Search the VMware Knowledge Base (KB)
View by Article ID

Re-installing NSX to upgrade vCNS Endpoint to NSX Guest Introspection (2150140)

  • 0 Ratings
Language Editions


This article explains the recommended procedure to upgrade from vCNS to NSX in the environments where vCNS is configured and used for Endpoint only.


Uninstall vShield Endpoint Components:

  1. Remove Endpoint installation from all Hosts in the environment by navigating to vSheild Manager GUI Settings > host > Summary > uninstall Endpoint.

  2. Check if the VIBs have been removed by running the command on the host:
    esxcli software vib list | grep mux

  3. Check if the vmservice-vswitch has been removed.
    Note: If it is present after the host has had Endpoint uninstalled, remove it manually via the vSphere Client. 

  4. Power down the old vSheild Manager appliance.

  5. Move any VM's off the old vSwitch that was created by vSheild (vmservice-vswitch).

  6. Delete the vSheild vSwitch. Ensure that no vms, nics, or kernels attached to the vSwitch.

  7. Log on to the ESXi host and run the command: 
    esxcli software vib remove -n epsec-mux

  8. Un-deploy the third party virtual machines that were deployed by the third party appliance manager. 

  9. Remove the old vShield Manager virtual machine.
    The hosts are now ready for a new NSX GI installation.

Installing NSX Guest Introspection:

  1. Ensure that your Endpoint solution is compatible and certified with NSX. For more information, see, VMware Compatibility Guide 

  2. Ensure that vCenter version is a minimum of 5.5 or above.

  3. Install NSX Manager, available at VMware downloads.
  4. Finish the configuration of NSX Manager (Install Manager appliance, Register VC with NSX, Register NSX with SSO).

  5. Reserve an IP address range to be used for Guest Introspection VMs and Endpoint Solution Security Virtual Appliances (SVA). 2 virtual machines will be deployed on each ESXi host.

  6. Create IP pools as needed. It is recommended to create 2 IP pools per cluster, but 2 IP pools could be used for the entire environment (GI VMs, and SVAS).

  7. To create IP pool: Navigate to Networking and Security > NSX Manager > Manage > Grouping Objects > IP Pools.

  8. Ensure that a DVS port group has been created for GI VMs and SVA VMs, which has the connectivity to vCenter, NSX Manager, Endpoint Solution, and ESXi hosts.

  9. Install a Guest introspection service deployment.

    Note: For each cluster, this deployment needs to be run for 2 times using appropriate ip pools and networks that you provisioned above. After all service deployments have been completed, you can see a new resource pool in each cluster, and 2 VM's for each ESXi host in that cluster.

  10. Create a Security group by navigating to Networking and Security > Service Composer > Security Groups.

  11. Apply a Guest Introspection Security Policy to that Security group.
    Navigate to Networking and Security > Service Composer > Security Policies. Follow the Wizard, Add a Name to the policy and a name to the Guest Introspection Service. Select Service Name > antivirus Solution and set to enforce. 

  12. Ensure that each VM is configured with VMware tools.

  13. Complete the rest of the configuration for Guest Introspection within the 3rd party Antivirus Solution.

See Also

Language Editions


Request a Product Feature

To request a new product feature or to provide feedback on a VMware product, please visit the Request a Product Feature page.


  • 0 Ratings

Did this article help you?
This article resolved my issue.
This article did not resolve my issue.
This article helped but additional information was required to resolve my issue.

What can we do to improve this information? (4000 or fewer characters)

Please enter the Captcha code before clicking Submit.
  • 0 Ratings