Page 1: Symantec Endpoint Protection Integration with VMware Horizon View

Symantec Endpoint Protection Integration with VMware Horizon View

How does SEP work?

The SEP client needs to be installed on each client virtual machine; for Horizon View VMs it is installed as part of the desktop base image. The individual clients protect the virtual computers. The SEP clients report to the available Symantec Endpoint Protection Manager and get content updates from the internal LiveUpdate Administrator.

To optimize performance, the following features are available in SEP.

Virtual image exception: Whitelists files from the standard virtual machine image to optimize scanning.

Shared Insight Cache (Security Virtual Appliance): Shares scan results centrally across virtual clients to reduce bandwidth and latency.

Resource leveling: Randomizes scan and update schedules to prevent resource utilization spikes.

Offline image scanning: Finds threats even in offline virtual machine images.

Components of this solution

VMware Horizon View 5.2

VMware vCloud® Networking and Security 5.1 (vShield Manager, vShield Endpoint)

VMware vSphere 5.x

Symantec SEP 12.1.2 (Symantec Endpoint Protection Manager, LiveUpdate Administrator, Security Virtual Appliance, Virtual Image Exception Tool, ClientSideClonePrepTool)

The next two parts will cover:

Implementation details for all the components

Configuration details

Below is the sequence in which we will go through the installation:

1)   VMware vShield Manager

2)   VMware vShield Endpoint

3)   Symantec Virtual Appliance

Installation of vShield Manager:


The vShield Manager is the centralized network management component of vShield, and is installed as a virtual appliance on any ESX host in your vCenter Server environment. A vShield Manager can run on a different ESX host from your vShield agents.

Using the vShield Manager user interface or vSphere Client plug-in, administrators install, configure, and maintain vShield components. The vShield Manager user interface leverages the VMware Infrastructure SDK to display a copy of the vSphere Client inventory panel, and includes the Hosts, Clusters and Networks views.

The management interfaces of vShield components should be placed in a common network, such as the vSphere management network. The vShield Manager requires connectivity to the vCenter Server, ESXi host, vShield Endpoint module, and vShield Data Security virtual machine. vShield components can communicate over routed connections as well as different LANs.

It’s recommended that you install vShield Manager on a dedicated management cluster separate from the cluster(s) that vShield Manager manages. Each vShield Manager manages a single vCenter Server environment.

System Requirements (Hardware/Software) for vShield Manager

Memory: 8 GB allocated, 3 GB reserved

Disk space: 60 GB

vCPU: 2

For all software-related dependencies, please refer to the VMware Product Interoperability Matrix at http://partnerweb.vmware.com/comp_guide/sim/interop_matrix.php.

Now let’s look at the installation/configuration procedure of vShield Manager.

Step 1: Download the .ova file of vShield Manager from VMware download site, typically the naming convention is like VMware-vShield-Manager-5.x.x-<build_number>.ova

Step 2: Import the .ova file to an ESXi server through VI Client or Web Client

Step 3: Power on the appliance and configure it as shown below. Log in to the appliance using admin as the username and default as the password.


Step 4: Once logged in, type enable at the Manager> prompt; the password is again “default”. Once in enable mode, you have to invoke setup as seen above.

Step 5: The setup prompt will ask you for networking details which enables you to access the vShield Manager Appliance.

Step 6: You access the vShield Manager user interface by opening a web browser and navigating to the IP address of the vShield Manager’s management port. The default user account, admin, has global access to the vShield Manager. After the initial login, you should change the default password of the admin user account.

Step 7: Once you are logged in to the vShield Manager’s web interface, specify the vCenter Server, DNS and NTP server, and Lookup server details.

Installation of vShield End Point:

Step 1: Installation of vShield Endpoint is very straightforward: log in to the vShield Manager and select, on the left-hand side, the host on which you want to install the vShield Endpoint component.

Step 2: The installation will begin and you will see messages like the one below.


Step 3: You will see the below messages in the vCenter server

The vShield Endpoint host component adds two firewall rules to the ESX host:

The vShield-Endpoint-Mux rule opens ports 48651 to 48666 for communication between the host component and partner security VMs.

The vShield-Endpoint-Mux-Partners rule may be used by partners to install a host component. It is disabled by default.

Step 4: Once the installation is complete you will see the below messages in the vShield Manager


The installation needs to be repeated for all the ESXi servers in the Datacenter.

Installation of Symantec Virtual Appliance:

The Symantec Endpoint Protection Security Virtual Appliance is a Linux-based virtual appliance that you install on a VMware ESX/ESXi server. The Security Virtual Appliance integrates with VMware’s vShield Endpoint. The Shared Insight Cache runs in the appliance and lets Windows-based Guest Virtual Machines (GVMs) share scan results. Identical files are trusted and therefore skipped across all of the GVMs on the ESX/ESXi host. Shared Insight Cache improves full scan performance by reducing disk I/O and CPU usage.

The appliance is complete and ready to use as soon as you install it. The appliance includes the Shared Insight Cache.

Configuration steps:

Step 1: On the Symantec Endpoint Protection Tools product disc, locate the Virtualization\SecurityVirtualAppliance folder

Step 2: Copy the entire contents of the SecurityVirtualAppliance folder to a local directory

Step 3: Download the file Endpoint Protection Security Virtual Appliance OVA file from File Connect at https://fileconnect.symantec.com, to the same folder

Step 4: Export Sylink.xml file from the SEPM to which you want to point the SVA and the VM Guest computers, to the same folder

Step 5: Edit the Sylink.xml file and add the port details (HttpPort=”80”) to every Server Address entry in the file, as highlighted in the example below.


Step 6: Edit the configuration file SVA_InstallSettings.xml as per the details below:

a) vCenter information: IP address, user name and password

b) vShield Manager information: IP address, user name and password

c) Full Path to the Security Virtual Appliance OVA file (Ex: C:\SVA\SVA.OVA)


d) ESXi Host Information: IP address of the ESXi host

e) Full Path to the sylink.xml file (Ex: C:\SVA\sylink.xml)

f) Datastore selection prompt

g) SVA Hostname / username and password

h) ip_address (a unique IP address for the SVA), gateway, subnet, dns


Step 7: Copy the files (SVA_InstallSettings.xml, Symantec_SVA_Install.jar, the Endpoint Protection Security Virtual Appliance OVA file and Sylink.xml) to a folder on the vCenter server.

Step 8: Ensure that the vCenter server has Java 7 or later installed.
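The Sylink.xml edit in step 5 and the network fields in step 6 are easy to get subtly wrong (a Server entry missed, an SVA address that is not in the gateway's subnet), so here is an added Python example that does both mechanically before the installer is run. It is not Symantec's installer code: the <ServerList>/<Server Address="..."/> layout of Sylink.xml and the flat element names in SVA_InstallSettings.xml (vcenter_address, ip_address, gateway, subnet, dns and so on) are assumptions made for this example, and both sample files are constructed.

```python
"""Helpers for configuration steps 5 and 6: add HttpPort to every Server
Address in an exported Sylink.xml and sanity-check the SVA network settings.

Added example, not Symantec's installer code. The Sylink.xml layout in
SAMPLE_SYLINK and the element names in SAMPLE_SETTINGS/REQUIRED_TAGS are
assumptions; adjust them to match your real files.
"""
import ipaddress
import xml.etree.ElementTree as ET

XML_DECL = '<?xml version="1.0" encoding="UTF-8"?>\n'

# Constructed Sylink.xml sample: two SEPM entries, one already carrying a port.
SAMPLE_SYLINK = XML_DECL + """<ServerList Name="Default Management Server List">
  <Server Address="192.0.2.10"/>
  <Server Address="sepm02.example.test" HttpPort="8014"/>
</ServerList>
"""

# Constructed settings sample (assumed element names). The SVA address is
# deliberately outside the gateway's subnet so that preflight() reports it.
SAMPLE_SETTINGS = XML_DECL + """<sva_install>
  <vcenter_address>192.0.2.5</vcenter_address>
  <vshield_address>192.0.2.6</vshield_address>
  <esx_host>192.0.2.7</esx_host>
  <ova_path>C:\\SVA\\SVA.OVA</ova_path>
  <sylink_path>C:\\SVA\\sylink.xml</sylink_path>
  <ip_address>198.51.100.20</ip_address>
  <gateway>192.0.2.1</gateway>
  <subnet>255.255.255.0</subnet>
  <dns>192.0.2.53</dns>
</sva_install>
"""

# Elements the install cannot proceed without (assumed names, see docstring).
REQUIRED_TAGS = ("vcenter_address", "vshield_address", "esx_host", "ova_path",
                 "sylink_path", "ip_address", "gateway", "subnet", "dns")
NETWORK_TAGS = ("ip_address", "gateway", "subnet", "dns")


def add_http_port(sylink_xml, port="80", overwrite=False):
    """Return (patched XML text, number of Server entries changed).

    Every <Server> element with an Address attribute gets HttpPort=port. An
    existing HttpPort is kept unless overwrite=True, so running the script a
    second time on the same file changes nothing.
    """
    root = ET.fromstring(sylink_xml)
    changed = 0
    for server in root.iter("Server"):
        if "Address" not in server.attrib:
            continue
        if "HttpPort" in server.attrib and not overwrite:
            continue
        server.set("HttpPort", port)
        changed += 1
    return XML_DECL + ET.tostring(root, encoding="unicode"), changed


def server_ports(sylink_xml):
    """List (Address, HttpPort) for every Server entry; HttpPort is None when unset."""
    root = ET.fromstring(sylink_xml)
    return [(s.get("Address"), s.get("HttpPort")) for s in root.iter("Server") if s.get("Address")]


def load_settings(settings_xml):
    """Flatten the settings file into {element name: text}."""
    root = ET.fromstring(settings_xml)
    return {child.tag: (child.text or "").strip() for child in root}


def preflight(settings):
    """Return a list of problems; an empty list means the settings look consistent."""
    problems = [f"{tag}: missing or empty" for tag in REQUIRED_TAGS if not settings.get(tag)]
    if problems:
        return problems
    for tag in NETWORK_TAGS:
        try:
            ipaddress.IPv4Address(settings[tag])
        except ValueError:
            problems.append(f"{tag}: {settings[tag]!r} is not a valid IPv4 address")
    if problems:
        return problems
    try:
        # Network implied by the gateway and mask; the SVA must live inside it.
        net = ipaddress.IPv4Network(f"{settings['gateway']}/{settings['subnet']}", strict=False)
    except ValueError:
        return [f"subnet: {settings['subnet']!r} is not a valid netmask"]
    sva = ipaddress.IPv4Address(settings["ip_address"])
    if sva not in net:
        problems.append(f"ip_address: {sva} is not in the gateway's network {net}")
    elif sva in (net.network_address, net.broadcast_address):
        problems.append(f"ip_address: {sva} is the network or broadcast address of {net}")
    if settings["ip_address"] == settings["gateway"]:
        problems.append("ip_address and gateway are identical")
    return problems


if __name__ == "__main__":
    patched, changed = add_http_port(SAMPLE_SYLINK)
    print(f"{changed} Server entry updated:", server_ports(patched))
    for line in preflight(load_settings(SAMPLE_SETTINGS)) or ["settings look consistent"]:
        print(line)
```

Run it as-is to see the sample output, or pass the contents of your exported files to add_http_port and load_settings. The overwrite flag exists because a Sylink.xml exported from a SEPM that already lists a port should normally keep that port; only entries without one get the HttpPort="80" the step asks for.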

Installation

Step 1: From a command prompt:

a) Navigate to the folder where the SVA files reside.

b) Type the command: java -jar Symantec_SVA_Install.jar -s SVA_InstallSettings.xml

c) Select the datastore for your Symantec appliance; for networking, select the appropriate switch or port group that you have configured.


d) You will see the progress below in the vCenter server when the appliance installation starts.

e) You will see the below messages once the installation is finished


Step 2: After completion, check that the SVA appears as an appliance and is powered on: log in to the vShield Manager, select the Datacenter and click General > Hosts. Each host should have a Service VM listed; that is your Symantec SVA appliance.

Step 3: Check if the SVA is reporting to the SEPM from SEPM > Monitors > Security Virtual Appliance. The hostname should reflect the Symantec SVA name which you have given at the time of installation.


Step 4: You can select the SVA and click on Details to know more information

This completes the installation of the Symantec SVA. In the next part I will focus on the configuration and the things that we have to do on the VDI master images, as well as the configuration that can be done on the Symantec side.

Add the VMware EPSEC driver on each GVM / Master Image


vShield Endpoint monitors virtual machine file events and notifies the antivirus engine, via VMware EPSEC (Endpoint Security), which scans and returns a disposition. It also supports scheduled full and partial file scans initiated by the antivirus engine in the security virtual machine.

Use the VMware Tools installer to install the EPSEC driver.

Note: Perform a custom install and select vShield drivers under VMware device drivers/VMCI drivers, or perform a complete install

Enable Symantec Endpoint Protection clients to use a vShield-enabled Shared Insight Cache

1. In the Symantec Endpoint Protection Manager console, open the appropriate Virus and Spyware Protection policy and click Miscellaneous

2. On the Miscellaneous page, click Shared Insight Cache.

3. Check Enable Shared Insight Cache.

4. Click Shared Insight Cache using VMware vShield.

5. Click OK.

Install SEP client on Base image


1. Copy the SEP agent for VDI clients to the GVM or the master image.

2. Execute Setup.exe in an Admin context.

3. Reboot the VDI client after installation and update the definitions to the latest.

4. Confirm from the SEPM that the client is reporting.

Run the Virtual Image Exception tool on the base image

You can use the Virtual Image Exception tool on a base image before you build out your virtual machines. The Virtual Image Exception tool lets your clients bypass the scanning of base image files for threats, which reduces the resource load on disk I/O. It also improves CPU scanning process performance in your virtual desktop infrastructure.

Process for using the Virtual Image Exception tool on a base image

Step 1: On the base image, perform a full scan on all of the files to ensure that the files are clean

Step 2: Ensure that the client’s quarantine is empty


Step 3: Run the Virtual Image Exception tool from the command line to mark the base image files

Running the Virtual Image Exception tool

1. From the Symantec Endpoint Protection Tools product disc, download the following file to the base image: /Virtualization/VirtualImageException/vietool.exe

2. Open a command prompt with administrative privileges.

3. Navigate to the directory where the Virtual Image Exception tool is located.

4. Run the Virtual Image Exception tool with the arguments: vietool.exe c: --generate --hash


Step 4: Enable the feature in Symantec Endpoint Protection Manager so that your clients know to look for and bypass the marked files when a scan runs from SEPM > Policies > Virus and Spyware Protection Policy > Miscellaneous> Virtual Images


Step 5: Remove the Virtual Image Exception tool from the base image

Prepare a Symantec Endpoint Protection 12.1 client for cloning

This tool will remove all Symantec Endpoint Protection client identifiers and leave the Endpoint Protection services stopped. It should be done as the last step in the image preparation process, before running ClientSideClonePrepTool and/or shutting down the system. If the system is rebooted or the Endpoint Protection client services are restarted then new identifiers will be generated and you must re-run the tool before cloning.

Procedure

1. Install the operating system, applications, and patches.

2. Install the Symantec Endpoint Protection client and update the definitions.

3. Copy ClientSideClonePrepTool.exe to a folder on this computer.

4. Open a command prompt with administrative privileges.

5. Navigate to the directory where ClientSideClonePrepTool.exe was copied.

6. Run ClientSideClonePrepTool.exe.


Once ClientSideClonePrepTool has been run on the VM, the VM must not be restarted: a restart would start the SEP services and bring the SEP client back to its normal state. The VM should be shut down and used for cloning. If the VM is rebooted, this process must be repeated.

Non-persistent virtual desktop infrastructures


1. Using Symantec Endpoint Protection in non-persistent virtual desktop infrastructures

2. Setting up the base image for non-persistent guest virtual machines in virtual desktop infrastructures

3. Creating a registry key to mark the base image Guest Virtual Machines (GVMs) as non-persistent clients

4. Configuring a separate purge interval for offline non-persistent VDI clients

Using Symantec Endpoint Protection in non-persistent virtual desktop infrastructures

You can configure the Symantec Endpoint Protection client in your base image to indicate that it is a non-persistent virtual client. You can then configure a separate purge interval in Symantec Endpoint Protection for the offline guest virtual machines (GVMs) in non-persistent virtual desktop infrastructures.

Symantec Endpoint Protection Manager removes the non-persistent GVM clients that have been offline longer than the specified time period. This feature makes it simpler to manage the GVMs in Symantec Endpoint Protection Manager.

Creating a registry key to mark the base image Guest Virtual Machines (GVMs) as non-persistent clients

Step 1: In Symantec Endpoint Protection Manager, disable Tamper Protection. This should be done by a SEP Admin.


Step 2: Modify the registry.

1. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\


2. Create a new key named Virtualization.

3. Under Virtualization, create a DWORD value named IsNPVDIClient and set it to 1.

Step 3: In Symantec Endpoint Protection Manager, enable Tamper Protection again.

Configuring a separate purge interval for offline non-persistent VDI clients

Over time, obsolete clients can accumulate in the Symantec Endpoint Protection Manager database. Obsolete clients are those clients that have not connected to Symantec Endpoint Protection Manager for 30 days. Symantec Endpoint Protection Manager purges obsolete clients every 30 days by default.

If you do not want to wait the same number of days to purge obsolete non-persistent clients, you can configure a separate interval for them. If you do not configure a separate interval, then offline non-persistent VDI clients are purged at the same interval that non-virtual obsolete clients are purged.

Online non-persistent clients count toward the number of deployed licenses; offline non-persistent clients do not.

You can also filter the offline non-persistent clients out of the view on the Clients page.

To configure the purge interval for offline non-persistent VDI clients

Step 1: In the Symantec Endpoint Protection Manager console, on the Admin page, click Domains.

Step 2: In the Domains tree, click the desired domain.

Step 3: Under Tasks, click Edit Domain Properties.

Step 4: On the Edit Domain Properties > General tab, check the Delete non-persistent VDI clients that have not connected for specified time checkbox and change the days value to the desired number.

Step 5: Click OK.
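To see what the two intervals actually do to an inventory, here is an added Python model (not SEPM code) of the purge rule as this page states it: a constructed list of persistent and non-persistent clients with their last connection times, evaluated with and without a separate VDI interval, plus the license count that excludes offline non-persistent clients.

```python
"""Model of the SEPM purge behaviour described above.

Added example, not SEPM code. It applies the rule stated on this page (a
client is obsolete after N days without a connection, default 30;
non-persistent VDI clients get their own interval only when one is
configured) to a constructed client list.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

DEFAULT_PURGE_DAYS = 30  # SEPM default interval for obsolete clients


@dataclass(frozen=True)
class Client:
    name: str
    last_connected: datetime
    non_persistent: bool = False  # what the IsNPVDIClient registry marker tells SEPM
    online: bool = False


def purge_candidates(clients, now, purge_days=DEFAULT_PURGE_DAYS, npvdi_purge_days=None):
    """Names of offline clients SEPM would purge at time `now`.

    Persistent clients age out after purge_days. Non-persistent ones use
    npvdi_purge_days when it is set; otherwise they fall back to purge_days,
    which is the behaviour when no separate interval is configured.
    """
    purged = []
    for client in clients:
        if client.online:
            continue
        limit = purge_days
        if client.non_persistent and npvdi_purge_days is not None:
            limit = npvdi_purge_days
        if now - client.last_connected > timedelta(days=limit):
            purged.append(client.name)
    return purged


def licensed_count(clients):
    """Clients counting toward deployed licenses: all except offline non-persistent ones."""
    return sum(1 for c in clients if not (c.non_persistent and not c.online))


# Constructed inventory, evaluated as of 1 September 2013.
NOW = datetime(2013, 9, 1)
SAMPLE_CLIENTS = (
    Client("persist-01", datetime(2013, 7, 20)),                   # 43 days offline
    Client("persist-02", datetime(2013, 8, 25)),                   # 7 days offline
    Client("vdi-01", datetime(2013, 8, 29), non_persistent=True),  # 3 days offline
    Client("vdi-02", datetime(2013, 8, 31, 12), non_persistent=True, online=True),
    Client("vdi-03", datetime(2013, 7, 1), non_persistent=True),   # 62 days offline
)

if __name__ == "__main__":
    print("default interval only:", purge_candidates(SAMPLE_CLIENTS, NOW))
    print("with a 1-day VDI interval:", purge_candidates(SAMPLE_CLIENTS, NOW, npvdi_purge_days=1))
    print("licensed clients:", licensed_count(SAMPLE_CLIENTS))
```

With only the 30-day default, vdi-01 survives because a three-day-old non-persistent client is treated like any other offline client; the moment a separate one-day VDI interval is configured it is purged, while the online vdi-02 is never touched and never drops out of the license count.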

Weekly Scan Settings

You can select the frequency of the scans by going to Administrator-Defined Scans and setting up the scan with the scheduling details.


You can also tune your scans and select the options highlighted below; my recommendation is to select “Best Application Performance”, which gives a better end-user experience.


Advanced Scanning and Monitoring Policies


Creating a Notification for SVA health status from SEPM