vShield Installation and Upgrade Guide
vShield Manager 5.5
vShield Edge 5.5
vShield Endpoint 5.5

This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of this document, see http://www.vmware.com/support/pubs.
You can find the most up-to-date technical documentation on the VMware Web site at: http://www.vmware.com/support/
The VMware Web site also provides the latest product updates. If you have comments about this documentation, submit your feedback to: docfeedback@vmware.com

Copyright © 2010 – 2013 VMware, Inc. All rights reserved. Copyright and trademark information.

VMware, Inc.
3401 Hillview Ave.
Palo Alto, CA 94304
www.vmware.com
Contents

About this Book 5
1 Introduction to vShield 7
  vShield Components at a Glance 7
  Deployment Scenarios 10
2 Preparing for Installation 13
  System Requirements 13
  Ports Required for vShield Communication 14
  Deployment Considerations 15
3 Installing the vShield Manager 19
  Obtain the vShield Manager OVA File 19
  Install the vShield Manager Virtual Appliance 19
  Log In to the vShield Manager User Interface 20
  Set up vShield Manager 20
  Change the Password of the vShield Manager User Interface Default
7 Troubleshooting Installation Issues 47
  vShield App Installation Fails 47
  vShield Data Security Installation Fails 48
Index 49
About this Book

This manual, the vShield Installation and Upgrade Guide, describes how to install and configure the VMware® vShield™ system by using the vShield Manager user interface, the vSphere Client plug-in, and the command line interface (CLI). The information includes step-by-step configuration instructions and suggested best practices.

Intended Audience

This manual is intended for anyone who wants to install or use vShield in a VMware vCenter environment.
Technical Support and Education Resources

The following technical support resources are available to you. To access the current version of this book and other books, go to http://www.vmware.com/support/pubs.

Online and Telephone Support

To use online support to submit technical support requests, view your product and contract information, and register your products, go to http://www.vmware.com/support.
1 Introduction to vShield

This chapter introduces the VMware® vShield™ components you install.

This chapter includes the following topics:
- “vShield Components at a Glance,” on page 7
- “Deployment Scenarios,” on page 10

vShield Components at a Glance

VMware vShield is a suite of security virtual appliances built for VMware vCenter Server integration.
vShield App

vShield App is a hypervisor-based firewall that protects applications in the virtual datacenter from network-based attacks. Organizations gain visibility and control over network communications between virtual machines. You can create access control policies based on logical constructs such as VMware vCenter™ containers and vShield security groups—not just physical constructs such as IP addresses.
Figure 1‑1. Multi-Interface Edge (diagram labels: DMZ network, Accounting network, Engineering network, Marketing network, Internet, MPLS VPN, Interface 1 through Interface 6, DNS, DHCP, VPN, High availability, Load Balancing, vShield Edge)

vShield Endpoint

vShield Endpoint offloads antivirus and anti-malware agent processing to a dedicated secure virtual appliance delivered by VMware partners.
Figure 1‑2. vShield Endpoint Installed on an ESX Host (diagram callouts: third-party service virtual appliance deployed on each host to provide endpoint services; vShield Endpoint hypervisor module deployed on each host)

vShield Data Security

vShield Data Security provides visibility into sensitive data stored within your organization's virtualized and cloud environments.
Isolating and Protecting Internal Networks

You can use a vShield Edge to isolate an internal network from the external network. A vShield Edge provides perimeter firewall protection and edge services to secure virtual machines in a port group, enabling communication to the external network through DHCP, NAT, and VPN.
Common Deployments of vShield App

You can use vShield App to create security zones within a vDC. You can impose firewall policies on vCenter containers or Security Groups, which are custom containers you can create by using the vShield Manager user interface. Container-based policies enable you to create mixed-trust-zone clusters without requiring an external physical firewall.
2 Preparing for Installation

This chapter provides an overview of the prerequisites for successful vShield installation.

