I want to install vShield in my environment. I have 7 ESX4.0 servers and a VC standard. I have configured DV switch on it.
Now if I want to install vShield in my environment, do I need to install it on all of the ESX servers separately?
As in the vShield documentation it is mentioned that we need to install it manually, by creating a second vNDS. If I have more than one ESX server, do I need to install vShields on all the ESX hosts, or only on one ESX host and add the VMs from the other ESX host to the protected port group?
Any help is highly appreciated.
You'll have just a single vShield Manager appliance, but each host that you protect will require a running vShield Agent appliance to be configured.
VMware Communities User Moderator
Thank you for replying so fast.
Alright, so I need to configure the vShield agent on each of the ESX hosts. How do I go about this in the DV switch? Do I need to add all the vShields that are installed on my ESX hosts?
My scenario is, I have 7 ESX hosts and a VC with vNDS. If I have to create vShield zones in my environment, how do I go about it?
Do I have to install the vShield agent on all the ESX hosts? If yes, do I also have to create more dv switches? Please help.
Do I have to install the vShield agent on all the ESX hosts? If yes, do I also have to create more dv switches?
You need several dvswitches: one for the network that is unprotected and one for the network that is protected. So in effect it looks like this:
unprotected <-> vShield 1.0 Agent(s) <-> protected
Even though you have dVS in use, you need to install the agent 'Appliance' on each host and configure it to sit between each dVS for each host. Remember, while dVS is global it is also related to each host....
You manage vShield Zones Appliances outside of dVS and you need one per host.
I believe last year's VMworld (2009) Lab was about just this. I did this Lab, so you may be able to find this on the VMworld 2009 forum somewhere, but alas I do not know....
But yes 1 Agent Appliance per host. Each agent is on a host and links the unprotected/protected dVS to each other at the HOST level.
Edward L. Haletky VMware Communities User Moderator, VMware vExpert 2009, 2010
For the latest version of vShield Zones/vShield App this bridge based concept of protected and unprotected is no longer true. The latest version gets installed at the hypervisor level, so the protection is now on a per ESX basis (vs per vSwitch). You still need one vShield (Zones/App) per ESX host but once installed you provide protection to all VMs on the host, no need to specify a vSwitch. It's a vNic level firewall so it's like having a firewall on each NIC of every VM.