VMware vCenter

Integrate with vCenter Server

You can integrate GravityZone with one or multiple vCenter Server systems.

vCenter Server systems in Linked Mode must be added separately to Control Center.

To set up integration with a vCenter Server:

  1. Go to the Configuration page in Control Center and navigate to Virtualization Providers > Management Platforms.

  2. Click the Add button at the upper side of the table and choose vCenter Server from the menu. A configuration window will appear.

  3. Specify the vCenter Server details.

    • Name of the vCenter Server system in Control Center

    • Hostname or IP address of the vCenter Server system

    • vCenter Server port (default 443)

  4. Specify the credentials to be used to authenticate with the vCenter Server.

    You can choose to use the credentials provided for integration with Active Directory or a different set of credentials.

    The user whose credentials you provide must have root or administrator permissions on the vCenter Server.

  5. Choose the VMware platform installed in your environment and configure the settings accordingly:

    • None. Select this option for NSX-T or if no VMware-specific platform is installed, and click Save. Accepting the self-signed security certificate is required for the integration.

      To configure NSX-T Manager integration and apply endpoint protection to your VMs through GravityZone Guest Introspection policy, refer to Manage endpoint protection in VMware NSX-T.

    • vShield. Specify the details of the vShield Manager system integrated with the vCenter Server.

      • Hostname or IP address of the vShield Manager system

      • vShield Manager port (default 443)

    • NSX-V. Specify the details of the NSX Manager integrated with the vCenter Server.

      Note

      To upgrade from VMware vShield to NSX, refer to Upgrade VMware environments protected with GravityZone from vCNS to NSX.

      • Hostname or IP address of the NSX Manager

      • NSX Manager port (default 443)

      • Username and password used to authenticate on NSX Manager.

        These credentials will be saved on the protected entity, not in Credentials Manager.

      • Select the Tag if a virus is found check box to use the default NSX security tags when malware is found on the virtual machine.

        A machine may be tagged with three different security tags, depending on the risk level of the threat:

        • ANTI_VIRUS.VirusFound.threat=low, applied to the machine when Bitdefender finds low-risk malware, which it can delete.

        • ANTI_VIRUS.VirusFound.threat=medium, applied to the machine if Bitdefender cannot delete the infected files but disinfects them instead.

        • ANTI_VIRUS.VirusFound.threat=high, applied to the machine if Bitdefender can neither delete nor disinfect the infected files, but blocks access to them.

        When threats of different risk levels are detected on the same machine, all associated tags will be applied. For example, a machine on which both high and low risk malware were found will have both security tags.

        Note

        You can find the security tags in VMware vSphere, under Networking & Security > NSX Managers > NSX Manager > Manage > Security Tags tab.

        Though you can create as many tags as you want, only the three mentioned tags work with Bitdefender.

  6. Restrict policy assignment from the network view. Use this option to control the network administrators' permission to change the virtual machines' policies via the Computers and Virtual Machines view in the Network page. When this option is selected, administrators can change the virtual machines' policies only from the Virtual Machines view of the network inventory.

  7. Click Save. You will be asked to accept the security certificates for vCenter Server and NSX Manager. These certificates ensure secure communication between GravityZone and VMware components, mitigating the risk of man-in-the-middle attacks.

    You can verify if the correct certificates were installed by checking the browser's site information for each VMware component against the certificate information displayed in Control Center.

  8. Select the check boxes to accept using the certificates.

  9. Click Save. You will be able to view the vCenter Server in the active integrations list.

  10. If you use the NSX-V platform:

    1. Go to the Update > Components tab.

    2. Download and then publish the Security Server (VMware with NSX) package. For more information on how to update GravityZone components, refer to Update GravityZone.

    3. Go to the Configuration > Virtualization Providers tab.

    4. In the Action column, click the Register button corresponding to the vCenter integrated with NSX to register the Bitdefender service with VMware NSX Manager.

    Warning

    When the security certificate is expired and the vCenter tries to synchronize, a pop-up will prompt you to update it. Enter the configuration window of the vCenter Server integration, click Save, accept the new certificates and then click Save again.

    After registration, Bitdefender adds the following to the VMware vSphere console:

    • Bitdefender service

    • Bitdefender service manager

    • Three new default service profiles for permissive, normal and aggressive scanning modes.

      Note

      You can also view these service profiles in the Policies page of Control Center. Click the Columns button at the upper-right side of the right pane to view additional information.

Finally, you can see that the vCenter Server is synchronizing. Wait a couple of minutes until synchronization finishes.
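
The certificate check in step 7, as an added example that is not part of the Bitdefender documentation: a shell helper that fetches the certificate a VMware component actually serves and compares its SHA-256 fingerprint with the value read from the acceptance dialog. It assumes the dialog shows a SHA-256 fingerprint and that the openssl CLI is installed; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not Bitdefender code): compare the certificate a VMware
# component serves with the fingerprint shown in the acceptance dialog.
# Assumption: the dialog displays a SHA-256 fingerprint.

# Drop an "sha256 Fingerprint=" label, separators and case differences.
normalize_fp() {
    printf '%s' "$1" | sed 's/^.*=//' | tr -d ': \t\r\n' | tr 'a-f' 'A-F'
}

# Print the SHA-256 fingerprint of the leaf certificate served by host $1
# on port $2 (default 443). Needs the openssl CLI and network access.
served_fp() {
    openssl s_client -connect "$1:${2:-443}" </dev/null 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256
}

# Return 0 on a match, 1 on a mismatch, 2 if $1 is not a SHA-256 fingerprint.
fp_matches() {
    a=$(normalize_fp "$1")
    b=$(normalize_fp "$2")
    case "$a" in
        ""|*[!0-9A-F]*) return 2 ;;
    esac
    [ "${#a}" -eq 64 ] || return 2
    [ "$a" = "$b" ]
}

# Usage: sh check_fp.sh <host> <fingerprint from the dialog> [port]
if [ "$#" -ge 2 ]; then
    if fp_matches "$(served_fp "$1" "${3:-443}")" "$2"; then
        echo "match: $1 serves the certificate shown in the dialog"
    else
        echo "MISMATCH or fetch failure for $1: do not accept" >&2
        exit 1
    fi
fi
```

Run it once per component (vCenter Server, NSX Manager) from a machine on the management network before selecting the check boxes in step 8.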

Protect VDIs when using VMware Horizon View and GravityZone SVE

This section explains how to protect the Virtual Desktop Infrastructure (VDI) in a VMware environment using VMware Horizon View and GravityZone Security for Virtualized Environments, with or without vShield.

Without vShield

Overview

VMware Horizon View delivers desktop services from your datacenter to enable end-user freedom and IT management and control.

Desktop and application virtualization offers IT a more streamlined, secure way to manage users and provide agile, on-demand desktop services.

Bitdefender GravityZone Security for Virtualized Environments (SVE) is an all-encompassing security solution for virtualized datacenters, protecting virtualized servers and desktops on Windows, Linux, and Solaris systems.

GravityZone SVE offers protection through Security Server and BEST. Security Server is a dedicated virtual machine that de-duplicates and centralizes most of the antimalware functionality of antimalware clients, acting as a scan server. BEST is the component to be installed on the virtual machines you want to protect.

Prerequisites

The prerequisites for GravityZone SVE are:

  • ESXi host;

  • vCenter Server;

  • Control Center with GravityZone SVE service;

  • Security Server (VMware version) deployed on at least one ESXi Host;

  • BEST installed on golden image.

How to protect the VDIs

You can also use SVE in a VMware environment when vShield Endpoint is not installed. In a non-vShield VMware environment, you must install BEST on every virtual machine.

BEST offloads anti-malware processing to the Security Server via TCP/IP. Network load will be at a minimum level due to the BEST local cache and the centralized cache on the Security Server. BEST employs a local cache that is prepopulated based on its environment variables; this way it is able to offload the scanning of only what is required while excluding objects that are safe.

Note

When using GravityZone SVE in a non-vShield VMware environment, there is no need to deploy a Security Server on each ESXi host.

To protect the VDIs, follow the next steps:

  1. Integrate Control Center with vCenter:

    1. Open GravityZone Control Center.

    2. Go to the Configuration page.

    3. Select the Virtualization tab.

    4. Click the Add button at the upper-left side of the table and choose vCenter Server from the menu.

  2. Install Security Server on ESXi hosts.

    1. Go to the Network page and select Virtual Machines service.

    2. Select the host(s) on which you deploy the Security Server.

    3. Right-click to access the contextual menu and select the Tasks > Install Security Server option. The Security Server Installation window appears.

    4. In the General tab, select one of the following options:

      • Use common settings for all Security Servers. Using this option while deploying multiple Security Server instances requires the target hosts to share the same storage and have identical hardware specs. In addition, all security servers will be part of the same management network segment and they will be automatically configured by DHCP.

        Note: If DHCP is used, make sure all IPs assigned to Security Servers are reserved.

      • Configure each Security Server differently. This option allows you to have different values for each setting of the Security Servers.

    5. Click Next to configure the Security Server instance(s):

      • Name – The name of the Security Server which will appear in VMware Inventory.

      • Deploy Container – the vCenter server parent container for the new Security Server.

      • Provisioning – the VMDK provisioning type.

      • Consolidation – the hardware resources assignation. If Custom level is selected, the administrator can specify the amount of CPU and Memory.

      • Set Administrative Password – at the time of the deployment the administrator can change the Security Server root password. If this option is not selected, the root account will have the default password and the only way this can be changed later is by accessing the VM's console.

      • Timezone – the time zone setting. Clock is automatically synchronized by the ntpd service.

      • Network Settings – the VMs management network settings.

    6. After all the configurations are done, if you have different settings for your Security Servers, click Next to proceed with the next instance, otherwise click Save. The deployment task starts.

      Note

      You can view the deployment task progress in the Network > Tasks page. Check the task status by clicking the link in the Status column. After the deployment task reaches the status In progress 100%, the new Security Server is powered on and the boot process starts. Allow up to 3 minutes for the boot operation to complete. The deployment task will display the Finished status after the management agent on the Security Server synchronizes with GravityZone for the first time, informing the administrator that the new Security Server is operational.

  3. Create a virtual machine (with Windows 7 for example) with all the programs needed by users.

  4. Deploy BEST on this new virtual machine:

    1. Select the VM on which you deploy BEST.

    2. Right-click to access the contextual menu and select the Tasks > Install option. The BEST Installation window appears.

    3. Under the Credentials Manager section, specify the administrative credentials required for remote authentication on the virtual machine.

      Note

      If using VMware Horizon View Persona Management, it is recommended to configure Active Directory Group Policy to exclude the following Bitdefender processes (without the full path):

      • bdredline.exe

      • epag.exe

      • epconsole.exe

      • epintegrationservice.exe

      • epprotectedservice.exe

      • epsecurityservice.exe

      • epupdateservice.exe

      • epupdateserver.exe

      For details, refer to this VMware Horizon documentation page.

  5. Configure the VMware Horizon View: connect to VMware Horizon View Administrator and create the pools for the VDIs.

  6. Once VMware Horizon View is configured and a user tries to connect from a VMware View Client to a VDI, new Virtual Desktops are created.

  7. All the VDIs from VMware Horizon View will be protected.

    To be sure that the VDIs are protected, you can do the following checks:

    • Try an EICAR test. Copy the 68-byte string into a .txt file and save it. If the VDI is protected, the .txt file will be empty when you reopen it. Also, the reports and charts on the Control Center Dashboard and Reports pages will show malware presence on the VDI.

    • On the Security Server you can check if your VDI is connected to it. The connection should be established on port 7081.

      netstat | grep ESTABLISHED

      tcp6 0 0 gz2svamp.tstlabs:7081 vdi-01.tstlabs.bi:65299 ESTABLISHED

      tcp6 0 0 gz2svamp.tstlabs:7081 vdi-02.tstlabs.bi:64235 ESTABLISHED
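
The port 7081 check above, extended into a script (an added example, not part of the Bitdefender documentation): it reads netstat output, lists every peer with an established session to the Security Server scan port, and reports expected desktops that have none. The sample lines, addresses and function names are constructed; numeric output (netstat -tn) is assumed because netstat shortens long host names, as in the listing above.

```shell
#!/bin/sh
# Added example (not Bitdefender code): audit which desktops hold an
# ESTABLISHED session to the Security Server on port 7081.
SCAN_PORT=7081

# Constructed sample of `netstat -tn` output taken on a Security Server.
sample_netstat() {
    cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:22           192.0.2.200:51514       ESTABLISHED
tcp6       0      0 192.0.2.10:7081         192.0.2.12:64235        ESTABLISHED
tcp6       0      0 ::ffff:192.0.2.10:7081  ::ffff:192.0.2.11:65299 ESTABLISHED
tcp6       0      0 192.0.2.10:7081         192.0.2.13:50112        TIME_WAIT
EOF
}

# Reads netstat lines on stdin and prints each peer connected to the scan
# port, one per line, sorted and de-duplicated.
connected_vdis() {
    awk -v port="$SCAN_PORT" '
        $1 ~ /^tcp/ && $6 == "ESTABLISHED" {
            # The port follows the LAST colon, so IPv6 literals also parse.
            n = split($4, l, ":")
            if (l[n] != port) next
            peer = $5
            sub(/:[^:]*$/, "", peer)   # drop the ephemeral client port
            sub(/^::ffff:/, "", peer)  # unwrap IPv4-mapped IPv6 addresses
            print peer
        }' | sort -u
}

# Reads netstat lines on stdin; file $1 lists the expected desktops, one per
# line. Prints every expected desktop that has no session to the scan port.
missing_vdis() {
    connected=$(connected_vdis)
    while IFS= read -r vdi || [ -n "$vdi" ]; do
        [ -z "$vdi" ] && continue
        printf '%s\n' "$connected" | grep -qxF -- "$vdi" || printf '%s\n' "$vdi"
    done < "$1"
}

# Demo on the constructed sample; on a live Security Server use instead:
#   netstat -tn | missing_vdis expected_vdis.txt
sample_netstat | connected_vdis
```

A desktop reported by missing_vdis is either powered off or not offloading scans to this Security Server, so confirm its state before treating it as protected.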

With vShield

Overview

VMware Horizon View delivers desktop services from your datacenter to enable end-user freedom and IT management and control.

Desktop and application virtualization offers IT a more streamlined, secure way to manage users and provide agile, on-demand desktop services.

Bitdefender GravityZone Security for Virtualized Environments (SVE) is an all-encompassing security solution for virtualized datacenters, protecting virtualized servers and desktops on Windows, Linux, and Solaris systems.

GravityZone SVE offers protection through Security Server and Bitdefender Tools. Security Server is a dedicated virtual machine that de-duplicates and centralizes most of the antimalware functionality of antimalware clients, acting as a scan server. Bitdefender Tools is the component to be installed on the virtual machines you want to protect.

GravityZone SVE can be used in a VMware environment with vShield Endpoint. When installed in VMware vSphere environments, SVE takes advantage of the vShield Endpoint integration to provide agentless antimalware introspection. vShield Endpoint offloads anti-malware agent processing to the dedicated Security Server.

Using the vShield Endpoint driver installed on the ESXi host and vShield Thin Agent installed by VMware tools on every VM, the Security Server scans each guest VM, providing an agentless service.

Requirements

To use vShield Endpoint Thin Agent, ensure the guest virtual machine is installed with a supported version of Windows. The versions of the Windows operating systems that are supported for vShield Endpoint are:

  • Windows XP (32-bit)

  • Windows Vista (32-bit)

  • Windows 7 (32-bit, 64-bit)

  • Windows 8 (32-bit, 64-bit) (vSphere 5.5 only)

  • Windows 2003 (32-bit, 64-bit)

  • Windows 2003 R2 (32-bit, 64-bit)

  • Windows 2008 (32-bit, 64-bit)

  • Windows 2008 R2 (32-bit, 64-bit)

  • Windows 2012 (32-bit, 64-bit) (vSphere 5.5 only)

Note

  • Windows 8 and Windows 2012 are supported guest operating systems in vSphere 5.5, but the ReFS file system is not supported.

  • Ensure the Thin Agent and the virtual machine are both either 32-bit or 64-bit versions. You cannot mix the two versions.

  • Windows 2012 R2 and Windows 8.1 are not currently supported guest operating systems for vShield Endpoint.

  • The SCSI controller is only needed for vShield Endpoint version 1.0. Ensure the guest virtual machine has a SCSI controller installed for vShield Endpoint 1.0. Later versions of vShield Endpoint do not require a SCSI controller.

Prerequisites

The prerequisites for GravityZone SVE integrated with vShield are:

  • ESXi host;

  • vCenter Server;

  • vShield Manager with vShield Endpoint installed;

  • vShield Thin Agent installed in golden image;

  • GravityZone SVE service available in Control Center;

  • Security Server (VMware with vShield) deployed on each ESXi Host.

To protect Linux VMs, you need to deploy Bitdefender Tools on those systems to offload anti-malware processing to the Security Server.

With vShield Endpoint Thin Agent, only file scanning is available. The user is not notified about possible virus activities or actions taken over different files, such as delete.

When using GravityZone SVE in a VMware environment with vShield, you must deploy a Security Server on each ESXi host.

How to protect the VDIs

To protect the VDIs, follow the next steps:

  1. Integrate Control Center with vCenter:

    1. Open GravityZone Control Center.

    2. Go to the Configuration page.

    3. Select the Virtualization tab.

    4. Click the Add button at the upper-left side of the table and choose vCenter Server from the menu.

  2. Install Security Server on ESXi hosts.

    1. Go to the Network page and select Virtual Machines service.

    2. Select the host(s) on which you deploy the Security Server.

    3. Right-click to access the contextual menu and select the Tasks > Install Security Server option. The Security Server Installation window appears.

    4. In the General section, select one of the following options:

      • Use common settings for all Security Servers. Using this option while deploying multiple Security Server instances requires the target hosts to share the same storage and have identical hardware specs. In addition, all security servers will be part of the same management network segment and they will be automatically configured by DHCP.

        Note: If DHCP is used, make sure all IPs assigned to Security Servers are reserved.

      • Configure each Security Server differently. This option allows you to have different values for each setting of the Security Servers.

    5. Click Next to configure the Security Server instances:

      • Name – The name of the Security Server which will appear in VMware Inventory.

      • Deploy Container – the vCenter server parent container for the new Security Server.

      • Provisioning – the VMDK provisioning type.

      • Consolidation – the hardware resources assignation. If Custom level is selected, the administrator can specify the amount of CPU and Memory.

      • Set Administrative Password – at the time of the deployment you can change the Security Server root password. If this option is not selected, the root account will have the default password. Later, the only way to change the password is by accessing the VM’s console.

      • Timezone – the time zone setting. Clock is automatically synchronized by the NTPD service.

      • Network Settings – the VMs management network settings.

    6. After all the configurations are done, if you have different settings for your Security Servers, click Next to proceed with the next instance, otherwise click Save and the deployment task starts.

      Note

      You can view the deployment task progress in the Network > Tasks page. Check the task status by clicking the link in the Status column. After the deployment task reaches the status In progress 100%, the new Security Server is powered on and the boot process starts. Allow up to 3 minutes for the boot operation to complete. The deployment task will display the Finished status after the management agent on the Security Server synchronizes with GravityZone for the first time, informing the administrator that the new Security Server is operational.

  3. Create a virtual machine (with Windows 7 for example) with all the programs needed by users.

    Note

    For a VMware environment with vShield, you can use agentless protection.

  4. Configure the VMware Horizon View: connect to VMware Horizon View Administrator and create the pools for the VDIs.

  5. Once VMware Horizon View is configured and a user tries to connect from a VMware View Client to a VDI, new Virtual Desktops are created.

  6. All the VDIs from VMware Horizon View will be protected.

    To be sure that the VDIs are protected, you can do the following checks:

    • Verify if GravityZone Security Server is registered in vShield Manager:

      1. Open the web console of vShield Manager.

      2. On the host's Summary tab, at Service Virtual Machines, you should see the name of the Security Server.

    • Verify if vShield Thin Agent is running:

      1. Open a VDI.

      2. In a Command Prompt window, run the following command:

        sc query vsepflt

      3. You should have the following output:

        [Screenshot: output of the sc query vsepflt command]
    • Verify if VDI is protected with an EICAR test:

      1. Copy the 68-byte string into a .txt file and save it.

      2. If the VDI is protected, the .txt file will be empty when you reopen it. Also, the reports and charts on the Control Center Dashboard and Reports pages will show malware presence on the VDI.