vShield Endpoint with vSphere 6.0

I’ve heard some questions regarding vShield Endpoint being supported with vSphere 6.0.  Some of the confusion has come from various announcements of End of Availability and End of Support for vCloud Networking and Security.  Before I answer the question of using vShield Endpoint with vSphere 6.0, let’s first look at the history of the vShield product line to see where the confusion may come from.  There has been many changes due to the rapid pace of innovation and developments in virtual networking and security:

  • May 2009: vShield Zones 1.0 released, providing an application-aware firewall built for VMware vCenter Server integration.  vSphere 4.0 is the current version of vSphere.  vSphere Advanced, Enterprise and Enterprise Plus editions are entitled to vShield Zones.
  • August 2010: VMware vShield 4.1 is released along with vSphere 4.1.  vShield Edge, App and Endpoint are introduced and packaged with vShield Zones. All vShield components are managed by vShield Manager. vShield (Suite) is available as add-on licenses.  vShield Zones remains a part of vSphere Enterprise and Enterprise Plus licensing.
  • July 2011: vShield Data Security is announced.
  • September 2011: VMware vShield 5.0 is released, along with vSphere 5.0.  vShield 5.0 adds vShield Data Security capabilities.  If you were running ESX 4.1 with vShield Zones 4.1, and wanted to upgrade to ESXi 5.0, you must manually uninstall vShield Manager 4.1 and Zones 4.1, upgrade to ESXi 5.0, then install vShield Manager 1.0 and Zones 1.0 that were released with vSphere 5.0.  Yes, this is confusing at best….  vShield Endpoint is made available as part of the VMware View 4 Premier Edition bundle.
  • August 2012: vShield Zones 4.1 reaches End of Availability (EOA) and End of General Support (EOS).  However, vShield Zones 1.0 that was released with vSphere 5.0 remains available for download through vSphere 5.1.  The vShield Zones virtual firewall provided very basic segmentation and traffic filtering capabilities using the VMsafe API, which is deprecated (thus further investment for feature development or support can not be justified). VMware plans to continue to invest in vCloud Networking and Security, which covers the majority of use cases for vShield Zones.
  • July 2012: VMware acquires Nicira for $1.26 Billion.  VMware NSX will eventually come from this acquisition.
  • August 2012: vShield Endpoint is now included in every vSphere Edition (except vSphere Essentials).  The licensing change makes vShield Endpoint available for all customers, with an active SnS, running vSphere 5.1.x, vSphere 5.0.x, or vSphere 4.1 U3! 
  • August 2012: vSphere 5.1 and vCloud Networking and Security (vCNS) 5.1 are announced.  vCNS includes vShield Edge, App and Endpoint.  vCNS is available as an add-on license to vSphere, and is included with vCloud Director.  With the general availability of VMware vCloud Networking and Security 5.1 in September 2012, VMware announced an end of availability date of October 15, 2012 for the standalone vShield family of products (i.e, vShield Edge, vShield App, vShield Data Security and vShield Endpoint.) VMware will continue to support maintenance releases for the vShield products until September 1, 2013.
    • vCloud Networking and Security is sold in two editions:
      • Standard Edition -­‐ provides the following features: firewall, VPN, VXLAN, vCloud Ecosystem framework, Network Address Translation, and Dynamic Host Control Protocol.
      • Advanced Edition – Provides all the features of Standard Edition plus high availability, load balancing, and data security.
  • August 2012: vCloud Suite 5.1 is announced.  This first iteration of the vCloud Suite bundled vSphere, vCloud Director, vCloud Connector, vFabric Application Director, vCloud Networking and Security 5.1, vCenter Operations Management Suite, vCenter Site Recovery Manager and vCloud Automation Center.  VMware offered a $1 upgrade from vSphere Enterprise Plus to vCloud Suite Standard – customers who took advantage of this deal are now licensed for vCloud Networking and Security through the vCloud Suite.
    • With vCloud Suite, VMware is now selling vCloud Networking and Security with two licensing options: bundled with the vCloud Suites and licensed per processor; or sold stand alone, and licensed per VM.
  • September 2013: vCloud Suite 5.5 is released.  vCloud Suite 5.5 includes vCloud Networking and Security 5.5; vCloud Networking and Security 5.5 is only available as part of VMware vCloud Suite 5.5 and is not available as a standalone product.  At the same time, VMware announced the End of Availability (“EOA”) of the VMware vCloud Networking and Security 5.1 Standard and Advanced editions for sale as standalone products effective September 30, 2013.
  • September 2013: VMware announces general availability of VMware NSX.  NSX is a stand-alone product with some functionality that overlaps vCNS.
  • March 2015: vSphere 6.0 and vCloud Suite 6.0 are announced.
    • vCloud Networking and Security is removed from the vCloud Suite bundle – this means that vCNS has reached End of Availability because it was only available through the vCloud Suite bundle. However, vCNS 5.5 remains supported through September 2016 for customers who were already licensed.
    • NSX is not included in the vCloud Suite.  vCloud Suite customers who are ready to take advantage of advanced software-defined networking and security services have the option to purchase NSX for vSphere at a reduced add-on price. NSX provides layer 2 to layer 7 network virtualization, with security policies that follow workloads across the data center for faster network provisioning and management.

