIA Groups.
  • Add additional registry domains only after endpoint trust and smoke tests are complete for that stack.

Why Gradual Rollout Is Important

Rolling out every user and every package client at the same time carries risk:

  • Endpoint trust or environment gaps may affect only specific client stacks.
  • Existing network and security policies can behave differently across teams.
  • A phased rollout reduces blast radius and shortens troubleshooting cycles.
  • Different package managers have different TLS and client behaviors.

A phased approach by audience, by registry domains in ZIA, and by configured ecosystems in Artifactory lets you identify and resolve issues with minimal disruption.

Recommended Rollout Phases

PhaseScopePurpose
Phase 1: Lab and Test EnvironmentA controlled lab environment or a small number of test workstationsValidate the full deployment end-to-end: certificate distribution, ZIA rule activation, package install via Artifactory, and Curation policy and audit behavior when enabled.
Phase 2: Pilot GroupA small group of developers (e.g., 5–10 volunteers from a single team)Confirm that the solution works in a real-world environment with real developer workflows, IDEs, and projects. Collect feedback on any issues.
Phase 3: Expanded RolloutA larger team or department (e.g., the full R&D group)Scale the deployment while monitoring for issues. Use Zscaler's scoped deployment (Groups filter) to control which users are affected.
Phase 4: Organization-WideAll developer workstationsFull production deployment after confirming stability in earlier phases.

Phasing by package type (optional): Within any phase above, you can keep ZIA’s custom URL category minimal (e.g., only registry.npmjs.org until npm is stable), then add domains for PyPI, container registries, Hugging Face, and so on as you validate each stack. Align Artifactory Package Reroute repo_key settings so only ecosystems you intend to govern are in the path. This is independent of JFrog vs. Zscaler ownership: Zscaler controls which hostnames are intercepted; JFrog controls which repository serves each type.

What to Monitor at Each Phase

  • Package installs succeed without SSL errors
  • Download and install time stays acceptable for your teams (throughput may differ from a direct path to the public registry—for example on first fetch, cache miss, or extra redirect hops—so compare against your own baseline and adjust capacity or caching if installs feel too slow)
  • Packages appear in Artifactory's cached artifacts
  • Curation audit log shows expected entries (only if JFrog Curation is enabled on the resolving remotes)
  • Artifactory system logs show package reroute lines (user, original and target URLs, registry type, user agent)—see Package reroute logs (Artifactory)
  • npm audit and other POST-based commands continue to work normally
  • Lock file behavior is acceptable (see Lock File Considerations for npm. Minor URL differences are expected and not a blocking issue.)
  • No unexpected workstation or application breakage from the installation script
  • When you add another registry domain or package client to the rollout, re-run targeted smoke tests for that client (install, lock files, TLS) before expanding scope further

You can use the following command during pilot verification to confirm package installation behavior from a workstation:

npm install <PACKAGE_NAME> --loglevel verbose

Where:

  • <PACKAGE_NAME> is the public package name used for your pilot smoke test.

For example:

npm install express --loglevel verbose

Consumption Impact for SaaS Customers

If your JFrog Artifactory instance is a SaaS (cloud-hosted) subscription, be aware that deploying PTC will affect your consumption metrics.

How Consumption Is Affected

When PTC is active, all developer workstations that install packages through the redirected flow will generate traffic against your JFrog Artifactory instance. This means:

  • Every package download that was previously going directly to the public registry will now be routed through and served by your Artifactory instance.
  • Each workstation added to the PTC deployment increases the total volume of requests and data transfer against your Artifactory subscription.
  • Cached packages reduce repeated upstream fetches, but the initial download of each package version will count toward consumption.

Recommendation

Before deploying PTC across your organization, review your current SaaS subscription limits and projected consumption increase with your JFrog account team. The gradual rollout approach (see Gradual Rollout Recommendation) also helps you monitor consumption growth incrementally rather than experiencing a sudden spike.

Frequently Asked Questions

This section provides answers to frequently asked questions about deploying Package Traffic Controller (PTC).

FAQs
Q: What is the required deployment order for PTC?

A: Configure JFrog Artifactory and Package Reroute first, deploy workstation trust for the Zscaler CA, have developers open new terminal sessions, then activate ZIA rules. See Deployment Sequence.

Q: Why deploy PTC gradually instead of org-wide on day one?

A: Phased rollout limits blast radius when certificate trust, client quirks, or ZIA policy issues appear. Use Zscaler Groups and narrow URL categories per ecosystem. See Gradual Rollout Recommendation.

Q: Does PTC increase JFrog Cloud consumption?

A: Yes. Redirected package downloads count against your Artifactory SaaS subscription because traffic is served through your instance. Review limits with your JFrog account team before org-wide rollout. See Consumption Impact for SaaS Customers.

Q: Do developers need a full machine reboot after certificate changes?

A: No. New terminal sessions or an IDE restart pick up updated environment variables. Mandatory fleet-wide reboots alone do not fix TLS trust issues.

Related Topics

Updated 12 days ago