The purpose of this section is to provide a migration path for those VDI VMs from Agent-less to Agent without protection lost.

Configuration matrix before and after migration:

Migration procedure:

1. Before migration
   1. The Guest VM activation and security policy assigned by "Computer Created(by System)" or "Computer Powered On (by System)" EBT:

      

   2. The Security feature configured to "Appliance preferred" under Security Policy > Protection Source when in Combined Mode:

      

   3. The NSX security policy binding to Default (EBT):

      

      

   4. Ensure Guest VM is activated and security policy is successfully assigned under the DSVA protection.

      

2. Install DSA to VM template.
   1. Download and install the DSA package.

      

   2. Keep the DSA service running but not activated.

      

   3. Power off template and create new snapshot.

      

   4. Recompose the VDI pool with new snapshot.

      

3. Active Guest VM with Combined Mode
   1. The new VDI VMs are re-deployed but still under the DSVA protection after recomposing the new snapshot.

      

      

   2. Manually reactivate VDI VMs.

      

   3. VDI VMs are reactivated successfully with Combined mode.

      

      

4. Configure security policy to "Agent preferred".
   1. Configure the security feature from "Appliance preferred" to " Agent preferred".

      

   2. Check if the security module is installed on the Agent site.

      

   3. Check Agent status on VDI VM.

      

5. Remove Agent-less protection per vCenter Cluster base.
   1. Remove DSVA and GI from NSX > Installation and Upgrade Menu > Service Deployment.

      

      

   2. Remove Security Policies and Security Group from NSX > Security > Service Composer. Below are the prerequisites:
      • All Guest VMs should be Agent protection ready.
      • DSVA and GI should be deleted for all vCenter Cluster.

      

      

   3. Remove NSX binding from DSM > Computers > vCenter connector.

      

6. Check all VDI VMs migration to Agent-based protection.

   

The purpose of this section is to keep the Computer tree management behavior the same as op-premise DSM with vCenter connector after migration to Agent-based solution on Cloud One - Workload Security.

Configuration matrix before and after migration:

1. Before migration
   1. The vCenter connector with NSX-T binding and enabled Policy Synchronization from on-premise DSM to NSX-T:

      

   2. Follow the DS 20.0 OLH document on "Deploy the appliance (NSX-T 3.x) ". 
      1. Create a group for protection.
      2. Configure east-west security.
      3. Configure Endpoint Protection.
   3. All Guest VMs will be activated automatically after DSVA deployment.

      

2. Prepare Data Center Gateway and create vCenter connector on Cloud one - Workload Security.
   1. Follow the instructions on how to install and configure a data center gateway.

      

   2. Refer to the download links for the data center gateway software.
   3. Add vCenter connector to Cloud One - Workload Security.

      

3. Install DSA to VM template and use the deployment script to activate DSA.
   1. Download and install the DSA package.

      

   2. Keep the DSA service running but not activated.

      

   3. Configure the deployment script (Platform, Security Policy,Relay group...). Save to file and put the script into VM template.

      

   4. Power off template and create new snapshot.

      

   5. Leverage the VDI Guest Customization > ClonePrep (for Instant Clone type VM) or QuickPrep (for Linked-Clone type VM) to execute.

      

   6. Recompose the VDI pool with new snapshot.

      

4. After recomposing the VDI VM
   1. Check the VDI VM if the DSA was successfully activated, and report to Cloud One - Workload Security.

      

   2. Check the VDI VM that is still under the Agent-less protection, and report to on-premise DSM.

      

5. Remove Agent-less solution from on-premise DSM.
   1. Follow the Deep Security 20.0 document to on Uninstalling Deep Security from your NSX environment.

The purpose of this section is provide simple and quick way to migration to Cloud One - Workload Security with Agent-based protection.

Configuration matrix before and after migration:

1. Before migration
   1. The vCenter connector should have NSX-T binding and the Policy Synchronization should beenabled from on-premise DSM to NSX-T.

      

   2. Follow the Deep Security 20.0 document on Deploying the appliance (NSX-T 3.x).
      • Create a group for protection.
      • Configure east-west security.
      • Configure Endpoint Protection.
   3. All Guest VMs will be activated automatically after the DSVA deployment success.

      

2. Install DSA to VM template and activate DSA using the deployment script.
   1. Download and install the DSA package.

      

   2. Keep the DSA service running but not activated.

      

   3. Configure the deployment script (Platform, Security Policy, Relay group...). Save to file and put the script into VM template.

      

   4. Power off template and create new snapshot.

      

   5. Leverage the VDI Guest Customization > ClonePrep (for Instant Clone type VM) or QuickPrep (for Linked-Clone type VM) to execute the deployment.

      

   6. Recompose the VDI pool with new snapshot.

      

3. Recompose the VDI pool with new snapshot
   1. Check the VDI VM if the DSA was successfully activated, and report to Cloud One - Workload Security.

      

   2. Check the VDI VM that still under the Agent-less protection and report to on-premise DSM.

      

4. Remove Agent-less solution from on-premise DSM.
   1. Follow the Deep Security 20.0 document to on Uninstalling Deep Security from your NSX environment.