The purpose of this section is to provide a migration path for VDI VMs from Agent-less to Agent-based protection without losing protection.

Configuration matrix before and after migration:

| Configuration item | Before migration | After migration |
|---|---|---|
| NSX binding (NSX-V version 6.4.13) | Yes | No |
| Config NSX security group | Required | No |
| Config NSX security Policy assignment | Binding with default Default (EBT) | No |
| Guest VM type | VDI (Instant Clone or Linked Clone) | VDI (Instant Clone or Linked Clone) |
| Guest VM activation method | Event-Based Tasks | Event-Based Tasks |
| Guest VM security Policy assignment | Event-Based Tasks | Event-Based Tasks |
| Guest VM template with VMware tool and vShield Endpoint Thin Agent - NSX File introspection (vsepflt.sys) driver installed | Required | No |
| Guest VM template with DS Agent pre-installed but not activated | No | Required |
| Support communication Direction | Bidirectional | Bidirectional or Agent/Appliance Initiated |

Migration procedure:

  1. Before migration
    1. Guest VM activation and security policy assignment are performed by the "Computer Created (by System)" or "Computer Powered On (by System)" Event-Based Task (EBT).
    2. The security feature is configured as "Appliance preferred" under Security Policy > Protection Source when in Combined Mode.
    3. The NSX security policy is bound to Default (EBT).
    4. Ensure the Guest VM is activated and the security policy is successfully assigned under DSVA protection.

  2. Install DSA on the VM template.
    1. Download and install the DSA package.
    2. Keep the DSA service running but not activated.
    3. Power off the template and create a new snapshot.
    4. Recompose the VDI pool with the new snapshot.

  3. Activate Guest VM with Combined Mode
    1. After recomposing with the new snapshot, the new VDI VMs are redeployed but are still under DSVA protection.
    2. Manually reactivate VDI VMs.
    3. VDI VMs are reactivated successfully in Combined Mode.

  4. Configure security policy to "Agent preferred".
    1. Change the security feature from "Appliance preferred" to "Agent preferred".
    2. Check if the security module is installed on the Agent side.
    3. Check Agent status on VDI VM.

  5. Remove Agent-less protection on a per vCenter Cluster basis.
    1. Remove DSVA and GI from NSX > Installation and Upgrade Menu > Service Deployment.
    2. Remove Security Policies and Security Group from NSX > Security > Service Composer. Below are the prerequisites:
      • All Guest VMs should be Agent protection ready.
      • DSVA and GI should be deleted for all vCenter Clusters.
    3. Remove NSX binding from DSM > Computers > vCenter connector.

  6. Check that all VDI VMs have migrated to Agent-based protection.

The purpose of this section is to keep the Computer tree management behavior the same as on-premise DSM with vCenter connector after migration to the Agent-based solution on Cloud One - Workload Security.

Configuration matrix before and after migration:

| Configuration item | Before migration | After migration |
|---|---|---|
| DSM server type | On-premise | Cloud One - Workload Security |
| Protection mode | Agent-less (DSVA Appliance) | Agent (DSA) |
| vCenter connector | Yes | Yes |
| Data Center Gateway (DCGW) | No | Required |
| NSX binding (NSX-T version 3.2.0.1) | Yes | No |
| Config NSX security group | Required | No |
| Config NSX security Policy assignment | Synchronize Deep Security Policies with NSX Service Profiles | No |
| Guest VM type | VDI (Instant Clone or Linked Clone) | VDI (Instant Clone or Linked Clone) |
| Guest VM activation method | Policy synchronization | Deployment script |
| Guest VM security Policy assignment | Policy synchronization | Deployment script |
| Guest VM template with VMware tool and vShield Endpoint Thin Agent - NSX File introspection (vsepflt.sys) driver installed | Required | No |
| Guest VM template with DS Agent pre-installed but not activated | No | Required |
| Support communication Direction | Bidirectional | Agent/Appliance Initiated |

  1. Before migration
    1. The vCenter connector has NSX-T binding, with Policy Synchronization enabled from on-premise DSM to NSX-T.
    2. Follow the DS 20.0 OLH document on "Deploy the appliance (NSX-T 3.x)".
      1. Create a group for protection.
      2. Configure east-west security.
      3. Configure Endpoint Protection.
    3. All Guest VMs will be activated automatically after DSVA deployment.

  2. Prepare the Data Center Gateway and create the vCenter connector on Cloud One - Workload Security.
    1. Follow the instructions on how to install and configure a data center gateway.
    2. Refer to the download links for the data center gateway software.
    3. Add the vCenter connector to Cloud One - Workload Security.

  3. Install DSA on the VM template and use the deployment script to activate DSA.
    1. Download and install the DSA package.
    2. Keep the DSA service running but not activated.
    3. Configure the deployment script (Platform, Security Policy, Relay group...). Save it to a file and put the script into the VM template.
    4. Power off the template and create a new snapshot.
    5. Leverage the VDI Guest Customization > ClonePrep (for Instant Clone type VM) or QuickPrep (for Linked-Clone type VM) to execute the deployment script.
    6. Recompose the VDI pool with the new snapshot.

  4. After recomposing the VDI VM
    1. Check whether the DSA on the VDI VM was successfully activated and is reporting to Cloud One - Workload Security.
    2. Check the VDI VMs that are still under Agent-less protection and reporting to on-premise DSM.

  5. Remove the Agent-less solution from on-premise DSM.
    1. Follow the Deep Security 20.0 document on uninstalling Deep Security from your NSX environment.

The purpose of this section is to provide a simple and quick way to migrate to Cloud One - Workload Security with Agent-based protection.

Configuration matrix before and after migration:

| Configuration item | Before migration | After migration |
|---|---|---|
| DSM server type | On-premise | Cloud One - Workload Security |
| Protection mode | Agent-less (DSVA Appliance) | Agent (DSA) |
| vCenter connector | Yes | No |
| NSX binding (NSX-T version 3.2.0.1) | Yes | No |
| Config NSX security group | Required | No |
| Config NSX security Policy assignment | Synchronize Deep Security Policies with NSX Service Profiles | No |
| Guest VM type | VDI (Instant Clone or Linked Clone) | VDI (Instant Clone or Linked Clone) |
| Guest VM activation method | Policy synchronization | Deployment script |
| Guest VM security Policy assignment | Policy synchronization | Deployment script |
| Guest VM template with VMware tool and vShield Endpoint Thin Agent - NSX File introspection (vsepflt.sys) driver installed | Required | No |
| Guest VM template with DS Agent pre-installed but not activated | No | Required |
| Support communication Direction | Bidirectional | Agent/Appliance Initiated |

  1. Before migration
    1. The vCenter connector should have NSX-T binding, and Policy Synchronization should be enabled from on-premise DSM to NSX-T.
    2. Follow the Deep Security 20.0 document on Deploying the appliance (NSX-T 3.x).
      • Create a group for protection.
      • Configure east-west security.
      • Configure Endpoint Protection.
    3. All Guest VMs will be activated automatically after the DSVA deployment succeeds.

  2. Install DSA on the VM template and activate DSA using the deployment script.
    1. Download and install the DSA package.
    2. Keep the DSA service running but not activated.
    3. Configure the deployment script (Platform, Security Policy, Relay group...). Save it to a file and put the script into the VM template.
    4. Power off the template and create a new snapshot.
    5. Leverage the VDI Guest Customization > ClonePrep (for Instant Clone type VM) or QuickPrep (for Linked-Clone type VM) to execute the deployment.
    6. Recompose the VDI pool with the new snapshot.

  3. Recompose the VDI pool with the new snapshot
    1. Check whether the DSA on the VDI VM was successfully activated and is reporting to Cloud One - Workload Security.
    2. Check the VDI VMs that are still under Agent-less protection and reporting to on-premise DSM.

  4. Remove the Agent-less solution from on-premise DSM.
    1. Follow the Deep Security 20.0 document on uninstalling Deep Security from your NSX environment.
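
As an added illustration of the deployment-script steps in both Cloud One - Workload Security procedures above (not part of the original article and not the script the console generates), this PowerShell script is what a ClonePrep or QuickPrep post-customization run could execute on a clone whose template has DSA installed, running and not activated. The activation URL, tenant ID, token, policy ID and relay group ID are placeholders to be taken from the generated deployment script, the log path is hypothetical, and a non-zero exit code from `dsa_control` on failure is assumed.

```powershell
# Added example. Values in <angle brackets> are placeholders; replace them with
# the ones from the deployment script generated in the Workload Security console.
# This file embeds an activation token: inside the template, keep its ACL
# limited to SYSTEM and Administrators.
$ErrorActionPreference = 'Stop'

$ActivationUrl = 'dsm://<activation-host>:443/'   # placeholder
$TenantId      = '<TENANT-ID>'                    # placeholder
$Token         = '<ACTIVATION-TOKEN>'             # placeholder
$PolicyId      = '<POLICY-ID>'                    # placeholder
$RelayGroupId  = ''                               # optional; empty means omit

$DsaControl = Join-Path $Env:ProgramFiles 'Trend Micro\Deep Security Agent\dsa_control.cmd'
$LogFile    = Join-Path $Env:ProgramData 'dsa-clone-activation.log'   # hypothetical path

Start-Transcript -Path $LogFile -Append | Out-Null
try {
    if (-not (Test-Path -LiteralPath $DsaControl)) {
        throw "DSA is not installed in this template: $DsaControl not found"
    }

    # The template keeps the agent service running but not activated; wait for
    # the service to come up on the freshly customized clone before using it.
    (Get-Service -Name 'ds_agent').WaitForStatus('Running', [TimeSpan]::FromMinutes(3))

    # Reset first so the clone does not carry agent state from the snapshot.
    & $DsaControl -r
    if ($LASTEXITCODE -ne 0) { throw "dsa_control -r failed with exit code $LASTEXITCODE" }

    # Agent-initiated activation; the policy (and relay group) is assigned here.
    $activationArgs = @('-a', $ActivationUrl, "tenantID:$TenantId",
                        "token:$Token", "policyid:$PolicyId")
    if ($RelayGroupId) { $activationArgs += "relaygroupid:$RelayGroupId" }
    & $DsaControl @activationArgs
    if ($LASTEXITCODE -ne 0) { throw "dsa_control -a failed with exit code $LASTEXITCODE" }

    Write-Output "DSA activation requested at $(Get-Date -Format o)"
}
finally {
    Stop-Transcript | Out-Null
}
```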