DDoS Secure. VMware Virtual Edition Installation Guide. Release Published: Copyright 2013, Juniper Networks, Inc.

Transcription

1 DDoS Secure VMware Virtual Edition Installation Guide Release Published:

2 Juniper Networks, Inc North Mathilda Avenue Sunnyvale, California USA Copyright Webscreen Technology Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice. DDoS Secure VMware Virtual Edition Installation Guide All rights reserved. The information in this document is current as of the date on the title page. YEAR 2000 NOTICE Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through the year However, the NTP application is known to have some difficulty in the year END USER LICENSE AGREEMENT The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License Agreement ( EULA ) posted at By downloading, installing or using such software, you agree to the terms and conditions of that EULA. ii

3 Table of Contents About the Documentation xi Documentation and Release Notes xi Documentation Conventions xi Documentation Feedback xiii Requesting Technical Support xiii Self-Help Online Tools and Resources xiv Opening a Case with JTAC xiv Part 1 VMware Virtual Edition Installation Chapter 1 DDoS Secure VMware Virtual Edition Overview DDoS Secure VMware Virtual Edition Overview Chapter 2 Prerequisites for Installing a DDoS Secure Appliance Virtual Edition Physical Interface Requirements for Installing a DDoS Secure Appliance VE Chapter 3 ESX (i) Server Preparation Preparing to Configure an ESX (i) Server Chapter 4 DDoS Secure Appliance Virtual Engine Installation Overview Deploying a DDoS Secure Appliance Using the vsphere OVA Package DDoS Secure Appliance Virtual Engine Startup and Shutdown Tuning the Hardware Configuration of a DDoS Secure Appliance Virtual Engine Powering On a DDoS Secure Appliance Virtual Engine Configuring the Management IP Address in a DDoS Secure Appliance Connecting to the DDoS Secure Appliance First Boot Understanding DDoS Secure Appliance Overview Page Information Configuring a Pair of High Availability DDoS Secure Appliances Part 2 Appendix Appendix A Installing Virtual Switches in a Network Adaptor Installing Virtual Switches in a Network Adaptor Adding JS Protected and Protected LAN Port Groups Adding a JS Data Share Port Group Adding a JS Internet Port Group Reassigning the Existing VM Network Interfaces to a DDoS Secure Appliance iii

4 DDoS Secure VMware Virtual Edition Installation Guide Appendix B Installing an Existing Single NIC ESX (i) Server Installing an Existing Single NIC ESX (i) Server Adding JS Protected and Protected LAN Port Groups in a NIC ESX (i) Server Adding a JS Data Share Port Group to a NIC ESX (i) Server Adding a JS Internet Port Group to a NIC ESX (i) Server Appendix C Installing and Configuring a New ESX (i) Server Installing and Configuring a New ESX (i) Server Installing an ESX (i) Server Connecting to vsphere Configuring vswitch0 in the DDoS Secure Appliance Management Interface(s) Creating Internet Traffic for a DDoS Secure Appliance Configuring a Data Share Port Group in a DDoS Secure Appliance Setting a DDoS Secure Appliance Protected Interface to Promiscuous Mode Changing the Configuration Settings in an ESX (i) Server VMNIC Interface Appendix D Reassigning the Existing VM Network Interfaces in a VM Server Reassigning the Existing VM Network Interfaces in a VM Server Appendix E Troubleshooting Reconfiguring a vsphere Client Appendix F Understanding Sizing Requirements Understanding Sizing Requirements Appendix G NUMA Tuning Tuning in a NUMA Environment iv

5 List of Figures Part 1 VMware Virtual Edition Installation Chapter 1 DDoS Secure VMware Virtual Edition Overview Figure 1: Virtual Edition with DDoS Protection System (External Servers Protection) Figure 2: Virtual Edition with DDoS Protection System (VM Servers Protection) Chapter 4 DDoS Secure Appliance Virtual Engine Installation Overview Figure 3: Deploy OVF Template Figure 4: OVF Template Details Figure 5: EULA - Accept Figure 6: EULA Name Figure 7: EULA Name and Location Figure 8: Disk Format Figure 9: Network Mapping Figure 10: Ready to Complete Figure 11: Deployment Confirmation Figure 12: vsphere Client - Primary Figure 13: VM Startup and Shutdown Figure 14: VM Startup and Shutdown Startup Order Figure 15: VM Startup and Shutdown Automatic Startup Figure 16: VM Autostart Settings Figure 17: Startup and Shutdown Confirmation Figure 18: Startup and Shutdown Complete Figure 19: Primary Virtual Machine Properties Figure 20: DDoS Secure Appliance Power On Figure 21: DDoS Secure Appliance Package Installation Figure 22: DDoS Secure Appliance Package Progression Figure 23: DDoS Secure Appliance VMware Tools Screen Figure 24: DDoS Secure Appliance Package Update Screen Figure 25: DDoS Secure Appliance Primary Console Figure 26: IP Address Configuration Figure 27: Netmask Configuration Figure 28: Gateway Configuration Figure 29: Input Values Figure 30: Layer 2, Layer 23 or Layer Figure 31: Navigation Block Error Figure 32: DDoS Secure Appliance Log in Page Figure 33: Security Log in Page Figure 34: First Boot Screen Snippets v