This chapter includes the following topics:
- “System Requirements,” on page 13
- “Ports Required for vShield Communication,” on page 14
- “Deployment Considerations,” on page 15

System Requirements

Before you install vShield in your vCenter Server environment, consider your network configuration and resources.
- VMware ESX 5.0 or later for each server. For VXLAN virtual wires, you need VMware ESX 5.1 or later.
- VMware Tools. For vShield Endpoint and vShield Data Security, you must upgrade your virtual machines to hardware version 7 or 8 and install VMware Tools 8.6.0 released with ESXi 5.0 Patch 3. For more information, see “Install VMware Tools on the Guest Virtual Machines,” on page 34.
Deployment Considerations

Consider the following recommendations and restrictions before you deploy vShield components.

Deployment Considerations for vShield

This topic describes deployment considerations for vShield components.

Preparing Virtual Machines for vShield Protection

You must determine how to protect your virtual machines with vShield.
- 80/TCP and 443/TCP for using the vShield Manager user interface and initiating connections to the vSphere SDK
- 22/TCP for communication between vShield Manager and vShield App, and for troubleshooting from the CLI

Hardening Your vShield Virtual Machines

You can access the vShield Manager and other vShield components by using a web-based user interface, a command line interface, and a REST API. vShield includes default login credentials for each of these access options.
VMware recommends that you let vShield App run during normal operations and use the vShield App Flow Monitoring tool for baseline knowledge of the traffic flowing in and out of your virtual network. You can then add rules according to the needs of your network. Enabling the SpoofGuard feature of vShield App allows you to authorize the IP addresses reported by VMware Tools, and alter them if necessary to prevent spoofing.
3 Installing the vShield Manager

VMware vShield provides firewall protection, traffic analysis, and network perimeter services to protect your vCenter Server virtual infrastructure. vShield virtual appliance installation has been automated for most virtual datacenters. The vShield Manager is the centralized management component of vShield. You use the vShield Manager to monitor and push configurations to vShield App, vShield Endpoint, and vShield Edge instances.
Prerequisites
You must have been assigned the Enterprise Administrator or vShield Administrator role.

Procedure
1 Log in to the vSphere Client.
2 Create a port group to home the management interface of the vShield Manager.
  The vShield Manager management interface, vCenter Server, and ESXi hosts must be reachable by all future vShield Edge, vShield App, and vShield Endpoint instances.
3 Select File > Deploy OVF Template.
Prerequisites
- You must have a vCenter Server user account with administrative access to synchronize vShield Manager with the vCenter Server. If your vCenter password has non-ASCII characters, you must change it before synchronizing the vShield Manager with the vCenter Server.
- To use SSO on vShield Manager, you must have vCenter Server 5.1 or above, and the single sign-on service must be installed on the vCenter Server.

Procedure
1 Log in to the vShield Manager.
e Click the Sites button.
f Type the IP address of the vShield Manager and click Add.
g Click Close.
h Click OK.
i Close Internet Explorer.

The vShield Manager connects to the vCenter Server, logs on, and uses the VMware Infrastructure SDK to populate the vShield Manager inventory panel. The inventory panel is presented on the left side of the screen. This resource tree should match your VMware Infrastructure inventory panel.
9 (Optional) Type the Host Name of the backup system.
10 Type the User Name required to log in to the backup system.
11 Type the Password associated with the user name for the backup system.
12 In the Backup Directory field, type the absolute path where backups will be stored.
13 Type a text string in Filename Prefix. This text is prepended to each backup filename for easy recognition on the backup system.
4 Installing vShield Edge, vShield App, vShield Endpoint, and vShield Data Security

After the vShield Manager is installed, you can obtain licenses to activate the vShield App, vShield Endpoint, vShield Edge, and vShield Data Security components. The vShield Manager OVA package includes the drivers and files required to install these add-on components. A vShield App license allows you to use the vShield Endpoint component as well. vShield virtual appliances include VMware Tools.
Install vShield Component Licenses

You must install a CIS or vCloud Networking and Security (vCNS) license before installing vShield App and vShield Edge. The vSphere license includes a license for vShield Endpoint. You can install these licenses after vShield Manager installation is complete by using the vSphere Client.

Procedure
1 From a vSphere Client host that is connected to a vCenter Server system, select Home > Licensing.
7 Under vShield App, provide the following information.
  Datastore: Select the datastore on which to store the vShield App virtual machine files.
  Management Port Group: Select the port group to host the vShield App management interface. This port group must be able to reach the vShield Manager’s port group.
  IP Address: Type the IP address to assign to the vShield App management interface.
c Click Edit Host Profile.
d Select Networking Configuration > Host Port Group > vmservice-vmknic-pg > IP address settings > How is IPv4 address determined.
e Type the IP address as 169.254.1.1 and Subnet mask as 255.255.255.0.
f Select Networking Configuration > Host Port Group > vmservice-vmknic-pg > Determine how MAC address for vmknic should be decided.
g Select User must explicitly choose the policy option.
2 Save the host profile.
7 Configure Firewall Policy and High Availability on page 32
  You can change the default firewall policy, which blocks all incoming traffic.
8 Confirm Settings and Install the vShield Edge on page 33
  Before you install the vShield Edge, review the settings you entered.

Open the Add Edge Wizard

Open the Add Edge wizard to install and configure a vShield Edge instance.

Procedure
1 Log in to the vSphere Client.
2 (Optional) Click Enable SSH access if required.
3 Click Next.
  The Edge Appliances page appears.

Add Appliances

You must add an appliance before you can deploy a vShield Edge. If you do not add an appliance when you install vShield Edge, vShield Edge remains in an offline mode until you add an appliance.

Prerequisites
For high availability, verify that the resource pool has enough capacity for both HA virtual machines to be deployed.
Add Internal and Uplink Interfaces

You can add up to ten internal and uplink interfaces to a vShield Edge virtual machine.

Procedure
1 On the Interfaces page, click the Add icon and type a name for the interface.
2 Select Internal or Uplink to indicate whether this is an internal or external interface.
  You must add at least one internal interface for HA to work.
Configure the Default Gateway

Provide the IP address for the vShield Edge default gateway.

Procedure
1 On the Default Gateway page, select Configure Default Gateway.
2 Select the interface that can communicate with the next hop or gateway IP address.
3 Type the IP address for the default gateway.
4 In MTU, the default MTU for the interface you selected in Step 2 is displayed.
4 If you selected Enable HA on the Name & Description page, complete the Configure HA parameters section.
  vShield Edge replicates the configuration of the primary appliance for the standby appliance and ensures that the two HA vShield Edge virtual machines are not on the same ESX host even after you use DRS and vMotion.
- The vShield-Endpoint-Mux-Partners rule may be used by partners to install a host component. It is disabled by default.

Install VMware Tools on the Guest Virtual Machines

VMware Tools includes the vShield Thin Agent, which must be installed on each guest virtual machine to be protected. Virtual machines with VMware Tools installed are automatically protected whenever they are started up on an ESX host that has the security solution installed.
3 Click the vShield tab.
4 Click Install next to vShield Data Security.
5 Select the vShield Data Security checkbox.
6 Under vShield Data Security, enter the following information.
  Datastore: Select the datastore on which to add the vShield Data Security service virtual machine.
  Management Port Group: Select the port group to host the vShield Data Security’s management interface.
5 Uninstalling vShield Components

This chapter details the steps required to uninstall vShield components from your vCenter inventory.
Procedure
1 Log in to the vSphere Client.
2 Select a datacenter resource from the inventory tree.
3 Click the Network Virtualization tab.
4 Click Edges.
5 Click the Delete icon.

