Upgrading to vCloud Networking and Security 5.1.4 best practices (2076531)

Purpose

This article provides best practices on upgrading a vShield environment to vCloud Networking and Security 5.1.4.

Note: The vShield Upgrade and Installation Guide contains definitive information. If there is a discrepancy between the guide and this article, assume that the guide is correct. For more information, see the vShield Upgrade and Installation Guide.

Resolution

To upgrade vShield, you must first upgrade the vShield Manager, then update the other components for which you have a license.

Software requirements

For the latest interoperability information, see the Product Interoperability Matrix.

These are the minimum required versions of VMware products to be installed with vShield 5.1.4:
  • VMware vCenter Server 5.0 or later

    Note: For VXLAN virtual wires, you need vCenter Server 5.1 or later.

  • VMware ESX 4.1 or later for each server

    Note: For VXLAN virtual wires, you need VMware ESXi 5.1 or later.

  • VMware Tools
    • For vShield Endpoint and vShield Data Security, you must upgrade your virtual machines to hardware version 7 or 8 and install VMware Tools 8.6.0 released with ESXi 5.0 Patch 3.
    • You must install VMware Tools on virtual machines that are to be protected by vShield App.

  • VMware vCloud Director 5.1.2 or later.
  • VMware View 5.1 or later.

Client and user access requirements

vShield 5.1.4 has these client and user access requirements:
  • PC with the vSphere Client installed.
  • If you added ESXi hosts by name to the vSphere inventory, ensure that DNS servers have been configured on the vShield Manager and name resolution is working. Otherwise, vShield Manager cannot resolve the IP addresses.
  • Permissions to add and power on virtual machines.
  • Access to the datastore where you store virtual machine files, and permissions to copy files to that datastore.
  • Ensure that you have enabled cookies on your web browser to access the vShield Manager user interface.
  • Port 443 must be accessible from the ESXi host, the vCenter Server, and the vShield appliances to be deployed. This port is required to download the OVF file on the ESXi host for deployment.
  • Connection to the vShield Manager user interface using one of these supported web browsers:
    • Internet Explorer 6.x and later
    • Mozilla Firefox 1.x and later
    • Safari 1.x or 2.x

System requirements

This table outlines minimum system requirements:

Component   | Minimum requirements
------------+-------------------------------------------------------------------------
Memory      | vShield Manager (64-bit): 8 GB
            | vShield App: 1 GB
            | vShield Edge compact: 256 MB, large: 1 GB, x-large: 8 GB
            | vShield Data Security: 512 MB
Disk Space  | vShield Manager: 60 GB
            | vShield App: 5 GB per vShield App per ESXi/ESX host
            | vShield Edge compact and large: 320 B, x-large: 4.4 GB (with 4 GB swap file)
            | vShield Data Security: 6 GB per ESXi/ESX host
vCPU        | vShield Manager: 2
            | vShield App: 2
            | vShield Edge compact: 1, large and x-large: 2
            | vShield Data Security: 1

Pre-upgrade preparation (upgrading from 5.0.x)

With vCNS 5.1, a new vShield Manager was released with a new virtual hardware that has more CPUs, more RAM, and a larger disk. If you are upgrading to 5.1.4 from 5.0 (5.0, 5.0.1, or 5.0.2), you must follow these pre-upgrade preparation steps:

Note: If you are currently using version 5.1.1, 5.1.2, 5.1.2a, or 5.1.3, skip this section and go to pre-upgrade preparation for upgrading from 5.1.x.

  • Run the maintenance bundle to free up disk space
  • Upgrade vShield Manager to 5.1.4
  • Upgrade to the new 5.1.4 appliance using Backup and Restore

To ensure the upgrade process is successful, perform these tasks before starting the upgrade process:
  • From the vSphere Client, take a snapshot of the vShield Manager.
  • Free up disk space. A minimum of 2.5 GB free disk space in the /common partition is required for the upgrade process. Use the vShield maintenance bundle to make disk space available on the vShield Manager. The maintenance bundle stops the vShield Manager process and starts it again after the completion of the file system cleanup activity.

Note: The existing logs and flow monitoring data on the vShield Manager appliance will be deleted as part of this procedure. The tech support log bundle will contain the log messages of this procedure.

To apply the maintenance bundle:
  1. From the vShield Manager CLI (enable mode), run the show filesystems command. You need at least 5% free disk space in the /common partition to install the maintenance bundle. If the /common partition usage is more than 95%, file a support request with VMware Technical Support and note this Knowledge Base article ID (2076531) in the problem description. For more information on filing a Support Request, see Filing a Support Request in My VMware (2006985).
  2. From the vShield Manager CLI (enable mode), run the show manager log follow command. Keep this console open while you perform the next steps.
  3. From the VMware Download Center, download the vShield maintenance bundle to a location to which the vShield Manager can browse. The name of the upgrade bundle file is:

    VMware-vShield-Manager-upgrade-bundle-maintenance-5.0-939118.tar.gz

  4. In the vShield Manager Inventory panel, click Settings & Reports.
  5. Click the Updates tab.
  6. Click Upload Upgrade Bundle.
  7. Click Browse and select the VMware-vShield-Manager-upgrade-bundle-maintenance-5.0-939118.tar.gz file.
  8. Click Open.
  9. Click Upload File.
  10. Click Install to begin the upgrade process.

    Note: You must wait for 2 – 3 minutes after this step.

  11. Click Confirm Install. Ensure that you click Confirm Install after waiting for 2 – 3 minutes after the previous step.
  12. Go back to the CLI and watch the show manager log follow output for the maintenance-fs-cleanup: Filesystem cleanup successful message, which confirms that the maintenance bundle was installed successfully.

    Notes:
    • This message indicates that the maintenance bundle failed to install:

      maintenance-fs-cleanup: ERROR:Filesystem cleanup FAILED

      If you see this message, file a support request with VMware Technical Support and note this Knowledge Base article ID (2076531) in the problem description. For more information on filing a Support Request, see Filing a Support Request in My VMware (2006985).

    • The upgrade process restarts the vShield Manager service, so you might lose connectivity to the vShield Manager user interface. None of the other vShield components are restarted.

  13. Log in to the vShield Manager Web user interface again.
  14. Log in to the CLI of the vShield Manager, switch to enable mode, and run the CLI command show filesystems to ensure there is enough free space for the upgrade. A minimum of 2.5 GB free disk space in the /common partition is required for the upgrade process.

    If, after running the maintenance bundle, you do not have at least 2.5 GB free disk space, do not continue with the upgrade and file a support request with VMware Technical Support and note this Knowledge Base article ID (2076531) in the problem description. For more information on filing a Support Request, see Filing a Support Request in My VMware (2006985).
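
The checks from steps 1, 12, and 14 above, written as an added example (not VMware code): it applies the 5% and 2.5 GB thresholds for /common and looks for the two maintenance-fs-cleanup messages in saved CLI output. It assumes that show filesystems prints df -h style columns; the sample output and the log prefix are constructed.

```python
import re

# Thresholds and log messages quoted from this article.
MIN_FREE_PERCENT = 5   # step 1: free space in /common needed to install the bundle
MIN_FREE_GB = 2.5      # step 14: free space in /common needed for the upgrade
OK_MSG = "maintenance-fs-cleanup: Filesystem cleanup successful"
FAIL_MSG = "maintenance-fs-cleanup: ERROR:Filesystem cleanup FAILED"

UNITS_IN_GB = {"K": 1 / 1024**2, "M": 1 / 1024, "G": 1.0, "T": 1024.0}

def to_gb(size):
    """Convert a df -h style size such as '512M' or '6.2G' to gigabytes."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([KMGT])?", size)
    if not m:
        raise ValueError(f"unrecognised size: {size!r}")
    value, unit = float(m.group(1)), m.group(2)
    return value * UNITS_IN_GB[unit] if unit else value / 1024**3  # bare number = bytes

def common_partition(fs_output):
    """Return available GB and free percent for /common (assumed df -h layout)."""
    for line in fs_output.splitlines():
        cols = line.split()
        # Use the last three columns so a row wrapped after a long device name still parses.
        if len(cols) >= 3 and cols[-1] == "/common" and cols[-2].endswith("%"):
            return {"avail_gb": to_gb(cols[-3]), "free_pct": 100 - int(cols[-2][:-1])}
    raise LookupError("/common not found in show filesystems output")

def cleanup_result(log_lines):
    """Classify the maintenance bundle run; a FAILED message wins over a success one."""
    result = "pending"
    for line in log_lines:
        if FAIL_MSG in line:
            return "failed"
        if OK_MSG in line:
            result = "success"
    return result

def can_install_bundle(fs_output):
    return common_partition(fs_output)["free_pct"] >= MIN_FREE_PERCENT

def can_upgrade(fs_output, log_lines):
    return (cleanup_result(log_lines) == "success"
            and common_partition(fs_output)["avail_gb"] >= MIN_FREE_GB)

# Constructed sample input (not captured from a real vShield Manager).
SAMPLE_BEFORE = """\
Filesystem            Size  Used Avail Use% Mounted on
/dev/sda3             4.9G  1.2G  3.5G  26% /
/dev/sda6              13G   11G  1.3G  90% /common
"""
SAMPLE_AFTER = """\
Filesystem            Size  Used Avail Use% Mounted on
/dev/sda3             4.9G  1.2G  3.5G  26% /
/dev/sda6
                       13G  6.1G  6.2G  50% /common
"""
SAMPLE_LOG = ["(constructed prefix) " + OK_MSG]

if __name__ == "__main__":
    print("install bundle:", can_install_bundle(SAMPLE_BEFORE))
    print("upgrade before cleanup:", can_upgrade(SAMPLE_BEFORE, SAMPLE_LOG))
    print("upgrade after cleanup:", can_upgrade(SAMPLE_AFTER, SAMPLE_LOG))
```

A False result from can_install_bundle or can_upgrade corresponds to the cases where this article says to stop and file a support request.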

New virtual hardware requirements for vShield Manager 5.1.4

The vShield Manager requires an upgrade to its virtual hardware starting with version 5.1. This virtual hardware upgrade is not automatically performed as part of the vShield upgrade process for vShield Managers running versions 5.0.x or earlier. Architectural changes for improved scalability, performance, and increased logging and reporting capabilities require that the vShield Manager's virtual hardware is upgraded. Some of these changes include 64-bit support, 2 vCPUs, 8 GB RAM, a larger virtual disk, and other virtual hardware properties.

You must upgrade to a new appliance after upgrading to vShield Manager 5.1.4. The procedure to upgrade the vShield Manager appliance is provided in the Upgrading the vShield Manager virtual hardware section.

Pre-upgrade preparation (upgrading from 5.1.1, 5.1.2, 5.1.2a, or 5.1.3)

To ensure the upgrade process is successful, perform this task before starting the upgrade process:
  • From the vSphere Client, take a snapshot of the vShield Manager.

Upgrading vShield Manager

You can upgrade the vShield Manager to a new version only from the vShield Manager web user interface. You can upgrade the vShield App and vShield Edge to a new version from the vShield Manager user interface or using REST APIs.

Prerequisites
  • Perform the pre-upgrade preparation steps.
  • Upgrading directly from 4.1.x to 5.1.x is not supported. If you are using vShield Manager 4.1.x or earlier (builds 576124, 310451, and 287872), first upgrade to any 5.0.x version (builds 473791, 638924, or 791471).
  • If you are using vShield Endpoint 4.1, uninstall vShield Endpoint before upgrading vShield Manager.

    Note: Do not uninstall a deployed instance of the vShield Manager Appliance.

To upgrade vShield Manager:

Note: This procedure applies to these versions of vShield Manager:
  • 5.0.0 (build 473791)
  • 5.0.1 (build 638924)
  • 5.0.2 (build 791471)
  • 5.1.0 (build 807847)
  • 5.1.1 (build 848085)
  • 5.1.2/5.1.2a (build 943471, patch 997359)
  • 5.1.3 (build 1563888)

  1. Download the vShield upgrade bundle from the VMware Download Center to a location to which vShield Manager can browse. The name of the upgrade bundle file is:

    VMware-vShield-Manager-upgrade-bundle-5.1.4-1740417.tar.gz

  2. From the vShield Manager Inventory panel, click Settings & Reports.
  3. Click the Updates tab.
  4. Click Upload Settings.
  5. Click Browse and select the VMware-vShield-Manager-upgrade-bundle-5.1.4-1740417.tar.gz file.
  6. Click Open.
  7. Click Upload File.
  8. Click Install to begin the upgrade process.
  9. Click Confirm Install. The upgrade process reboots vShield Manager, so you might lose connectivity to the vShield Manager user interface. None of the other vShield components are rebooted.
  10. After the reboot, log back in to the vShield Manager and click the Updates tab. Confirm that the Installed Release panel displays version 5.1.4.

Post upgrade notes:
  • If you upgraded to 5.1.4 from 5.0.x, you must upgrade the vShield Manager virtual hardware by following the steps in the Upgrading the vShield Manager virtual hardware section.

    To check your existing virtual hardware, use the vSphere Client and select the vShield Manager virtual machine in the Host and Cluster view. Click the Summary tab and look at the CPU, RAM, and size of the virtual machine. If the virtual machine has 1 vCPU, 3 GB of RAM, and the size is around 13 GB, you are still using the old virtual hardware, and you must upgrade. (The new virtual hardware released with 5.1.x has 2 vCPU, 8 GB of RAM, and the virtual machine size is approximately 64 GB.)

  • If you upgraded to 5.1.4 from 5.1.x and you have already upgraded the vShield Manager virtual hardware, proceed to the What to do next section to upgrade other vShield Components.

Upgrading the vShield Manager virtual hardware

Note: If you are already using the new 5.1.x virtual hardware, skip this section and proceed to the Upgrading vShield App section.

  1. On the vShield Manager Inventory panel, click Settings & Reports.
  2. Click the Configuration tab, then click Backups.
  3. Enter the host IP address/name of the system where the backup will be saved.
  4. Enter the user name required to log in to the backup system (FTP/SFTP server).
  5. Enter the password associated with the user name for the backup system.
  6. In the Backup Directory field, enter the absolute path where backups will be stored.
  7. Enter a text string in the Filename Prefix field.

    Note: This text is prepended to each backup filename for easy recognition on the backup system. For example, if you type ppdb, the resulting backup is named ppdbHH_MM_SS_DayDDMonYYYY.

  8. From the Transfer Protocol dropdown, select either SFTP or FTP, based on what the destination supports.
  9. Click Save Settings and Backup.
  10. Click View Backups to ensure the backup was created.
  11. Create a post-upgrade backup. The backup must be created on version 5.1.4 and restored in version 5.1.4.
  12. Power off the vShield Manager.
  13. From the VMware Downloads web page, download the 5.1.4 vShield Manager .OVA installation package.
  14. Deploy a new vShield Manager into your vSphere inventory. This new vShield Manager will replace the existing one.
  15. Power on the new vShield Manager and perform the initial setup, giving it the same IP address as the one that is currently powered off.
  16. Configure the vShield Manager Backups page to view the backups currently stored on the FTP/SFTP server.
  17. Identify the vShield Manager backup created earlier and do a Post-Upgrade Restore by clicking Restore.

What to do next

Continue with the upgrade of the other vShield components managed by vShield Manager, then change the certificates and keys used by SSL VPN.

Upgrading vShield App

You must upgrade vShield App on each host in your data center.

To upgrade a vShield App:

Note: During the vShield App upgrade, the ESXi host must be placed into Maintenance Mode and rebooted. Ensure the virtual machines on the ESXi host are migrated (using DRS or manual vMotion) or are powered off to allow the host to be placed into Maintenance Mode.
  1. Log in to the vSphere Client.
  2. Click Inventory > Hosts and Clusters.
  3. Select the host on which you want to upgrade vShield App.
  4. Click the vShield tab. The General tab displays each vShield component that is installed on the selected host and the available release.
  5. Click Update next to vShield App.
  6. Select the vShield App checkbox.
  7. Click Install.

Upgrading vShield Edge

You must upgrade each vShield Edge instance in your data center.

Notes:
  • vShield Edge 5.1.4 is not backward compatible, and you cannot use 2.0 REST API calls after the upgrade.
  • During a vShield Edge upgrade, there will be network disruption for the networks that are being served by the given vShield Edge instance.
  • You must be assigned the Enterprise Administrator role.

If you have vShield Edge 5.0.x, each 5.0.x vShield Edge instance on each portgroup in your data center must be upgraded to 5.1.4:
  1. Log in to the vSphere Client.
  2. Select the portgroup on which the vShield Edge is deployed.
  3. Click the vShield Edge tab.
  4. Click Upgrade.
  5. View the upgraded vShield Edge:

    1. Select the data center corresponding to the port group on which you upgraded the vShield Edge.
    2. Click the Network Virtualization tab.
    3. Click Edges. vShield Edge is upgraded to the compact size. A system event is generated to indicate the ID for each upgraded vShield Edge instance.

  6. Repeat for all other vShield Edges that need to be upgraded.

If you have 5.1.0, 5.1.1, 5.1.2, or 5.1.3 vShield Edge instances, each Edge can be upgraded with these steps:
  1. Log in to the vSphere Client.
  2. Select the data center for which vShield Edge instances are to be upgraded.
  3. Click the Network Virtualization tab.
  4. All the existing vShield Edge instances are shown in the listings page. For vShield Edges that need to be upgraded, an up-arrow icon (signifying upgrade) is displayed. Select an edge that needs to be upgraded and select Upgrade from Actions. This starts the upgrade for vShield Edge.

    When the Edge is upgraded, the up arrow icon is no longer displayed.

  5. Repeat for all other vShield Edges that need to be upgraded.

Note: Firewall rules from the previous release are upgraded with some modifications. Inspect each upgraded rule to ensure it works as intended. For information on adding new firewall rules, see the vShield Administration Guide. If a user's scope in a previous release was limited to a port group which had a vShield Edge installation, the user is automatically granted access to that vShield Edge after the upgrade.

Upgrading vShield Endpoint

Note: Use the upgrade procedure appropriate for your product version.

Upgrading vShield Endpoint from 4.1 to 5.0

To upgrade vShield Endpoint from version 4.1 to 5.0, you must first uninstall vShield Endpoint on each host in your data center, upgrade vShield Manager, then install the new release.
  1. If the protected virtual machines are running in a cluster, deactivate DRS.
  2. Deactivate all Trend DSVAs. This is required to remove vShield related VFILE filter entries from the virtual machines.
  3. If you deactivated DRS in step 1, re-activate it.
  4. Uninstall vShield Endpoint on each host in your data center.
  5. Upgrade vCenter Server to the required version.
  6. Upgrade each host to the required ESXi version.
  7. Upgrade vShield Manager.
  8. Install vShield Endpoint.

Upgrading vShield Endpoint from 5.0 to a later version

To upgrade vShield Endpoint from 5.0 to a later version, you must first upgrade vShield Manager, then update vShield Endpoint on each host in your data center.
  1. Log in to the vSphere Client.
  2. Click Inventory > Hosts and Clusters.
  3. Select the host on which you want to upgrade vShield Endpoint.
  4. Click the vShield tab. The General tab displays each vShield component that is installed on the selected host and the available version.
  5. Select Update next to vShield Endpoint.
  6. Select vShield Endpoint. Click Install.

Changing the certificates and keys

To change the certificates and keys used by SSL VPN:
  1. Add a new server certificate:
    1. In the vSphere Client, click Inventory > Hosts and Clusters.
    2. Select a data center resource from the inventory panel.
    3. Click the Network Virtualization tab and click the Edges link.
    4. Double-click a vShield Edge and click the Configure tab.
    5. Click the Certificates link.
    6. Click the Add icon and select Certificate.
    7. Paste the certificate contents and private key.
    8. Click OK.

  2. Delete the old server certificate:
    1. Select the old certificate and click the Delete icon.
    2. Click OK.

  3. Configure SSL VPN to work with the new certificate:
    1. Click the SSL VPN-Plus tab.
    2. In the Configure panel, click Server Settings and click Change.
    3. From the Server Certificates table, select the new server certificate and click OK.

  4. Contact your certificate provider to have the old certificate revoked.
  5. Remove trust to the old certificate from your browser and OS. Also ensure that revocation checking is enabled for your system.
  6. Change the SSL VPN passwords. For more information, see Managing VPN Services in the vShield Administration Guide.