6 DDoS Secure VMware Virtual Edition Installation Guide Figure 35: First Boot Accept Screen Snippet Figure 36: DDoS Secure Appliance Summary Board Figure 37: Configure Interface Page - Data Share Interface Part 2 Appendix Appendix A Installing Virtual Switches in a Network Adaptor Figure 38: Example of ESX (i) Server Figure 39: Example of ESX (i) Server with Dual NIC Figure 40: ESX (i) Server Console Figure 41: ESX (i) Server Add Network Wizard Figure 42: ESX (i) Server Wizard - Network Access Figure 43: ESX (i) Server Wizard - Connection Settings Figure 44: ESX (i) Server Wizard Confirmation Figure 45: ESX (i) Server Configuration Page Figure 46: vswitch Properties Figure 47: vswitch Network Wizard Connection Type Figure 48: vswitch Network Wizard Connection Settings Figure 49: vswitch Network Wizard Confirmation Figure 50: vswitch Properties Figure 51: JS Protected Properties - General Figure 52: JS Protected Properties - Security Figure 53: vswitch3 Properties Figure 54: ESX (i) Host Configuration Figure 55: VMware Connection Type Figure 56: Virtual Machine Network Access Figure 57: Virtual Machine Connection Settings Figure 58: Virtual Machine Connection Settings Completion Figure 59: Virtual Machine Connections Page Figure 60: Virtual Machine Configuration Page Figure 61: vswitch Properties Figure 62: vswitch Connection Type Figure 63: Virtual Machine Connection Settings Figure 64: Network Wizard Completion Page Figure 65: Virtual Machine Configuration Page Figure 66: vswitch Properties Figure 67: JS Internet Properties - General Figure 68: JS Internet Properties - Security Figure 69: vswitch Properties - Ports Figure 70: Virtual Machine Properties Appendix B Installing an Existing Single NIC ESX (i) Server Figure 71: ESX (i) Server with Single NIC Figure 72: ESX (i) Server with Single NIC after DDoS Secure Appliance Installation Figure 73: JS Protected and Protected LAN Port Groups Figure 74: Connection Type Figure 75: Virtual Machine Network Access Figure 76: Virtual Machine Connection Settings Figure 77: Virtual Machine Connection Settings Completion vi

7 List of Figures Figure 78: Virtual Machine Inventory Figure 79: vswitch Properties - Port Figure 80: Virtual Machine Connection Type Figure 81: Virtual Machine Connection Settings Figure 82: Virtual Machine Connection Completion Figure 83: vswitch Properties Port Figure 84: JS Protected Properties Figure 85: JS Protected Properties - General Figure 86: JS Protected Properties - Port Figure 87: Virtual Switch Figure 88: Virtual Switch Connection Type Figure 89: Virtual Switch - Network Access Figure 90: Virtual Machine Connection Settings Figure 91: Virtual Machine Summary Figure 92: Virtual Switch Configuration Page Figure 93: vswitch Properties Figure 94: Virtual Machine Connection Type Figure 95: Virtual Machine Connection Settings Figure 96: Virtual Machine Connection Completion Page Figure 97: Virtual Machine Inventory Figure 98: vswitch Properties Summary Figure 99: JS Internet Properties Figure 100: JS Internet Properties - General Figure 101: JS Internet vswitch Properties Appendix C Installing and Configuring a New ESX (i) Server Figure 102: VMware vsphere Client Log in Page Figure 103: VMware vsphere Summary Page Figure 104: vsphere Client Configuration Page Figure 105: vswitch Properties Figure 106: VM Network Properties - General Figure 107: vswitch Properties - Ports Figure 108: vsphere Client Configuration Page Figure 109: vswitch Properties - Connection Type Figure 110: Virtual Machine - Network Access Figure 111: Virtual Machine - Connection Settings Figure 112: Virtual Machine Connection Setting Completion Figure 113: Virtual Machine Connection Networking Figure 114: vswitch Properties Figure 115: JS Internet Properties - General Figure 116: JS Internet Properties - Security Appendix D Reassigning the Existing VM Network Interfaces in a VM Server Figure 117: VM Server Edit Settings Figure 118: Virtual Machine Properties Figure 119: Virtual Machine Properties - Hardware Figure 120: Virtual Machine Network Adapter Appendix E Troubleshooting Figure 121: DDoS Secure Primary Appliance Summary vii

8 DDoS Secure VMware Virtual Edition Installation Guide Appendix G NUMA Tuning Figure 122: Processor Sockets Figure 123: Virtual Machine Properties Resources options Figure 124: Virtual Machine Properties - Allocating Maximum vcpus viii

