Add a VMware vCenter

You can watch Deep Security 12 - Scoping Environment Pt. 1 - Identifying Workloads on YouTube to review considerations when scoping your environment.

You can import a VMware vCenter into Deep Security Manager and then protect its virtual machines either agentlessly, with an agent, or in combined mode. (For information on those options, see Choose agentless vs. combined mode protection.)

If you are using Deep Security in FIPS mode, follow the instructions in Add a vCenter when Deep Security Manager is in FIPS mode instead.

You cannot import a vCenter that is using vShield Manager. For information on migrating from vShield Manager to a supported VMware product, see Install or upgrade Deep Security.

  1. In Deep Security Manager, go to Computers > Add > Add VMware vCenter.
  2. Enter the vCenter server information. Specify:
    • the vCenter server's IP address (or host name if DNS is configured and able to resolve FQDNs to IP addresses)
    • the port number to connect to the vCenter (443 by default)
    • the user name and password of a vCenter user account. This user must have the vCenter Administrator role at the data center level. (Applying this role at the cluster level causes errors.) This user is required to synchronize the VM inventory between vCenter and Deep Security Manager.
  3. Click Next.
  4. Accept the vCenter TLS (SSL) certificate.
  5. Enter the NSX information. Specify:
    • the NSX Manager IP address (or host name if DNS is configured and able to resolve FQDNs to IP addresses)
    • the port number to connect to NSX Manager (443 by default)
    • the user name and password of an NSX or vCenter user account. This account must conform to the specifications in the table below.
      User account specifications, by NSX type:

      VMware NSX Data Center for vSphere (NSX-V)

      The user account must be:

      • the NSX built-in administrator account (which has full permissions)

      Or

      • a vCenter user account with the following two roles:
        • Enterprise Administrator role assigned in NSX Manager. For information on assigning roles in NSX-V Manager, see this VMware article.
        • Administrator role assigned at the data center level in vCenter. (Applying this role at the cluster level causes errors.)

      VMware NSX-T Data Center (NSX-T)

      The user account must be:

      • the NSX built-in admin account (which has full permissions)

      Or

      • a vCenter user account with the following role (or another role that has equal or greater privileges):
        • Guest Introspection Administrator. For details on the privileges assigned to the various VMware roles, see this VMware article. For details on assigning roles in NSX-T Manager, see this VMware article.

    This user is required to synchronize NSX security policies and security groups with Deep Security Manager.

    Click Next.

  6. Accept the NSX Manager's TLS (SSL) certificate.
  7. Review the vCenter information and click Finish.
  8. The VMware vCenter has been successfully added message will be displayed. Click Close. The vCenter will appear on the Computers page.

    If you select Create an Event Based task to automatically activate VMs added to protected NSX Security Groups in this vCenter when adding the vCenter, Deep Security Manager will create two event-based tasks. One activates VMs when protection is added and the other deactivates VMs when protection is removed. For more information, see Automated policy management in NSX environments.

When Deep Security Manager adds the vCenter to its inventory, it also registers the Deep Security service within NSX Manager. This permits the deployment of the Deep Security service to the ESXi servers.

In a large environment with more than 3000 machines reporting to a vCenter Server, this process may take 20 to 30 minutes to complete. You can check the vCenter's Recent Task section to verify if there are activities running.

Deep Security Manager will maintain real-time synchronization with this VMware vCenter to keep the information displayed in Deep Security Manager (number of VMs, their status, etc.) up to date.

Add a vCenter when Deep Security Manager is in FIPS mode

If you are using Deep Security in FIPS mode, you must import the vCenter and NSX Manager TLS (SSL) certificates into Deep Security Manager before adding the vCenter to the manager. See Manage trusted certificates.
  1. In Deep Security Manager, go to Computers > Add > Add VMware vCenter.
  2. Enter the vCenter server information. Specify:
    • the vCenter server's IP address (or host name if DNS is configured and able to resolve FQDNs to IP addresses)
    • the port number to connect to the vCenter (443 by default)
    • the user name and password of a vCenter user account. This user must have the vCenter Administrator role at the data center level. (Applying this role at the cluster level causes errors.) This user is required to synchronize the VM inventory between vCenter and Deep Security Manager.
  3. In the Trusted Certificate section, click Test Connection to check whether the vCenter's SSL certificate has been imported successfully into Deep Security Manager. If there are no errors, click Next.
  4. Accept the vCenter's TLS (SSL) certificate.
  5. Enter the NSX information. Specify:
    • the NSX Manager IP address (or host name if DNS is configured and able to resolve FQDNs to IP addresses)
    • the port number to connect to NSX Manager (443 by default)
    • the user name and password of an NSX or vCenter user account. This account must be either the NSX built-in administrator account (which has full permissions) or a vCenter user account with the following two roles:
      • Enterprise Administrator role assigned in NSX Manager. For information on assigning roles in NSX Manager, see this VMware article.
      • Administrator role assigned at the data center level in vCenter. (Applying this role at the cluster level causes errors.)
    This user is required to synchronize NSX security policies and security groups between NSX and Deep Security Manager.

  6. Click Next.
  7. Accept the NSX Manager's TLS (SSL) certificate.
  8. Review the vCenter information and click Finish.
  9. The VMware vCenter has been successfully added message is displayed. Click Close. The vCenter appears on the Computers page.

In a large environment with more than 3000 machines reporting to a vCenter server, this process may take 20 to 30 minutes to complete. You can check the vCenter's Recent Task section to verify if there are activities running.

The manager maintains real-time synchronization with this VMware vCenter to keep the information displayed in Deep Security Manager (number of VMs, their status, etc.) up to date.
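
Before accepting the vCenter and NSX Manager TLS (SSL) certificates in either procedure, or importing them for FIPS mode, you can confirm that the certificate each endpoint presents on the network is the one you expect. The following is an added example, not part of the Deep Security documentation or product: it fetches the presented certificate and compares its SHA-256 fingerprint with a value you recorded out-of-band. It assumes you already have that fingerprint from a trusted source (for example, read directly on the appliance); host names and the command-line usage are illustrative.

```python
import hashlib
import hmac
import socket
import ssl
import sys


def normalize_fingerprint(text):
    """Reduce 'AA:BB:...', 'aa bb ...' or 'aabb...' to 64 lowercase hex digits."""
    cleaned = "".join(text.split()).replace(":", "").lower()
    if len(cleaned) != 64 or any(c not in "0123456789abcdef" for c in cleaned):
        raise ValueError("expected a SHA-256 fingerprint (64 hex digits)")
    return cleaned


def sha256_fingerprint(der_cert):
    """SHA-256 digest of the certificate's DER encoding, as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def matches_pin(der_cert, expected):
    """True only if the presented certificate is the one recorded out-of-band."""
    return hmac.compare_digest(sha256_fingerprint(der_cert),
                               normalize_fingerprint(expected))


def fetch_der_cert(host, port=443, timeout=10.0):
    """Fetch the leaf certificate an endpoint presents, without trusting it."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be disabled before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE     # retrieval only; trust comes from the pin
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def check_endpoints(endpoints, fetch=fetch_der_cert):
    """endpoints: {label: (host, port, expected_fingerprint)} -> {label: bool}."""
    return {label: matches_pin(fetch(host, port), expected)
            for label, (host, port, expected) in endpoints.items()}


if __name__ == "__main__":
    # Run once for the vCenter and once for NSX Manager (443 by default).
    if len(sys.argv) != 4:
        sys.exit("usage: HOST PORT EXPECTED_SHA256")
    ok = check_endpoints({"endpoint": (sys.argv[1], int(sys.argv[2]), sys.argv[3])})
    print("MATCH" if ok["endpoint"] else "MISMATCH: do not accept or import")
    sys.exit(0 if ok["endpoint"] else 1)
```

A mismatch means the certificate seen from this network path is not the one you recorded; resolve that before accepting or importing it in Deep Security Manager.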