Instructions on how to install VMWare Esxi and deploy Sophos XG on VMWare Esxi

1.Mục đích bài viết

As you know the Sophos XG firewall in addition to the hard device, we can also configure Sophos XG to run virtualization.

In this article, techbast will guide you how to install VMware Esxi on a physical server and deploy Sophos XG on VMware Esxi.

2.Sơ đồ mạng

The network diagram includes the following components:

  • Internet connection is established on port 1 of the Palo Alto firewall device.
  • The LAN area is set on Port 5 of the Palo Alto device with the IP address 172.16.31.1/24 and on port 5 with DHCP configured.
  • Physical Server device with a single network port will be connected to Port 5 and installed VMWare Esxi 6.7 virtualization software with an administrative IP of 172.16.31.10.
  • In VMWare Esxi that we will have a Sophos XG firewall running virtualized consisting of 2 zones, WAN and LAN.
  • In addition, a virtualized Server 2016 will be connected to Sophos XG’s LAN area.

3. Tình huống cấu hình

In this tutorial, techbast will guide you how to install VMWare Esxi software on the server and then deploy a virtualized Sophos XG firewall with 2 WAN and LAN zones and 1 Server located on the LAN so that Sophos can protection for this server.

4.Các bước cần cấu hình

  • Install VMWare Esxi 6.7 on physical server
  • Install virtual machine run Sophos XG
  • Install virtual machine run Windows Server 2016

5.Configuration

5.1 Install VMWare Esxi 6.7 on physical server

To install VMWare Esxi we need to prepare the following tools:

  • 1 USB is empty
  • 1 file install VMWare Esxi 6.7
  • 1 file install Rufus

The first step we need to install Rufus software on the personal computer.

This Rufus software will help us create a bootable USB used to install VMWare Esxi.

After installing, open the software Rufus and select the following information:

  • Device: you select the USB to create boot.
  • Boot selection: click on SELECT and select the ISO file of VMWare Esxi prepared earlier
  • Click Start to proceed with the boot creation process, it will display a message asking you that all data in the USB will be deleted and you agree or not, here you select OK.
  • About 1 minute is the boot creation process completed.

After creating the USB boot, we plug this USB into the server and boot with it.

Note we need to connect the server to a monitor to perform the installation operations.

When booting with the server, the installation of VMWare Esxi 6.7 will be performed.

After loading the installation files from the USB, a questionnaire will appear if you want to install VMWare Esxi 6.7, press Enter to continue.

Next, press F11 to agree to the terms.

It will perform a hardware scan of the device.

Next, you select the hard drive used to install VMWare Esxi and press the Enter key.

In the language section select US Default and press Enter.

In the root password entry you need to enter the root account’s password into 2 boxes and press Enter.

Note: You need to remember this password because this is the password used to log into the administration page of the software.

Next, press F11 to proceed with the installation.

The installation process will take about 15 minutes, after successful installation press Enter to Reboot the server.

After Reboot, the screen will display as follows.

To configure the admin ip of the device or change the password, press F2 and need to enter the root password that we set to enter the configuration page at the time of installation.

To change the password you select Configure Password, enter the old password and the new password in 3 boxes and press Enter to complete.

Next we will change the administrative IP back to 172.16.31.10 according to the network diagram that we have drawn to put into the system.

To change the IP we choose Configure Management Network > IPv4 Configuration.

The IP settings table appears, since we will set the static ip, we will select Set static IPv4 address and network configuration with the up and down buttons and press enter to select.

Then just enter the following information:

  • IPv4 Address : 172.16.31.10
  • Subnet Mask : 255.255.255.0
  • Default Gateway : 172.16.31.10

Then press Enter and press the Y key to complete the installation.

After the ip configuration is complete, we attach the device to the network as shown in the diagram and use a computer with the same network layer in the system to access the administration page of VMWare Esxi via the link https: //172.16 .31.10.

And the login screen appears, you just need to enter the root account to be able to access the WMWare Esxi administration page.

