In this guide I will take you through the vCloud Networking and Security / vShield Manager and components upgrade to version 5.5.3.1. This release addresses the Shellshock vulnerability (VMware KB 2091218).
Before you proceed with the upgrade, please confirm the new version is compatible with the existing VMware and other security products in your environment (Trend Micro Deep Security, for example).
Download the VMware vShield Manager Upgrade bundle from my.VMware.com:
- vShield Manager Upgrade Bundle 5.5.3.1
https://my.vmware.com/group/vmware/info/slug/security_products/vmware_vcloud_networking_and_security/5_5
Click on Read More to reveal the release date, build number and simple reference to the upgrade path:
File name: VMware-vShield-Manager-upgrade-bundle-5.5.3-2175697.tar.gz
Upgrade to vCNS 5.5.3.1 from: vCNS 5.1.1, 5.1.2, 5.1.3, 5.1.4.x, 5.5.0, 5.5.1, 5.5.2, 5.5.3.
You must first upgrade the vShield Manager, then update the other components.
vShield Manager Upgrade
- First, take a snapshot of vShield Manager virtual appliance!
- Log in to vShield Manager, navigate to the inventory panel, View: > Hosts & Clusters, click Settings & Reports.
- Click the Updates tab.
- Click Upload Upgrade Bundle.
- Click Browse and select the VMware-vShield-Manager-upgrade_bundle-buildNumber.tar.gz file.
- Click Open.
- Click Upload File.
- After the file is uploaded, click Update Status.
- Click Install to begin the upgrade process.
- Click Confirm Install.
The upgrade process reboots vShield Manager, so you might lose connectivity to the vShield Manager user interface. None of the other vShield components are rebooted.
- After the reboot, log back in to the vShield Manager.
- OPTIONAL: Log in to Trend Micro Deep Security Manager and make sure it can still connect to vSM.
Although this upgrade looks straightforward and, in the majority of cases, runs OK, I have a couple of tips for you:
- ALWAYS take a snap of vShield Manager!
- The vShield Manager upgrade from 5.0.x to 5.1.x is different, as you need to upgrade its virtual hardware. See VMware KB 2044458 for detailed instructions.
- Make sure the vShield Manager VA hardware spec is correct (I experienced an issue with the upgrade when someone manually changed the vSM VA configuration).
- Make sure a minimum of 2.5 GB free disk space is available in the /common partition. Log in to the vSM console and run show filesystems.
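A pre-upgrade check for the supported upgrade path and the /common free-space tip above, as an added example that is not part of the original post. It assumes show filesystems prints df -h style columns; the function names and the sample outputs are constructed for illustration.

```python
import re

# Upgrade sources the page lists for vCNS 5.5.3.1 ("5.1.4.x" is a wildcard).
SUPPORTED_FROM = ["5.1.1", "5.1.2", "5.1.3", "5.1.4.x", "5.5.0", "5.5.1", "5.5.2", "5.5.3"]
MIN_FREE_GB = 2.5  # minimum free space in /common, per the page
UNITS = {"K": 1 / 1024**2, "M": 1 / 1024, "G": 1.0, "T": 1024.0}

def upgrade_supported(current):
    """True if `current` matches an entry in SUPPORTED_FROM ('.x' is a wildcard)."""
    for entry in SUPPORTED_FROM:
        base = entry[:-2] if entry.endswith(".x") else None
        if current == entry or (base and (current == base or current.startswith(base + "."))):
            return True
    return False

def to_gb(size):
    """Convert a df -h style size such as '25G' or '850M' to GB."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([KMGT])?", size)
    if not m:
        raise ValueError(f"unrecognised size: {size!r}")
    value, unit = float(m.group(1)), m.group(2)
    return value * UNITS[unit] if unit else value / 1024**3  # no suffix: bytes

def common_free_gb(show_filesystems_output):
    """Return the free space in GB on the filesystem mounted at /common."""
    for line in show_filesystems_output.splitlines():
        fields = line.split()
        # Assumed columns: Filesystem Size Used Avail Use% Mounted-on
        if len(fields) >= 6 and fields[5] == "/common":
            return to_gb(fields[3])
    raise LookupError("/common not found in output")

def preflight(current_version, show_filesystems_output):
    """Return a list of problems; an empty list means both checks passed."""
    problems = []
    if not upgrade_supported(current_version):
        problems.append(f"no direct upgrade path from {current_version}")
    free = common_free_gb(show_filesystems_output)
    if free < MIN_FREE_GB:
        problems.append(f"/common has {free:.1f} GB free, need {MIN_FREE_GB} GB")
    return problems

# Constructed sample outputs (not captured from a real appliance).
HEADER = "Filesystem Size Used Avail Use% Mounted on\n"
SAMPLE_OK = HEADER + "/dev/sda6 39G 12G 25G 33% /common\n"
SAMPLE_FAIL = HEADER + "/dev/sda6 39G 37G 850M 98% /common\n"

if __name__ == "__main__":
    print(preflight("5.5.2", SAMPLE_OK), preflight("5.0.2", SAMPLE_FAIL))
```

Paste the console output into a string and pass it with the current vShield Manager version; fix every reported problem before uploading the bundle.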
vShield App and vShield Endpoint Upgrade
You must upgrade vShield App and vShield Endpoint on each host in your datacenter. Both can be upgraded either through the vSphere Client or the vShield Manager interface. I personally prefer the latter.
- Log in to vShield Manager, navigate to the inventory panel, select View: > Hosts & Clusters.
- Select Inventory > Hosts and Clusters.
- Under Datacenters / Your_Datacenter / Your_Cluster click the host on which you want to upgrade vShield App / vShield Endpoint.
- The Summary tab displays each vShield component that is installed on the selected host and the available upgrade version.
- Select Update next to vShield App or vShield Endpoint.
- Select the vShield App or vShield Endpoint checkbox. You can also select both and upgrade them in one go.
- Click Install. During vShield App upgrade, the ESXi host is placed into Maintenance Mode and rebooted. Ensure that virtual machines on the ESXi host are migrated (using DRS or vMotion), or that they are powered off to allow the host to be placed into Maintenance Mode.
- All done.
- OPTIONAL: Again, it may be a good idea to check the host in Trend Micro Deep Security Manager…
vShield Edge Upgrade
- Log in to the vShield Manager, navigate to View: > Networks.
- Select the Datacenter, Network Virtualization, Edges.
- Select the vShield Edge. Notice the up arrow – Upgrade available.
- Click Actions and select Upgrade.
- Click Yes to continue.
- This is where it gets interesting! vShield Manager will NOT upgrade the vShield Edge virtual appliance. Instead, it will deploy a new appliance, copy the config and then delete the old appliance.
I hope this helps.
Super nice of you to provide straight talk procedure for the upgrade!
Found your post after failing to find simplicity in the 5.5.3 install and upgrade doc provided by VMware.
Thanks a ton!!
Thank you for your feedback. Much appreciated.
Very nicely written.