9 List of Tables About the Documentation xi Table 1: Notice Icons xii Table 2: Text and Syntax Conventions xii Part 1 VMware Virtual Edition Installation Chapter 2 Prerequisites for Installing a DDoS Secure Appliance Virtual Edition Table 3: DDoS Secure Appliance VE Prerequisites Chapter 4 DDoS Secure Appliance Virtual Engine Installation Overview Table 4: Default Configurations in OVF Part 2 Appendix Appendix F Understanding Sizing Requirements Table 5: Sizing Requirement Details ix

10 DDoS Secure VMware Virtual Edition Installation Guide x

11 About the Documentation Documentation and Release Notes Documentation and Release Notes on page xi Documentation Conventions on page xi Documentation Feedback on page xiii Requesting Technical Support on page xiii Documentation Conventions To obtain the most current version of all Juniper Networks technical documentation, see the product documentation page on the Juniper Networks website at If the information in the latest release notes differs from the information in the documentation, follow the product Release Notes. Juniper Networks Books publishes books by Juniper Networks engineers and subject matter experts. These books go beyond the technical documentation to explore the nuances of network architecture, deployment, and administration. The current list can be viewed at Table 1 on page xii defines notice icons used in this guide. xi

12 DDoS Secure VMware Virtual Edition Installation Guide Table 1: Notice Icons Icon Meaning Description Informational note Indicates important features or instructions. Caution Indicates a situation that might result in loss of data or hardware damage. Warning Alerts you to the risk of personal injury or death. Laser warning Alerts you to the risk of personal injury from a laser. Table 2: Text and Syntax Conventions Table 2 on page xii defines the text and syntax conventions used in this guide. Convention Description Examples Bold text like this Represents text that you type. To enter configuration mode, type the configure command: user@host> configure Fixed-width text like this Italic text like this Represents output that appears on the terminal screen. Introduces or emphasizes important new terms. Identifies guide names. Identifies RFC and Internet draft titles. user@host> show chassis alarms No alarms currently active A policy term is a named structure that defines match conditions and actions. Junos OS CLI User Guide RFC 1997, BGP Communities Attribute Italic text like this Text like this Represents variables (options for which you substitute a value) in commands or configuration statements. Represents names of configuration statements, commands, files, and directories; configuration hierarchy levels; or labels on routing platform components. Configure the machine s domain name: [edit] root@# set system domain-name domain-name To configure a stub area, include the stub statement at the [edit protocols ospf area area-id] hierarchy level. The console port is labeled CONSOLE. < > (angle brackets) Encloses optional keywords or variables. stub <default-metric metric>; xii

13 About the Documentation Table 2: Text and Syntax Conventions (continued) Convention Description Examples (pipe symbol) Indicates a choice between the mutually exclusive keywords or variables on either side of the symbol. The set of choices is often enclosed in parentheses for clarity. broadcast multicast (string1 string2 string3) # (pound sign) Indicates a comment specified on the same line as the configuration statement to which it applies. rsvp { # Required for dynamic MPLS only [ ] (square brackets) Encloses a variable for which you can substitute one or more values. community name members [ community-ids ] Indention and braces ( { } ) ; (semicolon) Identifies a level in the configuration hierarchy. Identifies a leaf statement at a configuration hierarchy level. [edit] routing-options { static { route default { nexthop address; retain; } } } GUI Conventions Bold text like this Represents graphical user interface (GUI) items you click or select. In the Logical Interfaces box, select All Interfaces. To cancel the configuration, click Cancel. > (bold right angle bracket) Separates levels in a hierarchy of menu selections. In the configuration editor hierarchy, select Protocols>Ospf. Documentation Feedback We encourage you to provide feedback, comments, and suggestions so that we can improve the documentation. You can send your comments to techpubs-comments@juniper.net, or fill out the documentation feedback form at If you are using , be sure to include the following information with your comments: Document or topic name URL or page number Software release version (if applicable) Requesting Technical Support Technical product support is available through the Juniper Networks Technical Assistance Center (JTAC). If you are a customer with an active J-Care or JNASC support contract, xiii

14 DDoS Secure VMware Virtual Edition Installation Guide or are covered under warranty, and need post-sales technical support, you can access our tools and resources online or open a case with JTAC. JTAC policies For a complete understanding of our JTAC procedures and policies, review the JTAC User Guide located at Product warranties For product warranty information, visit JTAC hours of operation The JTAC centers have resources available 24 hours a day, 7 days a week, 365 days a year. Self-Help Online Tools and Resources For quick and easy problem resolution, Juniper Networks has designed an online self-service portal called the Customer Support Center (CSC) that provides you with the following features: Find CSC offerings: Search for known bugs: Find product documentation: Find solutions and answer questions using our Knowledge Base: Download the latest versions of software and review release notes: Search technical bulletins for relevant hardware and software notifications: Join and participate in the Juniper Networks Community Forum: Open a case online in the CSC Case Management tool: To verify service entitlement by product serial number, use our Serial Number Entitlement (SNE) Tool: Opening a Case with JTAC You can open a case with JTAC on the Web or by telephone. Use the Case Management tool in the CSC at Call JTAC ( toll-free in the USA, Canada, and Mexico). For international or direct-dial options in countries without toll-free numbers, see xiv

