Prepare your OT network for Microsoft Defender for IoT
This article describes how to set up your OT network to work with Microsoft Defender for IoT components, including the OT network sensors, the Azure portal, and an optional on-premises management console.
OT network sensors use agentless, patented technology to discover, learn, and continuously monitor network devices for a deep visibility into OT/ICS/IoT risks. Sensors carry out data collection, analysis, and alerting on-site, making them ideal for locations with low bandwidth or high latency.
This article is intended for personnel experienced in operating and managing OT and IoT networks, such as automation engineers, plant managers, OT network infrastructure service providers, cybersecurity teams, CISOs, and CIOs.
We recommend that you use this article together with our pre-deployment checklist.
For assistance or support, contact Microsoft Support.
Before performing the procedures in this article, make sure you understand your own network architecture and how you'll connect to Defender for IoT. For more information, see:
- Microsoft Defender for IoT system architecture
- Sensor connection methods
- Best practices for planning your OT network monitoring
On-site deployment tasks
Perform the steps in this section before deploying Defender for IoT on your network.
Make sure to perform each step methodologically, requesting the information and reviewing the data you receive. Prepare and configure your site and then validate your configuration.
Collect site information
Record the following site information:
Sensor management network information.
Site network architecture.
Planned user credentials.
TLS/SSL certificates (optional but recommended).
SMTP authentication (optional). To use the SMTP server with authentication, prepare the credentials required for your server.
DNS servers (optional). Prepare your DNS server's IP and host name.
Prepare a configuration workstation
To prepare a Windows or Mac workstation:
Make sure that you can connect to the sensor management interface.
Make sure that you have terminal software (like PuTTY) or a supported browser. Supported browsers include the latest versions of Microsoft Edge, Chrome, Firefox, or Safari (Mac only).
For more information, see recommended browsers for the Azure portal.
Make sure the required firewall rules are open on the workstation. Verify that your organizational security policy allows access as required. For more information, see Networking requirements.
Set up certificates
After you've installed the Defender for IoT sensor or on-premises management console software, a local, self-signed certificate is generated, and used to access the sensor web application.
The first time they sign in to Defender for IoT, administrator users are prompted to provide an SSL/TLS certificate. Optional certificate validation is enabled by default.
We recommend having your certificates ready before you start your deployment. For more information, see Defender for IoT installation and About Certificates.
Plan rack installation
To plan your rack installation:
Prepare a monitor and a keyboard for your appliance network settings.
Allocate the rack space for the appliance.
Have AC power available for the appliance.
Prepare the LAN cable for connecting the management to the network switch.
Prepare the LAN cables for connecting switch SPAN (mirror) ports and network taps to the Defender for IoT appliance.
Configure, connect, and validate SPAN ports in the mirrored switches using one of the following methods:
Method Description Switch SPAN port Mirror local traffic from interfaces on the switch to a different interface on the same switch. Remote SPAN (RSPAN) Mirror traffic from multiple, distributed source ports into a dedicated remote VLAN. Active or passive aggregation (TAP) Mirror traffic by installing an active or passive aggregation terminal access point (TAP) inline to the network cable. ERSPAN Mirror traffic with ERSPAN encapsulation when you need to extend monitored traffic across Layer 3 domains, when using specific Cisco routers and switches. ESXi vSwitch Use Promiscuous mode in a virtual switch environment as a workaround for configuring a monitoring port. Hyper-V vSwitch Use Promiscuous mode in a virtual switch environment as a workaround for configuring a monitoring port.
SPAN and RSPAN are Cisco terminology. Other brands of switches have similar functionality but might use different terminology.
Connect the configured SPAN port to a computer running Wireshark, and verify that the port is configured correctly.
Open all the relevant firewall ports.
Validate your network
After preparing your network, use the guidance in this section to validate whether you're ready to deploy Defender for IoT.
Make an attempt to receive a sample of recorded traffic (PCAP file) from the switch SPAN or mirror port. This sample will:
Validate if the switch is configured properly.
Confirm if the traffic that goes through the switch is relevant for monitoring (OT traffic).
Identify bandwidth and the estimated number of devices in this switch.
For example, you can record a sample PCAP file for a few minutes by connecting a laptop to an already configured SPAN port through the Wireshark application.
To use Wireshark to validate your network:
Check that Unicast packets are present in the recording traffic. Unicast is from one address to another. If most of the traffic is ARP messages, then the switch setup is incorrect.
