VMware vShield 4.1 Quick start guide

Brand: VMware

Model: vShield 4.1

Category: Software manuals

Type: Quick start guide

This manual is also suitable for

VSHIELD MANAGER 4.1.0 UPDATE 1 - API

vShield Quick Start Guide

vShield Manager 4.1.0 Update 1

vShield Zones 4.1.0 Update 1

vShield Edge 1.0.0 Update 1

vShield App 1.0.0 Update 1

vShield Endpoint 1.0.0 Update 1

This document supports the version of each product listed and

supports all subsequent versions until the document is replaced

by a new edition. To check for more recent editions of this

document, see http://www.vmware.com/support/pubs.

EN-000375-02

VMware, Inc.

3401 Hillview Ave.

Palo Alto, CA 94304

www.vmware.com

2 VMware, Inc.

vShield Quick Start Guide

You can find the most up-to-date technical documentation on the VMware Web site at:

http://www.vmware.com/support/

The VMware Web site also provides the latest product updates.

If you have comments about this documentation, submit your feedback to:

docfeedback@vmware.com

intellectual property laws. VMware products are covered by one or more patents listed at

http://www.vmware.com/go/patents.

VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks

and names mentioned herein may be trademarks of their respective companies.

VMware, Inc. 3

Contents

AboutThisBook 5

1 IntroductiontovShield 7

vShieldComponentsataGlance 7

vShieldManager 7

vShieldZones 7

vShieldEdge 8

vShieldApp 9

vShieldEndpoint 9

DeploymentScenarios 10

ProtectingtheDMZ 10

IsolatingandProtectingInternalNetworks 10

ProtectingVirtualMachinesinaCluster 11

CommonDeploymentsofvShieldEdge 11

CommonDeploymentsofvShieldApp 11

2 PreparingforInstallation 13

SystemRequirements 13

Hardware 13

Software 13

ClientandUserAccess 14

DeploymentConsiderations 14

PreparingVirtualMachinesforvShieldProtection 14

vShieldManagerUptime 15

CommunicationBetweenvShieldComponents 15

HardeningYourvShieldVirtualMachines 15

3 InstallingthevShieldManagerandvShieldZones 17

ObtainthevShieldManagerOVAFile 17

InstallthevShieldManagerVirtualAppliance 17

ConfiguretheNetworkSettingsofthevShieldManager 18

LogIntothevShieldManagerUserInterface 19

SynchronizethevShieldManagerwiththevCenterServer 19

ChangethePasswordofthevShieldManagerUser

InterfaceDefaultAccount 20

InstallvShieldZones 20

WheretoGoNext 21

4 InstallingvShieldEdge,vShieldApp,andvShieldEndpoint 23

RunningvShieldinEvaluationMode 23

PreparingYourVirtualInfrastructureforvShieldApp,vShieldEdge,andvShieldEndpoint 23

InstallvShieldComponentLicenses 24

PrepareAllESXHosts 24

PrepareavNetworkforPortGroupIsolation 25

InstallavShieldEdge 26

InstallingvShieldEndpoint 27

vShieldEndpointInstallationWorkflow 27

vShield Quick Start Guide

4 VMware, Inc.

InstalltheThinAgentontheGuestVirtualMachine 27

WheretoGoNext 28

Index 29

VMware, Inc. 5

ThevShieldQuickStartGuideprovidesinformationaboutinstallingVMware

®

vShield™intoyourVMware

VirtualInfrastructureenvironment.

Intended Audience

ThisbookisintendedforanyonewhowantstoinstalloruseVMwarevShield.Theinformationinthisbookis

writtenforexperiencedWindowsorLinuxsystemadministratorswhoarefamiliarwithvirtualmachine

technologyanddatacenteroperations.ThisbookalsoassumesfamiliaritywithVMwareVirtual

Infrastructure,includingvCenter™Server4.x,

VMwareESX™4.x,andthevSphereClient.

VMware Technical Publications Glossary

VMwareTechnicalPublicationsprovidesaglossaryoftermsthatmightbeunfamiliartoyou.Fordefinitions

oftermsastheyareusedinVMwaretechnicaldocumentationgotohttp://www.vmware.com/support/pubs.

Document Feedback

VMwarewelcomesyoursuggestionsforimprovingourdocumentation.Ifyouhavecomments,sendyour

feedbacktodocfeedback@vmware.com.

