Symantec Web Gateway (SWG) - Best Practices: Configuring ESX for a Virtual Web Gateway Deployment
Article: TECH183599 | Created: 2012-03-12 | Updated: 2015-01-08 | Article URL: http://www.symantec.com/docs/TECH183599
You are about to deploy the Virtual version of Symantec Web Gateway (SWG 84v) on ESX or ESXi and want to know how to prepare your environment.
We are providing this information to help alleviate some of the frustration Administrators new to virtual environments are experiencing. We are in no way associated with VMware.
If you are experiencing problems with your virtual environment, or have questions about it, please contact VMware directly.
- Starting with SWG 5.2.2, any ESX 5.x version (including 5.1 and 5.5) is supported. This also means support for virtual ESX hardware versions 8, 9 and 10.
- The SWG 84v requires a dedicated Network Card for each virtual interface, each of which should be connected to a dedicated vSwitch (with uplink via separate physical network).
- All vSwitches should be configured to enable promiscuous mode (see instructions below).
- The SWG 84v requires a minimum of 8GB RAM. Both RAM and CPU resources must be reserved in the ESX Configuration Manager to ensure that they are available at all times.
NOTE: Inline and Inline+Proxy mode deployments of SWG will work, but are NOT supported in Virtual Implementations as there is no Network Bypass facility available.
1. Select your ESX server and click on the Configuration tab.
2. In the Hardware column on the left click on Networking.
3. You will see an Add Networking... link at the top of the screen; click on this.
4. In the first screen make sure it is set to the Virtual Machine network type and click next.
5. In the next screen select one of your Physical NICs and click next.
· You need 1 physical NIC for each Virtual switch you create. You cannot use NIC teaming.
· The very minimum number of dedicated physical NICs you will need for vSWG is two (for proxy-only mode): 1st-Management port, 2nd-Lan/Proxy/Span-Tap.
· An additional WAN interface and vSwitch is required for Inline or Inline+Proxy mode.
· Remember which Physical NIC you assigned to which role as this will be very important during cabling.
6. Now you should label the vSwitch in a manner that identifies what you plan to use it for. For example, if you are building the vSWG for a Proxy deployment you need a Management Port and a Proxy (LAN) Port, so you could name your first Switch SWG-MGMT and your second SWG-PRXY.
7. Once you have all necessary switches created go back into your main Networking screen under Configuration.
· Find the newly created switch in your list of Virtual Switches and click the Properties... link above it.
· Double click the vSwitch icon and then the Security tab.
· Set Promiscuous Mode, MAC Address Changes, and Forged Transmits to Accept.
· Click on the NIC Teaming tab and change Notify Switches and Failback both to No then hit OK.
· Do this for all your SWG related switches.
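The settings from step 7 can also be checked from the ESXi shell. The script below is an added example, not part of the original article or Symantec's tooling: it parses the output of `esxcli network vswitch standard policy security get` and `... policy failover get` and reports any SWG vSwitch that does not match step 7 or has more than one uplink. The sample output is constructed, and `vSwitch1` is a placeholder name.

```shell
#!/bin/sh
# Audit a standard vSwitch against step 7 of the article, from esxcli output.

# Live input on an ESXi 5.x host; KIND is "security" or "failover".
esxcli_policy() { esxcli network vswitch standard policy "$1" get -v "$2"; }

# policy_value TEXT KEY: print the value of the "KEY: value" line in TEXT.
policy_value() {
    printf '%s\n' "$1" | awk -F': *' -v k="$2" '
        { sub(/^[ \t]+/, "", $1) }
        $1 == k { print $2; exit }'
}

# audit_swg_vswitch NAME SECURITY_TEXT FAILOVER_TEXT
# Prints one finding per line; returns 0 only if the switch matches step 7.
audit_swg_vswitch() {
    name=$1 sec=$2 fo=$3 bad=0
    for key in "Allow Promiscuous" "Allow MAC Address Change" "Allow Forged Transmits"; do
        [ "$(policy_value "$sec" "$key")" = true ] || { echo "$name: $key is not Accept"; bad=1; }
    done
    for key in "Notify Switches" "Failback"; do
        [ "$(policy_value "$fo" "$key")" = false ] || { echo "$name: $key is not No"; bad=1; }
    done
    # One physical NIC per vSwitch, no teaming: one active uplink, no standby.
    active=$(policy_value "$fo" "Active Adapters")
    case "$active" in
        ""|*,*) echo "$name: expected one active uplink, found '$active'"; bad=1 ;;
    esac
    [ -z "$(policy_value "$fo" "Standby Adapters")" ] || { echo "$name: standby uplink set"; bad=1; }
    return "$bad"
}

# Constructed sample output (not from a real host): promiscuous mode still off.
SAMPLE_SEC='   Allow Promiscuous: false
   Allow MAC Address Change: true
   Allow Forged Transmits: true'
SAMPLE_FO='   Load Balancing: srcport
   Network Failure Detection: link
   Notify Switches: false
   Failback: false
   Active Adapters: vmnic1
   Standby Adapters:
   Unused Adapters:'

# No arguments: audit the sample. Otherwise pass vSwitch names, e.g. vSwitch1.
[ $# -gt 0 ] || audit_swg_vswitch sample "$SAMPLE_SEC" "$SAMPLE_FO" || true
for sw in "$@"; do
    audit_swg_vswitch "$sw" "$(esxcli_policy security "$sw")" "$(esxcli_policy failover "$sw")" \
        && echo "$sw: matches step 7"
done
```

The `-v` option takes the vSwitch name as listed in the Networking view, so pass that name rather than the label chosen in step 6.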
1. Now deploy your OVF Web Gateway template.
2. During the deployment of the template you can specify your NICs. You can do this later but it is easy to do it here. Simply click the dropdown under Destination Networks (which you named in step 6) and match it to the appropriate Source Network, VSWG_LAN to SWG-LAN etc. Next and Finish.
3. Now select your new SWG virtual server and click on Edit virtual machine settings.
4. You will see 4 network adapters listed:
· Network adapter 1 is the Management port
· Network adapter 2 is the WAN port (used in Inline mode)
· Network adapter 3 is the LAN port (used in Inline or Proxy mode)
· Network adapter 4 is the Monitor port (only used in Span-Tap mode)
Here you will assign the connection. For example, in Proxy mode you would choose Network Adapter 1, then on the right under Network Label drop down the menu and choose SWG-MGMT, then click on Network Adapter 3 and select SWG-Proxy or whatever you named your virtual switches in step 6 above.
1. Right-click on the new Virtual SWG and select "Edit Settings".
2. You can now Power on the Virtual Machine and go to the Console tab to do the initial setup of the SWG.