Prerequisites for VEN Installation

Before installing VENs on the workloads in your environment, you must understand and meet the following prerequisites.

VEN Version

Make sure you are installing the correct VEN version for your environment.

VEN for Servers and Endpoints

The default version (22.5.20) of the VEN supports policies on both servers and endpoints for all types of rules.

Automatic Detection of Server Roles

VEN versions 22.5 and above support automatic detection of server roles, and versions 22.5.20 and above support automatic server role detection for Windows Server 2008.

Legacy VEN Support

Illumio maintains feature support for older VEN versions, which can be downloaded from Illumio Xpress clusters. For detailed information, contact xpress-feedback@illumio.com.

PATH Environment Variable for illumio-ven-ctl

For easier invocation of illumio-ven-ctl and other control scripts, set your PATH environment variable to the directories where they are located:

  • Linux: default location is /opt/illumio_ven
  • Windows: default location is C:\Program Files\Illumio

For more information about using the VEN CTL, see illumio-ven-ctl General Syntax in the VEN Administration Guide.

VEN OSs and Package Dependencies

Some packages, such as SecureConnect StrongSwan for enforcing IPsec, are included as part of the VEN package.

Other packages are installed on the workload itself if they are not already present. When these required packages are not installed on the workload, the VEN downloads and installs them via package dependencies, such as RPM dependencies. For example, when the ipset kernel module is not installed, the VEN downloads and installs it on the workload.

For the complete list of package dependencies by operating system, see the VEN OS Support and Package Dependencies page on the Illumio Support portal.

VEN-to-PCE Communication

Illumio Xpress uses Transport Layer Security (TLS) version 1.2 by default for VEN-to-PCE communications.

Before installing a VEN, the workload must meet the following requirements for VEN-to-PCE communication:

  • The workload can validate its certificate's chain of trust back to the root Certificate Authority (CA) of the server certificate on the PCE.
  • The VEN can reach the PCE on the ports configured for the PCE.
  • To prevent time drift between the PCE and VENs, Network Time Protocol (NTP) must be installed and working on the PCE and the VENs.

Workload Disk Size Requirements

Illumio recommends that you reserve the following disk space on workloads for the VEN:

  • Minimum: 500MB
  • Recommended: 1.5GB to 2.0GB

Application logs are rotated from primary to backup when their size reaches 15 MB. Application log files are preserved at reboot, because application logs are stored in files on a workload.

IP Address Support

The VEN supports both IPv4 and IPv6 address versions, and the IP address version appears correctly in the PCE; for example, in the Workload section of the VEN summary page in the PCE web console.

You can configure how the PCE treats IPv6 traffic from workloads. For more information, see Allow or Block IPv6 Traffic in the PCE Administration Guide.

Obtain the VEN Packages

PCE-based VEN software bundle

NOTE:

As an Illumio Xpress customer, you do not have shell access to the PCE; therefore, the Illumio Xpress Operations team downloads and sets up the PCE-based VEN software bundle for customers, including all necessary VEN packages.

CLI-based VEN software packages

All VEN software is available for download from the Illumio Support portal. A VEN package is downloadable from the Illumio Support portal for each version of the VEN. Illumio provides the package as a tar file that contains a version of the VEN for all supported operating systems.

To download the VEN package:

  1. Go to the Illumio Support site (login required).
  2. Select Software > Download under the VEN section > VEN version.

    The Download VEN page appears.

  3. In the VEN Packages row of the VEN table, click the filename for the VEN tar file.
  4. Download the file to a convenient location.

VEN Package CPU Architecture

For VEN installation using the VEN CTL, after you have downloaded and unpacked the software, determine the VEN appropriate for your operating systems and hardware architecture.

See the CPU Architecture Identifier in Filename column of the Supported Operating Systems for Illumio VEN table on the Illumio Support portal (login required).

(Optional) Verify Package Signature

For additional security, verify the identity of the downloaded VEN packages against the Illumio public key.

NOTE:
  • You can verify the signature of the VEN RPM packages for CentOS, Red Hat Enterprise Linux (RHEL), Ubuntu, and SUSE Linux Enterprise Server.
  • Signature verification is not supported for AIX, Debian, Solaris, and Windows VEN packages.

The Illumio Xpress public key is available on the Download VEN page of the Illumio Support portal (login required).

For information about using a public key to verify package signatures, see Checking a Package's Signature on the Red Hat Customer Portal.
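The check described above, as an added example that is not Illumio's own tooling: it imports the Illumio public key into the rpm keyring and classifies the output of rpm -K, because rpm -K exits 0 for an unsigned package whose digests merely match. The key file path and the VEN_RPM variable are assumptions.

```shell
#!/bin/sh
# Added example: check a downloaded VEN RPM against the Illumio public key using rpm's
# built-in signature verification. Not Illumio's tooling; the key path is an assumption.
ILLUMIO_KEY="${ILLUMIO_KEY:-./illumio-xpress-public-key.asc}"   # assumption: key saved from the Download VEN page

# Classify the one-line output of `rpm -K <pkg>`. Return codes:
#   0  a signature was checked against an imported key and is good
#   1  only digests were checked: the package carries no signature at all
#      (rpm -K exits 0 in this case, which is why the text must be parsed)
#   2  a signature is present but bad, or its key is not in the rpm keyring
classify_rpm_k() {
    case "$1" in
        *"NOT OK"*|*NOKEY*|*"MISSING KEYS"*)   return 2 ;;
        *"signatures OK"*|*" pgp "*|*" gpg "*) return 0 ;;   # rpm >= 4.14 wording / older wording
        *" OK"*)                               return 1 ;;
        *)                                     return 2 ;;
    esac
}

verify_ven_rpm() {
    pkg="$1"
    # Importing adds the key to the rpm keyring for every later install on this host,
    # so confirm the file really is the Illumio key before running this.
    rpm --import "$ILLUMIO_KEY" || { echo "could not import $ILLUMIO_KEY"; return 2; }
    out=$(rpm -K "$pkg" 2>&1)
    rc=0; classify_rpm_k "$out" || rc=$?
    case "$rc" in
        0) echo "VERIFIED  $out" ;;
        1) echo "UNSIGNED  $out" ;;
        *) echo "FAILED    $out" ;;
    esac
    return "$rc"
}

# Run the live check only when VEN_RPM names a package, so the classifier can be sourced alone.
if [ -n "${VEN_RPM:-}" ]; then verify_ven_rpm "$VEN_RPM"; fi
```

Invoke as `VEN_RPM=/path/to/ven.rpm sh verify-ven-rpm.sh`; any result other than VERIFIED means the package should not be installed.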

Firewall Tampering Protection on Linux

To enable faster host firewall tampering protection (within approximately three seconds) for Linux firewalls, make sure that:

  • tracefs is mounted (newer Linux distributions)
  • debugfs is mounted (older Linux distributions that include tracefs in debugfs)

For information, see VEN Firewall Tampering Detection in the VEN Administration Guide.
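A pre-install check for the Linux prerequisites above, as an added example that is not Illumio's own tooling: it covers the tracefs/debugfs mount from this section as well as the VEN-to-PCE requirements (a TLS 1.2 session whose chain verifies to a trusted root, reachability on the PCE port, NTP sync) and the 500 MB disk minimum from the earlier sections. PCE_HOST, PCE_PORT and the parent install directory are assumptions to adjust.

```shell
#!/bin/sh
# Added pre-install check for the VEN-to-PCE, disk and tracefs prerequisites.
# Not Illumio's tooling; PCE_HOST, PCE_PORT and VEN_PARENT are assumptions to adjust.
PCE_HOST="${PCE_HOST:-pce.example.internal}"   # assumption: your PCE FQDN
PCE_PORT="${PCE_PORT:-8443}"                   # assumption: a port configured for the PCE
VEN_PARENT="${VEN_PARENT:-/opt}"               # /opt/illumio_ven is the default Linux install dir
MIN_KB=512000                                  # 500 MB minimum from the disk-size requirement

# PASS when `openssl s_client` output shows a TLS 1.2 session whose chain verified to a trusted root.
tls_output_ok() {
    case "$1" in *"Verify return code: 0 (ok)"*) ;; *) return 1 ;; esac
    case "$1" in *TLSv1.2*) return 0 ;; *) return 1 ;; esac
}

# PASS when a /proc/mounts listing contains tracefs (newer kernels) or debugfs (older ones).
tracing_fs_mounted() {
    printf '%s\n' "$1" | grep -Eq '^[^ ]+ [^ ]+ (tracefs|debugfs) '
}

# PASS when the available kilobytes meet the 500 MB minimum.
disk_ok() { [ "$1" -ge "$MIN_KB" ]; }

# PASS when timedatectl reports the clock as NTP-synchronised (wording differs by systemd version).
ntp_synced() {
    case "$1" in *"System clock synchronized: yes"*|*"NTP synchronized: yes"*) return 0 ;; *) return 1 ;; esac
}

report() { if "$@"; then echo "PASS $1"; else echo "FAIL $1"; rc=1; fi; }

run_preflight() {
    rc=0
    # Force TLS 1.2 and let openssl verify the chain against the workload's default CA store.
    tls_out=$(printf '' | openssl s_client -tls1_2 -servername "$PCE_HOST" \
        -connect "$PCE_HOST:$PCE_PORT" 2>/dev/null)
    report tls_output_ok "$tls_out"
    report tracing_fs_mounted "$(cat /proc/mounts)"
    report disk_ok "$(df -Pk "$VEN_PARENT" | awk 'NR==2 {print $4}')"
    report ntp_synced "$(timedatectl 2>/dev/null)"
    return "$rc"
}

# Run the live checks only when asked, so the functions above can be sourced and tested alone.
if [ "${RUN_PREFLIGHT:-0}" = 1 ]; then run_preflight; fi
```

Run with `RUN_PREFLIGHT=1 PCE_HOST=<your PCE> sh ven-preflight.sh`; a FAIL on the TLS line means either the PCE port is unreachable or the workload cannot validate the PCE certificate chain, which should be resolved before pairing.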

NOTE:
Faster host firewall tampering protection is enabled for Windows automatically.

VEN Compatibility Check

In addition to meeting the requirements in this topic and being aware of the limitations for installing VENs on workloads, you can use the VEN Compatibility Check feature to verify the functionality of the VEN on a workload. The compatibility information for the VEN is available only while the VEN is in Idle mode.

For information about this feature, see VEN Compatibility Check.

SecureConnect Setup on Workloads

For information about SecureConnect requirements for VENs, see SecureConnect in the Security Policy Guide.

Requirements for Kerberos Authentication

You can configure the PCE and VEN to rely on authentication by a pre-configured Kerberos-based system, such as Microsoft Active Directory.

You configure Kerberos-based authentication for the VEN at installation. Illumio Xpress supports Kerberos authentication for Linux, Windows, Solaris, and AIX VENs.

For information, see the following topics:

For all VENs to be paired via Kerberos, be sure to add policy rules allowing access to the required Kerberos servers.

Obtain an activation code for the VEN. When installing the VEN by using the VEN CTL, you can use the activation code either during installation or after installation. For information about activation codes for the VEN, see About the VEN Activation Code.