Prepare your OT network for Microsoft Defender for IoT

This article describes how to set up your OT network to work with Microsoft Defender for IoT components, including the OT network sensors, the Azure portal, and an optional on-premises management console.

OT network sensors use agentless, patented technology to discover, learn, and continuously monitor network devices for a deep visibility into OT/ICS/IoT risks. Sensors carry out data collection, analysis, and alerting on-site, making them ideal for locations with low bandwidth or high latency.

This article is intended for personnel experienced in operating and managing OT and IoT networks, such as automation engineers, plant managers, OT network infrastructure service providers, cybersecurity teams, CISOs, and CIOs.

We recommend that you use this article together with our pre-deployment checklist.

For assistance or support, contact Microsoft Support.

Prerequisites

Before performing the procedures in this article, make sure you understand your own network architecture and how you'll connect to Defender for IoT. For more information, see:

On-site deployment tasks

Perform the steps in this section before deploying Defender for IoT on your network.

Make sure to perform each step methodically, requesting the information and reviewing the data you receive. Prepare and configure your site, and then validate your configuration.

Collect site information

Record the following site information:

  • Sensor management network information.

  • Site network architecture.

  • Physical environment.

  • System integrations.

  • Planned user credentials.

  • Configuration workstation.

  • TLS/SSL certificates (optional but recommended).

  • SMTP authentication (optional). To use the SMTP server with authentication, prepare the credentials required for your server.

  • DNS servers (optional). Prepare your DNS server's IP and host name.

Prepare a configuration workstation

To prepare a Windows or Mac workstation:

  • Make sure that you can connect to the sensor management interface.

  • Make sure that you have terminal software (like PuTTY) or a supported browser. Supported browsers include the latest versions of Microsoft Edge, Chrome, Firefox, or Safari (Mac only).

    For more information, see recommended browsers for the Azure portal.

  • Make sure the required firewall rules are open on the workstation. Verify that your organizational security policy allows access as required. For more information, see Networking requirements.

Set up certificates

After you've installed the Defender for IoT sensor or on-premises management console software, a local, self-signed certificate is generated and used to access the sensor web application.

The first time they sign in to Defender for IoT, administrator users are prompted to provide an SSL/TLS certificate. Optional certificate validation is enabled by default.

We recommend having your certificates ready before you start your deployment. For more information, see Defender for IoT installation and About Certificates.

Plan rack installation

To plan your rack installation:

  1. Prepare a monitor and a keyboard for your appliance network settings.

  2. Allocate the rack space for the appliance.

  3. Have AC power available for the appliance.

  4. Prepare the LAN cable for connecting the management port to the network switch.

  5. Prepare the LAN cables for connecting switch SPAN (mirror) ports and network taps to the Defender for IoT appliance.

  6. Configure, connect, and validate SPAN ports in the mirrored switches using one of the following methods:

    Method                              | Description
    Switch SPAN port                    | Mirror local traffic from interfaces on the switch to a different interface on the same switch.
    Remote SPAN (RSPAN)                 | Mirror traffic from multiple, distributed source ports into a dedicated remote VLAN.
    Active or passive aggregation (TAP) | Mirror traffic by installing an active or passive aggregation terminal access point (TAP) inline to the network cable.
    ERSPAN                              | Mirror traffic with ERSPAN encapsulation when you need to extend monitored traffic across Layer 3 domains, when using specific Cisco routers and switches.
    ESXi vSwitch                        | Use Promiscuous mode in a virtual switch environment as a workaround for configuring a monitoring port.
    Hyper-V vSwitch                     | Use Promiscuous mode in a virtual switch environment as a workaround for configuring a monitoring port.

    Note

    SPAN and RSPAN are Cisco terminology. Other brands of switches have similar functionality but might use different terminology.

  7. Connect the configured SPAN port to a computer running Wireshark, and verify that the port is configured correctly.

  8. Open all the relevant firewall ports.

Validate your network

After preparing your network, use the guidance in this section to validate whether you're ready to deploy Defender for IoT.

Try to obtain a sample of recorded traffic (a PCAP file) from the switch SPAN or mirror port. This sample will:

  • Validate whether the switch is configured properly.

  • Confirm whether the traffic that goes through the switch is relevant for monitoring (OT traffic).

  • Identify the bandwidth and the estimated number of devices on this switch.

For example, you can record a sample PCAP file for a few minutes by connecting a laptop to an already configured SPAN port through the Wireshark application.

To use Wireshark to validate your network:

  • Check that unicast packets are present in the recorded traffic. Unicast traffic goes from one address to another. If most of the traffic is ARP messages, the switch setup is incorrect.

  • Go to Statistics > Protocol Hierarchy. Verify that industrial OT protocols are present.

For example:

[Screenshot: Wireshark validation]
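The two Wireshark checks above (unicast must be present, ARP must not dominate, and OT protocols must appear in the protocol hierarchy) can also be scripted, which is handy when you have to validate many SPAN ports. The following is an added example, not code from the Microsoft article or from Defender for IoT. It parses a classic little-endian libpcap file with Ethernet frames using only the Python standard library; the short OT port-to-protocol map and the two sample captures (a healthy mirror and a misconfigured one) are constructed for this example and are not the product's own protocol detection.

```python
"""Check a SPAN/mirror-port capture the way the validation step above describes:
unicast frames should dominate, ARP should not, and OT protocols should be visible.
Added example, not from the Microsoft article or Defender for IoT. Classic
little-endian libpcap with Ethernet frames; standard library only."""
import struct
import sys
from collections import Counter

ETH_ARP, ETH_IPV4 = 0x0806, 0x0800
PCAP_MAGIC_LE = 0xA1B2C3D4

# Assumption: a short, hand-picked map of well-known OT/ICS ports, used only
# to label traffic here; it is not Defender for IoT's own protocol detection.
OT_PORTS = {502: "Modbus/TCP", 102: "S7comm (ISO-TSAP)", 20000: "DNP3",
            44818: "EtherNet/IP", 2222: "EtherNet/IP implicit",
            4840: "OPC UA", 47808: "BACnet/IP"}


def iter_frames(pcap: bytes):
    """Yield each captured Ethernet frame from a classic pcap byte string."""
    magic, = struct.unpack_from("<I", pcap, 0)
    if magic != PCAP_MAGIC_LE:
        raise ValueError("expected a little-endian classic pcap file")
    offset = 24  # skip the 24-byte global header
    while offset + 16 <= len(pcap):
        _ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack_from("<IIII", pcap, offset)
        offset += 16
        yield pcap[offset:offset + incl_len]
        offset += incl_len


def classify(frame: bytes):
    """Return (is_unicast, is_arp, ot_protocol_or_None) for one Ethernet frame."""
    if len(frame) < 14:
        return False, False, None
    unicast = (frame[0] & 0x01) == 0          # I/G bit of the destination MAC
    ethertype, = struct.unpack_from("!H", frame, 12)
    if ethertype == ETH_ARP:
        return unicast, True, None
    proto = None
    if ethertype == ETH_IPV4 and len(frame) >= 34:
        ihl = (frame[14] & 0x0F) * 4
        l4 = frame[14 + ihl:]
        if frame[14 + 9] in (6, 17) and len(l4) >= 4:   # TCP or UDP
            sport, dport = struct.unpack_from("!HH", l4, 0)
            proto = OT_PORTS.get(dport) or OT_PORTS.get(sport)
    return unicast, False, proto


def validate_capture(pcap: bytes, max_arp_share: float = 0.5) -> dict:
    """Summarise a capture; span_ok mirrors the article's 'mostly ARP = bad SPAN' rule."""
    total = unicast = arp = 0
    ot_seen = Counter()
    for frame in iter_frames(pcap):
        is_unicast, is_arp, proto = classify(frame)
        total += 1
        unicast += int(is_unicast)
        arp += int(is_arp)
        if proto:
            ot_seen[proto] += 1
    arp_share = arp / total if total else 0.0
    return {"frames": total, "unicast": unicast, "arp_share": arp_share,
            "ot_protocols": dict(ot_seen),
            "span_ok": total > 0 and unicast > 0 and arp_share < max_arp_share}


# --- constructed sample captures so the example runs offline ---------------
def _frame(dst_mac: bytes, ethertype: int, payload: bytes) -> bytes:
    return dst_mac + bytes.fromhex("001122334455") + struct.pack("!H", ethertype) + payload


def _ipv4_tcp(sport: int, dport: int) -> bytes:
    """Minimal IPv4 header (IHL=5, proto=TCP) plus a TCP header with only the ports set."""
    ip = bytes([0x45, 0, 0, 40, 0, 0, 0, 0, 64, 6, 0, 0]) + bytes([10, 0, 0, 1, 10, 0, 0, 2])
    return ip + struct.pack("!HH", sport, dport) + bytes(16)


def build_pcap(frames) -> bytes:
    header = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    records = [struct.pack("<IIII", i, 0, len(f), len(f)) + f for i, f in enumerate(frames)]
    return header + b"".join(records)


UNICAST_MAC, BROADCAST_MAC = bytes.fromhex("00aabbccddee"), b"\xff" * 6
# Healthy mirror (constructed): mostly unicast Modbus/TCP with a little ARP.
GOOD_PCAP = build_pcap([_frame(UNICAST_MAC, ETH_IPV4, _ipv4_tcp(50000, 502))] * 8
                       + [_frame(BROADCAST_MAC, ETH_ARP, bytes(28))] * 2)
# Misconfigured mirror (constructed): the port only sees broadcast ARP plus one stray S7comm frame.
BAD_PCAP = build_pcap([_frame(BROADCAST_MAC, ETH_ARP, bytes(28))] * 9
                      + [_frame(UNICAST_MAC, ETH_IPV4, _ipv4_tcp(50001, 102))])

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else GOOD_PCAP
    print(validate_capture(data))
```

Run it with the path of a capture saved from Wireshark (File > Save As, pcap format) to get frame counts, the ARP share, and the OT protocols seen; a result with span_ok false and a high ARP share means the mirror port is only seeing broadcast traffic, which is exactly the symptom the article describes for a wrong SPAN setup. The port-based labelling is deliberately simple; the Wireshark protocol hierarchy remains the authoritative view.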

Networking requirements

Use the following tables to ensure that the required firewall ports are open on your workstation, and verify that your organization's security policy allows the required access.

User access to the sensor and management console

Protocol | Transport | In/Out | Port | Used | Purpose | Source | Destination
SSH | TCP | In/Out | 22 | CLI | To access the CLI | Client | Sensor and on-premises management console
HTTPS | TCP | In/Out | 443 | To access the sensor and on-premises management console web console | Access to web console | Client | Sensor and on-premises management console

Sensor access to Azure portal

Protocol | Transport | In/Out | Port | Purpose | Source | Destination
HTTPS | TCP | Out | 443 | Access to Azure | Sensor | OT network sensors connect to Azure to provide alert and device data and sensor health messages, access threat intelligence packages, and more. Connected Azure services include IoT Hub, Blob Storage, Event Hubs, and the Microsoft Download Center. The endpoints to allow depend on the sensor version, as listed below.

For OT sensor versions 22.x: Download the list from the Sites and sensors page in the Azure portal. Select an OT sensor with software version 22.x or higher, or a site with one or more supported sensor versions. Then, select More options > Download endpoint details. For more information, see Sensor management options from the Azure portal.

For OT sensor versions 10.x:
  *.azure-devices.net
  *.blob.core.windows.net
  *.servicebus.windows.net
  download.microsoft.com

Sensor access to the on-premises management console

Protocol | Transport | In/Out | Port | Used | Purpose | Source | Destination
NTP | UDP | In/Out | 123 | Time sync | Connects the NTP to the on-premises management console | Sensor | On-premises management console
TLS/SSL | TCP | In/Out | 443 | Give the sensor access to the on-premises management console | The connection between the sensor and the on-premises management console | Sensor | On-premises management console

Other firewall rules for external services (optional)

Open these ports to allow extra services for Defender for IoT.

Protocol | Transport | In/Out | Port | Used | Purpose | Source | Destination
SMTP | TCP | Out | 25 | Email | Used to open the customer's mail server, in order to send emails for alerts and events | Sensor and on-premises management console | Email server
DNS | TCP/UDP | In/Out | 53 | DNS | The DNS server port | On-premises management console and sensor | DNS server
HTTP | TCP | Out | 80 | The CRL download for certificate validation when uploading certificates | Access to the CRL server | Sensor and on-premises management console | CRL server
WMI | TCP/UDP | Out | 135, 1025-65535 | Monitoring | Windows endpoint monitoring | Sensor | Relevant network element
SNMP | UDP | Out | 161 | Monitoring | Monitors the sensor's health | On-premises management console and sensor | SNMP server
LDAP | TCP | In/Out | 389 | Active Directory | Allows Active Directory management of users that have access, to sign in to the system | On-premises management console and sensor | LDAP server
Proxy | TCP/UDP | In/Out | 443 | Proxy | To connect the sensor to a proxy server | On-premises management console and sensor | Proxy server
Syslog | UDP | Out | 514 | LEEF | The logs that are sent from the on-premises management console to the Syslog server | On-premises management console and sensor | Syslog server
LDAPS | TCP | In/Out | 636 | Active Directory | Allows Active Directory management of users that have access, to sign in to the system | On-premises management console and sensor | LDAPS server
Tunneling | TCP | In | 9000 (in addition to port 443; allows access from the sensor, or end user, to the on-premises management console; port 22 from the sensor to the on-premises management console) | Monitoring | Tunneling | Endpoint, sensor | On-premises management console
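Before go-live, it is worth confirming from the configuration workstation that the ports in the user-access table (SSH 22 and HTTPS 443 toward the sensor and on-premises management console) are actually reachable, rather than discovering a blocked firewall rule during the first sign-in. The following is an added example, not part of the Microsoft article: it only tests whether a TCP handshake completes within a timeout, which is the first thing a missing firewall rule or a workstation on the wrong network breaks. The sensor host name in the comment and the loopback listener used for the offline demo are assumptions constructed for this example.

```python
"""Workstation-side reachability check for the user-access ports listed above.
Added example, not part of the Microsoft article. Only TCP ports are probed;
UDP services such as NTP or SNMP cannot be verified with a plain connect()."""
import socket
import threading

# Protocol/port pairs from the "User access to the sensor and management console" table.
USER_ACCESS_PORTS = [("SSH", 22), ("HTTPS", 443)]


def tcp_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """True when a TCP connection to host:port completes within timeout.
    A refused connection (closed port) and a silently dropped SYN (filtered
    by a firewall) both come back False; only the latter waits the full timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_access(host: str, ports=USER_ACCESS_PORTS, timeout: float = 2.0) -> dict:
    """Map each protocol name to whether its port on host is reachable."""
    return {name: tcp_reachable(host, port, timeout) for name, port in ports}


def _loopback_listener():
    """Constructed stand-in for the sensor: an ephemeral listener on 127.0.0.1."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:       # listener closed -> stop the thread
                return

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def demo() -> dict:
    """Run the check against one open and one closed loopback port (offline)."""
    srv, open_port = _loopback_listener()
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]   # nobody listens here once we close it
    probe.close()
    result = check_access("127.0.0.1", [("open", open_port), ("closed", closed_port)], timeout=1.0)
    srv.close()
    return result


if __name__ == "__main__":
    print(demo())  # e.g. {'open': True, 'closed': False}
    # Real use, assuming "sensor-01.example.local" is your sensor's management address
    # (hypothetical name): print(check_access("sensor-01.example.local"))
```

A False result that took the full timeout usually means the traffic was dropped by a firewall between the workstation and the appliance; an immediate False means the host answered but nothing is listening on that port, which points at the appliance or the management-port wiring rather than the firewall.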

Choose a cloud connection method

If you're setting up OT sensors and connecting them to the cloud, understand supported cloud connection methods, and make sure to connect your sensors as needed.

For more information, see:

Troubleshooting

This section provides troubleshooting for common issues when preparing your network for a Defender for IoT deployment.

Can't connect by using a web interface

  1. Verify that the computer you're trying to connect is on the same network as the appliance.

  2. Verify that the GUI network is connected to the management port on the sensor.

  3. Ping the appliance IP address. If there's no response to ping:

    1. Connect a monitor and a keyboard to the appliance.

    2. Use the support user* and password to sign in.

    3. Use the command network list to see the current IP address.

  4. If the network parameters are misconfigured, sign in to the OT sensor as the cyberx_host user* to re-run the OT monitoring software configuration wizard. For example:

    root@xsense:/# sudo dpkg-reconfigure iot-sensor

    The configuration wizard starts automatically. For more information, see Install OT monitoring software.

  5. Restart the sensor machine and sign in with the support user*. Run the network list command to verify that the parameters were changed.

  6. Try to ping and connect from the GUI again.

(*) For more information, see Default privileged on-premises users.

Appliance isn't responding

  1. Connect with a monitor and keyboard to the appliance, or use PuTTY to connect remotely to the CLI.

  2. Use the support credentials to sign in.

  3. Use the system sanity command and check that all processes are running.

    [Screenshot: the system sanity command]

For any other issues, contact Microsoft Support.

Next steps

For more information, see: