vCenter Server and ESXi Hypervisor Requirements

The functions provided by the Virtual Inventory feature are designed for use with the following VMware vSphere licensed environments: VMware vSphere Essentials, Essentials Plus, Standard, and Standard with Operations Management. While the functions can be used in enterprise-level environments, the user experience and performance have been optimized for use in small and medium-sized business environments.

vCenter Server Requirements and Recommendations

  • The vCenter Servers that are added to the Virtual Inventory list must be at VMware vCenter Server 6.5 or later
  • You must have valid credentials for the vCenter Server
  • You must be able to connect to the vCenter Server
  • If the hypervisors in your organization are managed by a vCenter Server, you should add those hypervisors to Security Controls by adding the managing vCenter Server. The scanning and deployment actions you take on the hypervisors are more complete when performed through a vCenter Server.

ESXi Hypervisor Scanning Requirements

You must meet the following requirements in order to successfully scan an ESXi hypervisor:

  • You must have valid credentials for the ESXi hypervisor
  • You must be able to connect to the ESXi hypervisor
  • The hypervisor must be using ESXi version 6.5 or later
  • If you are using ESXi 7.0 Update 1 or later, the patch offline bundle must be installed on your hypervisor. For more information, see the VMware ESXi 7.0 Update 1 Release Notes.
  • Your firewall must be configured to allow an HTTP Client connection

ESXi Hypervisor Deployment Requirements and Recommendations

You must meet the following requirements in order to successfully deploy bulletins to ESXi hypervisors:

  • The Security Controls console must be online
  • The ESXi hypervisor must be online in order to access assessment data and download updates
  • The hypervisor must be using ESXi version 6.5 or later
  • Port 443 must be open on the hypervisor
  • The latest version of VMware Tools is required on all virtual machines running on the hypervisor
  • You must have previously scanned the ESXi hypervisor to identify the missing bulletins
  • You can only deploy bulletins to one ESXi hypervisor at a time in a single deployment. You can, however, start multiple deployments to different hypervisors and have them run concurrently (do not do this if the hypervisors are being managed by the same vCenter Server).
  • You cannot schedule deployments
  • For vCenter Servers using fully automated Distributed Resource Scheduler (DRS), during a deployment, Security Controls will attempt to put the ESXi hypervisor into maintenance mode and allow DRS to manage the virtual machines. Security Controls will not support DRS for vCenter Servers that have their DRS automation level set to Manual or Partially Automated because these DRS settings require user intervention at the vSphere client level. In this case, Security Controls may suspend or shut down the virtual machines, or it may cancel the deployment.
  • You should not attempt to patch a hypervisor that contains a vCenter Server or vCenter Server Appliance without first moving the vCenter Server to another hypervisor. Consider using DRS to move the vCenter Server.
  • You should not attempt to patch a hypervisor that contains the Security Controls console without first moving the console to another hypervisor. Consider using DRS to move the console.
  • You must use a role that contains the following permissions on the ESXi hypervisor:
    • Global
      • Act as vCenter Server
      • Cancel task
      • Diagnostics
      • Licenses
      • Log event
      • Proxy
    • Host: Configuration
      • Connection
      • Maintenance
      • Power
      • Query patch
      • System Management
      • System resources
    • Host: Replication
    • Resource
    • Scheduled task
    • Sessions
    • Tasks
    • vApp
    • vCenter Inventory Services (v6.5 or later)
    • vService (v6.5 or later)
    • Virtual machine