vshield_41_quickstart

8/6/2019 vshield_41_quickstart

1/30

vShield Quick Start GuidevShield Manager 4.1

vShield Edge 1.0

vShield App 1.0

vShield Endpoint 1.0

This document supports the version of each product listed and

supports all subsequent versions until the document is replaced

by a new edition. To check for more recent editions of thisdocument, see http://www.vmware.com/support/pubs.

EN-000375-00
http://www.vmware.com/support/pubshttp://www.vmware.com/support/pubs


2/30

VMware, Inc.

3401 Hillview Ave.Palo Alto, CA 94304www.vmware.com

2 VMware, Inc.

vShield Quick Start Guide

You can find the most up-to-date technical documentation on the VMware Web site at:

http://www.vmware.com/support/

The VMware Web site also provides the latest product updates.

If you have comments about this documentation, submit your feedback to:

[email protected]

Copyright 2010 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright andintellectual property laws. VMware products are covered by one or more patents listed at

http://www.vmware.com/go/patents .VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marksand names mentioned herein may be trademarks of their respective companies.
http://www.vmware.com/supportmailto:[email protected]://www.vmware.com/go/patentshttp://www.vmware.com/go/patentshttp://www.vmware.com/go/patentshttp://www.vmware.com/go/patentshttp://www.vmware.com/go/patentsmailto:[email protected]://www.vmware.com/supporthttp://www.vmware.com/support/


3/30

VMware, Inc. 3

Contents

About

This

Book 5

1 IntroductiontovShield 7vShieldComponentsataGlance 7

vShieldManager 7

vShieldZones 7

vShieldEdge 8

StandardvShieldEdgeServices(IncludingCloudDirector) 8

AdvancedvShieldEdgeServices 8

vShieldApp 9

vShieldEndpoint 9

DeploymentScenarios 10

ProtectingtheDMZ 10IsolatingandProtectingInternalNetworks 10

ProtectingVirtualMachinesinaCluster 11

CommonDeploymentsofvShieldEdge 11

CommonDeploymentsofvShieldApp 11

2 PreparingforInstallation 13SystemRequirements 13

Hardware 13

Software 13

ClientandUserAccess 14

DeploymentConsiderations 14

PreparingVirtualMachinesforvShieldProtection 14HowAreMyVirtualMachinesGrouped? 14

AreMyVirtualMachinesStillProtectedifIvMotionThemtoAnotherESXHost? 14

HowDoIIsolateaGroupofVirtualMachines? 15

vShieldManagerUptime 15

CommunicationBetweenvShieldComponents 15

HardeningYourvShieldVirtualMachines 15

vShieldManagerUserInterface 15

CommandLineInterface 15

RESTRequests 16

3 InstallingthevShieldManagerandvShieldZones 17ObtainthevShieldManagerOVAFile 17

InstallthevShieldManagerVirtualAppliance 17

ConfiguretheNetworkSettingsofthevShieldManager 18

LogIntothevShieldManagerUserInterface 19

SynchronizethevShieldManagerwiththevCenterServer 19

RegisterthevShieldManagerPlugInwiththevSphereClient 20

ChangethePasswordofthevShieldManagerUserInterfaceDefaultAccount 20

InstallvShieldZones 20

WheretoGoNext 21


4/30


4 VMware, Inc.

4 InstallingvShieldEdge,vShieldApp,andvShieldEndpoint 23RunningvShieldinEvaluationMode 23

PreparingYourVirtualInfrastructureforvShieldApp,vShieldEdge,andvShieldEndpoint 23

InstallvShieldComponentLicenses 24

PrepareAllESXHosts 24

PrepareavNetworkforPortGroupIsolation 25

InstallavShieldEdge 25

InstallingvShieldEndpoint 27vShieldEndpointInstallationWorkflow 27

InstalltheThinAgentontheGuestVirtualMachine 27

Prerequisites 27

WheretoGoNext 28

Index 29


5/30

VMware, Inc. 5

ThevShieldQuickStartGuideprovidesinformationaboutinstallingVMwarevShieldintoyourVMwareVirtualInfrastructureenvironment.

Intended Audience

This

book

is

intended

for

anyone

who

wants

to

install

or

use

VMware

vShield.

The

information

in

this

book

is

writtenforexperiencedWindowsorLinuxsystemadministratorswhoarefamiliarwithvirtualmachine

technologyanddatacenteroperations.ThisbookalsoassumesfamiliaritywithVMwareVirtual

Infrastructure,includingvCenterServer4.x,VMwareESX4.x,andthevSphereClient.

VMware Technical Publications Glossary

VMwareTechnicalPublicationsprovidesaglossaryoftermsthatmightbeunfamiliartoyou.Fordefinitions

oftermsastheyareusedinVMwaretechnicaldocumentationgotohttp://www.vmware.com/support/pubs.

Document Feedback

VMwarewelcomesyoursuggestionsforimprovingourdocumentation.Ifyouhavecomments,sendyour

[email protected].

VMware Infrastructure Documentation

ThefollowingdocumentscomprisetheVMwarevShielddocumentationset:

vShieldAdministrationGuide vShieldQuickStartGuide vShieldAPIProgrammingGuideYoushouldalsohaveaccesstothecombinedvCenterServerandESXdocumentationset.

Technical Support and Education Resources

Thefollowingsectionsdescribethetechnicalsupportresourcesavailabletoyou.Toaccessthecurrentversion

ofthisbookandotherbooks,gotohttp://www.vmware.com/support/pubs.

Online and Telephone Support

Touseonlinesupporttosubmittechnicalsupportrequests,viewyourproductandcontractinformation,and

registeryourproducts,gotohttp://www.vmware.com/support.

Customerswithappropriatesupportcontractsshouldusetelephonesupportforthefastestresponseon

priority1issues.Gotohttp://www.vmware.com/support/phone_support.

About This Book
http://www.vmware.com/support/pubshttp://www.vmware.com/support/pubshttp://www.vmware.com/supporthttp://www.vmware.com/support/phone_support.htmlhttp://www.vmware.com/support/phone_support.htmlhttp://www.vmware.com/supporthttp://www.vmware.com/support/pubshttp://www.vmware.com/support/pubs


6/30


6 VMware, Inc.

Support Offerings

TofindouthowVMwaresupportofferingscanhelpmeetyourbusinessneeds,goto

http://www.vmware.com/support/services.