VMware Infrastructure Documentation

ThefollowingdocumentscomprisethevShield2.0documentationset:

 vShieldAdministrationGuide

 vShieldQuickStartGuide

 vShieldAPIProgrammingGuide

YoushouldalsohaveaccesstothecombinedvCenterServerandESXdocumentationset.

Technical Support and Education Resources

Thefollowingsectionsdescribethetechnicalsupportresourcesavailabletoyou.Toaccessthecurrentversion

ofthisbookandotherbooks,gotohttp://www.vmware.com/support/pubs.

Online and Telephone Support

Touseonlinesupporttosubmittechnicalsupportrequests,viewyourproductandcontractinformation,and

Customerswithappropriatesupportcontractsshouldusetelephonesupportforthefastestresponseon

priority1issues.Gotohttp://www.vmware.com/support/phone_support.

About This Book

vShield Quick Start Guide

6 VMware, Inc.

Support Offerings

TofindouthowVMwaresupportofferingscanhelpmeetyourbusinessneeds,goto

http://www.vmware.com/support/services.

VMware Professional Services

VMwareEducationServicescoursesofferextensivehands‐onlabs,casestudyexamples,andcoursematerials

designedtobeusedason‐the‐jobreferencetools.Coursesareavailableonsite,intheclassroom,andlive

online.Foronsitepilotprograms andimplementationbestpractices,VMwareConsultingServicesprovides

offeringsto helpyouassess,plan,

build,andmanageyourvirtualenvironment.Toaccessinformationabout

educationclasses,certificationprograms,andconsultingservices,gotohttp://www.vmware.com/services. 

VMware, Inc. 7

ThischapterintroducestheVMware

vShield™componentsyouinstall.

Thechapterincludesthefollowingtopics:

 “vShieldComponentsataGlance”onpage 7

 “DeploymentScenarios”onpage 10

vShield Components at a Glance

VMwarevShieldisasuiteofsecurityvirtualappliancesbuiltforVMwarevCenter™Serverintegration.

vShieldisacriticalsecuritycomponentforprotectingvirtualizeddatacentersfromattacksandmisusehelping

youachieveyourcompliance‐mandatedgoals.

vShieldincludesvirtualappliancesandservicesessentialforprotectingvirtualmachines.vShieldcanbe

configured

throughaweb‐baseduserinterface,avSphereClientplug‐in,acommandlineinterface(CLI),and

RESTAPI.

vCenterServerincludesvShieldManagerandvShieldZones.ThefollowingvShieldpackageseachrequirea

license:

 vShieldEdgewithPortGroupIsolation

 vShieldApp

 vShieldEndpoint

OnevShieldManagermanagesmultiplevShieldZones,vShieldEdge,vShieldApp,andvShieldEndpoint

instances.

vShield Manager

ThevShieldManageristhecentralizednetworkmanagementcomponentofvShield,andisinstalledasa

virtualapplianceonanyESX™hostinyourvCenterServerenvironment.AvShieldManagercanrunona

differentESXhostfromyourvShieldagents.

UsingthevShieldManageruserinterfaceorvSphereClientplug‐

in,administratorsinstall,configure,and

maintainvShieldcomponents.ThevShieldManageruserinterfaceleveragestheVMwareInfrastructureSDK

todisplayacopyofthevSphereClientinventorypanel,andincludestheHosts&ClustersandNetworks

views.

vShield Zones

vShieldZonesprovidesfirewallprotectionfortrafficbetweenvirtualmachines.ForeachZonesFirewallrule,

youcanspecifythesourceIP,destinationIP,sourceport,destinationport,andservice.

Introduction to vShield

vShield Quick Start Guide

8 VMware, Inc.

vShield Edge

vShieldEdgeprovidesnetworkedgesecurityandgatewayservicestoisolatethevirtualmachinesinaport

group,vDSportgroup,orCisco

Nexus1000V.ThevShieldEdgeconnectsisolated,stubnetworkstoshared

(uplink)networksbyprovidingcommongatewayservicessuchasDHCP,VPN,NAT,andLoadBalancing.

CommondeploymentsofvShieldEdgeincludeintheDMZ,VPNExtranets,andmulti‐tenantCloud

environmentswherethevShieldEdgeprovidesperimetersecurityfor

VirtualDatacenters(VDCs).

