Prerequisites for VEN Installation
Before installing VENs on the workloads in your environment, you must understand and meet the following prerequisites.
VEN Version
Make sure you are installing the correct VEN version for your environment.
VEN for Servers Endpoints
The default version (22.5.20) of the VEN supports policies on both servers and endpoints for all types of rules.
Automatic Detection of Server Roles
VEN versions 22.5 and above support automatic detection of server roles, and versions 22.5.20 and above support automatic server role detection for Windows Server 2008.
Legacy VEN Support
Illumio maintains feature support for older VEN versions, which can be downloaded from Illumio Xpress clusters. For detailed information, contact xpress-feedback@illumio.com.
PATH Environment Variable for illumio-ven-ctl
For easier invocation of illumio-ven-ctl and other control scripts, set your PATH environment variable to the directories where they are located:
- Linux: default location is /opt/illumio_ven
- Windows: default location is C:\Program Files\Illumio
For more information about using the VEN CTL, see illumio-ven-ctl General Syntax in the VEN Administration Guide.
VEN OSs and Package Dependencies
Some packages, such as SecureConnect StrongSwan for enforcing IPsec, are included as part of the VEN package. Other packages are installed on the workload itself if they are not already present: when a required package is not installed on the workload, the VEN downloads and installs it via package dependencies, such as RPM dependencies. For example, when the ipset kernel module is not installed, the VEN downloads and installs it on the workload.
For the complete list of package dependencies by operating system, see the VEN OS Support and Package Dependencies page on the Illumio Support portal.
VEN-to-PCE Communication
Illumio Xpress uses Transport Layer Security (TLS) version 1.2 by default for VEN-to-PCE communications.
Before installing a VEN, the workload must meet the following requirements for VEN-to-PCE communication:
- The workload can validate its certificate's chain of trust back to the root Certificate Authority (CA) of the server certificate on the PCE.
- The VEN can reach the PCE on the ports configured for the PCE.
- To prevent time drift between the PCE and VENs, Network Time Protocol (NTP) must be installed and working on the PCE and the VENs.
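The three requirements above can be checked on a Linux workload before the VEN is installed. This is an added example, not Illumio's own tooling; it assumes PCE_HOST is set to your PCE hostname, that PCE_PORT is the VEN-facing port configured on your PCE (the 8443 default here is a placeholder), and that openssl, nc and timedatectl are present.

```shell
#!/bin/bash
# Pre-flight checks for VEN-to-PCE communication (added example; not Illumio's own tooling).
# Assumptions: PCE_HOST names your PCE (no default, placeholder) and PCE_PORT is the
# VEN-facing port configured on your PCE (8443 here is a placeholder default).
PCE_PORT="${PCE_PORT:-8443}"

# Interpret captured `openssl s_client` output: returns 0 only when the chain
# validated back to a root CA in this workload's trust store.
tls_verify_ok() {
    printf '%s\n' "$1" | grep -q '^Verify return code: 0 (ok)'
}

# Interpret `timedatectl show` output: returns 0 only when the clock is NTP-synchronised.
ntp_synced() {
    printf '%s\n' "$1" | grep -q '^NTPSynchronized=yes'
}

# 1. Chain of trust: TLS 1.2 handshake, verified against the system CA bundle.
check_tls_chain() {
    out=$(printf '' | openssl s_client -connect "$PCE_HOST:$PCE_PORT" \
          -servername "$PCE_HOST" -tls1_2 2>/dev/null)
    tls_verify_ok "$out"
}

# 2. Reachability on the configured PCE port (nc is assumed to be installed).
check_port() {
    nc -z -w 5 "$PCE_HOST" "$PCE_PORT"
}

# 3. Time sync, so the VEN and PCE clocks do not drift apart.
check_ntp() {
    ntp_synced "$(timedatectl show 2>/dev/null)"
}

run_preflight() {
    rc=0
    check_tls_chain && echo "TLS chain: OK" || { echo "TLS chain: FAILED"; rc=1; }
    check_port && echo "PCE port $PCE_PORT: reachable" || { echo "PCE port $PCE_PORT: unreachable"; rc=1; }
    check_ntp && echo "NTP: synchronised" || { echo "NTP: not synchronised"; rc=1; }
    return $rc
}

# Runs only when a PCE hostname was supplied, e.g.: PCE_HOST=pce.example.com ./preflight.sh
if [ -n "${PCE_HOST:-}" ]; then run_preflight; fi
```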
Workload Disk Size Requirements
Illumio recommends that you reserve the following disk space on workloads for the VEN:
- Minimum: 500MB
- Recommended: 1.5GB to 2.0GB
Application logs are rotated from primary to backup when their size reaches 15 MB. Application log files are preserved at reboot, because application logs are stored in files on a workload.
IP Address Support
The VEN supports both IPv4 and IPv6 address versions, and the IP address version appears correctly in the PCE; for example, in the Workload section of the VEN summary page in the PCE web console.
You can configure how the PCE treats IPv6 traffic from workloads. For more information, see Allow or Block IPv6 Traffic in the PCE Administration Guide.
Obtain the VEN Packages
PCE-based VEN software bundle
As an Illumio Xpress customer, you do not have shell access to the PCE; therefore, the Illumio Xpress Operations team downloads and sets up the PCE-based VEN software bundle for customers. They download all necessary VEN packages for Illumio Xpress customers.
CLI-based VEN software packages
All VEN software is available for download from the Illumio Support portal. A VEN package is downloadable from the Illumio Support portal for each version of the VEN. Illumio provides the package as a tar file that contains a version of the VEN for all supported operating systems.
To download the VEN package:
- Go to the Illumio Support site (login required).
- Select Software > Download under the VEN section > VEN version. The Download VEN page appears.
- In the VEN Packages row of the VEN table, click the filename for the VEN tar file.
- Download the file to a convenient location.
VEN Package CPU Architecture
For VEN installation using the VEN CTL, after you have downloaded and unpacked the software, determine the VEN appropriate for your operating systems and hardware architecture.
See the Supported Operating Systems for Illumio VEN table on the Illumio Support portal (login required), specifically the CPU Architecture Identifier in Filename column.
(Optional) Verify Package Signature
For additional security, verify the identity of the downloaded VEN packages against the Illumio public key.
- You can verify the signature of the VEN RPM packages for CentOS, Red Hat Enterprise Linux (RHEL), Ubuntu, and SUSE Linux Enterprise Server.
- Signature verification is not supported for AIX, Debian, Solaris, and Windows VEN packages.
The Illumio Xpress public key is available on the Download VEN page of the Illumio Support portal (login required).
For information about using a public key to verify package signatures, see Checking a Package's Signature on the Red Hat Customer Portal.
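One way to perform that RPM signature check, as an added example that is not Illumio's own script: it assumes the Illumio public key downloaded from the Download VEN page is saved as ./illumio-pubkey.asc (placeholder filename) and the VEN RPM path is passed as the first argument. The checksig_ok function interprets `rpm --checksig` output from both older and newer rpm versions and treats a missing key as a failure rather than a pass.

```shell
#!/bin/sh
# Verify a VEN RPM against the Illumio public key (added example; not Illumio's own script).
# Assumption: the key from the Download VEN page is saved at PUBKEY (placeholder path).
PUBKEY="${PUBKEY:-./illumio-pubkey.asc}"

# Interpret one line of `rpm --checksig` output. Returns 0 only when a signature was
# verified with an imported key. "NOT OK", "NOKEY" and "MISSING KEYS" all mean the
# package must not be trusted; a digests-only "OK" means it carries no verified signature.
checksig_ok() {
    line=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    case $line in
        *"not ok"*|*nokey*|*"missing keys"*) return 1 ;;
        *"signatures ok"*) return 0 ;;        # rpm 4.14+ wording
        *pgp*" ok"*) return 0 ;;              # older rpm wording, e.g. "(md5) pgp md5 OK"
        *) return 1 ;;
    esac
}

# Import the Illumio public key (root required), then check the package signature.
verify_ven_rpm() {
    pkg=$1
    [ -f "$pkg" ] || { echo "no such package: $pkg" >&2; return 1; }
    rpm --import "$PUBKEY" || return 1
    out=$(rpm --checksig "$pkg") || true   # rpm's exit code is ignored; the line is interpreted
    if checksig_ok "$out"; then
        echo "signature verified: $out"
    else
        echo "signature NOT verified: $out" >&2
        return 1
    fi
}

# Usage: ./verify-ven-rpm.sh /path/to/illumio-ven.rpm
[ -n "${1:-}" ] && verify_ven_rpm "$1"
```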
Firewall Tampering Protection on Linux
To enable faster host firewall tampering protection (within approximately three seconds) for Linux firewalls, make sure that:
- tracefs is mounted (newer Linux distributions)
- debugfs is mounted (older Linux distributions that include tracefs in debugfs)
For information, see VEN Firewall Tampering Detection in the VEN Administration Guide.
Faster host firewall tampering protection is enabled for Windows automatically.
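To check the Linux tracefs/debugfs requirement above before installing, here is an added example (not Illumio's own tooling). It reads the mount table in /proc/mounts format, reports which filesystem provides tracing, and can mount tracefs at its standard location, falling back to debugfs for older kernels; the mount paths assume the usual /sys/kernel layout.

```shell
#!/bin/sh
# Check whether tracefs, or debugfs providing tracefs, is mounted, as the VEN's fast
# firewall-tampering detection on Linux requires. Added example; not Illumio's own tooling.

# $1: a file in /proc/mounts format (defaults to /proc/mounts). Prints "tracefs" or
# "debugfs" and returns 0 when one is mounted; returns 1 when neither is.
tracing_mounted() {
    mounts=${1:-/proc/mounts}
    # /proc/mounts columns: device mountpoint fstype options dump pass
    if awk '$3 == "tracefs" { found = 1 } END { exit !found }' "$mounts"; then
        echo tracefs
        return 0
    fi
    if awk '$3 == "debugfs" { found = 1 } END { exit !found }' "$mounts"; then
        echo debugfs
        return 0
    fi
    return 1
}

# Mount tracefs at /sys/kernel/tracing when nothing provides tracing yet (root required).
# Older kernels expose tracing under /sys/kernel/debug/tracing, hence the debugfs fallback.
ensure_tracing_mounted() {
    if fs=$(tracing_mounted /proc/mounts); then
        echo "tracing already provided by $fs"
        return 0
    fi
    mount -t tracefs nodev /sys/kernel/tracing 2>/dev/null \
        || mount -t debugfs nodev /sys/kernel/debug
}

# Usage: run as root on the workload before installing the VEN:
#   ./check-tracing.sh
[ "${1:-}" = "--mount" ] && ensure_tracing_mounted
```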
VEN Compatibility Check
In addition to meeting the requirements in this topic and being aware of the limitations for installing VENs on workloads, you can use the VEN Compatibility Check feature to verify the functionality of the VEN on a workload. The compatibility information for the VEN is available only while the VEN is in Idle mode.
For information about this feature, see VEN Compatibility Check.
SecureConnect Setup on Workloads
For information about SecureConnect requirements for VENs, see SecureConnect in the Security Policy Guide.
Requirements for Kerberos Authentication
You can configure the PCE and VEN to rely on authentication by a pre-configured Kerberos-based system, such as Microsoft Active Directory.
You configure Kerberos-based authentication for the VEN at installation. Illumio Xpress supports Kerberos authentication for Linux, Windows, Solaris, and AIX VENs.
For information, see the following topics:
For all VENs to be paired via Kerberos, be sure to add policy rules allowing access to the required Kerberos servers.
Obtain an activation code for the VEN. When installing the VEN by using the VEN CTL, you can use the activation code either during installation or after installation. For information about activation codes for the VEN, see About the VEN Activation Code.