The endpoint protection workflow needs partners to register their services with NSX-T Data Center and an administrator to consume these services. There are a few concepts that aid your understanding of the workflow.

  • Service Definition: Partners define services with these attributes: name, description, supported form factors, deployment attributes that include network interfaces, and appliance OVF package location to be used by the SVM.
  • Service Insertion: NSX-T Data Center provides the service insertion framework that allows partners to integrate networking and security solutions with the NSX-T Data Center platform. Guest introspection solution is one such form of service insertion.

  • Service Profiles and Vendor Templates: Partners register vendor templates which expose protection levels for policies. For example, protection levels can be Gold, Silver, or Platinum. Service Profiles can be created from Vendor Templates, which allow the NSX-T Data Center administrators to name the Vendor Templates according to their preference. For services other than those of Guest Introspection, the Service Profiles allow further customization using attributes. The Service Profiles can then be used in the Endpoint Protection policy rules to configure protection for virtual machine groups defined in NSX-T Data Center. As an administrator, you can create groups based on VM name, tags, or identifiers. Multiple Service Profiles can optionally be created from a single Vendor Template.
  • Endpoint Protection Policy: A policy is a collection of rules. When you have multiple policies, arrange them in the order to run them. The same applies for rules defined within a policy. For example, policy A has three rules, and policy B has four rules, and they are arranged in a sequence such that policy A precedes policy B. When guest introspection begins running policies, rules from policy A are run first before rules from policy B.

  • Endpoint Protection Rule: As an NSX-T Data Center administrator, you can create rules that specify the virtual machine groups that are to be protected, and choose the protection level for those groups by specifying the Service Profile for each rule.

  • Service Instance: It refers to the service VM on a host. The service VMs are treated as special VMs by vCenter and they are started before any of the guest VMs are powered on and stopped after all the guest VMs are powered off. There is one service instance per service per host.
    Important: Number of service instances is equal to the number of hosts on which the service is running host. For example, if you have eight hosts in a cluster, and the partner service was deployed on two clusters, the total number of service instances running are 16 SVMs.
  • Service Deployment: As an admin you deploy partner Service VMs through NSX-T Data Center on a per cluster basis. Deployments are managed at a cluster level, so that when any host is added to the cluster, EAM automatically deploys the service VM on them.

    Automatically deploying the SVM is important because if distributed resource scheduler (DRS) service is configured on a vCenter Cluster, then vCenter can rebalance or distribute existing VMs to any new host that got added to the cluster after the SVM is deployed and started on the new host. Since partner Service VMs need NSX-T Data Center platform to provide security to guest VMs, the host must be prepared as a transport node.

    Important: One service deployment refers to one cluster on the vCenter Server that is managed for deploying and configuring one partner service.
  • File Introspection driver: Is installed on the guest VM, intercepts the file activity on the guest VM.
  • Network Introspection driver: Is installed on the guest VM, intercepts the network traffic, process, and user activity on the guest VM.