Deployment and Rollout

Deployment Sequence

This section is critical. The deployment steps must be performed in the exact order below. Performing them out of order will cause package installs to fail.

flowchart LR
    Step1["1. Configure JFrog Artifactory\n(repos, Package Reroute API,\nanonymous access, redirect)"]
    Step2["2. Install Zscaler CA\nand trust configuration\non workstations"]
    Step3["3. New terminal sessions\n/ IDE restart\n(pick up env vars)"]
    Step4["4. Activate ZIA rules\n(URL category, SSL inspection,\nredirect rule)"]

    Step1 --> Step2 --> Step3 --> Step4

Required Order of Operations

Step	Action	Why This Order Matters
1	Configure JFrog Artifactory — Create remote and virtual repositories, then complete the mandatory Step 3: Register repositories with Package Reroute using Update Registry Configuration (`PUT /artifactory/api/package-reroute/config/{type}`) for each package type. PTC does not work without this API call. Map each registry type to the correct `repo_key`; optionally enable JFrog Curation on remotes where you want Catalog policy checks (PTC works without Curation — see Prerequisites); configure anonymous access (see Configure Artifactory for PTC); for JFrog Cloud, optionally restrict access with the MyJFrog IP/CIDR allowlist (not used for self-hosted); verify the Router PTC path responds (see Step 6: Verify the Redirect Endpoint — `/package-reroute`). The REST API for Package Reroute always lives under the fixed prefix `/artifactory/api/package-reroute/`; that URL segment is not configurable.	Artifactory must be fully configured and ready to receive traffic before ZIA starts redirecting requests to it. If ZIA redirects to an Artifactory instance that is not set up, or Package Reroute is not registered for the package type, all package installs will fail. ZIA’s redirect URL must use the PTC path your release serves (package-reroute — see How It Works).
2	Set up the Zscaler CA and application trust on developer workstations for each client and OS you intercept. MDM is not mandatory—use MDM, other endpoint tooling, imaging, login scripts, or guided manual steps. Exact variables and checks are per package manager and platform; follow the `scripts/` README and Zscaler’s trust-store documentation (see Installation Script and Prerequisites). Ensure certificate material is in user-readable paths.	Trust must be in place before SSL inspection is enabled. Without it, TLS to intercepted registries fails. Details are not duplicated in this doc because they change by client and OS.
3	Advise developers to open new terminal sessions or restart IDEs after certificate and environment-variable changes	Most client-specific environment variables are read when a new shell starts. Existing terminals and IDE-embedded shells keep the old environment until closed. That is normal: if an old session still fails TLS, developers typically open a new tab or restart the IDE on their own—not a major incident and not something that should force a coordinated fleet-wide reboot.
4	Configure and activate the ZIA rules (URL category, SSL inspection rule, URL filtering/redirect rule)	Only after Artifactory is ready and certificate trust + env configuration are deployed should traffic interception begin. Enabling ZIA before certs are trusted will break package installs for affected clients.

Warning: If ZIA rules are activated before Artifactory is configured or before certificate trust works for your package clients, installs can fail with SSL errors (missing or untrusted CA) or HTTP errors (Artifactory not ready). That can be disruptive at scale. Mandatory mass reboots alone do not fix this: remind people that new terminals or an IDE restart pick up updated environment variables. Always follow the sequence above.

Gradual Rollout Recommendation

To reduce risk, deploy PTC gradually rather than to the entire organization at once. You can phase by people (labs, pilots, departments—often using Zscaler Groups) and also by package ecosystem: turn on interception and routing for one registry or client stack at a time (for example npm first, then PyPI, then Docker/OCI later) by narrowing the ZIA URL category and matching Artifactory Package Reroute / repo_key configuration. You do not need to redirect every supported package type on day one.

Gradual rollout: space workstation readiness from ZIA activation

The Deployment Sequence already requires Artifactory first, then Zscaler CA and client trust on workstations, and only then ZIA rules that intercept registry traffic. In a gradual rollout, treat that last step as time-shifted from the earlier steps—not every machine receives certificates, trust-store updates, or install scripts on the same day, and open terminals and IDE-embedded shells keep the old environment until developers open a new tab or restart the IDE (see Step 3 in the deployment table).

Practical pattern:

Pilot or department first: Push workstation trust and client configuration to a small cohort, give them a short soak window (communication + a few days is common), and verify installs against the redirect path before you enable or widen ZIA interception for that cohort.
Then enable ZIA for the same cohort (scoped Groups in ZIA align with who is supposed to be on the new path). Avoid turning on SSL inspection and redirect rules for a population that has not yet had trust and env changes land—or you will see TLS failures and support noise that are not Artifactory defects.
Expand in waves: Add the next batch of workstations (MDM, imaging, or manual steps), wait for readiness signals (spot checks, helpdesk volume), then extend ZIA scope or the next Zscaler Group—rather than enabling ZIA org-wide while certificates are still propagating.
Same idea inside a phase: Even when you only change ZIA (for example adding a second registry domain to the URL category), confirm the clients that will hit that domain already have trust and env guidance applied for that stack before you flip the rule.