VMware Professional Services

VMwareEducationServicescoursesofferextensivehandsonlabs,casestudyexamples,andcoursematerials

designedtobeusedasonthejobreferencetools.Coursesareavailableonsite,intheclassroom,andliveonline.Foronsitepilotprograms andimplementationbestpractices,VMwareConsultingServicesprovides

offeringsto helpyouassess,plan,build,andmanageyourvirtualenvironment.Toaccessinformationabout

educationclasses,certificationprograms,andconsultingservices,gotohttp://www.vmware.com/services.
http://www.vmware.com/support/serviceshttp://www.vmware.com/services/http://www.vmware.com/services/http://www.vmware.com/support/services


7/30

VMware, Inc. 7

1

ThischapterintroducestheVMwarevShieldcomponentsyouinstall.

Thechapterincludesthefollowingtopics:

vShieldComponentsataGlanceonpage 7

DeploymentScenariosonpage 10

vShield Components at a Glance

VMwarevShieldisasuiteofsecurityvirtualappliancesbuiltforVMwarevCenterServerintegration.

vShieldisacriticalsecuritycomponentforprotectingvirtualizeddatacentersfromattacksandmisusehelping

youachieveyourcompliancemandatedgoals.

vShieldincludesvirtualappliancesandservicesessentialforprotectingvirtualmachines.vShieldcanbe

configuredthroughawebbaseduserinterface,avSphereClientplugin,acommandlineinterface(CLI),and

RESTAPI.

vCenterServerincludesvShieldManagerandvShieldZones.ThefollowingvShieldpackageseachrequirea

license:

vShieldEdgewithPortGroupIsolation

vShieldApp

vShieldEndpoint

OnevShieldManagermanagesmultiplevShieldZones,vShieldEdge,vShieldApp,andvShieldEndpoint

instances.

vShield Manager

ThevShieldManageristhecentralizednetworkmanagementcomponentofvShield,andisinstalledasa

virtualapplianceonanyESXhostinyourvCenterServerenvironment.AvShieldManagercanrunona

differentESXhostfromyourvShieldagents.

UsingthevShieldManageruserinterfaceorvSphereClientplugin,administratorsinstall,configure,and

maintainvShieldcomponents.ThevShieldManageruserinterfaceleveragestheVMwareInfrastructureSDK

todisplayacopyofthevSphereClientinventorypanel,andincludestheHosts&ClustersandNetworks

views.

vShield Zones

vShieldZonesprovidesfirewallprotectionfortrafficbetweenvirtualmachines.ForeachZonesFirewallrule,

youcanspecifythesourceIP,destinationIP,sourceport,destinationport,andservice.

Introduction to vShield 1


8/30


8 VMware, Inc.

vShield Edge

vShieldEdgeprovidesnetworkedgesecurityandgatewayservicestoisolatethevirtualmachinesinaport

group,vDSportgroup,orCiscoNexus1000V.ThevShieldEdgeconnectsisolated,stubnetworkstoshared

(uplink)networksbyprovidingcommongatewayservicessuchasDHCP,VPN,NAT,andLoadBalancing.

CommondeploymentsofvShieldEdgeincludeintheDMZ,VPNExtranets,andmultitenantCloud

environmentswherethevShieldEdgeprovidesperimetersecurityforVirtualDatacenters(VDCs).

Standard vShield Edge Services (Including Cloud Director)

Firewall:SupportedrulesincludeIP5tupleconfigurationwithIPandportrangesforstatefulinspection

forTCP,UDP,andICMP.

NetworkAddressTranslation: SeparatecontrolsforSourceandDestinationIPaddresses,aswellasTCP

andUDPporttranslation.

DynamicHostConfigurationProtocol(DHCP):ConfigurationofIPpools,gateways,DNSservers,and

searchdomains.

Advanced vShield Edge Services

SitetoSiteVirtualPrivateNetwork(VPN):UsesstandardizedIPsecprotocolsettingstointeroperatewith

all

major

firewall

vendors. LoadBalancing:SimpleanddynamicallyconfigurablevirtualIPaddressesandservergroups.

vShieldEdgesupportssyslogexportforallservicestoremoteservers.

Figure 1-1. vShield Edge Installed to Secure a vDS Port Group


9/30

VMware, Inc. 9

Chapter 1 Introduction to vShield

vShield App

vShieldAppisaninterior,vNIClevelfirewallthatallowsyoutocreateaccesscontrolpoliciesregardlessof

networktopology.AvShieldAppmonitorsalltrafficinandoutofanESXhost,includingbetweenvirtual

machinesinthesameportgroup.vShieldAppincludestrafficanalysisandcontainerbasedpolicycreation.

vShieldAppinstallsasahypervisormoduleandfirewallservicevirtualappliance.vShieldAppintegrates

withESXhoststhroughVMsafeAPIsandworkswithVMwarevSphereplatformfeaturessuchasDRS,

vMotion,

DPM,

and

maintenance

mode.vShieldAppprovidesfirewallingbetweenvirtualmachinesbyplacingafirewallfilteroneveryvirtual

networkadapter.Thefirewallfilteroperatestransparentlyanddoesnotrequirenetworkchangesor

modificationofIPaddressestocreatesecurityzones.YoucanwriteaccessrulesbyusingvCentercontainers,

likedatacenters,cluster,resourcepoolsandvApps,ornetworkobjects,likePortGroupsandVLANs,to

reducethenumberoffirewallrulesandmaketheruleseasiertotrack.

YoushouldinstallvShieldAppinstancesonallESXhostswithinaclustersothatVMwarevMotion

operationsworkandvirtualmachinesremainprotectedastheymigratebetweenESXhosts.Bydefault,a

vShieldAppvirtualappliancecannotbemovedbyusingvMotion.

TheFlowMonitoringfeaturedisplaysallowedandblockednetworkflowsattheapplicationprotocollevel.

Youcanusethisinformationtoauditnetworktrafficandtroubleshootoperational.

vShield Endpoint

vShieldEndpointdeliversanintrospectionbasedantivirussolution.vShieldEndpointusesthehypervisorto

scanguestvirtualmachinesfromtheoutsidewithoutabulkyagent.vShieldEndpointisefficientinavoiding

resourcebottleneckswhileoptimizingmemoryuse.

vShieldEndpointinstallsasahypervisormoduleandsecurityvirtualappliancefromathirdpartyantivirus

vendor(VMwarepartners)onanESXhost.

Figure 1-2. vShield Endpoint Installed on an ESX Host


10/30


10 VMware, Inc.

Deployment Scenarios

UsingvShield,youcanbuildsecurezonesforavarietyofvirtualmachinedeployments.Youcanisolatevirtual

machinesbasedonspecificapplications,networksegmentation,orcustomcompliancefactors.Onceyou

determineyourzoningpolicies,youcandeployvShieldtoenforceaccessrulestoeachofthesezones.

