Requirements for VMware Sensor Deployment

To ensure that you can successfully deploy a USM Anywhere Sensor in VMware and monitor all of your VMware resources, make sure the following requirements are met.

Minimum Requirements

These are the minimum requirements to set up and configure the USM Anywhere Sensor on VMware:

  • Access to VMware ESXi 6.5 or later. The free version is sufficient.
  • Dedicated 4 CPUs and 12 GB of reserved memory.
  • Dedicated 178 GB of disk space (128 GB data device and 50 GB root device)

  • Internet connectivity to the network where you plan to install the VMware Sensor.

Important: Because the needs of a sensor differ based on the varying demands of different deployment environments and the complexity of events being processed, the number of events per second (EPS) a sensor can process varies.

Depending on your environment, you may need to deploy additional sensors to ensure that all events are processed.

Recommended Requirements

These are the recommended requirements to set up and configure the USM Anywhere Sensor on VMware:

  • A VMware vSphere or VMware vCenter user account to use for USM Anywhere Sensor configuration with an assigned role that has permissions equivalent to the read-only default role.

    Note: The read-only role enables a user limited read access to the system without any other privileges. Credentials with this assigned role enable the deployed USM Anywhere Sensor to collect vCenter and vSphere events and run asset discovery.

  • Installed VMware Tools for hosts in your vSphere or vCenter environment.

    With configured vSphere or vCenter credentials, the VMware Sensor uses the VMware APIs to run asset discovery. For hosts that do not have VMware Tools installed, the asset does not have an assigned IP address. This can result in the asset being missed from asset discovery or in duplicate assets created during subsequent discoveries. These tools also enable the sensor to collect more detailed information about the asset.

  • If Dynamic Host Configuration Protocol (DHCP Dynamic Host Configuration Protocol (DHCP) is a network protocol used to dynamically distribute network configuration parameters, such as IP addresses, for interfaces and services.) is not available, a configured static IP for the management interface and local Domain Name System (DNS) information.

    Important: AT&T Cybersecurity strongly recommends assigning a static IP address to deploy the USM Anywhere Sensor.

    If DHCP changes the IP address of the sensor, you must update all the IP addresses on all the devices that are forwarding logs to the sensor through syslog.

  • Port mirroring Method of network monitoring in which a system passively collects network traffic on the same ports as other network devices. set up for network monitoring (see Direct Traffic from Your Physical Network to the VMware Sensor for more information).
  • Administrative credentials for devices that require configuration to forward logs to the VMware Sensor.
  • Administrative credentials for remote hosts to support authenticated asset scans.
  • Configuration on firewall or other security device to send UDP or TCP syslog (if it is capable of exporting security logs through UDP or TCP syslog).
  • Network topology information to run asset discovery.
  • To access network-based intrusion detection system (NIDS) functionality on the sensor, an ethernet port on the host must be available to receive data from a Switched Port Analyzer (SPAN) or Test Access Point (TAP) port.

Sensor Ports and Connectivity

Before deploying a USM Anywhere Sensor, you must configure your firewall Virtual or physical device designed to defend against unauthorized access to data, resources, or a private network. A firewall’s primary purpose is to create segregation between two or more network resources, blocking undesirable traffic between them. permissions to enable the required connectivity for the new sensor. Initial deployment of a sensor requires that you open egress and outbound ports and protocols in the firewall for communication with USM Anywhere and AT&T Cybersecurity Secure Cloud resources. The sensor receives no inbound connections from outside the firewall.

Note: To launch the USM Anywhere Sensor web UI during the initial setup, you need to allow inbound traffic to the sensor IP address through TCP port 80. You can remove access to this port after the sensor successfully connects to USM Anywhere. You do not need to allow inbound traffic to this port from the Internet.

The following tables list the inbound and outbound ports.

Sensor Ports and Connectivity (Outbound Ports)
Type Ports Endpoints Purpose
TCP 443 Communication with AT&T Cybersecurity for initial setup and future updates of the sensor.
TCP 443 Ongoing communication with AT&T Alien Labs™ Open Threat Exchange® (OTX™).
TCP 443

Ongoing communication with OTX to retrieve vulnerability scores. Connecting to is not required but highly recommended.

