Virtual Scanner Installation in VMware vSphere
Updated Sep 15, 2023Install a vScanner using VMware vSphere
As part of Arctic Wolf® Managed Risk, install a Virtual Scanner (vScanner) to perform continuous risk monitoring and vulnerability assessments. vScanner provides context for vulnerabilities that you may have in your environment.
Requirements
-
vSphere with vCenter 6.5 or newer
-
The appropriate Arctic Wolf permissions to complete the virtual scanner deployment. Contact your Concierge Security® Team (CST) to confirm who in your organization has these permissions.
-
These system resources:
Note: Reducing or limiting resource allocations below the specified requirements impacts vLC performance.
- 8 vCPUs
- 16 GB RAM
- 40 GB storage
Before you begin
- Make sure you have the appropriate Arctic Wolf permissions to complete the vScanner deployment. Contact your Concierge Security Team© (CST) to confirm who in your organization has these permissions.
- Add all necessary IP addresses, ports, and services to your allowlist for full vScanner functionality.
Tip: To see the complete list of IP addresses that you must allowlist, go to the Arctic Wolf Unified Portal, and then click Help > Allowlist Requirements. The IP addresses that must be allowlisted are listed under Scanners.
- If you rate-limit the vScanner with Quality of Service (QoS), remove this for best performance.
- If your firewall provides SSL/TLS inspection, do not perform this inspection on the vScanner management IP address.
- If you are using an application proxy or layer 7 filter on your firewall, allow outbound traffic over OpenVPN for the vScanner management IP address.
Steps
- Download the vScanner image.
- Deploy the vScanner.
- Verify that the vScanner deployed correctly.
- Configure the vScanner.
- Activate the vScanner.
Step 1: Download the vScanner image
Note: The virtual appliance image file must be downloaded on or after June 14, 2023. For appliance images downloaded prior to June 14, 2023, see Legacy vScanner Installation.
-
Sign in to the Risk Dashboard.
Note: The Risk Dashboard is only compatible with Google Chrome.
-
In the navigation menu, click Downloads.
-
In the Download a Scanner Virtual Machine image for your virtualization infrastructure list, select VMware ESXi.
-
Click Download Scanner VM.
A new Arctic Wolf Portal web page opens.
-
In the Virtual Network Appliances section, click Download Virtual Network Appliance to download the OVA file.
Tip: If your browser downloads the OVA file in
.ovf
format, rename the file to change the file extension to.ova
.
Step 2: Deploy the vScanner
-
Sign in to your vSphere client.
-
Right-click your resource pool, and then click Deploy OVF Template.
-
On the Select an OVF template page:
- Select Local file.
- Click UPLOAD FILES.
- Select the downloaded OVA file, and then click Open.
- Click Next.
-
On the Select a name and folder page:
- In the Virtual machine name field, enter a name for the vScanner.
- Select the location for the virtual machine, and then click Next.
- Click Next.
-
On the Select a compute resource page:
- Select a destination compute resource.
- Click Next.
-
On the Review details page, click Next.
-
On the Configuration page, select AWN Risk Scanner.
-
On the Select storage page:
-
(Optional) Select Encrypt this virtual machine. See the VMware vSphere product documentation for steps to encrypt an existing virtual machine or virtual disk.
Tip: While optional, Arctic Wolf strongly recommends that you encrypt the vScanner to ensure that all data stored and flowing through the appliance has an additional layer of protection.
-
Select the storage location for the configuration and disk files, and then click Next.
-
-
On the Select networks page:
-
Select the appropriate Destination Network.
Log traffic is sent to the vScanner over this network.
-
Click Next.
-
-
On the Ready to complete page, click Finish.
Note: The OVA image may take some time to upload. In the vSphere Client, you can check the progress of the upload on the Recent Tasks tab.
Step 3: Verify that the vScanner deployed correctly
- If the vScanner power is off, right-click your virtual machine in the vSphere Client, and then click Power > Power On.
- Check if the vScanner VM power is on.
- Verify that the VM IP address is reported in the VM summary.
Step 4: Configure and activate the vScanner
-
In the vSphere web UI, right-click your virtual machine, and then click Power > Power On.
-
Right-click your virtual machine, and then click Console > Open Console.
-
When prompted, press Enter three times to initiate the serial console session.
-
At the Select an option to configure your management interface with prompt, select DHCP or enter a static IP address for the vScanner management interface.
Note: If you select DHCP, you must use a DHCP reservation to prevent log collection and connection errors.
-
Click Next.
-
At the Use a proxy? prompt, do one of these actions:
- If your vScanner traffic needs to go through a proxy server, select Yes, and then configure these fields:
- Server IP address — Enter the proxy server IP address for your appliance.
- Server port — Enter the proxy server port.
- If your vScanner traffic does not need to go through a proxy server, select No.
- If your vScanner traffic needs to go through a proxy server, select Yes, and then configure these fields:
-
Click Next.
-
At the Do you want to verify your network connection? prompt, select one of these options:
-
Yes
A series of connectivity tests run.
-
No
-
-
Click Next.
-
At the Tell us about the application you are configuring prompt, configure these settings:
-
In the Shorthand field, enter the shorthand name for the vScanner.
-
Select Scanner.
-
-
Click Next.
-
When prompted, do one of these actions to connect the vScanner to the Arctic Wolf Platform:
- Using a mobile device — Scan the QR code displayed in the console window, and then follow the on-screen prompts.
- Using a web browser — Enter the displayed URL into a web browser, and then follow the on-screen prompts.
Note: QR codes expire after 15 minutes. A new code appears in the console if the QR code expires.
After the vScanner successfully connects to the Arctic Wolf Platform, a prompt replaces the QR code, asking you to go to the Arctic Wolf Appliance Management.
Step 5: Activate the vScanner
Note: Only the user who performed the steps to configure the vScanner can activate the vScanner.
-
In the Arctic Wolf Portal, click Account > Arctic Wolf Appliance Management.
-
Locate the name or the serial number of the vScanner you want to activate.
-
In the Actions column, click Activate virtual appliance, and then click Activate Virtual Network Appliance when prompted.
The console displays Appliance activation in progress, please wait.
-
When prompted, press Enter three times to activate the console.
Next steps
- Schedule host identification and vulnerability scans. See Manage Risk Scanner configuration for more information.
Reconfigure a vScanner using VMware vSphere
- In the vSphere web UI, right-click your virtual machine, and then click Console > Open Console.
- When prompted, press Enter three times to initiate the serial console session.
- Change the required settings.
Uninstall a vScanner using VMware vSphere
- Decommission the vScanner:
-
Sign in to the Arctic Wolf Portal.
-
Click Account > Arctic Wolf Appliance Management
A list of deployed virtual appliances appear on the Arctic Wolf Appliance Management page.
-
Locate the short name or serial number of the vScanner that you want to decommission.
-
Under Actions, click Decommission Virtual Appliance, and then select Decommission Virtual Appliance when prompted.
-
- Turn off the vScanner VM power.
- In the vSphere Client, select the vScanner, and then click Delete from Disk.