Protecting the DMZ

TheDMZisamixedtrustzone.ClientsenterfromtheInternetforWebandemailservices,whileservices

withintheDMZmightrequireaccesstoservicesinsidetheinternalnetwork.YoucanplaceDMZvirtual

machinesinaportgroupandsecurethatportgroupwithavShieldEdge.vShieldEdgeprovidesaccess

servicessuchasfirewall,NAT,andVPN,aswellasloadbalancingtosecureDMZservices.

AcommonexampleofaDMZservicerequiringaninternalserviceisMicrosoftExchange.MicrosoftOutlook

WebAccess(OWA)commonlyresidesintheDMZcluster,whiletheMicrosoftExchangebackendisinthe

internalcluster.Ontheinternalcluster,youcancreatefirewallrulestoallowonlyExchangedrelatedrequests

fromtheDMZ,identifyingspecificsourcetodestinationparameters.FromtheDMZcluster,youcancreate

rulestoallowoutsideaccesstotheDMZonlytospecificdestinationsusingHTTP,FTP,orSMTP.

Isolating and Protecting Internal Networks

YoucanuseavShieldEdgewiththePortGroupIsolationfeaturetoisolateaninternalnetworkfromthe

externalnetwork.AvShieldEdgeprovidesperimeterfirewallprotectionandedgeservicestosecurevirtual

machinesinaportgroup,enablingcommunicationtotheexternalnetworkthroughDHCP,NAT,andVPN.

Withinthesecuredportgroup,youcaninstallavShieldAppinstanceoneachESXhostthatthevDSspansto

securecommunicationbetweenvirtualmachinesintheinternalnetwork.

IfyouutilizeVLANtagstosegmenttraffic,youcanuseAppFirewalltocreatesmarteraccesspolicies.Using

AppFirewallinsteadofaphysicalfirewallallowsyoutocollapseormixtrustzonesinsharedESXclusters.By

doingso,yougainoptimalutilizationandconsolidationfromfeaturessuchasDRSandHA,insteadofhaving

separate,fragmentedclusters.ManagementoftheoverallESXdeploymentasasinglepoolislesscomplex

thanhavingseparatelymanagedpools.

Forexample,youuseVLANstosegmentvirtualmachinezonesbasedonlogical,organizational,ornetwork

boundaries.LeveragingtheVirtualInfrastructureSDK,thevShieldManagerinventorypaneldisplaysaview

ofyourVLANnetworksundertheNetworksview.YoucanbuildaccessrulesforeachVLANnetworkto

isolatevirtualmachinesanddropuntaggedtraffictothesemachines.


11/30

VMware, Inc. 11

Chapter 1 Introduction to vShield

Protecting Virtual Machines in a Cluster

InFigure 13,vShieldAppinstancesareinstalledoneachESXhostinacluster.Virtualmachinesareprotected

whenmovedviavMotionorDRSbetweenESXhostsinthecluster.EachvAppsharesandmaintainsstate

ofalltransmissions.

Figure 1-3. vShield App Instances Installed on Each ESX Host in a Cluster

Common Deployments of vShield Edge

YoucanuseavShieldEdgewiththePortGroupIsolationfeaturetoisolateastubnetwork,usingNATtoallow

trafficinandoutofthenetwork.Ifyoudeployinternalstubnetworks,youcanusevShieldEdgetosecure

communicationbetweennetworksbyusingLANtoLANencryptionviaVPNtunnels.

vShieldEdgecanbedeployedasaselfserviceapplicationwithinVMwareCloudDirector.

Common Deployments of vShield App

YoucanusevShieldApptocreatesecurityzoneswithinavDC.YoucanimposefirewallpoliciesonvCenter

containers

or

SecurityGroups,

which

are

custom

containers

you

can

create

by

using

the

vShield

Manager

user

interface.Containerbasedpoliciesenableyoutocreatemixedtrustzonesclusterswithoutrequiringan

externalphysicalfirewall.

InadeploymentthatdoesnotusevDCs,useavShieldAppwiththeSecurityGroupsfeaturetocreatetrust

zonesandenforceaccesspolicies.

ServiceProviderAdminscanusevShieldApptoimposebroadfirewallpoliciesacrossallguestvirtual

machinesinaninternalnetwork.Forexample,youcanimposeafirewallpolicyonthesecondvNICofallguest

virtualmachinesthatallowsthevirtualmachinestoconnecttoastorageserver,butblocksthevirtual

machinesfromaddressinganyothervirtualmachines.

Unprotected Cluster

Protected Cluster


12/30


13/30

VMware, Inc. 13

2

ThischapterintroducestanoverviewoftheprerequisitesforsuccessfulvShieldinstallation.

Thechapterincludesthefollowingtopics:

SystemRequirementsonpage 13

DeploymentConsiderationsonpage 14

System Requirements

BeforeinstallingvShieldinyourvCenterServerenvironment,consideryournetworkconfigurationand

resources.YoucaninstallonevShieldManagerpervCenterServer,onevShieldAppperESXhost,andone

vShieldEdgeperportgroup.

ToinstallvShield,youmustmeetthefollowingrequirements:

Hardware

Table 22liststhehardwarerequirementsforthisversionofvShield.

Software

VMwarevCenterServer4.0Update1orlater

Table 22liststhevCenterversionsthatarecompatiblewiththisversionofvShield.

Preparing for Installation 2

Table 2-1. Hardware Requirements

Component Minimum

Memory 8GB

DiskSpace 8GBforthevShieldManager

5GBpervShieldAppperESXhost

100MBpervShieldEdge

NICs 2gigabitNICsonanESXhost

NOTE vShieldEndpointrequiresvCenterServer4.1orlater.

Table 2-2. Supported vCenter Versions

vCenter Release Build Number

4.0Update1 264050

4.1GA 208111

4.1GAvSphereClient 208111


14/30


14 VMware, Inc.

VMwareESX4.0Update1orlaterforeachserver

Table 23liststheESXandESXiversionsthatarecompatiblewiththisversionofvShield.

VMarevCloudDirector1.0

Table 24liststhevCloudDirectorversionsthatarecompatiblewiththisversionofvShield.

Client and User Access PCwiththeVMwarevSphereClient

Permissionstoaddandpoweronvirtualmachines

Accesstothedatastorewhereyoustorevirtualmachinefiles,andtheaccountpermissionstocopyfilesto

thatdatastore

EnablecookiesonyourWebbrowsertoaccessthevShieldManageruserinterface

ConnecttothevShieldManagerusingoneofthefollowingsupportedWebbrowsers:

InternetExplorer6.xandlater

MozillaFirefox1.xandlater

Safari1.xor2.x

Deployment Considerations

ConsiderthefollowingrecommendationsandrestrictionsbeforeyoudeployvShieldcomponents.

Preparing Virtual Machines for vShield Protection

YoumustdeterminehowtoprotectyourvirtualmachineswithvShield.Considerthefollowingquestions:

How Are My Virtual Machines Grouped?

You

might

consider

moving

virtual

machines

to

port

groups

on

a

vDS

or

a

different

ESX

host

to

group

virtual

machinesbyfunction,department,orotherorganizationalneedtoimprovesecurityandeaseconfigurationof

accessrules.YoucaninstallvShieldEdgeattheperimeterofanyportgrouptoisolatevirtualmachinesfrom

theexternalnetwork.YoucaninstallavShieldApponanESXhostandconfigurefirewallpoliciesper

containerresourcetoenforcerulesbasedonthehierarchyofresources.

Are My Virtual Machines Still Protected if I vMotion Them to Another ESX Host?

Yes,ifyouinstallavShieldApponeachESXhostinacluster,youcanmigratemachinesbetweenhostswithout

weakeningthesecurityposture.vShieldAppinstancescannotbemigratedtootherhosts,thuseachinstance

maintainsstateforexistingsessions.

NOTE vShieldEndpointrequiresESX4.1orlater.

Table 2-3. Supported ESX and ESXi Versions

ESX or ESXi Release Build Number

4.0Update1 208167

4.1GA 260247

Table 2-4. Supported vCloud Director Versions

vCloud Director Release Build Number

1.0 285979


15/30

VMware, Inc. 15

Chapter 2 Preparing for Installation

How Do I Isolate a Group of Virtual Machines?

YoucanusevShieldEdgewiththePortGroupIsolationfeatureorVLANstoisolatevirtualmachinesfromthe

externalnetwork.

1 InstallPortGroupIsolationoneachESXhostthatavDSspans.

2 CreateaportgrouponthevDS.

3 EnablePortGroupIsolationonthevDS.

4 InstallavShieldEdgeontheportgroup.

5 Movethevirtualmachinestotheportgroup.

6 ConfigurevShieldEdgeNATrulesfortrafficinandoutoftheportgroup.

vShield Manager Uptime

ThevShieldManagershouldberunonanESXhostthatisnotaffectedbydowntime,suchasfrequentreboots

ormaintenancemodeoperations.YoucanuseHAorDRStoincreasetheresilienceofthevShieldManager.If

theESXhostonwhichthevShieldManagerresidesisexpectedtorequiredowntime,vMotionthevShield

ManagervirtualappliancetoanotherESXhost.Thus,morethanoneESXhostisrecommended.

Communication Between vShield Components

ThemanagementinterfacesofvShieldcomponentsshouldbeplacedinacommonnetwork,suchasthe

vSpheremanagementnetwork.ThevShieldManagerrequiresconnectivitytothevCenterServer,aswellas

allvShieldAppandvShieldEdgeinstances.vShieldcomponentscancommunicateoverroutedconnections

aswellasdifferentLANs.

Hardening Your vShield Virtual Machines

YoucanaccessthevShieldManagerandothervShieldcomponentsbyusingawebbaseduserinterface,

commandlineinterface,andRESTAPI.vShieldincludesdefaultlogincredentialsforeachoftheseaccess

options.AfterinstallationofeachvShieldvirtualmachine,youshouldhardenaccessbychangingthedefault

logincredentials.

vShield Manager User Interface

YouaccessthevShieldManageruserinterfacebyopeningawebbrowserwindowandnavigatingtotheIP

addressofthevShieldManagersmanagementport.Thedefaultuseraccount,admin,hasglobalaccesstothe

vShieldManager.Afterinitiallogin,youshouldchangethedefaultpasswordoftheadminuseraccount.See

ChangethePasswordofthevShieldManagerUserInterfaceDefaultAccountonpage 20.

Command Line Interface

YoucanaccessthevShieldManager,vShieldApp,andvShieldEdgevirtualappliancesbyusingacommand

lineinterfaceviavSphereClientconsolesession.Eachvirtualapplianceusesthesamedefaultusername

(admin)andpassword(default)combinationasthevShieldManageruserinterface.EnteringEnabledmode

alsousesthepassworddefault.

FormoreonhardeningtheCLI,seethevShieldAdministrationGuide.

NOTE YoucanalsouseVLANstoisolatevirtualmachinesprotectedbyavShieldEdge.Ifyouuse

VLANs,theinternalportgroupconnectedtoavShieldEdgemusthaveaVLANtagthatisdifferentfrom

theexternalportgroup.

NOTE ThevShieldManagermustbeinthesamevCenterServerenvironmentasthevShieldcomponentsto

bemanaged.YoucannotusethevShieldManageracrossdifferentvCenterServerenvironments.


16/30


16 VMware, Inc.

REST Requests

AllRESTAPIrequestsrequireauthenticationwiththevShieldManager.UsingBase64encoding,youidentify

ausernamepasswordcombinationinthefollowingformat:username:password.YoumustuseavShield

Manageruserinterfaceaccount(usernameandpassword)withprivilegedaccesstoperformrequests.For

moreonauthenticatingRESTAPIrequests,seethevShieldAPIProgrammingGuide


17/30

VMware, Inc. 17

3

VMwarevShieldprovidesfirewallprotection,trafficanalysis,andnetworkperimeterservicestoprotectyour

vCenterServervirtualinfrastructure.vShieldvirtualapplianceinstallationhasbeenautomatedformost

virtualdatacenters.

ThevShieldManageristhecentralizedmanagementcomponentofvShield.YouusethevShieldManagerto

monitorandpushconfigurationstovShieldApp,vShieldEndpoint,andvShieldEdgeinstances.ThevShield

ManagerrunsasavirtualapplianceonanESXhost.

VMwarevShieldisincludedwithVMwareESX4.0and4.1.ThebaseVMwarevShieldpackageincludesthe

vShieldManagerandvShieldZones.YoucanconfigurethevShieldZonesfirewallrulesettomonitortraffic

basedonIPaddresstoIPaddresscommunication.

InstallingthevShieldManagerisamultistepprocess.Youmustperformallofthetasksthatfollowinsequence

tocompletevShieldManagerinstallationsuccessfully.

