In one of my recent VDI projects I was working with Symantec Endpoint Protection as the choice of AV solution. When I started working on the project I was not able to find much information on the exact steps required for me to design and implement a Horizon View solution with Symantec Endpoint protection. I worked my way across the design and implementation by reading various whitepapers both by VMware and Symantec.
This prompted me to work on a series of blog articles which covers the Symantec SEP integration with Horizon View , I would attempt and complete it in a 3 Part series. I want to give due attention to each step and provide enough information for anyone who would need a reference on this topic which is why I will be separating it in 3 parts.
In the first part I would discuss the various components and the architecture for this solution.
How SEP Works?
SEP client needs to be installed on each client virtual machines in case of Horizon View VMs this will be installed as part of the desktop base image. The individual clients will protect the virtual computers. The SEP clients would report to the available Symantec End Point Protection Manager and get content updates from the internal LiveUpdate Administrator.
In order to optimize the performance following are the available features in SEP.
- Virtual image exception: White list files from standard virtual machine image to optimize scanning.
- Shared Insight cache (Security Virtual Appliance) : Shares scans results centrally across virtual clients to reduce bandwidth and latency
- Resource leveling: Randomizes scan and update schedules to prevent resource utilization spikes.
- Offline image scanning: Finds threats even in offline virtual machine images.
Components of this solution
- VMware Horizon View 5.2
- VMware vCloud® Networking and Security 5.1 (vShield Manager , vShield Endpoint)
- VMware vSphere 5.x
- Symantec SEP 12.1.2 (Symantec Endpoint Protection Manager,Live Update Administrator , Security Virtual Appliance , Virtual Image Exception Tool, ClientSideClonePrepTool)
Logical Architecture
The basic architecture of the Symantec Endpoint protection is same as the reference architecture for AV solutions integrated with vShield for VMware View , there are two other AV providers who have a similar offering Mcaffe MOVE and Trend Micro End Point Security
Communication Flow
The communication flow for SEP is described above , major role to reduce load for the scans are played by the Symantec Virtual Appliance which integrates with the vShield framework and provide a shared insights cache. The VIE or the Virtual Image Exception tool does white listing of files and makes sure that only the files which are changed get scanned hence reducing AV storms.
In the next two parts I will cover
- Implementation details for all the components
- Configuration details
Nice articles by you on EUC, I quite love reading them! But one question, I know agent based vs agentless advantages/disadvantages, but in the AV case will it not not be better to use agentless AV since it will off-load the tasks to the Appliance itself… what’s your thought on that… I am curious to know
Thanks Amitabh,
The question is valid considering if the agent installed in the VDI vms is not working with VMSAFE APIs through the appliance for offloading. I call those AV Agents in the VDI vms as full. Those agents are not advisable for VDI. However in the case of Symantec SEP 12.1.2 the agent does work with the vShield Endpoint appliance for offloading , this agent is light. As of now Symantec doesn’t have a completely agent less solution as compared to TrendMicro or McAffe.
Most of the enterprises either use Symantec or McAffe for there physical desktop security as well. So when it comes to VDI they usually like to extend the same product in VDI as well, this helps in getting better pricing , no skill update required as the same team manages both VDI and other installs.
So there are multiple factors in customer taking a decision , however any body should avoid a full agent based solution with VDI with no integration with vShiled Endpoint (VMsafe APIs) for offloading.
Thanks,
Samir
P.S : Symantec is currently working on getting a complete agent less solution.
I cannot find part 2 of your post. Curious to know the implementation steps. So you are saying that even with the appliance, each VDI still needs the symantec client installed on it? Does this have to happen before the VM is created for the first time? How does the recompose impact the client?
Hi Samir,
great blog you are running here. What happened to other parts?
I’m interested in ways we can use SEP to control USB access policies in View VDI. Have you had experience with this?
Stevan
For USB access policies you should use the VMware view ADM templates. I will be soon updating the blog with other parts, have been busy with other work lately.
I have used SEP for a few years to “control” USB use. I have SEP configured to block *USBSTOR\DISK*
This means any USB storage device will be blocked. HOWEVER, we do have our agency-owned devices (I’m with an agency of state government) These are secure/encrypted “USB sticks” and USB hard drives (such as the WD external drives, etc.) and I have exceptions written for those. You can go as granular or as generic as you want. I have the exceptions narrowed down to specific devices – I insert a device on a clean computer, let Windows “install” it, and watch the logs for when SEP blocks it. I grab the devices specific info from the logs (registry key, model and serial number) and create a hardware device definition, include that in allowed or exceptions. I have done similar for our agency-owned cameras and so on as otherwise when someone docks a camera, Windows saw the storage and tried to connect it as a USB storage device. It’s a bit to set up, but if you know where to look, how to do it, and work smart, it’s almost “configure and forget”. The nice thing is that much of this seems to work with VDI. And if you have SEP’s SNAC part – SNAC can do some of these things using a host integrity policy, including running scripts, changing registry keys and more.
As for SEP – there’s probably fears as folks remember the past and the load on the desktop. Not with the latest versions and builds. It’s not a big deal and tests I’ve run shows little difference SEP-equipped computer vs. computer sans-SEP. Yes, it is installed on your “gold image”, then you run the virtual image exception tool which allows you to tell SEP – no need to check anything on the base image as we’ve scanned and certified. That’s a big load off right there! Further, the VERY LAST thing you do after you build your gold image, tweak, clean, whatever, run a tool that preps SEP – it’s a clone prep tool. It MUST be run as the very last step before shutting off the image. It removes the keys and serialization that SEP builds to track that “specific machine”. Otherwise you’d have hundreds of identical computers showing up in SEP’s management and it would get nasty. Running that tool sterilizes the gold image so that each desktop created from it starts the SEP services, which build a new ID based on whatever. It’s just like “SYSPREP” in the physical world when you create an image to push onto many computers – the specifics are removed. In this case, it only touches SEP parts – all things identifying that specific “machine” are removed, and will be recreated when clones are launched and turned on. Since the base gold image is certified and SEP will ignore it/those files (if you certify it and run the exception tool) and SEP will check the SVA for info on other files before scanning, you end up with the SEP agent doing very little as far as actual file “scans”. Only files not part of the image, or not already checked with the current definitions and found clean by another computer will be scanned.
Hi Samir,
what about the recompose/refresh operation? Have you experience in duplicate ID on the AV console? How do you execute the ClientSideClonePrepTool?
Alex,
The process is below.
1.Install the operating system, applications, and patches
2.Install the Symantec Endpoint Protection Client and update the definitions
3.Copy ClientSideClonePrepTool.exe to a folder on this computer
4.Open a command prompt with administrative privileges
5.Navigate to the directory where the ClientSideClonePrepTool.exe is copied
6.Run ClientSideClonePrepTool.exe.
Note: Once the ClientSideClonePrepTool is run on the VM, the VM should not be restarted. This will cause the SEP services to turn on and bring back the SEP client to normal state. The VM should be shutdown and used for cloning. In case the VM is rebooted this process should be repeated.
Hope this helps.
Hi Samir,
Please advise when you will be posting the next 2 parts as I need to install SEP in a View environment in the next day or 2.
Thanks,
Steve,
I will be posting it in next two days.
Thanks,
Samir
Part 2 and 3 still being worked on?
Part2 is published now. thanks for reading.
Pingback: Symantec Endpoint Protection Integration with VMware Horizon View – Part3
Pingback: Newsletter: April 5, 2013 | Notes from MWhite
Pingback: SEPM12.1 – Security Virtual Appliance Unknown Status | myitblog