IMPORTANT INFORMATION YOU MUST READ BEFORE YOU START! ATTENTION! If you only see a single device in the web UI, you must repeat the process, rebuild the gold image and deploy it again to the affected endpoints as soon as possible. For any questions, contact Technical Support.
Introduction
In large networks with many similar computers, you can automate the process to install the operating system and other software with a gold image. This is sometimes referred to as a master image, base image, or clone image. You then deploy the gold image to all computers on the network, which eliminates most of the manual work required to set up a new computer. To generate a gold image, install an up-to-date operating system with all the software that users might need, such as security tools, on a computer on your network.
This article offers a step-by-step walkthrough of how to install Panda Security solutions on Aether platform in persistent and non-persistent Virtual Desktop Infrastructure (VDI) environments. Due to their characteristics, virtual computers or instances require you to follow a specific procedure to ensure that the images or templates to be used in virtual environments are up to date, and don't have a previously assigned machine ID so that, when a virtual computer is started, it is uniquely registered in the Web UI. In environments with very specific characteristics, you may need to follow the recommendations provided by the virtualization vendor to adapt general instructions to your needs. For a customized solution, contact Panda Security Technical Support.
The installation procedure requires the preparation of a template (for persistent environments) or a gold image (for non-persistent environments) that will later be deployed to the virtual computers on the network. It is very important to follow this procedure closely to:
- Ensure engine and knowledge updates.
- Optimize resource and bandwidth consumption in non-persistent environments.
- Ensure virtual instances are uniquely identified.
- In persistent environments, computers must have fixed MAC addresses.
- The computer used to generate the template or gold image must have an Internet connection.
Generally, the procedure described in this document works with the following types of virtual machines:
- VMware Workstation
- VMware Server
- VMware ESX
- VMware ESXi
- Citrix XenDesktop
- XenApp
- XenServer
- MS Virtual Desktop
- MS Virtual Servers
Procedure for Persistent Environments
In a persistent VDI environment, the information stored on a computer hard disk persists between restarts. Therefore, to create a template you only have to configure updates of the WatchGuard Endpoint Security protection. After you install an updated version of the operating system and all programs that users need, create the template.
- Create a group to host the template and the virtual machines called Virtual machines group from Aether Platform. To do so, follow these steps:
- From the top navigation bar, select Computers.
- From the left pane, select My Organization.
- Select Add Group.
- Create a settings profile with automatic Agent and Adaptive Defense 360 updates. To do so, follow these steps:
- From the top navigation bar, select Settings.
- From the left pane, select Per-computer settings.
- Click Add to create a settings profile and ensure the Automatic agent and Adaptive Defense 360 updates toggles are enabled.
- Assign these settings to the Virtual machines group you created earlier for the template.
- Now, create a settings profile with Automatic Knowledge Updates enabled. To do so, follow these steps:
- From the top navigation bar, select Settings.
- From the left pane, select Workstations and Servers.
- Click Add to create a new profile and type a name and description if required.
- Select General and enable the Automatic Knowledge Updates toggle.
- Assign these settings to the Virtual machines group you created earlier for the template.
- Install the agent and the protection on the Virtual machines group. To do so, follow these steps:
- From the top navigation bar, select Computers.
- Select the Virtual machines template group.
- Select Add computers. This will download the installer.
- Install the agent on the template and wait for the progress window to finish.
During that time, the protection will be automatically installed, configured and updated.
After the installation is completed, the computer will appear on the list of protected computers in the Web UI, with a green icon. The computer's protection and knowledge will be up-to-date.
- Run Endpoint Agent Tool (password panda) on the computer with the template. Follow these steps:
- Select the Detections, Counters and Check commands options and click Send.
Or else, right-click on the protection icon and select Synchronize.
- Remove the machine ID:
- If the computer is protected with Anti-Tamper, enter the password in the AntiTamper password field or else, leave it blank.
- Then, click the Prepare image button, but make sure the Is a gold image option is unchecked.
This removes the agent ID from the template, so that all virtual machines obtain their ID when they connect to Aether for the first time.
- ATTENTION! Disable the Panda Endpoint Agent service so the service does not start automatically before the template is created for your virtual instances.
This step is critical to ensure that each virtual machine is uniquely identified in the Web UI.
- Access the virtual environment management tool and generate the template. If you have questions about this step, contact your vendor.
Once the customization of the deployed virtual machine is completed, you must modify the Panda Endpoint Agent service. To do so, you can use different methods depending on the VDI deployment system. For example, you can use GPO policies for devices within a domain, or you can also use script applications such as Horizon, Windows Logon Scripts, etc.
GPO example
In this example, we explain how to change the Panda Endpoint Agent service's startup type, using GPO. First, you must create a GPO. To do that, follow these steps:
- In the GPO settings, go to the following path: Computer Configuration, Policies, Windows Settings, Security Settings, System Services, Panda Endpoint Agent. The service will be disabled.
- Change the type of start to Automatic. The service will start automatically on the next reboot and will be integrated in the console.
The Group Policy Management Editor screen looks like this:
Procedure for Non-Persistent VDI Environments
In a non-persistent VDI environment, you create two security settings profiles; one to update the gold image when you prepare it and for maintenance purposes, and one to disable updates when you run the gold image because it does not make sense to update Panda if the computer storage system reverts to its original state with each restart. The procedure for managing non-persistent VDI environments consists of three phases:
Before you create the gold image, you must prepare the machine:
- Install/Update the operating system with the customer's applications.
- Create a group to host the gold image ('Gold or template image' group), and another to host virtual machines ('Virtual machines' group).
- 'Gold or template image' group
- Go to the Settings tab, click Per-computer settings and create a settings profile for future image updates.
- Make sure the setting that automatically updates Panda on computers (automatic updates of the protection engine) is enabled.
- Select the Automatic Restart both workstations and servers option to make sure the computer will be updated.
- Assign these settings to the group you created for the gold image ('Gold or template image' group).
- Next, click the Settings tab, and select Workstations and servers from the Security section to create a settings profile for future image updates.
- Make sure automatic knowledge updates are enabled.
- Assign these settings to the group you created for the gold image ('Gold or template image' group).
- 'Virtual Machines' group
Virtual instances are based on the updated gold image. To optimize the VDI server's resources and reduce bandwidth usage, disable updates by following the steps below:
- Create a Per-computer settings profile that has updates disabled, and assign it to the 'Virtual Machines' group.
- Go to Workstations and servers in the Security section of the Settings tab, disable knowledge updates, and assign those settings to the 'Virtual Machines' group.
- Install the agent and the protection on the 'Virtual Machines' group in order to generate the gold image:
- Go to the Computers tab, select the gold image group ('Virtual Machines' group), and click Add computers. This will download the installer.
- Install the agent on the machine used to create the gold image and wait for the progress window to finish. During that time, the protection will be automatically installed and configured.
After the installation is completed, the computer will appear on the list of protected computers in the Web UI.
- Move the machine with the gold image to its Gold or template image group so that it receives the settings with the option to update.
We recommend that, from the computer, you right-click the protection icon in the notifications area of the taskbar, and force a synchronization. This will push the settings to the computer so that it will start updating.
- Run Endpoint Agent Tool (password panda) on the computer with the gold image.
- Although it is not mandatory, for non-persistent environments with persistence levels of less than a week, we recommend that you scan the computer with the Start cache scan button.
If you have Adaptive Defense 360, you can use the context menu and scan the specific partition. This will fill the goodware cache and prepare the protection for virtual images. The process can take some time, depending on the contents of the hard disk. Wait until the operation finishes.
- Select the Detections, Counters and Check commands options and click Send or else, right-click on the protection icon and select Synchronize.
- Remove the machine ID:
- If the computer is protected with AntiTamper, enter the password in the AntiTamper password field or else, leave it blank.
- Click the Prepare image button, and make sure the Is a gold image option is checked.
This removes the agent ID from the gold image, so all virtual machines obtain their ID when they are run and connect to Aether for the first time.
This step is critical to ensure that each virtual instance is uniquely identified in the Web UI.
- ATTENTION! Disable the Panda Endpoint Agent service to prevent it from starting automatically before the gold image is created for your virtual instances.
This step is critical to generate a specific ID for each virtual machine.
- Access the VDI management tools and generate the gold image. If you have questions about this step, contact your vendor.
- You can configure the maximum number of non-persistent machines that can be active simultaneously in the VDI environments section of the Web UI. This enables automatic management of the licenses used by those machines, relieving you of the task of deleting them from the Aether platform to recover their licenses.
Once the customization of the deployed virtual machine is completed, you must modify the Panda Endpoint Agent service. To do so, you can use different methods depending on the VDI deployment system. For example, you can use GPO policies for devices within a domain, or you can also use script applications such as Horizon, Windows Logon Scripts, etc.
GPO example
In this example, we explain how to change the Panda Endpoint Agent service's startup type, using GPO. First, you must create a GPO. To do that, follow these steps:
- In the GPO settings, go to the following path: Computer Configuration, Policies, Windows Settings, Security Settings, System Services, Panda Endpoint Agent. The service will be disabled.
- Change the type of start to Automatic. The service will start automatically on the next reboot and will be integrated in the console.
The Group Policy Management Editor screen looks like this:
The agent, the protection, and the signatures of the gold image created must be updated frequently, at least once a month. These updates are essential to ensure maximum protection against the new attack techniques developed by hackers. Follow the steps below to update the gold image:
- Start the machine where the gold image is installed.
- Access Services, find the Panda Endpoint Agent and make sure that the Type of start is Automatic and the Service status is Running.
- From the Web UI, move the machine with the gold image to the 'Gold or template image' group so that it receives the appropriate settings with automatic updates of the engine and knowledge.
- From the computer, right-click the protection icon in the notifications area of the taskbar to force a synchronization. This will update the machine.
- Updates are performed silently in the background. We recommend that you wait a few minutes to make sure the image is properly updated.
- If a new version of the protection is available, a restart window will be displayed and the computer will restart automatically (as configured in the Per-computer settings).
In this case, once the restart is completed, we recommend that you force a new synchronization to make sure the product is fully up-to-date and configured properly.
- Run the Endpoint Agent Tool (password panda) on the computer with the gold image.
- Scan it by using the Start cache scan button. This will fill the goodware cache and leave the protection in an appropriate state for virtual images.
This process can take some time, depending on the contents of the hard disk. Wait until you are notified that the operation has finished.
- Select options Detections, Counters and Check commands and click Send or else, right-click on the protection icon and choose Synchronize.
- Remove the machine ID:
- Select the Prepare image button, making sure the Is a gold image option is checked.
This will remove the agent ID from the gold image, so that all virtual instances obtain their unique ID when they are run and connect to Aether for the first time.
This step is critical to ensure that each virtual instance is uniquely identified in the Web UI!
- Go to services and configure the type of start of Panda Endpoint Agent service as Disabled.
It is essential to ensure that you have followed the procedure correctly.
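The two service-state steps in this procedure (Disabled before the template or gold image is captured, Automatic once the clone has been customized) can be checked and applied from a script, for example as a computer startup script in place of the GPO setting. The script below is an added example, not code from Panda Security; it assumes that "Panda Endpoint Agent" is the service's display name as shown in Services, and the `-Mode` and `-DisplayName` parameters are names chosen for this example.

```powershell
#Requires -RunAsAdministrator
# Added example, not vendor code.
# Assumption: 'Panda Endpoint Agent' is the display name shown in services.msc.
param(
    [Parameter(Mandatory)]
    [ValidateSet('PreCapture', 'PostDeploy')]
    [string]$Mode,
    [string]$DisplayName = 'Panda Endpoint Agent'
)

$svc = Get-Service -DisplayName $DisplayName -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Error "Service '$DisplayName' not found on this machine."
    exit 2
}

# Win32_Service reports the startup type as Auto, Manual or Disabled.
function Get-StartMode([string]$Name) {
    (Get-CimInstance -ClassName Win32_Service -Filter "Name='$Name'").StartMode
}

switch ($Mode) {
    'PreCapture' {
        # Run on the template / gold image after "Prepare image" and before capture.
        $startMode = Get-StartMode $svc.Name
        if ($startMode -ne 'Disabled') {
            Write-Error "Startup type is '$startMode'; set it to Disabled before capturing the image."
            exit 1
        }
        Write-Output "OK: '$DisplayName' is Disabled (current status: $($svc.Status))."
    }
    'PostDeploy' {
        # Run on each deployed virtual machine once its customization is complete.
        if ((Get-StartMode $svc.Name) -ne 'Auto') {
            Set-Service -Name $svc.Name -StartupType Automatic
        }
        # Choice made in this example: start the service now rather than
        # waiting for the next reboot.
        if ($svc.Status -ne 'Running') {
            Start-Service -Name $svc.Name
        }
        $svc.Refresh()
        Write-Output "'$DisplayName' startup type: $(Get-StartMode $svc.Name), status: $($svc.Status)."
    }
}
```

A non-zero exit code from the `PreCapture` mode can be used to block an automated image-capture job.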
- View non-persistent computers
Panda Adaptive Defense 360 uses the FQDN (Fully Qualified Domain Name) to identify computers whose ID has been deleted using the Panda Aether Tool program and are marked as gold image.
To get a list of non-persistent VDI computers, follow the steps below:
- From the top navigation bar, go to Settings.
- Click VDI environments from the left pane.
- Click the Show non-persistent computers link.
The Computers list is displayed, with the non-persistent computers filter applied.
- View persistent computers
- From the top navigation bar, select Computers.
- Verify that all your cloned devices are correctly displayed in the web UI.
Manage Licences
If the process is followed correctly, that is, if the step to delete the agent ID is performed correctly selecting and clearing the Is a gold image option as indicated, every time a new machine is started, the system will calculate its machine ID and will determine whether the computer is a new computer or an existing one, based on the selected environment.
- In non-persistent environments, if the maximum number of machines that can be active simultaneously for non-persistent images is set, the server will manage licenses automatically, provided there are available licenses and the number of concurrent machines is not exceeded.
- In persistent environments, if there are multiple machines that are no longer used, delete them from the database in order to free up licenses just as you would do with physical machines. This can be done from the Aether console, by selecting all machines to delete and clicking the Delete button, or individually via the context menu of each machine to delete.