Standard vShield Edge Services (Including Cloud Director)

 Firewall:SupportedrulesincludeIP5‐tupleconfigurationwithIPandportrangesforstatefulinspection

forTCP,UDP,andICMP.

 NetworkAddressTranslation:SeparatecontrolsforSourceandDestinationIPaddresses,aswellasTCP

andUDPporttranslation.

 DynamicHostConfigurationProtocol(DHCP):ConfigurationofIPpools,gateways,DNSservers,and

searchdomains.

Advanced vShield Edge Services

 Site‐to‐SiteVirtualPrivateNetwork(VPN):UsesstandardizedIPsecprotocolsettingstointeroperatewith

allmajorfirewallvendors.

 LoadBalancing:SimpleanddynamicallyconfigurablevirtualIPaddressesandservergroups.

vShieldEdgesupportssyslogexportforallservicestoremoteservers.

Figure 1-1. vShield Edge Installed to Secure a vDS Port Group

VMware, Inc. 9

Chapter 1 Introduction to vShield

vShield App

vShieldAppisaninterior,vNIC‐levelfirewallthatallowsyoutocreateaccesscontrolpoliciesregardlessof

networktopology.AvShieldAppmonitorsalltrafficinandoutofanESXhost,includingbetweenvirtual

machinesinthesameportgroup.vShieldAppincludestrafficanalysisandcontainer‐basedpolicy

creation.

vShieldAppinstallsasahypervisormoduleandfirewallservicevirtualappliance.vShieldAppintegrates

withESXhoststhroughVMsafeAPIsandworkswithVMwarevSphereplatformfeaturessuchasDRS,

vMotion,DPM,andmaintenancemode.

vShieldAppprovidesfirewallingbetweenvirtualmachinesbyplacingafirewallfilteronevery

virtual

networkadapter.Thefirewallfilteroperatestransparentlyanddoesnotrequirenetw orkchangesor

modificationofIPaddressestocreatesecurityzones.YoucanwriteaccessrulesbyusingvCentercontainers,

likedatacenters,cluster,resourcepoolsandvApps,ornetworkobjects,likePortGroupsandVLANs,to

reducethenumber

offirewallrulesandmaketheruleseasiertotrack.

YoushouldinstallvShieldAppinstancesonallESXhostswithinaclustersothatVMwarevMotion™

operationsworkandvirtualmachinesremainprotectedastheymigratebetweenESXhosts.Bydefault,a

vShieldAppvirtualappliancecannotbemovedby

usingvMotion.

TheFlowMonitoringfeaturedisplaysallowedandblockednetworkflowsattheapplicationprotocollevel.

Youcanusethisinformationtoauditnetworktrafficandtroubleshootoperational.

vShield Endpoint

vShieldEndpointdeliversanintrospection‐basedantivirussolution.vShieldEndpointusesthehypervisorto

scanguestvirtualmachinesfromtheoutsidewithoutabulkyagent.vShieldEndpointisefficientinavoiding

resourcebottleneckswhileoptimizingmemoryuse.

vShieldEndpointinstallsasahypervisormoduleandsecurityvirtualappliancefromathird‐

partyantivirus

vendor(VMwarepartners)onanESXhost.

Figure 1-2. vShield Endpoint Installed on an ESX Host

vShield Quick Start Guide

10 VMware, Inc.

Deployment Scenarios

UsingvShield,youcanbuildsecurezonesforavarietyofvirtualmachinedeployments.Youcanisolatevirtual

machinesbasedonspecificapplications,networksegmentation,orcustomcompliancefactors.Onceyou

determineyourzoningpolicies,youcandeployvShieldtoenforceaccessrulestoeachofthesezones.

Protecting the DMZ

TheDMZisamixedtrustzone.ClientsenterfromtheInternetforWebandemailservices,whileservices

withintheDMZmightrequireaccesstoservicesinsidetheinternalnetwork.YoucanplaceDMZvirtual

machinesinaportgroupandsecurethatportgroupwithavShieldEdge.vShield

Edgeprovidesaccess

servicessuchasfirewall,NAT,andVPN,aswellasloadbalancingtosecureDMZservices.

