Installing HyTrust’s Cloud Advisor

This is the next gen of the DataGravity product.  Very happy it did not die with DataGravity. HyTrust bought the IP and now we have a new version – 2.0 – and we will get it going in my lab and take a look at it.

If you are not familiar with DG, this tool will watch inside VMs, and inside backups for Potentially Identifiable Information (PII).  You can also add things to be monitored for and your own alerting processes.  It can also do actions when things are found.  So a user deleting a lot of files in a short period can be booted from AD for example.  One of the common things would be making sure no PII exists in your environment to avoid fines. With Cloud Advisor your environment is defined as your virtual machines and backups.

You need to get the bits, and the docs. Generally, you will have links for both in an email from HyTrust.  In particular, make sure to check out the release notes.

I am working through this with Cloud Advisor 2.0 build 35707 and VMware vSphere 6.5 Update 1.

There is a nice Getting Started doc that has a bit of a worksheet in it.  For all the service account, passwords, and IP address type of stuff.

Things to have ready

  • FQDN and IP for the appliance.
  • Service account for AD. This service account needs to have domain admin rights due to it being used for actions.
  • SMTP and NTP info.
  • FQDN of the vCenter – with the service account having rights to the vC.  The docs have the detailed requirements for the rights.
  • FQDN of the Veeam server, and an account for it.

All the VMs you wish to secure, and Veeam too, if you want to check out the backups, need to be all in the same AD domain – same too with the HyTrust appliance.

Install

So deploy the OVA (I used the vSphere Web Client with no issues to deploy it). Minimum questions so pretty easy.  We need to connect to the console to finish the setup / config.

Configuration

Once finished with the deploy of the OVA, power it up, and access the console.

  • log in  using admin / dg

  • Change the password and answer a few network type questions and let it commit. It will take a few minutes.

After it finishes you will need to visit https://fqdn to finish the setup.

  • Log in as admin with you new password.
  • You will see a Setup Now option.
  • First step is add your license.  Easy if on the internet as you copy and paste.
  • Make sure to leave Phone Home enabled as it really helps them to help you.
  • You should see a congrats message when your key works, and then use the continue green button.
  • Configure your DNS info on the second screen (DNS).  I added a second DNS here which I could not do on the console. Use the Test button. Make sure it passes before you continue.

  • So now on the Date and Time screen.  Select your TimeZone and some NTP servers. Then test. I used 0.ca.pool.ntp.org and 1.ca.pool.ntp.org.  If you are in the US change ca to us or use your on-prem NTP if yo have that.
  • Now we need to connect to AD.  I used a my service account user to do that, and just the service account name when prompted – not the full user name.
  • Next is SMTP. Again make sure to test and that you actually get the email.
  • Next step is Virtualization Manager. Again, make sure to test.
  • Next we add our backup provider.  Easy but no test button.  After you add it you need to do Blackout Window when backups will not be mounted and that is a bit tricky.  I just checked out M – F and hope I can tweak it better once configured.
  • Now Configure.

Now we are complete.  I selected Explore on my own rather than add virtual machines.

Additional Setup

First we want to setup logging.

  • Select System from the Home screen, followed by, System Settings.
  • Now use Settings \ Syslog Destinations to access the config.

  • Define your syslog, and yes, there is no test here either.

  • Log out, and log in again to Cloud Advisor, then check your log server and you should see a few things.

Now we are going to define who has access to Cloud Advisor

  • So use Settings \ Active Directory so we can set some access groups.

Fill in the fields with the appropriate groups.  Note that the Cloud Advisor Service account is required and also very powerful.  It appears that it must be a domain admin equivalent.  I got an odd error when my service account was not.

You do not need to test while you are adding groups.

Now we are ready to add some virtual machines to our system.

Adding virtual machines to Cloud Advisor

Starting at the home screen select Inventory, and Add VMs to Inventory.

We have a wizard now and need to choose VMs from my vCenter, or my Veeam Server.  I am going to pick a VM or two from the vCenter.

Nice touch we can see the number of managed and unmanaged.

  • On the next screen it is about Insight Profiles.  I am leaving it at the default for now.

Now we work on the schedule for snapshots – which is how information is gotten into the Cloud Advisor. Leaving it for the default for now.

The next screen is the Discovery Tools screen.  These are the tools that will help provide additional information from inside the VMs to Cloud Advisor.  It is a small footprint agent that provides very good value.  I use the column header checkbox to highlight the whole roll of VMs.  Then I use the Manage Discovery Tools button.

You will have the option to decide to configure the agent to report information in real time, or via DiscoveryPoint (DP).  Make the decision that is best for you.  For normal operations probably at DP but for the highly secure environments maybe Real Time.  I am using the default of Real Time.

You will be prompted for credentials to access those VMs and install the agent.  No restart is needed.

You can see how things go in the UI.

You can see one of my VMs had a failure to install. I look at that VM and it turns out it has the original DataGravity Discovery Tools installed, and it is a later version than what I just tried to push to it.  So I am uninstalling the DG Tools, restarting, and will try again. I click on the Failure and can try again easily and it works.

Instead of the 4 or 5 VMs I only get one ingested but that is due to my license which I only noticed now is for 1 VM.  That will be easy to for HyTrust as they can fix that behind the scenes and it just shows up – nice system.

It will take a little bit to see what is found.  The first DP takes the longest.  When you add a VM an Admin DP is taken so we have a baseline. When it is finished we see stuff.  The next DP takes way less time.

So Cloud Advisor is installed and configured and is now monitoring VMs.  Cool.  I will share more info in additional articles.

Michael

=== END ===

Tagged with: ,
Posted in Home Lab, How To

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: