After deployment, the Endpoint Protection (EPP) service has an “unknown” status in vCenter or the Endpoint Protection VM does not receive an IP address.

Problem

After deployment, Endpoint Protection status shows as “Not Ready.” EPP is otherwise reachable with a valid IP assigned. “Trend SVM Heartbeat status” shows as red.

Cause

Deployed Endpoint Protection does not have a valid IP address.

Endpoint Protection Service Deployment shows status as “Unknown”.

Solution

  1. If Endpoint Protection is lacking an IP address or shows as Failed: Networking:
    1. Ensure that each host has been configured properly. See the NSX-T Data Center Installation Guide.
    2. Deploy vSwitch and distributed port group for EPP. EPP should be deployed on a DVPortGroup created for the network on an existing NSX vSwitch.
    3. Ensure that the physical firewall and existing network configuration are valid.
  2. If Endpoint Protection is lacking an IP address:
    1. If Endpoint Protection uses static IP addressing pools, verify that each IP address assigned to the IP pool is not already in use by another VM or machine. Remove the IP addresses in question from the pool, or manually free up the IP addresses in question.
    2. If Endpoint Protection uses DHCP or dynamic IP addressing, determine if the DHCP server is correctly configured.
    vSphere 6.x supports VIB downloads over port 443 (instead of port 80). This port is opened and closed dynamically. The intermediate devices between the ESXi hosts and vCenter Server must allow traffic using this port.
  3. If the NSX Manager reports that installing Endpoint Protection fails for each cluster, see Installing NSX Guest Introspection services (MUX VIB) on the ESXi host fails in VMware NSX for vSphere 6.x (2135278).
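
The static IP pool check in step 2.1 can be done offline against an exported VM inventory. The following is an added example, not VMware tooling: the pool range syntax, the CSV layout, the sample addresses and the function names `expand_pool` and `find_conflicts` are all assumptions made for illustration.

```python
import csv
import io
import ipaddress

# Constructed sample data (documentation address space), not from a real deployment.
POOL_RANGES = ["192.0.2.10-192.0.2.14", "192.0.2.32/30"]
INVENTORY_CSV = """name,ip
web-01,192.0.2.12
db-01,192.0.2.50
app-02,192.0.2.33
app-03,
"""

def expand_pool(ranges):
    """Return the set of addresses covered by 'start-end' or CIDR entries."""
    addrs = set()
    for entry in ranges:
        entry = entry.strip()
        if "-" in entry:
            start_s, end_s = entry.split("-", 1)
            start = ipaddress.ip_address(start_s.strip())
            end = ipaddress.ip_address(end_s.strip())
            if start.version != end.version or int(end) < int(start):
                raise ValueError(f"invalid pool range: {entry}")
            # summarize_address_range yields the networks that exactly cover start..end
            for net in ipaddress.summarize_address_range(start, end):
                addrs.update(net)
        else:
            addrs.update(ipaddress.ip_network(entry, strict=False))
    return addrs

def find_conflicts(ranges, inventory_csv):
    """Return (ip, vm_name) pairs for pool addresses already held by a VM."""
    pool = expand_pool(ranges)
    conflicts = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        raw = (row.get("ip") or "").strip()
        if not raw:
            continue  # VM reports no address; nothing to compare
        addr = ipaddress.ip_address(raw)
        if addr in pool:
            conflicts.append((str(addr), row["name"]))
    return sorted(conflicts, key=lambda c: ipaddress.ip_address(c[0]))

if __name__ == "__main__":
    for ip, owner in find_conflicts(POOL_RANGES, INVENTORY_CSV):
        print(f"{ip} is in the pool but already used by {owner}")
```

Each reported address is a candidate to remove from the pool or to free up on the listed VM, as step 2.1 describes.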

Solution

Endpoint Protection should have a valid IP address allocated to it and show as Up and Running in the Service Deployment window.