AcommonexampleofaDMZservicerequiringaninternalserviceisMicrosoftExchange.MicrosoftOutlook

WebAccess(OWA)commonlyresidesintheDMZcluster,whiletheMicrosoftExchangebackendis

inthe

internalcluster.Ontheinternalcluster,youcancreatefirewallrulestoallowonlyExchanged ‐relatedrequests

fromtheDMZ,identifyingspecificsource‐to‐destinationparameters.FromtheDMZcluster,youcancreate

rulestoallowoutsideaccesstotheDMZonlytospecificdestinationsusingHTTP,FTP,

orSMTP.

Isolating and Protecting Internal Networks

YoucanuseavShieldEdgewiththePortGroupIsolationfeaturetoisolateaninternalnetworkfromthe

externalnetwork.AvShieldEdgeprovidesperimeterfirewallprotectionandedgeservicestosecurevirtual

machinesinaportgroup,enablingcommunicationtotheexternalnetworkthroughDHCP,NAT,andVPN.

Within

thesecuredportgroup,youcaninstallavShieldAppinstanceoneachESXhostthatthevDSspansto

securecommunicationbetweenvirtualmachinesintheinternalnetwork.

IfyouutilizeVLANtagstosegmenttraffic,youcanuseAppFirewalltocreatesmarteraccesspolicies.Using

AppFirewallinstead

ofaphysicalfirewallallowsyoutocollapseormixtrustzonesinsharedESXclusters.By

doingso,yougainoptimalutilizationandconsolidationfromfeaturessuchasDRSandHA,insteadofhaving

separate,fragmentedclusters.ManagementoftheoverallESXdeploymentasasinglepoolislesscomplex



thanhavingseparatelymanagedpools.

Forexample,youuseVLANstosegmentvirtualmachinezonesbasedonlogical,organizational,ornetwork

boundaries.LeveragingtheVirtualInfrastructureSDK,thevShieldManagerinventorypaneldisplaysaview

ofyourVLANnetworksundertheNetworksview.YoucanbuildaccessrulesforeachVLAN

networkto

isolatevirtualmachinesanddropuntaggedtraffictothesemachines.

VMware, Inc. 11

Chapter 1 Introduction to vShield

Protecting Virtual Machines in a Cluster

InFigure 1‐3,vShieldAppinstancesareinstalledoneachESXhostinacluster.Virtualmachinesareprotected

whenmovedviavMotion™orDRSbetweenESXhostsinthecluster.EachvAppsharesandmaintainsstate

ofalltransmissions.

Figure 1-3. vShield App Instances Installed on Each ESX Host in a Cluster

Common Deployments of vShield Edge

YoucanuseavShieldEdgewiththePortGroupIsolationfeaturetoisolateastubnetwork,usingNATtoallow

trafficinandoutofthenetwork.Ifyoudeployinternalstubnetworks,youcanusevShieldEdgetosecure

communicationbetweennetworksbyusingLAN‐to‐LANencryptionvia

VPNtunnels.

vShieldEdgecanbedeployedasaself‐serviceapplicationwithinVMwareCloudDirector.

Common Deployments of vShield App

YoucanusevShieldApptocreatesecurityzoneswithinavDC.YoucanimposefirewallpoliciesonvCenter

containersorSecurityGroups,whicharecustomcontainersyoucancreatebyusingthevShieldManageruser

interface.Container‐basedpoliciesenableyoutocreatemixedtrustzonesclusterswithoutrequiring

an

externalphysicalfirewall.

InadeploymentthatdoesnotusevDCs,useavShieldAppwiththeSecurityGroupsfeaturetocreatetrust

zonesandenforceaccesspolicies.

ServiceProviderAdminscanusevShieldApptoimposebroadfirew allpoliciesacrossallguestvirtual

machinesinaninternalnetwork.Forexample,

youcanimposeafirewallpolicyonthesecondvNICofallguest

virtualmachinesthatallowsthevirtualmachinestoconnecttoastorageserver,butblocksthevirtual

machinesfromaddressinganyothervirtualmachines.

Unprotected Cluster

Protected Cluster

vShield Quick Start Guide

12 VMware, Inc.

VMware, Inc. 13

ThischapterintroducestanoverviewoftheprerequisitesforsuccessfulvShieldinstallation.

