Installing Guest Introspection automatically installs a new VIB and a service virtual machine on each host in the cluster. Guest Introspection is required for Activity Monitoring, and several third-party security solutions.

Note:

You cannot migrate a Service VM (SVM) using vMotion/SvMotion. SVMs must remain on the host on which they were deployed for correct operation.

Prerequisites

The installation instructions that follow assume that you have the following system:

  • A data center with supported versions of vCenter Server and ESXi installed on each host in the cluster.

  • Hosts in the cluster where you want to install Guest Introspection have been prepared for NSX. See "Prepare Host Clusters for NSX" in the NSX Installation Guide. Guest Introspection cannot be installed on standalone hosts. If you are deploying and managing Guest Introspection for anti-virus offload capability only, you do not need to prepare the hosts for NSX, and the NSX for vShield Endpoint license does not allow it.

  • NSX Manager installed and running.

  • Ensure the NSX Manager and the prepared hosts that run Guest Introspection services are linked to the same NTP server and that time is synchronized. Failure to do so might cause VMs to be unprotected by anti-virus services, although the status of the cluster will be shown as green for Guest Introspection and any third-party services.

    If an NTP server is added, VMware recommends that you then redeploy Guest Introspection and any third-party services.

If you want to assign an IP address to the Guest Introspection service virtual machine from an IP pool, create the IP pool before installing Guest Introspection. See "Working with IP Pools" in the NSX Administration Guide.

vSphere Fault Tolerance does not work with Guest Introspection.

Procedure

  1. Navigate to Networking & Security > Installation and Upgrade > Service Deployment.
  2. Click Add.
  3. In the Deploy Network and Security Services dialog box, select Guest Introspection.
  4. In Specify schedule (at the bottom of the dialog box), select Deploy now to deploy Guest Introspection immediately after it is installed or select a deployment date and time.
  5. Click Next.
  6. Select the datacenter and clusters where you want to install Guest Introspection, and click Next.
  7. On the Select storage and Management Network Page, select the datastore on which to add the service virtual machines storage or select Specified on host. It is recommended that you use shared datastores and networks instead of "specified on host" so that deployment workflows are automated.

    The selected datastore must be available on all hosts in the selected cluster.

    If you selected Specified on host, complete the following substeps for each host in the cluster.

    1. On the Home page, click Hosts and Clusters.

    2. Click a host in the Navigator, and then click Configure.

    3. In the left navigation pane, under Virtual Machines click Agent VMs, and then click Edit.

    4. Select the datastore and click OK.

  8. If you set datastore as Specified on host, you must set the network also as Specified on host.

    If you selected Specified on host, follow the substeps in Step 7 to select a network on the host. When you add a host (or multiple hosts) to the cluster, the datastore and network must be set before each host is added to the cluster.

  9. In IP assignment, select one of the following:

    Select

    To

    DHCP

    Assign an IP address to the Guest Introspection service virtual machine through Dynamic Host Configuration Protocol (DHCP). Select this option if your hosts are on different subnets.

    Use IP Pool

    Assign an IP address to the Guest Introspection service virtual machine from the selected IP pool.

  10. Click Next and then click Finish on the Ready to complete page.
  11. Monitor the deployment until the Installation Status column displays Succeeded.

    In NSX 6.4.0 and later, the name of the GI SVM in vCenter server displays the IP address of the host that it has been deployed on.

  12. If the Installation Status column displays Failed, click the icon next to Failed. All deployment errors are displayed. Click Resolve to fix the errors. Sometimes, resolving the errors displays additional errors. Take the required action and click Resolve again.