15 PART 1 VMware Virtual Edition Installation DDoS Secure VMware Virtual Edition Overview on page 3 Prerequisites for Installing a DDoS Secure Appliance Virtual Edition on page 7 ESX (i) Server Preparation on page 9 DDoS Secure Appliance Virtual Engine Installation Overview on page 11 1

16 DDoS Secure VMware Virtual Edition Installation Guide 2

17 CHAPTER 1 DDoS Secure VMware Virtual Edition Overview DDoS Secure VMware Virtual Edition Overview on page 3 DDoS Secure VMware Virtual Edition Overview This chapter provides an overview of the VMware Virtual Edition (VE). Figure 1 on page 4 illustrates the Virtual Edition with DDoS external server protection system and Figure 2 on page 5 illustrates the Virtual Edition with DDoS Secure with VM protection system. 3

18 DDoS Secure VMware Virtual Edition Installation Guide Figure 1: Virtual Edition with DDoS Protection System (External Servers Protection) 4

19 Chapter 1: DDoS Secure VMware Virtual Edition Overview Figure 2: Virtual Edition with DDoS Protection System (VM Servers Protection) The DDoS Secure appliance Virtual Edition provides the freedom and operational flexibility to install a fully automatic DDoS protection system for any hardware platform running VMware ESX (i) v4 or later server software. The DDoS Secure appliance VMware solution is placed between the JS Internet port group and the port group JS Protected as a layer 2 device controlling the flow between the two switches. The solution is scalable for performance by adding in virtual CPUs and scalable for IP protection by adding in more virtual memory (subject to license key). High Availability primary and secondary instances of DDoS Secure appliance VE are connected to the JS Data Share port group. This connection is then used to synchronize the configuration and other information of the DDoS Secure appliance VE standby/active pair. Related Documentation Physical Interface Requirements for Installing a DDoS Secure Appliance VE on page 7 Preparing to Configure an ESX (i) Server on page 9 Deploying a DDoS Secure Appliance Using the vsphere OVA Package on page 12 5

20 DDoS Secure VMware Virtual Edition Installation Guide 6

21 CHAPTER 2 Prerequisites for Installing a DDoS Secure Appliance Virtual Edition Physical Interface Requirements for Installing a DDoS Secure Appliance VE on page 7 Physical Interface Requirements for Installing a DDoS Secure Appliance VE Table 3 on page 7 describes the prerequisites to be met before installing DDoS Secure appliance VE. Table 3: DDoS Secure Appliance VE Prerequisites PREREQUISITE COMPONENT TYPE(S) COMMENTS 64-bit hardware assisted virtualization support enabled Intel-VTx or equivalent with 64-bit support Provides support to run a 64-bit virtual guest. VT is usually enabled through the BIOS settings of the host. Bare-Metal Embedded Hypervisor VMware ESX (i) 4.1 Server or above Provides a virtualization layer that abstracts the processor, memory, storage, and networking resources of the physical host into multiple virtual machines. You can install ESX (i) installable on any hard drive on your physical server. Virtual Infrastructure Management Tool VMware vsphere Client Installs on a Windows PC and is the primary method of interaction with VMware vsphere. The vsphere client acts as a console to operate virtual machines and as an administration interface into ESX (i) hosts. The vsphere client is downloadable from the vcenter server system and ESX (i) hosts. The vsphere client includes documentation for administrators and console users. DDoS Secure appliance Virtual Edition Product package OVA package Deploys the DDoS Secure appliance Virtual Edition (VE) on to an ESX (i) server using a vsphere client. The DDoS Secure appliance Virtual Edition (VE) Product package is downloadable from the from the Juniper Network website: (login required). RAM Virtual managed in vsphere environment At least 800MB free of virtual RAM to allocate to each DDoS Secure appliance VE. 7

22 DDoS Secure VMware Virtual Edition Installation Guide Table 3: DDoS Secure Appliance VE Prerequisites (continued) PREREQUISITE COMPONENT TYPE(S) COMMENTS Datastore Virtual disk managed in vsphere environment At least 11GB of free space for each DDoS Secure appliance VE. CPU Virtual CPU At least one virtual CPU. Preferably two or more. Management Network 1 x vswitch 1 x Port Group Connects existing management traffic and DDoS Secure appliance VE(s) together through a port group ManagementLan. Internet Network 1 x vswitch 1 x Dedicated Port Group It is recommended that the physical Internet Gateway router/switch is connected to a vswitch with a dedicated vmnic. The DDoS Secure appliance Internet interface must be connected to this vswitch using a JS Internet port group configured in promiscuous mode. Protected Network 1 x vswitch 1 x Dedicated Port Group 1 x Port Group It is recommended that firewalls/load balancers/servers and so on are connected to a vswitch with port group ProtectedLAN so that their traffic is routed using the DDoS Secure appliance transparently to and from the internet gateway. DDoS Secure appliance protected interfaces must be connected to this vswitch using a dedicated JS Protected port group configured in promiscuous mode. Data Share Network 1 x vswitch 1 x Port Group DDoS Secure appliance VE can be paired to provide a highly available active/standby pair. The port group is labeled as JS Data Share. Related Documentation DDoS Secure VMWare Virtual Edition Overview on page 3 Preparing to Configure an ESX (i) Server on page 9 Deploying a DDoS Secure Appliance Using the vsphere OVA Package on page 12 8

23 CHAPTER 3 ESX (i) Server Preparation Preparing to Configure an ESX (i) Server on page 9 Preparing to Configure an ESX (i) Server It is possible that the ESX (i) server has been built in many different ways, or the ESX (i) server has not yet been built. There are three existing generic build scenarios, and most existing ESX (i) configurations should map into one of the following scenarios: 1. Two (or more) NIC interfaces in use Existing 2+ NIC ESX (i) Installation. 2. Single (possibly teamed) NIC interface in use Existing Single NIC ESX (i) Installation. 3. Initial build of ESX (i) server New ESX (i) Installation. Verify which is the most appropriate scenario to use to reconfigure/update the ESX (i) internal networking layout. NOTE: This preparation work MUST be done prior to installing the DDoS Secure appliance VMware instance. The ESX (i) server may be restricted in the number of physical interfaces, so it may not be possible to associate each vswitch with a dedicated physical interface. The Management Lan port group and JS Data Share port group must not be on the same vswitch, unless they are in different VLANs. The JS Internet port group and JS Protected port group must not be on the same vswitch, unless they are in different VLANs. Related Documentation Physical Interface Requirements for Installing a DDoS Secure Appliance VE on page 7 DDoS Secure VMWare Virtual Edition Overview on page 3 Deploying a DDoS Secure Appliance Using the vsphere OVA Package on page 12 9

24 DDoS Secure VMware Virtual Edition Installation Guide 10

25 CHAPTER 4 DDoS Secure Appliance Virtual Engine Installation Overview To install the DDoS Secure appliance VE, you will need to deploy a DDoS Secure appliance OVF Template package onto the VMware ESX (i) server via a vsphere client. The vsphere configuration wizard guides you through the initial configuration and allows you to change the virtual machine name, disk format and the network mapping. There are two variants of the Open Virtualization Format (OVF). One variant is for general use and the other variant is for light use (that is, demo on laptop). Table 4 on page 11 describes the initial default configuration contained in the OVF: Table 4: Default Configurations in OVF RESOURCE GENERAL VALUE VALUE vcpu 4 vcpu 2 vcpu Virtual Disk 100GB 15GB Memory 6000 MB 1000 MB Network Interfaces 4 4 It is quite likely that these defaults will need to be changed according to bandwidth requirements, the number of protected servers, tracked IP addresses and TCP connections; depending on your network usage. Resource values must be changed using the vsphere client user interface before powering on the virtual machine for the first time. Deploying a DDoS Secure Appliance Using the vsphere OVA Package on page 12 DDoS Secure Appliance Virtual Engine Startup and Shutdown on page 17 Tuning the Hardware Configuration of a DDoS Secure Appliance Virtual Engine on page 22 Powering On a DDoS Secure Appliance Virtual Engine on page 23 Configuring the Management IP Address in a DDoS Secure Appliance on page 27 Configuring a Pair of High Availability DDoS Secure Appliances on page 34 11

26 DDoS Secure VMware Virtual Edition Installation Guide Deploying a DDoS Secure Appliance Using the vsphere OVA Package To deploy an appliance using the vsphere OVA package: 1. Verify that you have created all the necessary port groups. 2. In vsphere client, select the appropriate host or resource pool. 3. Select File > Deploy OVF Template to invoke the Deploy OVF template wizard, as shown in Figure 3 on page 12. Figure 3: Deploy OVF Template The Deploy OVF Template wizard will be invoked and will request selection of an OVA package. Use the OVA package previously downloaded from the DDoS Secure appliance Technology website. The OVA package can be identified by the following naming format: DDoS Secure appliance[version].[arch].ova DDoS Secure appliancefc11_ x86_64.ova ddossecurecentos_6_3-lite x86_64.ova 4. Specify your OVA file or click Browse to browse for it and then click Next to continue. Figure 4 on page 13 displays the OVF template details. 12

27 Chapter 4: DDoS Secure Appliance Virtual Engine Installation Overview Figure 4: OVF Template Details 5. The Wizard reads and verifies the OVF template details. Click Next to continue. Figure 5 on page 13 displays the EULA screen. Figure 5: EULA - Accept 6. Read and accept the End User License Agreement (EULA). Click Next to continue. Figure 6 on page 14 displays the screen to enter the name of the EULA. 13

28 DDoS Secure VMware Virtual Edition Installation Guide Figure 6: EULA Name 7. A suggested default VM name is provided. Rename this to DDoS Secure appliance Primary (DDoS Secure appliance Secondary, if this is the second instance for a HA pair), or any other suitable name. Figure 7 on page 14 displays the screen to enter the name and location. Figure 7: EULA Name and Location 14

29 Chapter 4: DDoS Secure Appliance Virtual Engine Installation Overview 8. Click Next to continue. Figure 8 on page 15 displays the screen with disk format details. Figure 8: Disk Format 9. Select the disk format in which the DDoS Secure appliance VE files are stored. You must choose Thick provisioned format (the default format). 10. Click Next to continue. Figure 9 on page 15 displays the network mapping screen. Figure 9: Network Mapping 15

30 DDoS Secure VMware Virtual Edition Installation Guide 11. Map the networks used in the OVF template to the networks defined in your inventory. If the port groups have been labeled up as previously described, no changes are required. However, if there are differences, for each source network choose an appropriate destination network by selecting an inventory network from the destination networks drop-down select box. 12. Click Next to continue. Figure 10 on page 16 displays the ready to complete screen. Figure 10: Ready to Complete 13. Review the configured settings and click Finish to start the deployment process. This completes the wizard process, the Deploy OVF Template window will now close. It may take a few minutes for the new machine to be deployed in the vsphere client inventory. Figure 11 on page 16 displays the deployment completion message. Figure 11: Deployment Confirmation Upon deployment, a window box will appear stating that the deployment has been successful. 14. Click Close to continue. 16

31 Chapter 4: DDoS Secure Appliance Virtual Engine Installation Overview Related Documentation DDoS Secure Appliance Virtual Engine Startup and Shutdown on page 17 Tuning the Hardware Configuration of a DDoS Secure Appliance Virtual Engine on page 22 Powering On a DDoS Secure Appliance Virtual Engine on page 23 Physical Interface Requirements for Installing a DDoS Secure Appliance VE on page 7 DDoS Secure Appliance Virtual Engine Startup and Shutdown To start or shutdown a Virtual Machine: 1. Open the vsphere client. 2. Select the ESX (i) host in the inventory. 3. Select the Configuration tab and click Virtual Machine Startup Shutdown. Figure 12 on page 17 displays the vsphere primary client screen. Figure 12: vsphere Client - Primary 4. Click Properties on the same line as Virtual Machine startup and shutdown. Figure 13 on page 18 displays the virtual machine startup and shutdown screen. 17

32 DDoS Secure VMware Virtual Edition Installation Guide Figure 13: VM Startup and Shutdown 5. Select Allow virtual machines to start and stop automatically with the system under System Settings, as shown in Figure 14 on page 18. Figure 14: VM Startup and Shutdown Startup Order 6. In the startup order window, select DDoS Secure appliance Primary under Manual Startup and click Move Up (in this case) twice for automatic startup, as shown in Figure 15 on page

33 Chapter 4: DDoS Secure Appliance Virtual Engine Installation Overview Figure 15: VM Startup and Shutdown Automatic Startup 7. Click Edit. The Virtual Machine Autostart Settings window is displayed. 8. Under Shutdown Settings, select Use specified settings and select Guest Shutdown from the Perform shutdown action drop-down, as shown in Figure 16 on page

34 DDoS Secure VMware Virtual Edition Installation Guide Figure 16: VM Autostart Settings 9. Click OK in the Virtual Machine Startup and Shutdown window. Figure 17 on page 21 displays the confirmation screen of Virtual Machine Startup and Shutdown window. 20

35 Chapter 4: DDoS Secure Appliance Virtual Engine Installation Overview Figure 17: Startup and Shutdown Confirmation 10. Click OK in the vsphere Client window. Figure 18 on page 21 displays the completion screen of Virtual Machine Startup and Shutdown window. Figure 18: Startup and Shutdown Complete Startup and Shutdown configuration for DDoS Secure appliance Primary is now complete. NOTE: If the entry is repeated multiple times, select another configuration option and then switch back to validate the screen above. 21

36 DDoS Secure VMware Virtual Edition Installation Guide Related Documentation Deploying a DDoS Secure Appliance Using the vsphere OVA Package on page 12 Tuning the Hardware Configuration of a DDoS Secure Appliance Virtual Engine on page 22 Powering On a DDoS Secure Appliance Virtual Engine on page 23 Understanding Sizing Requirements on page 119 Tuning the Hardware Configuration of a DDoS Secure Appliance Virtual Engine Increasing the number of vcpus will improve performance of the DDoS Secure appliance VE and increasing the memory will increase the number of servers the appliance VE will be capable of protecting. Increasing disk space will increase the logging retention capability. Alterations to vcpus, memory and disk space can only be done with the appliance powered off. Furthermore, the disk space cannot be changed after the appliance has been powered on and the software installed. Open the vsphere Client, select a appliance virtual machine from the inventory and select Edit Settings, this will open the Virtual Machine properties window. Use the recommended Virtual Machine Properties. Any memory configurations suggested by the vsphere client are not applicable to the appliance VE and should be ignored. Areas to consider are: CPUs Memory Disk Space Figure 19 on page 23 displays the Primary Virtual Machine Properties window. 22

