VMware NSX Endpoint - preparing for antivirus protection

By | October 21, 2017

As I already mentioned, since NSX 6.2.3, all vSphere customers with Essential Plus or higher can use NSX Edpoint for antivirus offloaded protection. When you deploy NSX Manager and register it to vCenter, you can find a "NSX for vShield Endpoint" license in the vCenter license inventory:vmware-nsx-endpoint-preparing-for-antivirus-protection-1

vShield Manager was EOL in September this year so migration (upgrade or fresh install) to NSX Manager is highly recommended. In this post I will show how to prepare NSX for integrating with 3rd antyvirus such as McAffee or Symantec.

  1. Deploy NSX Manager and register it to vCenter.
  2. Create an IP Pool for Guest Interospection VMs (a service virtual machine on each host in the cluster):
    1. Click Networking & Security and then click NSX Managers
    2. Click an NSX Manager in the Name column and then click the Manage tab.
    3. Click the Grouping Objects tab and then click IP Pool.Click the Add New IP Pool icon.vmware-nsx-endpoint-preparing-for-antivirus-protection-2
    4. Type a name for the IP pool and type the default gateway.
    5. Type the primary and secondary DNS and the DNS suffix and the prefix length.vmware-nsx-endpoint-preparing-for-antivirus-protection-3
    6. Type the IP address ranges to be included in the pool and click OK.
  3. Deploy Guest Introspection VMs for vSphere Cluster.
    1. On the Installation tab, click Service Deployments.vmware-nsx-endpoint-preparing-for-antivirus-protection-4
    2. Click the New Service Deployment icon shown on the above figure.
    3. In the Deploy Network and Security Services dialog box, select Guest Introspection.vmware-nsx-endpoint-preparing-for-antivirus-protection-5
    4. Select the datacenter (1) and cluster (2) where you want to install Guest Introspection, and click Next. vmware-nsx-endpoint-preparing-for-antivirus-protection-6
    5. On the Select storage and Management Network Page, select the datastore on which to add the service virtual machines storage (1). Select the distributed virtual port group to host the management interface (2). In IP assignment, select a pool created in the earlier steps (3)(4).vmware-nsx-endpoint-preparing-for-antivirus-protection-7
    6. Click Next and then click Finish on the Ready to complete page.Wait when until the Installation Status column displays Succeeded.vmware-nsx-endpoint-preparing-for-antivirus-protection-8
  4. There should be deployed some VMs - on each ESXi host in the vSphere cluster. Those VMs belong to ESX Agent resource pool.vmware-nsx-endpoint-preparing-for-antivirus-protection-9
  5. Each Guest Introspection VM (based on SUSE Linux) has the following hardware specification - 1GB RAM, 2 vCPU.vmware-nsx-endpoint-preparing-for-antivirus-protection-10-spec2
  6. NSX Endpoint is ready. Now please follow the 3rd party guide to install and integrate antivirus with NSX.

Summary

NSX Endpoint installation is easy and straightforward. If you need to migrate from vShield Manager to NSX Manager and you use it only for antyvirus protection (e.g. no vShield edges) , I recommend you to perform a fresh installation. You can easly remove vShield Manager plugin from vCenter using MOB.