VMware NSX-T

GravityZone Security for Virtualized Environments integrates with the VMware NSX-T Data Center through NSX-T Manager.

Integrate with NSX-T Manager

NSX-T Manager is the management plane of your vCenter Servers integrated with an NSX-T Data Center. For the integration to work, you need to set up the integration for the vCenter Servers associated with the NSX-T Manager. For more information, refer to Integrate with vCenter Server.

To set up integration with NSX-T Manager:

  1. In Control Center, navigate to Configuration > Virtualization Providers > Security Providers.

  2. Click the Add button at the upper side of the table. A configuration window will appear.

  3. Specify the NSX-T integration details:

    • Name of the NSX-T integration.

    • Hostname or the IP address of the associated vCenter Server system.

    • NSX-T port (default 443).

  4. Specify the credentials to authenticate with the vCenter Server. You can choose to use the credentials provided for integration with Active Directory or a different set of credentials. The user whose credentials you provide must have root or administrator permissions on the vCenter Server.

  5. Click Save.

    The Control Center is now integrated with NSX-T. To apply endpoint protection to your VMs through GravityZone Guest Introspection policy, refer to Manage endpoint protection in VMware NSX-T.

Note

GravityZone can only be used to protect the associated vCenter Server.

Manage endpoint protection in VMware NSX-T

In this section, you will learn how to configure Bitdefender GravityZone Security for Virtualized Environments integration with NSX-T 2.4 Guest Introspection services and apply endpoint protection to your guest virtual machines.

Integration Overview

NSX-T Data Center provides agentless endpoint protection capabilities through the Guest Introspection ecosystem. Bitdefender integrates with the NSX ecosystem to protect guest virtual machines by using a Security Server deployed at the hypervisor host level.

This section provides guidance for NSX-T Data Center administrators on how to configure and apply endpoint protection to guest VMs, by implementing a Bitdefender GravityZone Guest Introspection policy.

Prerequisites
  • Software Prerequisites

    Compatibility with NSX-T Data Center:

    VMware NSX-T Manager | GravityZone Control Center | Bitdefender Security Server
    3.1                  | 6.18.1 and newer           | 1.0.5.10125 and newer
    3.0                  | 6.14.1 and newer           | 1.0.3.9806 and newer
    2.5                  | 6.9.1-1 and newer          | 1.0.2.9311 and newer
    2.4                  | 6.5.5-1 – 6.9.1-1          | 1.0.1.8727 and newer
    2.3                  | n/a                        | n/a

    For more compatibility details, refer to these VMware webpages:

  • NSX-T Manager configuration prerequisites

    Before you start the Bitdefender GravityZone configuration and Security for Virtualized Environments service deployment, you need to meet the following conditions:

Process description

To integrate GravityZone Security and apply endpoint protection to VMs, follow these steps:

Integrate GravityZone with vCenter Server

Add a new VMware vCenter Server integration to the GravityZone Control Center.

  1. Log in to GravityZone Control Center.

  2. Go to the Configuration page.

  3. Navigate to Virtualization Providers > Management Platforms.

  4. Click Add and choose vCenter Server from the menu.

  5. Specify the vCenter Server details.

  6. Specify the credentials for vCenter Server authentication.

  7. Under Installed platforms choose None for your NSX-T integration.

  8. Click Save to complete the vCenter Server integration with Control Center.

    Note

    Before accepting the self-signed security certificate required for the integration, make sure it corresponds with the vCenter details.

    For more information, refer to the Integrating with vCenter Server chapter within the Bitdefender GravityZone Installation Guide.

Note

For multiple vCenter Servers managed by NSX-T Manager, you need to repeat this step.
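
The certificate check from the note under step 8, as an added example that is not part of the Bitdefender documentation: it compares the SHA-256 fingerprint of the certificate a vCenter Server presents with a reference fingerprint. It assumes the reference value was read from the vCenter Server itself over a trusted channel; the function names and the sample bytes are constructed for illustration.

```python
import hashlib
import hmac
import ssl

# Constructed stand-in bytes, not a real certificate: the fingerprint is a
# hash over whatever DER bytes the server presents.
SAMPLE_DER = bytes.fromhex("3082010a0282010100") + b"constructed-vcenter-cert"


def fetch_server_cert_der(host: str, port: int = 443) -> bytes:
    """Fetch the presented certificate without validating or trusting it."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


def sha256_fingerprint(der: bytes) -> str:
    """SHA-256 over the DER encoding, as colon-separated upper-case hex."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_fingerprint(text: str) -> str:
    """Accept 'AA:BB:..', 'aa bb ..' or 'sha256 Fingerprint=AA:BB:..'."""
    value = text.split("=", 1)[-1]
    hexdigits = "".join(c for c in value if c not in ": -\t\r\n").lower()
    # Reject anything that is not 32 bytes of hex, e.g. a SHA-1 thumbprint.
    if len(hexdigits) != 64 or any(c not in "0123456789abcdef" for c in hexdigits):
        raise ValueError("expected a SHA-256 fingerprint (64 hex digits)")
    return hexdigits


def certificate_matches(der: bytes, reference_fingerprint: str) -> bool:
    """True only if the presented certificate hashes to the reference value."""
    presented = normalize_fingerprint(sha256_fingerprint(der))
    expected = normalize_fingerprint(reference_fingerprint)
    return hmac.compare_digest(presented, expected)


if __name__ == "__main__":
    reference = sha256_fingerprint(SAMPLE_DER)  # stands in for the trusted value
    print(certificate_matches(SAMPLE_DER, reference))
    print(certificate_matches(SAMPLE_DER + b"\x00", reference))
```

Against a live system, pass the result of `fetch_server_cert_der` for each vCenter Server as `der`, and accept the certificate in Control Center only when `certificate_matches` returns `True`.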

Download NSX-T SVA
  1. Log in to GravityZone Control Center.

  2. Go to the Update screen, under Configuration.

  3. Select the Components tab.

  4. Under Product, select Security Server (VMware NSX-T).

  5. From the Packages section, select the associated check box to download.

Integrate GravityZone with NSX-T Manager

Add a new VMware NSX-T Manager integration to the GravityZone Control Center.

  1. In Control Center, go to the Configuration page.

  2. Navigate to Virtualization Providers > Security Providers.

  3. Click Add to configure the NSX-T integration.

  4. Specify the NSX-T integration details:

    • Name of the NSX-T integration

    • Hostname or the IP address of the vCenter Server system

    • NSX-T port (default 443)

  5. Specify the credentials for NSX-T Manager authentication.

  6. Click Save to complete the integration.

Note

The integrated server count in NSX-T Manager should match the one from the Management Platform in Control Center. If the counts do not match, follow the integration procedure to add a new vCenter Server integration.

Deploy Partner service (Bitdefender GravityZone) in NSX Manager

Deploy the Security Server installation as a Partner service in NSX-T Manager.

  1. In NSX Manager, go to the System page and click Service Deployment.

  2. Select Partner service and then click deploy.

  3. Specify the service deployment details:

    • Enter the service deployment name.

    • In the Compute Manager field, select the vCenter (Bitdefender SVA).

    • In the Cluster field, select the cluster where the service needs to be deployed.

    • In the Data Store field, you can select a data store where the SVA disk can be stored.

      For more information, refer to VMware Docs.

    • Under the Network column, click Edit Details to configure the Management Network interface.

      A configuration window appears where you can configure the network/distributed switch to use for the management NIC and the network type.

    • In the Deployment Specification field, select Bitdefender SVA – Medium.

    • In the Deployment Template field, select Bitdefender Security Server OVF Template.

  4. Click Save.

    The Bitdefender Security Server is deployed.

Configure NSX Groups

NSX uses groups as the source and destination fields of a service profile. Create groups in NSX Manager for protected VMs, unprotected VMs and affected (quarantined) VMs.

In this section, you will find out how to create and define group membership:

Protected VMs Group

Create a group for protected VMs.

  1. In NSX Manager, go to the Inventory page and click Groups.

  2. Click ADD GROUP to configure the group.

  3. Specify the group details:

    • Enter the security group name.

    • Under the Compute Members, click Set Members to define membership of the group:

      1. Go to the Members tab and select a group from the Category drop-down menu.

      2. Select the nodes that should be protected.

      3. Click APPLY.

        For more information, refer to the following VMware Docs article.

  4. Click SAVE.

    The group for the protected VMs is now added.

Unprotected VMs Group

To create a group and define membership for unprotected VMs, follow the previous steps 1-4 from Protected VMs Group.

Affected VMs Group

Create a group for affected VMs and name it Quarantine.

  1. In NSX Manager, go to the Inventory page and click Groups.

  2. Click ADD GROUP to configure the group.

  3. Specify the group details:

    • Enter the security group name.

    • Under the Compute Members, click Set Members to define membership of the group:

      1. Go to the Membership Criteria tab and click ADD CRITERIA.

      2. In the third column, select Contains.

      3. In the Scope field, enter the following tag:

        ANTI_VIRUS

      4. Click APPLY.

        For more information, refer to the following VMware Docs article.

  4. Click SAVE.

    The group for the quarantined VMs is now added.

Create GravityZone security policy

Create and configure a security policy in Control Center.

  1. In Control Center, go to the Policies page.

  2. Click Add to configure a policy.

  3. Enter a name for your policy.

  4. Configure the policy settings as needed.

    Note

    Only Antimalware settings are applicable to NSX-T integrations.

  5. Go to NSX and select the associated check box to set its visibility in NSX-T Manager.

    The GravityZone policy is visible in NSX-T Manager under the Vendor Template column, when you add a Service Profile.

  6. Click Save.

Configure and apply endpoint protection to guest VMs

NSX enforces Guest Introspection policies (GravityZone security policy) when a Service Profile is available. To apply endpoint protection to guest VMs, you need to create a Service Profile and associate it with a VM group through a policy rule.

Configure endpoint protection for guest VMs as follows:

Create a Service Profile

Add a Service Profile in NSX Manager.

  1. In NSX Manager, go to the Security page and click the Configuration tab.

  2. Navigate to the Endpoint Protection tab and go to SERVICE PROFILES.

  3. In the Partner Service drop-down menu, select Bitdefender and then click ADD SERVICE PROFILE.

  4. Specify the Service Profile details:

    • Enter the Service Profile name.

    • Select the vendor template (GravityZone security policy).

  5. Click Save.

    The Service Profile is now added.

Create and publish a policy rule

Create a policy for your VM group. To associate a VM group that needs to be protected with a specific service profile, you need to create a policy rule.

  1. In NSX Manager, go to the Security page and click the Configuration tab.

  2. Navigate to the Endpoint Protection tab and go to RULES.

  3. Click ADD POLICY.

  4. Enter a policy name.

  5. Click the three vertical dots to open the dropdown menu.

  6. Click Add Rule.

  7. Enter a policy rule name.

  8. Under the Groups column, click the edit icon to set VM groups:

    • In the table, select a VM group for this rule.

    • Click APPLY.

  9. Under the Service Profiles column, click the edit icon to map the Service Profile to your VM groups.

    In the table, select the Service Profile and click SAVE.

  10. Click PUBLISH to apply endpoint protection to your guest VMs.
