Activate and set up your on-premises management console

Activation and setup of the on-premises management console ensures that:

  • Network devices that you're monitoring through connected sensors are registered with an Azure account.

  • Sensors send information to the on-premises management console.

  • The on-premises management console carries out management tasks on connected sensors.

  • You have installed an SSL certificate.

Sign in for the first time

To sign in to the management console:

  1. Navigate to the IP address you received for the on-premises management console during the system installation.

  2. Enter the username and password you received for the on-premises management console during the system installation.

If you forgot your password, select the Recover Password option, and see Password recovery for instructions on how to recover your password.

Activate the on-premises management console

After you sign in for the first time, you will need to activate the on-premises management console by getting, and uploading an activation file.

To activate the on-premises management console:

  1. Sign in to the on-premises management console.

  2. In the alert notification at the top of the screen, select the Take Action link.

    Select the Take Action link from the alert on the top of the screen.

  3. In the Activation popup screen, select the Azure portal link.

    Select the Azure portal link from the popup message.

  4. Select a subscription to associate the on-premises management console to, and then select the Download on-premises management console activation file button. The activation file is downloaded.

    The on-premises management console can be associated to one, or more subscriptions. The activation file will be associated with all of the selected subscriptions, and the number of committed devices at the time of download.

    You can select multiple subscriptions to onboard your on-premises management console to.

    If you have not already onboarded a subscription, then Onboard a subscription.

    Note

    If you delete a subscription, you will need to upload a new activation file to all on-premises management console that was affiliated with the deleted subscription.

  5. Navigate back to the Activation popup screen and select Choose File.

  6. Select the downloaded file.

After initial activation, the number of monitored devices can exceed the number of committed devices defined during onboarding. This issue occurs if you connect more sensors to the management console. If there's a discrepancy between the number of monitored devices, and the number of committed devices, a warning will appear on the management console.

If you see the device commitment warning, you will need to upload a new activation file.

If this warning appears, you need to upload a new activation file.

Activate an expired license (versions under 10.0)

For users with versions prior to 10.0, your license may expire, and the following alert will be displayed.

When your license expires you will need to update your license through the activation file.

To activate your license:

  1. Open a case with support..

  2. Supply support with your Activation ID number.

  3. Support will supply you with new license information in the form of a string of letters.

  4. Read the terms and conditions, and check the checkbox to approve.

  5. Paste the string into space provided.

    Paste the string into the provided field.

  6. Select Activate.

Set up a certificate

After you install the management console, a local self-signed certificate is generated. This certificate is used to access the console. After an administrator signs in to the management console for the first time, that user is prompted to onboard an SSL/TLS certificate.

Two levels of security are available:

  • Meet specific certificate and encryption requirements requested by your organization by uploading the CA-signed certificate.

  • Allow validation between the management console and connected sensors. Validation is evaluated against a certificate revocation list and the certificate expiration date. If validation fails, communication between the management console and the sensor is halted and a validation error is presented in the console. This option is enabled by default after installation.

The console supports the following types of certificates:

  • Private and Enterprise Key Infrastructure (private PKI)

  • Public Key Infrastructure (public PKI)

  • Locally generated on the appliance (locally self-signed)

    Important

    We recommend that you don't use a self-signed certificate. The certificate is not secure and should be used for test environments only. The owner of the certificate can't be validated, and the security of your system can't be maintained. Never use this option for production networks.

To upload a certificate:

  1. When you're prompted after sign-in, define a certificate name.

  2. Upload the CRT and key files.

  3. Enter a passphrase and upload a PEM file if necessary.

You may need to refresh your screen after you upload the CA-signed certificate.

To disable validation between the management console and connected sensors:

  1. Select Next.

  2. Turn off the Enable system-wide validation toggle.

For information about uploading a new certificate, supported certificate files, and related items, see Manage the on-premises management console.

Connect sensors to the on-premises management console

Ensure that sensors send information to the on-premises management console, and that the on-premises management console can perform backups, manage alerts, and carry out other activity on the sensors. To do that, use the following procedures to verify that you make an initial connection between sensors and the on-premises management console.