Go to Statistics > Protocol Hierarchy. Verify that industrial OT protocols are present.
Use the following tables to ensure that required firewalls are open on your workstation and verify that your organization security policy allows required access.
User access to the sensor and management console
|SSH||TCP||In/Out||22||CLI||To access the CLI||Client||Sensor and on-premises management console|
|HTTPS||TCP||In/Out||443||To access the sensor, and on-premises management console web console||Access to Web console||Client||Sensor and on-premises management console|
Sensor access to Azure portal
|HTTPS||TCP||Out||443||Access to Azure||Sensor||OT network sensors connect to Azure to provide alert and device data and sensor health messages, access threat intelligence packages, and more. Connected Azure services include IoT Hub, Blob Storage, Event Hubs, and the Microsoft Download Center.
For OT sensor versions 22.x: Download the list from the Sites and sensors page in the Azure portal. Select an OT sensor with software versions 22.x or higher, or a site with one or more supported sensor versions. Then, select More options > Download endpoint details. For more information, see Sensor management options from the Azure portal.
For OT sensor versions 10.x:
Sensor access to the on-premises management console
|NTP||UDP||In/Out||123||Time Sync||Connects the NTP to the on-premises management console||Sensor||On-premises management console|
|TLS/SSL||TCP||In/Out||443||Give the sensor access to the on-premises management console.||The connection between the sensor, and the on-premises management console||Sensor||On-premises management console|
Other firewall rules for external services (optional)
Open these ports to allow extra services for Defender for IoT.
|SMTP||TCP||Out||25||Used to open the customer's mail server, in order to send emails for alerts, and events||Sensor and On-premises management console||Email server|
|DNS||TCP/UDP||In/Out||53||DNS||The DNS server port||On-premises management console and Sensor||DNS server|
|HTTP||TCP||Out||80||The CRL download for certificate validation when uploading certificates.||Access to the CRL server||Sensor and on-premises management console||CRL server|
|WMI||TCP/UDP||Out||135, 1025-65535||Monitoring||Windows Endpoint Monitoring||Sensor||Relevant network element|
|SNMP||UDP||Out||161||Monitoring||Monitors the sensor's health||On-premises management console and Sensor||SNMP server|
|LDAP||TCP||In/Out||389||Active Directory||Allows Active Directory management of users that have access, to sign in to the system||On-premises management console and Sensor||LDAP server|
|Proxy||TCP/UDP||In/Out||443||Proxy||To connect the sensor to a proxy server||On-premises management console and Sensor||Proxy server|
|Syslog||UDP||Out||514||LEEF||The logs that are sent from the on-premises management console to Syslog server||On-premises management console and Sensor||Syslog server|
|LDAPS||TCP||In/Out||636||Active Directory||Allows Active Directory management of users that have access, to sign in to the system||On-premises management console and Sensor||LDAPS server|
|Tunneling||TCP||In||9000 In addition to port 443 Allows access from the sensor, or end user, to the on-premises management console Port 22 from the sensor to the on-premises management console||Monitoring||Tunneling||Endpoint, Sensor||On-premises management console|
Choose a cloud connection method
If you're setting up OT sensors and connecting them to the cloud, understand supported cloud connection methods, and make sure to connect your sensors as needed.
For more information, see:
This section provides troubleshooting for common issues when preparing your network for a Defender for IoT deployment.
Can't connect by using a web interface
Verify that the computer you're trying to connect is on the same network as the appliance.
Verify that the GUI network is connected to the management port on the sensor.
Ping the appliance IP address. If there's no response to ping:
Connect a monitor and a keyboard to the appliance.
Use the support user* and password to sign in.
Use the command network list to see the current IP address.
If the network parameters are misconfigured, sign into the OT sensor as the cyberx_host user* to re-run the OT monitoring software configuration wizard. For example:
root@xsense:/# sudo dpkg-reconfigure iot-sensor
The configuration wizard starts automatically. For more information, see Install OT monitoring software.
Restart the sensor machine and sign in with the support user*. Run the network list command to verify that the parameters were changed.
Try to ping and connect from the GUI again.
(*) For more information, see Default privileged on-premises users.
Appliance isn't responding
Connect with a monitor and keyboard to the appliance, or use PuTTY to connect remotely to the CLI.
Use the support credentials to sign in.
Use the system sanity command and check that all processes are running.
For any other issues, contact Microsoft Support.
For more information, see:
Submit and view feedback for