Thischapterincludesthefollowingtopics:

ObtainthevShieldManagerOVAFileonpage 17

InstallthevShieldManagerVirtualApplianceonpage 17

ConfiguretheNetworkSettingsofthevShieldManageronpage 18

LogIntothevShieldManagerUserInterfaceonpage 19

SynchronizethevShieldManagerwiththevCenterServeronpage 19

RegisterthevShieldManagerPlugInwiththevSphereClientonpage 20

ChangethePasswordofthevShieldManagerUserInterfaceDefaultAccountonpage 20

InstallvShieldZonesonpage 20

WheretoGoNextonpage 21

Obtain the vShield Manager OVA File

ThevShieldManagervirtualmachineispackagedasanOpenVirtualizationAppliance(OVA)file,which

allowsyoutousethevSphereClienttoimportthevShieldManagerintothedatastoreandvirtualmachine

inventory.

Install the vShield Manager Virtual Appliance

YoucaninstallthevShieldManagervirtualmachineonanESXhostinaclusterconfiguredwithDRS.The

targetESXhostmustbemanagedbythesamevCenterinstanceastheESXhostsonwhichyouwanttodeploy

vShieldZonesorvShieldAppinstances.AsinglevShieldManagerservesasinglevCenterServer

environment.

Installing the vShield Manager andvShield Zones 3


18/30


18 VMware, Inc.

ThevShieldManagervirtualmachineinstallationincludesVMwareTools.Donotattempttoupgradeor

installVMwareToolsonthevShieldManager.

To install the vShield Manager

1 LogintothevSphereClient.

2 CreateaportgrouptohomethemanagementinterfaceofthevShieldManager.

The

vShield

Manager

management

interface

must

be

reachable

by

all

future

vShield

Edge,

vShield

App,

andvShieldEndpointinstances.

3 GotoFile>DeployOVFTemplate.

4 ClickDeployfromfileandclickBrowsetolocatethefolderonyourPCcontainingthevShieldManager

OVAfile.

5 Completethewizard.

ThevShieldManagerisinstalledasavirtualmachineintoyourinventory.

6 PoweronthevShieldManagervirtualmachine.

Configure the Network Settings of the vShield Manager

Youmustusethecommandlineinterface(CLI)ofthevShieldManagertoconfigureanIPaddress,identifythe

defaultgateway,andsetDNSsettings.

YoucanspecifyuptotwoDNSserversthatthevShieldManagercanuseforIPaddressandhostname

resolution.DNSisrequiredifanyESXhostinyourvCenterServerenvironmentwasaddedbyusingthe

hostname(insteadofIPaddress).

To configure the vShield Manager network settings by using the vShield Manager CLI

1 RightclickthevShieldManagervirtualmachineandclickOpenConsoletoopenthecommandline

interface(CLI)ofthevShieldManager.

Thebootingprocessmighttakeafewminutes.

2 Afterthemanager loginpromptappears,logintotheCLIbyusingtheusernameadminandthe

passworddefault.

3 EnterEnabledmodebyusingthepassworddefault.

manager> enable

Password:

manager#

4 RunthesetupcommandtoopentheCLIsetupwizard.

The

CLI

setup

wizard

guides

you

through

IP

address

assignment

for

the

vShield

Managers

management

interfaceandidentificationofthedefaultnetworkgateway.TheIPaddressofthemanagementinterface

mustbereachablebyallinstalledvShieldApp,vShieldEdge,andvShieldEndpointinstances,andbya

Webbrowserforsystemmanagement.

manager# setup

Use CTRL-D to abort configuration dialog at any prompt.

Default settings are in square brackets '[]'.

IP Address (A.B.C.D):

Subnet Mask (A.B.C.D):

Default gateway (A.B.C.D):

Primary DNS IP (A.B.C.D):

Secondary DNS IP (A.B.C.D):

NOTE DonotplacethemanagementinterfaceofthevShieldManagerinsameportgroupastheService

ConsoleandVMkernel.


19/30

VMware, Inc. 19

Chapter 3 Installing the vShield Manager and vShield Zones

Old configuration will be lost, and system needs to be rebooted

Do you want to save new configuration (y/[n]): y

Please log out and log back in again.

manager> exit

manager login:

5 LogintotheCLI.

6 Pingthedefaultgatewaytoverifynetworkconnectivity.

manager> ping A.B.C.D

7 FromyourPC,pingthevShieldManagerIPaddresstovalidatethattheIPaddressisreachable.

Log In to the vShield Manager User Interface

AfteryouhaveinstalledandconfiguredthevShieldManagervirtualmachine,logintothevShieldManager

userinterface.

To log in to the vShield Manager user interface

1 OpenaWebbrowserwindowandtypetheIPaddressassignedtothevShieldManager.

The

vShield

Manager

user

interface

opens

in

an

SSH

session.2 Acceptthesecuritycertificate.

ThevShieldManagerloginscreenappears.

3 LogintothevShieldManageruserinterfacebyusingtheusernameadminandthepassworddefault.

Youshouldchangethedefaultpasswordasoneofyourfirsttaskstopreventunauthorizeduse.See

ChangethePasswordofthevShieldManagerUserInterfaceDefaultAccountonpage 20.

4 ClickLogIn.

Synchronize the vShield Manager with the vCenter Server

SynchronizewithyourvCenterServertodisplayyourVMwareInfrastructureinventoryinthevShield

Manageruserinterface.

YoumusthaveavCenterServeruseraccountwithadministrativeaccesstocompletethistask.

To synchronize the vShield Manager with vCenter Server

1 LogintothevShieldManager.

2 ClickSettings&ReportsfromthevShieldManagerinventorypanel.

3 ClicktheConfigurationtab.

4 ClickthevCentertab.

5 TypetheIPaddressorhostnameofyourvCenterServerintheIPaddress/Namefield.

6 TypeyourvSphereClientloginusernameintheUserNamefield.

7 TypethepasswordassociatedwiththeusernameinthePasswordfield.

8 ClickSave.

NOTE YoucanuseanSSLcertificateforauthentication.RefertothevShieldAdministrationGuide.

NOTE ThevShieldManagervirtualmachinedoesnotappearasaresourceintheinventorypanelofthe

vShieldManageruserinterface.TheSettings&ReportsobjectrepresentsthevShieldManagervirtual

machineintheinventorypanel.


20/30


20 VMware, Inc.

Register the vShield Manager Plug-In with the vSphere Client

ThevSpherePluginoptionletsyouregisterthevShieldManagerasavSphereClientplugin.Afterthe

pluginisregistered,youcanconfiguremostvShieldoptionsfromthevSphereClient.

To register the vShield Manager as a vSphere Client Plug-in


2 ClicktheConfigurationtab.

3 ClickvSpherePlugin.

4 ClickRegister.

5 IfyouareloggedintothevSphereClient,logout.


7 SelectanESXhost.

8 VerifythatthevShieldtabappearsasanoption.

Change the Password of the vShield Manager User Interface Default

AccountYoucanchangethepasswordoftheadminaccounttohardenaccesstoyourvShieldManager.

