GravityZone platform

To make sure installation goes smoothly, follow these steps:

GravityZone Control Center is installed and hosted on Bitdefender servers. To access it, go to https://gravityzone.bitdefender.com.

Prepare for installation

For installation, you need a GravityZone virtual appliance image.

After you deploy and set up the GravityZone appliance, you can remotely install the client or download the necessary installation packages for all security services components from the Control Center web interface.

The GravityZone appliance image is available in several different formats, compatible with the main virtualization platforms.

You can obtain the download links by registering for a trial on the Bitdefender website. When filling out the required form, select one of these on-premises products: Bitdefender Security for Virtualized Environments, Bitdefender GravityZone Security for Endpoints, Bitdefender GravityZone Security for Exchange, Bitdefender GravityZone Security for Mobile.

You can obtain the license key by making an inquiry on the Bitdefender Business Products Inquiry website.

For installation and initial setup, you must have the following at hand:

DNS names or fixed IP addresses (either by static configuration or via a DHCP reservation) for the GravityZone appliances
Username and password of a domain administrator
vCenter Server, NSX Manager, XenServer details (hostname or IP address, communication port, administrator username and password)
vCenter Server, XenServer details (hostname or IP address, communication port, administrator username and password)
License keys (check the trial registration or purchase email)
Outgoing mail server settings
If needed, proxy server settings
Security certificates

Deploy and set up GravityZone VA

A GravityZone deployment consists of one or several virtual appliances running the server roles. The number of appliances depends on various criteria, such as: the size and design of your network infrastructure, or the GravityZone features you will use. Server roles are of three types: basic, auxiliary and optional.

Important

Auxiliary and optional roles are available only to certain GravityZone solutions.

GravityZone Role	Role Type	Deployment
Database Server Update Server Web Console Communication Server	Basic (Required)	At least one instance of each role. A GravityZone appliance can run one, several or all of these roles.
Report Builder Database Report Builder Processors Incidents Sensor	Auxiliary	One appliance for each role
Security Server	Optional	Recommended only in small networks or if low on resources. Otherwise, deploy a stand-alone Security Server from Control Center, after GravityZone deployment is complete.

GravityZone Role

Role Type

Deployment

Database Server

Update Server

Web Console

Communication Server

Basic (Required)

At least one instance of each role.

A GravityZone appliance can run one, several or all of these roles.

Report Builder Database

Report Builder Processors

Incidents Sensor

Auxiliary

One appliance for each role

Security Server

Optional

Recommended only in small networks or if low on resources. Otherwise, deploy a stand-alone Security Server from Control Center, after GravityZone deployment is complete.

Depending on how you distribute the GravityZone roles, you will deploy one or more GravityZone appliances (at least three appliances if you use Report Builder). The Database Server is the first to be installed.

Note

Report Builder is only available with certain GravityZone products.

In a scenario with multiple GravityZone appliances, you will install the Database Server role on the first appliance and configure all other appliances to connect to the existing database instance.

You can deploy more instances of Database Server, Web Console, and Communication Server roles. In this case, you will use Replica Set for Database Server, and load balancers for Web Console and Communication Server on the GravityZone appliances.

It is recommended to install the Report Builder roles after you set up GravityZone, meaning: installing the basic GravityZone roles, configuring Control Center, updating GravityZone, and deploying protection on endpoints. Also, you need to first install Report Builder Database, followed by Report Builder Processors.

To deploy and set up GravityZone:

Download the GravityZone virtual appliance image from the Bitdefender website (link provided in registration or purchase email).
Import the GravityZone virtual appliance image in your virtualized environment.
Power on the appliance.
From your virtualization management tool, access the console interface of the GravityZone appliance.
Configure the password for bdadmin, the built-in system administrator.
Log in with the password you have just set.
You will access the appliance configuration interface.
Use the arrow keys and the Tab key to navigate through menus and options. Press Enter to select a specific option.
If you need to change the interface language, select the option Configure Language. For configuration details, refer to Configure Language.
Configure the appliance hostname.
Configure the network settings.
Configure the proxy settings (if needed).
Install the GravityZone server roles. You have two options:
- Automatic Installation. Select this option if you need to deploy only one GravityZone appliance in your network.
- Advanced Settings. Select this option if you need to deploy GravityZone manually or in a distributed architecture.
Configure language.

After deploying and setting-up the GravityZone appliance, you can anytime edit the appliance settings using the configuration interface. For more information regarding the GravityZone appliance configuration, refer to Managing the GravityZoneAppliance.

Configure hostname settings

Communication with the GravityZone roles is performed using the IP address or DNS name of the appliance they are installed on. By default, the GravityZone components communicate using IP addresses. If you want to enable communication via DNS names, you must configure GravityZone appliances with a DNS name and make sure it correctly resolves to the configured IP address of the appliance.

Prerequisites:

Configure the DNS record in the DNS server.
The DNS name must correctly resolve to the configured IP address of the appliance. Therefore, you must make sure the appliance is configured with the correct IP address.

To configure the hostname settings:

From the main menu, select Configure Hostname Settings.
Enter the hostname of the appliance and the Active Directory domain name (if needed).
Select OK to save the changes.

Configure network settings

You can configure the appliance to automatically obtain network settings from the DHCP server or you can manually configure network settings. If you choose to use DHCP, you must configure the DHCP Server to reserve a specific IP address for the appliance.

From the main menu, select Configure Network Settings.
Select the network interface.
Select the configuration method:
- Configure network settings manually
  You must specify the IP address, network mask, gateway address and DNS server addresses.
- Obtain network settings automatically via DHCP
  Use this option only if you have configured the DHCP Server to reserve a specific IP address for the appliance.
You can check current IP configuration details or link status by selecting the corresponding options.

Configure proxy settings

If you want the appliance to connect to the Internet through a proxy server, you must configure the proxy settings.

From the main menu, select Configure Proxy Settings.
Select Show proxy information to check if proxy is enabled.
Select OK to return to the previous screen.
Select again Configure proxy settings.
Enter the proxy server address.
Use the following syntax:
- If the proxy server does not require authentication:
  http(s)://<IP/hostname>:<port>
- If the proxy server requires authentication:
  http(s)://<username>:<password>@<IP/hostname>:<port>
Select OK to save the changes.

Automatic installation

During automatic installation all basic roles install on the same appliance. For a distributed GravityZone deployment, refer to Advanced settings.

Important

Automatic deployment will also install the Security Server, embedded into the GravityZone appliance. For information about Security Server, refer to GravityZone Architecture.

If your license type restricts its use, you can remove this role afterwards.

The option to install roles automatically is available only at the initial setup of GravityZone.

To install the roles automatically:

From the main menu, select Automatic Installation.
Read and accept the End User License Agreement (EULA) to continue.
Confirm the roles to be installed.
Set the password for the Database Server.
The password can contain any combination of ASCII characters and must be 6 to 32 characters in length, including at least one digit, one uppercase, one lowercase and one special character.
Wait until installation process is complete.

Advanced settings

Use this option to install only a part or all of the GravityZone roles, individually, or to extend your GravityZone infrastructure. You can install the roles on one or more appliances. This installation method is required when staging updates or in distributed GravityZone architectures to scale GravityZone in large networks and to ensure high availability of the GravityZone services.

To install the roles individually:

From the main menu, select Advanced Settings.
Select Install/Uninstall Roles to install the appliance in a GravityZone environment with a single database server.
Note
The other options are for extending the GravityZone deployment to a distributed architecture. For more information, refer to Connect to Existing Database or to Connect to Existing Database (Secure VPN Cluster).
Select Add or remove roles. A confirmation message will appear.
Press Enter to continue.
Press the Space bar and then the Enter key to install the Database Server role. You must confirm your choice by pressing Enter again.
Set the database password.
The password can contain any combination of ASCII characters and must be 6 to 32 characters in length, including at least one digit, one uppercase, one lowercase and one special character.
Press Enter and wait for the installation to complete.
Install the other roles. by choosing Add or remove roles from the Install/Uninstall Roles menu and then the roles to install.
1. Choose Add or remove roles from the Install/Uninstall Roles menu.
2. Read the End User License Agreement. Press Enter to accept and continue.
  Note
  This is required only once after installing the Database Server.
3. Select the roles to install. Press the Space bar to select a role and Enter to proceed.
4. Press Enter to confirm and then wait for the installation to complete.

Note

Each role is normally installed within a few minutes.

During installation, required files are downloaded from the Internet. Consequently, the installation takes more time if the Internet connection is slow.

If the installation hangs, redeploy the appliance.

To ensure the appliance is working correctly, it is recommended to reboot it every 70 days.

Configure language

Initially, the appliance configuration interface is in English.

To change the interface language:

Select Configure Language from the main menu.
Select the language from the available options. A confirmation message will appear.
Note
You may need to scroll down to view your language.
Select OK to save the changes.

Connect to Control Center and set up user account

After deploying and setting up the GravityZone appliance, you must access the Control Center web interface to register the GravityZone product and configure your Company Administrator account.

In the address bar of your web browser, enter the IP address or the DNS hostname of the Control Center appliance (using the https:// prefix). A configuration wizard will appear.
Provide the license key(s) required for validating the purchased GravityZone solution.
Provide the license key required for validating the GravityZone solution.
You can also provide any GravityZone add-on key you may have.
Check the trial registration or purchase email to find your license keys.
1. Click the Add button at the upper side of the table. A configuration window will appear.
2. Select the license registration type (online or offline).
3. Enter the license key in the License key field. For offline registration, you are required to provide also the registration code.
4. Wait until the license key is validated. Click Add to finish.
The license key will appear in the license table. You can also view the security service, status, expiry date and current usage for each license key in the corresponding columns.
The license key and its expiry date will appear in the license table.
Note
- During the initial setup, you must provide a valid basic license key to start using GravityZone. You can afterwards add license keys for add-ons, or to modify the existing ones.
- You can use the add-ons as long as a valid basic license is provided. Otherwise you will view the features, but you will be unable to use them.
Click Next to continue.
Fill in your company information, such as company name, address and phone.
You can change the logo displayed in Control Center and also in your company's reports and email notifications as follows:
- Click Change to browse for the image logo on your computer. The image file format must be .png or .jpg and the image size must be 200x30 pixels.
- Click Default to delete the image and reset to the image provided by Bitdefender.
Specify the required details for your company administrator account: username, email address and a password. The password must contain at least one upper case character, at least one lower case character and at least one digit or special character.
Click Create account.

The company administrator account will be created and you will automatically log on with the new account to Bitdefender Control Center.

Certificates

For your deployment to operate correctly and in a secure manner, you must create and add a number of security certificates in Control Center.

For your deployment to operate correctly and in a secure manner, you must create and add the security certificate in Control Center.

Control Center supports the following certificate formats:

PEM (.pem, .crt, .cer, .key)
DER (.der, .cer)
PKCS#7 (.p7b, .p7c)
PKCS#12 (.p12, .pfx)

Note

The following certificates are required exclusively for managing security on Apple iOS devices:

Communication Server Certificate
Apple MDM Push Certificate
iOS MDM Identity and Profile Signing Certificate
iOS MDM Trust Chain Certificate

If you do not plan to roll out iOS mobile device management, you do not need to provide these certificates.

Control Center security certificate

The Control Center Security certificate is needed to identify the Control Center web console as a trusted website in the web browser.

Control Center uses by default an SSL certificate signed by Bitdefender.

This built-in certificate is not recognized by web browsers and triggers security warnings.

To avoid browser security warnings, add an SSL certificate signed by your company or by an external Certificate Authority (CA).

To add or replace the Control Center certificate:

Go to the Configuration page and click the Certificates tab.
Click the certificate name.
Choose the certificate type (with separate or embedded private key).
Click the Add button next to the Certificate field and upload the certificate.
For certificates with separate private key, click the Add button next to the Private key field and upload the private key.
If the certificate is password protected, enter the password in the corresponding field.
Click Save.

Important

If you import certificates, they must meet the following requirements:

They are RSA certificates
They have at least 2048 bits

We do not offer supoort for certificates with that use elliptic-curve cryptography (ECC) keys.

Endpoint - Security Server communication security certificate

This certificate ensures a secure communication between the security agents and the Security Server (Multi-Platform) they have assigned.

During its deployment, the Security Server generates a default self-signed certificate. You can replace this built-in certificate by adding one of your choice in Control Center.

To add or replace an Endpoint - Security Server Communication Certificate:

Go to the Configuration page and click the Certificates tab.
Click the certificate name.
Choose the certificate type (with separate or embedded private key).
Click the Add button next to the Certificate field and upload the certificate.
For certificates with separate private key, click the Add button next to the Private key field and upload the private key.
If the certificate is password protected, enter the password in the corresponding field.
Click Save. A warning message may appear if the certificate is self-signed or expired. If expired, please renew your certificate.
Click Yes to continue uploading the certificate. Immediately after the upload finishes, Control Center sends the security certificate to the Security Servers.

If needed, you can revert to the original built-in certificate of each Security Server, as follows:

Click the certificate name in the Certificates page.
Choose No certificate (use default) as the certificate type.
Click Save.

Communication Server certificate

The Communication Server certificate is used to secure communication between the Communication Server and iOS mobile devices.

Requirements:

This SSL certificate can be signed either by your company or by an external Certificate Authority.
Warning
The certificate may be invalidated if it not issued by a public/trusted Certificate Authority (for example, self-signed certificates).
The certificate common name must match exactly the domain name or IP address used by mobile clients to connect to the Communication Server.
This is configured as the external MDM address in the configuration interface of the appliance console.
Mobile clients must trust this certificate.
For this, you must also add the iOS MDM Trust Chain.

To add or replace the Communication Server certificate:

Go to the Configuration page and click the Certificates tab.
Click the certificate name.
Choose the certificate type (with separate or embedded private key).
Click the Add button next to the Certificate field and upload the certificate.
For certificates with separate private key, click the Add button next to the Private key field and upload the private key.
If the certificate is password protected, enter the password in the corresponding field.
Click Save.

Apple MDM Push certificate

Apple requires an MDM Push certificate to ensure secure communication between the Communication Server and the Apple Push Notifications service (APNs) when sending push notifications. Push notifications are used to prompt devices to connect to the Communication Server when new tasks or policy changes are available.

Apple issues this certificate directly to your company, but requires your Certificate Signing Request (CSR) to be signed by Bitdefender. Control Center provides a wizard to help you easily obtain your Apple MDM Push certificate.

Important

You need an Apple ID to obtain and manage the certificate. If you do not have an Apple ID, you can create one on https://appleid.apple.com My Apple ID webpage. Use a generic and not an employee’s email address to register for the Apple ID, as you will need it later to renew the certificate.
Apple website does not work properly on Internet Explorer. We recommend using the latest versions of Safari or Chrome.
The Apple MDM Push certificate is valid for one year only. When the certificate is about to expire, you must renew it and import the renewed certificate to Control Center. If you allow the certificate to expire, you must create a new one and reactivate all your devices.

Adding an Apple MDM Push certificate

To obtain the Apple MDM Push certificate and import it in Control Center:

Go to the Configuration page and click the Certificates tab.
Click the certificate name and follow the wizard as described below:
1. Obtain a Certificate Signing Request signed by
  Select the appropriate option:
  - I need to generate a certificate signing request signed by (Recommended)
    Enter your company name, your full name and email address in the corresponding fields.
    Click Generate to download the CSR file signed by .
  - I already have a certificate signing request and I need to get it signed by
    Upload your CSR file and the associated private key by clicking the Add button next to their fields.
    The Communication Server needs the private key when authenticating with the APNs servers.
    Specify the password protecting the private key, if any.
    Click the Sign button to download the CSR file signed by .
2. Request a push certificate from Apple
  1. Click the Apple Push Certificates Portal link and sign in using your Apple ID and password.
  2. Click the Create a Certificate button and accept the Terms of Use.
  3. Click Choose file, select the CSR file and then click Upload.
    Note
    You may find the Choose file button with a different name such as Choose or Browse, depending on the browser you use.
  4. From the confirmation page, click the Download button to receive your MDM Push certificate.
  5. Go back to the wizard from Control Center.
3. Import the Apple push certificate
  Click the Add Certificate button to upload the certificate file from your computer.
  You may check the certificate details in the field below.
Click Save.

Renewing the Apple MDM Push certificate

To renew the Apple MDM certificate and update it in Control Center:

Go to the Configuration page and click the Certificates tab.
Click the certificate name to open the import wizard.
Obtain a Certificate Signing Request signed by . The procedure is the same as for obtaining a new certificate.
Click the Apple Push Certificates Portal link and sign in with the same Apple ID used to create the certificate.
Locate the MDM Push certificate for and click the corresponding Renew button.
Click Choose file, select the CSR file and then click Upload.
Click Download to save the certificate to your computer.
Go back to Control Center and import the new Apple push certificate.
Click Save.

iOS MDM Identity and Profile Signing certificate

The iOS MDM Identity and Profile Signing certificate is used by the Communication Server to sign identity certificates and configuration profiles sent to mobile devices.

Requirements:

It must be an Intermediate or End-Entity certificate, signed either by your company or by an external Certificate Authority.
Mobile clients must trust this certificate.
For this, you must also add the iOS MDM Trust Chain.

To add or replace the iOS MDM Identity and Profile Signing certificate:

Go to the Configuration page and click the Certificates tab.
Click the certificate name.
Choose the certificate type (with separate or embedded private key).
Click the Add button next to the Certificate field and upload the certificate.
For certificates with separate private key, click the Add button next to the Private key field and upload the private key.
If the certificate is password protected, enter the password in the corresponding field.
Click Save.

iOS MDM Trust Chain certificate

The iOS MDM Trust Chain certificates are required on mobile devices to ensure they trust the Communication Server certificate and the iOS MDM Identity and Profile Signing certificate.

The Communication Server sends this certificate to mobile devices during activation.

The iOS MDM Trust Chain must include all intermediate certificates up to the root certificate of your company or to the intermediate certificate issued by the external Certificate Authority.

To add or replace the iOS MDM Trust Chain certificates:

Go to the Configuration page and click the Certificates tab.
Click the certificate name.
Click the Add button next to the Certificate field and upload the certificate.
Click Save.

Configure Control Center settings

After the initial setup, you need to configure Control Center settings. As Company Administrator, you can do the following:

Configure mail, proxy and other general settings.
Run or schedule a Control Center database backup.
Set up integration with Active Directory and virtualization management tools (vCenter Server, XenServer).
Install security certificates.

Mail server

Control Center requires an external mail server to send email communications.

Note

It is recommended to create a dedicated mail account to be used by Control Center.

To enable Control Center to send emails:

Go to the Configuration page.
Select the Mail Server tab.
Select Mail Server Settings and configure the required settings:
- Mail server (SMTP)
  Enter the IP address or hostname of the mail server that is going to send the emails.
- Port
  Enter the port used to connect to the mail server.
- Encryption type
  If the mail server requires an encrypted connection, choose the appropriate type from the menu (SSL, TLS or STARTTLS).
- From email
  Enter the email address that you want to appear in the From field of the email (sender's email address).
- Use authentication
  Select this check box if the mail server requires authentication.
  You must specify a valid username / email address and password.
Click Save.

Control Center automatically validates the mail settings when you save them. If the provided settings cannot be validated, an error message informs you of the incorrect setting. Correct the setting and try again.

Proxy

If your company connects to the Internet through a proxy server, you must configure the proxy settings:

Go to the Configuration page.
Select the Proxy tab.
Select Use Proxy Settings and configure the required settings:
- Address - type in the IP address of the proxy server.
- Port - type in the port used to connect to the proxy server.
- Username - type in a user name recognized by the proxy.
- Password - type in the valid password of the previously specified user.
Click Save.

Miscellaneous

From the Configuration page > Miscellaneous tab you can configure the following general preferences:

When an unavailable Security Server image is needed
The GravityZone appliance does not include by default the Security Server virtual machine images.
If an administrator tries to download a Security Server image or to run a Security Server installation task, the action is going to fail.
You can configure an automated action for this situation by choosing one of the following options:
- Download the image automatically
- Notify the administrator and do not download
Note
To avoid interference with administrator's work, you can manually download the necessary Security Server packages from the Update page, on the Product Update tab.
For more information, refer to Downloading Product Updates.
When an unavailable kit is needed
You can configure an automated action for this situation by choosing one of the following options:
- Download the package automatically
- Notify the administrator and do not download
Concurrent deployments
Administrators can remotely deploy security components by running installation tasks.
Use this option to specify the maximum number of simultaneous deployments that can be performed at a time.
For example, if the maximum number of concurrent deployments is set to 10 and a remote client installation task is assigned to 100 computers, Control Center will initially send 10 installation packages through the network.
In this case, the client installation is performed simultaneously on a maximum number of 10 computers, all the other sub-tasks being in pending state.
As soon as a sub-task is done, another installation package is sent, and so on.
Prefer basic deployment methods instead of integration-specific ones
Select this option to deploy the security agents through SSH. Use this method if the configuration of your virtualized environment does not allow deployment through the environment's specific API.
Enforce two-factor authentication for all accounts
The two-factor authentication (2FA) adds an extra layer of security to GravityZone accounts, by requiring an authentication code in addition to Control Center credentials.
This feature requires downloading and installing either the Google Authenticator, Microsoft Authenticator, or any two-factor TOTP (Time-Based One-Time Password Algorithm) authenticator app - compatible with the standard RFC6238 - on the user's mobile device, then linking the app to the GravityZone account and using it with each Control Center login. The authentication app generates a six-digit code each 30 seconds. To complete the Control Center login, after entering the password, the user will have to provide also the authentication app's six-digit code.
Two-factor authentication is enabled by default when creating a company. After that, at login, a configuration window will prompt users to enable this feature. Users will have the option to skip enabling 2FA for three times only. At the fourth login attempt, skipping the 2FA configuration will not be possible and the user will not be allowed to log in.
If you want to deactivate the 2FA enforcement for all GravityZone accounts in your company, just uncheck the option. You will be prompted with a confirmation message before the changes come into effect. From this point on, users will still have 2FA activated, but they will be able to deactivate it from their account settings.
Note
- You can view the 2FA status for a user account in the Accounts page.
- If a user with 2FA enabled cannot log in to GravityZone (because of new device or lost secret key), you can reset its two-factor authentication activation from the user account page, under Login Security section. For more details, refer to this section.
Users trust their browsers
This option allows to trust the browsers used for connecting to Control Center. After enabling the Trust this browser check box on the login screen, users do not need to enter the six-digit code any longer until the interval expires.
The maximum interval you can select is 90 days. When the interval expires, users must enter the six-digit code in addition to their credentials. When selecting Never, browsers and not trusted and users cannot skip two-factor authentication.
NTP Server Settings.
The NTP server is used to synchronize time between all GravityZone appliances. A default NTP server address is provided, which you can change in the NTP Server Address field.
Note
For the GravityZone appliances to communicate with the NTP Server, 123 (UDP) port must be open.
Enable Syslog.
By enabling this feature, you allow GravityZone to send notifications to a logging server that uses the Syslog protocol. This way you have the possibility to better monitor GravityZone events.
To view or configure the list of notifications sent to the Syslog server, refer to the Notifications chapter from GravityZone Administrator's Guide.
To enable logging to a remote Syslog server:
1. Select the Enable Syslog check box.
2. Enter the server name or IP, the preferred protocol and the port Syslog listens to.
3. Select in the format in which to send the data to the Syslog server:
  - JSON Format. JSON is a lightweight data-interchange format that is completely independent from any programming language. JSON represents the data in human readable text format. In JSON format, the details of each event are structured into objects, each object consisting in a name/value pair.
    For example:
    { "name":"Login from new device", "created":"YYYY-MM-DDThh:mm:ss+hh:ss", "company_name":"companyname", "user_name":"username", "os":"osname", "browser_version":"browserversion", "browser_name":"browsername", "request_time":"DD MMM YYYY, hh:mm:ss +hh:ss", "device_ip":"computerip" }
    For more information, refer to www.json.org.
    This is the default format in GravityZone.
  - Common Event Format (CEF). CEF is an open standard developed by ArcSight, which simplifies log management.
    For example:
    CEF:0|Bitdefender|GZ|<GZ version>|NNNNN|Login from new device|3|start=MMM DD YYYY hh:mm:ss+hh:mm BitdefenderGZCompanyName=companyname suser=username BitdefenderGZLoginOS=osname BitdefenderGZAuthenticationBrowserName=browsername BitdefenderGZAuthenticationBrowserVersion=browserversion dvchost=computerip
    For more information, refer to ArcSight Common Event Format (CEF) Implementation Standard.
  In the Notifications chapter of the Administrator's Guide, you can view the available notification types for each format.
4. Click the Add button from the Action column.

Click Save to apply the changes.

Backup

To make sure all your Control Center data are safe, you may want to back up the GravityZone database. You can run as many database backups as you want, or you can schedule periodic backups to run automatically at a specified time interval.

Each database backup command creates a tgz file (GZIP Compressed Tar Archive file) to the location specified in the backup settings.

When several administrators have manage privileges over the Control Center settings, you can also configure the Notification Settings to alert you each time a database backup has been completed. For more information, refer to Configuring notification settings.

Creating database backups

To run a database backup:

Go to the Configuration page in Control Center and click the Backup tab.
Click the Backup Now button at the upper side of the table. A configuration window will appear.
Select the type of location where the backup archive will be saved:
- Local, for saving the backup archive to the GravityZone appliance. In this case, you have to specify the path to the specific directory from the GravityZone appliance where the archive will be saved.
  The GravityZone appliance has a Linux directory structure. For example, you can choose to create the backup to the tmp directory. In this case, enter /tmp in the Path field.
- FTP, for saving the backup archive to a FTP server. In this case, enter the FTP details in the following fields.
- Network, for saving the backup archive to a network share. In this case, enter the path to the network location that you want (for example, \\computer\folder), the domain name and the domain user credentials.
Optionally, you can back up your update staging settings for endpoints along with the status of the published packages. The Staging backup option is available only for environments with staging enabled and may require large storage.
Click the Test Settings button. A text notification will inform you if the specified settings are valid or invalid.
To create a backup, all the settings have to be valid.
Click Generate. The Backup page will be displayed. A new backup entry will be added to the list. Check the Status of the new backup. When the backup is completed, you will find the tgz archive at the specified location.
Note
- The list available in the Backup page contains the logs of all created backups. These logs do not provide access to the backup archives; they only display details of the created backups.
- Database backups with staging settings may require large storage and take longer than usual backups.

To schedule a database backup:

Go to the Configuration page in Control Center and click the Backup tab.
Click the Backup Settings button at the upper side of the table. A configuration window will appear.
Select Scheduled Backup.
Configure the backup interval (daily, weekly or monthly) and the start time.
For example, you can schedule backups to run weekly, every Friday, starting at 22:00.
Configure the scheduled backup location.
Select the type of location where the backup archive will be saved:
- Local, for saving the backup archive to the GravityZone appliance. In this case, you have to specify the path to the specific directory from the GravityZone appliance where the archive will be saved.
  The GravityZone appliance has a Linux directory structure. For example, you can choose to create the backup to the tmp directory. In this case, enter /tmp in the Path field.
- FTP, for saving the backup archive to a FTP server. In this case, enter the FTP details in the following fields.
- Network, for saving the backup archive to a network share. In this case, enter the path to the network location that you want (for example, \\computer\folder), the domain name and the domain user credentials.
Optionally, you can back up your update staging settings for endpoints along with the status of the published packages. The Staging backup option is available only for environments with staging enabled and may require large storage.
Click the Test Settings button. A text notification will inform you if the specified settings are valid or invalid.
To create a backup, all the settings have to be valid.
Click Save to create the scheduled backup.

Restoring a database backup

When for various reasons your GravityZone instance is working improperly (failed updates, dysfunctional interface, corrupted files, errors, etc.), you can restore the GravityZone database from a backup copy using:

The same appliance
A fresh GravityZone image
The Replica Set feature

Choose the option that best suits your situation and proceed with the restoration procedure only after you have carefully read the prerequisites described hereinafter.

Restoring the database to the same GravityZone VA

Prerequisites

A SSH connection to the GravityZone appliance, using the root privileges.
You can use putty and bdadmin’s credentials to connect to the appliance via SSH, then run the command sudo su to switch to the root account.
The GravityZone infrastructure has not changed since the backup.
The backup is more recent than April 30th, 2017 and the GravityZone version is higher than 6.2.1-30. If otherwise, contact the Technical Support team.
In distributed architectures, GravityZone has not been configured to use database replication (Replica Set).
To verify the configuration, follow these steps:
1. Open the /etc/mongodb.conf file.
2. Check that replSet is not configured, as in the example below:
```
# replSet = setname
```
Note
To restore the database when Replica Set is enabled, refer to install.deployment.root.backup.restore.replica.
No CLI processes are running.
To make sure all CLI processes are stopped, run the following command:
```
# killall -9 perl
```
The mongoconsole package is installed on the appliance.
To verify the condition is met, run this command:
```
# /opt/bitdefender/bin/mongoshellrestore --version
```
The command should not return any errors, otherwise run:
```
# apt-get update
# apt-get install --upgrade mongoconsole
```

Restoring the database

Go to the location containing the database archive:
```
# cd /directory-with-backup
```
, where directory-with-backup is the path to the location with the backup files.
For example:
```
# cd /tmp/backup
```
Restore the database.
```
# /opt/bitdefender/bin/mongoshellrestore -u bd -p 'GZ_db_password' \

--authenticationDatabase admin --gzip --drop --archive < \

gz-backup-$YYYY-$MM-$DD(timestamp).tar.gz
```
Important
Make sure to replace GZ_db_password with the actual password of the GravityZoneDatabase Server and the timestamp variables in the archive's name with the actual date.
For example, the actual date should look like this:
```
gz-backup-2019-05-17(1495004926).tar.gz
```
Optionally, to be able to download again previously published kits in the GravityZone console run the following command:
/opt/bitdefender/bin/mongoshell -u bd -p 'GZ_db_password' --eval 'db.endpointKits.update({state:{$ne:1}},{$set:{internalState:1,isProcessing:true,"applianceIds.downloaded":[],"applianceIds.published":[]}},{multi:true})' --quiet devdb
Note
Enabling this option may generate a large amount of data and take a long time depending on your previous update staging settings.
Restart the appliances.
Database restoration is now complete.

Restoring the database from a decommissioned GravityZone VA

Prerequisites

A fresh GravityZone VA installation:
- With the same IP as the old appliance
- Having ONLY the Database Server role installed.
You can download the GravityZone VA image from here.
You can download the GravityZone VA image from here.
You can download the GravityZone VA image from here.
You can download the GravityZone VA image from here.
A SSH connection to the GravityZone virtual appliance, using the root privileges.
The GravityZone infrastructure has not changed since the backup was made.
The backup is more recent than April 30th, 2017.
In distributed architectures, GravityZone has not been configured to use database replication (Replica Set).
If you use Replica Set in your GravityZone environment, you also have the Database Server role installed on other appliance instances.
To restore the database when Replica Set is enabled, refer to Restoring thedatabase in a Replica Set environment.

Restoring the database

Connect to the GravityZone appliance via SSH and switch to root.
Stop VASync:
```
# stop vasync
```
Stop CLI:
```
# # killall -9 perl
```
Go to the location where the backup is:
```
# cd /directory-with-backup
```
, where directory-with-backup is the path to the location with the backup files.
For example:
```
# cd /tmp/backup
```
Restore the database.
```
# /opt/bitdefender/bin/mongoshellrestore -u bd -p 'GZ_db_password' \

--authenticationDatabase=admin --gzip --drop \

--archive='/home/bdadmin/gz-backup-$YYYY-$MM-$DD(timestamp).tar.gz
```
Important
Make sure to replace GZ_db_password with the actual password of the GravityZoneDatabase Server and the timestamp variables in the archive's name with the actual date.
For example, the actual date should look like this:
```
gz-backup-2019-05-17(1495004926).tar.gz
```

Restore the old appliance ID:

# /opt/bitdefender/bin/mongoshell -u bd -p 'GZ-db_password' \

––eval print(db.applianceInstalls.findOne({name:'db'}).\

applianceId)" --quiet > /opt/bitdefender/etc/applianceid

Important

Make sure to replace GZ_db_password with the actual password of the GravityZoneDatabase Server.

Remove the reference to the old roles.

# /opt/bitdefender/bin/mongoshell -u bd -p 'GZ_db_password' --eval\

'db.applianceInstalls.remove({ip:db.applianceInstalls.findOne(

{name:"db"}).ip,name:{"$ne": "db"}});' --quiet devdb

Important

Make sure to replace GZ_db_password with the actual password of the GravityZoneDatabase Server.

Start VASync:
```
# start vasync
```
Optionally, to be able to download again previously published kits in the GravityZone console run the following command:
/opt/bitdefender/bin/mongoshell -u bd -p 'GZ_db_password' --eval 'db.endpointKits.update({state:{$ne:1}},{$set:{internalState:1,isProcessing:true,"applianceIds.downloaded":[],"applianceIds.published":[]}},{multi:true})' --quiet devdb
Note
Enabling this option may generate a large amount of data and take a long time depending on your previous update staging settings.
Start CLI:
```
# /opt/bitdefender/eltiw/installer
```

Install the other roles.

# dpkg -l gz*

Note that the database schema has been successfully upgraded to the latest version:

> db.settings.findOne().database
{
"previousVersion" : "000-002-009",
"ranCleanUpVersions" : {
"b0469c84f5bf0bec0b989ae37161b986" : "000-002-008"
},
"updateInProgress" : false,
"updateTimestamp" : 1456825625581,
"version" : "000-002-011"
}

Restart the appliance.
Database restoration is now complete.

Restoring the database with staging settings

Prerequisites

The Database and the Update Server roles should be installed on separate appliances
A fresh GravityZone VA installation, with the same IP as the old appliance and having only the Database Server role installed. You can download the GravityZone VA image from here.
A SSH connection to the GravityZone virtual appliance, using the root privileges.
The GravityZone infrastructure has not changed since the backup was made.
The backup is more recent than April 30th, 2017.
In distributed architectures, GravityZone has not been configured to use database replication (Replica Set). If you use Replica Set in your GravityZone environment, you also have the Database Server role installed on other appliance instances.

Restoring the database and staging settings

To restore the database follow the steps below:

Download the Virtual Appliance.
Install the Database Server role.
For more information about installing the Database Server role, refer to Deploy and set up GravityZone VA.
Stop VASync:
# service vasync stop
Stop CLI:
# killall -9 perl
Go to the location containing the database archive:
# cd /directory-with-backup
Where directory-with-backup is the path to the location with the backup files.
For example: # cd /tmp/backup
Restore the database:
/opt/bitdefender/bin/mongoshellrestore -u bd -p 'GZ_db_password' --authenticationDatabase admin --gzip --drop --archive < 'gz-backup-$YYYY-$MM-$DD(timestamp).tar.gz'
Important
Make sure to replace GZ_db_password with the actual password of the GravityZone Database Server and the timestamp variables in the archive's name with the actual date.
For example, the actual date should look like this:
gz-backup-2019-05-17(1495004926).tar.gz
Test to make sure you have entered the correct password by running the following command:
mongo admin -u bd -p 'GZ_db_password'
Note
If you receive error messages, contact Bitdefender Enterprise Support.
Restore the appliance ID:
/opt/bitdefender/bin/mongoshell -u bd -p 'GZ_db_password' --eval 'print(db.applianceInstalls.findOne({name:"db"}).applianceId);' --quiet devdb > /opt/bitdefender/etc/applianceid
Important
Make sure to replace GZ_db_password with the actual password of the GravityZone Database Server.
Remove the reference to the old roles:
/opt/bitdefender/bin/mongoshell -u bd -p 'GZ_db_password' --eval 'db.applianceInstalls.remove({name:{"$ne": "db"}});' --quiet devdb
Important
Make sure to replace GZ_db_password with the actual password of the GravityZone Database Server.
Start VASync:
# service vasync start
Optionally, to be able to download again previously published kits in the GravityZone console run the following command:
/opt/bitdefender/bin/mongoshell -u bd -p 'GZ_db_password' --eval 'db.endpointKits.update({state:{$ne:1}},{$set:{internalState:1,isProcessing:true,"applianceIds.downloaded":[],"applianceIds.published":[]}},{multi:true})' --quiet devdb
Note
Enabling this option may generate a large amount of data and take a long time depending on your previous update staging settings.
Start CLI:
/opt/bitdefender/eltiw/installer
Restart the appliance.
Database restoration is now complete.

To restore the staging settings follow the steps below:

Go to the location containing the backup archives.
Copy or move the gz-backup-staging archive to a directory of your choice on the appliance where the Update Server role will be installed.
For example: /home/bdadmin/backup-staging
Start CLI:
/opt/bitdefender/eltiw/installer
Connect to the existing database previously created.
Install the Update Server role.
Stop the update server service:
# service arrakis stop
Remove the product updates directories:
# rm -rf /opt/bitdefender/var/data/products/v2
# rm -rf /opt/bitdefender/var/data/products/bst_nix
# rm -rf /opt/bitdefender/var/data/products/bst_nix7_update
Unpack the gz-backup-staging archive from the location it was saved:
# tar -xvzf archive
Copy all directories:
# rsync -a -v -r --chown=bitdefender:bitdefender /home/bdadmin/extracted_archive_folder/opt/bitdefender/var/data/products/ /opt/bitdefender/var/data/products/ > /home/bdadmin/rsync_output.txt
Replace the extracted_archive_folder with the exact location where the archive was extracted.
To check the status of the process open /home/bdadmin/rsync_output.txt.
Make sure the copying process ended successfully then start the update server service:
# service arrakis start

You can continue to install the remaining roles on the database appliance or on separate appliances. Make sure no other roles are installed on the update server appliance.

Restoring the database in a Replica Set environment

If you have deployed the database in a Replica Set environment, you can find the official restore procedure on the mongoDB online manual (English only).

Note

The procedure requires advanced technical skills and should be done only by a trained engineer. If you encounter difficulties, please contact our Technical Support to assist you in restoring the database.

Access permissions

With access permissions you can grant GravityZoneControl Center access to Active Directory (AD) users, based on access rules. To integrate and synchronize AD domains, refer to Active Directory. For more information on managing user accounts via access rules, refer to the User Accounts section.

Use cases

Bitdefender GravityZone is delivered as a virtual appliance. The Bitdefender GravityZone appliance image is available in several different formats, compatible with the main virtualization platforms. Before proceeding, check the GravityZone virtual appliance requirements.

To receive a trial license, go to Bitdefender website and register. For GravityZone on-premises, select one or more of the following products:

Bitdefender Security for Virtualized Environments
Bitdefender GravityZone Security for Endpoints
Bitdefender GravityZone Security for Exchange
Bitdefender GravityZone Security for Mobile

Install GravityZone on an Ubuntu machine

Prerequisites

On the physical server, install Ubuntu Server 20.04, with a valid internet connection from the link above.
Select your location: C - no localization.
Select country: Recommended America/US (recommended for initial deploy).
Detect keyboard layout: No. Choose English (US), recommended for initial deploy.
Network: no special requirements (recommended DHCP for initial deploy).
Setup users and passwords:
- Full name new user: bdadmin
- Username: bdadmin
- Password: [your desired bdadmin user password]
Encrypt home directory: No.
Choose time zone: any option, it will be later changed to UTC during GravityZone installation.
Partition disks: Guided - use the entire disk and set up LVM. Then accept all the default settings and write changes to disk when asked to do so.
Choose no automatic updates.
Select to install only Standard system utilities and OpenSSH server.

For more information about this, refer to the Official Ubuntu Installation Guide.

