Hi,
I am planning an upgrade of vShield/vCNS (5.5.4) to NSX (6.2.8, then 6.3.4). We use AV/endpoint protection only. We currently have TrendMicro DSM 9.6 deployed and DSVAs deployed to each ESXi host.
I am unclear on whether I have to deploy the Guest Introspection agent VMs after NSX Manager upgrade. Are these not the same as the DSVAs?
In testing, after I upgraded vCNS to NSX Manager, I see under Service Deployments that an upgrade is available for Guest Introspection. I tried upgrading a test ESXi cluster that already had DSVAs deployed and did see errors on the GI agentvms after deployment.
Thanks!
Lyle
You need to follow the steps below:
1. Upgrade VCNS to NSX
2. Prepare the ESXi host
3. If you have any Edges, upgrade the same (you must upgrade the Edge to NSX-compatible prior to the NSX 6.3.4 upgrade)
4. Upgrade EndPoint to Guest Introspection service.
5. If your partner solution, in this case DSVA, supports the upgraded NSX/ESXi/VC versions, there is no need for any upgrade. Otherwise you need to upgrade the partner solution as well. Do check the partner solution guide for the detailed procedure. Also do check the VMware HCL: VMware Compatibility Guide - Networking and Security
6. VMware Tools must be installed on the guest virtual machines, as this includes the Guest Introspection driver.
I have the same question, but we are running McAfee MOVE Agentless.
We are planning to upgrade vCNS to NSX Manager.
The question which I have is: how do I know if the Security Virtual Appliance (SVA) is compatible with NSX Manager?
After we upgrade the Guest Introspection services appliance, the upgrade guide is requesting to check with the vendor.
This is one way of checking from the VMware HCL site. Select the partner name, ESXi version, API integration and solution along with the NSX version. Other than this, we will have to check with the vendor to know the supported version.
Also do check the VMware HCL.
Thank you so much Sreec
Thanks so much for the info Sreec! This upgrade is for AV/Endpoint only; no other networking services are currently provided by the installed vCNS (i.e. Edge).
For step 2, Prepare the ESXi host... what is this doing exactly. This is done from NSX manager?
For step 4, this will upgrade epsec-mux VIB to some other VIB as well as deploy VMware's Guest Introspection service VM on each host?
I appreciate you sharing the feedback.
For step 2, Prepare the ESXi host... what is this doing exactly. This is done from NSX manager?
This task is done from the NSX plugin, which is populated in the vCenter Server Web Client after NSX+VC registration. When you prepare the host, based on the respective ESXi version, the VIBs below get pushed via EAM.
For step 4, this will upgrade epsec-mux VIB to some other VIB as well as deploy VMware's Guest Introspection service VM on each host?
epsec-mux will also be upgraded, as per my understanding; you can search for it with esxcli software vib get --vibname epsec-mux
Note: VMs will not be protected during the upgrade process.
I don't believe Step 2 is necessary for those only doing end-point protection.
I can confirm that after upgrading Guest Introspection, epsec-mux 6.5.0esx60-4885300 VIB was deployed to the ESXi host.
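Added example, not part of any post in this thread: a small check that the epsec-mux VIB is present at the expected version on every host after the Guest Introspection upgrade, since VMs are unprotected while the upgrade runs. It parses `esxcli software vib list` output; the host names and all sample output except the epsec-mux version quoted above are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): verify the epsec-mux VIB per host after
# the Guest Introspection upgrade, using `esxcli software vib list` output.

# Version reported in the thread after the upgrade; change it for your build.
EXPECTED="6.5.0esx60-4885300"

# check_vib NAME WANT: reads one host's `vib list` output on stdin and prints
# OK, MISSING, or "MISMATCH <installed version>".
check_vib() {
    awk -v name="$1" -v want="$2" '
        $1 == name { found = $2 }
        END {
            if (found == "")        print "MISSING"
            else if (found == want) print "OK"
            else                    print "MISMATCH " found
        }'
}

# Constructed sample output for three hypothetical hosts. Only the epsec-mux
# version on esx01 comes from the thread; every other value is made up.
sample() {
    case "$1" in
    esx01) printf '%s\n' \
        'Name       Version             Vendor  Acceptance Level  Install Date' \
        '---------  ------------------  ------  ----------------  ------------' \
        'epsec-mux  6.5.0esx60-4885300  VMware  VMwareCertified   2000-01-01' ;;
    esx02) printf '%s\n' \
        'Name       Version             Vendor  Acceptance Level  Install Date' \
        'epsec-mux  0.0.0-constructed   VMware  VMwareCertified   2000-01-01' ;;
    esx03) printf '%s\n' \
        'Name       Version             Vendor  Acceptance Level  Install Date' \
        'esx-base   0.0.0-constructed   VMware  VMwareCertified   2000-01-01' ;;
    esac
}

# audit HOST...: prints one result line per host, returns 1 if any is not OK.
audit() {
    rc=0
    for h in "$@"; do
        r=$(sample "$h" | check_vib epsec-mux "$EXPECTED")
        echo "$h: $r"
        [ "$r" = "OK" ] || rc=1
    done
    return $rc
}

audit esx01 esx02 esx03 || echo "hosts above need attention before relying on AV offload"
```

To run it against real hosts, replace `sample "$h"` with the saved or remotely collected output of `esxcli software vib list` for that host.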
That is correct - if you look at the last screenshot for VIBs, it clearly shows the purpose of the VIB. During the initial discussion I was under the impression you are leveraging other NSX services (hence host preparation was mentioned). If you are using NSX for managing Guest Introspection for anti-virus offload capability only, we do not need to prepare the hosts.