Manage the on-premises management console
This article covers on-premises management console options such as backup and restore, downloading the committed device activation file, updating certificates, and setting up a proxy to sensors.
You onboard the on-premises management console from the Azure portal.
Upload an activation file
When you first sign in, an activation file for the on-premises management console is downloaded. This file contains the aggregate committed devices that are defined during the onboarding process. The list includes sensors associated with multiple subscriptions.
After initial activation, the number of monitored devices might exceed the number of committed devices defined during onboarding. This event might happen, for example, if you connect more sensors to the management console. If there's a discrepancy between the number of monitored devices and the number of committed devices, a warning appears in the management console. If this event occurs, you should upload a new activation file.
To upload an activation file:
Go to the Azure Defender for IoT Pricing page.
Select the Download the activation file for the management console tab. The activation file is downloaded.
Select System Settings from the management console.
Select Choose a File and select the file that you saved.
Following on-premises management console installation, a local self-signed certificate is generated and used to access the web application. When logging in to the on-premises management console for the first time, Administrator users are prompted to provide an SSL/TLS certificate.
Administrators may be required to update certificates that were uploaded after initial login. This may happen, for example, if a certificate expired.
To update a certificate:
Select System Settings.
Select SSL/TLS Certificates.
In the SSL/TLS Certificates dialog box, delete the existing certificate and add a new one.
- Add a certificate name.
- Upload a CRT file and key file.
- Upload a PEM file if necessary.
If the upload fails, contact your security or IT administrator, or review the information in About Certificates.
To change the certificate validation setting:
Enable or disable the Enable Certificate Validation toggle. If the option is enabled and validation fails, communication between relevant components is halted and a validation error is presented in the console. If disabled, certificate validation is not carried out. See About certificate validation for more information.
For more information about first-time certificate upload, see First-time sign-in and activation checklist.
Define backup and restore settings
The on-premises management console system backup is performed automatically, daily. The data is saved on a different disk. The default location is
You can automatically transfer this file to the internal network.
You can perform the backup and restore procedure on the same version only.
To back up the on-premises management console machine:
- Sign in to an administrative account and enter
sudo cyberx-management-backup -full
To restore the latest backup file:
- Sign in to an administrative account and enter
$ sudo cyberx-management-system-restore
To save the backup to an external SMB server:
Create a shared folder in the external SMB server.
Get the folder path, username, and password required to access the SMB server.
In Defender for IoT, make a directory for the backups:
sudo mkdir /<backup_folder_name_on_server>
sudo chmod 777 /<backup_folder_name_on_server>/
sudo nano /etc/fstab
add - //<server_IP>/<folder_path> /<backup_folder_name_on_server> cifs rw,credentials=/etc/samba/user,vers=3.0,uid=cyberx,gid=cyberx,file_mode=0777,dir_mode=0777 0 0
Edit or create credentials for the SMB server to share:
sudo nano /etc/samba/user
Mount the directory:
sudo mount -a
Configure a backup directory to the shared folder on the Defender for IoT on-premises management console:
sudo nano /var/cyberx/properties/backup.properties
set Backup.shared_location to <backup_folder_name_on_server>
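The SMB procedure above leaves the share password in /etc/samba/user and the mount options in /etc/fstab, so both are worth checking once the mount works. The following script is an added example, not part of the original article or the product: it reads the cifs entry for the backup mount point and reports an inline password, a missing credentials file, or one readable by group or other. The function names, the /mgmt_backups mount point and the 192.0.2.10 address are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the product): audit the cifs backup entry in fstab.
# Usage: audit_cifs_backup FSTAB_FILE MOUNT_POINT
# Prints findings; returns 0 = no FAIL, 1 = at least one FAIL, 2 = entry missing.
audit_cifs_backup() {
    fstab=$1; mnt=$2; status=0; cred=""
    # fstab fields: 1 device, 2 mount point, 3 type, 4 options
    opts=$(awk -v m="$mnt" '$1 !~ /^#/ && $2 == m && $3 == "cifs" {print $4; exit}' "$fstab")
    if [ -z "$opts" ]; then
        echo "MISSING: no cifs entry for $mnt in $fstab"; return 2
    fi
    old_ifs=$IFS; IFS=,
    for o in $opts; do
        case $o in
            password=*|pass=*)
                echo "FAIL: SMB password is inline in $fstab, which is normally world-readable"
                status=1 ;;
            credentials=*|cred=*)
                cred=${o#*=} ;;
            file_mode=*[2367]|dir_mode=*[2367])
                echo "WARN: $o grants write access on the mount to every local user" ;;
        esac
    done
    IFS=$old_ifs
    if [ -z "$cred" ]; then
        echo "FAIL: no credentials= option on the $mnt entry"; status=1
    elif [ ! -f "$cred" ]; then
        echo "FAIL: credentials file $cred does not exist"; status=1
    elif [ "$(ls -ld "$cred" | cut -c5-10)" != "------" ]; then
        # Characters 5-10 of the ls mode string are the group and other bits.
        echo "FAIL: $cred is accessible to group/other; expected mode 600"; status=1
    fi
    return $status
}

# Constructed demo: a temporary fstab using the page's option string, with a
# documentation-range address and a throwaway credentials file left at mode 644.
demo_audit() {
    d=$(mktemp -d) || return 2
    printf 'username=backup_user\npassword=constructed-example\n' > "$d/user"
    chmod 644 "$d/user"
    printf '//192.0.2.10/backups /mgmt_backups cifs rw,credentials=%s,vers=3.0,uid=cyberx,gid=cyberx,file_mode=0777,dir_mode=0777 0 0\n' "$d/user" > "$d/fstab"
    audit_cifs_backup "$d/fstab" /mgmt_backups; rc=$?
    rm -rf "$d"
    return $rc
}
demo_audit || echo "audit exit status: $?"
```

On the appliance, the equivalent call after sudo mount -a is audit_cifs_backup /etc/fstab /<backup_folder_name_on_server>.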
Edit the host name
To edit the management console's host name configured in the organizational DNS server:
In the management console's left pane, select System Settings.
In the console's networking section, select Network.
Enter the host name configured in the organizational DNS server.
Define VLAN names
VLAN names are not synchronized between the sensor and the management console. Define identical names on components.
In the networking area, select VLAN and add names to the discovered VLAN IDs. Then select Save.
Define a proxy to sensors
Enhance system security by preventing user sign-in directly to the sensor. Instead, use proxy tunneling to let users access the sensor from the on-premises management console with a single firewall rule. This enhancement narrows the possibility of unauthorized access to the network environment beyond the sensor.
Use a proxy in environments where there's no direct connectivity to sensors.
The following procedure connects a sensor to the on-premises management console and enables tunneling on that console:
Sign in to the on-premises management console appliance CLI with administrative credentials.
Type sudo cyberx-management-tunnel-enable and select Enter.
Type --port 10000 and select Enter.
Adjust system properties
System properties control various operations and settings in the management console. Editing or modifying them might damage the management console's operation. Consult with Microsoft Support before changing your settings.
To access system properties:
Sign in to the on-premises management console or the sensor.
Select System Settings.
Select System Properties from the General section.
Change the name of the on-premises management console
You can change the name of the on-premises management console. The new name appears in the console web browser, in various console windows, and in troubleshooting logs. The default name is management console.
To change the name:
In the bottom of the left pane, select the current name.
In the Edit management console configuration dialog box, enter the new name. The name can't be longer than 25 characters.
Select Save. The new name is applied.
Password recovery for your on-premises management console is tied to the subscription that the device is attached to. You can't recover a password if you don't know which subscription a device is attached to.
To reset your password:
Go to the on-premises management console's sign-in page.
Select Password Recovery.
Copy the unique identifier.
Go to the Defender for IoT Sites and sensors page and select the Recover my password tab.
Enter the unique identifier and select Recover. The activation file is downloaded.
Go to the Password Recovery page and upload the activation file.
You're now given your username and a new system-generated password.
The sensor is linked to the subscription that it was originally connected to. You can recover the password only by using the same subscription that it's attached to.
Update the software version
The following procedure describes how to update the on-premises management console software version. The update process takes about 30 minutes.
If you are working with an on-premises management console and managed sensors, update the management console first.
Go to the Azure portal.
Go to Defender for IoT.
Go to the Updates page.
Select a version from the on-premises management console section.
Select Download and save the file.
Sign in to the on-premises management console and select System Settings from the side menu.
On the Version Update pane, select Update.
Select the file that you downloaded from the Defender for IoT Updates page.
Mail server settings
Define SMTP mail server settings for the on-premises management console.
- Sign in to the CLI for the on-premises management console with administrative credentials.
- Select Enter. The following prompts appear.
- Enter the SMTP server name and sender and select Enter.