NSS Advanced Deployment

NSS Advanced Deployment

This article describes additional features that may facilitate deploying NSS, in cases where you have specific requirements or restrictions. It includes the following topics:

Sometimes, the default management interface cannot be used for SSH due to VLAN restrictions. In those cases, Zscaler recommends that you add an additional interface just for management, so the first interface is used only for control connections to the cloud. (For more information about the interfaces used by NSS, see NSS Requirements.)

There are two ways to add a second management interface:

  • Zscaler recommends that you log into the vSphere client and configure the additional interface from the console tab. See Configuring Additional Interfaces from the Console below.  
  • Alternatively, you can manually configure the second management interface. See instructions. 

 To manually add a management interface:

  1. Shut down the NSS and stop the VM.
  2. Using the VSphere client, assign an additional interface to the VM. Map it to an appropriate network or VLAN.
  3. Boot the NSS.
  4. Run ifconfig and ensure that the em2 interface is active.
  5. Update the system configuration file /etc/rc.conf to configure the interface automatically after each system restart. To do this, run:
    sudo vi /etc/rc.conf
    • Add the em2 interface to the list of network interfaces. Modify the line that starts with network_interfaces and change it to:
      network_interfaces=“em0 em1 em2 lo0”
    • Add a new line at the end of the file: 
      Ensure that you replace <subnet-ip-address> with the IP address of the subnet. Following is an example: ifconfig_em2=“”
    • The default gateway is automatically added via the em0 interface. To add a static route to a different subnet or VLAN for the newly added em2 interface, add the following lines at the end of the file:
      route_em2=“-net <
      destination-subnet> <gateway-ip-address>”
      Replace <destination-subnet> with the IP address of the destination subnet and replace <gateway-ip-address> with the appropriate gateway IP address. Following is an example: 
      EXAMPLE: static_routes=“em2”
  6. Reboot the VM.
  7. To verify the changes, ping the newly added subnet gateway and run the following to print the route information:
    sudo netstat -rn

The Zscaler NSS typically uses the service interface to download logs from the Nanolog in the Zscaler cloud and send them to the SIEM. (For more information about the interfaces used by NSS, see NSS Requirements.)

Some organizations though may need to use one interface to connect to th Zscaler cloud and another interface to connect to the SIEM. For example, an organization may have a SIEM in a management LAN that is not routed to the Internet, and it may also have a service LAN that is routed to the Internet, but not to the management LAN, as shown in the following illustration.

Diagram of a company that has SIEM in management LAN not routed to internet and a service LAN routed to internet but not to management LAN

If your organization has a similar requirement, you can configure a second service interface. You can then use one interface to connect to the Zscaler cloud to download the logs and a different interface to send the logs to the SIEM located in the management LAN. To learn how to configure a second service interface, see Configuring Additional Interfaces from the Console below.

To configure a second management interface and service interface, first ensure that you run the sudo nss configure command to set your network settings (see How do I configure and start an NSS on the vSphere client?), and then run the following command to specify the IP addresses for the additional interfaces and their corresponding routes.

sudo nss configure split-interface

Screenshot of FreeBSD command prompt showing the command sudo nss configure split-interface

During a split-interface configuration, NSS will also ask for an smnet_route. If your SIEM is in a different network compared to the NSS smnet interface (em3=zs1) subnet, you can enter specific routes for feeds.
[root@NSS /sc/update]# nss configure split-interface
ifconfig_em2 (Internal Management interface IP address with netmask) []:
route_net:-net (Options <c:change, d:delete, n:no change>) [n]
Do you wish to add a new route_net? <n:no y:yes> [n]:
smnet_dev=em3 (Internal Service interface IP address with netmask) []:
Do you wish to add a new smnet_route? <n:no y:yes> [n]: y
Atleast one entry required for smnet_route
smnet_route (Static route for Siem N/w ,e.g (network/subnet/gateway): []:
Do you wish to add a new smnet_route? <n:no y:yes> [n]:

If you have a local NTP Server, you can configure the NSS to synchronize time with that server, as follows:

  1. Run the following as root:
    crontab -e
  2. Add the following line: 
    */10 * * * * ntpdate <ntp-server-name>
  3. Save and exit.

The time synchronization command will run every 10 minutes.

Some customers may have a Non-Default Internet Route environment. This will prevent NSS from establishing connections to the Zscaler cloud services. For this scenario, you can configure NSS in an explicit proxy mode, so that it tunnels all Zscaler cloud-bound connections through a proxy. These include TCP connections from NSS to Nanolog, SMCA, or SMCDSS for updates.

Note the following:

  • Connections from NSS to SIEM are not tunneled
  • DNS connections are not tunneled and an internal DNS server will be required in this mode. NSS needs DNS resolution for the current Master CA IP, update server, and the NTP server. The NSS host needs to be able to query a DNS server to resolve the following: smcacluster.<cloudname>, update1.<cloudname>, update2.<cloudname>, and the NTP server.

To configure NSS in explicit proxy mode:

  1. Run the nss configure command to configure the two network interfaces.
  2. Run nss configure proxy command. 
    [root@NSS /tmp]# nss configure proxy
    proxyserver (Proxy Host ) []:
    proxyport (Proxy Port ) [3128]:
    Successfully configured proxy
  3. To undo this configuration, --wipe may be used:
    nss configure proxy --wipe
  4. Once NSS starts, it will try to connect to SMCA or Nanolog using the proxy it configured. In the smnet=netstat command, there should be two proxy connections, one for SMCA and the other for Nanolog.