Prerequisites for VEN Installation
Before installing VENs on the workloads and endpoints in your environment, you must understand and meet the following prerequisites.
PATH Environment Variable for illumio-ven-ctl
For more information about using the VEN CTL, see the "illumio-ven-ctl General Syntax" topic in the VEN Administration Guide.
VEN OSs and Package Dependencies
The VEN software package formally declares dependencies on certain other required software packages. Some of these other packages must be installed before the VEN is installed, while others are installed concurrently during VEN installation.
The VEN software also makes use of certain other software packages without formally declaring dependencies on them. This allows the same VEN software to be installed on various workloads regardless of which other packages may also be installed. The VEN automatically detects and configures the other software as needed, just-in-time, and reports an error if it encounters any problems with the other software.
For the complete list of package dependencies by operating system, see the VEN OS Support and Package Dependencies page on the Illumio Support portal.
Minimum key length with RHEL8+ cryptographic policy set to FUTURE
If the cryptographic policy is set to FUTURE on RHEL8, RHEL9, and related operating systems, the RSA key length must be 3072 bits or greater. For more information, see this Knowledge Base article.
VEN-to-PCE Communication
Illumio Core uses Transport Layer Security (TLS) version 1.2 by default for VEN-to-PCE communications.
The PCE default minimum version is TLS 1.2.
For VEN versions 18.1 and later, all VENs use TLS 1.2.
For more information about the TLS requirements for VEN-to-PCE communication, see TLS Versions for Communication.
Before installing a VEN, the workload or endpoint must meet the following requirements for VEN-to-PCE communication:
The workload or endpoint can validate its certificate's chain of trust back to the root Certificate Authority (CA) of the server certificate on the PCE.
The VEN can reach the PCE on the ports configured for the PCE in the PCE Runtime Environment File runtime_env.yml. Contact your Illumio Support representative for more information.
To prevent time drift between the PCE and VENs, Network Time Protocol (NTP) must be installed and working on the PCE and the VENs.
Workload Disk Size Requirements
Illumio recommends that you reserve 10 GB of disk space on workloads for the VEN. The amount of disk space ultimately used will vary depending on the size and complexity of your microsegmentation environment.
Application logs are rotated from primary to backup when their size reaches 15 MB. Application log files are preserved at reboot, because application logs are stored in files on a workload.
IP Address Support
In Illumio Core 20.2.0 and later releases, the VEN supports both IPv4 and IPv6 address versions, and the IP address version appears correctly in the PCE; for example, in the Workload section of the VEN summary page in the PCE web console.
You can configure how the PCE treats IPv6 traffic from workloads. For more information, see Manage Security Settings.
Obtain the VEN Packages
PCE-based VEN software bundle
If you are an Illumio On-premises customer (you are running the PCE in your corporate data center), download the VEN packages to your PCE by running illumio-pce-ctl from your PCE. For more information, see VEN Library Setup in the PCE.
Note
If you are an Illumio Cloud customer, you do not have shell access to the PCE; therefore, the Illumio Operations team downloads and sets up the PCE-based VEN software bundle for you. They download all necessary VEN packages for customers.
CLI-based VEN software packages
All VEN software is available for download from the Illumio Support portal. A VEN package is downloadable from the Illumio Support portal for each version of the VEN. Illumio provides the package as a tar file that contains a version of the VEN for all supported operating systems.
To download the VEN package:
Go to the Illumio Support site (login required).
Under the VEN section > VEN version, select Software > Download.
In the VEN Packages row of the VEN table, click the filename for the VEN tar file.
Download the file to a convenient location.
VEN Package CPU Architecture
For VEN installation using the VEN CTL, after you have downloaded and unpacked the software, determine which VEN is appropriate for your operating system and hardware architecture.
See the Supported Operating Systems for Illumio VEN table - CPU Architecture Identifier in the Filename column on the Illumio Support portal.
(Optional) Verify Package Signature
For additional security, verify the identity of the downloaded VEN packages against the Illumio public key.
Note
You can verify the signature of the VEN RPM packages for CentOS, Red Hat Enterprise Linux (RHEL), Ubuntu, and SUSE Linux Enterprise Server.
Signature verification is not supported for AIX, Debian, Solaris, and Windows VEN packages.
The Illumio public key is available from the Download VEN page of the Illumio Support portal (login required).
For information about using a public key to verify package signatures, see Checking a Package's Signature on the Red Hat Customer Portal.
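The following script shows the verification step for an RPM VEN package, failing closed when the package is unsigned or the Illumio key is not trusted (rpm reports NOKEY in that case). It is an added example, not Illumio tooling; the package and key filenames are placeholders for the files you downloaded from the Support portal, and it must run as root so that rpm can import the key.

```shell
#!/bin/sh
# Verify a downloaded VEN RPM against the Illumio public key before
# installing it. Added example, not Illumio tooling. Run as root so that
# rpm can import the key; the two filenames are placeholders for what you
# downloaded from the Support portal.

# Judge `rpm -K -v` output read from stdin. Pass only when at least one
# signature line is present and every signature/digest line reports OK;
# digest-only output (an unsigned package) or NOKEY/BAD results fail.
rpm_sig_output_ok() {
    out=$(cat)
    printf '%s\n' "$out" | grep -qi 'Signature, key ID' || return 1
    if printf '%s\n' "$out" | grep -Ei 'signature|digest' | grep -qv ': OK'; then
        return 1
    fi
    return 0
}

verify_ven_rpm() {
    pkg=$1 key=$2
    # Import the Illumio key so rpm can check the signature rather than
    # only the digests.
    rpm --import "$key" || { echo "could not import $key"; return 1; }
    if rpm -K -v "$pkg" | rpm_sig_output_ok; then
        echo "OK: $pkg signature verified against $key"
    else
        echo "FAIL: $pkg signature check failed; do not install"
        return 1
    fi
}
if [ "${1:-}" = "run" ]; then
    verify_ven_rpm "${2:-illumio-ven.rpm}" "${3:-illumio-public.key}"; exit $?
fi
```

Invoke it as `sh verify-ven-rpm.sh run <package.rpm> <illumio-key-file>`; a FAIL result means the package should not be installed until the download and key are re-checked.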
Firewall Tampering Protection on Linux
To enable faster host firewall tampering protection (within approximately three seconds) for Linux firewalls, make sure that:
tracefs is mounted (newer Linux distributions)
debugfs is mounted (older Linux distributions that include tracefs in debugfs)
For information, see "VEN Firewall Tampering Detection" in the VEN Installation and Upgrade Guide.
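The following check reports whether a Linux host meets the tracefs/debugfs condition above. It is an added example, not Illumio tooling; it reads the mount table in /proc/mounts format, and the mount points it suggests are the conventional kernel defaults.

```shell
#!/bin/sh
# Report whether this Linux host satisfies the tracefs/debugfs condition
# above for fast firewall tampering detection. Added example, not Illumio
# tooling; the mount points suggested below are the kernel's usual defaults.

# Read a mount table in /proc/mounts format from stdin. Print "tracefs" if
# tracefs is mounted, "debugfs" if only debugfs is mounted but provides
# tracing underneath it (older kernels), and return 1 if neither applies.
tracing_mount_status() {
    mounts=$(cat)
    # /proc/mounts fields: device, mount point, fstype, options, ...
    if printf '%s\n' "$mounts" | awk '$3 == "tracefs" { f=1 } END { exit !f }'; then
        echo tracefs; return 0
    fi
    dbg=$(printf '%s\n' "$mounts" | awk '$3 == "debugfs" { print $2; exit }')
    if [ -n "$dbg" ] && [ -d "$dbg/tracing" ]; then
        echo debugfs; return 0
    fi
    return 1
}

main() {
    if fs=$(tracing_mount_status </proc/mounts); then
        echo "OK: tracing available via $fs; fast tampering detection possible"
    else
        echo "MISSING: mount tracefs (or debugfs on older kernels), e.g.:"
        echo "  mount -t tracefs nodev /sys/kernel/tracing"
        echo "  mount -t debugfs nodev /sys/kernel/debug"
        return 1
    fi
}
if [ "${1:-}" = "run" ]; then main; exit $?; fi
```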
Note
Faster host firewall tampering protection is enabled for Windows automatically.
VEN Compatibility Check
In addition to meeting the requirements in this topic and being aware of the limitations for installing VENs on workloads and endpoints, you can use the VEN Compatibility Check feature to verify the functionality of the VEN. The compatibility information for the VEN is available only while the VEN is in Idle mode.
For information about this feature, see VEN Compatibility Check.
SecureConnect Setup on Workloads
For information about SecureConnect requirements for VENs, see SecureConnect.