In a VMware infrastructure, one application that can add a large footprint to the environment is the antivirus solution. Since many of the operating system files in a VMware environment, particularly VMware Horizon View, are redundant, one of the best ways to reduce the impact of an antivirus solution is to use VMware vShield Endpoint to offload virus scanning to a centrally managed solution. In Symantec's case, this solution comes in the form of a security virtual appliance. This article explains how to install the Symantec Security Virtual Appliance in a VMware environment.
This article is the third part of a series regarding deploying vShield with Symantec Endpoint Protection for VMware Horizon View:
- How To Deploy OVA / OVF Template Using VMware vSphere Client
- How to Configure VMware vShield Manager and vShield Endpoint
- Deploying vShield with the Symantec Security Virtual Appliance
- Exporting a Policy from Symantec Endpoint Protection Manager
- Configuring a SEPM Policy for vShield and Symantec SVA
- How to install EPSEC Drivers for vShield
Prerequisites for Installing the Symantec Security Virtual Appliance
Before continuing the installation, it is always a good idea to verify that the SVA is compatible with your existing VMware environment.
http://www.symantec.com/business/support/index?page=content&id=HOWTO81081
http://www.symantec.com/business/support/index?page=content&id=TECH163829
Environmental Variables
For the deployment of the Symantec Security Virtual Appliance in this guide, I had the following environmental variables:
- vSphere 5.5
- ESXi 5.5
- Symantec Endpoint Protection Manager 12.1.4 MP1
- vShield Endpoint 5.1.0-01255202
- VMware vShield Manager 5.5.2 1912200
Note: Although the first version of Symantec Endpoint Protection Manager to support the Symantec SVA is SEPM 12.1.2, be sure to upgrade SEPM to 12.1.4 if you are deploying SVA to a VMware 5.5 environment. Otherwise, the security virtual appliance will not be able to check in to SEPM.
Files Needed for SVA Installation
To install the Symantec Security Virtual Appliance, four files are needed. I recommend copying all of these files to a central location for deployment:
- SVA_InstallSettings.xml
- Symantec_SVA_Install.jar
- Symantec Endpoint Protection Security Virtual Appliance
- Sylink.xml
Both SVA_InstallSettings.xml and Symantec_SVA_Install.jar can be found in the Symantec Endpoint Protection Manager installation folder under
Installation folder\Virtualization\SecurityVirtualAppliance.
Note: These files should be pulled from your version of SEPM, in this case 12.1.4. If you have an older copy of the SEPM installation lying around on a file server, these files may not be compatible with your version.
To acquire the OVA for the Symantec Security Virtual Appliance, log in to https://fileconnect.symantec.com.
Locate the virtual appliance. In this case, the newest version available is Symantec_Endpoint_Protection 12.1.2_Security_Virtual_Appliance_ML.ova.
To acquire the sylink.xml file, you will need to export a Symantec Endpoint Policy. For a VDI infrastructure, it is recommended to make a specific policy for the virtual machines. This policy does not need to be configured yet. If you do not have a policy for the virtual machines, now is a good time to create one – before exporting the configuration.
See the article Exporting a Policy from Symantec Endpoint Protection Manager in this series for how to export a policy from SEPM.
Modifying Configuration Files to Install the Symantec Security Virtual Appliance
Communications File
By default, the SVA communicates over port 8014. Although you can adjust this to port 80, in SEPM 12.1.4 there is currently a glitch that will not allow the SVA to check in if you change the port to port 80. The fix for this issue is expected in SEPM 12.1.5.
Additionally, rename the exported configuration file to sylink.xml.
SVA Installation File
Next, modify the SVA_InstallSettings.xml file. Since you will need to deploy an SVA for every ESX/ESXi host, I recommend making an individual SVA_InstallSettings file for each host to avoid conflicts with the hostname or static IP settings.
Enter the vCenter Server IP address for deployment. If you have multiple vCenter servers, enter the vCenter that manages the ESX/ESXi hosts on which the SVA will be deployed.
Enter the IP address for vShield Manager. If the Symantec_SVA_Install.jar is not compatible with the versions of ESX/ESXi in the environment or the file is corrupt, you will receive an error that the password is incorrect.
For the path to the OVA, enter the full path to avoid any issues.
For example: C:\VirtualAppliance\12.1.2_Security_Virtual_Appliance_ML.ova
For the ESX/ESXi IP address, enter the IP address of the host on which you plan to deploy the SVA. For our use case, this will be the host that houses our virtual machines for the VMware Horizon View deployment.
For the hostname, I recommend using a naming convention that relates to your host.
Installing the Symantec Security Virtual Appliance
Once all the configuration files are ready, the install guide directs you to run the following with Java 7 or above:
java -jar Symantec_SVA_Install.jar -s Fullpath\SVA_InstallSettings.xml
In my example, since java.exe is not a valid executable, I navigated to my java directory. On an x64-bit system, by default, this will be located in
C:\Program Files
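A pre-flight check for the files and settings described above, run before the installer command. This is an added PowerShell example, not Symantec tooling and not part of the original article; the staging folder, the OVA file name and the parameter names are placeholders.

```powershell
# Added example: pre-flight check of the SVA installer inputs. Defaults are placeholders.
param(
    [string]$StagingDir   = 'C:\VirtualAppliance',
    [string]$SettingsFile = 'SVA_InstallSettings.xml',
    [string]$OvaFile      = 'Security_Virtual_Appliance.ova',  # placeholder file name
    [string]$JavaExe      = 'java'                             # or the full path to java.exe
)
$problems = New-Object System.Collections.Generic.List[string]

# 1. The OVA location handed to the installer should be a full path.
if (-not [System.IO.Path]::IsPathRooted($StagingDir)) { $problems.Add("'$StagingDir' is not a full path") }
# 2. All four files must be present in the staging folder.
$files = @{}
foreach ($name in $SettingsFile, 'Symantec_SVA_Install.jar', $OvaFile, 'sylink.xml') {
    $files[$name] = Join-Path $StagingDir $name
    if (-not (Test-Path -LiteralPath $files[$name] -PathType Leaf)) { $problems.Add("Missing file: $($files[$name])") }
}
# 3. Both XML files must be well-formed.
foreach ($name in $SettingsFile, 'sylink.xml') {
    if (-not (Test-Path -LiteralPath $files[$name])) { continue }
    try { [void][xml](Get-Content -LiteralPath $files[$name] -Raw) }
    catch { $problems.Add("$name is not well-formed XML") }
}
# 4. Heuristic text search: port 80 blocks check-in on SEPM 12.1.4, so expect 8014.
if ((Test-Path -LiteralPath $files['sylink.xml']) -and
    -not (Select-String -LiteralPath $files['sylink.xml'] -Pattern '8014' -Quiet)) {
    $problems.Add('sylink.xml does not mention port 8014')
}
# 5. A damaged jar surfaces as a misleading password error. A jar is a ZIP archive, so
#    confirm it opens and has a manifest (this does not verify per-entry checksums).
$jar = $files['Symantec_SVA_Install.jar']
if (Test-Path -LiteralPath $jar) {
    Add-Type -AssemblyName System.IO.Compression.FileSystem
    try {
        $zip = [System.IO.Compression.ZipFile]::OpenRead($jar)
        if (-not ($zip.Entries | Where-Object FullName -eq 'META-INF/MANIFEST.MF')) { $problems.Add('Jar has no manifest') }
        $zip.Dispose()
    } catch { $problems.Add("Jar does not open as a ZIP archive: $($_.Exception.Message)") }
}
# 6. The installer needs Java 7 or above; 'java -version' prints to stderr.
if (Get-Command $JavaExe -ErrorAction SilentlyContinue) {
    $text = (& $JavaExe -version 2>&1 | Out-String)
    if ($text -match 'version "(\d+)(?:\.(\d+))?') {
        $major = if ($Matches[1] -eq '1') { [int]$Matches[2] } else { [int]$Matches[1] }
        if ($major -lt 7) { $problems.Add("Java $major found; 7 or above is required") }
    } else { $problems.Add('Could not read the Java version') }
} else { $problems.Add("'$JavaExe' not found; pass -JavaExe with the full path to java.exe") }

if ($problems.Count) { $problems | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Output 'Pre-flight checks passed.'
```

Run it once per host-specific settings file by passing that file's name as -SettingsFile.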
Once the installation commences, the following prompts will appear:
- vCenter password
- vShield Manager password (use the web login password)
- Set the admin user password for the SVA
- Re-enter the admin user for the SVA
- Select an available datastore
- Select a VM network
Once the SVA has been installed, verify that the installation has been completed by checking the vShield Manager. Click on the individual host to verify that the vShield Endpoint solution has been installed.
Next, verify within Symantec Endpoint Protection Manager that the Security Virtual Appliance is checking in properly. To do this, click on Monitors > Security Virtual Appliance.
The Symantec Security Virtual Appliance has been successfully installed.
The next article in the series explains how to export a policy from SEPM so that SEPM agents can be installed on a virtual machine with the antivirus policy being used. If you have already completed this step, visit the Configuring a SEPM Policy for vShield and Symantec SVA article to begin configuring SEPM.
Resources Used:
- Configuring the Symantec Endpoint Protection Security Virtual Appliance installation settings file, http://www.symantec.com/business/support/index?page=content&id=HOWTO81082. Accessed July 17, 2014.
- Installing a Symantec Endpoint Protection Security Virtual Appliance, http://www.symantec.com/business/support/index?page=content&id=HOWTO81083. Accessed July 17, 2014.
- Release Notes and System Requirements for all versions of Symantec Endpoint Protection and Symantec Network Access Control, http://www.symantec.com/business/support/index?page=content&id=TECH163829. Accessed July 18, 2014.
- Symantec Endpoint Protection and Symantec Network Access Control 12.1.2 Installation and Administration Guide, https://www.symantec.com/business/support/index?page=content&id=DOC6153. Accessed July 16, 2014.
- Symantec Endpoint Protection Integration with VMware Horizon View – Part2, http://thinkingloudoncloud.com/2014/04/symantec-endpoint-protection-integration-vmware-horizon-view-part2/. Accessed July 16, 2014.
- VMware software requirements to install a Symantec Security Virtual Appliance, http://www.symantec.com/business/support/index?page=content&id=HOWTO81081. Accessed July 17, 2014.