Deep Security vCD Integration

Overview of integration options

Deep Security can be configured to protect workloads that are hosted in vCloud Director. In addition, these workloads can be presented to clients in a portal that shows only their own hosted environments or workloads, enabling them to set up specific security policies for their private environments within the hosted environment.

The Deep Security Portal can be set up in a full Multi-Tenant configuration, enabling Service Providers to on-sell Deep Security as Security as a Service.

The vCloud Director integration can be done natively in the DSM portal and/or in the Multi-Tenant view, enabling clients to configure their own vDCs and present them in the DSM portal.

Configuring Deep Security to connect to vCloud Director

Deep Security can be configured to protect vCloud Director workloads. vCD workloads are presented in Deep Security in the following hierarchy:

  • vCloud Director Instance
  • Virtual Datacenter
  • vApp
  • Virtual Machine (the endpoint that can be protected)

This enables the administrator to select Virtual Machines belonging to certain vDCs/vApps to be protected. Multiple vCD instances can be presented, but always ensure the following rules are applied:

  • Ensure all vCenters that vCD uses for resources are already configured in the Administrative side of the portal.
  • Present vCD instances at the vCD System object. This will allow all workloads to be discovered in vCD.

The following vCloud Director settings must be configured correctly:

  • vCD public URL
  • vCD public REST API base URL

These settings are located as follows in the System:

  • System -> Administration -> Public Addresses

Adding vCloud Director Instances

Consider the following settings when adding the vCloud Director Instance:

  • Ensure the name is descriptive. There might be multiple instances of vCloud systems configured.
  • Enter the address of the vCloud Director instance as follows:
    • vcloud.mycompany.com
    • This should be the same as what you will find in the vCloud Director setting:

System Settings -> Public Addresses -> VCD Public URL

  • It is not necessary to add “http” or “https” in front of the address.
  • It is not necessary to add the organisation name at the end of the URL.
  • The user name is in the format: username@organisation name.
    • Example: admin@clientx
    • Admin is the user name defined in the Clientx organisation
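
A pre-flight check for the values described above, as an added example that is not part of the original post or of Deep Security: it flags an address that carries a scheme or an organisation path, an address whose host differs from the VCD Public URL, and a user name that is not in username@organisation form. The function names are hypothetical, and the check assumes the VCD Public URL is pasted exactly as vCloud Director shows it.

```python
from urllib.parse import urlsplit


def _split(value):
    # urlsplit only recognises the host when a scheme or "//" is present
    value = value.strip()
    return urlsplit(value if "//" in value else "//" + value)


def normalize_address(value):
    """Reduce a pasted vCD URL to the bare host name (hypothetical helper)."""
    return (_split(value).hostname or "").lower()


def check_connector(address, username, vcd_public_url):
    """Return a list of problems with the values about to be entered."""
    problems = []
    host = normalize_address(address)
    if not host:
        problems.append("address has no host name")
    if "://" in address:
        problems.append("address includes a scheme; enter the host only")
    if _split(address).path.strip("/"):
        problems.append("address has a trailing path such as an organisation name")
    if host != normalize_address(vcd_public_url):
        problems.append("address does not match the VCD Public URL host")
    # The page's format is username@organisation, e.g. admin@clientx
    user, sep, org = username.strip().partition("@")
    if not (sep and user and org) or "@" in org:
        problems.append("user name must be username@organisation")
    return problems


if __name__ == "__main__":
    # Constructed sample values based on the page's own examples
    print(check_connector("vcloud.mycompany.com", "admin@clientx",
                          "https://vcloud.mycompany.com"))
    print(check_connector("https://vcloud.mycompany.com/cloud/org/clientx",
                          "admin", "https://vcloud.mycompany.com"))
```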

General Considerations

  • It is possible to have a Virtual Machine listed in vCloud Director and the same Virtual Machine listed in Active Directory if the OS of the Virtual Machine is part of the same Windows Domain. Ensure that either the in-guest Agent is activated or Agentless protection via VMware is used. Do not use both methods to enable protection for a Virtual Machine. (Activation will fail with an error to deactivate the agent first.)
  • When adding more than one vCloud Director instance, ensure that the corresponding Provider Virtual Datacenter resources have been added to the DSM. These include the following:
    • All vCenter instances that are used for Provider Virtual Datacenters
    • All vShield Manager instances that are used for Provider Virtual Datacenters
    • Public Catalog Virtual Machines must have the vShield Driver installed as part of the Template configuration before adding the vApp/VM to the Catalog. This will ensure that when a Virtual Machine is deployed the vShield Driver is already enabled and thus the vApp/VM can be used for Agentless protection.
