Install VMware NSX components:

1. Go to Networking & Security → Installation and Upgrade → Host Preparation.
2. Choose the cluster with the hypervisors on which you want to deploy SVMs with the Network Threat Detection component.
3. Click Actions → Install.

4. In the window that opens, click Yes.

The preparation status of the hypervisors will appear.

5. Wait until the hypervisors have been prepared. 

In the NSX Installation column, you will find information about the version of the NSX components installed.

To run Kaspersky Security or Virtualization 5.x Agentless in an infrastructure managed by VMware vCenter and VMware NSX Manager, deploy the Guest Introspection service on each cluster of VMware hypervisors where SVMs with the File Anti-Virus component will be deployed. As a result, Guest Introspection service virtual machines are deployed on each hypervisor in a cluster.

To deploy Guest Introspection:

1. Go to Networking & Security → Installation and Upgrade → Service Deployments.
2. Click Add to launch the deployment wizard for network services and virtual machine protection services.
3. Select Guest Introspection and click Next.

4. Select one or several VMware clusters on which you wish to install SVMs with the File Anti-Virus component. Click Next.

5. If necessary, you can change the default network settings and select the storage for Guest Introspection service virtual machines, which will be installed on the selected VMware clusters. 

1. Select the network to be used by the Guest Introspection service virtual machines and the storage for deploying these VMs.
2. If you want to configure the parameters for assigning IP addresses for service virtual machines, click the corresponding icon in the IP Assignment column. 
   
3. Select Use IP Pool and click Add.
   

   

4. Configure the pool of static addresses and click Add.
   

   

5. Select the pool you have added and click OK.
   

   

The name of the selected pool will appear in the IP Assignment column.

6. Make sure all the parameters are correct. Click Finish.

The wizard window will close and the current status of the Guest Introspection service deployment process will appear in the Installation Status column in the VMware vSphere Web Client console.

7. Wait until the Guest Introspection service has been deployed.

8. In the VMware vSphere Web Client console, go to Hosts and Clusters. 
9. Make sure Guest Introspection service virtual machines have been deployed successfully on each hypervisor in the cluster you selected.

The Guest Introspection service has been deployed. 

To use the Network Threat Detection component, an active license for NSX for vSphere Advanced or NSX for vSphere Enterprise is required.

If you use a standard license for NSX for vSphere, which is installed upon connecting VMware NSX to the VMware vCenter server, the Network Service Insertion (Third Party Integration) feature, which is required for enabling network threat protection on VMware ESXi hypervisors, is unavailable.

To view information about the licenses in use:

1. Open the main menu and select Administration.

2. Go to Licenses → Assets.

If the licenses for NSX for vSphere Advanced or NSX for vSphere Enterprise are missing from the list, install the license using the corresponding wizard.

1. Publish the installers to the web server

Kaspersky Security for Virtualization 5.x Agentless installers must be distributed on file servers via HTTP or HTTPS. You can use the built-in Windows web server IIS. 

2. Install Kaspersky Security Center components

The Kaspersky Security Center components include the management plugin, the Integration Server console and the Integration Server required for interaction with vCenter and NSX. To install the components:

1. Run the file SecurityCenterComponents_setup_x.x.x.x_mlg.exe.
2. Select the language and click Next
3. Read the End User License Agreement carefully and accept it if you agree to all its terms. Click Next.
4. View the Integration Server parameters. Make sure port 7271 is open and connection to it is allowed. Click Next.
5. Click Finish. 

The components have been installed. 

3. Register the services of Kaspersky Security for Virtualization 5.x Agentless

For detailed instructions, see this article. 

Kaspersky Security for Virtualization 5.x Agentless services are registered in VMware NSX Manager by the Integration Server. The Integration Server is registered in VMware NSX Manager as Kaspersky Service Manager. 

You can view the list of registered services and Service Managers in the VMware vSphere Web Client console:

1. Go to Networking & Security → Service Definitions → Services. 

The table shows:

• Name – the name of the file system protection service (Kaspersky File Antimalware Protection or Kaspersky Network Protection).
• Version – the version of the SVM image, the path to which you have specified in the Integration server management console.
• Service Manager – Kaspersky Service Manager name (Integration server, registered in VMware NSX Manager).

2. Go to Service Managers. 

The table shows:

• Name – Kaspersky Service Manager name (Integration server, registered in VMware NSX Manager)
• Vendor ID – Kaspersky Lab ID.
• Vendor Name – Kaspersky Lab name.

Add all the virtual machines you want to protect with Kaspersky Security for Virtualization 5.x Agentless to the NSX Security Group. First, create the NSX Security Group and configure the rules for adding virtual machines to the group.

Virtual machines can be added to the NSX Security Group in the following ways:

• They can be added dynamically to the NSX Security Group. The group includes all the virtual machines that meet the specified criteria.
• Specified VMware management objects can be added to the NSX Security Group. You can select the objects to be added to the group, e.g. the Datacenter object, the VMware cluster, a resource pool, оr specific virtual machines. By default, all child objects of the specified VMware management object are added to the group. You can also specify the VMware management objects which should not be added to the NSX Security Group.

You can combine these options when configuring the rules for adding virtual machines to the NSX Security Group. For example, you can select that virtual machines be added to the group dynamically according to specified parameters, and also specify VMware management objects to be excluded from the group.

To configure a NSX Security Group:

1. Go to Service Composer → Security Groups.
2. Click Add.

3. Enter a name for the new NSX Security Group, e.g. “Kaspersky Security Group” or “Protected by Kaspersky”. 
4. Click Next.

5. If you want virtual machines to be added to the group dynamically, proceed to the Define dynamic membership step of the wizard.
   1. Click Add.
   2. Adjust the criteria for adding virtual machines to the group. For example, to add all virtual machines running Windows to the group, you can use the criteria Computer OS Name – Contains – Windows.
   3. Click Next

6. If you want to specify the VMware management objects to be added to the NSX Security Group, proceed to the Select objects to include step. 
   1. Select the object type in the Object Type field.
   2. Move all the VMware management objects you want to include in the group to the Selected Objects list. 
   3. Click Next.

7. If you want to specify VMware management objects to be excluded from the NSX Security Group, proceed to the Select objects to exclude step. 
   1. Select the object type in the Object Type field.
   2. Move all the VMware management objects you wish to exclude to the Selected Objects list. 
   3. Click Next.

8. To check the specified parameters, proceed to the Ready to complete step.
9. Click Finish. 

10. Go to Hosts and Clusters and make sure that the virtual machines you want to protect are included in the group. For each virtual machine that meets the group’s requirements, the name of the NSX Security Group is specified in the Security Group Membership section of the Summary tab.

The NSX Security Groups have been configured. 

To protect the virtual machines in the NSX Security Group, configure the NSX Security Policy and apply it to the NSX Security Group.

1. Go to Networking & Security → Service Composer → Security Policies.
2. Click Add. 

3. Enter a policy name and click Next.

4. If you want to use File Anti-Virus, click Add.

5. Type the name into the Name field and in the Service Name drop-down list select the Kaspersky File Antimalware Protection service. Click OK. 

Information about the Kaspersky File Antimalware Protection service will appear in the wizard window.

6. If you want to use Network Threat Detection, proceed to the Network Introspection Services step. 
7. To check the outbound traffic of virtual machines:
   1. Click Add. 
      

      

   2. Type the name into the Name field and select the Kaspersky Network Protection service from the Service Name drop-down list.
   3. Enable the Redirect to service option.
   4. Select Policy’s Security Groups in the Source block and Any in the Destination block. 
      

      

   5. Click OK.
8. To check the incoming traffic of virtual machines:
   1. Click Add.
   2. Type the name into the Name field and select the Kaspersky Network Protection service from the Service Name drop-down list.
   3. Enable the Redirect to service option.
   4. Select Any in the Source block and Policy’s Security Groups in the Destination block.
      

      

   5. Click OK.

Information about the Kaspersky Network Protection service will appear in the wizard window.

9. Exit the wizard.
10. In the Security Policies tab, select the policy you have created and click Apply.

11. Select the NSX Security Group with the secure virtual machines and click Apply.

In the Security Policies tab, the Successful status will appear for the created policy in the Status column. 

The NSX Security Policy is now applied to the NSX Security Group.

SVMs with the File Anti-Virus component are deployed on VMware ESXi hypervisors when deploying the Kaspersky File Antimalware Protection service on the VMware vCenter clusters. Deployment is performed via the VMware vSphere Web Client:

1. Go to Networking & Security → Installation → Service Deployment.
2. Click Add. 

3. Select the Kaspersky File Antimalware Protection service and click Next.

4. Select one or several VMware clusters on which you want to install File Anti-Virus. Click Next

5. If necessary, you can change the default network parameters and select the storage for all the SVMs that will be deployed on the hypervisors in the selected cluster.

1. Select the network to be used by SVMs and the storage for deploying the SVM with the File Anti-Virus component.
2. If you want to configure the parameters for assigning IP addresses for service virtual machines, click the corresponding icon in the IP assignment column.  
   
3. Select Use IP Pool and click Add. 
   

   

4. Configure the pool of static addresses and click Add.
   

   

5. Click the pool you have added and click OK. 
   

   

The name of the selected pool will appear in the IP Assignment column.  

6. Make sure all the parameters are correct. Click Finish.

The wizard window will close and the current status of the Kaspersky File Antimalware Protection service deployment process will be shown in the Installation Status column in the VMware vSphere Web Client console.

7. Wait until Kaspersky File Antimalware Protection is successfully deployed.

8. In the VMware vSphere Web Client console, go to Hosts and Clusters. 
9. Make sure the SVMs have been deployed successfully on each hypervisor in the cluster you selected.

The SVM with the File Anti-Virus component has been deployed. 

The SVMs with the Network Threat Detection component are deployed on VMware ESXi hypervisors when deploying the Kaspersky Network Protection service on VMware clusters. Deployment is performed in the VMware vSphere Web Client console:

To deploy an SVM with the Network Threat Detection component:

1. Go to Networking & Security → Installation → Service Deployment.
2. Click Add. 
3. Select the Kaspersky Network Protection service and click Next.

4. Select one or several VMware clusters on which you would like to install Network Threat Detection. Click Next

5. If necessary, you can change the default network parameters and select the storage for all the SVMs that will be deployed on the hypervisors in the selected cluster.

1. Select the network to be used by the SVMs and the storage for deploying the SVM with the Network Threat Detection component. 
2. If you want to configure the parameters for assigning IP addresses for service virtual machines, click the corresponding icon in the IP Assignment column.   
3. Select Use IP Pool and click Add.  
   

   

4. Configure the pool of static addresses and click Add. 
   

   

5. Select the pool you have added and click OK.
   

   

The name of the selected pool will appear in the IP Assignment column.

6. Make sure all the parameters are correct. Click Finish.

The wizard window will close and the current status of the Kaspersky Network Protection deployment process will be shown in the Installation Status column in the VMware vSphere Web Client console.

7. Wait until Kaspersky Network Protection is successfully deployed.

8. In the VMware vSphere Web Client console, go to Hosts and Clusters. 
9. Make sure the SVMs have been deployed successfully on each hypervisor in the cluster you selected.

 The SVM with the Network Threat Detection component is deployed.