5.2 Install virtual machine run Sophos XG

To set up Sophos XG on VMware ESXi we need to prepare 1 iso file to install Sophos XG for virtualization.

Note that we need to download the installation file with the word SW ie Sofware in front of the name because this is the right installation for a virtualized environment.

Next we need to upload this setup file on the server’s memory.

To upload, you need to log into the WMWare Esxi administration page> Storage> Datastore browser> select the datastore you want to upload> click upload> select the file to upload and click Open to proceed with upload.

After uploading the Sophos XG installation file successfully we will go to the network card setup.

In the description of the network diagram I have presented above, this server has only 1 internet connection port so how do we deploy the Sophos XG firewall device with many different areas and always need more 2 network cards for deployment.

Foreseeing that the WMWare also support us with a feature that is Virtual Switch.

First when you install WMWare Esxi software, it will itself generate a virtual switch named vSwitch0 and this vSwitch0 will be connected to the only network card that the server has, along with that when vSwitch0 is available, the The software also automatically creates us a Port groups called VM Network so that the virtual machines can use this card to connect to vSwitch0 and access the internet. At that time, the virtual machines using the VM Network card will receive DHCP from the Palo Alto device as model.

You can check vSwitch0 and VM Network port group at Networking> Port groups & Virtual switches.

Thus, when deploying Sophos XG we have the network port for Sophos’ WAN zone, which is VM Network.

Also, if your server has multiple internet ports you can create virtual switches and corresponding port groups.

Next to the internal LAN part of the Sophos XG device we also need to create a virtual switch called Internal.

To create go to Networking> Virtual switches> Add standard virtual switch and enter the following information:

  • vSwitch Name : Internal
  • MTU : 1500
  • Click Add.

Next we need to create corresponding Port Groups for this virtual switch.

To create port group go to Networking> Port Groups> Add port group and fill in the following information:

  • Name : Local
  • VLAN ID : 0
  • Virtual switch : Internal
  • Nhấn ADD.

So we have completed the preparation of the installation file as well as the network cards required to install Sophos XG.

To install Sophos XG we go to Virtual Machine> Create / Register VM.

The New Virtual Machine table appears in part 1 Select creation type, we choose Create a new virtual machine and click Next.

Next in part 2 Select a name and guest OS we enter and select the following information:

  • Name: Sophos XG
  • Compatibility: ESXi 6.7 virtual machine
  • Guest OS family: Linux
  • Guest OS version: Other Linux (64-bit)
  • Click Next.

In the Select storage section, the software will ask you where to store this virtual machine, you can choose according to your choice, here because the server has only one hard drive, click Next.

In the Customize settings section you need to configure the following parameters:

  • CPU: 2
  • Memory: 8192 MB
  • Hard disk 1: 60GB
  • Network Adapter 1: select VM Network
  • Click Add network adapter to add another card and select Local for it.
  • CD/DVD Drive 1: select Datastore ISO file, then the Datastore browser panel pops up, select the Sophos XG installation file that was uploaded earlier.

Then click Next and click Finish to complete.

Once created, click on the Virtual machine and we will see that the Sophos XG virtual machine has been created.

Click on the Sophos XG virtual machine then click the play button to start the virtual machine.

The Sophos XG virtual machine console will appear, press the y key then press Enter to continue the installation process.

Installation takes about 5 to 10 minutes.

After completing the installation press y and press Enter to perform Reboot.

After Reboot, the installation is complete, you can enter the password to view the Sophos XG device configuration (the default password is admin).

Press Accept.

To see ip on the ports we type 1 and press Enter.

Next type 1 and press Enter.

First we will see information for port 1.

Press Enter to see port 2 information.

Then press Enter three times and select 0 to return to the original screen.

As you can see we have completed the installation of the virtualized Sophos XG onto the WMWare Esxi environment. The network cards all got the correct IP as shown in the diagram.

Next, we need to install a Windows Server virtual machine on the LAN area of this virtualized Sophos XG device and make access to the virtualized Sophos XG by the web through its ip lan 172.16.16.16.

