Preparing to Install the Services Director Virtual Appliance
Overview: Platforms
The Services Director Virtual Appliance (VA) can be installed on a number of platforms. Each platform has prerequisites that must be met before you begin installation. See Prerequisites.
You can install the Services Director VA as a Virtual Machine on the following platforms:
• VMware, see Installing the Services Director VA on vSphere.
• KVM-QEMU, see Installing the Services Director VA on KVM-QEMU.
• Amazon Web Services (AWS), see Installing the Services Director VA on Amazon Web Services.
After the Services Director VA is installed as a VM/instance, you must:
• Run the Services Director Setup Wizard to configure the Services Director VA for use, see Running the Services Director VA Setup Wizard.
• Review and update all Services Director settings, see Updating Services Director VA Settings.
Prerequisites
Before you install the Services Director VA and run the Setup Wizard, you must make sure that you have the correct software, files and configuration information.
Required Software for Installation
You need the following software to install the Services Director VA using a VMware hypervisor.
| Software | Description |
| --- | --- |
| VMware vSphere ESXi 6.0+ | Ivanti assumes that you are familiar with creating and managing VMs using vSphere. For detailed information about creating virtual machines using vSphere, refer to http://www.vmware.com/products/. |
| Services Director VMware image in OVA format | This image is used to install the Services Director VA. You can obtain the Services Director OVA package from Ivanti Support. |
You need the following software to install the Services Director VA using a KVM-QEMU hypervisor.
| Software | Description |
| --- | --- |
| A virtualization toolset, such as libvirt or Virtual Machine Manager (VMM) | Ivanti assumes that you are familiar with creating and managing VMs using your chosen toolset. For detailed information about creating virtual machines on KVM-QEMU, refer to http://wiki.qemu.org/KVM. |
| Services Director KVM image in QCOW2 format | This image is used to install the Services Director VA on a KVM-QEMU hypervisor. You can obtain the Services Director KVM image in QCOW2 format from Ivanti Support. |
You need an Amazon Web Services (AWS) account and a browser to use Services Director on AWS.
Required Hardware Resources for Virtual Machines
You need the following hardware resources to use Services Director VA on vSphere and KVM-QEMU.
| VA Type | CPU | Memory | Disk |
| --- | --- | --- | --- |
| Services Director VA | 4 vCPU | 8 GB | 46 GB |
Your hardware must support the required configuration.
There are no hardware requirements for AWS, as it is cloud-based.
Required Files and Information
The following table lists the files and information required by the Services Director VA.
All required files must be in accessible locations in your infrastructure during the installation process. For example, locate the files on an accessible server, or your local machine.
| Information | Description |
| --- | --- |
| Hostnames | The hostname for the Services Director. When you are creating a High Availability pair, you will need a hostname for both the Primary and the Secondary Services Director nodes. |
| DNS Server | (Optional) The IP address for the primary name server. This is not required if you choose to configure your system using IP addresses rather than DNS hostnames. You can also specify a secondary name server if required. |
| Primary Address | The IP address for the Primary Services Director in a High Availability pair. |
| Secondary Address | The IP address for the Secondary Services Director in a High Availability pair. |
| Service Endpoint Address | The Management IP address for your High Availability Services Director installation. This IP address binds to the currently active Services Director. |
| SSL certification and private key | A self-signed Secure Socket Layer (SSL) certificate and private key file, which are used to protect and authenticate the REST API port. This is a local file or URL using HTTP, FTP, or SCP. For example: scp://username:password@host/path/filename. Ivanti recommends that you do not use a CA-signed certificate. |
| Services Director License | The Services Director License, either for Cloud Service Providers or Enterprise customers. If you have not received your Services Director License, contact Ivanti Support for assistance. |
| Resource Licenses | For Enterprise Services Director Licenses/Customers only. This includes Bandwidth Resource Licenses, and Analytics Resource Pack Licenses. If you have not received your Licenses, contact Ivanti Support for assistance. |
| Add-On Licenses | An Add-On License is a historical license type that is only supported on “old style” Services Director licenses. It is not compatible with “new style” Services Director licenses. |
| Legacy FLA License | (Optional) The Flexible Licensing Architecture (FLA) Legacy License is for any Virtual Traffic Manager (vTM) instances at version 10.0 or earlier, and any vTM instances that do not have an enabled REST API. vTMs that are at version 10.1 (or later) with their REST API enabled will use a pre-installed Universal License. |
| Administrator user and password | The administrator password for the Services Director. This password is used to access the Services Director GUI and CLI. The default administrator user is admin and the password is password. |
| SMTP server and port | (Optional) The hostname (or IP address if DNS is not configured) of the SMTP server and port. External DNS and external access for SMTP traffic is required for email notification of events and failures to function. |
| Email notification address | (Optional) A valid email address to which notification of events and failures are to be sent. |
Critical Ports That Must Be Open
The following table lists ports that must be open on the Services Director VA.
| Port | Open to Connections From | Description | Protocol |
| --- | --- | --- | --- |
| 22 | Any machine that may legitimately need to access the Services Director CLI. | The SSH port used by the CLI. | TCP |
| 443 | Any machine that may legitimately need to access the Services Director GUI. | The graphical user interface (GUI). | TCP |
| 8100 | Any machine that may legitimately need to access the Services Director REST API, including HA pair peer and vTMs using Legacy FLA. | The Services Director REST API. Also used for licensing vTMs that use Legacy FLA Licensing. | TCP |
| 8101 | vTMs using Universal FLA. | The Services Director licensing server port. Used for licensing vTMs that use Universal FLA Licensing. | TCP |
The following table lists ports that must be open on all vTM instances.
| Port | Description | Protocol |
| --- | --- | --- |
| 9070 | The REST API port. | TCP |
| 9080 | The control port used for cluster operations. | TCP |
| 9090 | The graphical user interface (GUI). | TCP |
| 9091 | Internal vTM cluster communication. | TCP |
Ports Blocked to External Access by the Firewall
To promote system security and to ensure access to the Services Director VA is not compromised, the following ports are blocked to external traffic by default.
Only external access is blocked. Other Services Director VA HA peer instances can continue to access services over these ports.
| Port | Description | Protocol |
| --- | --- | --- |
| 3306 | MySQL server connections | TCP |
| 33060 | MySQL server monitor used by the Services Director VA vTM instance for health checks. | TCP |
| 8889 | Core monitor port used by the Services Director VA vTM instance. | TCP |
| 9070 | The REST API port of the internal vTM. | TCP |
| 9090 | vTM instance Admin UI and related API. | TCP |
This behavior is enabled by default in the Services Director VA firewall rules. These rules can be configured on a port-by-port basis, or disabled altogether by changing the configuration of your firewall.
To check or configure the firewall, use the Services Director CLI. Full details on the relevant CLI commands can be found in the Pulse Secure Services Director Command Reference, available at https://www.ivanti.com/support/product-documentation.
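One way to confirm from outside the appliance that the firewall behaves as the tables above describe is to probe each listed port and report any that deviate. This is an added example, not part of the Ivanti documentation: the function names are hypothetical, and `EXPECTED` assumes the probing host is a permitted source for ports 22, 443, 8100 and 8101 and is not an HA peer.

```python
import socket
import sys

# Expected state as seen from an external machine that is permitted to manage
# the appliance (not an HA peer), taken from the port tables on this page.
EXPECTED = {
    22: "open", 443: "open", 8100: "open", 8101: "open",
    3306: "blocked", 33060: "blocked", 8889: "blocked",
    9070: "blocked", 9090: "blocked",
}


def tcp_reachable(host, port, timeout=2.0):
    """True only if the TCP handshake completes; refused or timed out is False."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_ports(host, expected=EXPECTED, probe=tcp_reachable):
    """Return {port: (expected, observed)} for each port that deviates."""
    deviations = {}
    for port, want in sorted(expected.items()):
        got = "open" if probe(host, port) else "blocked"
        if got != want:
            deviations[port] = (want, got)
    return deviations


if __name__ == "__main__" and len(sys.argv) == 2:
    # Usage: python check_sd_ports.py <appliance-address>  (hypothetical file name)
    result = check_ports(sys.argv[1])
    for port, (want, got) in result.items():
        print(f"port {port}: expected {want}, observed {got}")
    sys.exit(1 if result else 0)
```

A non-zero exit status means at least one port does not match the documented state, which makes the script usable as a post-install or post-change check.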
For installations on Amazon Web Services (AWS), the firewall is turned off by default. The same protection is instead provided by EC2 security groups.
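Because the appliance firewall is off on AWS, the security group is the only control keeping the blocked ports private. The following added example (not Ivanti code) audits one security group, in the JSON shape returned by `aws ec2 describe-security-groups`, for ingress rules that expose those ports to any source other than the HA peer. The sample group, its addresses and the function name are constructed for illustration.

```python
import ipaddress

# Ports this page lists as blocked to external access on the Services Director VA.
BLOCKED_PORTS = (3306, 33060, 8889, 9070, 9090)

# Constructed sample: one entry of "SecurityGroups" from describe-security-groups.
SAMPLE_GROUP = {
    "GroupId": "sg-EXAMPLE",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "10.0.1.20/32"}]},          # the HA peer
        {"IpProtocol": "tcp", "FromPort": 9000, "ToPort": 9100,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},             # range covers 9070, 9090
        {"IpProtocol": "-1", "IpRanges": [],
         "Ipv6Ranges": [{"CidrIpv6": "2001:db8::/32"}]},     # all protocols, all ports
    ],
}


def audit_security_group(group, ha_peers):
    """Return sorted (port, source_cidr) pairs where a blocked port is
    reachable from a source that is not inside an HA peer network.
    Rules that reference other security groups are not evaluated here."""
    peers = [ipaddress.ip_network(p) for p in ha_peers]
    findings = []
    for perm in group.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        if proto == "-1":                     # "-1" means every protocol and port
            lo, hi = 0, 65535
        elif proto == "tcp":
            lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        else:
            continue
        exposed = [p for p in BLOCKED_PORTS if lo <= p <= hi]
        sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for src in sources:
            net = ipaddress.ip_network(src, strict=False)
            if any(net.version == p.version and net.subnet_of(p) for p in peers):
                continue                      # HA peers may reach these ports
            findings.extend((port, src) for port in exposed)
    return sorted(findings)
```

With the sample above and `ha_peers=["10.0.1.20/32"]`, the wide 9000-9100 rule and the all-protocol IPv6 rule are reported, while the 443 rule and the peer-only MySQL rule are not.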