Deploy a VM for integrations

When you integrate some third-party products with Sophos Central, you need a VM to host the appliance that collects data from them and forwards it to Sophos.

Currently Sophos supports VMware ESXi 6.7 Update 3 or later and Microsoft Hyper-V 6.0.6001.18016 (Windows Server 2016) or later.

After you've configured and downloaded a VM image for the integration, deploy it as described below. Then you can configure the third-party product to send data to it.

Follow the instructions for your platform below.

Restriction

If you're using ESXi, the OVA file is verified with Sophos Central, so it can only be used once. If you have to deploy a new VM, you must create the OVA file again in Sophos Central.

On your ESXi host, do as follows:

  1. Select Virtual Machines.
  2. Click Create/Register VM.

  3. In Select creation type, select Deploy a virtual machine from an OVF or OVA file. Click Next.

  4. In Select OVF and VMDK files, do as follows:

    1. Enter the VM name.
    2. Click the page to select files. Select the OVA file you've downloaded.
    3. Click Next.

  5. In Select storage, select Standard storage. Then select the datastore where you want to put your VM. Click Next.

  6. In Deployment options, enter settings as follows.

    1. SPAN1 and SPAN2. You don't need these for integrations. Select any port group as a placeholder and disconnect it in the VM settings later.
    2. In SYSLOG, select the port that will receive syslog data from your third-party product.
    3. In MGMT, select the management interface for the appliance. This interface lets the appliance send data to the Sophos Data Lake.

      You set up this interface earlier in Sophos Central in Internet-facing network port settings.

      If you selected DHCP during setup, make sure the VM can get an IP address via DHCP.

    4. In Disk Provisioning, make sure Thin is selected.

    5. Make sure Power on automatically is selected.
    6. Click Next.

  7. Skip the Additional settings step.

  8. Click Finish. Wait for the new VM to appear in the VMs list. This can take a few minutes.

  9. Power on the VM and wait for installation to complete.

    The VM boots for the first time and checks that it can connect to the correct port groups and to the internet. Then it reboots. This can take up to 10 minutes.

  10. In Sophos Central, go to Threat Analysis Center > Integrations > Configured.

  11. Select the Integration Appliances tab and find the appliance on the VM you just deployed. The status icon shows Connected.

For Hyper-V, the Zip file you downloaded in Sophos Central contains the files you need to deploy your VM: virtual drives, seed.iso, and a PowerShell script.

To deploy the VM, do as follows:

  1. Extract the Zip file to a folder on your hard drive.
  2. Go to the folder, right-click the ndr-sensor.ps1 file, and select Run with PowerShell.
  3. If you see a Security Warning message, click Open to allow the file to run.

    You're prompted to answer a series of questions.

  4. Give the VM a name.

  5. The script shows the folder where the VM files will be stored. This is a new folder in your default installation location for virtual drives. Enter C to allow the script to create it.
  6. Enter the number of processors (CPUs) to use for the VM.
  7. Enter the amount of memory to use in GB.
  8. The script shows a numbered list of all your current vSwitches.

    Select the vSwitch you want to attach the management interface to and enter its number. This interface lets the appliance send data to the Sophos Data Lake.

    You set up this interface earlier in Sophos Central in Internet-facing network port settings.

    If you selected DHCP during setup, make sure the VM can get an IP address via DHCP.

  9. Enter the vSwitch you want to attach to the syslog interface.

    This is the vSwitch that will receive syslog data from your third-party product.

  10. You don't need to specify vSwitches for capturing network traffic. These settings are only relevant if you have Sophos NDR. Select any vSwitch as a placeholder and disconnect it in the VM settings later.

    The PowerShell script sets up the VM in Hyper-V. You'll see an Installation Completed Successfully message.

  11. Press any key to exit.

  12. Open the Hyper-V Manager to see the VM added to the list of virtual machines. If you need to change any settings, you can. Then power it on.

    The VM boots for the first time and checks that it can connect to the correct vSwitches and the internet. Then it reboots. This can take up to 10 minutes.

  13. In Sophos Central, go to Threat Analysis Center > Integrations > Configured.

  14. Select the Integration Appliances tab and find the appliance on the VM you just deployed. The status icon shows Connected.
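
The placeholder vSwitch from step 10 can also be disconnected from PowerShell on the Hyper-V host instead of through the VM settings dialog. This is an added example, not part of the Sophos script or documentation. The VM name and the adapter names in `$PlaceholderAdapters` are hypothetical, so read the real adapter names from the first listing and edit them before running the rest.

```powershell
# Added example: audit the appliance VM's virtual NICs and disconnect the
# placeholder capture adapters so that only the management and syslog
# interfaces stay attached to a vSwitch.
# Requires the Hyper-V PowerShell module and an elevated session on the host.

# Assumption: the name you gave the VM when the script prompted for it.
$VMName = 'sophos-integration-appliance'

# Assumption: hypothetical adapter names. Replace them with the names of the
# capture adapters shown by the listing in step 1 below.
$PlaceholderAdapters = @('Capture 1', 'Capture 2')

# 1. List every adapter on the VM and the vSwitch it is attached to.
Get-VMNetworkAdapter -VMName $VMName |
    Select-Object Name, SwitchName, MacAddress |
    Format-Table -AutoSize

# 2. Disconnect only the named placeholders. Management and syslog adapters
#    are never touched unless you list them above by mistake.
foreach ($name in $PlaceholderAdapters) {
    $nic = Get-VMNetworkAdapter -VMName $VMName -Name $name -ErrorAction SilentlyContinue
    if (-not $nic) {
        Write-Warning "No adapter named '$name' on VM '$VMName'; skipped."
        continue
    }
    if ($nic.SwitchName) {
        Disconnect-VMNetworkAdapter -VMName $VMName -Name $name
        Write-Output "Disconnected '$name' from vSwitch '$($nic.SwitchName)'."
    } else {
        Write-Output "'$name' is already disconnected."
    }
}

# 3. Show what is still attached. For an integrations-only appliance this
#    should be the management and syslog interfaces.
$stillConnected = @(Get-VMNetworkAdapter -VMName $VMName |
    Where-Object { $_.SwitchName })
$stillConnected | Select-Object Name, SwitchName | Format-Table -AutoSize
if ($stillConnected.Count -gt 2) {
    Write-Warning "More than two adapters are still attached to a vSwitch; review the list."
}
```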