Install VMware NSX components:

1. Go to Networking & Security → Installation and Upgrade → Host Preparation.
2. Choose the cluster with the hypervisors on which SVMs with the Network Threat Protection component will be deployed.
3. Click Actions → Install.

4. Click Yes.

Hypervisor preparation status will appear.

5. Wait until the hypervisors are prepared. 

The information about installed NSX components can be found in the Hosts section.

In the infrastructure managed by VMware vCenter server and VMware NSX Manager, deploy the Guest Introspection service for each VMware hypervisor cluster that will later deploy SVMs with the Network Threat Protection components:

1. Go to Networking & Security → Installation and Upgrade → Service Deployments.
2. Click Add to start the Deployment Wizard for network services and protection services for virtual machines.
3. Select the Guest Introspection service and click Next.

4. Select one or several VMware clusters to install SVMs with File Threat Protection components. Click Next.

5. If necessary, you can change the default network settings and select the storage for Guest Introspection service virtual machines, which will be installed on the selected VMware clusters.

1. Select the network to be used by the Guest Introspection service virtual machines and the storage for deploying these VMs.
2. If you want to configure the parameters for assigning IP addresses for service virtual machines, click the corresponding icon in the IP Assignment column.

3. Select Use IP Pool and then click Add.

   

4. Configure the static IP address pool and click Add.

   

5. Select the added static IP address pool and click OK.

   

6. The name of the selected pool will appear in the IP Assignment column.

   

6. Make sure that all parameters are configured correctly. Click Finish.

The wizard window will close and the current status of the Guest Introspection service deployment process will appear in the Installation Status column in the VMware vSphere Web Client console.

7. Wait until the Guest Introspection service has been deployed.

8. In the VMware vSphere Web Client console, go to Hosts and Clusters. 
9. Make sure Guest Introspection service virtual machines have been deployed successfully on each hypervisor in the cluster you selected.

The Guest Introspection service will be deployed on each hypervisor included in the cluster.

To use the Network Threat Detection component, an active license for NSX for vSphere Advanced or NSX for vSphere Enterprise is required.

If you use a standard license for NSX for vSphere, which is installed upon connecting VMware NSX to the VMware vCenter server, the Network Service Insertion (Third Party Integration) feature, which is required for enabling network threat protection on VMware ESXi hypervisors, is unavailable.

To view the information about the licenses in use:

1. Open the main menu and select Administration.

2. Go to Licenses → Assets.

If the licenses for NSX for vSphere Advanced or NSX for vSphere Enterprise are missing from the list, install the license using the corresponding wizard.

To register the services on NSX:

1. Publish the installation packages of Kaspersky Security for Virtualization 6.x Agentless on a file server with network access via HTTP or HTTPS. You can use the IIS web server integrated in Windows.
2. Install Kaspersky Security Center components: management plugin, the Integration Server console and the Integration Server required for interaction with vCenter and NSX. To install the components:
   1. Run the "ksv-components_x.x.x.x_mlg.exe" file.
   2. Select language and click Next.
   3. Carefully read through the End User License Agreement. If you agree to all the terms, click Next.
   4. View the Integration Server parameters. Make sure port 7271 is open and can be accessed. Click Next.
   5. Click Finish. 
3. Register the services of Kaspersky Security for Virtualization 6.x Agentless. For instructions, see Online Help.

The NSX services will be registered.

Kaspersky Security for Virtualization 6.x Agentless services are registered in VMware NSX Manager by the Integration Server. The Integration Server is registered in VMware NSX Manager as Kaspersky Service Manager.

To view the list of registered services, go to Networking & Security → Service Definitions → Services. 

The table will contain:

• Name – the name of the file system protection service (Kaspersky File Antimalware Protection) or network protection service (Kaspersky Network Protection)
• Version – the version of the SVM image, the path to which you have specified in the Integration server's console
• Service Manager – Kaspersky Service Manager name (Integration server, registered in VMware NSX Manager)

To view the list of Service Managers, go to Networking & Security → Service Definitions → Service Managers.

The table will contain:

• Name – Kaspersky Service Manager name (Integration server, registered in VMware NSX Manager)
• Vendor ID – Kaspersky Lab ID
• Vendor Name – Kaspersky Lab name

Add all the virtual machines you want to protect with Kaspersky Security for Virtualization 6.x Agentless to the NSX security group. To do so, create an NSX security group and configure the rules for adding virtual machines to the group:

• Dynamically. The group will include all the virtual machines that meet the specified criteria.
• By selecting VMware management objects. You can select the objects to be added to the group, e.g. the Datacenter object, the VMware cluster, a resource pool, оr specific virtual machines. By default, all child objects of the specified VMware management object are added to the group. You can also specify the VMware management objects which should not be added to the NSX security group.

You can combine these options when configuring the rules of adding SVMs to the NSX security group. For example, you can select adding the VMs to the group according to specified parameters dynamically and also specify the VMware management objects to be excluded from the group.

To configure NSX Security Group:

1. Go to Service Composer → Security Groups.
2. Click Add.

3. Enter a name for the new NSX security group, e.g. "Kaspersky Security Group" or "Protected by Kaspersky".  
4. Click Next.

5. If you want to set up adding VMs to the group dynamically, proceed to the Define dynamic membership step and do the following:
   1. Click Add.
   2. Adjust the criteria for adding the VMs to the group. For example, to add all virtual machines running under Windows, you can use the criteria Computer OS Name, Contains, Windows.
   3. Click Next.