To change the admin account password

1 LogintothevShieldManageruserinterface.


3 ClicktheUserstab.

4 Selecttheadminaccount.

5 ClickUpdateUser.

6 Enteranewpassword.

7 ConfirmthepasswordbytypingitasecondtimeintheRetypePasswordfield.

8 ClickOKtosaveyourchanges.

Install vShield Zones

ThefollowinginformationisrequiredforvShieldZonesinstallationonanESXhost:

OneIPaddressforthemanagement(MGMT)portofeachvShieldZonesvirtualappliance.EachIP

addressshouldbereachablefromthevShieldManagerandsitontheManagementnetworkusedfor

vCenterandESXhostmanagementinterfaces.

LocalornetworkstoragetoplacethevShieldZonesdisk.

vShieldZonesvirtualappliancesincludeVMwareTools.DonotattempttoalterorupgradetheVMwareTools

softwareonavShieldZonesvirtualappliance.


2 SelectanESXhostfromtheinventorytree.

3 ClickthevShieldtab.

4 Acceptthesecuritycertificate.

5 ClickInstallforthevShieldZonesservice.


21/30

VMware, Inc. 21

Chapter 3 Installing the vShield Manager and vShield Zones

6 Enterthefollowinginformation.

7 ClickInstallatthetopoftheform.

YoucanfollowthevShieldZonesinstallationstepsfromtheRecentTaskspaneofthevSphereClient

screen.

8 Afterinstallationofallcomponentsiscomplete,gotothevShieldZones>ZonesFirewalltabatthe

datacenter,cluster,orportgroupcontainerleveltoconfigurefirewallrules.EachvShieldZonesinstance

inheritsglobalfirewallrulessetinthevShieldManager.Thedefaultfirewallrulesetallowsalltrafficto

pass.Youmustconfigureblockingrulestoexplicitlydenytraffic.ToconfigureZonesFirewallrules,see

thevShieldAdministrationGuide.

Where to Go Next

AftervShieldManagerinstallationiscomplete,youcanconfigurevShieldZonesfirewallsettingsandanalyze

traffic.Formore,seethevShieldAdministrationGuide.Toenhanceyournetworksecurityposture,youcanobtainlicensesforvShieldApp,vShieldEndpoint,and

vShieldEdge.Formore,seeChapter 4,InstallingvShieldEdge,vShieldApp,andvShieldEndpoint,on

page 23.

Field Action

Datastore SelectthedatastoreonwhichtostorethevShieldZonesvirtualmachinefiles.

ManagementPortGroup SelecttheportgrouptohostthevShieldZonesmanagementinterface.ThisportgroupmustbeabletoreachthevShieldManagersportgroup.

IPAddress TypetheIPaddresstoassigntothevShieldZonesmanagementinterface.

Netmask TypetheIPsubnetmaskassociatedwiththeassignedIPaddress.

DefaultGateway TypetheIPaddressofthedefaultnetworkgateway.

NOTE YoucanupgradevShieldZonestovShieldAppbyobtainingavShieldApplicense.vShieldApp

enhancesvShieldZonesprotectionbyofferingFlowMonitoring,customcontainercreation(SecurityGroups),

andcontainerbasedaccesspolicycreationandenforcement.

YoudonothavetouninstallvShieldZonestoinstallvShieldApp.AllvShieldZonesinstancesbecomevShield

Appinstances,theZonesFirewallbecomesAppFirewall,andtheadditionalvShieldAppfeaturesareenabled.


22/30


22 VMware, Inc.


23/30

VMware, Inc. 23

4

AfterthevShieldManagerandvShieldZonesareinstalled,youcanobtainlicensestoactivatevShieldApp,

vShieldEndpoint,andvShieldEdgecomponents.ThevShieldManagerOVApackageincludesthedrivers

andfilesrequiredtoinstalltheseaddoncomponents.

Thischapterincludesthefollowingtopics:

Running

vShield

in

Evaluation

Mode

on

page 23 PreparingYourVirtualInfrastructureforvShieldApp,vShieldEdge,andvShieldEndpointonpage 23

InstallingvShieldEndpointonpage 27

WheretoGoNextonpage 28

Running vShield in Evaluation Mode

BeforepurchasingandactivatinglicensesforvShieldEdge,vShieldApp,anvShieldEndpoint,youcaninstall

andrunevaluationmodesofthesoftware.Whenruninevaluationmode,intendedfordemonstrationand

evaluationpurposes,yourvShieldEdge,vShieldApp,andvShieldEndpointarecompletelyoperational

immediatelyafterinstallation,donotrequireanylicensingconfiguration,andprovidefullfunctionalityfor60

daysfromthetimeyoufirstactivatethem.

Whenruninevaluationmode,vShieldcomponentscansupportamaximumallowednumberofinstances.

Afterthe60daytrialperiodexpires,unlessyouobtainlicensesforyoursoftware,youcannotusevShield.For

example,youcannotpoweronvShieldApporvShieldEdgevirtualappliancesorprotectyourvirtual

machines.

TocontinueusingthevShieldAppandvShieldEdgefunctionalitywithoutinterruptionsortorestorethe

featuresthatbecomeunavailableafterthe60daytrial,youneedtoobtainandinstalllicensefilesthatactivate

thefeaturesappropriateforthevShieldcomponentyoupurchased.

Preparing Your Virtual Infrastructure for vShield App, vShield Edge,

and vShield EndpointPriortoinstallation,theaddoncomponentsrequirepreparationofyourESXhostandvNetwork

environments.YouinstallvShieldApp,vShieldEndpoint,andthePortGroupIsolationfeatureonESXhosts.

YouinstallvShieldEdgeonaportgroup,vNetworkDistributedSwitch(vDS)portgroup,oraCiscoNexus

1000V.

IfyouintendtousethePortGroupIsolationfeature,youshouldinstallPortGroupIsolationonallESXhosts

inyourvCenterenvironmentbeforeyouinstallanyvShieldEdgevirtualmachines.IfyoudonotinstallPort

GroupIsolationandattempttoenablethefeatureduringvShieldEdgeinstallation,PortGroupIsolationdoes

notwork.SeePrepareAllESXHostsonpage 24.

Installing vShield Edge, vShield App,and vShield Endpoint 4


24/30


24 VMware, Inc.

Install vShield Component Licenses

YoumustinstalllicensesforvShieldEdge,vShieldApp,andvShieldEndpointbeforeinstallingthese

components.YoucaninstalltheselicensesaftervShieldManagerinstallationiscompletebyusingthevSphere

Client.

