Hyper-V Server
Deploy the Sophos Remote Testing Appliance (RTA) on a Windows Server host running
the Hyper-V role. Your engagement lead sends you a zip archive containing two
VHDX disks — the appliance root disk and a small cidata seed disk. You create a
Generation 2 VM, attach both disks, and apply a few required settings
(Secure Boot off, MAC spoofing on, external switch).
How delivery works on Hyper-V Server
You receive one thing from your engagement lead:
| Item | What it is |
|---|---|
| VHDX zip | An archive containing two VHDX disks — the appliance root disk (rta_latest.vhdx) and a small cidata seed disk (cidata.vhdx). |
Inside the zip:
rta-vhdx.zip
├── rta_latest.vhdx # appliance root disk (boot)
└── cidata.vhdx # cidata seed disk (engagement identity)
The disks are customized for your engagement before you receive them. The
cidata seed disk carries the appliance's identity and credentials, so once you
attach both disks the appliance boots already registered and connects to the
Sophos headend automatically — there is no activation step, and the console
shows a live status and troubleshooting dashboard.
Attach BOTH disks
The RTA needs both the root disk and the cidata seed disk. Attach both to
the VM — the root disk as the boot disk and the cidata disk as a second disk.
Without the cidata disk the appliance has no engagement identity and will not
register.
You apply these settings when you create the VM (the guides below walk through each):
| Property | Value |
|---|---|
| Generation | 2 (UEFI) |
| Secure Boot | Off (unsigned bootloader) |
| Memory | 8 GB |
| vCPU | 4 |
| MAC address spoofing | On (required for L2 tooling) |
| Switch | External, bound to a wired NIC |
Requirements
| Resource | Minimum | Recommended |
|---|---|---|
| vCPU | 2 | 4 or more |
| Memory | 4 GB | 8 GB or more |
| Boot disk | 40 GB | 40 GB |
| Host role | Windows Server with the Hyper-V role installed | — |
| Network | Wired Ethernet NIC bound to an external switch; outbound internet | Dedicated engagement NIC on a separate VLAN |
Wired Ethernet required for Layer-2 testing
The appliance needs Layer-2 adjacency to its targets — it must appear as a distinct peer on the engagement LAN. Hyper-V can bridge a wired NIC transparently (external switch), but a Wi-Fi association only carries one MAC per client. A Wi-Fi-backed external switch gives the RTA internet but prevents L2 poisoning and MITM. Use a wired NIC for any engagement that requires ARP poisoning, Responder, or bettercap.
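To confirm a deployed VM matches the required settings and the wired-uplink requirement above, the following added example (not Sophos tooling and not part of the original guide) audits it from an elevated PowerShell session on the Hyper-V host. Test-RtaVmConfig is a hypothetical function name; the check assumes the VHDX files keep the names they have in the zip, that the external switch has a single physical uplink, and that the driver reports wired media as 802.3.

```powershell
# Added example: audit a deployed RTA VM against the settings on this page.
# Usage (VM name is a placeholder): Test-RtaVmConfig -VMName 'sophos-rta' | Format-Table -AutoSize
function Test-RtaVmConfig {
    param([Parameter(Mandatory)][string]$VMName)

    $vm    = Get-VM -Name $VMName -ErrorAction Stop
    $nic   = Get-VMNetworkAdapter -VMName $VMName | Select-Object -First 1
    # Assumption: disk file names are unchanged from the delivered zip.
    $disks = @(Get-VMHardDiskDrive -VMName $VMName | ForEach-Object { Split-Path $_.Path -Leaf })

    # Secure Boot is a Generation 2 firmware property; Get-VMFirmware fails on Gen 1.
    $secureBoot = if ($vm.Generation -eq 2) { (Get-VMFirmware -VMName $VMName).SecureBoot } else { 'n/a' }

    # Follow the vNIC to its switch, then to the physical uplink, to spot a Wi-Fi-backed switch.
    $switch = if ($nic.SwitchName) { Get-VMSwitch -Name $nic.SwitchName } else { $null }
    $uplink = if ($switch -and $switch.SwitchType -eq 'External') {
        Get-NetAdapter -InterfaceDescription $switch.NetAdapterInterfaceDescription -ErrorAction SilentlyContinue
    } else { $null }

    [pscustomobject]@{ Setting = 'Generation';   Expected = '2'
        Actual = $vm.Generation;            Pass = ($vm.Generation -eq 2) }
    [pscustomobject]@{ Setting = 'Secure Boot';  Expected = 'Off'
        Actual = $secureBoot;               Pass = ($secureBoot -eq 'Off') }
    [pscustomobject]@{ Setting = 'MAC spoofing'; Expected = 'On'
        Actual = $nic.MacAddressSpoofing;   Pass = ($nic.MacAddressSpoofing -eq 'On') }
    [pscustomobject]@{ Setting = 'Switch type';  Expected = 'External'
        Actual = $switch.SwitchType;        Pass = ($switch.SwitchType -eq 'External') }
    [pscustomobject]@{ Setting = 'Uplink media'; Expected = '802.3 (wired)'
        Actual = $uplink.PhysicalMediaType; Pass = ($uplink.PhysicalMediaType -eq '802.3') }
    [pscustomobject]@{ Setting = 'Root disk';    Expected = 'rta_latest.vhdx'
        Actual = ($disks -join ', ');       Pass = ($disks -contains 'rta_latest.vhdx') }
    [pscustomobject]@{ Setting = 'cidata disk';  Expected = 'cidata.vhdx'
        Actual = ($disks -join ', ');       Pass = ($disks -contains 'cidata.vhdx') }
    [pscustomobject]@{ Setting = 'vCPU';         Expected = '>= 2 (4 recommended)'
        Actual = $vm.ProcessorCount;        Pass = ($vm.ProcessorCount -ge 2) }
    [pscustomobject]@{ Setting = 'Memory (GB)';  Expected = '>= 4 (8 recommended)'
        Actual = $vm.MemoryStartup / 1GB;   Pass = ($vm.MemoryStartup -ge 4GB) }
}
```

A failed Uplink media row on an otherwise passing VM is the Wi-Fi case described above: the appliance will reach the internet but will not have Layer-2 adjacency.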
Choose a deployment method
- Create the Gen2 VM, attach both VHDX disks, and apply every required setting (Secure Boot off, MAC spoofing on, external switch) in one scripted sequence with New-VM and friends.
- Use the New Virtual Machine wizard in Hyper-V Manager, attach both disks, and set Secure Boot, MAC spoofing, and the switch yourself — no PowerShell required.