The initial setup of the Protected Theater can be completed in VMware or Hyper-V. Before you add and configure the environment, verify that the hardware you selected meets the Protected Theater Minimum System Requirements and that you have addressed everything listed in Before you Begin. Then complete the following three steps:
- Create the Virtual Environment (VMware or Hyper-V)
- Verify Virtualization
- Set up Networking
Create the PT Virtual Environment in VMware
- Download the Protected Theater OVA image from the Validation Platform customer portal.
- Deploy the Protected Theater OVA image into the virtual infrastructure.
If you need assistance with this, see the VMware documentation for your product version.
- Update the Virtual Hardware settings so they match the Protected Theater Requirements. The virtual machine's system requirements are the Protected Theater Requirements plus the disk image requirements. Make these changes while the virtual machine is powered off; the hardware-assisted virtualization setting below cannot be changed while the VM is running.
  - Configure the CPU, memory, and hard disk by following the guidance in the Protected Theater Minimum System Requirements.
  - For the Network adapter, select a network on which the Protected Theater can be given a static IP address.
  - Reserve all guest memory on the host to improve performance:
    - Expand the Memory section.
    - Select the Reserve all guest memory checkbox.
    If this is not possible, a less invasive adjustment is described at https://kb.vmware.com/s/article/1002586.
  - Enable nested virtualization (expose hardware-assisted virtualization to the guest). The Director validates that nested virtualization is enabled when the Protected Theater initializes and reviews the image details; the image will not boot if it is not enabled. Enabling it also makes the Protected Theater more efficient, because it reduces the virtualization work ESXi has to do by giving the Protected Theater more direct access to the hardware virtualization extensions. More information is available from VMware at https://communities.vmware.com/t5/Nested-Virtualization-Documents/Running-Nested-VMs/ta-p/2781466. In the vSphere UI, this setting is only available through the web client for ESXi.
    - Expand the CPU section.
    - Select the Expose hardware assisted virtualization to the guest OS checkbox.
  - Click OK to save your changes.
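The same virtual hardware changes can be applied and verified with VMware PowerCLI instead of clicking through the web client. The following is an added example, not Mandiant's or VMware's code; it assumes PowerCLI is installed, the OVA has already been deployed, and the server name, VM name and sizing values shown are placeholders to be replaced with your own. The "Reserve all guest memory" and "Expose hardware assisted virtualization" checkboxes correspond to the MemoryReservationLockedToMax and NestedHVEnabled properties of the VM configuration spec.

```powershell
# Added example (not Mandiant's or VMware's code): apply the VMware settings from the
# steps above with PowerCLI, then verify them. All values below are placeholders.
$VIServer = 'vcenter.example.com'   # vCenter or ESXi host (placeholder)
$VMName   = 'protected-theater'     # name of the VM deployed from the OVA (placeholder)
$NumCpu   = 8                       # size per the Minimum System Requirements (placeholder)
$MemoryGB = 12                      # size per the Minimum System Requirements (placeholder)

Connect-VIServer -Server $VIServer | Out-Null

$vm = Get-VM -Name $VMName
# Hardware-assisted virtualization cannot be changed while the VM is powered on.
if ($vm.PowerState -ne 'PoweredOff') {
    throw "$VMName must be powered off before its virtual hardware is changed."
}

# CPU and memory sizing.
Set-VM -VM $vm -NumCpu $NumCpu -MemoryGB $MemoryGB -Confirm:$false | Out-Null

# "Reserve all guest memory" and "Expose hardware assisted virtualization to the
# guest OS" are two properties of the VM config spec; apply both in one reconfigure.
$spec = New-Object VMware.Vim.VirtualMachineConfigSpec
$spec.MemoryReservationLockedToMax = $true
$spec.NestedHVEnabled = $true
$vm.ExtensionData.ReconfigVM($spec)

# Verify the settings the Director checks when the Protected Theater first boots.
$cfg = (Get-VM -Name $VMName).ExtensionData.Config
$result = [pscustomobject]@{
    VM                     = $VMName
    NumCpu                 = $cfg.Hardware.NumCPU
    MemoryMB               = $cfg.Hardware.MemoryMB
    AllGuestMemoryReserved = $cfg.MemoryReservationLockedToMax
    NestedHVEnabled        = $cfg.NestedHVEnabled
}
$result | Format-List
if (-not $result.NestedHVEnabled) {
    Write-Error 'Nested virtualization is still disabled; the Protected Theater image will not boot.'
}
```

After the script runs, the same values can be confirmed in the web client under the VM's CPU and Memory sections, which is useful when a policy requires a second person to check the configuration.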
Create the PT Virtual Environment in Hyper-V
- Download the Protected Theater VHD image from Actor and Protected Theater Downloads.
- Extract the VHD and then copy it to your desired location. If you have a standard virtual machines folder, we suggest you use that.
- Create the Virtual Machine in Hyper-V.
- Click New > Virtual Machine.
- Click Next.
- Enter a Name for your Protected Theater virtual machine and (optional) select the Location where the virtual machine should be stored. Then click Next.
- Specify Generation. Generation 1 is recommended. Then click Next.
- Assign Memory. 12288 MB may be adequate, depending on your baseline OS requirements. For additional details, see Protected Theater Minimum System Requirements. Then click Next.
  Do NOT select Use Dynamic Memory for this virtual machine.
- Select your network Connection. Then click Next.
- Choose Use an existing virtual hard disk, navigate to the disk's location, and then click Next.
Hyper-V example: Connecting a Virtual Hard Disk to a new Virtual Machine
- Verify everything is configured as expected and then click Finish. The virtual machine will display and be selected in the Virtual Machines list.
- Update the Virtual Machine's Processor info.
- Select your Protected Theater Virtual Machine and click Settings.
- Click Processor, adjust the Number of virtual processors to more than 4, click Apply, and click OK.
Hyper-V: Adding processors to a virtual machine
- Expose the Virtualization Extensions for your VM. The virtual machine must be turned off for this setting to be applied.
  - Open a Windows PowerShell Admin window.
  - Run the following command, replacing <VMName> with the name you gave the virtual machine:
    Set-VMProcessor <VMName> -ExposeVirtualizationExtensions $true
- Start the Virtual Machine by selecting the VM in Hyper-V Manager, clicking Connect, and then clicking Start in the console window that opens.
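The Hyper-V steps above can also be done end to end in an elevated PowerShell window on the Hyper-V host, which makes it easy to confirm the three settings the Protected Theater depends on (Generation 1, fixed memory, nested virtualization) before the first boot. The following is an added example, not Mandiant's or Microsoft's code; the VM name, paths, switch name and sizes are placeholders, and the memory and processor values should be taken from the Protected Theater Minimum System Requirements.

```powershell
# Added example (not Mandiant's or Microsoft's code): create the Protected Theater VM
# from the extracted VHD with the Hyper-V cmdlets, matching the Hyper-V Manager steps
# above, then verify its settings before starting it. All values are placeholders.
$VMName      = 'Protected-Theater'
$VhdPath     = 'D:\Hyper-V\Virtual Hard Disks\protected-theater.vhd'  # extracted VHD (placeholder)
$VmFolder    = 'D:\Hyper-V'                                           # VM configuration folder (placeholder)
$SwitchName  = 'External'                                             # virtual switch on a static-IP-capable network (placeholder)
$MemoryBytes = 12288MB                                                # 12288 MB, from the steps above
$ProcCount   = 8                                                      # more than 4, from the steps above

# Generation 1, the chosen network connection, and the existing virtual hard disk.
New-VM -Name $VMName -Generation 1 -MemoryStartupBytes $MemoryBytes `
       -VHDPath $VhdPath -Path $VmFolder -SwitchName $SwitchName | Out-Null

# Do NOT use dynamic memory; nested virtualization needs a fixed allocation.
Set-VMMemory -VMName $VMName -DynamicMemoryEnabled $false -StartupBytes $MemoryBytes

# Processor count and the virtualization extensions. ExposeVirtualizationExtensions
# can only be changed while the VM is off, which a freshly created VM is.
Set-VMProcessor -VMName $VMName -Count $ProcCount -ExposeVirtualizationExtensions $true

# Verify everything the Director will expect before the first boot.
$vm   = Get-VM -Name $VMName
$proc = Get-VMProcessor -VMName $VMName
$mem  = Get-VMMemory -VMName $VMName
$check = [pscustomobject]@{
    State                = $vm.State
    Generation           = $vm.Generation
    VirtualProcessors    = $proc.Count
    NestedVirtualization = $proc.ExposeVirtualizationExtensions
    DynamicMemory        = $mem.DynamicMemoryEnabled
    StartupMemoryMB      = $mem.Startup / 1MB
}
$check | Format-List

if ($check.Generation -eq 1 -and $check.NestedVirtualization -and
    -not $check.DynamicMemory -and $check.VirtualProcessors -gt 4) {
    Start-VM -Name $VMName
} else {
    Write-Error 'VM settings do not meet the Protected Theater requirements; not starting it.'
}
```

If an existing VM was created through Hyper-V Manager instead, skip the New-VM line; the Set-VMMemory, Set-VMProcessor and verification steps apply unchanged, provided the VM is turned off first.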
Set up networking
After you confirm that virtualization is enabled, you can set up the Protected Theater networking. Choose an option, depending on whether you want to control your OS network settings or have Mandiant control them:
- Control your OS network settings: In the vsetnet tool, you only select the management interface to use. You are responsible for manually configuring the host's networking settings outside of vsetnet.
- Let Mandiant control your OS network settings: You select the interface, and then vsetnet prompts you for the network settings to use. This is done so the Actor software can make the required changes to the OS networking.
Follow these steps, regardless of the option you chose:
- Connect to the Protected Theater environment using SSH.
- Set up the network configuration by running the following command:
  $ sudo vsetnet
- Choose your preferred option. Whichever option you choose:
  - We recommend using ens192 for the (management) interface.
  - Use a static IP address.
  - Only one IP address is necessary for Protected Theaters.
- Customer-controlled OS network settings:
  - Enter no when prompted for Verodin (Mandiant) control of network files, then press Enter.
  - Select the primary interface (ens192) and press Enter.
  - Enter no when prompted for the test data interface, then press Enter.
  After these steps, Verodin services restart and your network configuration is updated.
  The following output is provided as an example. The network values are placeholders and should not be used for your specific network configuration.
  $ sudo vsetnet
  - Verodin Network Configuration -
  Will Verodin control the network configuration files? (yes|no): no
  Selecting the primary management interface.
  Available Interfaces:
  ens192 - IP: MGMT_IP_ADDRESS - MAC: MAC_ADDRESS
  Which interface do you want to use for management: ens192
  Configure Second Interface for Test Data (yes|no): no
  Restarting Verodin services...
- Mandiant-controlled OS network settings:
  - Enter yes when prompted for Verodin (Mandiant) control of network files, then press Enter.
  - Select the primary interface (ens192) and press Enter.
  - Enter network values for:
    - IP Address or DHCP
    - Network Mask
    - Gateway
    - Nameserver IP Address (typically a DNS server)
  - Enter no when prompted for the test data interface, then press Enter.
  After these steps, Verodin services restart and your network configuration is updated.
  The following output is provided as an example. The network values are placeholders and should not be used for your specific network configuration.
  $ sudo vsetnet
  - Verodin Network Configuration -
  Will Verodin control the network configuration files? (yes|no): yes
  Selecting the primary management interface.
  Available Interfaces:
  ens192 - IP: 192.0.2.2 - MAC: 00:00:5E:00:53:00
  Which interface do you want to use for management: ens192
  Enter IP Address or DHCP: MGMT_IP_ADDRESS
  Enter Network Mask: NETWORK_MASK_ADDRESS
  Enter Gateway: GATEWAY_ADDRESS
  Enter Nameserver IP Address: NAMESERVER_IP_ADDRESS
  Configure Second Interface for Test Data (yes|no): no
  Restarting Verodin services...
- Once the network settings have been established, confirm that the IP settings have changed by running the following command (or ip -4 addr show ens192 on systems without ifconfig) and noting the inet value (in this case, MGMT_IP_ADDRESS, as used in the preceding examples). Note that the broadcast field shows the subnet broadcast address, not the gateway:
  $ ifconfig
  ens192: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
          inet MGMT_IP_ADDRESS  netmask NETWORK_MASK_ADDRESS  broadcast BROADCAST_ADDRESS