Installing VMware vCloud Networking and Security 5.5.x best practices (2059449)
Note: This guide contains definitive information. If there is a discrepancy between the guide and this article, assume that the guide is correct.
| Resource | vShield Manager | vShield Edge | vShield Endpoint Service | vShield Data Security |
|---|---|---|---|---|
| Memory | 8GB allocated, 3GB reserved | compact: 512 MB, large: 1GB, x-large: 8GB | 1GB | 512 MB |
| Disk Space | 60GB | compact and large: 512 MB, x-large: 4.5GB (with 4GB swap file) | 4GB | 6GB per ESXi host |
| vCPU | 2 | compact: 1, large and x-large: 2 | 2 | 1 |
For the latest interoperability information, see the Product Interoperability Matrix.
These are the minimum required versions of VMware products to be installed with vShield 5.5:
- VMware vCenter Server 5.1 or later
  - For VXLAN virtual wires, you need vCenter Server 5.1 or later
- VMware ESXi/ESX 5.0 or later for each server
  - For VXLAN virtual wires, you need VMware ESXi 5.1 or later
  - For vShield Endpoint, you need VMware ESX 5.0 or later
- VMware Tools
  - For vShield Endpoint and vShield Data Security, you must upgrade your virtual machines to hardware version 7 or 8, and install VMware Tools 8.6.0 (released with ESXi 5.0 Patch 3)
  - You must install VMware Tools on virtual machines that are to be protected by vShield App
- VMware vCloud Director 5.1 or later
- VMware View 4.5 or later
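A preflight check that compares an inventory against the minimum versions listed above (vCenter 5.1, ESXi/ESX 5.0 or 5.1 with VXLAN, hardware version 7 or 8 and VMware Tools 8.6.0 for Endpoint and Data Security, VMware Tools present for vShield App). This is an added example, not code from the KB article or from VMware; the inventory layout and the feature names are assumptions made for the example.

```python
# Added example, not VMware code. Inventory layout and feature names
# ("vxlan", "endpoint", "datasecurity", "app") are assumptions.
from typing import Dict, List, Optional, Set


def parse_version(ver: str) -> tuple:
    """Turn '5.1.0' into (5, 1, 0) so versions compare numerically."""
    return tuple(int(p) for p in ver.split("."))


def check_vshield_prereqs(inventory: Dict, features: Set[str]) -> List[str]:
    """Return a list of findings; an empty list means the inventory passes."""
    findings: List[str] = []
    if parse_version(inventory["vcenter"]) < (5, 1):
        findings.append("vCenter Server %s is below 5.1" % inventory["vcenter"])
    # Hosts: ESXi/ESX 5.0 minimum, 5.1 when VXLAN virtual wires are used
    host_min = (5, 1) if "vxlan" in features else (5, 0)
    for host, ver in inventory["hosts"].items():
        if parse_version(ver) < host_min:
            findings.append("host %s runs %s, below %s"
                            % (host, ver, ".".join(map(str, host_min))))
    # Guest requirements depend on which components protect the VM
    needs_hw7 = features & {"endpoint", "datasecurity"}
    for name, vm in inventory["vms"].items():
        tools: Optional[str] = vm.get("tools")
        if "app" in features and tools is None:
            findings.append("VM %s has no VMware Tools (required for vShield App)" % name)
        if needs_hw7:
            if vm["hw_version"] not in (7, 8):
                findings.append("VM %s is hardware version %d, needs 7 or 8"
                                % (name, vm["hw_version"]))
            if tools is None or parse_version(tools) < (8, 6, 0):
                findings.append("VM %s needs VMware Tools 8.6.0 or later" % name)
    return findings


# Constructed sample inventory so the check runs stand-alone
SAMPLE_INVENTORY = {
    "vcenter": "5.1.0",
    "hosts": {"esx01": "5.0.0", "esx02": "5.1.0"},
    "vms": {
        "web01": {"hw_version": 8, "tools": "8.6.5"},
        "legacy01": {"hw_version": 4, "tools": None},
    },
}

if __name__ == "__main__":
    for line in check_vshield_prereqs(SAMPLE_INVENTORY, {"vxlan", "endpoint"}):
        print(line)
```

With the sample inventory and VXLAN plus Endpoint enabled, the check flags esx01 (5.0 is below the 5.1 VXLAN minimum) and both guest problems on legacy01.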
Client and user access requirements
VMware vShield 5.5 has these client and user access requirements:
- PC with the vSphere Client installed.
- If you add ESXi hosts by name to the vSphere inventory, ensure that DNS servers have been configured on the vShield Manager and name resolution is working. If you do not do this, vShield Manager cannot resolve the IP addresses.
- Permissions to add and power on virtual machines.
- Access to the datastore where you store virtual machine files, and the account permissions to copy files to that datastore.
- Ensure that you have enabled cookies on your Web browser to access the vShield Manager user interface.
- Port 443 must be accessible from the ESXi host, vCenter Server, and the vShield appliances to be deployed. This port is required to download the OVF file on the ESXi host for deployment.
- Connection to the vShield Manager user interface using one of these supported browsers:
  - Internet Explorer 6.x and later
  - Mozilla Firefox 1.x and later
  - Safari 1.x or 2.x
Consider the following recommendations and restrictions before you deploy vShield components.
Preparing virtual machines for vShield Protection
You must determine how to protect your virtual machines with vShield. As a best practice, prepare all ESX hosts within a DRS cluster for vShield Endpoint and vShield Data Security, depending on the vShield components you are using. You must also upgrade your virtual machines to hardware version 7 or 8.
vShield Manager deployment
vShield Manager should run on an ESXi host that is not affected by downtime, such as frequent reboots or maintenance mode operations. You can use HA or DRS to increase the resilience of the vShield Manager. If the ESXi host on which the vShield Manager resides is expected to require downtime, vMotion the vShield Manager virtual appliance to another ESXi host. For this reason, more than one ESXi host is recommended.
For more detailed information, see the vShield Installation and Upgrade Guide.
Port Requirements and Hardening Your Environment
vShield Manager requires some ports to be open for connectivity to vCenter Server, ESXi host, vShield App and vShield Edge instances, vShield Endpoint module, and vShield Data Security virtual machine. vShield components can communicate over routed connections as well as different LANs. For more information on the ports required see the Communication Between vShield Components section of the vShield Installation and Upgrade Guide.
You can access the vShield Manager and other vShield components by using a web-based user interface, command line interface, and REST API. vShield includes default login credentials for each of these access options. After installation of each vShield virtual machine, you should harden access by changing the default login credentials.
Note: vShield Data Security does not include default login credentials.
Details on hardening each component of vShield are contained in the vShield Installation and Upgrade Guide. This should be thoroughly reviewed and implemented before vShield is put into production.
Installing vShield Manager
- Obtain the vShield Manager OVA File - The vShield Manager virtual machine is packaged as an Open Virtualization Appliance (OVA) file, which allows you to use the vSphere Client to import the vShield Manager into the datastore and virtual machine inventory.
- Configure the Network Settings of the vShield Manager - You must use the command line interface (CLI) of the vShield Manager to configure an IP address, identify the default gateway, and set DNS settings. You can specify up to two DNS servers that the vShield Manager can use for IP address and host name resolution. DNS is required if any ESX host in your vCenter Server environment was added by using the hostname (instead of IP address).
- Log In to the vShield Manager User Interface - After you have installed and configured the vShield Manager virtual machine, log in to the vShield Manager user interface and accept the SSL certificate.
- Set up vShield Manager - Specify the vCenter Server, DNS and NTP server, and Lookup server details.
Note: The vShield Manager virtual machine does not appear as a resource in the inventory panel of the vShield Manager user interface. The Settings & Reports object represents the vShield Manager virtual machine in the inventory panel.
You must have a vCenter Server user account with administrative access to synchronize vShield Manager with the vCenter Server. If your vCenter password contains non-ASCII characters, you must change it before synchronizing the vShield Manager with the vCenter Server.
To use SSO on vShield Manager, you must have vCenter Server 5.1 or later, and the Single Sign-On service must be installed on the vCenter Server.
- Change the Password of the vShield Manager User Interface Default Account - You can change the password of the admin account to harden access to your vShield Manager by logging in to the vShield Manager user interface and clicking Change Password in the top right corner of the window.
- Schedule a Backup of vShield Manager Data - You can only schedule the parameters for one type of backup at any given time. You cannot schedule a configuration-only backup and a complete data backup to run simultaneously. You can configure the backup schedule from the Configuration tab.
Installing vShield Components
- vShield Edge provides network edge security and gateway services to isolate a virtualized network, or virtual machines in a port group, vDS port group, or Cisco Nexus 1000V port group. You install a vShield Edge at a data center level and can add up to ten internal or uplink interfaces. The vShield Edge connects isolated, stub networks to shared (uplink) networks by providing common gateway services such as DHCP, VPN, NAT, and Load Balancing. Common deployments of vShield Edge include in the DMZ, VPN Extranets, and multi-tenant Cloud environments where the vShield Edge provides perimeter security for Virtual Data Centers (VDCs).
- vShield Endpoint offloads antivirus and anti-malware agent processing to a dedicated secure virtual appliance delivered by VMware partners. Since the secure virtual appliance (unlike a guest virtual machine) does not go offline, it can continuously update antivirus signatures, thereby giving uninterrupted protection to the virtual machines on the host. Also, new virtual machines (or existing virtual machines that went offline) are immediately protected with the most current antivirus signatures when they come online.
- vShield Data Security provides visibility into sensitive data stored within your organization's virtualized and cloud environments. Based on the violations reported by vShield Data Security, you can ensure that sensitive data is adequately protected and assess compliance with regulations around the world.
- Network Virtualization Infrastructure is installed in your virtual environment at the cluster level for each vCenter Server, which deploys the required software on all hosts in the cluster. When a new host is added to this cluster, the required software is automatically installed on the newly added host. After the network infrastructure is installed on a cluster, Distributed Firewall is enabled on that cluster.
Note: For more information on the configuration of each of these components, see the vShield Installation and Upgrade Guide.