How do I configure and start an NSS on the vSphere client?

Before you configure and start the Nanolog Streaming Service (NSS) on the vSphere client, ensure that you have downloaded the NSS OVA file and SSL certificate from the Zscaler admin portal. See How do I download an NSS from the admin portal?

To configure the NSS virtual appliance on the ESX/ESXi server, log in to the vSphere client and do the following:

  1. Import the NSS OVA file.
  2. Configure the network.
  3. Install the SSL certificate.
  4. Download the NSS binaries.
  5. Start NSS.
  6. Verify the configuration.

Import the NSS OVA file

Go to File > Deploy OVF Template and use the Deploy OVF Template wizard to deploy the NSS virtual machine (VM).

Configure the network

  1. Select the NSS VM and click the Power On button, or choose Power On the virtual machine.
  2. On the Console tab, log in at the FreeBSD command prompt with the following:
    • Username: zsroot
    • Password: zsroot
      NOTE: Zscaler strongly recommends that you change this default password by running the command passwd. The steps are given after the network configuration below.
      The default login credentials are different from those used in NSS VM versions earlier than 4.2.1.
      By default, root login is not permitted. Administrators must use sudo to run commands that require elevated privileges.
  3. Configure the network by running sudo nss configure and supplying the following values:
    • The DNS server IP address.
      For example: 192.168.1.1
    • The management interface IP address with CIDR netmask. You will use the management IP address for SSH and for uploading files (SCP or SFTP; FTP is also accepted, but it sends credentials and data in cleartext).
      For example: 192.168.3.1/16
    • The default gateway for the management IP address.
      For example: 192.168.1.1
    • The service IP address with CIDR netmask. NSS uses the service IP address to communicate with the Zscaler cloud and with the SIEM.
      For example: 192.168.3.2/16
    • The default gateway for the service IP address.
      For example: 192.168.1.1
      The management IP address and the service IP address can be on different subnets, as long as the DNS server is reachable from both.

Screenshot: the sudo nss configure prompts at the FreeBSD command prompt.

Change the default password

  1. To change the password, run passwd followed by your username.
    • For example, if you are using the default username, the command is passwd zsroot.
  2. When prompted, enter the following:
    • Your current password
      For example, if you are still using the default password, enter zsroot.
    • Your new password (twice, to confirm it)

Screenshot: changing the zsroot password at the FreeBSD command prompt.

Install the SSL certificate

NSS uses this certificate to authenticate itself to the Zscaler service. Ensure that the SSL certificate is installed on only one active NSS VM at a time. If several NSS VMs present the same certificate, the cloud connection flaps between them, which disrupts the streaming of logs through the NSS.

  1. Locate the SSL certificate that you downloaded from the admin portal.
  2. Upload it to the management IP address of the NSS. Prefer SCP or SFTP; FTP is also accepted, but it transmits credentials and the certificate in cleartext.
  3. On the vSphere client Console tab, or over SSH to the management IP address, log in with the following credentials:
    • Username: zsroot
    • Password: zsroot (or the new password you set)
  4. Run the command sudo nss install-cert
    • Specify the path to the uploaded certificate bundle.
  5. Check the configuration by running the command sudo nss dump-config

Download the NSS binaries

You need to download the NSS binaries once, before starting the NSS.

  1. On the vSphere client, click the Console tab, or use SSH to connect to the management IP address.
  2. Run the command sudo nss update-now to download and install the NSS binaries.
    After the NSS starts, it automatically downloads and installs new binaries when they become available.
Start NSS

  1. On the vSphere client, click the Console tab, or use SSH to connect to the management IP address.
  2. Run the command sudo nss start
    • Ensure that the command reports that the NSS virtual appliance started successfully.
      It may take a few minutes for the NSS to start streaming logs to the SIEM.
    • To make the NSS start automatically after a reboot, run the command sudo nss enable-autostart
    • To see the other available options, run sudo nss help

Verify the configuration

To verify the configuration, run the following command:
sudo nss troubleshoot netstat|grep tcp
In the output, verify that the following TCP connections are established, in this order:

  • Connection to the Zscaler cloud on port 9422: This is the control connection, used to authenticate NSS to the Zscaler Central Authority and to download the configuration.
  • Connection to the SIEM: This is the long-lived TCP connection to the SIEM on the configured log data port. If multiple feeds are configured, a connection must be listed for each of them.
  • Connection to the Zscaler cloud on port 9431: This is the data connection to the Nanolog, over which the logs are streamed.
    If any one of these connections is absent, even after waiting a few minutes, the cause is usually a firewall configuration issue and the logs cannot be streamed. To troubleshoot, see Troubleshooting NSS.
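The shell helper below is an added example written for this page; it is not part of the NSS CLI or of Zscaler's documentation. It assumes that sudo nss troubleshoot netstat writes a standard FreeBSD netstat listing to stdout (Foreign Address printed as ip.port, connection state in the last column) so that it can be captured to a file, and it checks that capture for the three connections listed above, naming whichever is missing. The netstat lines embedded in the block are constructed sample data using documentation addresses, not a capture from a real appliance; the SIEM address 192.168.5.10 port 514 and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not NSS's own tooling): check a captured netstat listing
# for the three TCP connections the verification step expects.
# Assumed capture command on the appliance:
#   sudo nss troubleshoot netstat > /tmp/nss-netstat.txt

# nss_has_conn FILE PORT [IP]
# Succeeds if FILE contains an ESTABLISHED tcp connection whose Foreign
# Address ends in .PORT (FreeBSD netstat prints "ip.port") and, when IP
# is given, whose foreign IP equals IP.
nss_has_conn() {
    awk -v port="$2" -v ip="$3" '
        $1 ~ /^tcp/ && $NF == "ESTABLISHED" {
            n = split($5, f, ".")                      # last piece is the port
            fport = f[n]
            fip = substr($5, 1, length($5) - length(fport) - 1)
            if (fport == port && (ip == "" || fip == ip)) found = 1
        }
        END { if (found) exit 0; exit 1 }' "$1"
}

# nss_check_connections FILE SIEM_IP SIEM_PORT
# Reports each missing connection and returns non-zero if any is absent.
nss_check_connections() {
    rc=0
    nss_has_conn "$1" 9422 \
        || { echo "MISSING: control connection to Zscaler cloud, port 9422"; rc=1; }
    nss_has_conn "$1" "$3" "$2" \
        || { echo "MISSING: SIEM connection to $2 port $3"; rc=1; }
    nss_has_conn "$1" 9431 \
        || { echo "MISSING: data connection to Nanolog, port 9431"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: control, SIEM and data connections are established"
    return "$rc"
}

# Constructed sample listing (documentation addresses, not a real capture):
# the management interface 192.168.3.1 serves SSH; the service interface
# 192.168.3.2 carries the three NSS connections. Assumed SIEM: 192.168.5.10:514.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 192.168.3.2.52144      198.51.100.20.9422     ESTABLISHED
tcp4       0      0 192.168.3.2.52150      192.168.5.10.514       ESTABLISHED
tcp4       0      0 192.168.3.2.52161      198.51.100.21.9431     ESTABLISHED
tcp4       0      0 192.168.3.1.22         192.168.1.50.41022     ESTABLISHED
tcp4       0      0 *.22                   *.*                    LISTEN
EOF

nss_check_connections "$sample" 192.168.5.10 514
```

Matching the SIEM entry on both IP and port, rather than on the port alone, keeps an unrelated syslog connection from masking a missing feed; if the firewall blocks the service IP, the SIEM and port 9431 lines are the ones that typically fail to appear while the port 9422 control connection may still be present.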