vShield Quick Start Guide
vShield Manager 5.0.1
vShield App 5.0.1
vShield Edge 5.0.1
vShield Endpoint 5.0.1
This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of this document, see http://www.vmware.com/support/pubs.
You can find the most up-to-date technical documentation on the VMware Web site at: http://www.vmware.com/support/
The VMware Web site also provides the latest product updates. If you have comments about this documentation, submit your feedback to: docfeedback@vmware.com
Copyright © 2010 – 2012 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws.
Contents
About this Book 5
1 Introduction to vShield 7
  vShield Components at a Glance 7
  Deployment Scenarios 10
2 Preparing for Installation 13
  System Requirements 13
  Deployment Considerations 14
3 Installing the vShield Manager 17
  Obtain the vShield Manager OVA File 17
  Install the vShield Manager Virtual Appliance 18
  Configure the Network Settings of the vShield Manager 18
  Log In to the vShield Manager User Interface 19
  Synchronize the vShield Manager with the vCenter Server 20
  Register the vShield M
Index 39
About this Book
This manual, the vShield Quick Start Guide, describes how to install and configure the VMware® vShield™ system by using the vShield Manager user interface, the vSphere Client plug-in, and command line interface (CLI). The information includes step-by-step configuration instructions, and suggested best practices.
Intended Audience
This manual is intended for anyone who wants to install or use vShield in a VMware vCenter environment.
Services provides offerings to help you assess, plan, build, and manage your virtual environment. To access information about education classes, certification programs, and consulting services, go to http://www.vmware.com/services.
1 Introduction to vShield
This chapter introduces the VMware® vShield™ components you install. This chapter includes the following topics:
- "vShield Components at a Glance," on page 7
- "Deployment Scenarios," on page 10
vShield Components at a Glance
VMware vShield is a suite of security virtual appliances built for VMware vCenter Server integration.
- vShield Edge on page 9
  vShield Edge provides network edge security and gateway services to isolate the virtual machines in a port group, vDS port group, or Cisco Nexus 1000V. The vShield Edge connects isolated, stub networks to shared (uplink) networks by providing common gateway services such as DHCP, VPN, NAT, and Load Balancing.
vShield Edge
vShield Edge provides network edge security and gateway services to isolate the virtual machines in a port group, vDS port group, or Cisco Nexus 1000V. The vShield Edge connects isolated, stub networks to shared (uplink) networks by providing common gateway services such as DHCP, VPN, NAT, and Load Balancing.
vShield Endpoint
vShield Endpoint offloads antivirus and anti-malware agent processing to a dedicated secure virtual appliance delivered by VMware partners. Since the secure virtual appliance (unlike a guest virtual machine) doesn't go offline, it can continuously update antivirus signatures, thereby giving uninterrupted protection to the virtual machines on the host.
- Isolating and Protecting Internal Networks on page 11
  You can use a vShield Edge to isolate an internal network from the external network. A vShield Edge provides perimeter firewall protection and edge services to secure virtual machines in a port group, enabling communication to the external network through DHCP, NAT, and VPN.
- Protecting Virtual Machines in a Cluster on page 12
  You can use vShield App to protect virtual machines in a cluster.
Protecting Virtual Machines in a Cluster
You can use vShield App to protect virtual machines in a cluster. In Figure 1-3, vShield App instances are installed on each ESX host in a cluster. Virtual machines are protected when moved via vMotion or DRS between ESX hosts in the cluster. Each vApp shares and maintains state of all transmissions.
Figure 1-3.
2 Preparing for Installation
This chapter gives an overview of the prerequisites for a successful vShield installation. This chapter includes the following topics:
- "System Requirements," on page 13
- "Deployment Considerations," on page 14
System Requirements
Before you install vShield in your vCenter Server environment, consider your network configuration and resources.
For vShield Endpoint and vShield Data Security, you must upgrade your virtual machines to hardware version 7 or 8 and install VMware Tools 8.6.0 released with ESXi 5.0 Patch 1. For more information, see "Install VMware Tools on the Guest Virtual Machines," on page 28.
- VMware vCloud Director 1.0 or later
- VMware View 4.
Preparing Virtual Machines for vShield Protection
You must determine how to protect your virtual machines with vShield. As a best practice, you should prepare all ESX hosts within a resource pool for vShield App, vShield Endpoint, and vShield Data Security, depending on the vShield components you are using. You must also upgrade your virtual machines to hardware version 7 or 8.
- Command Line Interface on page 16
  You can access the vShield Manager, vShield App, and vShield Edge virtual appliances by using a command line interface via a vSphere Client console session. To access the vShield Endpoint virtual appliance, refer to the instructions from the anti-virus solution provider. You cannot access the vShield Data Security virtual machine by using the command line interface.
3 Installing the vShield Manager
VMware vShield provides firewall protection, traffic analysis, and network perimeter services to protect your vCenter Server virtual infrastructure. vShield virtual appliance installation has been automated for most virtual datacenters. The vShield Manager is the centralized management component of vShield. You use the vShield Manager to monitor and push configurations to vShield App, vShield Endpoint, and vShield Edge instances.
Install the vShield Manager Virtual Appliance
You can install the vShield Manager virtual machine on an ESX host in a cluster configured with DRS. With vShield 5.0 and later, you can install the vShield Manager in a different vCenter than the one that the vShield Manager will be interoperating with. A single vShield Manager serves a single vCenter Server environment. The vShield Manager virtual machine installation includes VMware Tools.
4 Run the setup command to open the CLI setup wizard. The CLI setup wizard guides you through IP address assignment for the vShield Manager's management interface and identification of the default network gateway. The IP address of the management interface must be reachable by all installed vShield App, vShield Edge, and vShield Endpoint instances, and by a Web browser for system management.
  manager# setup
  Use CTRL-D to abort configuration dialog at any prompt.
Synchronize the vShield Manager with the vCenter Server
Synchronize with your vCenter Server to display your VMware Infrastructure inventory in the vShield Manager user interface. You must have a vCenter Server user account with administrative access to complete this task. If your vCenter password has non-ASCII characters, you must change it before synchronizing the vShield Manager with the vCenter Server.
Change the Password of the vShield Manager User Interface Default Account
You can change the password of the admin account to harden access to your vShield Manager.
Procedure
1 Log in to the vShield Manager user interface.
2 Click Settings & Reports from the vShield Manager inventory panel.
3 Click the Users tab.
4 Select the admin account.
5 Click Update User.
6 Enter a new password.
4 Installing vShield Edge, vShield App, vShield Endpoint, and vShield Data Security
After the vShield Manager is installed, you can obtain licenses to activate the vShield App, vShield Endpoint, vShield Edge, and vShield Data Security components. The vShield Manager OVA package includes the drivers and files required to install these add-on components. A vShield App license allows you to use the vShield Endpoint component as well.
Install vShield Component Licenses
You must install licenses for vShield Edge, vShield App, and vShield Endpoint before installing these components. You can install these licenses after vShield Manager installation is complete by using the vSphere Client. A vShield App license allows you to use the vShield Endpoint component as well.
Procedure
1 From a vSphere Client host that is connected to a vCenter Server system, select Home > Licensing.
2 For the report view, select Asset.
  Netmask: Type the IP subnet mask associated with the assigned IP address.
  Default Gateway: Type the IP address of the default network gateway.
7 Select the vShield Endpoint check box.
8 Click Install.
You can follow the progress of the vShield App installation on the Recent Tasks pane of the vSphere Client screen.
c
  - Check that a DVFilter entry appears in the Incoming Connections under the Firewall panel. If no DVFilter entry appears, click Refresh.
Create a host profile. For more information, see the vSphere Installation and Setup Guide.
Procedure
1 Edit the host profile.
  a In the vCenter client, select Home > Management > Host Profiles.
  b Select the profile to edit.
  c Click Edit Host Profile.
7 Under Network Interfaces, enter the following information.
  External Port Group: Select the external port group in the vDS. This port group homes a physical NIC and connects to the external network.
  IP Address: Type the IP address of the external port group.
  Subnet Mask: Type the IP subnet mask associated with the specified external IP address.
The vShield Endpoint host component adds two firewall rules to the ESX host:
- The vShield-Endpoint-Mux rule opens ports 48651 to 48666 for communication between the host component and partner security VMs.
- The vShield-Endpoint-Mux-Partners rule may be used by partners to install a host component. It is disabled by default.
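The two rulesets above, together with the DVFilter entry the host-profile step asks you to look for in the Firewall panel, are the host-side footprint that an administrator should verify after installing the vShield App and vShield Endpoint host components. The following script is an added example, not part of the VMware guide: it audits exported ESX host firewall output against what the guide states (vShield-Endpoint-Mux enabled and limited to 48651-48666, vShield-Endpoint-Mux-Partners still disabled). The assumption, mine rather than the guide's, is that the host firewall state was captured with `esxcli --formatter=csv network firewall ruleset list` and `esxcli --formatter=csv network firewall ruleset rule list`, with the column names shown in the constructed sample; adjust the column names if your esxcli build labels them differently.

```python
"""Audit ESX host firewall output for the vShield Endpoint rulesets.

Added example; not code from the VMware vShield guide. The CSV layout below
(Name,Enabled and Ruleset,Direction,Protocol,PortType,PortBegin,PortEnd) is an
assumption about `esxcli --formatter=csv network firewall ruleset ...` output,
and the sample text is constructed for this example.
"""
import csv
import io

MUX_RULESET = "vShield-Endpoint-Mux"
PARTNERS_RULESET = "vShield-Endpoint-Mux-Partners"
EXPECTED_PORTS = (48651, 48666)   # range stated in the guide

# Constructed sample: `esxcli --formatter=csv network firewall ruleset list`
RULESET_CSV = """Name,Enabled
sshServer,true
vShield-Endpoint-Mux,true
vShield-Endpoint-Mux-Partners,false
"""

# Constructed sample: `esxcli --formatter=csv network firewall ruleset rule list`
RULE_CSV = """Ruleset,Direction,Protocol,PortType,PortBegin,PortEnd
sshServer,Inbound,TCP,Dst,22,22
vShield-Endpoint-Mux,Inbound,TCP,Dst,48651,48666
"""


def parse_esxcli_csv(text):
    """Parse esxcli CSV output into a list of dicts, tolerating a trailing
    empty column (esxcli may end each line with a comma)."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({k.strip(): (v or "").strip() for k, v in row.items() if k})
    return rows


def audit_endpoint_firewall(ruleset_csv, rule_csv):
    """Return a list of findings; an empty list means the host matches the guide."""
    enabled = {r["Name"]: r["Enabled"].lower() == "true"
               for r in parse_esxcli_csv(ruleset_csv)}
    rules = parse_esxcli_csv(rule_csv)
    lo, hi = EXPECTED_PORTS
    findings = []

    # The Mux ruleset must exist and be enabled, or partner SVMs lose contact.
    if MUX_RULESET not in enabled:
        findings.append(f"{MUX_RULESET} ruleset missing: host component not installed?")
    elif not enabled[MUX_RULESET]:
        findings.append(f"{MUX_RULESET} is disabled: partner security VMs cannot reach the host component")

    # The Partners ruleset is disabled by default; enabled is worth a look.
    if enabled.get(PARTNERS_RULESET, False):
        findings.append(f"{PARTNERS_RULESET} is enabled; the guide says it is disabled by default")

    # Every Mux rule must stay inside 48651-48666; anything wider is a change.
    mux_rules = [r for r in rules if r["Ruleset"] == MUX_RULESET]
    for r in mux_rules:
        begin, end = int(r["PortBegin"]), int(r["PortEnd"])
        if begin < lo or end > hi:
            findings.append(f"{MUX_RULESET} {r['Direction']} {r['Protocol']} "
                            f"{begin}-{end} exceeds expected {lo}-{hi}")

    # If the ruleset is enabled, some inbound rule must actually cover the range.
    if enabled.get(MUX_RULESET) and not any(
            r["Direction"] == "Inbound"
            and int(r["PortBegin"]) <= lo and int(r["PortEnd"]) >= hi
            for r in mux_rules):
        findings.append(f"no inbound {MUX_RULESET} rule covers {lo}-{hi}")

    return findings


if __name__ == "__main__":
    for finding in audit_endpoint_firewall(RULESET_CSV, RULE_CSV) or ["OK: host matches the guide"]:
        print(finding)
```

Run it against the output captured from each prepared host; an empty finding list is the expected state after installation, and a finding on the Partners ruleset or on a widened port range is the cue to revisit who changed the host firewall and why.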
Procedure
1 Log in to the vSphere Client.
2 Select an ESX host from the inventory tree.
3 Click the vShield tab.
4 Click Install next to vShield Data Security.
5 Select the vShield Data Security checkbox.
6 Under vShield Data Security, enter the following information.
  Datastore: Select the datastore on which to add the vShield Data Security service virtual machine.
7
5 Uninstalling vShield Components
This chapter details the steps required to uninstall vShield components from your vCenter inventory.
2 Go to View > Inventory > Networking.
3 Click the Edge tab.
4 Click Uninstall.
Uninstall a vShield Data Security Virtual Machine
After you uninstall the vShield Data Security virtual machine, you must uninstall the virtual appliance according to the instructions from the VMware partner.
Procedure
1 Log in to the vSphere Client.
2 Select an ESX host from the inventory tree.
3 Click the vShield tab.
4 Click Uninstall for the vShield Data Security service.
6 Upgrading vShield
To upgrade vShield, you must first upgrade the vShield Manager, then update the other components for which you have a license.
9 Click Confirm Install. The upgrade process reboots vShield Manager, so you might lose connectivity to the vShield Manager user interface. None of the other vShield components are rebooted.
10 Right-click the vShield Manager virtual machine and click Open Console to open the vShield Manager command-line interface (CLI).
11 After you see the e1000_watchdog_task: NIC Link is up message, log in to the vShield Manager user interface.
12 Click the Updates tab.
In compatibility mode, the default firewall policy is applied only on the internal interface. All traffic in both directions (in/out) on external and VPN interfaces is allowed. When you switch to regular mode, the default firewall policy rules are not modified initially. When you change the firewall configuration, the default firewall rules for vShield Edge 5.0.1 are applied, where incoming traffic is blocked and outgoing traffic is allowed.
Upgrade vShield Data Security
Upgrade vShield Data Security on each host in your datacenter. It is recommended that you upgrade vShield Endpoint before upgrading vShield Data Security.
Procedure
1 Log in to the vSphere Client.
2 Go to Inventory > Hosts and Clusters.
3 Select the host on which you want to upgrade vShield App. The Summary tab displays each vShield component that is installed on the selected host and the available release.
7 vShield Installation Fails
Installing vShield App results in an error.
Problem
When a vShield App installation fails, you receive a prompt to uninstall the product.
Cause
When you uninstall vShield vApp, all required components might not be removed.
Solution
1 Click Uninstall to uninstall all vShield components. For more information, see Chapter 5, "Uninstalling vShield Components," on page 31.
2 If the error message indicated a problem in installing the VIB, reboot the ESX host.
Index

C
changing the GUI password 21
CLI
  configuring vShield Manager network settings 18
  hardening 16
client requirements 13
cluster protection 12
communication between components 15
configuring vShield Manager network settings 18

D
deployment
  cluster 12
  DMZ 11
deployment considerations 14
deployment

L
licensing
  evaluation mode 23
  installation 24
logging in to the GUI 19

P
password change 21
plug-in 20
preparing virtual machines for protection 15
protecting a cluster 12
protecting virtual machines 15

vShield App 8
vShield Edge 9
vShield Endpoint 10
vShield Manager 8
vShield App
  about 8
  common deployments 12
  installation 24
  licensing 24
  uninstall 31
vShield Data Security 10
vShield Edge
  about 9
  common deployments 12
  installation 26
  isolating networks 11
  licensing 24
  uninstall 31
vShield Endpoint
  about 10
  installation 24, 27
  installation steps 27
  licensing 24
  thin agent installation 28
  uninstall 32
  unregister SVM 32
vShield Manager
  about 8
  changing the GUI password 21
  installati