NSS Outbound Connection Requirements

Looking for the latest changes? Changelog.
  • To ensure that your NSS works correctly in your environment, configure your firewall to allow the outbound connections listed in the following table.
  • There is no need to open inbound connections from the cloud.
Source IP Destination IP Service Port Description
NSS Management IP Address Zscaler Hub IP 443 (TCP) Download of software updates (HTTPS)
NSS Service IP Address Zscaler Hub IP 443(TCP) Connectivity with Central Authority
NSS Management IP Address Remote Support IP 12002 (TCP)

Reverse Tunnel for Remote Support Assistance from Zscaler (This feature is disabled by default, and must be explicitly enabled on NSS. See the Troubleshooting Section in the NSS Guide for usage)1 (SSH)

NSS IP Addresses Local Nameserver IP 53 (UDP) Name Resolution (DNS)
NSS Management IP Address All or Local NTP Server IP 123 (UDP)

Time sync with NTP Servers. Please refer to the latest NSS Guide for configuring sync with local NTP Server. (NTP)

NSS Service IP Address SIEM IP Address TCP SIEM Listening Port Realtime log feed to SIEM

1Remote Support IP

Zscaler Hub IP Addresses

Required IP Addresses
Recommended IP Addresses