
Illumio Core 23.2 Install, Configure, Upgrade

LW-VEN Requirements and Limitations

This section covers the LW-VEN's setup operations, requirements, limitations, and caveats.

The LW-VEN software installs the Illumio Legacy Windows VEN Service on your supported legacy Windows machines. Once installed, the Illumio Legacy Windows VEN Service:

  • Enforces policy received from the PCE.

  • Uses CPU only while it computes, optimizes, and applies the firewall rule set; the rest of the time it stays idle in the background.

You control the Illumio Legacy Windows VEN Service's operations through the PCE web console or from the command line on the Windows machine on which the LW-VEN is installed.

Set-up Sequence

When run, the Illumio Legacy Windows VEN Service automatically does the following:

  1. Checks whether this solution is supported.

  2. Installs and pairs an LW-VEN on your legacy Windows Servers.

  3. Creates a workload on the PCE that represents the legacy Windows server as a managed workload (a workload whose policy the PCE enforces through an installed VEN).

  4. When running, the service:

    • Requests policy from the PCE: the LW-VEN sends a heartbeat to the PCE every five minutes; if the PCE has policy updates, the LW-VEN fetches them. If there are no updates, the LW-VEN runs a tamper check on its local policy to verify that it has not been modified.

    • Applies the Illumio firewall rules obtained from the PCE to the Windows workload.

If the Illumio Legacy Windows VEN Service fails, Windows restarts it automatically.

Requirements

  • IllumioLWVENInstaller.exe

  • Illumio Policy Compute Engine (PCE) release 23.2.20 or later.

  • Legacy Windows servers

    • 32-bit or 64-bit Microsoft Windows Server 2003 SP1 or SP2, or Windows Server 2008 SP1 or SP2

    • 2 x 64-bit CPUs and 8 GB RAM

    • .NET Framework 4.0 (the minimum; .NET 5.0 and later are not supported)

  • Certificate validation: when it sends requests to the PCE, the LW-VEN validates the PCE's peer certificate against the cert.pem bundle shipped in the Illumio LW-VEN Service\certs directory. If your PCE presents a certificate that does not chain to that bundle (for example, one issued by an internal CA), add the issuing CA's .pem file to the \certs directory before you activate the LW-VEN so that the peer check can succeed.

  • A dedicated local user account with administrator privileges for installing and modifying the Windows firewall, running the service, and issuing the illumio-lwven-ctl commands.

    Important

    You must disable User Account Control (UAC) if it is enabled on the legacy Windows Server machines on which you plan to install the Illumio Legacy Windows VEN Service; otherwise the LW-VEN cannot be installed. UAC is the Windows security feature that prevents unauthorized changes to the operating system by running administrators with a filtered token until they approve an elevation. It exists on Windows Server 2008; Windows Server 2003 predates it. UAC is disabled when the registry value HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA is 0 (a change to this value takes effect after a reboot). Because disabling UAC removes the elevation prompt for every administrator on the host, limit who can log on to these servers interactively.

  • Make sure the display language of the user account used to activate and run the LW-VEN is set to an English locale. The LW-VEN parses the English output of the systeminfo and ipconfig /all commands to collect data about your Windows server (for example, host name and operating system); with a non-English display language the field labels change and the parse fails:

    • Windows Server 2003: Click Start, point to Control Panel, and then click Regional and Language Options.

    • Windows Server 2008: Click Start, point to Control Panel, and then in the section Clock, Language, and Region, click Change display language.
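The parsing requirement above is easy to reproduce. The script below is an added example, not Illumio code (the LW-VEN's own parser is not published): it extracts the fields an agent would need from systeminfo output using the English labels, and a preflight function reports which required fields are missing. Both samples are constructed; the German-labelled sample stands in for a localized run and its labels are an assumption for illustration.

```python
"""Parse host data out of `systeminfo` output using its English labels, and
show why a non-English display language breaks that.

Added example, not Illumio code. Both sample outputs are constructed; the
German labels are an assumption used to illustrate a localized run.
"""
import re

# Field labels as printed by an English-language systeminfo run.
FIELDS = {"hostname": "Host Name", "os": "OS Name", "os_version": "OS Version"}

# Constructed English output (Windows Server 2003 SP2 style).
SYSTEMINFO_EN = """\
Host Name:                 WIN2003-APP01
OS Name:                   Microsoft(R) Windows(R) Server 2003, Standard Edition
OS Version:                5.2.3790 Service Pack 2 Build 3790
OS Manufacturer:           Microsoft Corporation
System Boot Time:          1/2/2024, 3:04:05 PM
"""

# Constructed output with German labels (assumed), same machine.
SYSTEMINFO_DE = """\
Hostname:                  WIN2003-APP01
Betriebssystemname:        Microsoft(R) Windows(R) Server 2003, Standard Edition
Betriebssystemversion:     5.2.3790 Service Pack 2 Build 3790
"""


def parse_systeminfo(text):
    """Return {field: value} for the wanted fields; a field not found maps to None.

    Each systeminfo line is 'Label:<spaces>value'; the label is everything up to
    the first colon, so values containing colons (times, dates) parse correctly.
    """
    found = {}
    for line in text.splitlines():
        match = re.match(r"^([^:]+):\s+(.*)$", line)
        if match:
            found[match.group(1).strip()] = match.group(2).strip()
    return {key: found.get(label) for key, label in FIELDS.items()}


def preflight(text):
    """Return the names of required fields the English-label parser could not find.

    An empty list means the host data can be extracted; anything else is the
    failure the LW-VEN would hit on a non-English display language.
    """
    return [key for key, value in parse_systeminfo(text).items() if value is None]


if __name__ == "__main__":
    print("en:", parse_systeminfo(SYSTEMINFO_EN), "missing:", preflight(SYSTEMINFO_EN))
    print("de:", parse_systeminfo(SYSTEMINFO_DE), "missing:", preflight(SYSTEMINFO_DE))
```

Run it as a pre-install check by piping real `systeminfo` output into preflight; an empty list means the labels are the English ones the agent expects.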

Limitations and Caveats

Take careful note of the following limitations and caveats.

Each item below applies to both Windows Server 2003 SP1/SP2 and Windows Server 2008 SP1/SP2 unless the behavior is listed separately under a platform label.

Policy size and server specifications

Changing or removing a large policy on an under-powered server can cause the policy to fail. To avoid this and other unexpected policy problems, Illumio recommends against applying a policy that generates more than 1000 firewall rules, or that covers more than 50000 port/IP combinations in total, on a server with fewer than 2 x64 CPUs and 8 GB RAM.

Enforcement modes

Windows Server 2003 SP1/SP2:

  • Idle mode

  • Full Enforcement

If you change the Enforcement Mode from Full to Idle, the Illumio Legacy Windows VEN Service removes all Illumio policy from the Windows server. If you switch back to Full Enforcement, the policy is reapplied to the workload.

Although the Visibility and Selective options are not supported on Windows Server 2003 SP1/SP2, they still appear in the Enforcement drop-down menu on each workload's details page in the PCE web console. If you change the Enforcement mode from Full to Visibility or Selective, the LW-VEN ignores that policy and logs an event to the Windows Event Log and to the PCE, so confirm the state actually applied on the server from the Windows Event Log rather than from the drop-down.

Windows Server 2008 SP1/SP2:

  • Idle mode

  • Visibility mode

  • Selective Enforcement

  • Full Enforcement

If you change the Enforcement Mode from Full to Visibility or Selective, an Illumio ALLOW ALL rule is created, which allows all traffic that no other rule blocks.

Note

In Selective Enforcement mode, the Windows Server 2008 firewall applies all block rules before it applies any allow rules, so a block rule wins over an overlapping allow rule. This is the opposite of how the standard Illumio VEN behaves on other Windows systems.

Inbound/Outbound Rules

Windows Server 2003 SP1/SP2:

  • Inbound rules only

Windows Server 2008 SP1/SP2:

  • Inbound rules

  • Outbound rules

Policy Rules Limitations

Windows Server 2003 SP1/SP2:

  • Port & protocol rules only

  • One rule per port/protocol. If an Illumio rule includes a port range, one Windows rule is created per port in the range.

  • A rule can program only a list of IP addresses and/or CIDR blocks (IP ranges are converted to CIDR blocks). The LW-VEN always merges IP addresses into the most compact set of CIDR blocks possible.

  • If the Illumio Legacy Windows VEN Service is uninstalled, all Illumio rules are removed from the firewall.

Windows Server 2008 SP1/SP2:

  • Port & protocol rules only

  • An Illumio rule that includes a port range produces a single Windows rule, but the ports appear as a comma-separated list rather than as a range.

  • IP ranges only (CIDR blocks are converted to IP ranges). The LW-VEN always merges IP addresses into the most compact set of ranges possible.

  • If the Illumio Legacy Windows VEN Service is uninstalled, all Illumio rules are removed from the firewall.

Matching rules

Windows Server 2003 SP1/SP2:

  • Exact match (port/protocol and all IPs match)

    The customer rule remains enforced; the Illumio rule is not applied.

  • Partial match (port/protocol match but only some or none of the IP addresses match)

    If a customer rule exists for the same port and protocol as an Illumio rule, the Illumio rule is applied and the customer rule is overwritten.

Windows Server 2008 SP1/SP2:

  • Exact match (port/protocol and all IPs match)

    The customer rule remains enforced; the Illumio rule is not applied.

  • Partial match (port/protocol match but only some or none of the IP addresses match)

    If a customer rule exists for the same port and protocol as an Illumio rule, the customer rule is disabled and the Illumio rule applies. If you suspend or uninstall the Illumio LW-VEN Service, any partially matching customer rules remain disabled; re-enable them yourself if you still need them.
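The matching behavior above has a consequence worth checking before you uninstall: a customer rule that partially matched an Illumio rule is overwritten on Windows Server 2003 and disabled on Windows Server 2008, and neither platform restores it when the Illumio rules are removed. The script below is an added example, not Illumio code: it models the two reconciliation outcomes per platform and lists the customer port/protocol pairs that would be left without an enabled rule after uninstall. The rule dicts and sample rules are constructed; that uninstall performs no restore step is an inference from this page, noted in the code.

```python
"""Model how the LW-VEN reconciles Illumio rules with pre-existing customer
Windows Firewall rules for the same port/protocol, per platform, and what is
left after the service is uninstalled.

Added example, not Illumio code. Rules are plain dicts (an assumed
representation, not Illumio's format) and the sample rules are constructed.
"""


def match_kind(customer, illumio):
    """'exact' when port, protocol and every IP match; 'partial' when only the
    port and protocol match; None when the rules are for different services."""
    if (customer["proto"], customer["port"]) != (illumio["proto"], illumio["port"]):
        return None
    return "exact" if set(customer["ips"]) == set(illumio["ips"]) else "partial"


def apply_policy(customer_rules, illumio_rules, platform):
    """Return the Windows Firewall rule list after the LW-VEN applies the policy."""
    state = [dict(rule, owner="customer", enabled=True) for rule in customer_rules]
    for ill in illumio_rules:
        customers = [r for r in state if r["owner"] == "customer"]
        if any(match_kind(r, ill) == "exact" for r in customers):
            continue  # exact match: customer rule stays enforced, Illumio's is not applied
        for r in customers:
            if match_kind(r, ill) == "partial":
                if platform == "2003":
                    state.remove(r)          # 2003: customer rule is overwritten
                else:
                    r["enabled"] = False     # 2008: customer rule is disabled
        state.append(dict(ill, owner="illumio", enabled=True))
    return state


def uninstall(state):
    """Uninstall removes every Illumio rule and touches nothing else: a rule
    overwritten on 2003 is gone, a rule disabled on 2008 stays disabled.
    (Assumption: this page describes no restore step, so none is modelled.)"""
    return [r for r in state if r["owner"] != "illumio"]


def unprotected_after_uninstall(customer_rules, illumio_rules, platform):
    """(proto, port) pairs the customer had covered that have no enabled rule
    once the LW-VEN is uninstalled: the list to re-create or re-enable."""
    left = uninstall(apply_policy(customer_rules, illumio_rules, platform))
    still_enabled = {(r["proto"], r["port"]) for r in left if r["enabled"]}
    return sorted({(r["proto"], r["port"]) for r in customer_rules} - still_enabled)


# Constructed sample rules (not from any real host).
CUSTOMER = [
    {"name": "RDP admins", "proto": "tcp", "port": 3389, "ips": ["10.0.0.5", "10.0.0.6"]},
    {"name": "SMB backup", "proto": "tcp", "port": 445, "ips": ["10.0.0.9"]},
]
ILLUMIO = [
    {"name": "illumio-3389", "proto": "tcp", "port": 3389, "ips": ["10.0.0.5"]},  # partial match
    {"name": "illumio-445", "proto": "tcp", "port": 445, "ips": ["10.0.0.9"]},    # exact match
]

if __name__ == "__main__":
    for platform in ("2003", "2008"):
        print(platform, "left unprotected after uninstall:",
              unprotected_after_uninstall(CUSTOMER, ILLUMIO, platform))
```

With the sample rules, both platforms report TCP 3389 as uncovered after uninstall: the customer's wider RDP rule was partially matched and is either gone (2003) or still disabled (2008), while the exactly matched SMB rule survives untouched.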

Rule character limits

Windows Server 2003 SP1/SP2:

Windows limits the size of a rule to approximately 8K characters. A rule that exceeds 8K characters causes the entire policy to be rejected and a message to be logged in the Windows Event Log.

Windows Server 2008 SP1/SP2:

Windows limits the size of a rule to approximately 8K characters. A rule that exceeds 8K characters is split into multiple rules. No limit on the number of rules is enforced.
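The rule-expansion differences (one rule per port and CIDR lists on Windows Server 2003; one rule with a comma-separated port list and IP ranges on Windows Server 2008), the 1000-rule and 50000 port/IP recommendation from the policy size item, and the 8K rule limit above can all be checked before a policy is pushed. The script below is an added example, not Illumio code or the LW-VEN's real rule format: it expands one Illumio rule the way each platform stores it and reports which of this page's limits it would hit. The rule string layout is an approximation used only to estimate size, IPv4 is assumed, and the sample inputs are constructed.

```python
"""Estimate how one Illumio rule expands into Windows Firewall rules on
Windows Server 2003 and 2008, and check it against the limits on this page.

Added example, not Illumio code. The rule-string layout is an approximation
for size estimation (the LW-VEN's real format is not published); IPv4 only;
sample inputs are constructed.
"""
import ipaddress

RULE_CHAR_LIMIT = 8192        # Windows rule size limit, approximately 8K characters
MAX_RULES = 1000              # recommended ceiling on rules for a 2 x64 CPU / 8 GB server
MAX_PORT_IP_COMBOS = 50000    # recommended ceiling on port/IP combinations, same server


def _single_ports(ports):
    """Flatten port specs (an int or a (low, high) tuple) into sorted single ports."""
    out = set()
    for spec in ports:
        low, high = (spec, spec) if isinstance(spec, int) else spec
        out.update(range(low, high + 1))
    return sorted(out)


def _networks(ips):
    """Normalize single IPs, CIDR blocks and 'a-b' ranges into the most compact
    set of CIDR blocks, which is how Windows Server 2003 stores them."""
    nets = []
    for item in ips:
        if "-" in item:
            low, high = (ipaddress.ip_address(p.strip()) for p in item.split("-", 1))
            nets.extend(ipaddress.summarize_address_range(low, high))
        else:
            nets.append(ipaddress.ip_network(item, strict=False))
    return list(ipaddress.collapse_addresses(nets))


def _ranges(nets):
    """Merge sorted CIDR blocks into the most compact contiguous 'a-b' ranges,
    which is how Windows Server 2008 stores them. Adjacent blocks that do not
    form a single CIDR (a /24 next to a /25) still collapse into one range."""
    merged = []
    for net in nets:
        first, last = int(net.network_address), int(net.broadcast_address)
        if merged and first <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], last))
        else:
            merged.append((first, last))
    return [f"{ipaddress.ip_address(a)}-{ipaddress.ip_address(b)}" for a, b in merged]


def expand(proto, ports, ips, platform):
    """Return the Windows Firewall rule strings one Illumio rule turns into."""
    singles = _single_ports(ports)
    nets = _networks(ips)
    if platform == "2003":
        # One Windows rule per single port; the IP list is the merged CIDR list.
        addr = ",".join(str(n) for n in nets)
        return [f"{proto} {port} {addr}" for port in singles]
    if platform == "2008":
        # One Windows rule per Illumio rule; ports listed one by one, IPs as ranges.
        return [f"{proto} {','.join(map(str, singles))} {','.join(_ranges(nets))}"]
    raise ValueError("platform must be '2003' or '2008'")


def check(proto, ports, ips, platform):
    """Expand one Illumio rule and report the sizing problems this page warns about."""
    rules = expand(proto, ports, ips, platform)
    combos = len(_single_ports(ports)) * sum(n.num_addresses for n in _networks(ips))
    problems = []
    if len(rules) > MAX_RULES:
        problems.append(f"{len(rules)} rules exceeds the recommended {MAX_RULES}")
    if combos > MAX_PORT_IP_COMBOS:
        problems.append(f"{combos} port/IP combinations exceeds the recommended {MAX_PORT_IP_COMBOS}")
    oversize = sum(1 for r in rules if len(r) > RULE_CHAR_LIMIT)
    if oversize and platform == "2003":
        problems.append(f"{oversize} rule(s) over {RULE_CHAR_LIMIT} chars: whole policy rejected")
    elif oversize:
        problems.append(f"{oversize} rule(s) over {RULE_CHAR_LIMIT} chars: split into multiple rules")
    return {"rules": len(rules), "combinations": combos, "problems": problems}


if __name__ == "__main__":
    # Constructed sample: TCP 80-89 from a /24 plus a half-/24 given as an IP range.
    sample = ("tcp", [(80, 89)], ["10.0.0.0/24", "10.0.1.0-10.0.1.127"])
    for platform in ("2003", "2008"):
        print(platform, expand(*sample, platform)[:2], check(*sample, platform))
```

The same rule for TCP 1-2000 shows the two failure modes side by side: on Windows Server 2003 it becomes 2000 separate rules, over the recommended 1000, while on Windows Server 2008 it stays a single rule whose port list alone is longer than 8K characters and so gets split.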

Error handling

Log messages are written to local logs; errors and warnings are also written to the Windows Event Log and to the PCE.

LW-VEN and workload names in the PCE

After you activate an LW-VEN, its workload appears in the PCE web console under the same name as the server's hostname.

User interface

  • The Upgrade button on the VEN page in the PCE web console does not apply to this solution; clicking it has no effect.

  • If you unpair the LW-VEN from the PCE web console by clicking Unpair on the LW-VEN's details page, only the Open All Ports firewall-state option is supported.