Manage endpoint protection in VMware NSX-T
Integration Overview
NSX-T Data Center provides agentless endpoint protection capabilities through the Guest Introspection ecosystem. Bitdefender integrates with the NSX ecosystem to protect guest virtual machines by using a Security Server deployed at the hypervisor host level.
This article provides guidance for NSX-T Data Center administrators on how to configure and apply endpoint protection to guest VMs, by implementing a Bitdefender GravityZone Guest Introspection policy.
Prerequisites
- Software Prerequisites
Compatibility with NSX-T Data Center:

| VMware NSX-T Manager | GravityZone Control Center | Bitdefender Security Server for NSX-T |
|---|---|---|
| 3.1 | 6.18.1 and newer | 1.0.5.10125 and newer |
| 3.0 | 6.14.1 and newer | 1.0.3.9806 and newer |
| 2.5 | 6.9.1-1 and newer | 1.0.2.9311 and newer |
| 2.4 | 6.5.5-1 – 6.9.1-1 | 1.0.1.8727 and newer |
| 2.3 | n/a | n/a |

For more compatibility details, refer to these VMware webpages:
- VMware Compatibility Guide – GravityZone vs. NSX-T Manager
- VMware Product Interoperability Matrices - NSX-T Data Center vs. VMware vCenter and VMware Tools
- NSX-T Manager configuration prerequisites
Before you start the Bitdefender GravityZone configuration and Security for Virtualized Environment service deployment, you need to meet the following conditions:
- The NSX-T Manager is connected to all target Compute Managers (vCenter Servers) and all ESXi hosts in the target clusters have the NSX drivers installed. For more information, refer to the VMware NSX-T Data Center documentation.
- All target VMs are running a compatible version of VMware Tools with the NSX Guest Introspection driver installed. For more information, refer to the VMware guide on installing VMware Tools with NSX Guest Introspection Drivers.
To integrate GravityZone Security and apply endpoint protection to VMs, follow these steps:
- Integrate GravityZone with vCenter Server
- Integrate GravityZone with NSX-T Manager
- Download Bitdefender Security Server installation package
- Deploy Partner service (Bitdefender GravityZone) in NSX Manager
- Configure NSX Groups
- Create GravityZone security policy
- Configure and apply endpoint protection to guest VMs
Step 1: Integrate GravityZone with vCenter Server
Add a new VMware vCenter Server integration to the GravityZone Control Center.
- Log in to GravityZone Control Center.
- Go to the Configuration page.
- Navigate to Virtualization Providers > Management Platforms.
- Click Add and choose vCenter Server from the menu.
- Specify the vCenter Server details.
- Specify the credentials for vCenter Server authentication.
- Under Installed platforms, choose None for your NSX-T integration.
- Click Save to complete the vCenter Server integration with Control Center.
Accepting the self-signed security certificate is required for the integration.
For more information, refer to the Integrating with vCenter Server chapter within the Bitdefender GravityZone Installation Guide.
Note: For multiple vCenter Servers managed by NSX-T Manager, you need to repeat this step for each vCenter Server.
Step 2: Integrate GravityZone with NSX-T Manager
Add a new VMware NSX-T Manager integration to the GravityZone Control Center.
- In Control Center, go to the Configuration page.
- Navigate to Virtualization Providers > Security Providers.
- Click Add to configure the NSX-T integration.
- Specify the NSX-T integration details:
- Name of the NSX-T integration
- Hostname or the IP address of the vCenter Server system
- NSX-T port (default 443)
- Specify the credentials for NSX-T Manager authentication.
- Click Save to complete the integration.
Note: The number of vCenter Servers registered as Compute Managers in NSX-T Manager should match the number of vCenter Server integrations under Management Platforms in Control Center. If the counts do not match, go back to Step 1 and add the missing vCenter Server integration.
Step 3: Download Bitdefender Security Server installation package
Download the Security Server installation package to deploy it as a Partner service in NSX Manager.
- In Control Center, navigate to Network > Packages.
- Select the Default Security Server Package.
- Click Download and choose the Security Server (VMware with NSX-T) package.
- Save the package to a selected location.
Step 4: Deploy Partner service (Bitdefender GravityZone) in NSX Manager
Deploy the Security Server as a Partner service in NSX-T Manager.
Note: We recommend using this method only in testing environments.
- In NSX Manager, go to the System page and click Service Deployment.
- Navigate to the Deployment tab and click Deploy Service.
- Specify the service deployment details:
- Enter the service deployment name.
- In the Compute Manager field, select the compute resource on the vCenter Server to deploy the service (Bitdefender SVA).
- In the Cluster field, select the cluster where the service needs to be deployed.
- In the Data Store field, you can select a data store as the repository if it has not been previously configured. For more information, refer to VMware Docs.
- Under the Network column, click Set to configure the Management Network interface. A configuration window appears where you configure the address type, control network and data network.
- In the Deployment Specification field, select Bitdefender SVA – Medium.
- In the Deployment Template field, select Bitdefender Security Server.
- Click Save.
The Bitdefender Security Server is deployed.
Step 5: Configure NSX Groups
NSX uses groups as the source and destination of a service profile rule. Create groups in NSX Manager for protected VMs, unprotected VMs and affected (quarantined) VMs.
In this step, you will create and define group membership as follows:
Protected VMs Group
Create a group for protected VMs.
- In NSX Manager, go to the Inventory page and click Groups.
- Click ADD GROUP to configure the group.
- Specify the group details:
- Enter the security group name.
- In the Domain column, click default.
- Under the Compute Members, click Set Members to define membership of the group:
- Go to the Members tab and select a group from the Select Category drop-down menu.
- In the table, select a node to assign a server to this group.
- Click APPLY.
For more information, refer to the following VMware Docs article.
- Click SAVE.
The group for the protected VMs is now added.
Unprotected VMs Group
To create a group and define membership for unprotected VMs, follow the previous steps 1-4 from Protected VMs Group.
Affected VMs Group
Create a group for affected VMs and name it Quarantine.
- In NSX Manager, go to the Inventory page and click Groups.
- Click ADD GROUP to configure the group.
- Specify the group details:
- Enter the security group name.
- In the Domain column, click default.
- Under the Compute Members, click Set Members to define membership of the group:
- Go to the Membership Criteria tab and click ADD CRITERIA.
- In the third column, select Contains.
- In the Scope field, enter the following tag:
ANTI_VIRUS
- Click APPLY.
For more information, refer to the following VMware Docs article.
- Click SAVE.
The group for the quarantined VMs is now added.
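As an added example (not part of this article and not Bitdefender's or VMware's code), a Python check that a group definition fetched from the NSX-T Policy API is actually keyed on the ANTI_VIRUS tag scope, so that VMs tagged by the Security Server really land in the Quarantine group. The API path, the "scope|tag" value encoding and the sample response are assumptions, not taken from the article.

```python
"""Check that an NSX-T group is keyed on the ANTI_VIRUS tag scope.

Reads a group document in the shape assumed for the NSX-T Policy API
(GET /policy/api/v1/infra/domains/default/groups/<group-id>) and verifies
that its membership criteria contain a VirtualMachine Tag condition whose
scope is ANTI_VIRUS. The 'scope|tag' encoding is an assumption.
"""
import json
from typing import Any, Dict, Iterator, List

# Constructed sample response for a correctly configured Quarantine group.
SAMPLE_GROUP_JSON = json.dumps({
    "resource_type": "Group",
    "id": "Quarantine",
    "display_name": "Quarantine",
    "expression": [{
        "resource_type": "Condition",
        "member_type": "VirtualMachine",
        "key": "Tag",
        "operator": "CONTAINS",
        "value": "ANTI_VIRUS|",   # assumed encoding: scope ANTI_VIRUS, any tag
    }],
})

def iter_conditions(expressions: List[Dict[str, Any]]) -> Iterator[Dict[str, Any]]:
    """Yield every Condition, descending into NestedExpression blocks."""
    for expr in expressions:
        kind = expr.get("resource_type")
        if kind == "Condition":
            yield expr
        elif kind == "NestedExpression":
            yield from iter_conditions(expr.get("expressions", []))
        # ConjunctionOperator entries (AND/OR) carry no condition themselves.

def tag_scope(value: str) -> str:
    """Return the scope part of an assumed 'scope|tag' value ('' if none)."""
    return value.split("|", 1)[0] if "|" in value else ""

def is_quarantine_group(group: Dict[str, Any], scope: str = "ANTI_VIRUS") -> bool:
    """True if any VM Tag condition in the group selects the given tag scope."""
    return any(
        c.get("member_type") == "VirtualMachine"
        and c.get("key") == "Tag"
        and c.get("operator") in ("CONTAINS", "EQUALS")
        and tag_scope(str(c.get("value", ""))) == scope
        for c in iter_conditions(group.get("expression", []))
    )

def check_group_json(raw: str) -> bool:
    """Parse a Policy API group document and run the quarantine check."""
    return is_quarantine_group(json.loads(raw))

if __name__ == "__main__":
    print("Quarantine group keyed on ANTI_VIRUS:", check_group_json(SAMPLE_GROUP_JSON))
```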
Step 6: Create GravityZone security policy
Create and configure security policy in Control Center.
- In Control Center, go to the Policies page.
- Click Add to configure a policy.
- Enter a name for your policy.
- Configure the policy settings as needed.
Only Antimalware settings are applicable to NSX-T integrations.
- Go to NSX and select the associated check box to set its visibility in NSX-T Manager. The GravityZone policy is visible in NSX-T Manager under the Vendor Template column when you add a Service Profile.
- Click Save.
Step 7: Configure and apply endpoint protection to guest VMs
NSX enforces Guest Introspection policies (the GravityZone security policy) when a Service Profile is available. To apply endpoint protection to guest VMs, you need to create a Service Profile and associate it with a VM group through a policy rule.
Configure endpoint protection for guest VMs as follows:
Create a Service Profile
Add a Service Profile in NSX Manager.
- In NSX Manager, go to the Security page.
- Navigate to the Endpoint Protection tab and go to SERVICE PROFILES.
- Click ADD SERVICE PROFILE.
- Specify the Service Profile details:
- Enter the Service Profile name.
- Select the vendor template (GravityZone security policy).
- Click Save.
The Service Profile is now added.
Create and publish a policy rule
Create a policy for your VM group. To associate a VM group that needs to be protected with a specific service profile, you need to create a policy rule.
- In NSX Manager, go to the Security page.
- Navigate to the Endpoint Protection tab and go to RULES.
- Click ADD POLICY.
- Enter a policy name.
- Click the three vertical dots to open the dropdown menu.
- Click Add Rule.
- Enter a policy rule name.
- Under the Groups column, click the edit icon to set VM groups:
- In the table, select a VM group for this rule.
- Click APPLY.
- Under the Service Profiles column, click the edit icon to map the Service Profile to your VM groups. In the table, select the Service Profile and click SAVE.
- Click PUBLISH to apply endpoint protection to your guest VMs.