Two options are available for connecting Azure Defender for IoT sensors to the on-premises management console:

  • Connect from the sensor console

  • Connect by using tunneling

After connecting, you must set up a site with these sensors.

Connect sensors to the on-premises management console from the sensor console

To connect sensors to the on-premises management console from the sensor console:

  1. On the on-premises management console, select System Settings.

  2. Copy the Copy Connection String.

    Copy the connection string for the sensor.

  3. On the sensor, navigate to System Settings and select Connection to Management Console

  4. Paste the copied connection string from the on-premises management console into the Connection string field.

    Paste the copied connection string into the connection string field.

  5. Select Connect.

Connect sensors by using tunneling

Enable a secured tunneling connection between organizational sensors and the on-premises management console. This setup circumvents interaction with the organizational firewall, and as a result reduces the attack surface.

Using tunneling allows you to connect to the on-premises management console from its IP address and a single port (that is, 9000) to any sensor.

To set up tunneling at the on-premises management console:

  • Sign in to the on-premises management console and run the following commands:

    cyberx-management-tunnel-enable
    service apache2 reload
    sudo cyberx-management-tunnel-add-xsense --xsenseuid <sensorIPAddress> --xsenseport 9000
    service apache2 reload
    

To set up tunneling on the sensor:

  1. Open TCP port 9000 on the sensor (network.properties) manually. If the port is not open, the sensor will reject the connection from the on-premises management console.

  2. Sign in to each sensor and run the following commands:

    sudo cyberx-xsense-management-connect -ip <on-premises management console IP Address> -token < Copy the string that appears after the IP colon (:) from the Connection String field, Management Console Connection dialog box>
    sudo cyberx-xsense-management-tunnel
    sudo vi /var/cyberx/properties/network.properties
    opened_tcp_incoming_ports=22,80,443,9000
    sudo cyberx-xsense-network-validation
    sudo /etc/network/if-up.d/iptables-recover
    sudo iptables -nvL
    

Set up a site

The default enterprise map provides an overall view of your devices according to several levels of geographical locations.

The view of your devices might be required where the organizational structure and user permissions are complex. In these cases, site setup might be determined by a global organizational structure, in addition to the standard site or zone structure.

To support this environment, you need to create a global business topology that's based on your organization's business units, regions, sites, and zones. You also need to define user access permissions around these entities by using access groups.

Access groups enable better control over where users manage and analyze devices in the Defender for IoT platform.

How it works

You can define a business unit, and a region for each site in your organization. You can then add zones, which are logical entities that exist in your network.

Assign at least one sensor per zone. The five-level model provides the flexibility and granularity required to deliver the protection system that reflects the structure of your organization.

Diagram showing sensors and regional relationship.

Using the Enterprise View, you can edit your sites directly. When you select a site from the Enterprise View, the number of open alerts appears next to each zone.

Screenshot of an on-premises management console map with Berlin data overlay.

To set up a site:

  1. Add new business units to reflect your organization's logical structure.

    1. From the Enterprise view, select All Sites > Manage Business Units.

      Select manage business unit from the all sites drop down menu on the enterprise view screen.

    2. Enter the new business unit name and select ADD.

  2. Add new regions to reflect your organization's regions.

    1. From the Enterprise View, select All Regions > Manage Regions.

    Select all regions and then manage regions to manage the regions in your enterprise.

    1. Enter the new region name and select ADD.
  3. Add a site.

    1. From the Enterprise view, select on the top bar. Your cursor appears as a plus sign (+).

    2. Position the + at the location of the new site and select it. The Create New Site dialog box opens.

      Screenshot of the Create New Site view.

    3. Define the name and the physical address for the new site and select SAVE. The new site appears on the site map.

  4. Add zones to a site.

  5. Connect the sensors.

  6. Assign sensor to site zones.

Delete a site

If you no longer need a site, you can delete it from your on-premises management console.

To delete a site:

  1. In the Site Management window, select from the bar that contains the site name, and then select Delete Site. The confirmation box appears, verifying that you want to delete the site.

