Removing a vCenter Endpoint from vRA 7.x

This post will walk through the process of removing a vCenter Endpoint from vRA 7.3. Before beginning it is a good idea to take a backup of the vRA database and snapshot the vRA management stack. Ensure there are no existing virtual machines provisioned to the vCenter Endpoint we are removing, as a reservation cannot be removed while virtual machines are assigned to it. Log into the vRA tenant web portal; you can check existing virtual machines from the Infrastructure tab under Managed Machines using the Reservation filter. Still on the Infrastructure tab, from the navigation pane on the left hand side select Reservations, Reservations. Select and delete any reservations using compute resources associated with the vCenter Endpoint.

The next step is to remove the compute resources. Download the vRealize CloudClient here; at the time of writing the latest version is 4.4.0. Extract the contents to a Windows machine with access to the vRA management stack. In this example I am using one of the IaaS web servers. From an elevated command prompt run the VMware_vRealize_CloudClient-4.4.0-5511232\bin\cloudclient.bat file and accept the EULA. For ease of use, the first thing we will do is create an auto login file using the command login autologinfile, then close down Cloud Client.

In the root directory of the extracted folder a file is created called CloudClient.properties. Open the file with Notepad and enter the FQDN or IP address of the vRA appliance and the IaaS load balancer name in the appropriate fields, along with administrator credentials for both.

Open the VMware_vRealize_CloudClient-4.4.0-5511232\bin\cloudclient.bat file again in an elevated command prompt; by default the auto login file will be used. Accept any certificate warnings when prompted.

When using Cloud Client you can tab out to see available commands. We’ll need the following:

  • vra computeresource list: displays a list of compute resources
  • vra computeresource inactive list: displays a list of inactive compute resources

At this stage, before actually deleting the compute resources, we need to stop the VMware vCloud Automation Center Agent service on the vRA Agent servers.

  • vra computeresource inactive remove: removes the listed inactive compute resources
  • continue: confirms deletion of the compute resources
  • agents stopped: confirms the agents are stopped; at this point the compute resources will be removed

Go back into the vRA tenant web UI and, from the Infrastructure tab, check Compute Resources, or Endpoints, Fabric Groups. Click the fabric group that previously contained the compute resources; they have now been removed.

The final step is to remove the endpoint; this can be done in the web UI under Infrastructure, Endpoints, Endpoints. Select the endpoint and click Delete. Alternatively the endpoint can be removed from Cloud Client using vra endpoint remove --id <endpoint>, where <endpoint> is the endpoint name. Remember to remove the CloudClient.properties auto login file.
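The auto login file created above holds administrator credentials for both the vRA appliance and the IaaS servers, so removing it once the cleanup is finished matters. The following Python script is an added example, not part of the original post or of VMware's CloudClient: it parses a CloudClient.properties file, reports which password properties are populated (without revealing the values) and then overwrites and deletes the file. The property names (vra_server, vra_password, vra_iaas_password, and so on) are an assumption, as the post does not list them, and the sample file content is constructed.

```python
"""Check for and remove a CloudClient auto-login file after use.

Added example, not part of the original post or of VMware's CloudClient.
The property names below are assumed, not taken from the post; the sample
file content is constructed.
"""
import os
import tempfile

# Constructed sample of an auto-login file. Key names are an assumption.
SAMPLE_PROPERTIES = """\
# CloudClient auto-login file (constructed sample)
vra_server=vra.example.local
vra_tenant=vsphere.local
vra_username=administrator@vsphere.local
vra_password=Secret1!
vra_iaas_server=vra-iaas.example.local
vra_iaas_username=domain\\svc_vra
vra_iaas_password=Secret2!
"""


def parse_properties(text):
    """Parse Java-style key=value lines, skipping blanks and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def stored_secret_keys(text):
    """Names of populated password properties; the values are never returned."""
    return sorted(k for k, v in parse_properties(text).items()
                  if "password" in k.lower() and v)


def remove_autologin(path):
    """Overwrite the file with zeros, then delete it. Returns True if a file was removed."""
    if not os.path.isfile(path):
        return False
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        fh.write(b"\0" * size)
        fh.flush()
        os.fsync(fh.fileno())
    os.remove(path)
    return True


def demo():
    """Write the constructed sample to a temp dir, inspect it, then remove it."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "CloudClient.properties")
    with open(path, "w") as fh:
        fh.write(SAMPLE_PROPERTIES)
    with open(path) as fh:
        secrets = stored_secret_keys(fh.read())
    removed = remove_autologin(path)
    still_there = os.path.exists(path)
    os.rmdir(workdir)
    return {"secret_keys": secrets, "removed": removed, "still_there": still_there}


if __name__ == "__main__":
    print(demo())
```

Point remove_autologin at the real CloudClient.properties path in the extracted folder once the endpoint has been removed. The zero-overwrite is best effort only: on SSDs, copy-on-write filesystems or snapshotted VMs the old contents may persist, which is one more reason to keep the auto login file short-lived and to rotate the credentials it held if the machine is shared.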

McAfee MOVE with NSX Install Guide

McAfee Management for Optimised Virtual Environments (MOVE) is an anti-virus solution that removes the need for an individual agent install on every guest virtual machine, providing performance benefits and administrative savings at the same time as full anti-virus and malware protection.

MOVE Agentless AntiVirus safeguards virtualised environments using advanced malware protection; integrating real-time threat intelligence with security management whilst offloading all on-access scanning to a dedicated service virtual machine. The agentless solution integrates with NSX Manager and Service Composer for policy and event handling, meaning virtual machines are protected as soon as they are provisioned.

This post will detail the installation and configuration process of the McAfee MOVE service deployment and the associated VMware components, NSX Manager and Guest Introspection. You should already have an ePO server and vCenter server in place.

Architecture

NSX Manager is deployed and registered with vCenter Server on a 1:1 mapping. Upon registration a plug-in is injected into the vSphere web client to enable deployment and management of logical networks and services.

Service deployments consisting of the Guest Introspection and McAfee MOVE ESX Agents are deployed to vSphere clusters; when a host is added to the cluster the configured services are automatically deployed. The McAfee Service Virtual Appliance (SVA) relies on VirusScan Enterprise for Linux for protection and updates, and utilises Global Threat Intelligence (GTI) for real time malware defense.

NSX Manager integrates with McAfee ePolicy Orchestrator to export profile configurations to be used when creating security profiles with Service Composer. Policies are applied to objects such as clusters belonging to an NSX security group, this ensures all virtual machines and hosts are instantly protected. The McAfee ePO integration also allows for management of Service Virtual Machines and reports.

Versions

We will be installing NSX Manager 6.2.4 with McAfee MOVE Agentless 3.6.1 (advanced license) on vCenter 6.0 and ESXi 6.0; version 5.5 of both can also be used. The ePO version should be 4.6.8, 5.1.0, 5.1.1 or 5.3.0. If you are using different versions check the McAfee MOVE compatibility matrix. There is a multi-platform version of McAfee MOVE compatible with Microsoft and Citrix hypervisors, which is beyond the scope of this guide.

With regards to deploying McAfee MOVE in a vCloud Networking and Security (vCNS) environment, using vShield Manager and Endpoint, these products are now end of life. The replacement solution is NSX Manager with Guest Introspection. For assistance with upgrading vShield Manager review Upgrading vShield Manager to NSX Manager.

New post: McAfee MOVE 4.5.0 Upgrade Guide with NSX

Requirements

  • The NSX Manager appliance (1 per vCenter) is preconfigured with 16 GB RAM, 4 vCPU and 60 GB disk. VMware recommend a memory reservation for NSX Manager in production environments.
  • The Guest Introspection agent (1 per host) is preconfigured with 1 GB RAM, 2 vCPU and 5 GB disk.
  • The McAfee MOVE agent (1 per host) is preconfigured with 2 GB RAM, 2 vCPU and 15 GB disk.
  • Each ESX Agent you deploy requires an IP address; 2 per host. This should be planned into the solution design as you will need to assign IP addresses using either DHCP or an IP pool of reserved addresses.
  • A vSphere Distributed Switch (vDS) must be used. There is a workaround for this by configuring the Agent VM Setting on each host, however this should be used for environments such as ROBO and not datacentres.
  • ESXi servers must be grouped into clusters, even if only a single ESXi host resides in a cluster.
  • Connectivity between the NSX Manager and vCenter \ ESXi management networks is required. If you have any firewalls in place review the NSX network port requirements.
  • Environmental variables: correct DNS configuration, time synchronisation, and vSphere administrator access.
  • VMware Tools must be installed on the guest virtual machines as this includes the Guest Introspection driver necessary for offloading on-access scanning.
  • The McAfee MOVE licensing model is as follows: product trial for use with up to 10 hypervisors in a non-production environment, basic license for manual deployment of the Security Virtual Appliance (SVA) bought as a standalone product, advanced license for McAfee ePO based SVA deployment (packaged with Server Security Suite Essentials, Advanced, and Desktop).
  • NSX Manager has a number of licensing models, the default license with NSX Manager v6.2.4 and later includes use of Guest Introspection for offloaded AV. For additional features compare NSX versions.
  • If you have licensing queries check with McAfee support and your VMware account manager.

This guide is intended as a consolidation of the end to end process, before beginning any implementation you should review further documentation including the MOVE AV Agentless Product Guide and the VMware NSX 6.2 Documentation Centre.

Installation Part 1 – NSX Manager

Download the NSX Manager OVA file from the Download VMware NSX for vSphere page.

Deploy the OVA file to your vCenter server, in the customisation options configure the appliance network settings. Once the NSX Manager appliance is deployed and powered on open a web browser to the specified IP address, log in with the admin account, if you didn’t change the password during deployment the default password is default.

Click Manage vCenter Registration, under vCenter Server click Edit. Enter the name of the vCenter server to register NSX Manager with and the relevant credentials, click Ok. It is good practice to set the time settings and host name in the Manage Appliance Settings page; you can also configure a syslog server, backups, change network settings, etc.

After configuring NSX Manager restart the VMware vSphere Web Client on the vCenter Server the NSX Manager was registered with. You may also need to restart your browser. Log in to the vSphere web client and browse to Networking & Security, click NSX Managers and verify the newly deployed NSX Manager is present.

To configure additional permissions select the NSX Manager and click Manage, Users. Here you can add, edit, and remove users and permissions. Each role provides a description of the level of access, for more information on NSX permissions click here. To add Active Directory permissions to NSX Manager select the Domains tab, and click the green plus symbol to add the LDAP details.

If you have a license key to apply to NSX Manager you can do so under the Administration option from the home page of the vSphere web client, select Licenses, Assets, Solutions, NSX.

Part 2 – McAfee ePO

Depending on your environment some of the steps below might already be configured, you may also need to repeat sections for multiple vCenters. Download the MOVE AntiVirus Agentless zip package, the MOVE AntiVirus Agentless extension for McAfee ePO, and the Data Center Connector for vSphere from McAfee downloads.

Log in to McAfee ePO as an administrator and browse to Menu, Software, Extensions. Click Install Extension and install the MOVE AntiVirus Agentless extension and the Data Center Connector for vSphere extension.

Next we need to register the vCenter, browse to Menu, Configuration, Registered Cloud Accounts. Click Actions, Add Cloud Account. Ensure VMware vSphere is selected and input the vCenter details.

Before deploying MOVE we create a common configuration on the ePO server for use with each Service Virtual Machine (SVM). Browse to Menu, Automation, MOVE AV Agentless. On the Configuration tab select General, enter your administrative password and configure a naming convention and admin password for use with each SVM.

Next we can check in the SVM zip package downloaded earlier, browse to Menu, Automation, MOVE AV Agentless. From the Configuration tab select SVM repository and Actions, Add SVM.

The extensions we installed will automatically detect NSX Manager instances, however we still need to register these with McAfee ePO. Click Menu, Automation, MOVE AV Agentless. From the Configuration tab select NSX Manager, the discovered instances of NSX Manager will be listed, click Edit. Fill in the NSX Manager details, validate the credentials can connect, and click Save.

Next we register the MOVE Anti Virus service with McAfee ePO, browse to Menu, Automation, MOVE AV Agentless. Select the Service tab and click NSX Manager, the registered vCenters and associated NSX Managers will be listed, click Register. The McAfee MOVE AV service should now be listed in the vSphere web client under Networking & Security, Service Definitions. Once McAfee MOVE is defined as a service definition in vSphere, any scan policies are exported from McAfee ePO to NSX in real time.

Part 3 – Service Deployments

Guest Introspection and McAfee MOVE are service deployments installed on a per cluster basis using the vSphere web client. Guest Introspection must be deployed before McAfee MOVE. Once a cluster has a service deployment installed any new host added to the cluster automatically receives the ESX Agents.

To deploy Guest Introspection log into the vSphere web client and browse to Networking & Security, then click Installation. Click the green plus symbol to add a new service deployment.

In the new service deployment screen select Guest Introspection and click Next.

Select the cluster or clusters to deploy the service to and click Next.

Select the storage and management network for the ESX Agents, the default IP assignment is DHCP, ensure the selected network has access to a DHCP server. Alternatively click Change and select IP Pool. You can select an existing IP Pool or create a new one with the necessary network details. If your IP Pool fills up follow the steps outlined here to extend. When the storage and network settings are configured click Next.

Review the details on the confirmation page and click Finish.

The service will now be deployed, the status will be displayed in the Installation Status column. You will also see the ESX Agents being deployed in the vSphere recent tasks pane. Once complete the installation status should show succeeded and the service status ok.

Click the green plus symbol to add a new service deployment. In the new service deployment screen select McAfee MOVE AV and click Next.

Select the cluster or clusters to deploy the service to and click Next.

Select the storage and management network for the ESX Agents, the default IP assignment is DHCP, ensure the selected network has access to a DHCP server. Alternatively click Change and select IP Pool. You can select an existing IP Pool or create a new one with the necessary network details. If your IP Pool fills up follow the steps outlined here to extend. When the storage and network settings are configured click Next.

Review the details on the confirmation page and click Finish.

The service will now be deployed, the status will be displayed in the Installation Status column. You will also see the ESX Agents being deployed in the vSphere recent tasks pane. Once complete the installation status should show succeeded and the service status ok. Each host will now contain an ESX Agents resource group with the installed service deployments.

If you are using stateless environments then you should update the Auto Deploy image with the NSX VIBs, otherwise the Guest Introspection status will change to not ready after a host is rebooted.

Browse to https://NSX/bin/vdn/nwfabric.properties (where NSX is the IP or FQDN of the NSX Manager) and find the VIB URL for your version of ESXi, open the relevant URL which will auto download vxlan.zip. For assistance with updating Auto Deploy images see the VMware Auto Deploy Guide.

Part 4 – Service Composer

The final stage is to create and apply security policies to the security group containing virtual machines that you want to protect. McAfee MOVE is optimised for virtual environments and as such the settings out of the box are set to provide maximum protection with minimum overhead. However you can exclude certain file types and create on-access scan schedules tailored to your environment if preferred.

In this example we will be applying the default McAfee scan policy. To create your own scan policies log in to McAfee ePO and browse to Menu, Policy, Policy Catalog and select New Policy. Remember any scan policies created in ePO are automatically exported to NSX.

In the vSphere web client go to Networking & Security, Service Composer and open the Security Policies tab. Click the New Security Policy icon.

Add a new Guest Introspection Service that applies the service profile from ePO, in our case this is the McAfee MOVE AV My Default policy. Click Ok and Finish.

Now we need to create a security group to apply the policy to, select the Security Groups tab and click the New Security Group icon. Enter a group name and description, configure the objects to include and exclude and click Finish. (You can change the Object Type to datacentres, clusters, virtual machines, etc.)

Finally we apply the policy to the newly created group by clicking the Apply Policy icon. Select the policy and group to apply to and click Ok.

The default policy is now applied and members of the security group are protected. Depending on your environment and existing ePO policy standards you may want to set up separate policies such as quarantine, tagging, etc. For further assistance with McAfee policies refer to the MOVE AV Agentless Product Guide.

NSX Manager Guest Introspection

Guest introspection is a service that is deployed from NSX Manager to offload security functions to a dedicated security appliance on each host; thus removing the need for an AV agent within the guest operating system.

Using the Guest Introspection driver baked into VMware Tools and a third party service virtual machine, such as McAfee MOVE, all virtual machines are protected by real-time inspection as soon as they are powered on. This reduces administrative and guest memory overheads, whilst standardising deployments.

vShield Manager and Endpoint

Guest introspection functionality was previously achieved using vShield Manager with vShield Endpoint as part of the vCloud Networking and Security suite. NSX Manager v6.2.4 onwards is the replacement product for vShield Manager which has now reached end of life. Guest Introspection replaces vShield Endpoint, you may have noticed in ESXi 5.5 U2 the vShield drivers were renamed to guest introspection drivers as part of the VMware Tools install.

When upgrading from vShield Manager to NSX Manager the vShield Endpoint VIBs are already present on the hosts, these need upgrading to Guest Introspection. For assistance with upgrading from vShield Manager to NSX Manager see the post Upgrading vShield Manager to NSX Manager. This post will detail a clean installation process for the Guest Introspection service, as well as extending an IP Pool for use with Guest Introspection.

NSX Manager and Guest Introspection

Guest introspection is installed on a per cluster basis using the vSphere web client. Deploying Guest Introspection installs a new VIB and ESX Agent on each host in the cluster. You should check with your third party security vendor for compatibility and specific instructions. In most cases, such as with McAfee MOVE, an additional service virtual machine for offloaded anti-malware and AV scanning is deployed to each host.

Both the Guest Introspection ESX Agent and the third party appliance will require storage and a dedicated IP address; this can be configured using either DHCP or a VMware IP pool. The IP addressing of these ESX agents should be factored in to your solution design. The network is provided by a vSphere distributed switch; if you are not using distributed switches then it is possible to set an agent network on each host as a workaround under Configuration > Agent VM Settings in vSphere.

To enable Guest Introspection log into the vSphere web client and browse to Networking & Security, then click Installation. Click the green plus symbol to add a new service deployment.

In the new service deployment screen select Guest Introspection and click Next.

Select the cluster or clusters to deploy the service to and click Next.

Select the storage and management network for the ESX Agents, the default IP assignment is DHCP, ensure the selected network has access to a DHCP server. Alternatively click Change and select IP Pool. You can select an existing IP Pool or create a new one with the necessary network details. If your IP Pool fills up follow the steps at the bottom of this post to extend. When the storage and network settings are configured click Next.

Review the details on the confirmation page and click Finish.

The service will now be deployed, the status will be displayed in the Installation Status column. You will also see the ESX agents being deployed in the vSphere recent tasks pane.

Once complete the installation status should show succeeded and the service status ok. The Guest Introspection service has now been deployed to the selected clusters and you can move on to deploying and configuring your chosen third party appliance.

If you are using stateless environments then you should update the Auto Deploy image with the NSX VIBs, otherwise the guest introspection status will change to not ready after a host is rebooted.

Browse to https://NSX/bin/vdn/nwfabric.properties (where NSX is the IP or FQDN of the NSX Manager) and find the VIB URL for your version of ESXi, open the relevant URL which will auto download vxlan.zip. For assistance with updating Auto Deploy images see the VMware Auto Deploy Guide.

  • Service deployment failed with Agent VIB module cannot be detected on the host? See this post.
  • Guest Introspection intermittently losing connectivity? See this post.

Extending NSX Manager IP Pools

When creating Service Deployments through NSX Manager a new IP Pool can be created for use with the service. Although the service deployment wizard lets us create new pools, there is no option in it to extend an existing pool. In the event a pool requires additional capacity you can follow the steps outlined below.

From the home page of the vSphere web client select Networking & Security, click NSX Managers.

With the NSX Manager selected open the Manage tab and click Grouping Objects, IP Pools.

The existing IP Pools will be listed, here you can add, remove, and edit IP Pools. The Used / Total column will tell you how many IP addresses have been used in the pool. For this example we have an IP Pool with 22/22 used addresses, we will therefore extend the pool. Select the IP Pool to extend and click the Edit icon.

Change the relevant settings in the pop-out window, I will be altering the static IP Pool to include an additional 2 addresses. Click Ok once complete.

We can see the IP Pool has used 22/24 addresses.

Now there are available addresses we can go ahead and use the IP Pool for our new service deployment.
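The Requirements section earlier says the ESX Agent IP addresses (two per host) should be planned into the solution design, and this section shows a pool that filled up at 22/22 and was extended by two addresses. The following Python script is an added example, not part of the original post and not an NSX API: it takes the per-host agent footprint from the Requirements section (one IP each for the Guest Introspection and McAfee MOVE agents, plus their RAM, vCPU and disk), sizes a static IP pool range, and works out whether a planned cluster fits in the pool's free addresses and, if not, what new end address the pool would need. It also checks that the extended range stays inside the pool's subnet, which the wizard's edit dialog will not do for you. The pool ranges, host counts and subnet are constructed sample input.

```python
"""Capacity check for NSX service-deployment IP pools.

Added example, not part of the original post. Per-host figures come from the
post's Requirements section; pool ranges and host counts are constructed.
"""
import ipaddress

# Per-host ESX Agent footprint as listed in the post's Requirements section.
AGENTS_PER_HOST = {
    "Guest Introspection": {"ram_gb": 1, "vcpu": 2, "disk_gb": 5},
    "McAfee MOVE": {"ram_gb": 2, "vcpu": 2, "disk_gb": 15},
}


def agent_footprint(hosts):
    """Total agent VMs, IP addresses, RAM, vCPU and disk for a cluster of `hosts`."""
    agents = len(AGENTS_PER_HOST) * hosts
    return {
        "agents": agents,
        "ips": agents,  # one IP address per ESX Agent
        "ram_gb": sum(a["ram_gb"] for a in AGENTS_PER_HOST.values()) * hosts,
        "vcpu": sum(a["vcpu"] for a in AGENTS_PER_HOST.values()) * hosts,
        "disk_gb": sum(a["disk_gb"] for a in AGENTS_PER_HOST.values()) * hosts,
    }


def pool_size(start, end):
    """Number of addresses in an inclusive static IP pool range."""
    s, e = ipaddress.ip_address(start), ipaddress.ip_address(end)
    if e < s:
        raise ValueError("pool end precedes pool start")
    return int(e) - int(s) + 1


def pool_check(start, end, used, planned_hosts, network=None):
    """Compare a pool's free addresses with what a planned cluster needs.

    Returns the Used / Total figures the NSX UI shows, the shortfall, and the
    new end address that would cover it (None if extending the range would
    leave the pool's subnet or land on its broadcast address).
    """
    total = pool_size(start, end)
    if used > total:
        raise ValueError("used count exceeds pool size")
    needed = agent_footprint(planned_hosts)["ips"]
    free = total - used
    shortfall = max(0, needed - free)
    new_end = ipaddress.ip_address(end) + shortfall
    fits = True
    if network is not None:
        net = ipaddress.ip_network(network, strict=False)
        fits = new_end in net and new_end != net.broadcast_address
    return {
        "total": total, "used": used, "free": free, "needed": needed,
        "shortfall": shortfall,
        "new_end": str(new_end) if fits else None,
        "fits_subnet": fits,
    }


if __name__ == "__main__":
    # Constructed sample: a full 22-address pool and one more host to deploy.
    print(agent_footprint(4))
    print(pool_check("10.0.0.10", "10.0.0.31", 22, 1, "10.0.0.0/24"))
```

Run against the pool you are about to extend, with the Used / Total values read from the Grouping Objects page; a result of fits_subnet False means the pool cannot simply be extended in place and a second pool or a larger subnet is needed. Because agent IPs are allocated per host, run the check once per cluster rather than once per vCenter.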