37 Chapter 4: DDoS Secure Appliance Virtual Engine Installation Overview Figure 19: Primary Virtual Machine Properties Related Documentation Deploying a DDoS Secure Appliance Using the vsphere OVA Package on page 12 Powering On a DDoS Secure Appliance Virtual Engine on page 23 DDoS Secure Appliance Virtual Engine Startup and Shutdown on page 17 Understanding Sizing Requirements on page 119 Powering On a DDoS Secure Appliance Virtual Engine Before powering on for the first time, confirm that you have configured the correct amount of disk space as this cannot be subsequently changed. To power on a DDoS Secure appliance virtual engine: 1. Open the vsphere client, select a DDoS Secure appliance virtual machine from the inventory and power on the machine by typing Ctrl-B or using the mouse-click driven menus, as shown in Figure 20 on page

38 DDoS Secure VMware Virtual Edition Installation Guide Figure 20: DDoS Secure Appliance Power On When powering on your DDoS Secure appliance virtual machine for the first time, the DDoS Secure appliance software will automatically install and boot the DDoS Secure appliance VE up to the login: prompt. It will pause, requesting that VMtools Installation is enabled before this can complete. 2. Monitor the install by selecting the Console pane of the DDoS Secure appliance virtual machine, as shown in Figure 21 on page 24. Figure 21: DDoS Secure Appliance Package Installation 24

39 Chapter 4: DDoS Secure Appliance Virtual Engine Installation Overview Figure 22 on page 25 software packages being installed and the DDoS Secure appliance is waiting for VMtools to be installed. Figure 22: DDoS Secure Appliance Package Progression 3. Right click the Guest name in the Inventory and select Interactive Tools Upgrade, as shown in Figure 23 on page 25. Figure 23: DDoS Secure Appliance VMware Tools Screen 25

40 DDoS Secure VMware Virtual Edition Installation Guide The update screen appears after the VMtools CD has been detected, as shown in Figure 24 on page 26. Figure 24: DDoS Secure Appliance Package Update Screen When the installation has finished, you will be prompted to login at the console, as shown in Figure 25 on page 26. Figure 25: DDoS Secure Appliance Primary Console An IP address will be allocated by DHCP if it is available. If DHCP is not available, it will default to

41 Chapter 4: DDoS Secure Appliance Virtual Engine Installation Overview Related Documentation Deploying a DDoS Secure Appliance Using the vsphere OVA Package on page 12 Tuning the Hardware Configuration of a DDoS Secure Appliance Virtual Engine on page 22 DDoS Secure Appliance Virtual Engine Startup and Shutdown on page 17 Configuring the Management IP Address in a DDoS Secure Appliance To configure DDoS Secure appliance management IP address: 1. Login from the console with username configure and password configure. The following sets up the interface mapping, IP address, netmask, gateway and speed of the DDoS Secure appliance management interface. Replace the values shown with your appropriate settings to connect to your management network. 2. Enter the management IP address for accessing the DDoS Secure appliance GUI or CLI, as shown in Figure 26 on page 27. This IP address must not be in use elsewhere. Figure 26: IP Address Configuration 3. Enter the management IP netmask, as shown in Figure 27 on page 27. Figure 27: Netmask Configuration 4. Enter the management network gateway. This has to be in the same subnet as the management IP address, as shown in Figure 28 on page 27. Figure 28: Gateway Configuration 5. If you are satisfied with the input values, then enter y, as shown in Figure 29 on page 27. Figure 29: Input Values 6. Choose the Layer 2, Layer 23 or Layer 3 operational mode, as shown in Figure 30 on page

42 DDoS Secure VMware Virtual Edition Installation Guide Figure 30: Layer 2, Layer 23 or Layer 3 The DDoS Secure appliance normally works as a layer 2 device on the main data path that provides DDoS protection. However, there are circumstances where layer 2 will not work and the DDoS appliance needs to operate in a layer 3 type environment without the interfaces being in promiscuous mode. This mode is catered for, but does have limitations as described in the selection figure. Normally, you would select n at this point. Otherwise, you will need to define the appropriate IP addresses. The DDoS Secure appliance will re-configure and the console will return to the login prompt. Connecting to the DDoS Secure Appliance on page 28 First Boot on page 31 Understanding DDoS Secure Appliance Overview Page Information on page 33 Connecting to the DDoS Secure Appliance To connect to the DDoS Secure appliance: 1. Open a browser window on a management PC. It is recommended that the management PC is connected via the vswitch associated with the JS Management port group although access to the DDoS Secure appliance GUI and command line can also be gained via vswitches associated with the non-promiscuous Protected or Internet port groups (provided routing is in place). Whichever method is used, the management PC will need to be configured with an IP address that is routable to/from the management IP address of the DDoS Secure appliance. 2. Type in the address bar, where aaa.bbb.ccc.ddd is the IP address of the management interface of the appliance (factory default is ). A navigation block error is displayed, as shown in Figure 31 on page

