After you register a service, you must deploy an instance of the service for the service to start processing network traffic.

Deploy partner service VMs that run the partner security engine on all the NSX-T Data Center hosts in a cluster. The vSphere ESX Agency Manager (EAM) service is used to deploy the partner service VMs on each host. After you deploy the SVMs, you can create policy rules used by SVM to protect guest VMs.


  • All hosts are managed by a vCenter Server.

  • Partner services are registered with NSX-T Data Center and are ready for deployment.

  • NSX-T Data Center administrators can access partner services and vendor templates.

  • Both the service VM and the partner Service Manager (console) must be able to communicate with each other at the management network level.

  • Prepare cluster for NSX-T Data Center networking:
    • Create a transport zone.
    • Create an IP pool for tunnel endpoint IP addresses.
    • Create an uplink profile.
    • Apply transport node profile on a cluster to auto-deploy NSX-T Data Center on each host of the cluster.
  • Starting with NSX-T Data Center 3.1, on clusters that span physical servers placed in different racks, you can override the transport node profile applied on a per-host basis.
  • Starting with NSX-T Data Center 3.0, before you deploy endpoint protection service on hosts, prepare clusters by applying transport node profile.
  • With NSX-T Data Center 2.5.x or earlier, you only need to apply transport node profile on a cluster deployed using the host-based deployment method.
  • When upgrading endpoint protection service, the existing service will continue to be functional even if transport node profile is not applied to the cluster.


  1. From your browser, log in with admin privileges to an NSX Manager at https://<nsx-manager-ip-address>.
  2. Go to the System tab and click Service Deployment.
  3. From the Partner Service drop-down, select the service to be deployed.
  4. Click Deployment and click Deploy Service.
  5. Enter the service deployment name.
  6. In the Compute Manager field, select the compute resource on the vCenter Server to deploy the service.
  7. In the Cluster field, select the cluster where the services need to be deployed.
  8. In the Data Store drop-down menu, you can:
    1. Select a datastore as the repository for the service virtual machine.
    2. Select Specified on Host. This setting means that you do not need to select a datastore and port group on this wizard. You can directly configure agent settings on EAM in vCenter Server to point to a specific datastore and port group to be used for service deployment.

    To know how to configure EAM, refer to the vSphere documentation.

  9. In the Network column, click Set.
  10. Set the Management Network interface to Specified on Host or DVPG.
  11. Set the network type to DHCP or Static IP pool. If you set the network type to Static IP pool, select from the list of available IP pools.
  12. In the Deployment Specification field, select form factor of the service for deployment on all hosts.
  13. In the Deployment Template field, select the registered deployment template.
  14. Click Save.


When a new host is added to the cluster, EAM automatically deploys the service VM on the new host. The deployment process might take some time, depending on the vendor's implementation. You can view the status in the NSX Manager user interface. The service is successfully deployed on the host when the status turns Deployment Successful.

To remove host from a cluster, first move it into maintenance mode. Then, select the option to migrate the guest VMs to another host to complete migration.

What to do next

Know deployment details and heath status about service instances deployed on hosts. See View Service Instance Details.