Thechapterincludesthefollowingtopics:

 “SystemRequirements”onpage 13

 “DeploymentConsiderations”onpage 14

System Requirements

BeforeinstallingvShieldinyourvCenterServerenvironment,consideryournetworkconfigurationand

resources.YoucaninstallonevShieldManagerpervCenterServer,onevShieldAppperESX™host,andone

vShieldEdgeperportgroup.

ToinstallvShield,youmustmeetthefollowingrequirements:

Hardware

Table 2‐1liststhehardwarerequirementsforthisversionofvShield.

Software

 VMwarevCenterServer4.0Update1orlater

Table 2‐2liststhevCenterversionsthatarecompatiblewiththisversionofvShield.

Preparing for Installation

Table 2-1. Hardware Requirements

Component Minimum

Memory 8GB

DiskSpace

 8GBforthevShieldManager

 5GBpervShieldAppperESXhost

 100MBpervShieldEdge

NICs 2gigabitNICsonanESXhost

NOTEvShieldEndpointrequiresvCenterServer4.1orlater.

Table 2-2. Supported vCenter Versions

vCenter Release Build Number

4.0Update1 264050

4.1GA 259021

4.1GAvSphereClient 259021

vShield Quick Start Guide

14 VMware, Inc.

 VMwareESX4.0Update1orlaterforeachserver

Table 2‐3liststheESXandESXiversionsthatarecompatiblewiththisversionofvShield.

 VMarevCloudDirector1.0

Table 2‐4liststhevCloudDirectorversionsthatarecompatiblewiththisversionofvShield.

Client and User Access

 PCwiththeVMwarevSphereClient

 Permissionstoaddandpoweronvirtualmachines

 Accesstothedatastorewhereyoustorevirtualmachinefiles,andtheaccountpermissionstocopyfilesto

thatdatastore

 EnablecookiesonyourWebbrowsertoaccessthevShieldManageruserinterface

 ConnecttothevShieldManagerusingoneofthefollowingsupportedWebbrowsers:

 InternetExplorer6.xandlater

 MozillaFirefox1.xandlater

 Safari1.xor2.x

Deployment Considerations

ConsiderthefollowingrecommendationsandrestrictionsbeforeyoudeployvShieldcomponents.

Preparing Virtual Machines for vShield Protection

YoumustdeterminehowtoprotectyourvirtualmachineswithvShield.Considerthefollowingquestions:

How Are My Virtual Machines Grouped?

YoumightconsidermovingvirtualmachinestoportgroupsonavDSoradifferentESXhosttogroupvirtual

machinesbyfunction,department,orotherorganizationalneedtoimprovesecurityandeaseconfigurationof

accessrules.YoucaninstallvShieldEdgeattheperimeterofanyportgrouptoisolate

virtualmachinesfrom

theexternalnetwork.YoucaninstallavShieldApponanESXhostandconfigurefirewallpoliciesper

containerresourcetoenforcerulesbasedonthehierarchyofresources.

Are My Virtual Machines Still Protected if I vMotion Them to Another ESX Host?

Yes,ifyouinstallavShieldApponeachESXhostinacluster,youcanmigratemachinesbetweenhostswithout

weakeningthesecurityposture.vShieldAppinstancescannotbemigratedtootherhosts,thuseachinstance

maintainsstateforexistingsessions.

OTEvShieldEndpointrequiresESX4.1orlater.

Table 2-3. Supported ESX and ESXi Versions

ESX or ESXi Release Build Number

4.0Update1 208167

4.1GA 260247

Table 2-4. Supported vCloud Director Versions

vCloud Director Release Build Number

1.0 285979

VMware, Inc. 15

Chapter 2 Preparing for Installation

How Do I Isolate a Group of Virtual Machines?

YoucanusevShieldEdgewiththePortGroupIsolationfeatureorVLANstoisolatevirtualmachinesfromthe

externalnetwork.

1InstallPortGroupIsolationoneachESXhostthatavDSspans.

2 CreateaportgrouponthevDS.

3EnablePortGroupIsolationonthevDS.

4InstallavShieldEdgeonthe

portgroup.

5Movethevirtualmachinestotheportgroup.

