Setup guide
Deployment Considerations
Consider the following recommendations and restrictions before you deploy vShield components.
Deployment Considerations for vShield
This topic describes deployment considerations for vShield components.
Preparing Virtual Machines for vShield Protection
You must determine how to protect your virtual machines with vShield. As a best practice, you should
prepare all ESX hosts within a DRS cluster for vShield App, vShield Endpoint, and vShield Data Security
depending on the vShield components you are using. You must also upgrade your virtual machines to
hardware version 7 or 8.
Consider the following questions:
How Are My Virtual Machines Grouped?
You might consider moving virtual machines to port groups on a vDS or a different ESX host to group
virtual machines by function, department, or other organizational need to improve security and ease
configuration of access rules. You can install vShield Edge at the perimeter of any port group to isolate
virtual machines from the external network. You can install a vShield App on an ESX host and configure
firewall policies per container resource to enforce rules based on the hierarchy of resources.
Are My Virtual Machines Still Protected if I vMotion Them to Another ESX Host?
Yes, if the hosts in a DRS cluster are prepared, you can migrate machines between hosts without weakening
the security posture. For information on preparing your ESX hosts, see “Install vShield App,” on page 26.
vShield Manager Uptime
The vShield Manager should be run on an ESX host that is not affected by downtime, such as frequent
reboots or maintenance mode operations. You can use HA or DRS to increase the resilience of the vShield
Manager. If the ESX host on which the vShield Manager resides is expected to require downtime, vMotion
the vShield Manager virtual appliance to another ESX host. Thus, more than one ESX host is recommended.
Communication Between vShield Components
The management interfaces of vShield components should be placed in a common network, such as the
vSphere management network. The vShield Manager requires connectivity to the vCenter Server, ESXi host,
vShield App and vShield Edge instances, vShield Endpoint module, and vShield Data Security virtual
machine. vShield components can communicate over routed connections as well as different LANs.
VMware recommends that you install vShield Manager on a dedicated management cluster separate from
the cluster(s) that vShield Manager manages. Each vShield Manager manages a single vCenter Server
environment.
If the vCenter Server or vCenter Server database virtual machines are on the ESX host on which you are
installing vShield App, migrate them to another host before installing vShield App.
Ensure that the following ports are open:
- Port 443/TCP from, to, and among the ESX host, the vCenter Server, and vShield Data Security
- Port 123/UDP between vShield Manager and vShield App for time synchronization
- Port 443/TCP from the REST client to vShield Manager for using REST API calls
Chapter 2 Preparing for Installation
VMware, Inc. 15