Installing the WinSec Controller (Virtual Edition)
The WinSec Controller-v can be installed on VMware, Microsoft, and Linux virtualization platforms.
Qualified virtualization platforms and host requirements
WinSec Controller-v software images are manufactured with a 250-GB disk, and have a partition layout that expects that size. You can choose a custom disk size when installing from the boot file. The minimum disk size for this type of installation is 25 GB; there is no upper limit.
By default, WinSec Controller-v software images install the virtual disk as a sparse disk for thin provisioning. However, we recommend thick provisioned disks for best performance.
Before installing the WinSec Controller-v, ensure that your virtualization platform meets these requirements.
• vSphere/ESXi—Version 6.5, Update 1, with patch ESXi 650-201712001.
• Hyper-V—Generation 1 running version 10.0.17763.1 on a bare-metal Windows Server 2019 host running version 10.0.17763.168.
• Linux KVM—CentOS 8.4 with kernel 4.18 and QEMU 5.2; Ubuntu 20.04 with kernel 5.4 and QEMU 4.2.
Two network adapters are required, with the primary adapter being the first adapter and the auxiliary adapter being the second adapter. The auxiliary adapter must be connected to an external switch. Ensure that an external switch is present before installing the WinSec Controller-v.
We recommend that your target host virtual machine, regardless of platform, meets these specifications:
• 16 GB RAM
• 6 CPU cores
• 250 GB thick-provisioned disk space
Installing the WinSec Controller-v on VMware ESXi
The steps for installing the WinSec Controller-v are the same whether you are installing directly through the ESXi management interface or by using VMware vSphere, except that vSphere enables you to load the installation package from a URL.
The WinSec Controller-v installation package’s virtual hardware is version 13, which is compatible with ESXi 6.5 and later. When deploying the WinSec Controller-v, you might encounter a message warning that the guest operating system is CentOS 7 while the VMware Tools indicates that the guest operating system is CentOS 8. CentOS 7 and CentOS 8 are functionally identical, and the warning message can be ignored. You can upgrade the guest operating system if you want to clear the message.
To upload the WinSec Controller-v installation package to your virtualization environment
2. Obtain the WinSec Controller-v installation package, and then place it in a location on your local system that is accessible to your virtualization environment.
If you are using vSphere, you can place the package at an accessible URL.
3. Log in to the system that hosts your virtualization environment.
4. Upload the WinSec Controller-v installation package to the host.
To create an ESXi virtual machine host for the WinSec Controller-v
1. Log in to vSphere or the ESXi host’s management interface.
2. Click Create/Register VM.
3. Select Create a new virtual machine.
4. Enter a name for the virtual machine.
Virtual machine names must be unique within each ESXi instance and can have a maximum of 80 characters.
5. Select ESXi 6.5 or later virtual machine from the Compatibility menu.
6. Select Linux from the Guest OS family menu.
7. Select CentOS 7 (64-bit), or CentOS 8 if available, from the Guest OS version menu.
8. Click Next.
9. Select a datastore with sufficient space.
10. Click Next.
11. In the Customize settings page, select the Virtual Hardware tab.
12. Select a number of CPUs (1 minimum, 6 recommended).
13. Enter an amount of RAM in megabytes (2,048 MB minimum, 16,384 MB recommended).
14. Enter a disk size in gigabytes for the provisioned disk (25 GB minimum, 250 GB or larger recommended).
15. For Network Adapter 1, select your data network, and then select Connect.
16. For Network Adapter 2, select your management network, and then select Connect.
17. For CD/DVD Drive 1, select ISO file.
The Datastore browser appears.
18. In the Datastore browser, ensure the datastore is selected, and then select the boot file.
19. Click Select.
20. Return to the Customize settings page, and then select the VM Options tab.
21. Expand the Boot Options area, and then select the option to Force BIOS setup.
Selecting this option ensures that the CD-ROM boots first.
22. Leave all other settings on this page at their default values, and then click Next.
23. On the Ready to complete page, review your settings, and then click Finish.
The virtual machine is created.
To install the WinSec Controller-v on the host virtual machine
1. In the virtual machine management interface (either ESXi or vSphere), select the virtual machine host where you will install the WinSec Controller-v.
2. Power on the virtual machine, and then open the virtual machine console.
3. Enter the virtual machine’s BIOS setup, and then select the Boot tab.
4. Move the CD-ROM Drive option to the first position in the list of options.
5. Press F10 to save your changes and start the installation.
The WinSec Controller-v installation begins. Installation can take several minutes.
6. Return to the virtual machine management interface, and then select the WinSec Controller-v host.
7. Wait for the installation to complete. The virtual machine’s Power on button is disabled until the installation is complete.
8. After the Power on button is enabled, click Edit to open the virtual machine’s Edit settings dialog box.
9. Select the VM Options tab, and then expand the Boot Options section.
10. Ensure the Force BIOS setup option is selected, and then click Save (or Cancel if you made no changes).
11. Power on the virtual machine.
12. Open the virtual machine console.
13. In the BIOS Setup Utility, select the Boot tab.
14. Move the Hard Drive option to the first position in the list of options.
15. Press F10 to save your changes, and then exit the BIOS Setup Utility.
The Boot menu appears.
16. In the Boot menu, select Riverbed WinSec Controller.
The boot process begins after a few seconds. After the process is complete, the virtual machine’s console displays a login prompt.
17. Log in to the WinSec Controller-v.
18. Initiate the challenge and response security mechanism by running this command:
cli challenge generate
A challenge code is generated.
19. Enter the challenge response by running this command:
cli challenge response <response code>
If the response code is accepted, a message appears that indicates the challenge/response verification succeeded.
If the response code is rejected, a rejection message appears.
20. After successfully completing the verification process, verify that these items are correctly configured and instantiated:
– Verify drive partitions.
– Verify that network adapter names are accurate (adapter 1 = primary, adapter 2 = auxiliary), and that an IP address is present for the auxiliary adapter.
21. Exit the virtual machine console, and then point a web browser to the auxiliary adapter IP address to access the WinSec Controller-v management GUI.
Installing the WinSec Controller-v on Microsoft Hyper-V
The WinSec Controller-v installation script is a PowerShell script. To create the virtual hard drive for the virtual machine, the installation script clones the virtual disk supplied in the installation package. Additionally, the script installs a key-value daemon, which is necessary to communicate guest details to Hyper-V.
The Hyper-V kernel supports paravirtualized NICs and SCSI controllers.
To install the WinSec Controller-v on the host virtual machine
1. Create a Hyper-V virtual machine host for the WinSec Controller-v.
2. Obtain the WinSec Controller-v installation package, and then place it in a location on your local system that is accessible to your virtualization environment.
3. Extract the contents of the installation package.
4. Open a PowerShell command window and change directories to the folder containing the extracted files.
5. Run the following command with parameters, or follow the interactive installation script:
.\install_winsec_hyperv.ps1 -<path-to-installation-destination> .\ -AUXNetwork aux -Model VWSC-01000
A complete listing of the parameters is available using the get-help command:
get-help .\install_winsec_hyperv.ps1 -full
The installation process begins. Installation can take several minutes to complete.
6. After the installation is complete, adjust any settings as needed.
7. Power on the virtual machine.
8. In the Hyper-V console, locate the IP address for the WinSec Controller-v auxiliary interface.
9. Point a browser to the auxiliary IP address, and then log in to the WinSec Controller-v GUI.
Installing the WinSec Controller-v on Linux KVM
Kernel-based Virtual Machine (KVM) is a virtualization solution for Linux on x86 hardware. KVM consists of a loadable kernel module that provides the core virtualization infrastructure and a processor-specific module that provides virtualization extensions. Using KVM, you can run multiple virtual machines running unmodified Linux or Windows images. KVM is open source software. The kernel component of KVM is included in mainline Linux version 2.6.20 and later. The user-space component of KVM is included in mainline QEMU version 1.3 and later.
KVM supports various I/O virtualization technologies. Paravirtualized drivers, which enable direct communication between hypervisor-level drivers and guest-level drivers, provide the best performance when compared with full virtualization. The libvirt project’s virtio API provides a common set of paravirtualized device drivers for KVM.
WinSec Controller-v for KVM supports only virtio-based paravirtualized device drivers.
The virtual NICs must be in this order: primary, auxiliary (aux).
A WinSec Controller-v for KVM can be launched in different ways, each method using a different procedure. This document describes how to launch a WinSec Controller-v for KVM by using the supplied installation script and the virsh command.
Ensure the KVM host system is configured to meet these requirements:
• Ensure the host system has at least two network interfaces available to attach to the virtual appliance. These can be either virtio networks or native bridge interfaces.
• Ensure the host virtual machine meets the minimum requirements for the WinSec Controller-v.
The WinSec Controller-v installation package is a tar file that contains these files:
• install_kvm.sh—Installation script that creates the RiOS data store disk image and generates an XML specification file, domain.xml, for the WinSec Controller-v instance.
• image-winsec.img—Disk image in sparse qcow2 format.
• riverbed_model_tmp—Metadata file that contains the specifications for the WinSec Controller-v.
To download the package from the Support site, go to https://support.riverbed.com. Access to software downloads requires registration.
The installation procedure described in this section assumes that you have obtained the relevant installation package and extracted its contents.
While the supplied qcow2 disk image is thin provisioned, you can preallocate space by using this command to convert it:
qemu-img convert -p -f qcow2 -O qcow2 -S 0 image-winsec.qcow2 image-winsec-thick.qcow2
The qemu-guest-agent is installed to communicate guest details to the hypervisor.
To install the WinSec Controller-v on a KVM
1. Place the extracted qcow2 disk file where you want to locate the WinSec Controller-v persistent storage. Note this location; you’ll need to supply the full path to the disk file when you run the installation script.
2. Verify that you have virtio networks or native bridge interfaces to represent the WinSec Controller-v’s primary and auxiliary interfaces. Note their names; you’ll need to supply them when you run the installation script.
3. Run the installation script. The script prompts you for this configuration information:
– Name for the virtual appliance.
– WinSec Controller model (VSWC-01000 currently is the only available virtual model).
– Path to the virtual disk image.
– Networks to which you want to connect the primary and auxiliary (aux) interfaces.
– Whether these are virtio networks or native bridges.
4. Create an ephemeral virtual appliance by entering this command:
virsh create <virtual-appliance-name>.xml
—or—
Define and start a persistent virtual appliance by entering these commands:
virsh define <virtual-appliance-name>.xml
virsh start <virtual-appliance-name>
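A pre-launch check of the generated domain XML, as an added example that is not part of the vendor's installation package: it confirms the virtio-only and primary-then-aux NIC order requirements stated above before you run virsh create or virsh define. The sample XML, the names primary-net and br-aux, and the function check_domain are constructed for illustration, and the code assumes the file follows standard libvirt domain XML.

```python
import xml.etree.ElementTree as ET

# Constructed sample in standard libvirt domain XML (not the vendor's file).
SAMPLE_DOMAIN_XML = """
<domain type='kvm'>
  <devices>
    <disk type='file' device='disk'>
      <source file='/var/lib/libvirt/images/image-winsec.img'/>
      <target dev='vda' bus='virtio'/>
    </disk>
    <interface type='network'>
      <source network='primary-net'/>
      <model type='virtio'/>
    </interface>
    <interface type='bridge'>
      <source bridge='br-aux'/>
      <model type='e1000'/>
    </interface>
  </devices>
</domain>
"""

def check_domain(xml_text, primary, aux):
    """Return a list of findings; an empty list means the checks passed."""
    devices = ET.fromstring(xml_text).find("devices")
    if devices is None:
        return ["no <devices> element"]
    findings = []
    for disk in devices.findall("disk"):
        target = disk.find("target")
        bus = target.get("bus") if target is not None else None
        if disk.get("device", "disk") == "disk" and bus != "virtio":
            findings.append(f"disk bus is {bus!r}, expected 'virtio'")
    nics = devices.findall("interface")
    if len(nics) < 2:
        findings.append(f"found {len(nics)} NIC(s), need primary and aux")
    for pos, (nic, want) in enumerate(zip(nics, (primary, aux)), start=1):
        src, model = nic.find("source"), nic.find("model")
        # The attachment name is in 'network' or 'bridge', depending on NIC type.
        name = (src.get("network") or src.get("bridge")) if src is not None else None
        if name != want:
            findings.append(f"NIC {pos} attached to {name!r}, expected {want!r}")
        mtype = model.get("type") if model is not None else None
        if mtype != "virtio":
            findings.append(f"NIC {pos} model is {mtype!r}, expected 'virtio'")
    return findings

if __name__ == "__main__":
    print(check_domain(SAMPLE_DOMAIN_XML, "primary-net", "br-aux"))
```

The constructed sample deliberately gives the second NIC an emulated e1000 model, so the check reports one finding for it.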