This article describes additional features that may facilitate deploying NSS, in cases where you have specific requirements or restrictions. It includes the following topics:
Sometimes, the default management interface cannot be used for SSH due to VLAN restrictions. In those cases, Zscaler recommends that you add an additional interface just for management, so the first interface is used only for control connections to the cloud. (For more information about the interfaces used by NSS, see NSS Requirements.)
There are two ways to add a second management interface:
The Zscaler NSS typically uses the service interface to download logs from the Nanolog in the Zscaler cloud and send them to the SIEM. (For more information about the interfaces used by NSS, see NSS Requirements.)
Some organizations, though, may need to use one interface to connect to the Zscaler cloud and another to connect to the SIEM. For example, an organization may have a SIEM in a management LAN that is not routed to the Internet, and a service LAN that is routed to the Internet but not to the management LAN, as shown in the following illustration.
If your organization has a similar requirement, you can configure a second service interface. You can then use one interface to connect to the Zscaler cloud to download the logs and a different interface to send the logs to the SIEM located in the management LAN. To learn how to configure a second service interface, see Configuring Additional Interfaces from the Console below.
To configure a second management interface or a second service interface, first run sudo nss configure to set the basic network settings (see How do I configure and start an NSS on the vSphere client?), and then run the following command to specify the IP addresses of the additional interfaces and their corresponding routes.
sudo nss configure split-interface
During a split-interface configuration, NSS also prompts for an smnet_route. If your SIEM is in a different subnet from the NSS smnet interface (em3=zs1), enter a static route for each SIEM network that the feeds must reach; at least one smnet_route entry is required.
[root@NSS /sc/update]# nss configure split-interface
ifconfig_em2 (Internal Management interface IP address with netmask) [220.127.116.11/23]:
route_net:-net 18.104.22.168/12 22.214.171.124 (Options <c:change, d:delete, n:no change>) [n]
Do you wish to add a new route_net? <n:no y:yes> [n]:
smnet_dev=em3 (Internal Service interface IP address with netmask) [10.10.35.20/24]:
Do you wish to add a new smnet_route? <n:no y:yes> [n]: y
At least one entry required for smnet_route
smnet_route (Static route for Siem N/w ,e.g (network/subnet/gateway): 126.96.36.199/21/10.10.35.1) : 188.8.131.52/2/184.108.40.206
Do you wish to add a new smnet_route? <n:no y:yes> [n]: y
smnet_route (Static route for Siem N/w ,e.g (network/subnet/gateway): 126.96.36.199/21/10.10.35.1) : 220.127.116.11/2/18.104.22.168
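The smnet_route prompt accepts whatever you type, so it is worth checking each entry before the console stores it: the gateway has to be on-link for the smnet interface, and the SIEM-side interface must not be handed the default route that the service interface needs for the Zscaler cloud. The following is an added example, not NSS code or Zscaler's documentation. The network/prefix/gateway format and the em3 address 10.10.35.20/24 are taken from the prompts above; the checks are ordinary static-routing rules, not documented NSS behaviour, and the rc.conf-style rendering mirrors the "route_net:-net ..." echo in the transcript as an assumption about how entries are stored.

```python
"""Sanity-check smnet_route entries before typing them at the
`sudo nss configure split-interface` prompts.

Added example, not part of NSS or Zscaler's documentation.  The
network/prefix/gateway entry format and the smnet address come from the
console prompts on this page; the checks are plain static-routing rules
(gateway on-link, no default route on the SIEM-side interface).
"""
import ipaddress
from typing import List, Tuple


def parse_smnet_route(entry: str) -> Tuple[ipaddress.IPv4Network, ipaddress.IPv4Address]:
    """Parse 'network/prefix/gateway' exactly as typed at the smnet_route prompt."""
    parts = entry.strip().split("/")
    if len(parts) != 3:
        raise ValueError(f"expected network/prefix/gateway, got {entry!r}")
    net_str, prefix_str, gw_str = parts
    # strict=False accepts a host address in the network field and masks it
    # down to the network, which is what the kernel route would do anyway.
    net = ipaddress.IPv4Network(f"{net_str}/{prefix_str}", strict=False)
    return net, ipaddress.IPv4Address(gw_str)


def check_smnet_route(entry: str, smnet_if: str) -> List[str]:
    """Return the problems found; an empty list means the entry is usable.

    smnet_if is the smnet interface address with mask, e.g. '10.10.35.20/24'
    (the value answered at the smnet_dev=em3 prompt).
    """
    iface = ipaddress.IPv4Interface(smnet_if)
    try:
        net, gw = parse_smnet_route(entry)
    except ValueError as exc:  # AddressValueError/NetmaskValueError subclass it
        return [str(exc)]
    problems: List[str] = []
    # A static route only works if the gateway is reachable without another
    # route, i.e. it sits inside the smnet interface's own subnet.
    if gw not in iface.network:
        problems.append(f"gateway {gw} is not on-link for smnet subnet {iface.network}")
    elif gw == iface.ip:
        problems.append(f"gateway {gw} is the NSS's own smnet address")
    # The service interface must keep the default route to the Zscaler cloud;
    # a 0.0.0.0/0 smnet_route would pull cloud traffic into the management LAN.
    if net.prefixlen == 0:
        problems.append("0.0.0.0/0 is not a SIEM network; keep the default route on the service interface")
    # Destinations inside the smnet subnet are already directly connected.
    elif net.subnet_of(iface.network):
        problems.append(f"{net} is inside {iface.network} and needs no static route")
    return problems


def rc_conf_route(entry: str, name: str) -> str:
    """Render the entry the way the console echoes stored routes
    ('route_net:-net <network>/<prefix> <gateway>'). Assumed format, not documented."""
    net, gw = parse_smnet_route(entry)
    return f'route_{name}="-net {net.with_prefixlen} {gw}"'


if __name__ == "__main__":
    smnet = "10.10.35.20/24"  # answer given at the smnet_dev=em3 prompt above
    for entry in (
        "126.96.36.199/21/10.10.35.1",  # the prompt's own example entry
        "192.168.50.0/24/10.10.36.1",   # constructed: gateway is off-link
        "0.0.0.0/0/10.10.35.1",         # constructed: would steal the default route
    ):
        print(entry, "->", check_smnet_route(entry, smnet) or "OK")
    print(rc_conf_route("126.96.36.199/21/10.10.35.1", "siem1"))
```

Run it with your own em3 address and candidate routes before starting the split-interface configuration; a non-empty list for an entry means the feed to that SIEM network would not leave the NSS.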
The time synchronization command will run every 10 minutes.
Some customers have an environment without a default Internet route. This prevents NSS from establishing direct connections to the Zscaler cloud services. For this scenario, you can configure NSS in explicit proxy mode, so that it tunnels all Zscaler cloud-bound connections through a proxy. These include the TCP connections from NSS to Nanolog, to SMCA, and to SMCDSS for updates.
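Before switching NSS to explicit proxy mode it helps to confirm that the proxy will actually carry a raw TCP connection to the cloud endpoints, since a proxy that only permits plain HTTP, or that demands credentials, will leave NSS unable to reach Nanolog. The following is an added example, not NSS code: the page states only that explicit proxy mode tunnels cloud-bound TCP connections through a proxy, and the HTTP CONNECT method used here is the standard way an explicit proxy does that; it is assumed, as are the placeholder proxy and target hostnames and the port 443 used in the usage at the bottom.

```python
"""Probe whether an explicit proxy will open a TCP tunnel (HTTP CONNECT)
to a Zscaler cloud endpoint, before enabling explicit proxy mode on NSS.

Added example, not NSS code.  CONNECT as the tunnelling method, and the
placeholder hostnames/port under __main__, are assumptions.
"""
import socket
from typing import Tuple


def build_connect_request(host: str, port: int) -> bytes:
    """HTTP/1.1 CONNECT request asking the proxy to open a TCP tunnel to host:port."""
    return (
        f"CONNECT {host}:{port} HTTP/1.1\r\n"
        f"Host: {host}:{port}\r\n"
        "Proxy-Connection: keep-alive\r\n"
        "\r\n"
    ).encode("ascii")


def parse_connect_response(raw: bytes) -> Tuple[int, str]:
    """Return (status_code, reason) from the proxy's reply to CONNECT.

    Raises ValueError when the bytes are not an HTTP status line, which is
    what you get if the configured 'proxy' is really a plain TCP service or
    a transparent device that never speaks HTTP back to the client.
    """
    head = raw.split(b"\r\n\r\n", 1)[0]
    status_line = head.split(b"\r\n", 1)[0].decode("latin-1", "replace")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"not an HTTP status line: {status_line!r}")
    reason = parts[2] if len(parts) == 3 else ""
    return int(parts[1]), reason


def tunnel_established(raw: bytes) -> bool:
    """True only for a 2xx reply.  407 means the proxy wants credentials;
    403 usually means the destination host or port is not allowed."""
    code, _ = parse_connect_response(raw)
    return 200 <= code < 300


def probe_via_proxy(proxy_host: str, proxy_port: int,
                    target_host: str, target_port: int,
                    timeout: float = 5.0) -> Tuple[int, str]:
    """Connect to the proxy, send CONNECT for the target, return its status."""
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as sock:
        sock.sendall(build_connect_request(target_host, target_port))
        raw = b""
        while b"\r\n\r\n" not in raw:
            chunk = sock.recv(4096)
            if not chunk:
                break
            raw += chunk
    return parse_connect_response(raw)


if __name__ == "__main__":
    # Placeholders: substitute your proxy and the Nanolog host NSS must reach.
    # The port is an assumption; use the one your NSS deployment is told to use.
    code, reason = probe_via_proxy("proxy.example.internal", 3128,
                                   "nanolog.example.net", 443)
    print(f"proxy answered {code} {reason} -> tunnel "
          f"{'OK' if 200 <= code < 300 else 'refused'}")
```

Run the probe once per cloud endpoint NSS needs (Nanolog, SMCA, SMCDSS); a 407 tells you the proxy will need an exception or credentials for the NSS source address, and a ValueError tells you the address you were given is not an explicit proxy at all.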
Note the following:
To configure NSS in explicit proxy mode: