posted

0 Comments

Updating VMware Tools for VMware AppDefense

 

VMware AppDefense requires the installation of a guest module that comes included with VMware Tools 10.3.2 and above. VMware Tools 10.3.2 is only included in ESXi 6.7 U1+ and VMware Tools 10.3.5 is only included in ESXi 6.5 P03+. This means that it may be necessary to update the version of VMtools that’s packaged with your ESXi hosts for easy upgrade. In this blog we’ll explain how to quickly update the VMware Tools image on ESXi using VMware Update Manager. VMware Update Manager (VUM) streamlines upgrades and host remediations tasks allowing you to perform these tasks across multiple servers at once.

 

Checking the Version of VMtools on ESXi

ESXi typically comes bundled with a predefined version of VMtools. To check which version of VMtools was shipped with your version of ESXi please visit: https://packages.vmware.com/tools/versions. Based on this website, unless your hosts are at version 6.7 Update 1, you most likely don’t have the latest version of VMtools. Even if you are running the latest version of ESXi which is 6.7 Update 2, you would only get VMtools version 10.3.5 and the latest version at the time of writing this post is version 10.3.10.

Thus, it’s my recommendation to start by downloading the latest VMtools image to update your ESXi hosts.

 

Downloading VMtools

To update the version of VMware tools hosted on ESXi, we must download the offline-vib bundle from my.vmware.com. Here is a direct link to the 10.3.10 VMtools download page: https://my.vmware.com/web/vmware/details?downloadGroup=VMTOOLS10310&productId=742.

From the above link we want to download the offline-vib bundle as highlighted below.

 

downloading offline-vib bundle from VMware

 

Be sure to save this in a location you can easily access as the next step involves uploading it into VMware Update Manager.

 

Adding VMtools to VMware Update Manager (VUM)

Here we are going to take the VMtools offline bundle that we just downloaded and add this package to VUM.

1. Log into your vCenter

2. Select Menu > Update Manager (screenshot below)

 

adding VMtools to VMware Update Manager

 

3. Select “Updates > Upload From File” and browse to the location you stored the offline bundle you just downloaded.

 

select updates

 

4. Select, “Import” and it’ll upload the bundle to VUM.

 

upload bundle to VUM

 

Create a New Baseline

We are now ready to create a baseline for this VMtools upgrade that we will attach to our hosts.

1. Still on the “Update Manager” screen, select “Baselines > New > Baseline.”

 

create a new baseline

 

2. On the popup screen just give the baseline a name. I named mine, “ESXi VMtools Update” and select “Patch” under the “Content” section. Note: You might have to scroll down a little.

 

titling the baseline

 

3. Uncheck “Automatically update this baseline with patches that match the following criteria” and select “Next.”

 

select next

 

4. On this page, click the filter icon and search “10.3.10” or whatever version of tools you uploaded to VUM. This should return only one result which should be the offline VIB bundle that you downloaded previously. Select the bundle and click “Next.”

 

click the filter icon

 

5. Click “Finish.”
6. Now, under “Baselines”, you should see the new baseline that you created.

 

Attach Baseline to Hosts and Remediate

Now that we’ve created the baseline, it’s time to attach that baseline to your hosts.

1. Navigate to “Hosts and Clusters” view in the vSphere Client.

2. Select your ESXi host > Updates > Host Updates > Attach.

 

select and attach host updates

 

3. In the pop-up window select the baseline we created in the section above and click “Attach.”

 

click attach

 

4. The popup window will disappear. Then select the baseline that we just attached and click “Remediate.”

 

remediate the baseline

 

5. VUM will go through some pre-checks and you may have some alerts or warnings you need to address. This remediation will not require a reboot of the host and is non-impactful.

 

VUM will go through pre-checks

 

6. In the above example I have some pre-checks that failed. Clicking the “Show Full Remediation Pre-Check Report” shows me that I have CD Drives attached to the VMs that will not allow the host to go into Maintenance Mode. Because this remediation does not require the host be in Maintenance Mode, we can ignore this warning and click “Remediate.”

 

ignore warning and remediate

 

7. Once Remediation is complete, we can now check that our host is compliant with the baseline we created by looking at the baselines section.

 

check compliance

 

8. At this step we are finished. We have successfully updated the VMtools image on the ESXi host and prepped for running our automation script to install the guest module within Windows VMs using VMtools.

 

Conclusion

VMware AppDefense is the only hypervisor-native workload protection platform for enterprise virtualization and security teams that delivers the most secure virtual infrastructure and simplifies micro-segmentation planning. AppDefense reduces the attack surface by modeling intended application behavior, monitoring for anomalous behavior, and providing deep application visibility, reputation scoring, and security.

Ensuring VMware Tools is up to date is an integral part of the AppDefense installation and configuration process. We hope this blog has helped you on your journey to configuring AppDefense. If you’re not leveraging AppDefense today and would like to learn more please contact sales at appdefense-sales@vmware.com or visit: https://www.vmware.com/products/appdefense.html.