1 FromavSphereClienthostthatisconnectedtoavCenterServersystem,selectHome>Licensing.

2 Forthereportview,selectAsset.

3 RightclickavShieldassetandselectChangelicensekey.

4 SelectAssignanewlicensekeyandclickEnterKey.

5 Enterthelicensekey,enteranoptionallabelforthekey,andclickOK.

6 ClickOK.

7 RepeatthesestepsforeachvShieldcomponentforwhichyouhavealicense.

Prepare All ESX Hosts

YoushouldprepareallESXhostsinyourvCenterenvironmentforvShieldaddonfunctionality.

ThefollowinginformationisrequiredforESXhostpreparation:

OneIPaddressforthemanagement(MGMT)portofeachvShieldAppvirtualappliance.EachIPaddress

shouldbereachablefromthevShieldManagerandsitontheManagementnetworkusedforvCenterand

ESXhostmanagementinterfaces.

LocalornetworkstoragetoplacethevShieldAppandPortGroupIsolationdisks.

vShieldvirtualappliancesincludeVMwareTools.DonotattempttoalterorupgradetheVMwareTools

softwareonavShieldvirtualappliance.

To prepare an ESX host for vShield add-on functionality


2 SelectanESXhostfromtheinventorytree.

3 ClickthevShieldtab.

4 Acceptthesecuritycertificate.

5 ClickInstallforthevShieldAppservice.

Youwillbeabletoinstallallthreeservicesonthenextscreen.

6 UndervShieldApp,enterthefollowinginformation.

7 SelectthevShieldEdgePortGroupIsolationHostPreparationcheckbox.

8 SelecttheDatastoreonwhichtostorethePortGroupIsolationservicefiles.

9 SelectthevShieldEndpointcheckbox.

Field Action

Datastore SelectthedatastoreonwhichtostorethevShieldAppvirtualmachinefiles.

ManagementPortGroup SelecttheportgrouptohostthevShieldAppsmanagementinterface.This

portgroupmustbeabletoreachthevShieldManagersportgroup.

IPAddress TypetheIPaddresstoassigntothevShieldAppsmanagementinterface.

Netmask TypetheIPsubnetmaskassociatedwiththeassignedIPaddress.



25/30

VMware, Inc. 25

Chapter 4 Installing vShield Edge, vShield App, and vShield Endpoint

10 ClickInstallatthetopoftheform.

YoucanfollowthevShieldAppinstallationstepsfromtheRecentTaskspaneofthevSphereClientscreen.

11 Afterinstallationofallcomponentsiscomplete,dothefollowing:

vShieldApp:Atthispoint,vShieldAppinstallationiscomplete.GotothevShieldApp>App

Firewalltabatthedatacenter,cluster,orportgroupcontainerleveltoconfigurefirewallrules.Each

vShieldAppinheritsglobalfirewallrulessetinthevShieldManager.Thedefaultfirewallruleset

allowsalltraffictopass.Youmustconfigureblockingrulestoexplicitlyblocktraffic.ToconfigureAppFirewallrules,seethevShieldAdministrationGuide.

PortGroupIsolation:YoumustenablethePortGroupIsolationfeatureoneachvDS.After

enablementiscomplete,installavShieldEdgeoneachvDSportgroup.SeePrepareavNetworkfor

PortGroupIsolationonpage 25.

vShieldEndpoint:Tocompleteinstallation,seeInstallingvShieldEndpointonpage 27.

Prepare a vNetwork for Port Group Isolation

PortGroupIsolationcreatesabarrierbetweenthevirtualmachinesprotectedbyavShieldEdgeandthe

externalnetwork.WhenyouenablePortGroupIsolationandinstallavShieldEdgeonavDSportgroup,you

isolateeachsecuredvDSportgroupfromtheexternalnetwork.WhenPortGroupIsolationisenabled,traffic

isnotallowedaccesstothevirtualmachinesinthesecuredportgroupunlessNATrulesorVLANtagsare

configured.

TousePortGroupIsolation,youmustenablethisfeatureoneachvDSonwhichyouwillinstallavShieldEdge.

1 EnablePortGroupIsolationoneachvDS.

2 InstallavShieldEdgeoneachvDSportgroupyouplantosecure.

3 MovethevirtualmachinestosecuredvDSportgroups.

AfterPortGroupIsolationisinstalledoneachESXhost,youmustenablePortGroupIsolationoneachvDSwhereyouwillinstallavShieldEdge.ThisallowsthePortGroupIsolationservicetobeusedonanyport

groupinavDS.

To enable Port Group Isolation on a vDS


2 GotoView>Inventory>Networking.

3 RightclickavDS.

4 SelectvShield>EnableIsolation.

AbrowserwindowopenstoconfirmthatPortGroupIsolationhasbeenenabled.

AfterPortGroupIsolationinstallationiscomplete,installavShieldEdgeinstanceoneachvDSportgroup.

Install a vShield Edge

EachvShieldEdgevirtualappliancehasExternalandInternalnetworkinterfaces.TheInternalinterface

connectstothesecuredportgroupandactsasthegatewayforallprotectedvirtualmachinesintheportgroup.

ThesubnetassignedtotheInternalinterfacecanbeRFC1918privatespace.TheExternalinterfaceofthe

vShieldEdgeconnectstoanuplinkportgroupthathasaccesstoasharedcorporatenetworkoraservicethat

providesaccesslayernetworking.

EachvShieldEdgerequiresatleastoneIPaddresstonumbertheExternalinterface.MultipleexternalIP

addressescanbeconfiguredforLoadBalancer,SitetoSiteVPN,andNATservices.TheInternalinterfacecan

haveaprivateIPaddressblockthatoverlapswithothervShieldEdgesecuredportgroups.

NOTE PortGroupIsolationisanoptionalfeaturethatisnotrequiredforvShieldEdgeoperation.PortGroup

IsolationisavailableforvDSbasedvShieldEdgeinstallationsonly.


26/30


26 VMware, Inc.

YoucaninstallonevShieldEdgeperportgroup,vDSportgroup,orCiscoNexus1000V.

IfDRSandHAareenabled,avShieldEdgewillbemigrateddynamically.

To install a vShield Edge


2 GotoView>Inventory>Networking.

3 OnavDS,createaportgroup.

ThisportgroupistheInternalportgroup.

4 MoveatenantsguestvirtualmachinestotheInternalportgroup.

5 SelectthenewInternalportgroup.

6 ClicktheEdgetab.

7 UnderNetworkInterfaces,enterthefollowinginformation.

8 (Optional)SelecttheIsolatecheckboxtoenablePortGroupIsolationonthevShieldEdge.

ThispreventsvirtualmachinesontheInternalportgroupfromcommunicatingwithsystemsoutsideof

thatportgroup.

