

vShield 5 App Deep Dive Series Part 1: Deployment options for vShield Manager with vCenter Server

A very common question has been whether vShield App can protect the same cluster that runs its associated vCenter Server and vShield Manager. With 5.0.1, this is no longer a limitation! There are some minor trade-offs, which I describe…

vShield management is centralized in the vShield Manager Service Virtual Machine (SVM), and vShield Manager operations are exposed in the vCenter Server UI. In vShield 5.0, neither of these management components could be installed in the cluster they were managing vShield App for. The issue was that, at certain points in the install process, the vCenter Server and vShield Manager virtual machines could be cut off from communication with the very infrastructure they were managing.

vShield App 5.0 Option 1: Cross-managed cluster model. This requires a second vCenter Server, but in return gives you more redundancy.

[Diagram: cross-managed vShield Manager and vCenter Server clusters]

vShield App 5.0 Option 2: Shared management cluster for vShield App. This isolates the management components from hardware failures in the production cluster.

[Diagram: separate management cluster for vShield Manager and vCenter Server]

With vShield 5.0.1, we now can put everything in one cluster!

 

New Option with 5.0.1: vShield App in a Single Cluster

[Diagram: vShield Manager and vCenter Server in a single cluster]

With 5.0.1, vShield Manager now has a VM exclusion list. Adding a VM to it disables all vShield App protection for that VM, which is what lets the management VMs live safely inside the protected cluster.

The steps for using the exclusion list are covered in the admin guide on page 51.

Procedure

  1. Log in to the vShield Manager.
  2. Click Settings & Reports from the vShield Manager inventory panel.
  3. Click the "vShield App" tab.
  4. In "Virtual Machines Exclusion List", click Add. The Add Virtual Machines to Exclude dialog box opens.
  5. Click in the field next to Select and click the virtual machine you want to exclude. Click Select. The selected virtual machine is added to the list.
  6. Click OK.

 

Here is a screenshot borrowed from Duncan Epping’s great blog post:

[Screenshot: vShield Manager Virtual Machines Exclusion List UI]

One Caveat:

SpoofGuard, which is part of vShield App, is also disabled for the excluded VMs. The catch is that the MAC/IP pairs for excluded VMs will still show up in the SpoofGuard tab of the UI, even though no enforcement is happening for them.
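The practical consequence of the exclusion list and the SpoofGuard caveat is that an excluded VM has no vShield App protection at all, while the UI still looks as if SpoofGuard knows about it. The following Python is an added illustration, not vShield code: it models that behaviour with constructed sample VMs and adds the audit a practitioner would want, a check that only the intended management VMs (vCenter Server and vShield Manager) are on the list. The VM names, MAC and IP values, and the `VShieldAppModel` class are assumptions made for the example.

```python
"""Added example: toy model of the vShield App exclusion list and an audit of it.

Nothing here talks to a real vShield Manager; the classes and sample VMs are
constructed so the example runs offline.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Vm:
    """A virtual machine as vShield App would see it (constructed sample data)."""
    name: str
    mac: str
    ip: str


@dataclass
class VShieldAppModel:
    """Hypothetical model of vShield App behaviour for excluded VMs.

    An excluded VM bypasses both the App firewall and SpoofGuard, but the
    MAC/IP pair SpoofGuard learned for it is still listed in the SpoofGuard
    view, which is the caveat the post describes.
    """
    exclusion_list: set[str] = field(default_factory=set)
    learned_pairs: dict[str, tuple[str, str]] = field(default_factory=dict)

    def exclude(self, vm: Vm) -> None:
        """Equivalent of adding the VM in the Virtual Machines Exclusion List dialog."""
        self.exclusion_list.add(vm.name)

    def observe_traffic(self, vm: Vm) -> None:
        """SpoofGuard learns a MAC/IP pair for every VM it sees, excluded or not."""
        self.learned_pairs[vm.name] = (vm.mac, vm.ip)

    def firewall_enforced(self, vm: Vm) -> bool:
        """App firewall rules apply only to VMs that are not excluded."""
        return vm.name not in self.exclusion_list

    def spoofguard_enforced(self, vm: Vm) -> bool:
        """SpoofGuard is disabled together with the firewall for excluded VMs."""
        return vm.name not in self.exclusion_list

    def spoofguard_tab(self) -> dict[str, tuple[str, str]]:
        """What the SpoofGuard tab shows: every learned pair, excluded VMs included."""
        return dict(self.learned_pairs)


def audit_exclusions(model: VShieldAppModel, approved: set[str]) -> list[str]:
    """Return excluded VM names that are not on the approved management list.

    Exclusion removes all vShield App protection, so the list should contain
    only the VMs that need it (vCenter Server, vShield Manager); anything else
    on it is a silently unprotected workload.
    """
    return sorted(model.exclusion_list - approved)


def listed_but_unenforced(model: VShieldAppModel) -> list[str]:
    """VMs whose MAC/IP pair appears in the SpoofGuard tab although SpoofGuard
    is not actually enforcing for them (the caveat made visible)."""
    return sorted(name for name in model.learned_pairs if name in model.exclusion_list)


def build_sample_model() -> VShieldAppModel:
    """Constructed scenario: two management VMs plus one workload excluded by mistake."""
    vcenter = Vm("vcenter01", "00:50:56:aa:00:01", "10.0.0.10")
    vsm = Vm("vshield-mgr", "00:50:56:aa:00:02", "10.0.0.11")
    web = Vm("web01", "00:50:56:aa:00:03", "10.0.1.20")
    model = VShieldAppModel()
    for vm in (vcenter, vsm, web):
        model.observe_traffic(vm)
    for vm in (vcenter, vsm, web):  # web01 should not be here
        model.exclude(vm)
    return model


if __name__ == "__main__":
    m = build_sample_model()
    print("unexpected exclusions:", audit_exclusions(m, {"vcenter01", "vshield-mgr"}))
    print("shown in SpoofGuard tab but unenforced:", listed_but_unenforced(m))
```

Running the script reports `web01` as an unexpected exclusion and lists all three excluded VMs as present in the SpoofGuard tab without enforcement, which is exactly why the exclusion list deserves a periodic review rather than trust in what the SpoofGuard tab appears to show.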