VMware NSX 6.4 adds a range of features and improvements that VMware administrators should examine and implement, including an upgrade planner and more powerful firewall functionality.
VMware NSX 6.4 improves firewall functionality by inspecting traffic at Layer 7. Previously, admins could configure rules to block Secure Shell (SSH) on TCP port 22, for example. So when a VM owner configures SSH on port 80, and firewall rules allow traffic for TCP port 80, access to SSH is still possible because only port 22 is blocked.
The new deep packet inspection functionality in VMware NSX 6.4 enables the distributed firewall to look inside the actual packets to identify the applications. Using the previous example, admins can block SSH traffic regardless of the port. Such functionality was previously only available with third-party products from companies such as Palo Alto Networks or Check Point Software.
This new functionality doesn't eliminate the need for such products because they still offer features such as intrusion and malware detection. For example, the distributed firewall may let HTTP traffic through even if the URL contains SQL injection code, something that other firewalls would be able to detect and block.
Be aware of new service specifications with the APP_ prefix when using this new functionality to create a firewall rule. VMware's online documentation provides an overview of the current VMware NSX 6.4 release's supported applications.
This all works because of a new component on the ESXi host for the context-aware firewall that works with the distributed firewall. It keeps track of each traffic flow from a virtual network interface card (vNIC) and evaluates the firewall rules for that flow.
Implement VMware NSX 6.4 features
Due to the context engine and distributed firewall, VMware NSX features now include the ability to identify which user session traffic originates from on a Remote Desktop Services (RDS) host. Without this functionality, all the traffic from the host forms one stream of data and the identity-based firewall becomes useless in multiuser sessions hosts.
The feature is mainly useful with virtual desktops where a single user logs into a VM. When a user logs into a session on an RDS host with the Guest Introspection agent installed on VMware NSX 6.4, that agent sends the Active Directory user information to the context table on the ESXi host where the RDS host runs. When the distributed firewall inspects traffic leaving the vNIC of the RDS host, it matches the rules for the specific user based on the user's security identifier.
VMware NSX 6.4 also introduces an upgrade planner that enables admins to streamline the upgrade process of their NSX deployments. The upgrade order remains the same as previous versions. Update the NSX Manager, Controllers, Clusters, NSX Edge appliances and then the Service VMs.
In VMware NSX 6.4, a single overview shows the status of the components and enables the use of an upgrade procedure to plan and start the upgrade process.
Figure A below shows an overview of a small lab environment. The overview indicates which components need to be upgraded and any relevant warnings.
There are two main options when upgrading: Plan Your Upgrade or One Click Upgrade. In the latter choice, the only steps are to click Next and Finish. All the components will upgrade automatically without intervention as long as no errors occur. If more control is necessary, choose Plan Your Upgrade, which includes a pause after each major step and in the event of any errors.
Admins can monitor the upgrade process after it has begun, as shown in Figure B below. Figure B also shows one of the warnings that might display before starting the upgrade. In this case, the lab cluster didn't have distributed resource scheduler enabled, which requires manual intervention.
The other warning in that the overview screen is for edge appliances. The edge appliances don't have high availability enabled, which could cause some downtime for those services during the upgrade process.
Added VMware NSX features include improved HTML5 functionality
VMware NSX 6.4 also debuts networking and security plug-ins for vSphere Client and vSphere Web Client. There was a networking and security plug-in for the HTML5-based vSphere Client, but the functionality of that initial release was limited. With vSphere and vCenter support, this plug-in will update with new features with every release.
Figure C below shows that admins can manage firewall rules from this client. A few more releases will be necessary to implement all the functionality.
In the new, flash-based vSphere Web Client, many administrator panels have updated to HTML5. They're now more responsive and their look and feel align with vSphere Client, which will make future transitions smoother. For VMware, maintaining one version of the installation and upgrade panel is efficient for developer resources, which frees those resources to transform all the functionality into the HTML5-based vSphere Client.
Another VMware NSX feature is System Events. In the NSX Manager events tab, admins could already identify many events with their event ID, but with VMware NSX 6.4, this has improved significantly, especially for events related to dynamic routing with Border Gateway Protocol and the Open Shortest Path First router protocol. Previously, this was only available via system logs.