Installing NetScope OVA as a Virtual Appliance on VirtualBox

Requirements:

• Reasonably powerful x86 hardware. Any recent Intel or AMD 64-bit CPU should do. For example, AMD brought out its first generation virtualization extensions to its CPUs about 2006.
• Tested successfully on Windows 7 and 10.

The instructions are set out in the following format:

1. Import Netscope OVA file. Make preliminary setting changes.
2. Configure Network Settings:
   1. Management port - Adapter 1
      • Bridged adapter
      • Host-only adapter
   2. Capture port - Adapter 2
3. Start the Virtual Machine
4. Obtain a License
5. Detecting direction by the gateway/router’s or the host port’s MAC address
6. If Management port is a host-only adapter disable NTP
7. Turning off the Netscope Virtual Appliance
8. Sleep and Hibernate - date/time - needs Netscope Virtual Appliance restarted

1. Import Netscope OVA file. Make preliminary setting changes.

1. Select File -> Import Appliance. 
2. Select ‘Expert Mode’ then browse to the NetScopeVirtBox.ova file.
3. Click ‘yes’ for “Reinitialize the MAC address of all network cards” so that every network card gets a new MAC address assigned.
4. If really necessary, make any preliminary changes to the virtual machine hardware configuration. You may like to change the ‘Name’. Minimum requirements for NetScope are:
   • 1 GB of RAM or more.
   • 1.5 GB of hard disk. The virtual size of the disk is set to 8GB but it is dynamically allocated as more network traffic data is collected over the duration of the demo license. 
   • 64-bit CPU(s). NetScope will effectively utilize up to 8 cores. Dual or quad-core CPUs are common.
   • 2 network interfaces. The first is assigned an IP address for the web user interface. The second acts as the capture port and collects data from a SPAN/mirror port or your own desktop ethernet port.
5. Click ‘Import’.

Once the import has completed a new virtual machine will appear in the VirtualBox Manager screen.

2. Configure Network Settings

1. Right click on the NetScope Virtual Appliance.
2. Click ‘Settings’.

 

There should be 2 network adapters enabled- Adapter 1 and Adapter 2. These need to be configured for your set up.

2.1 Management port - Adapter 1

The first adapter we use to manage Netscope through a web user interface. It is given an IP address which one puts into a web browser to view and manage Netscope. This first adapter we suggest you attach to a Bridged Adapter or a Host-only adapter. 

A ‘Bridged Adapter’ connects the Netscope virtual appliance’s management port to a chosen physical network adapter on your host computer. VirtualBox uses a device driver which intercepts data and injects data into the physical network adapter it is bridged to. From the perspective of the host computer, Netscope’s management port is connected to the chosen physical network adapter (wired or wireless) as if it were connected by an internal virtual network cable to an internal virtual switch on the host computer. This means that you can treat Netscope’s management port just as a port on any computer on your external physical network. Therefore you can access Netscope’s web user interface from another computer than the host computer. If your external physical network has a DHCP server, Netscope’s management port will receive an IP address from it. Please note- when bridging to a Wi-fi adapter, the DHCP may not work. You may have to use the following ‘Host-only Adapter’ option for the Management port - Adapter 1. However, for the Capture port - Adapter 2, bridging to a Wi-Fi adapter has been tested and works.

For a ‘Host-only Adapter’,  VirtualBox creates a new software network interface on the host which then appears next to your existing network interfaces. This software network interface is not connected to a physical networking interface and therefore cannot talk to the world outside the host computer. With host-only networking, a new “loopback” interface is created on the host. The network interface is preconfigured with a private IP address and can be configured with its own DHCP server. Therefore Netscope’s management port can receive an IP address if the DHCP server is set up. Netscope’s web user interface is then accessible via this IP address from the host computer but not from outside the host computer. Please note- since Netscope’s main management port is not connected outside the host computer to the internet:

• Netscope email notifications that rely on email servers on the internet will not work.
• NTP which relies on NTP servers on the internet will not work. It needs to be disabled. Ensure to follow ‘If Management port is a host-only adapter disable NTP’ below after you’ve obtained a license.

So the instructions for using either a ‘Bridged Adapter’ or a ‘Host-only Adapter’ for Management port - Adapter 1 are following:

Bridged Adapter:

1. Choose the physical network interface to attach to Netscope’s management port. Ensure the ‘Cable Connected’ checkbox is checked ‘yes’.

Host-only Adapter:

1. Choose the Host-Only software network adapter. There should be one pre-installed. If not (i.e at ‘Name:’ the only option is ‘Not Selected’), then make sure you create one in step 4 in the next set of instructions.

To check the configuration of the Host-only software network adapter click on ‘File’ then ‘Preferences…’ in the VirtualBox Manager screen.

1. Select Network
2. Click the Host-only Networks tab.
3. Select the Host-Only software network adapter that you selected for Adapter 1 as in the above picture.
4. If there are no software network adapters in the list then create a new one. If you have created one, you’ll need to go back and select it for the Netscope virtual machine’s Adapter 1 as in the above instructions.
5. Click ‘Edit’ details.
6. Check the Host-Only software network adapter has a suitable IP and netmask.

1. Click the ‘DHCP Server’ tab.
2. Click to enable the DHCP server and check the values are on the same IP network/subnet as the Host-only software network adapter. In this example, the IP network/subnet is 192.168.160.0/24.

2.2 Capture port - Adapter 2

The 2nd network adapter Netscope uses as its Capture port. It receives on this port the network traffic that Netscope monitors.

Whether you are monitoring your host machine’s ethernet port, (wireless or wired) or you have connected the host’s ethernet port to a managed switch’s mirror/SPAN port you need to:

1. Select ‘Bridged Adapter’ and select the network adapter you want to listen on.
2. Set Promiscuous Mode to ‘Allow All’.

 

For wired ethernet network adapters, one can have the Management port- Adapter 1 and Capture port- Adapter 2 bridged to the same physical network adapter. Ensure, though, that the ‘Promiscuous Mode’ of Adapter 1 set to the default ‘Deny’.

3. Start the Virtual Machine

Now start the virtual machine by right-clicking on it in the list and selecting ‘Normal Start’.

Once you have powered up the virtual machine a console window will appear. Once the boot is complete it should obtain an IP address for the management port and display it on the console screen.

NOTE: if you do not see an IP address on the console window, simply click within the console window and press ‘Enter’. The login will be prompted again and you’ll see an IP address. A few times may be required.

4. Obtain a license

Enter the IP address displayed in the console window into a browser. To obtain your Demo license go to ‘Log in and Obtain License‘ then click on your browser’s back <- button to continue on here.

5. Detecting direction by the gateway/router’s or the host port’s MAC address

If you’ve connected the capture port to set up a managed switch’s mirror/SPAN port then the following article needs to be followed:

Network Traffic Direction Detection - Mirror Mode

(Please note: using VirtualBox with the capture port connected to a managed switch for an organisation is ok for evaluation purposes.  A  constantly powered-on dedicated computer, though, is recommended. Or one can use a constantly powered-on hypervisor such as VMware’s ESXi server with the Netscope Virtual Appliance.)

If you are monitoring your own host’s network adapter the aforementioned article still applies but rather than Netscope automatically detecting a gateway/router’s MAC address it should detect your host’s network adapter’s MAC address. If it does not, follow the directions in the article but in your mind swap the terms ‘gateway’ and ‘router’ with ‘your host port’. As of this writing, for monitoring your own host port, you need to think of Inbound as Outbound and Outbound as Inbound.

6. If Management port is a host-only adapter disable NTP

With a host-only adapter Netscope Virtual Appliance will not be able to connect to a physical network and internet. Therefore it cannot connect to NTP servers to synchronise the time with them. We, therefore, need to disable NTP to allow the Netscope Virtual Appliance to gets its time rather from the host computer. To do this select ‘Configuration’ from the top tabbed menu.

1. Select ‘Time’ from the Configuration menu.
2. Uncheck the Enable/Disable NTP checkbox.
3. Click ‘Save’.

We then need to reboot the Netscope Virtual Appliance:

1. In the Configuration menu select ‘System’.
2. Click ‘Next’.
3. In the Command screen select ‘Reboot System’ from the drop-down menu.
4. Click ‘Save’.

The VirtualBox console screen will show with the login prompt that the Netscope web user interface is ready to use.

7. Turning off the Netscope Virtual Appliance

1. Right-click on the Netscope Virtual Appliance in the VirtualBox Manager.
2. Click on ‘Close’ then on ‘ACPI Shutdown’.

It is recommended not to use ‘Power Off’ as this is the same as pulling the power plug on a computer. It will not shutdown the operating system properly.

8. Sleep and Hibernate - date/time - needs Netscope Virtual Appliance restarted

Note the following when using Sleep or Hibernate on the host system while the Netscope Virtual Appliance is left running. When the host is powered back on from sleep or hibernate, the date/time of the Netscope Virtual Appliance will be back at the time when the host was put into sleep or hibernate. There will be a gap between Netscope’s time and the host system. To make the Netscope’s time back to the host system’s time, turn off the Netscope Virtual Appliance as in 7. above and ‘Start’ it again as in 3. above.