This is complementary to phasing by package ecosystem and by Zscaler Groups: you are also phasing when the network starts intercepting relative to how far along endpoint preparation is.

Why Gradual Rollout Is Important

Rolling out every user and every package client at the same time carries risk:

The installation script may encounter edge cases on specific workstation configurations that cause breakage.
Unforeseen interactions with existing security policies, network configurations, or developer tooling may surface.
If something goes wrong, the blast radius is the entire developer population and every language/runtime that shares the same rules.
Different package managers (npm vs. pip vs. container pulls) have different TLS and tooling quirks; phasing by package type isolates those variables.

A phased approach—by audience, by registry domains in ZIA, and by which ecosystems you have configured end-to-end in Artifactory—lets you identify and resolve issues with minimal disruption.

Recommended Rollout Phases

Phase	Scope	Purpose
Phase 1: Lab / Test Environment	A controlled lab environment or a small number of test workstations	Validate the full deployment end-to-end: certificate distribution, ZIA rule activation, package install via Artifactory, and—if you enabled it—Curation policy and audit behavior.
Phase 2: Pilot Group	A small group of developers (e.g., 5–10 volunteers from a single team)	Confirm that the solution works in a real-world environment with real developer workflows, IDEs, and projects. Collect feedback on any issues.
Phase 3: Expanded Rollout	A larger team or department (e.g., the full R&D group)	Scale the deployment while monitoring for issues. Use Zscaler's scoped deployment (Groups filter) to control which users are affected.
Phase 4: Organization-Wide	All developer workstations	Full production deployment after confirming stability in earlier phases.

Phasing by package type (optional): Within any phase above, you can keep ZIA’s custom URL category minimal (e.g., only registry.npmjs.org until npm is stable), then add domains for PyPI, container registries, Hugging Face, and so on as you validate each stack. Align Artifactory Package Reroute repo_key settings so only ecosystems you intend to govern are in the path. This is independent of JFrog vs. Zscaler ownership: Zscaler controls which hostnames are intercepted; JFrog controls which repository serves each type.

What to Monitor at Each Phase

Package installs succeed without SSL errors
Download and install time stays acceptable for your teams (throughput may differ from a direct path to the public registry—for example on first fetch, cache miss, or extra redirect hops—so compare against your own baseline and adjust capacity or caching if installs feel too slow)
Packages appear in Artifactory's cached artifacts
Curation audit log shows expected entries (only if JFrog Curation is enabled on the resolving remotes)
Artifactory system logs show package reroute lines (user, original and target URLs, registry type, user agent)—see Package reroute logs (Artifactory)
npm audit and other POST-based commands continue to work normally
Lock file behavior is acceptable (see Lock file considerations (npm) — minor URL differences are expected and not a blocking issue)
No unexpected workstation or application breakage from the installation script
When you add another registry domain or package client to the rollout, re-run targeted smoke tests for that client (install, lock files, TLS) before expanding scope further

Consumption Impact for SaaS Customers

If your JFrog Artifactory instance is a SaaS (cloud-hosted) subscription, be aware that deploying PTC will affect your consumption metrics.

How Consumption Is Affected

When PTC is active, all developer workstations that install packages through the redirected flow will generate traffic against your JFrog Artifactory instance. This means:

Every package download that was previously going directly to the public registry will now be routed through and served by your Artifactory instance.
Each workstation added to the PTC deployment increases the total volume of requests and data transfer against your Artifactory subscription.
Cached packages reduce repeated upstream fetches, but the initial download of each package version will count toward consumption.

Recommendation

Before deploying PTC across your organization, review your current SaaS subscription limits and projected consumption increase with your JFrog account team. The gradual rollout approach (see Gradual Rollout Recommendation) also helps you monitor consumption growth incrementally rather than experiencing a sudden spike.

Frequently Asked Questions

This section provides answers to frequently asked questions about deploying Package Traffic Controller (PTC).

FAQs

Q: What is the required deployment order for PTC?

A: Configure JFrog Artifactory and Package Reroute first, deploy workstation trust for the Zscaler CA, have developers open new terminal sessions, then activate ZIA rules. See Deployment Sequence.

Q: Why deploy PTC gradually instead of org-wide on day one?

A: Phased rollout limits blast radius when certificate trust, client quirks, or ZIA policy issues appear. Use Zscaler Groups and narrow URL categories per ecosystem. See Gradual Rollout Recommendation.

Q: Does PTC increase JFrog Cloud consumption?

A: Yes. Redirected package downloads count against your Artifactory SaaS subscription because traffic is served through your instance. Review limits with your JFrog account team before org-wide rollout. See Consumption Impact for SaaS Customers.

Q: Do developers need a full machine reboot after certificate changes?

A: No. New terminal sessions or an IDE restart pick up updated environment variables. Mandatory fleet-wide reboots alone do not fix TLS trust issues.