Skip to content
Find out how we support MDR.

Page permalink

Always use the following permalink when referencing this page. It will remain unchanged in future help versions.

https://docs.sophos.com/central/customer/help/en-us/index.html?contextId=DeployVMCollector

Deploy appliances

When you integrate some third-party products with Sophos Central, you need an appliance that collects data from them and forwards it to Sophos. The appliance is hosted on a VM.

Currently Sophos supports VMware ESXi 6.7 Update 3 or later, Microsoft Hyper-V 6.0.6001.18016 (Windows Server 2016) or later, and Amazon Web Services (AWS).

Note

Syslog data sent to the appliance isn't secure. If your appliance is hosted in the cloud, don't send the data via the public internet.

This page is for ESXi and Hyper-V appliances. It assumes that you've configured and downloaded an image for the integration appliance. Now you deploy it as described below.

Note

If you want to use an appliance on AWS for your third-party integration, see Add integrations on AWS.

Click the tab for your platform below to see the instructions.

Restriction

If you're using ESXi, the OVA file is verified with Sophos Central, so it can only be used once. If you have to deploy a new VM, you must create the OVA file again in Sophos Central.

On your ESXi host, do as follows:

  1. Select Virtual Machines.

  2. Click Create/Register VM.

    Create/Register VM tab.

  3. In Select creation type, select Deploy a virtual machine from an OVF or OVA file. Click Next.

    Select creation type.

  4. In Select OVF and VMDK files, do as follows:

    1. Enter the VM name.
    2. Click the page to select files. Select the OVA file you've downloaded.
    3. Click Next.

    Select OVA file.

  5. In Select storage, select Standard storage. Then select the datastore where you want to put your VM. Click Next.

    Select storage.

  6. In Deployment options, enter settings as follows.

    1. SPAN1 and SPAN2. You don't need these for integrations. Select any port group as a placeholder and disconnect it in the VM settings later.
    2. In SYSLOG, select the port that will receive syslog data from your third-party product.

    3. In MGMT, select the management interface for the appliance. This interface lets the appliance send data to the Sophos Data Lake.

      You set up this interface earlier in Sophos Central in Internet-facing network port settings.

      If you selected DHCP during setup, make sure the VM can get an IP address via DHCP.

    4. In Disk Provisioning, make sure Thin is selected.

    5. Make sure Power on automatically is selected.
    6. Click Next.

    Deployment options.

  7. Skip the Additional settings step.

  8. Click Finish. Wait for the new VM to appear in the VMs list. This can take a few minutes.

    Ready to complete.

  9. Power on the VM and wait for installation to complete.

    The VM boots for the first time and checks that it can connect to the correct port groups and to the internet. Then it reboots. This can take up to 10 minutes.

  10. In Sophos Central, go to Threat Analysis Center > Integrations > Configured.

  11. Select the Integration Appliances tab and find the appliance on the VM you just deployed. The status icon shows Connected.

    Appliance status.

Now configure your third-party product to send data to the appliance. Go back to the integration instructions for that product to see how.

The Zip file you downloaded in Sophos Central contains the files you need to deploy your VM: virtual drives, seed.iso, and a Powershell script.

To deploy the VM, do as follows:

  1. Extract the Zip file to a folder on your hard drive.
  2. Go to the folder, right-click the ndr-sensor.ps1 file, and select Run with PowerShell.

  3. If you see a Security Warning message, click Open to allow the file to run.

    You're prompted to answer a series of questions.

  4. Give the VM a name.

  5. The script shows the folder where the VM files will be stored. This is a new folder in your default installation location for virtual drives. Enter C to allow the script to create it.
  6. Enter the number of processors (CPUs) to use for the VM.
  7. Enter the amount of memory to use in GB.

  8. The script shows a numbered list of all your current vSwitches.

    Select the vSwitch you want to attach the management interface to and enter its number. This interface lets the appliance send data to the Sophos Data Lake.

    You set up this interface earlier in Sophos Central in Internet-facing network port settings.

    If you selected DHCP during setup, make sure the VM can get an IP address via DHCP.

    Select the vSwitch.

  9. Enter the vSwitch you want to attach to the syslog interface.

    This is the vSwitch that will receive syslog data from your third-party product.

  10. You don't need to specify vSwitches for capturing network traffic. These settings are only relevant if you have Sophos NDR. Select any vSwitch as a placeholder and disconnect it in the VM settings later.

    The PowerShell script sets up the VM in Hyper-V. You'll see an Installation Completed Successfully message.

  11. Use any key to exit.

  12. Open the Hyper-V Manager to see the VM added to the list of virtual machines. If you need to change any settings, you can. Then power it on.

    The VM boots for the first time and checks that it can connect to the correct vSwitches and the internet. Then it reboots. This can take up to 10 minutes.

  13. In Sophos Central, go to Threat Analysis Center > Integrations > Configured.

  14. Select the Integration Appliances tab and find the appliance on the VM you just deployed. The status icon shows Connected.

    Appliance status.

Now configure your third-party product to send data to the appliance. Go back to the integration instructions for that product to see how.