Prerequisites and Installation Script

Prerequisites

Before configuring PTC, ensure the following requirements are met.

Zscaler Requirements

ZIA Admin Portal Access: You need administrative access to the Zscaler Internet Access (ZIA) Admin Portal to create URL categories, SSL inspection rules, and URL filtering rules.

Zscaler Client Connector (ZCC): ZCC must be deployed on all developer workstations that will be part of the PTC solution. ZCC routes network traffic through Zscaler for inspection.

Z-Tunnel mode and SSL inspection (Zscaler): PTC depends on ZIA being able to SSL-inspect the HTTPS flows to the public registries you intercept, so URL filtering can redirect those requests to Artifactory. Whether your Zscaler Client Connector tunnel mode and forwarding path support that for your OS and policy set is determined by Zscaler, not JFrog. JFrog’s lab validation and the ZIA walkthrough in this document were exercised with Z-Tunnel 2.0; your tenant may use Z-Tunnel 1.0 or 2.0 per Zscaler’s guidance and your administrator’s design—do not treat “2.0 only” as a product requirement from JFrog. Confirm tunnel choice, traffic forwarding, and SSL inspection eligibility with Zscaler’s documentation and your Zscaler team—for example About Z-Tunnel 1.0 and Z-Tunnel 2.0. If SSL inspection cannot be applied to the relevant client traffic, the redirect flow described here will not work as intended.

CA certificate: The Zscaler CA certificate is already distributed to the developer machine by ZCC. However, some package managers and applications still need the certificate in an application-specific trust store or PEM path. MDM is optional: use MDM (e.g., Intune, Jamf), other deployment tooling, or controlled manual steps—especially for labs and pilots. At enterprise scale, automated distribution is strongly recommended. The certificate file must be copied to a location with user-level read access, not a root-only location (see Before Step 2: Verify trust stores for your package clients for details).

Workstation install scripts, environment variables, OS coverage, MDM notes, and “configure without the script” minimums are maintained in the repository README under scripts/ (see Installation Script).

For detailed instructions, see: Adding Custom Certificate to an Application-Specific Trust Store

Target Group (Scoped Deployments Only): If you plan to scope PTC to a specific group (e.g., R&D), ensure the target group exists in Zscaler. Groups can be configured via:

Directory Sync / SCIM: Synced from your identity provider
Local: Created manually under Administration > User Management > Groups in the ZIA Admin Portal

JFrog Artifactory Requirements

Artifactory instance: You need a running JFrog Artifactory deployment. PTC (Package Reroute) availability follows your JFrog license and entitlements—often aligned with Enterprise X or Enterprise+, but verify your exact SKU and feature flags with your JFrog account team rather than assuming from tier names alone.

Hostname / URL: Use the same HTTPS host your developers and automation use to reach Artifactory—for JFrog Cloud this is typically https://<your-subdomain>.jfrog.io (for example https://acme.jfrog.io). Self-hosted installations use the hostname (and optional context path) your organization configured. That value is what you substitute for <YOUR_ARTIFACTORY_URL> elsewhere in this guide.

Artifactory must have the appropriate repository layout for each package type you intend to serve through PTC—not only npm. The npm registry below is one example; repeat the same pattern (correct Artifactory package type, upstream URL, Package Reroute repo_key, and matching ZIA URL category entries) for every ecosystem you enable (for example PyPI, Docker/OCI, Hugging Face, per Supported Package Types (GA) and Package Reroute Config API).

A remote repository is required for PTC — it proxies the public registry upstream and is the target of the repo_key in the Package Reroute configuration. Optionally, you can point PTC at a virtual repository that includes that remote, which allows you to aggregate multiple sources or apply additional resolution rules; a virtual is not required and is not covered in the standard setup below.

Example — npm: A remote npm repository whose upstream is https://registry.npmjs.org.

Curation Best Practice: When you use JFrog Curation, enable Curation on the remote repository directly. If you are using a virtual repository, the curated remote should be last in the virtual’s resolution order.

JFrog Curation (optional): Enabling Curation on the relevant remote repositories is not mandatory for PTC. The redirect, repository resolution, and caching flow works without Curation. If Curation is off, you do not get JFrog Catalog policy evaluation, Compliant Version Selection (CVS), or Curation audit entries for those downloads—only standard Artifactory repository behavior applies. Turn on Curation when you want that governance layer.