And that brings us to today – At first glance, it would appear that all vShield and vCloud Networking and Security products are end of availability and not available for use with vSphere 6.0.  vShield Manager, a component of vCNS, is needed to deploy and mange the vShield Endpoint agent on ESXi hosts, so customers began to question whether vShield Endpoint was licensed and compatible with vSphere 6.0 (and I suspect some of our security partners also began to wonder).  So what’s the deal?

vShield Endpoint is supported with vSphere 6.0, and licensing is included in vSphere editions Essentials Plus and above! vCloud Networking and Security was updated to version 5.5.4.x to support vSphere 6.0.  This VMware KB sheds a little light on this: Implementation of VMware vShield Endpoint beyond vCloud Networking and Security End of Availability (EOA) (2110078).  Be sure to check the VMware Product Interoperability Matrixes to verify you have the supported version of vCNS for your version of vSphere (vCenter AND ESXi).

vCNS vSphere 6.0 Interoperability

So how do you use vShield Endpoint with vSphere 6.0?  vShield Endpoint requires vCNS  (specifically, vShield Manager/vCloud Networking and Security Manager) for configuration and management.  Any entitled customers will be able to download vCNS to obtain vCloud Networking and Security Manager.  Sounds good, except that until very recently vCloud Networking and Security was not included in the vSphere 6.0 downloads (and it is still not listed under vSphere with Operations Management 6.0 downloads or vCloud Suite 6.0 downloads sections on http://my.vmware.com.  If you don’t see vCloud Networking and Security in your product downloads on http://my.vmware.com use the search functionality in the downloads section to look for “vShield 5.5.4”.  Note that as of today, the latest version is 5.5.4.1.

vCloud Networking and Security v5.5.4.1 download

So what happens after vSphere 6.0?  As far as I know, vCloud Networking and Security will not be available – features in NSX will replace vCNS/vShield features.  NSX supports Guest Introspection. Guest Introspection strengthens security for virtual machines while improving performance for endpoint protection by offloading antivirus and anti-malware agent processing to a dedicated Security Virtual Appliance that is delivered and supported by VMware partners (such as Symantec, McAfee, TrendMicro).  As of today, you have to acquire NSX licenses as add-on licensing to vCloud Suite or a la carte to your vSphere/vSOM environment (i.e. NSX is not included in vCloud Suite).  I have no insight into whether vCloud Suite or NSX licensing will change for future versions.

Customers who choose to go the NSX path will be able to upgrade from vShield Endpoint 5.5 to vShield Endpoint 6.0 and use NSX Manager to perform administration and operations on vShield Endpoint (see this documentation for more: https://pubs.vmware.com/NSX-6/index.jsp#com.vmware.nsx.install.doc/GUID-45B09850-AB5A-4232-AE7C-6A80541A2AF0.html).

vShield Endpoint partner solutions will continue to be supported per this VMware KB article: Support for partner integrations with VMware vShield Endpoint and VMware vCloud Networking and Security (2105558)

Bottom line: vShield Endpoint is supported with vSphere 6.0, and licensing is included in vSphere editions Essentials Plus and above!  Verify with your 3rd party security vendor that they support vCloud Networking and Security Manager v.5.5.4.x and vSphere 6.0.  If so, upgrade vCloud Networking and Security Manager to v.5.5.4.x and then upgrade vSphere to version 6.0.  Note that the official Update sequence for vSphere 6.0 and its compatible VMware products (2109760) has you upgrading vCenter and ESXi to 6.0 before vShield Endpoint to 5.5.4.x, but I don’t think it is correct (because vShield 5.5.3 and earlier do not support vSphere 6.x, but vShield 5.5.4.x supports vSphere 5.5 and earlier).  Check with VMware Support, the VMware Product Interoperability Matrixes and, of course, test your upgrade in a lab.  Hope this helps clear up any confusion.

Comments

  1. Thank you for detail run down for vShield.

  2. Thanks VMware. Your licensing is now more confusing and customer-unfriendly than Microsoft’s ever was. Make Oracle licensing look almost sane in comparison.

    VMware, Here’s a clue stick: you cannot replace major functionality with a new product, unless you give customers with perpetual licenses FREE licenses to the new product. Meaning $dayjob should have licenses for NSX, or at least the firwalling bits. But they want us to shell out tens of thousands. And we are rightly pissed.

    So we’re forced to look hard at OpenStack and Hyper-V… VMware has officially jumped the shark.

  3. TANKS!

Drop a comment below:

%d bloggers like this: