VMware vSphere — Command Line (CLI)¶

Deploy the RTA from the command line using VMware OVF Tool (ovftool). This is the fastest path for scripted or repeated deployments — a single command pulls the OVA and registers the VM on the target vCenter or ESXi host.

Before you start

Review the VMware vSphere overview. You'll need the OVA URL or file path, the vCenter/ESXi hostname, datastore name, and network port group name from your engagement lead.

Prerequisites¶

ovftool 4.6+ — download from the Broadcom Developer Portal. Verify: ovftool --version
vCenter Server or standalone ESXi credentials with permission to create VMs.

Deploy with ovftool¶

To vCenter Server (recommended)¶

ovftool \
  --acceptAllEulas \
  --noSSLVerify \
  --name=rta \
  --datastore=<DATASTORE> \
  --network=<NETWORK> \
  --diskMode=thin \
  --powerOn \
  <OVA_URL_OR_PATH> \
  "vi://<USER>@<VCENTER_HOST>/<DATACENTER>/host/<CLUSTER_OR_HOST>/"

Replace the placeholders:

Placeholder	Value (from engagement lead)
`<OVA_URL_OR_PATH>`	Download URL or local `.ova` path
`<USER>`	vCenter username (e.g. `administrator@vsphere.local`)
`<VCENTER_HOST>`	vCenter Server FQDN or IP
`<DATACENTER>`	Datacenter name as shown in vSphere Client
`<CLUSTER_OR_HOST>`	Cluster name or ESXi hostname within that datacenter
`<DATASTORE>`	Datastore name
`<NETWORK>`	Port group name with L2 access to engagement targets

ovftool will prompt for your vCenter password. To supply it non-interactively, embed it in the URI: vi://<USER>:<PASSWORD>@<VCENTER_HOST>/... — avoid this on shared systems where the command line is visible in process listings.

To a standalone ESXi host¶

ovftool \
  --acceptAllEulas \
  --noSSLVerify \
  --name=rta \
  --datastore=<DATASTORE> \
  --network=<NETWORK> \
  --diskMode=thin \
  --powerOn \
  <OVA_URL_OR_PATH> \
  "vi://<USER>@<ESXI_HOST>/"

ESXi direct: inject OVF environment on power-on

When targeting a standalone ESXi host (not vCenter), ESXi has no parameter cache. If the OVA uses OVF environment properties, add --X:injectOvfEnv and --powerOn together so the properties are injected at first boot. The RTA OVA does not use OVF properties, so this is not required for standard deployments — but keep it in mind if you see property-related errors.

Power on¶

If you did not pass --powerOn to ovftool:

govc vm.power -on rta
# or via the vSphere Client: right-click the VM → Power On

Verify¶

# Check VM power state
govc vm.info rta

# Get the VM's IP address once the appliance has booted
govc vm.ip rta

The appliance is customized for your engagement, so it boots already registered and connects to the Sophos headend automatically — no activation step. To check its status, open the VM console (it shows a live status and troubleshooting dashboard):

govc vm.console rta   # opens a URL to the VMRC web console

Network access¶

The appliance makes one connection to do its job: an outbound tunnel to the Sophos headend. Nothing inbound is ever required — you never open or forward any ports to the appliance.

Allow this outbound destination


Destination	`connect.remotetesting.secureworks.com`
IP addresses	`3.33.194.251` and `15.197.255.2` (static — these do not change)
Port / protocol	TCP 443, carrying OpenVPN (not HTTPS)
Direction	Outbound only

Allow egress on TCP/443 to that destination from the appliance's network. On a next-generation firewall or NAC-controlled network, an L3 "allow 443" rule is often not enough — Layer-7 application control, TLS/SSL decryption, or NAC can still drop the tunnel even when the port is open. See Connectivity Troubleshooting for the exact firewall and NAC exceptions to request.

Troubleshooting¶

Deployed but something isn't right?

See VMware vSphere troubleshooting for the most common issues on this platform and how to fix them.