This topic describes how to install and configure Anti-Virus Mirror for VMware Tanzu. VMware recommends that you install this tile before installing Anti-Virus for VMware Tanzu.

Overview

If you do not have an external mirror for Anti-Virus jobs to fetch database updates from, you can deploy a mirror using the Anti-Virus Mirror tile.

This deployed internal mirror, which uses mutual TLS (mTLS), can support both air-gapped environments and Anti-Virus Mirror networked environments:

• Online Network: You can deploy the internal Anti-Virus Mirror as a proxy. This acts as a database for the virus definitions if the online virus database experiences downtime.
• Air-gapped Network: Because there is no access to an outside network, the internal Anti-Virus Mirror VM acts as the server for the virus definitions.

If you have already deployed an external mirror, you can use that instead of installing this tile, and continue to Installing and Configuring Anti-Virus for VMware Tanzu.

Prerequisites

To install the Anti-Virus Mirror, you must have:

• A Ops Manager operator user account with admin rights. For more information, see Platform Operators.

• Operations Manager (Ops Manager). For compatible versions, see the Product Snapshot.

• At least 1 GB of RAM free for each VM that installs Anti-Virus. This is so that you can install the Anti-Virus for VMware Tanzu tile after deploying this mirror. Anti-Virus installs itself on each tile VM and runs internally. Anti-Virus takes at least 610 MB of RAM on each VM. On Google Cloud Platform (GCP), the recommended minimum VM size is micro.cpu using 2 CPU and 2 GB RAM.

Install Anti-Virus Mirror for VMware Tanzu

To install the Anti-Virus Mirror for VMware Tanzu tile:

1. Download the product file from VMware Tanzu Network.

   For air-gapped networks, follow your company’s offline installation protocols. For more information, see Installing Ops Manager in Air-gapped Environments.

2. Navigate to the Ops Manager Installation Dashboard and select Import a Product to upload the product file.

3. Under the Import a Product button, click + next to the version number of Anti-Virus Mirror for VMware Tanzu. This adds the tile to your staging area.

4. Click the newly added Anti-Virus Mirror for VMware Tanzu tile.

Assign AZs and Networks

To assign availability zones (AZs) and networks:

1. Select Assign AZs and Networks.

2. Configure the fields as follows:

   Field	Description
   Place singleton jobs in	Select an AZ. If you install only one Anti-Virus Mirror VM, this is the AZ that it is placed in.
   Balance other jobs in	Select one or more AZs. If you install more than one Anti-Virus Mirror VM, these are the AZs that the VMs are placed in.
   Network	Select a subnet for the antivirus_mirror VM. This is typically the same subnet that includes the VMware Tanzu Application Service for VMs (TAS for VMs) component VMs.

3. Click Save.

Configure Anti-Virus Mirror

To configure Anti-Virus Mirror:

1. Select Anti-Virus Mirror Configuration.

2. Configure the fields as follows:

   Field	Instructions
   Log output destination	Select the file descriptor to forward your logs through: stdout: sends messages to /var/vcap/sys/log/antivirus-mirror/antivirus-mirror.stdout.log stderr: sends messages to /var/vcap/sys/log/antivirus-mirror/antivirus-mirror.stderr.log syslog: sends messages to /var/log/messages
   Anti-Virus Mirror Port	Enter the port for Anti-Virus Mirror to use. The default value is 6501. <p class="note"><strong>Note: </strong> Anti-Virus Mirror uses mTLS. This port must be the same port used in <strong>Anti-Virus Mirror Port</strong> of the <strong>Anti-Virus for VMware Tanzu</strong> tile. If these ports are not the same, Anti-Virus database updates and deployments fail. </p> </td>
   Mirror for Automatic Database Updates	No mirror: Select this for air-gapped environments, or to control the database versions available to your environment. Official mirror Existing mirror
   Official mirror	Select this to have the mirror fetch databases from the official virus database mirror. Number of database checks per day (min: 1, max: 50) : Enter the number of database checks that the mirror performs per day. The default value is 12.
   Existing mirror	Comma separated list of mirror hostnames or IPs: Enter a list of hostnames or IPs of mirrors. Number of database checks per day (min: 1, max: 50): Enter the number of database checks the mirror performs per day. The default value is 12.

   Note: Anti-Virus Mirror for VMware Tanzu serves virus definitions to your environment for Anti-Virus for VMware Tanzu to use, but the Anti-Virus mirror needs to get databases itself. You can configure the Anti-Virus mirror to get virus definitions using the supported options in Mirror for Automatic Database Updates above.

3. Click Save.

4. (Optional) If you selected Official mirror or Existing mirror in the previous section, you can configure a proxy for the Anti-Virus mirror to retrieve the databases from. To do this:

   1. Select HTTP Proxy Configuration.

   2. Set HTTP proxy to get database updates to Enabled.

   3. Enter the host, port, username, and password in the fields that appear.

   4. Click Save.

Configure Syslog Forwarding

Follow the steps below to enable system logging for Anti-Virus Mirror for VMware Tanzu.

1. Select Syslog.

2. Select Yes for Do you want to configure Syslog forwarding?.

3. Configure the fields as follows:

   Field	Instructions
   Address	Enter the address or host of the syslog server for sending logs, for example, logmanager.example.com.
   Port	Enter the port of the syslog server for sending logs, for example, 29279.
   Transport Protocol	Select the transport protocol used to send system logs to the server. VMware recommends using TCP.
   Enable TLS	If you select TCP, you can also select to send logs encrypted over TLS.
   Permitted Peer	Enter either the accepted fingerprint, in SHA1, or the name of the remote peer, for example, *.example.com.
   SSL Certificate	Enter the SSL or TLS Certificates for the syslog server. This ensures the logs are transported securely.
   Queue Size	Enter an integer. This value specifies the number of log entries held in the buffer. The default value is 100000.
   Forward Debug Logs	Select this box to forward debug logs to an external source. This option is deselected by default. If you select it, you might generate a large amount of log data.
   Custom rsyslog Configuration	Enter configuration details for rsyslog. This field requires RainerScript syntax.

4. Click Save Syslog Settings.

Scale the Number of Deployed Mirrors

Anti-Virus jobs do load balancing for you.

VMware recommends one Anti-Virus Mirror VM for every 250 VMs with Anti-Virus installed. To scale the number of deployed mirrors:

1. Select Resource Config.

   

2. For antivirus-mirror, set INSTANCES to the number of mirrors that you want to deploy.

3. Click Save.

Apply Changes from Your Configuration

Your Anti-Virus Mirror installation is not complete until you apply your configuration changes. To do this:

1. Return to the Ops Manager Installation Dashboard.

2. Click Review Pending Changes.

3. Unselect all products except BOSH Director and Anti-Virus Mirror and click Apply Changes.
4. After Apply Changes is complete, if you selected No Mirror, upload a set of virus definitions to your deployed antivirus-mirrors. To do this, see Updating Virus Definitions.