VM Deployment Guide

ESXi Overview

Includes Installation Instructions for loading SafeConnect into your ESXi 5.0+ environment from an OVA file.

This document is intended to be used as a guide to install a Virtual Machine (VM) version of the SafeConnect Policy Enforcer appliance within an ESXi virtual environment. You should be familiar with the vSphere Client Console prior to attempting this task. If technical support is required during the installation, please use the contact information below for assistance.

OPSWAT Customer Support
(813) 607-2771
support@impulse.com

ESXi Installation

The OPSWAT Enforcer VM image labeled VMware ESXi requires 16GB of dedicated memory, a 300GB thin-provisioned storage partition and 2 shared quad-core CPUs (2-3GHz). This configuration allows for up to 25,000 concurrent connections.

The OPSWAT Enforcer VM image labeled Small Footprint Version requires 4GB of dedicated memory, a 300GB thin-provisioned storage partition and 2 CPU cores (2-3GHz). This configuration allows for up to 1,000 concurrent connections.

To add the new machine to your inventory, launch your vSphere client and log into the Virtual Management Console. The image uses VM Version 8 hardware.

Highlight the resource pool, and select “Deploy OVF Template…” from the “File” menu as shown in the illustrations below.

In the “Deploy OVF Template” dialogue screen, you can directly input the path to the OVA you downloaded. If you have not already downloaded the OVA, use one of the download pages listed below. Once you have the OVF file information correctly entered into the dialogue box, click “Next”.

SafeConnect Download Page (for over 1000 devices)
SafeConnect Small Download Page (for under 1000 devices)

The following screen will allow you to verify your OVF template details. If everything is correct, click “Next”.

In the following screen, enter the name of the new virtual machine as shown in the illustration below. Click Next when complete.

The following screen allows you to select how the virtual disk will be formatted. It is recommended that you select “Thin Provision” as shown in the illustration below. Click Next when complete.

The next screen will allow you to review all of the details of the new Virtual Machine. Once you have verified the configuration, click “Finish” and the OVF file will be deployed into your virtual environment.

You will see the deployment progress in a pop-up dialogue window as illustrated below.

Once the deployment completes, the pop-up dialogue window will display a message indicating a successful completion as shown in the illustration below. You may then click “Close” to close the pop-up dialogue window. The OPSWAT Policy Enforcer OVF Template is now successfully deployed within your virtual environment.

Hyper-V Overview

Includes Installation Instructions for loading SafeConnect into your Hyper-V Gen2 environment from a VHDX file.

This document is intended to be used as a guide to install a Virtual Machine (VM) version of the SafeConnect Policy Enforcer appliance within a Hyper-V virtual environment. You should be familiar with the Hyper-V Manager Console prior to attempting this task. If technical support is required during the installation, please use the contact information below for assistance.

OPSWAT Customer Support
(813) 607-2771
support@impulse.com

Hyper-V Installation

The OPSWAT Enforcer VM image requires 4GB of dedicated memory, a 300GB thin-provisioned storage partition and 2 shared quad-core CPUs (2-3GHz). This configuration allows for up to 1,000 concurrent connections.

To add the new machine to your inventory, launch your Hyper-V Manager Console. The image uses Hyper-V Generation 2.

Click “New > Virtual Machine”.

Specify Name and Location:

Enter a name for your SafeConnect virtual machine and a storage location, if applicable.

Specify Generation:

Select Generation 2 as the version.

Assign Memory:

Assign Memory to 16000 MB.

Configure Network:

Select the Connection type from the Connection drop-down.

Connect Virtual Hard Disk:

Select Use an existing virtual hard disk and browse to your SafeConnect vhdx.

Click Next.

When finished, you may then click “Finish” to close the dialogue window.

Once the VM is created, you will need to verify that 2 virtual processors are assigned to the VM. You can do this by right-clicking on the virtual machine and selecting Processor. Under ‘Number of virtual processors’, ensure there are 2.

Once complete, click OK and start the SafeConnect virtual machine.

The OPSWAT Policy Enforcer Hyper-V Template is now successfully deployed within your virtual environment.

System Configuration

Once the virtual appliance is powered on, connect to the console and log in with the username “admin” and the password “admin”. After logging in, the console configuration utility will be launched. The resulting pages will prompt the user to update the admin password, configure the IP address settings and enter a license key. A license key will need to be available prior to starting this step. If no license key is available, please contact support@impulse.com for assistance.

SafeConnect VMs are typically placed in a network management or dedicated subnet. This subnet must be directly connected to any Layer 3 device (router/L3 switch) SafeConnect will be integrated with. This subnet cannot be a user device subnet.

If the SafeConnect VM is placed in a subnet that is not directly connected to a Layer 3 device that is part of the integration, Policy-Based Routing (PBR) will not function.
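A pre-deployment check for the placement rules above, as an added example that is not OPSWAT code. It assumes you can list each integrated Layer 3 device's interface addresses and your user device subnets; the function name, device names and all addresses are constructed.

```python
import ipaddress

def check_placement(appliance_if, l3_devices, user_subnets):
    """Return a list of problems with the appliance's subnet placement.

    appliance_if -- appliance address with prefix, e.g. "10.20.0.10/24"
    l3_devices   -- {device name: [interface addresses with prefix]}
    user_subnets -- CIDR strings of end-user device subnets
    """
    appliance = ipaddress.ip_interface(appliance_if)
    problems = []

    # Rule: the appliance subnet cannot be a user device subnet.
    for cidr in user_subnets:
        if appliance.network.overlaps(ipaddress.ip_network(cidr)):
            problems.append(f"{appliance.network} overlaps user subnet {cidr}")

    # Rule: every integrated Layer 3 device needs an interface in the
    # appliance's own subnet (directly connected), or PBR will not function.
    for name, interfaces in l3_devices.items():
        connected = any(
            ipaddress.ip_interface(addr).network == appliance.network
            for addr in interfaces
        )
        if not connected:
            problems.append(f"{name} has no interface in {appliance.network}")
    return problems

# Constructed sample inventory (hypothetical names and addresses).
L3_DEVICES = {
    "core-rtr-1": ["10.20.0.1/24", "10.50.0.1/16"],
    "dist-sw-2": ["10.30.0.1/24", "10.60.0.1/16"],
}
USER_SUBNETS = ["10.50.0.0/16", "10.60.0.0/16"]

if __name__ == "__main__":
    for candidate in ("10.20.0.10/24", "10.50.3.10/16"):
        print(candidate, check_placement(candidate, L3_DEVICES, USER_SUBNETS) or "OK")
```
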

Reset Admin Password

Configure Appliance Network Settings

This step should only be performed once. It's considered dangerous to perform this step multiple times, even if you don't change anything. The act of resetting the network can be dangerous, especially to an HA environment.

Enter License Key

Network Test

This is the same network test performed when setting the IP address. It exists here to provide a convenient first troubleshooting step. A support engineer or a customer can get shell access and do any additional network testing they want if this doesn't suffice.

Available in version 7.0.4 and later.

Port Check

Optional Step

Available in version 6.5.18 and later.

Troubleshooting Shell

Optional Step

Available in version 6.5.18 and later.

Write down the Web Login URL. The console utility displays formats for the default hostname and the IP address of the appliance. If this is a brand new installation, the IP address format will likely need to be used as DNS may not yet be configured.

Exit Appliance Basic System Configuration.

For additional configuration, open https://portal.myweblogon.com:8443/manage (alternatively https://<appliance_IP>:8443/manage) in your web browser.

Remote Access Requirements

Outbound access rules are only applicable if outbound Internet filtering is in place. If outbound filtering is not in place, the connections below should work with no action required.

For DNS, NTP or SMTP, if those services are hosted internally, ensure no ACLs or Firewall rules block communication from SafeConnect to those services.

The Access Requirements below are used to facilitate installation, testing, training, support, monitoring, backups and upgrades of your SafeConnect Appliance(s), which are included as part of your Managed Service.

  • Allow outbound HTTP/HTTPS (ports 80 and 443) to the resources below from host x.x.x.x (SafeConnect Appliance Private IP):

    • Service Name: Amazon Web Services (Appliance Configuration Backups)

    • Resources:

      • 52.92.16.0/20

      • 52.216.0.0/15

      • 54.231.0.0/17

  • Allow outbound access for the following services from host x.x.x.x (SafeConnect Appliance Private IP):

    • Services: HTTPS, DNS, NTP
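One way to check a default-deny egress policy against the list above before go-live, as an added example that is not OPSWAT code. The rule format, function names, appliance address and DNS/NTP server addresses are constructed, and because the page names no destination for HTTPS it is treated as "any".

```python
import ipaddress

# Ranges copied from the requirements list above.
AWS_BACKUP_RANGES = ["52.92.16.0/20", "52.216.0.0/15", "54.231.0.0/17"]

def required_flows(dns_servers, ntp_servers):
    """Return (proto, port, destination, purpose) for every required flow."""
    flows = [("tcp", port, cidr, "AWS configuration backups")
             for cidr in AWS_BACKUP_RANGES for port in (80, 443)]
    # Assumption: the page names no destination for HTTPS, so require "any".
    flows.append(("tcp", 443, "0.0.0.0/0", "HTTPS"))
    for dst in dns_servers:  # DNS uses UDP and, for large answers, TCP
        flows += [("udp", 53, dst, "DNS"), ("tcp", 53, dst, "DNS")]
    flows += [("udp", 123, dst, "NTP") for dst in ntp_servers]
    return flows

def missing_flows(appliance_ip, permits, dns_servers, ntp_servers):
    """List required flows that no permit rule covers (default deny assumed)."""
    src = ipaddress.ip_address(appliance_ip)
    missing = []
    for proto, port, dst, purpose in required_flows(dns_servers, ntp_servers):
        need = ipaddress.ip_network(dst)
        covered = any(
            rule["proto"] == proto and port in rule["ports"]
            and src in ipaddress.ip_network(rule["src"])
            and need.subnet_of(ipaddress.ip_network(rule["dst"]))
            for rule in permits
        )
        if not covered:
            missing.append((proto, port, dst, purpose))
    return missing

# Constructed sample policy for a hypothetical appliance at 10.20.0.10.
SAMPLE_PERMITS = [
    {"src": "10.20.0.10/32", "dst": "52.92.16.0/20", "proto": "tcp", "ports": {80, 443}},
    {"src": "10.20.0.10/32", "dst": "52.216.0.0/15", "proto": "tcp", "ports": {80, 443}},
    # Typo in the rule: /18 covers only half of the documented /17.
    {"src": "10.20.0.10/32", "dst": "54.231.0.0/18", "proto": "tcp", "ports": {80, 443}},
    {"src": "10.20.0.0/24", "dst": "0.0.0.0/0", "proto": "tcp", "ports": {443}},
    {"src": "10.20.0.0/24", "dst": "10.0.0.53/32", "proto": "udp", "ports": {53}},
    {"src": "10.20.0.0/24", "dst": "10.0.0.123/32", "proto": "udp", "ports": {123}},
]

if __name__ == "__main__":
    for flow in missing_flows("10.20.0.10", SAMPLE_PERMITS, ["10.0.0.53"], ["10.0.0.123"]):
        print("not permitted:", flow)
```

With the sample policy, the check reports the HTTP rule that was narrowed to a /18 and the absent TCP/53 permit; both would otherwise surface later as intermittent backup or DNS failures.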

If any questions arise, please contact your OPSWAT Deployment Engineer or OPSWAT Support.