Installing AppDefense for vSphere Platinum – Step by Step

VMware AppDefense takes a new approach to application security. What if, instead of “chasing bad” we started by “ensuring good”?

Here are some resources I recommend you review to learn more about AppDefense, and the benefits.

I thought it would be useful to walk you through step by step installing & validating the AppDefense architecture.  Stay tuned for a follow up post, where I plan to detail how to create application scopes and protect your applications!  I’m installing AppDefense for vSphere Platinum. Take a look at this official VMware Blog for an overview.  Introducing vSphere Platinum and vSphere 6.7 Update 1!

I’m assuming your environment meets the requirements , you have vSphere Platinum licensing and have already activated your AppDefense account

I’ve detailed the process in 4 main steps,

  • Installing AppDefense Plugin & Virtual Appliance
  • Installing Host Module
  • Installing Guest Module
  • Validating Install

guid-1cce098d-4fd3-4fa1-80f3-32dea4af1174-high

Installing AppDefense Plugin & Virtual Appliance

  1. Download VMware AppDefense Plugin & Appliance for Platinum Edition from the VMware downloads page 
  2. Deploy the OVA. I have a management cluster in my lab, so I deployed there.(I’m assuming at this point you know how to deploy an OVA, choose location, set IP yada yada yada, so I’m skipping those steps)
  3. I have very limited resources in my lab,  so once the deployment was complete, I edited the VM’s resources and decreased vCPU & RAM from the OOTB setting.  Don’t do this for production implementations!  Power on the VM
  4. Once the VM is powered up,  we need to login and register our vCenter server
  5. Connect to the AppDefense appliance via a browser(https://fqdfn) and login with the admin password specified during deployment.1
  6. Before registering vCenter, let’s setup NTP.  As 90% of problems are either DNS or NTP related 😉
  7. Under Configuration, click General.  Then click Edit(top right) and enter relevant details for your environment, make sure to click Save2
  8. Now click on Registration and enter SSO details.  In my environment PSC is embedded with vCenter so I enter the FQDN of my vCenter and click Register.  *NOTE If you are running an external PSC, considered utilizing the vCenter Server Converge Tool soon as support for external PSC is being deprecated.

    3

  9. Validate the thumbprint, enter vCenter credentials and click Register 

    4

  10. vCenter Server details show now be populated, click Register in this section5.png
  11. Next, we need to Enable AppDefense Service (SaaS Connectivity Mode).  Launch a new browser window and login to https://appdefense.vmware.com, make sure to select the appropriate region. The App Defense manager is what provides process reputation services, machine learning capabilities, and other additional visibility features for your environment

    6.png

  12. Click the settings icon next to your e-mail address(bottom left of the UI) and select Appliances 

    8.png

  13. Click Provision New Appliance,  give it a name, click Provision again

    9

    10

  14. When the New Appliance Created window pops up,  copy the contents to clipboard.  We will need those shortly.11.png
  15. Switch back to your on prem AppDefense appliance. If your session has timed out,  login then select Registration under Configuration
  16. Within the AppDefense Manager section, click Edit. Toggle the SaaS Service setting then past in information from step 14 and click Save
    1. For AppDefense Manager URL paste the value after mgr.endpoint.baseurl=
    2. For Manager UUID paste the value after goldilocks.appliance.uuid=
    3. For Manager API key paste the value after goldilocks.appliance.api-key=12.png
  17. Click Yes when asked Do you really want to change AppDefense cloud settings?
  18. Validate you see a green check mark next to AppDefense Manager URL

    14

 

Installing Host Module

  1. If you still have a vSphere Client browser session open, logout and log back in. If not start a new session and login. You should see a message at the top of the screen,  click Refresh Browser15.png
  2. To validate the plugin has been successfully installed, click Menu and you should see then AppDefense Icon, click it17.png
  3. Validate OnlineTrust Analysis & AppDefense both show as connected18.png
  4. Ok, now let’s Install the AppDefense host module. In my lab,  I’m installing on the hosts in my compute cluster. Within the Hosts & Clusters view, select Configure, scroll down to AppDefense, Security then click Install AppDefense

    19.png

  5. Review the popup window, assuming you meet the requirements click OK 

    20.png

  6. Within a few minutes you should see the screen change to Cluster up to date 

    21.png

Installing Guest Module

Before installing the guest module, ensure the VM meets the system requirements. e.g.  VM Hardware & Tools version

  1. Within the vSphere client, select the VM where AppDefense is to be installed
  2. Click Configure, scroll down to AppDefense, Security. Select Install AppDefense22
  3. Review information screen.  NOTE – understand that if the VM has  virtual hardware version less than 13, this will automatically be upgraded for compatibility with AppDefense.  The AppDefense install will will REBOOT the VM. You expand the Advanced section and uncheck the box to enable AppDefense on next reboot if desired. Check the privacy notice and click OK 

    23

  4. Within a few minutes you should see that AppDefense is installed and up to date

    24

  5. NOTE – If you run into issues with the automatic guest module install, you can try and install manually.  The Windows guest module is available from the VMware download site

 

Validating Install

  1. Within the vSphere Client, click Menu and click the AppDefense Icon

    17.png

  2. I can see that as expected, 2 hosts & 1 VM have the AppDefense module installed.  AppDefense is already vetting the processes running on the VM.  11 have been vetted and classed as Low Risk
    26
  3. Click on the link to Go to AppDefense Manager, in order to login to the AppDefense Service
  4. Click the settings icon next to your e-mail address(bottom left of the UI) and select Appliances 

    8.png

  5. Ensure you have a recent heartbeat, status of active and can connect to vCenter27
  6. You can also click the settings icon next to your e-mail address(bottom left of the UI) and select Inventory 

    28

  7. Within Inventory check Hosts and also VM’s to ensure it is being populated correctly.

Congratulations, you have successfully installed and validated the AppDefense Architecture! Stay tuned for a follow up post, where I plan to detail how to start discovering and protecting your applications!

 

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s