6ConfigurevShieldEdgeNATrulesfortrafficinandoutoftheportgroup.

vShield Manager Uptime

ThevShieldManagershouldberunonanESXhostthatisnotaffectedbydowntime,suchasfrequentreboots

ormaintenancemodeoperations.YoucanuseHAorDRStoincreasetheresilienceofthevShieldManager.If

theESXhostonwhichthevShieldManagerresidesisexpectedto

requiredowntime,vMotionthevShield

ManagervirtualappliancetoanotherESXhost.Thus,morethanoneESXhostisrecommended.

Communication Between vShield Components

ThemanagementinterfacesofvShieldcomponentsshouldbeplacedinacommonnetwork,suchasthe

vSpheremanagementnetwork.ThevShieldManagerrequiresconnectivitytothevCenterServer,aswellas

allvShieldAppandvShieldEdgeinstances.vShieldcomponentscancommunicateoverroutedconnections

aswellasdifferentLANs.

Hardening Your vShield Virtual Machines

YoucanaccessthevShieldManagerandothervShieldcomponentsbyusingaweb‐baseduserinterface,

commandlineinterface,andRESTAPI.vShieldincludesdefaultlogincredentialsforeachoftheseaccess

options.AfterinstallationofeachvShieldvirtualmachine,youshouldhardenaccessbychangingthedefault

vShield Manager User Interface

YouaccessthevShieldManageruserinterfacebyopeningawebbrowserwindowandnavigatingtotheIP

addressofthevShieldManager’smanagementport.Thedefaultuseraccount,admin,hasglobalaccesstothe

vShieldManager.Afterinitiallogin,youshouldchangethedefaultpasswordoftheadminuseraccount.

See

“ChangethePasswordofthevShieldManagerUserInterfaceDefaultAccount”onpage 20.

Command Line Interface

YoucanaccessthevShieldManager,vShieldApp,andvShieldEdgevirtualappliancesbyusingacommand

lineinterfaceviavSphereClientconsolesession.Eachvirtualapplianceusesthesamedefaultusername

(admin)andpassword(default)combinationasthevShieldManageruserinterface.EnteringEnabledmode

alsousesthe

passworddefault.

FormoreonhardeningtheCLI,seethevShieldAdministrationGuide.

NOTEYoucanalsouseVLANstoisolatevirtualmachinesprotectedbyavShieldEdge.Ifyouuse

VLANs,theinternalportgroupconnectedtoavShieldEdgemusthaveaVLANtagthatisdifferentfrom

theexternalportgroup.

NOTEThevShieldManagermustbeinthesamevCenterServerenvironmentasthevShieldcomponentsto

bemanaged.YoucannotusethevShieldManageracrossdifferentvCenterServerenvironments.

vShield Quick Start Guide

16 VMware, Inc.

REST Requests

AllRESTAPIrequestsrequireauthenticationwiththevShieldManager.UsingBase64encoding,youidentify

ausername‐passwordcombinationinthefollowingformat:username:password.YoumustuseavShield

Manageruserinterfaceaccount(usernameandpassword)withprivilegedaccesstoperformrequests.For

moreonauthenticatingRESTAPIrequests,see

thevShieldAPIProgrammingGuide

VMware, Inc. 17

VMwarevShieldprovidesfirewallprotection,trafficanalysis,andnetworkperimeterservicestoprotectyour

vCenterServervirtualinfrastructure.vShieldvirtualapplianceinstallationhasbeenautomatedformost

virtualdatacenters.

ThevShieldManageristhecentralizedmanagementcomponentofvShield.YouusethevShieldManagerto

monitorandpushconfigurationstovShield

App,vShieldEndpoint,andvShieldEdgeinstances.ThevShield

ManagerrunsasavirtualapplianceonanESXhost.

VMwarevShieldisincludedwithVMwareESX4.0and4.1.ThebaseVMwarevShieldpackageincludesthe

vShieldManagerandvShieldZones.YoucanconfigurethevShieldZonesfirewallrulesetto

monitortraffic

basedonIPaddress‐to‐IPaddresscommunication.

InstallingthevShieldManagerisamultistepprocess.Youmustperformallofthetasksthatfollowinsequence

tocompletevShieldManagerinstallationsuccessfully.

