icon-zia.svg
Secure Internet and SaaS Access (ZIA)

Configuring the Index Tool with Amazon Web Services

Before you can create index templates for DLP dictionaries (i.e., Exact Data Match (EDM) and Indexed Document Match (IDM) templates), you must configure the virtual machine (VM) image for the Index Tool with Amazon Web Services (AWS), Azure, or VMware.

To learn more about the VMware Index Tool, see Configuring the Index Tool for Azure VMs and Configuring the Index Tool with VMware.

Since the Index Tool provides access to highly sensitive information, ensure that everyone who has access to it is authorized and authenticated.

Deploying a Zscaler Index Tool VM with AWS

To deploy a Zscaler Index Tool VM on Amazon Web Services:

  • To deploy the Zscaler Index Tool on an Azure VM:

    • If your index templates include less than 300 million records, Zscaler recommends the following configuration:
      • Hypervisor: AWS EC2
      • CPUs: 4 CPUs. Zscaler requires 4 CPUs because the CPUs ensure that hash generation performance is not impacted.
      • RAM: 16 GB
    • If your index templates include more than 300 million records, Zscaler recommends the following configuration:
      • Hypervisor: AWS EC2
      • CPUs: 4 CPUs. Zscaler requires 4 CPUs because the CPUs ensure that hash generation performance is not impacted.
      • RAM: 64 GB
    • You need a Zscaler Index Tool added in the ZIA Admin Portal. You need this configuration to complete the VM setup.
    Close
  • Request the Index Tool VM from Zscaler Support

    Before you can configure the Index Tool VM with AWS, you must contact Zscaler Support and request the Index Tool VM for your shared AWS account and region. Zscaler Support then provides you with the shared Index Tool VM information, Amazon Machine Image (AMI) ID and description to use when configuring the Index Tool with AWS.

    Make note of the AMI ID and name that was shared with your account. You need this information when configuring the Index Tool VM with AWS.

    Close
  • Configure the Index Tool VM

    1. Make sure you have added an Index Tool Configuration. You need this configuration to complete the VM setup.
    2. Log in to the AWS Management web UI or console.
    3. In the AWS Management console, click the Services icon at the top left of the page. The Services navigation menu is displayed.
    4. Go to Compute > EC2. The EC2 Management Console appears.
    5. Create a security group to be used in the configuration of the Index Tool VM:
      1. In another window, go to config.zscaler.com. The Zscaler Config page is displayed.
      2. Select your organization's Zscaler cloud from the Cloud drop-down menu at the top left of the page.
      3. Go to Zscaler Index Tool Requirements. The Zscaler Index Tool Requirements page lists all of the outbound connections that need to be configured for the Zscaler Index Tool to communicate with the Zscaler cloud.
      4. Make note of all of the IPs that are listed in the different tables on this page because you need to add them to the security group.
      5. Return to the EC2 Management Console, and go to Network & Security > Security Groups. The Security Groups page is displayed.
      6. On the Security Groups page, click Create security group in the top right of the page. The Create security group page is displayed.
      7. On the Create security group page:

        • Basic details: Enter a name for the security group in the Security Group Name field.
        • Inbound rules: Add only necessary incoming traffic IPs for the Index Tool VM. The Index Tool VM does not require an open port for internet traffic.

        Since the Index Tool provides access to highly sensitive information, ensure that everyone who has access to it is authorized and authenticated.

        • Outbound Rules: Add the outgoing traffic IPs that you gathered earlier from the Zscaler Index Tool Requirements page at config.zscaler.com.
      8. Click Create security group at the bottom right of the page.
    6. Launch an instance for the Index Tool VM:
      1. In the EC2 Management Console, go to Instances > Instances. The Instances page is displayed.
      2. On the Instances page, click Launch instances at the top right of the page. The Launch an instance page is displayed.
      3. (Optional) In the Name and tags section, enter a name for the Index Tool VM in the Name field.
      4. In the Application and OS Images (Amazon Machine Image) section:

        1. Click the My AMIs tab.
        2. Select the Shared with me option.
        3. In the Amazon Machine Image (AMI) drop-down menu, select the AMI image that Zscaler Support shared with you. For example, Zscaler ADP/EDM 500GB (6.2r.46.331757).

