Search the VMware Knowledge Base (KB)
View by Article ID

Using vSphere Auto Deploy to configure a Stateless ESXi image for VMware vCloud Networking and Security 5.1.x and 5.5.x (2036701)

  • 2 Ratings


VMware vCloud Networking and Security 5.1.x/5.5.x provides vShield App and vShield Endpoint VIBs that can be applied to an ESXi boot image using Image Builder. This article documents how to access these VIBs, apply it to the boot image, and set up Auto Deploy. In addition, any pre/post deployment steps required to provision a fully functional stack capable of running vCloud Networking and Security 5.1.x/5.5.x solutions are also explained.


Auto Deploy can be configured to bring up a Stateless ESXi host with a certain image profile and host profile. For example, when using Image Builder, you can use Auto Deploy to bring up all hosts in a cluster with the base image profile (ESX-Base) and host profile (Host-Base) automatically.

To configure this you will need go to the vCloud Networking and Security install page on any host. You should be presented with an option to install the vShield App. Select Install VSA and configure the appropriate parameters. You can then choose to install on all hosts at this point.

Note: Before proceeding consult the product system requirements to validate the version of vShield Manager you are using to manage the vShield App, and vShield Endpoint components. For more information see Installing vCloud Networking and Security 5.1 best practices (2034173). In addition, the vShield App installation includes both vShield App and vShield Endpoint components.

Configuring a Stateless ESXi Image for vCloud Networking and Security 5.1.x/5.5.x

  1. Use the Stateless ESXi on which we successfully installed vShield App above to create a new Host Profile called Host-VSA for our example.
  2. Ensure your firewall is configured properly. vCenter Server at times might not be fast enough to pick the firewall configuration changes done on the host by the VIB. Before using the host to create a new host profile verify that the firewall changes are reflected on vCenter Server and ESXi. Go to ESX configuration > Security Profile > Firewall > Incoming Connections, and ensure an entry for DVfilter is visible. If it is not visible, click Refresh to pull the latest configurations from the host.
  3. Locate the VIBs for vCloud Networking and Security depending on the version you are using on the vShield Manager server. It should be named similar to, where XXXXXX is the file name of the build number. This file is the offline-bundle for the VSA module and is located on your vShield Manager server. For example:















    Note: After a successful vShield App installation when an ESXi host reboots the first time, it may come up with the vShield App SVM in an orphaned state. In this case reboot the ESXi host again, and the vShield App virtual machine will show the correct state.

  4. Use Image Builder to incorporate into the ESX-Base image, resulting in a new Image Profile called ESX-VSA.
  5. Create/Update a deploy rule to use ESX-VSA and Host-VSA as the profiles to provision Stateless ESXi hosts.
  6. Whenever existing Stateless ESXi hosts reboot, they will come up with the right VIB and configuration, and should work transparently.

    Note: If different ESXi hosts use different Image Profile and Host Profiles, you would need to update all of them, basically repeat the above steps for each set of profiles.

Installing vShield App on a new Stateless ESXi host

This assumes that the above steps have already been followed, and new ESXi host are already using ESX-VSA and Host-VSA profiles.

  1. Go to vShield Manager install page for the new host. You should see that vShield Apps is already installed.
  2. Select uninstall, and let it complete. vShield Manager may report an error indicating that the VIB uninstallation encountered issues. This error can be safely ignored.
  3. In the installation page, select the option to install vShield App.

    Note: Before selecting the install option, ensure that the host is not in Maintenance Mode.

  4. Select Install VSA, configure the parameters, and proceed with the installation. The installation should now be successful.

    Note: Since this host is already using ESX-VSA and Host-VSA profiles, no more steps are required to handle a reboot.

Uninstalling vShield App on a Stateless ESXi host

  1. Create/update deploy rules to use ESX-Base and Host-Base as profiles to provision Stateless ESXi.
  2. Go to vShield Manager and uninstall vShield App from all the hosts. vShield Manager may report an error indicating that the VIB uninstallation encountered issues. This error can be safely ignored. 
  3. Reboot your ESXi hosts to remove the VIB and host configuration (this is optional).

    Note: If you want to uninstall vShield App only from selected hosts, do not change the deploy rules. Uninstalling from vShield Manager is sufficient.

Additional Information

For related information, see Deploying VXLAN through Auto Deploy (2041972).

For more information on using vSphere Auto Deploy, see Understanding vSphere Auto Deploy (2005131).

See Also

Update History

09/12/2014 - Updated the Resolution section and added VMware vCloud Networking and Security 5.5.x to the Product version.

Request a Product Feature

To request a new product feature or to provide feedback on a VMware product, please visit the Request a Product Feature page.


  • 2 Ratings

Did this article help you?
This article resolved my issue.
This article did not resolve my issue.
This article helped but additional information was required to resolve my issue.

What can we do to improve this information? (4000 or fewer characters)

Please enter the Captcha code before clicking Submit.
  • 2 Ratings