Here I will start covering the basics of vShield components and operations.
It’s a VA deployed from OVA template and used to manage other vShield components. There are three methods to connect to vShield manager:
- Web Console
- vSphere Plug-in
Note: vShield manager can be running in different ESXi host than vShield App or Edge.
This is used to provide security services at network edge. Its similar to Cisco ASA Firewall in physical networks. Each vSS Port Group, vDS Port Group, or N1KV Port Profile are protected by a vShield Edge. Another typical used in multi-tenant cloud environments is to isolate between OvDCs or PvDCs.
vShield Edge can provide L2L & SSL VPN, Firewall Services, Load Balancing, DHCP & NAT Services, HA, Routing.
Very Important: vShield Edge will filter the traffic crossing the physical host ONLY. Traffic within one PG or between internal PGs won't be filtered by vShield Edge. Even if you try to make the external network for Edge as another internal PG, this won't work unless you create one VM as routing device. In this case it will work.
This component is used to provide security services at vNIC Level. Using analogue with physical firewalls you can call it L2/L3 firewall (even within one VLAN). Each packet or frame entering or existing vNIC will be scanned against vShield App rules.
vShield APP is composed of two components which are vShield App module installed in the hypervisor and firewall service VA (not a VM). Its also supporting DRS, vMotion, DPM, and maintenance mode, But you need to install vShield App in all nodes within a cluster.
Note: vShield App uses VMsafe API to integrate with ESXi hypervisor.
vShield App VA can't be migrated using vMotion
This component offloads Anti-Virus and Anti-Malware processing into VA. Like vShield App, vShield Endpoint is installed as a module in hypervisor while the VA is provided by third-party security vendors.
Summary of all components:
Migrate vShield Components
- vShield Manager and Edge can be migrated between ESXi hosts using DRS, vMotion, and HA.
- vShield App and Endpoint can't be migrated. Therefore, you need to deselect Move powered off and suspended virtual machines to other hosts in the cluster check box to ensure these virtual appliances are not migrated when ESXi hosts goes down/maintenance.
Important Note: vShield Manager must be always available for Cloud to be up and running. In case its not available, the whole cloud services won't be available. In vCD 1.5 an option has been introduced to bypass this option.
For any vShield component, don't upgrade its VMTools or uninstall it to avoid miss-operation
The first component to install is vShield Manager. The OVA template can be download from VMware website and it can't deployed using vSphere Client.
Once the deployment is completed, you need to login to the VA using CLI default account to configure Management Network Settings.
- Login using username: admin/password: default.
- Type enable and use password: default.
- Type Setup to start configuring basic networking settings.
Once management network is ready, use web-access to connect to vShield Manager (https://#IPADDR#). The first step is to attach vShield Manager with vCenter Server. Next step will be registering vShield Plugin with vSphere to start accessing vShield Manager using vSphere Client.
From there you start configuring basic settings including DNS, NTP, Time Zone, Logging, Backup, Users/Privileges, etc.
Before proceeding with installation of vShield components, you should upload each component license. Assuming that you have the Lic Keys:
- In vSphere Client navigate to Home > Licensing.
- From the Management tab, select Asset.
- Right-click CIS or vCNS asset and select Change license key.
The second component to be installed is vShield App.
vShield App installation will cause interruption in network connections for the host where it will be installed. Therefore, migrate your vCenter Server and its DB from this host. vCenter and its DB should be available during installation. Also vShield Manager should be migrated.
As a prerequisite for vShield App installation, it should be having reachability to vShield Manager and vCenter
To install vShield App, from vSphere Client Select an ESXi host from the inventory tree > Click the vShield tab > Accept the security certificate > Click Install for the vShield App service.
Note: For Stateless ESXi hosts, some tuning is required. Please refer to installation guide.
- You need to have one PG (vSS, vDS, or N1K PP) to be used as vShield Edge External Network. Compared to ASA, this represents the outside interface of the firewall.
- VMs should be grouped in one PG (vSS, vDS, or N1K PP) to be used as vShield Edge Internal Network.
Note: Communication between vShield Manager and vShield Edge is happening at VMkernal level and no using IP communication
Since vShield Edge is filtering traffic crossing the physical host, it will create one VM ONLY when installed.
To install vShield Edge, from vSphere Client navigate to Home > Inventory > Networking > Select Desired dvPG > Click vShield Edge Tab. From there you start deploying vShield Edge for this dvPG providing the details for Internal and External PGs.
Once vShield Edge is installed, you can start managing it from the same tab.
As a starting step, you need to install Endpoint VIB package in each ESXi host similar to vShield App. The next step will be installing AV third party server as well as installing VMTools in each machine to be protected. VMTools include vShield Thin Agent which is responsible for communication with AV server.
vShield Edge will open some ports in ESXi host firewall to allow communication between Thin Agent and AV VA through hypervisor.