After you register the Carbon Black Cloud Workload appliance with the vCenter Server and the Carbon Black Cloud, you can register an NSX integration with your Carbon Black Cloud organization.

This is an onboarding workflow that sets up a trust between the Carbon Black Cloud Workload appliance and the NSX Manager appliance. After the onboarding completes, the Carbon Black Cloud Workload appliance creates one or more pre-defined Distributed Firewall (DFW) policy templates for use by the Carbon Black Cloud and instantiates them as a part of the initial authentication and configuration process. It creates the following NSX DFW policies and associated tags.
  • CB-NSX-Quarantine – With this policy the VM workload is quarantined from the network. This is a read only policy for NSX administrators. The policy allows the following network flows:
    • DHCP for IP addresses and DNS traffic for name resolution.
    • HTTPS traffic to a list of FQDNs required by sensor to remain connected to Carbon Black Cloud.
  • CB-NSX-Isolate – With this policy the VM workload is completely isolated from the network. This is a read only policy for NSX administrators.
  • CB-NSX-Custom – Customizable by the NSX security admin. Advanced users can use such a policy to create a custom security posture.

After NSX-T integration, you can use the newly created NSX policies to remediate VM workloads within the Carbon Black Cloud console or remove already applied NSX policies from certain VM workloads.

Prerequisites

  • Verify the Carbon Black Cloud Workload appliance VM is powered-on.
  • Verify the SSO registration is valid.
  • The Carbon Black Cloud Workload appliance must have a valid registration with both - vCenter Server and Carbon Black Cloud.
  • Communication between Carbon Black Cloud and Carbon Black Cloud Workload appliance is over HTTPS.
  • Communication between NSX and Carbon Black Cloud Workload appliance is over HTTPS, and uses certificate-based authentication with NSX principal identity. For information on adding a role assignment or principal identity, see VMware NSX-T Data Center Product Documentation.
  • The supported NSX-T version is 3.1.3 and later.

Procedure

  1. Log in to the Carbon Black Cloud Workload appliance at https://<appliance IP address> using the admin credentials.
  2. Go to the Appliance > Registration page.
  3. In the NSX details section, select the NSX Manager IP address from the NSX hostname drop-down menu.
    The Register button becomes active.
  4. To trigger the NSX on-boarding, click Register.
  5. Enter the NSX administrator user and password, and click Register.
    Once NSX on-boards, a green check mark confirms the successful registration. It can take up to 15 seconds for the process to complete.
  6. Verify all objects are created in the NSX Manager.
    1. Log in to the NSX Manager with admin credentials.
    2. Navigate to the Inventory > Groups page and check if the following groups exist.
      • CB-NSX-Custom-Group
      • CB-NSX-Isolate-Group
      • CB-NSX-Quarantine-Group
    3. Navigate to the Security > Distributed Firewalls > CATEGORY SPECIFIC RULES page and check if the following default policies exist.
      • CB-NSX-Custom
      • CB-NSX-Isolate
      • CB-NSX-Quarantine
    4. Navigate to the Inventory > Context Profiles > Context Profiles page and check if the CB-NSX-Quarantine-Context-Profile exists with valid FQDNs.

What to do next

You can trigger the off-boarding process for NSX by selecting and confirm the off-boarding.