
Manage endpoint protection in VMware NSX-T

Integration Overview

NSX-T Data Center provides agentless endpoint protection capabilities through the Guest Introspection ecosystem. Bitdefender integrates with the NSX ecosystem to protect guest virtual machines by using a Security Server deployed at the hypervisor host level.

This article provides guidance for NSX-T Data Center administrators on how to configure and apply endpoint protection to guest VMs, by implementing a Bitdefender GravityZone Guest Introspection policy.

Prerequisites

  • Software Prerequisites
    Compatibility with NSX-T Data Center:

    VMware NSX-T Manager   GravityZone Control Center   Bitdefender Security Server for NSX-T
    3.1                    6.18.1 and newer             1.0.5.10125 and newer
    3.0                    6.14.1 and newer             1.0.3.9806 and newer
    2.5                    6.9.1-1 and newer            1.0.2.9311 and newer
    2.4                    6.5.5-1 – 6.9.1-1            1.0.1.8727 and newer
    2.3                    n/a                          n/a

    For more compatibility details, refer to these VMware webpages:

  • NSX-T Manager configuration prerequisites
    Before you start the Bitdefender GravityZone configuration and Security for Virtualized Environment service deployment, you need to meet the following conditions:

To integrate GravityZone Security and apply endpoint protection to VMs, follow these steps:

  1. Integrate GravityZone with vCenter Server
  2. Integrate GravityZone with NSX-T Manager
  3. Download Bitdefender Security Server installation package
  4. Deploy Partner service (Bitdefender GravityZone) in NSX Manager
  5. Configure NSX Groups
  6. Create GravityZone security policy
  7. Configure and apply endpoint protection to guest VMs

Step 1: Integrate GravityZone with vCenter Server

Add a new VMware vCenter Server integration to the GravityZone Control Center.

  1. Log in to GravityZone Control Center.
  2. Go to the Configuration page.
  3. Navigate to Virtualization Providers > Management Platforms.
  4. Click Add and choose vCenter Server from the menu.
  5. Specify the vCenter Server details.
  6. Specify the credentials for vCenter Server authentication.
  7. Under Installed platforms choose None for your NSX-T integration.
  8. Click Save to complete the vCenter Server integration with Control Center.
    Accepting the self-signed security certificate is required for the integration.
    For more information, refer to the Integrating with vCenter Server chapter within the Bitdefender GravityZone Installation Guide.
Note:
For multiple vCenter Servers managed by NSX-T Manager, you need to repeat this step.

Step 2: Integrate GravityZone with NSX-T Manager

Add a new VMware NSX-T Manager integration to the GravityZone Control Center.

  1. In Control Center, go to the Configuration page.
  2. Navigate to Virtualization Providers > Security Providers.
  3. Click Add to configure the NSX-T integration.
  4. Specify the NSX-T integration details:
    • Name of the NSX-T integration
    • Hostname or the IP address of the vCenter Server system
    • NSX-T port (default 443)
  5. Specify the credentials for NSX-T Manager authentication.
  6. Click Save to complete the integration.
Note:
The number of integrated servers in NSX-T Manager should match the number in Management Platforms within Control Center. If the counts do not match, go back to Step 1 to add a new vCenter Server integration.

Step 3: Download Bitdefender Security Server installation package

Download the Security Server installation package to deploy it as a Partner service in NSX Manager.

  1. In Control Center, navigate to Network > Packages.
  2. Select the Default Security Server Package.
  3. Click Download and choose the Security Server (VMware with NSX-T) package.
  4. Save the package to a selected location.

Step 4: Deploy Partner service (Bitdefender GravityZone) in NSX Manager

Deploy the Security Server as a Partner service in NSX-T Manager.

Note:
For test or proof-of-concept deployments in which the GravityZone Communication Server role is configured with a self-signed certificate, the Security Server appliance deployment will fail when using NSX-T Data Center 2.5.0.
For successful testing, follow these additional steps prior to deployment:

  1. Connect to NSX-T Manager with root privileges.
  2. Open the file /config/vmware/auth/ovf_validation.properties.
  3. Set the following flag as indicated:
    THIRD_PARTY_OVFS_VALIDATION_FLAG=2

We recommend using this method only in testing environments.
If deployment issues occur, refer to this KB article and note that the port used is 8443.
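
A post-test check for the note above, as an added example (not Bitdefender or VMware code): it reads the properties file named on this page and reports whether the test-only value 2 is still in effect. It assumes plain key=value lines where the last uncommented assignment wins; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the OVF validation flag described in the note above.
OVF_PROPS_DEFAULT="/config/vmware/auth/ovf_validation.properties"  # path from this page
OVF_FLAG_KEY="THIRD_PARTY_OVFS_VALIDATION_FLAG"

# Print the effective flag value, or nothing if the key is absent.
# Assumption: last uncommented assignment wins; spaces around '=' and CRLF are tolerated.
ovf_flag_value() {
    file="${1:-$OVF_PROPS_DEFAULT}"
    [ -r "$file" ] || return 2
    awk -v key="$OVF_FLAG_KEY" '
        { sub(/\r$/, "") }              # strip Windows line endings
        /^[ \t]*[#!]/ { next }          # skip comment lines
        {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { if (val != "") print val }
    ' "$file"
}

# Return 0 if the page's test-only value (2) is not in effect, 1 if it is,
# 2 if the file cannot be read. Other values are reported, not interpreted.
ovf_flag_audit() {
    file="${1:-$OVF_PROPS_DEFAULT}"
    value=$(ovf_flag_value "$file") || { echo "UNREADABLE $file"; return 2; }
    case "$value" in
        2)  echo "FAIL $OVF_FLAG_KEY=2 (test-only setting) in $file"; return 1 ;;
        "") echo "OK $OVF_FLAG_KEY not set in $file"; return 0 ;;
        *)  echo "NOTE $OVF_FLAG_KEY=$value in $file (not the test value)"; return 0 ;;
    esac
}

# Dry run on a constructed sample file (not taken from a real NSX-T Manager).
sample=$(mktemp)
printf '%s\n' '# constructed sample' 'THIRD_PARTY_OVFS_VALIDATION_FLAG = 2' > "$sample"
ovf_flag_audit "$sample" || echo "Revert the flag before production use."
rm -f "$sample"
```

On an NSX-T Manager shell, call `ovf_flag_audit` with no argument to check the path given in this note.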

  1. In NSX Manager, go to the System page and click Service Deployment.
  2. Navigate to the Deployment tab and click Deploy Service.
  3. Specify the service deployment details:
    • Enter the service deployment name.
    • In the Compute Manager field, select the compute resource on the vCenter Server to deploy the service (Bitdefender SVA).
    • In the Cluster field, select the cluster where the service needs to be deployed.
    • In the Data Store field, you can select a data store as the repository if it has not been previously configured.
      For more information, refer to VMware Docs.
    • Under the Network column, click Set to configure the Management Network interface.
      A configuration window appears where you configure the address type, control network and data network.
    • In the Deployment Specification field, select Bitdefender SVA – Medium.
    • In the Deployment Template field, select Bitdefender Security Server.
  4. Click Save.
    The Bitdefender Security Server is deployed.

Step 5: Configure NSX Groups

NSX uses groups as the source and destination fields of a service profile. Create groups in NSX Manager for protected VMs, unprotected VMs, and affected (quarantined) VMs.

In this step, you will create and define group membership as follows:

Protected VMs Group

Create a group for protected VMs.

  1. In NSX Manager, go to the Inventory page and click Groups.
  2. Click ADD GROUP to configure the group.
  3. Specify the group details:
    • Enter the security group name.
    • In the Domain column, click default.
    • Under the Compute Members, click Set Members to define membership of the group:
      1. Go to the Members tab and select a group from the Select Category drop-down menu.
      2. In the table, select a node to assign a server to this group.
      3. Click APPLY.
        For more information, refer to the following VMware Docs article.
  4. Click SAVE.
    The group for the protected VMs is now added.

Unprotected VMs Group

To create a group and define membership for unprotected VMs, follow steps 1-4 from Protected VMs Group.

Affected VMs Group

Create a group for affected VMs and name it Quarantine.

  1. In NSX Manager, go to the Inventory page and click Groups.
  2. Click ADD GROUP to configure the group.
  3. Specify the group details:
    • Enter the security group name.
    • In the Domain column, click default.
    • Under the Compute Members, click Set Members to define membership of the group:
      1. Go to the Membership Criteria tab and click ADD CRITERIA.
      2. In the third column, select Contains.
      3. In the Scope field, enter the following tag:
        ANTI_VIRUS
      4. Click APPLY.
        For more information, refer to the following VMware Docs article.
  4. Click SAVE.
    The group for the quarantined VMs is now added.

Step 6: Create GravityZone security policy

Create and configure a security policy in Control Center.

  1. In Control Center, go to the Policies page.
  2. Click Add to configure a policy.
  3. Enter a name for your policy.
  4. Configure the policy settings as needed.
    Only Antimalware settings are applicable to NSX-T integrations.
  5. Go to NSX and select the associated check box to set its visibility in NSX-T Manager.
    The GravityZone policy is visible in NSX-T Manager under the Vendor Template column, when you add a Service Profile.
  6. Click Save.

Step 7: Configure and apply endpoint protection to guest VMs

NSX enforces Guest Introspection policies (GravityZone security policy) when a Service Profile is available. To apply endpoint protection to guest VMs, you need to create a Service Profile and associate it with a VM group through a policy rule.

Configure endpoint protection for guest VMs as follows:

  1. Create a Service Profile
  2. Create and publish a policy rule

Create a Service Profile

Add a Service Profile in NSX Manager.

  1. In NSX Manager, go to the Security page.
  2. Navigate to the Endpoint Protection tab and go to SERVICE PROFILES.
  3. Click ADD SERVICE PROFILE.
  4. Specify the Service Profile details:
    • Enter the Service Profile name.
    • Select the vendor template (GravityZone security policy).
  5. Click Save.
    The Service Profile is now added.

Create and publish a policy rule

Create a policy for your VM group. To associate a VM group that needs to be protected with a specific service profile, you need to create a policy rule.

  1. In NSX Manager, go to the Security page.
  2. Navigate to the Endpoint Protection tab and go to RULES.
  3. Click ADD POLICY.
  4. Enter a policy name.
  5. Click the three vertical dots to open the dropdown menu.
  6. Click Add Rule.
  7. Enter a policy rule name.
  8. Under the Groups column, click the edit icon to set VM groups:
    • In the table, select a VM group for this rule.
    • Click APPLY.
  9. Under the Service Profiles column, click the edit icon to map the Service Profile to your VM groups.
    In the table, select the Service Profile and click SAVE.
  10. Click PUBLISH to apply endpoint protection to your guest VMs.