Installing Guest Introspection automatically installs a new VIB and a service virtual machine on each host in the cluster. Guest Introspection is required for NSX Data Security, Activity Monitoring, and several third-party security solutions.
About this task
For autodeploy setup on stateless hosts, you must manually restart VMware NSX for vSphere 6.x Service Virtual Machines (SVM) after an ESXi host reboot. For more information, see the Knowledge Base article http://kb.vmware.com/kb/2120649.
In a VMware NSX for vSphere 6.x environment, when a Service VM (SVM) is migrated (vMotion/SvMotion), you may experience these symptoms:
An interruption in the service (workload VM) for which the Service VM (SVM) is providing data
ESXi host fails with a purple diagnostic screen contains backtraces similar to:
@BlueScreen: #PF Exception 14 in world wwww:WorldName IP 0xnnnnnnnn addr 0x0 PTEs:0xnnnnnnnn;0xnnnnnnnn;0x0; 0xnnnnnnnn:[0xnnnnnnnn]VmMemPin_DecCount@vmkernel#nover+0x1b 0xnnnnnnnn:[0xnnnnnnnn]VmMemPinUnpinPages@vmkernel#nover+0x65 0xnnnnnnnn:[0xnnnnnnnn]VmMemPin_ReleaseMainMemRange@vmkernel#nover+0x6 0xnnnnnnnn:[0xnnnnnnnn]P2MCache_ReleasePages@vmkernel#nover+0x2a 0xnnnnnnnn:[0xnnnnnnnn]DVFilterVmciUnmapGuestPage@com.vmware.vmkapi#v2_2_0_0+0x34
This is a known issue affecting VMware ESXi 5.5.x and 6.x hosts. To work around the issue, do not manually migrate a Service VM (SVM) (vMotion/SvMotion) to another ESXi host in the cluster. To migrate a SVM to another datastore (svMotion), VMware recommends a cold migration by turning the SVM off, and then migrating it to another datastore.
The installation instructions that follow assume that you have the following system:
A datacenter with supported versions of vCenter Server and ESXi installed on each host in the cluster.
If the hosts in your clusters were upgraded from vCenter Server version 5.0 to 5.5, you must open ports 80 and 443 on those hosts.
Hosts in the cluster where you want to install Guest Introspection have been prepared for NSX. See Prepare Host Clusters for NSX in the NSX Installation Guide. Guest Introspection cannot be installed on standalone hosts. If you are using NSX for deploying and managing Guest Introspection for anti-virus offload capability only, you do not need to prepare the hosts for NSX, and the NSX for vShield Endpoint license does not allow it.
NSX Manager 6.2 installed and running.
Ensure the NSX Manager and the prepared hosts that will run Guest Introspection services are linked to the same NTP server and that time is synchronized. Failure to do so may cause VMs to be unprotected by anti-virus services, although the status of the cluster will be shown as green for Guest Introspection and any third-party services.
If an NTP server is added, VMware recommends that you then redeploy Guest Introspection and any third-party services.
If you want to assign an IP address to the NSX Guest Introspection service virtual machine from an IP pool, create the IP pool before installing NSX Guest Introspection. See Working with IP Pools in the NSX Administration Guide.
vSphere Fault Tolerance does not work with Guest Introspection.
- On the Installation tab, click Service Deployments.
- Click the New Service Deployment () icon.
- In the Deploy Network and Security Services dialog box, select Guest Introspection.
- In Specify schedule (at the bottom of the dialog box), select Deploy now to deploy Guest Introspection as soon as it is installed or select a deployment date and time.
- Click Next.
- Select the datacenter and cluster(s) where you want to install Guest Introspection, and click Next.
- On the Select storage and Management Network Page, select the datastore on which to add the service virtual machines storage or select Specified on host. It is recommended that you use shared datastores and networks instead of "specified on host" so that deployment workflows are automated.
The selected datastore must be available on all hosts in the selected cluster.
If you selected Specified on host, follow the steps below for each host in the cluster.
On the vSphere Web Client home page, click vCenter and then click Hosts.
Click a host in the Name column and then click the Manage tab.
Click Agent VM Settings and click Edit.
Select the datastore and click OK.
- Select the distributed virtual port group to host the management interface. If the datastore is set to Specified on host, the network must also be Specified on host.
The selected port group must be able to reach the NSX Manager’s port group and must be available on all hosts in the selected cluster.
If you selected Specified on host, follow the substeps in Step 7 to select a network on the host. When you add a host (or multiple hosts) to the cluster, the datastore and network must be set before each host is added to the cluster.
- In IP assignment, select one of the following:
Assign an IP address to the NSX Guest Introspection service virtual machine through Dynamic Host Configuration Protocol (DHCP). Select this option if your hosts are on different subnets.
An IP pool
Assign an IP address to the NSX Guest Introspection service virtual machine from the selected IP pool.
- Click Next and then click Finish on the Ready to complete page.
- Monitor the deployment until the Installation Status column displays Succeeded.
- If the Installation Status column displays Failed, click the icon next to Failed. All deployment errors are displayed. Click Resolve to fix the errors. In some cases, resolving the errors displays additional errors. Take the required action and click Resolve again.
What to do next
Install VMware Tools on guest virtual machines.