Welcome to the 2nd part of the VMware vDefend SSP series. In the first post of this series, I discussed what SSP is and how it helps secure a VCF private cloud by implementing microsegmentation. In this post, I will demonstrate the deployment of the SSP installer appliance.
The vDefend SSP Installer is shipped in OVA form factor and is used to deploy the VMware vDefend Security Services Platform (SSP). After booting the SSP Installer VM and performing initial configuration, you can access its web interface to set up the actual SSP instance by uploading an SSP bundle and connecting to your vCenter and NSX managers.
Network/Subnet Requirements
- SSP Installer: One IP address from the infrastructure management network.
- SSP Node Pool: 16 IPs from the network where SSP nodes will be deployed.
- SSP Service Pool: 11 IPs from the network where SSP nodes will be deployed.
DNS Requirements
Ensure that the following DNS records are in place before the deployment.
| Component | Sample FQDN | Sample IP Address |
|---|---|---|
| SSP Installer | sspi.<your-domain> | 192.168.10.51 |
| SSP Instance | ssp.<your-domain> | 192.168.10.52 |
| SSP Messaging | ssp-msg.<your-domain> | First IP of the SSP Service Pool |
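Before opening the installer wizard, the address plan can be checked offline against the requirements above. The following is an added example, not part of the installer or of the original post: the function names and sample addresses are constructed, and the pool sizes of 16 and 11 are treated as minimums, which is an assumption.

```python
import ipaddress

# Pool sizes from the requirements above, treated here as minimums (assumption).
NODE_POOL_MIN, SERVICE_POOL_MIN = 16, 11

def expand(start, end):
    """Expand an inclusive start-end range into a list of IP addresses."""
    lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
    if hi < lo:
        raise ValueError(f"range {start}-{end} is reversed")
    return [lo + i for i in range(int(hi) - int(lo) + 1)]

def validate_plan(cidr, node_range, service_range, dns):
    """Return a list of problems; dns maps role -> IP its FQDN resolves to."""
    net = ipaddress.ip_network(cidr)
    nodes, services = expand(*node_range), expand(*service_range)
    ips = {role: ipaddress.ip_address(ip) for role, ip in dns.items()}
    problems = []
    for name, pool, need in (("node", nodes, NODE_POOL_MIN),
                             ("service", services, SERVICE_POOL_MIN)):
        if len(pool) < need:
            problems.append(f"{name} pool has {len(pool)} IPs, needs {need}")
    unusable = {net.network_address, net.broadcast_address}
    for ip in nodes + services:
        if ip not in net or ip in unusable:
            problems.append(f"{ip} is not a usable host address in {net}")
    overlap = sorted(set(nodes) & set(services))
    if overlap:
        problems.append(f"node and service pools overlap at {overlap[0]}")
    # The SSP Messaging record must point at the first service pool IP.
    if ips["messaging"] != services[0]:
        problems.append(f"messaging record {ips['messaging']} is not the "
                        f"first service pool IP {services[0]}")
    if ips["installer"] in nodes + services:
        problems.append(f"installer IP {ips['installer']} is inside an SSP pool")
    if len(set(ips.values())) != len(ips):
        problems.append("two DNS records resolve to the same IP")
    return problems

# Constructed sample plan; the pool ranges are illustrative, not from the post.
GOOD = validate_plan("192.168.10.0/24",
                     ("192.168.10.60", "192.168.10.75"),
                     ("192.168.10.80", "192.168.10.90"),
                     {"installer": "192.168.10.51", "instance": "192.168.10.52",
                      "messaging": "192.168.10.80"})
```

An empty list means the plan is internally consistent; it does not confirm that the addresses are free on the network.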
Firewall Requirements
If you are planning to deploy the SSP installer and SSP instance in the same workload domain, refer to the vDefend Port and Protocols page for the required firewall whitelisting. In a typical VCF environment, the SSP installer is deployed in the management domain, and the SSP instance is in the workload domain. You must whitelist the following in your management domain NSX.
| Source | Destination | Port/Protocols | Purpose |
|---|---|---|---|
| SSP Installer | Workload vCenter | TCP/443 | vCenter API |
| SSP Installer | WLD Domain ESXi Hosts | TCP/443 | SSP VMs Deployment |
| SSP Installer | SSP Node IP Pool | TCP/22 | Pre-check VM deployment |
| SSP Installer | SSP Node IP Pool | TCP/6443 | SSP K8 Cluster API |
| SSP Installer | DNS | UDP/53 | Name Resolution |
| SSP Installer | NTP | UDP/123 | Time Sync |
| SSP Installer | SFTP Server | TCP/22 | Dump Config Backup |
| SSP Node IP Pool | Workload vCenter | TCP/443 | vSphere CSI |
| SSP Node IP Pool | Workload NSX | TCP/443 | NSX Onboarding |
| SSP Node IP Pool | SSP Installer | TCP/443 | Access to SSPi Registry |
| SSP Node IP Pool | DNS | UDP/53 | Name Resolution |
| SSP Node IP Pool | NTP | UDP/123 | Time Sync |
| SSP Node IP Pool | LDAP Server | TCP/389/636 | SSP Remote Authentication |
| SSP Node IP Pool | SFTP Server | TCP/22 | SSP Backup |
| SSP Node IP Pool | Syslog Server | UDP/514 | Syslog |
| SSP Service IP Pool | Workload NSX | TCP/1234, TCP/1235 | Communicate with NSX Mgr Mgmt & Control Plane |
| Workload NSX | SSP Service IP Pool | TCP/443, TCP/9092 | SSP inbound Ingress, SSP inbound Kafka |
Note: For whitelisting SSP communication with workload domain components, see the next post or consult Broadcom’s portal.
Note: SSP installation requires NSX version 4.2.3 or higher. See Broadcom KB-414369 for interop details.
Step 1: Download the installer
Log in to the Broadcom Support Portal and locate the Security Services Platform installer OVA file.
Step 2: Deploy the OVA template
- Log in to your vSphere Client and select “Deploy OVF Template.”
- Follow the wizard, providing a name and location for the instance and accepting the OVF template details. Deploy the appliance on the infrastructure management network.
Step 3: Access the installer and deploy the SSP instance
Access the SSP installer web interface using the FQDN and credentials set during the OVA deployment.
Accept the EULA to continue.
Step 4: Upload the Security Services Platform package
The platform package has the necessary binaries for installing the SSP instance. You can download the SSP v5.1 package from here
Browse to the location where you downloaded the tar bundle and click Upload.
The upload might take some time depending on your network speed.
After the upload is finished, proceed to the next step.
Initiate the Deploy SSP instance workflow.
- Specify the instance name and select the SSP version to install.
- For production deployment, select the Advanced deployment type and choose the number of worker nodes to start with.
- Specify the SSP instance and SSP messaging FQDN.
Click the Set button to specify the SSP instance admin/audit user passwords.
Click Next to continue.
Click on the Connect Now button to add the workload domain vCenter server.
Specify the vCenter FQDN and the credentials, and upload the vCenter SSL certificate.
Click on the Connect Now button.
Select the Datacenter/Cluster/Datastore where SSP VMs will be deployed.
- Select the VDS and portgroup where SSP VMs will be connected.
- Specify the subnet CIDR of the selected network and add the SSP node IP pool and SSP service IP pool.
- Specify DNS/NTP IPs and the DNS search domain.
Proceed to the next step.
Click on the Run Pre-Check button to validate the inputs for a successful deployment.
Click Start deployment after a successful pre-check.
SSP deployment takes roughly 30-40 minutes to complete.
In the backend, a content library is created in the vCenter server, and the SSP template is pushed.
The installer deploys the control plane and worker nodes using the content library template.
A resource pool is created in the workload vCenter to store the SSP VMs.
The installer provides the SSP instance FQDN/IP address after the successful deployment.
Navigate to the Home page for instance details and health status.
And that’s it for this post.
In the next post of this series, I will demonstrate the configuration of the SSP instance. Stay tuned!!!
I hope you enjoyed reading this post. Feel free to share this post on social media if it’s worth sharing.




















