VEN Installation Using VEN Library in PCE

Installing VENs by using the VEN Library in the PCE is only available for Windows and Linux hosts. You install VENs on AIX and Solaris hosts by downloading the VEN packages for those platforms and using the VEN CTL.

About VEN Installation, Pairing, and Upgrade

These are some general considerations for installing and upgrading VENs by using the VEN Library in the PCE web console.

  • The target VENs can be in any state for installation or upgrade.
  • Environment variables supported by the VEN CTL are not supported with when using the VEN Library to install VENs.
  • Exact time to install or upgrade a VEN depends on many factors, including the speed of the workload hardware, the speed of its network connections, and its performance load.
  • Before installation or upgrade, ensure that all the workloads on which you want to install or upgrade the VEN are online and reachable from the PCE. If they are not reachable when the installation or upgrade is running, they will be skipped.

About Installing VENs by Using the VEN Library

Installing the VEN by using VEN Library in the PCE web console is a two-step process. For each workload, perform the following high-level steps:

  1. In the PCE web console, generate a pairing profile. Generating a pairing profile generates a pairing script.
  2. Copy that pairing script to the workload and run it.

About Pairing Workloads

Pairing is the process of installing a VEN on a workload.

When you pair a workload, you run a script that installs the VEN on the workload. The VEN then reports detailed workload information to the PCE, such as all services running on the workload, all of its open ports, details about the operating system, workload location, and more.

When you configure and then provision rules, the PCE calculates and configures policy for each paired workload.

When you pair workloads, you can choose to place those workloads in one of these policy states:

Enforcement Mode for Policy

You can choose one of the enforcement modes for workloads when you pair them: 

  • Idle: A state in which the VEN does not take control of the workload’s iptables (Linux) or WFP (Windows), but uses workload network analysis to provides the PCE relevant details about the workload, such as the workload’s IP address, operating system, and traffic flows. This snapshot is taken every ten minutes.

    NOTE:

    SecureConnect is not supported on workloads in the Idle policy state. If you activate SecureConnect for a rule that applies to workloads that are in both Idle and non-Idle policy states, it could impact the traffic between these workloads.

  • Visibility: In the Visibility Only state, the VEN inspects all open ports on a workload and reports the flow of traffic between it and other workloads to the PCE. In this state, the PCE displays the flow of traffic to and from the workload, providing insight into the datacenter and the applications running in it. No traffic is blocked in this state. This state is useful when firewall policies are not yet known. This state can be used for discovering the application traffic flows in the organization and then generating a security policy that governs required communication.
  • Selective: Segmentation rules are enforced only for selected inbound services when a workload is within the scope of a Selective Enforcement Rule.
  • Full: Segmentation Rules are enforced for all inbound and outbound services. Traffic that is not allowed by a Segmentation Rule is blocked.

For information about how these enforcement modes impact workload security policy, see Enforcement States and Enforcement States for Rules in the Security Policy Guide.

You can choose one of three modes for the traffic visibility for workloads:

  • Off (no detail): The VEN does not collect any details about traffic connections. This option provides no Illumination detail and utilizes the least amount of resources from workloads. This state is useful when you are satisfied with the rules that have been created and do not need additional overhead from observing workload communication.
  • Blocked: The VEN only collects the blocked connection details (source IP, destination IP, protocol and source port and destination port), including all packets that were dropped. This option provides less Illumination detail but also demands fewer system resources from a workload than high detail.
  • Blocked + Allowed: The VEN collects connection details (source IP, destination IP, protocol and source port and destination port). This applies to both allowed and blocked connections. This option provides rich Illumination detail but requires some system resources from a workload.

To start the Workload pairing process, you need to:

  • Create a Pairing Profile or use the default pairing profile
  • Pair workloads: Linux or Windows

VEN Package Format Changes (Windows only)

In Illumio Core 21.2.1, the Windows VEN installer switched from MSI to EXE package format. Customers using the PCE-based VEN deployment must take an extra step for the transition. Specifically, Illumio Core customers running older MSI-based Windows VENs must upgrade to 19.3.6+H1-VEN or 21.2.0+H2-VEN before upgrading to their VENs to 21.2.1 or a later version. Older VEN versions are not EXE package aware and cannot upgrade themselves without manual intervention on the CLI.

For the detailed steps required for this transition, see New Windows VEN Installer Starting with 21.2.1, Knowledge Base Article 3561 (login required).

Pair a Windows Workload

Pairing a workload requires running the pairing script on it to install the VEN.

When you first log into the PCE web console, a default pairing profile containing a pairing script is provided so you can begin pairing workloads. You also have the option to create a new pairing profile if you want to configure your own workload pairing settings.

NOTE:
When the Illumio VEN is installed on a Windows workload and paired with the PCE in the Full enforcement policy state, all Internet Group Management Protocol (IGMP) traffic will be blocked unless you add a rule to allow it. Windows servers typically use IGMP for things like Windows Internet Name Service (WINS), Windows Deployment Services (WDS), IGMP Router/Proxy mode, and Network Load Balancing (NLB) in multicast mode.
WARNING:

Your pairing script to install a Windows VEN on a workload cannot contain colons in the values for command options. Including a colon in a option value causes VEN activation to fail. For example, including the following values in the -role option, causes VEN activation to fail:

-role "R: UNKNOWN" -app "A:UNKNOWN" -env "E: UNKNOWN"

Activation fails because Windows uses the colon as a special character and cannot interpret the value even when you include quotation marks around the value.

NOTE:
You must be logged in as an Administrator user on the Windows workload to run the Illumio pairing script.

To pair a workload on Windows:

  1. From the PCE web console menu, choose > Workloads and VENs > Workloads.

  2. Click Add > Pair Workload with Pairing Profile.

    The Pairing Profiles page appears.

  3. From the drop-down list, select a pairing profile. The list contains the default pairing profile and the pairing profiles you've added.

    To create a new pairing profile, see Configure a Pairing Profile.

  4. From the Windows OS Pairing Script field, copy the Windows pairing script.
  5. On the Windows workload you want to pair, open the Windows PowerShell as an Administrator user.

  6. Paste the pairing script you copied into the PowerShell command prompt.

    When the script finishing running, the following output appears:

    PS C:\Program Files> PowerShell -Command "& {Set-ExecutionPolicy -Scope process remotesigned -Force; Start-Sleep -s 3; Set-Variable -Name ErrorActionPreference -Value SilentlyContinue; [System.Net.ServicePointManager]::SecurityProtocol=[Enum]::ToObject([System.Net.SecurityProtocolType], 3072); Set-Variable -Name ErrorActionPreference -Value Continue; (New-Object System.Net.WebClient).DownloadFile('https://pce.example.com:8443/api/v18/software/ven/image?pair_script=pair.ps1&profile_id=1', '.\Pair.ps1'); .\Pair.ps1  -management-server example.com:8443 -activation-code <code>;}"

             Installing Illumio 
             ------------------ 
Setting up Illumio Repository ........ 
Retrieving Illumio Package ........... 
Installing Illumio Package ........... 
Validating Package Installation ...... 
Pairing with Illumio ................. 
               Pairing Status 
               -------------- 
Illumio Package installation ......SUCCESS 
Pairing Configuration exists ......SUCCESS 
VEN Manager Service running .......SUCCESS 
Master Configuration retrieval ....SUCCESS 
VEN Configuration retrieval .......SUCCESS 
VEN has been SUCCESSFULLY paired with Illumio 

PS C:\Program Files> cd .\Illumio\ 
PS C:\Program Files\Illumio> .\illumio-ven-ctl.ps1 status 
Service venAgentMgrSvc:                 Running 
Service venPlatformHandlerSvc:          Running 
Service venVtapServerSvc:               Running 
Service venAgentMonitorSvc:             Running 
Service venAgentMgrSvc:                 Enabled 
Service venPlatformHandlerSvc:          Enabled 
Service venVtapServerSvc:               Enabled 
Service venAgentMonitorSvc:             Enabled 
Agent State: illuminated
  7. To view the workload after it has finished pairing, choose Workloads and VENs > Workloads from the PCE web console menu.

Unpair a Windows Workload

Unpairing is the process of uninstalling the VEN from a workload so that it no longer reports any information to the PCE and can no longer receive any policy information. After uninstalling the VEN, the PCE will no longer maintain control over the workload.

NOTE:
After you remove a workload from the PCE using the PCE web console or REST API (but not by using the VEN CTL), it remains in policy computation and can continue to appear (for example, in auto complete fields or API responses) until the VEN confirms that it has been uninstalled or a one-hour delay has passed.

Windows Unpair Options

Carefully consider the security state you want to return the Windows workload to after the VEN is uninstalled:

  • Remove Illumio policy: (Recommended) Remove Illumio Windows Filtering Platform (WFP) filters and activate the Windows firewall.
  • Open all ports: Uninstalls the VEN and leaves all ports on the workload open to traffic.
  • Close all ports except remote management: Temporarily allow only RDP/3389 and WinRM/5985, 5986 until the system is rebooted.
NOTE:
When you unpair a workload that uses a Windows GPO policy, the GPO policy overrides local WFP rules.

To unpair a Windows workload:

  1. From the PCE web console menu, choose Workloads and VENs > Workloads.
  2. Select the Windows workload you want to unpair. You can select as many workloads as you want to unpair.
  3. Click Unpair.
  4. Select an unpair option, and then click Remove.

Remove VEN Using Windows Control Panel

You can also use the Windows Control Panel Programs and Features utility to remove the VEN. When you use this utility to remove the VEN, the Windows workload is returned to the “Recommended” state.

Pair a Linux Workload

Pairing a workload requires running the pairing script on it to install the VEN.

When you first log into the PCE web console, a default pairing profile and corresponding pairing script is provided. You can use the default pairing profile to assess installing Linux VENs using the VEN Library.

Or, you can create a new pairing profile to configure your own workload pairing settings. Ultimately, you should create your own Linux pairing profile to designate your own workload pairing settings.

