Exciting news! We are redesigning the Arctic Wolf Help Documentation site to provide a better user experience. Our new site will launch on May 1, 2024.

Legacy Virtual Sensor Installation in a VMWare Environment

Updated Apr 4, 2024

Legacy Virtual Sensor Installation in a VMWare Environment

This procedure is for Arctic Wolf® virtual appliance images that were downloaded before June 14, 2023. For appliance images that were downloaded on or after June 14, 2023, see Install a vSensor on a standalone ESXi server.

Install a vSensor using VMware vSphere

You can install a Virtual Sensor (vSensor) by downloading the vSensor as an OVA package and deploying it onto a VMware ESXi hypervisor.

Requirements

Steps

  1. Deploy the vSensor OVA using vCenter Server.
  2. (Optional) Encrypt the vSensor VM.
  3. Verify that the vSensor deployed correctly.
  4. Connect the vSensor to the Arctic Wolf Platform.
  5. Activate the vSensor.

Notes:

  • Each vSensor VM supports up to two network interfaces: one for management, and one for mirroring traffic. If you need additional network interfaces, you must deploy additional vSensor VMs.
  • If deploying multiple vSensor instances, Arctic Wolf recommends reusing the OVA file. You must repeat the installation and activation process for each vLC.
  • Cloning a vSensor instance is not supported because this method introduces operational errors in both the original vSensor and the cloned instance.

Step 1: Deploy the vSensor OVA using vCenter Server

  1. Open the Deploy OVF Template wizard.

  2. In the Select an OVF template section, select the virtual appliance OVA file, and then click Next.

  3. In the Select a name and folder section, enter a name for the virtual machine (VM) of the virtual appliance, and the VM folder that it will deploy to, for example <site_name>_Arctic-Wolf, and then click Next.

  4. In the Select a compute resource section, select the ESXi host or cluster that you want to deploy the virtual appliance to, and then click Next.

  5. In the Review details section, verify the VM template details that you set, and then click Next.

  6. In the Configuration section, select the Virtual Sensor model that you are using.

    Note: To view your available vSensor models, sign in to the MDR Dashboard, and then click Accounts > Arctic Wolf Appliance Management.

  7. In the Select Storage section:

    1. Select the virtual disk format and the storage volume that you want to deploy the virtual appliance to.
    2. Click Next.
  8. In the Select networks section:

    1. Choose the Management Network to connect the virtual appliance to. Log traffic is sent to the virtual appliance over this network.

      Note: If your firewall performs SSL/TLS inspection, add the sensor management IP address to your AllowList and verify that your firewall allows outbound access from that IP address over port 443. To see the IP addresses that you must allowlist, sign in to the Arctic Wolf Unified Portal, click > Allowlist Requirements, and then view the IP addresses in the section for your product.

    2. Set the First Mirror Network to Mirror Port Group. This sets the first mirror port as lan0 for the vSensor.

    3. Click Next.

  9. If you are configuring a proxy server, in the Customize template section, configure these settings:

    1. Select the Use Proxy checkbox.
    2. In the Proxy Server IP field, enter the proxy server IP address.
    3. In the Proxy server port field, enter the proxy server port number.
    4. Configure other fields as needed, and then click Next.
  10. In the Additional settings section:

    Tip: If needed, expand these fields to set the corresponding values.

    1. In the Identification field, enter a short name to identify the virtual appliance instance in the MDR Dashboard.

    2. In the Network Configuration field, select DHCP or enter a static IP address for the virtual appliance network interface configuration.

      Note: If you select DHCP, you must use a DHCP reservation to prevent log collection and connection errors, or assign a static IP address.

    3. Click Next.

  11. In the Ready to complete section, review the summary of the virtual appliance deployment, and then click Finish to start the deployment.

    Note: The OVA image upload can take a while to upload. You can see the progress of the upload in the Recent Tasks tab in the vSphere Client.

  12. After the deployment is complete, turn the virtual appliance VM power on.

  13. If you are configuring the optional layer 3 mirroring, contact your CST and provide this information:

    • Confirmation that lan0 interface is used
    • IP address and netmask of the optional LAN interface
    • TCP/IP port, if the default port (4789) is not used for a VXLAN environment

Step 2: (Optional) Encrypt the vSensor VM

While optional, Arctic Wolf strongly recommends that you encrypt the virtual appliance. This provides one more layer of protection to all data that is stored on or moving through the appliance.