      5. In the Instance type section, in the Instance type drop-down menu, select the appropriate instance type required for the Index Tool VM. The instance type depends on the total number of cells that you plan to use within the Index Tool VM. For example, if you plan to use less than 500 million cells, select the t2.large instance type, t3.large instance type, or something similar. If you plan to use more than 500 million cells, select the t2.xlarge instance type, t3.xlarge instance type or something similar.
      6. In the Key pair (login) section, in the Key pair name drop-down menu, select either your key pair name or the Proceed without a key pair (Not recommended) option.
      7. In the Network settings section, under Firewall (security groups):

        1. Select the Select existing security group option.
        2. In the Security groups drop-down menu, select the security group you previously created.

        AWS automatically assigns the network IP address for the instance. You do not need to enter the IP address information unless it is required by your organization.

      8. Click Launch instance in the lower right of the page. A message is displayed stating that the launch of the instance was successfully initiated and it lists the instance ID that was created.
      9. Right-click the instance ID, and select Open Link in New Tab. The Instances page is displayed listing the instance with an Instance state of Pending. After a few seconds, the Instance state changes from Pending to Running.
      10. On the Instances page, click the Instance ID. The Instance summary page is displayed. On the Instance summary page, you can view the details for the instance, including the IP addresses that were assigned to the instance.

        If you are using a public IP address, when you shut down and restart the instance, the IP address changes.

      11. On the Instance summary page, in the Actions drop-down menu, select Monitor and troubleshoot and then select Get instance screenshot. The Get instance screenshot page is displayed. After the instance is fully started, the page displays the initial root password for the VM instance. The initial root password for this user is randomly generated. Make note of the initial root password.
      12. Log in to the VM as user zsroot with the initial root password. Enter an SSH command to the IP address of the VM instance.
      13. Change the root password:

        1. Enter the following command:

          sudo zadp change-password
        2. Enter the initial root password, the one that was randomly generated for you.
        3. Enter a new root password.
        4. Re-enter the new root password.

        After the password is changed, you need to log in to zsroot again using the new password.

    7. Return to the ZIA Admin Portal, and go to Administration > Index Tool.
    8. Locate the Index Tool Configuration you added previously, and under the SSL Certificate column, click Download.
    9. Copy the SSL client certificate.zip file to the VM and install it:
      1. In this example, scp is used to copy the file:

        scp <SSL_certificate_zip_filename> zsroot@<vm_ip>:~/

        For example:

        scp EdmClientCertificate.zip zsroot@10.66.108.100:~/
      2. Enter the following command to install the SSL certificate:

        sudo zadp configure <SSL_certificate_zip_filename>

        For example: sudo zadp configure EdmClientCertificate.zip

      3. Enter the domain name that is used for the Index Tool's fully qualified domain name (FQDN). For example, if the Index Tool is reachable from indextool.mycompany.com, then the domain name entered here is mycompany.com.The self-signed certificate would be generated for *.mycompany.com.
      4. Enter a passphrase, then re-enter the passphrase to confirm it.

      5. You are prompted to enter the full path name to the text file where the passphrase is stored. You can also press Enter twice to accept the default location and file, /home/zsroot/zscaler_zadp_webui_certificate_pass.txt.

        If the service was configured properly, it:

        • Checks if the network is configured correctly
        • Installs the SSL client certificate you specified
        • Generates a self-signed SSL server certificate. If you need to install a custom server certificate, see the next step.
        • Downloads the latest install package
    10. (Optional) If you need to install a self-signed or custom SSL server certificate:
      1. Enter the following command to install the server certificate:

        sudo zadp install-server-cert                               
      2. Enter the full path to the PEM-formatted certificate file.
      3. Enter the following command to restart the Index Tool service:

        sudo zadp restart
    11. Go to https://<IP Address of the Index Tool VM> to access the Index Tool. After the Index Tool service has started, you can log in with your ZIA Admin Portal login credentials and create Index Templates to use when creating DLP dictionaries. To learn more, see Creating an Exact Data Match Template and Creating an Indexed Document Match Template.
    Close

Updating and Customizing a Deployed Index Tool VM

With your Index Tool VM running, you can update and customize the VM based on your organization's needs.

  • If you successfully configured the Index Tool, the service automatically downloads the latest install package before it starts. To manually update the service:

    1. Enter the following command to stop the service:
    sudo zadp stop
    1. Enter the following command to install the update:
    sudo zadp update-now
    1. Enter the following command to start the service:
    sudo zadp start
    Close
  • You can run the tool in explicit proxy mode. To do this:

    1. Log in to the VM as user zsroot.
    2. Enter the following command:
    sudo zadp configure-proxy

    AWS manages network configuration, so you cannot directly configure the network from the Incident Receiver VM.

