
Sophos NDR on NUC hardware

Sophos NDR now supports installation on Intel NUC 13 systems that we've tested and certified.

Create an NDR appliance image

Sophos NDR uses an appliance to collect data and forward it to the Sophos Data Lake for analysis.

Before you set up your hardware, you must create and download an NDR appliance installation image. You’ll deploy this ISO image as your NDR appliance later.

  1. In Sophos Central, go to Threat Analysis Center > Integrations.
  2. Find and click Sophos Network Detection and Response (NDR).
  3. On the NDR page, in Data Ingest (Security Alerts), click Add Configuration.

    Integration setup steps appear.

  4. In Step 1, enter a name and description for the integration.

  5. In Step 2, select Create new appliance.
  6. To create the new appliance, do as follows:

    1. Enter the appliance name and description. You must enter a unique name.
    2. In Virtual platform, select Hardware.
  7. In Step 3, exclude specific domains and protocols from checking. For example, you might do this if you have a domain that causes false positives.

    You can set up your exclusions later, but you must enter an exclusion list name now.

    1. Enter Exclusion list name.
    2. To exclude a domain, click Domain exclusions. Enter the domain name, for example sophos.com, and click Add.
    3. To exclude a protocol, click Protocol exclusions. You can enter information in either or both of the fields:

      • In the first field, enter a master protocol. For example, TCP or UDP.
      • In the second field, enter a sub-protocol (website). For example, facebook.

      We don't recommend excluding a master protocol completely. Only do this if a high-traffic protocol that isn't usually risky, like a routing protocol, generates too much data.

      Note

      You can export your exclusions as a JSON file. You can also upload exclusions to the list from a JSON file you've exported previously.

    4. Click Add.

    5. Click Save.

      A pop-up shows you the Sophos Appliance Manager credentials. Make a note of them. You'll need Appliance Manager to access and troubleshoot appliances.

      Your new integration now shows in the Configured NDR integrations list.

  8. To download the image, click the three dots in the Actions column and select Download image. You may have to wait for the image to become available for download.

Create USB installation media

You must copy the ISO image to a USB drive. The instructions below describe how to do this using a third-party tool called balenaEtcher.

  1. Download balenaEtcher using the appropriate installer for your operating system, then go through the installation process.
  2. Insert a USB stick into your computer or laptop.

    Note

    Make sure that the USB drive does not contain data you want saved.

  3. Start the balenaEtcher application, as follows:

    1. Click Flash from file.
    2. Using the file selection dialog, select the NDR appliance ISO image you downloaded from Sophos Central.
    3. If you see a warning regarding a missing partition table, click Continue.
    4. Click Select target.
    5. Select the USB drive on which to install the ISO image.

      Note

      Use caution when selecting the USB device because this will erase all data currently on the drive.

    6. Click Select 1.

    7. Click Flash.
    8. Accept any User Account Control messages.

    Flashing progress will be displayed on the left panel.

    Once the process is complete, you can exit balenaEtcher.
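
To confirm independently that the USB drive holds exactly the image you downloaded before you boot an appliance from it, you can compare the first image-sized bytes of the drive with the ISO file. This is an added example, not part of the Sophos procedure or tooling; the function names are hypothetical, and the device path you pass (a raw device node, usually readable only with administrator rights) is an assumption about your system.

```python
import hashlib
import os


def sha256_prefix(path, length, chunk=1024 * 1024):
    """Return the SHA-256 hex digest of the first `length` bytes of `path`."""
    digest = hashlib.sha256()
    remaining = length
    with open(path, "rb") as handle:
        while remaining > 0:
            block = handle.read(min(chunk, remaining))
            if not block:
                break  # source ended before `length` bytes were read
            digest.update(block)
            remaining -= len(block)
    if remaining:
        raise ValueError(f"{path} is {remaining} bytes shorter than the image")
    return digest.hexdigest()


def media_matches_image(iso_path, device_path):
    """True if the device starts with a byte-for-byte copy of the ISO.

    The drive is normally larger than the image, so only the first
    len(ISO) bytes are compared; anything after that is ignored.
    """
    size = os.path.getsize(iso_path)
    return sha256_prefix(iso_path, size) == sha256_prefix(device_path, size)


if __name__ == "__main__":
    import sys

    # Usage: python verify_media.py <downloaded.iso> <raw-usb-device>
    iso, device = sys.argv[1], sys.argv[2]
    ok = media_matches_image(iso, device)
    print("USB media matches image" if ok else "MISMATCH: re-flash the drive")
    sys.exit(0 if ok else 1)
```
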

Install and connect system

  1. Unbox the NUC hardware.
  2. Connect the following cables and peripherals to the NUC device:

    • Power cables to the power supplies.
    • HDMI monitor. You can use a VGA connection through a USB-C to VGA adapter (not included).
    • USB Keyboard.
    • Management Network cable to the top network interface port.
    • Capture Network cable to the bottom network interface port.

Update BIOS settings

  1. Power on the system using the power button on the front of the NUC.
  2. Immediately start pressing the F2 key to enter the BIOS Setup screen.
  3. Using the arrow keys, highlight the Power, Performance and Cooling button, then press Enter.
  4. Use the arrow keys to select Secondary Power Settings, then press Enter.
  5. Use the arrow keys to select the After Power Failure drop-down menu, then press Enter.
  6. Change the setting from Power Off to Last State, then press Enter.
  7. Use the arrow keys to select the PCIE ASPM Support setting, then press Enter to uncheck the setting.
  8. Press F10 to save settings and exit.
  9. Use the arrow keys to select OK, then press Enter to save and exit.

Begin installation

  1. Insert the installation USB drive you created earlier into any available USB port of the NUC.
  2. Power on the NUC, or press Ctrl+Alt+Delete to reboot the NUC.
  3. In the boot menu, use the arrow keys to select Install Sophos NDR -- NUC Models, then press Enter.

    The system will take some time to boot. You must wait for the installer to finish loading. The installer is ready when you see the Network connections screen appear.

Configure network interfaces

Configure management IP address

Identify the interface to be used for the management network and connection to Sophos Central.

Configure this interface with an IP address, default gateway, and DNS address. DHCP configuration is possible but not recommended, because the IP address of the appliance may change during a future reboot.

  1. Use the arrow keys to select the management interface, then press Enter.
  2. Select Edit IPv4, then press Enter.
  3. Press Enter on the IPv4 method, then select Manual.
  4. Enter the subnet for the interface in CIDR notation.
  5. Enter the IP address for the interface in the Address field.
  6. Enter the default gateway in the Gateway field.
  7. Enter the DNS server or servers in the Name servers field.
  8. Optional: Enter a domain in the Search domains field.
  9. Use the arrow keys to select Save, then press Enter.
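
A mistyped static configuration leaves the appliance unable to reach Sophos Central, so it helps to check the planned values before entering them in the installer. The following is an added example, not part of the Sophos installer; the function name is hypothetical and the addresses are constructed samples from the 192.0.2.0/24 documentation range. It assumes the default gateway is on the management subnet.

```python
import ipaddress


def check_mgmt_config(subnet, address, gateway, name_servers):
    """Return a list of problems with a planned static IPv4 configuration."""
    if "/" not in subnet:
        return [f"subnet: {subnet!r} is not in CIDR notation"]
    try:
        # strict=True rejects host bits in the subnet, e.g. 192.0.2.20/24.
        net = ipaddress.IPv4Network(subnet, strict=True)
    except ValueError as exc:
        return [f"subnet: {exc}"]

    problems = []

    def parse(label, value):
        try:
            return ipaddress.IPv4Address(value)
        except ValueError:
            problems.append(f"{label}: {value!r} is not an IPv4 address")
            return None

    addr = parse("address", address)
    gw = parse("gateway", gateway)
    # Network and broadcast addresses cannot be assigned to a host
    # (except in /31 and /32 networks, which have neither).
    reserved = set()
    if net.prefixlen < 31:
        reserved = {net.network_address, net.broadcast_address}
    for label, ip in (("address", addr), ("gateway", gw)):
        if ip is None:
            continue
        if ip not in net:
            problems.append(f"{label}: {ip} is outside {net}")
        elif ip in reserved:
            problems.append(f"{label}: {ip} is the network or broadcast address")
    if addr is not None and addr == gw:
        problems.append("gateway: same as the appliance address")
    if not name_servers:
        problems.append("name servers: at least one is required")
    for ns in name_servers:
        parse("name server", ns)
    return problems


if __name__ == "__main__":
    found = check_mgmt_config("192.0.2.0/24", "192.0.2.20", "192.0.2.1", ["192.0.2.53"])
    print("\n".join(found) if found else "no problems found")
```
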

Configure capture interfaces

You configure the capture interfaces (SPAN settings) after installation using the Appliance Manager web UI. See SPAN settings.

For now, disable all remaining network interfaces, as follows:

  1. Use the arrow keys to select the interface, then press Enter.
  2. Select Edit IPv4, then press Enter.
  3. Use the arrow keys to select Disabled, then press Enter.
  4. Use the arrow keys to select Save, then press Enter.

The NUC system includes a Wi-Fi interface named wlo1. The appliance software doesn't use this interface for any purpose, and it should be left marked as disabled.

Installation process

The system is now ready to partition disks and begin the installation process.

Use the arrow keys to select Continue, then press Enter. This confirms the disk partitioning and installation.

Software installation will take some time. Installation is complete when you see the Install complete! message at the top of the screen.

Complete installation

When the installation is complete, use the arrow keys to select Reboot Now, then press Enter.

The exit process will pause and require you to remove the installation media.

Remove the USB drive from the system and press Enter to continue the exit and reboot process.