A while back I posted a hack to exclude your vCenter Server from vShield App protection. I discussed this hack with the vShield team and asked them if it would be possible to add similar functionality to vShield. I was pleasantly surprised when I noticed that they managed to slip it into the vShield App 5.0.1 release. What a quick turnaround! How to do this is described on page 51 of the admin guide. I tested it myself and here are the steps I took:
- Log in to the vShield Manager.
- Click Settings & Reports from the vShield Manager inventory panel.
- Click the vShield App tab.
- On the Exclusion List, click Add. The Add Virtual Machines to Exclude dialog box opens.
- Click in the field next to Select and click the virtual machine you want to exclude.
- Click Select. The selected virtual machine is added to the list.
- Click OK.
In my case I excluded both my WSX server and my vCenter Server instance:
Duco Jaspars says
Nice, might start using it in my “lab without separate management cluster” again without shooting myself in the foot every now and then…
How do they accomplish this under the hood?
Do they just add the extra lines you found to the vmx of the excluded servers?
fpesante says
This is really good; we are in the process of implementing vShield in our environment and saw this as a huge limitation. I am looking forward to testing this out.
Thanks
abhishek says
Hi Duncan,
Have you tested vShield App on Nexus? I am having such a hard time implementing this product (App) on Nexus. The install is inconsistent, the uninstall has broken my hosts twice, since it leaves a trace and the host mgmt connectivity breaks. With the service VM on Nexus it blocks everything right out of the gate and no matter what I do, until I move the service VMs to a VSS or VMware VDS it doesn’t work… It’s leading me to believe that this product has issues with Nexus 1000v, and that’s particularly our direction in the networking space in our VMware env.
thanks!
Nixon says
Hi Duncan,
Were you able to test this in real production environment?
Thanks.
Nixon says
Hi Abhishek,
I have the same setup and everything is working great. Can you please describe your design in more detail? Thanks.
Thanks.
Duncan Epping says
No, I don’t have a production environment… I work for VMware and have a large test environment but that is it.
joyce says
Hi Duncan,
We implemented vShield Zones and the vShield agent on the ESXi host lost heartbeat with an event id 9999. Unfortunately my vCenter Server was on this host and hence we lost connection. I could log in to the ESXi host itself, so we decided to turn off the vShield agent for the host and turn it back on, which resolved the issue; still trying to figure out why and what happened. Meanwhile I have been looking for an option to exclude vCenter Server from vShield. The http://www.vmware.com/pdf/vshield_410U1_admin.pdf document has a small caution on page 13, but no option to exclude one VM. I can’t have a single host unprotected. Any thoughts?
Regards,
Joyce
Duncan Epping says
Upgrade to a later version? Or use the hack I mention above… it’s the only way of solving it, but note the hack is of course not supported!
Joyce says
Hi Duncan,
We are using vShield Zones 5. I think I am going to try the workaround in your blog, or maybe we will be going back to a physical machine for vCenter Server. Will post the results soon.
Thank you
Joyce
Michael says
Hi Duncan, does this mean it’s now possible to have vShield running on the same cluster as workload VMs along with vCenter and its DB instead of a separate management cluster, or are there additional steps needed to make sure vCenter doesn’t lose comms during vShield config?
Duncan says
Yes, that is what the article explains.
joyce says
Hi Duncan,
Just an update for my post – Excluding vCenter Server from vShield Zones. Our workaround, which is working quite well, was to create a port group on the standard switch and put vCenter Server on this port group. This way vCenter Server is not protected by vShield 🙁 but in case of a failure in vShield it is still up and running. This workaround seems to be good for now until we upgrade to a later version.
Regards,
Joyce
Judd says
Duncan,
If you exclude your vCenter VM and have the default policy set to block when vShield Manager is not running, and vShield Manager is not running, will it still block the vCenter VM?
Judd