
AMP for Endpoints - Deploying on VMView VDIs

aswantek
Level 1

Has anyone had any real-world experience deploying AMP for Endpoints on Virtual Desktops (VMView to be specific)? Our VDI environment uses non-persistent Windows 7 and Windows 10 desktops. The official CISCO/Firepower documentation is a bit vague. I have a few questions:

1.) Can a specific group/policy be used instead of the "default" policy as defined in the "Business" pull down? This is quite important in our environment.

2.) When creating the VDI template, does it need to connect/register with the AMP cloud? I am not sure why you would register the template as it never is "used" in production except to generate the non-persistent VDIs.

3.) One of the CISCO docs recommends Identity Persistence of By hostname across business be used. Is that reasonable?

4.) Also recommended was to NOT install TETRA. Is that reasonable?

Jetsy Mathew
Cisco Employee

Hello aswantek,

I have reviewed your queries.

1.) Can a specific group/policy be used instead of the "default" policy as defined in the "Business" pull down. This is quite important in our environment - Yes, you can create a specific group/policy from the Policy tab accordingly and enable the features as per your requirements.

2.) When creating the VDI template, does it need to connect/register with the AMP cloud? I am not sure why you would register the template as it never is "used" in production except to generate the non-persistent VDIs - Are you referring to creating the golden image for Identity Persistence here?

3.) One of the CISCO docs recommends Identity Persistence of By hostname across business be used. Is that reasonable? It's completely based on your environment. Without knowing about your environment, we cannot really comment on the same.

4.) Also recommended was to NOT install TETRA. Is that reasonable? It's recommended to avoid using TETRA in a server environment, and also if there is any other antivirus already running on the system.

Regards

Jetsy

We are having issues following the limited documentation provided by CISCO with regard to deploying the AMP connector on VMView VDI desktops. Is there a DEFINITIVE step by step document that goes through this process?

phil.reeves
Level 1

Hi Aswantek, I have successfully deployed Cisco AMP on non-persistent virtual desktops in a XenServer / XenDesktop environment. It took some time to get it to a functional state without filling the write-cache disk and without causing performance issues.

You first need to make sure you have all the correct exclusions for your environment.

Steps I followed are:

1. Modify the policies for both your Cisco AMP default group and your target group as follows:

a) Disable Tetra Engine

b) Enable Identity Persistence with the option "By Hostname across Business"

2. Download the connector (with policy) and install onto your imaging machine using command-line install with the switches: /skipdfc 1 /skiptetra 1

3. Once installed, stop the Cisco AMP service. Easiest way is from command-line:

"%programfiles%\cisco\amp\x.x.x\sfc.exe" -k <protectionpassword>

4. Run the following commands to recreate the local.xml file (contains GUID):

del "%PROGRAMFILES%\Cisco\AMP\local.xml"
echo ^<config^>^</config^> > "%PROGRAMFILES%\Cisco\AMP\local.xml"

5. Shut down the machine without restarting the service.
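
A pre-seal check for the golden image prepared in steps 3 to 5 above, as an added example that is not part of the original post: it confirms the connector is stopped and that local.xml is still the empty stub before the machine is shut down. The function name, its parameters and the process name `sfc` (taken from the sfc.exe binary in step 3) are assumptions.

```powershell
# Added example: pre-seal check for a golden image prepared with the steps above.
# Assumptions (not from the post): the function name and parameters; the
# process name "sfc" is inferred from the sfc.exe binary stopped in step 3.
function Test-AmpImageReadyToSeal {
    param(
        [string]$LocalXml = (Join-Path $env:ProgramFiles 'Cisco\AMP\local.xml'),
        [string]$ProcessName = 'sfc'
    )
    $problems = @()

    # Step 3: the connector must not be running, or it can register with
    # the cloud and write an identity back into local.xml.
    if (Get-Process -Name $ProcessName -ErrorAction SilentlyContinue) {
        $problems += "Connector process '$ProcessName' is still running."
    }

    # Step 4: local.xml must exist and be the empty <config></config> stub.
    if (-not (Test-Path -LiteralPath $LocalXml)) {
        $problems += "Missing $LocalXml (step 4 recreates it as an empty stub)."
    } else {
        try {
            $doc  = [xml](Get-Content -LiteralPath $LocalXml -Raw)
            $root = $doc.DocumentElement
            if ($root.Name -ne 'config') {
                $problems += "Unexpected root element <$($root.Name)> in local.xml."
            } elseif ($root.HasChildNodes) {
                $problems += 'local.xml is not empty; every clone would inherit its contents (GUID).'
            }
        } catch {
            $problems += "local.xml is not well-formed XML: $($_.Exception.Message)"
        }
    }
    return ,$problems
}

$issues = Test-AmpImageReadyToSeal
if ($issues.Count -eq 0) {
    Write-Output 'OK: connector stopped and local.xml is an empty stub; safe to shut down (step 5).'
} else {
    $issues | ForEach-Object { Write-Warning $_ }
    exit 1
}
```

Run it from an elevated PowerShell prompt on the imaging machine immediately before step 5; a non-zero exit code means step 3 or step 4 needs to be repeated.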