Sign In with your
Trend Micro Account
Need Help?
Need More Help?

Create a technical support case if you need further support.

Pinning a Deep Security Virtual Appliance (DSVA) to an ESX host

    • Updated:
    • 26 Jan 2016
    • Product/Version:
    • Deep Security 8.0
    • Deep Security 9.0
    • Deep Security 9.5
    • Deep Security 9.6
    • Platform:
    • VMware ESX 4.1
    • VMware ESX 5.0
    • VMware vSphere 5.1
    • VMware vSphere 5.5
Summary

The DSVA is a security virtual machine (VM) that provides protection modules to guest VMs on a particular ESX host.

On a VMware environment that makes use of Distributed Resource Scheduler (DRS) and High Availability (HA), it is important to prevent DSVA from getting vMotioned to another ESX host.

Details
Public

To pin a DSVA to an ESX host:

Option A: DSVA in local datastore

Install DSVA on local datastore to prevent vMotioning to other ESX hosts.

VMs, including DSVA, situated on a local datastore cannot be vMotioned. They are not affected by the DRS and HA settings of the cluster.

Option B: DSVA installed on shared storage (SAN/NAS)

Like any other VM, DSVA is subjected to migration on an HA and DRS-enabled cluster. To prevent DSVA from being vMotioned to another ESX host:

  1. On a DRS-enabled cluster, set the DRS settings of the DSVA to Disabled.
    vCenter does not migrate nor provide migration recommendation to a VM whose DRS configuration is disabled.

    To disable DRS on a particular VM:

    1. Right-click the cluster and then click Edit Settings.
    2. Under vSphereDRS, click Virtual Machine Options.
    3. Locate the particular VM and then select Disabled from the Automation Level dropdown.
    4. Click OK.
  2. On HA-enabled cluster with or without DRS enabled, create a VM-to-Host affinity rule.

    When an ESX host fails, shuts down, or is placed in maintenance mode, HA allows a VM to be migrated and restarted in a different ESX host. This can cause the DSVA or any VM to be migrated to other ESX hosts even when the DRS configuration is disabled.

    To create a VM-to-Host affinity rule:

    1. Right-click the cluster and then click Edit Settings.
    2. Under vSphereDRS, click DRS Group Manager.
    3. Under Virtual Machines DRS Groups, click Add.
    4. In the Name box, type a name for the VM group (example: DSVA1).
      Note: We will only include one VM (DSVA) as member of the VM DRS group.
    5. Select the DSVA VM, then click the right arrow button to move the machine to the Virtual Machines in this DRS group.
    6. Click OK.
    7. Under Host DRS group, click Add.
    8. In the Name box, provide a name for the ESX host group (example: ESX1).
    9. Select the ESX then click the right arrow button to move it to the Hosts in this DRS group.
    10. Click OK.
    11. Under vSphere DRS, click Rules > Add.
    12. Provide a rule name (example: DSVA1-ESX1 or DSVA1 to ESX1).
    13. In the Type dropdown, select Virtual Machine to Hosts.
    14. Under DRS Groups, go to the Cluster VM Group dropdown then select the DSVA VM (example: DSVA1).
    15. Under Cluster VM Group, select Must run on hosts in group.
    16. Under Cluster Host Group, select the ESX to be protected by the DSVA in the DSVA group.
    17. Click OK to save.
    18. Click OK to close the window.
     
    DRS, VMware HA, and VMware DPM will not perform an action that will violate an affinity or anti-affinity rule.
Premium
Internal
Rating:
Category:
Troubleshoot; Install; Migrate
Solution Id:
1096255
Feedback
Did this article help you?

Thank you for your feedback!

To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.

If you need additional help, you may try to contact the support team. Contact Support


To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.


Need More Help?

Create a technical support case if you need further support.