Bitdefender B2B Help Center

Virtualization platforms

GravityZone can currently integrate with VMware vCenter Server, Citrix XenServer, Nutanix Prism Element, Amazon EC2 and Microsoft Azure.

Note

Whenever you set up a new integration with another vCenter Server, XenServer, Nutanix Prism Element or Microsoft Azure, remember to also review and update access privileges for existing users.

Amazon EC2

Integrate with Amazon EC2

You can integrate GravityZone with your Amazon EC2 inventory and protect your EC2 instances hosted in the Amazon cloud.

Prerequisites:

  • The access and secret keys of a valid AWS account

  • The AWS account must have the following permissions:

    • IAMReadOnlyAccess

    • AmazonEC2ReadOnly for all AWS regions

You can create several Amazon EC2 integrations. For each integration, you need to provide a valid AWS user account.

Note

It is not possible to add multiple integrations using the credentials of IAM roles created for the same AWS account.

To set up integration with Amazon EC2:

  1. Go to the Configuration page in Control Center and click the Virtualization Providers tab.

  2. Click the Add button at the upper side of the table and choose Amazon EC2 Integration from the menu. A configuration window will appear.

  3. Specify the Amazon EC2 integration details:

    • The integration name. When adding several Amazon EC2 integrations, you can identify them by name.

    • The access and secret keys of the AWS user account.

  4. Restrict policy assignment from the network view. Use this option to control the network administrators' permission to change virtual machine policies via the Computers and Virtual Machines view in the Network page. When this option is selected, administrators can change virtual machine policies only from the Virtual Machines view of the network inventory.

  5. Click Save. If the provided credentials are valid, the integration will be created and added to the grid.

Wait a few moments while GravityZone synchronizes with the Amazon EC2 inventory.

Citrix XenServer

Integrate with XenServer

You can integrate GravityZone with one or multiple XenServer systems.

To set up integration with a XenServer:

  1. Go to the Configuration page in Control Center and click the Virtualization Providers tab.

  2. Click the Add button at the upper side of the table and choose XenServer from the menu. A configuration window will appear.

  3. Specify the XenServer details.

    • Name of the XenServer system in Control Center

    • Hostname or IP address of the XenServer system

    • XenServer port (default 443)

  4. Specify the credentials to be used to authenticate with the XenServer.

    You can choose to use the credentials provided for integration with Active Directory or a different set of credentials.

  5. Restrict policy assignment from the network view. Use this option to control the network administrators' permission to change virtual machine policies via the Computers and Virtual Machines view in the Network page. When this option is selected, administrators can change virtual machine policies only from the Virtual Machines view of the network inventory.

  6. Auto-update integration when master host changes in XenCenter. Use this option to keep the integration alive without manual intervention when the IP address of the pool master server has changed.

    Note

    You can enable the XenServer Integration Auto-update notification to know whenever such changes occur and the settings are automatically updated.

  7. Click Save. The XenServer system appears in the active integrations list with a synchronizing status. Wait a couple of minutes until synchronization finishes.

Protect virtual machines in a XenDesktop with Provisioning Server infrastructure

This section describes how to install and configure Security for Virtualized Environments on XenServer virtual machines with Provisioning Server infrastructure.

Overview

Provisioning Server's infrastructure is based on software-streaming technology.

Using Provisioning Server, administrators prepare a device (Master Target Device) to be imaged, by installing an operating system and any required software on that device. A virtual disk (vDisk) image is then created from the Master Target Device's hard drive and saved to the network (on Provisioning Server or back-end storage device).

Once the vDisk is available from the network, a target device no longer needs its local hard drive to operate, as it boots directly from the network. The Provisioning Server streams the contents of the vDisk to the target device on demand, in real time.

Step-by-step procedure

To protect virtual machines in a XenDesktop with Provisioning Server infrastructure using GravityZone Security for Virtualized Environments (SVE), you need to deploy a Security Server and have BEST installed on the vDisk. To do so, follow these steps:

  1. Deploy GravityZone in the virtual environment and configure its roles.

  2. Connect to GravityZone Control Center using an account with Manage Solution right.

  3. Go to Configuration > Virtualization and integrate GravityZone with XenServer. When the process is finished, the Sync status will be Synchronized and the Progress status Finished.

  4. To install the Security Server on the host, go to the Network page, select the host and run the Install Security Server task. The inventory will display the newly deployed virtual machine:

  5. Create a virtual machine with all programs that users need and install BEST to protect it against malware. To deploy BEST, select the VM in the inventory and run the Install Client task. After BEST is installed, the inventory will show the VM as being protected:


    Also verify that the Master VM is protected by accessing it and opening the BEST user interface.


    If you plan to use the BEST Firewall module, you need to add firewall rules to the BEST policy, to allow the appropriate ports used by Citrix components. For more details, check the following Citrix articles:

    Communication Ports Used by Citrix Technologies

    Best Practices for Configuring Provisioning Services Server on a Network

    It is especially important to allow the vDisk Streaming (Streaming Service) ports, otherwise the virtual desktops will not boot. For this purpose, you must add a Connection rule with the following configuration:

    • Local Address set to Any

    • Remote Address set to the address of the server hosting the vDisk

    • Remote Address port range set to PVS port range

    • Protocol set to UDP

    • Allow action

    Whenever you plan to change the PVS ports or update/upgrade your Citrix software, be sure to check for Citrix port changes and update the BEST firewall rules accordingly. Please follow Citrix recommendations on how to update the ports, as indicated in the next step.

  6. Prepare the target device by following the procedure described in this article.

  7. Start to deliver virtual desktops to users. The new VMs will appear in the network inventory as being protected by BEST.

    Users will see their devices as protected when they open the BEST user interface.

    To test the protection, you can use an EICAR file. The file will be detected as a virus and it will be deleted. The interface will display the action taken to protect the virtual machine.


Microsoft Azure

Integrate Microsoft Azure

You can integrate GravityZone with Microsoft Azure and protect your virtual machines hosted in the Microsoft cloud.

Prerequisites:

  • Azure application with Reader permission

  • Active Directory ID

  • Application ID

  • Application Secret

For details about obtaining the required credentials and setting up the Azure application, refer to Configure Microsoft Azure application for GravityZone integration.

You can create several Microsoft Azure integrations. For each integration, you must have a valid Active Directory ID.

To set up integration with Microsoft Azure:

  1. Go to the Configuration page in Control Center and click the Virtualization Providers tab.

  2. Click the Add button at the upper side of the table and choose Azure Integration from the menu. A configuration window will appear.

  3. Specify the Azure integration details:

    • The integration name. When adding several Azure integrations, you can identify them by name.

    • Active Directory ID. Each instance of Azure Active Directory has a unique identifier available in the Microsoft Azure account details.

    • Application ID. Each Azure application has a unique identifier available in the application details.

    • Application Secret. The application secret is the value displayed when saving a key in the Azure application settings.

  4. Select the option Restrict policy assignment from the network view to change the policy only from the Virtual Machines view. If deselected, you can change the policy from the Computers and Virtual Machines view.

  5. Click Save. If the provided credentials are valid, the integration will be created and added to the grid.

Wait a few moments while GravityZone synchronizes with the Microsoft Azure inventory.

Configure Microsoft Azure application for GravityZone integration

This section explains how to configure an Azure application so that GravityZone can integrate with Microsoft Azure.

Through GravityZone (on-premises solution) integration with Microsoft Azure, you are able to import into Control Center the existing inventory of virtual machines hosted in the Microsoft cloud.

The integration requires registering in Azure a web application that provides GravityZone the ability to access data from Azure virtual machines. The Azure application also provides the necessary credentials to configure the integration in Control Center:

  • Active Directory ID

  • Application ID

  • Application Secret

For details on how to use these credentials after you have created the application, refer to the GravityZone Installation Guide.

Requirements

To create an application, first make sure that you have the necessary Azure AD and subscription permissions.

Azure AD permissions

You need Azure AD permissions to access Azure Active Directory and to register the application.

To check the Azure AD permissions:

  1. Log in to Microsoft Azure Portal.

  2. Select Azure Active Directory.

  3. In the Overview section, observe your role. For example, if you are an administrator, you can manage all aspects of app registrations. Refer to Microsoft Azure documentation for available roles and role permissions.

  4. In the left pane, select User settings.

  5. View the App registrations setting. If the value is Yes, then any user in the Azure directory can register an application. If the value is No, then only users with an administrator role can register an application. Only an administrator can change the value for App registrations.

Azure subscription permissions

In your Azure subscription, you need to have Microsoft.Authorization/*/Write access to assign a role to the application. This action requires the Owner role or User Access Administrator role.

To check the subscription permissions:

  1. Search for and select Subscriptions, or click Subscriptions on the Home page.

  2. Select the subscription that you want to associate with the application. If you do not see the subscription, select global subscriptions filter.

  3. Select My permissions and select Click here to view complete access details for this subscription.

  4. Click Role assignments and view your roles. If necessary, use the filter boxes to find your account. If you do not have the required permissions to assign a role to the application, contact your administrator.

Configuring an Azure application

Register the application

To register an Azure application:

  1. Log in to Microsoft Azure Portal.

  2. Select Azure Active Directory.

  3. Select App registrations.

  4. Select New registration.

  5. Enter a name for the application.

  6. Under Redirect URI (optional), select Web and enter the URL of the GravityZone instance that you integrate with Azure.

  7. Click Register.


Once created, the application displays in the Overview section two of the three values required for GravityZone integration:

  • Application (client) ID

  • Directory (tenant) ID

Assign a role to the application

You must assign a Reader role to the application to access resources in your subscription.

  1. Search for and select Subscriptions, or click Subscriptions on the Home page.

  2. Select the subscription that you want to associate with the application.

  3. Select Access control (IAM).

  4. Click Add and select Add role assignment.

  5. Under Role, select Reader.

  6. Select Azure AD user, group, or service principal.

  7. Select the application you have created.

  8. Click Save.

Create an application secret

To integrate GravityZone with Azure, you also need the application secret.

  1. Select Azure Active Directory.

  2. Go to App registrations and select your application.

  3. Select Certificates & secrets.

  4. Under Client secrets, click New client secret.

  5. Enter a description, select the duration and click Add.

    Caution

    After the secret expires, the synchronization between the Microsoft Azure and GravityZone inventories will not be possible. In this case, you must use another secret for integration.

  6. Back under Client secrets, a key value is displayed. This value represents the application secret required for GravityZone integration.

    Use the Copy to clipboard option and keep the value in a safe location. You will not be able to retrieve this value later.


Microsoft provides additional information on creating an Azure application: How to: Use the portal to create an Azure AD application and service principal that can access resources

Create the Azure Application

  1. Log in to Microsoft Azure portal.

  2. In the upper-right corner, click the Directory and Subscription filter icon and, under Switch directory, select the directory where you want to register your app. Under the directory name there is an alphanumeric string that represents the Active Directory ID. This identifier is the first one you need to configure the GravityZone integration.

  3. From the left-side menu, go to Azure Active Directory > App registrations > New application registration.

  4. Under Create, fill in the required fields:

    1. Name for your application.

    2. Application type: Web app / API.

    3. Sign-on URL – the URL of the GravityZone instance that you integrate with Azure.

  5. Click the Create button. A new window provides you with details about the new application. These details include Application ID, an identifier also required for GravityZone integration.

  6. Click Settings, then click Keys.

  7. In the new window, under Passwords:

    1. Enter a description as you desire.

    2. Select the duration of the key.

      Note

      After the key expires, the synchronization between the Microsoft Azure and GravityZone inventories will not be possible. In this case, you must use another key for integration.

    3. Click Save. A key value is displayed immediately. This key is the Application Secret required to complete the GravityZone integration with Microsoft Azure in Control Center. Copy the value and keep it in a safe location.

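Both the Caution in "Create an application secret" and the Note above warn that an expired client secret silently stops the Azure/GravityZone inventory synchronization. The following is an added example, not code from Bitdefender or from this page, that reviews the expiry dates of an application's secrets before that happens. It assumes the JSON shape printed by `az ad app credential list --id <APP_ID>` (Microsoft Graph passwordCredential objects with an `endDateTime` field); the sample records embedded below are constructed, with invented key IDs and dates, so the script runs offline.

```python
import json
from datetime import datetime, timezone

# Constructed sample shaped like the output of `az ad app credential list --id <APP_ID>`
# (assumed Microsoft Graph passwordCredential field names; every value is invented).
SAMPLE_CREDENTIALS_JSON = """[
  {"displayName": "gravityzone-sync-old", "keyId": "00000000-0000-0000-0000-000000000001",
   "endDateTime": "2023-12-01T00:00:00Z", "hint": "Xa1"},
  {"displayName": "gravityzone-sync", "keyId": "00000000-0000-0000-0000-000000000002",
   "endDateTime": "2024-01-15T10:30:00.1234567Z", "hint": "Qb2"},
  {"displayName": "gravityzone-sync-next", "keyId": "00000000-0000-0000-0000-000000000003",
   "endDateTime": "2025-06-30T00:00:00Z", "hint": "Rc3"}
]"""


def parse_graph_datetime(value):
    """Parse Graph's ISO 8601 UTC timestamps.

    Graph may emit seven fractional digits and a trailing 'Z'; older versions of
    datetime.fromisoformat reject both, so normalise before parsing.
    """
    value = value.strip()
    if value.endswith("Z"):
        value = value[:-1]
    if "." in value:
        main, frac = value.split(".", 1)
        value = f"{main}.{frac[:6].ljust(6, '0')}"
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)


def secret_status(end_datetime, now, warn_days=30):
    """Classify one secret as 'expired', 'expiring' or 'ok' relative to `now`."""
    days_left = (end_datetime - now).days
    if days_left < 0:
        return "expired", days_left
    if days_left <= warn_days:
        return "expiring", days_left
    return "ok", days_left


def review_secrets(credentials_json, now=None, warn_days=30):
    """Return (rows, at_risk).

    rows    : one (displayName, status, days_left) tuple per secret
    at_risk : True when no secret stays valid beyond the warning window, i.e. the
              GravityZone integration will lose synchronization unless a new secret
              is created and entered in Control Center.
    """
    now = now or datetime.now(timezone.utc)
    rows = []
    for cred in json.loads(credentials_json):
        end = parse_graph_datetime(cred["endDateTime"])
        status, days_left = secret_status(end, now, warn_days)
        rows.append((cred.get("displayName") or cred["keyId"], status, days_left))
    at_risk = not any(status == "ok" for _, status, _ in rows)
    return rows, at_risk


if __name__ == "__main__":
    # Fixed clock so the constructed sample gives repeatable output.
    clock = datetime(2024, 1, 1, tzinfo=timezone.utc)
    rows, at_risk = review_secrets(SAMPLE_CREDENTIALS_JSON, now=clock)
    for name, status, days in rows:
        print(f"{name:24s} {status:9s} {days:5d} days")
    print("integration at risk:", at_risk)
```

In practice you would pipe the real CLI output into `review_secrets` and schedule the check ahead of the secret's duration chosen in step 5, so that the replacement secret is already saved in Control Center when the old one lapses.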
Add Permissions for Azure Application

The Azure application requires Reader permission to be able to synchronize the Microsoft Azure and GravityZone inventories.

  1. From the left-side menu, go to Cost Management + Billing > Subscriptions.

  2. In the subscription list, click the name of the subscription you want to assign access to.

  3. Click Access control (IAM), then click Add.

  4. In the Add permissions window:

    1. Fill in the required fields with the following values:

      1. Role: Reader.

      2. Assign access to: Azure AD user, group, or application.

      3. Select: search for the name of the application that you have created.

    2. Click Save.


If you have more than one subscription in Microsoft Azure, you can add Reader permission for all of them using the same Azure application.

Nutanix Prism Element

Integrate with Nutanix Prism Element

You can integrate GravityZone with one or multiple Nutanix Prism Element clusters, whether they are registered to Nutanix Prism Central or not.

To set up integration with Nutanix Prism Element:

  1. Go to the Configuration page in Control Center and click the Virtualization Providers tab.

  2. Click the Add button at the upper side of the table and choose Nutanix Prism Element from the menu. A configuration window will appear.

  3. Specify the Nutanix Prism Element details:

    • Name of the Nutanix Prism Element in Control Center.

    • The IP address of a Controller Virtual Machine (CVM) from the Nutanix Prism Element cluster or the IP address of the Cluster Virtual IP.

    • Nutanix Prism Element port (default 9440).

  4. Specify the credentials to be used to authenticate with Nutanix Prism Element.

    Important

    The user whose credentials you provide must have Cluster Admin or User Admin privileges in Nutanix Prism Element.

  5. Restrict policy assignment from the network view. Use this option to control the network administrators’ permission to change virtual machine policies via the Computers and Virtual Machines view in the Network page. When this option is selected, administrators can change virtual machine policies only from the Virtual Machines view of the network inventory.

  6. Click Save. You will be asked to accept the security certificates for Nutanix Prism. These certificates secure the communication between GravityZone and Nutanix Prism Element and mitigate the risk of man-in-the-middle attacks.

    You can verify if the correct certificates were installed by checking the browser’s site information for each Nutanix Prism Element cluster or CVM against the certificate information displayed in Control Center.

  7. Select the check boxes to accept using the certificates.

  8. Click Save.

    If you entered a CVM IP to configure the integration, a new window asks whether you want to use the Cluster Virtual IP instead of the CVM IP:

    1. Click Yes to use the Cluster Virtual IP for integration. The Cluster Virtual IP will replace the CVM IP in the Nutanix Prism Element details.

    2. Click No to keep using the CVM IP.

      Note

      As best practice, it is recommended to use the Cluster Virtual IP rather than the CVM IP. This way, the integration remains active even when a particular host becomes unavailable.

    3. In the Add Nutanix Prism Element window, click Save.

You will be able to view the Nutanix Prism Element in the active integrations list. Wait for a couple of minutes until the synchronization finishes.
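Step 6 asks you to compare the certificate shown in Control Center with the one the Prism Element cluster or CVM actually presents. The following added example, which is not Bitdefender code and not part of the original page, does that comparison from the command line: it fetches the leaf certificate from a Prism Element endpoint on the default port 9440, computes its SHA-256 fingerprint in the colon-separated form browsers display, and compares it with the fingerprint you copied from Control Center. The hostname and the expected fingerprint are placeholders you replace; the sample certificate bytes used for the offline self-check are constructed and are not a real certificate.

```python
import hashlib
import socket
import ssl

# Constructed sample: arbitrary bytes standing in for DER-encoded certificate data so
# the PEM/DER round trip and the fingerprint formatting can be exercised offline.
SAMPLE_DER = b"constructed sample bytes, not a real X.509 certificate"
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)


def sha256_fingerprint(der_bytes):
    """SHA-256 fingerprint of DER bytes as 'AB:CD:...' (the form browsers display)."""
    digest = hashlib.sha256(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_from_pem(pem_text):
    """Fingerprint of a certificate exported from a browser or Control Center as PEM."""
    return sha256_fingerprint(ssl.PEM_cert_to_DER_cert(pem_text))


def normalize_fingerprint(fp):
    """Strip separators and case so 'ab:cd' and 'ABCD' compare equal."""
    return fp.replace(":", "").replace(" ", "").upper()


def fingerprints_match(expected, actual):
    return normalize_fingerprint(expected) == normalize_fingerprint(actual)


def fetch_server_fingerprint(host, port=9440, timeout=5.0):
    """Fetch the certificate a Prism Element endpoint presents and return its fingerprint.

    Verification is deliberately disabled for this one connection: the certificate
    is self-signed or internal, and the point is to read what is presented and
    compare it by hand with the value Control Center shows before accepting it.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    return sha256_fingerprint(der)


if __name__ == "__main__":
    # Placeholders: the Cluster Virtual IP (or CVM IP) you entered in Control Center
    # and the SHA-256 fingerprint Control Center displayed for it.
    cluster_host = "prism-cluster-vip.example.invalid"
    expected_from_control_center = "AA:BB:CC:..."
    try:
        presented = fetch_server_fingerprint(cluster_host)
        print("presented :", presented)
        print("match     :", fingerprints_match(expected_from_control_center, presented))
    except OSError as exc:
        print("could not connect:", exc)
```

Run it once per cluster or CVM listed in the integration; a mismatch means the certificate Control Center is about to trust is not the one the endpoint serves, and the integration should not be saved until the difference is explained.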

Veeam Backup & Replication

Overview

The GravityZone integration with Veeam Backup & Replication v11a aims to help you discover security issues on virtual machines before restoring the machines to the production environment.

For this purpose, Bitdefender Endpoint Security Tools (BEST) performs a complete scan for various threats. If the machine is clean, then Veeam Backup & Replication restores it. If BEST detects a threat, Veeam Backup & Replication can either abort the restore process, or restore the machine or its disks with specific restrictions, depending on the restore settings.

Prerequisites

Configuration steps

For Veeam Backup & Replication to decode the scanning status from BEST, you need to modify a specific Veeam Backup & Replication configuration file. To do so, follow these steps:

  1. On the mount server, go to: %ProgramFiles%\Common Files\Veeam\Backup and Replication\Mount Service.

  2. Open the AntivirusInfos.xml file.

  3. In the <Antiviruses> section of the file, include this structure:

    <!--Bitdefender Endpoint Security Tools-->
    <AntivirusInfo Name='Bitdefender Endpoint Security Tools' IsPortableSoftware='true'
        ExecutableFilePath='%ProgramFiles%\Bitdefender\Endpoint Security\product.console.exe'
        CommandLineParameters=' /c FileScan.OnDemand.RunScanTask custom path=%Path%'
        RegPath='' ServiceName=''
        ThreatExistsRegEx='Remaining issues:\s[1-9]\d*|Resolved issues:\s[1-9]\d*'
        IsParallelScanAvailable='false'>
        <ExitCodes>
            <ExitCode Type='Success' Description='Command executed successfully'>0</ExitCode>
            <ExitCode Type='Error' Description='Invalid Parameter'>87</ExitCode>
            <ExitCode Type='Error' Description='Bad Arguments'>160</ExitCode>
            <ExitCode Type='Error' Description='Function Failed – an error occurred while executing the command'>1627</ExitCode>
            <ExitCode Type='Infected' Description='A threat was detected on the system'>-526</ExitCode>
        </ExitCodes>
    </AntivirusInfo>

    Keep the whole ThreatExistsRegEx value on a single line; a line break inside the attribute would insert a newline into the pattern and the "Resolved issues" alternative would never match.
  4. Save the file.

Once the file is saved, you can proceed with the rest of the steps described in How Secure Restore Works in the Veeam documentation.
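Before handing the edited AntivirusInfos.xml to the mount service, it is worth confirming that the file still parses, that the Bitdefender entry is present, and that ThreatExistsRegEx reacts to scanner output the way the exit codes suggest. The following added example (not Veeam or Bitdefender code, and not part of the original page) does exactly that: it parses the entry from step 3, applies the regular expression to constructed sample output lines, and combines exit code and output into one verdict. The assumption that any match of ThreatExistsRegEx counts as a threat, and the shape of the sample console output, are the example's own, not taken from product.console.exe.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the <AntivirusInfo> entry from step 3, wrapped in an
# <Antiviruses> root so it parses stand-alone. The ThreatExistsRegEx value is
# kept on one line, as it must be in the real file.
ANTIVIRUS_XML = r"""<Antiviruses>
  <!--Bitdefender Endpoint Security Tools-->
  <AntivirusInfo Name='Bitdefender Endpoint Security Tools' IsPortableSoftware='true'
    ExecutableFilePath='%ProgramFiles%\Bitdefender\Endpoint Security\product.console.exe'
    CommandLineParameters=' /c FileScan.OnDemand.RunScanTask custom path=%Path%'
    RegPath='' ServiceName=''
    ThreatExistsRegEx='Remaining issues:\s[1-9]\d*|Resolved issues:\s[1-9]\d*'
    IsParallelScanAvailable='false'>
    <ExitCodes>
      <ExitCode Type='Success' Description='Command executed successfully'>0</ExitCode>
      <ExitCode Type='Error' Description='Invalid Parameter'>87</ExitCode>
      <ExitCode Type='Error' Description='Bad Arguments'>160</ExitCode>
      <ExitCode Type='Error' Description='Function Failed – an error occurred while executing the command'>1627</ExitCode>
      <ExitCode Type='Infected' Description='A threat was detected on the system'>-526</ExitCode>
    </ExitCodes>
  </AntivirusInfo>
</Antiviruses>
"""

# Constructed console output, shaped like a scan summary the regex is meant to read;
# these lines are not captured from product.console.exe.
CLEAN_OUTPUT = "Scan finished.\nRemaining issues: 0\nResolved issues: 0\n"
INFECTED_OUTPUT = "Scan finished.\nRemaining issues: 0\nResolved issues: 2\n"


def load_antivirus_info(xml_text, name="Bitdefender Endpoint Security Tools"):
    """Return (attributes, {exit_code: Type}) for the named <AntivirusInfo> entry.

    ET.fromstring raises ParseError on malformed XML, which is the first thing
    to check after hand-editing AntivirusInfos.xml.
    """
    root = ET.fromstring(xml_text)
    for info in root.iter("AntivirusInfo"):
        if info.get("Name") == name:
            codes = {int(ec.text): ec.get("Type") for ec in info.find("ExitCodes")}
            return dict(info.attrib), codes
    raise KeyError(f"no AntivirusInfo entry named {name!r}")


def threat_detected(pattern, console_output):
    """Assumed semantics: any match of ThreatExistsRegEx in the output means a threat."""
    return re.search(pattern, console_output) is not None


def scan_verdict(exit_code, console_output, xml_text=ANTIVIRUS_XML):
    """Combine the scanner's exit code and console output into one verdict.

    Returns the ExitCode Type ('Success', 'Error', 'Infected') or 'Unknown' for an
    unlisted code; a 'Success' exit whose output matches the regex becomes 'Infected'.
    """
    attrs, codes = load_antivirus_info(xml_text)
    kind = codes.get(exit_code, "Unknown")
    if kind == "Success" and threat_detected(attrs["ThreatExistsRegEx"], console_output):
        return "Infected"
    return kind


def check_file(path):
    """Validate a real AntivirusInfos.xml on the mount server (not exercised here)."""
    with open(path, encoding="utf-8") as fh:
        attrs, codes = load_antivirus_info(fh.read())
    return attrs["ExecutableFilePath"], sorted(codes)


if __name__ == "__main__":
    print(scan_verdict(0, CLEAN_OUTPUT))     # Success
    print(scan_verdict(0, INFECTED_OUTPUT))  # Infected
    print(scan_verdict(-526, ""))            # Infected
```

Point `check_file` at the real path under the Mount Service folder after editing; a ParseError there means the edit broke the file and Veeam will not be able to read the Bitdefender entry.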

VMware NSX-T

GravityZone Security for Virtualized Environments integrates with the VMware NSX-T Data Center through NSX-T Manager.

Integrate with NSX-T Manager

NSX-T Manager is the management plane of your vCenter Servers integrated with an NSX-T Data Center. For the integration to work, you first need to set up the integration for the vCenter Servers associated with the NSX-T Manager. For more information, refer to Integrate with vCenter Server.

To set up integration with NSX-T Manager:

  1. In Control Center, navigate to Configuration > Virtualization Providers > Security Providers.

  2. Click the Add button at the upper side of the table. A configuration window will appear.

  3. Specify the NSX-T integration details:

    • Name of the NSX-T integration.

    • Hostname or the IP address of the associated vCenter Server system.

    • NSX-T port (default 443).

  4. Specify the credentials to authenticate with the vCenter Server. You can choose to use the credentials provided for integration with Active Directory or a different set of credentials. The user whose credentials you provide must have root or administrator permissions on the vCenter Server.

  5. Click Save.

    The Control Center is now integrated with NSX-T. To apply endpoint protection to your VMs through GravityZone Guest Introspection policy, refer to Manage endpoint protection in VMware NSX-T.

Note

GravityZone can only be used to protect the associated vCenter Server.

Manage endpoint protection in VMware NSX-T

In this section, you will learn how to configure Bitdefender GravityZone Security for Virtualized Environments integration with NSX-T 2.4 Guest Introspection services and apply endpoint protection to your guest virtual machines.

Integration Overview

NSX-T Data Center provides agentless endpoint protection capabilities through the Guest Introspection ecosystem. Bitdefender integrates with the NSX ecosystem to protect guest virtual machines by using a Security Server deployed at the hypervisor host level.

This section provides guidance for NSX-T Data Center administrators on how to configure and apply endpoint protection to guest VMs, by implementing a Bitdefender GravityZone Guest Introspection policy.

Prerequisites
  • Software Prerequisites

    Compatibility with NSX-T Data Center:

    VMware NSX-T Manager | GravityZone Control Center | Bitdefender Security Server
    3.2                  | 6.27.1 and newer           | 1.1.5.11317 and newer
    3.1                  | 6.18.1 and newer           | 1.0.5.10125 and newer
    3.0                  | 6.14.1 and newer           | 1.0.3.9806 and newer
    2.5                  | 6.9.1-1 and newer          | 1.0.2.9311 and newer
    2.4                  | 6.5.5-1 – 6.9.1-1          | 1.0.1.8727 and newer
    2.3                  | n/a                        | n/a

    For more compatibility details, refer to these VMware webpages:

  • NSX-T Manager configuration prerequisites

    Before you start the Bitdefender GravityZone configuration and Security for Virtualized Environments service deployment, you need to meet the following conditions:

Process description

To integrate GravityZone Security and apply endpoint protection to VMs follow these steps:

Integrate GravityZone with vCenter Server

Add a new VMware vCenter Server integration to the GravityZone Control Center.

  1. Log in to GravityZone Control Center.

  2. Go to the Configuration page.

  3. Navigate to Virtualization Providers > Management Platforms.

  4. Click Add and choose vCenter Server from the menu.

  5. Specify the vCenter Server details.

  6. Specify the credentials for vCenter Server authentication.

  7. Under Installed platforms choose None for your NSX-T integration.

  8. Click Save to complete the vCenter Server integration with Control Center.

    Note

    Before accepting the self-signed security certificate required for the integration, make sure it corresponds with the vCenter details.

    For more information, refer to the Integrating with vCenter Server chapter within the Bitdefender GravityZone Installation Guide.

Note

For multiple vCenter Servers managed by NSX-T Manager, you need to repeat this step.

Download NSX-T SVA
  1. Log in to GravityZone Control Center.

  2. Go to Configuration > Update.

  3. Select the Components tab.

  4. Under Product, select Security Server (VMware NSX-T).

  5. From the Packages section, select the associated check box to download.

Integrate GravityZone with NSX-T Manager

Add a new VMware NSX-T Manager integration to the GravityZone Control Center.

  1. In Control Center, go to the Configuration page.

  2. Navigate to Virtualization Providers > Security Providers.

  3. Click Add to configure the NSX-T integration.

  4. Specify the NSX-T integration details:

    • Name of the NSX-T integration

    • Hostname or the IP address of the vCenter Server system

    • NSX-T port (default 443)

  5. Specify the credentials for NSX-T Manager authentication.

  6. Click Save to complete the integration.

Note

The number of vCenter Servers integrated with NSX-T Manager should match the number listed under Management Platforms in Control Center. If the counts do not match, follow the integration procedure above to add the missing vCenter Server integration.

Deploy Partner service (Bitdefender GravityZone) in NSX Manager

Deploy the Security Server installation as a Partner service in NSX-T Manager.

  1. In NSX Manager, go to the System page and click Service Deployment.

  2. Select Partner service and then click deploy.

  3. Specify the service deployment details:

    • Enter the service deployment name.

    • In the Compute Manager field, select the vCenter (Bitdefender SVA).

    • In the Cluster field, select the cluster where the service needs to be deployed.

    • In the Data Store field, you can select a data store where the SVA disk can be stored.

      For more information, refer to VMware Docs.

    • Under the Network column, click Edit Details to configure the Management Network interface.

      A configuration window appears where you can configure the network/distributed switch to use for the management NIC and the network type.

    • In the Deployment Specification field, select Bitdefender SVA – Medium.

    • In the Deployment Template field, select Bitdefender Security Server OVF Template.

  4. Click Save.

    The Bitdefender Security Server is deployed.

Configure NSX Groups

NSX uses groups as the source and destination of a service profile rule. Create groups in NSX Manager for protected VMs, unprotected VMs and affected (quarantined) VMs.

In this section, you will find out how to create and define group membership:

Protected VMs Group

Create a group for protected VMs.

  1. In NSX Manager, go to the Inventory page and click Groups.

  2. Click ADD GROUP to configure the group.

  3. Specify the group details:

    • Enter the security group name.

    • Under the Compute Members, click Set Members to define membership of the group:

      1. Go to the Members tab and select a group from the Category drop-down menu.

      2. Select the nodes that should be protected.

      3. Click APPLY.


        For more information, refer to the following VMware Docs article.

  4. Click SAVE.

    The group for the protected VMs is now added.

Unprotected VMs Group

To create a group and define membership for unprotected VMs, follow the previous steps 1-4 from Protected VMs Group.

Affected VMs Group

Create a group for affected VMs and name it Quarantine.

  1. In NSX Manager, go to the Inventory page and click Groups.

  2. Click ADD GROUP to configure the group.

  3. Specify the group details:

    • Enter the security group name.

    • Under the Compute Members, click Set Members to define membership of the group:

      1. Go to the Membership Criteria tab and click ADD CRITERIA.

      2. In the third column, select Contains.

      3. In the Scope field, enter the following tag:

        ANTI_VIRUS

      4. Click APPLY.


        For more information, refer to the following VMware Docs article.

  4. Click SAVE.

    The group for the quarantined VMs is now added.

Create GravityZone security policy

Create and configure security policy in Control Center.

  1. In Control Center, go to the Policies page.

  2. Click Add to configure a policy.

  3. Enter a name for your policy.

  4. Configure the policy settings as needed.


    Note

    Only Antimalware settings are applicable to NSX-T integrations.

  5. Go to NSX and select the associated check box to set its visibility in NSX-T Manager.


    The GravityZone policy is visible in NSX-T Manager under the Vendor Template column, when you add a Service Profile.

  6. Click Save.

Configure and apply endpoint protection to guest VMs

NSX enforces Guest Introspection policies (the GravityZone security policy) when a Service Profile is available. To apply endpoint protection to guest VMs, you need to create a Service Profile and associate it with a VM group through a policy rule.

Configure endpoint protection for guest VMs as follows:

Create a Service Profile

Add a Service Profile in NSX Manager.

  1. In NSX Manager, go to the Security page and click on Configuration tab.

  2. Navigate to the Endpoint Protection tab and go to SERVICE PROFILES.

  3. In the Partner Service drop-down select Bitdefender and then click ADD SERVICE PROFILE.

  4. Specify the Service Profile details:

    • Enter the Service Profile name.

    • Select the vendor template (GravityZone security policy).

  5. Click Save.


    The Service Profile is now added.

Create and publish a policy rule

Create a policy for your VM group. To associate a VM group that needs to be protected with a specific service profile, you need to create a policy rule.

  1. In NSX Manager, go to the Security page and click on Configuration tab.

  2. Navigate to the Endpoint Protection tab and go to RULES.

  3. Click ADD POLICY.

  4. Enter a policy name.

  5. Click the three vertical dots to open the dropdown menu.

  6. Click Add Rule.

  7. Enter a policy rule name.

  8. Under the Groups column, click the edit icon to set VM groups:

    • In the table, select a VM group for this rule.

    • Click APPLY.

  9. Under the Service Profiles column, click the edit icon to map the Service Profile to your VM groups.

    In the table, select the Service Profile and click SAVE.

  10. Click PUBLISH to apply endpoint protection to your guest VMs.

VMware NSX-V

Upgrade VMware environments protected with GravityZone from vCNS to NSX

This section describes the upgrade procedure from VMware vShield to NSX.

This information helps the Bitdefender Enterprise Support team to investigate and resolve the issues you encountered with upgrading from vShield to NSX.

Bitdefender GravityZone continues to protect VMware environments after upgrading from vCNS to NSX, making this a safe experience. To make sure your network remains secured, follow these steps:

  1. Update the Bitdefender GravityZone Virtual Appliance to a version higher than 5.1.25-526. This way, you will be able to integrate GravityZone with NSX.

  2. Uninstall Bitdefender Tools from all Windows/Linux machines in your network.

    Note

    After the update, all File and Process exclusions will no longer work on Windows/Linux machines.

  3. Uninstall all Bitdefender Security Server deployments. In VMware NSX, all of them are managed through vSphere Web Console and not through GravityZone Control Center.

  4. Migrate your VMware environment to NSX. Choose your preferred method:

    1. Install NSX over the existing vCNS, following the instructions described in NSX Upgrade Guide for vShield Endpoint (English).

      Note

      Carefully follow the "Upgrade to Guest Introspection in NSX for vShield Endpoint" section, as it is a very important step.

    2. Completely remove vCNS and deploy a clean NSX environment:

      1. Uninstall vShield components by following the instructions described in the "Uninstalling vShield Components" chapter of vShield Installation and Upgrade Guide (English).

      2. Remove the vShield plug-in from vCenter, using the guidelines in the KB article Removing or Disabling unwanted plug-ins from vCenter Server and vCenter Server Appliance (English).

      3. Deploy NSX, following the instructions from the Installation Guide (English).

  5. Go to the GravityZone Control Center > Configuration page and select the Virtualization tab.

  6. Edit the existing vCenter with vShield integration by clicking the corresponding Edit button in the Actions column.

  7. In the configuration window, under the Protection section, select NSX.

  8. Complete the Bitdefender integration with NSX. For more information, refer to the "Installing Protection > Configure Control Center Settings > Virtualization > Integrating with vCenter Server" section of GravityZone Installation Guide.

    Note

    You can find the Installation Guide link in the Help & Support page of Control Center.

VMware vCenter

Integrate with vCenter Server

You can integrate GravityZone with one or multiple vCenter Server systems.

vCenter Server systems in Linked Mode must be added separately to Control Center.

To set up integration with a vCenter Server:

  1. Go to the Configuration page in Control Center and navigate to Virtualization Providers > Management Platforms.

  2. Click the Add button at the upper side of the table and choose vCenter Server from the menu. A configuration window will appear.

  3. Specify the vCenter Server details.

    • Name of the vCenter Server system in Control Center

    • Hostname or IP address of the vCenter Server system

    • vCenter Server port (default 443)

  4. Specify the credentials to be used to authenticate with the vCenter Server.

    You can choose to use the credentials provided for integration with Active Directory or a different set of credentials.

    The user whose credentials you provide must have root or administrator permissions on the vCenter Server.

  5. Choose the VMware platform installed in your environment and configure the settings accordingly:

    • None. Select this option for NSX-T or if no VMware-specific platform is installed, then click Save. The integration requires you to accept the self-signed security certificate.

      To configure NSX-T Manager integration and apply endpoint protection to your VMs through GravityZone Guest Introspection policy, refer to Manage endpoint protection in VMware NSX-T.

    • vShield. Specify the details of the vShield Manager system integrated with the vCenter Server.

      • Hostname or IP address of the vShield Manager system

      • vShield Manager port (default 443)

    • NSX-V. Specify the details of the NSX Manager integrated with the vCenter Server.

      Note

      To upgrade from VMware vShield to NSX, refer to Upgrade VMware environments protected with GravityZone from vCNS to NSX.

      • Hostname or IP address of the NSX Manager

      • NSX Manager port (default 443)

      • Username and password used to authenticate on NSX Manager.

        These credentials will be saved on the protected entity, not in Credentials Manager.

      • Select the Tag if a virus is found check box to use the default NSX security tags when malware is found on the virtual machine.

        A machine may be tagged with three different security tags, depending on the risk level of the threat:

        • ANTI_VIRUS.VirusFound.threat=low, applied to the machine when Bitdefender finds low-risk malware that it can delete.

        • ANTI_VIRUS.VirusFound.threat=medium, applied to the machine when Bitdefender cannot delete the infected files but disinfects them instead.

        • ANTI_VIRUS.VirusFound.threat=high, applied to the machine when Bitdefender can neither delete nor disinfect the infected files, but blocks access to them.

        When threats of different risk levels are detected on the same machine, all associated tags are applied. For example, a machine on which both high-risk and low-risk malware were found will carry both security tags.

        Note

        You can find the security tags in VMware vSphere, under Networking & Security > NSX Managers > NSX Manager > Manage > Security Tags tab.

        Though you can create as many tags as you want, only the three mentioned tags work with Bitdefender.

  6. Restrict policy assignment from the network view. Use this option to control the network administrators' permission to change virtual machine policies via the Computers and Virtual Machines view in the Network page. When this option is selected, administrators can change virtual machine policies only from the Virtual Machines view of the network inventory.

  7. Click Save. You will be asked to accept the security certificates for vCenter Server and NSX Manager. These certificates secure the communication between GravityZone and the VMware components, mitigating the risk of man-in-the-middle attacks.

    You can verify if the correct certificates were installed by checking the browser's site information for each VMware component against the certificate information displayed in Control Center.

  8. Select the check boxes to accept using the certificates.

  9. Click Save. You will be able to view the vCenter Server in the active integrations list.

  10. If you use the NSX-V platform:

    1. Go to the Update > Components tab.

    2. Download and then publish the Security Server (VMware with NSX) package. For more information on how to update GravityZone components, refer to Update GravityZone.

    3. Go to the Configuration > Virtualization Providers tab.

    4. In the Action column, click the Register button corresponding to the vCenter integrated with NSX to register the Bitdefender service with VMware NSX Manager.

    Warning

    When the security certificate is expired and the vCenter tries to synchronize, a pop-up will prompt you to update it. Enter the configuration window of the vCenter Server integration, click Save, accept the new certificates and then click Save again.

    After registration, Bitdefender adds the following to the VMware vSphere console:

    • Bitdefender service

    • Bitdefender service manager

    • Three new default service profiles for permissive, normal and aggressive scanning modes.

      Note

      You can view these service profiles also in the Policies page of Control Center. Click the Columns button at the upper-right side of the right pane to view additional information.

Finally, you can see that the vCenter Server is synchronizing. Wait a couple of minutes until synchronization finishes.
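The certificate check in step 7 (comparing the certificate a VMware component serves against the one Control Center displays) and the expired-certificate warning in step 10 both come down to reading the certificate actually presented on the component's HTTPS port. The script below is an added example, not Bitdefender's or VMware's code: it fetches the leaf certificate from a vCenter Server or NSX Manager port (default 443, as in the integration settings) and reports its SHA-256 fingerprint so it can be compared out of band with the fingerprint shown in Control Center or in the browser's site information. The hostnames and expected fingerprints are placeholders you supply on the command line; the PEM constant is a constructed stand-in, not a real certificate, used only to exercise the fingerprint handling offline.

```python
import hashlib
import socket
import ssl
import sys

# Constructed stand-in, NOT a real certificate: the PEM body is base64 of the
# bytes b"hello". It only exercises the PEM/DER handling and fingerprint
# formatting offline; real certificates come from fetch_server_cert_der().
CONSTRUCTED_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "aGVsbG8=\n"
    "-----END CERTIFICATE-----\n"
)


def pem_to_der(pem: str) -> bytes:
    """Decode a PEM certificate block into its DER bytes."""
    return ssl.PEM_cert_to_DER_cert(pem)


def fingerprint_sha256(der: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate in the colon-separated,
    upper-case form that browsers and management consoles commonly display."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_fingerprint(value: str) -> str:
    """Strip separators and case so a fingerprint pasted from any UI compares reliably."""
    return "".join(ch for ch in value.upper() if ch in "0123456789ABCDEF")


def fingerprint_matches(der: bytes, expected: str) -> bool:
    """True when the served certificate's fingerprint equals the expected one."""
    return normalize_fingerprint(fingerprint_sha256(der)) == normalize_fingerprint(expected)


def fetch_server_cert_der(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Fetch the leaf certificate a vCenter Server or NSX Manager presents on
    its HTTPS port.

    Chain verification is deliberately disabled here: the goal is to read the
    certificate that is actually being served, self-signed or not, and compare
    its fingerprint out of band. Do not reuse this context for real traffic.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def check_component(host: str, port: int, expected: str) -> bool:
    """Fetch one component's certificate, print its fingerprint, and compare."""
    der = fetch_server_cert_der(host, port)
    ok = fingerprint_matches(der, expected)
    print(f"{host}:{port} SHA-256 {fingerprint_sha256(der)} -> {'MATCH' if ok else 'MISMATCH'}")
    return ok


if __name__ == "__main__":
    # Usage (placeholder hosts):
    #   python check_vmware_certs.py vcenter.example.test:443 <expected-fp> \
    #                                nsxmgr.example.test:443 <expected-fp>
    args = sys.argv[1:]
    if not args or len(args) % 2:
        sys.exit("expected pairs of host[:port] expected-fingerprint")
    all_ok = True
    for target, expected in zip(args[::2], args[1::2]):
        host, _, port = target.partition(":")
        all_ok &= check_component(host, int(port or 443), expected)
    sys.exit(0 if all_ok else 1)
```

Run it once after accepting the certificates in step 8 and record the fingerprints; running it again when the synchronization pop-up from step 10 appears tells you whether the component's certificate really changed before you accept the new one.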

Protect VDIs when using VMware Horizon View and GravityZone SVE

This section explains how to protect the Virtual Desktop Infrastructure (VDI) in a VMware environment using VMware Horizon View and GravityZone Security for Virtualized Environments, with or without vShield.

Without vShield

Overview

VMware Horizon View delivers desktop services from your datacenter to enable end-user freedom and IT management and control.

Desktop and application virtualization offers IT a more streamlined, secure way to manage users and provide agile, on-demand desktop services.

Bitdefender GravityZone Security for Virtualized Environments (SVE) is an all-encompassing security solution for virtualized datacenters, protecting virtualized servers and desktops on Windows, Linux, and Solaris systems.

GravityZone SVE offers protection through Security Server and BEST. Security Server is a dedicated virtual machine that de-duplicates and centralizes most of the antimalware functionality of antimalware clients, acting as a scan server. BEST is the component to be installed on the virtual machines you want to protect.

Prerequisites

The prerequisites for GravityZone SVE are:

  • ESXi host;

  • vCenter Server;

  • Control Center with GravityZone SVE service;

  • Security Server (VMware version) deployed on at least one ESXi host;

  • BEST installed on golden image.

How to protect the VDIs

You can also use SVE in a VMware environment where vShield Endpoint is not installed. In a non-vShield VMware environment, you must install BEST on every virtual machine.

BEST offloads anti-malware processing to the Security Server via TCP/IP. Network load will be at a minimum level due to the BEST local cache and the centralized cache on the Security Server. BEST employs a local cache that is prepopulated based on its environment variables; this way it is able to offload the scanning of only what is required while excluding objects that are safe.

Note

When using GravityZone SVE in a non-vShield VMware environment, there is no need to deploy a Security Server on each ESXi host.

To protect the VDIs, follow the next steps:

  1. Integrate Control Center with vCenter:

    1. Open GravityZone Control Center.

    2. Go to the Configuration page.

    3. Select the Virtualization tab.

    4. Click the Add button from the upper left side of the table and choose vCenter Server from the menu.

  2. Install Security Server on ESXi hosts.

    1. Go to the Network page and select Virtual Machines service.

    2. Select the host(s) on which you deploy the Security Server.

    3. Right-click to access the contextual menu and select the Tasks > Install Security Server option. The Security Server Installation window appears.

    4. In the General tab, select one of the following options:

      • Use common settings for all Security Servers. Using this option while deploying multiple Security Server instances requires the target hosts to share the same storage and have identical hardware specs. In addition, all security servers will be part of the same management network segment and they will be automatically configured by DHCP.

        Note: If DHCP is used, make sure all IPs assigned to Security Servers are reserved.

      • Configure each Security Server differently. This option allows you to have different values for each setting of the Security Servers.

    5. Click Next to configure the Security Server instance(s):

      • Name – The name of the Security Server which will appear in VMware Inventory.

      • Deploy Container – the vCenter server parent container for the new Security Server.

      • Provisioning – the VMDK provisioning type.

      • Consolidation – the hardware resource allocation. If the Custom level is selected, the administrator can specify the amount of CPU and Memory.

      • Set Administrative Password – at the time of the deployment the administrator can change the Security Server root password. If this option is not selected, the root account will have the default password and the only way this can be changed later is by accessing the VM's console.

      • Timezone – the time zone setting. Clock is automatically synchronized by the ntpd service.

      • Network Settings – the VMs management network settings.

    6. After all the configurations are done, if you have different settings for your Security Servers, click Next to proceed with the next instance, otherwise click Save. The deployment task starts.

      Note

      You can view the deployment task progress in the Network > Tasks page. Check the task status by clicking the link in the Status column. After the deployment task reaches the status In progress 100%, the new Security Server is powered on and the boot process starts. Allow up to 3 minutes for the boot operation to complete. The deployment task displays the Finished status after the management agent on the Security Server synchronizes with GravityZone for the first time, notifying the administrator that the new Security Server is operational.

  3. Create a virtual machine (with Windows 7 for example) with all the programs needed by users.

  4. Deploy BEST on this new virtual machine:

    1. Select the VM on which you deploy BEST.

    2. Right-click to access the contextual menu and select the Tasks > Install option. The BEST Installation window appears.

    3. Under the Credentials Manager section, specify the administrative credentials required for remote authentication on the virtual machine.

      Note

      If using VMware Horizon View Persona Management, it is recommended to configure Active Directory Group Policy to exclude the following Bitdefender processes (without the full path):

      • bdredline.exe

      • epag.exe

      • epconsole.exe

      • epintegrationservice.exe

      • epprotectedservice.exe

      • epsecurityservice.exe

      • epupdateservice.exe

      • epupdateserver.exe

      For details, refer to this VMware Horizon documentation page.

  5. Configure the VMware Horizon View: connect to VMware Horizon View Administrator and create the pools for the VDIs.

  6. Once VMware Horizon View is configured and a user tries to connect from a VMware View Client to a VDI, new Virtual Desktops are created.

  7. All the VDIs from VMware Horizon View will be protected.

    To be sure that the VDIs are protected, you can do the following checks:

    • Try an EICAR test. Copy the 68-byte EICAR string into a .txt file and save it. If the VDI is protected, the .txt file will be empty when you reopen it. The charts on the Control Center Dashboard and Reports page will also show the malware presence on the VDI.

    • On the Security Server you can check if your VDI is connected to it. The connection should be established on port 7081.

      netstat | grep ESTABLISHED

      tcp6 0 0 gz2svamp.tstlabs:7081 vdi-01.tstlabs.bi:65299 ESTABLISHED

      tcp6 0 0 gz2svamp.tstlabs:7081 vdi-02.tstlabs.bi:64235 ESTABLISHED
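The netstat check above tells you which VDIs currently hold a scan connection to the Security Server, but on a pool of any size you really want the inverse: which of the desktops you expect to be protected are missing. The script below is an added example, not Bitdefender's code. It parses netstat output in the layout shown above, keeps only ESTABLISHED connections to the Security Server's port 7081 (so SSH sessions and half-closed TIME_WAIT sockets are ignored), and reports expected VDIs that have no connection. The sample output is constructed, modelled on the page's lines with placeholder hostnames; the `live_netstat` helper assumes `netstat` is available on the Security Server, as the page's own check does.

```python
import subprocess
from typing import List

SECURITY_SERVER_SCAN_PORT = 7081  # port the page says BEST connects to

# Constructed sample in the layout of `netstat -t` on the Security Server.
# Hostnames are placeholders modelled on the page's output, not real hosts.
NETSTAT_SAMPLE = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp6       0      0 gz2svamp.tstlabs:7081   vdi-01.tstlabs.bi:65299 ESTABLISHED
tcp6       0      0 gz2svamp.tstlabs:7081   vdi-02.tstlabs.bi:64235 ESTABLISHED
tcp        0      0 gz2svamp.tstlabs:ssh    admin-ws.tstlabs:51022  ESTABLISHED
tcp6       0      0 gz2svamp.tstlabs:7081   vdi-03.tstlabs.bi:50112 TIME_WAIT
"""


def connected_vdis(netstat_output: str,
                   scan_port: int = SECURITY_SERVER_SCAN_PORT) -> List[str]:
    """Return the distinct peer hosts with an ESTABLISHED connection to the
    scan port, in order of first appearance.

    Only rows whose local address ends in ":<scan_port>" count, so SSH or
    other sessions on the Security Server are ignored, as are half-closed
    (TIME_WAIT, CLOSE_WAIT) scan connections. Header lines never end in
    ESTABLISHED, so they are skipped by the same test."""
    peers: List[str] = []
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[-1] != "ESTABLISHED":
            continue
        local, remote = fields[3], fields[4]
        if not local.endswith(f":{scan_port}"):
            continue
        host = remote.rsplit(":", 1)[0]  # drop the ephemeral port; safe for IPv6 too
        if host not in peers:
            peers.append(host)
    return peers


def missing_vdis(expected: List[str], netstat_output: str,
                 scan_port: int = SECURITY_SERVER_SCAN_PORT) -> List[str]:
    """VDIs from the expected list that currently have no scan connection."""
    connected = set(connected_vdis(netstat_output, scan_port))
    return [host for host in expected if host not in connected]


def live_netstat() -> str:
    """Run netstat on the Security Server itself; `netstat -t` lists TCP
    sockets with resolved names, like the output quoted on the page."""
    return subprocess.run(["netstat", "-t"], capture_output=True,
                          text=True, check=True).stdout


if __name__ == "__main__":
    import sys
    expected = sys.argv[1:]  # VDI hostnames you expect to be protected
    output = live_netstat()
    for host in connected_vdis(output):
        print(f"connected:     {host}")
    for host in missing_vdis(expected, output):
        print(f"NOT connected: {host}")
```

Note that netstat truncates long resolved names to fit its columns (the page's `vdi-01.tstlabs.bi` is such a truncation), so pass expected names in the same truncated form, or run `netstat -tn` and compare IP addresses instead.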

With vShield

Overview

VMware Horizon View delivers desktop services from your datacenter to enable end-user freedom and IT management and control.

Desktop and application virtualization offers IT a more streamlined, secure way to manage users and provide agile, on-demand desktop services.

Bitdefender GravityZone Security for Virtualized Environments (SVE) is an all-encompassing security solution for virtualized datacenters, protecting virtualized servers and desktops on Windows, Linux, and Solaris systems.

GravityZone SVE offers protection through Security Server and Bitdefender Tools. Security Server is a dedicated virtual machine that de-duplicates and centralizes most of the antimalware functionality of antimalware clients, acting as a scan server. Bitdefender Tools is the component to be installed on the virtual machines you want to protect.

GravityZone SVE can be used in VMware environment with vShield Endpoint. When installed in VMware vSphere environments, SVE takes advantage of the vShield Endpoint integration to provide agentless antimalware introspection. vShield Endpoint offloads anti-malware agent processing to the dedicated Security Server.

Using the vShield Endpoint driver installed on the ESXi host and vShield Thin Agent installed by VMware tools on every VM, the Security Server scans each guest VM, providing an agentless service.

Requirements

To use the vShield Endpoint Thin Agent, ensure the guest virtual machine runs a supported version of Windows. The Windows operating system versions supported for vShield Endpoint are:

  • Windows XP (32-bit)

  • Windows Vista (32-bit)

  • Windows 7 (32-bit, 64-bit)

  • Windows 8 (32-bit, 64-bit) (vSphere 5.5 only)

  • Windows 2003 (32-bit, 64-bit)

  • Windows 2003 R2 (32-bit, 64-bit)

  • Windows 2008 (32-bit, 64-bit)

  • Windows 2008 R2 (32-bit, 64-bit)

  • Windows 2012 (32-bit, 64-bit) (vSphere 5.5 only)

Note

  • Windows 8 and Windows 2012 are supported guest operating systems in vSphere 5.5, but the ReFS file system is not supported.

  • Ensure the Thin Agent and the virtual machine are both either 32 or 64 bit versions. You cannot mix the two versions.

  • Windows 2012 R2 and Windows 8.1 are currently not supported Guest operating systems for vShield Endpoint.

  • A SCSI controller is only needed for vShield Endpoint version 1.0: ensure the guest virtual machine has a SCSI controller installed for vShield Endpoint 1.0. Later versions of vShield Endpoint do not require a SCSI controller.

Prerequisites

The prerequisites for GravityZone SVE integrated with vShield are:

  • ESXi host;

  • vCenter Server;

  • vShield Manager with vShield Endpoint installed;

  • vShield Thin Agent installed in golden image;

  • GravityZone SVE service available in Control Center;

  • Security Server (VMware with vShield) deployed on each ESXi Host;

To protect Linux VMs, you need to deploy Bitdefender Tools on those systems to offload anti-malware processing to the Security Server.

With the vShield Endpoint Thin Agent, only file scanning is available. The user is not notified about detected malware or about the actions taken on files, such as deletion.

Using GravityZone SVE in VMware environment with vShield, you will have to deploy a Security Server on each ESXi Host.

How to protect the VDIs

To protect the VDIs, follow the next steps:

  1. Integrate Control Center with vCenter:

    1. Open GravityZone Control Center.

    2. Go to the Configuration page.

    3. Select the Virtualization Tab.

    4. Click the Add button from the upper left side of the table and choose vCenter Server from the menu.

  2. Install Security Server on ESXi hosts.

    1. Go to the Network page and select Virtual Machines service.

    2. Select the host(s) on which you deploy the Security Server.

    3. Right-click to access the contextual menu and select the Tasks > Install Security Server option. The Security Server Installation window appears.

    4. In the General section, select one of the following options:

      • Use common settings for all Security Servers. Using this option while deploying multiple Security Server instances requires the target hosts to share the same storage and have identical hardware specs. In addition, all security servers will be part of the same management network segment and they will be automatically configured by DHCP.

        Note: If DHCP is used, make sure all IPs assigned to Security Servers are reserved.

      • Configure each Security Server differently. This option allows you to have different values for each setting of the Security Servers.

    5. Click Next to configure the Security Server instances:

      • Name – The name of the Security Server which will appear in VMware Inventory.

      • Deploy Container – the vCenter server parent container for the new Security Server.

      • Provisioning – the VMDK provisioning type.

      • Consolidation – the hardware resource allocation. If the Custom level is selected, the administrator can specify the amount of CPU and Memory.

      • Set Administrative Password – at the time of the deployment you can change the Security Server root password. If this option is not selected, the root account will have the default password. Later, the only way to change the password is by accessing the VM’s console.

      • Timezone – the time zone setting. Clock is automatically synchronized by the NTPD service.

      • Network Settings – the VMs management network settings.

    6. After all the configurations are done, if you have different settings for your Security Servers, click Next to proceed with the next instance, otherwise click Save and the deployment task starts.

      Note

      You can view the deployment task progress in the Network > Tasks page. Check the task status by clicking the link in the Status column. After the deployment task reaches the status In progress 100%, the new Security Server is powered on and the boot process starts. Allow up to 3 minutes for the boot operation to complete. The deployment task displays the Finished status after the management agent on the Security Server synchronizes with GravityZone for the first time, notifying the administrator that the new Security Server is operational.

  3. Create a virtual machine (with Windows 7 for example) with all the programs needed by users.

    Note

    For VMware environment with vShield, you can use agentless protection.

  4. Configure the VMware Horizon View: connect to VMware Horizon View Administrator and create the pools for the VDIs.

  5. Once VMware Horizon View is configured and a user tries to connect from a VMware View Client to a VDI, new Virtual Desktops are created.

  6. All the VDIs from VMware Horizon View will be protected.

    To be sure that the VDIs are protected, you can do the following checks:

    • Verify that the GravityZone Security Server is registered in vShield Manager:

      1. Open the web console of vShield Manager.

      2. On the host's Summary tab, at Service Virtual Machines, you should see the name of the Security Server.

    • Verify if vShield Thin Agent is running:

      1. Open a VDI.

      2. In a Command Prompt window, run the following command:

        sc query vsepflt

      3. The output should list the vsepflt service with its STATE reported as RUNNING.
    • Verify if VDI is protected with an EICAR test:

      1. Copy the 68-byte EICAR string into a .txt file and save it.

      2. If the VDI is protected, the .txt file will be empty when you reopen it. The charts on the Control Center Dashboard and Reports page will also show the malware presence on the VDI.

Manage platform integrations

To edit or update a platform integration:

  1. In Control Center, go to the Configuration > Virtualization Providers tab.

  2. Click the Edit button in the Action column.

  3. Configure the integration settings as needed. For more information, refer to the individual integration guides in this chapter.

  4. Click Save. Wait a couple of minutes until the server re-syncs.

Nutanix Prism Element, Amazon EC2 and Microsoft Azure integrations are automatically synchronized every 15 minutes. You can manually synchronize an integration at any time, as follows:

  1. In Control Center, go to the Configuration > Virtualization Providers tab.

  2. Click the Resync Inventory button in the Action column.

  3. Click Yes to confirm the action.

The Resync Inventory button is especially useful when the integration status changes and requires synchronization, as in the following situations:

  • For the Nutanix Prism Element integration:

    • The user has no more administrative privileges in the inventory.

    • The user becomes invalid (changed or deleted password).

    • The security certificate becomes invalid.

    • There is a connection error.

    • A host is added or removed in the Nutanix Prism Element cluster.

  • For the Microsoft Azure integration:

    • A subscription is added or removed in Microsoft Azure.

    • Virtual machines are added or removed in the Microsoft Azure inventory.

You can also synchronize the integration by clicking the Edit button, then clicking Save.

To remove a vShield, XenServer, Nutanix Prism Element, Amazon EC2 or Microsoft Azure integration:

  1. In Control Center, go to the Configuration > Virtualization Providers tab.

  2. Click the Delete button in the Action column, corresponding to the integration to be removed.

  3. Click Yes to confirm the action.

To remove an NSX integration:

  1. Log in to VMware vSphere console and delete all Bitdefender policies and Security Servers.

  2. In Control Center, go to the Configuration > Virtualization Providers tab.

  3. In the Action column, corresponding to the integration to be removed, click Unregister and then Delete.

  4. Click Yes to confirm the action.

To make sure the latest information is being displayed, click the Refresh button at the upper side of the table.