NSS Outbound Connection Requirements

Looking for the latest changes? Changelog.
  • To ensure that your NSS works correctly in your environment, configure your firewall to allow the outbound connections listed in the following table.
  • There is no need to open inbound connections from the cloud.
Source IP Destination IP Service Port Description
NSS Management IP Address Zscaler Hub IP 443 (TCP) Download of software updates (HTTPS)
NSS Service IP Address Zscaler Hub IP 443(TCP) Connectivity with Central Authority
NSS Service IP Address Zscaler Hub IP 9422 (TCP) Cloud Authentication(SSL)
NSS Service IP Address Zscaler Hub IP 9431 (TCP) Real-time Log retrieval from Zscaler Nanolog (SSL)
NSS Management IP Address Remote Support IP 12002 (TCP)

Reverse Tunnel for Remote Support Assistance from Zscaler (This feature is disabled by default, and must be explicitly enabled on NSS. See the Troubleshooting Section in the NSS Guide for usage)1 (SSH)

NSS IP Addresses Local Nameserver IP 53 (UDP) Name Resolution (DNS)
NSS Management IP Address All or Local NTP Server IP 123 (UDP)

Time sync with NTP Servers. Please refer to the latest NSS Guide for configuring sync with local NTP Server. (NTP)

NSS Service IP Address SIEM IP Address TCP SIEM Listening Port Realtime log feed to SIEM

1Remote Support IP 199.168.148.101

Zscaler Hub IP Addresses

Required IP Addresses
165.225.44.0/24165.225.75.0/24
104.129.202.0/24165.225.108.0/24
8.25.203.0/24 27.251.211.238/32
216.52.207.64/26213.152.228.0/24
64.74.126.64/26 70.39.159.0/24
137.83.128.0/1872.52.96.0/26
89.167.131.0/24104.129.192.0/23
104.129.194.0/23104.129.196.0/23
185.46.212.0/22199.168.148.0/24
165.225.72.0/22199.168.149.0/24
199.168.150.0/24199.168.151.0/24
209.51.184.0/26216.218.133.192/26
Recommended IP Addresses
104.129.192.0/20
165.225.0.0/17
165.225.192.0/18
199.168.148.0/22