NSX 6.2.3 Guest Introspection Deployment

VMware has announced the end of availability of vCloud Networking and Security 5.5.x which will commence on September 19. If you are using vCNS it is possible to migrate to NSX.

https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2144733

NSX 6.2.3 includes a default license for NSX for vShield Endpoint, so if you want to use the Guest Introspection services (e.g. Deep Security Anti Malware) it's no longer required to buy NSX licenses.

If you are planning to upgrade vCNS to NSX there are some caveats to remember, especially if you are using vSphere Auto Deploy.

Host Preparation

After deploying the NSX Manager and registering it with the vCenter Server it is time to deploy the Guest Introspection service. For people who are familiar with NSX the first step to perform is the Host Preparation. If you are using the default NSX for vShield Endpoint license you will not be able to perform this action.

[Screenshot: nsx_prepare_cluster]

This is the default behavior and does not impact the service deployments. You do not have to perform the Host Preparation if you are only using the service deployments of NSX (e.g. Guest Introspection).

Deploy the guest introspection service from the Service Deployments tab.

Service Deployment

The guest introspection service deployment is performed per cluster. If you are deploying the Guest Introspection service to a cluster with vSphere hosts using vSphere Auto Deploy in a stateless configuration the deployment will fail.

[Screenshot: nsx_service_vib_manual_install]

There is a VMware KB article on how to deploy VXLAN through Auto Deploy.

https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2041972

This article does not provide the path to the VXLAN offline bundle on the NSX Manager. You can find the download path of the offline bundle on the following page on your NSX Manager:

https://<NSX Manager IP>/bin/vdn/nwfabric.properties

The VIB used for Guest Introspection is not included in the offline bundle on the NSX Manager used to deploy VXLAN through vSphere Auto Deploy. So you have to add this VIB manually to your Auto Deploy image profile. The location of this VIB is not documented but after some Googling the following blog post helped me:

https://community.hds.com/people/swalker/blog/2015/09/22/deploying-nsx-in-an-autodeploy-environment

This blog post contains the location of the VIB on older versions of the NSX Manager. To get the right location I attached the Hiren's Boot CD to the NSX Manager, booted from it and started a search for all .zip files.

[Screenshot: bootcd_search_results]

The search result shows the correct name of the offline bundle and the location of the file. I used the bit in the blog about the NSX 6.2 file location as a reference to the location of the .zip file but apparently they have changed the location in NSX 6.2.3 to the same format as used in NSX 6.1.

https://<NSX Manager IP>/bin/offline-bundles/vShield-Endpoint-Mux-6.0.0esx50-3796715.zip

https://<NSX Manager IP>/bin/offline-bundles/vShield-Endpoint-Mux-6.0.0esx55-3796715.zip

https://<NSX Manager IP>/bin/offline-bundles/vShield-Endpoint-Mux-6.0.0esx60-3796715.zip

Add the offline bundle to your image profile and configure vSphere Auto Deploy to use this new image profile. Reboot your vSphere hosts and click Resolve in the NSX Service Deployments tab to verify that the deployment was successful.

[Screenshot: nsx_service_cluster_overview_succes]
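The image profile step above, sketched in PowerCLI as an added example (not from the original post). It assumes the Image Builder and Auto Deploy cmdlets, an existing Connect-VIServer session and a bundle already downloaded from the NSX Manager; every path, profile, cluster and rule name is a placeholder. Before cloning, it checks that the VIB's acceptance level is not below the profile's, so the profile never has to be lowered to fit the VIB.

```powershell
# Added example: all names and paths below are placeholders, not values from the post
# (except the bundle file name, which is the ESXi 6.0 one listed above).
$BaseDepot   = 'C:\depot\ESXi-base-offline-bundle.zip'
$GiBundle    = 'C:\depot\vShield-Endpoint-Mux-6.0.0esx60-3796715.zip'
$BaseProfile = 'ESXi-base-standard'
$NewProfile  = "$BaseProfile-GI"
$ClusterName = 'AutoDeployCluster'
$RuleName    = 'AutoDeployClusterRule'

Add-EsxSoftwareDepot $BaseDepot | Out-Null
$giDepot = Add-EsxSoftwareDepot $GiBundle

# List what the bundle actually contains instead of trusting its file name.
$giVibs = Get-EsxSoftwarePackage -SoftwareDepot $giDepot
$giVibs | Format-Table Name, Version, Vendor, AcceptanceLevel

# Acceptance levels, ordered from most to least trusted.
$levels = 'VMwareCertified', 'VMwareAccepted', 'PartnerSupported', 'CommunitySupported'
$base = Get-EsxImageProfile -Name $BaseProfile
$profileRank = [array]::IndexOf($levels, "$($base.AcceptanceLevel)")

# Stop if any VIB is less trusted than the profile allows.
$tooLow = $giVibs | Where-Object {
    [array]::IndexOf($levels, "$($_.AcceptanceLevel)") -gt $profileRank
}
if ($tooLow) {
    throw "VIB below profile acceptance level ($($base.AcceptanceLevel)): $($tooLow.Name -join ', ')"
}

# Clone the base profile and add the Guest Introspection VIB(s) to the clone.
$new = New-EsxImageProfile -CloneProfile $base -Name $NewProfile -Vendor 'Custom'
Add-EsxSoftwarePackage -ImageProfile $new -SoftwarePackage $giVibs | Out-Null

# Point the existing deploy rule at the new profile, then check and remediate
# each host in the cluster so it boots the new image on its next restart.
Copy-DeployRule -DeployRule $RuleName -ReplaceItem $new | Out-Null
foreach ($vmhost in (Get-Cluster $ClusterName | Get-VMHost)) {
    $result = Test-DeployRuleSetCompliance -VMHost $vmhost
    if ($result.ItemList) { Repair-DeployRuleSetCompliance $result }
}
```

Image Builder depots and profiles live only in the current PowerCLI session, so run this in the session that Auto Deploy rules are managed from, or export the new profile if it has to persist.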

The only downside is that every time you upgrade NSX you have to find the correct file for the offline bundle on the NSX Manager. VMware used to have a KB article for vCNS which provided you with the correct file locations but they do not have this for NSX.