How to protect virtual machines on Hyper-V hosts
Bitdefender GravityZone provides full visibility into organizations' overall security posture, global security threats, and control over its security services that protect virtual or physical desktops, servers and mobile devices. All Bitdefender's Enterprise Security solutions are managed within the GravityZone through a single console, Control Center, that provides control, reporting, and alerting services for various roles within the organization.
GravityZone does not integrate with Hyper-V, therefore the Security Server installation and configuration in this environment have to be done manually.
This article presents the required steps for installing protection on virtual machines in a Hyper-V environment.
- Downloading Security Server (Microsoft Hyper-V)
- Creating the Security Server virtual machine
- Configuring Security Server
- Installing BEST on a virtual machine
- Network discovery mechanism
Once the GravityZone appliance has been imported and properly configured on the Hyper-V host, you need to download the Security Server component:
- Log on to GravityZone Control Center with a Company Administrator account.
- Go to Configuration > Update page, Product Update tab.
- Under the Components section, select Security Server (Microsoft Hyper-V) and click the Download button. This will download the Hyper-V Security Server image to the GravityZone appliance.
- Click the Refresh button at the upper side of the Components table to check the download status.
Once the Security Server image has been downloaded to the GravityZone appliance, you will have to download the Security Server's vhd file to a network share or a storage device accessible from the host:
- Go to Network > Packages page.
- Right-click the Default Security Server Package and select Download.
- Select Microsoft Hyper-V (VHD). Wait for the download to complete.
Next, you need to deploy the Security Server image on the host by creating a new virtual machine and attaching the downloaded vhd file to it. This procedure is similar to importing the GravityZone appliance into this type of host. See the separate KB article explaining how to import a virtual appliance to Hyper-V.
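As an added example (not part of this article), the following PowerShell, run on the Hyper-V host, creates the Security Server virtual machine from the downloaded VHD and attaches it to a virtual switch that reaches the GravityZone appliance. The VM name, VHD path, switch name and sizing are assumed values to adjust for your environment.

```powershell
# Added example: create the Security Server VM on a Hyper-V host from the downloaded VHD.
# Assumed values (adjust to your environment): VM name, VHD path, virtual switch, sizing.
$VmName  = 'GZ-SecurityServer'
$VhdPath = 'D:\Hyper-V\SecurityServer\security-server.vhd'   # vhd downloaded from Network > Packages
$Switch  = 'External'                                          # switch with a path to the GravityZone appliance

# The downloaded image is a .vhd disk, so a Generation 1 VM is created here (assumption).
# Memory and CPU count are placeholders; size them according to Bitdefender's requirements.
$vm = New-VM -Name $VmName -MemoryStartupBytes 4GB -Generation 1 -VHDPath $VhdPath -SwitchName $Switch
Set-VM -VM $vm -ProcessorCount 2 -AutomaticStopAction ShutDown
Start-VM -VM $vm

# Verify the VM is running and its adapter is connected to the intended switch; once the
# appliance has an address you can SSH to it and run sva-setup as described below.
Get-VM -Name $VmName | Select-Object Name, State, MemoryAssigned, ProcessorCount
Get-VMNetworkAdapter -VMName $VmName | Select-Object SwitchName, IPAddresses
```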
Once the virtual machine has been created, you need to start it and configure it to communicate with the GravityZone components. For this, follow the next steps:
- Connect to the appliance via SSH, using the default credentials:
  - username: root
  - password: sve
- Run the sva-setup command.
- Configure the appliance with DHCP/static network settings.
If you have created an IP reservation for the appliance on the DHCP server, skip this configuration by pressing Enter. If you configure with static network settings, follow these steps:
- Type Y and press Enter to continue.
- Enter the network settings: IP address, network mask, gateway, DNS servers.
- Type Y and press Enter to save the changes.
- Configure the Security Console IP: enter the Control Center IP address (e.g. 192.168.0.101).
- Configure the Communication Server address, in the form https://CommServer-IP:8443 (e.g. https://192.168.0.101:8443).
- Configure Update Server address: enter the IP address or hostname of the Update Server (e.g. 192.168.0.101).
- Configure the Update Server port: 7074.
Note: the IP address above is only an example, for a GravityZone appliance with all the roles installed on the same instance.
Once the configuration is finished, the Bitdefender services will start on the virtual machine. The Security Server will be visible in the Network page of the GravityZone Control Center, under Virtual Machines > Custom Groups, within 2 or 3 minutes.
The first BEST client has to be manually installed on a virtual machine. Then it will discover the other virtual machines in your network and display them in GravityZone Control Center. From this point forward, the client installation can be performed remotely.
To manually install the client, follow the next steps:
- Create an installation package according to your needs.
- Download the installation package.
- Run the installation package on the machine.
- Go to the Network > Packages page.
- Click the Add button on the upper left side. A configuration window will appear.
- Fill in all the requested information:
  - Enter a descriptive name and description for the installation package you want to create.
  - Configure settings as needed.
- Select the Security Server that will be used for scanning the virtual machines:
  - Select the Custom Scan mode. The list of detected Security Servers is displayed.
  - Select an entity.
  - Click the Add button at the right side of the table. The Security Server is added to the list. All target virtual machines will be scanned by the specified Security Server.
  - Follow the same steps to add several Security Servers, if available. In this case, you can configure their priority using the up and down arrows available at the right side of each entity.
  - To delete one entity from the list, click the corresponding Delete button at the right side of the table.
- Click Save. The BEST package will appear in the list.
To download the installation package that you have created:
- Navigate to the Network > Packages page.
- Right-click the created package and select Download.
- Select the appropriate version and wait for the download to complete.
For installation to work, the installation package has to be run using administrator privileges or under an administrator account.
To manually install BEST on a Windows virtual machine:
- Download or copy the installation file to the target virtual machine or to a network share accessible from that machine.
- Run the installation package.
- Follow the on-screen instructions.
To manually install BEST on a Linux virtual machine:
- Download or copy the installation file to the target virtual machine or to a network share accessible from that machine. The downloaded file is named installer.
- Grant execute permission to the current user on the installer file:
  $ chmod u+x installer
- Run the installer:
  $ sudo ./installer
Installation normally completes in less than a minute. Once BEST has been installed, the virtual machine will show up as managed in Control Center (Network page, under Custom Groups) within a few minutes.
The installation of BEST needs to be done manually only on the first virtual machine within the network. The rest of the virtual machines will be discovered by BEST and you will be able to deploy the product from GravityZone Control Center.
BEST includes an automatic network discovery mechanism intended to detect other virtual machines. It relies on the Microsoft Computer Browser service to perform network discovery. The Computer Browser service is a networking technology used by Windows-based computers to maintain updated lists of domains, workgroups, and the computers within them and to supply these lists to client computers upon request. Computers detected in the network by the Computer Browser service can be viewed by running the net view command in a Command Prompt window.
In order to successfully discover other virtual machines, the following are required:
- Computers must be joined in a workgroup or domain and connected via an IPv4 local network. Computer Browser service does not work over IPv6 networks.
- Several computers in each LAN group (workgroup or domain) must be running the Computer Browser service. Primary Domain Controllers must also run the service.
- NetBIOS over TCP/IP (NetBT) must be enabled on computers. Local firewall must allow NetBT traffic.
- File sharing must be enabled on computers. Local firewall must allow file sharing.
- A Windows Internet Name Service (WINS) infrastructure must be set up and working properly.
- For Windows Vista and later, network discovery must be turned on (Control Panel > Network and Sharing Center > Change Advanced Sharing Settings). To be able to turn on this feature, the following services must first be started:
  - DNS Client
  - Function Discovery Resource Publication
  - SSDP Discovery
  - UPnP Device Host
- In environments with multiple domains, it is recommended to set up trust relationships between domains so that computers can access browse lists from other domains.
- Computers from which BEST queries the Computer Browser service must be able to resolve NetBIOS names.
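To verify these prerequisites on the Windows VM where the first BEST client is installed, the following PowerShell (an added example, not from this article) reports the state of the required services, the NetBIOS over TCP/IP setting of each IP-enabled adapter, the firewall rule groups for file sharing and network discovery, and whether net view returns a browse list. Service short names and firewall group names are the standard Windows ones; run it in an elevated prompt.

```powershell
# Added example: check the Computer Browser discovery prerequisites on a Windows VM.
# Service short names map to the display names used in the requirements list above.
$services = [ordered]@{
    'Browser'  = 'Computer Browser'                      # absent on Windows builds that no longer ship it
    'Dnscache' = 'DNS Client'
    'FDResPub' = 'Function Discovery Resource Publication'
    'SSDPSRV'  = 'SSDP Discovery'
    'upnphost' = 'UPnP Device Host'
}
foreach ($name in $services.Keys) {
    $svc   = Get-Service -Name $name -ErrorAction SilentlyContinue
    $state = if ($svc) { $svc.Status } else { 'NOT INSTALLED' }
    '{0,-45} {1}' -f $services[$name], $state
}

# NetBIOS over TCP/IP (NetBT) per IP-enabled adapter: 0 = use DHCP setting, 1 = enabled, 2 = disabled
Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = True' |
    ForEach-Object {
        $opt = switch ($_.TcpipNetbiosOptions) { 0 { 'Default (DHCP)' } 1 { 'Enabled' } 2 { 'Disabled' } }
        '{0,-45} NetBT: {1}' -f $_.Description, $opt
    }

# Local firewall: the rule groups that carry NetBT/file sharing and network discovery traffic must be enabled
foreach ($group in 'File and Printer Sharing', 'Network Discovery') {
    $enabled = @(Get-NetFirewallRule -DisplayGroup $group -Enabled True -ErrorAction SilentlyContinue).Count
    '{0,-45} enabled rules: {1}' -f $group, $enabled
}

# Browse list as seen by the Computer Browser service (the same check as net view in a Command Prompt).
# An empty list or an error here means BEST will not discover the other virtual machines either.
$view = & net view 2>&1
'net view returned {0} line(s):' -f @($view).Count
$view | Select-Object -First 10
```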
Note: All virtual machines (protected and unprotected) from a Hyper-V host will be displayed in Control Center, in Virtual Machines > Custom Groups. Therefore, make sure that the account you are using to access Control Center has the permissions to see this container.