How To: Upgrade vShield Manager

This only came about because I got a call today about a customer that had vCloud up and running, then realized they had the 4.1 build of vShield Manager installed (Build #287872) instead of the 4.1 Update 1 version (Build #310451). Build #287872 is a valid GA version for 4.1, but if you go to the VMware download site for vCloud Director 1.0.1 you will notice the new .OVA is Build #310451. A common mistake people seem to be making is grabbing the new .OVA from the vCloud Director download site, deleting their existing vShield Manager VM, and deploying the new one, only to discover that everything BROKE!

vCloud Director Download with OVA only

Well, here is a little background to help you understand why that is. vShield Manager runs a local MySQL database inside the appliance. When vCloud Director deploys a vShield Edge for a NAT-routed network, it is tracked by vSphere VM-ID in that MySQL database. When you delete the vShield Manager VM, you also delete the MySQL database. Now, you can back up the database using FTP as shown in the screenshot; however, I personally have not tried to restore it to a newly deployed vShield Manager of the same version, let alone a new version.

vShield Manager Backup Options

So you ask: where and how do I go from the GA build to the latest version of vShield Manager? Well, that is easy for the most part. First you need to download the upgrade files from the vShield Edge Download page, provided of course that the version you are grabbing is supported with vCloud Director. Notice there is not only the .OVA but the .tar.gz file as well!

vShield Download Page with TAR file

Now the rest is pretty easy.  From the UI go to Settings and Reports –> Updates and select upload file.  You want to upload the TAR file as is, and once you do you will be presented with an install screen.

vShield Manager Install Update

After that the system will load the update and reboot. There are some additional items you may need to do, like reconnecting to vCenter, but generally that will still work. The bottom line here is you can upgrade vShield Manager, and you DO NOT want to just delete it and re-deploy it. There is a lot of information stored on that virtual machine.

Stay tuned for specifics in a few months on upgrading to vShield 5.0.  The new vCloud 1.5 download site does have both the TAR and the OVA versions listed now as well to minimize confusion.

About Chris Colotti

Chris is active on the VMUG and event speaking circuit and is available for many events if you want to reach out and ask. Prior to this he spent close to a decade working for VMware as a Principal Architect. Before his nine-plus years at VMware, Chris was a System Administrator who evolved his career into a data center architect. Chris spends a lot of time mentoring co-workers and friends on the benefits of personal growth and professional development. Chris is also amongst the first VMware Certified Design Experts (VCDX#37), and author of multiple white papers. In his spare time he helps his wife Julie run her promotional products business as the accountant, bookkeeper, and IT Support. Chris also believes in both a healthy body and healthy mind, and has become heavily involved with fitness as a Diamond Team Beachbody Coach using P90X and other Beachbody Programs. Although technology is his day job, Chris is passionate about fitness after losing 60 pounds himself in the last few years.


  1. Hi Chris,

    Small cosmetic fixes : “locl MySQL” -> “local MySQL”.

    I have tried once the restore from ftp backup and it worked great (same vSM version), but I would need to retest it on a vCloud 1.0.1 -> 1.5 context to see how it behaves and document it.

    Therefore I really like your method, it’s simple and efficient in the different vCloud lab deployments I’ve tried.

    • I still take the FTP backup before the in place upgrade……just in case 🙂

      • Yes, we should never let your guard down ;-).

        Always have multiple ways to restore, only those who didn’t fail on such *stupid* topic would think differently.

        I’ve seen many companies backing up data, without testing the restore process, and just when they need it, it never works the way they expected.

  2. What about upgrading shield manager from ver 4.1 to ver 5.0 without losing a ping from the VM?

    • Tommy, vShield Manager needs to reboot on the upgrade and restart the Java services, so it will go offline for a couple of minutes. However, that does not affect running vShield Edges and their deployed rules; it just means you cannot update vSEs or deploy new ones until the vSM is back online. Has not proven to be a big deal yet for most people. Cheers!