See the VMware vSphere product documentation for steps to encrypt an existing virtual machine or virtual disk.

Step 3: Verify that the vSensor deployed correctly

  1. If the virtual appliance is off, power on the virtual appliance VM.
  2. In the vCenter Server or vSphere Client, make sure the virtual appliance VM is running.
  3. Verify that the VM IP address is reported in the VM summary.

Step 4: Connect the vSensor to the Arctic Wolf platform

  1. Select one of these options to open the newly deployed virtual appliance VM console:

    • Launch Web Console — Opens the VM console in a web browser window.
    • Launch Remote Console — Launches the VMware Remote Console application.
  2. Look for a QR code:

    • If a QR code appears — Continue to the next step.
    • If a QR code does not appear — The virtual appliance cannot access the services required to connect, likely because of internet connectivity.
  3. Connect the virtual appliance to the Arctic Wolf Platform using one of these methods:

    • On a mobile device — Scan the QR code displayed in the console window, and then follow the on-screen prompts.

      Tip: If needed, sign in to your Arctic Wolf account on your mobile device as part of this process.

    • In a web browser — Enter the URL that appears below the QR code. Or, go to https://auth.arcticwolf.com/activate, and then enter the eight-character device activation code displayed in the console window in this hyphenated format: AAAA-AAAA.

    Note: QR codes expire after 15 minutes. A new code appears in the console if the QR code expires.

    After the virtual appliance successfully connects to the Arctic Wolf Platform, a prompt replaces the QR code, asking you to sign in to the MDR Dashboard, and then click Accounts > Arctic Wolf Appliance Management.

Step 5: Activate the vSensor

Note: Only the user who completed connect the vSensor to the Arctic Wolf platform can activate a deployed vSensor.

  1. Sign in to the MDR Dashboard.

  2. Click Accounts > Arctic Wolf Appliance Management.

  3. Find the appliance that you want to activate.

  4. In the Actions column, click Activate virtual appliance, and then click Activate Virtual Network Appliance when prompted.

    After the virtual appliance successfully connects to the Arctic Wolf Platform, the Arctic Wolf logo appears in the console. The logo can take up to 15 minutes to appear.

    If the logo does not appear after 15 minutes, contact your Concierge Security® Team (CST) at security@arcticwolf.com.

Configure vSensor in a mirroring deployment

To configure vSensor in a mirorring deployment, follow the instructions to create a port mirroring session in the VMware documentation.

Optional layer 3 mirroring configuration

This image provides a simplified network map of a Arctic Wolf vSensor with mirroring deployment:

Network with mirroring deployment

Callout Description
A Arctic Wolf vSensor with mirroring deployment
B Management port network connection
C Network switch
D Firewall
E Internet

Reconfigure a vSensor using VMware vSphere

You can change these network settings for a deployed Arctic Wolf :

To change these settings:

  1. Shut down the virtual appliance that you want to reconfigure.

  2. Wait for the VM to shut down.

  3. In vCenter Server or vSphere Client, select the Configure tab.

  4. Select vApp Options from the navigation pane.

    Note: Do not disable vApp Options for a deployed virtual appliance. Disabling this functionality removes all properties used to configure the network settings of the VM.

  5. For each network setting you want to configure, complete these steps:

    1. In the Properties section, select the virtual appliance item that you want to reconfigure.

      For example, select the option that lets you reconfigure the network interface.

    2. Above the table, click Set Value and enter the new value for the property.

      Note: Do not click Edit. The Edit option lets you edit the name of the property, not the value assigned to it.

  6. Restart the virtual appliance VM.

Uninstall a vSensor using VMware vSphere

  1. Decommission the sensor:

    1. Sign in to the MDR Dashboard.
    2. Click Account > Arctic Wolf Appliance Management.
    3. Find the appliance that you want to decommission.
    4. In the Actions column, click Decommission Virtual Appliance, and then select Decommission Virtual Appliance when prompted.
  2. Power down the virtual appliance VM.

  3. In the vCenter Server or vSphere Client, select the virtual appliance deployment, and then select Delete from Disk.

See also