
Yellow Bricks

by Duncan Epping

Excluding your vCenter Server from vShield App protection!

Duncan Epping · Mar 17, 2012 ·

A while back I posted a hack to exclude your vCenter Server from vShield App protection. The reason you want this is simple: if vCenter itself sits behind the vShield App firewall and that firewall blocks its traffic, you lose the very management interface you need to fix the problem. I discussed this hack with the vShield team and asked them if it would be possible to add similar functionality to vShield. I was pleasantly surprised when I noticed that they managed to slip it into the vShield App 5.0.1 release. What a quick turnaround! How to do this is described on page 51 of the admin guide. I tested it myself and here are the steps I took:

  1. Log in to the vShield Manager.
  2. Click Settings & Reports from the vShield Manager inventory panel.
  3. Click the vShield App tab.
  4. On the Exclusion List, click Add.
    The Add Virtual Machines to Exclude dialog box opens.
  5. Click in the field next to Select and click the virtual machine you want to exclude.
  6. Click Select.
    The selected virtual machine is added to the list.
  7. Click OK.

In my case I excluded both my WSX server and my vCenter Server instance. Keep in mind that an excluded virtual machine is no longer filtered by vShield App at all, so only exclude the management components you cannot afford to lose connectivity to, and make sure those are protected by other means.

Comments

  1. Duco Jaspars says

    19 March, 2012 at 11:19

    Nice, might start using it in my “lab without separate management cluster” again without shooting myself in the foot every now and then …

    How do they accomplish this under the hood?
    Do they just add the extra lines you found to the vmx of the excluded servers?

  2. fpesante says

    23 March, 2012 at 06:11

    This is really good, we are in the process of implementing vShield in our environment and saw this as a huge limitation. I am looking forward to testing this out.

    Thanks

  3. abhishek says

    29 March, 2012 at 18:35

    Hi Duncan,

    Have you tested vShield App on Nexus? I am having such a hard time implementing this product (App) on Nexus. The install is inconsistent, the uninstall has broken my hosts twice, since it leaves a trace and the host management connectivity breaks. With the service VM on Nexus it blocks everything right out of the gate and no matter what I do, until I move the service VMs to a VSS or VMware VDS it doesn't work. It's leading me to believe that this product has issues with Nexus 1000v, and that's particularly our direction in the networking space in our VMware environment.

    thanks!

  4. Nixon says

    10 April, 2012 at 21:28

    Hi Duncan,

    Were you able to test this in real production environment?

    Thanks.

  5. Nixon says

    10 April, 2012 at 21:31

    Hi Abhishek,

    I have the same setup and everything is working great. Can you please describe your design in more detail, thanks.

    Thanks.

  6. Duncan Epping says

    10 April, 2012 at 21:34

    No, I don’t have a production environment… I work for VMware and have a large test environment but that is it.

  7. joyce says

    18 April, 2012 at 17:57

    Hi Duncan,
    We implemented vShield Zones and the vShield agent on the ESXi host lost heartbeat with an event id 9999. Unfortunately my vCenter Server was on this host and hence we lost connection. I could log in to the ESXi host itself, so we decided to turn off the vShield agent for the host and turn it back on, which resolved the issue; still trying to figure out why and what happened. Meanwhile I have been looking for an option to exclude vCenter Server from vShield. The http://www.vmware.com/pdf/vshield_410U1_admin.pdf document has a small caution on page 13, but no option to exclude one VM. I can't have a single host unprotected. Any thoughts?

    Regards,

    Joyce

  8. Duncan Epping says

    18 April, 2012 at 18:24

    Upgrade to a later version? Or use the hack I mention above… only way of solving it, but note the hack is of course not supported!

  9. Joyce says

    19 April, 2012 at 10:29

    Hi Duncan,
    We are using vShield Zones 5. I think I am going to try the workaround in your blog, or maybe we will be going back to a physical machine for vCenter Server. Will post the results soon.

    Thank you

    Joyce

  10. Michael says

    24 April, 2012 at 17:40

    Hi Duncan, does this mean it's now possible to have vShield running on the same cluster as work VMs along with vCenter and its DB instead of a separate management cluster, or are there additional steps needed to make sure vCenter doesn't lose comms during vShield config?

  11. Duncan says

    24 April, 2012 at 19:06

    Yes, that is what the article explains.

  12. joyce says

    24 October, 2012 at 11:43

    HI Duncan,
    Just an update for my post about excluding vCenter Server from vShield Zones. Our workaround, which is working quite well, was to create a port group on the standard switch and put vCenter Server on this port group. This way vCenter Server is not protected by vShield 🙁 but in case of a failure in vShield it is still up and running. This workaround seems to be good for now until we upgrade to a later version.

    Regards,

    Joyce

  13. Judd says

    12 September, 2014 at 22:25

    Duncan,

    If you exclude your vCenter VM and have the default policy to block when vShield Manager is not running, and vShield Manager is not running, will it still block the vCenter VM?

    Judd

About the author

Duncan Epping is a Chief Technologist in the Office of CTO of the Cloud Platform BU at VMware. He is a VCDX (# 007), the author of the "vSAN Deep Dive", the “vSphere Clustering Technical Deep Dive” series, and the host of the "Unexplored Territory" podcast.
