8/6/2019 vshield_41_quickstart
1/30
vShield Quick Start Guide
vShield Manager 4.1
vShield Edge 1.0
vShield App 1.0
vShield Endpoint 1.0
This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of this document, see http://www.vmware.com/support/pubs.
EN-000375-00
VMware, Inc.
3401 Hillview Ave.
Palo Alto, CA 94304
www.vmware.com
You can find the most up-to-date technical documentation on the VMware Web site at:
http://www.vmware.com/support/
The VMware Web site also provides the latest product updates.
If you have comments about this documentation, submit your feedback to:
Copyright 2010 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. VMware products are covered by one or more patents listed at http://www.vmware.com/go/patents. VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies.
Contents
About This Book 5
1 Introduction to vShield 7
  vShield Components at a Glance 7
    vShield Manager 7
    vShield Zones 7
    vShield Edge 8
      Standard vShield Edge Services (Including Cloud Director) 8
      Advanced vShield Edge Services 8
    vShield App 9
    vShield Endpoint 9
  Deployment Scenarios 10
    Protecting the DMZ 10
    Isolating and Protecting Internal Networks 10
    Protecting Virtual Machines in a Cluster 11
    Common Deployments of vShield Edge 11
    Common Deployments of vShield App 11
2 Preparing for Installation 13
  System Requirements 13
    Hardware 13
    Software 13
    Client and User Access 14
  Deployment Considerations 14
    Preparing Virtual Machines for vShield Protection 14
      How Are My Virtual Machines Grouped? 14
      Are My Virtual Machines Still Protected if I vMotion Them to Another ESX Host? 14
      How Do I Isolate a Group of Virtual Machines? 15
    vShield Manager Uptime 15
    Communication Between vShield Components 15
    Hardening Your vShield Virtual Machines 15
      vShield Manager User Interface 15
      Command Line Interface 15
      REST Requests 16
3 Installing the vShield Manager and vShield Zones 17
  Obtain the vShield Manager OVA File 17
  Install the vShield Manager Virtual Appliance 17
  Configure the Network Settings of the vShield Manager 18
  Log In to the vShield Manager User Interface 19
  Synchronize the vShield Manager with the vCenter Server 19
  Register the vShield Manager Plug-In with the vSphere Client 20
  Change the Password of the vShield Manager User Interface Default Account 20
  Install vShield Zones 20
  Where to Go Next 21
4 Installing vShield Edge, vShield App, and vShield Endpoint 23
  Running vShield in Evaluation Mode 23
  Preparing Your Virtual Infrastructure for vShield App, vShield Edge, and vShield Endpoint 23
    Install vShield Component Licenses 24
    Prepare All ESX Hosts 24
    Prepare a vNetwork for Port Group Isolation 25
    Install a vShield Edge 25
  Installing vShield Endpoint 27
    vShield Endpoint Installation Workflow 27
    Install the Thin Agent on the Guest Virtual Machine 27
      Prerequisites 27
  Where to Go Next 28
Index 29
About This Book
The vShield Quick Start Guide provides information about installing VMware vShield into your VMware Virtual Infrastructure environment.
Intended Audience
This book is intended for anyone who wants to install or use VMware vShield. The information in this book is written for experienced Windows or Linux system administrators who are familiar with virtual machine technology and datacenter operations. This book also assumes familiarity with VMware Virtual Infrastructure, including vCenter Server 4.x, VMware ESX 4.x, and the vSphere Client.
VMware Technical Publications Glossary
VMware Technical Publications provides a glossary of terms that might be unfamiliar to you. For definitions of terms as they are used in VMware technical documentation, go to http://www.vmware.com/support/pubs.
Document Feedback
VMware welcomes your suggestions for improving our documentation. If you have comments, send your
VMware Infrastructure Documentation
The following documents comprise the VMware vShield documentation set:
vShield Administration Guide
vShield Quick Start Guide
vShield API Programming Guide
You should also have access to the combined vCenter Server and ESX documentation set.
Technical Support and Education Resources
The following sections describe the technical support resources available to you. To access the current version of this book and other books, go to http://www.vmware.com/support/pubs.
Online and Telephone Support
To use online support to submit technical support requests, view your product and contract information, and register your products, go to http://www.vmware.com/support.
Customers with appropriate support contracts should use telephone support for the fastest response on priority 1 issues. Go to http://www.vmware.com/support/phone_support.
Support Offerings
To find out how VMware support offerings can help meet your business needs, go to http://www.vmware.com/support/services.
VMware Professional Services
VMware Education Services courses offer extensive hands-on labs, case study examples, and course materials designed to be used as on-the-job reference tools. Courses are available onsite, in the classroom, and live online. For onsite pilot programs and implementation best practices, VMware Consulting Services provides offerings to help you assess, plan, build, and manage your virtual environment. To access information about education classes, certification programs, and consulting services, go to http://www.vmware.com/services.
1 Introduction to vShield
This chapter introduces the VMware vShield components you install.
The chapter includes the following topics:
vShield Components at a Glance on page 7
Deployment Scenarios on page 10
vShield Components at a Glance
VMware vShield is a suite of security virtual appliances built for VMware vCenter Server integration. vShield is a critical security component for protecting virtualized datacenters from attacks and misuse, helping you achieve your compliance-mandated goals.
vShield includes virtual appliances and services essential for protecting virtual machines. vShield can be configured through a web-based user interface, a vSphere Client plug-in, a command line interface (CLI), and REST API.
vCenter Server includes vShield Manager and vShield Zones. The following vShield packages each require a license:
vShield Edge with Port Group Isolation
vShield App
vShield Endpoint
One vShield Manager manages multiple vShield Zones, vShield Edge, vShield App, and vShield Endpoint instances.
vShield Manager
The vShield Manager is the centralized network management component of vShield, and is installed as a virtual appliance on any ESX host in your vCenter Server environment. A vShield Manager can run on a different ESX host from your vShield agents.
Using the vShield Manager user interface or vSphere Client plug-in, administrators install, configure, and maintain vShield components. The vShield Manager user interface leverages the VMware Infrastructure SDK to display a copy of the vSphere Client inventory panel, and includes the Hosts & Clusters and Networks views.
vShield Zones
vShield Zones provides firewall protection for traffic between virtual machines. For each Zones Firewall rule, you can specify the source IP, destination IP, source port, destination port, and service.
vShield Edge
vShield Edge provides network edge security and gateway services to isolate the virtual machines in a port group, vDS port group, or Cisco Nexus 1000V. The vShield Edge connects isolated, stub networks to shared (uplink) networks by providing common gateway services such as DHCP, VPN, NAT, and Load Balancing. Common deployments of vShield Edge include in the DMZ, VPN Extranets, and multi-tenant Cloud environments where the vShield Edge provides perimeter security for Virtual Datacenters (VDCs).
Standard vShield Edge Services (Including Cloud Director)
Firewall: Supported rules include IP 5-tuple configuration with IP and port ranges for stateful inspection for TCP, UDP, and ICMP.
Network Address Translation: Separate controls for Source and Destination IP addresses, as well as TCP and UDP port translation.
Dynamic Host Configuration Protocol (DHCP): Configuration of IP pools, gateways, DNS servers, and search domains.
Advanced vShield Edge Services
Site-to-Site Virtual Private Network (VPN): Uses standardized IPsec protocol settings to interoperate with all major firewall vendors.
Load Balancing: Simple and dynamically configurable virtual IP addresses and server groups.
vShield Edge supports syslog export for all services to remote servers.
Figure 1-1. vShield Edge Installed to Secure a vDS Port Group
vShield App
vShield App is an interior, vNIC-level firewall that allows you to create access control policies regardless of network topology. A vShield App monitors all traffic in and out of an ESX host, including between virtual machines in the same port group. vShield App includes traffic analysis and container-based policy creation.
vShield App installs as a hypervisor module and firewall service virtual appliance. vShield App integrates with ESX hosts through VMsafe APIs and works with VMware vSphere platform features such as DRS, vMotion, DPM, and maintenance mode. vShield App provides firewalling between virtual machines by placing a firewall filter on every virtual network adapter. The firewall filter operates transparently and does not require network changes or modification of IP addresses to create security zones. You can write access rules by using vCenter containers, like datacenters, clusters, resource pools and vApps, or network objects, like Port Groups and VLANs, to reduce the number of firewall rules and make the rules easier to track.
You should install vShield App instances on all ESX hosts within a cluster so that VMware vMotion operations work and virtual machines remain protected as they migrate between ESX hosts. By default, a vShield App virtual appliance cannot be moved by using vMotion.
The Flow Monitoring feature displays allowed and blocked network flows at the application protocol level. You can use this information to audit network traffic and troubleshoot operational issues.
vShield Endpoint
vShield Endpoint delivers an introspection-based antivirus solution. vShield Endpoint uses the hypervisor to scan guest virtual machines from the outside without a bulky agent. vShield Endpoint is efficient in avoiding resource bottlenecks while optimizing memory use.
vShield Endpoint installs as a hypervisor module and security virtual appliance from a third-party antivirus vendor (VMware partners) on an ESX host.
Figure 1-2. vShield Endpoint Installed on an ESX Host
Deployment Scenarios
Using vShield, you can build secure zones for a variety of virtual machine deployments. You can isolate virtual machines based on specific applications, network segmentation, or custom compliance factors. Once you determine your zoning policies, you can deploy vShield to enforce access rules to each of these zones.
Protecting the DMZ
The DMZ is a mixed trust zone. Clients enter from the Internet for Web and email services, while services within the DMZ might require access to services inside the internal network. You can place DMZ virtual machines in a port group and secure that port group with a vShield Edge. vShield Edge provides access services such as firewall, NAT, and VPN, as well as load balancing to secure DMZ services.
A common example of a DMZ service requiring an internal service is Microsoft Exchange. Microsoft Outlook Web Access (OWA) commonly resides in the DMZ cluster, while the Microsoft Exchange back end is in the internal cluster. On the internal cluster, you can create firewall rules to allow only Exchange-related requests from the DMZ, identifying specific source-to-destination parameters. From the DMZ cluster, you can create rules to allow outside access to the DMZ only to specific destinations using HTTP, FTP, or SMTP.
Isolating and Protecting Internal Networks
You can use a vShield Edge with the Port Group Isolation feature to isolate an internal network from the external network. A vShield Edge provides perimeter firewall protection and edge services to secure virtual machines in a port group, enabling communication to the external network through DHCP, NAT, and VPN. Within the secured port group, you can install a vShield App instance on each ESX host that the vDS spans to secure communication between virtual machines in the internal network.
If you utilize VLAN tags to segment traffic, you can use App Firewall to create smarter access policies. Using App Firewall instead of a physical firewall allows you to collapse or mix trust zones in shared ESX clusters. By doing so, you gain optimal utilization and consolidation from features such as DRS and HA, instead of having separate, fragmented clusters. Management of the overall ESX deployment as a single pool is less complex than having separately managed pools.
For example, you use VLANs to segment virtual machine zones based on logical, organizational, or network boundaries. Leveraging the Virtual Infrastructure SDK, the vShield Manager inventory panel displays a view of your VLAN networks under the Networks view. You can build access rules for each VLAN network to isolate virtual machines and drop untagged traffic to these machines.
Protecting Virtual Machines in a Cluster
In Figure 1-3, vShield App instances are installed on each ESX host in a cluster. Virtual machines are protected when moved via vMotion or DRS between ESX hosts in the cluster. Each vApp shares and maintains state of all transmissions.
Figure 1-3. vShield App Instances Installed on Each ESX Host in a Cluster (panels: Unprotected Cluster, Protected Cluster)
Common Deployments of vShield Edge
You can use a vShield Edge with the Port Group Isolation feature to isolate a stub network, using NAT to allow traffic in and out of the network. If you deploy internal stub networks, you can use vShield Edge to secure communication between networks by using LAN-to-LAN encryption via VPN tunnels.
vShield Edge can be deployed as a self-service application within VMware Cloud Director.
Common Deployments of vShield App
You can use vShield App to create security zones within a vDC. You can impose firewall policies on vCenter containers or Security Groups, which are custom containers you can create by using the vShield Manager user interface. Container-based policies enable you to create mixed trust zone clusters without requiring an external physical firewall.
In a deployment that does not use vDCs, use a vShield App with the Security Groups feature to create trust zones and enforce access policies.
Service Provider Admins can use vShield App to impose broad firewall policies across all guest virtual machines in an internal network. For example, you can impose a firewall policy on the second vNIC of all guest virtual machines that allows the virtual machines to connect to a storage server, but blocks the virtual machines from addressing any other virtual machines.
2 Preparing for Installation
This chapter provides an overview of the prerequisites for successful vShield installation.
The chapter includes the following topics:
System Requirements on page 13
Deployment Considerations on page 14
System Requirements
Before installing vShield in your vCenter Server environment, consider your network configuration and resources. You can install one vShield Manager per vCenter Server, one vShield App per ESX host, and one vShield Edge per port group.
To install vShield, you must meet the following requirements:
Hardware
Table 2-1 lists the hardware requirements for this version of vShield.
Table 2-1. Hardware Requirements
Component | Minimum
Memory | 8 GB
Disk Space | 8 GB for the vShield Manager
 | 5 GB per vShield App per ESX host
 | 100 MB per vShield Edge
NICs | 2 gigabit NICs on an ESX host
Software
VMware vCenter Server 4.0 Update 1 or later
Table 2-2 lists the vCenter versions that are compatible with this version of vShield.
NOTE vShield Endpoint requires vCenter Server 4.1 or later.
Table 2-2. Supported vCenter Versions
vCenter Release | Build Number
4.0 Update 1 | 264050
4.1 GA | 208111
4.1 GA vSphere Client | 208111
VMware ESX 4.0 Update 1 or later for each server
Table 2-3 lists the ESX and ESXi versions that are compatible with this version of vShield.
NOTE vShield Endpoint requires ESX 4.1 or later.
Table 2-3. Supported ESX and ESXi Versions
ESX or ESXi Release | Build Number
4.0 Update 1 | 208167
4.1 GA | 260247
VMware vCloud Director 1.0
Table 2-4 lists the vCloud Director versions that are compatible with this version of vShield.
Table 2-4. Supported vCloud Director Versions
vCloud Director Release | Build Number
1.0 | 285979
Client and User Access
PC with the VMware vSphere Client
Permissions to add and power on virtual machines
Access to the datastore where you store virtual machine files, and the account permissions to copy files to that datastore
Enable cookies on your Web browser to access the vShield Manager user interface
Connect to the vShield Manager using one of the following supported Web browsers:
Internet Explorer 6.x and later
Mozilla Firefox 1.x and later
Safari 1.x or 2.x
Deployment Considerations
Consider the following recommendations and restrictions before you deploy vShield components.
Preparing Virtual Machines for vShield Protection
You must determine how to protect your virtual machines with vShield. Consider the following questions:
How Are My Virtual Machines Grouped?
You might consider moving virtual machines to port groups on a vDS or a different ESX host to group virtual machines by function, department, or other organizational need to improve security and ease configuration of access rules. You can install vShield Edge at the perimeter of any port group to isolate virtual machines from the external network. You can install a vShield App on an ESX host and configure firewall policies per container resource to enforce rules based on the hierarchy of resources.
Are My Virtual Machines Still Protected if I vMotion Them to Another ESX Host?
Yes, if you install a vShield App on each ESX host in a cluster, you can migrate machines between hosts without weakening the security posture. vShield App instances cannot be migrated to other hosts, thus each instance maintains state for existing sessions.
How Do I Isolate a Group of Virtual Machines?
You can use vShield Edge with the Port Group Isolation feature or VLANs to isolate virtual machines from the external network.
1 Install Port Group Isolation on each ESX host that a vDS spans.
2 Create a port group on the vDS.
3 Enable Port Group Isolation on the vDS.
4 Install a vShield Edge on the port group.
5 Move the virtual machines to the port group.
6 Configure vShield Edge NAT rules for traffic in and out of the port group.
NOTE You can also use VLANs to isolate virtual machines protected by a vShield Edge. If you use VLANs, the internal port group connected to a vShield Edge must have a VLAN tag that is different from the external port group.
vShield Manager Uptime
The vShield Manager should be run on an ESX host that is not affected by downtime, such as frequent reboots or maintenance mode operations. You can use HA or DRS to increase the resilience of the vShield Manager. If the ESX host on which the vShield Manager resides is expected to require downtime, vMotion the vShield Manager virtual appliance to another ESX host. Thus, more than one ESX host is recommended.
Communication Between vShield Components
The management interfaces of vShield components should be placed in a common network, such as the vSphere management network. The vShield Manager requires connectivity to the vCenter Server, as well as all vShield App and vShield Edge instances. vShield components can communicate over routed connections as well as different LANs.
NOTE The vShield Manager must be in the same vCenter Server environment as the vShield components to be managed. You cannot use the vShield Manager across different vCenter Server environments.
Hardening Your vShield Virtual Machines
You can access the vShield Manager and other vShield components by using a web-based user interface, command line interface, and REST API. vShield includes default login credentials for each of these access options. After installation of each vShield virtual machine, you should harden access by changing the default login credentials.
vShield Manager User Interface
You access the vShield Manager user interface by opening a web browser window and navigating to the IP address of the vShield Manager's management port. The default user account, admin, has global access to the vShield Manager. After initial login, you should change the default password of the admin user account. See Change the Password of the vShield Manager User Interface Default Account on page 20.
Command Line Interface
You can access the vShield Manager, vShield App, and vShield Edge virtual appliances by using a command line interface via a vSphere Client console session. Each virtual appliance uses the same default username (admin) and password (default) combination as the vShield Manager user interface. Entering Enabled mode also uses the password default.
For more on hardening the CLI, see the vShield Administration Guide.
REST Requests
All REST API requests require authentication with the vShield Manager. Using Base64 encoding, you identify a username-password combination in the following format: username:password. You must use a vShield Manager user interface account (username and password) with privileged access to perform requests. For more on authenticating REST API requests, see the vShield API Programming Guide.
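The Base64-encoded username:password form described above is standard HTTP Basic authentication, which is reversible encoding rather than encryption, so the header only stays secret inside the SSL session the vShield Manager presents. The following Python snippet is an added example, not code from this guide or from VMware: it builds the Authorization header with the standard library and, because this chapter asks you to retire the factory default admin/default account, refuses to build a request that still uses it. The Manager address and the request path are constructed placeholders, and the https scheme is an assumption drawn from the guide's mention of an SSL session.

```python
import base64
from urllib.request import Request

# Factory default account documented in this guide; every access path ships with it.
FACTORY_DEFAULT_CREDENTIALS = {("admin", "default")}


def basic_auth_header(username: str, password: str) -> str:
    """Return the HTTP Authorization header value for the Base64-encoded
    'username:password' form the vShield REST API expects."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def uses_factory_default(username: str, password: str) -> bool:
    """True when the caller is still using the documented default credentials."""
    return (username, password) in FACTORY_DEFAULT_CREDENTIALS


def build_request(manager_ip: str, path: str, username: str, password: str) -> Request:
    """Build (but do not send) an authenticated request to the vShield Manager.

    The factory default account is rejected so that scripts never entrench it,
    and only https is used because the Base64 header is trivially decodable."""
    if uses_factory_default(username, password):
        raise ValueError("admin/default is the factory default account; change it before scripting against the API")
    req = Request(f"https://{manager_ip}{path}")
    req.add_header("Authorization", basic_auth_header(username, password))
    return req


if __name__ == "__main__":
    # Constructed values: the Manager IP, path and password are placeholders, not from the guide.
    req = build_request("192.0.2.10", "/placeholder-path", "admin", "S3cure-example-pw")
    print(req.full_url, req.get_header("Authorization"))
```

The request object is returned rather than sent so the example runs offline; a real script would pass it to urllib.request.urlopen with a verified certificate.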
3 Installing the vShield Manager and vShield Zones
VMware vShield provides firewall protection, traffic analysis, and network perimeter services to protect your vCenter Server virtual infrastructure. vShield virtual appliance installation has been automated for most virtual datacenters.
The vShield Manager is the centralized management component of vShield. You use the vShield Manager to monitor and push configurations to vShield App, vShield Endpoint, and vShield Edge instances. The vShield Manager runs as a virtual appliance on an ESX host.
VMware vShield is included with VMware ESX 4.0 and 4.1. The base VMware vShield package includes the vShield Manager and vShield Zones. You can configure the vShield Zones firewall rule set to monitor traffic based on IP address-to-IP address communication.
Installing the vShield Manager is a multistep process. You must perform all of the tasks that follow in sequence to complete vShield Manager installation successfully.
This chapter includes the following topics:
Obtain the vShield Manager OVA File on page 17
Install the vShield Manager Virtual Appliance on page 17
Configure the Network Settings of the vShield Manager on page 18
Log In to the vShield Manager User Interface on page 19
Synchronize the vShield Manager with the vCenter Server on page 19
Register the vShield Manager Plug-In with the vSphere Client on page 20
Change the Password of the vShield Manager User Interface Default Account on page 20
Install vShield Zones on page 20
Where to Go Next on page 21
Obtain the vShield Manager OVA File
The vShield Manager virtual machine is packaged as an Open Virtualization Appliance (OVA) file, which allows you to use the vSphere Client to import the vShield Manager into the datastore and virtual machine inventory.
Install the vShield Manager Virtual Appliance
You can install the vShield Manager virtual machine on an ESX host in a cluster configured with DRS. The target ESX host must be managed by the same vCenter instance as the ESX hosts on which you want to deploy vShield Zones or vShield App instances. A single vShield Manager serves a single vCenter Server environment.
The vShield Manager virtual machine installation includes VMware Tools. Do not attempt to upgrade or install VMware Tools on the vShield Manager.
To install the vShield Manager
1 Log in to the vSphere Client.
2 Create a port group to home the management interface of the vShield Manager.
The vShield Manager management interface must be reachable by all future vShield Edge, vShield App, and vShield Endpoint instances.
3 Go to File > Deploy OVF Template.
4 Click Deploy from file and click Browse to locate the folder on your PC containing the vShield Manager OVA file.
5 Complete the wizard.
The vShield Manager is installed as a virtual machine into your inventory.
6 Power on the vShield Manager virtual machine.
Configure the Network Settings of the vShield Manager
You must use the command line interface (CLI) of the vShield Manager to configure an IP address, identify the default gateway, and set DNS settings.
You can specify up to two DNS servers that the vShield Manager can use for IP address and hostname resolution. DNS is required if any ESX host in your vCenter Server environment was added by using the hostname (instead of IP address).
NOTE Do not place the management interface of the vShield Manager in the same port group as the Service Console and VMkernel.
To configure the vShield Manager network settings by using the vShield Manager CLI
1 Right-click the vShield Manager virtual machine and click Open Console to open the command line interface (CLI) of the vShield Manager.
The booting process might take a few minutes.
2 After the manager login prompt appears, log in to the CLI by using the username admin and the password default.
3 Enter Enabled mode by using the password default.
manager> enable
Password:
manager#
4 Run the setup command to open the CLI setup wizard.
The CLI setup wizard guides you through IP address assignment for the vShield Manager's management interface and identification of the default network gateway. The IP address of the management interface must be reachable by all installed vShield App, vShield Edge, and vShield Endpoint instances, and by a Web browser for system management.
manager# setup
Use CTRL-D to abort configuration dialog at any prompt.
Default settings are in square brackets '[]'.
IP Address (A.B.C.D):
Subnet Mask (A.B.C.D):
Default gateway (A.B.C.D):
Primary DNS IP (A.B.C.D):
Secondary DNS IP (A.B.C.D):
Old configuration will be lost, and system needs to be rebooted
Do you want to save new configuration (y/[n]): y
Please log out and log back in again.
manager> exit
manager login:
5 Log in to the CLI.
6 Ping the default gateway to verify network connectivity.
manager> ping A.B.C.D
7 From your PC, ping the vShield Manager IP address to validate that the IP address is reachable.
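Saving the setup wizard's answers discards the old configuration and reboots the appliance, and a wrong gateway or mask leaves the Manager unreachable from every vShield App, vShield Edge and vShield Endpoint instance that depends on it. The function below is an added example, not part of this guide or of the vShield CLI: it applies the consistency checks a practitioner would want before typing y at the save prompt (host address rather than network or broadcast address, gateway inside the management subnet and distinct from the Manager's own address, DNS entries well-formed) and returns the list of problems found. The sample addresses in the usage block are constructed documentation ranges.

```python
import ipaddress
from typing import List, Optional


def validate_setup(ip: str, mask: str, gateway: str,
                   primary_dns: str, secondary_dns: Optional[str] = None) -> List[str]:
    """Check the answers for the vShield Manager 'setup' prompts before saving.

    Returns an empty list when the values are consistent, otherwise one message
    per problem. The checks are this example's own; the guide does not describe
    the appliance performing any of them."""
    problems: List[str] = []
    try:
        # IPv4Interface accepts the dotted-quad mask the wizard asks for.
        iface = ipaddress.IPv4Interface(f"{ip}/{mask}")
    except ValueError as exc:
        return [f"invalid IP address or subnet mask: {exc}"]
    net = iface.network
    if net.prefixlen == 32:
        problems.append("a /32 mask leaves no room for a gateway on the management subnet")
    elif iface.ip in (net.network_address, net.broadcast_address):
        problems.append(f"{iface.ip} is the network or broadcast address of {net}, not a host address")
    try:
        gw = ipaddress.IPv4Address(gateway)
    except ValueError:
        problems.append(f"default gateway {gateway!r} is not a valid IPv4 address")
    else:
        if gw not in net:
            problems.append(f"default gateway {gw} is outside the management subnet {net}")
        elif gw == iface.ip:
            problems.append("default gateway must differ from the management IP address")
    for label, dns in (("primary", primary_dns), ("secondary", secondary_dns)):
        if dns is None:
            continue
        try:
            ipaddress.IPv4Address(dns)
        except ValueError:
            problems.append(f"{label} DNS IP {dns!r} is not a valid IPv4 address")
    if secondary_dns is not None and secondary_dns == primary_dns:
        problems.append("secondary DNS duplicates the primary and adds no redundancy")
    return problems


if __name__ == "__main__":
    # Constructed sample answers (documentation ranges), not values from the guide.
    for answers in (("192.0.2.10", "255.255.255.0", "192.0.2.1", "192.0.2.53"),
                    ("192.0.2.10", "255.255.255.0", "198.51.100.1", "192.0.2.53")):
        print(answers, "->", validate_setup(*answers) or "ok")
```

Run the check against the values you intend to type; only an empty result means the wizard's answers are internally consistent, and the ping steps above still verify the network itself.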
Log In to the vShield Manager User Interface
After you have installed and configured the vShield Manager virtual machine, log in to the vShield Manager user interface.
To log in to the vShield Manager user interface
1 Open a Web browser window and type the IP address assigned to the vShield Manager.
The vShield Manager user interface opens in an SSL session.
2 Accept the security certificate.
The vShield Manager login screen appears.
3 Log in to the vShield Manager user interface by using the username admin and the password default.
You should change the default password as one of your first tasks to prevent unauthorized use. See Change the Password of the vShield Manager User Interface Default Account on page 20.
4 Click Log In.
Synchronize the vShield Manager with the vCenter Server
Synchronize with your vCenter Server to display your VMware Infrastructure inventory in the vShield Manager user interface.
You must have a vCenter Server user account with administrative access to complete this task.
NOTE The vShield Manager virtual machine does not appear as a resource in the inventory panel of the vShield Manager user interface. The Settings & Reports object represents the vShield Manager virtual machine in the inventory panel.
To synchronize the vShield Manager with vCenter Server
1 Log in to the vShield Manager.
2 Click Settings & Reports from the vShield Manager inventory panel.
3 Click the Configuration tab.
4 Click the vCenter tab.
5 Type the IP address or hostname of your vCenter Server in the IP address/Name field.
6 Type your vSphere Client login username in the User Name field.
7 Type the password associated with the username in the Password field.
8 Click Save.
NOTE You can use an SSL certificate for authentication. Refer to the vShield Administration Guide.
Register the vShield Manager Plug-In with the vSphere Client
The vSphere Plug-in option lets you register the vShield Manager as a vSphere Client plug-in. After the plug-in is registered, you can configure most vShield options from the vSphere Client.
To register the vShield Manager as a vSphere Client Plug-in
1 Click Settings & Reports from the vShield Manager inventory panel.
2 Click the Configuration tab.
3 Click vSphere Plug-in.
4 Click Register.
5 If you are logged in to the vSphere Client, log out.
6 Log in to the vSphere Client.
7 Select an ESX host.
8 Verify that the vShield tab appears as an option.
Change the Password of the vShield Manager User Interface Default Account
You can change the password of the admin account to harden access to your vShield Manager.
To change the admin account password
1 Log in to the vShield Manager user interface.
2 Click Settings & Reports from the vShield Manager inventory panel.
3 Click the Users tab.
4 Select the admin account.
5 Click Update User.
6 Enter a new password.
7 Confirm the password by typing it a second time in the Retype Password field.
8 Click OK to save your changes.
Install vShield Zones
The following information is required for vShield Zones installation on an ESX host:
One IP address for the management (MGMT) port of each vShield Zones virtual appliance. Each IP address should be reachable from the vShield Manager and sit on the Management network used for vCenter and ESX host management interfaces.
Local or network storage to place the vShield Zones disk.
vShield Zones virtual appliances include VMware Tools. Do not attempt to alter or upgrade the VMware Tools software on a vShield Zones virtual appliance.
NOTE You can upgrade vShield Zones to vShield App by obtaining a vShield App license. vShield App enhances vShield Zones protection by offering Flow Monitoring, custom container creation (Security Groups), and container-based access policy creation and enforcement.
You do not have to uninstall vShield Zones to install vShield App. All vShield Zones instances become vShield App instances, the Zones Firewall becomes App Firewall, and the additional vShield App features are enabled.
1 Log in to the vSphere Client.
2 Select an ESX host from the inventory tree.
3 Click the vShield tab.
4 Accept the security certificate.
5 Click Install for the vShield Zones service.
6 Enter the following information.
Field | Action
Datastore | Select the datastore on which to store the vShield Zones virtual machine files.
Management Port Group | Select the port group to host the vShield Zones management interface. This port group must be able to reach the vShield Manager's port group.
IP Address | Type the IP address to assign to the vShield Zones management interface.
Netmask | Type the IP subnet mask associated with the assigned IP address.
Default Gateway | Type the IP address of the default network gateway.
7 Click Install at the top of the form.
You can follow the vShield Zones installation steps from the Recent Tasks pane of the vSphere Client screen.
8 After installation of all components is complete, go to the vShield Zones > Zones Firewall tab at the datacenter, cluster, or port group container level to configure firewall rules. Each vShield Zones instance inherits global firewall rules set in the vShield Manager. The default firewall rule set allows all traffic to pass. You must configure blocking rules to explicitly deny traffic. To configure Zones Firewall rules, see the vShield Administration Guide.
Where to Go Next
After vShield Manager installation is complete, you can configure vShield Zones firewall settings and analyze traffic. For more, see the vShield Administration Guide. To enhance your network security posture, you can obtain licenses for vShield App, vShield Endpoint, and vShield Edge. For more, see Chapter 4, Installing vShield Edge, vShield App, and vShield Endpoint, on page 23.
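The Zones Firewall rule fields named in Chapter 1 (source IP, destination IP, source port, destination port, service), the DMZ access rules sketched under Protecting the DMZ, and the default-allow behaviour stated in step 8 of the vShield Zones installation above come together in the following Python model. It is an added example, not code from this guide or from VMware, and it does not reproduce the appliance's actual matching engine; the DMZ address range and rule set are constructed for illustration. What it shows is the consequence of the documented default: with no rules at all every flow passes, and blocking only happens once explicit deny rules are in place.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    """One Zones Firewall rule in the five fields the guide names.
    'any' matches every address or service; a port of None matches every port."""
    action: str                       # "allow" or "deny"
    src: str = "any"                  # single address or CIDR
    dst: str = "any"
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    service: str = "any"              # "tcp", "udp", "icmp" or "any"


@dataclass(frozen=True)
class Flow:
    """A single observed connection attempt (constructed input for the model)."""
    src: str
    dst: str
    service: str
    src_port: Optional[int] = None    # ICMP flows carry no ports
    dst_port: Optional[int] = None


def _addr_matches(pattern: str, addr: str) -> bool:
    if pattern == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)


def _port_matches(pattern: Optional[int], port: Optional[int]) -> bool:
    return pattern is None or pattern == port


def rule_matches(rule: Rule, flow: Flow) -> bool:
    return (_addr_matches(rule.src, flow.src)
            and _addr_matches(rule.dst, flow.dst)
            and rule.service in ("any", flow.service)
            and _port_matches(rule.src_port, flow.src_port)
            and _port_matches(rule.dst_port, flow.dst_port))


def evaluate(rules: List[Rule], flow: Flow, default_action: str = "allow") -> str:
    """First matching rule wins. With no match the default applies, and the
    default the guide documents is 'allow', so an empty rule set passes every
    flow: blocking requires explicit deny rules."""
    for rule in rules:
        if rule_matches(rule, flow):
            return rule.action
    return default_action


# Constructed DMZ policy in the spirit of the Chapter 1 scenario:
# 198.51.100.0/24 stands in for the DMZ port group (a documentation range).
DMZ = "198.51.100.0/24"
DMZ_RULES = [
    Rule("allow", dst=DMZ, dst_port=80, service="tcp"),   # HTTP
    Rule("allow", dst=DMZ, dst_port=21, service="tcp"),   # FTP
    Rule("allow", dst=DMZ, dst_port=25, service="tcp"),   # SMTP
    Rule("deny", dst=DMZ),                                # everything else into the DMZ
]


if __name__ == "__main__":
    for flow in (Flow("203.0.113.5", "198.51.100.10", "tcp", 40000, 80),
                 Flow("203.0.113.5", "198.51.100.10", "tcp", 40000, 3389)):
        print(flow, "->", evaluate(DMZ_RULES, flow))
```

Note the ordering: the three allow rules must precede the catch-all deny, and traffic to destinations outside the DMZ range is untouched by this rule set and therefore still falls through to the default.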
4 Installing vShield Edge, vShield App, and vShield Endpoint
After the vShield Manager and vShield Zones are installed, you can obtain licenses to activate vShield App, vShield Endpoint, and vShield Edge components. The vShield Manager OVA package includes the drivers and files required to install these add-on components.
This chapter includes the following topics:
Running vShield in Evaluation Mode on page 23
Preparing Your Virtual Infrastructure for vShield App, vShield Edge, and vShield Endpoint on page 23
Installing vShield Endpoint on page 27
Where to Go Next on page 28
Running vShield in Evaluation Mode
Before purchasing and activating licenses for vShield Edge, vShield App, and vShield Endpoint, you can install and run evaluation modes of the software. When run in evaluation mode, intended for demonstration and evaluation purposes, your vShield Edge, vShield App, and vShield Endpoint are completely operational immediately after installation, do not require any licensing configuration, and provide full functionality for 60 days from the time you first activate them.
When run in evaluation mode, vShield components can support a maximum allowed number of instances.
After the 60-day trial period expires, unless you obtain licenses for your software, you cannot use vShield. For example, you cannot power on vShield App or vShield Edge virtual appliances or protect your virtual machines.
To continue using the vShield App and vShield Edge functionality without interruptions or to restore the features that become unavailable after the 60-day trial, you need to obtain and install license files that activate the features appropriate for the vShield component you purchased.
Preparing Your Virtual Infrastructure for vShield App, vShield Edge, and vShield Endpoint
Prior to installation, the add-on components require preparation of your ESX host and vNetwork environments. You install vShield App, vShield Endpoint, and the Port Group Isolation feature on ESX hosts. You install vShield Edge on a port group, vNetwork Distributed Switch (vDS) port group, or a Cisco Nexus 1000V.
If you intend to use the Port Group Isolation feature, you should install Port Group Isolation on all ESX hosts in your vCenter environment before you install any vShield Edge virtual machines. If you do not install Port Group Isolation and attempt to enable the feature during vShield Edge installation, Port Group Isolation does not work. See Prepare All ESX Hosts on page 24.
Install vShield Component Licenses

You must install licenses for vShield Edge, vShield App, and vShield Endpoint before installing these components. You can install these licenses after vShield Manager installation is complete by using the vSphere Client.

1 From a vSphere Client host that is connected to a vCenter Server system, select Home > Licensing.
2 For the report view, select Asset.
3 Right-click a vShield asset and select Change license key.
4 Select Assign a new license key and click Enter Key.
5 Enter the license key, enter an optional label for the key, and click OK.
6 Click OK.
7 Repeat these steps for each vShield component for which you have a license.

Prepare All ESX Hosts

You should prepare all ESX hosts in your vCenter environment for vShield add-on functionality.

The following information is required for ESX host preparation:

One IP address for the management (MGMT) port of each vShield App virtual appliance. Each IP address should be reachable from the vShield Manager and sit on the Management network used for vCenter and ESX host management interfaces.
Local or network storage to place the vShield App and Port Group Isolation disks.

vShield virtual appliances include VMware Tools. Do not attempt to alter or upgrade the VMware Tools software on a vShield virtual appliance.

To prepare an ESX host for vShield add-on functionality

1 Log in to the vSphere Client.
2 Select an ESX host from the inventory tree.
3 Click the vShield tab.
4 Accept the security certificate.
5 Click Install for the vShield App service.
  You will be able to install all three services on the next screen.
6 Under vShield App, enter the following information.

  Field                  Action
  Datastore              Select the datastore on which to store the vShield App virtual machine files.
  Management Port Group  Select the port group to host the vShield App's management interface. This port group must be able to reach the vShield Manager's port group.
  IP Address             Type the IP address to assign to the vShield App's management interface.
  Netmask                Type the IP subnet mask associated with the assigned IP address.
  Default Gateway        Type the IP address of the default network gateway.

7 Select the vShield Edge Port Group Isolation Host Preparation check box.
8 Select the Datastore on which to store the Port Group Isolation service files.
9 Select the vShield Endpoint check box.
10 Click Install at the top of the form.
   You can follow the vShield App installation steps from the Recent Tasks pane of the vSphere Client screen.
11 After installation of all components is complete, do the following:
   vShield App: At this point, vShield App installation is complete. Go to the vShield App > App Firewall tab at the datacenter, cluster, or port group container level to configure firewall rules. Each vShield App inherits global firewall rules set in the vShield Manager. The default firewall rule set allows all traffic to pass. You must configure blocking rules to explicitly block traffic. To configure App Firewall rules, see the vShield Administration Guide.
   Port Group Isolation: You must enable the Port Group Isolation feature on each vDS. After enablement is complete, install a vShield Edge on each vDS port group. See Prepare a vNetwork for Port Group Isolation on page 25.
   vShield Endpoint: To complete installation, see Installing vShield Endpoint on page 27.

Prepare a vNetwork for Port Group Isolation

Port Group Isolation creates a barrier between the virtual machines protected by a vShield Edge and the external network. When you enable Port Group Isolation and install a vShield Edge on a vDS port group, you isolate each secured vDS port group from the external network. When Port Group Isolation is enabled, traffic is not allowed access to the virtual machines in the secured port group unless NAT rules or VLAN tags are configured.

To use Port Group Isolation, you must enable this feature on each vDS on which you will install a vShield Edge.

1 Enable Port Group Isolation on each vDS.
2 Install a vShield Edge on each vDS port group you plan to secure.
3 Move the virtual machines to secured vDS port groups.

After Port Group Isolation is installed on each ESX host, you must enable Port Group Isolation on each vDS where you will install a vShield Edge. This allows the Port Group Isolation service to be used on any port group in a vDS.

To enable Port Group Isolation on a vDS

1 Log in to the vSphere Client.
2 Go to View > Inventory > Networking.
3 Right-click a vDS.
4 Select vShield > Enable Isolation.
  A browser window opens to confirm that Port Group Isolation has been enabled.

After Port Group Isolation installation is complete, install a vShield Edge instance on each vDS port group.

Install a vShield Edge

Each vShield Edge virtual appliance has External and Internal network interfaces. The Internal interface connects to the secured port group and acts as the gateway for all protected virtual machines in the port group. The subnet assigned to the Internal interface can be RFC 1918 private space. The External interface of the vShield Edge connects to an uplink port group that has access to a shared corporate network or a service that provides access layer networking.

Each vShield Edge requires at least one IP address to number the External interface. Multiple external IP addresses can be configured for Load Balancer, Site-to-Site VPN, and NAT services. The Internal interface can have a private IP address block that overlaps with other vShield Edge secured port groups.

NOTE Port Group Isolation is an optional feature that is not required for vShield Edge operation. Port Group Isolation is available for vDS-based vShield Edge installations only.
You can install one vShield Edge per port group, vDS port group, or Cisco Nexus 1000V.

If DRS and HA are enabled, a vShield Edge will be migrated dynamically.

To install a vShield Edge

1 Log in to the vSphere Client.
2 Go to View > Inventory > Networking.
3 On a vDS, create a port group.
  This port group is the Internal port group.
4 Move a tenant's guest virtual machines to the Internal port group.
5 Select the new Internal port group.
6 Click the Edge tab.
7 Under Network Interfaces, enter the following information.

  Field            Action
  External
  Port Group       Select the external port group in the vDS. This port group homes a physical NIC and connects to the external network.
  IP Address       Type the IP address of the external port group.
  Subnet Mask      Type the IP subnet mask associated with the specified external IP address.
  Default Gateway  Type the IP address of the default network gateway.
  Internal
  Port Group       This is the selected internal port group.
  IP Address       Type the IP address of the internal port group.
  Subnet Mask      Type the IP subnet mask associated with the specified internal IP address.

8 (Optional) Select the Isolate check box to enable Port Group Isolation on the vShield Edge.
  This prevents virtual machines on the Internal port group from communicating with systems outside of that port group.
9 Under Edge deployment resource selection, enter the following information.

  Field          Action
  Resource Pool  Select the resource pool where the vShield Edge should be deployed.
  Host           Select the ESX host on which the datastore resides.
  Datastore      Select the datastore on which to store the vShield Edge virtual machine files.

10 Click Install.

After installation is complete, configure services and firewall rules to protect the virtual machines in the secured port group. To configure a vShield Edge, see the vShield Administration Guide.
Installing vShield Endpoint

The installation instructions that follow assume that you have the following system:

A datacenter with vCenter Server 4.1 installed and running, and ESX 4.1 installed on each ESX host in the cluster.
vShield Manager 4.1 installed and running.
Anti-virus solution management server installed and running.

vShield Endpoint Installation Workflow

After preparing the ESX host for vShield Endpoint installation is complete, install vShield Endpoint in these stages:

1 Deploy and configure a security virtual machine (SVM) to each ESX host according to the instructions from the anti-virus solution provider.
2 Install the vShield Endpoint thin agent on all virtual machines to be protected. For instructions, see Install the Thin Agent on the Guest Virtual Machine on page 27.

Install the Thin Agent on the Guest Virtual Machine

The thin agent must be installed on each guest virtual machine to be protected. Virtual machines with the thin agent installed are automatically protected whenever they are started up on an ESX host that has the security solution installed. That is, protected virtual machines retain the security protection through shutdowns and restarts, and even after a vMotion move to another ESX host with the security solution installed.

Prerequisites

Make sure that the guest virtual machine has a supported version of Windows installed. Supported versions of the Windows operating system for vShield Endpoint 1.0 are:
  Windows Vista (32 bit)
  Windows 7 (32 bit)
  Windows XP (32 bit)
  Windows 2003 (32/64 bit)
  Windows 2008 (32/64 bit)
Make sure that the thin agent and the virtual machine are both either 32- or 64-bit versions. You cannot mix the two versions.
Make sure the guest virtual machine has a SCSI controller installed.

IMPORTANT When you create a new virtual machine, the default configuration does not include a SCSI controller. You must specifically add a SCSI controller to the virtual machine. To find instructions on how to add SCSI controllers to a virtual machine, see the vSphere Client help: vSphere Client Help > Managing Virtual Machine Hardware and Devices > Adding Virtual Devices > Add SCSI Controllers

CAUTION BusLogic SCSI controllers are not supported.
To install the Thin Agent

1 The installation package is located at the same VMware customer site where you downloaded vShield Manager.
  The package name has the following form:
  32 bit  VMware-vShield-Endpoint-Driver-1.0.0-.x86-32.msi
  64 bit  VMware-vShield-Endpoint-Driver-1.0.0-.x86-64.msi
  This is a standard Microsoft installer package.
2 Download and execute the installation package on the target host.
3 The thin agent must be installed on every guest virtual machine to be protected.
4 Reboot the guest virtual machine to complete the installation.
  If you run a silent install using msiexec, the reboot will happen automatically.
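The prerequisites above (supported Windows version, matching 32/64-bit package, a non-BusLogic SCSI controller) are easy to get wrong when the thin agent is rolled out to many guests, so a pre-flight check before the silent msiexec install is worth scripting. The PowerShell below is an added example and not VMware's own code or tooling. It assumes the MSI has already been downloaded into $PackageDir, uses $Build as a stand-in for the build number the package name in the guide leaves out, and relies on the Win32_OperatingSystem and Win32_SCSIController WMI classes for its checks; Windows 2008 R2 is not in the guide's list, so the version check rejects it.

```powershell
# Added example, not part of the VMware guide: pre-flight checks for the
# vShield Endpoint thin agent followed by a silent msiexec install.
# Assumptions (mine, not the guide's): the MSI is already in $PackageDir, and
# $Build is a placeholder for the build number the guide's package name omits.
# Run from an elevated PowerShell prompt inside the guest virtual machine.
param(
    [string]$PackageDir = 'C:\Temp\vShield',
    [string]$Build      = '<build>'
)

function Get-GuestArch {
    # A 32-bit PowerShell on a 64-bit OS reports PROCESSOR_ARCHITEW6432,
    # so both variables are consulted before deciding the guest bitness.
    if ($env:PROCESSOR_ARCHITECTURE -eq 'AMD64' -or $env:PROCESSOR_ARCHITEW6432 -eq 'AMD64') {
        return 'x86-64'
    }
    return 'x86-32'
}

function Test-SupportedWindows {
    # Prerequisite 1: the OS must be one of the versions listed in the guide.
    # Win32_OperatingSystem.ProductType: 1 = workstation, 2/3 = server.
    $os   = Get-WmiObject Win32_OperatingSystem
    $ver  = [Version]$os.Version
    $mm   = "$($ver.Major).$($ver.Minor)"
    $srv  = $os.ProductType -ne 1
    $arch = Get-GuestArch
    switch ($mm) {
        '5.1'   { return (-not $srv) -and ($arch -eq 'x86-32') }  # Windows XP, 32 bit only
        '5.2'   { return $srv }                                   # Windows 2003, 32/64 bit (XP x64 is rejected)
        '6.0'   { return $srv -or ($arch -eq 'x86-32') }          # Windows 2008 (32/64) or Vista (32 only)
        '6.1'   { return (-not $srv) -and ($arch -eq 'x86-32') }  # Windows 7, 32 bit only; 2008 R2 not listed
        default { return $false }
    }
}

function Test-ScsiController {
    # Prerequisite 2: a SCSI controller must be present and must not be BusLogic.
    $ctl = @(Get-WmiObject Win32_SCSIController)
    if ($ctl.Count -eq 0) { return $false }
    foreach ($c in $ctl) {
        if ($c.Name -match 'BusLogic') { return $false }
    }
    return $true
}

function Install-ThinAgent {
    # Prerequisite 3: pick the package whose bitness matches the guest; never mix.
    $arch = Get-GuestArch
    $msi  = Join-Path $PackageDir "VMware-vShield-Endpoint-Driver-1.0.0-$Build.$arch.msi"
    if (-not (Test-Path $msi)) { throw "Package not found: $msi" }
    $log  = Join-Path $env:TEMP 'vShield-Endpoint-install.log'
    # /qn runs the installer silently; per the guide the guest then reboots on its
    # own. Add /norestart to the argument list if you want to schedule that reboot.
    $p = Start-Process -FilePath 'msiexec.exe' `
        -ArgumentList "/i `"$msi`" /qn /l*v `"$log`"" -Wait -PassThru
    # msiexec exit codes: 0 = success, 3010 = success with a reboot pending.
    if (@(0, 3010) -notcontains $p.ExitCode) {
        throw "msiexec failed with exit code $($p.ExitCode); see $log"
    }
    return $p.ExitCode
}

if (-not (Test-SupportedWindows)) { throw 'Guest OS or bitness is not in the supported list for vShield Endpoint 1.0' }
if (-not (Test-ScsiController))   { throw 'No SCSI controller found, or the controller is BusLogic (unsupported)' }
Install-ThinAgent
```

The script stops before touching msiexec when a prerequisite fails, which is the behaviour you want when it is pushed to a fleet of guests: a guest that is silently left unprotected because the installer bailed out on a missing SCSI controller is the failure mode the guide's IMPORTANT and CAUTION notes warn about, and the verbose log written by /l*v gives you something to review when a run does not return 0 or 3010.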
Where to Go Next

After installation is complete, see the vShield Administration Guide for configuration, monitoring, and maintenance.
Index
C
changing the GUI password 20
CLI
configuring vShield Manager network
settings 18
hardening 15
client requirements 14
cluster protection 11
communication between components 15
configuring vShield Manager network settings 18
D
deployment
cluster 11
DMZ 10
deployment considerations 14
deployment scenarios 10
DMZ 10
E
enabling Port Group Isolation 25
ESX host preparation 24
evaluating vShield components 23
F
file system filter driver installation 27
G
guest driver installation 27
GUI, logging in 19
H
hardening 15
CLI 15
REST 16
vShield Manager GUI 15
I
installation
licenses 24
Port Group Isolation 24
vShield App 24
vShield Edge 25, 27
vShield Endpoint 24
vShield Endpoint thin agent 27
vShield Manager 17
isolating networks 10
isolating virtual machines 15
L
licensing
evaluation mode 23
installation 24
logging in to the GUI 19
P
password change 20
plug-in 20
Port Group Isolation
enabling 25
installation 24
isolating networks 10
preparing virtual machines for protection 14
protecting a cluster 11
protecting virtual machines 14
R
REST 16
S
synchronizing with vCenter 19
system requirements 13
T
thin agent installation 27
V
vCenter, syncing from vShield Manager 19
virtual machine isolation 15
vMotion 14
vNetwork preparation 25
vShield
component communication 15
deployment scenarios 10
evaluating components 23
hardening 15
preparing an ESX host 24
vShield App 9
vShield Edge 8
vShield Endpoint 9
vShield Manager 7
vShield Zones 7
vShield App
about 9
common deployments 11
installation 24
licensing 24
vShield Edge
about 8
common deployments 11
installation 25
isolating networks 10
licensing 24
vShield Endpoint
about 9
installation 24, 27
installation steps 27
licensing 24
thin agent installation 27
vShield Manager
about 7
changing the GUI password 20
installation 17
logging in to GUI 19
network settings 18
registering plug-in 20
syncing with vCenter 19
uptime 15
vShield Manager GUI 15
vShield Zones
about 7
vShield Manager 7
vSphere Client plug-in 20
Recommended