VMware Virtual Edition Installation Guide
Release
Copyright © 2013, Juniper Networks, Inc.
Copyright © Webscreen Technology 2001-2013
Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.
Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.
DDoS Secure VMware Virtual Edition Installation Guide Copyright © 2013, Juniper Networks, Inc.
All rights reserved.
The information in this document is current as of the date on the title page.
YEAR 2000 NOTICE
Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.
END USER LICENSE AGREEMENT
The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License Agreement (“EULA”) posted at http://www.juniper.net/support/eula.html. By downloading, installing or using such software, you agree to the terms and conditions of that EULA.
About the Documentation
Documentation and Release Notes
Documentation Conventions
Documentation Feedback
Requesting Technical Support
Self-Help Online Tools and Resources
Opening a Case with JTAC
Part 1
VMware Virtual Edition Installation
Chapter 1 DDoS Secure VMware Virtual Edition Overview
DDoS Secure VMware Virtual Edition Overview
Chapter 2 Prerequisites for Installing a DDoS Secure Appliance Virtual Edition
Physical Interface Requirements for Installing a DDoS Secure Appliance VE
Chapter 3 ESX (i) Server Preparation
Preparing to Configure an ESX (i) Server
Chapter 4 DDoS Secure Appliance Virtual Engine Installation Overview
Deploying a DDoS Secure Appliance Using the vSphere OVA Package
DDoS Secure Appliance Virtual Engine Startup and Shutdown
Tuning the Hardware Configuration of a DDoS Secure Appliance Virtual Engine
Powering On a DDoS Secure Appliance Virtual Engine
Configuring the Management IP Address in a DDoS Secure Appliance
Connecting to the DDoS Secure Appliance
First Boot
Understanding DDoS Secure Appliance Overview Page Information
Configuring a Pair of High Availability DDoS Secure Appliances
Part 2
Appendix
Appendix A Installing Virtual Switches in a Network Adaptor
Installing Virtual Switches in a Network Adaptor
Adding JS Protected and Protected LAN Port Groups
Adding a JS Data Share Port Group
Adding a JS Internet Port Group
Appendix B Installing an Existing Single NIC ESX (i) Server
Installing an Existing Single NIC ESX (i) Server
Adding JS Protected and Protected LAN Port Groups in a NIC ESX (i) Server
Adding a JS Data Share Port Group to a NIC ESX (i) Server
Adding a JS Internet Port Group to a NIC ESX (i) Server
Appendix C Installing and Configuring a New ESX (i) Server
Installing and Configuring a New ESX (i) Server
Installing an ESX (i) Server
Connecting to vSphere
Configuring vSwitch0 in the DDoS Secure Appliance Management Interface(s)
Creating Internet Traffic for a DDoS Secure Appliance
Configuring a Data Share Port Group in a DDoS Secure Appliance
Setting a DDoS Secure Appliance Protected Interface to Promiscuous Mode
Changing the Configuration Settings in an ESX (i) Server VMNIC Interface
Appendix D Reassigning the Existing VM Network Interfaces in a VM Server
Reassigning the Existing VM Network Interfaces in a VM Server
Appendix E Troubleshooting
Reconfiguring a vSphere Client
Appendix F Understanding Sizing Requirements
Understanding Sizing Requirements
Appendix G NUMA Tuning
Tuning in a NUMA Environment
About the Documentation
• Documentation and Release Notes on page xi
• Documentation Conventions on page xi
• Documentation Feedback on page xiii
• Requesting Technical Support on page xiii
Documentation and Release Notes
To obtain the most current version of all Juniper Networks® technical documentation, see the product documentation page on the Juniper Networks website at http://www.juniper.net/techpubs/.
If the information in the latest release notes differs from the information in the documentation, follow the product Release Notes.
Juniper Networks Books publishes books by Juniper Networks engineers and subject matter experts. These books go beyond the technical documentation to explore the nuances of network architecture, deployment, and administration. The current list can be viewed at http://www.juniper.net/books.
Documentation Conventions
Table 1: Notice Icons
Meaning | Description
Informational note | Indicates important features or instructions.
Caution | Indicates a situation that might result in loss of data or hardware damage.
Warning | Alerts you to the risk of personal injury or death.
Laser warning | Alerts you to the risk of personal injury from a laser.
Table 2 on page xii defines the text and syntax conventions used in this guide.
Table 2: Text and Syntax Conventions
Convention: Bold text like this
Description: Represents text that you type.
Examples: To enter configuration mode, type the configure command: user@host> configure

Convention: Fixed-width text like this
Description: Represents output that appears on the terminal screen.
Examples: user@host> show chassis alarms
No alarms currently active

Convention: Italic text like this
Description:
• Introduces or emphasizes important new terms.
• Identifies guide names.
• Identifies RFC and Internet draft titles.
Examples:
• A policy term is a named structure that defines match conditions and actions.
• Junos OS CLI User Guide
• RFC 1997, BGP Communities Attribute

Convention: Italic text like this
Description: Represents variables (options for which you substitute a value) in commands or configuration statements.
Examples: Configure the machine’s domain name:
[edit]
root@# set system domain-name domain-name

Convention: Text like this
Description: Represents names of configuration statements, commands, files, and directories; configuration hierarchy levels; or labels on routing platform components.
Examples:
• To configure a stub area, include the stub statement at the [edit protocols ospf area area-id] hierarchy level.
• The console port is labeled CONSOLE.

Convention: < > (angle brackets)
Description: Encloses optional keywords or variables.
Examples: stub <default-metric metric>;

Convention: | (pipe symbol)
Description: Indicates a choice between the mutually exclusive keywords or variables on either side of the symbol. The set of choices is often enclosed in parentheses for clarity.
Examples: broadcast | multicast
(string1 | string2 | string3)

Convention: # (pound sign)
Description: Indicates a comment specified on the same line as the configuration statement to which it applies.
Examples: rsvp { # Required for dynamic MPLS only

Convention: [ ] (square brackets)
Description: Encloses a variable for which you can substitute one or more values.
Examples: community name members [ community-ids ]

Convention: Indention and braces ( { } )
Description: Identifies a level in the configuration hierarchy.
Examples: [edit] routing-options { static { route default { nexthop address; retain; } } }

Convention: ; (semicolon)
Description: Identifies a leaf statement at a configuration hierarchy level.
Examples: [edit] routing-options { static { route default { nexthop address; retain; } } }

GUI Conventions
Convention: Bold text like this
Description: Represents graphical user interface (GUI) items you click or select.
Examples:
• In the Logical Interfaces box, select All Interfaces.
• To cancel the configuration, click Cancel.

Convention: > (bold right angle bracket)
Description: Separates levels in a hierarchy of menu selections.
Examples: In the configuration editor hierarchy, select Protocols>Ospf.
Documentation Feedback
We encourage you to provide feedback, comments, and suggestions so that we can improve the documentation. You can send your comments to [email protected], or fill out the documentation feedback form at https://www.juniper.net/cgi-bin/docbugreport/. If you are using e-mail, be sure to include the following information with your comments:
• Document or topic name
• URL or page number
• Software release version (if applicable)
Requesting Technical Support
or are covered under warranty, and need post-sales technical support, you can access our tools and resources online or open a case with JTAC.
• JTAC policies—For a complete understanding of our JTAC procedures and policies, review the JTAC User Guide located at http://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf.
• Product warranties—For product warranty information, visit http://www.juniper.net/support/warranty/.
• JTAC hours of operation—The JTAC centers have resources available 24 hours a day, 7 days a week, 365 days a year.
Self-Help Online Tools and Resources
For quick and easy problem resolution, Juniper Networks has designed an online self-service portal called the Customer Support Center (CSC) that provides you with the following features:
• Find CSC offerings: http://www.juniper.net/customers/support/
• Search for known bugs: http://www2.juniper.net/kb/
• Find product documentation: http://www.juniper.net/techpubs/
• Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/
• Download the latest versions of software and review release notes: http://www.juniper.net/customers/csc/software/
• Search technical bulletins for relevant hardware and software notifications: https://www.juniper.net/alerts/
• Join and participate in the Juniper Networks Community Forum: http://www.juniper.net/company/communities/
• Open a case online in the CSC Case Management tool: http://www.juniper.net/cm/
To verify service entitlement by product serial number, use our Serial Number Entitlement (SNE) Tool: https://tools.juniper.net/SerialNumberEntitlementSearch/
Opening a Case with JTAC
You can open a case with JTAC on the Web or by telephone.
• Use the Case Management tool in the CSC at http://www.juniper.net/cm/.
• Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico). For international or direct-dial options in countries without toll-free numbers, see http://www.juniper.net/support/requesting-support.html.
• DDoS Secure VMware Virtual Edition Overview on page 3
• Prerequisites for Installing a DDoS Secure Appliance Virtual Edition on page 7
• ESX (i) Server Preparation on page 9
Overview
• DDoS Secure VMware Virtual Edition Overview on page 3
DDoS Secure VMware Virtual Edition Overview
This chapter provides an overview of the VMware Virtual Edition (VE). Figure 1 on page 4 illustrates the Virtual Edition with DDoS external server protection system and
Figure 1: Virtual Edition with DDoS Protection System (External Servers Protection)
Figure 2: Virtual Edition with DDoS Protection System (VM Servers Protection)
The DDoS Secure appliance Virtual Edition provides the freedom and operational flexibility to install a fully automatic DDoS protection system for any hardware platform running VMware ESX (i) v4 or later server software.
The DDoS Secure appliance VMware solution is placed between the JS Internet port group and the port group JS Protected as a layer 2 device controlling the flow between the two switches. The solution is scalable for performance by adding in virtual CPUs and scalable for IP protection by adding in more virtual memory (subject to license key). High Availability primary and secondary instances of DDoS Secure appliance VE are connected to the JS Data Share port group. This connection is then used to synchronize the configuration and other information of the DDoS Secure appliance VE standby/active pair.
Related Documentation
• Physical Interface Requirements for Installing a DDoS Secure Appliance VE on page 7
• Preparing to Configure an ESX (i) Server on page 9
Appliance Virtual Edition
• Physical Interface Requirements for Installing a DDoS Secure Appliance VE on page 7
Physical Interface Requirements for Installing a DDoS Secure Appliance VE
Table 3 on page 7 describes the prerequisites to be met before installing DDoS Secure appliance VE.
Table 3: DDoS Secure Appliance VE Prerequisites
Prerequisite: 64-bit hardware assisted virtualization support enabled
Component type(s): Intel-VTx or equivalent with 64-bit support
Comments: Provides support to run a 64-bit virtual guest. VT is usually enabled through the BIOS settings of the host.

Prerequisite: Bare-Metal Embedded Hypervisor
Component type(s): VMware ESX (i) 4.1 Server or above
Comments: Provides a virtualization layer that abstracts the processor, memory, storage, and networking resources of the physical host into multiple virtual machines. You can install ESX (i) installable on any hard drive on your physical server.

Prerequisite: Virtual Infrastructure Management Tool
Component type(s): VMware vSphere Client
Comments: Installs on a Windows PC and is the primary method of interaction with VMware vSphere. The vSphere client acts as a console to operate virtual machines and as an administration interface into ESX (i) hosts. The vSphere client is downloadable from the vCenter server system and ESX (i) hosts. The vSphere client includes documentation for administrators and console users.

Prerequisite: DDoS Secure appliance Virtual Edition Product package
Component type(s): OVA package
Comments: Deploys the DDoS Secure appliance Virtual Edition (VE) on to an ESX (i) server using a vSphere client. The DDoS Secure appliance Virtual Edition (VE) Product package is downloadable from the Juniper Network website: https://juniper.net (login required).

Component type(s): Virtual managed in vSphere environment
Comments: At least 800MB free of virtual RAM to allocate to each DDoS Secure appliance VE.

Prerequisite: Datastore
Component type(s): Virtual disk managed in vSphere environment
Comments: At least 11GB of free space for each DDoS Secure appliance VE.

Prerequisite: CPU
Component type(s): Virtual CPU
Comments: At least one virtual CPU. Preferably two or more.

Prerequisite: Management Network
Component type(s): 1 x vSwitch, 1 x Port Group
Comments: Connects existing management traffic and DDoS Secure appliance VE(s) together through a port group ManagementLan.

Prerequisite: Internet Network
Component type(s): 1 x vSwitch, 1 x Dedicated Port Group
Comments: It is recommended that the physical Internet Gateway router/switch is connected to a vSwitch with a dedicated vmnic. The DDoS Secure appliance Internet interface must be connected to this vSwitch using a JS Internet port group configured in promiscuous mode.

Prerequisite: Protected Network
Component type(s): 1 x vSwitch, 1 x Dedicated Port Group, 1 x Port Group
Comments: It is recommended that firewalls/load balancers/servers and so on are connected to a vSwitch with port group ProtectedLAN so that their traffic is routed using the DDoS Secure appliance transparently to and from the internet gateway. DDoS Secure appliance protected interfaces must be connected to this vSwitch using a dedicated JS Protected port group configured in promiscuous mode.

Prerequisite: Data Share Network
Component type(s): 1 x vSwitch, 1 x Port Group
Comments: DDoS Secure appliance VE can be paired to provide a highly available active/standby pair. The port group is labeled as JS Data Share.
Related Documentation
• DDoS Secure VMware Virtual Edition Overview on page 3
• Preparing to Configure an ESX (i) Server on page 9
• Deploying a DDoS Secure Appliance Using the vSphere OVA Package on page 12
• Preparing to Configure an ESX (i) Server on page 9
Preparing to Configure an ESX (i) Server
The ESX (i) server may have been built in any of several different ways, or may not yet have been built.
There are three generic build scenarios, and most existing ESX (i) configurations should map into one of them:
1. Two (or more) NIC interfaces in use—Existing 2+ NIC ESX (i) Installation.
2. Single (possibly teamed) NIC interface in use—Existing Single NIC ESX (i) Installation.
3. Initial build of ESX (i) server—New ESX (i) Installation.
Verify which is the most appropriate scenario to use to reconfigure/update the ESX (i) internal networking layout.
NOTE: This preparation work MUST be done prior to installing the DDoS Secure appliance VMware instance.
The ESX (i) server may be restricted in the number of physical interfaces, so it may not be possible to associate each vSwitch with a dedicated physical interface.
The Management Lan port group and JS Data Share port group must not be on the same vSwitch, unless they are in different VLANs.
The JS Internet port group and JS Protected port group must not be on the same vSwitch, unless they are in different VLANs.
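The two separation rules above, together with the promiscuous-mode requirement for the JS Internet and JS Protected port groups in Table 3, can be checked against a port-group inventory before the appliance is deployed. The following Python script is an added example, not part of the Juniper guide or product; the CSV inventory format, the sample layouts and the extra check for promiscuous mode on other port groups are assumptions made for illustration.

```python
import csv
import io
from dataclasses import dataclass


@dataclass(frozen=True)
class PortGroup:
    name: str
    vswitch: str
    vlan_id: int        # 0 = untagged
    promiscuous: bool   # True when the port group's Promiscuous Mode is Accept


# Rules stated in the guide (port group labels as the guide writes them).
SEPARATED_PAIRS = [
    ("Management Lan", "JS Data Share"),
    ("JS Internet", "JS Protected"),
]
NEEDS_PROMISCUOUS = {"JS Internet", "JS Protected"}

# Constructed sample inventories in an assumed CSV layout (not a VMware export).
SINGLE_NIC_LAYOUT = """\
name,vswitch,vlan_id,promiscuous
Management Lan,vSwitch0,0,Reject
JS Data Share,vSwitch0,0,Reject
JS Internet,vSwitch0,10,Accept
JS Protected,vSwitch0,20,Reject
Protected LAN,vSwitch0,20,Accept
"""

DUAL_NIC_LAYOUT = """\
name,vswitch,vlan_id,promiscuous
Management Lan,vSwitch0,0,Reject
JS Internet,vSwitch1,0,Accept
JS Protected,vSwitch2,0,Accept
Protected LAN,vSwitch2,0,Reject
JS Data Share,vSwitch3,0,Reject
"""


def load_inventory(text):
    """Parse the assumed CSV inventory into PortGroup records."""
    rows = csv.DictReader(io.StringIO(text))
    return [
        PortGroup(
            name=row["name"].strip(),
            vswitch=row["vswitch"].strip(),
            vlan_id=int(row["vlan_id"]),
            promiscuous=row["promiscuous"].strip().lower() == "accept",
        )
        for row in rows
    ]


def audit(port_groups):
    """Return a list of findings; an empty list means the layout passes."""
    by_name = {pg.name: pg for pg in port_groups}
    findings = []

    # Every port group named in a separation rule has to exist.
    required = {name for pair in SEPARATED_PAIRS for name in pair}
    for name in sorted(required - set(by_name)):
        findings.append(f"MISSING: port group '{name}' is not defined")

    # Same vSwitch is only acceptable when the VLAN IDs differ.
    for first, second in SEPARATED_PAIRS:
        a, b = by_name.get(first), by_name.get(second)
        if a and b and a.vswitch == b.vswitch and a.vlan_id == b.vlan_id:
            findings.append(
                f"SEPARATION: '{first}' and '{second}' share "
                f"{a.vswitch} in VLAN {a.vlan_id}"
            )

    for pg in port_groups:
        if pg.name in NEEDS_PROMISCUOUS and not pg.promiscuous:
            # Requirement from Table 3 of the guide.
            findings.append(
                f"PROMISCUOUS-OFF: '{pg.name}' must be in promiscuous mode"
            )
        elif pg.name not in NEEDS_PROMISCUOUS and pg.promiscuous:
            # Added hardening check, not stated in the guide: other port
            # groups have no need to see traffic addressed to other ports.
            findings.append(
                f"PROMISCUOUS-EXTRA: '{pg.name}' accepts promiscuous mode "
                f"but the guide does not require it"
            )
    return findings


if __name__ == "__main__":
    for label, text in (("single NIC", SINGLE_NIC_LAYOUT),
                        ("dual NIC", DUAL_NIC_LAYOUT)):
        results = audit(load_inventory(text))
        print(label, "->", results if results else "no findings")
```
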
Related Documentation
• Physical Interface Requirements for Installing a DDoS Secure Appliance VE on page 7
• DDoS Secure VMware Virtual Edition Overview on page 3
Installation Overview
To install the DDoS Secure appliance VE, you will need to deploy a DDoS Secure appliance OVF Template package onto the VMware ESX (i) server via a vSphere client. The vSphere configuration wizard guides you through the initial configuration and allows you to change the virtual machine name, disk format and the network mapping.
There are two variants of the Open Virtualization Format (OVF). One variant is for general use and the other variant is for light use (that is, demo on laptop).
Table 4 on page 11 describes the initial default configuration contained in the OVF:
Table 4: Default Configurations in OVF
RESOURCE | VALUE (light use) | GENERAL VALUE
vCPU | 2 vCPU | 4 vCPU
Virtual Disk | 15GB | 100GB
Memory | 1000 MB | 6000 MB
Network Interfaces | 4 | 4
These defaults will probably need to be changed to suit your network usage: bandwidth requirements, the number of protected servers, and the number of tracked IP addresses and TCP connections. Resource values must be changed using the vSphere client user interface before powering on the virtual machine for the first time.
• Deploying a DDoS Secure Appliance Using the vSphere OVA Package on page 12
• DDoS Secure Appliance Virtual Engine Startup and Shutdown on page 17
• Tuning the Hardware Configuration of a DDoS Secure Appliance Virtual Engine on page 22
• Powering On a DDoS Secure Appliance Virtual Engine on page 23
• Configuring the Management IP Address in a DDoS Secure Appliance on page 27
Deploying a DDoS Secure Appliance Using the vSphere OVA Package
To deploy an appliance using the vSphere OVA package:
1. Verify that you have created all the necessary port groups.
2. In vSphere client, select the appropriate host or resource pool.
3. Select File > Deploy OVF Template to invoke the Deploy OVF template wizard, as shown in Figure 3 on page 12.
Figure 3: Deploy OVF Template
The Deploy OVF Template wizard will be invoked and will request selection of an OVA package. Use the OVA package previously downloaded from the DDoS Secure appliance Technology website. The OVA package can be identified by the following naming format:
DDoS Secure appliance[VERSION].[ARCH].ova
DDoS Secure applianceFC11_64-4.0.2-2.x86_64.ova
ddossecureCENTOS_6_3-lite-5.13.2-0.x86_64.ova
4. Specify your OVA file or click Browse to browse for it and then click Next to continue.
Figure 4 on page 13 displays the OVF template details.
Figure 4: OVF Template Details
5. The Wizard reads and verifies the OVF template details. Click Next to continue.
Figure 5 on page 13 displays the EULA screen.
Figure 5: EULA - Accept
Figure 6: EULA Name
7. A suggested default VM name is provided. Rename this to DDoS Secure appliance Primary (DDoS Secure appliance Secondary, if this is the second instance for a HA pair), or any other suitable name. Figure 7 on page 14 displays the screen to enter the name and location.
Figure 7: EULA – Name and Location
8. Click Next to continue. Figure 8 on page 15 displays the screen with disk format details.
Figure 8: Disk Format
9. Select the disk format in which the DDoS Secure appliance VE files are stored. You must choose Thick provisioned format (the default format).
10. Click Next to continue. Figure 9 on page 15 displays the network mapping screen.
11. Map the networks used in the OVF template to the networks defined in your inventory. If the port groups have been labeled as previously described, no changes are required. However, if there are differences, for each source network choose an appropriate destination network by selecting an inventory network from the destination networks drop-down select box.
12. Click Next to continue. Figure 10 on page 16 displays the ready to complete screen.
Figure 10: Ready to Complete
13. Review the configured settings and click Finish to start the deployment process. This completes the wizard process, and the Deploy OVF Template window will now close. It may take a few minutes for the new machine to be deployed in the vSphere client inventory. Figure 11 on page 16 displays the deployment completion message.
Figure 11: Deployment Confirmation
Upon deployment, a window box will appear stating that the deployment has been successful.
14. Click Close to continue.
Related Documentation
• DDoS Secure Appliance Virtual Engine Startup and Shutdown on page 17
• Tuning the Hardware Configuration of a DDoS Secure Appliance Virtual Engine on page 22
• Powering On a DDoS Secure Appliance Virtual Engine on page 23
• Physical Interface Requirements for Installing a DDoS Secure Appliance VE on page 7
DDoS Secure Appliance Virtual Engine Startup and Shutdown
To start or shut down a virtual machine:
1. Open the vSphere client.
2. Select the ESX (i) host in the inventory.
3. Select the Configuration tab and click Virtual Machine Startup Shutdown.
Figure 12 on page 17 displays the vSphere primary client screen.
Figure 12: vSphere Client - Primary
4. Click Properties on the same line as Virtual Machine startup and shutdown.
Figure 13: VM Startup and Shutdown
5. Select Allow virtual machines to start and stop automatically with the system under System Settings, as shown in Figure 14 on page 18.
Figure 14: VM Startup and Shutdown – Startup Order
6. In the startup order window, select DDoS Secure appliance Primary under Manual Startup and click Move Up (in this case) twice for automatic startup, as shown in Figure 15 on page 19.
Figure 15: VM Startup and Shutdown – Automatic Startup
7. Click Edit.
The Virtual Machine Autostart Settings window is displayed.
Figure 16: VM Autostart Settings
9. Click OK in the Virtual Machine Startup and Shutdown window. Figure 17 on page 21 displays the confirmation screen of Virtual Machine Startup and Shutdown window.
Figure 17: Startup and Shutdown – Confirmation
10. Click OK in the vSphere Client window. Figure 18 on page 21 displays the completion screen of Virtual Machine Startup and Shutdown window.
Figure 18: Startup and Shutdown – Complete
Startup and Shutdown configuration for DDoS Secure appliance Primary is now complete.
Related Documentation
• Deploying a DDoS Secure Appliance Using the vSphere OVA Package on page 12
• Tuning the Hardware Configuration of a DDoS Secure Appliance Virtual Engine on page 22
• Powering On a DDoS Secure Appliance Virtual Engine on page 23
• Understanding Sizing Requirements on page 119
Tuning the Hardware Configuration of a DDoS Secure Appliance Virtual Engine
Increasing the number of vCPUs will improve performance of the DDoS Secure appliance VE and increasing the memory will increase the number of servers the appliance VE will be capable of protecting. Increasing disk space will increase the logging retention capability.
Alterations to vCPUs, memory and disk space can only be done with the appliance powered off. Furthermore, the disk space cannot be changed after the appliance has been powered on and the software installed.
Open the vSphere Client, select an appliance virtual machine from the inventory and select Edit Settings. This will open the Virtual Machine properties window.
Use the recommended Virtual Machine Properties. Any memory configurations suggested by the vSphere client are not applicable to the appliance VE and should be ignored. Areas to consider are:
• CPUs
• Memory
• Disk Space
Figure 19 on page 23 displays the Primary Virtual Machine Properties window.
Figure 19: Primary Virtual Machine Properties
Related Documentation
• Deploying a DDoS Secure Appliance Using the vSphere OVA Package on page 12
• Powering On a DDoS Secure Appliance Virtual Engine on page 23
• DDoS Secure Appliance Virtual Engine Startup and Shutdown on page 17
• Understanding Sizing Requirements on page 119
Powering On a DDoS Secure Appliance Virtual Engine
Before powering on for the first time, confirm that you have configured the correct amount of disk space as this cannot be subsequently changed. To power on a DDoS Secure appliance virtual engine:
Figure 20: DDoS Secure Appliance Power On
When powering on your DDoS Secure appliance virtual machine for the first time, the DDoS Secure appliance software will automatically install and boot the DDoS Secure appliance VE up to the login: prompt. It will pause, requesting that VMtools Installation is enabled before this can complete.
2. Monitor the install by selecting the Console pane of the DDoS Secure appliance virtual machine, as shown in Figure 21 on page 24.
Figure 21: DDoS Secure Appliance Package Installation
Figure 22 on page 25 displays the software packages being installed while the DDoS Secure appliance waits for VMtools to be installed.
Figure 22: DDoS Secure Appliance Package Progression
3. Right-click the Guest name in the Inventory and select Interactive Tools Upgrade, as shown in Figure 23 on page 25.
The update screen appears after the VMtools CD has been detected, as shown in Figure 24 on page 26.
Figure 24: DDoS Secure Appliance Package Update Screen
When the installation has finished, you will be prompted to log in at the console, as shown in Figure 25 on page 26.
Figure 25: DDoS Secure Appliance Primary Console
An IP address will be allocated by DHCP if it is available. If DHCP is not available, it will default to 192.168.0.196.
Related Documentation
• Deploying a DDoS Secure Appliance Using the vSphere OVA Package on page 12
• Tuning the Hardware Configuration of a DDoS Secure Appliance Virtual Engine on page 22
• DDoS Secure Appliance Virtual Engine Startup and Shutdown on page 17
Configuring the Management IP Address in a DDoS Secure Appliance
To configure the DDoS Secure appliance management IP address:
1. Log in from the console with username configure and password configure.
The following sets up the interface mapping, IP address, netmask, gateway and speed of the DDoS Secure appliance management interface. Replace the values shown with your appropriate settings to connect to your management network.
2. Enter the management IP address for accessing the DDoS Secure appliance GUI or CLI, as shown in Figure 26 on page 27. This IP address must not be in use elsewhere.
Figure 26: IP Address Configuration
3. Enter the management IP netmask, as shown in Figure 27 on page 27.
Figure 27: Netmask Configuration
4. Enter the management network gateway. This has to be in the same subnet as the management IP address, as shown in Figure 28 on page 27.
Figure 28: Gateway Configuration
5. If you are satisfied with the input values, then enter y, as shown in Figure 29 on page 27.
Figure 29: Input Values
6. Choose the Layer 2, Layer 23 or Layer 3 operational mode, as shown in Figure 30.
Figure 30: Layer 2, Layer 23 or Layer 3
The DDoS Secure appliance normally works as a layer 2 device on the main data path that provides DDoS protection. However, there are circumstances where layer 2 will not work and the DDoS appliance needs to operate in a layer 3 type environment without the interfaces being in promiscuous mode. This mode is catered for, but does have limitations as described in the selection figure. Normally, you would select n at this point. Otherwise, you will need to define the appropriate IP addresses.
The DDoS Secure appliance will re-configure and the console will return to the login prompt.
• Connecting to the DDoS Secure Appliance on page 28
• First Boot on page 31
• Understanding DDoS Secure Appliance Overview Page Information on page 33
Connecting to the DDoS Secure Appliance
To connect to the DDoS Secure appliance:
1. Open a browser window on a management PC. It is recommended that the management PC is connected via the vSwitch associated with the JS Management port group although access to the DDoS Secure appliance GUI and command line can also be gained via vSwitches associated with the non-promiscuous Protected or Internet port groups (provided routing is in place). Whichever method is used, the management PC will need to be configured with an IP address that is routable to/from the management IP address of the DDoS Secure appliance.
2. Type https://aaa.bbb.ccc.ddd in the address bar, where aaa.bbb.ccc.ddd is the IP address of the management interface of the appliance (factory default is 192.168.0.196). A navigation block error is displayed, as shown in Figure 31 on page 29.
Figure 31: Navigation Block Error
NOTE: The URL is prefixed with https://.
All traffic between the Management PC and the DDoS Secure appliance is encrypted.
The DDoS Secure appliance produces a self-signed certificate for use in the secured communications. This certificate is recreated every time the appliance management interface IP address is reconfigured, or if there is less than a year to run when a software patch is applied. It is possible for the date to be invalid if the clocks on the DDoS Secure appliance and on the browser are significantly out of phase. It is possible to replace this certificate through the GUI.
3. View the certificate and install it to prevent the security alert every time you connect to the DDoS Secure appliance.
Figure 32: DDoS Secure Appliance Log in Page
5. Click Login to access the DDoS Secure appliance.
Alternatively, check Use Original GUI to access the older DDoS Secure interface. If the checkbox is pre-checked, DDoS Secure has determined that your browser does not support the new UI interface.
6. Enter the username and password when prompted. Figure 33 on page 31 displays the security log in page.
Figure 33: Security Log in Page
The default user name is user and the password is password.
7. Click Login.
First Boot
On the first connection, the licensing screen appears on the Management PC.
Figure 34 on page 32 displays the first boot screen snippets.
Figure 34: First Boot Screen Snippets
1. Read the End User License Agreement carefully to make sure that you fully understand the Terms and Conditions.
To accept the End User License Agreement: Click I Accept to accept the terms and conditions. Click Cancel to proceed no further.
This will cause the system to power-off.
On accepting the Terms and Conditions of the license, the DDoS Secure appliance will then display a second licensing screen. Figure 35 on page 33 displays the first boot accept screen snippet.
Figure 35: First Boot Accept Screen Snippet
On accepting the Terms and Conditions of the license, the DDoS Secure appliance will redirect to the overview page.
Understanding DDoS Secure Appliance Overview Page Information
After successful authentication, the DDoS Secure appliance summary board is displayed.
Figure 36: DDoS Secure Appliance Summary Board
The options available are:
• Traffic Monitor — Displays the average speed of data processed, both inbound and outbound, for the appliance.
• Load Status — Displays how busy the DDoS Secure appliance engine is.
• Attack Status — Displays how aggressively the DDoS Secure appliance is dropping traffic to defend the appropriate resources.
• Good Traffic — Displays the distribution of where good traffic is coming from.
• Bad Traffic — Displays the distribution of where bad traffic is coming from.
• Protected Performance — Displays how busy a protected IP is from an aggregated Charm perspective, and what the average traffic to and from the IP is.
Configuring a Pair of High Availability DDoS Secure Appliances
DDoS Secure appliance VEs can be HA paired within the same inventory on the same ESX (i) server or on a different inventory on a different ESX (i) server providing they share network connectivity in your network design.
Having an Active/Standby pair of DDoS Secure appliances means that (software) maintenance, such as an upgrade, can be carried out on one of the DDoS Secure appliances while Internet traffic is still flowing.
DDoS Secure appliance data share interfaces are used to synchronize configurations, state information and incident information between the active/standby pair.
The Primary DDoS Secure appliance and the Secondary DDoS Secure appliance in a HA pair both require configuration of their data share IP addresses.
To configure data share IP addresses:
1. Click the Login symbol on the DDoS Secure portal.
2. You will then be prompted for a login and password.
3. Enter initial username as user and password as password.
4. Click OK.
After successful authentication, on the first access, the DDoS Secure appliance page is displayed.
5. In the Left pane, click Configuration/Logs, which will bring up a new tab.
6. In the Left pane, click Configure Interfaces. The Data Share Interface Definition option is displayed, as shown in Figure 37 on page 35.
Figure 37: Configure Interface Page - Data Share Interface
7. Under Data Share Interface Definition, enter the IP address and the network mask.
NOTE: The data share interface IP addresses of the two DDoS Secure appliances must be unique and in the same (preferably RFC1918) subnet in order to connect.
NOTE: Both DDoS Secure appliances must be connected to the same JS Protected, JS Internet and JS Management port groups for HA operation to be established.
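The addressing rules stated in this guide (the management gateway must be in the same subnet as the management IP address; the two data share addresses must be unique and in the same, preferably RFC1918, subnet) can be checked before the values are typed at the console or into the GUI. The following Python sketch is an added example, not part of the Juniper guide; the function names are hypothetical and every address in it is a constructed sample value.

```python
import ipaddress

# RFC1918 private ranges, which the guide prefers for the data share subnet.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _iface(ip, netmask):
    """Parse an address plus dotted netmask as they are entered on the appliance."""
    return ipaddress.ip_interface(f"{ip}/{netmask}")


def check_management(ip, netmask, gateway):
    """Return a list of problems with the management IP, netmask and gateway."""
    try:
        iface = _iface(ip, netmask)
        gw = ipaddress.ip_address(gateway)
    except ValueError as exc:  # bad octets or a non-contiguous netmask
        return [f"unparseable value: {exc}"]
    net, problems = iface.network, []
    if gw not in net:
        problems.append(f"gateway {gw} is outside management subnet {net}")
    if gw == iface.ip:
        problems.append("gateway and management IP are the same address")
    if net.prefixlen < 31 and iface.ip in (net.network_address,
                                           net.broadcast_address):
        problems.append(f"{iface.ip} is the network or broadcast address of {net}")
    return problems


def check_data_share(primary_ip, secondary_ip, netmask):
    """Return (problems, notes) for the data share addresses of an HA pair."""
    try:
        pri, sec = _iface(primary_ip, netmask), _iface(secondary_ip, netmask)
    except ValueError as exc:
        return [f"unparseable value: {exc}"], []
    problems, notes = [], []
    if pri.ip == sec.ip:
        problems.append(f"both appliances use {pri.ip}; addresses must be unique")
    if pri.network != sec.network:
        problems.append(f"{pri.ip} and {sec.ip} fall in different subnets "
                        f"({pri.network} vs {sec.network})")
    for iface in (pri, sec):
        # "Preferably RFC1918" is a preference in the guide, so only a note.
        if not any(iface.ip in n for n in RFC1918):
            notes.append(f"{iface.ip} is not RFC1918 address space")
    return problems, notes


if __name__ == "__main__":
    # Constructed sample values for a management network and an HA pair.
    print(check_management("10.20.0.10", "255.255.255.0", "10.20.1.1"))
    print(check_data_share("172.16.99.1", "172.16.99.2", "255.255.255.252"))
```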
Related Documentation
• Tuning the Hardware Configuration of a DDoS Secure Appliance Virtual Engine on page 22
• Installing Virtual Switches in a Network Adaptor on page 39
• Installing an Existing Single NIC ESX (i) Server on page 69
• Installing and Configuring a New ESX (i) Server on page 97
• Reassigning the Existing VM Network Interfaces in a VM Server on page 113
• Troubleshooting on page 117
• Understanding Sizing Requirements on page 119
Installing Virtual Switches in a Network Adaptor
You need to separate the source of your unprotected traffic from the network segment hosting your servers by using two separate virtual switches, one for each area. The DDoS Secure appliance Virtual Edition will be bridging these two virtual switches and hence control what is and is not allowed to flow between them.
The source of unprotected traffic might be an external network (for example, Internet Gateway) connected to an ESX (i) network adaptor or it might already be on a separate virtual network which is routed or bridged to your server virtual network.
In the rest of this appendix, we will refer to port groups associated with two virtual switches as the JS Internet port group (carrying unprotected traffic) and the JS Protected and Protected LAN port groups (carrying protected traffic).
Wherever Unprotected xxx is referred to, the port group is likely to be called something else on the original ESX (i) configuration, the default being VM Network. Substitute as appropriate.
Figure 38: Example of ESX (i) Server
The following sections outline the steps required for reconfiguring the example dual NIC ESX (i) Server:
• Add new vSwitch C and attach a new JS Protected port group (connects to DDoS Secure appliance) and a new Protected LAN port group (connects to protected network).
• Set JS Protected port group to support promiscuous mode.
• Add new vSwitch D and attach a new JS Data Share port group.
• Attach a new JS Internet port group with vSwitch A.
• Set JS Internet port group to support promiscuous mode.
• Install the DDoS Secure appliance VE from the OVA file.
• Connect to the GUI using the default IP address https://192.168.0.196, log in with username user and password password. The management IP address can be changed from the Configure Interfaces icon on the left-hand pane.
• Log in to the DDoS Secure appliance GUI.
• Reassign your firewall/load balancers/servers from the original Unprotected Network port group to the Protected LAN port group.
• Place the DDoS Secure appliance VE in desired operating mode.
• Remove the Unprotected Network port group (Optional).
Figure 39 on page 41 illustrates the ESX (i) Server with a dual NIC after DDoS Secure appliance installation.
Figure 39: Example of ESX (i) Server with Dual NIC
• Adding JS Protected and Protected LAN Port Groups on page 41
• Adding a JS Data Share Port Group on page 52
• Adding a JS Internet Port Group on page 57
• Reassigning the Existing VM Network Interfaces to a DDoS Secure Appliance on page 66
Adding JS Protected and Protected LAN Port Groups
To add the JS Protected and Protected LAN port groups:
1. Open the vSphere client if not already open.
3. Select the Configuration tab and click Networking, as shown in Figure 40 on page 42.
Figure 40: ESX (i) Server Console
4. Click Add Networking. The Add Network Wizard page is displayed, as shown in Figure 41 on page 42.
Figure 41: ESX (i) Server Add Network Wizard
5. Click the connection type Virtual Machine.
6. Click Next. The ESX (i) server wizard for network access is displayed, as shown in Figure 42 on page 43.
Figure 42: ESX (i) Server Wizard - Network Access
7. Select Create a virtual switch and uncheck all network adapters.
8. Click Next.
The ESX (i) server wizard for connection settings is displayed, as shown in Figure 43.
Figure 43: ESX (i) Server Wizard - Connection Settings
9. In Port Group Properties area, change the Network Label to Protected LAN.
10. Click Next.
The ESX (i) server wizard confirmation screen is displayed, as shown in Figure 44 on page 45.
Figure 44: ESX (i) Server Wizard Confirmation
11. Click Finish.
12. Return to the main vSphere client window where your ESX (i) host is selected in the inventory list.
Figure 45: ESX (i) Server Configuration Page
14. Click Properties of the Virtual Switch with the Protected LAN port group created in this section. The vSwitch Properties page is displayed, as shown in Figure 46 on page 46.
Figure 46: vSwitch Properties
15. In the vSwitch properties window, click Add. The wizard connection type page is displayed, as shown in Figure 47 on page 47.
Figure 47: vSwitch Network Wizard – Connection Type
Figure 48: vSwitch Network Wizard – Connection Settings
17. In port group properties, change the Network Label to JS Protected.
18. Click Next. The wizard connection confirmation page is displayed, as shown in Figure 49 on page 49.
Figure 49: vSwitch Network Wizard – Confirmation
19. Click Finish.
The vSwitch3 Properties page is displayed, as shown in Figure 50 on page 49.
20. Select the JS Protected port group.
21. Click Edit. The General tab of the JS Protected Properties window is displayed, as shown in Figure 51 on page 50.
Figure 51: JS Protected Properties - General
22. In the JS Protected Properties window, select the Security tab. The JS Protected Properties - Security tab is displayed, as shown in Figure 52 on page 51.
Figure 52: JS Protected Properties - Security
23. Check Promiscuous Mode and select Accept from the list.
Figure 53: vSwitch3 Properties
The Protected LAN and JS Protected port group configurations are now complete.
Adding a JS Data Share Port Group
The JS Data Share port group is used to synchronize configuration of a DDoS Secure appliance HA Pair. It is recommended that you create HA pairs on the same ESX (i) host, thereby allowing a software upgrade of the standby appliance whilst the other is active.
Even if a standalone appliance is to be deployed, this port group is still required for the appliance data share interface to connect to. Follow the instructions below to configure the JS Data Share port group on a new vSwitch:
1. Open the vSphere client if not already open.
2. Select the ESX (i) host in the inventory.
3. Select the Configuration tab and click Networking. The ESX (i) host configuration page is displayed, as shown in Figure 54 on page 53.
Figure 54: ESX (i) Host Configuration
4. Click Add Networking. The VMware connection type page is displayed, as shown in Figure 55 on page 53.
5. Choose connection type Virtual Machine and click Next. The virtual machine network access page is displayed, as shown in Figure 56 on page 54.
Figure 56: Virtual Machine Network Access
6. Select Create a virtual switch and uncheck all network adapters. The virtual machine connection settings page is displayed, as shown in Figure 57 on page 55.
In certain circumstances a user may want to pair up with an appliance external to the ESX (i) server. In this case, select the network adapter that the external appliance data share interface is connected to.
Figure 57: Virtual Machine Connection Settings
7. In Port Group Properties area, change the network label to JS Data Share.
Figure 58: Virtual Machine Connection Settings Completion
9. Click Finish.
The JS Data Share port group configuration is now complete. The virtual machine connection page is displayed, as shown in Figure 59 on page 57.
Figure 59: Virtual Machine Connections Page
Adding a JS Internet Port Group
To add the JS Internet port group:
1. Open the vSphere client if not already open.
2. Select the ESX (i) host in the inventory.
Figure 60: Virtual Machine Configuration Page
4. Click Properties next to Virtual Switch with Unprotected Network port group. The vSwitch Properties page is displayed, as shown in Figure 61 on page 59.
NOTE: Unprotected network is the name for the existing port group.
Figure 61: vSwitch Properties
5. In the vSwitch Properties window, in the Configuration list pane, click Add. The vSwitch connection type page is displayed, as shown in Figure 62 on page 59.
6. Choose connection type as Virtual Machine.
7. Click Next. The Virtual Machines - Connection Settings page is displayed, as shown in Figure 63 on page 60.
Figure 63: Virtual Machine Connection Settings
8. In the Port Group Properties area, change the Network Label to JS Internet.
9. Click Next. The network wizard completion page is displayed, as shown in Figure 64 on page 61.
Figure 64: Network Wizard Completion Page
10. Click Finish.
11. Return to the main vSphere client window where your ESX (i) host is selected in the inventory list.
Figure 65: Virtual Machine Configuration Page
13. Click Properties of the Virtual Switch with the JS Internet port group created in this section. The vSwitch0 Properties page is displayed, as shown in Figure 66 on page 63.
Figure 66: vSwitch Properties
Figure 67: JS Internet Properties - General
15. In the JS Internet Properties window, select the Security tab. The Security tab of the JS Internet Properties window is displayed, as shown in Figure 68 on page 65.
Figure 68: JS Internet Properties - Security
16. Check Promiscuous Mode and select Accept from the list.
Figure 69: vSwitch Properties - Ports
The JS Internet port group configuration is now complete.
Reassigning the Existing VM Network Interfaces to a DDoS Secure Appliance
All virtual machines connected to the existing Unprotected Network port group will need reconfiguring to use the Protected LAN port group.
1. Select the virtual machine in the vSphere Client inventory and open the properties window using option Edit Settings.
The Hardware tab of the virtual machine properties window is displayed, as shown in Figure 70 on page 67.
Figure 70: Virtual Machine Properties
2. In the Hardware tab, select the Network Adaptor previously connected to the Unprotected Network port group. This will be visible in the Hardware Summary but appear as a blank selection under the Network Connection pane.
3. Choose Protected LAN port group from the drop-down select box of Network Connections.
4. Click OK.
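The end state that the port group procedures in this chapter produce can be expressed as a set of checks on a host's vSwitch layout. The following Python sketch is an added example, not part of the Juniper guide: the inventory structure, the function name, the vSwitch numbering and the VM names are assumptions, and both sample inventories are constructed rather than exported from a real host.

```python
# Port groups on which the guide sets Promiscuous Mode to Accept.
PROMISCUOUS_REQUIRED = {"JS Protected", "JS Internet"}
# Port groups the guide creates on the host.
REQUIRED = PROMISCUOUS_REQUIRED | {"Protected LAN", "JS Data Share"}


def audit_layout(vswitches, unprotected_pg="Unprotected Network"):
    """Return findings where a layout differs from the guide's end state."""
    findings = []
    where = {pg: vs for vs, cfg in vswitches.items() for pg in cfg["portgroups"]}

    for pg in sorted(REQUIRED - set(where)):
        findings.append(f"missing port group: {pg}")

    for cfg in vswitches.values():
        for name, pg in cfg["portgroups"].items():
            accept = pg.get("promiscuous") == "Accept"
            if name in PROMISCUOUS_REQUIRED and not accept:
                findings.append(f"{name}: Promiscuous Mode is not Accept")
            # Assumption: the guide enables promiscuous mode only on the two
            # port groups the appliance bridges, so any other Accept is reported.
            if name not in PROMISCUOUS_REQUIRED and accept:
                findings.append(f"{name}: Promiscuous Mode is Accept, "
                                "which the guide does not call for")

    prot, lan, inet = (where.get(n) for n in
                       ("JS Protected", "Protected LAN", "JS Internet"))
    if prot and lan and prot != lan:
        findings.append("JS Protected and Protected LAN are on different vSwitches")
    if prot and inet and prot == inet:
        findings.append("JS Protected and JS Internet share a vSwitch, "
                        "so the appliance has nothing to bridge")
    if prot and vswitches[prot].get("uplinks"):
        findings.append(f"{prot}: the procedure creates this vSwitch with "
                        "all network adapters unchecked")

    # Every VM has to be moved from the original port group to Protected LAN.
    if unprotected_pg in where:
        pg = vswitches[where[unprotected_pg]]["portgroups"][unprotected_pg]
        for vm in pg.get("vms", []):
            findings.append(f"{vm}: still attached to {unprotected_pg}")
    return findings


# Constructed sample: host after the procedure has been completed.
SAMPLE_OK = {
    "vSwitch0": {"uplinks": ["vmnic0"], "portgroups": {
        "JS Internet": {"promiscuous": "Accept", "vms": ["ddos-secure-primary"]},
        "Unprotected Network": {"promiscuous": "Reject", "vms": []}}},
    "vSwitch3": {"uplinks": [], "portgroups": {
        "JS Protected": {"promiscuous": "Accept", "vms": ["ddos-secure-primary"]},
        "Protected LAN": {"promiscuous": "Reject", "vms": ["web01", "fw01"]}}},
    "vSwitch4": {"uplinks": [], "portgroups": {
        "JS Data Share": {"promiscuous": "Reject", "vms": ["ddos-secure-primary"]}}},
}

# Constructed sample: procedure left half finished.
SAMPLE_BAD = {
    "vSwitch0": {"uplinks": ["vmnic0"], "portgroups": {
        "JS Internet": {"promiscuous": "Accept", "vms": ["ddos-secure-primary"]},
        "Unprotected Network": {"promiscuous": "Reject", "vms": ["web01"]}}},
    "vSwitch3": {"uplinks": [], "portgroups": {
        "JS Protected": {"promiscuous": "Reject", "vms": ["ddos-secure-primary"]},
        "Protected LAN": {"promiscuous": "Accept", "vms": ["fw01"]}}},
}

if __name__ == "__main__":
    for label, inv in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(label, audit_layout(inv))
```

If the original port group has a different name on the host (the default being VM Network), pass it as `unprotected_pg`.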
Installing an Existing Single NIC ESX (i) Server
You must retain the association between the single physical interface, the virtual switch and vmKernel which carries the ESX (i)/vSphere management traffic. Removing this association will lead to loss of communication with your ESX (i) Server and may require an ESX (i) server rebuild.
You will need to separate the source of your unprotected traffic from the network segment hosting your firewall/load balancer/servers by placing them on two separate virtual switches. The DDoS Secure appliance Virtual Edition will be bridging these two virtual switches and hence controls the flow between them.
The source of unprotected traffic might be an external network (for example: Internet Gateway) connected to an ESX (i) network adaptor or it might already be on a separate virtual network which is routed or bridged to your server virtual network.
In the rest of this chapter we will refer to port groups associated with two virtual switches as the JS Internet port group (carrying unprotected traffic) and the JS Protected and Protected LAN port groups (carrying protected traffic).
Wherever Unprotected xxx is referred to, the port group is likely to be called something else on the original ESX configuration, the default being VM Network. Substitute as appropriate.
Figure 71: ESX (i) Server with Single NIC
The following sections outline the steps required for reconfiguring the example single NIC ESX (i) Server:
• Add new vSwitch B and associate a new JS Protected port group (connects to DDoS Secure appliance) and a new Protected LAN port group (connects to protected network).
• Set JS Protected port group to support promiscuous mode.
• Add new switch C and associate a new JS Data Share port group.
• Associate a new JS Internet port group with vSwitch A.
• Set JS Internet port group to support Promiscuous mode.
• Install the DDoS Secure appliance VE from the .OVA file.
• Connect to the GUI using the default IP address https://192.168.0.196, log in with username user and password password. The management IP address can be changed from the Configure Interfaces icon within the (Admin) left-hand pane.
• Log on to the DDoS Secure appliance GUI and apply a new license.
• Reassign your firewall/load balancers/servers from the original Unprotected Network port group to the Protected LAN port group.
• Place the DDoS Secure appliance VE in desired operating mode.
Figure 72 on page 71 illustrates the ESX (i) Server with a single NIC after DDoS Secure appliance installation.
Figure 72: ESX (i) Server with Single NIC after DDoS Secure Appliance Installation
• Adding JS Protected and Protected LAN Port Groups in a NIC ESX (i) Server on page 71
• Adding a JS Data Share Port Group to a NIC ESX (i) Server on page 82
• Adding a JS Internet Port Group to a NIC ESX (i) Server on page 86
Adding JS Protected and Protected LAN Port Groups in a NIC ESX (i) Server
To add the JS Protected and Protected LAN port groups:
1. Open the vSphere client if not already open.
2. Select the ESX (i) host in the inventory.
Figure 73: JS Protected and Protected LAN Port Groups
4. Click Add Networking. The network Connection Type page is displayed, as shown in Figure 74 on page 72.
Figure 74: Connection Type
5. Choose connection type Virtual Machine.
6. Click Next. The virtual machine network access page is displayed, as shown in Figure 75 on page 73.
Figure 75: Virtual Machine Network Access
7. Select Create a virtual switch and uncheck all network adapters.
8. Click Next. The virtual machine connection settings page is displayed, as shown in Figure 76.
Figure 76: Virtual Machine Connection Settings
9. In port group Properties, change the Network Label to Protected LAN.
10. Click Next. The virtual machine connection setting completion page is displayed, as shown in Figure 77 on page 75.
Figure 77: Virtual Machine Connection Settings Completion
11. Click Finish.
Figure 78: Virtual Machine Inventory
13. Click Properties of the Virtual Switch with the Protected LAN port group, as shown in Figure 79 on page 76.
Figure 79: vSwitch Properties - Port
14. In the vSwitch properties window, click Add. The virtual machine connection type wizard page is displayed, as shown in Figure 80 on page 77.
Figure 80: Virtual Machine Connection Type
Figure 81: Virtual Machine Connection Settings
16. In port group Properties, change the Network Label to JS Protected, and click Next. The virtual machine connection complete page is displayed, as shown in Figure 82 on page 78.
Figure 82: Virtual Machine Connection Completion
17. Click Finish to return to the vSwitch properties window, as shown in Figure 83 on page 79.
Figure 83: vSwitch Properties Port
Figure 84: JS Protected Properties
19. In the JS Protected Properties window, select the Security tab, as shown in Figure 85 on page 81.
Figure 85: JS Protected Properties - General
Figure 86: JS Protected Properties - Port
The Protected LAN and JS Protected port group configurations are now complete.
Adding a JS Data Share Port Group to a NIC ESX (i) Server
The JS Data Share port group is used to synchronize configuration of a DDoS Secure appliance HA Pair. It is recommended that you create HA pairs on the same ESX (i) host, thereby allowing a software upgrade of the standby appliance whilst the other is active. Even if a Standalone DDoS Secure appliance is to be deployed, this port group is still required for the DDoS Secure appliance data share interface to connect to.
Follow the instructions below to configure the JS Data Share port group:
1. Open the vSphere client if not already open.
2. Select the ESX (i) host in the inventory.
3. Select the Configuration tab and click Networking, as shown in Figure 87 on page 83.
Figure 87: Virtual Switch
4. Click Add Networking. The connection type page is displayed, as shown in Figure 88 on page 83.
Figure 88: Virtual Switch Connection Type
5. Choose connection type Virtual Machine, and click Next, as shown in Figure 89.
Figure 89: Virtual Switch - Network Access
6. Select Create a virtual switch and uncheck all network adapters.
In certain circumstances, a user may want to pair up with a DDoS Secure appliance external to the ESX (i) server. In this case, select the network adapter that the external DDoS Secure appliance data share interface is connected to, as shown in Figure 90 on page 85.
Figure 90: Virtual Machine Connection Settings
7. In Port Group Properties area, change the Network Label to JS Data Share.
8. Click Next. The virtual machine summary page is displayed, as shown in Figure 91.
Figure 91: Virtual Machine Summary
9. Click Finish.
The JS Data Share port group configuration is now complete.
Adding a JS Internet Port Group to a NIC ESX (i) Server
To add the JS Internet port group:
1. Open the vSphere client if not already open.
2. Select the ESX (i) host in the inventory.
3. Select the Configuration tab and click Networking, as shown in Figure 92 on page 87.
Figure 92: Virtual Switch Configuration Page
4. Click Properties next to Virtual Switch with Unprotected Network port group, as shown in Figure 93 on page 87.
NOTE: Unprotected Network is the name for the existing port group.
5. In the vSwitch properties window, in the Configuration list pane, click Add, as shown in Figure 94 on page 88.
Figure 94: Virtual Machine Connection Type
6. Choose connection type Virtual Machine.
7. Click Next. The virtual machine connection settings page is displayed, as shown in Figure 95 on page 89.
Figure 95: Virtual Machine Connection Settings
8. In the Port Group Properties area, change the Network Label to JS Internet.
Figure 96: Virtual Machine Connection Completion Page
10. Click Finish.
11. Return to the main vSphere client window where your ESX (i) host is selected in the inventory list, select the Configuration tab and click Networking. The virtual machine inventory configuration page is displayed, as shown in Figure 97 on page 91.
Figure 97: Virtual Machine Inventory
12. Click Properties of the Virtual Switch with the JS Internet port group created in this section. The vSwitch properties summary page is displayed, as shown in Figure 98.
Figure 98: vSwitch Properties Summary
13. Select the port group JS Internet and click Edit, as shown in Figure 99 on page 93.
Figure 99: JS Internet Properties
14. In the JS Internet Properties window, select the Security tab, as shown in Figure 100.
Figure 100: JS Internet Properties - General
15. Check Promiscuous Mode, select Accept from the drop-down and click OK. The vSwitch0 properties page is displayed, as shown in Figure 101 on page 95.
Figure 101: JS Internet vSwitch Properties
Installing and Configuring a New ESX (i) Server
• Installing an ESX (i) Server on page 97
• Connecting to vSphere on page 97
• Configuring vSwitch0 in the DDoS Secure Appliance Management Interface(s) on page 98
• Creating Internet Traffic for a DDoS Secure Appliance on page 103
• Configuring a Data Share Port Group in a DDoS Secure Appliance on page 110
• Setting a DDoS Secure Appliance Protected Interface to Promiscuous Mode on page 111
• Changing the Configuration Settings in an ESX (i) Server VMNIC Interface on page 112
Installing an ESX (i) Server
Read the VMware step-by-step guide on installing and configuring ESX (i). After successful installation of the ESX (i) server, several configuration steps are essential. In particular, some licensing, networking, and security configuration is necessary. For more details on these configuration tasks, see the following guides in the vSphere Documentation:
• The ESX (i) Installable Server Setup Guide for information on licensing
• The ESX (i) Configuration Guide for information on networking and security
Connecting to vSphere
Read the VMware step-by-step guide on installing and configuring vSphere Client onto a Windows PC.