VMware vShield 4.1 Quick start guide

Category
Software manuals
Type
Quick start guide

This manual is also suitable for

vShield Quick Start Guide
vShield Manager 4.1.0 Update 1
vShield Zones 4.1.0 Update 1
vShield Edge 1.0.0 Update 1
vShield App 1.0.0 Update 1
vShield Endpoint 1.0.0 Update 1
This document supports the version of each product listed and
supports all subsequent versions until the document is replaced
by a new edition. To check for more recent editions of this
document, see http://www.vmware.com/support/pubs.
EN-000375-02
VMware, Inc.
3401 Hillview Ave.
Palo Alto, CA 94304
www.vmware.com
You can find the most up-to-date technical documentation on the VMware Web site at:
http://www.vmware.com/support/
The VMware Web site also provides the latest product updates.
If you have comments about this documentation, submit your feedback to:
docfeedback@vmware.com
Copyright © 2010 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and
intellectual property laws. VMware products are covered by one or more patents listed at
http://www.vmware.com/go/patents.
VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks
and names mentioned herein may be trademarks of their respective companies.
Contents

About This Book 5

1 Introduction to vShield 7
  vShield Components at a Glance 7
    vShield Manager 7
    vShield Zones 7
    vShield Edge 8
    vShield App 9
    vShield Endpoint 9
  Deployment Scenarios 10
    Protecting the DMZ 10
    Isolating and Protecting Internal Networks 10
    Protecting Virtual Machines in a Cluster 11
    Common Deployments of vShield Edge 11
    Common Deployments of vShield App 11

2 Preparing for Installation 13
  System Requirements 13
    Hardware 13
    Software 13
    Client and User Access 14
  Deployment Considerations 14
    Preparing Virtual Machines for vShield Protection 14
    vShield Manager Uptime 15
    Communication Between vShield Components 15
    Hardening Your vShield Virtual Machines 15

3 Installing the vShield Manager and vShield Zones 17
  Obtain the vShield Manager OVA File 17
  Install the vShield Manager Virtual Appliance 17
  Configure the Network Settings of the vShield Manager 18
  Log In to the vShield Manager User Interface 19
  Synchronize the vShield Manager with the vCenter Server 19
  Register the vShield Manager Plug-In with the vSphere Client 20
  Change the Password of the vShield Manager User Interface Default Account 20
  Install vShield Zones 20
  Where to Go Next 21

4 Installing vShield Edge, vShield App, and vShield Endpoint 23
  Running vShield in Evaluation Mode 23
  Preparing Your Virtual Infrastructure for vShield App, vShield Edge, and vShield Endpoint 23
    Install vShield Component Licenses 24
    Prepare All ESX Hosts 24
    Prepare a vNetwork for Port Group Isolation 25
    Install a vShield Edge 26
  Installing vShield Endpoint 27
    vShield Endpoint Installation Workflow 27
    Install the Thin Agent on the Guest Virtual Machine 27
  Where to Go Next 28

Index 29
About This Book

The vShield Quick Start Guide provides information about installing VMware® vShield™ into your VMware Virtual Infrastructure environment.
Intended Audience
This book is intended for anyone who wants to install or use VMware vShield. The information in this book is written for experienced Windows or Linux system administrators who are familiar with virtual machine technology and datacenter operations. This book also assumes familiarity with VMware Virtual Infrastructure, including vCenter™ Server 4.x, VMware ESX™ 4.x, and the vSphere Client.
VMware Technical Publications Glossary
VMware Technical Publications provides a glossary of terms that might be unfamiliar to you. For definitions of terms as they are used in VMware technical documentation, go to http://www.vmware.com/support/pubs.
Document Feedback
VMware welcomes your suggestions for improving our documentation. If you have comments, send your feedback to docfeedback@vmware.com.
VMware Infrastructure Documentation
The following documents comprise the vShield documentation set:
vShield Administration Guide
vShield Quick Start Guide
vShield API Programming Guide
You should also have access to the combined vCenter Server and ESX documentation set.
Technical Support and Education Resources
The following sections describe the technical support resources available to you. To access the current version of this book and other books, go to http://www.vmware.com/support/pubs.
Online and Telephone Support
To use online support to submit technical support requests, view your product and contract information, and register your products, go to http://www.vmware.com/support.
Customers with appropriate support contracts should use telephone support for the fastest response on priority 1 issues. Go to http://www.vmware.com/support/phone_support.
Support Offerings
To find out how VMware support offerings can help meet your business needs, go to http://www.vmware.com/support/services.
VMware Professional Services
VMware Education Services courses offer extensive hands-on labs, case study examples, and course materials designed to be used as on-the-job reference tools. Courses are available onsite, in the classroom, and live online. For onsite pilot programs and implementation best practices, VMware Consulting Services provides offerings to help you assess, plan, build, and manage your virtual environment. To access information about education classes, certification programs, and consulting services, go to http://www.vmware.com/services.
1 Introduction to vShield

This chapter introduces the VMware® vShield™ components you install.
The chapter includes the following topics:
“vShield Components at a Glance” on page 7
“Deployment Scenarios” on page 10
vShield Components at a Glance
VMware vShield is a suite of security virtual appliances built for VMware vCenter™ Server integration. vShield is a critical security component for protecting virtualized datacenters from attacks and misuse, helping you achieve your compliance-mandated goals.
vShield includes virtual appliances and services essential for protecting virtual machines. vShield can be configured through a web-based user interface, a vSphere Client plug-in, a command line interface (CLI), and a REST API.
vCenter Server includes vShield Manager and vShield Zones. The following vShield packages each require a license:
vShield Edge with Port Group Isolation
vShield App
vShield Endpoint
One vShield Manager manages multiple vShield Zones, vShield Edge, vShield App, and vShield Endpoint instances.
vShield Manager
The vShield Manager is the centralized network management component of vShield, and is installed as a virtual appliance on any ESX™ host in your vCenter Server environment. A vShield Manager can run on a different ESX host from your vShield agents.
Using the vShield Manager user interface or vSphere Client plug-in, administrators install, configure, and maintain vShield components. The vShield Manager user interface leverages the VMware Infrastructure SDK to display a copy of the vSphere Client inventory panel, and includes the Hosts & Clusters and Networks views.
vShield Zones
vShield Zones provides firewall protection for traffic between virtual machines. For each Zones Firewall rule, you can specify the source IP, destination IP, source port, destination port, and service.
vShield Edge
vShield Edge provides network edge security and gateway services to isolate the virtual machines in a port group, vDS port group, or Cisco® Nexus 1000V. The vShield Edge connects isolated, stub networks to shared (uplink) networks by providing common gateway services such as DHCP, VPN, NAT, and Load Balancing. Common deployments of vShield Edge include the DMZ, VPN Extranets, and multi-tenant Cloud environments where the vShield Edge provides perimeter security for Virtual Datacenters (VDCs).
Standard vShield Edge Services (Including Cloud Director)
Firewall: Supported rules include IP 5-tuple configuration with IP and port ranges for stateful inspection for TCP, UDP, and ICMP.
Network Address Translation: Separate controls for Source and Destination IP addresses, as well as TCP and UDP port translation.
Dynamic Host Configuration Protocol (DHCP): Configuration of IP pools, gateways, DNS servers, and search domains.
Advanced vShield Edge Services
Site-to-Site Virtual Private Network (VPN): Uses standardized IPsec protocol settings to interoperate with all major firewall vendors.
Load Balancing: Simple and dynamically configurable virtual IP addresses and server groups.
vShield Edge supports syslog export for all services to remote servers.
Figure 1-1. vShield Edge Installed to Secure a vDS Port Group
vShield App
vShield App is an interior, vNIC-level firewall that allows you to create access control policies regardless of network topology. A vShield App monitors all traffic in and out of an ESX host, including between virtual machines in the same port group. vShield App includes traffic analysis and container-based policy creation.
vShield App installs as a hypervisor module and firewall service virtual appliance. vShield App integrates with ESX hosts through VMsafe APIs and works with VMware vSphere platform features such as DRS, vMotion, DPM, and maintenance mode.
vShield App provides firewalling between virtual machines by placing a firewall filter on every virtual network adapter. The firewall filter operates transparently and does not require network changes or modification of IP addresses to create security zones. You can write access rules by using vCenter containers, like datacenters, clusters, resource pools and vApps, or network objects, like Port Groups and VLANs, to reduce the number of firewall rules and make the rules easier to track.
You should install vShield App instances on all ESX hosts within a cluster so that VMware vMotion™ operations work and virtual machines remain protected as they migrate between ESX hosts. By default, a vShield App virtual appliance cannot be moved by using vMotion.
The Flow Monitoring feature displays allowed and blocked network flows at the application protocol level. You can use this information to audit network traffic and troubleshoot operational issues.
vShield Endpoint
vShield Endpoint delivers an introspection-based antivirus solution. vShield Endpoint uses the hypervisor to scan guest virtual machines from the outside without a bulky agent. vShield Endpoint is efficient in avoiding resource bottlenecks while optimizing memory use.
vShield Endpoint installs as a hypervisor module and a security virtual appliance from a third-party antivirus vendor (VMware partners) on an ESX host.
Figure 1-2. vShield Endpoint Installed on an ESX Host
Deployment Scenarios
Using vShield, you can build secure zones for a variety of virtual machine deployments. You can isolate virtual machines based on specific applications, network segmentation, or custom compliance factors. Once you determine your zoning policies, you can deploy vShield to enforce access rules to each of these zones.
Protecting the DMZ
The DMZ is a mixed trust zone. Clients enter from the Internet for Web and email services, while services within the DMZ might require access to services inside the internal network. You can place DMZ virtual machines in a port group and secure that port group with a vShield Edge. vShield Edge provides access services such as firewall, NAT, and VPN, as well as load balancing, to secure DMZ services.
A common example of a DMZ service requiring an internal service is Microsoft Exchange. Microsoft Outlook Web Access (OWA) commonly resides in the DMZ cluster, while the Microsoft Exchange back end is in the internal cluster. On the internal cluster, you can create firewall rules to allow only Exchange-related requests from the DMZ, identifying specific source-to-destination parameters. From the DMZ cluster, you can create rules to allow outside access to the DMZ only to specific destinations using HTTP, FTP, or SMTP.
Isolating and Protecting Internal Networks
You can use a vShield Edge with the Port Group Isolation feature to isolate an internal network from the external network. A vShield Edge provides perimeter firewall protection and edge services to secure virtual machines in a port group, enabling communication to the external network through DHCP, NAT, and VPN. Within the secured port group, you can install a vShield App instance on each ESX host that the vDS spans to secure communication between virtual machines in the internal network.
If you utilize VLAN tags to segment traffic, you can use App Firewall to create smarter access policies. Using App Firewall instead of a physical firewall allows you to collapse or mix trust zones in shared ESX clusters. By doing so, you gain optimal utilization and consolidation from features such as DRS and HA, instead of having separate, fragmented clusters. Management of the overall ESX deployment as a single pool is less complex than having separately managed pools.
For example, you use VLANs to segment virtual machine zones based on logical, organizational, or network boundaries. Leveraging the Virtual Infrastructure SDK, the vShield Manager inventory panel displays a view of your VLAN networks under the Networks view. You can build access rules for each VLAN network to isolate virtual machines and drop untagged traffic to these machines.
Protecting Virtual Machines in a Cluster
In Figure 1-3, vShield App instances are installed on each ESX host in a cluster. Virtual machines are protected when moved via vMotion™ or DRS between ESX hosts in the cluster. Each vShield App instance shares and maintains the state of all transmissions.
Figure 1-3. vShield App Instances Installed on Each ESX Host in a Cluster
Common Deployments of vShield Edge
You can use a vShield Edge with the Port Group Isolation feature to isolate a stub network, using NAT to allow traffic in and out of the network. If you deploy internal stub networks, you can use vShield Edge to secure communication between networks by using LAN-to-LAN encryption via VPN tunnels.
vShield Edge can be deployed as a self-service application within VMware Cloud Director.
Common Deployments of vShield App
You can use vShield App to create security zones within a vDC. You can impose firewall policies on vCenter containers or Security Groups, which are custom containers you can create by using the vShield Manager user interface. Container-based policies enable you to create mixed trust zone clusters without requiring an external physical firewall.
In a deployment that does not use vDCs, use a vShield App with the Security Groups feature to create trust zones and enforce access policies.
Service Provider Admins can use vShield App to impose broad firewall policies across all guest virtual machines in an internal network. For example, you can impose a firewall policy on the second vNIC of all guest virtual machines that allows the virtual machines to connect to a storage server, but blocks the virtual machines from addressing any other virtual machines.
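The two policies described in this chapter, the DMZ/Exchange split under “Protecting the DMZ” and the second-vNIC storage policy just above, written out as an added example that is not VMware's code and not part of this guide: a small first-match evaluator for IP 5-tuple rules of the kind vShield Zones, Edge and App express (source, destination, protocol, destination port range, action), run over constructed flows. All addresses (the TEST-NET-3 and RFC 1918 ranges), hosts, rule names and ports are assumptions made for the illustration; the Exchange back-end ports in particular are placeholders.

```python
"""Added example (not VMware's code): a minimal first-match evaluator for the
IP 5-tuple firewall rules that vShield Zones, Edge and App express. It encodes
the DMZ/Exchange policy and the second-vNIC storage policy from this chapter.
All addresses, ports, names and flows are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY_NET = "0.0.0.0/0"
ANY_PORT = (0, 65535)          # inclusive destination port range


@dataclass(frozen=True)
class Rule:
    name: str
    src: str                   # CIDR, ANY_NET for any source
    dst: str                   # CIDR, ANY_NET for any destination
    proto: str                 # "tcp", "udp", "icmp" or "any"
    dports: tuple              # inclusive destination port range
    action: str                # "allow" or "deny"

    def matches(self, flow):
        """flow = (src_ip, dst_ip, proto, dst_port); ICMP flows pass port 0."""
        src, dst, proto, dport = flow
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and self.proto in ("any", proto)
                and self.dports[0] <= dport <= self.dports[1])


def evaluate(rules, flow, default="deny"):
    """First matching rule wins. Flows that match nothing get the default
    action; keep that at deny so an unlisted service is blocked, not allowed."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action, rule.name
    return default, "default"


def audit(rules, flows):
    """Flow Monitoring style summary: every flow with its verdict and the rule
    that produced it, so a policy can be reviewed against observed traffic."""
    return [(flow, *evaluate(rules, flow)) for flow in flows]


# Constructed topology: 203.0.113.0/24 stands in for Internet clients,
# 10.1.0.0/24 is the DMZ cluster, 10.2.0.0/24 the internal cluster.
DMZ, INTERNAL = "10.1.0.0/24", "10.2.0.0/24"
OWA, MAIL_GW, FTP_SRV = "10.1.0.10/32", "10.1.0.25/32", "10.1.0.30/32"
EXCHANGE_BACKEND = "10.2.0.20/32"

# Internal cluster: only Exchange-related requests, and only from the OWA host.
# The back-end ports are placeholders; use the ones your Exchange version needs.
INTERNAL_RULES = [
    Rule("owa-to-exchange-rpc", OWA, EXCHANGE_BACKEND, "tcp", (135, 135), "allow"),
    Rule("owa-to-exchange-https", OWA, EXCHANGE_BACKEND, "tcp", (443, 443), "allow"),
    Rule("dmz-to-internal-deny", DMZ, INTERNAL, "any", ANY_PORT, "deny"),
]

# DMZ cluster: outside access only to specific hosts on HTTP, FTP or SMTP.
DMZ_RULES = [
    Rule("inet-to-owa-http", ANY_NET, OWA, "tcp", (80, 80), "allow"),
    Rule("inet-to-mail-smtp", ANY_NET, MAIL_GW, "tcp", (25, 25), "allow"),
    Rule("inet-to-ftp", ANY_NET, FTP_SRV, "tcp", (21, 21), "allow"),
]

# Second vNIC of every guest: reach the storage server, address no other guest.
STORAGE_SRV, GUEST_NET = "10.3.0.5/32", "10.3.0.0/24"
STORAGE_VNIC_RULES = [
    Rule("guest-to-storage", GUEST_NET, STORAGE_SRV, "any", ANY_PORT, "allow"),
    Rule("guest-to-guest-deny", GUEST_NET, GUEST_NET, "any", ANY_PORT, "deny"),
]

if __name__ == "__main__":
    sample = [
        ("203.0.113.5", "10.1.0.10", "tcp", 80),     # allowed: HTTP to OWA
        ("203.0.113.5", "10.1.0.10", "tcp", 22),     # blocked: SSH is not listed
        ("10.1.0.10", "10.2.0.20", "tcp", 135),      # allowed: OWA to back end
        ("10.1.0.11", "10.2.0.20", "tcp", 135),      # blocked: not the OWA host
    ]
    for flow, action, rule in audit(DMZ_RULES, sample[:2]) + audit(INTERNAL_RULES, sample[2:]):
        print(f"{action:5} {rule:24} {flow}")
```

Keep the unmatched-flow default at deny: with the DMZ rule set above, an SSH attempt to the OWA host falls through every allow rule and is blocked only because of that default. The audit function mirrors what Flow Monitoring shows, which rule produced each verdict, and that is what you review when a legitimate flow is unexpectedly blocked.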
2 Preparing for Installation

This chapter provides an overview of the prerequisites for a successful vShield installation.
The chapter includes the following topics:
“System Requirements” on page 13
“Deployment Considerations” on page 14
System Requirements
Before installing vShield in your vCenter Server environment, consider your network configuration and resources. You can install one vShield Manager per vCenter Server, one vShield App per ESX™ host, and one vShield Edge per port group.
To install vShield, you must meet the following requirements:

Hardware
Table 2-1 lists the hardware requirements for this version of vShield.

Table 2-1. Hardware Requirements
Component    Minimum
Memory       8 GB
Disk Space   8 GB for the vShield Manager
             5 GB per vShield App per ESX host
             100 MB per vShield Edge
NICs         2 gigabit NICs on an ESX host

Software
VMware vCenter Server 4.0 Update 1 or later
Table 2-2 lists the vCenter versions that are compatible with this version of vShield.

Table 2-2. Supported vCenter Versions
vCenter Release          Build Number
4.0 Update 1             264050
4.1 GA                   259021
4.1 GA vSphere Client    259021

NOTE vShield Endpoint requires vCenter Server 4.1 or later.

VMware ESX 4.0 Update 1 or later for each server
Table 2-3 lists the ESX and ESXi versions that are compatible with this version of vShield.

Table 2-3. Supported ESX and ESXi Versions
ESX or ESXi Release    Build Number
4.0 Update 1           208167
4.1 GA                 260247

NOTE vShield Endpoint requires ESX 4.1 or later.

VMware vCloud Director 1.0
Table 2-4 lists the vCloud Director versions that are compatible with this version of vShield.

Table 2-4. Supported vCloud Director Versions
vCloud Director Release    Build Number
1.0                        285979

Client and User Access
PC with the VMware vSphere Client
Permissions to add and power on virtual machines
Access to the datastore where you store virtual machine files, and the account permissions to copy files to that datastore
Enable cookies on your Web browser to access the vShield Manager user interface
Connect to the vShield Manager using one of the following supported Web browsers:
Internet Explorer 6.x and later
Mozilla Firefox 1.x and later
Safari 1.x or 2.x

Deployment Considerations
Consider the following recommendations and restrictions before you deploy vShield components.

Preparing Virtual Machines for vShield Protection
You must determine how to protect your virtual machines with vShield. Consider the following questions:

How Are My Virtual Machines Grouped?
You might consider moving virtual machines to port groups on a vDS or a different ESX host to group virtual machines by function, department, or other organizational need to improve security and ease configuration of access rules. You can install vShield Edge at the perimeter of any port group to isolate virtual machines from the external network. You can install a vShield App on an ESX host and configure firewall policies per container resource to enforce rules based on the hierarchy of resources.

Are My Virtual Machines Still Protected if I vMotion Them to Another ESX Host?
Yes, if you install a vShield App on each ESX host in a cluster, you can migrate machines between hosts without weakening the security posture. vShield App instances cannot be migrated to other hosts, thus each instance maintains state for existing sessions.
How Do I Isolate a Group of Virtual Machines?
You can use vShield Edge with the Port Group Isolation feature or VLANs to isolate virtual machines from the external network.
1 Install Port Group Isolation on each ESX host that a vDS spans.
2 Create a port group on the vDS.
3 Enable Port Group Isolation on the vDS.
4 Install a vShield Edge on the port group.
5 Move the virtual machines to the port group.
6 Configure vShield Edge NAT rules for traffic in and out of the port group.
NOTE You can also use VLANs to isolate virtual machines protected by a vShield Edge. If you use VLANs, the internal port group connected to a vShield Edge must have a VLAN tag that is different from the external port group.

vShield Manager Uptime
The vShield Manager should be run on an ESX host that is not affected by downtime, such as frequent reboots or maintenance mode operations. You can use HA or DRS to increase the resilience of the vShield Manager. If the ESX host on which the vShield Manager resides is expected to require downtime, vMotion the vShield Manager virtual appliance to another ESX host. Thus, more than one ESX host is recommended.

Communication Between vShield Components
The management interfaces of vShield components should be placed in a common network, such as the vSphere management network. The vShield Manager requires connectivity to the vCenter Server, as well as all vShield App and vShield Edge instances. vShield components can communicate over routed connections as well as different LANs.
NOTE The vShield Manager must be in the same vCenter Server environment as the vShield components to be managed. You cannot use the vShield Manager across different vCenter Server environments.

Hardening Your vShield Virtual Machines
You can access the vShield Manager and other vShield components by using a web-based user interface, command line interface, and REST API. vShield includes default login credentials for each of these access options. After installation of each vShield virtual machine, you should harden access by changing the default login credentials.

vShield Manager User Interface
You access the vShield Manager user interface by opening a web browser window and navigating to the IP address of the vShield Manager's management port. The default user account, admin, has global access to the vShield Manager. After initial login, you should change the default password of the admin user account. See “Change the Password of the vShield Manager User Interface Default Account” on page 20.

Command Line Interface
You can access the vShield Manager, vShield App, and vShield Edge virtual appliances by using a command line interface via a vSphere Client console session. Each virtual appliance uses the same default username (admin) and password (default) combination as the vShield Manager user interface. Entering Enabled mode also uses the password default.
For more on hardening the CLI, see the vShield Administration Guide.
REST Requests
All REST API requests require authentication with the vShield Manager. Using Base64 encoding, you identify a username-password combination in the following format: username:password. You must use a vShield Manager user interface account (username and password) with privileged access to perform requests. Base64 is an encoding, not encryption, so send these requests only over the SSL session the vShield Manager presents. For more on authenticating REST API requests, see the vShield API Programming Guide.
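An added example, not VMware's code and not taken from the vShield API Programming Guide, showing how the credential described above is assembled and why it needs an SSL session: it builds the Basic Authorization header, refuses to use the factory password, and decodes the header back to plaintext to show that Base64 hides nothing. The manager address 192.0.2.10, the account, the password and the request path are placeholders; real endpoint paths come from the vShield API Programming Guide.

```python
"""Added example (not VMware's code): assemble the HTTP Basic credential that
vShield Manager REST requests carry, and show why it needs an SSL session.
Host, account, password and request path below are placeholders."""
import base64
import urllib.request

FACTORY_PASSWORD = "default"   # the default admin password documented in this guide


def basic_auth_header(username, password):
    """RFC 7617 Basic credential: 'Basic ' + base64('username:password')."""
    if password == FACTORY_PASSWORD:
        # Hardening check: never script against an unchanged default account.
        raise ValueError("admin account still uses the factory password; change it first")
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def decode_basic(header):
    """Reverse the encoding. Anyone who can read the header (a plain-HTTP
    proxy, a packet capture) recovers the password exactly like this."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic credential")
    username, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return username, password


def build_request(manager_host, path, username, password):
    """Assemble (without sending) an authenticated GET. The scheme is fixed to
    https so the credential is only ever put on an SSL connection."""
    if not path.startswith("/"):
        raise ValueError("path must be absolute")
    req = urllib.request.Request(f"https://{manager_host}{path}", method="GET")
    req.add_header("Authorization", basic_auth_header(username, password))
    return req


if __name__ == "__main__":
    req = build_request("192.0.2.10", "/api/placeholder", "admin", "S3cure!")
    print(req.full_url, req.get_header("Authorization"))
    print("decodes to:", decode_basic(req.get_header("Authorization")))
```

Sending the request is deliberately left out: a real client also has to verify the vShield Manager's certificate, which at first login is the one the browser asked you to accept, so pin or install that certificate rather than disabling verification in the client.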
3 Installing the vShield Manager and vShield Zones

VMware vShield provides firewall protection, traffic analysis, and network perimeter services to protect your vCenter Server virtual infrastructure. vShield virtual appliance installation has been automated for most virtual datacenters.
The vShield Manager is the centralized management component of vShield. You use the vShield Manager to monitor and push configurations to vShield App, vShield Endpoint, and vShield Edge instances. The vShield Manager runs as a virtual appliance on an ESX host.
VMware vShield is included with VMware ESX 4.0 and 4.1. The base VMware vShield package includes the vShield Manager and vShield Zones. You can configure the vShield Zones firewall rule set to monitor traffic based on IP address-to-IP address communication.
Installing the vShield Manager is a multi-step process. You must perform all of the tasks that follow in sequence to complete vShield Manager installation successfully.
This chapter includes the following topics:
“Obtain the vShield Manager OVA File” on page 17
“Install the vShield Manager Virtual Appliance” on page 17
“Configure the Network Settings of the vShield Manager” on page 18
“Log In to the vShield Manager User Interface” on page 19
“Synchronize the vShield Manager with the vCenter Server” on page 19
“Register the vShield Manager Plug-In with the vSphere Client” on page 20
“Change the Password of the vShield Manager User Interface Default Account” on page 20
“Install vShield Zones” on page 20
“Where to Go Next” on page 21
Obtain the vShield Manager OVA File
The vShield Manager virtual machine is packaged as an Open Virtualization Appliance (OVA) file, which allows you to use the vSphere Client to import the vShield Manager into the datastore and virtual machine inventory.
Install the vShield Manager Virtual Appliance
You can install the vShield Manager virtual machine on an ESX host in a cluster configured with DRS.
You must install the vShield Manager into the vCenter that the vShield Manager will be interoperating with. A single vShield Manager serves a single vCenter Server environment.
The vShield Manager virtual machine installation includes VMware Tools. Do not attempt to upgrade or install VMware Tools on the vShield Manager.
To install the vShield Manager
1 Log in to the vSphere Client.
2 Create a port group to home the management interface of the vShield Manager.
The vShield Manager management interface must be reachable by all future vShield Edge, vShield App, and vShield Endpoint instances.
3 Go to File > Deploy OVF Template.
4 Click Deploy from file and click Browse to locate the folder on your PC containing the vShield Manager OVA file.
5 Complete the wizard.
The vShield Manager is installed as a virtual machine into your inventory.
6 Power on the vShield Manager virtual machine.
Configure the Network Settings of the vShield Manager
You must use the command line interface (CLI) of the vShield Manager to configure an IP address, identify the default gateway, and set DNS settings.
You can specify up to two DNS servers that the vShield Manager can use for IP address and hostname resolution. DNS is required if any ESX host in your vCenter Server environment was added by using the hostname (instead of the IP address).
To configure the vShield Manager network settings by using the vShield Manager CLI
1 Right-click the vShield Manager virtual machine and click Open Console to open the command line interface (CLI) of the vShield Manager.
The booting process might take a few minutes.
2 After the manager login prompt appears, log in to the CLI by using the username admin and the password default.
3 Enter Enabled mode by using the password default.
manager> enable
Password:
manager#
4 Run the setup command to open the CLI setup wizard.
The CLI setup wizard guides you through IP address assignment for the vShield Manager's management interface and identification of the default network gateway. The IP address of the management interface must be reachable by all installed vShield App, vShield Edge, and vShield Endpoint instances, and by a Web browser for system management.
manager# setup
Use CTRL-D to abort configuration dialog at any prompt.
Default settings are in square brackets '[]'.
IP Address (A.B.C.D):
Subnet Mask (A.B.C.D):
Default gateway (A.B.C.D):
Primary DNS IP (A.B.C.D):
Secondary DNS IP (A.B.C.D):
Old configuration will be lost, and system needs to be rebooted
Do you want to save new configuration (y/[n]): y
Please log out and log back in again.
manager> exit
manager login:
5 Log in to the CLI.
6 Ping the default gateway to verify network connectivity.
manager> ping A.B.C.D
7 From your PC, ping the vShield Manager IP address to validate that the IP address is reachable.
NOTE Do not place the management interface of the vShield Manager in the same port group as the Service Console and VMkernel.
Log In to the vShield Manager User Interface
After you have installed and configured the vShield Manager virtual machine, log in to the vShield Manager user interface.
To log in to the vShield Manager user interface
1 Open a Web browser window and type the IP address assigned to the vShield Manager.
The vShield Manager user interface opens in an SSL session.
2 Accept the security certificate.
The vShield Manager login screen appears.
3 Log in to the vShield Manager user interface by using the username admin and the password default.
You should change the default password as one of your first tasks to prevent unauthorized use. See “Change the Password of the vShield Manager User Interface Default Account” on page 20.
4 Click Log In.
Synchronize the vShield Manager with the vCenter Server
Synchronize with your vCenter Server to display your VMware Infrastructure inventory in the vShield Manager user interface.
You must have a vCenter Server user account with administrative access to complete this task.
To synchronize the vShield Manager with vCenter Server
1 Log in to the vShield Manager.
2 Click Settings & Reports from the vShield Manager inventory panel.
3 Click the Configuration tab.
4 Click the vCenter tab.
5 Type the IP address or hostname of your vCenter Server in the IP address/Name field.
6 Type your vSphere Client login username in the User Name field.
7 Type the password associated with the username in the Password field.
8 Click Save.
NOTE You can use an SSL certificate for authentication. Refer to the vShield Administration Guide.
NOTE The vShield Manager virtual machine does not appear as a resource in the inventory panel of the vShield Manager user interface. The Settings & Reports object represents the vShield Manager virtual machine in the inventory panel.
Register the vShield Manager Plug-In with the vSphere Client
The vSphere Plug-in option lets you register the vShield Manager as a vSphere Client plug-in. After the plug-in is registered, you can configure most vShield options from the vSphere Client.
To register the vShield Manager as a vSphere Client Plug-in
1 Click Settings & Reports from the vShield Manager inventory panel.
2 Click the Configuration tab.
3 Click vSphere Plug-in.
4 Click Register.
5 If you are logged in to the vSphere Client, log out.
6 Log in to the vSphere Client.
7 Select an ESX host.
8 Verify that the vShield tab appears as an option.
Change the Password of the vShield Manager User Interface Default Account
You can change the password of the admin account to harden access to your vShield Manager.
To change the admin account password
1 Log in to the vShield Manager user interface.
2 Click Settings & Reports from the vShield Manager inventory panel.
3 Click the Users tab.
4 Select the admin account.
5 Click Update User.
6 Enter a new password.
7 Confirm the password by typing it a second time in the Retype Password field.
8 Click OK to save your changes.
Install vShield Zones
The following information is required for vShield Zones installation on an ESX host:
One IP address for the management (MGMT) port of each vShield Zones virtual appliance. Each IP address should be reachable from the vShield Manager and sit on the Management network used for vCenter and ESX host management interfaces.
Local or network storage to place the vShield Zones disk.
vShield Zones virtual appliances include VMware Tools. Do not attempt to alter or upgrade the VMware Tools software on a vShield Zones virtual appliance.
To install a vShield Zones virtual appliance
1 Log in to the vSphere Client.
2 Select an ESX host from the inventory tree.
CAUTION Do not install vShield Zones/App on the ESX host where vCenter Server is running.