Virtual Sensor
The ThreatDefence NDR Sensor can be deployed as a virtual sensor on VMware or Hyper-V environments. This guide outlines the steps to configure and integrate the sensor into your environment.
VMware Deployment
Download the Open Virtualization Format (OVF)
Obtain the VHD file from the link provided by ThreatDefence Technical Support.
Download the configuration file attached to the support email.
VMware Virtual Machine Setup
Create a Generation 1 VM in VMware.
Allocate 8 GB RAM and 4 CPU cores.
Configure the VM to use the downloaded OVF as its existing disk.
Network Interface Configuration
Add two NICs to the VM:
Management NIC: Requires internet access (ports UDP/53 DNS, TCP/80 HTTP, TCP/443 HTTPS).
Data NIC: For mirrored traffic from your network.
Mirror/SPAN Port Setup
On your switch, configure a mirror (SPAN) port targeting the internal firewall port.
Connect this SPAN port to the data NIC of the virtual sensor.
VMware Virtual Switch for Mirrored Traffic
Create a new VMware virtual switch that includes the physical mirror port.
Enable promiscuous mode: Properties -> Security -> Promiscuous Mode -> Accept.
Virtual NICs Connection
Attach the second NIC (data NIC) to the mirrored traffic switch.
Attach the management NIC to your standard VLAN.
Initial Configuration and Access
Access the VM console with the credentials provided by ThreatDefence.
Choose DHCP or static IP configuration as required.
Web Interface Configuration
After reboot, open the web interface at:
https://<VM_IP>:5000
Upload the configuration file from step 1.
Finalize Installation
Notify ThreatDefence Technical Support once the sensor is operational.
Outbound Connectivity
Ensure that your virtual sensor can reach TD servers on port 443 (HTTPS) at the following domains:
tele.threatdefence.io
vle.threatdefence.io
Hyper-V Deployment
Download the Virtual Hard Disk (VHD)
Obtain the VHD file and configuration file from ThreatDefence Technical Support.
Create Two Hyper-V Virtual Switches
Open Virtual Switch Manager in Hyper-V.
Create two external virtual switches, each mapped to a physical NIC:
One for Management traffic.
One for SPAN/Mirror traffic.
Apply changes (note: may temporarily interrupt connectivity).
Hyper-V Virtual Machine Setup
Create a Generation 1 VM in Hyper-V.
Allocate 8 GB RAM and 4 CPU cores.
Use the downloaded VHD as its disk.
Attach one NIC to the Management switch and a second NIC to the SPAN switch.
Mirror/SPAN Port Setup on Switch
Configure a mirror (SPAN) port on your switch targeting the internal firewall port.
Connect this to the Hyper-V host NIC used for mirrored traffic.
Enable Monitoring Mode with PowerShell
Run the following commands (as admin):
$a = Get-VMSystemSwitchExtensionPortFeature -FeatureId 776e0ba7-94a1-41c8-8f28-951f524251b5
$a.SettingData.MonitorMode = 2
Add-VMSwitchExtensionPortFeature -ExternalPort -SwitchName <Name_of_Virtual_Switch> -VMSwitchExtensionFeature $a
Initial Configuration and Access
Log in via the console with the credentials provided.
Configure DHCP or static IP as required.
Web Interface Configuration
After reboot, open the web interface at:
https://<VM_IP>:5000
Upload the configuration file from step 1.
Finalize Installation
Notify ThreatDefence Technical Support once operational.
With Host-Level Port Mirroring (Hyper-V Advanced Features)
Access VM Settings
In Hyper-V Manager, right-click the VM → Settings → Network Adapter → Advanced Features.
Configure Port Mirroring
Choose one of the following under Port Mirroring:
None: Disabled
Source: NIC acts as mirror source
Destination: NIC acts as mirror destination
Save and Apply
Click Apply then OK.
Repeat for all NICs/VMs involved in mirroring.
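Because a mirror destination receives a copy of every mirrored frame, it is worth confirming that only the sensor is one. The following audit script is an added example, not ThreatDefence's own tooling; the VM and switch names are placeholders, and it assumes the sensor's data NIC is the one set to Destination.

```powershell
# Added example: audit port mirroring on the Hyper-V host (run as admin).
# $SensorVM and $SpanSwitch are placeholder names (assumptions); substitute your own.
$SensorVM   = 'td-ndr-sensor'
$SpanSwitch = 'SPAN-Mirror'
$FeatureId  = '776e0ba7-94a1-41c8-8f28-951f524251b5'  # feature ID from the commands above

$findings = @()

# 1. The external port of the SPAN switch should carry MonitorMode = 2,
#    the value set in "Enable Monitoring Mode with PowerShell".
$ext = Get-VMSwitchExtensionPortFeature -ExternalPort -SwitchName $SpanSwitch -FeatureId $FeatureId
if (-not $ext) {
    $findings += "External port of '$SpanSwitch': monitor mode feature not present"
} elseif ($ext.SettingData.MonitorMode -ne 2) {
    $findings += "External port of '$SpanSwitch': MonitorMode is $($ext.SettingData.MonitorMode), expected 2"
}

# 2. Enumerate every VM NIC with port mirroring enabled (the Advanced Features setting).
$mirrored = @(Get-VM | Get-VMNetworkAdapter |
    Where-Object { $_.PortMirroringMode -ne 'None' })

# 3. The sensor needs one Destination NIC on the SPAN switch (assumption: the data NIC).
$sensorDest = @($mirrored | Where-Object {
    $_.VMName -eq $SensorVM -and $_.SwitchName -eq $SpanSwitch -and
    $_.PortMirroringMode -eq 'Destination' })
if ($sensorDest.Count -eq 0) {
    $findings += "'$SensorVM' has no Destination NIC on '$SpanSwitch'"
}

# 4. Any other Destination NIC also receives mirrored traffic: flag it for review.
$mirrored |
    Where-Object { $_.PortMirroringMode -eq 'Destination' -and $_.VMName -ne $SensorVM } |
    ForEach-Object {
        $findings += "Unexpected mirror destination: $($_.VMName) / $($_.Name) on '$($_.SwitchName)'"
    }

# Report: full list of mirrored NICs, then any deviations as warnings.
$mirrored | Format-Table VMName, Name, SwitchName, PortMirroringMode -AutoSize
if ($findings.Count -gt 0) {
    $findings | ForEach-Object { Write-Warning $_ }
} else {
    Write-Output 'Port mirroring matches the expected sensor-only layout.'
}
```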
Outbound Connectivity
Ensure that your virtual sensor can reach TD servers on port 443 (HTTPS) at the following domains:
tele.threatdefence.io
vle.threatdefence.io