10 Click Install at the top of the form.
You can follow the vShield App installation steps from the Recent Tasks pane of the vSphere Client screen.
11 After installation of all components is complete, do the following:
vShield App: At this point, vShield App installation is complete. Go to the vShield App > App
Firewall tab at the datacenter, cluster, or port group container level to configure firewall rules. Each
vShield App inherits global firewall rules set in the vShield Manager. The default firewall rule set
allows all traffic to pass. You must configure blocking rules to explicitly block traffic. To configure
App Firewall rules, see the vShield Administration Guide.
Port Group Isolation: You must enable the Port Group Isolation feature on each vDS. After
enablement is complete, install a vShield Edge on each vDS port group. See "Prepare a vNetwork for
Port Group Isolation" on page 25.
vShield Endpoint: To complete installation, see "Installing vShield Endpoint" on page 27.
Prepare a vNetwork for Port Group Isolation
Port Group Isolation creates a barrier between the virtual machines protected by a vShield Edge and the
external network. When you enable Port Group Isolation and install a vShield Edge on a vDS port group, you
isolate each secured vDS port group from the external network. When Port Group Isolation is enabled, traffic
is not allowed access to the virtual machines in the secured port group unless NAT rules or VLAN tags are
configured.
NOTE   Port Group Isolation is an optional feature that is not required for vShield Edge operation. Port Group
Isolation is available for vDS‐based vShield Edge installations only.
To use Port Group Isolation, you must enable this feature on each vDS on which you will install a vShield Edge.
1 Enable Port Group Isolation on each vDS.
2 Install a vShield Edge on each vDS port group you plan to secure.
3 Move the virtual machines to secured vDS port groups.
After Port Group Isolation is installed on each ESX host, you must enable Port Group Isolation on each vDS
where you will install a vShield Edge. This allows the Port Group Isolation service to be used on any port
group in a vDS.
To enable Port Group Isolation on a vDS
1 Log in to the vSphere Client.
2 Go to View > Inventory > Networking.
3 Right‐click a vDS.
4 Select vShield > Enable Isolation.
A browser window opens to confirm that Port Group Isolation has been enabled.
After Port Group Isolation installation is complete, install a vShield Edge instance on each vDS port group.
Install a vShield Edge
Each vShield Edge virtual appliance has External and Internal network interfaces. The Internal interface
connects to the secured port group and acts as the gateway for all protected virtual machines in the port group.
The subnet assigned to the Internal interface can be RFC 1918 private space. The External interface of the
vShield Edge connects to an uplink port group that has access to a shared corporate network or a service that
provides access layer networking.
Each vShield Edge requires at least one IP address to number the External interface. Multiple external IP
addresses can be configured for Load Balancer, Site‐to‐Site VPN, and NAT services. The Internal interface can
have a private IP address block that overlaps with other vShield Edge secured port groups.
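The addressing rules above can be checked against a planned deployment before any vShield Edge is installed. The following script is an added example, not part of the VMware documentation or any vShield tool. The plan format, the names and the sample addresses are constructed, IPv4 is assumed, and treating a repeated External IP address as an error is an assumption based on the External interfaces sharing one uplink network.

```python
import ipaddress
from collections import defaultdict

# RFC 1918 private IPv4 ranges.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample plan (hypothetical Edge names, documentation addresses).
SAMPLE_PLAN = [
    {"name": "edge-a", "internal": "192.168.10.0/24",
     "external": ["203.0.113.5", "203.0.113.6"]},
    # Same Internal block as edge-a (permitted), but reuses an External IP.
    {"name": "edge-b", "internal": "192.168.10.0/24",
     "external": ["203.0.113.6"]},
    # No External IP, and an Internal block just outside 172.16.0.0/12.
    {"name": "edge-c", "internal": "172.32.0.0/24", "external": []},
]


def check_edge_plan(edges):
    """Return sorted (level, edge_name, message) findings for an address plan."""
    findings = []
    owners = defaultdict(list)  # External IP -> Edges that claim it
    for edge in edges:
        name = edge["name"]
        internal = ipaddress.ip_network(edge["internal"])
        externals = [ipaddress.ip_address(a) for a in edge["external"]]
        # Each vShield Edge requires at least one External IP address.
        if not externals:
            findings.append(("error", name, "no External IP address"))
        # RFC 1918 space is optional for the Internal interface, so only warn.
        if not any(internal.subnet_of(r) for r in RFC1918):
            findings.append(("warn", name,
                             f"Internal subnet {internal} is not RFC 1918 space"))
        for ip in externals:
            owners[ip].append(name)
    # Internal blocks may overlap between Edges, so they are never compared.
    # Assumption: External IPs share one uplink network and must be unique.
    for ip, names in owners.items():
        if len(names) > 1:
            for name in names:
                findings.append(("error", name,
                                 f"External IP {ip} is also assigned to another Edge"))
    return sorted(findings)


if __name__ == "__main__":
    for level, name, message in check_edge_plan(SAMPLE_PLAN):
        print(f"{level:5} {name}: {message}")
```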
VMware, Inc.
Chapter 4 Installing vShield Edge, vShield App, and vShield Endpoint
25