Installation Steps

Connect to the server via SSH, with the bdadmin user.
Login as root:
```
$ sudo -i
```

Configure networking and replace netplan with ifupdown:

# sed -ri 's#^GRUB_CMDLINE_LINUX_DEFAULT=.*#GRUB_CMDLINE_LINUX_DEFAULT="netcfg/do_not_use_netplan=true net.ifnames=0 biosdevname=0 console=tty1 console=ttyS0,115200n8 earlyprintk=ttyS0,115200 rootdelay=300"#' /etc/default/grub

# update-grub2

# apt -yq install ifupdown

# echo -e 'auto lo\niface lo inet loopback\n\nauto eth0\niface eth0 inet dhcp' > /etc/network/interfaces

# apt -yq install resolvconf

# ln -sf /run/resolvconf/resolv.conf /etc/resolv.conf

# systemctl disable systemd-resolved

Remove the Ubuntu repositories:

# mv /etc/apt/sources.list /etc/apt/sources.list.orig

Install the GravityZone repositories:

# echo "deb https://download.bitdefender.com/repos/deb-hydra20-unified bitdefender non-free" > /etc/apt/sources.list.d/deb-hydra20-unified.list

Install the GravityZone repositories key:

# curl -sS http://download.bitdefender.com/repos/gzrepos.key.asc | apt-key add -

Set DEBIAN_FRONTEND to noninteractive to silently complete the installation:
```
# export DEBIAN_FRONTEND="noninteractive"
```

Make sure that the appliance OS timezone is set to UTC:

# timedatectl set-timezone UTC
# timedatectl set-local-rtc false

Disable the Ubuntu banners (they will be replaced by the specific GravityZone ones):
```
# chmod -x /etc/update-motd.d/*
```
Clean apt and update the packages to the GravityZone repository versions:
```
# apt clean
# apt update
# apt -yq dist-upgrade
```

Install the GravityZone initial packages:

# apt -yq --allow-unauthenticated install gzinstallwizard

Update the installation system:

# /opt/bitdefender/scripts/createInstallerXml.sh

Remove snapd:
```
# apt autoremove --purge snapd
```
Remove any unneeded packages:
```
# apt -yq autoremove
```
Restart to complete the customization of the Ubuntu server into the GravityZone appliance:
```
# reboot
```

Install roles from the console interface of the GravityZone appliance. For the administration of the GravityZone machine, refer to this topic.

Further on, if you want to install a standalone Security Server and you cannot use Bitdefender images to deploy it, you will need to manually install it in a similar manner to how you have installed the above GravityZone appliance. For details on the installation procedure of the Security Server, refer to Install Security Server manually.

Install GravityZone in Oracle VM VirtualBox

Download Bitdefender GravityZone OVA and MD5 files from the Bitdefender download website.

To be able to use GravityZone, you have to install it, following the steps below.

Import GravityZone OVA file in VirtualBox
1. Open Oracle VM VirtualBox Manager.
2. Go to File > Import appliance or press (Ctrl + I). The import wizard is displayed.
3. Click the Browse button, navigate to the GravityZone OVA file, select it and then click Open.
4. Click Next to continue and view the appliance settings.
5. Click Import to load the appliance into the VM manager. Wait until the progress bar disappears.
Configure main GravityZone settings
1. From the left side pane, select the newly imported appliance and click Start to power it on. Wait until it finishes loading the system. The VM console window is displayed.
2. Set a password for bdadmin, the built-in system administrator, needed to access the GravityZone appliance configuration area.
3. Log in to GravityZone Virtual Appliance command line interface (CLI).
4. Set up Bitdefender GravityZone:
  1. Configure network settings. Make sure it has access to the internet.
  2. Install the GravityZone roles. First install the Database role. After that, install all the other roles.
  For more information, refer to the Deploy and Set Up GravityZone Appliance section.
Install VirtualBox Guest Additions on the GravityZone appliance
1. Power off the appliance.
2. Load the Guest Additions image into the CD/DVD drive:
  1. Select the GravityZone appliance and then click Settings. The configuration windows is displayed.
  2. Go to the Storage tab.
  3. In the Storage Tree, click Add CD/DVD Device.
  4. Click Choose disk and select the VBoxGuestAdditions.iso file from the Virtualbox folder.
  5. Click OK to apply the changes and close the window.
3. Power on the appliance.
4. Press Alt + F2 to switch to tty2, or connect through SSH with putty.
5. Enter the bdadmin's credentials.
6. Type sudo su to get root privileges.
7. Add the Ubuntu official repositories to the sources file:
  1. Open /etc/apt/sources.list with an editor of your choice.
  2. Copy and paste the text below after the first line.
```
# See http://help.ubuntu.com/community/UpgradeNotes# for how to upgrade to newer versions of the distribution.deb http://us.archive.ubuntu.com/ubuntu/ xenial main restricteddeb-src http://us.archive.ubuntu.com/ubuntu/ xenial main restricted## Major bug fix updates produced after the final release## of the distribution.deb http://us.archive.ubuntu.com/ubuntu/ xenial-updates main restricteddeb-src http://us.archive.ubuntu.com/ubuntu/ xenial-updates main restricted
```
  3. Save the file and close the editor.
8. Get the list with the latest packages versions from the repositories.
  #apt-get update
9. Install the build-essential package.
  #apt-get install build-essential
10. Install DKMS.
  #apt-get install dkms
11. Install Linux headers.
  #apt-get install linux-headers-$(uname -r)
12. Mount the DVD with the Guest Additions ISO file.
  #mkdir /mnt/dvd #mount /dev/dvd1 /mnt/dvd
13. Install the Guest Additions package.
  #cd /mnt/dvd #sh ./VBoxLinuxAdditions.run

You may now log in to GravityZone Control Center and continue with registration.

Install GravityZone in Nutanix

To install GravityZone in Nutanix, follow these steps.

Import the GravityZone virtual appliance

Download the latest GravityZone VMDK and MD5 files from the Bitdefender website.
Log in to PRISM, the Nutanix Web Console.
Import the VDMK file:
1. Click the gear button at the upper-right corner of the console to access the Settings menu and then select Image Configuration.
  The configuration window is displayed.
2. Click Upload Image. A new window pops up, asking you to enter image details.
3. Enter a suggestive name for the image.
4. From the Image Type menu, choose Disk.
5. From Image Source, select Upload File and then choose the VDMK file you have previously extracted.
6. Click Save. Wait while the virtual drive is being uploaded. When finished, you will be able to view the image in the list of existing images.
Create the virtual machine for GravityZone VMDK file:
1. Go to the VM page using the menu at the upper left corner of the console.
2. Click the Create VM button at the upper right corner of the page.
3. In the new configuration window, enter the requested details:
  - A suggestive name and a description for the VM.
  - Hardware configuration such as number of CPUs, cores per CPU and memory. These values must meet the GravityZone requirements.
4. Click Add new disk. A configuration window is displayed.
5. Configure the disk settings as follows:
  - Type: Disk
  - Operation: Clone from Image Service
  - Bus Type: SCSI
  - Image: the image you have previously created.
6. Click Add.
7. Click Add new NIC and choose the network you want to use.
8. Click Save.

Deploy GravityZone

In Nutanix console, go to the VM > Table section.
Power on the newly created machine.
Click Launch Console.
The GravityZone CLI interface is displayed and you can begin to configure and install GravityZone in your network. For details regarding installation steps, refer to this topic.

Install GravityZone in Microsoft Azure

To install GravityZone in Microsoft Azure, follow these steps:

Download the GravityZone virtual appliance image (VHD file) from the Bitdefender website to C:\vhd.
Create a virtual machine in Hyper-V with the VHD file.
Power on the machine and set the password for the default user, bdadmin.
Power off the virtual machine.
Recreate the the VHD file:
$sourceVhd = "C:\vhd\GravityZoneEnterprise.vhd" $recreatedVhd = "C:\vhd\GravityZoneEnterpriseHDD.vhd" Convert-VHD -VHDType Dynamic -Path $sourceVhd -DestinationPath $recreatedVhd
Prepare PowerShell for Azure:
Install-Module AzureRM Login-AzureRmAccount
Upload the file to Azure:
$resourceGroupName = "Resources" $recreatedVhd = "C:\vhd\GravityZoneEnterpriseHDD.vhd" $destinationVhd = "https://mystorearea.blob.core.windows.net/vhds/GravityZoneEnterpriseHDD.vhd" Add-AzureRmVhd -LocalFilePath $recreatedVhd -Destination $destinationVhd -ResourceGroupName $resourceGroupName -NumberOfUploaderThreads 5
Note
- Azure supports only fixed sized VHD files. Add-AzureRmVhd commandlet takes the dynamic size VHD file and uploads it as a fixed size.
- $destinationVhd is a custom path. Make sure to choose a valid path in your Azure environment.
Create the virtual machine in Azure:
1. Get the network to be attached to the VM:
  $virtualNetworkName = "Resources-vnet" $locationName = "westeurope" $virtualNetwork = Get-AzureRmVirtualNetwork -ResourceGroupName $resourceGroupName -Name $virtualNetworkName
  Note
  Depending on your Azure setup, you may need to use other values for the above mentioned variables.
2. Configure public IP:
  $publicIp = New-AzureRmPublicIpAddress -Name "HydraSrv" -ResourceGroupName $ResourceGroupName -Location $locationName -AllocationMethod Dynamic $networkInterface = New-AzureRmNetworkInterface -ResourceGroupName $resourceGroupName -Name "HydraSrv-Interface" -Location $locationName -SubnetId $virtualNetwork.Subnets[0].Id -PublicIpAddressId $publicIp.Id
3. Configure VM settings:
  $vmConfig = New-AzureRmVMConfig -VMName "HydraSrv" -VMSize "Standard_F4s" $vmConfig = Set-AzureRmVMOSDisk -VM $vmConfig -Name "HydraSrv" -VhdUri $destinationVhd -CreateOption Attach –Linux $vmConfig = Add-AzureRmVMNetworkInterface -VM $vmConfig -Id $networkInterface.Id
4. Create the VM in Azure:
  $vm = New-AzureRmVM -VM $vmConfig -Location $locationName -ResourceGroupName $resourceGroupName
Install GravityZone roles:
1. Connect to the GravityZone appliance via SSH.
2. Log in with bdadmin.
3. Gain root privileges:
  $ sudo su
4. Run the GravityZone installer:
  # /opt/bitdefender/eltiw/installer
5. Install the roles: Database Server, Communication Server, Update Server, Web Console.

Import GravityZone virtual appliance in VMware vCenter

Bitdefender GravityZone OVA file can be downloaded from Bitdefender website: OVA and MD5.

To import Bitdefender GravityZone OVA file in VMware vCenter, follow these steps:

Open the vSphere client.
Go to File > Deploy OVF template. This works for both OVA and OVF.
Browse and select the package you would like to deploy, and then hit Next.
You will get details about it. Hit Next.
Now you get to name your virtual machine and place it in the proper datacenter and folder.
Now you choose your cluster.
Choose the storage locations.
Choose the disk provisioning virtual machine type thin or thick.
Choose the network.
Hit Finish and watch your virtual machine being created.
Wait while the virtual machine is deployed from the OVA.
Connect to the virtual machine and start the configuration.

Prerequisites for installing Bitdefender Endpoint Security Tools in VMware NSX environments

Current constraints

GravityZone Security for Virtualized Environments is designed to offer only agentless protection for VMware NSX through Security Server. Installing Bitdefender Endpoint Security Tools (BEST) in such environments can lead to undesired behavior and malfunctions for the GravityZone infrastructure, such as:

Duplicated endpoints in GravityZone Control Center.
License key pools get depleted.
Protection stops working partially or completely.
Managed state reports from endpoints are inconsistent.
Power state reports from endpoints are inconsistent.

When to install Bitdefender Endpoint Security Tools in NSX

In some cases, endpoints hosted on an NSX infrastructure do need protection through Bitdefender Endpoint Security Tools:

Security for Exchange is not available with agentless protection. Therefore, you need to install Bitdefender Endpoint Security Tools on an Exchange Server that is hosted in an NSX protected cluster.
The protected operating systems are incompatible with the NSX introspection driver. In such cases, the NSX agentless protection does not work, and you need to install Bitdefender Endpoint Security Tools on these legacy endpoints.
When Virtual Desktop Infrastructure (VDI) environments are used, some endpoints could need the additional protection modules available only with Bitdefender Endpoint Security Tools, and through the agentless protection. This case also requires installing Bitdefender Endpoint Security Tools.

Note

Using both solutions on the same cluster means that endpoints using either one of the protection services are going to coexist in the same NSX protected cluster. You cannot protect an endpoint using Bitdefender Endpoint Security Tools and Security Server for NSX at the same time. In this case, Bitdefender Endpoint Security Tools must be configured to use an alternative to Central Scan mode, such as Local Scan or Hybrid Scan.

Prerequisistes

The following prerequisites must be met to safely separate the endpoints protected with Bitdefender Endpoint Security Tools from the GravityZone NSX agentless protection. In addition, these prerequisites must be met before installing the Bitdefender Endpoint Security Tools agents on the endpoints.

Endpoints to be protected by Bitdefender Endpoint Security Tools should not be included in any NSX Security Group on which a Bitdefender policy is applied.
If this prerequisite cannot be achieved due to how the NSX Security Groups memberships are defined, you can exclude the endpoints which use Bitdefender Endpoint Security Tools from that group.
On the Bitdefender Endpoint Security Tools protected endpoints, VMware Tools must be installed without the NSX Guest Introspection drivers.
If VMware Tools have been installed on endpoints with the NSX Guest Introspection drivers, run the VMware Tools setup again and remove them.

After these prerequisites are met, you can safely deploy Bitdefender Endpoint Security Tools agents on endpoints.

Note

Bitdefender Endpoint Security Tools can be installed only manually, because the Install Client task is not available.

Import GravityZone virtual appliance in VMware ESXi

Bitdefender GravityZone OVA file can be downloaded from Bitdefender website as OVA and MD5.

To import Bitdefender GravityZone OVA file on ESXi Host, you have to:

Open the vSphere client.
Go to File > Deploy OVF template. This works for both OVA and OVF.
Browse and select the package you would like to deploy, and then hit Next.
You will get details about it. Hit Next.
Now you get to name your virtual machine and place it in the proper datacenter and folder.
Now you choose your cluster.
Choose the storage locations.
Choose the disk provisioning virtual machine type thin or thick.
Choose the network.
Hit Finish and watch your virtual machine being created.
Wait while the virtual machine is deployed from the OVA.
Connect to the virtual machine and start the configuration.

Import GravityZone virtual appliance in Microsoft Hyper-V

Import GravityZone virtual appliance in VMM (System Center 2012 - Virtual Machine Manager)

Bitdefender GravityZone VHD file can be downloaded from Bitdefender website: VHD and MD5.

To import Bitdefender GravityZone VHD file on Hyper-V Manager, you have to:

Open System Center 2012 - Virtual Machine Manager.
Select the Library tab.
Add that share location to Library Shares.
Select the share location, where Bitdefender GravityZone VHD file has previously been copied.
Select VMs and Services tab, from Virtual Machine Manager.
Click Create Virtual Machine.
In the next window, select the virtual machine source: GravityZoneVA.vhd and click Next.
Select an existing virtual machine.
Choose a name for the virtual machine.
Configure hardware for the virtual machine, as mentioned under Endpoint protection.
Select the destination.
Select the Hyper-V Host destination.
Review the virtual machine settings:
A task will be created.
Connect to the virtual machine and start the configuration.

Import GravityZone virtual appliance in Hyper-V host

Bitdefender GravityZone VHD file can be downloaded from Bitdefender website: VHD and MD5.

