BlastShield Documentation

From the ESXi host/Networking screen.

1. Configure the vSwitches.

   Two vSwitches will be required as described below.

   1. vSwitch 0  

      The default vSwitch and the hypervisor should have already created this vSwitch.  This vSwitch will provide the physical uplink for the Gateway.

      

   2. BlastShield Downstream

      You must add this vSwitch. This vSwitch is created for downstream protected traffic and the protected guest hosts will connect to this vSwitch.

      It should not have an uplink to the external NIC and you should remove the default uplink.

      

   The vSwitiches are shown below.

   

2. Configure the port groups.

   From the Networking User Interface

   1. Add port groups for the gateway

      1. From the ESXi host / networking user interface, add the following port groups.

      2. VM Network port group.  Mapped to vSwitch 0.  Used to attach the BlastShield instance to the outside world.

      3. BlastShield Downstream port group.  Mapped to the 'BlastShield Downstream' vSwitch.  Assign it VLAN ID = 4095.

         Tip

         VLAN ID 4095 specifies that the port group should use trunk mode, also known as virtual guest tagging mode, which allows the guest operating system to manage its own VLAN tags.

      4. A ‘Management Network’ port group will already have been created by default for the VM Kernel port.

   2. Add port groups for the linux test host endpoints.

      From the Networking User interface, add the following ports

      1. VM1 port group.  This should be mapped to BlastShield Downstream vSwitch for the VM 1 endpoint.  Assign it VLAN ID = 1

      2. VM2 port group.  This should be mapped to BlastShield Downstream vSwitch for the VM 2 endpoint.   Assign it VLAN ID = 2

   The port groups are shown below.

   

1. Add a new Gateway in the Orchestrator.

   1. Connect to the Orchestrator and select Gateways from the left Menu.

   2. Select Add New Gateway from the Gateway List.

   3. Enter a name for the new Gateway.

   4. Select the Addressing Mode for the Gateway to be VLAN.

   5. Select Save and Download Invitation. You can chose to either download the invitation file or copy the contents to the clipboard. Retain the invitation file data as you will need it later when you install the Gateway OVA.

      

2. Download the Gateway OVA file.

   1. Download the Gateway OVA file from here and keep it available so that you can upload it to your ESXi server.

3. Install the BlastShield Gateway™ OVA file on the ESXi client.

   Using the VMWare ESXi new virtual machine installer, the Invitation (.bsi) file generated in step 1 and the OVA file you downloaded in step 2 you will install the software on your ESXi hypervisor and bind it to the BlastShield™ Network. Below are the steps for this process.

   1. From the ESXi host, go to Virtual Machines / Create /Register VM / Create a virtual machine from an OVF/OVA file.

      

   2. Give the new Gateway a name and select the BlastShield™ OVA file which you downloaded in the previous step.

      

   3. Leave the default datastore option.

      

   4. Set the deployment options as shown:

      1. Public Network: VM Network port group.

      2. Protected Network: BlastShield Downstream port group.

         

   5. In Additional Settings, add the contents of the bsi file.

      1. Paste the contents of the Gateway bsi file into the Invitation contents field.

      2. For IP addressing, the default option is that the Gateway will use DHCP.  If you are setting a manually assigned IP address, default gateway and DNS, then enter them here (leaving the boxes blank here will use DHCP).

      3. Click next, then click finish to add the new Gateway virtual machine.

         

1. Create two endpoints in the Orchestrator.

   1. VM1 will have VLAN ID = 1 set in the Orchestrator. This will use port group VM1 on the hypervisor.

      

   2. VM2 will have VLAN ID =2 set in the Orchestrator. This will use port group VM2 on the hypervisor.

      

   3. Note that the Protected IP address is automatically set and is the IP address for the endpoint as used in the BlastShield™ network overall. You can overwrite it if necessary. Please be sure not to create a duplicate IP address if you do this.

      If you wish to add more endpoints for additional guest hosts then give each endpoint a unique VLAN ID in the Orchestrator and create a corresponding port group for it in the hypervisor.

2. Create corresponding virtual machine guest hosts in the ESXi hypervisor.

   1. Create your virtual guest hosts on the ESXi server in the usual way.

   2. In the Customize settings step of the New virtual machine wizard, set the Network adapter for the VM guest to match the port group which has been created for it.

      In our example virtual guest "VM1" will use Network adapter "VM 1" (which is the port group "VM 1"). Port group VM 1 has VLAN ID = 1 and this maps to the VLAN ID which is set in the Orchestrator.

      

3. Now check that the endpoints have come online.

   1. Login to the Orchestrator and select your Gateway.

   2. Click on the endpoints tab.

   3. Your endpoints should appear Online as shown below.

      

4. Setup a policy to allow access to the guest host endpoints.

   1. Login to the Orchestrator and create Groups and Policy as shown.

   2. Add the new endpoints which you created to an Endpoint Group.

   3. Add the test user(s) to a User Group.

   4. Create a policy to allow the User Group to access the Endpoint Group. An example of such a policy is shown below.