NSS VMs in an active-cold standby setup: do they have the same IP address?

When configuring one NSS as two virtual machines identified by the same certificate, one VM can be the active NSS and the other VM can be a cold standby. But are these VMs using different IPs? If they are in different physical locations, then there will be 2 different IPs in most cases. But in the ZIA portal, NSS is configured with only 1 IP. Any hints on this?

Hi Nirutheegan,
You can have the same IP address, as the other one is in cold standby (powered-off state or isolated from the network).

Ramesh M

1 Like

Thanks, Ramesh, for your response. But configuring the same IP is not always possible, especially if we want to achieve site-level redundancy. Is my understanding correct?

Hi @Nirutheegan

Refer to the excerpt below:

Deploying Multiple NSS Virtual Machines

For full site redundancy, each organization can subscribe to up to two NSS servers for each type of traffic and deploy each pair in an active-active configuration. Each NSS supports up to 8 parallel feeds. Each feed can have a different list of fields, a different format, and different filters.

When you register a new NSS in the Zscaler service, you are required to download an SSL certificate, which you then upload to the new NSS that you configure. The newly configured NSS then uses the certificate to authenticate itself to the Zscaler service. You can configure one NSS as two virtual machines identified by the same certificate, as long as they do not try to connect to the Nanolog at the same time. One VM can be the active NSS and the other VM can be a cold standby. Zscaler strongly recommends against running both VMs as active because this will result in frequent connection resets and a failure to stream the logs.

For completely redundant site configurations, if your organization has two SIEMs, Zscaler recommends using two NSS subscriptions, so both NSS VMs can stream logs to the SIEMs at the same time. Each NSS will run independently, with different configurations, and stream logs to two separate SIEMs. This is not recommended if you use a single SIEM, because each NSS will send copies of the same logs to the SIEM, which might not be able to remove the duplicates.

1 Like
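A small plan checker for the rules in the excerpt above (one active VM per certificate, 8 feeds per NSS, duplicate logs when two subscriptions feed one SIEM) plus the single-IP point raised in this thread. This is an added example, not Zscaler's code; the NssVm fields, the sample plan and the wording of the IP warning are my assumptions.

```python
from dataclasses import dataclass

MAX_FEEDS_PER_NSS = 8  # stated in the quoted documentation


@dataclass
class NssVm:
    name: str
    subscription: str  # one subscription = one certificate and one IP registered in the portal
    ip: str
    active: bool       # True: connects to the Nanolog; False: cold standby (powered off / isolated)
    feeds: int = 0
    siems: tuple = ()  # SIEM destinations this VM streams to


def check_plan(vms):
    """Return (severity, message) findings; an empty list means no rule is violated."""
    findings = []
    by_sub = {}
    for vm in vms:
        by_sub.setdefault(vm.subscription, []).append(vm)
        if vm.feeds > MAX_FEEDS_PER_NSS:
            findings.append(("error", f"{vm.name}: {vm.feeds} feeds exceeds the limit of {MAX_FEEDS_PER_NSS}"))
    for sub, members in by_sub.items():
        # Two VMs sharing a certificate must never connect to the Nanolog at the same time
        active = [vm.name for vm in members if vm.active]
        if len(active) > 1:
            findings.append(("error", f"{sub}: {', '.join(active)} are all active on one certificate; "
                                      "expect connection resets and failed log streaming"))
        # The portal holds a single IP per NSS (as noted in this thread), so a standby
        # at another site with its own IP needs an agreed failover procedure (assumption)
        if len({vm.ip for vm in members}) > 1:
            findings.append(("warn", f"{sub}: members use different IPs but the portal registers one IP; "
                                     "confirm the failover procedure for the standby"))
    # One SIEM fed by two active subscriptions receives every log twice
    siem_sources = {}
    for vm in vms:
        if vm.active:
            for siem in vm.siems:
                siem_sources.setdefault(siem, set()).add(vm.subscription)
    for siem, subs in siem_sources.items():
        if len(subs) > 1:
            findings.append(("warn", f"{siem}: receives duplicate logs from {sorted(subs)}; it must deduplicate"))
    return findings


# Constructed sample: one subscription, active VM at site A and a cold standby at site B on the same IP
SAMPLE_PLAN = [
    NssVm("nss-siteA", "sub-1", "10.1.0.10", True, feeds=3, siems=("siem-1",)),
    NssVm("nss-siteB", "sub-1", "10.1.0.10", False, feeds=3, siems=("siem-1",)),
]
```

Running `check_plan(SAMPLE_PLAN)` returns no findings; switching the standby to active, or giving it a different IP, produces the corresponding error or warning.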

@Gaurav_Mahajan, thanks, mate. But unfortunately it doesn't answer my query. If I have 1 NSS subscription (i.e. I can configure only 1 IP address in the ZIA portal) and want to achieve active-cold standby with site-level redundancy, how do I do it?

If there are 2 NSS subscriptions, then the best way to achieve full redundancy is to set up 2 separate NSS VMs with different certificates & IP addresses in different locations in active-hot standby mode, so the hot standby member will take over immediately without any manual intervention and resume connections if the active VM is down. Has anyone done this before for NSS?