
Run NSS server

The following NSS configuration steps are run through an SSH terminal connection. The connection must use basic authentication. Use zsroot/zsroot when prompted for credentials.

Zscaler recommends changing the default password.

Before starting, do the following:

  • Ensure you have completed the EC2 Provisioning guide.

  • Note the private IP of the service network interface (eth1) you created in your AWS account.

    1. In your AWS account, go to the Amazon EC2 console.

    2. On the side menu, go to Network & Security → Network Interfaces.

    3. Click on the service network interface (eth1) you created.

    4. On the bottom of the page, click on the Details tab, and note the Primary private IPv4 IP.

To configure the NSS virtual appliance on the VM, follow the steps below:

Copy the SSL certificate

  1. Copy the downloaded file from the admin portal to the VM, using FTP, SCP, or SFTP.

  2. Look up the public hostname or IP address of your instance in the VM.

Remote login to the VM instance

  1. Use an SSH command such as the following to get shell access to the VM:

    ssh zsroot@Public-Host-Name

  2. Use the following username/password: zsroot/zsroot.

Install the SSL certificate

NSS uses an SSL certificate to authenticate itself to the Zscaler service. Make sure that the SSL certificate is installed on only one active NSS VM at a time. Having multiple NSS VMs that use only one certificate causes cloud connection flapping, which disrupts the streaming of logs to the NSS.

  1. Copy the NssCertificate.zip file to the /home/zsroot root directory.

  2. Run the following command:

    sudo nss install-cert NssCertificate.zip

  3. Check the configuration by running the command:

    sudo nss dump-config

Configure the NSS network settings

  1. Enter the command netstat -rn and note down the default gateway IP address. For example:

  2. Configure the NSS network (service interface only). You will be prompted for several IP configurations.

  3. Enter the command sudo nss configure and use the following inputs:

    • Enter a name server (e.g. 172.31.0.2). You can change it (C), delete it (D), or leave it unchanged (N). In this case, enter N.

    • You can add a name server if you want. In this case, enter N.

    • Enter the service interface IP address with netmask (smnet_dev). This is the private IP address of the second network interface (service interface, eth1) created for the VM. To find it, look up the private IP of that interface in your AWS account:

      1. In your AWS account, go to the Amazon EC2 console.

      2. On the side menu, go to Network & Security → Network Interfaces.

      3. Click on the service network interface (eth1) you created.

      4. On the bottom of the page, click on the Details tab, and note the Primary private IPv4 IP.

  4. Enter the service interface default gateway IP address (smnet_dflt_gw). This is the default gateway IP address (e.g. 172.31.16.1). You can find it by running the command netstat -r.

The first network interface (management network) is configured by default when you start the VM.

Download the NSS binaries

Before starting the NSS service, run the following command to download and install the NSS binaries:

After the first NSS software deployment, the software is automatically updated with new versions. Run the following command to verify that the latest version was installed successfully:

Start NSS

Unless you are planning to use this instance for passive backup, run the command sudo nss start and do the following:

  1. Make sure that the command shows that the NSS virtual appliance started successfully. It may take a few minutes for NSS to start streaming logs to the SIEM.

  2. To enable NSS to start automatically after a restart, run the command:

  3. You can also explore other options by running the command:

Verify the configuration

To verify the configuration, run the command:

When the output of the command is displayed, verify that the following TCP connections are established, in this order:

  1. Connection to the Zscaler cloud on port 443 - This is the control connection that is used to authenticate NSS to the Zscaler Central Authority and to download the configuration. It's also the data connection to the Nanolog so it can stream the logs.

  2. Connection to the Devo Relay - This is the long-lived TCP connection to the Devo Relay on the specified log data port. If multiple feeds are configured, there must be one such connection per feed.
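The check above can be scripted so that a missing or half-open session is caught instead of eyeballed. The following is an added example, not Zscaler's or Devo's own tooling: it reads a netstat -an style connection table and confirms an ESTABLISHED session to port 443 and at least one to the Devo Relay. The relay IP/port and the sample table are constructed placeholders; replace them with your own values.

```shell
#!/bin/sh
# Added example (not Zscaler/Devo code): verify the two ESTABLISHED TCP sessions a
# healthy NSS must have. Relay IP/port and the sample table are placeholders.

DEVO_RELAY_IP="${DEVO_RELAY_IP:-10.0.5.20}"     # placeholder: your Devo Relay address
DEVO_RELAY_PORT="${DEVO_RELAY_PORT:-13000}"     # placeholder: configured log data port

# count_established PORT [HOST]: read netstat -an lines on stdin and print how many
# ESTABLISHED TCP rows have a foreign address on PORT (and on HOST, if given).
# Accepts both "host.port" (BSD style, as on the NSS appliance) and "host:port" (Linux).
count_established() {
    awk -v port="$1" -v host="$2" '
        $1 ~ /^tcp/ && $NF == "ESTABLISHED" {
            n = match($5, /[.:][0-9]+$/)      # last separator before the port
            if (n == 0) next
            fhost = substr($5, 1, n - 1)
            fport = substr($5, n + 1)
            if (fport == port && (host == "" || fhost == host)) c++
        }
        END { print c + 0 }'
}

# check_nss_connections: exit 0 only when both expected sessions are present.
# Usage on the appliance:  netstat -an | check_nss_connections
check_nss_connections() {
    table=$(cat)
    cloud=$(printf '%s\n' "$table" | count_established 443)
    relay=$(printf '%s\n' "$table" | count_established "$DEVO_RELAY_PORT" "$DEVO_RELAY_IP")
    rc=0
    if [ "$cloud" -ge 1 ]; then
        echo "OK   control/data connection to the Zscaler cloud on port 443"
    else
        echo "FAIL no ESTABLISHED connection on port 443"; rc=1
    fi
    if [ "$relay" -ge 1 ]; then
        echo "OK   $relay feed connection(s) to Devo Relay $DEVO_RELAY_IP:$DEVO_RELAY_PORT"
    else
        echo "FAIL no ESTABLISHED connection to Devo Relay $DEVO_RELAY_IP:$DEVO_RELAY_PORT"; rc=1
    fi
    return $rc
}

# Constructed sample of netstat -an output (BSD format) so the check runs offline.
# The last row is a relay session still in SYN_SENT and must not count.
SAMPLE_NETSTAT='tcp4  0  0 172.31.16.50.49152  198.51.100.10.443   ESTABLISHED
tcp4  0  0 172.31.16.50.49153  10.0.5.20.13000     ESTABLISHED
tcp4  0  0 172.31.16.50.22     203.0.113.7.51234   ESTABLISHED
tcp4  0  0 172.31.16.50.49160  10.0.5.20.13001     SYN_SENT'
```

Run it as `printf '%s\n' "$SAMPLE_NETSTAT" | check_nss_connections` to see the report on the sample, or pipe live netstat -an output into it on the appliance.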