When migrated Security Policies in NSX use a partner service that provides only Endpoint Protection or both Endpoint Protection and Network Introspection, deploy an instance of the partner service after all the clusters are migrated to NSX.

Only a host-based service deployment is supported.

In a host-based service deployment, one partner service virtual machine is installed on each host of the migrated cluster. In the VMware vCenter, the vSphere ESX Agency Manager (EAM) service is internally used to deploy a partner service VM on each host of the cluster.


  • All the hosts in the cluster are migrated to NSX.
  • All the migrated hosts are managed by a VMware vCenter.
  • A transport node profile is applied to the cluster.


  1. From your browser, log in with admin privileges to an NSX Manager at https://nsx-manager-ip-address.
  2. Navigate to System > Service Deployments > Deployment.
  3. In the Partner Service drop-down menu, select the partner service to be deployed, and click Deploy Service.
  4. Enter the service deployment name.
  5. Select the VMware vCenter that is registered as a compute manager in NSX.
  6. Select the cluster where you want to deploy the partner service.
  7. To specify the datastore, do one of the following actions:
    • Select a datastore as the repository for the service virtual machines.
    • Select Specified on Host.

      The Specified on Host option means that you do not need to select a datastore and network on the Deploy Service page. Before deploying the partner service, you must configure Agent VM settings on each ESXi host to point to a specific datastore and network.

      To know more about configuring Agent VM settings, see the vSphere product documentation.

  8. Under Networks, click Set and select the NICs you want to use for deployment.
    1. Select the network for the Management interface.

      In a host-based deployment, if you set the datastore as Specified on Host, you must set the network also as Specified on Host.

    2. Set the Network type to DHCP or Static IP Pool. If you set the network type to a Static IP Pool, select from the list of available IP pools.
  9. In the Deployment Template drop-down menu, select the registered deployment template and click Save.
    The deployment process might take some time depending on the vendor's implementation.
  10. Check the deployment status on the Deployment page. Wait until the status changes to Up.

    You might have to refresh the Deployment page a few times to retrieve the latest status.

    If the Status column shows Down, click the icon next to Down. All deployment errors are displayed. Take the required actions to fix the errors, and click Resolve. The status changes to In Progress. Wait until the status changes to Up.


A partner service VM is now deployed on all the hosts of the cluster.
Note: When you add a new host in the cluster, EAM automatically deploys the partner service VM on the new host.

What to do next

Go to the Partner Console and verify whether the endpoint protection service is activated. Now, the migrated endpoint protection rules are enforced on the workload VMs that are running on the NSX prepared cluster.

For more information about activating the endpoint protection service in the Partner Console, see the partner documentation.