Installing NSX Manager GUEST INTROSPECTION NSX Data Security

Guest introspection is a service that is deployed from NSX Manager to offload security functions. Guest Introspection installs a new vib and a service virtual machine on each host in the cluster. Guest Introspection is required for NSX Data Security, Activity Monitoring, and several third-party security solutions.

System Requirements for NSX

To install Guest Introspection First need to login into the vSphere web client and browse to Networking & Security.
on the left hand side click on Installation. Click the green plus symbol to add a new service deployment.

After this select Guest introspection


Select Storage and Network

Create IP Pool for the VM which NSX install for AV purpose.



Now select the IP Pool and click next

After that it will appear here in last tab

If you closely monitor vCenter task then it will start installing VM

In NSX manager you can see status.

Now your Guest Introspection is ready.


You can check this in vCenter under Newly created resource pool > ESX Agent.
This resource pool is auto created by NSX manager for these VM’s only.


If this VM giving you error or warning like Failed then just click on Resolve and it will delete the VM and create new VM.


Configuring IPsec VPN within VMware NSX Edge

This article shows you how to create an IPsec VPN between a NSX Edge Gateway with a vCloud Director/NSX Manager and a remote Client site.

First you need basic details from client so that you can configure IPSec VPN from your end.Like you need Phase 1 and Phase 2 Details. (This document related to NSX Edge 6.3.2)


Image Credit VMware

Note: NSX Edge supports Main Mode for Phase 1 and Quick Mode for Phase 2.

Phase 1 Parameters

Phase 1 sets up mutual authentication of the peers, negotiates cryptographic parameters, and creates session keys. The Phase 1 parameters used by NSX Edge are:

  • Main mode
  • TripleDES / AES [Configurable]
  • SHA-1
  • MODP group 2 (1024 bits)
  • pre-shared secret [Configurable]
  • SA lifetime of 28800 seconds (eight hours) with no kbytes rekeying
  • ISAKMP aggressive mode disabled

In 6.3.2 you Can see basic details or you can say this is mixed mode like Phase 1 and Phase 2 they don’t have different tabs or options.


Here are details which you have to fill while configuring IPSec VPN for client.

Note: If you are doing this from HTML5 Console then in “Peer Subnets” You have to provide IP range from Increasing to Decreasing order like ( and after that


I was trying to update this tab from vCloud Director Web and i was not able to do so i changed this from vCenter > NSX manager > Edge settings.

Client side settings must match with your Edge settings.

If your Client have old router (Cisco) then you have to ask them to do settings with supported parameter and these parameters are:

1. SHA1
2. Diffie-Hellman Group – DH5 or DH2 (Old router can only support this IOS 12.4)
3. Encryption Algorithm – AES256

NSX Edge to Cisco

  • proposal: encrypt 3des-cbc, sha, psk, group5(group2)

After setup you can export Settings from Edge and share it with Client Network Team so that they can run it in their router and do the same setup which you have done in your Edge gateway.

Go to vCenter > NSX Manager > NSX Edges > Search your Edge and double click > Manage (R.H.S) > VPN Tab > IPSec VPN and from here you can download script for Cisco router.


You can copy and send it to client IT team.

Note: It will copy Shared key also so before sending to Client IT team remove that.

After this check the Tunnel status.

Go to vCenter > NSX Manager > NSX Edges > Search your Edge and double click > Manage (R.H.S) > VPN Tab > IPSec VPN


I was getting below Error so need to check your DH2 or DH14 settings.

  • If the Cisco device does not accept any of the parameters the NSX Edge sent in step one, the Cisco device sends the message with flag NO_PROPOSAL_CHOSEN and terminates the negotiation.

VMware vSphere NSX 6.3.3 Step-By-Step Installation : Howto


NSX Manager Deployment

1. NSX Manager

It will automatically install all the required component as per request Like NSX controller.

2. NSX Controllers: Need to be deploy in odd number like 3 or 5.

3. Edge

4. Distributed Router Controllers


Now First you need to Create NSX Cluster this is not compulsion but suggested or i have created one Resource pool with Expandable check.


Download the OVA file from VMware website.



NSX Components Layer where they Installed.

Data Plane: On ESXi host

          a) Kernel Modules: VXLAN (16 Million VXLAN Segment)

b) Distributed Logical Router (DLR)

c) Distributed Firewall (DFW)

d) VDS switch and Edge Service Appliance.

Control Plane:

             a) NSX Controllers

b) User World Agent

c) Logical Router Control VM

Management Plane:

             a) vCenter Server

b) NSX Manager

             c) Message Bus


Deployment of NSX Manager:

1. Only One NSX manager per vCenter Server.

2. Deploy as a VM.

3. What if my NSX manager is Shutdown: No worries, everything continues to work but you will not able to change anything. No Service impact.

Solution: Protect with vSphere HA.

NSX manager Virtual Machine Requirement: reference vmware doc.

1. 4 vCPUs

2. 16 GB of RAM

3. 60 GB of Storage

Steps for Installation:

1. Right-Click on the cluster in which you would like to deploy the NSX Manager OVA and choose “Deploy OVF Template”

2017-09-12 14_46_23-vSphere Web Client


2. Browse the file and Click next.


3. Select the Resources

2017-09-12 14_50_12-vSphere Web Client

4. Review the details and click Next.


5. Accept the License agreements and click next.


6. Select Storage and click next.


7. Now Provide Network from VDS.


8. Provide IP details, CLI password and DNS sever click next and finish.


After installation you will see new icon with Networking & Security.


when you click on Dashboard option on the left hand side then you can see that status of NSX Manager and Host Preparation Status.


When you click on Installation Option then it will show you NSX manager and it’s controller nodes name and status.

2017-09-12 16_07_09-vSphere Web Client

Now under Installation you have multiple tabs like Management, Host Preparation, Logical Network Preparation and Service deployments

Click on the Host Preparation and you can see whether NSX manager module vCenter, NSX Manager, EAM(ESX Agent Manager) is installed or not.

These are the VIB which will be install.




Open Putty session for ESXi host.


[root@esx002291:~] esxcli software vib list
Name                                                           Version                                Vendor  Acceptance Level  Install Date
—————————–  ——————————————————————-  ——  —————-  ————

esx-vsip                                            6.5.0-0.0.5534171                      VMware  VMwareCertified   2017-07-19
esx-vxlan                                         6.5.0-0.0.5534171                      VMware  VMwareCertified   2017-07-19


How to upgrade NSX Manager from 6.2.6 to 6.3.2

Today i was updating NSX manager from 6.2.6 to 6.3.2 version.

Environment running with vCloud director 8.20 and ESXi 6.5 U1.

1. Check VMware Product Interoperability Matrices for more information “Link”.
2. Check Update sequence for vSphere “KB“.

Before upgrade to NSX 6.3.2.

1. NSX Manager VM Snapshot.
2. NSX Manager Appliance Backup.(FTP server required)

3. Check “Lookup service” and “vCenter” server status in NSX management service.

4. Download the NSX 6.3.2 version from VMware website.

5. After this upload the bundle file into NSX manager console from Upgrade option.





it will start uploading this image to NSX manager and will start installing.

After uploading bundle it will give you Warning! Please create an NSX Manager backup before proceeding with upgrade also it will ask you whether you want to enable SSH and Finally hit Upgrade button.

After this it will pop up with new version with 6.3.2 version.

After this Need to upgrade NSX Controller if you have.

Also install the agent in Agency.

Final Status after upgrade.