Installing vCloud Networking and Security 5.1.x best practices (2034173)

Purpose

This article provides best practices for installing and setting up vCloud Networking and Security 5.1.x in a vSphere environment. For more detailed information, see the vShield Installation and Upgrade guide.

Note: The guide contains the definitive information. If there is a discrepancy between the guide and this article, assume that the guide is correct.

Resolution

vShield Manager is the centralized network management component of vCloud Networking and Security, and is installed as a virtual appliance on any ESXi host in your vCenter Server environment. The vShield Manager can run on a different ESXi host from the vShield agents it manages. The requirements for vShield Manager and the other vShield components are:
 
System Requirements

Component     Minimum requirements
Memory        vShield Manager (64-bit): 8 GB allocated
              vShield App: 1 GB allocated
              vShield Edge compact: 256 MB; large: 1 GB; x-large: 8 GB
              vShield Data Security: 512 MB
Disk Space    vShield Manager: 60 GB
              vShield App: 5 GB per vShield App per ESX host
              vShield Edge compact and large: 320 MB; x-large: 4.4 GB (with 4 GB swap file)
              vShield Data Security: 6 GB per ESX host
vCPU          vShield Manager: 2
              vShield App: 2
              vShield Edge compact: 1; large and x-large: 2
              vShield Data Security: 1
 
Software Requirements
 
For the latest interoperability information, see the Product Interoperability Matrix.
 
These are the minimum required versions of VMware products to be installed with vShield 5.1:
  • vCenter Server 5.0 or later

    For VXLAN virtual wires, you need vCenter Server 5.1 or later.

  • ESX 4.1 or later for each server

    For VXLAN virtual wires, you need ESXi 5.1 or later.

  • VMware Tools

    Note: For vShield Endpoint and vShield Data Security, you must upgrade your virtual machines to hardware version 7 or 8 and install VMware Tools 8.6.0 released with ESXi 5.0 Patch 3 or later. For more information, see Installing VMware Tools on Guest Virtual Machines in the vShield Installation and Upgrade Guide.

  • VMware vCloud Director 1.5 or later
  • VMware View 4.5 or later

Client and User Access Requirements

  • PC with the vSphere Client installed
  • If you added ESXi hosts by name to the vSphere inventory, ensure that DNS servers have been configured on the vShield Manager and that name resolution is working. Otherwise, vShield Manager cannot resolve the hosts' IP addresses.
  • Permissions to add and power on virtual machines
  • Access to the datastore where you store virtual machine files, and the account permissions to copy files to that datastore
  • Cookies enabled in your web browser, to access the vShield Manager user interface
  • Port 443 must be accessible from the ESXi host, the vCenter Server, and the vShield appliances to be deployed. This port is required to download the OVF file on the ESXi host for deployment.
  • Connection to the vShield Manager user interface using one of the following supported web browsers:
    • Internet Explorer 6.x and later
    • Mozilla Firefox 1.x and later
    • Safari 1.x or 2.x

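
Worked example (added here; not VMware code): a pre-flight script for the two requirements above that most often break a deployment, name resolution for ESXi hosts that were added to vCenter by name, and TCP 443 reachability from the vShield Manager to vCenter Server and to each ESXi host. The host names are constructed placeholders, and the resolver and connector are parameters so the logic can be exercised without a live vSphere environment. Run it with the vShield Manager's own DNS settings and network position; resolution from an administrator workstation proves nothing about the Manager.

```python
"""Pre-flight checks for a vShield Manager 5.1 deployment (added example).

Checks:
  1. every ESXi host name (and the vCenter name) resolves, which the
     Manager needs whenever a host was added to vCenter by name;
  2. each required TCP port (443 by default, the port used to pull the
     appliance OVF to the host) is open to vCenter and to every ESXi host.
"""
import socket
from typing import Callable, Dict, List, Sequence

# Constructed placeholders for the example, not a real inventory.
SAMPLE_VCENTER = "vcenter.lab.example"
SAMPLE_ESXI_HOSTS = ["esxi01.lab.example", "esxi02.lab.example"]


def tcp_open(host: str, port: int, timeout: float = 3.0) -> bool:
    """Real connector: True if a TCP handshake to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def resolve_names(names: Sequence[str],
                  resolve: Callable[[str], str] = socket.gethostbyname) -> Dict[str, str]:
    """Map each name to its IPv4 address, or to "" when resolution fails."""
    out: Dict[str, str] = {}
    for name in names:
        try:
            out[name] = resolve(name)
        except OSError:          # socket.gaierror is an OSError subclass
            out[name] = ""
    return out


def preflight(vcenter: str, esxi_hosts: Sequence[str],
              ports: Sequence[int] = (443,),
              resolve: Callable[[str], str] = socket.gethostbyname,
              connect: Callable[..., bool] = tcp_open) -> List[str]:
    """Return a list of findings; an empty list means the checks passed."""
    findings: List[str] = []
    addrs = resolve_names([vcenter, *esxi_hosts], resolve)

    # 1. DNS: a host added by name that does not resolve on the Manager
    #    cannot be managed; fix the Manager's DNS or re-add the host by IP.
    for name, ip in addrs.items():
        if not ip:
            findings.append(f"DNS: {name} does not resolve; fix DNS on vShield "
                            f"Manager or add the host to vCenter by IP address")

    # 2. Ports: probe only names we could resolve.
    for name, ip in addrs.items():
        if not ip:
            continue
        for port in ports:
            if not connect(ip, port):
                findings.append(f"PORT: {name} ({ip}) tcp/{port} unreachable")
    return findings


if __name__ == "__main__":
    for line in preflight(SAMPLE_VCENTER, SAMPLE_ESXI_HOSTS) or ["preflight OK"]:
        print(line)
```

Pass the additional ports from Network port requirements for vShield 5.1 (2034339) in `ports` if you want the same script to cover the vShield App, Edge, Endpoint and Data Security paths.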
Deployment Considerations
 
Consider the following recommendations and restrictions before you deploy vShield components.
 
Preparing Virtual Machines for vShield Protection
 
You must determine how to protect your virtual machines with vShield. As a best practice, you should prepare all ESXi hosts within a DRS cluster for vShield App, vShield Endpoint, and vShield Data Security depending on the vShield components you are using. You must also upgrade your virtual machines to hardware version 7 or 8.
 
vShield Manager Deployment
 
vShield Manager should be run on an ESXi host that is not affected by downtime, such as frequent reboots or maintenance mode operations. You can use HA or DRS to increase the resilience of the vShield Manager. If the ESXi host on which the vShield Manager resides is expected to require downtime, vMotion the vShield Manager virtual appliance to another ESXi host. Thus, more than one ESXi host is recommended.
 
For more detailed information, see the vShield Installation and Upgrade guide.
 
 
Port Requirements and Hardening Your Environment
 
vShield Manager requires some ports to be open for connectivity to the vCenter Server, ESXi host, vShield App and vShield Edge instances, vShield Endpoint module, and vShield Data Security virtual machine. vShield components can communicate over routed connections as well as across different LANs. For more information on the required ports, see Network port requirements for vShield 5.1 (2034339).
 
Security Hardening
 
You can access the vShield Manager and other vShield components by using a web-based user interface, command line interface, and REST API. vShield includes default login credentials for each of these access options. After installation of each vShield virtual machine, you should harden access by changing the default login credentials.
 
Note: vShield Data Security does not include default login credentials.
 
Details on hardening each component of vShield are contained in the vShield Installation and Upgrade guide. Review and implement them thoroughly before vShield is put into production.
 
 
Installing vShield Manager

vCloud Networking and Security provides firewall protection, traffic analysis, and network perimeter services to protect your vCenter Server virtual infrastructure. vCloud Networking and Security virtual appliance installation has been automated for most virtual datacenters.

The vShield Manager is the centralized management component of vShield. You use the vShield Manager to monitor and push configurations to vShield App, vShield Endpoint, and vShield Edge instances. vShield Manager runs as a virtual appliance on an ESXi host. Installing the vShield Manager is a multistep process. You must perform all of the tasks that follow in sequence to complete vShield Manager installation successfully.

Note: To enhance your network security posture, you can obtain licenses for vShield App, vShield Endpoint, and vShield Edge. 
  1. Obtain the vShield Manager OVA File - The vShield Manager virtual machine is packaged as an Open Virtualization Appliance (OVA) file, which allows you to use the vSphere Client to import the vShield Manager into the datastore and virtual machine inventory. Deploy the OVA to install the vShield Manager virtual appliance.

  2. Configure the Network Settings of the vShield Manager - You must use the command line interface (CLI) of the vShield Manager to configure an IP address, identify the default gateway, and set DNS settings. You can specify up to two DNS servers that the vShield Manager can use for IP address and host name resolution. DNS is required if any ESX host in your vCenter Server environment was added by using the hostname (instead of IP address).

  3. Log In to the vShield Manager User Interface - After you have installed and configured the vShield Manager virtual machine, log in to the vShield Manager user interface and accept the SSL certificate.

  4. Set up vShield Manager - Specify the vCenter Server, DNS and NTP server, and Lookup server details.

    Note: The vShield Manager virtual machine does not appear as a resource in the inventory panel of the vShield Manager user interface. The Settings & Reports object represents the vShield Manager virtual machine in the inventory panel.

    Prerequisites:

    You must have a vCenter Server user account with administrative access to synchronize vShield Manager with the vCenter Server. If your vCenter password contains non-ASCII characters, you must change it before synchronizing the vShield Manager with the vCenter Server.

    To use SSO on vShield Manager, you must have vCenter Server 5.1 or later, and the Single Sign-On service must be installed on the vCenter Server.

  5. Change the Password of the vShield Manager User Interface Default Account - Change the password of the admin account to harden access to your vShield Manager: log in to the vShield Manager user interface and click Change Password in the top right corner of the window.

  6. Schedule a Backup of vShield Manager Data - You can only schedule the parameters for one type of backup at any given time. You cannot schedule a configuration-only backup and a complete data backup to run simultaneously. You can configure the backup schedule from the Configuration tab.
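
Worked example (added here; not VMware code) for the Security Hardening section and for step 5 above: a post-install check that the vShield Manager's factory default login is no longer accepted by its REST API. It assumes HTTP Basic authentication that answers 401 for rejected credentials, a Manager reachable at a constructed host name, and a read-only probe path taken from the user-management calls in the vShield API guide; the pair admin/default is the factory default documented for the 5.1 Manager account. Treat the probe path and the credential list as assumptions and adjust them to your version; the script reports an inconclusive result rather than a pass when the path is unknown to the Manager.

```python
"""Post-install check: the factory default login must be rejected (added example).

Assumptions (adjust to your environment and version):
  * VSM_HOST is the Manager's name or IP; it is a constructed placeholder here.
  * PROBE_PATH is a read-only REST call that requires authentication; the
    path is taken from the vShield API guide's user-management calls and is
    an assumption for your version.
  * DEFAULT_CREDENTIALS lists the factory defaults to test; admin/default is
    the documented default for the 5.1 Manager UI/REST account.
"""
import base64
import ssl
import urllib.request
from typing import Callable, List, Sequence, Tuple
from urllib.error import HTTPError, URLError

VSM_HOST = "vsm.lab.example"                            # constructed placeholder
PROBE_PATH = "/api/2.0/services/usermgmt/user/admin"    # assumption, see above
DEFAULT_CREDENTIALS: Sequence[Tuple[str, str]] = (("admin", "default"),)


def basic_auth_status(host: str, path: str, user: str, password: str,
                      timeout: float = 5.0) -> int:
    """GET https://host/path with HTTP Basic auth; return the HTTP status, 0 if no HTTP reply."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(f"https://{host}{path}",
                                 headers={"Authorization": f"Basic {token}"})
    # The Manager ships with a self-signed certificate (step 3 has you accept
    # it in the browser), so verification is disabled for this probe only.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return resp.status
    except HTTPError as err:        # 401/403/404 are raised, not returned
        return err.code
    except URLError:
        return 0


def default_credential_findings(host: str,
                                creds: Sequence[Tuple[str, str]] = DEFAULT_CREDENTIALS,
                                status: Callable[..., int] = basic_auth_status) -> List[str]:
    """Return one finding per problem; an empty list means every default was rejected.

    200 -> the default password still works (the finding this check exists for)
    404 -> the probe path is unknown to this Manager, so the result is inconclusive
    0   -> no HTTPS reply at all, so connectivity, not hardening, is the problem
    401 (or any other code) -> the credentials were rejected, which is the goal
    """
    findings: List[str] = []
    for user, password in creds:
        code = status(host, PROBE_PATH, user, password)
        if code == 200:
            findings.append(f"{user}: factory default password still accepted on {host}")
        elif code == 404:
            findings.append(f"{host}: {PROBE_PATH} not found; probe path is wrong "
                            f"for this version, result inconclusive")
        elif code == 0:
            findings.append(f"{host}: no HTTPS reply on tcp/443; check DNS, routing "
                            f"and the port requirements")
    return findings


if __name__ == "__main__":
    for line in default_credential_findings(VSM_HOST) or ["default credentials rejected"]:
        print(line)
```

Run the same check again after each appliance upgrade or redeployment, since a rebuilt Manager comes back with the factory password.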
 
Installing vShield Components

There are several components that make up vCloud Networking and Security. Each component has its own set of functions and is an essential part of vCloud Networking and Security. They are described below:
  • vShield App is a hypervisor-based firewall that protects applications in the virtual datacenter from network based attacks. Organizations gain visibility and control over network communications between virtual machines. You can create access control policies based on logical constructs such as vCenter Server containers and vShield security groups, not just physical constructs such as IP addresses. In addition, flexible IP addressing offers the ability to use the same IP address in multiple tenant zones to simplify provisioning.

  • vShield Edge provides network edge security and gateway services to isolate a virtualized network, or virtual machines in a port group, vDS port group, or Cisco Nexus 1000V port group. You install a vShield Edge at a datacenter level and can add up to ten internal or uplink interfaces. The vShield Edge connects isolated, stub networks to shared (uplink) networks by providing common gateway services such as DHCP, VPN, NAT, and Load Balancing. Common deployments of vShield Edge include in the DMZ, VPN Extranets, and multi-tenant Cloud environments where the vShield Edge provides perimeter security for Virtual Datacenters (VDCs).

  • vShield Endpoint offloads antivirus and anti-malware agent processing to a dedicated secure virtual appliance delivered by VMware partners. Since the secure virtual appliance (unlike a guest virtual machine) doesn't go offline, it can continuously update antivirus signatures thereby giving uninterrupted protection to the virtual machines on the host. Also, new virtual machines (or existing virtual machines that went offline) are immediately protected with the most current antivirus signatures when they come online.

  • vShield Data Security provides visibility into sensitive data stored within your organization's virtualized and cloud environments. Based on the violations reported by vShield Data Security, you can ensure that sensitive data is adequately protected and assess compliance with regulations around the world.

The configuration of each of these components is detailed in the vShield Installation and Upgrade guide. Refer to that document for more information.
