Deployment Guides#

Endpoint Analytics is available as a deployment package for ESXi environments. A hardware appliance is also available upon request.

Pre-deployment#

As part of the installation process, the Endpoint Analytics hardware or virtual appliance must be configured with certain information that it needs to interact with the environment it will be deployed to. Certain parts of existing network infrastructure must also be properly configured to allow Endpoint Analytics to collect the data necessary for its functions.

To minimize interruptions during deployment and accelerate the subsequent configuration steps, use the following table to make the necessary preparations beforehand:

| Requirement | Description/use |
| --- | --- |
| Initial configuration details | Passwords for beacon (appliance) and admin (web interface) accounts, hostname, management interface (ens160) IP and mask, default gateway IP, name server FQDN or IP, NTP server(s) FQDN or IP. Must be entered during the initial configuration of the hardware or virtual appliance. |
| SSL certificate details | FQDN of the appliance, organization unit and name, state or province, city, and two-letter country code. Will be requested by the initial configuration script for the creation of the self-signed digital certificate and Certificate Signing Request (CSR). |
| Internal address blocks | Range of endpoint IP addresses to be targeted by the system (typically one or more IP networks or subnets). Must be entered in CIDR (x.x.x.x/mask) format. |
| Network devices | List of network infrastructure devices (NIDs) that will be polled by the system. Must be added via the web interface before Endpoint Analytics can start collecting data from them. |
| SNMP trap information | SNMP trap community string that will be used by NIDs sending traps (NIDs should also be configured to send link state and MAC change traps when possible). Will ensure that only traps from NIDs of interest will be accepted for processing. |
| DHCP traffic visibility | DHCP-addressed endpoints should be configured to have a copy of their traffic redirected to the monitoring port(s) using SPAN, RSPAN, or other mirroring methods. Will allow Endpoint Analytics to analyze traffic between DHCP clients and servers to assign profiles and maintain IP-to-MAC mapping. |

Note

The items above link directly to the relevant pages under the Configuration Guides section of this manual, but reading through this section first is recommended, especially when deploying Endpoint Analytics for the first time.

The default settings of Endpoint Analytics can be further tuned after running the system in production for some time and learning more about the endpoint monitoring requirements for a given enterprise network.

Hardware appliance#

After removing the Endpoint Analytics hardware appliance from its packaging, verify that all accompanying accessories (rackmount kit, appliance-locking bezel and keys, and power cord) are included. The appliance can be mounted in a standard 19-inch rack or cabinet.

Important

If your box arrives torn, dented, or otherwise damaged, the appliance itself seems damaged, or there are missing parts, contact Plixer Technical Support immediately and do not attempt to install the unit.

  1. Connect the power cable to the socket in the rear of the appliance and plug the other end into a grounded AC outlet.

  2. Connect a monitor, keyboard, and mouse directly to the appliance or through a KVM switch.

Hint

A PC running HyperTerminal can also be used to access the appliance’s command line interface (CLI) using serial parameters: 9600 baud, N, 8, and 1.

  3. Connect an RJ-45 Ethernet cable to the port labeled e0:Mgt behind the appliance and connect the other end of the cable to an available switch port.

  4. Connect the monitoring interface(s) to the network switch ports. The second on-board copper port and additional ports in the expansion slots can be used as additional monitor ports for the system.

  5. Power on the device using the button on the front panel and use the LEDs to confirm connectivity based on the following table:

| LED | State | Connectivity status |
| --- | --- | --- |
| Left | Off | No network connection (Link Down) |
| Left | Solid amber | Network link established (Link Up) |
| Left | Blinking amber | Transmit/receive activity |
| Right | Off | 10 Mbps connection (if left LED is on or blinking) |
| Right | Solid amber | 100 Mbps connection |
| Right | Solid green | 1000 Mbps connection |

Once the appliance boots, wait for the login prompt, and then follow the initial configuration guide to complete the appliance deployment.

Virtual appliance#

To deploy the Endpoint Analytics virtual appliance in ESXi, take note of the following requirements and proceed with the deployment process described below:

  • ESXi 6.7 U2+

  • VMware vSphere or vCenter

  • Resources:

    • Memory: 8 GB

    • Storage: 40 GB

    • CPU: 4 cores, 2.0+ GHz

Deploying the OVA template#

  1. Contact Plixer Technical Support and use the link they provide (https://files.plixer.com/PACKAGE_PATH_AND_FILENAME) to download the latest VMware virtual appliance package.

  2. Extract the contents of the package to a location on the ESXi server.

  3. In vSphere or vCenter, right-click the host to deploy the appliance to, and then select Deploy OVF Template from the menu.

  4. Select Local file, and then browse to the Endpoint Analytics OVA file before clicking Next.

  5. Provide a name for the virtual appliance and continue to follow the deployment wizard.

  6. When done, verify the configuration in the summary, and then click Finish to import the virtual appliance.

Once the Endpoint Analytics virtual appliance has been imported, right-click on the VM to power it on, and then follow the initial configuration guide to complete the deployment process.

By default, the OVF install includes 2 CPUs, 4 GB RAM, 40 GB storage, and 2 network adapters. In most cases, this configuration is sufficient. However, if you increase your virtual hardware allocation, you must make those changes within your KVM environment (e.g., increasing RAM via VMware), as they cannot be configured through Endpoint Analytics.

Adding new interfaces#

To add a new interface (for ERSPAN traffic) to the Endpoint Analytics virtual appliance, follow these steps:

  1. In vCenter, right-click the Endpoint Analytics VM, and then select Edit Settings….

  2. Select Add New Device, and then select Network Adapter from the dropdown.

After the new interface has been added, it can be configured to receive ERSPAN traffic via the web interface.

Initial configuration#

After the Endpoint Analytics hardware or virtual appliance has been set up, the system will be ready for initial configuration.

Appliance setup#

After powering on the Endpoint Analytics appliance for the first time, log in with the credentials beacon:beacon, and then wait for the device to reboot.

After logging in again, follow the appliance setup prompts as described below to allow access to the web interface:

  1. At the Welcome dialog, verify that the version number displayed matches the version you purchased. When done, select OK, and then press Enter to continue.

  2. Enter the following information in the network configuration dialog:

    • System/appliance hostname (will be required by Plixer Technical Support for licensing)

    • Management interface (ens160) IP address with netmask/CIDR

    • Management interface (ens160) default gateway/router address

    • One or more DNS server IP addresses (comma-separated, without spaces)

    • One or more NTP server FQDNs or IP addresses (comma-separated, without spaces)

  3. Verify that all details are correct, and then select Submit to save the information and proceed.

  4. Continue through the succeeding dialogs, and then select Yes to accept the EULA when prompted.

  5. When prompted, enter a password for the beacon appliance user account, and then press Enter. You will be asked to enter the password twice.

  6. When prompted, enter a password for the admin web interface user account.

  7. Enter the requested SSL details to create a self-signed certificate and certificate signing request (CSR).

An Installation Complete dialog will confirm the completion of the appliance setup process. To complete the configuration process, access the web interface by navigating to https://[APPLIANCE_ADDRESS] in a supported browser.

Note

  • To abort the setup script, press Ctrl+C or select Cancel/No at any time. The script and its auxiliary runmodes can be re-run from the CLI at a later time using the beaconctl command set.

  • When multiple DNS servers are defined, they are queried in the order entered when resolving IP addresses.

  • The self-signed certificate created during setup can later be replaced with a CA-signed certificate as described here.

Licensing and SSL#

Upon logging in to the Endpoint Analytics web interface for the first time using the admin account, the user will be able to add a license key to activate the product. A CA-signed SSL certificate may also be installed to replace the previously created self-signed certificate at this point.

Adding a license key

An Endpoint Analytics license key can be obtained by contacting Plixer Technical Support. You will be asked to provide your appliance’s unique machine ID, which can be found by navigating to Configuration > Upload License Key in the web interface.

Once acquired, paste the active license key into the field on the Upload License Key page, and then click Upload Key.

After a license key has successfully been uploaded, the Upload License Key page will display the following details for the currently applied license:

  • Appliance hostname

  • License type

  • Expiration date

Note

The dashboard header in the web interface will display a warning message once the system detects that your license key is due to expire within 30 days.

Installing a CA-signed SSL certificate

As long as the system is set to use the self-signed SSL certificate created during the initial configuration process, browsers will return an untrusted certificate warning, which must be overridden to access the web interface.

To avoid this behavior, an SSL certificate that has been signed by an internal or commercial Certificate Authority (CA) will need to be installed:

  1. Navigate to Configuration > Manage Certificate, click the Download CSR button, and then save the Certificate Signing Request to local storage.

  2. Forward the CSR file to the CA for digital signing.

  3. After receiving the Endpoint Analytics appliance certificate and the CA Bundle certificate in PEM format from the CA, copy the files to a location that can be accessed via the Endpoint Analytics web interface.

  4. Return to the Manage Certificate page, and then click the Choose File button under SSL Certificate to browse to the appliance certificate file (.crt).

  5. Still on the Manage Certificate page, click the Choose File button under CA Certificate to browse to the CA certificate file (.pem).

  6. After both files have been selected, click Upload Certificate Files, and then wait for the confirmation that the files have been successfully uploaded.

To verify that the web interface is using the correct SSL certificate, use a browser to navigate to the login page using the FQDN specified in the CA-signed certificate. The browser should no longer return an untrusted certificate warning and the padlock icon in the address bar should be locked instead of open.
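
Before uploading in steps 4 to 6, the files returned by the CA can be checked against the downloaded CSR with the OpenSSL command line. The script below is an added example, not part of the product or its documentation; the file names and the FQDN ea.example.internal are assumptions, and it builds a throwaway CA and certificate (constructed sample data) so that it runs offline.

```shell
#!/bin/sh
# Added example: pre-upload checks for the CA's reply. File names and the FQDN
# ea.example.internal are assumptions, not values from the product.

# SHA-256 of the public key in a CSR (kind=req) or a certificate (kind=x509).
pubkey_fp() {
    openssl "$1" -in "$2" -noout -pubkey | openssl sha256 | awk '{print $NF}'
}

# check_signed_cert CSR CERT CA_BUNDLE FQDN -> 0 when the files are consistent.
check_signed_cert() {
    csr=$1 cert=$2 bundle=$3 fqdn=$4
    # 1. The downloaded CSR is intact (its self-signature verifies).
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q "verify OK" ||
        { echo "CSR is corrupt"; return 1; }
    # 2. The certificate carries the same public key as the CSR, so it
    #    belongs to the private key held on the appliance.
    [ "$(pubkey_fp req "$csr")" = "$(pubkey_fp x509 "$cert")" ] ||
        { echo "certificate was issued for a different key"; return 2; }
    # 3. The certificate chains to the CA bundle that will be uploaded with it.
    openssl verify -CAfile "$bundle" "$cert" >/dev/null 2>&1 ||
        { echo "certificate does not chain to the CA bundle"; return 3; }
    # 4. The certificate names the FQDN users will browse to.
    openssl x509 -in "$cert" -noout -checkhost "$fqdn" | grep -q "does match" ||
        { echo "certificate does not cover $fqdn"; return 4; }
    # 5. The certificate has not already expired.
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null ||
        { echo "certificate has expired"; return 5; }
}

# Constructed sample files (throwaway CA, CSR, certificate) so this runs offline.
make_sample() {
    d=$1 name=$2
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/ca.key" \
        -out "$d/ca-bundle.pem" -subj "/CN=Constructed Test CA" -days 30 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/appliance.key" \
        -out "$d/appliance.csr" -subj "/CN=$name" 2>/dev/null
    printf 'subjectAltName=DNS:%s\n' "$name" > "$d/san.ext"
    openssl x509 -req -in "$d/appliance.csr" -CA "$d/ca-bundle.pem" \
        -CAkey "$d/ca.key" -CAcreateserial -extfile "$d/san.ext" -days 30 \
        -out "$d/appliance.crt" 2>/dev/null
}

tmp=$(mktemp -d)
make_sample "$tmp" ea.example.internal
check_signed_cert "$tmp/appliance.csr" "$tmp/appliance.crt" \
    "$tmp/ca-bundle.pem" ea.example.internal && echo "consistent: OK to upload"
```

With real files, only `check_signed_cert` is needed: pass it the CSR downloaded in step 1, the two PEM files received in step 3, and the appliance FQDN. A non-zero return identifies which check failed.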