    1. For Do you require a proxy server configuration?, enter y and press Enter.
    2. For proxyserver, enter the IP address of your proxy server (e.g., proxy.zscaler.net) and press Enter.
    3. For proxyport, enter your proxy port number (e.g., 9443) and press Enter.
      The VM then tests the connection and when this is successful, the configuration is complete.

    To remove the explicit proxy configuration:

    1. Enter the following command:
    sudo zadp configure-proxy
    1. For Do you require proxy server configuration?, enter n and press Enter.
    2. For Do you want to delete current proxy configuration?, enter y and press Enter.

    Requirements for Explicit Proxy Mode

    If you're using explicit proxy mode, DNS and NTP connections are not tunneled, meaning, you need an internal DNS server to run in this mode. The Index Tool needs to have DNS resolution for the current Master CA IP, update server, and the NTP server. The Index Tool host also must be able to query a DNS server to resolve the following settings:

    • smcacluster.<cloudname>
    • update1.<cloudname>
    • update2.<cloudname>
    • zdistribute.<cloudname>
    • The NTP server. By default, the Index Tool VM has the following FQDNs for NTP servers configured:
      • 0.freebsd.pool.ntp.org
      • 1.freebsd.pool.ntp.org
      • 2.freebsd.pool.ntp.org

    You can override these FQDNs to your internal IP address in your DNS server configuration or using other methods.

    In addition, since the proxy configuration doesn't allow authentication, you must configure the proxy server to allow specific IP/Mac addresses without user and password authentication.

    The proxy server must also allow SSL bypass for communication from the VM to a specific set of IP addresses. These IPs are listed at config.zscaler.com/<cloudname>.net/edm. You can find your cloud name in the URL that your admins use to log in to the Zscaler service. For example, if an organization logs in to admin.zscalertwo.net, then that organization's cloud name is zscalertwo. So, you would go to config.zscaler.com/zscalertwo.net. To learn more, see What is my cloud name for ZIA?

    Close
  • To configure the Index Tool service to run without elevated privileges:

    1. Log in to the VM as user zsroot.
    2. Enter the following command to stop the service:
    sudo zadp stop
    1. Open the /sc/conf/sc.conf file and update the value for zadp_ui_port to a port number higher than 1,000.
    2. Enter the following command to restart the service:
    sudo zadp start
    Close
  • An admin can request remote assistance and allow Zscaler Support to log in to an Index Tool without having to open a firewall connection for inbound traffic. This feature is disabled by default and must be enabled explicitly for the duration that remote support assistance is required.

    • To enable Zscaler Support to access your Index Tool:
    sudo zadp support-access-start

    This creates a long-lived SSH tunnel to the Zscaler cloud and sets up remote port forwarding. Zscaler Support can then use this tunnel to log in to your Index Tool.

    • To disable Zscaler Support access to your Index Tool:
    sudo zadp support-access-stop

    This brings down the long-lived SSH tunnel to the Zscaler cloud and all the remote connections.

    • To check the status of the Zscaler Support access to your Index Tool:
    sudo zadp support-access-status
    Close

Index Tool VM Commands

The following commands can be used to configure, update, and troubleshoot your VM:

CommandDescription
sudo zadp stopStops the Zscaler Index Tool service.
sudo zadp startStarts the Zscaler Index Tool service.
sudo zadp update-nowUpdates the Zscaler Index Tool service. The service must be stopped before you can run this command.
sudo zadp restartRestarts the Zscaler Index Tool service.
sudo zadp statusDisplays whether the Zscaler Index Tool service is running or stopped.
sudo zadp force-update-nowForces the Zscaler Index Tool service to update to the latest version regardless of what version is on the VM. The service is automatically stopped before the update begins.
sudo zadp troubleshootRuns a series of checks to help troubleshoot issues, such as checking the installed certificate, the zcloud server configuration, all services, and whether or not an update is needed.
sudo zadp collect-diagnosticsCreates a file with diagnostic information to send to Zscaler Support for troubleshooting purposes.
sudo zadp configure-syslog-serverConfigures external syslog server forwarding on the Zscaler Index Tool to forward file SFTP events and to log any critical changes to the configuration files monitored by the Index Tool. The external syslog server forwarding happens over UDP port 514, which cannot be modified.
Related Articles
About the Index ToolAdding an Index Tool ConfigurationModifying an Index Tool ConfigurationConfiguring the Index Tool with Amazon Web ServicesConfiguring the Index Tool with AzureConfiguring the Index Tool with VMWare