Archive for October, 2012
I recently went through the configuration of the vCloud Network and Security vShield Edge VPN Appliance.
The SSL-VPN Plus is a client based VPN solution from VMware. IPSEC site to site is also available, but this demo solely focuses on configuring the client / server based SSL-VPN solution.
This demo assumes you have vShield Manager installed in your environment and a Port Group configured to use for the vShield Edge Appliance
The video goes into decent detail, but please reference these steps when doing your configuration:
- Login to your vShield Manager interface (mine is https://vshield)
- The default credentials are Username: admin | password: default
- Click the ‘+’ sign next to Datacenters and left click your datacenter (mine is cllab-dc)
- Next, click on the Network Virtualization Tab on the right hand side of the frame
- Click the green plus sign under ‘List of Edge gateways installed in this datacenter’
- Enter the name of the new Edge Appliance, mine is called ‘demo2-vpn’, then enter your hostname, description, tenant, and select your HA option (all are optional except ‘Name’ and I chose not to use HA for this demo)
- Click Next, then enter the CLI Credentials (I left this as the default) and choose whether or not you want to enable SSH; however, this has no bearing on the VPN configuration
- Click next then select your appliance size (mine is compact), make sure to leave the Enable auto rule generation checked, then click the ‘plus’ sign under edge appliances
- Select your cluster from the drop down, mine is ‘Server-Cluster’ then select your datastore and host accordingly, then click ‘Add’
- Click Next, and configure your default Edge Gateway interface again by clicking the ‘plus’ sign
- Give your Edge Interface a name, mine is demo2-vpn-interface. Leave the type as Uplink, then select the Port Group to connect to, mine is VPN-Portgroup
- Leave the connectivity status as Connected, then click the ‘plus’ sign under Configure Subnets
- Again, click the next ‘plus’ sign on the Add Subnet menu that pops up, then type in the IP address for your interface, mine is 192.168.1.19, click ok then type in your subnet mask and in my case it is 255.255.255.0 then click save
- Now click ‘Add’ back at the Add Edge Interface menu
- Click next and configure your default gateway by selecting the Configure Default Gateway check box. Select the vNIC just created, enter your Gateway IP (mine is 192.168.1.1) then click next
- Click the check box for Configure Firewall default policy, then set the Default Traffic Policy to Accept, then click next (HA is grayed out if you chose not to enable HA earlier as I did in this demo)
- Click next and then Finish at the Summary page, the new vShield Edge appliance will now get deployed
- After deployment is complete, double click on the new vShield Edge appliance
- Click on the VPN button, then click the SSL VPN-Plus link
- Click on Server Settings, then click Change
- Be sure the Primary address is selected, and in my case that is 192.168.1.19
- Select your port, the default is 443 which is fine, but I changed my port to 8443 to avoid a port conflict on my router
- You can leave the default cipher as RC4-MD5 and leave the Use Default Certificate checked
- Click Ok, then click on the IP Pool link under Configure
- Click the green ‘plus’ link to configure the IP pool range you want to lease to your VPN clients, in my case that is 172.16.10.20 To 172.16.10.30
- Enter your IP address range, enter the subnet mask (mine is 255.255.255.0) then be sure to leave the Status as enabled and configure your DNS and DNS Suffix settings (mine are 192.168.1.2 as the Primary DNS and cllab.local as the suffix) then click OK
- Next click on Private Networks to configure the internal networks you wish to provide access for your VPN clients
- Click the green ‘plus’ sign again and enter the network, netmask, and leave the rest unchanged. My values are 192.168.1.0 for the network with a netmask of 255.255.255.0. 192.168.1.0 gives access to the entire 192.168.1.x subnet. Click OK
- Next click Authentication, then click the green ‘plus’ sign to add authentication, in my case I chose LOCAL in the drop down menu
- You can leave the rest unchanged, but in my case I changed the Password Expires to 365 days with an expiry reminder to 360 days, then click OK
- Next click Installation Package and then the green ‘plus’ sign to bring up the Add Installation Package menu
- Give it a profile Name, in my case it is just demo2-vpn
- Then type in the public addressable IP address to your network or the DNS name, in my case it is 174.x.x.x and then make sure your port matches what we configured earlier. The default is 443, but in my case I changed this to port 8443 then click the OK button directly to the right of the port entry
- Next select the installation packages you wish to generate; I chose Mac, and Windows is enabled by default.
- Leave the rest unchanged then click OK
- Now add a LOCAL user by clicking Users, then click the green ‘plus’ sign and type in the user credentials and select whether or not you want to have the password expire, change at next login, etc. In my case my user name is clucas, password was entered, and I selected to have the Password never expire. Then click OK
- Lastly on this section, I selected General Settings -> Change and set the session idle timeout to 120 minutes from the default of 10. Then click OK
- Now we need to configure a NAT for the VPN Edge Appliance, so select the NAT button directly to the left of the VPN button under the Network Virtualization Tab
- Click the green ‘plus’ sign and select Add SNAT Rule
- Be sure the demo2-vpn interface is selected (or whatever you called yours) and enter the Source IP range of 172.16.10.0/24 (or whatever network IP pool you chose to create) and translate this to the VPN Edge IP address of 192.168.1.19 (yours may be different)
- Then click enabled then click Add then be sure to click Publish
- Now click back on the VPN button -> Dashboard -> then click the green/white enable button, then click Yes
- Now that the VPN Edge has been enabled, download the client by navigating to the IP/Port of the VPN Edge interface via https (in my example it is https://demo2-vpn:8443 or https://192.168.1.19:8443)
- Enter the username previously created, in my case that is clucas, then enter your password and click Login
- Now click the demo2-vpn link (or whatever you named yours) to begin the download and installation of the client
- Once installed, be sure you enable port forwarding on your router for port 443 or in my case 8443 to the vShield Edge Interface of 192.168.1.19
- Launch the VMware VPN naclient and select your VPN server from the drop down list, mine is demo2-vpn
- Click connect and enter your credentials.
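The walkthrough above spreads one set of related values across several screens (server address and port, IP pool, private networks, SNAT rule, installation package), and a mismatch between any two of them produces a VPN that authenticates but passes no traffic. The following Python script is an added example, not part of the original post or of any VMware tooling: it cross-checks those values against each other before you click Publish. The values in DEMO_CONFIG are the ones from the walkthrough; the field names and the functions are my own.

```python
import ipaddress

# Constructed example values copied from the walkthrough above;
# adjust them to match your own Edge deployment.
DEMO_CONFIG = {
    "edge_ip": "192.168.1.19",          # Server Settings -> Primary address
    "server_port": 8443,                # Server Settings -> port
    "cipher": "RC4-MD5",                # Server Settings -> cipher
    "pool_start": "172.16.10.20",       # IP Pool -> range start
    "pool_end": "172.16.10.30",         # IP Pool -> range end
    "pool_netmask": "255.255.255.0",    # IP Pool -> subnet mask
    "primary_dns": "192.168.1.2",       # IP Pool -> Primary DNS
    "private_networks": ["192.168.1.0/255.255.255.0"],  # Private Networks
    "snat_source": "172.16.10.0/24",    # NAT -> SNAT source range
    "snat_translated": "192.168.1.19",  # NAT -> translated address
    "package_port": 8443,               # Installation Package -> port
}


def check_sslvpn_config(cfg):
    """Cross-check the pieces of an SSL VPN-Plus setup against each other.

    Returns a list of (level, message) tuples: "error" for a combination
    that will not work, "warning" for one that works but is weak.
    An empty list means everything agrees.
    """
    findings = []
    edge_ip = ipaddress.ip_address(cfg["edge_ip"])
    pool_start = ipaddress.ip_address(cfg["pool_start"])
    pool_end = ipaddress.ip_address(cfg["pool_end"])
    pool_net = ipaddress.ip_network(
        "%s/%s" % (cfg["pool_start"], cfg["pool_netmask"]), strict=False)
    snat_src = ipaddress.ip_network(cfg["snat_source"], strict=False)
    private = [ipaddress.ip_network(n, strict=False) for n in cfg["private_networks"]]
    dns = ipaddress.ip_address(cfg["primary_dns"])

    if pool_start > pool_end:
        findings.append(("error", "IP pool start is after its end"))
    # Every leased client address must fall inside the SNAT source range,
    # otherwise that client's traffic leaves the Edge untranslated.
    if pool_start not in snat_src or pool_end not in snat_src:
        findings.append(("error", "IP pool %s-%s is not covered by SNAT source %s"
                         % (pool_start, pool_end, snat_src)))
    # The SNAT translated address is the Edge interface the LAN already routes to.
    if ipaddress.ip_address(cfg["snat_translated"]) != edge_ip:
        findings.append(("error", "SNAT translated address differs from the Edge interface IP"))
    # The pool must not overlap a private network, or the client cannot tell
    # its own tunnel address range from the LAN it is trying to reach.
    for net in private:
        if pool_net.overlaps(net):
            findings.append(("error", "IP pool network %s overlaps private network %s"
                             % (pool_net, net)))
    # The DNS server handed to clients has to be reachable through the tunnel.
    if not any(dns in net for net in private):
        findings.append(("error", "primary DNS %s is not inside any private network" % dns))
    # The port baked into the installation package is the one clients dial.
    if cfg["package_port"] != cfg["server_port"]:
        findings.append(("error", "installation package port does not match the server port"))
    # RC4 and MD5 are both deprecated for TLS; flag them without blocking.
    if any(tok in cfg["cipher"].upper() for tok in ("RC4", "MD5")):
        findings.append(("warning", "cipher %s uses RC4/MD5; prefer an AES-based suite "
                         "if the appliance offers one" % cfg["cipher"]))
    return findings


def is_consistent(cfg):
    """True when the configuration has no errors (warnings are allowed)."""
    return not any(level == "error" for level, _ in check_sslvpn_config(cfg))


if __name__ == "__main__":
    for level, msg in check_sslvpn_config(DEMO_CONFIG):
        print("%s: %s" % (level.upper(), msg))
```

Run it before clicking Publish and again whenever you change the pool or the NAT rule. The RC4-MD5 cipher is reported as a warning rather than an error because the appliance accepts it and the walkthrough leaves it in place, but neither RC4 nor MD5 is considered strong any more, so switch to an AES-based suite if your appliance version lists one.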
You know how you buy a new product, and so many times you have to work to make it act the way it should out of the box? A perfect example is any iOS device from Apple. There is simply no reason an Apple device wouldn’t automatically download podcasts for you in the background so you’re always up to date with the latest episodes. But it doesn’t. You have to buy Downcast for $2 to make the device work as it should from the beginning.
What’s that got to do with vCenter Operations? If you’ve used vCOps (pronounced vee-cee-aaahhhhps, according to the Twitter cognoscenti) extensively, you will no doubt have run into a problem where a VM, datastore, or any other object gets deleted out of vCenter, but will not go away from vCenter Operations’ database.
This can be quite frustrating. It will let you go into the custom UI and delete it as many times as you want. But it truly is an exercise in futility. It will never actually delete until you go in and make some changes to some config files.
Let’s get started.
First, you’ll want to SSH into the Analytics VM. Login with “root” and your password.
Next, type the command below. The prompt shows “secondvm-external”, which indicates you’re on the Analytics VM.
secondvm-external:/ # vi /usr/lib/vmware-vcops/user/conf/controller/controller.properties
Take a look at this file, and find the following line:
deleteNotExisting = false
Change false to true
If you’re in a hurry, you can play with the deletionSchedulePeriod setting, or you can just wait 24 hours, and the objects you wanted deleted will be deleted.
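The edit to controller.properties is a single line, but doing it by hand in vi on an appliance makes it easy to leave a commented duplicate of the key or to mistype it, and the change is then silently ignored. The helper below is an added example, not part of the post or of vCenter Operations: it applies `key = value` to a Java-style properties file idempotently, ignores commented copies, keeps a .bak of the original, and defaults to a dry run. The path constant is the one quoted in the post; the sample file contents are constructed, and the function names are my own. It avoids newer Python syntax so it runs on an older interpreter as well as a current one.

```python
import re
import shutil
import sys

# Path quoted in the post; the file lives on the vCOps Analytics VM.
CONTROLLER_PROPERTIES = "/usr/lib/vmware-vcops/user/conf/controller/controller.properties"

# Constructed sample of the file's layout, not the real contents.
SAMPLE = (
    "# constructed sample, not the real controller.properties\n"
    "# deleteNotExisting = true   <- a commented copy must be ignored\n"
    "someOtherSetting = 1\n"
    "deleteNotExisting = false\n"
)


def get_property(text, key):
    """Return the value of the first uncommented `key = value` line, or None."""
    pattern = re.compile(r"^\s*" + re.escape(key) + r"\s*=\s*(.*?)\s*$")
    for line in text.split("\n"):
        m = pattern.match(line)
        if m:
            return m.group(1)
    return None


def set_property(text, key, value):
    """Return (new_text, changed) with `key = value` applied.

    Only the first uncommented occurrence is rewritten, every other line is
    left byte-for-byte intact, and the key is appended if it is missing.
    Applying the same change twice is a no-op the second time.
    """
    pattern = re.compile(r"^(\s*" + re.escape(key) + r"\s*=\s*)(.*)$")
    lines = text.split("\n")   # a trailing newline leaves "" as the last element
    for i, line in enumerate(lines):
        m = pattern.match(line)
        if m is None:
            continue
        if m.group(2).strip() == value:
            return text, False
        lines[i] = m.group(1) + value
        return "\n".join(lines), True
    new_line = key + " = " + value
    if lines and lines[-1] == "":
        lines.insert(len(lines) - 1, new_line)
    else:
        lines.append(new_line)
    return "\n".join(lines), True


def apply_to_file(path, key, value, dry_run=True):
    """Apply the change to a file, keeping a .bak copy; returns True if it changed."""
    with open(path) as fh:
        original = fh.read()
    updated, changed = set_property(original, key, value)
    if changed and not dry_run:
        shutil.copy2(path, path + ".bak")
        with open(path, "w") as fh:
            fh.write(updated)
    return changed


if __name__ == "__main__":
    # Dry run unless --apply is given; a non-flag argument overrides the path.
    target = next((a for a in sys.argv[1:] if not a.startswith("--")), CONTROLLER_PROPERTIES)
    try:
        changed = apply_to_file(target, "deleteNotExisting", "true",
                                dry_run="--apply" not in sys.argv)
        print("%s: %s" % (target, "would change" if changed else "already set"))
    except IOError as e:
        print("cannot open %s: %s" % (target, e))
```

Run it once without --apply to confirm it finds the live key and not a commented one, then with --apply on the Analytics VM; `get_property` is handy for reading back deletionSchedulePeriod if you decide to shorten it.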
When you’ve made the change, type the following:
One last step for good measure.
Back at the secondvm-external:/ # prompt, type the following:
Note the prompt now changes to firstvm-external:/ #
Type in: su - admin
Now you’re at the admin@firstvm-external:~> prompt.
And you’re all done.
24 hours from now, objects that no longer exist in vCenter won’t exist in vCenter Operations. Why this is not default is not entirely obvious to me, but there you go.