Deploying Ivanti Security Appliance on Hyper-V
Overview of ICS Hyper-V Enablement
Ivanti Security Appliances are now supported on Microsoft's Hyper-V hypervisor in addition to the VMware platform.
The following table lists the number of cores, RAM, and disk space to allocate to each Hyper-V model:
Platform | Cores Per VM | RAM | Disk Space in 22.6R2 and Later | Disk Space prior to 22.6R2 |
---|---|---|---|---|
ISA4000-V | 4 | 8 GB | 80 GB | 40 GB |
ISA6000-V | 8 | 16 GB | 80 GB | 40 GB |
ISA8000-V | 12 | 32 GB | 80 GB | 40 GB |
Limitations
• The image supports only IDE disks. Because of this limitation, it supports only the ‘Generation 1’ type of virtual machine in Hyper-V Manager.
Deploying a Hyper-V ISA-V through the Hyper-V Manager
To deploy an Ivanti Security Appliance through the Hyper-V Manager:
1. Copy the Hyper-V ISA-V package to the Hyper-V server.
2. Open Hyper-V Manager.
3. Deploy the Hyper-V ISA-V.
4. On the Before You Begin screen, click Next.
5. On the Specify Name and Location screen, enter the name and location and click Next.
6. Select Generation 1, as Hyper-V ISA-V does not support Generation 2, and click Next.
7. Assign the appropriate memory. Enter 8192 MB for ISA-V and click Next.
8. The Configure Networking page opens. Select a virtual switch to be used by the network adapter and click Next.
9. The Connect Virtual Hard Disk page appears. Select the Use an existing virtual hard disk button and provide the location of the Hyper-V ISA-V package .vhdx file (from step 1).
10. Click Finish. Hyper-V Server creates an entry under Virtual Machines.
11. Add network adapters for the External Port and the Management Port.
a. Right-click the VM name and click Settings.
b. Enter the number of virtual processors required.
c. In the dialog box that opens, click Add Hardware in the left pane.
d. In the right pane, select Network Adapter.
e. Click Add.
It is important to add all three network adapters to the Hyper-V ISA-V before powering on the VM. Adding network adapters after powering on the Hyper-V ISA-V may result in network connectivity issues. The following list indicates the order of virtual adapters:
1. Network Adapter: Internal
2. Network Adapter 2: External
3. Network Adapter 3: Management
12. Select the virtual switch for the External Port. Click Apply.
13. Add a network adapter for the Management Port.
a. Click Add Hardware in the left pane. Select Network Adapter. Click Add.
b. Select the virtual switch for the Management Port. Click Apply.
14. Select Start to power on the virtual machine.
Once deployment is successful, you can see the deployed VM console.
Deploying Connect Secure with Automatic Initial Configurations
1. Download the Hyper-V package file and find the hyperv_template.xml file.
2. Customize the required fields, such as IP address, subnet mask, and default gateway for the internal, external, and management ports, and then convert the file to an .iso image (hyperv.iso) using the following command.
Command Sample: mkisofs -l -o hyperv.iso hyperv_template.xml
3. Under DVD Drive, click Browse and upload the .iso file, and then start the VM.
Deploying a Hyper-V ISA-V through PowerShell cmdlets
To deploy a Hyper-V ISA-V through PowerShell cmdlets:
1. Copy the Hyper-V ISA-V package to the Hyper-V server.
2. Open PowerShell as administrator.
3. Create a Hyper-V ISA-V on the Hyper-V server. Enter the VM name, memory (in MB), location of the VHDX file, and the internal network switch name, as in the example below.
For example, for deploying the ISA-V:
PS> New-VM -Name hyper-v-va -MemoryStartupBytes 2048MB -VHDPath "F:\hyper_v_packages\ISA-V-HYPERV-ICS-<Version No.>-VT-hyperv.vhdx" -SwitchName Int_Network_Switch -Generation 1
4. Add two network adapters for the External Port and the Management Port.
Port | Format | Example |
---|---|---|
External Port | PS> Add-VMNetworkAdapter -VMName <vm-name> -SwitchName <External Network Switch Name> | PS> Add-VMNetworkAdapter -VMName hyper-v-va -SwitchName Ext_Network_Switch -Name External_Port |
Management Port | PS> Add-VMNetworkAdapter -VMName <vm-name> -SwitchName <Management Network Switch Name> | PS> Add-VMNetworkAdapter -VMName hyper-v-va -SwitchName Mgmt_Network_Switch -Name |
5. Set the number of processors to assign to the Hyper-V ISA-V:
PS> Set-VMProcessor -VMName <vm-name> -Count <cpu-count>
For example:
PS> Set-VMProcessor -VMName hyper-v-va -Count 1
6. Perform the following steps to change the name of the internal network adapter:
PS> Get-VMNetworkAdapter -VMName <vm-name>
Sample Output:
Name            IsManagementOs VMName     SwitchName MacAddress   Status IPAddresses
----            -------------- ------     ---------- ----------   ------ -----------
Network Adapter False          hyper-v-va IntSwitch  000000000000        {}
Ext_Port        False          hyper-v-va ExtSwitch  000000000000        {}
Mgmt_Port       False          hyper-v-va MgmtSwitch 000000000000        {}
Now, change the name of the internal network adapter:
PS> Rename-VMNetworkAdapter -VMName hyper-v-va -Name "Network Adapter" -NewName "Int_Port"
Sample Output:
PS> Get-VMNetworkAdapter -VMName <vm-name>
Name      IsManagementOs VMName     SwitchName MacAddress   Status IPAddresses
----      -------------- ------     ---------- ----------   ------ -----------
Int_Port  False          hyper-v-va IntSwitch  000000000000        {}
Ext_Port  False          hyper-v-va ExtSwitch  000000000000        {}
Mgmt_Port False          hyper-v-va MgmtSwitch 000000000000        {}
7. To power on the Hyper-V VA, enter:
PS> Start-VM -Name <vm-name>
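A pre-start check for a VM built with the steps above, as an added example that is not part of Ivanti's documentation: it compares the VM with the sizing table and the Generation 1/IDE limitation on this page and confirms that three connected adapters exist before the first power-on. The function name Test-IsaVPreStart and its parameters are assumptions.

```powershell
# Added example, not Ivanti code. Function and parameter names are assumptions.
# Usage: Test-IsaVPreStart -VMName hyper-v-va -Model ISA4000-V
function Test-IsaVPreStart {
    param(
        [Parameter(Mandatory)] [string] $VMName,
        [Parameter(Mandatory)] [ValidateSet('ISA4000-V', 'ISA6000-V', 'ISA8000-V')] [string] $Model
    )
    # Cores and RAM per model, copied from the sizing table on this page.
    $sizing = @{
        'ISA4000-V' = @{ Cores = 4;  RamGB = 8 }
        'ISA6000-V' = @{ Cores = 8;  RamGB = 16 }
        'ISA8000-V' = @{ Cores = 12; RamGB = 32 }
    }
    $want     = $sizing[$Model]
    $vm       = Get-VM -Name $VMName -ErrorAction Stop
    $adapters = @(Get-VMNetworkAdapter -VMName $VMName)
    $disks    = @(Get-VMHardDiskDrive -VMName $VMName)
    $problems = @()

    if ($vm.State -ne 'Off') {
        $problems += "VM state is $($vm.State); run this check before the first power-on"
    }
    if ($vm.Generation -ne 1) {
        $problems += "VM is Generation $($vm.Generation); the image supports Generation 1 only"
    }
    if ($vm.ProcessorCount -ne $want.Cores) {
        $problems += "$($vm.ProcessorCount) virtual processors; $Model needs $($want.Cores)"
    }
    if ($vm.MemoryStartup -ne ($want.RamGB * 1GB)) {
        $problems += "Startup memory is $($vm.MemoryStartup / 1GB) GB; $Model needs $($want.RamGB) GB"
    }
    if ($adapters.Count -ne 3) {
        $problems += "$($adapters.Count) network adapters; internal, external and management are required"
    }
    foreach ($a in ($adapters | Where-Object { -not $_.SwitchName })) {
        $problems += "Adapter '$($a.Name)' is not connected to a virtual switch"
    }
    foreach ($d in ($disks | Where-Object { $_.ControllerType -ne 'IDE' })) {
        $problems += "Disk $($d.Path) is on a $($d.ControllerType) controller; only IDE is supported"
    }
    [pscustomobject]@{
        VMName   = $VMName
        Ready    = ($problems.Count -eq 0)
        Adapters = $adapters | ForEach-Object { "$($_.Name) -> $($_.SwitchName)" }
        Problems = $problems
    }
}
```

The Adapters field lists each adapter with its switch so the internal, external and management assignments can be reviewed by eye before Start-VM.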
Cloning of VM on Hyper-V
This type of cloning generates a unique license ID (the licensing hardware ID is unique on both the existing machine and the cloned machine). Cloning 22.2R1 and higher releases supports automatic initial configurations: by passing ISO files with overwrite IP address = 1 before starting the VM, the clone gets the new IP address/Mask/GW, so you can avoid assigning IP addresses manually after the VM comes up.
This is the recommended method for Hyper-V cloning.
1. Log in to Hyper-V Manager and shut down the VM that you want to clone.
2. Right-click the VM, specify the location, and export the files.
3. Navigate to Hyper-V Manager, New > Virtual Machine.
4. On the Before You Begin dialog, click Next.
5. On the Specify Name and Location dialog, enter the name for the machine.
6. On the Specify Generation dialog, select Generation 1.
7. On the Assign Memory dialog, enter 8192 MB for 4 core processors, 16 GB for 8 core processors, and 32 GB for 12 core processors.
8. On the Configure Networking dialog, configure the network adapter to use the virtual switch.
9. On the Connect Virtual Hard Disk dialog, provide the virtual hard disk file path from the exported files.
10. Click Next and then Finish. The virtual machine is now listed under Virtual Machines.
11. Right-click the machine and go to Settings. Add the network adapters as required and change the number of processors as required.
12. Click Start to start the machine.
13. Once the VM is up, change the IP address/Mask/GW, because the clone has the same IP addresses as the existing machine. The VM is then ready for use. Cloning 22.2R1 and higher releases supports automatic initial configurations: by passing ISO files with overwrite IP address = 1 before starting the VM, the clone gets the new IP address/Mask/GW, so you can avoid assigning IP addresses manually after the VM comes up.
Increasing the Disk Size in Hyper-V
From the 22.6R2 release, 80 GB of disk space is available by default on a fresh installation. You can modify or increase the disk size only once, on a fresh installation or an upgrade of the ICS images, but not on rollback or factory reset images.
If you are upgrading to 22.6R2 or later on the Hyper-V platform, the disk size change from 40 GB to 80 GB has to be done prior to the upgrade.
Disk Size Allocation is supported from 22.6R2 and later releases.
To increase the disk space:
1. Click IDE Controller > Hardware, click Edit.
2. Select Expand and click Next>.
3. Change the disk size in GB and click Finish.
ICS Provisioning Parameters
Provisioning parameters are those parameters which are required during the deployment of a virtual appliance. ICS accepts the following parameters as provisioning parameters in the XML format.
<PropertySection>
  <Property oe:key="vaIPAddress" oe:value=""/>
  <Property oe:key="vaNetmask" oe:value=""/>
  <Property oe:key="vaGateway" oe:value=""/>
  <Property oe:key="vaDefaultVlan" oe:value=""/>
  <Property oe:key="vaExternalIPAddress" oe:value=""/>
  <Property oe:key="vaExternalNetmask" oe:value=""/>
  <Property oe:key="vaExternalGateway" oe:value=""/>
  <Property oe:key="vaExternalDefaultVlan" oe:value=""/>
  <Property oe:key="vaManagementIPAddress" oe:value=""/>
  <Property oe:key="vaManagementNetmask" oe:value=""/>
  <Property oe:key="vaManagementGateway" oe:value=""/>
  <Property oe:key="vaManagementDefaultVlan" oe:value=""/>
  <Property oe:key="vaPrimaryDNS" oe:value=""/>
  <Property oe:key="vaSecondaryDNS" oe:value=""/>
  <Property oe:key="vaWINSServer" oe:value="1.2.3.4"/>
  <Property oe:key="vaDNSDomain" oe:value="ics.company.com"/>
  <Property oe:key="vaAdminUsername" oe:value="admin"/>
  <Property oe:key="vaAdminPassword" oe:value="Password123$"/>
  <Property oe:key="vaCommonName" oe:value="ics-ext-port.company.com"/>
  <Property oe:key="vaOrganization" oe:value="Ivanti"/>
  <Property oe:key="vaRandomText" oe:value="randomtextrandomtextrandomtextrandomtext"/>
  <Property oe:key="vaAcceptLicenseAgreement" oe:value="y"/>
  <Property oe:key="vaEnableLicenseServer" oe:value="n"/>
  <Property oe:key="vaAdminEnableREST" oe:value=""/>
  <Property oe:key="vaAuthCodeLicense" oe:value=""/>
  <Property oe:key="vaConfigURL" oe:value="http://a.b.c.d/ics_config.xml"/>
  <Property oe:key="vaConfigServerCACertPEM" oe:value=""/>
  <Property oe:key="vaConfigData" oe:value=""/>
  <Property oe:key="vaInternalPortReconfigWithValueInVAppProperties" oe:value="1"/>
  <Property oe:key="vaManagementPortReconfigWithValueInVAppProperties" oe:value="1"/>
  <Property oe:key="vaExternalPortReconfigWithValueInVAppProperties" oe:value="1"/>
</PropertySection>
Parameter Name | Type | Description |
---|---|---|
vaIPAddress | IP address | Internal interface IP |
vaNetmask | IP address | Internal interface subnet mask |
vaGateway | IP address | Internal interface IP gateway |
vaDefaultVlan | integer | VLAN number to assign to this interface |
vaExternalIPAddress | IP address | External interface IP |
vaExternalNetmask | IP address | External interface subnet mask |
vaExternalGateway | IP address | External interface IP gateway |
vaExternalDefaultVlan | integer | VLAN number to assign to this interface |
vaManagementIPAddress | IP address | Management interface IP |
vaManagementNetmask | IP address | Management interface subnet mask |
vaManagementGateway | IP address | Management interface IP gateway |
vaManagementDefaultVlan | integer | VLAN number to assign to this interface |
vaPrimaryDNS | IP address | Primary DNS IP |
vaSecondaryDNS | IP address | Secondary DNS IP |
vaWINSServer | IP address | Windows server IP |
vaDNSDomain | string | Windows domain name |
vaAdminUsername | string | Admin username |
vaAdminPassword | string | Admin password |
vaCommonName | string | Common name |
vaOrganization | string | Organization name |
vaRandomText | string | Random text to generate self-signed certificate |
vaAcceptLicenseAgreement | character | “y” to accept the license agreement |
vaEnableLicenseServer | character | “y” to enable it as a VLS server. “n” to bring it up as an ICS node. |
vaAdminEnableREST | character | “y” to enable REST for the administrator user |
vaAuthCodeLicense | string | Authentication code that needs to be obtained from Ivanti. |
vaConfigURL | string URL | HTTP-based URL where the XML-based ICS configuration can be found. |
vaConfigServerCACertPEM | string | PEM format of CA certificate. |
vaConfigData | string | Base64-encoded XML-based ICS configuration. |
vaInternalPortReconfigWithValueInVAppProperties | integer | The Internal port overwrite property. If set to 1, overwrites the virtual appliance’s internal port settings with the ones specified during deployment. Set this value as 1. |
vaManagementPortReconfigWithValueInVAppProperties | integer | The Management port overwrite property. If set to 1, overwrites the management port-related parameters in the ICS with the ones defined here. Set this value as 1. |
vaExternalPortReconfigWithValueInVAppProperties | integer | The External port overwrite property. If set to 1, overwrites the external port-related parameters in ICS/IPS with the ones defined here. Set this value as 1. |
v6 Parameters
Parameter | Type | Description |
---|---|---|
vaNetworkStack | IPv4 or IPv6 address | Indicates the network address type configured during deployment. v4: IPv4 addresses are allowed to be configured. v6: IPv6 addresses are allowed to be configured. Both: IPv4 and IPv6 addresses are allowed to be configured. |
vaIPv6Address | IPv6 address | Internal interface IPv6 address |
vaPrefix | IPv6 address | Internal interface IPv6 prefix length. |
vaIPv6Gateway | IPv6 address | Internal interface IPv6 gateway address. |
vaManagementIPv6Address | IPv6 address | Management interface IPv6 address |
vaManagementPrefix | IPv6 address | Management interface IPv6 prefix length. |
vaManagementIPv6Gateway | IPv6 address | Management interface IPv6 gateway address. |
vaExternalIPv6Address | IPv6 address | External interface IPv6 address |
vaExternalPrefix | IPv6 address | External interface IPv6 prefix length. |
vaExternalIPv6Gateway | IPv6 address | External interface IPv6 gateway address. |
ICS supports zero touch provisioning. This feature can detect and assign DHCP networking settings automatically at the ICS boot up. The following ICS parameters should be set to null in order to fetch the networking configuration automatically from the DHCP server.
• vaIPAddress
• vaNetmask
• vaGateway
• vaPrimaryDNS
• vaExternalIPAddress
• vaExternalNetmask
• vaExternalGateway
• vaSecondaryDNS
• vaManagementIPAddress
• vaManagementNetmask
• vaManagementGateway
• vaDNSDomain
• vaNetworkStack
• vaIPv6Address
• vaPrefix
• vaIPv6Gateway
• vaManagementIPv6Address
• vaManagementPrefix
• vaManagementIPv6Gateway
• vaExternalIPv6Address
• vaExternalPrefix
• vaExternalIPv6Gateway
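A check to run on the customized hyperv_template.xml before building hyperv.iso, as an added example that is not Ivanti code: it flags sample values from this page left in place (including the admin password), address fields that do not parse, overwrite flags not set to 1 and, with -ZeroTouch, any parameter from the list above that is not empty. The function name and parameters are assumptions, and it reads only the oe:key/oe:value form shown on this page.

```powershell
# Added example, not Ivanti code. Function and parameter names are assumptions.
function Test-IcsProvisioningTemplate {
    param(
        [Parameter(Mandatory)] [string] $Path,  # customized hyperv_template.xml
        [switch] $ZeroTouch                     # networking is expected to come from DHCP
    )
    # Collect every oe:key / oe:value pair in the form shown on this page.
    $props = @{}
    $text  = Get-Content -LiteralPath $Path -Raw
    foreach ($m in [regex]::Matches($text, 'oe:key="([^"]+)"\s+oe:value="([^"]*)"')) {
        $props[$m.Groups[1].Value] = $m.Groups[2].Value
    }
    $findings = @()
    # Sample values printed in the documentation; none should reach a live appliance.
    $samples = @{
        vaAdminPassword = 'Password123$'
        vaRandomText    = 'randomtextrandomtextrandomtextrandomtext'
        vaConfigURL     = 'http://a.b.c.d/ics_config.xml'
        vaCommonName    = 'ics-ext-port.company.com'
        vaDNSDomain     = 'ics.company.com'
        vaWINSServer    = '1.2.3.4'
    }
    foreach ($k in $samples.Keys) {
        if ($props[$k] -ceq $samples[$k]) { $findings += "$k still holds the documentation sample value" }
    }
    # Any address-typed parameter that is filled in must parse as an IPv4/IPv6 address.
    foreach ($k in @($props.Keys) -match '(Address|Netmask|Gateway|DNS|WINSServer)$') {
        $ip = $null
        if ($props[$k] -and -not [System.Net.IPAddress]::TryParse($props[$k], [ref]$ip)) {
            $findings += "$k value '$($props[$k])' is not an IP address"
        }
    }
    # The page directs that all three port overwrite properties be set to 1.
    foreach ($port in 'Internal', 'Management', 'External') {
        $k = "va${port}PortReconfigWithValueInVAppProperties"
        if ($props[$k] -ne '1') { $findings += "$k should be 1" }
    }
    if ($ZeroTouch) {
        # Parameters this page lists as needing to be null for DHCP assignment.
        $mustBeEmpty = 'vaIPAddress', 'vaNetmask', 'vaGateway', 'vaPrimaryDNS', 'vaSecondaryDNS', 'vaDNSDomain',
            'vaExternalIPAddress', 'vaExternalNetmask', 'vaExternalGateway', 'vaManagementIPAddress',
            'vaManagementNetmask', 'vaManagementGateway', 'vaNetworkStack', 'vaIPv6Address', 'vaPrefix',
            'vaIPv6Gateway', 'vaManagementIPv6Address', 'vaManagementPrefix', 'vaManagementIPv6Gateway',
            'vaExternalIPv6Address', 'vaExternalPrefix', 'vaExternalIPv6Gateway'
        foreach ($k in $mustBeEmpty) {
            if ($props[$k]) { $findings += "$k is '$($props[$k])' but must be empty for zero touch provisioning" }
        }
    }
    [pscustomobject]@{ Path = $Path; Pass = ($findings.Count -eq 0); Findings = $findings }
}
```

The template and the hyperv.iso built from it carry vaAdminPassword in clear text, so store and handle both as secrets.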