43 Chapter 4: DDoS Secure Appliance Virtual Engine Installation Overview Figure 31: Navigation Block Error NOTE: The URL is prefixed with All traffic between the Management PC and the DDoS Secure appliance is encrypted. The DDoS Secure appliance produces a self-signed certificate for use in the secured communications. This certificate is recreated every time the appliance management interface IP address is reconfigured, or if there is less than a year to run when a software patch is applied. It is possible for the date to be invalid if the clocks on the DDoS Secure appliance and on the browser are significantly out of phase. It is possible to replace this certificate through the GUI. 3. View the certificate and install it to prevent the security alert every time you connect to the DDoS Secure appliance. 4. Click Process anyway if you are sure that you are trying to connect to the DDoS Secure appliance. The DDoS Secure appliance login page is displayed in Figure 32 on page

44 DDoS Secure VMware Virtual Edition Installation Guide Figure 32: DDoS Secure Appliance Log in Page 5. Click Login to access the DDoS Secure appliance. Alternatively, check Use Original GUI to access the older DDoS Secure interface. If the checkbox is pre-checked, DDoS Secure has determined that your browser does not support the new UI interface. 6. Enter the username and password when prompted. Figure 33 on page 31 displays the security log in page. 30

45 Chapter 4: DDoS Secure Appliance Virtual Engine Installation Overview Figure 33: Security Log in Page The default user name is user and the password is password. 7. Click Login. First Boot On the first connection, the licensing screen appears on the Management PC. Figure 34 on page 32 displays the first boot screen snippets. NOTE: The first time of use, you will be asked to accept the DDoS Secure EULA. 31

46 DDoS Secure VMware Virtual Edition Installation Guide Figure 34: First Boot Screen Snippets 32

47 Chapter 4: DDoS Secure Appliance Virtual Engine Installation Overview 1. Read the End User License Agreement carefully to make sure that you fully understand the Terms and Conditions. To accept the End User License Agreement: Click I Accept to accept the terms and conditions. Click Cancel to proceed no further. This will cause the system to power-off. On accepting the Terms and Conditions of the license, the DDoS Secure appliance will then display a second licensing screen. Figure 35 on page 33 displays the first boot accept screen snippet Figure 35: First Boot Accept Screen Snippet On accepting the Terms and Conditions of the license, the DDoS Secure appliance will redirect to the overview page. Understanding DDoS Secure Appliance Overview Page Information After successful authentication, the DDoS Secure appliance summary board is displayed. Figure 36 on page 34 displays the DDoS Secure appliance overview page. 33

48 DDoS Secure VMware Virtual Edition Installation Guide Figure 36: DDoS Secure Appliance Summary Board The options available are: Traffic Monitor Displays the average speed of data processed, both inbound and outbound, for the appliance. Load Status Displays how busy the DDoS Secure appliance engine is. Attack Status Displays how aggressively the DDoS Secure appliance is dropping traffic to defend the appropriate resources. Good Traffic Displays the distribution of where good traffic is coming from. Bad Traffic Displays distribution of where the bad traffic is coming from. Protected Performance Displays how busy a protected IP is from an aggregated Charm perspective, and what the average traffic to and from the IP is. Configuring a Pair of High Availability DDoS Secure Appliances DDoS Secure appliance VEs can be HA paired within the same inventory on the same ESX (i) server or on a different inventory on a different ESX (i) server providing they share network connectivity in your network design. Having an Active/Standby pair of DDoS Secure appliances means that (software) maintenance can be on one of the DDoS Secure appliances (such as an upgrade) while still having Internet traffic flowing. DDoS Secure appliance data share interfaces are used to synchronize configurations, state information and incident information between the active/standby pair. The Primary DDoS Secure appliance and the Secondary DDoS Secure appliance in a HA pair both require configuration of their data share IP addresses. 34

49 Chapter 4: DDoS Secure Appliance Virtual Engine Installation Overview To configure data share IP addresses: 1. Click Login symbol on the DDoS Secure portal. 2. You will then be prompted for a login and password. 3. Enter initial username as user and password as password. 4. Click OK. After successful authentication, on the first access, the DDoS Secure appliance page is displayed. 5. In the Left pane, click Configuration/Logs, which will bring up a new tab. 6. In the Left pane, click Configure Interfaces. The Data Share Interface Definition option is displayed, as shown in Figure 37 on page 35. Figure 37: Configure Interface Page - Data Share Interface 7. Under Data Share Interface Definition, enter the IP address and the network mask. NOTE: Both DDoS Secure appliance data share interfaces IP address must be unique and in the same (preferable RFC1918) subnet in order to connect. NOTE: Both DDoS Secure appliances must be connected to the same JS Protected, JS Internet and JS Management port groups so HA operation to be established. Related Documentation Tuning the Hardware Configuration of a DDoS Secure Appliance Virtual Engine on page 22 Installing Virtual Switches in a Network Adaptor on page 39 Powering On a DDoS Secure Appliance Virtual Engine on page 23 35