McAfee MOVE with NSX Install Guide

McAfee Management for Optimised Virtual Environments (MOVE) is an anti-virus solution that removes the need for an individual agent install on every guest virtual machine, providing performance benefits and administrative savings at the same time as full anti-virus and malware protection.

MOVE Agentless AntiVirus safeguards virtualised environments using advanced malware protection; integrating real-time threat intelligence with security management whilst offloading all on-access scanning to a dedicated service virtual machine. The agentless solution integrates with NSX Manager and Service Composer for policy and event handling, meaning virtual machines are protected as soon as they are provisioned.

This post will detail the installation and configuration process for the McAfee MOVE service deployment and the associated VMware components, NSX Manager and Guest Introspection. You should already have an ePO server and vCenter server in place.

Architecture

NSX Manager is deployed and registered with vCenter Server on a 1:1 mapping. Upon registration a plug-in is injected into the vSphere web client to enable deployment and management of logical networks and services.

Service deployments consisting of the Guest Introspection and McAfee MOVE ESX Agents are deployed to vSphere clusters; when a host is added to the cluster the configured services are automatically deployed. The McAfee Service Virtual Appliance (SVA) relies on VirusScan Enterprise for Linux for protection and updates, and utilises Global Threat Intelligence (GTI) for real time malware defense.

NSX Manager integrates with McAfee ePolicy Orchestrator to export profile configurations to be used when creating security profiles with Service Composer. Policies are applied to objects, such as clusters, belonging to an NSX security group, which ensures all virtual machines and hosts are instantly protected. The McAfee ePO integration also allows for management of Service Virtual Machines and reports.

Versions

We will be installing NSX Manager 6.2.4 with McAfee MOVE Agentless 3.6.1 (advanced license), on vCenter 6.0 and ESXi 6.0, version 5.5 of both can also be used. The ePO version should be 4.6.8, 5.1.0, 5.1.1 or 5.3.0. If you are using different versions check the McAfee MOVE compatibility matrix. There is a multi-platform version of McAfee MOVE compatible with Microsoft and Citrix hypervisors, which is beyond the scope of this guide.

With regards to deploying McAfee MOVE in a vCloud Networking and Security (vCNS) environment, using vShield Manager and Endpoint, these products are now end of life. The replacement solution is NSX Manager with Guest Introspection. For assistance with upgrading vShield Manager review Upgrading vShield Manager to NSX Manager.

New post: McAfee MOVE 4.5.0 Upgrade Guide with NSX

Requirements

  • The NSX Manager appliance (1 per vCenter) is preconfigured with 16 GB RAM, 4 vCPU and 60 GB disk. VMware recommend a memory reservation for NSX Manager in production environments.
  • The Guest Introspection agent (1 per host) is preconfigured with 1 GB RAM, 2 vCPU and 5 GB disk.
  • The McAfee MOVE agent (1 per host) is preconfigured with 2 GB RAM, 2 vCPU and 15 GB disk.
  • Each ESX Agent you deploy requires an IP address; 2 per host. This should be planned into the solution design as you will need to assign IP addresses using either DHCP or an IP pool of reserved addresses.
  • A vSphere Distributed Switch (vDS) must be used. There is a workaround for this by configuring the Agent VM Settings on each host; however, this should be used for environments such as ROBO and not datacentres.
  • ESXi servers must be grouped into clusters, even if only a single ESXi host resides in a cluster.
  • Connectivity between the NSX Manager and vCenter / ESXi management networks is required. If you have any firewalls in place review the NSX network port requirements.
  • Environmental variables: correct DNS configuration, time synchronisation, and vSphere administrator access.
  • VMware Tools must be installed on the guest virtual machines as this includes the Guest Introspection driver necessary for offloading on-access scanning.
  • The McAfee MOVE licensing model is as follows: product trial for use with up to 10 hypervisors in a non-production environment, basic license for manual deployment of the Security Virtual Appliance (SVA) bought as a standalone product, advanced license for McAfee ePO based SVA deployment (packaged with Server Security Suite Essentials, Advanced, and Desktop).
  • NSX Manager has a number of licensing models, the default license with NSX Manager v6.2.4 and later includes use of Guest Introspection for offloaded AV. For additional features compare NSX versions.
  • If you have licensing queries check with McAfee support and your VMware account manager.

This guide is intended as a consolidation of the end-to-end process; before beginning any implementation you should review further documentation, including the MOVE AV Agentless Product Guide and the VMware NSX 6.2 Documentation Centre.

Installation Part 1 – NSX Manager

Download the NSX Manager OVA file from the Download VMware NSX for vSphere page.

Deploy the OVA file to your vCenter server and configure the appliance network settings in the customisation options. Once the NSX Manager appliance is deployed and powered on, open a web browser to the specified IP address and log in with the admin account; if you didn’t change the password during deployment the default password is default.

Click Manage vCenter Registration and, under vCenter Server, click Edit. Enter the name of the vCenter server to register NSX Manager with and the relevant credentials, then click Ok. It is good practice to set the time settings and host name in the Manage Appliance Settings page; you can also configure a syslog server, backups, network settings, etc.

After configuring NSX Manager restart the VMware vSphere Web Client on the vCenter Server the NSX Manager was registered with. You may also need to restart your browser. Log in to the vSphere web client and browse to Networking & Security, click NSX Managers and verify the newly deployed NSX Manager is present.

To configure additional permissions select the NSX Manager and click Manage, Users. Here you can add, edit, and remove users and permissions. Each role provides a description of the level of access, for more information on NSX permissions click here. To add Active Directory permissions to NSX Manager select the Domains tab, and click the green plus symbol to add the LDAP details.

If you have a license key to apply to NSX Manager you can do so under the Administration option from the home page of the vSphere web client, select Licenses, Assets, Solutions, NSX.

Part 2 – McAfee ePO

Depending on your environment some of the steps below might already be configured, you may also need to repeat sections for multiple vCenters. Download the MOVE AntiVirus Agentless zip package, the MOVE AntiVirus Agentless extension for McAfee ePO, and the Data Center Connector for vSphere from McAfee downloads.

Log in to McAfee ePO as an administrator and browse to Menu, Software, Extensions. Click Install Extension and install the MOVE AntiVirus Agentless extension and the Data Center Connector for vSphere extension.

Next we need to register the vCenter, browse to Menu, Configuration, Registered Cloud Accounts. Click Actions, Add Cloud Account. Ensure VMware vSphere is selected and input the vCenter details.

Before deploying MOVE we create a common configuration on the ePO server for use with each Service Virtual Machine (SVM). Browse to Menu, Automation, MOVE AV Agentless. On the Configuration tab select General, enter your administrative password and configure a naming convention and admin password for use with each SVM.

Next we can check in the SVM zip package downloaded earlier, browse to Menu, Automation, MOVE AV Agentless. From the Configuration tab select SVM repository and Actions, Add SVM.

The extensions we installed will automatically detect NSX Manager instances, however we still need to register these with McAfee ePO. Click Menu, Automation, MOVE AV Agentless. From the Configuration tab select NSX Manager, the discovered instances of NSX Manager will be listed, click Edit. Fill in the NSX Manager details, validate the credentials can connect, and click Save.

Next we register the MOVE AntiVirus service with McAfee ePO: browse to Menu, Automation, MOVE AV Agentless. Select the Service tab and click NSX Manager; the registered vCenters and associated NSX Managers will be listed, click Register. The McAfee MOVE AV service should now be listed in the vSphere web client under Networking & Security, Service Definitions. Once McAfee MOVE is defined as a service definition in vSphere, any scan policies are exported from McAfee ePO to NSX in real time.

Part 3 – Service Deployments

Guest Introspection and McAfee MOVE are service deployments installed on a per cluster basis using the vSphere web client. Guest Introspection must be deployed before McAfee MOVE. Once a cluster has a service deployment installed any new host added to the cluster automatically receives the ESX Agents.

To deploy Guest Introspection log into the vSphere web client and browse to Networking & Security, then click Installation. Click the green plus symbol to add a new service deployment.

In the new service deployment screen select Guest Introspection and click Next.

Select the cluster or clusters to deploy the service to and click Next.

Select the storage and management network for the ESX Agents. The default IP assignment is DHCP, so ensure the selected network has access to a DHCP server. Alternatively click Change and select IP Pool. You can select an existing IP Pool or create a new one with the necessary network details. If your IP Pool fills up follow the steps outlined here to extend it. When the storage and network settings are configured click Next.

Review the details on the confirmation page and click Finish.

The service will now be deployed, the status will be displayed in the Installation Status column. You will also see the ESX Agents being deployed in the vSphere recent tasks pane. Once complete the installation status should show succeeded and the service status ok.

Click the green plus symbol to add a new service deployment. In the new service deployment screen select McAfee MOVE AV and click Next.

Select the cluster or clusters to deploy the service to and click Next.

Select the storage and management network for the ESX Agents. The default IP assignment is DHCP, so ensure the selected network has access to a DHCP server. Alternatively click Change and select IP Pool. You can select an existing IP Pool or create a new one with the necessary network details. If your IP Pool fills up follow the steps outlined here to extend it. When the storage and network settings are configured click Next.

Review the details on the confirmation page and click Finish.

The service will now be deployed, the status will be displayed in the Installation Status column. You will also see the ESX Agents being deployed in the vSphere recent tasks pane. Once complete the installation status should show succeeded and the service status ok. Each host will now contain an ESX Agents resource group with the installed service deployments.

If you are using stateless environments then you should update the Auto Deploy image with the NSX VIBs, otherwise the Guest Introspection status will change to not ready after a host is rebooted.

Browse to https://NSX/bin/vdn/nwfabric.properties (where NSX is the IP or FQDN of the NSX Manager) and find the VIB URL for your version of ESXi; opening the relevant URL will automatically download vxlan.zip. For assistance with updating Auto Deploy images see the VMware Auto Deploy Guide.

Part 4 – Service Composer

The final stage is to create and apply security policies to the security group containing virtual machines that you want to protect. McAfee MOVE is optimised for virtual environments and as such the settings out of the box are set to provide maximum protection with minimum overhead. However you can exclude certain file types and create on-access scan schedules tailored to your environment if preferred.

In this example we will be applying the default McAfee scan policy. To create your own scan policies log in to McAfee ePO and browse to Menu, Policy, Policy Catalog and select New Policy. Remember any scan policies created in ePO are automatically exported to NSX.

In the vSphere web client go to Networking & Security, Service Composer and open the Security Policies tab. Click the New Security Policy icon.

Add a new Guest Introspection Service that applies the service profile from ePO, in our case this is the McAfee MOVE AV My Default policy. Click Ok and Finish.

Now we need to create a security group to apply the policy to, select the Security Groups tab and click the New Security Group icon. Enter a group name and description, configure the objects to include and exclude and click Finish. (You can change the Object Type to datacentres, clusters, virtual machines, etc.)

Finally we apply the policy to the newly created group by clicking the Apply Policy icon. Select the policy and group to apply to and click Ok.

The default policy is now applied and members of the security group are protected. Depending on your environment and existing ePO policy standards you may want to set up separate policies such as quarantine, tagging, etc. For further assistance with McAfee policies refer to the MOVE AV Agentless Product Guide.

NSX Manager Guest Introspection

Guest introspection is a service that is deployed from NSX Manager to offload security functions to a dedicated security appliance on each host; thus removing the need for an AV agent within the guest operating system.

Using the Guest Introspection driver baked into VMware Tools and a third party service virtual machine, such as McAfee MOVE, all virtual machines are protected by real-time inspection as soon as they are powered on. This reduces administrative and guest memory overheads, whilst standardising deployments.

vShield Manager and Endpoint

Guest introspection functionality was previously achieved using vShield Manager with vShield Endpoint as part of the vCloud Networking and Security suite. NSX Manager v6.2.4 onwards is the replacement product for vShield Manager, which has now reached end of life. Guest Introspection replaces vShield Endpoint; you may have noticed that in ESXi 5.5 U2 the vShield drivers were renamed to Guest Introspection drivers as part of the VMware Tools install.

When upgrading from vShield Manager to NSX Manager the vShield Endpoint VIBs are already present on the hosts, these need upgrading to Guest Introspection. For assistance with upgrading from vShield Manager to NSX Manager see the post Upgrading vShield Manager to NSX Manager. This post will detail a clean installation process for the Guest Introspection service, as well as extending an IP Pool for use with Guest Introspection.

NSX Manager and Guest Introspection

Guest introspection is installed on a per cluster basis using the vSphere web client. Deploying Guest Introspection installs a new VIB and ESX Agent on each host in the cluster. You should check with your third party security vendor for compatibility and specific instructions. In most cases, such as with McAfee MOVE, an additional service virtual machine for offloaded anti-malware and AV scanning is deployed to each host.

Both the Guest Introspection ESX Agent and the third party appliance require storage and a dedicated IP address, which can be assigned using either DHCP or a VMware IP pool. The IP addressing of these ESX Agents should be factored into your solution design. The network is provided by a vSphere Distributed Switch; if you are not using distributed switches it is possible, as a workaround, to set an agent network on each host under Configuration > Agent VM Settings in vSphere.

To enable Guest Introspection log into the vSphere web client and browse to Networking & Security, then click Installation. Click the green plus symbol to add a new service deployment.

In the new service deployment screen select Guest Introspection and click Next.

Select the cluster or clusters to deploy the service to and click Next.

Select the storage and management network for the ESX Agents. The default IP assignment is DHCP, so ensure the selected network has access to a DHCP server. Alternatively click Change and select IP Pool. You can select an existing IP Pool or create a new one with the necessary network details. If your IP Pool fills up follow the steps at the bottom of this post to extend it. When the storage and network settings are configured click Next.

Review the details on the confirmation page and click Finish.

The service will now be deployed, the status will be displayed in the Installation Status column. You will also see the ESX agents being deployed in the vSphere recent tasks pane.

Once complete the installation status should show succeeded and the service status ok. The Guest Introspection service has now been deployed to the selected clusters and you can move on to deploying and configuring your chosen third party appliance.

If you are using stateless environments then you should update the Auto Deploy image with the NSX VIBs, otherwise the guest introspection status will change to not ready after a host is rebooted.

Browse to https://NSX/bin/vdn/nwfabric.properties (where NSX is the IP or FQDN of the NSX Manager) and find the VIB URL for your version of ESXi, open the relevant URL which will auto download vxlan.zip. For assistance with updating Auto Deploy images see the VMware Auto Deploy Guide.
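The stateless-host step above (and the identical step in Part 3 of the MOVE guide) asks you to pick the right VIB URL out of nwfabric.properties by hand. The following is an added example, not code from the original post or from VMware: it parses the numbered VDN_VIB_PATH.n / VDN_VIB_VERSION.n / VDN_HOST_PRODUCT_LINE.n / VDN_HOST_VERSION.n key layout of that file and returns the vxlan.zip URL whose host-version glob matches the ESXi version an Auto Deploy image profile targets. SAMPLE_PROPERTIES is constructed to mirror that layout; the build numbers in it are placeholders, not real NSX builds, and the NSX Manager host name is an assumed value.

```python
"""Pick the NSX host-preparation VIB bundle for an ESXi version.

Added example, not code from the original post or from VMware. It parses the
numbered key/value layout of nwfabric.properties and returns the vxlan.zip
URL whose host-version glob matches the requested ESXi version.
SAMPLE_PROPERTIES is constructed; its build numbers are placeholders.
"""
import fnmatch
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample. A real copy is fetched from
# https://<NSX Manager>/bin/vdn/nwfabric.properties
SAMPLE_PROPERTIES = """\
# 5.5 VDN EAM Info
VDN_VIB_PATH.1=/bin/vdn/vibs-6.2.4/5.5-0000001/vxlan.zip
VDN_VIB_VERSION.1=0000001
VDN_HOST_PRODUCT_LINE.1=embeddedEsx
VDN_HOST_VERSION.1=5.5.*
# 6.0 VDN EAM Info
VDN_VIB_PATH.2=/bin/vdn/vibs-6.2.4/6.0-0000001/vxlan.zip
VDN_VIB_VERSION.2=0000001
VDN_HOST_PRODUCT_LINE.2=embeddedEsx
VDN_HOST_VERSION.2=6.0.*
"""

# KEY.n=value, e.g. VDN_HOST_VERSION.2=6.0.*
_KEY_RE = re.compile(r"^(?P<key>[A-Z_]+)\.(?P<idx>\d+)\s*=\s*(?P<value>.*)$")

_REQUIRED_KEYS = ("VDN_VIB_PATH", "VDN_VIB_VERSION", "VDN_HOST_VERSION")


@dataclass
class VibEntry:
    index: int
    path: str          # /bin/vdn/vibs-<nsx>/<esxi>-<build>/vxlan.zip
    vib_version: str
    product_line: str  # embeddedEsx for ESXi
    host_version: str  # glob such as 6.0.*


def parse_nwfabric(text: str) -> List[VibEntry]:
    """Group the numbered VDN_* keys into one VibEntry per index."""
    groups: Dict[int, Dict[str, str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _KEY_RE.match(line)
        if m:
            idx = int(m.group("idx"))
            groups.setdefault(idx, {})[m.group("key")] = m.group("value").strip()

    entries: List[VibEntry] = []
    for idx in sorted(groups):
        g = groups[idx]
        if not all(key in g for key in _REQUIRED_KEYS):
            # A partial group means a truncated download or a changed layout;
            # skip it rather than build a URL from incomplete data.
            continue
        entries.append(VibEntry(idx, g["VDN_VIB_PATH"], g["VDN_VIB_VERSION"],
                                g.get("VDN_HOST_PRODUCT_LINE", ""), g["VDN_HOST_VERSION"]))
    return entries


def _three_part(version: str) -> str:
    """'6.0' -> '6.0.0' so short versions still match 'major.minor.*' globs."""
    parts = version.strip().split(".")
    while len(parts) < 3:
        parts.append("0")
    return ".".join(parts)


def vib_url_for(nsx_manager: str, esxi_version: str,
                text: str = SAMPLE_PROPERTIES) -> Optional[str]:
    """Full vxlan.zip URL for the entry matching esxi_version, or None."""
    wanted = _three_part(esxi_version)
    for entry in parse_nwfabric(text):
        if entry.product_line not in ("", "embeddedEsx"):
            continue
        if fnmatch.fnmatchcase(wanted, entry.host_version):
            return f"https://{nsx_manager}{entry.path}"
    return None


if __name__ == "__main__":
    # Assumed host name; replace with your NSX Manager IP or FQDN.
    print(vib_url_for("nsx-manager.example.test", "6.0.0"))
```

Feed the function the text you downloaded from your own NSX Manager rather than the sample; a `None` result means the file has no entry for that ESXi release and the image should not be built until the mismatch is understood. The vxlan.zip the URL points at is an offline bundle, which is the form the Auto Deploy / Image Builder tooling consumes when you add it to the image profile.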

  • Service deployment failed with Agent VIB module cannot be detected on the host? See this post.
  • Guest Introspection intermittently losing connectivity? See this post.

Extending NSX Manager IP Pools

When creating Service Deployments through NSX Manager a new IP Pool can be created for use with the service. Although the service deployment wizard lets us create new pools, there is no option to extend an existing pool. In the event a pool requires additional capacity you can follow the steps outlined below.

From the home page of the vSphere web client select Networking & Security, click NSX Managers.

With the NSX Manager selected open the Manage tab and click Grouping Objects, IP Pools.

The existing IP Pools will be listed, here you can add, remove, and edit IP Pools. The Used / Total column will tell you how many IP addresses have been used in the pool. For this example we have an IP Pool with 22/22 used addresses, we will therefore extend the pool. Select the IP Pool to extend and click the Edit icon.

Change the relevant settings in the pop-out window, I will be altering the static IP Pool to include an additional 2 addresses. Click Ok once complete.

We can see the IP Pool has used 22/24 addresses.

Now there are available addresses we can go ahead and use the IP Pool for our new service deployment.
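The 22/22 situation above is avoidable if the pool is sized before the deployment rather than extended afterwards. The following is an added example, not code from the original post or from VMware: it applies the sizing rule stated in the Requirements (one address per host for the Guest Introspection ESX Agent and one for the McAfee MOVE SVA) to a pool written as the "start-end" ranges the NSX static IP pool field takes, validates the ranges against the subnet and gateway, and reports how many addresses are still missing. All addresses, cluster names and host counts are constructed sample values.

```python
"""Capacity check for an NSX IP Pool used by service deployments.

Added example, not code from the original post or from VMware/McAfee. Each
host consumes one address for the Guest Introspection ESX Agent and one for
the McAfee MOVE SVA, so a pool must hold at least 2 x (hosts in the clusters
it serves). Ranges use the "start-end" form of the NSX static IP pool field.
All addresses and host counts below are constructed sample values.
"""
import ipaddress
from typing import Dict, List, Tuple

AGENTS_PER_HOST = 2  # Guest Introspection ESX Agent + McAfee MOVE SVA


def parse_range(spec: str, network: ipaddress.IPv4Network,
                gateway: ipaddress.IPv4Address) -> Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]:
    """Validate one 'start-end' range and return it as a pair of addresses."""
    start_s, end_s = (part.strip() for part in spec.split("-", 1))
    start = ipaddress.ip_address(start_s)
    end = ipaddress.ip_address(end_s)
    if end < start:
        raise ValueError(f"range {spec!r} ends before it starts")
    if start not in network or end not in network:
        raise ValueError(f"range {spec!r} is outside {network}")
    if start <= gateway <= end:
        raise ValueError(f"range {spec!r} contains the gateway {gateway}")
    return start, end


def pool_capacity(ranges: List[str], prefix: str, gateway: str) -> int:
    """Total addresses across all ranges of the pool, after validation."""
    network = ipaddress.ip_network(prefix, strict=False)
    gw = ipaddress.ip_address(gateway)
    total = 0
    for spec in ranges:
        start, end = parse_range(spec, network, gw)
        total += int(end) - int(start) + 1
    return total


def required_addresses(cluster_hosts: Dict[str, int]) -> int:
    """Addresses the ESX Agents of all listed clusters will draw from the pool."""
    return AGENTS_PER_HOST * sum(cluster_hosts.values())


def pool_shortfall(ranges: List[str], prefix: str, gateway: str,
                   cluster_hosts: Dict[str, int]) -> int:
    """Addresses still needed; 0 when the pool is already large enough."""
    return max(0, required_addresses(cluster_hosts) - pool_capacity(ranges, prefix, gateway))


if __name__ == "__main__":
    # Constructed: a 22-address pool serving 11 hosts, as in the post.
    pool = ["10.0.10.10-10.0.10.31"]
    clusters = {"cluster-a": 6, "cluster-b": 5}
    print(pool_shortfall(pool, "10.0.10.0/24", "10.0.10.1", clusters))
    clusters["cluster-b"] += 1  # a twelfth host joins: 24 addresses needed
    print(pool_shortfall(pool, "10.0.10.0/24", "10.0.10.1", clusters))
```

Run it against the ranges shown in the Grouping Objects > IP Pools edit dialog and the host counts of every cluster that selects the pool; a non-zero shortfall is the number of addresses to add in the edit step above before the next service deployment.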

Upgrading vShield Manager to NSX Manager

VMware vCloud Networking and Security 5.5.x reaches end of life on 19th September 2016; the vCloud Networking and Security suite is being replaced by NSX.

The final release of vCNS was compatible with vSphere 6, however with the caveat that any new vSphere 6 features have not been tested. This combined with the imminent end of general support means that customers using vShield Manager components to offload anti-virus and malware scanning should be upgrading to NSX Manager sooner rather than later.

With release 6.2.3 of NSX the default license upon install is ‘NSX for vShield Endpoint’ which allows management of vShield Endpoint from NSX Manager. This new feature is available to those who have already purchased vSphere with vShield Endpoint (Essential Plus and above) to assist with the transition from vCNS.

Requirements

  • Both vCenter and vShield should be at version 5.5 or above.
  • NSX Manager requires a minimum of 16 GB RAM, 4 vCPU and a 60 GB disk. You will need to shut down the vShield Manager and increase resources accordingly prior to the upgrade.
  • Confirm compatibility of any third party products such as backup, monitoring, AV service appliances.
  • Ensure you have a good back up and take a snapshot of your existing vShield Manager.
  • Download the vShield Manager upgrade bundle from the VMware downloads portal.
  • NSX consolidates the UI and CLI passwords. Previous versions of vShield Manager could have different UI and CLI passwords, after upgrading to NSX only the CLI password will be used so make sure you have this.

If you are upgrading to NSX Manager with McAfee MOVE then see also the McAfee MOVE Setup Guide.

Process

Open the vSphere client, select vShield Manager from the Home screen and log in as an administrator.

Click Updates and Upload Upgrade Bundle. Upload the .gz bundle downloaded earlier, once complete click Install.

Review the change in software versions and click Confirm Install.

Once the installer is complete the virtual appliance will reboot.

When the virtual appliance comes back online browse to the IP or FQDN of your NSX Manager (this is the same management IP or FQDN as the vShield Manager).

Log in with the same admin details as the vShield Manager and select Manage vCenter Registration. Confirm the vCenter is connected.

NSX Manager can also be managed from the vSphere web client under Networking & Security > NSX Managers. You will need to restart the vSphere web client services on the vCenter server, and you may need to clear your browser’s cache if the NSX plugin is not present or does not display properly.

Finally we need to upgrade Guest Introspection to match the NSX Manager version.

Open the vSphere web portal and click Networking & Security > Installation > Service Deployments.

Select the cluster to upgrade and click the green upgrade icon. Confirm the details and click Ok. Once a cluster is upgraded you can go ahead and upgrade any partner solutions.

Update – NSX Manager 6.2.3 was replaced with NSX Manager 6.2.4, however all steps in this post remain the same. For further assistance with Guest Introspection see the post NSX Manager Guest Introspection.