The Symantec Endpoint Detection and Response virtual appliance is delivered as an OVA file that runs as a virtual machine on VMware ESXi.
When installing a virtual appliance on an ESXi server, you must connect the virtual network adapters that are built into the OVA template. Perform this task with the virtual switches that you configure in VMware. When you configure virtual switches, you associate them with physical ports on the ESXi server.
Important: You must reserve 48 GB of memory and at least 12 GHz CPU before you start the VMware computer for the first time.
Symantec EDR does not support inline mode for the virtual appliance. As such, you run a risk when you deploy a virtual appliance in inline mode because there is no bypass ability.
Virtual Machine Configuration
When you run Symantec EDR in a virtual environment, it is important to properly configure the virtual computers on which your Symantec EDR appliances run. The following are some configuration notes:
Make certain your virtual computer has the proper resources allocated. Also, make sure to reserve VM resources (CPU, memory, disk) for the Symantec EDR appliance or you may experience disk space or high-memory usage errors.
Use the proper block size, depending upon the VMFS version of your system. If your ESXi server uses VMFS-2, then your block size must be set to 4 MB or greater. If you use a file system later than VMFS-2, set your block size to 8 MB. If the block size is not properly set, the deployment of the OVA can fail. The failure message indicates that the disk capacity of the computer is greater than the amount available on the datastore.
When you deploy a network scanner on a virtual machine and you have mapped the WAN port to a physical NIC through a vSwitch, change the configuration of the vSwitch to allow all VLAN IDs in the port group properties. Without this setting, Symantec EDR may not capture some network traffic.
For virtual machines intended to function as Symantec EDR network scanners, enable Promiscuous mode on the WAN and LAN virtual switches. This setting permits Symantec EDR to scan all network traffic.
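The two vSwitch settings above (all VLAN IDs on the port group, Promiscuous mode on the scanner switches) can be checked from the ESXi shell before the scanner goes live. The following is an added example, not part of the Symantec documentation: the port group names EDR-WAN and EDR-LAN and the vSwitch names are assumptions, the sample output is constructed, and 4095 is the VLAN ID that a VMware standard vSwitch uses for "all VLANs".

```shell
#!/bin/sh
# Added example, not product code. Port group names (EDR-WAN, EDR-LAN) and
# vSwitch names are assumptions; the sample text is constructed.

# Print the VLAN ID of port group $1 from `esxcli network vswitch standard
# portgroup list` output on stdin. Names may contain spaces, so match the
# name as a line prefix and take the last column.
pg_vlan() {
    awk -v n="$1" 'index($0, n "  ") == 1 { print $NF }'
}

# Print the "Allow Promiscuous" value from `esxcli network vswitch standard
# policy security get -v <vswitch>` output on stdin.
promisc() {
    awk -F': *' '/Allow Promiscuous/ { print $2 }'
}

# check_scanner_pg <portgroup> <portgroup-list-text> <security-policy-text>
# Returns 0 only if the port group carries all VLANs (ID 4095) and its
# vSwitch allows promiscuous mode; prints one line per gap found.
check_scanner_pg() {
    rc=0
    vlan=$(printf '%s\n' "$2" | pg_vlan "$1")
    mode=$(printf '%s\n' "$3" | promisc)
    if [ -z "$vlan" ]; then echo "$1: port group not found"; return 2; fi
    if [ "$vlan" != "4095" ]; then
        echo "$1: VLAN ID is $vlan, expected 4095 (all VLANs)"; rc=1
    fi
    if [ "$mode" != "true" ]; then
        echo "$1: promiscuous mode is '${mode:-unknown}', expected true"; rc=1
    fi
    return $rc
}

# Constructed sample output (not captured from a real host).
SAMPLE_PGS='Name                Virtual Switch  Active Clients  VLAN ID
------------------  --------------  --------------  -------
Management Network  vSwitch0                     1        0
EDR-WAN             vSwitch1                     1     4095
EDR-LAN             vSwitch2                     1       10'
SAMPLE_SEC_ON='   Allow Promiscuous: true
   Allow MAC Address Change: false
   Allow Forged Transmits: false'
SAMPLE_SEC_OFF='   Allow Promiscuous: false'

# On a live host, pass "$(esxcli network vswitch standard portgroup list)" and
# "$(esxcli network vswitch standard policy security get -v vSwitch1)" instead.
check_scanner_pg EDR-WAN "$SAMPLE_PGS" "$SAMPLE_SEC_ON" && echo "EDR-WAN: ok"
check_scanner_pg EDR-LAN "$SAMPLE_PGS" "$SAMPLE_SEC_OFF" || true
```

A port group can override its vSwitch security policy, so if the check passes but traffic is still missing, compare the port group's own policy as well.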
About virtual network adapters
The OVA template includes three virtual network adapters:
Required for all appliances for the management connection
Establishes a monitor connection when the appliance operates in Tap mode
Establishes the WAN connection when the appliance operates in either Inline Block or Inline Monitor mode
Establishes a second monitor connection when the appliance operates in Tap mode
Establishes the LAN connection when the appliance operates in either Inline Block or Inline Monitor mode
When you deploy the OVA, map each virtual adapter to your network.
About virtual switch requirements
For a management platform, you need only one virtual switch for the Management interface.
To configure each virtual adapter and associate it with a physical port, follow the instructions in the VMware documentation, but set certain values for the Symantec EDR virtual appliance.