9 UnderEdgedeploymentresourceselection,enterthefollowinginformation

10 Click

Install.Afterinstallationiscomplete,configureservicesandfirewallrulestoprotectthevirtualmachinesinthe

securedportgroup.ToconfigureavShieldEdge,seethevShieldAdministrationGuide.

Field Action

External

PortGroup SelecttheexternalportgroupinthevDS.ThisportgrouphomesaphysicalNICandconnectstotheexternalnetwork.

IPAddress TypetheIPaddressoftheexternalportgroup.

SubnetMask TypetheIPsubnetmaskassociatedwiththespecifiedexternalIPaddress.


Internal

PortGroup Thisistheselectedinternalportgroup.

IPAddress TypetheIPaddressoftheinternalportgroup.

SubnetMask TypetheIPsubnetmaskassociatedwiththespecifiedinternalIPaddress.

Field Action

ResourcePool SelecttheresourcepoolwherethevShieldEdgeshouldbedeployed.

Host SelecttheESXhostonwhichthedatastoreresides.

Datastore SelectthedatastoreonwhichtostorethevShieldEdgevirtualmachinefiles.


27/30

VMware, Inc. 27

Chapter 4 Installing vShield Edge, vShield App, and vShield Endpoint

Installing vShield Endpoint

Theinstallationinstructionsthatfollowassumethatyouhavethefollowingsystem:

AdatacenterwithvCenterServer4.1installedandrunning,andESX4.1installedoneachESXhostinthe

cluster.

vShieldManager4.1installedandrunning.

Anti

virus

solution

management

server

installed

and

running.

vShield Endpoint Installation Workflow

AfterpreparingtheESXhostforvShieldEndpointinstallationiscomplete,installvShieldEndpointinthese

stages:

1 Deployandconfigureasecurityvirtualmachine(SVM)toeachESXhostaccordingtotheinstructions

fromtheantivirussolutionprovider.

2 InstallthevShieldEndpointthinagentonallvirtualmachinestobeprotected.Forinstructions,see

InstalltheThinAgentontheGuestVirtualMachineonpage 27.

Install the Thin Agent on the Guest Virtual Machine

Thethinagentmustbeinstalledoneachguestvirtualmachinetobeprotected.Virtualmachineswiththethin

agentinstalledareautomaticallyprotectedwhenevertheyarestarteduponanESXhostthathasthesecurity

solutioninstalled.Thatis,protectedvirtualmachinesretainthesecurityprotectionthroughshutdownsand

restarts,andevenafteravMotionmovetoanotherESXhostwiththesecuritysolutioninstalled.

Prerequisites

MakesurethattheguestvirtualmachinehasasupportedversionofWindowsinstalled.Supported

versionsoftheWindowsoperatingsystemforvShieldEndpoint1.0are:

WindowsVista(32bit)

Windows7(32bit)

WindowsXP(32bit) Windows2003(32/64bit)

Windows2008(32/64bit)

Makesurethatthethinagentandthevirtualmachinearebotheither32or64bitversions.Youcannotmix

thetwoversions.

MakesuretheguestvirtualmachinehasaSCSIcontrollerinstalled.

IMPORTANT Whenyoucreateanewvirtualmachine,thedefaultconfigurationdoesnotincludeaSCSI

controller.YoumustspecificallyaddaSCSIcontrollertothevirtualmachine.Tofindinstructionsonhow

toaddSCSIcontrollerstoavirtualmachine,seethevSphereClienthelp:vSphereClientHelp>

ManagingVirtualMachineHardwareandDevices>AddingVirtualDevices>AddSCSIControllers

CAUTION BusLogicSCSIcontrollersarenotsupported.


28/30


28 VMware, Inc.

To install the Thin Agent

1 TheinstallationpackageislocatedatthesameVMwarecustomersitewhereyoudownloadedvShield

Manager.

Thepackagenamehasthefollowingform:

32bit

VMware-vShield-Endpoint-Driver-1.0.0-.x86-32.msi 64bit

VMware-vShield-Endpoint-Driver-1.0.0-.x86-64.msi.

ThisisastandardMicrosoftinstallerpackage.

2 Downloadandexecutetheinstallationpackageonthetargethost.

3 Thethinagentmustbeinstalledoneveryguestvirtualmachinetobeprotected.

4 Reboottheguestvirtualmachinetocompletetheinstallation.

Ifyourunasilentinstallusingmsiexec,therebootwillhappenautomatically.

Where to Go NextAfterinstallationiscomplete,seethevShieldAdministrationGuideforconfiguration,monitoring,andmaintenance.


29/30

VMware, Inc. 29

Index

Cchanging the GUI password 20CLI

configuring vShield Manager network

settings 18

hardening 15

client requirements 14

cluster protection 11

communication between components 15

configuring vShield Manager network settings 18

D

deploymentcluster 11

DMZ 10

deployment considerations 14

deployment scenarios 10

DMZ 10

E

enabling Port Group Isolation 25

ESX host preparation 24

evaluating vShield components 23

Ffile system filter driver installation 27

G

guest driver installation 27

GUI, logging in 19

H

hardening 15

CLI 15

REST 16

vShield Manager GUI 15

I

installation

licenses 24

Port Group Isolation 24

vShield App 24

vShield Edge 25, 27

vShield Endpoint 24

vShield Endpoint thin agent 27

vShield Manager 17

isolating networks 10

isolating virtual machines 15

L

licensing

evaluation mode 23

installation 24

logging in to the GUI 19

P

password change 20

plug-in 20

Port Group Isolationenabling 25

installation 24


preparing virtual machines for protection 14

protecting a cluster 11

protecting virtual machines 14

R

REST 16

S

synchronizing with vCenter 19system requirements 13

T

thin agent installation 27

V

vCenter, syncing from vShield Manager 19

virtual machine isolation 15

vMotion 14

vNetwork preparation 25

vShield

component communication 15

deployment scenarios 10

evaluating components 23

hardening 15

preparing an ESX host 24

vShield App 9

vShield Edge 8

vShield Endpoint 9

vShield Manager 7

vShield Zones 7


30/30


vShield App

about 9

common deployments 11

installation 24

licensing 24

vShield Edge

about 8

common deployments 11installation 25


licensing 24

vShield Endpoint

about 9

installation 24, 27

installation steps 27

licensing 24

thin agent installation 27

vShield Manager

about 7

changing the GUI password 20

installation 17

logging in to GUI 19

network settings 18

registering plug-in 20

syncing with vCenter 19

uptime 15

vShield Manager GUI 15

vShield Zones

about 7

vShield Manager 7

vSphere Client plug-in 20

Documents

vshield_41_quickstart