Uninstall a vShield Data Security Virtual Machine

After you uninstall the vShield Data Security virtual machine, you must uninstall the virtual appliance according to the instructions from the VMware partner.

Procedure
1 Log in to the vSphere Client.
6 Upgrading vShield

To upgrade vShield, you must first upgrade the vShield Manager, then update the other components for which you have a license.

This chapter includes the following topics:
- “Upgrade vShield Manager,” on page 39
- “Upgrade vShield App,” on page 44
- “Upgrade vShield Edge from 5.0.x to 5.5.
3 Create Post-Upgrade Backup on page 42

Starting from version 5.1, vShield Manager requires an upgrade to its virtual hardware. This virtual hardware upgrade is not automatically performed as part of the vShield upgrade process for vShield Manager versions 5.0.x or below. Architectural changes for improved scalability, performance, and increased logging and reporting capabilities require an upgrade of vShield Manager's virtual hardware.
14 In the CLI, follow the output of the show manager log command. After you see the maintenance-fscleanup: Filesystem cleanup successful message, log in to the vShield Manager user interface.
  The upgrade process restarts the vShield Manager service, so you might lose connectivity to the vShield Manager user interface. None of the other vShield components are restarted.
Firewall feature in prior version: Firewall rules included High and Low precedence rules. Non-namespace port group rules had None precedence.
Result of upgrade to version 5.1: High and Low precedence rules are not supported. After upgrade, all non-default precedence rules are changed to None precedence.

Firewall feature in prior version: A single SpoofGuard global setting was applied across all datacenters in the inventory.
Result of upgrade to version 5.1: SpoofGuard global settings are applied to each namespace.
5 Configure the vShield Manager Backups page to view the backups currently stored on the ftp/sftp server.
6 Identify the vShield Manager backup created earlier and click Restore.

Install 5.1.2a Maintenance Patch

If you are using vShield version 5.1.2, you must install the 5.1.2a patch.

Procedure
1 Download the vShield 5.1.2a maintenance patch to a location to which vShield Manager can browse.
13 Click Browse and select the file you downloaded in Step 11.
14 Follow Step 6 through Step 9.

Upgrade vShield Manager to Version 5.5

Prerequisites
You can upgrade to vShield Manager 5.5 only from version 5.1.2 and later. If you have a prior version of vShield Manager in your environment, you must upgrade to vShield Manager version 5.1.2 or later before upgrading to vShield Manager version 5.5.
7 Click Install.

NOTE During vShield App upgrade, the ESXi host is placed into Maintenance Mode and rebooted. Ensure that virtual machines on the ESXi host are migrated (using DRS or vMotion), or that they are powered off, to allow the host to be placed into Maintenance Mode.

What to do next
Inspect each upgraded rule to ensure it works as intended. For information on adding new firewall rules, see the vShield Administration Guide.

Upgrade vShield Edge from 5.0.x to 5.5.
Upgrade vShield Endpoint

To upgrade vShield Endpoint from 5.0 to a later version, you must first upgrade vShield Manager, then update vShield Endpoint on each host in your datacenter.

Procedure
1 Log in to the vSphere Client.
2 Select Inventory > Hosts and Clusters.
3 Select the host on which you want to upgrade vShield Endpoint.
4 Click the vShield tab.
7 Troubleshooting Installation Issues

This section describes installation issues.

This chapter includes the following topics:
- “vShield App Installation Fails,” on page 47
- “vShield Data Security Installation Fails,” on page 48

vShield App Installation Fails

Installing vShield App results in an error.

Problem
vShield App installation may fail due to a previous incomplete installation or problems during uninstallation of a previous version.
6 (Optional) Reboot the ESX host if you saw the following error when installing vShield App:
  vShield App installation encountered error while installing vib
9 Delete the vmservice-vswitch that was created during the install by following the steps below.
  a Log in to the vSphere Client.
  b Select the ESX host from the inventory tree.
  c Click the Configuration tab.
  d In the Software panel, click Networking.