Install a Sensor Via OVA

If an organization is hosting a Sensor on its own hardware, a virtual machine package (OVA file) that contains a Sensor configured for that organization can be used as a streamlined alternative to the manual command-line installation and configuration. This involves:

  • Downloading the virtual machine package from that organization
  • Changing the virtual machine password
  • Initializing the Sensor
  • Configuring the Sensor

The Sensor runs in the virtual machine that contains a preconfigured operating system and software. The virtual machine itself is configured to meet the requirements as described in Sensor Prerequisites.

About OVA files

An OVA file is a tar archive file that contains an OVF package. OVF stands for open virtualization format, an open standard for packaging and distributing software to be run in virtual machines. An OVF package contains a description of all the files in the package, one or more disk images of virtual machines, and sometimes certificate and other supporting files. OVF is supported by more than a dozen virtualization providers, including VirtualBox, Red Hat Enterprise Virtualization, and VMware.

The OVA file that you can download is a package that contains a virtual machine disk image configured to install, run, and manage a Sensor.
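
Because an OVA is a plain tar archive, its members can be checked against the package manifest before the image is imported. The following is an added example, not part of the original documentation or the vendor's tooling; it assumes the package carries an OVF manifest (.mf), and the file names and sample archive are constructed.

```python
import hashlib
import io
import re
import tarfile

# OVF manifest (.mf) lines look like: SHA256(sensor-disk1.vmdk)= <hex digest>
MF_LINE = re.compile(r"^(SHA1|SHA256|SHA512)\((.+)\)\s*=\s*([0-9a-fA-F]+)\s*$", re.M)


def check_ova(fileobj):
    """Return {member: status} for an OVA opened as a seekable binary file."""
    wanted, report = {}, {}
    with tarfile.open(fileobj=fileobj, mode="r:") as tar:  # pass 1: read the manifest
        for m in tar:
            if m.isfile() and m.name.endswith(".mf"):
                text = tar.extractfile(m).read().decode("utf-8", "replace")
                for algo, name, digest in MF_LINE.findall(text):
                    wanted[name] = (algo.lower(), digest.lower())
    fileobj.seek(0)
    with tarfile.open(fileobj=fileobj, mode="r:") as tar:  # pass 2: hash each member
        for m in tar:
            if not m.isfile() or m.name.startswith("/") or ".." in m.name.split("/"):
                report[m.name] = "unsafe member"  # an OVF package holds plain files only
            elif m.name.endswith((".mf", ".cert")):
                report[m.name] = "metadata"
            elif m.name not in wanted:
                report[m.name] = "not in manifest"
            else:
                algo, digest = wanted[m.name]
                h, src = hashlib.new(algo), tar.extractfile(m)
                for chunk in iter(lambda: src.read(1 << 20), b""):
                    h.update(chunk)  # streamed, because the disk image is large
                report[m.name] = "ok" if h.hexdigest() == digest else "digest mismatch"
    report.update({n: "listed but missing" for n in wanted if n not in report})
    return report


def build_sample_ova(disk=b"\x00" * 64):
    """Constructed sample OVA; its manifest always describes the all-zero disk."""
    good = {"sensor.ovf": b"<Envelope/>", "sensor-disk1.vmdk": b"\x00" * 64}
    mf = "".join(f"SHA256({n})= {hashlib.sha256(d).hexdigest()}\n" for n, d in good.items())
    files = {**good, "sensor-disk1.vmdk": disk, "sensor.mf": mf.encode()}
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return io.BytesIO(buf.getvalue())
```

A matching digest shows only that a member agrees with the manifest shipped in the same archive, so it catches corruption or partial downloads rather than proving who built the package.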

Download the virtual machine package (OVA file) for an organization

Prerequisites

You will need a blank text file, into which you will paste information generated by this procedure that you will need later. This information includes:

  • A URL that is unique for your organization.
  • A provisioning key, which is a random sequence of 6 words that you will use to initialize the Sensor after you install it. (This is not a license file. It validates the link between the Sensor and your organization in Cloud Email Protection.)

  1. Go to Manage > Sensors.
  2. Click the Installation tab.
  3. Click Download Sensor Installer > OVA Image.
  4. Copy both the URL to the download and the provisioning key and save them to a text file.
  5. The URL is the location from which you will download the OVA file, and the provisioning key is a random sequence of 6 words that you will need later to complete the Sensor install. The download link expires at the date and time stated in the download dialog box. The provisioning key expires 7 days after it was generated.

  6. If your browser changed the file extension to .ovf, change the file extension to .ova. (You must have your operating system configured to view file extensions.)
  7. Click OK.
  8. In a new browser window/tab, paste the URL in the address bar and go to the address. The OVA file will be downloaded automatically to your computer.

The OVA file, about 1.2 GB, contains the most current version of all Sensor software.

NOTE: If you download the OVA file again, a new provisioning key will be generated and the previous key will be invalidated. Note that this will not disable currently provisioned Sensors.

Notes before you begin

TIP: If you’re using a standalone box for the Sensor, the virtualization software (VirtualBox, VMware, etc.) must be installed on the computer you intend to run the Sensor on, and the OVA file that you downloaded must be copied to that machine. If you’re using a hypervisor (only VMware ESXi is supported), the OVA file that you downloaded is then uploaded to a new virtual machine instance on the hypervisor.

NOTE: The first boot of an OVA (the first step of the next task) is slow while it finalizes the software pre-load of the Sensor application. If your boot seems to hang at Loading application bundle, please allow at least 3 minutes to complete.

Change the admin password

  1. Start the virtual machine and import the OVA file. This creates a virtual machine instance in the virtualization software.
  2. From the Sensor management menu, enter 4 (Change Password).
  3. When asked if you want to change the password, enter y.
  4. Enter a new password, and then press Enter. The password must meet the following requirements:
    • Minimum length: 6 characters
    • Must not be similar to username
    • Must not be similar to hostname
    • Must not be similar to old password
    • Requires at least 1 upper case, 1 lower case, 1 digit, and 1 special character
  5. Enter the password again, and then press Enter.

Configure the virtual machine

  1. In the network(ing) section of the virtual machine settings, ensure that the virtual machine can connect to your desired DNS and NTP servers and has HTTP/HTTPS access to AWS. (In some virtualization software, the firewall rules to allow these connections are already enabled.)
  2. Open port 22. The Sensor is made available on port 22. (In some virtualization software, port 22 is opened by default.)
  3. Ensure the rest of the virtual machine's configuration meets the minimum requirements described in Sensor Prerequisites. (The virtual machine should come pre-configured to meet these requirements; this is just a validation step.)
  4. Save the virtual machine settings.

Initialize the Sensor

Initializing the Sensor involves running the first-time sensor setup, which you do by a remote command-line login, not the Sensor management menu in the virtual machine.

Prerequisites

  • The 6-word provisioning key you generated and saved when you downloaded the OVA file
  • If you are using a proxy for HTTP traffic, the hostname, port, username, and password for the proxy
  • If you plan to use SMTP over TLS delivery to the sensor, a private key (.key file), a signed TLS certificate (.pem file), and a certificate chain (.pem file)

  1. Open a command prompt.
  2. If you use SMTP over TLS, use scp to upload your private key and certificate files to /data/tls-certs/
    For example, enter the command
    scp private_key.pem admin@sensor:/data/tls-certs/
  3. SSH into the virtual machine as admin and enter the admin password.
  4. Enter the command first-time-setup and press Enter.
  5. Paste the 6-word provisioning key at the prompt and press Enter.

The Sensor initialization will ask several questions to configure itself correctly for your organization:

Do you want to verify the AWS SSL server certificates used for communications from this sensor to AWS?

Amazon Web Services (AWS) hosts the Cloud Email Protection application, and the SSL server certificates authenticate the connection from the Sensor to Cloud Email Protection.

  • yes (default)
  • no

You may optionally specify a Unix group that will be given read access to logs as well as write access to the Sensor's configuration and data. root is the default group and should be fine for most instances.

Will this Sensor use an HTTPS proxy to send data to the cloud?

If you select yes, you will be prompted to enter the hostname, port, username, and password.

  • yes
  • no (default)

Do you want to configure TLS Certificates for incoming SMTP traffic to this Sensor?

This is necessary if you require traffic to be encrypted from the mail server to the Sensor.

  • yes
  • no (default)

Require that all SMTP sessions use TLS?

  • yes
  • no (default)

Which port should this Sensor listen on for incoming SMTP connections?

25 is the default, and is the traditional well-known port for SMTP. Depending on your infrastructure, you may need to change this. 587 is often used as an alternative to 25 and is useful for unencrypted or TLS connections, and SSL connections often use 465.

Enable DEBUG-level logging?

DEBUG-level logging sends a lot more data, which can be used if there is an issue with the Sensor. The additional data can slow down data processing, so unless there is a known issue with the Sensor, leave this setting at the default value of no.

  • yes: Generates and sends additional data about the processing of each message.
  • no (default): Generates and sends only Sensor data.

Once the initialization is complete, the Sensor is started automatically. After a short wait, you can refresh the Sensors page in the organization and you should see the new Sensor there.

Default sensor configuration

When a Sensor is initialized, it is configured to the following default settings:

Setting                  Value
Status                   Started
Autostart                Enabled
DHCP/Static IP address   DHCP
IP address               Depends on the virtual machine software being used. Most usually have a default value or range of values.
Hostname                 sensor
NTP Server               us.pool.ntp.org

NOTE: While the Sensor can be configured to use DHCP, it requires a static IP address because that IP address is used when configuring other parts of your email infrastructure to communicate with the Sensor. If you do not set a static IP address for the Sensor (see Set a static IP address), you must reserve an IP address lease for the Sensor in your DHCP server.