To import Bitdefender GravityZone VHD file on Hyper-V Manager, you have to:

Open Hyper-V Manager.
From the navigation pane of Hyper-V Manager, select the computer running Hyper-V.
Click New and then click Virtual Machine. The New Virtual Machine wizard opens. Click Next.
On the Specify Name and Location page, type an appropriate name.
On the Specify Generation, select Generation 1.
On the Assign Memory page, specify enough memory to start the guest operating system.
On the Configure Networking page, connect the virtual machine to the switch you created when you installed Hyper-V.
On the Connect Virtual Hard Disk page, choose the option of using an existing virtual hard disk.
Browse for the location of Bitdefender GravityZone VHD file.
The guest operating system is already installed in a virtual hard disk, so choose Install an operating system later.
On the Summary page, verify your selections and then click Finish.
Connect to the virtual machine and start the configuration.

Import GravityZone virtual appliance in Citrix XenCenter

Bitdefender GravityZone XVA file can also be downloaded from Bitdefender website: XVA and MD5.

You can import Bitdefender GravityZone XVA file using the XenCenter Import wizard.

Importing a VM from an XVA or ova.xml file involves the same steps as creating and provisioning a new VM using the New VM wizard, such as, nominating a home server, and configuring storage and networking for the new VM.

Open the Import wizard by doing one of the following:

On the File menu, select Import.
On the first page of the wizard, locate the XVA file you want to import and then click Next.
Alternatively you enter a URL location (http | https | file | ftp) in the Filename box.
On clicking Next, the Download Package dialog box opens and you must specify a folder on your XenCenter host where the file(s) will be copied.
On the Home Server page, specify where to put the new VM:
- To place the imported VM in a pool without assigning it a home server, select the destination pool in the list, and then click Next.
- To place the imported VM in a pool and assign it to a specific home server (or to place it on a standalone server), select a server and then click Next to continue.
On the Storage page, select a storage repository (SR) where the imported virtual disks will be placed, then click Next to continue.
On the Networking page, map the virtual network interfaces in the VM you are importing to target networks in the destination pool. The Network and MAC address shown in the list on this page are stored as part of the definition of the original (exported) VM in the export file. To map an incoming virtual network interface to a target network, select a network from the list in the Target network column.
Click Next to continue.
On the last page of the Import wizard, review the configuration options you have selected. To have the imported VM start up as soon as the import process has finished and the new VM is provisioned, select the Start VM after import check box.
Click Finish to begin importing the selected file and close the wizard.
The import progress is displayed in the status bar at the bottom of the XenCenter window and also on the Logs tab.

The import process may take some time, depending on the size of the imported VM's virtual disks, the available network bandwidth, and the disk interface speed of the XenCenter host. When the newly-imported VM is available, it appears in the Resources pane.

Import GravityZone virtual appliance in KVM

Bitdefender GravityZone is delivered as a virtual appliance. The Bitdefender GravityZone appliance image is available in several different formats, compatible with the main virtualization platforms.

To receive a trial license, go to Bitdefeder website and register.

Bitdefender GravityZone KVM image can be downloaded from Bitdefender website: RAW and MD5.

To import GravityZone image to KVM you have to install the Virtual Machine Manager utility on a Linux machine with GUI. The Linux with GUI machine should have connectivity with the KVM server.

Example of the Virtual Machine Manager installation on Ubuntu with GUI:

#apt-get install virt-manager

To import GravityZone image using Virtual Machine Manager, you have to:

Upload GravityZone KVM image to the KVM server storage pool location using WinSCP. By default the storage location is /var/lib/libvirt/images.
Extract GravityZone image archive using the following command:
tar -jxf /var/lib/libvirt/images/GravityZoneVA_KVM.tar.bz2
Open Virtual Machine Manager and connect to the KVM server: File > Add connection.
Click the Create Virtual Machine icon, to create a new virtual machine.
Type a name and select Import existing disk image.
Click Browse to provide a storage path.
Select the GravityZone raw file extracted before.
Note: If the GravityZone raw file is not listed, the /var/lib/libvirt/images is not the default storage location. To check or change the default storage location from Virtual Machine Manager, select the KVM connection Details option, under the Storage tab.
Configure GravityZone virtual machine CPU and memory.
Configure GravityZone virtual network and click Finish.
Right click the virtual machine icon to power it on.
Select Open to access the virtual machine.

Protect endpoints located in DMZ

In the default GravityZone setup, devices can be managed only when they are directly connected to the corporate network.

Networking prerequisites

To manage BEST clients located in the DMZ (demilitarized zone), the administrator will have to configure any firewall or network filter located between the DMZ and the GravityZone appliance.

The following ports need to be opened for the communication to be successful:

Traffic from the DMZ communication server to the Production Database instance on port 27017
Traffic from the DMZ communication server to the Production Update Server
Traffic from the DMZ Update Servers
Traffic from the DMZ Communication servers to the Production Web Consoles and Communication Servers on ports 4369, 5672 and 6150
Traffic from the DMZ Communication servers to Production Web Consoles instances on port 443
Traffic from the DMZ clients to the Bitdefender servers (upgrade.bitdefender.com) on port 80.

To guarantee a proper communication between appliances across networks, ensure that all communication ports pertaining to Bitdefender are open. For more details, refer to GravityZone (on-premises) communication ports.

As administrator you have 3 options to choose from, in terms of how the clients can communicate with the GravityZone appliance:

The endpoints can connect to the Communication Server of the main appliance directly on port 8443.
The endpoints can connect to a Relay in the DMZ on port 7074, which connects to the main appliance, therefore minimizing traffic.
Endpoints can connect to a second Communication Server from the DMZ

Configure a new role balancer

This step is only required if you do not have an external balancer.

The role balancer is needed for configuring a more than one communication server and can be set up a as role on a second GravityZone Appliance. To configure a new balancer, follow the steps below:

Connect to the GravityZone VM Console from your Hypervisor.
Login as bdadmin.
Go to Advanced Settings > Connect to existing database.
Enter your database IP followed by :27017:
```
databaseIP:27017
```
Select OK to continue.
Go to Advanced Settings > Configure Role Balancers.
Select Use the built-in balancers from the available options and Select.
Select Communication Server Balancer from the available options.
Select OK to continue.

Configure a new Communication Server in the DMZ

To configure a new Communication Server in the DMZ, use these steps:

Connect to the GravityZone VM Console from your Hypervisor.
Login as bdadmin.
If you have an external balancer, and have not configured a new role balancer, follow the steps below:
1. Go to Advanced Settings > Configure Role Balancers > Use external balancers.
2. Next to Communication Server, enter the IP address of the balancer, followed by port 8443:
```
https://IP_OF_BALANCER:8443
```
3. Select OK to save the changes made.
  Note
  Leave the Web Console field blank.
Import a new GravityZone virtual appliance image to your Hypervisor of choice on a virtual host in the DMZ.
Connect to the new GravityZone VM Console from your Hypervisor and configure the settings under the Configure Hostname Settings and Configure Network Settings sections.
Connect the appliance to an existing Database that is running on the Production Server.
Go to Advanced Settings > Install/Uninstall Roles > Add or remove roles > Add the Communication Server role only and click OK to finalize the changes.

Install BEST on the devices

The BEST client can be installed manually through an installation package or remotely deployed via the GravityZone Control Center.

The installation package used for the manual installation must be configured to communicate with the public IP address of the DMZ Communication Server.

Follow these steps:

Log in to GravityZone and go to the Packages page.
Select Add.
Configure the installation package for your endpoints.
Note
For more information on the creating packages, refer to Create installation packages.
Under the Deployer section, apply these changes to set up communication with a DMZ relay:
Install the newly created packages to all endpoints located in the DMZ.
Go to the Policies page and create the Add button to create a new policy.
Under the General tab, select Communication.
Under the Endpoint Communication Assignment section, from the drop down menu for the IP column, select the Communication Server’s IP address.
Note
Based on your network configuration, you can also select the IP address of your DMZ Relay, or GravityZone appliance.
Add the public IP of the DMZ under the Custom Name/IP field.
Click the Add button.
Under the same General tab, click the Save in the lower part of the window.
While still editing the same policy, under the General tab, go the the Update page.
Under the Update locations section, add the relay server IP address (if any) in the Add location box and click the Add button.
Finish configuring the policy to fit your company's needs.
Note
For more information on creating policy templates, refer to Creating policies.
Assign the new policy template to each endpoint located in the DMZ.

In this section:

Bitdefender B2B Help Center