NSX 6.2.3 Guest Introspection Deployment

VMware has announced the end of availability of vCloud Networking and Security 5.5.x which will commence on September 19. If you are using vCNS it is possible to migrate to NSX.


NSX 6.2.3 has a default license for NSX for vShield Endpoint so if you want to use the Guest Introspection services (eg. Deep Security Anti Malware)  it’s no longer required to buy NSX licenses.

If you are planning to upgrade vCND to NSX there are some caveats to remember, especially if you are using vSphere Auto Deploy.

Host Preparation

After deploying the NSX Manager and registering it with the vCenter Server it is time to deploy the Guest Introspection service. For people who are familiar with NSX the first step to perform is the Host Preparation. If you are using the default NSX for vShield Endpoint license you will not be able to perform this action.


This behavior is by default and does not impact the service deployments. You do not have to perform the Host Preparation if you are only using the service deployments of NSX (eg. guest introspection).

Deploy the guest introspection service from the Service Deployments tab.

Service Deployment

The guest introspection service deployment is performed per cluster. If you are deploying the Guest Introspection service to a cluster with vSphere hosts using vSphere Auto Deploy in a stateless configuration the deployment will fail.


There is an VMware KB article on how to deploy VXLAN through Auto Deploy.


This articles does not provide the path to the VXLAN offline bundle on the NSX Manager. You can find the download path of the offline bundle from the following webpage on your NSX Manager:

https://<NSX Manager IP>/bin/vdn/nwfabric.properties.

The VIB used for Guest Introspection is not included in the offline bundle on the NSX Manager used to deploy VXLAN through vSphere Auto Deploy. So you have to add this VIB manually to your Auto Deploy image profile. The location of this VIB is not documented but after some Googling the following blog post helped me:


This blogpost contains the location of the VIB on older versions of the NSX Manager. To get the right location I attached the Hirens boot CD to the NSX Manager, booted from it and started a search for all .zip files.


The search result shows the correct name of the offline bundle and the location of the file. I used the bit in the blog about the NSX 6.2 file location as a reference to the location of the .zip file but apparently they have changed the location in NSX 6.2.3 to the same format as used in NSX 6.1.

https://<NSX Manager IP>/bin/offline-bundles/vShield-Endpoint-Mux-6.0.0esx50-3796715.zip

https://<NSX Manager IP>/bin/offline-bundles/vShield-Endpoint-Mux-6.0.0esx55-3796715.zip

https://<NSX Manager IP>/bin/offline-bundles/vShield-Endpoint-Mux-6.0.0esx60-3796715.zip

Add the offline bundle to your image profile and configure vSphere Auto Deploy to use this new image profile. Reboot your vSphere hosts and click Resolve in the NSX Service Deployments tab to verify the deployment went successful.


The only downside is that every time you upgrade NSX you have to find the correct file for the offline bundle on the NSX Manager. VMware used to have a KB article for vCND which provided you with the correct file locations but they do not have this for NSX.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Create a website or blog at WordPress.com

Up ↑

%d bloggers like this: