Preparing the VMware virtual infrastructure

Prior to installing the application in a VMware infrastructure, you must perform the following actions:

• Combine VMware ESXi hypervisors into one or several VMware clusters.
• Configure the Agent VM Settings in the properties of each hypervisor: select a network and storage for service virtual machines and SVMs. For details on configuring Agent VM Settings, please refer to the VMware product documentation.
• Deploy the Guest Introspection service on each VMware cluster on which SVMs with the File Threat Protection component will be deployed.
• On each VMware cluster on which SVMs with the Network Threat Protection component will be deployed, prepare hypervisors for network protection deployment. To do so, you must install VMware NSX components on hypervisors. Installation is performed in the VMware vSphere Web Client console in the Networking & Security → Installation and Upgrade section on the Host Preparation tab. To install VMware NSX components to hypervisors, you must select Actions → Install for the VMware cluster. Refer to the Knowledge Base for more details.
• Install the Guest Introspection driver (NSX File Introspection Driver) on each virtual machine that you want to protect using Kaspersky Security.

  To do so, you must install VMware Tools kit version 11.0.1. on virtual machines running a Windows operating system. When installing the VMware Tools package, you need to install the NSX File Introspection Driver component that is included in the package. The NSX File Introspection Driver component is not installed by default.

  Special packages are provided for installation of the NSX File Introspection Driver component on virtual machines running a Linux operating system. For more details please refer to documentation attached to VMware products.

• If you want to install the Network Threat Protection component, make sure that a license for NSX for vSphere Advanced or NSX for vSphere Enterprise is being used for VMware NSX for vSphere.

Deploying the Guest Introspection service

For proper functioning of Kaspersky Security, you must deploy the Guest Introspection service on each VMware cluster on which SVMs with the File Threat Protection component will be deployed.

After deploying the Guest Introspection service on a VMware cluster, the Guest Introspection service virtual machines are deployed on each hypervisor that is part of the cluster.

Deployment of the Guest Introspection service is performed in the VMware vSphere Web Client console.

To deploy the Guest Introspection service:

1. In the VMware vSphere Web Client console, start the Deployment Wizard for network services and protection services for virtual machines (the Networking & Security → Installation and Upgrade section on the Service Deployments tab).
2. Use the Wizard to specify the following settings for deploying the Guest Introspection service:
   1. Select the Guest Introspection service in the table.
   2. Select one or several VMware clusters on which you want to install the File Threat Protection component.
   3. If required, change the default settings for all Guest Introspection service virtual machines that will be deployed on hypervisors within the selected VMware cluster:
      • Network that will be used by the service virtual machines.
      • Storage for deployment of service virtual machines.
      • Method of assigning IP addresses. By default, service virtual machines receive network settings via the DHCP protocol. You can configure a static pool of IP addresses that will be used for assigning IP addresses to service virtual machines.
3. Finish the Wizard and wait for deployment of the Guest Introspection service to complete.

   A Guest Introspection service virtual machine will be deployed on each hypervisor within the VMware cluster that you selected.

For more details about deploying the Guest Introspection service, please refer to the Knowledge Base.

Viewing information about the license for NSX for vSphere

To utilize Network Threat Protection component functionality, you must have a current license for NSX for vSphere Advanced or NSX for vSphere Enterprise.

When using a standard NSX for vSphere license, the Network Service Insertion (Third Party Integration) function that is required for enabling protection against network threats on VMware ESXi hypervisors is unavailable.

You can view information about the utilized licenses in the VMware vSphere Web Client console in the Administration → Licenses section on the Products tab (for more details, please refer to the Knowledge Base).

For more details on working with NSX for vSphere licenses, please refer to the VMware product documentation.