VM Deployment Guide
ESXi Overview
Includes Installation Instructions for loading SafeConnect into your ESXi 5.0+ environment from an OVA file.
This document is intended to be used as a guide to install a Virtual Machine (VM) version of the SafeConnect Policy Enforcer appliance within an ESXi virtual environment. You should be familiar with the VSphere Client Console prior to attempting this task. If technical support is required during the installation, please use the contact information below for assistance.
OPSWAT Customer Support
(813) 607-2771
support@impulse.com
ESXi Installation
The OPSWAT Enforcer VM image labeled VMware ESXi requires 16GB of memory of dedicated memory with 300GB thin provisioned storage partition and 2 shared quad core CPUs (2-3Ghz). This configuration allows for up to 25,000 concurrent connections.
If you are using the OPSWAT Enforcer VM image labeled Small Footprint Version this requires 4GB of memory of dedicated memory with 300GB thin provisioned storage partition and 2 CPU Cores (2-3Ghz). This configuration allows for up to 1,000 concurrent connections.
To add the new machine to your inventory, launch your VSphere client and log into Virtual Management Console. The image uses VM Version 8 hardware.
Highlight the resource pool, and select “Deploy OVF Template…” from the “File” menu as shown in the illustrations below.
In the “Deploy OVF Template” dialogue screen, you can directly input the path to the OVA you downloaded. If you have not already downloaded the OVA visit the URL linked below to download. Once you have the OVF file information correctly entered into the dialogue box, click “Next”.
SafeConnect Download Page (for over 1000 devices) SafeConnect Small Download Page (for under 1000 devices)
The following screen will allow you to verify your OVF template details. If everything is correct, click “Next”.
In the following screen, enter the name of the new virtual machine as shown in the illustration below. Click Next when complete.
The following screen allows you to select how the virtual disk will be formatted. It is recommended that you select “Thin Provision” as shown in the illustration below. Click Next when complete.
The next screen will allow you to review all of the details of the new Virtual Machine. Once you have verified the configuration, click “Finish” and the OVF file will be deployed into your virtual environment.
You will see the deployment progress in a pop-up dialogue window as illustrated below.
Once the deployment completes, the pop-up dialogue window will display a message indicating a successful completion as shown in the illustration below. You may then click: “Close” to close the pop-up dialogue window. The OPSWAT Policy Enforcer OVF Template is now successfully deployed within your Virtual environment.
Hyper-V Overview
Includes Installation Instructions for loading SafeConnect into your Hyper-V Gen2 environment from an VHDX file.
This document is intended to be used as a guide to install a Virtual Machine (VM) version of the SafeConnect Policy Enforcer appliance within a Hyper-V virtual environment. You should be familiar with the Hyper-V Manager Console prior to attempting this task. If technical support is required during the installation, please use the contact information below for assistance.
OPSWAT Customer Support
(813) 607-2771
support@impulse.com
Hyper-V Installation
The OPSWAT Enforcer VM image requires 4Gig of memory of dedicated memory with 300Gig thin provisioned storage partition and 2 shared quad core CPUs (2-3Ghz). This configuration allows for up to 1,000 concurrent connections.
To add the new machine to your inventory, launch your Hyper-V Manager Console. The image uses Hyper-V Generation 2.
"Click New > Virtual Machine".
Specify Name and Location:
Enter a name for your SafeConnect virtual machine and a storage location, if applicable.
Specify Generation:
Select Generation 2 as the version
Assign Memory:
Assign Memory to 16000 MB.
Configure Network:
Select the Connection type from the Connection drop down
Connect Virtual Hard Disk:
Select Use an existing virtual hard disk and browse to your SafeConnect vhdx.
Click Next
When finished y ou may then click: “ Finish ” to cl ose the dialogue window.
Once VM is created you will need to verify 2 virtual processors are assigned to the VM. You can do this by right clicking on the virtual machine and selecting Processor. Under ‘Number of virtual processors’ ensure there are 2.