OTX uses the AWS Cloudfront services. Refer to the AWS IP address ranges page when you deploy a new sensor. This page contains the current IP address ranges for the service and instructions on how to filter the addresses.

TCP 443

Your USM Anywhere subdomain

Your USM Anywhere subdomain (for AT&T TDR for Gov)

Ongoing communication with USM Anywhere.
TCP 9443 vCenter Server

Authenticate sensor to ESXi.

Connect to the vCenter for VMware configuration to gather data directly from vCenter.




Ongoing communication with USM Anywhere.

It is only necessary to allowlist the address that corresponds to the region where your USM Anywhere instance is hosted.

SSL/TCP 7100

Your USM Anywhere subdomain

Your USM Anywhere subdomain (for AT&T TDR for Gov)

Ongoing communication with USM Anywhere.
UDP 53 DNS Servers (Google Default) Ongoing communication with USM Anywhere.
UDP 123

Sync with network time protocol (NTP) services.
TCP 22 and 443 (for AT&T TDR for Gov)

SSH Program to securely log into another computer over a network, execute commands in a remote machine, and move files from one machine to another through Secure Copy (SCP). communications with the USM Anywhere remote support server.

See Troubleshooting and Remote Sensor Support for more information about remote technical support through the USM Anywhere Sensor console.

TCP 443

Allows resolution of IP addresses for geolocation services.

It is only necessary to allowlist the GeoIP address that corresponds to the region where your USMA instance is hosted.

Sensor Ports and Connectivity (Inbound Ports)

Type Ports Purpose
SSH 22 Inbound method for secure remote login from a computer to USM Anywhere.
HTTP 80 Inbound communication for HTTP traffic.
UDP (RFC 3164) 514 USM Anywhere collects data through syslog over UDP on port 514 by default.
TCP (RFC 3164) 601 Inbound communication for reliable syslog service. USM Anywhere collects data through syslog over TCP on port 601 by default.
TCP (RFC 5424) 602 USM Anywhere collects data through syslog over TCP on port 602 by default.
Traffic Mirroring 4789 Inbound communication for virtual extensible local area network (VXLAN).
WSMANS 5987 Inbound WBEM WS-Management HTTP over Secure Sockets Layer/Transport Layer Security (SSL/TLS) (NXLog).
TLS/TCP (RFC 3164) 6514 USM Anywhere collects TLS-encrypted data through syslog over TCP on port 6514 by default.
TLS (RFC 5424) 6515 USM Anywhere collects data through syslog over TLS on port 6515 by default.
TCP 9000 Inbound communication used internally for HTTP sensor traffic.
Graylog 12201 Inbound communication for Graylog Extended Log Format (GELF).

USM Anywhere IP Addresses for Allowlisting

Your sensor is connected to a USM Anywhere instance deployed in one of the Amazon Web Services (AWS) endpoint regions based on your location. If you need to configure your firewall to allow communication between the sensor and the USM Anywhere instance, refer to the following table with the reserved IP address ranges for each region.

Important: The Update Server and the AlienVault Agent always use the range no matter where your USM Anywhere is deployed. The AT&T TDR for Gov Update Server uses the range.

Note: The regional IP ranges listed in this table are limited to the control nodes (subdomain). You must also meet all requirements provided in the Sensor Ports and Connectivity (Outbound Ports) table.

AWS Regions Where USM Anywhere Instance Is Available
Code Name Reserved Static IP Address Ranges
ap-northeast-1 Asia Pacific (Tokyo)

ap-south-1 Asia Pacific (Mumbai)

ap-southeast-1 Asia Pacific (Singapore)

ap-southeast-2 Asia Pacific (Sydney)

ca-central-1 Canada (Central)

eu-central-1 Europe (Frankfurt)

eu-west-1 Europe (Ireland)

eu-west-2 Europe (London)

me-central-1 Middle East (UAE)

sa-east-1 South America (São Paulo)

us-east-1 US East (N. Virginia)

us-west-2 US West (Oregon)

us-gov-west-1 AWS GovCloud (US-West)


See Create the VMware Virtual Machine