5.3 Hướng dẫn cài đặt Windows Server 2016 ảo hóa

Similar to when installing Sophos XG virtualization we need to prepare an ISO file to install Windows Server 2016 and upload it to the server’s drive.

To install Sophos XG we go to Virtual Machine> Create / Register VM.

The New Virtual Machine table appears in part 1 Select creation type, we choose Create a new virtual machine and click Next.

Next in part 2 Select a name and guest OS we enter and select the following information:

  • Name: AD Server
  • Compatibility: ESXi 6.7 virtual machine
  • Guest OS family: Windows
  • Guest OS version: Microsoft Windows Server 2016 (64-bit)
  • Click Next.

In the Select storage section, the software will ask you where to store this virtual machine, you can choose according to your choice, here because the server has only one hard drive, click Next.

In the Customize settings section you need to configure the following parameters:

  • CPU: 2
  • Memory: 8192 MB
  • Hard disk 1: 100GB
  • Network Adapter 1: Select Local (this is Sophos XG’s LAN card)
  • CD/DVD Drive 1: Select Datastore ISO file, then the Datastore browser panel pops up and select the Windows Server installation file that was uploaded earlier.

Then click Next and click Finish to complete.

After creating it, click on Virtual machine and we will see the AD Server virtual machine has been created.

Click on the AD Server virtual machine and then click the play button to start the virtual machine.

Windows Server installation process will be conducted, you need to press Enter to boot into the Windows Server installation file.

Then you choose the configuration as shown below.

The installation will be completed after a few minutes, the virtual machine will automatically restart.

After booting you need to set a password for the server.

After setting the password the virtual machine will load on the standby screen, you will need to press Ctrl + Alt + Delete to enter the login frame.

To use the key combination, press Action in the upper right of the virtual machine, select Guest OS> Send keys> Ctrl-Alt-Detele and enter your password to log in.

Once installed we will see that this virtual machine has received IP from Sophos XG and is able to access the internet.

Next we will access Sophos XG’s web admin page via https://172.16.16.16:4444 and do the rest of the basic configuration.

Here, because the internet is available, we will download firefox to use for convenient access.

When accessing the above link, a warning will appear, click Advanced and select Accept the Risk and Continue.

Sophos start screen appears, click Click to begin to continue.

In Basic Configuration enter the new password for the device.

Check I accept the Sophos…

Uncheck Install the lastest firmware…

Click Next.

In the Name and time zone section:

  • Firewall name: SophosXG
  • Time zone: Select the zone you want here, I choose Asis / Ho_Chi_Minh.
  • Current time: configurable hours.

In the Register your firewall section select I have a serial number (start a trial) and click Next to try it out.

To register for the trial we need to have a SophosID account, here I have prepared, if not, click Create Sophos ID to create.

After logging in with Sophos ID, the device registration process will take place check the box against robot and click Continue.

Click Confirm Registration + Evaluation License.

Click Initiate License Synchronization.

The Basic setup is complete table appears for us to review the licenses being tested.

Click Continue.

Next will come to the LAN area configuration, we can keep this configuration or change it depending on the needs of each person, here I will keep the same and only change later if needed.

Click Continue.

In Network Protection section click Continue.

In the Notifications and backups section, enter the email of the sender and recipient.

The purpose of this is when you configure automatic sending of the backup file to email then Sophos will get the sender email to send the backup file to the recipient’s email.

Next is to enter the encryption password for the backup file, this feature adds an extra layer of security even if someone else with your backup file cannot import it on another Sophos device because when importing it will ask for this password.

In the Configuration Summary section we will review the previously installed configuration and click Finish.

Applying the changes will take about 5 minutes and the device will be restarted.

Then refresh the link and we will enter your password account to login to the admin page.

After logging in, this is Sophos’s admin page, you can perform the configuration you want above.

Be the first to comment

Leave a Reply

Your email address will not be published.


*


This site uses Akismet to reduce spam. Learn how your comment data is processed.