
Sheriff CSM™

Deploy Sheriff CSM Using Hyper-V Manager

Microsoft Hyper-V is a hypervisor that lets you create and manage virtual machines by using virtualization technology built into Windows Server. Starting from Sheriff CSM version 5.3.4, Sheriff CSM for Hyper-V is available in a Virtual Hard Disk (VHD) format, tested on the latest version of the following Windows operating systems:

  • Windows Server 2008 SP2
  • Windows Server 2008 R2 SP2
  • Windows Server 2012
  • Windows Server 2012 R2
  • Windows Server 2016

You can deploy Sheriff CSM using Microsoft Hyper-V Manager, an administrative tool for managing local and remote Hyper-V hosts.

Prerequisites

The requirements for deploying Sheriff CSM in Hyper-V are the same as for the other virtual appliances that Sheriff supports. See Virtual Machine Requirements for details. However, to meet the requirements, you must first enable hyper-threading in the system BIOS. Refer to this virtualization blog post from Microsoft for an explanation.

You must also have downloaded the Hyper-V image file from Sheriff and unzipped it to a location that you can access from the Hyper-V Manager.

Note: Due to the size of the image file, the built-in zip utility on Windows Server 2008 (all versions) cannot unzip the file. You can use 7-Zip or WinZip instead.

Create the Virtual Machine

To create a virtual machine using the Hyper-V Manager:
  1. Open the Hyper-V Manager.

  2. In the Actions panel, click New > Virtual Machine.

    The New Virtual Machine Wizard opens.

  3. Go to Specify Name and Location and type a name for your new virtual machine.

    New Virtual Machine Wizard in Hyper-V Manager

  4. Click Next.

  5. Choose Generation 1 for this virtual machine and click Next.

  6. Change the value of the Startup Memory:

    • For Sheriff CSM Standard deployment options (including Standard Server, Standard Logger, and Standard Sensor (Deputy)), type 24576 MB.
    • For Sheriff CSM All-in-One, type 16384 MB.
    • For Sheriff CSM Remote Sensor, type 8192 MB.
  7. Click Next.

  8. Select the network adapter connected to the network you want to monitor and click Next.

  9. Select Use an existing virtual hard disk and click Browse to locate the Hyper-V VHD file.

  10. Click Next and on the summary page, click Finish.

Configure the Virtual Machine

To configure a virtual machine using the Hyper-V Manager:
  1. Select the Sheriff CSM virtual machine that you created and click Settings.

    A new window opens.

  2. Click Processor in the left panel:

    • For Sheriff CSM All-in-One and Sheriff CSM Standard deployment options (including Standard Server, Standard Logger, and Standard Sensor), set the number of virtual processors to 8.
    • For Sheriff CSM Remote Sensor, set the number of virtual processors to 4.

      Hyper-V Manager specify virtual processors

  3. Click Apply.

  4. Click Add Hardware > Network Adapter > Add to add network interfaces. Note: Sheriff CSM All-in-One supports 6 network interfaces and Sheriff CSM Remote Sensor supports 2 network interfaces. Sheriff recommends that you have at least two network interfaces, one for management and the other for network IDS.

  5. (Optional) If using VLAN, in VLAN ID, select Enable virtual LAN identification and specify the VLAN ID in the box.

  6. In Bandwidth Management, leave the option unchecked since enabling bandwidth management introduces the risk of packet loss.

    Hyper-V Manager adding network adapter

  7. Click Apply.

  8. Repeat Steps 4 through 7 to add more network interfaces.

Configure Port Mirroring

Note: This procedure is optional. Port mirroring configuration is only supported in Windows Server 2012 and later.

To configure port mirroring, follow the steps below when adding network adapters:
  1. In the left panel, click the plus sign (+) next to the network adapter you are adding, and then click Advanced Features.
  2. Locate Mirroring mode in the Port mirroring section, select Destination, and then click OK.

    Setting up port mirroring in Hyper-V Manager

  3. Open a PowerShell session as administrator.
  4. To set up virtual switches in promiscuous mode for monitoring external traffic, run the following:

    $portFeature = Get-VMSystemSwitchExtensionPortFeature -FeatureId 776e0ba7-94a1-41c8-8f28-951f524251b5
    $portFeature.SettingData.MonitorMode = 2
    Add-VMSwitchExtensionPortFeature -ExternalPort -SwitchName <mySwitch> -VMSwitchExtensionFeature $portFeature

    where <mySwitch> denotes the name of the virtual switch.

    With this example, all traffic going through the virtual switch will be mirrored to any VM whose mirroring mode has been set to "Destination".

  5. Alternatively, to set up virtual switches in promiscuous mode for monitoring internal traffic, run the following:

    $portFeature = Get-VMSystemSwitchExtensionPortFeature -FeatureId 776e0ba7-94a1-41c8-8f28-951f524251b5
    $portFeature.SettingData.MonitorMode = 2
    Add-VMSwitchExtensionPortFeature -ManagementOS -VMSwitchExtensionFeature $portFeature

    Note: The -ManagementOS option does not allow you to specify a switch, so all virtual switches, including the shared management NIC port, will be set in monitoring mode.

  6. To set up virtual switches in promiscuous mode for monitoring both internal and external traffic, run the following:

    $portFeature = Get-VMSystemSwitchExtensionPortFeature -FeatureId 776e0ba7-94a1-41c8-8f28-951f524251b5
    $portFeature.SettingData.MonitorMode = 2
    Add-VMSwitchExtensionPortFeature -ExternalPort -SwitchName <mySwitch> -VMSwitchExtensionFeature $portFeature
    Add-VMSwitchExtensionPortFeature -ManagementOS -VMSwitchExtensionFeature $portFeature

    Note: In the steps above, MonitorMode 0 = None, 1 = Destination, and 2 = Source.
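
To check the result of the configuration and port mirroring steps above, the following added example (not part of Sheriff's documentation or tooling) audits one VM against the sizing values on this page and reports every other VM on the host that also receives mirrored traffic. The function name, its parameter names and the deployment labels are hypothetical; it assumes the Hyper-V PowerShell module on Windows Server 2012 or later and an elevated session.

```powershell
# Added example, not Sheriff's own tooling. Test-SheriffVM, -Deployment and the
# deployment labels are hypothetical names; the sizing values come from this page.
function Test-SheriffVM {
    param(
        [Parameter(Mandatory = $true)] [string] $VMName,
        [ValidateSet('Standard', 'AllInOne', 'RemoteSensor')] [string] $Deployment = 'AllInOne',
        [string] $SwitchName   # optional: switch whose external port should be a mirroring source
    )
    $sizing = @{
        Standard     = @{ MemoryMB = 24576; Processors = 8 }
        AllInOne     = @{ MemoryMB = 16384; Processors = 8 }
        RemoteSensor = @{ MemoryMB = 8192;  Processors = 4 }
    }
    $want     = $sizing[$Deployment]
    $vm       = Get-VM -Name $VMName -ErrorAction Stop
    $nics     = @(Get-VMNetworkAdapter -VMName $VMName)
    $findings = @()

    # Generation is not reported on Windows Server 2012, so only flag a known mismatch
    if ($vm.Generation -and $vm.Generation -ne 1) {
        $findings += "Generation $($vm.Generation), expected 1"
    }
    if ($vm.MemoryStartup -ne $want.MemoryMB * 1MB) {
        $findings += "Startup memory $($vm.MemoryStartup / 1MB) MB, expected $($want.MemoryMB) MB"
    }
    if ($vm.ProcessorCount -ne $want.Processors) {
        $findings += "$($vm.ProcessorCount) virtual processors, expected $($want.Processors)"
    }
    if ($nics.Count -lt 2) {
        $findings += 'Fewer than two network interfaces (management and network IDS)'
    }
    if (-not ($nics | Where-Object { $_.PortMirroringMode -eq 'Destination' })) {
        $findings += 'No adapter on this VM has mirroring mode Destination'
    }
    # Any other VM set to Destination receives the same mirrored traffic
    foreach ($nic in (Get-VMNetworkAdapter -VMName *)) {
        if ($nic.PortMirroringMode -eq 'Destination' -and $nic.VMName -ne $VMName) {
            $findings += "Mirrored traffic also reaches $($nic.VMName) / $($nic.Name)"
        }
    }
    if ($SwitchName) {
        $feature = Get-VMSwitchExtensionPortFeature -ExternalPort -SwitchName $SwitchName -FeatureId 776e0ba7-94a1-41c8-8f28-951f524251b5
        if (-not $feature -or $feature.SettingData.MonitorMode -ne 2) {
            $findings += "External port of '$SwitchName' is not in MonitorMode 2 (Source)"
        }
    }
    return $findings
}
```

Call it as `Test-SheriffVM -VMName <myVM> -Deployment RemoteSensor -SwitchName <mySwitch>`; an empty result means no deviation from the settings on this page was found.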

Start the Virtual Machine

To start the virtual machine using the Hyper-V Manager:
  1. Select your virtual machine and click Start on the right panel.

  2. The system initialization screen appears and you will see the console to access Sheriff CSM from the command line.
Topic revision: r24 - 08 Jun 2022, SheriffCyberSecurity
Copyright 2020 Sheriff Cyber Security, LLC. All rights reserved.