# Deployment

## Deployment Process Overview

* A decision is made to engage in a Vectra Respond UX trial or purchase.
* A welcome email will be sent after Vectra deploys a customer-specific tenant where you can access the Respond UX.
  * The customer admin should validate access and configure additional user accounts and/or set up SAML SSO and role mapping for additional users as required. See [Respond UX initial login](#respond-ux-initial-login) for details.
  * Non-network data sources can be configured at any time.
* For network data sources:
  * A Vectra Brain appliance is deployed by the customer or with the assistance of Vectra or a partner.
    * The Brain must either be deployed in a state ready to be linked to the Vectra cloud or Vectra will assist with conversion of Brain appliances to the ready state.
    * See [Converting Your Brain to Ready It for Linking to the Respond UX](#converting-your-brain-to-ready-it-for-linking-to-the-respond-ux).
  * After the Brain is ready to be linked, Vectra links the Brain with your Vectra tenant.
  * All network data sources and graphical functionality are managed through the Respond UX.
    * There should be no requirement to access the Quadrant UX GUI before your Brain is linked to your Vectra tenant. The Quadrant UX is served from a Brain appliance locally before it is linked with Vectra for a Respond UX for Network deployment (using network data sources with the Respond UX).

{% hint style="warning" %}
Do **NOT** pair network Sensors or forward traffic to the Brain before it has been linked to the Vectra cloud.

* If you go into the Quadrant UX on your Brain locally to pair network Sensors before it has been linked with Vectra’s cloud, it is possible for state information to become out of sync between the local Brain and Vectra’s cloud during the linking process.

* As part of the linking process, a factory reset is issued to ensure that there will be no state sync issues.
  * All data on the local Brain that hasn’t been backed up elsewhere will be lost.
  * IP configuration and remote support VPN state will be kept during a factory reset.
  * Any proxy configuration will be cleared as part of this reset process.
    * If proxy settings were previously configured, they will need to be reconfigured.
      {% endhint %}

* Sensors are added and network traffic capture is initiated.
  * This should be done **AFTER** linking your Brain with Vectra.

* **Backup configuration (required for network data sources)**
  * Some parts of your deployment (metadata, detections, triage rules, etc.) are backed up in Vectra’s cloud, but the Brain appliance must still be backed up locally in your environment.
  * Please see [Backing up your Brain](#_Backing_up_your) in [Recommended next steps](https://docs.vectra.ai/deployment/getting-started/respond-ux-deployment-guide/recommended-next-steps) after deployment is completed for additional guidance.

## Respond UX Initial Login

Once your Vectra tenant has been created, you will receive a welcome email from <no-reply@vectra.ai> with initial login details for the Respond UX. This will include a temporary password that expires in 7 days.

* Please log in within 7 days and create a permanent password.
  * Passwords must be between 8 and 128 characters and contain at least: 1 number, both lowercase and uppercase letters, and 1 symbol (e.g. \~!@#$%^&\*,.?-\_+=).
* If SAML SSO is desired for admin and analyst access, please see either of the following articles to configure SAML 2.0 based SSO.
  * [Setup SAML SSO with any IdP (Respond UX)](https://docs.vectra.ai/configuration/access/saml-sso-rux/any-idp-saml-rux)
  * [Setup SAML SSO with Azure AD (Respond UX)](https://docs.vectra.ai/configuration/access/saml-sso-rux/entra-id-azure-ad-saml-rux)
  * [Setup SAML SSO with Okta (Respond UX)](https://docs.vectra.ai/configuration/access/saml-sso-rux/okta-saml-rux)
  * [Setup SAML SSO with Keycloak (Respond UX)](https://docs.vectra.ai/configuration/access/saml-sso-rux/keycloak-saml-rux)
  * [Setup SAML SSO with ADFS (Respond UX)](https://docs.vectra.ai/configuration/access/saml-sso-rux/adfs-saml-rux)

## Brain Deployment

### Requirements and Documentation Links

Per the [introduction and overview](https://docs.vectra.ai/deployment/getting-started/respond-ux-deployment-guide/introduction-and-overview) earlier, when using network data sources, a Brain appliance must be deployed in your environment. The Brain appliance can be physical or virtual.

* For physical Brain appliances:
  * You will need CLI (Command Line Interface) access to the appliance.
  * The initial configuration at the CLI is covered in the Quick Start Guide for your appliance.
  * Please refer to that guide to configure an IP address, network mask, default gateway, and proxy (if required) on the Brain.
  * See [NDR physical appliances](https://docs.vectra.ai/deployment/ndr-physical-appliances) for quick start guides for appliances:
    * Physical appliances must be B-Series or X-Series to be used as a Brain or in Mixed-Mode.
    * The quick start physical appliance guides are meant just for getting the appliance installed and available on your network.
* For virtual Brains deployed in IaaS clouds:
  * CLI access will be required if a proxy needs to be set for the Brain to communicate with Vectra.
  * Please see the appropriate deployment guide below for your supported IaaS cloud:
    * [AWS Brain Deployment Guide](https://docs.vectra.ai/deployment/ndr-virtual-cloud-appliances/aws-brain)
    * [Azure Brain Deployment Guide](https://docs.vectra.ai/deployment/ndr-virtual-cloud-appliances/azure-brain)
    * [GCP Brain Deployment Guide](https://docs.vectra.ai/deployment/ndr-virtual-cloud-appliances/gcp-brain)
    * All [NDR virtual / cloud appliances](https://docs.vectra.ai/deployment/ndr-virtual-cloud-appliances)
* For virtual Brains deployed in traditional hypervisor environments such as VMware or Nutanix:
  * This will require CLI access to set a static IP and DNS if you used DHCP for the initial boot process or plan to use a proxy for Brain to Vectra communications.
  * You can set an IP and DNS statically during OVA deployment.
  * Please see the [VMware Brain Deployment Guide](https://docs.vectra.ai/deployment/ndr-virtual-cloud-appliances/vmware-brain) or [Nutanix Brain Deployment Guide](https://docs.vectra.ai/deployment/ndr-virtual-cloud-appliances/nutanix-brain)
    * All [NDR virtual / cloud appliances](https://docs.vectra.ai/deployment/ndr-virtual-cloud-appliances)

You may have already configured DNS following the quickstart for your physical appliance or the deployment guide for your virtual Brain. If you did not configure DNS as part of your initial Brain deployment, this guide will cover configuration of DNS later in the [*Data Sources → Network → Brain Setup*](https://docs.vectra.ai/deployment/getting-started/initial-configuration#data-sources-greater-than-network-greater-than-brain-setup) section. It is recommended to have your Brain registered in your DNS to make failover scenarios easier to deal with and to enable reverse DNS lookup.

### Proxy Support

If a proxy is required in your environment to communicate with Vectra from your Brain, this can be set at the CLI of your Brain. Log in to your Brain’s CLI using the `vectra` user account. The default password is `changethispassword` for a newly deployed Brain. For Brains deployed in IaaS clouds (AWS, Azure), part of the deployment process includes creating an SSH key pair for login as the `vectra` user. The deployment guides for Brains in IaaS clouds include instructions for how to create and use those key pairs to log in to the Brain’s CLI.

* Proxy commands (v7.9+)
  * `show proxy`
  * `set proxy config [IP or Hostname] [port] [USERNAME] [PASSWORD]`
  * `set proxy enable [on|off]`
  * Any of these with the `-h` option will show command help with syntax.

Examples:

```
vscli > set proxy config 1.1.1.1 80 testuser testpass
Saving proxy config...
Proxy config updated

vscli > show proxy
Enabled: True
Host: 1.1.1.1
Port: 80
Authentication:
Authentication enabled: True
User: testuser
Password: **********
Method: basic

vscli > set proxy enable on
Updating proxy config...
Proxy enabled
```

### Converting Your Brain to Ready It for Linking to the Respond UX

Vectra engineering will convert your Brain from the base state (where it serves the Quadrant UX locally) into a state where it can be linked to the Vectra cloud for use with the Respond UX. Some virtual Brains have an option to deploy in a Respond UX ready state where they will not serve a local Quadrant UX UI. For Brains that are not put into this Respond UX ready state, the conversion/linking is kicked off by Vectra engineering after your Brain checks in with Vectra. After Vectra links to your Brain, the Respond UX (served from Vectra’s cloud) communicates with your locally installed Brain.

Once your Brain is installed (following the instructions from your Brain Quick Start or Deployment Guide, see links in the [Requirements and Documentation Links](#requirements-and-documentation-links) above), please ensure it can communicate with Vectra.

Guidance:

* Ensure that if a proxy is required for communication with Vectra, it is configured per [Proxy Support](#proxy-support) earlier.
* Use the `debug connectivity` command at your Brain’s CLI to check connectivity to the following endpoints (from the [firewall requirements](https://docs.vectra.ai/deployment/getting-started/respond-ux-deployment-guide/firewall-requirements) earlier):
  * `update2.vectranetworks.com`
  * `api.vectranetworks.com`
  * `rp.vectranetworks.com`
  * `rs.vectranetworks.com`
  * You may also wish to check for connectivity to other Vectra cloud endpoints associated with the region of your RUX deployment. See endpoints in [firewall requirements](https://docs.vectra.ai/deployment/getting-started/respond-ux-deployment-guide/firewall-requirements).
* Use the `show version` command at your Brain’s CLI to see the current version and whether an upgrade is currently being applied.
  * New Brain versions may be in the process of downloading and preparing to be installed even while the result of the `show version` command shows `Upgrading: False`.
  * Please work with your Vectra team for additional detail. If your Brain is successful in communicating with Vectra, additional detail about the current state will be available to Vectra team members.

Examples:

```
vscli > debug connectivity -h
Usage: debug connectivity [OPTIONS] HOST PORT

Test TCP connectivity to destination host or IP through proxy if configured

Options:
  --bypass-proxy / --dont-bypass-proxy
                        Bypass proxy while testing connectivity if
                        proxy is configured
  --ssl / --no-ssl      Test connectivity to host using SSL
  --timeout FLOAT       Seconds to attempt a connection to host and
                        proxy if configured [default: 5]
  -h, --help            Show this message and exit.

vscli > debug connectivity api.vectranetworks.com 443 --ssl
Connectivity: Success
Proxy: False
SSL: True

vscli > debug connectivity update2.vectranetworks.com 443 --ssl
Connectivity: Success
Proxy: False
SSL: True

vscli > debug connectivity authgateway.uw2.public.app.prod.vectra-svc.ai 443 --ssl
Connectivity: Success
Proxy: False
SSL: True

vscli > debug connectivity main-authgateway-uw2.app.prod.vectra-svc.ai 443 --ssl
Connectivity: Success
Proxy: False
SSL: True

vscli > debug connectivity rp.vectranetworks.com 443 --ssl
Connectivity: Success
Proxy: False
SSL: True

vscli > debug connectivity rs.vectranetworks.com 443
Connectivity: Success
Proxy: False
SSL: False

vscli > debug connectivity rs.vectranetworks.com 9970
Connectivity: Success
Proxy: False
SSL: False

vscli > show version
Upgrading: False
Version: 8.0.0-12-32
```
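
The checks above are easy to get partly right (a host skipped, or a test that went direct when a proxy is mandatory), so the following added example, which is not Vectra code, reviews a saved transcript of the CLI session. The function names, the `proxy_expected` flag and the sample session are assumptions made for illustration; only the `Connectivity`, `Proxy` and `SSL` fields and the four hostnames come from this page.

```python
import re

# Hosts the page lists for the pre-link check with `debug connectivity`.
REQUIRED_HOSTS = {f"{h}.vectranetworks.com" for h in ("update2", "api", "rp", "rs")}
CMD = re.compile(r"^vscli > debug connectivity (\S+) (\d+)")  # HOST PORT first, as in the page's examples
FIELD = re.compile(r"^(Connectivity|Proxy|SSL): (\S+)")

def parse_checks(transcript):
    """Return one dict per `debug connectivity HOST PORT` command found."""
    checks, current = [], None
    for line in map(str.strip, transcript.splitlines()):
        cmd = CMD.match(line)
        if cmd:
            current = {"host": cmd.group(1), "port": int(cmd.group(2))}
            checks.append(current)
        elif line.startswith("vscli >"):
            current = None  # another command: stop attributing result fields
        elif current is not None and (field := FIELD.match(line)):
            current[field.group(1).lower()] = field.group(2)
    return checks

def review(transcript, proxy_expected=False):
    """List failed checks, checks that skipped an expected proxy, untested hosts."""
    checks, problems = parse_checks(transcript), []
    for c in checks:
        target = f"{c['host']}:{c['port']}"
        if c.get("connectivity") != "Success":
            problems.append(f"{target}: connectivity {c.get('connectivity', 'missing')}")
        if proxy_expected and c.get("proxy") != "True":
            problems.append(f"{target}: proxy not used")
    for host in sorted(REQUIRED_HOSTS - {c["host"] for c in checks}):
        problems.append(f"{host}: not tested")
    return problems

# Constructed session, not real appliance output. "Failure" is an assumed
# wording; any value other than "Success" is reported.
SAMPLE = """\
vscli > debug connectivity api.vectranetworks.com 443 --ssl
Connectivity: Success
Proxy: False
SSL: True
vscli > debug connectivity rs.vectranetworks.com 9970
Connectivity: Failure
Proxy: False
SSL: False
"""

if __name__ == "__main__":
    print("\n".join(review(SAMPLE)) or "all required checks passed")
```

Set `proxy_expected=True` when your egress policy requires the proxy, so that a check reporting `Proxy: False` is flagged even though it succeeded.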