Anonymous access: Enable Allow Anonymous Access at the platform level, then grant the anonymous user rights on the repositories in the PTC chain. If the Package Reroute repo_key is a virtual repository, grant the anonymous user Read on that virtual. If it is a remote, or a remote behind the virtual, grant Read and Deploy/Cache (per package type) so anonymous users can fetch and cache from the upstream registry. Use permission targets scoped to those repo keys (for example npm-virtual-registry and npm-remote-registry), not only the remote or only the virtual.

Checklist

ZIA Admin Portal access confirmed
ZCC deployed on target developer workstations, with tunnel mode and ZIA forwarding suitable for SSL inspection on the registry traffic you intercept (JFrog’s examples used Z-Tunnel 2.0; confirm 1.0 vs 2.0 with Zscaler—see About Z-Tunnel 1.0 and Z-Tunnel 2.0)
Zscaler CA certificate and client trust configuration applied on target workstations (MDM optional)
Target group defined in Zscaler (if using scoped deployment)
JFrog Artifactory instance hostname known
Repositories created for each package type you roll out (npm, PyPI, Docker, Hugging Face, etc.)
JFrog Curation enabled on remote repositories (optional—required only if you want Catalog policy checks and Curation audit for that path)
Anonymous access configured on Artifactory

Installation Script

Important — this is not JFrog-specific. The certificate installation described below is a general requirement for Zscaler SSL inspection to work properly on any workstation. Any application or CLI tool that makes HTTPS calls through a Zscaler-inspected network must trust the Zscaler root CA certificate. This applies regardless of whether JFrog Artifactory or PTC is involved. For the authoritative reference on Zscaler SSL inspection certificate deployment, see Zscaler's official documentation: Adding Custom Certificate to an Application-Specific Trust Store.
PTC relies on workstation certificate installation you deploy with the approach that fits your organization (MDM is not required—endpoint management, imaging, scripts, or manual steps are all valid). The scripts extract or reference the Zscaler CA and set environment variables so Node.js (npm and related clients) and Python/pip trust TLS through SSL inspection, as an example.

Lab-tested scripts — customer adjustments may be required. The installation scripts provided in the repository were developed and validated in JFrog's internal lab and network environment. Every organization's endpoint configuration, certificate chain, MDM tooling, and security policies differ. You should review and adapt the scripts to fit your specific environment before deploying them broadly. Use them as a reference implementation, not a drop-in solution.
This product documentation does not duplicate the script README. For authoritative detail, use:

Repository root overview: README.md (links to the script guide)
Scripts and full documentation: scripts/README.md in the package-reroute repository (PTC)—your organization’s clone or branch name may differ; the script layout is scripts/README.md at the repository root.

That README includes: supported OSes, package clients (npm, pnpm, yarn via Node; pip/pipenv/uv with validation notes), environment variables with version applicability, flowchart, test coverage, MDM validation on Action1 (other MDMs may need adjustment), which clients require env-based configuration (typically older npm/Python) vs. which may not need extra environment variables when the OS trust store is sufficient, and the minimum variables needed if you implement the same behavior without the scripts.

At a glance

Topic	Where it lives
Client list, env vars, Node/Python version notes	`scripts/README.md`
CLI options, validation scripts, automated tests	Same repository under `scripts/`
Why order matters (Artifactory → certs → new sessions → ZIA)	Deployment Sequence in this document

Run the installation before ZIA rules that intercept registry traffic are activated (see Deployment Sequence).

Frequently Asked Questions

This section provides answers to frequently asked questions about PTC prerequisites and installation scripts.

FAQs

Q: What Zscaler access do I need before configuring PTC?

A: You need ZIA Admin Portal access to create URL categories, SSL inspection rules, and URL filtering redirect rules. Zscaler Client Connector must be installed on target workstations. See Zscaler Requirements.

Q: Is MDM required to distribute the Zscaler CA certificate?

A: No. MDM (Intune, Jamf, and similar tools) is optional. You can use imaging, configuration management, login scripts, or guided manual steps—especially in labs and pilots.

Q: Is JFrog Curation mandatory for PTC to work?

A: No. PTC redirect, proxy, and cache work without Curation. Enable Curation when you want Catalog policy checks and audit entries on resolving remotes. See Step 4: Enable JFrog Curation (optional).

Q: Where is the authoritative client and OS matrix for install scripts?

A: Use scripts/README.md in the package-reroute repository for supported clients, environment variables, and validation steps. See Installation Script.