Views:
You can import a VMware vCenter into Deep Security Manager and then protect its virtual machines with an agent.
Note
Note
You cannot import a vCenter that is using vShield Manager.
You have the following options for adding a vCenter:
Note
Note
Deep Security Manager supports vCenter High Availability environments in Active or Passive mode.

Add a vCenter

  1. In Deep Security Manager, go to Computers > Add > Add VMware vCenter.
    The following page appears:
    vCenter-add-vcenter-page=c9a42566-41ef-453b-90c9-ecc0a2ba1a8e.png
  2. Enter vCenter information:
    • Server Address: The vCenter server's IP address (or host name if DNS is configured and able to resolve FQDNs to IP addresses).
    • Server Port: The port number to connect to the vCenter (443 by default).
    • Name: The name of the vCenter that will appear in the manager.
    • Description: A description for the vCenter.
    • Username and Password: Enter the user name and password of a vCenter user account. This account must conform to the specifications in the tables below, and is required to synchronize the VM inventory between vCenter and Deep Security Manager.
      Note
      Note
      Applying the Read Only role at the Hosts and Clusters or Virtual Machine level in vCenter causes synchronization problems.

    vCenter user account specifications

    Protection method
    NSX Type
    vCenter user account specifications
    agent only
    No NSX-V or NSX-T integration
    The vCenter user account must have the vCenter Read Only role (or another role that has equal or greater privileges) at the data center level.
  3. Accept the vCenter TLS (SSL) certificate.
  4. Click Next.
    The following page appears:
    vCenter-add-nsx-page=5db8967b-3ed9-48e0-bb7d-c5bcc87d47cb.png
    Note
    Note
    If you don't see the NSX binding options at the top of the page, it's because you're using an older version of the manager. Upgrade your manager to FR 2019-12-12 to see the options.
  5. Fill out the page as follows:
    Note
    Note
    For details about the NSX-T Manager Cluster Virtual IP Address (VIP), see NSX-T Manager Cluster Deployment with Deep Security.
    • Make sure Configure vCenter without NSX binding is selected and click Next. NSX is not supported with the Deep Security Manager VM from Azure Marketplace.

    NSX user account specifications

    NSX Type
    User account specifications
    VMware NSX Data Center for vSphere (NSX-V)
    The user account must be:
    • the NSX built-in administrator account (which has full permissions).
    Or
    • a vCenter user account with the following two roles:
      • Enterprise Administrator role assigned in NSX Manager. For information on assigning roles in NSX-V Manager, see this VMware article.
      • Administrator role assigned at the data center level in vCenter. (Applying this role at the cluster level causes errors.)
    VMware NSX-T Data Center (NSX-T)
    The user account must be:
    • the NSX built-in admin account (Enterprise Admin, which has full permissions).
    Or
    • an NSX-T user account with LDAP credentials with the following roles (or other roles that have equal or greater privileges):
      • GI Partner Admin for Endpoint Protection.
      • Netx Partner Admin for E-W Network Introspection.
    For details on the privileges assigned to the various VMware roles, see this VMware article. For details on assigning roles in NSX-T Manager, see this VMware article.
  6. Click Next.
  7. Review the vCenter information and click Finish.
  8. The VMware vCenter has been successfully added message is displayed. Click Close.The vCenter will appear on the Computers page.
    Tip
    Tip
    If you select Create an Event Based task to automatically activate VMs added to protected NSX Security Groups in this vCenter when adding the vCenter, Deep Security Manager will create two event-based tasks. One activates VMs when protection is added and the other deactivates VMs when protection is removed.
If you provided your NSX information as described above, Deep Security Manager registers the Deep Security service within NSX Manager. The registration permits the deployment of the Deep Security service to the ESXi servers.
In a large environment with more than 3000 machines reporting to a vCenter Server, this process may take 20 to 30 minutes to complete. You can check the vCenter's Recent Task section to verify if there are activities running.
Deep Security Manager will maintain real-time synchronization with this VMware vCenter to keep the information displayed in Deep Security Manager (number of VMs, their status, etc.) up to date.

Add multiple vCenters

To add multiple vCenters to Deep Security Manager:
  1. Add the first vCenter and NSX Manager following the instructions in Add a vCenter.
  2. Repeat the steps in Add a vCenter for subsequent vCenters and associated NSX Managers you want to add.

Add a vCenter - FIPS mode

To add a vCenter when Deep Security Manager is in FIPS mode:
  1. Import the vCenter and NSX Manager TLS (SSL) certificates into Deep Security Manager before adding the vCenter to the manager. See Manage trusted certificates.
  2. Add a vCenter following the steps in Add a vCenter. The steps are exactly the same, except that in FIPS mode you will see a Trusted Certificate section on the vCenter page. Click Test Connection to check whether the vCenter's SSL certificate has been imported successfully into Deep Security Manager. If there are no errors, click Next and continue on through the wizard.