Understand the architecture of service insertion and endpoint protection components (guest introspection) in NSX-T Data Center.

Figure 1. Endpoint Protection Architecture (architectural diagram showing guest VM and partner VM configured to run third-party endpoint protection services).

Key Concepts:
  • Partner console: It is the web application provided by the security vendor to work with the guest introspection platform.
  • NSX Manager: It is the management plane appliance for NSX that provides an API and a graphical user interface to customers and partners for configuring network and security policies. For guest introspection, the NSX Manager also provides an API and GUI to deploy and manage partner appliances.
  • Guest Introspection SDK: A VMware-provided library consumed by the security vendor.
  • Service VM: It is the VM provided by the security vendor that consumes the guest introspection SDK provided by VMware. It contains the logic to scan file or process events to detect viruses or malware on the guest. After scanning a request, it sends back a verdict or notification about the action taken by the guest VM on the request.
  • Guest Introspection host agent (Context Multiplexer): It processes configuration of endpoint protection policies. It also multiplexes and forwards messages from protected VMs to the Service VM. It reports the health status of the guest introspection platform and maintains records of the Service VM configuration in the muxconfig.xml file.
  • Ops agent (Context engine and Guest Introspection client): It forwards the guest introspection configuration to the guest introspection host agent (Context Multiplexer). It also relays the health status of the solution to NSX Manager.
  • EAM: NSX Manager uses the ESXi Agent Manager (EAM) to deploy a partner Service VM on every host in the cluster configured for protection.
  • Thin agent: It is the file or network introspection agent running inside the guest VMs. It intercepts file and network activities, which are forwarded to the Service VM through the host agent. This agent is part of VMware Tools. It replaces the traditional agent provided by antivirus or antimalware security vendors. It is a generic and lightweight agent that facilitates offloading files and processes for scanning to the Service VM provided by the vendor.