Deploy agentless protection in a vCloud environment

Applies to on-premise Deep Security software installations only

VMware vCloud integration enables the primary tenant in a multi-tenant installation to add a vCenter to their Deep Security Manager, configure a connector, and to deploy and manage the Deep Security Virtual Appliance. The tenants can import vCloud Organizations as cloud accounts and apply agentless Deep Security protection to them.

When applying agentless protection to vCloud Organizations, only the anti-malware and integrity monitoring modules are supported and the vCloud Organizations must only be added to tenants (not the primary tenant). If you want to enable other protection modules, you will need to use agent-based protection instead (see Deploy agent-based protection in a vCloud environment).

In this article:

Enable agentless protection of vCloud VMs

  1. In the Deep Security Manager console, go to Administration > System Settings > Agents.
  2. Select the Allow Appliance protection of vCloud VMs checkbox.
  3. Click Save.

Create a multi-tenant environment

There are two main task required to create a multi-tenancy environment: you must enable multi-tenancy and then create tenants. For step-by-step instructions on how to perform these tasks, as well as requirements and recommendations for a multi-tenant environment, see Set up a multi-tenant environment.

Add a vCenter and deploy the Deep Security Virtual Appliance

The primary tenant must add a vCenter and deploy the Deep Security Virtual Appliance. For instructions, see Deploy the Deep Security Virtual Appliance with NSX Advanced or Enterprise.

Configure VMware vCloud resources for integration with Deep Security

To enable vCloud integration, you must assign a minimum set of rights to the user accounts tenants will use to import their vCloud "Cloud Accounts" and you must configure the vCenter database to assign unique UUIDs to new virtual machines.

Create a minimum rights role for vCloud account tenant users

The user accounts you create in vCloud director that the Deep Security tenants will use to add their cloud accounts to their Deep Security Manager require only the All Rights > General > Administrator View right.

  1. Log in to vCloud Director.
  2. In the System tab, click on Administration.
  3. In the navigation panel on the left, click on Roles.
  4. Click the "plus" sign to create a new Role (for example, "DS_User").
  5. Select the Administrator View right in the All Rights > General folder.
  6. Click OK.

You can now assign this role to the user accounts you will give to Deep Security rsers to import their vCloud resources into the Deep Security Manager.

When providing a Deep Security user with their credentials, you must include the IP address of the vCloud Organization and instruct them that when importing the vCloud resources into their Deep Security Manager, their username must include "@orgName". For example if the vCloud account's username is kevin and the vCloud Organization you've given the account access to is called CloudOrgOne, then the Deep Security user must enter kevin@CloudOrgOne as their username when importing the vCloud resources. (For a vCloud administrator view, use @system.)
You can configure Deep Security Manager to use a proxy server specifically for connecting to instances being protected in Cloud Accounts. The proxy setting can be found in Administration > System Settings > Proxies > Proxy Server Use > Deep Security Manager (Cloud Accounts).

Configure the vCenter database to assign unique UUIDs to new virtual machines

Deep Security requires that all protected virtual machines have unique UUIDs. Virtual machines created from a vApp template can be assigned duplicate UUIDs which can cause problems. However, you can configure your database to assign unique UUIDs to these VMs created from a template.

The following information is taken from a VMware Knowledge Base article, "BIOS UUIDs in vCloud Director are not unique when virtual machines are deployed from catalog templates (2002506).

To configure the database to assign unique UUIDs to new virtual machines that are created from a template, you must set the CONFIG table of the database, with the parameter backend.cloneBiosUuidOnVmCopy, to 0.

To set this parameter in Oracle Database, launch Oracle Database Enterprise Manager and run the following commands:

In this example, "VCLOUD" is the name of the data base you created for vCloud.

set feedback on echo on

set linesize 120

update "VCLOUD"."CONFIG" set VALUE = '0' where NAME='backend.cloneBiosUuidOnVmCopy';

commit;

select * from "VCLOUD"."CONFIG" where VALUE = '0' and NAME='backend.cloneBiosUuidOnVmCopy';

To set this parameter in Microsoft SQL Server, launch SQL Server Management Studio and run the following commands:

USE VCLOUD

GO

update config set value = '0' where name='backend.cloneBiosUuidOnVmCopy'

select * from dbo.config where value = 0 and name='backend.cloneBiosUuidOnVmCopy';

When the parameter has been set, restart all cells in vCloud Director.

This change does not affect previously existing virtual machines.

Enable the OVF Environment Transport for VMware Tools on your guest VMs

Enabling the OVF Environment Transport for VMware Tools on your guest VMs will expose the guestInfo.ovfEnv environment variable making it easier for Agents to uniquely identify their VMs to the Deep Security Manager. This will reduce the risk of VM misidentification.

  1. In vCloud Director, open the VM's Properties screen, go the Guest OS Customization tab and select the Enable guest customization checkbox. Click OK.
  2. In vCenter, select the same VM, open its Properties screen, go to the Options tab.
  3. Click vApp Options and select the Enabled radio button. OVF Settings will now be exposed.
  4. In OVF Settings, select the VMware Tools checkbox in the OVF Environment Transport area. Click OK.

If your VM is running, it must be restarted for the changes to take effect.

The data used by Deep Security are taken from the following properties: vmware.guestinfo.ovfenv.vcenterid and vmware.guestinfo.ovfenv.vcloud.computername.

Activate virtual appliance protection on virtual machines

The tenants can import vCloud Organizations as cloud accounts and apply agentless Deep Security protection to them.

Import computers from a VMware vCloud Organization Account

  1. In the Deep Security Manager, go to the Computers section, right-click Computers in the navigation panel and select Add vCloud Account to display the Add vCloud Account wizard.
  2. Enter a Name and Description of the resources you are adding. (These are only used for display purposes in the Deep Security Manager.)
  3. Enter the vCloud Address. (The hostname of the vCloud Director host machine.)
  4. Enter your User name and Password.
    Your User name must be in the form username@vcloudorganization.
  5. Click Next.
  6. Deep Security Manager will verify the connection to the cloud resources and display a summary of the import action. Click Finish.

The VMware vCloud resources now appear in the Deep Security Manager under their own branch under Computers in the navigation panel.

Import computers from a VMware vCloud Air Virtual data center

  1. In the Deep Security Manager, go to the Computers section, right-click Computers in the navigation panel and select Add vCloud Account to display the Add vCloud Account wizard.
  2. Enter a Name and Description of the VMware vCloud Air virtual data center you are adding. (These are only used for display purposes in the Deep Security Manager.)
  3. Enter the Address of the VMware vCloud Air virtual data center.
    To determine the address of the VMware vCloud Air virtual data center:
    1. Log in to your VMware vCloud Air portal.
    2. On the Dashboard tab, click on the data center you want to import into Deep Security. This will display the Virtual Data Center Details information page.
    3. In the Related Links section of the Virtual Data Center Details page, click on vCloud Director API URL. This will display the full URL of the vCloud Director API.
    4. Use the hostname only (not the full URL) as the Address of the VMware vCloud Air virtual data center that you are importing into Deep Security.
  4. Enter your User name and Password.
    Your User name must be in the form username@virtualdatacenterid.
  5. Click Next .
  6. Deep Security Manager will verify the connection to the virtual data center and display a summary of the import action. Click Finish.

The VMware vCloud Air data center now appears in the Deep Security Manager under its own branch under Computers in the navigation panel.

Activate virtual appliance protection on virtual machines

To activate virtual appliance protection, right-click on a virtual machine in the Computers list and click Actions > Activate.