Best practices for upgrading to VMware vCloud Networking and Security 5.5 (2055673)

Purpose

This article provides best practices for upgrading a vShield environment to vCloud Networking and Security 5.5.

Notes:

  • This article assumes that you have read the vShield Installation and Upgrade Guide. The vShield Upgrade and Installation Guide contains definitive information. If there is a discrepancy between the guide and this KB article, assume that the guide is correct.
  • For information on a new installation of vCloud Networking and Security 5.5, see the vShield Installation and Upgrade Guide.

Resolution

To upgrade vShield, you must first upgrade vShield Manager, then update the other components for which you have a license.
Complete upgrades in this order:
  1. vShield Manager
  2. vCenter Server
  3. Other vShield components managed by vShield Manager
  4. ESXi hosts

Software Requirements

For information on the latest interoperability, see the Product Interoperability Matrix.

These are the minimum required versions of VMware products to be installed with vShield 5.5:

  • VMware vCenter Server 5.1 or later
    • For VXLAN virtual wires, you need vCenter Server 5.1 or later
  • VMware ESXi/ESX 5.0 or later for each server
    • For VXLAN virtual wires, you need VMware ESXi 5.1 or later
    • For vShield Endpoint, you need VMware ESX 5.0 or later
  • VMware Tools
    • For vShield Endpoint and vShield Data Security, you must upgrade your virtual machines to hardware version 7 or 8, and install VMware Tools 8.6.0 (released with ESXi 5.0 Patch 3)
    • You must install VMware Tools on virtual machines that are to be protected by vShield App
  • VMware vCloud Director 5.1 or later
  • VMware View 4.5 or later

Client and User Access Requirements

VMware vShield 5.5 has these client and user access requirements:

  • PC with the vSphere Client installed
  • If you add ESXi hosts by name to the vSphere inventory, ensure that DNS servers have been configured on the vShield Manager and name resolution is working. If you do not do this, vShield Manager cannot resolve the IP addresses.
  • Permissions to add and power on virtual machines
  • Access to the datastore where you store virtual machine files, and the account permissions to copy files to that datastore
  • Ensure that you have enabled cookies on your web browser to access the vShield Manager user interface
  • Port 443 must be accessible from the ESXi host, the vCenter Server, and the vShield appliances to be deployed. This port is required to download the OVF file on the ESXi host for deployment.
  • Connection to the vShield Manager user interface using one of these supported browsers:
    • Internet Explorer 6.x and later
    • Mozilla Firefox 1.x and later
    • Safari 1.x or 2.x
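
The name-resolution and port 443 requirements above can be checked before the upgrade window. The following is an added example, not part of the original article or of any VMware tooling: it resolves each name and attempts a TCP connection to port 443 from the machine it runs on, so run it from a system on the management network. The host names are constructed placeholders, and the DNS settings on vShield Manager itself still need to be confirmed in its own interface.

```python
import socket


def check_endpoint(name, port=443, timeout=3.0):
    """Resolve `name`, then try a TCP connect to `port` on each address.

    Returns a dict with the resolved addresses, whether the port accepted a
    connection, and the last error seen (None on success).
    """
    result = {"host": name, "addresses": [], "port_open": False, "error": None}
    try:
        infos = socket.getaddrinfo(name, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        # The failure the article warns about: a name that does not resolve.
        result["error"] = f"name resolution failed: {exc}"
        return result
    result["addresses"] = sorted({info[4][0] for info in infos})
    for family, socktype, proto, _canon, sockaddr in infos:
        try:
            with socket.socket(family, socktype, proto) as sock:
                sock.settimeout(timeout)
                sock.connect(sockaddr)
            result["port_open"] = True
            result["error"] = None
            return result
        except OSError as exc:
            result["error"] = f"TCP {port} not reachable at {sockaddr[0]}: {exc}"
    return result


def preflight(names, port=443):
    """Check every name and return only the entries that need attention."""
    results = [check_endpoint(name, port) for name in names]
    return [r for r in results if not r["port_open"]]


if __name__ == "__main__":
    # Constructed host names; replace with the names used in your inventory.
    inventory = ["esxi01.example.internal", "vcenter.example.internal",
                 "vsm.example.internal"]
    for problem in preflight(inventory):
        print(f"{problem['host']}: {problem['error']}")
```

An empty result from `preflight` means every name resolved and accepted a connection on port 443 from the checking machine.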

System Requirements

This table outlines minimum system requirements:

Component Minimum Requirements
Memory
  • vShield Manager (64-bit): 8 GB, 3 GB reserved
  • vShield Edge compact: 512 MB, large: 1 GB, x-large: 8 GB
  • vShield Endpoint Service: 1 GB
  • vShield Data Security: 512 MB
Disk Space
  • vShield Manager: 60 GB
  • vShield Edge compact and large: 512 MB, x-large: 4.5 GB (with 4 GB swap file)
  • vShield Endpoint Service: 4 GB
  • vShield Data Security: 6 GB per ESX host
vCPU
  • vShield Manager: 2
  • vShield Edge compact: 1, large and x-large: 2
  • vShield Endpoint Service: 2
  • vShield Data Security:

Pre-upgrade Preparation

Prior to starting the upgrade process, consider these points to ensure a successful upgrade:

  • From the vSphere Client, take a snapshot of the vShield Manager.
  • If you are running a version earlier than 5.1.0, follow the upgrade process documented in Upgrading to vCloud Networking and Security 5.1.2a best practices (2044458) to ensure you are running the correct virtual hardware required as of version 5.1.
  • For vShield Managers running 5.1.0 (build 807847) that were upgraded from versions 5.0.0 (build 473791), 5.0.1 (build 638924), or 5.0.2 (build 791471), ensure you have upgraded the virtual hardware as documented in Upgrading to vCloud Networking and Security 5.1.2a best practices (2044458).
    Note: This virtual hardware upgrade only applies to vShield Managers that are upgraded from versions 5.0.x or earlier. New installations of vShield Manager 5.1.0 or higher already ship with this upgraded virtual hardware.
  • Never uninstall a deployed instance of the vShield Manager appliance.

RC Milestone Upgrade Requirements

For RC, we will be supporting the following upgrades. Ensure that your system is at one of these versions.

  • vCNS 5.1.2 to vCNS 5.5
  • vCNS 5.12b to vCNS 5.5

Upgrade Procedure

For vShield Managers 5.1.0 or later:

  1. From the VMware Download Center, download the vShield upgrade bundle to a location that vShield Manager can browse. The name of the upgrade bundle file is: VMware-vShield-Manager-upgrade-bundle-1258810.tar.gz
  2. From the vShield Manager Inventory panel, click Settings & Reports.
  3. Click the Updates tab.
  4. Click Upload Upgrade Bundle.
  5. Click Browse and select the VMware-vShield-Manager-upgrade-bundle-1258810.tar.gz file.
  6. Click Open.
  7. Click Upload File.
  8. Click Install to begin the upgrade process.
  9. Click Confirm Install. The upgrade process reboots vShield Manager, so you might lose connectivity to the vShield Manager user interface. None of the other vShield components are rebooted.
  10. After the reboot, log back in to the vShield Manager and click the Updates tab. The Installed Release panel displays version 5.5, which is the version you just installed.

Upgrading vShield components

You must upgrade the other vShield components managed by vShield Manager.

Upgrade the vShield Appliance

To upgrade the vShield Appliance:

  1. Log in to the vSphere Client.
  2. Click Inventory > Hosts and Clusters.
  3. Click the host on which you want to upgrade vShield App.
  4. Click the vShield tab. The General tab displays each vShield component that is installed on the selected host and the available release.
  5. Click Update (next to vShield App).
  6. Select the vShield App checkbox.
  7. Click Install.
     Note: During the vShield App upgrade, the ESXi host is placed into Maintenance Mode by the system and rebooted. Ensure the virtual machines on the ESXi host are migrated (using DRS or vMotion), or that they are powered off to allow the host to be placed into Maintenance Mode.

Upgrading vShield Edge

You must upgrade each vShield Edge instance in your datacenter. vShield Edge 5.1.2 is not backward compatible and you cannot use 2.0 REST API calls after the upgrade.

Note: During the vShield Edge upgrade, there will be a brief network disruption for the networks that are being served by the given vShield Edge instance.

If you have vShield Edge 5.0.x, each 5.0.x vShield Edge instance on each portgroup in your datacenter must be upgraded to 5.5.

To upgrade vShield Edge:

  1. Log in to the vSphere Client.
  2. Click the portgroup on which the vShield Edge is deployed.
  3. In the vShield Edge tab, click Upgrade.
  4. View the upgraded vShield Edge:
    1. Click the datacenter corresponding to the port group on which you upgraded the vShield Edge.
    2. In the Network Visualization tab, click Edges. vShield Edge is upgraded to the compact size. A system event is generated to indicate the ID for each upgraded vShield Edge instance.
    3. Repeat for all other vShield Edges that require upgrading.

If you have 5.1.0 or higher vShield Edge instances, upgrade each Edge:

  1. Log in to the vSphere Client.
  2. Click the datacenter for which vShield Edge instances are to be upgraded.
  3. Click the Network Visualization tab. All existing vShield Edge instances are shown in the listings page. An arrow icon is shown for each vShield Edge that must be updated.
  4. Click an Edge and click Upgrade from Actions to start the upgrade. When the Edge is upgraded, the arrow icon no longer appears.
  5. Repeat for each vShield Edge that must be upgraded.

What to do next

Firewall rules from the previous release are upgraded with some modifications. Inspect each upgraded rule to ensure it works as intended. For information on adding new firewalls, see the vShield Administration Guide.
If a user's scope in a previous release was limited to a port group that had a vShield Edge installation, that user is automatically granted access to that vShield Edge after the upgrade.

Upgrade vShield Endpoint

To upgrade vShield Endpoint from 5.1.x to 5.5, you must first upgrade vShield Manager, then update vShield Endpoint on each host in your datacenter.

  1. Log in to the vSphere Client.
  2. Click Inventory > Hosts and Clusters.
  3. Click the host on which you want to upgrade vShield Endpoint.
  4. Click the vShield tab. The General tab displays each vShield component that is installed on the selected host and the available version.
  5. Click Update (next to vShield Endpoint).
  6. Click vShield Endpoint.
  7. Click Install.

Upgrading vShield Data Security

To upgrade vShield Data Security from 5.1.x to 5.5, you must first upgrade vShield Manager, then update vShield Data Security on each host in your datacenter.

  1. Log in to the vSphere Client.
  2. Click Inventory > Hosts and Clusters.
  3. Click the host on which you want to upgrade vShield Data Security.
  4. Click the vShield tab. The General tab displays each vShield component that is installed on the selected host and the available version.
  5. Click Update (next to vShield Data Security).
  6. Click vShield Data Security.
  7. Click Install.

Upgrading VXLAN

When upgrading VXLAN, consider these points:

  • VXLAN virtual wires require vCenter Server 5.1 or later.
  • You must upgrade the vCNS server prior to upgrading the ESXi hosts.
  • Upgrading an ESXi host from 5.1 to 5.5 results in a new kernel module automatically being pushed to the upgraded host.
  • A reboot of the host is required to complete the host upgrade for VXLAN.