  2. In the confirmation box, select CONFIRM.

Create enterprise zones

Zones are logical entities that enable you to divide devices within a site into groups according to various characteristics. For example, you can create groups for production lines, substations, site areas, or types of devices. You can define zones based on any characteristic that's suitable for your organization.

You configure zones as a part of the site configuration process.

Screenshot of the Site Management Zones view.

The following table describes the parameters in the Site Management window.

Parameter Description
Name The name of the sensor. You can change this name only from the sensor. For more information, see the Defender for IoT user guide.
IP The sensor IP address.
Version The sensor version.
Connectivity The sensor connectivity status. The status can be Connected or Disconnected.
Last Upgrade The date of the last upgrade.
Upgrade Progress The progress bar shows the status of the upgrade process, as follows:
- Uploading package
- Preparing to install
- Stopping processes
- Backing up data
- Taking snapshot
- Updating configuration
- Updating dependencies
- Updating libraries
- Patching databases
- Starting processes
- Validating system sanity
- Validation succeeded
- Success
- Failure
- Upgrade started
- Starting installation

For details about upgrading, refer to Microsoft Support for help.
Devices The number of OT devices that the sensor monitors.
Alerts The number of alerts on the sensor.
Enables assigning a sensor to zones.
Enables deleting a disconnected sensor from the site.
Indicates how many sensors are currently connected to the zone.
Indicates how many OT assets are currently connected to the zone.
Indicates the number of alerts sent by sensors that are assigned to the zone.
Unassigns sensors from zones.

To add a zone to a site:

  1. In the Site Management window, select from the bar that contains the site name, and then select Add Zone. The Create New Zone dialog box appears.

    Screenshot of the Create New Zone view.

  2. Enter the zone name.

  3. Enter a description for the new zone that clearly states the characteristics that you used to divide the site into zones.

  4. Select SAVE. The new zone appears in the Site Management window under the site that this zone belongs to.

To edit a zone:

  1. In the Site Management window, select from the bar that contains the zone name, and then select Edit Zone. The Edit Zone dialog box appears.

    Screenshot that shows the Edit Zone dialog box.

  2. Edit the zone parameters and select SAVE.

To delete a zone:

  1. In the Site Management window, select from the bar that contains the zone name, and then select Delete Zone.

  2. In the confirmation box, select YES.

To filter according to the connectivity status:

  • From the upper-left corner, select next to Connectivity, and then select one of the following options:

    • All: Presents all the sensors that report to this on-premises management console.

    • Connected: Presents only connected sensors.

    • Disconnected: Presents only disconnected sensors.

To filter according to the upgrade status:

  • From the upper-left corner, select next to Upgrade Status and select one of the following options:

    • All: Presents all the sensors that report to this on-premises management console.

    • Valid: Presents sensors with a valid upgrade status.

    • In Progress: Presents sensors that are in the process of upgrade.

    • Failed: Presents sensors whose upgrade process has failed.

Assign sensors to zones

For each zone, you need to assign sensors that perform local traffic analysis and alerting. You can assign only the sensors that are connected to the on-premises management console.

To assign a sensor:

  1. Select Site Management. The unassigned sensors appear in the upper-left corner of the dialog box.

    Screenshot of the Unassigned Sensors view.

  2. Verify that the Connectivity status is connected. If not, see Connect sensors to the on-premises management console for details about connecting.

  3. Select for the sensor that you want to assign.

  4. In the Assign Sensor dialog box, select the business unit, region, site, and zone to assign.

    Screenshot of the Assign Sensor view.

  5. Select ASSIGN.

To unassign and delete a sensor:

  1. Disconnect the sensor from the on-premises management console. See Connect sensors to the on-premises management console for details.

  2. In the Site Management window, select the sensor and select . The sensor appears in the list of unassigned sensors after a few moments.

  3. To delete the unassigned sensor from the site, select the sensor from the list of unassigned sensors and select .

See also

Troubleshoot the sensor and on-premises management console