Microsoft Hyper-V Startup Guide

Includes Installation Instructions for loading SafeConnect into your Hyper-V Gen2 environment from an VHDX file.


This document is intended to be used as a guide to install a Virtual Machine (VM) version of the SafeConnect Policy Enforcer appliance within a Hyper-V virtual environment. You should be familiar with the Hyper-V Manager Console prior to attempting this task. If technical support is required during the installation, please use the contact information below for assistance.

Impulse Customer Support
(813) 607-2771


The Impulse Enforcer VM image requires 16Gig of memory of dedicated memory with 300Gig thin provisioned storage partition and 2 shared quad core CPUs (2-3Ghz). This configuration allows for up to 25,000 concurrent connections.

To add the new machine to your inventory, launch your Hyper-V Manager Console. The image uses Hyper-V Generation 2.


Click New > Virtual Machine


Specify Name and Location:

Enter a name for your SafeConnect virtual machine and a storage location, if applicable.


Specify Generation:

Select Generation 2 as the version


Assign Memory:

Assign Memory to 16000 MB


Configure Network:

Select the Connection type from the Connection drop down


Connect Virtual Hard Disk:

Select Use an existing virtual hard disk and browse to your SafeConnect vhdx.

Click Next


When finished y ou may then click: “ Finish ” to cl ose the dialogue window.

Once VM is created you will need to verify 2 virtual processors are assigned to the VM. You can do this by right clicking on the virtual machine and selecting Processor. Under ‘Number of virtual processors’ ensure there are 2.


Once complete click OK and start the SafeConnect virtual machine.

The Impulse Policy Enforcer Hyper-V Template is now successfully deployed wi thin your v irtual environment.

IP Reconfiguration

Once the virtual appliance is powered on, connect to the console and login with the username “admin” and the password “admin”. After logging in, the consoled configuration utility will be launched. The resulting pages will prompt the user to update the admin password, configure the IP address settings and enter a license key. A License Key will need to be available prior to starting this step. If no license key is available, please contact for assistance.

Safe•Connect VMs are typically placed in a network management or dedicated subnet. This subnet must be directly connected to any Layer 3 device (router/L3 switch) SafeConnect will be integrated with. This subnet cannot be a user device subnet. NOTE – If the SafeConnect VM is placed in a subnet that is not directly connected to a Layer 3 device that is part of the integration, Policy-Based Routing (PBR) will not function.

Reset Admin Password

Configure Appliance Network Settings

Enter License Key


Write down the Web Login URL. The console utility displays formats for the default hostname and the IP address of the appliance. If this is a brand new installation, the IP address format will likely need to be used as DNS may not yet be configured.

Exit Appliance Basic System Configuration. Further configuration can be completed by opening (alternatively https://<appliance_IP>:8443/manage) in your web browser.

Remote Access Requirements

Remote Access Requirements

The Access Requirements below are used to facilitate installation, testing, training, support, monitoring, backups and upgrades of your SafeConnect Appliance(s) which is included as part of your Managed Service.

  • Allow outbound ssh (port 22) to below resources from host x.x.x.x (SafeConnect Appliance Private IP):

  • Allow outbound https (port 443) to below resources from host x.x.x.x (SafeConnect Appliance Private IP):

  • Allow outbound HTTP (port 80) to below resources from host x.x.x.x (SafeConnect Appliance Private IP):

    • Service Name: Squid (Used for proxying remediation resources)

    • Service: HTTP

  • Allow outbound HTTP/HTTPS (port 80 and 443) to below resources from host x.x.x.x (SafeConnect Appliance Private IP):

    • Service Name: Amazon Web Services (Appliance Configuration Backups)

    • Resources:




  • Allow outbound for following services from host x.x.x.x (SafeConnect Appliance Private IP):

    • Services: HTTPS, DNS, NTP

NOTE – Outbound access rules are only applicable if outbound filtering is in place. If DNS, NTP and SMTP are all housed internally, firewall rules should be configured to allow those resources.

If any questions arise please contact your OPSWAT Deployment Engineer or OPSWAT Support.