
Configuring the Index Tool with VMWare

A new or clean deployment of the Index Tool requires a VM image running Zscaler OS version 24.

Before you can create index templates for DLP dictionaries (i.e., Exact Data Match (EDM) and Indexed Document Match (IDM) templates), you must install and configure the virtual machine (VM) image for the Index Tool with Amazon Web Services (AWS), Azure, or VMware.

To learn more about the AWS and Azure deployments, see Configuring the Index Tool with Amazon Web Services and Configuring the Index Tool with Azure.

Since the Index Tool provides access to highly sensitive information, ensure that everyone who has access to it is authorized and authenticated.

Deploying a Zscaler Index Tool with VMware

To deploy a Zscaler Index Tool VM with VMware:

  • Make sure you have the following:

    • If your index templates include fewer than 300 million records, Zscaler recommends the following configuration:
      • Hypervisor: VMware ESX/ESXi version 6.0 or later.
      • CPUs: 4 CPUs. Zscaler requires 4 CPUs so that hash generation performance is not impacted.
      • RAM: 16 GB
      • Disk: 600 GB
      • VM Network: 1 Virtual NIC
    • If your index templates include more than 300 million records, Zscaler recommends the following configuration:
      • Hypervisor: VMware ESX/ESXi version 6.0 or later.
      • CPUs: 4 CPUs. Zscaler requires 4 CPUs so that hash generation performance is not impacted.
      • RAM: 64 GB
      • Disk: 1 TB
      • VM Network: 1 Virtual NIC
    • An Index Tool Configuration added in the Admin Portal. You need this configuration to complete the VM setup.
  • Before you configure the Index Tool VM, you must download it.

    If your index templates include fewer than 300 million records, you can download the Index Tool VM image from the Admin Portal. To download the Index Tool VM image:

    1. Go to Policies > Data Protection > Common Resources > Index Tool.
    2. Click Download Index Tool.
  • To configure the Index Tool VM:

    1. Make sure you have added an Index Tool Configuration. You need this configuration to complete the VM setup.
    2. In ESX/ESXi, install the Index Tool VM image you downloaded previously.
    3. Log in to the VM as user zsroot. The initial root password for this user is randomly generated.
    4. Change the root password:

      1. Enter the following command:

        sudo zadp change-password
      2. Enter the initial root password, the one that was randomly generated for you.
      3. Enter a new root password.
      4. Re-enter the new root password.

      After the password is changed, you need to log in as zsroot again using the new password.

    5. (Optional) By default, the VM starts using DHCP to obtain the IP address and default router information. If there's no DHCP server available, you can configure this manually:
      1. Enter the following command:

        sudo zadp configure-network
      2. For nameserver, enter c to change the IP address and press Enter.
      3. Enter the IP address and press Enter.
      4. If you want to add a new nameserver enter y, otherwise enter n, and press Enter.

    The VM restarts the network and checks the connection.

    6. Go back to the Admin Portal, and go to Policies > Data Protection > Common Resources > Index Tool.
    7. Locate the Index Tool Configuration you added previously, and under the SSL Certificate column, click Download.
    8. Copy the SSL client certificate .zip file to the VM and install it:
      1. In this example, we're using scp to copy over the file:

        scp <SSL_certificate_zip_filename> zsroot@<vm_ip>:~/

        For example: scp EdmClientCertificate.zip zsroot@10.66.108.100:~/

      2. Enter the following command to install the SSL certificate:

        sudo zadp configure <SSL_certificate_zip_filename>

        For example: sudo zadp configure EdmClientCertificate.zip

      3. Enter the domain name that is used for the Index Tool's fully qualified domain name (FQDN). For example, if the Index Tool is reachable at indextool.mycompany.com, then the domain name entered here is mycompany.com. The self-signed certificate is generated for *.mycompany.com.
      4. Enter a passphrase, then re-enter the passphrase to confirm it.
      5. You are prompted to enter the full path to the text file where the passphrase is stored. You can also press Enter twice to accept the default location and file, /home/zsroot/zscaler_zadp_webui_certificate_pass.txt.

        If the configuration succeeds, the service:

        1. Checks that the network is configured correctly.
        2. Installs the SSL client certificate you specified.
        3. Generates a self-signed SSL server certificate. If you need to install a custom server certificate, see the next step.
        4. Downloads the latest install package.
    9. (Optional) If you need to install your own self-signed or custom SSL server certificate:
      1. Enter the following command to install the server certificate:

        sudo zadp install-server-cert
      2. Enter the full path to the PEM formatted certificate file.
      3. Enter the following command to restart the Index Tool service:

        sudo zadp restart

    Go to https://<IP Address of the Index Tool VM> to access the Index Tool. After the Index Tool service has started, you can log in with your Admin Portal login credentials and create Index Templates to use when creating DLP dictionaries. To learn more, see Creating an Exact Data Match Template and Creating an Indexed Document Match Template.
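Before handing a certificate to sudo zadp install-server-cert, it is worth checking the file you are about to install. The script below is an added example and not Zscaler's code: it builds a self-signed wildcard certificate of the same shape the page describes (*.mycompany.com), then checks that a candidate certificate is PEM, covers the FQDN that users will browse to, and is not close to expiry. It assumes the openssl command-line tool is available; the file names and helper names are this example's own.

```shell
#!/bin/sh
# Added example (not Zscaler's code): sanity-check a PEM server certificate
# before running "sudo zadp install-server-cert", and show why a wildcard
# certificate for *.<domain> only covers one label below the domain.
# Assumes the openssl CLI is available; file names below are arbitrary.

# make_wildcard_cert DOMAIN OUTDIR
# Generate a self-signed certificate for *.DOMAIN (the same shape as the
# certificate the Index Tool generates for the domain entered during
# "zadp configure"). Writes OUTDIR/server.key and OUTDIR/server.pem.
make_wildcard_cert() {
    domain=$1; outdir=$2
    # Minimal openssl config: CN and a DNS SAN for the wildcard name.
    cat > "$outdir/openssl.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3
prompt = no
[dn]
CN = *.$domain
[v3]
subjectAltName = DNS:*.$domain
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -config "$outdir/openssl.cnf" \
        -keyout "$outdir/server.key" -out "$outdir/server.pem" >/dev/null 2>&1
}

# cert_is_pem FILE: the install step expects PEM, so reject anything else.
cert_is_pem() {
    openssl x509 -in "$1" -inform PEM -noout >/dev/null 2>&1
}

# cert_covers_fqdn FILE FQDN: does the certificate's SAN/CN match FQDN?
# Uses OpenSSL's own matcher (X509_check_host), including wildcard rules.
cert_covers_fqdn() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null \
        | grep -q 'does match certificate'
}

# cert_valid_for FILE SECONDS: fails if the cert expires within SECONDS.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# precheck_server_cert FILE FQDN: run all checks, print one line per check,
# return non-zero if any check failed. FQDN is the name users browse to.
precheck_server_cert() {
    cert=$1; fqdn=$2; rc=0
    if cert_is_pem "$cert"; then
        echo "ok   PEM certificate parses"
    else
        echo "FAIL $cert is not a PEM X.509 certificate"; return 1
    fi
    if cert_covers_fqdn "$cert" "$fqdn"; then
        echo "ok   covers $fqdn"
    else
        echo "FAIL certificate does not cover $fqdn"; rc=1
    fi
    if cert_valid_for "$cert" $((30 * 24 * 3600)); then
        echo "ok   valid for at least 30 days"
    else
        echo "FAIL certificate expires within 30 days (or is already expired)"; rc=1
    fi
    return $rc
}

# Usage: sh cert_precheck.sh /path/to/server.pem indextool.mycompany.com
if [ $# -eq 2 ]; then
    precheck_server_cert "$1" "$2"
fi
```

Note the wildcard behaviour the check exposes: *.mycompany.com covers indextool.mycompany.com but not mycompany.com itself, nor a deeper name such as dlp.eu.mycompany.com. If the Index Tool is reached through a deeper subdomain, the generated wildcard certificate will not match and you need a custom certificate installed with sudo zadp install-server-cert.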

Updating and Customizing a Deployed Index Tool VM

With your Index Tool VM running, you can update and customize the VM based on your organization's needs.

  • If you successfully configured the Index Tool, the service automatically downloads the latest install package before it starts.

    To manually update the service:

    1. Enter the following command to stop the service:

      sudo zadp stop
    2. Enter the following command to install the update:

      sudo zadp update-now
    3. Enter the following command to start the service:

      sudo zadp start
  • Run the Index Tool VM in Explicit Proxy Mode

    1. Log in to the VM as user zsroot.
    2. Enter the following command:

      sudo zadp configure-network
    3. For Do you require a proxy server configuration?, enter y and press Enter.
    4. For proxyserver, enter the IP address or hostname of your proxy server (e.g., proxy.zscaler.net) and press Enter.
    5. For proxyport, enter your proxy port number (e.g., 9443) and press Enter.
      The VM then tests the connection and, when this is successful, the configuration is complete.

    To remove the explicit proxy configuration:

    1. Enter the following command:

      sudo zadp configure-network
    2. For Do you require proxy server configuration?, enter n and press Enter.
    3. For Do you want to delete current proxy configuration?, enter y and press Enter.

    Requirements for Explicit Proxy Mode

    If you're using explicit proxy mode, DNS and NTP connections are not tunneled through the proxy, which means you need an internal DNS server to run in this mode. The Index Tool needs DNS resolution for the current Master CA IP, the update server, and the NTP server. The Index Tool host must be able to query a DNS server to resolve the following names:

    • smcacluster.<Zscaler cloud Name>
    • update1.<Zscaler cloud Name>
    • update2.<Zscaler cloud Name>
    • zdistribute.<Zscaler cloud Name>
    • The NTP server. By default, the Index Tool VM has the following FQDNs for NTP servers configured:
      • 0.freebsd.pool.ntp.org
      • 1.freebsd.pool.ntp.org
      • 2.freebsd.pool.ntp.org

    You can override these FQDNs to your internal IP address in your DNS server configuration or using other methods.

    In addition, since the proxy configuration doesn't allow authentication, you need to configure the proxy server to allow specific IP/MAC addresses without user and password authentication.

    The proxy server must also allow SSL bypass (that is, no TLS inspection) for communication from the VM to a specific set of IP addresses. These IPs are listed at config.zscaler.com/<Zscaler cloud Name>.net/edm. You can find your cloud name in the URL that your admins use to log in to the Zscaler service. For example, if an organization logs in to admin.zscalertwo.net, then that organization's cloud name is zscalertwo, so you would go to config.zscaler.com/zscalertwo.net/edm.
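The names listed above are easy to check before switching the VM to explicit proxy mode. The script below is an added example, not Zscaler's code: it builds the list of required names for a given cloud name and reports which ones the resolver cannot answer. It assumes the Zscaler names take the form <service>.<cloud name>.net (the page gives the cloud name as, for example, zscalertwo, and the config URL as <cloud name>.net) and that getent is available on the host running the check; redefine resolve_host to query a specific internal DNS server instead.

```shell
#!/bin/sh
# Added example (not Zscaler's code): preflight the DNS requirements for
# running the Index Tool VM in explicit proxy mode. The service names and
# NTP pool names come from the requirements list; the cloud name (e.g.
# zscalertwo) is supplied by the caller. The ".net" suffix is an assumption
# based on the admin URL and config URL shown on the page.

# edm_required_hosts CLOUD: print, one per line, every name the VM must be
# able to resolve when DNS and NTP are not tunneled through the proxy.
edm_required_hosts() {
    cloud=$1
    for svc in smcacluster update1 update2 zdistribute; do
        echo "$svc.$cloud.net"
    done
    # Default NTP servers configured on the VM; these must resolve too,
    # unless you override them to an internal NTP server in your DNS.
    for i in 0 1 2; do
        echo "$i.freebsd.pool.ntp.org"
    done
}

# resolve_host NAME: succeed if NAME resolves through the system resolver.
# Redefine this function to test against a stub or a specific DNS server
# (for example, wrap "host NAME 10.0.0.53").
resolve_host() {
    getent hosts "$1" >/dev/null 2>&1
}

# edm_dns_preflight CLOUD: check every required name, print one line per
# name, and return the number of names that did NOT resolve (0 means the
# internal DNS server satisfies the explicit proxy requirements).
edm_dns_preflight() {
    failed=0
    for name in $(edm_required_hosts "$1"); do
        if resolve_host "$name"; then
            echo "ok      $name"
        else
            echo "MISSING $name"
            failed=$((failed + 1))
        fi
    done
    return $failed
}

# Usage: sh edm_dns_preflight.sh zscalertwo
if [ $# -eq 1 ]; then
    edm_dns_preflight "$1"
fi
```

A non-zero exit count tells you exactly which names the internal DNS server still lacks; the usual gap is the three NTP pool names, which an internal-only resolver does not know unless you override them as described above.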

  • To configure the Index Tool service to run without elevated privileges:

    1. Log in to the VM as user zsroot.
    2. Enter the following command to stop the service:

      sudo zadp stop
    3. Open the /sc/conf/sc.conf file and update the value for zadp_ui_port to an unprivileged port (1024 or higher; ports below 1024 are reserved for root, so a value such as 1010 would still require elevated privileges).
    4. Enter the following command to restart the service:

      sudo zadp start
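The edit to zadp_ui_port is a one-line change, but it is the kind of change worth validating and backing up. The script below is an added example and not Zscaler's code: it refuses privileged or malformed port numbers, keeps a backup of sc.conf, and rewrites (or appends) the zadp_ui_port line. It assumes sc.conf uses key=value lines, which the page does not show; the helper names are this example's own. Run it between sudo zadp stop and sudo zadp start.

```shell
#!/bin/sh
# Added example (not Zscaler's code): change zadp_ui_port in /sc/conf/sc.conf
# safely. Assumes the file uses "key=value" lines (assumption; the page does
# not show the file format). Run between "sudo zadp stop" and "sudo zadp start".

# port_is_unprivileged PORT: true only for 1024..65535. Ports 1..1023 are
# reserved for root on BSD and Linux, so a value such as 1010 would still
# force the service to run with elevated privileges.
port_is_unprivileged() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;   # empty or not purely numeric
    esac
    [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# set_zadp_ui_port CONF PORT: validate PORT, keep a backup of CONF, and
# rewrite the zadp_ui_port line (or append it if the key is absent).
# Avoids "sed -i", whose syntax differs between GNU and BSD sed.
set_zadp_ui_port() {
    conf=$1; port=$2
    if ! port_is_unprivileged "$port"; then
        echo "refusing port '$port': need an unprivileged port 1024..65535" >&2
        return 1
    fi
    [ -f "$conf" ] || { echo "missing $conf" >&2; return 1; }
    cp -p "$conf" "$conf.bak"
    if grep -q '^zadp_ui_port=' "$conf"; then
        # Rewrite from the backup so the target file keeps its inode and mode.
        sed "s/^zadp_ui_port=.*/zadp_ui_port=$port/" "$conf.bak" > "$conf"
    else
        echo "zadp_ui_port=$port" >> "$conf"
    fi
}

# get_zadp_ui_port CONF: print the configured port (empty if not set).
get_zadp_ui_port() {
    sed -n 's/^zadp_ui_port=//p' "$1"
}

# Usage: sudo sh set_ui_port.sh /sc/conf/sc.conf 8443
if [ $# -eq 2 ]; then
    set_zadp_ui_port "$1" "$2"
fi
```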
  • An admin can request remote assistance and allow Zscaler Support to log in to an Index Tool without having to open a firewall connection for inbound traffic. This feature is disabled by default and must be enabled explicitly for the duration that remote support assistance is required.

    • To enable Zscaler Support to access your Index Tool:

      sudo zadp support-access-start

    This creates a long-lived SSH tunnel to the Zscaler cloud and sets up remote port forwarding. Zscaler Support can then use this tunnel to log in to your Index Tool.

    • To disable Zscaler Support access to your Index Tool:

      sudo zadp support-access-stop

    This brings down the long-lived SSH tunnel to the Zscaler cloud and all the remote connections.

    • To check the status of the Zscaler Support access to your Index Tool:

      sudo zadp support-access-status

Index Tool VM Commands

The following commands can be used to configure, update, and troubleshoot your VM.

Command                            Description
sudo zadp stop                     Stops the Zscaler Index Tool service.
sudo zadp start                    Starts the Zscaler Index Tool service.
sudo zadp update-now               Updates the Zscaler Index Tool service. The service must be stopped before you can run this command.
sudo zadp restart                  Restarts the Zscaler Index Tool service.
sudo zadp status                   Displays whether the Zscaler Index Tool service is running or stopped.
sudo zadp force-update-now         Forces the Zscaler Index Tool service to update to the latest version regardless of what version is on the VM. The service is automatically stopped before the update begins.
sudo zadp troubleshoot             Runs a series of checks to help troubleshoot issues, such as checking the installed certificate, the zcloud server configuration, all services, and whether or not an update is needed.
sudo zadp collect-diagnostics      Creates a file with diagnostic information to send to Zscaler Support for troubleshooting purposes.
sudo zadp configure-syslog-server  Configures external syslog server forwarding on the Zscaler Index Tool to forward SFTP file events and to log any critical changes to the configuration files monitored by the Index Tool. The external syslog forwarding happens over UDP port 514, which cannot be modified. UDP syslog is neither encrypted nor authenticated, so keep the forwarding path on a trusted network segment.
Related Articles

  • About the Index Tool
  • Adding an Index Tool Configuration
  • Modifying an Index Tool Configuration
  • Configuring the Index Tool with Amazon Web Services
  • Configuring the Index Tool with Azure
  • Configuring the Index Tool with VMWare