Setup guide

Preparing Virtual Machines for vShield Protection
You must determine how to protect your virtual machines with vShield. As a best practise, you should prepare
all ESX hosts within a resource pool for vShield App, vShield Endpoint, and vShield Data Security depending
on the vShield components you are using. You must also upgrade your virtual machines to hardware version
7 or 8.
Consider the following questions:
How Are My Virtual Machines Grouped?
You might consider moving virtual machines to port groups on a vDS or a different ESX host to group virtual
machines by function, department, or other organizational need to improve security and ease configuration
of access rules. You can install vShield Edge at the perimeter of any port group to isolate virtual machines from
the external network. You can install a vShield App on an ESX host and configure firewall policies per container
resource to enforce rules based on the hierarchy of resources.
Are My Virtual Machines Still Protected if I vMotion Them to Another ESX Host?
Yes, if the hosts in a resource pool are prepared, you can migrate machines between hosts without weakening
the security posture. For information on preparing your ESX hosts, see “Prepare All ESX Hosts,” on
page 24.
vShield Manager Uptime
The vShield Manager should be run on an ESX host that is not affected by downtime, such as frequent reboots
or maintenance mode operations. You can use HA or DRS to increase the resilience of the vShield Manager. If
the ESX host on which the vShield Manager resides is expected to require downtime, vMotion the vShield
Manager virtual appliance to another ESX host. Thus, more than one ESX host is recommended.
Communication Between vShield Components
The management interfaces of vShield components should be placed in a common network, such as the vSphere
management network. The vShield Manager requires connectivity to the vCenter Server, vShield App and
vShield Edge instances, vShield Endpoint module, and vShield Data Security virtual machine. vShield
components can communicate over routed connections as well as different LANs.
VMware recommends that you install vShield Manager in a different vCenter environment from the one that
vShield Manager manages. Each vShield Manager manages a single vCenter Server environment.
CAUTION Ensure that vCenter is not running on a vShield App protected host that it is managing.
Hardening Your vShield Virtual Machines
You can access the vShield Manager and other vShield components by using a web-based user interface,
command line interface, and REST API. vShield includes default login credentials for each of these access
options. After installation of each vShield virtual machine, you should harden access by changing the default
login credentials. Note that vShield Data Security does not include default login credentials.
n
vShield Manager User Interface on page 16
You access the vShield Manager user interface by opening a web browser window and navigating to the
IP address of the vShield Manager’s management port.
Chapter 2 Preparing for Installation
VMware, Inc. 15