Thischapterincludesthefollowingtopics:

 “ObtainthevShieldManagerOVAFile”onpage 17

 “InstallthevShieldManagerVirtualAppliance”onpage 17

 “ConfiguretheNetworkSettingsofthevShieldManager”onpage 18

 “LogIntothevShieldManagerUserInterface”onpage 19

 “SynchronizethevShieldManagerwiththevCenterServer”onpage 19

 “RegisterthevShieldManagerPlug‐InwiththevSphereClient”onpage 20

 “ChangethePasswordofthevShieldManagerUserInterfaceDefaultAccount”onpage 20

 “InstallvShieldZones”onpage 20

 “WheretoGoNext”onpage 21

Obtain the vShield Manager OVA File

ThevShieldManagervirtualmachineispackagedasanOpenVirtualizationAppliance(OVA)file,which

allowsyoutousethevSphereClienttoimportthevShieldManagerintothedatastoreandvirtualmachine

inventory.

Install the vShield Manager Virtual Appliance

YoucaninstallthevShieldManagervirtualmachineonanESXhostinaclusterconfiguredwithDRS.

YoumustinstallthevShieldManagerintothevCenterthatthevShieldManagerwillbeinteroperatingwith.

AsinglevShieldManagerservesasinglevCenterServerenvironment.

ThevShieldManagervirtualmachineinstallationincludes

VMwareTools.Donotattempttoupgradeor

installVMwareToolsonthevShieldManager.

Installing the vShield Manager and

vShield Zones

vShield Quick Start Guide

18 VMware, Inc.

To install the vShield Manager

1LogintothevSphereClient.

2 CreateaportgrouptohomethemanagementinterfaceofthevShieldManager.

ThevShieldManagermanagementinterfacemustbereachablebyallfuturevShieldEdge,vShieldApp,

andvShieldEndpointinstances.

3GotoFile>DeployOVFTemplate.

4ClickDeployfromfileandclickBrowsetolocatethefolderonyourPCcontainingthevShieldManager

OVAfile.

5Completethewizard.

ThevShieldManagerisinstalledasavirtualmachineintoyourinventory.

6PoweronthevShieldManagervirtualmachine.

Configure the Network Settings of the vShield Manager

Youmustusethe commandlineinterface(CLI)ofthevShieldManagertoconfigureanIPaddress,identifythe

defaultgateway,andsetDNSsettings.

YoucanspecifyuptotwoDNSserversthatthevShieldManagercanuseforIPaddressandhostname

resolution.DNSisrequiredifany

ESXhostinyourvCenterServerenvironmentwasaddedbyusingthe

hostname(insteadofIPaddress).

To configure the vShield Manager network settings by using the vShield Manager CLI

1Right‐clickthevShieldManagervirtualmachineandclickOpenConsoletoopenthecommandline

interface(CLI)ofthevShieldManager.

Thebootingprocessmighttakeafewminutes.

2Afterthemanager loginprompt

appears,logintotheCLIbyusingtheusernameadminandthe

passworddefault.

3EnterEnabledmodebyusingthepassworddefault.

manager> enable

Password:

manager#

4RunthesetupcommandtoopentheCLIsetupwizard.

TheCLIsetupwizardguidesyouthroughIPaddressassignmentforthevShieldManager’smanagement

interfaceandidentificationofthedefaultnetworkgateway.TheIPaddressofthemanagementinterface

mustbereachablebyallinstalledvShieldApp,vShieldEdge,and

vShieldEndpointinstances,andbya

Webbrowserforsystemmanagement.

manager# setup

Use CTRL-D to abort configuration dialog at any prompt.

Default settings are in square brackets '[]'.

IP Address (A.B.C.D):

Subnet Mask (A.B.C.D):

Default gateway (A.B.C.D):

Primary DNS IP (A.B.C.D):

Secondary DNS IP (A.B.C.D):

Old configuration will be lost, and system needs to be rebooted

Do you want to save new configuration (y/[n]): y

Please log out and log back in again.

NOTEDonotplacethemanagementinterfaceofthevShieldManagerinsameportgroupastheService

ConsoleandVMkernel.

VMware, Inc. 19

Chapter 3 Installing the vShield Manager and vShield Zones

manager> exit

manager login:

5LogintotheCLI.

6Pingthedefaultgatewaytoverifynetworkconnectivity.

manager> ping A.B.C.D

7FromyourPC,pingthevShieldManagerIPaddresstovalidatethattheIPaddressisreachable.