Before you begin, open an SSH connection to the workload you want to pair.

NOTE:
You must be logged in as a user with root permissions to run the Illumio pairing script.

To pair a workload on Linux:

  1. From the PCE web console menu, choose Workloads and VENs > Workloads.

  2. Click Add > Pair Workload with Pairing Profile.

    The Pairing Profiles page appears.

  3. From the drop-down list, select a pairing profile. The list contains the default pairing profile and the pairing profiles you've added.

    To create a new pairing profile, see Configure a Pairing Profile.

  4. From the Linux/Unix OS Pairing Script field, copy the Linux pairing script.

  5. In a shell window on the workload you want to pair, paste the script you copied from the pairing profile.

    When the script finishing running, the following output appears:

    [root@ven-rhel tmp]# rm -fr /opt/illumio_ven_data/tmp && umask 026 && mkdir -p /opt/illumio_ven_data/tmp && curl --tlsv1 "https://pce.example.com:8443/api/v18/software/ven/image?pair_script=pair.sh&profile_id=1" -o /opt/illumio_ven_data/tmp/pair.sh && chmod +x /opt/illumio_ven_data/tmp/pair.sh && /opt/illumio_ven_data/tmp/pair.sh --management-server pce.example.com:8443 --activation-code <code>

  % Total  % Received  % Xferd  Average Speed  Time  Time  Time  Current Dload  Upload   Total   Spent    Left  Speed 
  100  40891  100  40891  0  0  93526  0 --:--:-- --:--:-- --:--:-- 93572 

             Installing Illumio 
             ------------------ 
Retrieving Illumio Packages [x86_64][CentOS][7.4] .......... 
Validating sha256 ................. 
Installing Illumio Packages .......... 
EXPECTED_VERSION: <ven_version> 
INSTALLED_VERSION: <ven_version> 
Starting Illumio processes ................. 
Starting illumio-control:  
- Environment Setting up Illumio VEN Environment:         [  OK  ] 
- venAgentMgr Starting venAgentMgr:                       [  OK  ] 
- IPSec Starting IPSec: feature not enabled               [  OK  ] 
- venPlatformHandler Starting venPlatformHandler:         [  OK  ] 
- venVtapServer Starting venVtapServer:                   [  OK  ] 
- venAgentMonitor Starting venAgentMonitor:               [  OK  ] 
Pairing with Illumio ................. 

               Pairing Status 
               -------------- 
Pairing Configuration exists ......SUCCESS  
VEN Manager Daemon running ........SUCCESS  
Master Configuration retrieval ....SUCCESS  
VEN Configuration retrieval .......SUCCESS  
VEN has been SUCCESSFULLY paired with Illumio 

[root@ven-rhel tmp]#

Unpair a Linux Workload

Unpairing is the process of uninstalling the VEN from a Wworkload so that it no longer communicates with the PCE. Once unpaired, the PCE no longer controls the workload.

NOTE:
After you remove a workload from the PCE using the PCE web console or REST API (but not by using the VEN CTL), it remains in policy computation and can continue to appear (for example, in auto complete fields or API responses) until the VEN confirms that it has been uninstalled or a one-hour delay has passed.

Linux Unpair Options

Carefully consider the security state you want to return the Linux workload to after the VEN is uninstalled.

  • Remove Illumio policy: (Recommended) Revert firewall rules to the state previous to pairing.
  • Open all ports: Uninstalls the VEN and leaves all ports on the workload open to traffic.
  • Close all ports except remote management: Temporarily allow only SSH/22 traffic until system is rebooted.
NOTE:
If the Workload you are unpairing is offline during the unpairing process, the Workload may still appear in the Workloads list in the PCE web console, even though the Workload has been unpaired. The unpaired Workload will be removed within 30-35 minutes.

To unpair a Linux Workload:

  1. From the PCE web console menu, choose Workloads and VENs > Workloads.
  2. Select the Linux workload you want to unpair.
  3. Click Unpair.
  4. Select an unpair option, and then click Remove.

Ignored Interfaces

You can now set interfaces from “managed” to “ignored” in the PCE web console. Use this option when you want the workload to ignore visibility and enforcement specific interfaces; for example, on the interconnected interfaces of database clusters, such as Oracle RAC. You can set one or more interfaces to “ignored” during pairing. Using this setting causes the first downloaded firewall to ignore those interfaces. An ignored interface is not be included in the policy configuration and traffic will flow uninterrupted through it without any change in latency. You can see which interfaces are marked as “ignored” on the Workload details page.

IMPORTANT:

Illumio recommends that you designate all private (non-routable) interfaces as ignored interfaces.

To set an interface to ignored:

  1. From the PCE web console menu, choose Workloads and VENs > Workloads.
  2. Select the workload that has interface you want to ignore.
  3. Click Edit.
  4. In the Network Interfaces section, change the interface to Ignored in the PCE Action drop-down menu.
  5. Click Save.
NOTE:
After you set an interface to Ignored, it will not be included in policy configuration provided by the PCE and traffic will continue to flow uninterrupted through that interface.