
Configuring the Zscaler Incident Receiver for Azure VMs

Before you can use a Zscaler Incident Receiver, you must configure the virtual machine (VM) image for the Incident Receiver on an Azure VM, an Amazon Web Services (AWS) EC2 instance, or an on-premises VM. To learn more, see Configuring the Zscaler Incident Receiver for Amazon Web Services EC2 VMs and Configuring the Zscaler Incident Receiver for On-Premises VMs.

Before you begin deployment, contact Zscaler Support to obtain the Incident Receiver virtual hard disk (VHD) shared access signature (SAS) token. Without it, you cannot set up the Incident Receiver.

Deploying a Zscaler Incident Receiver VM on Azure

To deploy a Zscaler Incident Receiver VM on Azure:

  • To deploy the Zscaler Incident Receiver on an Azure VM, you need:

    • The Zscaler Incident Receiver VHD SAS token.
    • An Azure VM with a minimum of two CPUs and 8 GB of RAM (e.g., a D2as_v4 Azure instance) to host the Incident Receiver VM.

      The VHD file includes minimum specifications for various settings (e.g., disk size and network interface). You can increase those specifications as needed.

    • Access to a storage server that supports Secure File Transfer Protocol (SFTP)/Secure Copy Protocol (SCP) and public key authentication. You must also have a preconfigured account that allows write access to the server's intended directory. You link the SFTP server to the Incident Receiver VM when you configure storage options later in the process.

    • (Optional) A static public IP address for the Incident Receiver VM.

      Zscaler recommends using a static IP address to ensure that the IP address does not change when the VM reboots. Alternatively, you can associate the IP address with a fully qualified domain name (FQDN) and then use the FQDN when configuring the Incident Receiver in the Admin Portal.

    • A network security group (NSG) on the Azure instance that allows inbound Internet Content Adaptation Protocol (ICAP) messages from the Feed Central Cloud (FCC) to the TCP port on which the Incident Receiver VM listens (e.g., port 1344).
    • A Zscaler Incident Receiver added in the Admin Portal. You need this configuration to complete the VM setup.
    • Your firewalls must permit the connections that the Zscaler Incident Receiver makes to, and receives from, the Zscaler cloud for your location. For the access requirements, see DLP Incident Receiver Connections.
  • Before you can deploy an Incident Receiver in Azure, you must first create a resource group to hold all resources for the Incident Receiver VM, as well as a storage account for the Incident Receiver VHD file.

      1. Log in to the Azure Management portal.
      2. In the Azure services section, click Resource groups.

        The Resource groups page appears.
      3. Click Create. The Create a resource group page appears.
      4. On the Create a resource group page:
        • Subscription: From the drop-down menu, select the Azure subscription for the resource group.
        • Resource group: Enter a name for the resource group.
        • Region: From the drop-down menu, select the geographical Azure location for the resource group.

          All resources that you create for the Incident Receiver must use the region you select here.

      5. Select the Review + Create tab, wait for the Validation passed message to appear, then click Create.

        You return to the Resource groups page, and the resource group you created is displayed in the list of resource groups.
      1. Log in to the Azure Management portal.
      2. In the Azure services section, click Storage accounts.

        The Storage accounts page appears.
      3. Click Create. The Create a storage account page appears.
      4. On the Create a storage account page:
        • Subscription: From the drop-down menu, select the Azure subscription for the storage account.
        • Resource group: From the drop-down menu, select the resource group for the Incident Receiver.
        • Storage account name: Enter a name for the storage account.
        • Region: From the drop-down menu, select the same geographical Azure region used for the Incident Receiver resource group.
      5. Keep the default selections for the rest of the options on the Basics tab, then click the Networking tab.
      6. On the Networking tab, ensure that the Enable public access from all networks option is selected. This is what lets Azure Storage Explorer write the VHD into the account from outside Azure. After the managed disk has been created from the VHD in a later step, the blob is no longer needed and you can restrict the storage account's network access again.
      7. Select the Review tab, review your selections, then click Create.

        After the storage account deployment is complete, a confirmation page appears.
  • To copy the Incident Receiver VHD file to your Azure storage account using Azure Storage Explorer:

    1. To ensure the fastest copy time, select the appropriate URL for your region:
      • USA: https://zirsvrazureprod.blob.core.windows.net/
      • Europe: https://zirsvrazureprodeu.blob.core.windows.net/
      • Australia: https://zirsvrazureprodau.blob.core.windows.net/
    2. Download and launch Azure Storage Explorer.
    3. Click the Add Account icon (plug icon).

      The Select Resource window appears.

    4. In the Select Resource window, select Storage account or service.

    5. Click Next.
    6. Select Shared access signature URL (SAS).

    7. Click Next.
    8. On the Enter Connection Info page, in the Service URL field, enter the Service URL and SAS token received from the Zscaler Support team.

      The other fields automatically fill in.

    9. Click Next.
    10. A connection summary appears. Review it and click Connect.
    11. After the connection is successful, in the left-side navigation, go to Storage Accounts > zirsvrstorageprod > Blob Containers > zir-image. The VHD file is located here.

    12. Highlight the VHD file and click Copy.
    13. In the left-side navigation, go to the storage account you created and click Paste to add the VHD to your blob containers. The transfer can take some time. The Activities tab at the bottom lets you know when the transfer is complete.
    14. Log in to the Azure Management portal.
    15. Go to your destination blob container. The VHD file appears in the blob container.
  • To create a security group in Azure:

      1. Log in to the Azure Management portal.
      2. In the Azure services section, click Network security groups.

        The Network security groups page appears.
      3. Click Create. The Create network security group page appears.
      4. In another tab, browse to config.zscaler.com. The Zscaler Config page appears.
      5. From the Cloud drop-down menu at the top left of the page, select your organization's Zscaler cloud.
      6. Go to DLP Incident Receiver. In the Source column of the table, click Zscaler Hub IP Addresses. The Hub IP Addresses page appears, listing the Zscaler Hub IP addresses that the Zscaler cloud uses to connect to the Incident Receiver. You must allow these addresses in the network security group for the Incident Receiver to communicate with the Zscaler cloud.
      7. As needed, click Copy IPs in the Required, Recommended, and Combined columns so you can add those IP addresses to the security group.
      8. Return to the Create network security group page in the Azure Management portal.
      9. On the Create network security group page:
        • Subscription: From the drop-down menu, select the Azure subscription for the security group.
        • Resource group: From the drop-down menu, select the resource group for the Incident Receiver.
        • Name: Enter a name for the security group.
        • Region: From the drop-down menu, select the same geographical Azure region used for the Incident Receiver resource group.
      10. Select the Review + Create tab, wait for the Validation passed message to appear, then click Create.
      11. On the confirmation page that appears, click Go to resource.
      1. On the network security group's page in the Azure Management portal, in the left-side navigation, click Inbound security rules.
      2. On the Inbound security rules page, click Add. The Add inbound security rule panel appears.
      3. In the Add inbound security rule panel:

        • Source: From the drop-down menu, select IP Addresses.
        • Source IP addresses/CIDR ranges: Enter the Zscaler Hub IP addresses that you copied from the Zscaler Hub IP Addresses page earlier. These are the addresses from which ICAP traffic reaches the Incident Receiver VM; do not widen the rule to Any.
        • Service: From the drop-down menu, select Custom.
        • Destination port ranges: Enter the TCP port on which the Incident Receiver accepts inbound ICAP traffic (e.g., 1344). This must match the port in the Incident Receiver URI in the Admin Portal.
        • Protocol: Select TCP.
        • Action: Select Allow.
        • Priority: Enter a priority ranking for the inbound security rule.
        • Name: Enter a name for the inbound security rule.
        • Description: (Optional) Enter a description for the inbound security rule.

      4. Click Add.
        The rule you created is displayed in the list on the Inbound security rules page.
      1. Return to the Azure Management portal. In the left-side navigation, click Outbound security rules.
      2. On the Outbound security rule page, click Add. The Add outbound security rule panel appears.
      3. In the Add outbound security rule panel:

        • Source: From the drop-down menu, select IP Addresses.
        • Source IP addresses/CIDR ranges: Enter the IP address of the Incident Receiver VM.
        • Destination: From the drop-down menu, select IP Addresses, then enter the Zscaler IP addresses and CIDR ranges that the Incident Receiver must reach (see DLP Incident Receiver Connections).
        • Service: From the drop-down menu, select Custom.
        • Destination port ranges: Enter the TCP ports that the Incident Receiver uses for outbound traffic (see DLP Incident Receiver Connections).
        • Protocol: Select TCP.
        • Action: Select Allow.
        • Priority: Enter a priority ranking for the outbound security rule.
        • Name: Enter a name for the outbound security rule.
        • Description: (Optional) Enter a description for the outbound security rule.

      4. Click Add.
        The rule you created is displayed in the list on the Outbound security rules page.

    To learn more, refer to the Microsoft Azure documentation.
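The inbound rule above is where the deployment's exposure is decided: only the Zscaler Hub addresses should be able to reach the ICAP port. The following Python script is an added example for this page, not Zscaler's or Microsoft's code. It takes the text pasted from the Copy IPs button (the addresses in SAMPLE_HUB_IPS are constructed documentation ranges, not real Hub IPs), rejects private ranges and catch-alls, deduplicates, and emits the rule in the property layout Azure uses for network security group rules, so the result can go into a template or be mapped onto the flags of az network nsg rule create. ICAP_PORT, the rule name and the priority are assumptions.

```python
"""Build a least-privilege inbound NSG rule for the Incident Receiver's ICAP port.

Added example for this page; it is not Zscaler's or Microsoft's code. Input is
the text copied with the Copy IPs button on the Zscaler Hub IP Addresses page.
The addresses below are constructed documentation ranges, not real Hub IPs.
"""
import ipaddress
import json

# Constructed sample of a copied Hub IP list: one entry per line, sometimes
# comma separated, mixing single hosts, CIDR blocks and a duplicate.
SAMPLE_HUB_IPS = """
203.0.113.0/24
198.51.100.10
198.51.100.0/28, 192.0.2.0/24
203.0.113.0/24
"""

ICAP_PORT = 1344  # assumption: must match the port in the Incident Receiver URI

# Prefixes that must never appear in a Hub IP list. A stray RFC 1918 range or a
# catch-all would quietly widen the rule far beyond Zscaler's addresses.
_FORBIDDEN = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3",
)]


def parse_hub_ips(text: str) -> list[str]:
    """Normalise the copied text into unique, validated IPv4 CIDR strings.

    Raises ValueError on anything that is not an IPv4 address or prefix, on a
    /0 catch-all, and on any overlap with the forbidden ranges above.
    """
    prefixes: list[str] = []
    for raw in text.replace(",", "\n").splitlines():
        entry = raw.strip()
        if not entry:
            continue
        net = ipaddress.ip_network(entry, strict=False)  # ValueError on garbage
        if net.version != 4:
            raise ValueError(f"only IPv4 prefixes are expected in a Hub IP list: {entry}")
        if net.prefixlen == 0 or any(net.overlaps(bad) for bad in _FORBIDDEN):
            raise ValueError(f"refusing catch-all or non-public prefix: {entry}")
        cidr = str(net)  # single hosts become /32, so duplicates compare equal
        if cidr not in prefixes:
            prefixes.append(cidr)
    return prefixes


def build_inbound_rule(prefixes: list[str], port: int = ICAP_PORT,
                       priority: int = 100, name: str = "allow-zscaler-icap") -> dict:
    """Return an NSG securityRule admitting only the given prefixes on the ICAP port.

    The dict uses the property names of
    Microsoft.Network/networkSecurityGroups/securityRules, so it can be dropped
    into an ARM/Bicep template or mapped onto az network nsg rule create flags.
    """
    if not prefixes:
        raise ValueError("an empty source list would produce a rule that matches nothing")
    if not 100 <= priority <= 4096:
        raise ValueError("Azure NSG rule priority must be between 100 and 4096")
    if not 1 <= port <= 65535:
        raise ValueError("invalid TCP port")
    return {
        "name": name,
        "properties": {
            "description": "ICAP from Zscaler Hub IPs to the Incident Receiver",
            "protocol": "Tcp",
            "sourcePortRange": "*",
            "destinationPortRange": str(port),
            "sourceAddressPrefixes": list(prefixes),
            "destinationAddressPrefix": "*",
            "access": "Allow",
            "priority": priority,
            "direction": "Inbound",
        },
    }


if __name__ == "__main__":
    rule = build_inbound_rule(parse_hub_ips(SAMPLE_HUB_IPS))
    print(json.dumps(rule, indent=2))
```

destinationAddressPrefix is left as * because an NSG attached to the VM's NIC only ever sees that VM's traffic; if you attach the NSG at subnet level instead, set it to the Incident Receiver's private address so the rule does not admit ICAP to every host in the subnet.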

  • To create the Incident Receiver VM, you must first create a managed disk that you then use to launch the Azure VM instance that hosts the Incident Receiver.

      1. Log in to the Azure Management portal.
      2. Click Create a resource, then use the search bar to find Managed Disks.
      3. On the search results page, click Create > Managed Disks.

        The Create a managed disk page appears.
      4. On the Create a managed disk page, select the Basics tab if needed.
      5. On the Basics tab:
        • Subscription: From the drop-down menu, select the Azure subscription for the managed disk.
        • Resource group: From the drop-down menu, select the resource group you are using for the Incident Receiver.
        • Disk name: Enter a name for the managed disk.
        • Region: From the drop-down menu, select the same geographical Azure region used for the Incident Receiver resource group.
        • Availability zone: From the drop-down menu, select an Azure availability zone, as needed for your organization.
        • Source type: From the drop-down menu, select Storage blob.
        • Under the Source blob, click Browse, then go to the storage account where the Incident Receiver VHD file is stored.
        • Select the VHD file, then click Select.
        • On the Create a managed disk page, for the OS type option, select Linux.

          Zscaler supports only Linux as the operating system for Azure instances of the Incident Receiver.

        • From the Security type drop-down menu, select Standard.
        • For the VM generation option, select Generation 1.

          Zscaler supports only Generation 1 VMs for Azure instances of the Incident Receiver.

        • For the Size option, click Change size. The Select a disk size page appears.
        • From the Storage type drop-down menu, select Premium SSD (locally-redundant storage).
        • In the Custom disk size (GiB) field, enter 500.
        • Click OK.
      6. On the Create a managed disk page, select the Networking tab.
      7. Select Disable public and private access.
      8. Select the Review + Create tab, wait for the Validation passed message to appear, then click Create.
      9. On the confirmation page that appears, click Go to resource.
      1. On the overview page for the managed disk you created, click Create VM.

        The Create a virtual machine page appears.
      2. Ensure that the Subscription and Resource group options match the options you selected when creating the managed disk.
      3. In the Virtual machine name field, enter a name for the VM.
      4. From the Size drop-down menu, select See all sizes. The Select a VM size page appears.
      5. Select D2as_v4 from the list, then click Select.
      6. On the Create a virtual machine page, in the Public inbound ports section, select None.
      7. From the License type drop-down menu, select Other.
      8. Select the Networking tab. Then, for the NIC network security group option, select Advanced.
      9. From the Configure network security group drop-down menu, select the network security group you created earlier.
      10. Select the Review + Create tab, wait for the Validation passed message to appear, then click Create.
      11. On the confirmation page that appears, click Go to resource.
      12. On the resource page that appears, click Serial Console.

        The Serial console page for the VM appears, showing the console output for the Incident Receiver.

        The VM deployment takes several minutes. When a prompt to change the zsroot password appears in the serial console output, the Incident Receiver is ready to be configured.

  • To configure the Incident Receiver VM:

    1. Ensure that you have added a Zscaler Incident Receiver in the Admin Portal. You need this configuration to complete the VM setup.
    2. Log in to the VM as user zsroot. The initial root password for this user is randomly generated.
    3. Change the root password:
      1. Enter the following command:

        sudo zirsvr change-password

      2. Enter the initial root password, which was randomly generated for you.
      3. Enter a new root password.

      4. Re-enter the new root password.
    4. In the Admin Portal, go to Policies > Data Protection > Common Resources > DLP Incident Receiver. Then select the Zscaler Incident Receiver tab.
    5. Locate the Zscaler Incident Receiver you added previously. In the Certificate column, click Download.

    6. Copy over the certificate .zip file to the VM and install it:
      1. The following example uses SCP to copy over the file:

        scp <certificate_zip_filename> zsroot@<ip>:/home/zsroot

        For example: scp IncidentReceiverCertificate.zip zsroot@10.66.108.100:/home/zsroot

      2. Enter the following command to install the SSL certificate:

        sudo zirsvr configure ~/<certificate_zip_filename>

        For example: sudo zirsvr configure ~/IncidentReceiverCertificate.zip

    7. For icaps_port, enter the Zscaler Incident Receiver port number that you previously added to the Zscaler Incident Receiver URI in the Admin Portal.

      (Optional) You can enter a different port number to change the Incident Receiver’s port number. However, you must also update the Incident Receiver’s URI in the Admin Portal to include the new port number. To learn more, see Adding a Zscaler Incident Receiver.

    8. Specify that your Azure Incident Receiver uses SFTP storage, then configure the storage server and public key authentication:

      • If you are using your Incident Receiver with Workflow Automation, use the information for your Filewatcher VM when configuring the SFTP storage. To learn more, see Configuring the DLP Application Integration Using Azure.

        1. To specify that the Incident Receiver forwards data to the SFTP storage, enter SFTP.
        2. For storage_sftp_fqdn, enter the FQDN for the storage server.
        3. For storage_sftp_port, enter the upload port of the SFTP server.
        4. For storage_dir, enter the storage server directory.
        5. For storage_sftp_username, enter a username for storage server login.
        6. To set up the public key, enter the password for that username. The password is used once to place the Incident Receiver's public key on the storage server and is not saved.

        If the SFTP server doesn't allow password-based authentication, the configure command reports that it is unable to update the public key on the server. In that case, install the public key on the SFTP server manually:

        1. On the Incident Receiver VM, copy the contents of the file ~/.ssh/id_ed25519.pub (the home directory of zsroot is /home/zsroot).
        2. On the SFTP server, append the copied line to the ~/.ssh/authorized_keys file of the account you specified for storage_sftp_username. Make sure that ~/.ssh has mode 0700 and authorized_keys has mode 0600; otherwise the SSH server ignores the key.
        3. On the Incident Receiver VM, run the configuration again:

          sudo zirsvr configure ~/<certificate_zip_filename>
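When the storage server refuses password authentication, the authorized_keys step above is done by hand, and the usual reason a hand-installed key is silently ignored is file permissions. The following Python script is an added example for this page, not part of zirsvr or any Zscaler tool. It checks that the pasted line really is an ssh-ed25519 public key (not a private key, an RSA key or a line the clipboard truncated), appends it to the SFTP account's authorized_keys only once, and forces the directory and file modes that sshd's StrictModes requires. SAMPLE_PUBKEY is a constructed, well-formed blob around a dummy 32-byte key, and the from= address in the demo reuses the placeholder 10.66.108.100 from the scp example above; both are assumptions, not real values.

```python
"""Install the Incident Receiver's ED25519 public key into an SFTP account.

Added example for this page, not Zscaler's own tooling. It covers the case where
the SFTP server refuses password authentication so zirsvr configure cannot push
the key itself. The key below is constructed (a well-formed ssh-ed25519 blob with
a dummy 32-byte key), not a real key; replace it with the contents of
~/.ssh/id_ed25519.pub from the receiver VM.
"""
import base64
import os
import stat
import tempfile
from pathlib import Path

# Constructed sample: SSH wire format is string("ssh-ed25519") + string(32-byte key).
_DUMMY_BLOB = base64.b64encode(
    b"\x00\x00\x00\x0bssh-ed25519" + b"\x00\x00\x00\x20" + bytes(range(32))
).decode()
SAMPLE_PUBKEY = f"ssh-ed25519 {_DUMMY_BLOB} zsroot@incident-receiver"


def parse_ed25519_pubkey(line: str) -> tuple[str, str]:
    """Return (key_type, base64_blob) or raise ValueError if the line is not a
    well-formed ssh-ed25519 public key."""
    parts = line.strip().split()
    if len(parts) < 2 or parts[0] != "ssh-ed25519":
        raise ValueError("expected a line starting with ssh-ed25519")
    blob = base64.b64decode(parts[1], validate=True)
    # 4-byte length + "ssh-ed25519", 4-byte length (32) + 32-byte key = 51 bytes
    if (len(blob) != 51
            or blob[:15] != b"\x00\x00\x00\x0bssh-ed25519"
            or blob[15:19] != b"\x00\x00\x00\x20"):
        raise ValueError("malformed ssh-ed25519 key blob")
    return parts[0], parts[1]


def install_authorized_key(home: Path, pubkey_line: str, options: str = "") -> bool:
    """Append the key to <home>/.ssh/authorized_keys; return True if it was added,
    False if the same key blob was already present.

    sshd's StrictModes (on by default) ignores authorized_keys when .ssh or the
    file is group/world writable, which is the usual reason a pasted key "does
    not work", so the modes are forced to 0700 and 0600 regardless of umask.
    """
    key_type, blob = parse_ed25519_pubkey(pubkey_line)
    ssh_dir = home / ".ssh"
    ssh_dir.mkdir(mode=0o700, exist_ok=True)
    os.chmod(ssh_dir, 0o700)
    auth = ssh_dir / "authorized_keys"
    existing = auth.read_text().splitlines() if auth.exists() else []
    if any(blob in line.split() for line in existing):
        return False
    entry = f"{options} {key_type} {blob} zscaler-incident-receiver".strip()
    with auth.open("a") as fh:
        fh.write(entry + "\n")
    os.chmod(auth, 0o600)
    return True


def demo(root: str = "") -> dict:
    """Run the installer twice against a scratch home directory and report what
    happened: first call adds the key, second is a no-op, modes are tight.
    The from= address is the placeholder receiver IP used on this page."""
    home = Path(root or tempfile.mkdtemp(prefix="sftp-home-"))
    first = install_authorized_key(home, SAMPLE_PUBKEY,
                                   options='restrict,from="10.66.108.100"')
    second = install_authorized_key(home, SAMPLE_PUBKEY)
    auth = home / ".ssh" / "authorized_keys"
    return {
        "added_first": first,
        "added_second": second,
        "entries": auth.read_text().count("ssh-ed25519 "),
        "dir_mode": stat.S_IMODE(os.stat(home / ".ssh").st_mode),
        "file_mode": stat.S_IMODE(os.stat(auth).st_mode),
    }


if __name__ == "__main__":
    print(demo())
```

Run it as the SFTP account on the storage server (or pass that account's home directory). The restrict option turns off port, agent and X11 forwarding and pty allocation for this key, none of which SFTP or SCP needs, and from= pins the key to the receiver's source address; drop the from= clause if the receiver sits behind NAT whose address you do not control.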

      By default, the Incident Receiver Health Check is enabled. It runs every 5 minutes (healthcheckIntervalInSec is 300) and writes a Health Status JSON file named <systemId>_<iphash>_ir_health_status_<timestamp>.json to your evidence folder. A new file arriving at each interval shows that the Health Check is working. If you would like to disable the Health Check, contact Zscaler Support.

      Sample Health Status file:

        {
        "ipAddress":"10.66.103.169",
        "version":"6.3.2404",
        "updatedAt":"1726848892",
        "systemId":"65533",
        "lastIncidentReceivedAt":"1726828921",
        "lastFileUploadSuccessAt":"1726828921",
        "storageType": "SFTP",
        "storageLocation":"/sc/temp",
        "healthcheckIntervalInSec":"300"
        }
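The health status file is the only signal the storage side gets about the receiver, so it is worth parsing rather than merely noticing that it exists. The following Python script is an added example for this page, not a Zscaler tool. It reads the status document shown above (SAMPLE_STATUS is that sample, embedded inline) and reports two conditions a monitoring job should page on: the file has not been refreshed for more than a few intervals, and incidents have been received without a later successful upload. The three-interval staleness threshold and the one-interval grace for uploads are this example's assumptions, not Zscaler defaults.

```python
"""Evaluate an Incident Receiver health-status JSON file for conditions worth paging on.

Added example for this page, not a Zscaler tool. SAMPLE_STATUS is the status
document shown on the page; the thresholds are this example's own choice.
"""
import json
import time

SAMPLE_STATUS = """{
"ipAddress":"10.66.103.169",
"version":"6.3.2404",
"updatedAt":"1726848892",
"systemId":"65533",
"lastIncidentReceivedAt":"1726828921",
"lastFileUploadSuccessAt":"1726828921",
"storageType": "SFTP",
"storageLocation":"/sc/temp",
"healthcheckIntervalInSec":"300"
}"""


def evaluate(status_json: str, now: int, max_missed_intervals: int = 3) -> list[str]:
    """Return a list of problems; an empty list means healthy.

    Every value in the file is a string, including the epoch timestamps, so each
    is converted before comparison.
    """
    s = json.loads(status_json)
    interval = int(s["healthcheckIntervalInSec"])
    updated = int(s["updatedAt"])
    last_incident = int(s["lastIncidentReceivedAt"])
    last_upload = int(s["lastFileUploadSuccessAt"])
    problems: list[str] = []

    # The file only reaches the evidence folder if the receiver is up and its
    # SFTP upload works, so a stale updatedAt means one of them has failed.
    limit = max_missed_intervals * interval
    age = now - updated
    if age > limit:
        problems.append(f"status last written {age}s ago (limit {limit}s): "
                        f"receiver {s['systemId']} or its SFTP path is down")

    # An incident received more than one interval after the last successful
    # upload means evidence is queueing on the receiver instead of landing in
    # storage; one interval of grace covers an upload that is still in flight.
    if last_incident > last_upload + interval:
        problems.append("incident received after the last successful SFTP upload: "
                        f"check {s['storageType']} storage at {s['storageLocation']}")
    return problems


if __name__ == "__main__":
    # Against the real clock the 2024 sample is reported as stale, which is the point.
    for line in evaluate(SAMPLE_STATUS, int(time.time())) or ["healthy"]:
        print(line)
```

In production, point the check at the newest *_ir_health_status_*.json in the evidence folder and treat "no file at all for three intervals" the same as a stale one; the absence of the file is the more common failure signature.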

      If the Zscaler Incident Receiver was configured properly, it:

      • Downloads the latest build
      • Installs the certificate you specified
      • Checks whether the service is configured correctly
      • Starts the service

      After the Zscaler Incident Receiver service has started, you can add it to the Data Loss Prevention (DLP) policy rule. To learn more, see Configuring DLP Policy Rules with Content Inspection, Configuring DLP Policy Rules without Content Inspection, and Configuring the SaaS Security API DLP Policy.

      You can log in to the storage server to see information about DLP policy violations. For each policy violation, the storage server creates a directory containing the policy-violating file and a JSON file for the DLP policy scan metadata.

      Sample JSON files are available for download for Endpoint DLP policy, for DLP policy with and without content inspection, and for SaaS Security DLP policy.

Updating and Customizing a Deployed Zscaler Incident Receiver VM

With your Incident Receiver VM running, you can update and customize the VM based on your organization's needs.

  • If you have successfully configured the service, the service automatically downloads the latest build before it starts. To manually update the service:

    1. Enter the following command to stop the service:

      sudo zirsvr stop
    2. Enter the following command to install the update:

      sudo zirsvr update-now
    3. Enter the following command to start the service:

      sudo zirsvr start
  • To run the Incident Receiver in explicit proxy mode:

    1. Log in to the VM as user zsroot.
    2. Enter the following command:

      sudo zirsvr configure-proxy
    3. For Do you require a proxy server configuration? enter y and press Enter.
    4. For proxyserver enter the IP address or FQDN of your proxy server (e.g., proxy.zscaler.net) and press Enter.
    5. For proxyport enter your proxy port number (e.g., 1344) and press Enter.

    The VM then tests the connection. When it is successful, the configuration is complete.

    To remove the explicit proxy configuration:

    1. Enter the following command:

      sudo zirsvr configure-proxy
    2. For Do you require proxy server configuration? enter n and press Enter.
    3. For Do you want to delete current proxy configuration? enter y and press Enter.

    Requirements for Explicit Proxy Mode

    If you're using explicit proxy mode, DNS and Network Time Protocol (NTP) connections are not tunneled, meaning you need an internal DNS server to run in this mode. The Zscaler Incident Receiver must have DNS resolution for the current Master Certificate Authority (CA) IP, the update server, and the NTP server. The Zscaler Incident Receiver host also must be able to query a DNS server to resolve the following:

    • smcacluster.<cloudname>
    • update1.<cloudname>
    • update2.<cloudname>
    • zdistribute.<cloudname>
    • The NTP server. By default, the VM has the following FQDNs for NTP servers configured:
      • 0.freebsd.pool.ntp.org
      • 1.freebsd.pool.ntp.org
      • 2.freebsd.pool.ntp.org

    You can override these FQDNs to your internal IP address in your DNS server configuration or using other methods.

    In addition, because the Incident Receiver's proxy configuration does not support proxy authentication, you must configure the proxy server to allow the Incident Receiver's IP/MAC address through without user and password authentication.
  • You can use the Mutual Transport Layer Security (MTLS) method to support client authentication for the Zscaler Incident Receiver. MTLS is a method for mutual authentication. It ensures that parties at each end of the connection are who they claim to be. Zscaler provides the MTLS CA Certificate for the Zscaler Incident Receiver, and you have the option to enable mutual authentication for the Zscaler Incident Receiver, which then uses this certificate for client authentication.

    To run the Incident Receiver VM with mutual transport security enabled:

    1. Log in to the VM as user zsroot.
    2. Enable MTLS by setting the icap_mtls_enabled parameter to 1 (icap_mtls_enabled=1) in the Incident Receiver configuration file (/sc/conf/sc.conf). By default, this parameter is disabled.
    3. Enter the following command to restart the Zscaler Incident Receiver service:

      sudo zirsvr restart
  • If you notice that SFTP upload is slower than expected, or if you notice that the Zscaler Incident Receiver internal queue is full, you can configure the Zscaler Incident Receiver VM to allow multiple simultaneous SFTP connections. You can find the logs for the Incident Receiver internal queue at /sc/log/zirsvr.log.

    To configure this setting:

    1. Log in to the VM as user zsroot.
    2. Specify the number of simultaneous SFTP connections by setting the storage_sftp_conn_max parameter to a value from 1 to 16 (e.g., storage_sftp_conn_max=2). By default, this parameter has a value of 1.
    3. Enter the following command to restart the Zscaler Incident Receiver service:

      sudo zirsvr restart

    • Before enabling this setting in your production environment, be sure to conduct thorough end-to-end testing.
    • If changing this setting does not stop the Zscaler Incident Receiver internal queue from filling up, you might also need to change the specifications of your SFTP server to ensure faster throughput, or configure multiple Incident Receivers with load balancing.
    • If you need assistance enabling this setting in your environment, contact Zscaler Support.
  • An admin can request remote assistance and allow Zscaler Support to log in to an Incident Receiver without having to open a firewall connection for inbound traffic. This feature is disabled by default. You must explicitly enable it for the duration that you require remote support assistance.

    • To enable Zscaler Support to access your Incident Receiver, enter the following command:

      sudo zirsvr support-access-start

      This command opens a long-lived outbound SSH tunnel from the Incident Receiver to the Zscaler cloud and sets up remote port forwarding over it. Zscaler Support logs in to your Incident Receiver through that tunnel, so no inbound firewall rule is required. Run support-access-stop as soon as the support session ends.

    • To disable Zscaler Support access to your Incident Receiver, enter the following command:

      sudo zirsvr support-access-stop

      This command brings down the long-lived SSH tunnel to the Zscaler cloud and all the remote connections.

    • To check the status of the Zscaler Support access to your Incident Receiver, enter the following command:

      sudo zirsvr support-access-status
  • If your organization requires you to update your SSH key, upgrade to the ED25519 key. To upgrade:

    1. Run the following command:

      sudo zirsvr troubleshoot

      If you see the following warning, you must update your SSH key:

      Checking SFTP server connection
        External SFTP server is configured as ...
        SFTP server is setup correctly, connection, read, and write are all successful. However, disk quota is not checked.
        Warning: SFTP is configured with older key type "rsa", consider upgrading it to newer keytype "ed25519" using command "sudo zirsvr update-sshkey". If your SFTP server is a Windows based server, please read SFTP server's Admin Guide.

      Take a snapshot of the VM before running the next command so that you can roll back if the key migration fails.

    2. Run the following command:

      sudo zirsvr update-sshkey

      If the SSH key was migrated correctly, the command:

      • Creates a new ED25519 SSH key and adds it to the file authorized_keys under the directory /home/zsroot/.ssh.
      • Updates the file /sc/conf/sc.conf so that the Incident Receiver uses the new ED25519 key.
      • On a Linux-based SFTP server, installs the new public key on the server.

        If your SFTP server doesn't support ssh-copy-id, you receive a message that the operation was unsuccessful. To update the SSH public key with the new ED25519 key, contact Zscaler Support.

Zscaler Incident Receiver Commands

You can use the following commands to configure, update, and troubleshoot your VM.

  • sudo zirsvr stop
    Stops the Zscaler Incident Receiver service.
  • sudo zirsvr start
    Starts the Zscaler Incident Receiver service.
  • sudo zirsvr update-now
    Updates the Zscaler Incident Receiver service. The service must be stopped before you can run this command.
  • sudo zirsvr configure-sftp
    Updates the SFTP server that the Incident Receiver uses.
  • sudo zirsvr restart
    Restarts the Zscaler Incident Receiver service.
  • sudo zirsvr status
    Displays whether the Zscaler Incident Receiver service is running or stopped.
  • sudo zirsvr force-update-now
    Forces the Zscaler Incident Receiver service to update to the latest version regardless of the version on the VM. The service is automatically stopped before the update begins.
  • sudo zirsvr troubleshoot
    Runs a series of checks to help troubleshoot issues, such as checking the installed certificate, the Zscaler cloud server configuration, all services, and whether or not an update is needed.
  • sudo zirsvr collect-diagnostics
    Creates a file with diagnostic information to send to Zscaler Support for troubleshooting purposes.
  • sudo zirsvr configure-syslog-server
    Configures forwarding to an external syslog server, so that the Zscaler Incident Receiver forwards SFTP file events and logs any critical changes to the configuration files it monitors. Forwarding uses UDP port 514, which cannot be modified. Syslog over UDP is neither encrypted nor acknowledged, so send it only across a trusted network path and alert on gaps in the stream.
  • sudo zirsvr install-server-cert
    Installs server certificates.
  • sudo zirsvr update-sshkey
    Creates a new SSH key and updates the Zscaler Incident Receiver to use the new SSH key for authentication.
Related Articles

  • About Zscaler Incident Receiver
  • Adding a Zscaler Incident Receiver
  • Modifying a Zscaler Incident Receiver
  • Configuring the Zscaler Incident Receiver for On-Premises VMs
  • Configuring the Zscaler Incident Receiver for Amazon Web Services EC2 VMs
  • Configuring the Zscaler Incident Receiver for Azure VMs
  • About ICAP Receivers for DLP
  • About ICAP Communication Between Zscaler and DLP Servers
  • Enabling Secure ICAP
  • Enabling Unencrypted ICAP
  • Adding an ICAP Receiver for DLP
  • Configuring the ICAP Server with the Mutual Transport Layer Security (MTLS) CA Certificate