
Table of Contents

Overview of vController Solution 1

Network Preparations 2
Leverage the Checklists and Worksheets 2
Configure the Physical Switch 2
Configure VLAN Translation in the IPS 3
Designate IP addresses for vController components 4
Configure the Firewall for Internet Access 4

VMware Environment Preparations 5
Designate VMware Host for VMC Server 5
Designate Host for VMC Client 5
Verify each VMware Host Has Sufficient Resources for the vController 5

Deploy the VMC Management Application 6
Deploy the VMC Server 6
Configure the VMC Server 7
Install the VMC Client and Connect to the VMC Server 8

Configure the VMC for Discovery of VMware ESX/ESXi Hosts 10

Deploy the vController to an ESX/ESXi Host 12
Configure the vController Redirector 12
Prepare the VMware Environment for vController Deployment 14
Deploy the vController onto an ESX/ESXi host 14
Verify the Redirector Tunnel 21
Connect Host VMs to the vController 22

Configure vController Redirection Policies 25
Accept the Default Redirection Policies 25
Create a New Redirection Policy 27
Assign a Zone to a Policy 28
Create Filtered Device Lists with the Virtual Query Language (VQL) 30

TippingPoint Virtual Controller V 1.0

Installation and Configuration Guide

Part Number: TECHD-0353
Publication Control Number: 040810:0231

Copyright © 2010 TippingPoint Technologies, Inc. TippingPoint® , the TippingPoint logo, and Digital Vaccine® are
registered trademarks of TippingPoint Technologies, Inc. All other company and product names may be trademarks of
their respective holders. All rights reserved. This document contains confidential information, trade secrets or both,
which are the property of TippingPoint Technologies, Inc. No part of this documentation may be reproduced in any form
or by any means or used to make any derivative work (such as translation, transformation, or adaptation) without written
permission from TippingPoint Technologies, Inc. or one of its subsidiaries.

TippingPoint Technologies, Inc. reserves the right to revise this documentation and to make changes in content from time
to time without obligation on the part of TippingPoint Technologies, Inc. to provide notification of such revision or
change.

TippingPoint Technologies, Inc. provides this documentation without warranty, term, or condition of any kind, either
implied or expressed, including, but not limited to, the implied warranties, terms, or conditions of merchantability,
satisfactory quality, and fitness for a particular purpose. TippingPoint Technologies, Inc. may make improvements or
changes in the product(s) and/or the program(s) described in this documentation at any time. If there is any software on
removable media described in this documentation, it is furnished under a license agreement included with the product as
a separate document.

UNITED STATES GOVERNMENT LEGENDS:


If you are a United States government agency, then this documentation and the software described herein are provided to
you subject to the following:

United States Government Legend: All technical data and computer software is commercial in nature and developed
solely at private expense. Software is delivered as Commercial Computer Software as defined in DFARS 252.227-7014
(June 1995) or as a commercial item as defined in FAR 2.101(a) and as such is provided with only such rights as are
provided in TippingPoint’s standard commercial license for the Software. Technical data is provided with limited rights
only as provided in DFAR 252.227-7015 (Nov 1995) or FAR 52.227-14 (June 1987), whichever is applicable. You agree not
to remove or deface any portion of any legend provided on any licensed program or documentation contained in, or
delivered to you in conjunction with this guide.

Unless otherwise indicated, TippingPoint registered trademarks are registered in the United States and may or may not be
registered in other countries.

Microsoft and Windows are registered trademarks or trademarks of Microsoft Corporation in the United States and/or
other countries.

Other brand and product names may be registered trademarks or trademarks of their respective holders.
Overview of vController Solution
This document provides a brief summary of the installation procedures for the TippingPoint Virtual
Controller (vController). The vController is a software solution that enables network traffic within a
VMware-based virtual environment to be inspected and filtered by a TippingPoint Intrusion Prevention
System (IPS) on the external physical LAN. Because the solution uses standard Ethernet technologies it
allows an existing Intrusion Prevention System (IPS) to be leveraged by multiple VMware hosts with
little or no modification.

The vController solution requires that the following components be deployed into an existing VMware
vSphere environment:

• The vController management application, referred to as the Virtual Management Center (VMC),
which consists of a management server and a client console
• The vController itself, which is deployed to each VMware ESX/ESXi host whose virtual machine
network traffic is to be inspected by the TippingPoint IPS
• The vController VMsafe module, which is deployed to the VMware hypervisor of each virtual
machine whose network traffic is to be inspected by the TippingPoint IPS

The vController solution requires the following from the physical network upon which the IPS resides:

• A TippingPoint IPS, operating TippingPoint Operating System (TOS) v3.1 or later, which initially is
available on the IPS N-Platform series.
• A network device that supports VLANs.

Because the vController inspects traffic that is passing between VMware virtual machines, the VMware
environment must meet the following vController versioning requirements:

• The VMware environment in which the vController solution is deployed must be built on VMware
vSphere 4.0 Update 1.
• The VMware environment must include at least one instance of vCenter 4.0, the vSphere
management console. Only the Windows version of vCenter 4.0 is supported by the vController.
• The VMware hosts upon which the vController is installed must be running VMware ESX/ESXi 4.0.

TippingPoint Virtual Controller v1.0 Installation and Configuration Guide 1


In order to fully utilize and test all capabilities of vController it is recommended that the VMware
vSphere environment support vMotion across two or more hosts within a cluster.

This document includes the following topics:

• “Network Preparations” on page 2
• “VMware Environment Preparations” on page 5
• “Deploy the VMC Management Application” on page 6
• “Configure the VMC for Discovery of VMware ESX/ESXi Hosts” on page 10
• “Deploy the vController to an ESX/ESXi Host” on page 12
• “Configure vController Redirection Policies” on page 25

Network Preparations

Leverage the Checklists and Worksheets
The tasks to prepare the network are precise in both their order and their actions. Failure to perform
these tasks appropriately may result in a network loop condition or a failed vController installation.

To ensure all the tasks are performed, and performed in the correct order, make use of the vController
Pre-Installation Checklist document. While similar information is contained in this document, the
checklists offer a direct, step-by-step approach to preparing the network.

CAUTION: Do not connect cables between the physical switch and the IPS until all
switch interfaces are configured. Failure to do so may result in a network loop condition.

Configure the Physical Switch
The vController solution assumes a VLAN-capable physical switch resides in the network path between
the ESX/ESXi host and the IPS. The physical switch ensures a distinct tunnel exists for each
vController-to-IPS network path. Within each of these paths, the switch ensures the separation of
inspected and uninspected traffic, made possible through the use of virtual local area networks,
known as VLANs.

The solution requires specific configuration tasks be performed on the switch before the vController
software is deployed and before the IPS is physically connected to the switch.

Configure Interfaces
For each vController-to-IPS network path, at least three interfaces on the physical switch must be
configured. The first two interfaces are the pair designated to connect to the IPS. The third interface is
the one between the switch and the ESX/ESXi host upon which the vController is deployed.

For the switch-to-IPS interfaces, perform the following steps on each:

1. Designate the interface as a trunk link.
2. Remove from the interface all VLANs, including the default VLAN.
3. Disable STP on the interface.
4. Set MTU to 1504 or greater.

Connect the Switch to the IPS
Once all the physical switch configuration tasks are complete, connect the switch to the IPS. Be certain
to connect cables between the switch port whose interface is designated for outbound traffic and the
IPS A-side port, and then connect a cable between the IPS B-side port and the switch port designated
for inbound traffic.

Define VLANs
The vController solution uses VLAN translation functionality within the IPS device and therefore
requires that the networking environment in which the IPS resides supports VLANs. VLANs are used
to tunnel uninspected and inspected traffic between the virtual machines and the TippingPoint IPS,
which uses VLAN translation to move traffic between the two VLANs.

Each vController installed on a VMware ESX/ESXi host requires the use of two VLANs. The virtual
machines running on an ESX/ESXi host use the VLAN IDs to tag each network packet, according to the
802.1Q specification, to ensure the packet follows the correct route to the IPS and then follows the
correct route to the packet’s intended destination. The VLAN through which traffic moves from the
vController to the IPS is termed the outbound VLAN. The VLAN through which traffic moves from the
IPS back to the vController is termed the inbound VLAN.

To prepare the physical network, define a pair of VLANs for each vController that will be deployed, and
document which VLAN IDs to assign to each vController. This information will be requested during the
deployment and configuration of each vController.

To learn more about defining and configuring VLANs refer to the configuration guide for your physical
switch.

Assign VLANs to Switch-to-Host Interface
Because both inbound and outbound network traffic passes through the switch interface that connects,
physically, to the ESX/ESXi host, the interface must reside within both the inbound and outbound
VLANs.

To accomplish this, configure the interface to be a trunk link, then assign both VLANs to the interface.
If multiple connections are implemented, for redundancy or pooling purposes, repeat this task for each
switch-to-host interface through which the vController-to-IPS traffic flows.

Configure VLAN Translation in the IPS
The TippingPoint IPS also uses the IDs of the two VLANs. The IPS is responsible for performing the
VLAN translation to keep uninspected traffic on one VLAN and inspected traffic on the other VLAN.

An IPS VLAN translation rule of the form Side A: <VLAN ID x> to Side B: <VLAN ID y>, with auto-reverse
enabled, must be created. Create a separate VLAN translation rule for each deployed vController.

To learn more about VLAN translation refer to the TippingPoint Local Security Manager User’s Guide
v3.1 or later, available from the TippingPoint Threat Management Center (TMC) at
http://tmc.tippingpoint.com/tmc/ or from your TippingPoint representative.

Note: Initial support for VLAN translation was released in the TippingPoint N-Platform
IPS series, running TippingPoint OS (TOS) v3.1.1.

Designate IP addresses for vController components
The vController management server, known as the Virtual Management Center (VMC) Server, requires
its own network identity and therefore needs an IP address assigned to it. The IP address must reside
on a network that supports communication between the VMC Server and the vCenter Servers, the
VMware ESX hosts, and the VMC Client. Document the IP address, network mask, gateway, and so on
for use during the procedure to configure the VMC Server.

For each VMware ESX/ESXi host whose virtual machine network traffic is targeted for inspection, the
vController solution installs the vController. The vController requires its own network identity and
therefore requires its own IP address. It must reside on the same network as the VMC and at least one
vCenter Server. Document the IP address, network mask, gateway, and so on for each vController for
use in a future installation procedure.

Configure the Firewall for Internet Access
The following TCP ports need to be open for communications between the components:

Source       Destination                   Reason                                            Protocol  Type  Port
VMC Client   VMC Server                    Client connection for system management           SSH       TCP   1301
VMC Server   vController redirectors       Redirector configuration and management           SSH       TCP   22
VMC Server   VMware Virtual Center Server  Collection of virtual environment information     SSL       TCP   443
                                           and event gathering
VMC Server   Each ESX host being managed   Deployment of vController; software asset         SSL       TCP   443, 902
                                           inventory collection
VMC Server   support.reflexsystems.com     Support tunnel connection to Reflex for live      SSH       TCP   22, 80, 443
                                           support (optional)

CAUTION: Automatic deployment of the TippingPoint components requires network
connectivity between the TippingPoint VMC and the service console interface of each ESX
host to which the components will be deployed. If the optional components are not
automatically deployed then the TippingPoint VMC only needs network connectivity to the
VMware vCenter servers.

VMware Environment Preparations
Designate VMware Host for VMC Server
The VMC Server operates within a virtual machine. It requires network communications with the
VMware vCenter Servers and with the ESX/ESXi hosts to which vControllers will be deployed. The
minimum system requirements for a VMC Server are a single CPU, two GB of RAM, and two GB of disk
space.

Only one VMC Server is needed to manage multiple deployed vControllers. Designate an appropriate
VMware ESX/ESXi host upon which the VMC Server will be deployed.

Designate Host for VMC Client
While the VMC Server operates within a virtual machine, its corresponding client is supported on a
virtual machine or on a physical system. The VMC Client must reside on a network that assures it can
communicate with the VMC Server. The VMC Client is supported on Windows XP or later. Its
minimum system requirements are a single CPU, one GB of RAM, and 200 MB disk space.

Designate an appropriate virtual machine or physical system upon which the VMC Client will be
installed.

Verify each VMware Host Has Sufficient Resources for the vController
The vController is itself a virtual machine. It must reside on each VMware ESX/ESXi host whose virtual
machine network traffic will be inspected. The vController minimum system requirements are one
CPU, 640 MB of RAM, and one GB of disk space.

Verify that each VMware ESX/ESXi host has sufficient available resources to allocate to the vController.

Deploy the VMC Management Application
Deploy the VMC Server
The VMC Server is pre-packaged as a virtual machine in the VMware Open Virtualization Format
(OVF). The virtual machine contains an installed and ready-to-be-configured instance of the VMC
Server. It also contains the distribution package for the VMC Client as well as the vController.

1. Log on to the vCenter Server that manages the ESX/ESXi host upon which you want to deploy
the VMC Server.
2. Select the host to which you want to deploy the VMC Server.
The VMC Server and the vController are not supported on the same ESX/ESXi host. When
you deploy the VMC Server be sure to deploy it onto an ESX/ESXi host whose virtual machine
network traffic is not targeted for inspection.
3. Click FILE->Deploy OVF Template...
4. Locate the OVF file and select Next. Continue through the wizard until the deployment
completes.
5. Verify that the virtual NIC assigned to your VMC Server during the deployment process
matches your desired configuration. If you need to modify the configuration use the VMware
vCenter application to select a different virtual NIC.
6. Using VMware vCenter, power on the TippingPoint VMC virtual machine.

Configure the VMC Server
After the VMC Server is deployed and powered on, configure it by using the pre-installed Setup Helper
wizard. The Setup Helper is a CLI-based wizard that prompts for basic network configuration,
creation of administrative users, and configuration of SSH for remote console access.

Note: While it is not possible to go back a step in the Setup Helper, the
process can be aborted at the end of the wizard before any configuration
changes have been made. The wizard can be rerun at any time to modify
configuration settings.

CAUTION: Each time Setup Helper is run and a configuration change made the
software will reset any active VMC client connections.

Launch the Setup Helper using the following steps:

1. Open the VMware console of the VMC Server virtual machine.
2. A prompt to launch the Setup Helper appears. Type ‘ok’ to begin.
3. Type “B” to perform basic setup. The following console capture shows the steps to launch the
Setup Helper.

Welcome to the TippingPoint Setup Helper (X.X.X build #####) on core.

Type 'ok' to begin: ok<enter>

Do you want to do Basic setup or run the Advanced configuration shell?

[B/a] b<enter>

Respond to the Setup Helper prompts using the following steps:

1. Configure VMC Server networking.
A. Enter the IP address you previously designated for the VMC Server. With this IP address,
the VMC Server virtual machine obtains its unique network identity and can communicate
with the other components of the vController solution. The IP address must reside on a
network that supports communication between the VMC Server and the vCenter Servers, the
VMware ESX hosts, and the VMC Client. If assigning an IP address from a DHCP server,
enter “dhcp” at the prompt.
B. Enter the subnet mask in dotted-quad notation (for example, 255.255.255.0).
C. Enter the default gateway address.
D. Accept the management interface default of “en0”.
E. Enter the DNS server addresses.
2. Optionally, configure SSH access to the VMC Server.
A. If you prefer to use SSH to access the Setup Helper, enable and configure SSH by setting
an SSH password. The user ID for SSH is “reflex.”
3. Create user credentials for VMC administrative users.
A. At least one administrative user must be created during the initial configuration of the
VMC Server. Enter the username and password for an administrative user.
Following the creation of this initial user, user management functions such as adding,
removing, and modifying users occur through the VMC Client.
4. Configure the Support Label of the VMC Server.
A. The support label is a common name for the VMC Server and is typically set to
something meaningful to support personnel. For example, the label can be set to a
combination of the site/company name and its location or logical function (for example,
AcmeInc-DevLab-London). It is transmitted to the vendor support department during remote
support sessions.
5. Apply the changes.
6. After the Setup Helper applies the changes it returns to its initial screen. The configuration
information is now in effect. Unless you need to make a change to the configuration, close the
VMware console and return to vCenter.

Install the VMC Client and Connect to the VMC Server
Install the VMC Client using the following steps:

1. Log on to the virtual machine or physical system on which you want to install the VMC Client.
It must have connectivity to the VMC Server.
2. Open a web browser and enter the IP address of the VMC Server.
3. When the browser connects to the VMC Server, the TippingPoint vController web page
displays. Click the “Download TippingPoint vController Client” link and save the file.
4. Locate the file, which is a standard Microsoft Windows installer. Launch the file by double-
clicking it.
5. Step through the installation wizard, closing it when complete.
The VMC Client installs.
6. Launch the VMC Client using the desktop icon or through the Start->Programs->TippingPoint
menu.
7. The startup screen prompts for logon credentials to the VMC Server. Enter the IP address/
hostname and administrative credentials that were entered in the VMC Server Setup Helper
wizard.

Configure the VMC for Discovery of VMware ESX/ESXi Hosts
With the VMC Server and VMC Client installed, the next step is to facilitate discovery of the VMware
hosts whose virtual machines are to be protected with the TippingPoint vController. The VMC
leverages vCenter, requesting from it a list of all hosts that vCenter manages.

Note: Until at least one VMware host has been identified to, and discovered by,
the VMC, the VMC continues to request this information each time a VMC client
logs on to the VMC server.

The VMC presents a dialog box for discovery of VMware hosts, with the fields described below.

In the first field enter the IP address or hostname of a vCenter Server that manages ESX/ESXi hosts
whose virtual machine network traffic is targeted for inspection by the IPS. In the second field enter a
name that uniquely identifies the host to the VMC, or choose to keep the same name as entered in the
first field. In the next two fields enter the credentials needed to log on to the vCenter Server. The
credentials must be sufficient to create virtual machines and manipulate network configurations.

To discover hosts immediately leave the Enable Harvesting box checked. Discovery of the hosts may
take a few seconds or a few minutes, depending on the number of hosts being discovered and the
performance of the vCenter Server.

Additional VMware hosts and vCenter Servers can be identified to the VMC through the VMC Client by
clicking the Topology menu item, then selecting VMS Configuration from the left-side menu, and then
clicking the Add button.

Note: The VMC uses the term Virtual Management Server (VMS) as a generic
identifier for all virtual environment management applications. The VMware
management application is the vCenter.

Deploy the vController to an ESX/ESXi Host
After the VMC is installed and has discovered VMware ESX/ESXi hosts, the next step is to deploy the
vController onto the hosts. For each host whose virtual machine network traffic is targeted for
inspection, one and only one vController must be deployed. A single vController secures network
traffic for all virtual machines running on the host.

The following steps summarize the procedure to deploy a vController to a single ESX/ESXi host.

1. Configure the vController redirector.
2. Prepare the VMware environment for vController deployment.
3. Deploy the vController virtual machine onto an ESX/ESXi host.
4. Verify operation of the tunnel between the vController and the IPS.
5. Connect the host’s virtual machines to the vController.

Configure the vController Redirector
The vController redirector informs the vController of the network paths required to send and receive
network traffic between itself and the TippingPoint IPS. The redirector requires three pieces of
information:

• The virtual switch through which the network traffic must flow to reach the IPS.
• The outbound VLAN, used to transmit uninspected traffic from the virtual machines to the IPS.
• The inbound VLAN, used to transmit inspected traffic from the IPS back to the virtual machines.

Configure the redirector using the following steps:

1. Log on to the VMC Server with the VMC Client.
2. From the top-level menu select Administration.
3. From the menu items on the left, select Redirectors.
4. Select the host to which you will deploy the vController.

5. Click the Edit button. The Redirector dialog box opens.
6. Select a vSwitch.
Select the appropriate vSwitch from the dropdown list. The vSwitch must be connected to all
the virtual machines whose network traffic is to be inspected and must also be connected to
the host’s physical NIC that connects to the physical switch, which in turn connects to the
TippingPoint IPS.
7. Enter the inbound and outbound VLAN IDs.
Recall that the outbound VLAN carries uninspected traffic and the inbound VLAN carries
inspected traffic from the IPS back to the virtual machines. Be sure you assign the VLANs to
match those defined in the physical switch, and to match the flow of traffic into Side A and
Side B of the TippingPoint IPS.
The inbound and outbound VLAN IDs must be different from each other.

CAUTION: Each vController redirector must have a unique pair of VLAN IDs.
That is, no two vControllers can redirect traffic onto the same VLAN. To avoid the
possibility of a routing loop or a packet storm be sure to use a different set of
VLANs for each vController/VMware host.

8. Choose to allow or deny network traffic by checking or unchecking the Fail Open check box.
The Fail Open check box controls whether network traffic is allowed or denied if the tunnel
between the virtual machine and the IPS is not functioning. The setting depends on the risk
profile of those responsible for securing network traffic. When checked, the vController
allows network traffic to flow if the tunnel is in a failed state. When unchecked, the
vController denies network traffic if the tunnel is in a failed state.
9. Click OK.
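The VLAN planning rules that the network preparation and redirector sections both rely on (a unique VLAN pair per vController, inbound different from outbound, a switch-to-host trunk that carries both VLANs, a Side A to Side B translation rule with auto-reverse on the IPS, and trunk/no-VLAN/STP-off/MTU 1504 on the switch-to-IPS interfaces) can be checked from the worksheet before any cable is connected. The following Python script is an added example and is not part of this guide or of the vController software; the host names, switch port names and VLAN IDs are constructed sample values, and the data classes are this example's own assumptions rather than any TippingPoint data format.

```python
"""Worksheet consistency check for vController VLAN tunnels (added example).

Not part of the TippingPoint guide or the vController software. It models the planning
data the guide asks you to document before cabling: one VLAN pair per vController, the
physical switch interfaces, and the IPS VLAN translation rules, and reports the
misconfigurations the guide warns about. All host names, port names and VLAN IDs below
are constructed sample values.
"""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class VController:
    host: str        # ESX/ESXi host the vController will be deployed on
    outbound: int    # VLAN carrying uninspected traffic from the VMs to the IPS
    inbound: int     # VLAN carrying inspected traffic from the IPS back to the VMs
    host_port: str   # switch interface cabled to this host


@dataclass
class SwitchPort:
    name: str
    trunk: bool
    vlans: Set[int]  # VLANs assigned to the interface (empty = all removed)
    stp_enabled: bool
    mtu: int


@dataclass
class IpsRule:
    side_a_vlan: int   # VLAN arriving on IPS side A (outbound from the vController)
    side_b_vlan: int   # VLAN leaving on IPS side B (inbound to the vController)
    auto_reverse: bool


def check_plan(vcontrollers: List[VController], ports: Dict[str, SwitchPort],
               ips_rules: List[IpsRule], ips_ports: List[str]) -> List[str]:
    """Return human-readable problems; an empty list means the worksheet is consistent."""
    problems: List[str] = []
    owner: Dict[int, str] = {}  # VLAN ID -> host that first claimed it

    for vc in vcontrollers:
        # Two distinct VLANs per redirector, and no VLAN shared between hosts
        # (the guide's routing-loop / packet-storm caution).
        if vc.inbound == vc.outbound:
            problems.append(f"{vc.host}: inbound and outbound VLAN IDs must differ")
        for vid in (vc.outbound, vc.inbound):
            if vid in owner and owner[vid] != vc.host:
                problems.append(f"{vc.host}: VLAN {vid} is already used by {owner[vid]}")
            owner.setdefault(vid, vc.host)

        # The switch-to-host interface must be a trunk carrying both VLANs.
        port = ports.get(vc.host_port)
        if port is None:
            problems.append(f"{vc.host}: switch port {vc.host_port} is not in the worksheet")
        else:
            if not port.trunk:
                problems.append(f"{vc.host}: {port.name} must be a trunk link")
            missing = {vc.outbound, vc.inbound} - port.vlans
            if missing:
                problems.append(f"{vc.host}: {port.name} does not carry VLAN(s) {sorted(missing)}")

        # The IPS must translate outbound (side A) to inbound (side B) with auto-reverse.
        if not any(r.side_a_vlan == vc.outbound and r.side_b_vlan == vc.inbound
                   and r.auto_reverse for r in ips_rules):
            problems.append(f"{vc.host}: no IPS translation rule "
                            f"Side A:{vc.outbound} -> Side B:{vc.inbound} with auto-reverse")

    # Switch-to-IPS interfaces: trunk, all VLANs removed, STP off, MTU >= 1504.
    for name in ips_ports:
        port = ports[name]
        if not port.trunk:
            problems.append(f"{name}: IPS-facing port must be a trunk link")
        if port.vlans:
            problems.append(f"{name}: remove all VLANs (including the default) from the IPS-facing port")
        if port.stp_enabled:
            problems.append(f"{name}: disable STP on the IPS-facing port")
        if port.mtu < 1504:
            problems.append(f"{name}: MTU {port.mtu} is below the required 1504")
    return problems


# Constructed worksheet: two hosts that follow the guide and a third that breaks the rules.
GOOD_VCS = [
    VController("esx-01", outbound=101, inbound=102, host_port="Gi1/0/3"),
    VController("esx-02", outbound=103, inbound=104, host_port="Gi1/0/4"),
]
BAD_VCS = GOOD_VCS + [
    VController("esx-03", outbound=101, inbound=105, host_port="Gi1/0/5"),  # reuses esx-01's VLAN 101
]
PORTS = {
    "Gi1/0/1": SwitchPort("Gi1/0/1", True, set(), False, 9000),      # to IPS side A
    "Gi1/0/2": SwitchPort("Gi1/0/2", True, set(), False, 9000),      # from IPS side B
    "Gi1/0/3": SwitchPort("Gi1/0/3", True, {101, 102}, True, 1500),  # to esx-01
    "Gi1/0/4": SwitchPort("Gi1/0/4", True, {103, 104}, True, 1500),  # to esx-02
    "Gi1/0/5": SwitchPort("Gi1/0/5", True, {101}, True, 1500),       # to esx-03, VLAN 105 missing
}
IPS_RULES = [IpsRule(101, 102, True), IpsRule(103, 104, True)]
IPS_PORTS = ["Gi1/0/1", "Gi1/0/2"]

if __name__ == "__main__":
    for label, plan in (("good", GOOD_VCS), ("bad", BAD_VCS)):
        print(f"{label} plan:", check_plan(plan, PORTS, IPS_RULES, IPS_PORTS) or "OK")
```

Run it after filling in the worksheet for your own hosts; the `bad` plan above reports the reused VLAN 101, the host trunk missing VLAN 105, and the absent IPS translation rule for that pair, which are exactly the conditions the cautions in this section describe.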

Prepare the VMware Environment for vController Deployment
The host upon which a vController is being deployed will be placed into an operating state that
VMware calls Maintenance Mode. This is a configuration mode that requires all virtual machines
operating on the host to be shut down and powered off. The vController deployment procedure follows
this Maintenance Mode with a reboot of the host.

VMware requires that all virtual machines running on a host system be powered off before the host can
enter Maintenance Mode. Follow your company policies for handling virtual machine maintenance.
Depending on your policy you may be required to migrate the virtual machines onto another ESX/ESXi
host or you may be required to shut down the virtual machine guest operating system and then power
off the virtual machine.

Follow these steps to shut down virtual machines on a host.

1. Log in to VMware's vCenter management application.
2. Select from the vCenter menu, View->Inventory->Hosts and Clusters. This displays all the
hosts managed by vCenter.
3. Within the hierarchy of clusters, hosts, and virtual machines locate the desired host.
4. For each virtual machine in the host, either migrate it to another host or gracefully power it
off. To gracefully power off a virtual machine shut down the virtual machine’s guest operating
system and then use vCenter to power it off.
5. Place the host into Maintenance Mode.

Deploy the vController onto an ESX/ESXi host
With the host in Maintenance Mode, the next step is to deploy the vController onto the host. The
vController is itself a virtual machine, whose purpose is to insert a VMware kernel module onto the
host. The kernel module is designed and operates according to VMware’s VMsafe specification.

Follow these steps to deploy and configure the new vController virtual machine:

1. Using the VMC Client, log into the VMC Server.
2. From the top-level menu, select Topology->Inventory.
The VMC displays an inventory of vCenter Servers.

3. Locate the vCenter Server that manages the host upon which you want to deploy vController,
then right-click the vCenter image. From the drop-down menu, choose Expand All Groups.
4. The VMC displays all hosts, virtual machines, virtual switches, and so on that the vCenter
Server manages. Locate the desired host, right-click its image, and then select
vController->Install/Update on host(s)... from the drop-down menu.
5. The VMC launches the vController Protection Wizard. Click Next to begin.

6. The wizard displays a summary of actions to be taken, including a list of hosts to which the
vController will be deployed. Click Next to continue.

7. The wizard next requests Control Path configuration information, which ensures
communications between the VMC Server and the deployed vController. Descriptions of each
requested configuration field are in the following table.

Field: Tags to add to vControllers
Description: Tags are user-defined identifiers of virtual machines and their properties. The tags are
used in rules and policies, typically to group like devices and to trigger inspection actions. In this
field, define tags that you plan to refer to in your vController rules and policies.

Field: Management vSwitch
Description: Select the VMware virtual switch through which communications between the VMC and
the vController will take place.

Field: Management VLAN
Description: If communications between the VMC and the vController pass through a VLAN, designate
the VLAN ID here. If the communications do not pass through a VLAN, accept the default value of 0
(zero).

Field: vController VM Name
Description: The vController solution deploys a virtual machine onto each host whose virtual machines
will be protected. Enter the desired name of the virtual machine here.

Field: Management IP
Description: Enter the IP address you want allocated to the virtual machine. The IP address must
enable communications from the virtual machine to the VMC. Before assigning the IP address, verify
that it is not already assigned to another host or virtual machine.
Caution: Mistakenly entering the VMware host IP address here will cause an IP address conflict and
disrupt communications between the VMC and the host to which the vController is being deployed.

Field: Management Netmask
Description: Enter the netmask of the IP address.

Field: Management Gateway
Description: Enter the gateway through which the VMC and vController will communicate.

Field: Datastore (free)
Description: Choose the virtual machine datastore on which the vController software components will
be placed. Note that because the vController operates at the VMware host kernel level, migration of a
vController to another host is unsupported. For this reason it is best practice to place the vController
on local storage, as a precautionary measure against unintentional migration during a host
outage/failover.

8. Select Next to view the summary of choices you made in the vController deployment wizard.
9. Select Finish to deploy the vController.
Deployment of the vController can take up to several minutes, depending on how many hosts
the vController is being deployed to and the amount of time it takes to reboot each host.
Status indicators are available at the bottom of the VMC Client console, in the VMware
vCenter Recent Task list, in the VMware vCenter host hierarchy, and in the VMC Client
console Logical Topology view.
The following shows the status indicator located at the bottom of the VMC Client console.



The following shows the list of tasks that appear in the VMware vCenter console.

The following shows the vCenter host hierarchy after the vController has been deployed.
Notice the new virtual machine, named vController-10.100.0.209.



The following shows the Topology->Inventory view in the VMC Client console. Notice the
newly deployed vController and the additional vmservice virtual switch.

The following shows the Topology->Logical view in the VMC Client console. Notice the
additional services connected to the newly deployed vController virtual machine.

10. The vController deployment wizard powers on the new vController virtual machine and
moves the VMware host out of Maintenance Mode. Any virtual machines that were powered
off or migrated to other hosts prior to deployment of the vController can now be migrated
back to the host and powered on.



Verify the Redirector Tunnel
With the vController deployed onto a VMware host it is now possible, and prudent, to verify the
operation of the tunnel between the VMware host and the IPS. Several status indicators assist with this
objective, including:

• For each host upon which the vController has been deployed, view the status indicator located next to
the hostname/IP address shown in the Physical Redirectors console. The console is located by
clicking the Administration tab in the VMC, then choosing Redirectors from the left-side menu list.
The following table shows the status indicators and the tunnel state each one means.

Tunnel Status Meaning

Active, OK The tunnel between the VMware host and the IPS is active and no problem is
reported.

Active, MTU < 1504 The tunnel is active, but the MTU available on the path is below 1504.
The vController solution requires an MTU size of at least 1504. Because the
calculation of MTU varies across network equipment, it is recommended that
each vNIC in a vController-protected virtual machine be set to a minimum MTU
of 1504 and that all network equipment between the vNIC and the TippingPoint
IPS be set to a minimum MTU of 1522.

Unknown Status Communication between the VMC and the vController is not occurring as
expected. Verify the network between the two entities is functioning and that the
VMC and vController virtual machines are powered on and running.

Fail Close Communication between the VMC, vController, and vController redirectors is
operating as expected, but communication between the vController and the
physical-switch VLAN (and on to the IPS) is not. The vController is holding
redirected traffic rather than forwarding it uninspected, so the protected virtual
machines lose connectivity until the path to the IPS is restored.

Fail Open Communication between the VMC, vController, and vController redirectors is
operating as expected, but communication between the vController and the
physical-switch VLAN (and on to the IPS) is not. The vController is forwarding
traffic without inspection, so the protected virtual machines keep connectivity
but are not protected by the IPS until the path is restored.

Exception The vController may be in a state of reconfiguration, the vController redirector is
configured incorrectly (ex. configuration refers to a non-existent virtual switch),
or the VMC Server is experiencing problems.



Connect Host VMs to the vController
With the vController deployed onto the host, the next procedure is to connect the host’s virtual
machines to the vController.

CAUTION: In order to connect a virtual machine to the vController, the virtual machine
must be suspended. When suspended, all processing and all communications to and
from the virtual machine are disrupted.

Follow these steps to connect virtual machines to the vController:

1. Using the VMC Client, log into the VMC Server.
2. From the top-level menu, select Topology->Logical.
The VMC displays a logical network topology of the discovered virtual machines, virtual
NICs, and networks.
3. Choose the virtual machine to which you want to connect the vController by right-clicking on
the virtual machine's image, then choosing from the drop-down menu, vController->Install
on VM(s)....
To simultaneously connect multiple virtual machines to the vController, click each virtual
machine while holding down the CTRL key, then right-click on one image to bring up the
drop-down menu.

4. The VMC launches the vController Protection Wizard. Click Next to begin.



5. The wizard next displays Control Path configuration information, which was set when the
vController was deployed to the host, and allows you to set tags for the control paths.
Descriptions of the configurable fields are in the table below the following image.

Field Description

Tags to add to vControllers Tags are user-defined identifiers of virtual machines and their properties. The
tags are used in rules and policies, typically to group like devices and to trigger
inspection actions. In this field, define tags that you plan to refer to in your
vController rules and policies.

6. Select Next to view the summary of choices you made in the vController Protection Wizard.
7. Select Finish to connect the selected virtual machines to the vController.
Connection of virtual machines to the vController can take up to several minutes, depending
on how many virtual machines are being connected and the amount of time it takes to
suspend and power on the virtual machines.



Status indicators are available at the bottom of the VMC Client console and in the VMware
vCenter Recent Task list.
The following shows the status indicator located at the bottom of the VMC Client console.

The following shows the list of tasks that appear in the VMware vCenter console.



Configure vController Redirection Policies
The typical purpose of a vController policy is to redirect VM-to-VM network traffic to a TippingPoint
IPS, where the traffic is inspected according to the IPS inspection policies. The vController policies
are administered through the VMC Client.

A policy consists of one or more rules, each of which is similar to a conventional firewall rule. A rule
defines a set of criteria, one or more actions to take when the criteria are met, and one or more devices
to which the rule is applied. The following table shows examples of each of these rule components:

Criteria                                   Action                              Devices

All traffic going out of port 80           Redirect to IPS                     All virtual NICs in host 192.168.29.11

All FTP traffic (inbound and outbound)     Redirect to IPS and log             All virtual NICs in hosts that are located in the DMZ

All Windows Remote Desktop Protocol        Redirect to IPS                     All virtual NICs in hosts that are running the Windows
traffic (inbound and outbound)                                                 Terminal Server service

SSH traffic                                Allow (i.e. do not redirect to IPS) All virtual NICs in hosts that are located behind the DMZ

Accept the Default Redirection Policies

A vController policy is comprised of the policy name, one or more rules, and a zone assignment. The
vController solution has available a set of default policies and a default zone. Perform the following
steps to install and view these defaults.



1. Using the VMC Client, log into the VMC Server.
2. From the top-level menu, select Security->vController Workspace. If no redirection
policies yet exist, a dialog box appears asking if you want to install default policies.
3. Choose Yes to install the default policies.
4. The vController Workspace dialog box opens. The default zone and policies information
appears on the left-side of the dialog box. Click on the All zone and the list of policies
assigned to that zone appears. Notice that the list of all policies, regardless of whether or not
they are assigned to a zone, is displayed in the lower half of the vController Workspace,
accessible via the Policies tab.

Create a New Redirection Policy
Perform the following steps to create a new, single-rule policy.
1. On the lower left of the dialog box, select the Policies tab.

2. Click the icon next to the tab to add a new policy.

3. Name the policy. Click OK.



In the upper-right portion of the vController Workspace dialog, a new tab appears with the
policy name, followed by the word "rules."
4. Select Add on the right-hand side of the policy tab area to create a new rule.
5. Enter the required rule information. A rule is comprised of four categories of information:
Action, Direction, Source/Destination, and Protocol. Define each of these categories, referring
to the category descriptions in the following table:
Category Description

Action The action to be performed if the rule criteria are met. The valid
options are to redirect traffic to the IPS so it is inspected, to allow
traffic to pass without redirection, and to log the event.

Direction Monitor for network traffic that is outbound, inbound, or both.

Source/Destination Enter for the source and for the destination an IP address, a
resolvable hostname, or VQL criteria that dynamically locate
hosts matching the criteria.

Protocol Enter the Ethernet protocol, the IP protocol (TCP, UDP, or ICMP),
and the source/destination services (examples: HTTP, RDP, NFS,
SNMP).

6. Click OK to save the rule.

Assign a Zone to a Policy


With the rule defined and the policy created, the next step is to create a zone and then assign it to the
policy.

Perform these steps to create a zone:



1. Within the vController Workspace, select the Zone tab in the upper-left side.
2. Click the icon next to the tab to add a new zone.
3. Name the zone.
4. Create the zone specification using an IP address, hostname, or VQL criteria that
dynamically locate hosts matching the criteria.
5. Click OK to save the zone.

Perform these steps to assign a zone to a policy:

1. Within the vController Workspace, select the Policies tab in the lower-left side.
2. Select the newly created policy.
3. In the Zones section below the selected policy, click the icon next to the Zones title to
open a dialog box that shows all available zones.
4. Select one or more zones from the list.
5. Click OK to save the assignment.

CAUTION: To save all the changes made in the vController Workspace, including the
policy, the rule, the zone, and the zone-to-policy assignment, you must click Save at the
bottom-right of the vController Workspace dialog box.

Create Filtered Device Lists with the Virtual Query Language (VQL)
Policy rules include in their definitions a collection of devices to which the rule applies. The list of
devices can be static, identified with IP addresses or host names, or dynamic, identified in
real time through the use of the Virtual Query Language (VQL). Similarly, zones are comprised of a
collection of devices, which can be identified statically with IP addresses and host names or
dynamically with VQL.

VQL can query the user-defined tags created within the VMC and also the hundreds of properties
maintained by VMware itself.

For example user-defined tags can be used to categorize virtual machines by physical location, logical
location, or purpose. A tag might be assigned to all virtual machines operating in the Chicago data
center, or operating within a network’s DMZ, or operating for the purpose of servicing internet-based
order inquiries.



VMware maintains hundreds of properties for all the devices it creates and administers. For example, it
maintains the names given to virtual machines, virtual switches, data centers, clusters, and so on. It
maintains properties of these devices, such as the network to which a virtual NIC is connected or the
amount of memory allocated to a virtual machine.

The configuration of a policy rule and of a zone allows use of VQL statements to filter the entire
population of vController-secured devices. The VMC also supports running VQL queries as stand-alone
commands. Perform the following steps to run a VQL query:

1. Using the VMC Client, log into the VMC Server.
2. Click the Status drop-down menu in the upper-right of the VMC client console.
The following menu appears.
3. Select the icon to launch the VQL Editor.
The VQL Editor opens on the lower half of the VMC Client console.
4. Enter a VQL query in the upper portion of the editor, then click the green arrow to execute the
query command.
The query results are displayed in the lower half of the editor.
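The rule components shown in the example table under Configure vController Redirection Policies (criteria, action, devices) and the dynamic device lists described in this section fit together in a small model. The following Python is an added example, not code from the TippingPoint product. The guide does not show VQL syntax, so each dynamic device list is a plain predicate over a constructed inventory of vNICs with VMC tags and VMware-maintained properties; the evaluation order (rules tried top-down, first match wins, traffic matching no rule redirected to the IPS) is an assumption chosen for the example, and the VM names, addresses, tags and services are invented.

```python
"""Model of vController redirection rules over dynamic device lists.

Added example, not TippingPoint code. Inventory values are constructed.
Assumptions: rules are evaluated top-down and the first match wins;
traffic that matches no rule is redirected to the IPS (inspect by
default); each dynamic device list is a Python predicate standing in
for a VQL query, because VQL syntax is not shown in the guide.
"""
from dataclasses import dataclass, replace
from typing import Callable, FrozenSet, List


@dataclass(frozen=True)
class VNic:
    vm: str
    ip: str
    network: str              # VMware-maintained property: connected port group
    tags: FrozenSet[str]      # user-defined VMC tags
    services: FrozenSet[str]  # guest services the VM runs (constructed)


# Constructed inventory of vController-protected virtual NICs.
INVENTORY: List[VNic] = [
    VNic("web01", "192.168.29.11", "DMZ", frozenset({"dmz", "chicago"}), frozenset({"w3svc"})),
    VNic("ts01", "10.1.5.20", "Internal", frozenset({"chicago"}), frozenset({"TermService"})),
    VNic("db01", "10.1.5.30", "Internal", frozenset({"chicago", "pci"}), frozenset({"MSSQLSERVER"})),
]


# Dynamic device lists (each stands in for a VQL query) and one static list.
def in_dmz(n: VNic) -> bool: return "dmz" in n.tags
def behind_dmz(n: VNic) -> bool: return n.network == "Internal"
def runs_terminal_server(n: VNic) -> bool: return "TermService" in n.services
def static(*ips: str) -> Callable[[VNic], bool]: return lambda n: n.ip in ips


@dataclass(frozen=True)
class Rule:
    action: str                      # "redirect", "redirect+log" or "allow"
    direction: str                   # "in", "out" or "both"
    proto: str                       # "tcp", "udp", "icmp" or "any"
    ports: FrozenSet[int]            # service ports; empty means any port
    devices: Callable[[VNic], bool]  # device list the rule applies to


# The four example rules from the guide's table, in the order they are tried.
POLICY: List[Rule] = [
    Rule("allow", "both", "tcp", frozenset({22}), behind_dmz),
    Rule("redirect+log", "both", "tcp", frozenset({21}), in_dmz),
    Rule("redirect", "both", "tcp", frozenset({3389}), runs_terminal_server),
    Rule("redirect", "out", "tcp", frozenset({80}), static("192.168.29.11")),
]


@dataclass(frozen=True)
class Flow:
    nic: VNic
    direction: str   # "in" or "out" relative to the vNIC
    proto: str
    port: int        # service (destination) port


def matches(rule: Rule, flow: Flow) -> bool:
    """True when the flow's vNIC is in the rule's device list and all criteria hold."""
    if not rule.devices(flow.nic):
        return False
    if rule.direction != "both" and rule.direction != flow.direction:
        return False
    if rule.proto != "any" and rule.proto != flow.proto:
        return False
    return not rule.ports or flow.port in rule.ports


def decide(policy: List[Rule], flow: Flow, default: str = "redirect") -> str:
    """First matching rule decides; unmatched traffic gets the default action."""
    for rule in policy:
        if matches(rule, flow):
            return rule.action
    return default


def resolve_devices(policy: List[Rule], inventory: List[VNic]) -> List[List[str]]:
    """Expand each rule's device list into the VM names it covers right now."""
    return [sorted(n.vm for n in inventory if rule.devices(n)) for rule in policy]


def with_tag(nic: VNic, tag: str) -> VNic:
    """Copy of the vNIC carrying one more user-defined tag (simulates re-tagging in the VMC)."""
    return replace(nic, tags=nic.tags | {tag})


if __name__ == "__main__":
    web01, ts01, _ = INVENTORY
    print(decide(POLICY, Flow(web01, "out", "tcp", 80)))   # redirect
    print(decide(POLICY, Flow(ts01, "in", "tcp", 22)))     # allow: behind the DMZ
    print(decide(POLICY, Flow(web01, "in", "tcp", 22)))    # redirect: DMZ host has no allow rule
    print(resolve_devices(POLICY, INVENTORY))
```

The point of `resolve_devices` and `with_tag` is the one this section makes: a rule's device list is not fixed at authoring time, so adding a tag to a VM (or changing a VMware property such as its port group) moves it into or out of a rule's scope the next time the list is evaluated, without the policy itself being edited. Reviewing that expansion before saving a policy shows exactly which vNICs an "allow" rule exempts from inspection.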