AfteryouhaveinstalledandconfiguredthevShieldManagervirtualmachine,logintothevShieldManager

userinterface.

To log in to the vShield Manager user interface

1OpenaWebbrowserwindowandtypetheIPaddressassignedtothevShieldManager.

ThevShieldManageruserinterfaceopensinanSSLsession.

2Acceptthesecuritycertificate.

ThevShieldManagerlogin

screenappears.

3LogintothevShieldManageruserinterfacebyusingtheusernameadminandthepassworddefault.

Youshouldchangethedefaultpasswordasoneofyourfirsttaskstopreventunauthorizeduse.See

“ChangethePasswordofthevShieldManagerUserInterfaceDefaultAccount”onpage 20.

4ClickLog

In.

Synchronize the vShield Manager with the vCenter Server

SynchronizewithyourvCenterServertodisplayyourVMwareInfrastructureinventoryinthevShield

Manageruserinterface.

YoumusthaveavCenterServeruseraccountwithadministrativeaccesstocompletethistask.

To synchronize the vShield Manager with vCenter Server

1LogintothevShieldManager.

2ClickSettings&ReportsfromthevShieldManagerinventorypanel.

3ClicktheConfigurationtab.

4ClickthevCentertab.

5TypetheIPaddressorhostnameofyourvCenterServerintheIPaddress/Namefield.

6TypeyourvSphereClientloginusernameintheUserNamefield.

7TypethepasswordassociatedwiththeusernameinthePasswordfield.

8ClickSave.

OTEYoucanuseanSSLcertificateforauthentication.RefertothevShieldAdministrationGuide.

NOTEThevShieldManagervirtualmachinedoesnotappearasaresourceintheinventorypanelofthe

vShieldManageruserinterface.TheSettings&ReportsobjectrepresentsthevShieldManagervirtual

machineintheinventorypanel.

vShield Quick Start Guide

20 VMware, Inc.

ThevSpherePlug‐inoptionletsyouregisterthevShieldManagerasavSphereClientplug‐in.Afterthe

plug‐inisregistered,youcanconfiguremostvShieldoptionsfromthevSphereClient.

To register the vShield Manager as a vSphere Client Plug-in

1ClickSettings&ReportsfromthevShieldManagerinventorypanel.

2ClicktheConfigurationtab.

3ClickvSpherePlug‐in.

4Click

Register.

5IfyouareloggedintothevSphereClient,logout.

6LogintothevSphereClient.

7 SelectanESXhost.

8VerifythatthevShieldtabappearsasanoption.

Change the Password of the vShield Manager User Interface Default

Account

YoucanchangethepasswordoftheadminaccounttohardenaccesstoyourvShieldManager.

To change the admin account password

1LogintothevShieldManageruserinterface.

2ClickSettings&ReportsfromthevShieldManagerinventorypanel.

3ClicktheUserstab.

4 Selecttheadminaccount.

5ClickUpdateUser.

6Enteranewpassword.

7Confirmthepasswordby

typingitasecondtimeintheRetypePasswordfield.

8ClickOKtosaveyourchanges.

Install vShield Zones

ThefollowinginformationisrequiredforvShieldZonesinstallationonanESXhost:

 OneIPaddressforthemanagement(MGMT)portofeachvShieldZonesvirtualappliance.EachIP

addressshouldbereachablefromthevShieldManagerandsitontheManagementnetworkusedfor

vCenterandESXhostmanagementinterfaces.

 LocalornetworkstoragetoplacethevShieldZonesdisk.

vShieldZonesvirtualappliancesincludeVMwareTools.DonotattempttoalterorupgradetheVMw areTools

softwareonavShieldZonesvirtualappliance.

To install a vShield Zones virtual appliance

1LogintothevSphereClient.

2 SelectanESXhostfromtheinventorytree.

CAUTIONDonotinstallvShieldZones/AppontheESXhostwherevCenterServerisrunning.

Page is loading ...

VMware vShield 4.1 Quick start guide

Brand: VMware

Model: vShield 4.1

Category: Software manuals

Type: Quick start guide

This manual is also suitable for

VSHIELD MANAGER 4.1.0 UPDATE 1 - API

Download PDF

report

VMware vShield 4.1 Quick start guide

This manual is also suitable for

VMware vShield 4.1 Quick start guide

Related papers

Other documents