Installing and Configuring the AppDefense Appliance

***UPDATE – 11/2/18: AppDefense 2.0 has been released as part of the vSphere Platinum. The overall functionality will be very similar. AppDefense 2.0 is implemented with the vCenter Plug-In and offers two new modes of use: Online and Offline mode. This blog series will continue to be about the AppDefense SaaS offering. More about other versions when I can get my hands on the vSphere Platinum bits. ***

In my last AppDefense post, I gave an overview of the VMware AppDefense components. In this post, I’ll quickly recap those components and then dive into how to deploy AppDefense in your environment.

AppDefense Manager – This is the management point for AppDefense that lives in the cloud. Provisioning of the on-premises appliance and applications Scopes take place here.
AppDefense Appliance – This is an appliance that is deployed on-premises which aggregates data from ESXi hosts (once integrated with vCenter) and communicates with the AppDefense Manager.
AppDefense Host Module – This is installed on each AppDefense-protected ESXi host. This monitors ESXi host integrity and maintains the application manifest (which is detailed information about Scopes and Services as defined in the AppDefense Manager).
AppDefense Guest Module – This is installed on the guestOS and enabled the Host Module to monitor the integrity of the guestOS kernel to ensure it isn’t tampered with.

The hardest part of this is getting access to the AppDefense Manager. There is no free version of AppDefense to play with. The AppDefense Hands on Lab is very limited in it’s scope and is not a live environment. The only way to get hands-on with this is to engage VMware in a Proof of Concept or to purchase AppDefense. Provisioning of access to AppDefense Manager is handled entirely by VMware.

When you do get access, you’ll be brought to the AppDefense Dashboard. This provides a quick overview of what’s happening in the environment. There’s a ton of information on this screen!

Let’s cover that quickly:

Protection Coverage shows you the number of virtual machines running on all of the ESXi hosts which have the Host Module installed on them. I have a single VM deployed that isn’t part of a Scope and is not yet protected. We show all red. The goal of this widget is to show more green than red.
Scopes in Discovery shows the number of Scopes (made up of Services and Members) which are going through their discovery phase. This is the phase where AppDefense is learning common behaviors to do some of the heavy lifting before Protecting the application.
Alarms shows any alarm generated by a Protected Scope. Deviations from known-good behavior show the Scope generating the alarm and the Member (virtual machine, container, etc.) where the alarm originates. This allows for rapid triage of issues. The obvious goal is to have no alarms!
Provisioning events shows what’s happening in AppDefense Manager. Provisioning events count for new VMs being added or removed from the inventory, Scope creation and deletion, Services being added to or modified in a given Scope, and even Member VMs being added to a Service. This is the grit about how things are being created in the environment.

Now that we have access to the AppDefense Manager, we want to download the AppDefense Appliance OVA. Click on the cog in the lower-left hand corner and select Downloads.

The Downloads screen has all AppDefense-related downloads – primarily different versions of the Host Module, Guest Modules for the different supported Guest OSs, and the AppDefense Appliance itself. I also want to highlight an important piece at the top of the screen – links to the Installation Guide (as of the update at the top of this blog post, most of this installation is already covered in better depth by VMware!) and Release Notes.

Once the OVA downloads, you can deploy the OVA similar to many other appliance-based installs. You can opt to deploy to a cluster or an individual ESXi host. You’ll need to:

Supply the name of the virtual appliance
Select the VM Folder location
Identify an individual compute resource (if necessary)
Blindly accept the EULA
Select your desired storage location
Select your desired network
Enter (hopefully unique) passwords for both root and admin accounts
Enter desired networking configuration (more details with a static configuration than with DHCP)

Once the OVA is deployed, power on the VM and wait for the initial configuration to complete. After several minutes, you should be able to browse to the system’s VAMI at https://fully-qualitified-domain.name:5480. Here you’ll log in with the root account.

Once logged in, you’ll be on the Appliance Status page which only seems to show the last time the user has logged in. Click on the Configuration tab and we find that there’s several different fields to fill in. We’ll focus on the required configuration pieces (AppDefense Manager and vCenter), but this is also where NSX and Puppet are configured.

The vCenter Server configuration is relatively easy. Enter the name of your vCenter Server, a username, and password.

*My recommendation is to provision a new service account for your domain and work in a single cluster until you get used to moving around in AppDefense. Give Administrator permissions to the service account on a single cluster until you’re comfortable with the product and then expand those permissions as necessary.*

For AppDefense Manager Configuration, head back to AppDefense, open the cog-menu in the lower left-hand corner and select Appliances.

All provisioned AppDefense Appliances will show here. Remember that there is a 1:1 relationship for vCenter Server and AppDefense Appliance. Click on the Provision New Appliance button in the top right-hand corner.

Enter the name of the Appliance as you would like it to appear in the AppDefense Manager – I like to keep this as the same name of the virtual appliance in vCenter. Click Provision.

Once you click Provision, it’s super important to copy the information that is presented to you. If you click OK or close the tab before you copy the information, you’ll have to provision a new appliance. There is no way to recover a UUID or API key for the appliance.

This information is entered into the corresponding fields in the virtual appliance VAMI and allows communication with the AppDefense Manager.

When finished, click the Save Configuration button and wait a few minutes for communications to be established with the AppDefense Manager. If after a few minutes the AppDefense Manager isn’t showing the Appliance as Connected – double-check your firewall to make sure that traffic is being allowed.

Once you straighten that stuff out, click back over to the Status button and you should now show the Service Status as Active.

Heading back over to the AppDefense Manager in the same Appliances menu, you’ll see that your appliance (Goldilocks01 for me) will report that it’s Active and that it can connect with vCenter.