How to set up an NSS server

This how-to guide describes the required tasks to deploy a Nanolog Streaming Service (NSS) to stream either web logs or firewall logs to Devo Relay. 

Contact Zscaler Support to request a share of the NSS AMI. Provide your AWS account ID and the AWS region in which you want the AMI. After deployment, the NSS VM receives automatic software updates from the Zscaler cloud.

Prerequisites

You'll need the following to deploy NSS on your VM:

Prerequisite

Details

A subscription to either NSS for web or NSS for firewall

-

VM specifications (See Recommended EC2 to get your recommended instance specifications)

  • EC2 instance type

    • One of the following dual-core instances: t2.medium, m4.large, r4.large, or r4.xlarge.

    • NSS uses one core for the control plane and another core for the data plane.

  • Instance memory

    • 8 GB for up to 15,000 users, 16 GB for up to 40,000 users, 32 GB for up to 100,000 users

  • EBS Storage Volume Type (Magnetic is good enough, but General Purpose SSD is recommended)

  • Data disk size: 500 GB

Network specs

  • Two network interfaces:

    • The first network interface is the management IP address. It's used for control connections to the Zscaler cloud and to make an SSH connection to the NSS VM for configuration and management. You can customize the deployment and define a separate IP address for the SSH connection to the NSS VM.

    • The second network interface is the service IP address. It's used for data connections to the Zscaler cloud and to the Devo Relay.

  • Two elastic IPs: to associate a public IP address with each of the two network interfaces

Bandwidth for log download: 11 Mbps for 10,000 users

-

Firewall requirements

It's mandatory to deploy the NSS instance behind a VM network security group. The NSS instance requires only outbound connections to the Zscaler cloud. It doesn't require any inbound connections to your network from the Zscaler cloud. To view the firewall requirements for your specific account, refer to the Zscaler Cloud Configuration Requirements for your Zscaler cloud: https://config.zscaler.com/<Cloud Name>/nss

You can find the name of your Zscaler cloud in the URL you use to log in to the Zscaler service. For example, if you log in to admin.zscaler.net, then go to config.zscaler.com/zscaler.net/nss

The IP ranges are necessary to ensure that the service isn't affected by future Zscaler cloud expansion.
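One way to check a security group against the outbound-only requirement above, as an added example (not Devo or Zscaler code). It reads one group in the JSON shape returned by `aws ec2 describe-security-groups`; the sample group, the CIDRs, the SSH port 22 and the function names are assumptions made for illustration.

```python
import ipaddress
import json

# Constructed sample in the shape returned by `aws ec2 describe-security-groups`.
# Every CIDR is an RFC 5737 documentation range, not a real Zscaler or Devo address.
SAMPLE_GROUP = json.loads("""
{"GroupId": "sg-EXAMPLE",
 "IpPermissions": [
   {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
    "IpRanges": [{"CidrIp": "198.51.100.0/24"}]},
   {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
    "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
 "IpPermissionsEgress": [
   {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
    "IpRanges": [{"CidrIp": "203.0.113.0/25"}]},
   {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}
""")

def _cidrs(rule):
    # All IPv4 and IPv6 CIDRs named by one rule.
    return ([r["CidrIp"] for r in rule.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])])

def _inside(cidr, allowed):
    """True if cidr is fully contained in one of the allowed networks."""
    net = ipaddress.ip_network(cidr, strict=False)
    nets = [ipaddress.ip_network(a, strict=False) for a in allowed]
    return any(a.version == net.version and net.subnet_of(a) for a in nets)

def audit_nss_group(group, admin_cidrs, egress_cidrs):
    """Return (direction, from_port, cidr) for every rule that is too broad.
    admin_cidrs: networks allowed to SSH to the management interface
                 (port 22 is an assumption; adjust if you changed it).
    egress_cidrs: ranges from your Zscaler configuration page plus the Devo Relay.
    """
    findings = []
    for rule in group.get("IpPermissions", []):
        ssh = (rule.get("IpProtocol"), rule.get("FromPort"), rule.get("ToPort")) == ("tcp", 22, 22)
        for cidr in _cidrs(rule):
            if not (ssh and _inside(cidr, admin_cidrs)):
                findings.append(("inbound", rule.get("FromPort"), cidr))
    for rule in group.get("IpPermissionsEgress", []):
        for cidr in _cidrs(rule):
            if not _inside(cidr, egress_cidrs):
                findings.append(("outbound", rule.get("FromPort"), cidr))
    return findings

if __name__ == "__main__":
    for finding in audit_nss_group(SAMPLE_GROUP, ["198.51.100.0/24"], ["203.0.113.0/24"]):
        print(finding)
```

Rules that reference other security groups or prefix lists are not evaluated by this check.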
