How Do I Isolate A Group Of Virtual Machines; Vshield Manager Uptime; Communication Between Vshield Components; Hardening Your Vshield Virtual Machines - VMware VSHIELD APP 1.0 Quick Start Manual

How Do I Isolate a Group of Virtual Machines?

You can use vShield Edge with the Port Group Isolation feature or VLANs to isolate virtual machines from the
external network.
1 Install Port Group Isolation on each ESX host that a vDS spans.
2 Create a port group on the vDS.
3 Enable Port Group Isolation on the vDS.
4 Install a vShield Edge on the port group.
5 Move the virtual machines to the port group.
6 Configure vShield Edge NAT rules for traffic in and out of the port group.
N You can also use VLANs to isolate virtual machines protected by a vShield Edge. If you use
OTE
VLANs, the internal port group connected to a vShield Edge must have a VLAN tag that is different from
the external port group.

vShield Manager Uptime

The vShield Manager should be run on an ESX host that is not affected by downtime, such as frequent reboots
or maintenance mode operations. You can use HA or DRS to increase the resilience of the vShield Manager. If
the ESX host on which the vShield Manager resides is expected to require downtime, vMotion the vShield
Manager virtual appliance to another ESX host. Thus, more than one ESX host is recommended.

Communication Between vShield Components

The management interfaces of vShield components should be placed in a common network, such as the
vSphere management network. The vShield Manager requires connectivity to the vCenter Server, as well as
all vShield App and vShield Edge instances. vShield components can communicate over routed connections
as well as different LANs.
N The vShield Manager must be in the same vCenter Server environment as the vShield components to
OTE
be managed. You cannot use the vShield Manager across different vCenter Server environments.

Hardening Your vShield Virtual Machines

You can access the vShield Manager and other vShield components by using a web‐based user interface,
command line interface, and REST API. vShield includes default login credentials for each of these access
options. After installation of each vShield virtual machine, you should harden access by changing the default
login credentials.

vShield Manager User Interface

You access the vShield Manager user interface by opening a web browser window and navigating to the IP
address of the vShield Manager's management port. The default user account, admin, has global access to the
vShield Manager. After initial login, you should change the default password of the admin user account. See
"Change the Password of the vShield Manager User Interface Default Account" on page 20.

Command Line Interface

You can access the vShield Manager, vShield App, and vShield Edge virtual appliances by using a command
line interface via vSphere Client console session. Each virtual appliance uses the same default username
(admin) and password (default) combination as the vShield Manager user interface. Entering Enabled mode
also uses the password default.
For more on hardening the CLI, see the vShield Administration Guide.
VMware, Inc.
Chapter 2 Preparing for Installation
15