VMware Networking Community
kwg66
Hot Shot

NSX and VMware tools

We are about to upgrade our underlying vSphere infrastructure that is protected by NSX w/ DFW.

- We are moving from vCenter \ vSphere 5.5 u3a to 6.02; NSX is already at 6.2.4.

- We can't do this all in one window, it must be staggered.

- The order is vCenter first, then hosts, then VMtools in VMs, then VM vHardware.

- I want to be certain that after we upgrade vCenter and the hosts, we won't have any issues with out-of-date VMtools and NSX.

When I accessed the VMware Solution Compatibility matrix, I ran a query: NSX 6.2.4 against all VMtools versions, see screen shot below.

- I don't see any mention of OVT, and am still uncertain if we can use them or if we must stick to native VMtools on ESXi.

- I get an output of compatible versions that doesn't make sense to me; the standard VMtools that accompanies vSphere 6.02 is none of the below, it's 10.0.6:

Can someone shed light on this for me? It doesn't seem right to me at all since we have NSX 6.2.4 running now against 5.5 u3a with VMtools at "vmx-10".

So, I need someone to provide expertise:

1)  Can I use OVT tools with VMs protected by NSX DFW?

2)  Will I have any issues with NSX compatibility after upgrading VMtools to 10.0.6 after we upgrade to vSphere 6.02?

Here is a screen shot from the solution compatibility guide:

NSX and VMtools.JPG

0 Kudos

Accepted Solutions
larsonm
VMware Employee

"Running open VMware Tools on guest or workload virtual machines has not been validated with distributed firewall."

VMware NSX for vSphere 6.2 Documentation Center

The main issue with older versions of VMware Tools is the Guest Introspection Driver.  If you are using ID-based rules, or agentless AV, this is important.

Recommended VMware Tools version for Guest Introspection in VMware NSX for vSphere 6.x (2139740) | V...

You have the option of deploying VMware Tools 10.0.8 or later before upgrading the ESXi hosts. 

VMware Product Interoperability Matrixes

vSphere 6.0 U2 was released before VMware Tools 10.0.8, which is why 1.0.0.6 was bundled with ESXi.  A new version of tools was released to resolve some bugs.  You can download newer versions of VMware tools from the link shown below:

https://my.vmware.com/group/vmware/details?productId=491&downloadGroup=VMTOOLS1008

The primary purpose for VMware Tools is IP Discovery, but 6.2 offers ARP and DHCP snooping for IP Discovery.  It's always best to have VMware Tools in place...

VMware NSX for vSphere 6.2 Documentation Center

0 Kudos
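
Added example (not part of the posts above and not VMware tooling): a way to triage a VM inventory export against the "10.0.8 or later" floor from the accepted answer before staggering the upgrade. The integer encoding of `guest.toolsVersion`, the sentinel value for unmanaged open-vm-tools guests, the status labels and the inventory rows are assumptions made for illustration.

```python
from typing import NamedTuple, Optional

MIN_TOOLS = (10, 0, 8)     # "10.0.8 or later", from the accepted answer
UNMANAGED = 2147483647     # assumption: toolsVersion reported by open-vm-tools guests


class VM(NamedTuple):
    name: str
    tools_version: Optional[int]    # integer guest.toolsVersion from the vSphere API
    guest_introspection: bool       # identity-based rules or agentless AV applied


def decode(v: int) -> tuple:
    """Assumed encoding: major*1024 + minor*32 + patch, so 10248 -> (10, 0, 8)."""
    return (v >> 10, (v >> 5) & 31, v & 31)


def triage(vm: VM) -> str:
    if not vm.tools_version:                      # None or 0: Tools not installed
        return "no-tools"          # IP discovery then depends on ARP/DHCP snooping
    if vm.tools_version == UNMANAGED:
        return "open-vm-tools"     # not validated with DFW per the quoted 6.2 docs
    if decode(vm.tools_version) >= MIN_TOOLS:
        return "ok"
    # Old Tools matter most where the Guest Introspection driver is in use.
    return "upgrade-first" if vm.guest_introspection else "below-10.0.8"


# Constructed inventory rows, not data from the thread.
INVENTORY = [
    VM("win-app01", 9349, False),       # decodes to 9.4.5
    VM("win-vdi07", 10246, True),       # 10.0.6
    VM("win-db03", 10248, True),        # 10.0.8
    VM("lin-web02", UNMANAGED, False),
    VM("appliance9", None, False),
]


def report(inventory):
    return {vm.name: triage(vm) for vm in inventory}


if __name__ == "__main__":
    for name, status in report(INVENTORY).items():
        print(f"{name:12} {status}")
```

VMs reported as `open-vm-tools` or `no-tools` are the ones whose DFW rules are worth re-testing after each upgrade window.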
6 Replies
kwg66
Hot Shot

Thanks for the detailed reply!!

We are not using introspection services at this time, just DFW.

Many of our VMs have rules built on VM ID; we did run into some problems with Linux VMs which use open tools, and the rules were built on IP as a workaround.

We upgraded vShield to NSX 6.2.4 while at vSphere 5.5 U3 and everything is working as expected even though the tools are at the default vmx-10, much older per what's listed as compatible.  I have requested a quick test of some of the VM ID rules just to double check ports are properly being denied.

I'm going to assume NSX 6.2.4 DFW will continue to work with the outdated tools in place after we upgrade our hosts to v6.02.  I do see we can / should apply a newer version of the tools than the native available.  I do think based on the working nature of our current infrastructure that older tools seem to be working despite the solution compatibility screenshot.

Seems like the issue in the KB that pertains to guest introspection has led to the limited listing in the solution compatibility page, but has not affected our VM performance.

Please provide corrections if I'm mistaken in any way.

Thanks!

0 Kudos
kwg66
Hot Shot

Just wanted to add one more tidbit of info prior to assigning the points.

Not only are we running native tools from 5.5 u3a under the blanket of NSX 6.2.4, but many of those tools in that environment show up as outdated even to that environment.

Hence, Windows machines using native VMtools, even the outdated versions, are working correctly with DFW VM ID based rules.  This is without NSX controllers and gateway device offering up its various services; we are only using DFW upgraded from vShield.

We are NOT using VM ID rules for the Linux workloads with open tools (we do use open tools for Linux) in this environment, they wouldn't work.  So IP based rules are in place.

I think it will be up to us to validate, but I can't imagine updating vCenter and hosts to 6.02 will have a negative effect on the DFW rules and their enforcement given they work now as is.

We are testing this out shortly. 

0 Kudos
larsonm
VMware Employee

Just to be clear, ID-based rules, short for identity-based rules, leverage Active Directory group membership in the source/destination of a rule.

0 Kudos
kwg66
Hot Shot

Interesting... thanks for this added info.  

0 Kudos
bayupw
Leadership

Open VM Tools is now supported starting NSX 6.2.3

VMware NSX for vSphere 6.3.2 Release Notes

Starting in NSX 6.3.2, Open VM Tools is supported with Distributed Firewall

Bayu Wibowo | VCIX6-DCV/NV
Author of VMware NSX Cookbook http://bit.ly/NSXCookbook
https://github.com/bayupw/PowerNSX-Scripts
https://nz.linkedin.com/in/bayupw | twitter @bayupw
0 Kudos