Once complete click OK and start the SafeConnect virtual machine.
The OPSWAT Policy Enforcer Hyper-V Template is now successfully deployed wi thin your v irtual environment.
System Configuration
Once the virtual appliance is powered on, connect to the console and login with the username “admin” and the password “admin”. After logging in, the consoled configuration utility will be launched. The resulting pages will prompt the user to update the admin password, configure the IP address settings and enter a license key. A License Key will need to be available prior to starting this step. If no license key is available, please contact support@impulse.com for assistance.
SafeConnect VMs are typically placed in a network management or dedicated subnet. This subnet must be directly connected to any Layer 3 device (router/L3 switch) SafeConnect will be integrated with. This subnet cannot be a user device subnet.
If the SafeConnect VM is placed in a subnet that is not directly connected to a Layer 3 device that is part of the integration, Policy-Based Routing (PBR) will not function.
Reset Admin Password
Configure Appliance Network Settings
This step should only be performed once. It's considered dangerous to perform this step multiple times, even if you don't change anything. The act of resetting the network can be dangerous, especially to an HA environment.
Enter License Key
Network Test
This is the same network test performed when setting the IP address. It exists here to provide a convenient first troubleshooting step. A support engineer or a customer can get shell access and do any additional network testing they want if this doesn't suffice.
Available in version 7.0.4 and later.
Port Check
Optional Step
Available in version 6.5.18 and later.
Troubleshooting Shell
Optional Step
Available in version 6.5.18 and later.
Write down the Web Login URL. The console utility displays formats for the default hostname and the IP address of the appliance. If this is a brand new installation, the IP address format will likely need to be used as DNS may not yet be configured.
Exit Appliance Basic System Configuration.
For additional configuration, open https://portal.myweblogon.com:8443/manage (alternatively https://<appliance_IP>:8443/manage) in your web browser.
Remote Access Requirements
Outbound access rules are only applicable if outbound Internet filtering is in place. If outbound filtering is not in place, the connections below should work with no action required.
For DNS, NTP or SMTP, if those services are hosted internally, ensure no ACLs or Firewall rules block communication from SafeConnect to those services.
The Access Requirements below are used to facilitate installation, testing, training, support, monitoring, backups and upgrades of your SafeConnect Appliance(s) which is included as part of your Managed Service.
-
Allow outbound ssh (port 22) to below resources from host x.x.x.x (SafeConnect System IP):
-
FQDN: ca1.impulse.com
-
IP Address: 52.1.227.222/32
-
-
FQDN: ca2.impulse.com
-
IP Address: 52.4.162.8/32
-
-
FQDN: monitoring.impulse.com
-
IP Address: 54.175.200.23/32
-
-
FQDN: downloads.impulse.com
-
IP Address: 34.192.23.191/32
-
-
-
Allow outbound https (port 443) to below resources from host x.x.x.x (SafeConnect Appliance Private IP):
-
FQDN: salesforce.com
-
IP/FQDN Address: For a full list of FQDN/IPs see: https://help.salesforce.com/articleView?id=000003652&type=1
-
-
Allow outbound HTTP (port 80) to below resources from host x.x.x.x (SafeConnect Appliance Private IP):
-
Service Name: Squid (Used for proxying remediation resources)
-
Service: HTTP
-
-
Allow outbound HTTP/HTTPS (port 80 and 443) to below resources from host x.x.x.x (SafeConnect Appliance Private IP):
-
Service Name: Amazon Web Services (Appliance Configuration Backups)
-
Resources:
-
52.92.16.0/20
-
52.216.0.0/15
-
54.231.0.0/17
-
-
-
Allow outbound for following services from host x.x.x.x (SafeConnect Appliance Private IP):
-
Services: HTTPS, DNS, NTP
-
If any questions arise please contact your OPSWAT Deployment Engineer or OPSWAT Support.