6. If you want to specify the VMware management objects to be added to the NSX security group, proceed to the Select objects to include step and do the following:
   1. Select the object type in the Object Type field.
   2. Move all the VMware management objects you want to include in the group to the Selected Objects list. 
   3. Click Next.

7. If you want to specify the VMware management objects to be excluded from the NSX Security Group, proceed to the Select objects to exclude step and do the following:
   1. Select the object type in the Object Type field.
   2. Move all the VMware management objects you want to exclude from the group to the Selected Objects list. 
   3. Click Next.

8. To check the specified parameters, proceed to the Ready to complete step.
9. Make sure that all parameters are configured correctly. Click Finish. 

10. Go to Hosts and Clusters and make sure that the virtual machines you want to protect are included in the group.
11. Make sure that the NSX security group name is displayed for each virtual machine meeting the inclusion criteria in the Summary tab of the Security Group Membership section.

The NSX security groups will be configured.

To protect the virtual machines in the NSX security group, configure the NSX security policy and apply it to the NSX security group:

1. Go to Networking & Security → Service Composer → Security Policies.
2. Click Add.

3. Enter the policy name and click Next.

4. If you want to use the File Threat Protection component, click Add.

5. Type the name into the Name field and select the Kaspersky File Antimalware Protection service in the Service Name drop-down list. Click OK. 

Information about the Kaspersky File Antimalware Protection service will appear in the wizard window. 

6. If you want to use the Network Threat Protection component, proceed to the Network Introspection Services tab. 
7. To monitor the outbound traffic of the virtual machines:

   1. Click Add.

      

   2. Type the name into the Name field and select the Kaspersky Network Protection service in the Service Name drop-down list.
   3. Enable the Redirect to service option.

   4. Select Policy's Security Groups in the Source section and Any in the Destination section.

      

   5. Click OK.
8. To monitor the incoming traffic of the virtual machines:
   1. Click Add.
   2. Type the name into the Name field and select the Kaspersky Network Protection service in the Service Name drop-down list.
   3. Enable the Redirect to service option.

   4. Select Any in the Source section and Policy's Security Groups in the Destination section.

      

   5. Click OK.

Information about the Kaspersky Network Protection service will appear in the wizard window.

9. Exit the NSX security policy configuration wizard.
10. Go to the Security Policies tab and select the created policy. Click Apply.

11. Select the NSX security group with the protected virtual machines and click Apply.

On the Security Policies tab, the Successful status will appear for the created policy in the Status section.

The NSX security policy will be applied to the NSX security group.

SVMs with the File Threat Protection component are deployed on VMware ESXi hypervisors when deploying the Kaspersky File Antimalware Protection service on the VMware vCenter clusters.

To deploy the services:

1. Go to Networking & Security → Installation and Upgrade → Service Deployment.
2. Click Add. 

3. Select the Kaspersky File Antimalware Protection service and click Next.

4. Select one or several VMware clusters to install the File Threat Protection component. Click Next.

5. If necessary, you can change the default network parameters and select the storage for all the SVMs that will be deployed on the hypervisors in the selected cluster.

1. Select the network to be used by SVMs and the storage for deploying the SVMs with the File Threat Protection component.
2. If you want to configure the parameters for assigning IP addresses for service virtual machines, click the corresponding icon in the IP assignment column.

3. Select Use IP Pool and then click Add. 

   

4. Configure the static IP address pool and click Add.

   

5. Select the added static IP address pool and click OK. 

   

6. The name of the selected pool will appear in the IP Assignment column.

   

6. Make sure that all parameters are configured correctly. Click Finish.

The wizard window will close and the current status of the Kaspersky File Antimalware Protection service deployment process will be shown in the Installation Status column in the VMware vSphere Web Client console.

7. Wait until Kaspersky File Antimalware Protection is successfully deployed.

8. In the VMware vSphere Web Client console, go to Hosts and Clusters.
9. Make sure the SVMs have been deployed successfully on each hypervisor in the cluster you selected.

The SVMs with the File Threat Protection component will be deployed.

The SVMs with the Network Threat Detection component are deployed on VMware ESXi hypervisors when deploying the Kaspersky Network Protection service on VMware clusters.

To Deploy an SVM with the Network Threat Protection component:

1. Go to Networking & Security → Installation and Upgrade → Service Deployment.
2. Click Add. 
3. Select the Kaspersky Network Protection service and click Next.

4. Select one or several VMware clusters to install the Network Threat Protection component. Click Next.

5. If necessary, you can change the default network parameters and select the storage for all the SVMs that will be deployed on the hypervisors in the selected cluster.

1. Select the network to be used by SVMs and the storage for deploying the SVM with the Network Threat Protection component.
2. If you want to configure the parameters for assigning IP addresses for service virtual machines, click the corresponding icon in the IP Assignment column.

3. Select Use IP Pool and then click Add.

   

4. Configure the pool of static addresses and click Add. 

   

5. Select the added static IP address pool and click OK.

   

6. The name of the selected pool will appear in the IP Assignment column.

   

6. Make sure that all parameters are configured correctly. Click Finish.

The wizard window will close and the current status of the Kaspersky Network Protection deployment process will be shown in the Installation Status column in the VMware vSphere Web Client console.

7. Wait until the Kaspersky Network Protection service is successfully deployed.

8. In the VMware vSphere Web Client console, go to Hosts and Clusters. 
9. Make sure the SVMs have been deployed successfully on each hypervisor in the cluster you selected.

The SVMs with the Network Threat Protection component will be deployed.