Deploy virtual appliances on an ESXi host managed by VMware vCenter, or on a KVM-based hypervisor such as Red Hat Virtualization. This procedure prompts you to download a virtual appliance OVA template or QCOW2 image from the Cisco Software Download page.
To deploy a Secure Workload external appliance, the ESXi host on which the appliance is created must meet the following specifications:
- vSphere: version 5.5 or later.
- CPU: at least 2.2 GHz per core, with enough reservable capacity for the appliance.
- Memory: enough reservable memory for the appliance.
To deploy a virtual appliance to collect data from connectors:
Procedure
1. In the Secure Workload web portal, from the navigation pane, choose Manage > Virtual Appliances.
2. Click Enable a Connector. The type of virtual appliance you must deploy depends on the type of connector you are enabling.
3. Click the type of connector for which you must create the virtual appliance. For example, click the NetFlow connector.
4. On the connector page, click Enable.
   If a notification prompts you to deploy a virtual appliance, click Yes. If you do not see this notice, you may already have a virtual appliance that this connector can use, in which case you do not need to perform this procedure.
5. Click the link to download the OVA template or QCOW2 image for the virtual appliance. Leave the wizard open on your screen without clicking anything else.
6. Use the downloaded image as follows:
   - OVA: deploy a new OVF template on the designated ESXi host.
     To deploy an OVA from the vSphere Web Client, follow the instructions on how to Deploy an OVF Template.
     Ensure that the deployed VM settings match the recommended configuration for the virtual appliance type.
     Do not power on the deployed VM.
   - QCOW2 image: create a new VM on a KVM hypervisor such as Red Hat Virtualization.
7. After the VM is deployed, but before you power it on, return to the virtual appliance deployment wizard in the Secure Workload web portal.
8. Click Next in the virtual appliance deployment wizard.
9. Configure the virtual appliance by providing IP addresses, gateways, hostname, DNS, proxy server settings, and the docker bridge subnet configuration. See the screenshot Configuring the VM with Network Parameters.
   If the appliance must use a proxy server to reach Secure Workload, check the Use proxy server to connect to Secure Workload check box. If this is not set correctly, connectors may be unable to communicate with Secure Workload for control messages, register connectors, or send flow data to the Secure Workload collector.
   If the IP addresses and gateways of the appliance conflict with the default docker bridge subnet (172.17.0.1/16), the appliance can be configured with a custom docker bridge subnet specified in the Docker Bridge (CIDR format) field. This requires appliance OVA 3.3.2.16 or later.
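Before entering the step 9 parameters, it helps to check them for the conflict the note describes. The following Python script is an added example, not Cisco's code and not part of the appliance: it takes the interface addresses, gateways and the Docker Bridge CIDR, normalises the page's default 172.17.0.1/16 to its network, and reports any interface subnet that overlaps the docker bridge, any gateway outside its interface subnet, and any malformed input. The dictionary layout and the sample values in the usage block are constructed for this example.

```python
"""Pre-flight check of the network parameters entered in step 9.

Added example (not Cisco's code): validates the IP, gateway and docker
bridge inputs before they go into the deployment wizard.
"""
import ipaddress

# Default docker bridge subnet quoted on the page. ipaddress normalises the
# host-style notation to its network (172.17.0.0/16) for the overlap checks.
DEFAULT_DOCKER_BRIDGE = "172.17.0.1/16"


def check_network_parameters(interfaces, docker_bridge=DEFAULT_DOCKER_BRIDGE):
    """Return a list of problem strings; an empty list means the inputs are consistent.

    interfaces: list of dicts with keys 'name', 'address' (CIDR form, e.g.
    '10.1.2.3/24') and an optional 'gateway'. docker_bridge: the CIDR that
    would go into the Docker Bridge (CIDR format) field.
    """
    problems = []
    try:
        bridge = ipaddress.ip_network(docker_bridge, strict=False)
    except ValueError as exc:
        return [f"docker bridge: invalid CIDR {docker_bridge!r} ({exc})"]

    for iface in interfaces:
        name = iface.get("name", "?")
        try:
            addr = ipaddress.ip_interface(iface["address"])
        except (KeyError, ValueError):
            problems.append(f"{name}: address must be given in CIDR form")
            continue
        net = addr.network

        # A gateway, if given, must be a valid address inside the interface
        # subnet and must not be the interface address itself.
        gw_raw = iface.get("gateway")
        if gw_raw:
            try:
                gw = ipaddress.ip_address(gw_raw)
            except ValueError:
                problems.append(f"{name}: gateway {gw_raw!r} is not an IP address")
                gw = None
            if gw is not None:
                if gw not in net:
                    problems.append(f"{name}: gateway {gw} is outside {net}")
                elif gw == addr.ip:
                    problems.append(f"{name}: gateway equals the interface address {addr.ip}")

        # An interface subnet that overlaps the docker bridge is the conflict
        # the page warns about; the fix is a custom Docker Bridge CIDR.
        if net.overlaps(bridge):
            problems.append(
                f"{name}: subnet {net} overlaps docker bridge {bridge}; "
                "set a custom Docker Bridge (CIDR format) value"
            )
    return problems


if __name__ == "__main__":
    # Constructed sample: a management interface that lands inside 172.17.0.0/16.
    sample = [{"name": "eth0", "address": "172.17.5.10/24", "gateway": "172.17.5.1"}]
    for line in check_network_parameters(sample) or ["no conflicts found"]:
        print(line)
    # Same interface with a custom bridge subnet passes.
    print(check_network_parameters(sample, docker_bridge="172.30.0.1/16"))
```

Run it with the addresses you intend to enter; an empty list means nothing in the interface plan collides with the bridge subnet, and a non-empty list tells you which field to change before generating the configuration bundle.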
10. Click Next.
11. In the next step, a VM configuration bundle is generated and made available for download. Download the VM configuration bundle. See the screenshot Download the VM Configuration Bundle.
12. Upload the VM configuration bundle to the datastore corresponding to the target ESXi host or other virtualization host.
13. [Applicable only when using a QCOW2 image] Complete the following configuration on the virtualization host to which you uploaded the VM configuration bundle:
   - For ingest appliances, configure three network interfaces.
     Figure 1: Example of Configuring Network Interfaces in KVM-Based Environments
   - In the memory allocation, specify the minimum requirement of 8192 MB of RAM.
   - Specify the total number of virtual CPUs as 8.
     Figure 2: Example of Configuring System Resources in KVM-Based Environments
14. Edit the VM settings and mount the VM configuration bundle from the datastore to the CD/DVD drive. Make sure to select the Connect at Power On check box.
15. Power on the deployed VM.
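For the QCOW2 path, steps 13 to 15 can be scripted on the KVM host. The following Python helper is an added example, not Cisco's or Red Hat's code: it assembles a virt-install command that applies the page's requirements (three network interfaces, 8 vCPUs, 8192 MB) and attaches the VM configuration bundle as a CD-ROM, refusing to build an under-provisioned VM that the setup script would otherwise reject after boot. The VM name, the image paths, the bridge names br-mgmt, br-in and br-out, and the assumption that the configuration bundle is an ISO image are all placeholders chosen for this example.

```python
"""Build and optionally run the virt-install command for steps 13 to 15.

Added example (not Cisco's code). Assumptions: the configuration bundle
from step 11 is an ISO image, the host bridges are named br-mgmt, br-in
and br-out, and virt-install is the tool used on the KVM host.
"""
import shlex
import subprocess

MIN_VCPUS = 8         # step 13: total number of virtual CPUs
MIN_MEMORY_MB = 8192  # step 13 and the note after step 16
INGEST_NICS = 3       # step 13: ingest appliances need three interfaces


def build_virt_install(name, qcow2_path, bundle_iso, bridges,
                       vcpus=MIN_VCPUS, memory_mb=MIN_MEMORY_MB):
    """Return the virt-install argv for an ingest appliance, or raise ValueError.

    The checks mirror the resource validation tet-vm-setup performs at first
    boot, so an under-provisioned VM is rejected here instead of failing
    after power-on.
    """
    if vcpus < MIN_VCPUS:
        raise ValueError(f"{vcpus} vCPUs requested, minimum is {MIN_VCPUS}")
    if memory_mb < MIN_MEMORY_MB:
        raise ValueError(f"{memory_mb} MB requested, minimum is {MIN_MEMORY_MB} MB")
    if len(bridges) != INGEST_NICS:
        raise ValueError(
            f"ingest appliances need {INGEST_NICS} network interfaces, got {len(bridges)}"
        )
    argv = [
        "virt-install",
        "--name", name,
        "--import",                   # boot the existing QCOW2 disk, no OS installer
        "--memory", str(memory_mb),   # virt-install takes MiB
        "--vcpus", str(vcpus),
        "--disk", f"path={qcow2_path},format=qcow2,bus=virtio",
        # Step 14: the configuration bundle is presented as a CD-ROM so the
        # appliance reads it at first boot.
        "--disk", f"path={bundle_iso},device=cdrom",
        "--os-variant", "generic",
        "--graphics", "none",
        "--noautoconsole",
    ]
    for br in bridges:
        argv += ["--network", f"bridge={br},model=virtio"]
    return argv


def deploy(argv, dry_run=True):
    """Print the command; run it (which creates and powers on the VM, step 15) only when dry_run is False."""
    print(shlex.join(argv))
    if not dry_run:
        subprocess.run(argv, check=True)


if __name__ == "__main__":
    cmd = build_virt_install(
        "tet-ingest-01",                                        # placeholder VM name
        "/var/lib/libvirt/images/tet-ingest.qcow2",             # placeholder image path
        "/var/lib/libvirt/images/tet-ingest-bundle.iso",        # placeholder bundle path
        ["br-mgmt", "br-in", "br-out"],                         # placeholder bridges
    )
    deploy(cmd)  # dry run: prints the command without touching the host
```

Keep the dry run until the printed command matches your host's bridge and storage names; virt-install both defines and starts the guest, so running it is the power-on of step 15.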
16. When the VM boots and configures itself, it connects back to Secure Workload. This may take a few minutes. The appliance status in Secure Workload should transition from Pending Registration to Active. See the screenshot Secure Workload Ingest Appliance in Pending Registration State.
We do not recommend enabling vMotion for Secure Workload external appliances.
We recommend using Secure Workload external appliance OVAs as-is and, for VMs deployed from QCOW2 images, reserving 8 vCPU cores and 8192 MB of memory. If sufficient resources are not available, the VM setup script fails after boot.
When the appliance is Active, connectors can be enabled and deployed on it.
Figure 3: Deploying a Secure Workload Ingest Appliance
Figure 4: Configuring the VM with Network Parameters
Figure 5: Download the VM Configuration Bundle
Figure 6: Deploy the VM
Figure 7: Secure Workload Ingest Appliance in Pending Registration State
When a virtual appliance is deployed and boots for the first time, the tet-vm-setup service runs and sets up the appliance. This service is responsible for the following tasks:
- Validate the appliance: validates that the appliance meets the mandatory resource requirements for the type of virtual appliance deployed.
- IP address assignment: assigns IP addresses to all the network interfaces provisioned on the appliance.
- Hostname assignment: assigns the hostname for the appliance (if a hostname is configured).
- DNS configuration: updates the DNS resolv.conf file (if name server and/or search-domain parameters are configured).
- Proxy server configuration: updates the HTTPS_PROXY and NO_PROXY settings on the appliance (if provided).
- Prepare appliance: copies the certificate bundle for the Kafka topic over which appliance management messages are sent and received.
- Install appliance controller: installs and brings up the Appliance Controller, which is managed by supervisord as the tet-controller service.
When tet-controller starts, it takes over management of the appliance. This service is responsible for the following functions:
- Registration: registers the appliance with Secure Workload. Until the appliance is registered, no connectors can be enabled on it. When Secure Workload receives a registration request for an appliance, it updates the state of the appliance to Active.
- Deploying a connector: deploys a connector as a Docker service on the appliance. For more information, see Enabling a Connector.
- Deleting a connector: stops and removes the Docker service and the corresponding Docker image from the appliance. For more information, see Deleting a Connector.
- Troubleshooting commands on appliances: executes an allowed set of commands on the appliance for troubleshooting and debugging issues. For more information, see Troubleshooting.
- Heartbeats: periodically sends heartbeats and statistics to Secure Workload to report the health of the appliance. For more information, see Monitoring a Virtual Appliance.
- Pruning: periodically prunes all unused or dangling Docker resources to recover storage space. This task runs every 24 hours.
- Decommissioning the appliance: decommissions the appliance and deletes all Docker instances from it. For more information, see Decommissioning a Virtual Appliance.
The list of deployed virtual appliances can be found at Manage > Virtual Appliances.