NSS Advanced Deployment

This article describes additional features that may help you deploy NSS when you have specific requirements or restrictions.

Sometimes, the default management interface cannot be used for SSH due to VLAN restrictions. In those cases, Zscaler recommends that you add an additional interface just for management, so the first interface is used only for control connections to the cloud. (For more information about the interfaces used by NSS, see NSS Requirements.)

There are two ways to add a second management interface:

  • Zscaler recommends that you log into the vSphere client and configure the additional interface from the console tab. See Configuring Additional Interfaces from the Console below.  
  • Alternatively, you can manually configure the second management interface. See instructions. 

To manually add a management interface:

  1. Shut down the NSS and stop the VM.
  2. Using the vSphere client, assign an additional interface to the VM. Map it to an appropriate network or VLAN.
  3. Boot the NSS.
  4. Run ifconfig and ensure that the em2 interface is active.
  5. Update the system configuration file /etc/rc.conf so that the interface is configured automatically after each system restart. To do this, run:
    sudo vi /etc/rc.conf
    • Add the em2 interface to the list of network interfaces. Modify the line that starts with network_interfaces and change it to:
      network_interfaces="em0 em1 em2 lo0"
    • Add a new line at the end of the file for the em2 address. Ensure that you replace <subnet-ip-address> with the IP address of the subnet. Following is an example:
      ifconfig_em2=""
    • The default gateway is automatically added via the em0 interface. To add a static route to a different subnet or VLAN for the newly added em2 interface, add the following lines at the end of the file:
      static_routes="em2"
      route_em2="-net <destination-subnet> <gateway-ip-address>"
      Replace <destination-subnet> with the IP address of the destination subnet and replace <gateway-ip-address> with the appropriate gateway IP address.
  6. Reboot the VM.
  7. To verify the changes, ping the newly added subnet gateway and run the following to print the route information:
    sudo netstat -rn
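The rc.conf additions and the route check from the procedure above, as an added example (not Zscaler's code): a function that writes the em2 lines into a copy of rc.conf and a function that confirms the static route in a netstat -rn listing. It assumes the interface is em2 and, because the page does not show the ifconfig_em2 value, uses FreeBSD's standard "inet <addr> netmask <mask>" form for it.

```sh
#!/bin/sh
# Added example, not part of the original article. Assumes the second
# management interface is em2 and that ifconfig_em2 takes FreeBSD's usual
# "inet <addr> netmask <mask>" form (the page leaves that value blank).

# Arguments: $1 rc.conf path, $2 em2 IP, $3 netmask, $4 destination subnet,
# $5 gateway IP. Writes the result to "$1.new" so the live file is untouched
# until you have reviewed it.
add_mgmt_interface() {
    rc="$1"; ip="$2"; mask="$3"; dst="$4"; gw="$5"
    # Keep the existing interface list and insert em2 ahead of lo0.
    sed 's/^network_interfaces="\(.*\) lo0"$/network_interfaces="\1 em2 lo0"/' "$rc" > "$rc.new"
    {
        printf 'ifconfig_em2="inet %s netmask %s"\n' "$ip" "$mask"
        printf 'static_routes="em2"\n'
        printf 'route_em2="-net %s %s"\n' "$dst" "$gw"
    } >> "$rc.new"
}

# Reads a netstat -rn listing on stdin; returns 0 only if destination $1
# is routed out of em2 (Netif is the last field when Expire is empty).
route_present() {
    awk -v dst="$1" '$1 == dst && $NF == "em2" { found = 1 } END { exit !found }'
}

# Constructed sample inputs so the script runs stand-alone.
tmp=$(mktemp -d)
cat > "$tmp/rc.conf" <<'EOF'
hostname="nss"
network_interfaces="em0 em1 lo0"
ifconfig_em0="DHCP"
EOF
add_mgmt_interface "$tmp/rc.conf" 10.20.30.5 255.255.255.0 192.168.100.0/24 10.20.30.1

sample_routes='Destination        Gateway            Flags     Netif Expire
default            10.0.0.1           UGS         em0
10.0.0.0/24        link#1             U           em0
192.168.100.0/24   10.20.30.1         UGS         em2'

cat "$tmp/rc.conf.new"
printf '%s\n' "$sample_routes" | route_present 192.168.100.0/24 && echo "route via em2 present"
```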

The Zscaler NSS typically uses the service interface to download logs from the Nanolog in the Zscaler cloud and send them to the SIEM. (For more information about the interfaces used by NSS, see NSS Requirements.)

Some organizations, though, may need to use one interface to connect to the Zscaler cloud and another interface to connect to the SIEM. For example, an organization may have a SIEM in a management LAN that is not routed to the Internet, and a service LAN that is routed to the Internet but not to the management LAN, as shown in the following illustration.

Diagram: a company with a SIEM in a management LAN that is not routed to the Internet, and a service LAN that is routed to the Internet but not to the management LAN.

If your organization has a similar requirement, you can configure a second service interface. You can then use one interface to connect to the Zscaler cloud to download the logs and a different interface to send the logs to the SIEM located in the management LAN. To learn how to configure a second service interface, see Configuring Additional Interfaces from the Console below.

To configure a second management interface and a second service interface, first ensure that you have run the sudo nss configure command to set your network settings (see How do I configure and start an NSS on the vSphere client?), and then run the following command to specify the IP addresses for the additional interfaces and their corresponding routes:

sudo nss configure split-interface

Screenshot: FreeBSD command prompt showing the command sudo nss configure split-interface.

If you have a local NTP Server, you can configure the NSS to synchronize time with that server, as follows:

  1. Run the following as root:
    crontab -e
  2. Add the following line: 
    */10 * * * * ntpdate <ntp-server-name>
  3. Save and exit.

The time synchronization command will run every 10 minutes.