NSS Requirements

You will need the following to deploy NSS:

  • A subscription to either NSS for Web Logs or NSS for Firewall Logs.
  • Virtual Machine Specs
    • VM CPU: 2 cores. NSS uses one core for the control plane and another core for the data plane.
    • VM Memory: 8 GB for up to 15,000 users, 16 GB for up to 40,000 users, 32 GB for up to 100,000 users
    • VM Disk space: 500 GB
  • Host Specs
    • Hypervisor: VMware ESX/ESXi v5.0 and above
    • Host CPU: 64-bit Xeon or equivalent
    • VMware vSphere Client or vCenter
  • Network Specs
    • VM Network: 2 Virtual NICs (You may optionally need two additional virtual NICs as described in Advanced Deployment.)
    • Bandwidth for log download: 11 Mbps for 10,000 users
    • IP Addresses: The following table lists the IP addresses and the interfaces on which they're configured. Internal IP addresses are allowed. Note that the management IP address and service IP address can be on different subnets, as long as the DNS server can be reached on both subnets.

| Virtual Interface | IP Address | Description |
|---|---|---|
| em0 (First network adapter) | Management IP Address | This is used for control connections to the Zscaler cloud and to make an SSH connection to the NSS VM for configuration and management. Note that you can customize the deployment and define a separate IP address for the SSH connection to the NSS VM. See Advanced Deployment. |
| em1 (Second network adapter) | Service IP Address | This is used for data connections to the Zscaler cloud and to the SIEM. |
| em2 (Third network adapter) | (Optional) Second Management IP Address | In cases where the default management interface cannot be used for SSH due to VLAN restrictions, Zscaler recommends that you add an additional interface just for management, so the first interface is used only for control connections to the cloud. See Advanced Deployment. |
| em3 (Fourth network adapter) | (Optional) Second Service IP Address | In cases where the default service interface cannot be used to connect to the Zscaler cloud and to the SIEM, you can add an additional service interface, so one service interface can be used to connect to the Zscaler cloud, and a separate interface can be used to connect to the SIEM. |

Firewall Requirements

You can deploy the NSS behind a firewall. The NSS requires only outbound connections to the Zscaler cloud. It does not require any inbound connections to your network from the Zscaler service cloud. To view the firewall requirements, go to the following:

https://ips.<zscaler-cloud-name>/addresses/nss.html

The <zscaler-cloud-name> can be found in the URL you use to log in to the Zscaler admin portal. For example, if you log in to admin.zscaler.net, then go to https://ips.zscaler.net/addresses/nss.html

The IP ranges are necessary to ensure that the service isn't affected by future Zscaler cloud expansion.