VMware Sensor Deployment

Review the following prerequisites to ensure an efficient setup and configuration of the USM Anywhere Sensor on VMware.

Minimum Requirements

These are the minimum requirements to set up and configure the USM Anywhere Sensor on VMware:
  1. Access to VMware ESXi 6.5 or later, including the free version.
  2. Dedicated 4 CPUs and 12 GB of reserved memory.
  3. Dedicated 150 GB of disk space (100 GB data device and 50 GB root device).
  4. Internet connectivity to the network where you plan to install the VMware Sensor.
Important: Because the needs of a sensor differ based on the varying demands of different deployment environments and the complexity of events being processed, the number of events per second (EPS) throughput a sensor can process varies. Depending on your environment, you may need to deploy additional sensors to ensure that all events are processed.
These are the recommended requirements to set up and configure the USM Anywhere Sensor on VMware:
  1. A VMware vSphere or VMware vCenter user account to use for USM Anywhere Sensor configuration, with an assigned role that has permissions equivalent to the read-only default role.
     Note: The read-only role gives a user limited read access to the system without any other privileges. Credentials with this role enable the deployed USM Anywhere Sensor to collect vCenter and vSphere events and run asset discovery.
  2. VMware Tools installed on the hosts in your vSphere or vCenter environment.
     With configured vSphere or vCenter credentials, the VMware Sensor uses the VMware APIs to run asset discovery. A host that does not have VMware Tools installed has no IP address reported for it, so the asset can be missed during asset discovery or duplicated during subsequent discoveries. VMware Tools also enable the sensor to collect more detailed information about the asset.
  3. If Dynamic Host Configuration Protocol (DHCP) is not available, a static IP address for the management interface and local Domain Name System (DNS) information.
     Important: AT&T Cybersecurity strongly recommends assigning a static IP address to the USM Anywhere Sensor. If DHCP changes the IP address of the sensor, you must update the destination address on every device that forwards logs to the sensor through syslog.
  4. Port mirroring set up for network monitoring (see Direct Traffic from Your Physical Network to the VMware Sensor for more information).
  5. Administrative credentials for devices that require configuration to forward logs to the VMware Sensor.
  6. Administrative credentials for remote hosts to support authenticated asset scans.
  7. Configuration on the firewall or other security device to send UDP or TCP syslog (if it is capable of exporting security logs through syslog).
  8. Network topology information to run asset discovery.
  9. To use the network-based intrusion detection system (NIDS) functionality on the sensor, an Ethernet port on the host that is available to receive data from a Switched Port Analyzer (SPAN) or Test Access Point (TAP) port.

Sensor Ports and Connectivity

Before deploying a USM Anywhere Sensor, you must configure your firewall permissions to enable the required connectivity for the new sensor. Initial deployment of a sensor requires that you open egress (outbound) ports and protocols in the firewall for communication with USM Anywhere and AT&T Cybersecurity Secure Cloud resources. The sensor receives no inbound connections from outside the firewall.

Note: To launch the USM Anywhere Sensor web UI during the initial setup, you need to allow inbound traffic to the sensor IP address through TCP port 80. You can remove access to this port after the sensor successfully connects to USM Anywhere. You do not need to allow inbound traffic to this port from the Internet.

The following tables list the inbound and outbound ports.

Sensor Ports and Connectivity (Outbound Ports)

TCP 443 to update.alienvault.cloud
  Communication with AT&T Cybersecurity for initial setup and future updates of the sensor.

TCP 443 to reputation.alienvault.com
  Ongoing communication with AT&T Alien Labs™ Open Threat Exchange® (OTX™).

TCP 443 to otx.alienvault.com
  Ongoing communication with OTX to retrieve vulnerability scores. Connecting to otx.alienvault.com is not required but highly recommended.
  OTX is served through Amazon CloudFront. Refer to the AWS IP address ranges page when you deploy a new sensor; it lists the current IP address ranges for the service and explains how to filter them.

TCP 443 to <your USM Anywhere subdomain>.alienvault.cloud, or <your USM Anywhere subdomain>.gov.alienvault.us (for AT&T TDR for Gov)
  Ongoing communication with USM Anywhere.

TCP 9443 to vCenter Server
  Authenticate the sensor to ESXi, and connect to vCenter so that the VMware configuration can gather data directly from vCenter.

SSL/TCP 7100 to <your USM Anywhere subdomain>.alienvault.cloud, or <your USM Anywhere subdomain>.gov.alienvault.us (for AT&T TDR for Gov)
  Ongoing communication with USM Anywhere.

UDP 53 to your DNS servers (Google public DNS by default)
  Name resolution, required for ongoing communication with USM Anywhere and the other endpoints in this table.

UDP 123 to 0.pool.ntp.org, 1.pool.ntp.org, 2.pool.ntp.org, 3.pool.ntp.org
  Sync with Network Time Protocol (NTP) services.

TCP 22 and 443 to prod-usm-saas-tractorbeam.alienvault.cloud, or prod-gov-usm-saas-tractorbeam.gov.alienvault.us (for AT&T TDR for Gov)
  SSH communications with the USM Anywhere remote support server. See Troubleshooting and Remote Sensor Support for more information about remote technical support through the USM Anywhere Sensor console.

TCP 443 to geoip-<region>-prod.alienvault.cloud, where <region> is one of: us-west-2, us-east-1, sa-east-1, eu-west-1, eu-west-2, eu-central-1, ca-central-1, ap-southeast-2, ap-northeast-1
  Resolution of IP addresses for geolocation services. You only need to whitelist the GeoIP endpoint for the region where your USM Anywhere instance is hosted.

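As an added example (not AT&T Cybersecurity code), the following Python script turns the outbound table above and the regional IP ranges listed further down the page into a pre-flight check you can run from a host on the sensor's management network before powering on the sensor. It resolves each endpoint, attempts a TCP connection on the listed port, and confirms that your USM Anywhere subdomain resolves into the published range for your region, so that a firewall allow-list built from the regional table actually matches the address the sensor will use. The subdomain "acme", the 3-second timeout and the report layout are assumptions; hostnames, ports and CIDRs are the ones on this page.

```python
"""Egress pre-flight check for a USM Anywhere VMware Sensor network.

Added example, not AT&T Cybersecurity code. Hostnames, ports and CIDRs are
from the Outbound Ports and AWS region tables on this page; the subdomain
"acme", the 3-second timeout and the report layout are assumptions.
"""
import ipaddress
import socket

# Ranges every deployment must allow (Update Server and AlienVault Agent).
GLOBAL_RANGES = ["3.235.189.112/28", "44.210.246.48/28"]

# Regional control-node ranges. us-east-1 uses only the global ranges;
# GovCloud uses its own range for control node and Update Server alike.
REGIONAL_RANGES = {
    "ap-northeast-1": "18.177.156.144/28", "ap-south-1": "3.7.161.32/28",
    "ap-southeast-2": "3.25.47.48/28",     "ca-central-1": "3.96.2.80/28",
    "eu-central-1": "18.156.18.32/28",     "eu-west-1": "3.250.207.0/28",
    "eu-west-2": "18.130.91.160/28",       "sa-east-1": "18.230.160.128/28",
    "us-east-1": None,                     "us-west-2": "44.234.73.192/28",
    "us-gov-west-1": "3.32.190.224/28",
}

# Regions that have a GeoIP endpoint in the Outbound Ports table.
GEOIP_REGIONS = {"us-west-2", "us-east-1", "sa-east-1", "eu-west-1", "eu-west-2",
                 "eu-central-1", "ca-central-1", "ap-southeast-2", "ap-northeast-1"}


def allowed_ranges(region):
    """CIDRs the firewall must permit for the control node and updates."""
    if region not in REGIONAL_RANGES:
        raise ValueError(f"unknown USM Anywhere region: {region}")
    if region == "us-gov-west-1":
        return [REGIONAL_RANGES[region]]
    regional = REGIONAL_RANGES[region]
    return ([regional] if regional else []) + GLOBAL_RANGES


def tenant_host(subdomain, region):
    """Control-node FQDN: <subdomain>.alienvault.cloud, or .gov.alienvault.us for GovCloud."""
    suffix = "gov.alienvault.us" if region == "us-gov-west-1" else "alienvault.cloud"
    return f"{subdomain}.{suffix}"


def outbound_endpoints(subdomain, region):
    """(host, port, purpose) tuples the sensor must reach, per the table above."""
    gov = region == "us-gov-west-1"
    tenant = tenant_host(subdomain, region)
    support = ("prod-gov-usm-saas-tractorbeam.gov.alienvault.us" if gov
               else "prod-usm-saas-tractorbeam.alienvault.cloud")
    endpoints = [
        ("update.alienvault.cloud", 443, "sensor setup and updates"),
        ("reputation.alienvault.com", 443, "OTX reputation"),
        ("otx.alienvault.com", 443, "OTX vulnerability scores (recommended)"),
        (tenant, 443, "USM Anywhere control node"),
        (tenant, 7100, "USM Anywhere control node"),
        (support, 22, "remote support over SSH"),
        (support, 443, "remote support over HTTPS"),
    ]
    if region in GEOIP_REGIONS:
        endpoints.append((f"geoip-{region}-prod.alienvault.cloud", 443, "GeoIP"))
    return endpoints


def in_ranges(ip, cidrs):
    """True if ip lies inside any of the CIDR blocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(cidr) for cidr in cidrs)


def tcp_reachable(host, port, timeout=3.0):
    """Resolve host (this exercises UDP/53) and open a TCP connection to port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def preflight(subdomain, region, timeout=3.0):
    """Rows of (host, port, reachable, in_published_range); the range check
    applies only to the control node, so the other rows carry None."""
    rows = []
    tenant = tenant_host(subdomain, region)
    for host, port, _purpose in outbound_endpoints(subdomain, region):
        in_range = None
        if host == tenant:
            try:
                in_range = in_ranges(socket.gethostbyname(host), allowed_ranges(region))
            except OSError:
                in_range = False
        rows.append((host, port, tcp_reachable(host, port, timeout), in_range))
    return rows


if __name__ == "__main__":
    for host, port, ok, in_range in preflight("acme", "eu-west-1"):
        note = "" if in_range is None else f"  published-range={'yes' if in_range else 'NO'}"
        print(f"{'OK  ' if ok else 'FAIL'} {host}:{port}{note}")
```

The script cannot verify the UDP paths (DNS on 53, NTP on 123) with a TCP connect; the name resolution it performs does exercise UDP/53, and a run that fails on every endpoint with a resolution error usually points at DNS rather than the firewall. A control-node row reported as outside the published range means the allow-list for that region will not cover the address the sensor is about to use; recheck the region before opening ports.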

Sensor Ports and Connectivity (Inbound Ports)

SSH, TCP 22
  Secure remote login from an administrator's computer to the sensor console.
HTTP, TCP 80
  Sensor web UI during initial setup (see the note above); you can close this port after the sensor has connected to USM Anywhere.
Syslog over UDP (RFC 3164), port 514
  USM Anywhere collects data through syslog over UDP on port 514 by default.
Syslog over TCP (RFC 3164), port 601
  Reliable syslog service. USM Anywhere collects data through syslog over TCP on port 601 by default.
Syslog over TCP (RFC 5424), port 602
  USM Anywhere collects data through syslog over TCP on port 602 by default.
Traffic mirroring (VXLAN), UDP 4789
  Mirrored traffic encapsulated in virtual extensible local area network (VXLAN).
WSMANS, TCP 5987
  WBEM WS-Management HTTP over Secure Sockets Layer/Transport Layer Security (SSL/TLS), used by NXLog.
Syslog over TLS/TCP (RFC 3164), port 6514
  USM Anywhere collects TLS-encrypted syslog over TCP on port 6514 by default.
Syslog over TLS/TCP (RFC 5424), port 6515
  USM Anywhere collects TLS-encrypted syslog over TCP on port 6515 by default.
Graylog, port 12201
  Graylog Extended Log Format (GELF).

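The inbound table pairs each syslog format with a transport and a port. As an added example (not vendor code), this Python script builds a correctly formed RFC 3164 and RFC 5424 message, picks the listening port for the chosen format and transport, and sends it to the sensor, so you can confirm the firewall rule and the listener before repointing production log sources. The sensor address 192.0.2.10, the host and application names, and the message text are constructed; the ports are those listed above.

```python
"""Send a test syslog message to a USM Anywhere Sensor on the matching port.

Added example, not AT&T Cybersecurity code. The (format, transport) to port
mapping follows the Inbound Ports table; the sensor address 192.0.2.10, the
host/app names and the message text are constructed for illustration.
"""
import datetime
import socket
import ssl

# (format, transport) -> sensor listening port, from the Inbound Ports table.
SYSLOG_PORTS = {
    ("rfc3164", "udp"): 514,
    ("rfc3164", "tcp"): 601,
    ("rfc5424", "tcp"): 602,
    ("rfc3164", "tls"): 6514,
    ("rfc5424", "tls"): 6515,
}


def pri(facility, severity):
    """Syslog PRI value: facility * 8 + severity."""
    return facility * 8 + severity


def rfc3164(msg, hostname, app, facility=1, severity=6, now=None):
    """BSD syslog line: <PRI>Mmm dd hh:mm:ss HOST TAG: MSG (day is space-padded)."""
    now = now or datetime.datetime.now()
    stamp = f"{now:%b} {now.day:2d} {now:%H:%M:%S}"
    return f"<{pri(facility, severity)}>{stamp} {hostname} {app}: {msg}"


def rfc5424(msg, hostname, app, facility=1, severity=6, now=None, msgid="-"):
    """RFC 5424 line: <PRI>1 TIMESTAMP HOST APP PROCID MSGID SD MSG.

    The timestamp is emitted as UTC with millisecond precision; a naive
    datetime supplied by the caller is taken to be UTC already.
    """
    now = now or datetime.datetime.now(datetime.timezone.utc)
    stamp = f"{now:%Y-%m-%dT%H:%M:%S}.{now.microsecond // 1000:03d}Z"
    return f"<{pri(facility, severity)}>1 {stamp} {hostname} {app} - {msgid} - {msg}"


def frame(line, transport):
    """UDP carries one bare message per datagram; TCP and TLS streams get a
    trailing LF (RFC 6587 non-transparent framing) so the receiver can split."""
    data = line.encode("utf-8")
    return data if transport == "udp" else data + b"\n"


def send(sensor, fmt, transport, line, cafile=None, timeout=3.0):
    """Deliver one framed message to the sensor; returns the port used."""
    port = SYSLOG_PORTS[(fmt, transport)]
    data = frame(line, transport)
    if transport == "udp":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.sendto(data, (sensor, port))
        return port
    sock = socket.create_connection((sensor, port), timeout=timeout)
    if transport == "tls":
        # Keep certificate verification on: pass the sensor's CA via cafile
        # if it is not already trusted rather than disabling the check.
        ctx = ssl.create_default_context(cafile=cafile)
        sock = ctx.wrap_socket(sock, server_hostname=sensor)
    with sock:
        sock.sendall(data)
    return port


if __name__ == "__main__":
    SENSOR = "192.0.2.10"  # constructed address (TEST-NET-1), not a real sensor
    line = rfc5424("usm-anywhere inbound test", "fw-edge-01", "preflight")
    print(line)
    try:
        print("sent on port", send(SENSOR, "rfc5424", "tcp", line))
    except OSError as exc:
        print("delivery failed:", exc)
```

Send with the format the listener expects: an RFC 5424 message delivered to port 601, or a BSD-style message to 602, is the most common reason a test event never shows up in USM Anywhere. For the TLS listeners, keep certificate verification enabled and supply the sensor's CA certificate through cafile instead of turning verification off; a forwarder that skips verification will deliver your logs to anything that answers on 6514.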
USM Anywhere IP Addresses for Whitelisting

Your sensor is connected to a USM Anywhere instance deployed in one of the Amazon Web Services (AWS) endpoint regions based on your location. If you need to configure your firewall to allow communication between the sensor and the USM Anywhere instance, refer to the following table with the reserved IP address ranges for each region.

Important: The Update Server and the AlienVault Agent always use the 3.235.189.112/28 range no matter where your USM Anywhere is deployed. The AT&T TDR for Gov Update Server uses the 3.32.190.224/28 range.
The regional IP ranges listed in this table are limited to the Control Nodes (subdomain). You must also meet all requirements provided in the Sensor Ports and Connectivity (Outbound Ports) table.

AWS Regions Where USM Anywhere Instance Is Available

Code             Name                          Reserved static IP address ranges
ap-northeast-1   Asia Pacific (Tokyo)          18.177.156.144/28, 3.235.189.112/28, 44.210.246.48/28
ap-south-1       Asia Pacific (Mumbai)         3.7.161.32/28, 3.235.189.112/28, 44.210.246.48/28
ap-southeast-2   Asia Pacific (Sydney)         3.25.47.48/28, 3.235.189.112/28, 44.210.246.48/28
ca-central-1     Canada (Central)              3.96.2.80/28, 3.235.189.112/28, 44.210.246.48/28
eu-central-1     Europe (Frankfurt)            18.156.18.32/28, 3.235.189.112/28, 44.210.246.48/28
eu-west-1        Europe (Ireland)              3.250.207.0/28, 3.235.189.112/28, 44.210.246.48/28
eu-west-2        Europe (London)               18.130.91.160/28, 3.235.189.112/28, 44.210.246.48/28
sa-east-1        South America (São Paulo)     18.230.160.128/28, 3.235.189.112/28, 44.210.246.48/28
us-east-1        US East (N. Virginia)         3.235.189.112/28, 44.210.246.48/28
us-west-2        US West (Oregon)              44.234.73.192/28, 3.235.189.112/28, 44.210.246.48/28
us-gov-west-1    AWS GovCloud (US-West)        3.32.190.224/28

Create the VMware Virtual Machine

AT&T Cybersecurity provides a download package, which contains the VMware Open Virtualization Format (OVF) template that you can use to import and deploy the USM Anywhere Sensor on a VMware ESXi host.
Important: If you use VMware ESXi 6.5, you must have build 7388607 or later. Earlier builds have an issue with the OVF tools that causes the sensor OVF deployment to fail.
If the OVF package is invalid and can't be deployed, and you get a SHA256 Error message, see The OVF Package Is Invalid and Cannot Be Deployed - SHA256 Error for more information.

The following procedure describes the standard VMware ESXi Embedded Host Client, which is a native HTML and JavaScript application served directly from your ESXi host. Before you begin this procedure, make sure that your ESXi 6.5 host is updated to build 7388607 or later and that the web client is updated to build 7119706 or later. Refer to these VMware online resources for the latest download files and information:
  1. VMware ESXi Patch Tracker: https://esxi-patches.v-front.de/ESXi-6.5.0.html
  2. VMware ESXi Embedded Host Client: https://labs.vmware.com/flings/esxi-embedded-host-client 
If you are using VMware vCenter to manage your VMware ESXi hosts and using the VMware vSphere web client, refer to the documentation provided by VMware and extrapolate from this procedure.

To load the OVF and deploy the USM Anywhere Sensor Virtual Machine (VM)
  1. Go to the USM Anywhere Sensor Downloads page and click the download icon for your specific sensor. Your browser starts to download the USM Anywhere Sensor package. Depending on your Internet connection, the download can take 30 minutes or more.
  2. Extract the USM Anywhere Sensor package to any folder on the machine where you are using the vSphere client.
  3. In your ESXi Web Client, click Create/Register VM.
     This opens the New virtual machine wizard.
  4. In the Select creation type page, choose Deploy a virtual machine from an OVF or OVA file and click Next.
  5. Enter a name for the new VM and select the template files.
  6. Browse to the location where you extracted the files from the sensor download package, select the OVF and VMDK files, and click Next.
  7. For each of the remaining wizard pages, set the parameters as needed for your network and click Next:
     a. Select storage: Select the datastore you want to use for the VM.
     b. Deployment options: Set the networking and deployment options for the VM.
        The primary network requires Internet connectivity and an IP address that is routed to provide access to USM Anywhere. The other interfaces passively monitor network traffic in promiscuous mode.
        Warning: The VMware Sensor requires all five network interface cards (NICs) to be enabled; otherwise, the USM Anywhere update fails. The NICs can remain disconnected.
        See Configure Network Interfaces for On-Premises Sensors for more information about these interfaces.
     c. Clear the Power on automatically option. It is important to create the VM without powering it on so that you can configure the ISO file before the initial boot.
     d. In the Ready to complete panel, review the configuration and click Finish.
        An alert appears that says "A required disk image was missing". Ignore this message, because you will address the disk image in the next step.
        Import of the OVF and VMDK files and creation of the virtual image can take some time. You can check the status in the Recent Tasks window.
  8. After the VM is created but not yet powered on, configure the correct ISO file, deploy_config.iso, for the datastore:
     Note: Sometimes a different ISO file is selected by default, causing the deployment to fail.
     Warning: You must complete this step and ensure that the ISO is mounted before you start the sensor VM for the first time.
     If you see REPLACEME as the initial login password in the sensor welcome screen when you connect to the VM, the ISO was most likely not mounted before the sensor was started. If this happens, shut down the VM, complete this step so that the ISO is configured for the datastore, and then begin the deployment process anew.
     a. Upload the deploy_config.iso file to your datastore. You can use the datastore browser in the web client to select the ISO file and upload it.
     b. Select the new sensor VM in the left pane and scroll to the Hardware Configuration section.
     c. Locate CD/DVD drive 1 in the hardware list and click Select disc image.
     d. Navigate the datastore and select the deploy_config.iso file.
     e. Click Select.
  9. In the toolbar, click Power on to start the USM Anywhere Sensor VM.
     After the sensor initialization process starts, the VM thumbnail displays a green startup screen; initialization can take a few minutes to complete.
  10. Connect to the console for the USM Anywhere Sensor using one of the following methods:
     • In the toolbar, click Console.
     • Click the thumbnail for the sensor VM.
     [Screenshot: Open a console for the deployed USM Anywhere Sensor VM]

The USM Anywhere Sensor screen provides the initial login password to use when you complete the sensor setup. It also displays the URL that you use to access USM Anywhere and complete the sensor registration and connection.

Set Up USM Anywhere on the VMware Virtual Machine

There is some configuration required within the sensor console on the virtual machine (VM). The sensor console also provides tools for troubleshooting the USM Anywhere Sensor. After this initial configuration, you complete the sensor configuration in the USM Anywhere web user interface (UI).
Perform these initial configuration tasks on the VMware VM, using the USM Anywhere Sensor console.

Change the Administrative Password and Keyboard Layout

Follow these instructions to change the administrative password and keyboard layout.

To change the administrative password and keyboard layout
  1. Log in using the credentials displayed in the console screen.
     [Screenshot: Login screen for the USM Anywhere Sensor]
  2. (Optional.) Configure the keyboard if you use a keyboard layout other than the U.S. default.
  3. Set a new password for the sysadmin user.
     Important: During the installation, the system acquires its initial IP address through Dynamic Host Configuration Protocol (DHCP). If DHCP is not available, you must configure the IP address manually.
     AT&T Cybersecurity strongly recommends assigning a static IP address to the USM Anywhere Sensor as a best practice. This keeps log forwarding destinations and your network architecture stable.
  4. If the system acquired an IP address automatically, note the web URL (IP address) shown on the screen. You will need the URL when you exit the console and follow the instructions in Connect the VMware Sensor to USM Anywhere.
  5. If the system could not acquire an IP address automatically, a message box confirms that it was unable to obtain an address from a DHCP server after you change the sysadmin password. In this case, set a static IP address manually (see Configure a Static IP Address) so that it remains unchanged in the future.

Configure a Static IP Address

Follow these instructions to configure a static IP address.
To configure a static IP address
  1. Go to Network Configuration > Configure Management Interface > Set a Static Management IP Address.
  2. Enter the IP address, subnet mask, and gateway in each screen.
  3. Press Enter to apply the settings.
Important: DNS settings are not preserved when a static IP address is configured. After you configure a static IP address, you must configure the DNS network settings for the sensor to activate successfully.

Configure Domain Name System

Follow these instructions to configure the Domain Name System (DNS).

Important: When the USM Anywhere Sensor performs an asset scan, it must access the local Domain Name System (DNS) server to resolve local host names. The sensor uses reverse DNS to look up the hostname through the discovered IP address.

Note: When deploying your VMware Sensor in a DHCP environment, the DNS server is automatically set to retrieve via DHCP. This can be configured later in your sensor's settings. See Deploying Your Sensor in a DHCP Environment for more information about USM Anywhere Sensors in a DHCP environment.

To configure DNS
  1. Go to Network Configuration > Configure DNS.
  2. Enter the primary DNS server address and press Enter.
  3. (Optional.) Enter the secondary DNS server address and press Enter.
     A text box opens to confirm that you want to apply the changes.
  4. Press Enter.
Note: Verify your settings through Network Configuration > View Network Configuration.

