
VMware Validated Design™

Deployment Guide for Region A

VMware Validated Design for Software-Defined Data Center 2.0

This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of this document, see http://www.vmware.com/support/pubs.

EN-002169-00
VMware Validated Design Deployment Guide for Region A

You can find the most up-to-date technical documentation on the VMware Web site at:
http://www.vmware.com/support/
The VMware Web site also provides the latest product updates.
If you have comments about this documentation, submit your feedback to:
[email protected]

© 2016 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright
and intellectual property laws. This product is covered by one or more patents listed at
http://www.vmware.com/download/patents.html.
VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other
jurisdictions. All other marks and names mentioned herein may be trademarks of their respective
companies.

VMware, Inc.
3401 Hillview Avenue
Palo Alto, CA 94304
www.vmware.com

© 2016 VMware, Inc. All rights reserved.

Page 2 of 545

Contents

1. Purpose and Intended Audience ... 5

2. Virtual Infrastructure Implementation in Region A ... 6
2.1 Install and Configure ESXi Hosts in Region A ... 6
2.2 Deploy and Configure the Management Cluster Components in Region A ... 18
2.3 Deploy and Configure the Management Cluster NSX Instance in Region A ... 54
2.4 Deploy and Configure the Compute and Edge Clusters Components in Region A ... 104
2.5 Deploy and Configure the Compute and Edge Clusters NSX Instance in Region A ... 147
2.6 Replace Certificates in Region A ... 186
2.7 Deploy vSphere Data Protection in Region A ... 203

3. vRealize Operations Implementation in Region A ... 216
3.1 Deploy vRealize Operations Manager in Region A ... 216
3.2 Configure Load Balancer for vRealize Operations Manager in Region A ... 252
3.3 Connect vRealize Operations Manager to the vSphere Environment in Region A ... 257
3.4 Install the vRealize Operations Manager Management Pack for vRealize Log Insight ... 265
3.5 Connect vRealize Operations Manager to the NSX Managers in Region A ... 267
3.6 Connect vRealize Operations Manager to vRealize Automation in Region A ... 277
3.7 Enable Storage Device Monitoring in vRealize Operations Manager in Region A ... 281
3.8 Configure User Access in vRealize Operations Manager in Region A ... 286
3.9 Configure E-Mail Alerts in vRealize Operations Manager ... 292

4. vRealize Log Insight Implementation in Region A ... 295
4.1 Deploy vRealize Log Insight in Region A ... 295
4.2 Install a CA-Signed Certificate on vRealize Log Insight in Region A ... 313
4.3 Connect vRealize Log Insight to the vSphere Environment in Region A ... 319
4.4 Install the vRealize Log Insight Content Pack for Virtual SAN in Region A ... 330
4.5 Enable the vRealize Log Insight Integration with vRealize Operations Manager for Region A ... 331
4.6 Connect vRealize Log Insight to vRealize Operations Manager in Region A ... 333
4.7 Connect vRealize Log Insight to the NSX Instances in Region A ... 341
4.8 Connect vRealize Log Insight to vRealize Automation in Region A ... 350
4.9 Configure Log Retention and Archiving in Region A ... 361

5. Region A Cloud Management Platform Implementation ... 364
5.1 Prerequisites for Cloud Management Platform Implementation in Region A ... 364
5.2 Configure Service Account Privileges in Region A ... 381
5.3 vRealize Automation Installation in Region A ... 385
5.4 vRealize Automation Default Tenant Configuration in Region A ... 435
5.5 vRealize Automation Tenant Creation in Region A ... 440
5.6 vRealize Orchestrator Installation in Region A ... 454
5.7 vRealize Business Installation in Region A ... 476
5.8 Cloud Management Platform Post-Installation Tasks ... 489
5.9 Content Library Configuration in Region A ... 494
5.10 Tenant Content Creation ... 499


1. Purpose and Intended Audience


VMware Validated Design Deployment Guide for Region A provides step-by-step instructions for installing, configuring, and operating a software-defined data center (SDDC) based on the VMware Validated Design for Software-Defined Data Center.
VMware Validated Design Deployment Guide for Region A does not contain step-by-step instructions for performing all of the required post-configuration tasks, because they often depend on customer requirements.

Note The VMware Validated Design Deployment Guide for Region A is compliant and validated with certain product versions. See Introducing VMware Validated Design for more information about supported product versions.

VMware Validated Design Deployment Guide for Region A is intended for cloud architects, infrastructure administrators, and cloud administrators who are familiar with VMware software and want to use it to deploy, in a short time, and manage an SDDC that meets requirements for capacity, scalability, backup and restore, and extensibility for disaster recovery support.


2. Virtual Infrastructure Implementation in Region A


The virtual infrastructure in Region A is implemented through the following high-level procedures.
• Install and Configure ESXi Hosts in Region A
• Deploy and Configure the Management Cluster Components in Region A
• Deploy and Configure the Management Cluster NSX Instance in Region A
• Deploy and Configure the Compute and Edge Clusters Components in Region A
• Deploy and Configure the Compute and Edge Clusters NSX Instance in Region A
• Replace Certificates in Region A
• Deploy vSphere Data Protection in Region A

2.1 Install and Configure ESXi Hosts in Region A


Start the deployment of your virtual infrastructure by installing and configuring all the ESXi hosts.
• Prerequisites for Installation of ESXi Hosts in Region A
• Install ESXi Interactively on All Hosts in Region A
• Configure the Network on All Hosts in Region A
• Configure vSphere Standard Switch on a Host in the Management Cluster in Region A
• Configure NTP on All Hosts in Region A
• Set Up Virtual SAN Datastore in Region A

2.1.1 Prerequisites for Installation of ESXi Hosts in Region A


Install and configure the ESXi hosts for the management cluster, compute cluster, and edge cluster by using the same process.
Before you start:
• Make sure that you have a Windows host that has access to your data center. You use this host to connect to your hosts and perform configuration steps.
• Ensure that routing is in place between the two regional management networks, 172.16.11.0/24 and 172.17.11.0/24, because it is required to join the common SSO domain.
You must also prepare the installation files.
• Download the ESXi ISO installer.
• Create a bootable USB drive that contains the ESXi installation. For more information, see Format a USB Flash Drive to Boot the ESXi Installation or Upgrade in the vSphere Installation and Setup documentation.


IP Addresses, Hostnames, and Network Configuration


The following tables contain all the values needed to configure your hosts.

Table 1. Management Cluster Hosts in Region A

Hostname     FQDN                              IP
mgmt01esx01  mgmt01esx01.sfo01.rainpole.local  172.16.11.101
mgmt01esx02  mgmt01esx02.sfo01.rainpole.local  172.16.11.102
mgmt01esx03  mgmt01esx03.sfo01.rainpole.local  172.16.11.103
mgmt01esx04  mgmt01esx04.sfo01.rainpole.local  172.16.11.104

Table 2. Management Cluster Global Settings in Region A

Setting          Value
Management VLAN  1611
Default Gateway  172.16.11.253
NTP Server       ntp.sfo01.rainpole.local
                 ntp.lax01.rainpole.local

Table 3. Compute Cluster Hosts in Region A

Hostname     FQDN                              IP
comp01esx01  comp01esx01.sfo01.rainpole.local  172.16.21.101
comp01esx02  comp01esx02.sfo01.rainpole.local  172.16.21.102
comp01esx03  comp01esx03.sfo01.rainpole.local  172.16.21.103
comp01esx04  comp01esx04.sfo01.rainpole.local  172.16.21.104

Table 4. Compute Cluster Global Settings in Region A

Setting          Value
Management VLAN  1621
Default Gateway  172.16.21.253
NTP Server       ntp.sfo01.rainpole.local
                 ntp.lax01.rainpole.local

Table 5. Edge Cluster Hosts in Region A

Hostname     FQDN                              IP
edge01esx01  edge01esx01.sfo01.rainpole.local  172.16.31.101
edge01esx02  edge01esx02.sfo01.rainpole.local  172.16.31.102
edge01esx03  edge01esx03.sfo01.rainpole.local  172.16.31.103
edge01esx04  edge01esx04.sfo01.rainpole.local  172.16.31.104

Table 6. Edge Cluster Global Settings in Region A

Setting          Value
Management VLAN  1631
Default Gateway  172.16.31.253
NTP Server       ntp.sfo01.rainpole.local
                 ntp.lax01.rainpole.local
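As an added pre-flight check (example code written for this edition, not part of the VMware guide), the following Python script loads the values from Tables 1 through 6 and verifies that they are mutually consistent before anyone types them into the DCUI, which performs no such validation: each FQDN is the hostname plus the sfo01.rainpole.local suffix, each host IP lies in its cluster's /24 (the 255.255.255.0 mask the guide uses) and is not the gateway, no IP or hostname is reused across clusters, and the three management networks do not overlap. The cluster dictionary and the subnet mask are transcribed from the tables as assumptions; the problem messages are the script's own.

```python
import ipaddress

DNS_SUFFIX = "sfo01.rainpole.local"      # custom DNS suffix entered in the DCUI step
SUBNET_MASK = "255.255.255.0"            # subnet mask the guide enters for every host

# Host plan transcribed from Tables 1-6: per cluster, the management VLAN, the
# default gateway and (hostname, FQDN, IP) for each host. Assumed to be complete.
CLUSTERS = {
    "management": {
        "vlan": 1611, "gateway": "172.16.11.253",
        "hosts": [
            ("mgmt01esx01", "mgmt01esx01.sfo01.rainpole.local", "172.16.11.101"),
            ("mgmt01esx02", "mgmt01esx02.sfo01.rainpole.local", "172.16.11.102"),
            ("mgmt01esx03", "mgmt01esx03.sfo01.rainpole.local", "172.16.11.103"),
            ("mgmt01esx04", "mgmt01esx04.sfo01.rainpole.local", "172.16.11.104"),
        ],
    },
    "compute": {
        "vlan": 1621, "gateway": "172.16.21.253",
        "hosts": [
            ("comp01esx01", "comp01esx01.sfo01.rainpole.local", "172.16.21.101"),
            ("comp01esx02", "comp01esx02.sfo01.rainpole.local", "172.16.21.102"),
            ("comp01esx03", "comp01esx03.sfo01.rainpole.local", "172.16.21.103"),
            ("comp01esx04", "comp01esx04.sfo01.rainpole.local", "172.16.21.104"),
        ],
    },
    "edge": {
        "vlan": 1631, "gateway": "172.16.31.253",
        "hosts": [
            ("edge01esx01", "edge01esx01.sfo01.rainpole.local", "172.16.31.101"),
            ("edge01esx02", "edge01esx02.sfo01.rainpole.local", "172.16.31.102"),
            ("edge01esx03", "edge01esx03.sfo01.rainpole.local", "172.16.31.103"),
            ("edge01esx04", "edge01esx04.sfo01.rainpole.local", "172.16.31.104"),
        ],
    },
}


def cluster_network(cluster, mask=SUBNET_MASK):
    """The management network of a cluster, derived from its gateway and the subnet mask."""
    return ipaddress.ip_network(f"{cluster['gateway']}/{mask}", strict=False)


def check_cluster(name, cluster, dns_suffix=DNS_SUFFIX, mask=SUBNET_MASK):
    """Return the problems found inside one cluster definition (an empty list means OK)."""
    problems = []
    if not 1 <= cluster["vlan"] <= 4094:
        problems.append(f"{name}: VLAN {cluster['vlan']} is outside 1-4094")
    gateway = ipaddress.ip_address(cluster["gateway"])
    network = cluster_network(cluster, mask)
    for hostname, fqdn, ip_text in cluster["hosts"]:
        ip = ipaddress.ip_address(ip_text)
        if fqdn != f"{hostname}.{dns_suffix}":
            problems.append(f"{name}: FQDN {fqdn} does not match {hostname}.{dns_suffix}")
        if ip not in network:
            problems.append(f"{name}: {hostname} {ip} is not in {network} (gateway {gateway})")
        elif ip == gateway:
            problems.append(f"{name}: {hostname} uses the gateway address {gateway}")
    return problems


def check_plan(clusters, mask=SUBNET_MASK):
    """Check every cluster, then the cross-cluster rules: no IP or hostname reused and
    no two management networks overlapping. Returns the combined list of problems."""
    problems = []
    seen_ips, seen_names, networks = {}, {}, []
    for name, cluster in clusters.items():
        problems.extend(check_cluster(name, cluster, mask=mask))
        networks.append((name, cluster_network(cluster, mask)))
        for hostname, _fqdn, ip_text in cluster["hosts"]:
            if ip_text in seen_ips:
                problems.append(f"{name}: {hostname} reuses IP {ip_text} of {seen_ips[ip_text]}")
            if hostname in seen_names:
                problems.append(f"{name}: hostname {hostname} already used in {seen_names[hostname]}")
            seen_ips[ip_text] = hostname
            seen_names[hostname] = name
    for i, (name_a, net_a) in enumerate(networks):
        for name_b, net_b in networks[i + 1:]:
            if net_a.overlaps(net_b):
                problems.append(f"{name_a} and {name_b} networks overlap ({net_a}, {net_b})")
    return problems


if __name__ == "__main__":
    found = check_plan(CLUSTERS)
    for line in found:
        print("PROBLEM:", line)
    print("host plan OK" if not found else f"{len(found)} problem(s) found")
```

Running it against the tables as transcribed reports no problems; a typo such as an edge host given a 172.16.21.x address, or two hosts sharing an IP, is reported with the cluster and hostname so it can be corrected in the plan before the DCUI session.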

2.1.2 Install ESXi Interactively on All Hosts in Region A


Install all ESXi hosts for all clusters interactively.
Procedure
1. Power on the mgmt01esx01 host in Region A, mount the USB drive containing the ESXi ISO file, and boot from that USB drive.
2. On the Welcome to the VMware Installation screen, press Enter to start the installation.
3. On the End User License Agreement (EULA) screen, press F11 to accept the EULA.
4. On the Select a Disk to Install or Upgrade screen, select the USB drive or SD card under local storage to install ESXi, and press Enter to continue.
5. Select the keyboard layout, and press Enter.
6. Enter the esxi_root_user_password, confirm it, and press Enter.
7. On the Confirm Install screen, press F11 to start the installation.
8. After the installation has completed, unmount the USB drive, and press Enter to reboot the host.
9. Repeat all steps for all hosts in the data center. Enter the respective values for each host that you configure.

2.1.3 Configure the Network on All Hosts in Region A


After the initial boot, use the ESXi Direct Console User Interface (DCUI) for initial host network configuration and administrative access. You configure the following host network settings:
• Set the network adapter (vmk0) and VLAN ID for the Management Network.
• Set the IP address, subnet mask, gateway, DNS server, and FQDN for the ESXi host.
Procedure
1. Open the DCUI on the physical ESXi host mgmt01esx01.
   a. Open a console window to the host.
   b. Press F2 to enter the DCUI.
   c. Enter root as login name, enter the esxi_root_user_password, and press Enter.
2. Configure the network.
   a. Select Configure Management Network and press Enter.
   b. Select VLAN (Optional) and press Enter.
   c. Enter 1611 as VLAN ID for the Management Network and press Enter.
   d. Select IPv4 Configuration and press Enter.
   e. Configure the IPv4 network by using the following settings, and press Enter.

      Setting                                            Value
      Set static IPv4 address and network configuration  Selected
      IP                                                 172.16.11.101
      Subnet Mask                                        255.255.255.0
      Default Gateway                                    172.16.11.253

   f. Select DNS Configuration and press Enter.
   g. Configure the DNS by using the following settings, and press Enter.

      Setting                                            Value
      Use the following DNS Server address and hostname  Selected
      Primary DNS Server                                 172.16.11.5
      Hostname                                           mgmt01esx01

   h. Select Custom DNS Suffixes and press Enter.
   i. Enter sfo01.rainpole.local as suffix, and press Enter.
3. After completing all host network settings, press Escape to exit, and press Y to confirm the changes.
4. Repeat all steps for all hosts in the management, compute, and edge pods. Enter the respective values from the prerequisites section for each host that you configure.

2.1.4 Configure vSphere Standard Switch on a Host in the Management Cluster in Region A

You must perform network configuration from the vSphere Client only for the mgmt01esx01 host. You perform all other host networking configuration after the deployment of the vCenter Server systems that manage the hosts.
You configure a vSphere Standard Switch with two port groups:
• Virtual machine port group.
• VMkernel port group.
This configuration provides connectivity and common network configuration for virtual machines that reside on each host.
Procedure
1. Install the VMware vSphere Client to manage the mgmt01esx01 host.
   a. Log in to the Windows host that has access to your data center as an administrator.
   b. Open a Web browser and go to https://mgmt01esx01.sfo01.rainpole.local.
   c. On the VMware ESXi Welcome page, click Download vSphere Client for Windows.
   d. Download and install the vSphere Client.
2. Log in to the mgmt01esx01.sfo01.rainpole.local host by using the vSphere Client.
   a. Open the vSphere Client: go to Start > All Programs > VMware > VMware vSphere Client.
   b. Log in by using the following values.

      Setting            Value
      IP address / Name  mgmt01esx01.sfo01.rainpole.local
      User name          root
      Password           esxi_root_user_password

3. Create a new VMkernel connection.
   a. On the Home page, click Inventory, click the Configuration tab, and click Networking.
   b. Click vSphere Standard Switch, and click Properties next to vSwitch0.
   c. In the vSwitch0 Properties window, click Add.
   d. In the Add Network Wizard, on the Connection Type page, select VMkernel, and click Next.
   e. On the VMkernel - Connection Settings page, enter the following settings, and click Next.

      Setting        Value
      Network Label  VSAN
      VLAN ID        1613

   f. On the VMkernel - IP Connection Settings page, enter the following settings, and click Next.

      Setting      Value
      IP Address   172.16.13.101
      Subnet Mask  255.255.255.0

   g. On the Ready to Complete page, click Finish.

2.1.5 Configure NTP on All Hosts in Region A


Time synchronization issues can result in serious problems with your environment. Configure NTP for each of your hosts in the management, compute, and edge clusters.
Procedure
1. Log in to the mgmt01esx01.sfo01.rainpole.local host by using the vSphere Client.
   a. Log in to the Windows host that has access to your data center as an administrator.
   b. Open the VMware vSphere Client: go to Start > All Programs > VMware > VMware vSphere Client.
   c. Log in by using the following values.

      Setting            Value
      IP address / Name  mgmt01esx01.sfo01.rainpole.local
      User name          root
      Password           esxi_root_user_password

2. Configure the NTP Daemon (ntpd) Options.
   a. Click Configuration, click Time Configuration, and click Properties.
   b. In the Time Configuration dialog box, select the NTP Client Enabled check box, and click Options.
   c. In the NTP Daemon (ntpd) Options dialog box, select General on the left, and select Start and stop with host as the Startup Policy.
   d. In the NTP Daemon (ntpd) Options dialog box, select NTP Settings, and click Add.
   e. Enter ntp.sfo01.rainpole.local and ntp.lax01.rainpole.local, and click OK.
   f. Select the Restart NTP service to apply changes check box, and click OK.
3. Click OK again to exit the Time Configuration dialog box.
4. Repeat all steps for all hosts in the data center. Enter the respective values to log in on each host that you configure.


2.1.6 Set Up Virtual SAN Datastore in Region A


Before you can use Virtual SAN storage in your environment, you must set it up. This process is divided into two main tasks:
• Bootstrap the first ESXi host from the command line and create the Virtual SAN datastore.
• After vCenter Server installation, perform Virtual SAN configuration for all other hosts from the vSphere Web Client.
Procedure
1. Open the ESXi Shell on the physical ESXi host mgmt01esx01.
   a. Open a console window to the host.
   b. Press Alt+F1 to access the ESXi Shell.
   c. Enter root as localhost login and press Enter.
   d. Enter the esxi_root_user_password and press Enter.
2. Run the following command to determine the current Virtual SAN storage policy.

   esxcli vsan policy getdefault

3. Modify the default Virtual SAN storage policy to force provisioning of the Virtual SAN datastore without generating errors. The forceProvisioning setting lets the single bootstrap host create objects that cannot yet satisfy hostFailuresToTolerate; you reset this host's policy to the default after the management cluster is configured (see Configure the Management Cluster in Region A).

   esxcli vsan policy setdefault -c vdisk -p "((\"hostFailuresToTolerate\" i1) (\"forceProvisioning\" i1))"
   esxcli vsan policy setdefault -c vmnamespace -p "((\"hostFailuresToTolerate\" i1) (\"forceProvisioning\" i1))"
   esxcli vsan policy getdefault

4. List the devices and determine the device names for the SSD and HDD. These disks are used to provision the Virtual SAN datastore.

   vdq -q

   Identify all devices that can be used by Virtual SAN.

   Property  SSD Value                 HDD Value
   State     Eligible for use by VSAN  Eligible for use by VSAN
   IsSSD     1                         0

5. Generate the Virtual SAN cluster UUID and create the Virtual SAN cluster.

   python -c 'import uuid; print str(uuid.uuid4());'

   Note You need the <UUID_GENERATED> value from the generated output for the next command.

   esxcli vsan cluster join -u <UUID_GENERATED>
   esxcli vsan cluster get

6. Create the Virtual SAN datastore using the available SSD and HDD disks determined in the previous step.

   esxcli vsan storage add -s <SSD_Device_Name> -d <HDD_Device_Name>

7. Confirm that the Virtual SAN datastore has been created.

   esxcli storage filesystem list

The Virtual SAN datastore is now created and ready for the Management vCenter Server installation.
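The following Python script is an added example (not VMware's code) that turns the command-line part of this procedure into a reviewable dry run: it parses the vdq -q listing, selects the first eligible SSD and HDD by the State and IsSSD properties shown in the table above, and returns the exact esxcli command lines of the procedure with the device names and a freshly generated cluster UUID substituted. The embedded vdq -q output is constructed for this example and only approximates the real listing, which is JSON-like but may carry trailing commas, so the parser is a tolerant regular expression rather than json.loads. The device names, the UUID and the policy string are the only values it fills in; nothing is executed.

```python
import re
import uuid

# Constructed sample of a `vdq -q` listing (approximation for this example; not
# captured from a host). Three devices: one with partitions, one SSD, one HDD.
SAMPLE_VDQ_OUTPUT = """\
[
   {
      "Name"     : "mpx.vmhba1:C0:T0:L0",
      "VSANUUID" : "",
      "State"    : "Ineligible for use by VSAN",
      "Reason"   : "Has partitions",
      "IsSSD"    : "0",
      "IsPDL"    : "0",
   },
   {
      "Name"     : "naa.5000c500aaaaaaa1",
      "VSANUUID" : "",
      "State"    : "Eligible for use by VSAN",
      "Reason"   : "None",
      "IsSSD"    : "1",
      "IsPDL"    : "0",
   },
   {
      "Name"     : "naa.5000c500bbbbbbb2",
      "VSANUUID" : "",
      "State"    : "Eligible for use by VSAN",
      "Reason"   : "None",
      "IsSSD"    : "0",
      "IsPDL"    : "0",
   },
]
"""

# Policy expression from the procedure: tolerate one host failure, but force
# provisioning so objects can be created while the cluster still has one host.
BOOTSTRAP_POLICY = r'"((\"hostFailuresToTolerate\" i1) (\"forceProvisioning\" i1))"'
ELIGIBLE = "Eligible for use by VSAN"


def parse_vdq(text):
    """Parse a vdq -q listing into one dict per device, tolerating trailing commas."""
    devices = []
    for block in re.findall(r"\{(.*?)\}", text, flags=re.S):
        fields = dict(re.findall(r'"([^"]+)"\s*:\s*"([^"]*)"', block))
        if fields:
            devices.append(fields)
    return devices


def pick_disks(devices):
    """Return (ssd_name, hdd_name): the first eligible SSD and the first eligible HDD."""
    eligible = [d for d in devices if d.get("State") == ELIGIBLE]
    ssds = [d["Name"] for d in eligible if d.get("IsSSD") == "1"]
    hdds = [d["Name"] for d in eligible if d.get("IsSSD") == "0"]
    if not ssds or not hdds:
        raise ValueError(f"need an eligible SSD and HDD, found {len(ssds)} SSD / {len(hdds)} HDD")
    return ssds[0], hdds[0]


def bootstrap_commands(ssd, hdd, cluster_uuid):
    """The procedure's esxcli commands, in order, with the device names and UUID filled in."""
    return [
        "esxcli vsan policy getdefault",
        f"esxcli vsan policy setdefault -c vdisk -p {BOOTSTRAP_POLICY}",
        f"esxcli vsan policy setdefault -c vmnamespace -p {BOOTSTRAP_POLICY}",
        "esxcli vsan policy getdefault",
        f"esxcli vsan cluster join -u {cluster_uuid}",
        "esxcli vsan cluster get",
        f"esxcli vsan storage add -s {ssd} -d {hdd}",
        "esxcli storage filesystem list",
    ]


def plan_bootstrap(vdq_output, cluster_uuid=None):
    """Parse the listing, choose the disks, generate a cluster UUID if none is given,
    and return the command lines to review. Nothing is executed."""
    ssd, hdd = pick_disks(parse_vdq(vdq_output))
    return bootstrap_commands(ssd, hdd, cluster_uuid or str(uuid.uuid4()))


if __name__ == "__main__":
    for command in plan_bootstrap(SAMPLE_VDQ_OUTPUT):
        print(command)
```

Save the real listing from the ESXi Shell (vdq -q > vdq.txt), feed the file's contents to plan_bootstrap, and compare the printed lines with the procedure before pasting them in; a host whose only eligible disks are of one kind is rejected with a ValueError instead of producing a storage add command that would fail on the host. The forceProvisioning relaxation stays in this host's default policy until you reset it in Configure the Management Cluster in Region A.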


2.2 Deploy and Configure the Management Cluster Components in Region A

To deploy the management cluster of the SDDC, you deploy a Platform Services Controller and connect it with the Management vCenter Server during vCenter Server deployment. You create a vSphere Distributed Switch with the port groups required for the traffic types in the SDDC and mount the NFS storage that is required by some management applications.
• Deploy the External Platform Services Controller for the Management vCenter Server in Region A
• Join the Platform Services Controller for the Management vCenter Server to the Active Directory in Region A
• Deploy the Management vCenter Server Instance in Region A
• Configure the Management Cluster in Region A
• Create a vSphere Distributed Switch for the Management Cluster in Region A
• Change the Default Domain Administration Group on the ESXi Hosts in the Management Cluster in Region A
• Mount NFS Storage for Management Cluster in Region A
• Create the VM and Template Folders in Region A

2.2.1 Deploy the External Platform Services Controller for the Management vCenter Server in Region A

You must first install the external Platform Services Controller instance for the management cluster by using the vCenter Server Appliance ISO file.
Procedure
1. Log in to the Windows host that has access to your data center as an administrator.
2. Install the VMware Client Integration Plug-in.
   a. Browse to the vCenter Server Appliance ISO file.
   b. Navigate to the vcsa directory.
   c. Start the VMware-ClientIntegrationPlugin-x.x.x.exe file.
   d. Follow the prompts and finish the installation.
3. Start the VMware vCenter Server Appliance Deployment Wizard.
   a. Browse to the vCenter Server Appliance ISO file.
   b. Open the vcsa-setup.html file in a Web browser.
   c. Click Install to start the installation.
4. Complete the VMware vCenter Server Appliance Deployment wizard.
   a. On the End User License Agreement page, select the I accept the terms of the license agreement check box, and click Next.
   b. On the Connect to target server page, enter the following settings, and click Next.

      Setting             Value
      FQDN or IP Address  mgmt01esx01.sfo01.rainpole.local
      User name           root
      Password            esxi_root_user_password

   c. In the Certificate Warning dialog box, click Yes to accept the host certificate.
   d. On the Set up virtual machine page, enter the following settings, and click Next.

      Setting              Value
      Appliance name       mgmt01psc01.sfo01
      OS password          mgmtpsc_root_password
      Confirm OS password  mgmtpsc_root_password

   e. On the Select deployment type page, under External Platform Services Controller, select the Install Platform Services Controller radio button, and click Next.
   f. On the Set up Single Sign-on (SSO) page, select the Create a new SSO Domain radio button, enter the following settings, and click Next.

      Setting               Value
      vCenter SSO Password  vsphere_admin_password
      Confirm password      vsphere_admin_password
      SSO Domain name       vsphere.local
      SSO Site name         SFO01

   g. On the Select appliance size page, click Next.
   h. On the Select datastore page, select the vsanDatastore datastore to deploy the Platform Services Controller on, select the Enable Thin Disk Mode check box, and click Next.
   i. On the Network Settings page, enter the following settings, and click Next.

      Setting              Value
      Choose a network     VM Network
      IP address family    IPv4
      Network type         Static
      Network address      172.16.11.61
      System name          mgmt01psc01.sfo01.rainpole.local
      Subnet mask          255.255.255.0
      Network gateway      172.16.11.253
      Network DNS servers  172.16.11.5
      Configure time sync  ntp.sfo01.rainpole.local
                           ntp.lax01.rainpole.local
      Enable SSH           Selected

   j. On the Ready to complete page, review the configuration, and click Finish to start the deployment.

2.2.2 Join the Platform Services Controller for the Management vCenter Server to the Active Directory in Region A

After you have successfully installed the Platform Services Controller instance, you must add the appliance to your Active Directory domain. After that, add the Active Directory domain as an identity source to vCenter Single Sign-On. When you do, users in the Active Directory domain are visible to vCenter Single Sign-On and can be assigned permissions to view or manage SDDC components.
Procedure
1. Log in to the Platform Services Controller administration interface.
   a. Open a Web browser and go to https://mgmt01psc01.sfo01.rainpole.local/psc.
   b. Log in using the following credentials.

      Setting    Value
      User name  [email protected]
      Password   vsphere_admin_password

2. Add the management Platform Services Controller instance to the Active Directory domain.
   a. In the Navigator, click Appliance Settings, click the Manage tab, and click the Join button.
   b. In the Join Active Directory Domain dialog box, enter the following settings, and click OK.

      Setting    Value
      Domain     sfo01.rainpole.local
      User name  [email protected]
      Password   ad_admin_password

3. Reboot the Platform Services Controller instance to apply the changes.
   a. Click the Appliance settings tab, and click the VMware Platform Services Appliance link.
   b. Log in to the VMware vCenter Server Appliance administration interface with the following credentials.

      Setting    Value
      User name  root
      Password   mgmtpsc_root_password

   c. On the Summary page, click Reboot.
   d. In the System Reboot dialog box, click Yes.
   e. Wait for the reboot process to finish.
4. After the reboot process finishes, log in to https://mgmt01psc01.sfo01.rainpole.local/psc again by using the following credentials.

      Setting    Value
      User name  [email protected]
      Password   vsphere_admin_password

5. To verify that the Platform Services Controller successfully joined the domain, click Appliance Settings, and click the Manage tab.
6. Add the Active Directory as a vCenter Single Sign-On identity source.
   a. In the Navigator, click Configuration, and click the Identity Sources tab.
   b. Click the Add icon to add a new identity source.
   c. In the Add Identity Source dialog box, select the following settings, and click OK.

      Setting               Value
      Identity source type  Active Directory (Integrated Windows Authentication)
      Domain name           SFO01.RAINPOLE.LOCAL
      Use machine account   Selected

   d. Under Identity Sources, select the rainpole.local identity source, and click Set as Default Domain to make rainpole.local the default domain.
   e. In the confirmation dialog box, click Yes.

2.2.3 Deploy the Management vCenter Server Instance in Region A


You can now install the vCenter Server appliance for the management applications and assign a
license.
Procedure
Start the VMware vCenter Server Appliance deployment wizard.
a. Browse to the vCenter Server Appliance ISO file.
a. Open the vcsa-setup.html file in a browser.

© 2016 VMware, Inc. All rights reserved.

Page 25 of 545
VMware Validated Design Deployment Guide for Region A

b. Click Install to start the installation.

Complete the VMware vCenter Server Appliance Deployment wizard.


a. On the End User License Agreement page, select the I accept the terms of the license
agreement check box and click Next.
b. On the Connect to target server page, enter the following settings, and click Next.

Setting Value

FQDN or IP Address mgmt01esx01.sfo01.rainpole.local

User name root

Password esxi_root_user_password

c. In the Certificate Warning dialog box, click Yes to accept the host certificate.
d. On the Set up virtual machine page, enter the following settings, and click Next.

© 2016 VMware, Inc. All rights reserved.

Page 26 of 545
VMware Validated Design Deployment Guide for Region A

Setting Value

Appliance name mgmt01vc01.sfo01

OS password mgmtvc_root_password

Confirm OS password mgmtvc_root_password

e. On the Select deployment type page, under External Platform Services Controller, select
the Install vCenter Server (Requires External Platform Services Controller) radio button
and click Next.

f. On the Configure Single Sign-On (SSO) page, enter the following values, and click Next.

Setting Value

© 2016 VMware, Inc. All rights reserved.

Page 27 of 545
VMware Validated Design Deployment Guide for Region A

Platform Services Controller FQDN or IP address mgmt01psc01.sfo01.rainpole.local

vCenter SSO password vsphere_admin_password

vCenter Single Sign-On HTTPS Port 443

g. On the Select appliance size page, select Small (up to 100 hosts, 1,000 VMs), and click
Next.

h. On the Select datastore page, select the vsanDatastore datastore, select the Enable Thin
Disk Mode check box and click Next.
i. On the Configure database page, select Use an embedded database (PostgreSQL) radio
button and click Next.
j. On the Network Settings page, enter the following settings and click Next.

© 2016 VMware, Inc. All rights reserved.

Page 28 of 545
VMware Validated Design Deployment Guide for Region A

Setting Value

Choose a network VM Network

IP address family IPv4

Network type Static

Network address 172.16.11.62

System name mgmt01vc01.sfo01.rainpole.local

Subnet mask 255.255.255.0

Network gateway 172.16.11.253

Network DNS servers 172.16.11.5

Configure time sync ntp.sfo01.rainpole.local


ntp.lax01.rainpole.local

Enable SSH Selected

k. On the Ready to complete page, review the configuration, and click Finish to start the
deployment.
Add new licenses for this vCenter Server instance and the management cluster ESXi hosts.
a. Open a Web browser and go
to https://mgmt01vc01.sfo01.rainpole.local/vsphere-client.
b. Log in using the following credentials.

Setting Value

User name [email protected]

Password vsphere_admin_password

c. Under Administration, click Licensing.


d. Click the Licenses tab.

© 2016 VMware, Inc. All rights reserved.

Page 29 of 545
VMware Validated Design Deployment Guide for Region A

e. Click the Create New Licenses icon to add license keys.

f. On the Enter license keys page, enter license keys for vCenter Server and ESXi, one per
line, and click Next.

© 2016 VMware, Inc. All rights reserved.

Page 30 of 545
VMware Validated Design Deployment Guide for Region A

g. On the Edit license name page, enter a descriptive name for each license key and click
Next.
h. On the Ready to complete page, review your entries and click Finish.
Assign the newly added licenses to the respective assets.
a. Click the Assets tab.

b. Select the vCenter Server instance, and click the Assign License icon.

© 2016 VMware, Inc. All rights reserved.

Page 31 of 545
VMware Validated Design Deployment Guide for Region A

c. Select the vCenter Server license that you entered in the previous step, and click OK.
Assign the vCenterAdmins domain group to the vCenter Server Administrator role.
a. In the Navigator, click Home.
b. Click Hosts and Clusters.
c. Select the mgmt01vc01.sfo01.rainpole.local tree.
d. Click the Manage tab, click Permissions, and click the Add icon.

e. In the mgmt01vc01.sfo01.rainpole.local - Add Permission dialog box, click the Add button.
f. In the Select Users/Groups dialog box, select SFO01 from the Domain drop-down menu.
g. In the search box, enter vCenterAdmins and press Enter.
h. Select vCenterAdmins and click Add.


i. Click OK.
j. In the mgmt01vc01.sfo01.rainpole.local - Add Permission dialog box, select
Administrator as Assigned Role and select the Propagate to children check box.

k. Click OK.

2.2.4 Configure the Management Cluster in Region A


You must now create and configure the management cluster. This process consists of the following
actions:
 Create the cluster.
 Configure DRS.
 Enable Virtual SAN for the cluster.
 Add the hosts to the cluster.
 Add the hosts to the active directory domain.
 Set the Platform Services Controller and vCenter Server appliances to the default Virtual SAN
storage policy.
 Reset the Virtual SAN storage policy to default for the ESXi host that is used for Bootstrap.
Procedure
Log in to vCenter Server by using the vSphere Web Client.
a. Open a Web browser and go to https://mgmt01vc01.sfo01.rainpole.local/vsphere-client.
b. Log in using the following credentials.

Setting Value

User name [email protected]

Password vsphere_admin_password

Create a data center object.


a. In the Navigator, click Hosts and Clusters.
b. Click Actions > New Datacenter.
c. In the New Datacenter dialog box, enter SFO01 as name, and click OK.
Create the management cluster.
a. Right-click the SFO01 data center and click New Cluster.
b. In the New Cluster wizard, enter the following values, and click OK.

Setting               Value
Name                  SFO01-Mgmt01
DRS Turn ON           Selected
Other DRS Options     Default values
vSphere HA Turn ON    Deselected
EVC                   Set EVC mode to the lowest available setting supported for the hosts in the cluster
Virtual SAN Turn ON   Deselected

Add a management host to the management cluster.


a. Right-click the SFO01-Mgmt01 cluster, and click Add Host.
b. On the Name and location page, enter mgmt01esx01.sfo01.rainpole.local in the
Host name or IP address text box, and click Next.

c. On the Connection settings page, enter the following credentials, and click Next.

Setting Value

User name root

Password esxi_root_user_password

d. In the Security Alert dialog box, click Yes.


e. On the Host summary page, review the host information, and click Next.
f. On the Assign license page, select the ESXi license key that you entered during the vCenter
Server deployment, and click Next.
g. On the Lockdown mode page, leave default, and click Next.
h. On the Resource pool page, leave default, and click Next.
i. On the Ready to complete page, review your entries, and click Finish.
Repeat the previous step for the three remaining hosts to add them to the management cluster.

Object FQDN

Management host 2 mgmt01esx02.sfo01.rainpole.local

Management host 3 mgmt01esx03.sfo01.rainpole.local

Management host 4 mgmt01esx04.sfo01.rainpole.local

Add the ESXi hosts to the Active Directory domain.


a. In the Navigator, click Hosts and Clusters, and expand the entire
mgmt01vc01.sfo01.rainpole.local tree.
b. Select the mgmt01esx01.sfo01.rainpole.local host.
c. Click the Manage tab, and click Settings.
d. Under System, select Authentication Services.
e. In the Authentication Services panel, click the Join Domain button.

f. In the Join Domain dialog box, enter the following settings and click OK.

Setting Value

Domain sfo01.rainpole.local

User name [email protected]

Password ad_admin_password


Repeat the previous step to add all remaining hosts to the domain.

Object FQDN

Management host 2 mgmt01esx02.sfo01.rainpole.local

Management host 3 mgmt01esx03.sfo01.rainpole.local

Management host 4 mgmt01esx04.sfo01.rainpole.local

Rename the Virtual SAN datastore.


a. Select the SFO01-Mgmt01 cluster.
b. Click Related Objects, and click Datastores.
c. Select vsanDatastore, and click Actions > Rename.
d. In the Datastore - Rename dialog box, enter SFO01A-VSAN01-MGMT01 as datastore
name, and click OK.
Set the Platform Services Controller and vCenter Server appliances to the default Virtual SAN
storage policy.
a. In the Navigator, click Hosts and Clusters.
b. Expand the entire mgmt01vc01.sfo01.rainpole.local tree.
c. Select the mgmt01psc01.sfo01 virtual machine.
d. Click the Manage tab, click Policies, and click Edit VM Storage Policies.
e. In the mgmt01psc01.sfo01:Manage VM Storage Policies dialog box, from the VM storage
policy drop-down menu, select Virtual SAN Default Storage Policy, and click Apply to all.


f. Click OK to apply the changes.


g. Verify that the Compliance Status column shows a Compliant status for all items in the
table.

h. Repeat the step to apply the Virtual SAN Default Storage Policy on the mgmt01vc01.sfo01
virtual machine.
Reset the Virtual SAN Storage Policy to default for the ESXi host that is used for Bootstrap.
a. Open an SSH connection to the ESXi host mgmt01esx01.sfo01.rainpole.local.
b. Log in using the following credentials.

Setting Value

User name root

Password esxi_root_user_password


c. Run the following command to determine the current Virtual SAN storage policy.
   esxcli vsan policy getdefault
d. Reset the default Virtual SAN storage policy for the vdisk and vmnamespace classes to one host failure to tolerate, and display the result to verify the change.
   esxcli vsan policy setdefault -c vdisk -p "((\"hostFailuresToTolerate\" i1))"
   esxcli vsan policy setdefault -c vmnamespace -p "((\"hostFailuresToTolerate\" i1))"
   esxcli vsan policy getdefault
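The steps of this section can also be driven from VMware PowerCLI. The following script is an added example and is not part of the VMware Validated Design guide; it assumes PowerCLI 6.x with the Core and Storage modules, network reachability of the hosts named in the guide, and that credentials are prompted for at run time. Names, addresses and group names are the ones the guide uses; the esxcli argument names policyclass and policy are the Get-EsxCli -V2 spellings of --policy-class and --policy.

```powershell
# Added example (not from the VMware Validated Design guide): section 2.2.4 with PowerCLI.
# Assumptions: PowerCLI 6.x (Core + Storage modules), hosts reachable, credentials prompted.
Import-Module VMware.VimAutomation.Core
Import-Module VMware.VimAutomation.Storage

$vcServer = 'mgmt01vc01.sfo01.rainpole.local'
$adDomain = 'sfo01.rainpole.local'
$vcCred   = Get-Credential -Message '[email protected]'
$esxCred  = Get-Credential -Message 'ESXi root account'
$adCred   = Get-Credential -Message "Account allowed to join hosts to $adDomain"

Connect-VIServer -Server $vcServer -Credential $vcCred | Out-Null
$root = Get-Folder -NoRecursion   # the vCenter Server root object

# Grant the vCenterAdmins domain group Administrator on the root object, propagated to children.
if (-not (Get-VIPermission -Entity $root -Principal 'SFO01\vCenterAdmins' -ErrorAction SilentlyContinue)) {
    New-VIPermission -Entity $root -Principal 'SFO01\vCenterAdmins' -Role Admin -Propagate:$true | Out-Null
}

# Data center and cluster. DRS on; HA and Virtual SAN stay off here, as in the guide's
# New Cluster wizard (HA is turned on in section 2.2.5). EVC is not set by this script:
# the guide asks for the lowest mode the present CPUs support, so pick it in the Web Client.
$dc = Get-Datacenter -Name 'SFO01' -ErrorAction SilentlyContinue
if (-not $dc) { $dc = New-Datacenter -Location $root -Name 'SFO01' }
$cluster = Get-Cluster -Name 'SFO01-Mgmt01' -Location $dc -ErrorAction SilentlyContinue
if (-not $cluster) {
    $cluster = New-Cluster -Location $dc -Name 'SFO01-Mgmt01' -DrsEnabled -HAEnabled:$false -VsanEnabled:$false
}

# Add the four management hosts and join each one to Active Directory.
$hostNames = 1..4 | ForEach-Object { 'mgmt01esx{0:d2}.sfo01.rainpole.local' -f $_ }
foreach ($name in $hostNames) {
    $vmhost = Get-VMHost -Name $name -ErrorAction SilentlyContinue
    if (-not $vmhost) {
        # -Force accepts the host's self-signed certificate (the Security Alert dialog).
        $vmhost = Add-VMHost -Name $name -Location $cluster -Credential $esxCred -Force
    }
    $auth = Get-VMHostAuthentication -VMHost $vmhost
    if ($auth.Domain -ne $adDomain) {
        $auth | Set-VMHostAuthentication -JoinDomain -Domain $adDomain -Credential $adCred -Confirm:$false | Out-Null
    }
}

# Rename the Virtual SAN datastore.
Get-Datastore -Name 'vsanDatastore' -ErrorAction SilentlyContinue |
    Set-Datastore -Name 'SFO01A-VSAN01-MGMT01' | Out-Null

# Put the PSC and vCenter Server appliances (VM home and every disk) on the default
# Virtual SAN policy, then report the compliance status the guide asks you to verify.
$policy = Get-SpbmStoragePolicy -Name 'Virtual SAN Default Storage Policy'
foreach ($vmName in 'mgmt01psc01.sfo01', 'mgmt01vc01.sfo01') {
    $vm = Get-VM -Name $vmName
    $vm | Get-SpbmEntityConfiguration | Set-SpbmEntityConfiguration -StoragePolicy $policy | Out-Null
    Get-HardDisk -VM $vm | Get-SpbmEntityConfiguration | Set-SpbmEntityConfiguration -StoragePolicy $policy | Out-Null
    $vm | Get-SpbmEntityConfiguration | Select-Object Entity, StoragePolicy, ComplianceStatus
}

# Reset the default Virtual SAN policy on the bootstrap host: the same esxcli commands the
# guide runs over SSH, invoked through Get-EsxCli -V2 so no SSH session is needed.
$esxcli = Get-EsxCli -VMHost (Get-VMHost -Name $hostNames[0]) -V2
foreach ($class in 'vdisk', 'vmnamespace') {
    $esxcli.vsan.policy.setdefault.Invoke(@{ policyclass = $class; policy = '(("hostFailuresToTolerate" i1))' }) | Out-Null
}
$esxcli.vsan.policy.getdefault.Invoke()   # shows the policy now in effect for each class

Disconnect-VIServer -Server $vcServer -Confirm:$false
```

Every step is written to be re-runnable: existing objects are detected and skipped, so the script can be used as a drift check after the manual procedure as well as for the initial build.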

2.2.5 Create a vSphere Distributed Switch for the Management Cluster in Region A
After all ESXi hosts have been added to the clusters, create a vSphere Distributed Switch to handle
the traffic of the management applications in the SDDC.
Procedure
Log in to vCenter Server by using the vSphere Web Client.
a. Open a Web browser and go to https://mgmt01vc01.sfo01.rainpole.local/vsphere-client.
b. Log in using the following credentials.

Setting Value

User name [email protected]

Password vsphere_admin_password

Create a vSphere Distributed Virtual Switch for the management cluster.


a. In the Navigator, click Networking.
b. Right-click the SFO01 data center, and select Distributed Switch > New Distributed
Switch to start the New Distributed Switch wizard.


c. On the Name and location page, enter vDS-Mgmt as the name, and click Next.
d. On the Select version page, ensure the Distributed switch version - 6.0.0 radio button is
selected, and click Next.
e. On the Edit settings page, enter the following settings, and click Next.

Setting Value

Number of uplinks 2

Network I/O Control Enabled

Create a default port group Deselected

f. On the Ready to complete page, review your entries, and click Finish.
Edit the settings of the vDS-Mgmt distributed switch.
a. Right-click the vDS-Mgmt distributed switch, and select Settings > Edit Settings.
b. Click the Advanced tab.
c. Enter 9000 as MTU (Bytes) value, and click OK.
Create port groups in the vDS-Mgmt distributed switch for the management traffic types.
a. Right-click the vDS-Mgmt distributed switch, and select Distributed Port Group > New
Distributed Port Group.
b. Create port groups with the following settings, and click Next.

Port Group Name            Port Binding             VLAN type   VLAN ID
vDS-Mgmt-Management        Ephemeral - no binding   VLAN        1611
vDS-Mgmt-vMotion           Static binding           VLAN        1612
vDS-Mgmt-VSAN              Static binding           VLAN        1613
vDS-Mgmt-NFS               Static binding           VLAN        1615
vDS-Mgmt-VR                Static binding           VLAN        1616
vDS-Mgmt-Uplink01          Static binding           VLAN        2711
vDS-Mgmt-Uplink02          Static binding           VLAN        2712
vDS-Mgmt-Edge-Management   Static binding           VLAN        1631

Note The port group for VXLAN traffic is automatically created later during the configuration of the NSX Manager for the management cluster.

c. On the Ready to complete page, review your entries, and click Finish.
Change the port groups to use the Route Based on Physical NIC Load teaming algorithm.
a. Right-click the vDS-Mgmt distributed switch and select Distributed Port Group > Manage
Distributed Port Groups.
b. On the Select port group policies page, select Teaming and failover and click Next.
c. Click the Select distributed port groups button, add all port groups and click Next.

d. On the Teaming and failover page, select Route based on physical NIC load from the
Load balancing drop-down menu, and click Next.


e. Click Finish.
Connect the ESXi hosts to the vDS-Mgmt distributed switch by migrating their VMkernel and
virtual machine network adapters.
a. Right-click the vDS-Mgmt distributed switch, and click Add and Manage Hosts.
b. On the Select task page, select Add hosts, and click Next.

c. On the Select hosts page, click New hosts.


d. In the Select new hosts dialog box, select all four hosts, and click OK.
e. On the Select hosts page, select Configure identical network settings (template
mode) check box, and click Next.
f. On the Select template host page, select the first host as a template host, and click Next.


g. On the Select network adapter tasks page, ensure that both Manage physical adapters
(Template mode) and Manage VMkernel adapters (template mode) check boxes are
checked, and click Next.
h. On the Manage physical network adapters (template mode) page, click vmnic1, and click
Assign uplink.
i. In the Select an Uplink for vmnic1 dialog box, select Uplink 1, and click OK.
j. On the Manage physical network adapters (template mode) page, click Apply to all, and
click Next.

Configure the VMkernel network adapters, edit the existing, and add new adapters as needed.
a. On the Manage VMkernel network adapters (template mode) page, click vmk0, and
click Assign port group.
b. Select vDS-Mgmt-Management, and click OK.
c. On the Manage VMkernel network adapters (template mode) page, select vmk0 and click
Edit adapter.
d. In the vmk0 - Edit Settings page, under Port properties, select the Management traffic check box.
e. In vmk0 - Edit Settings page, click NIC Settings, enter an MTU value of 1500 and click OK.
f. On the Manage VMkernel network adapters (template mode) page, click On this switch
and click New adapter.
g. On the Add Networking page, select Select an existing network, browse to select the vDS-
Mgmt-vMotion port group, click OK, and click Next.
h. On the Port properties page, select the vMotion traffic check box, and click Next.
i. On the IPv4 settings page, select Use static IPv4 settings, enter IP address
172.16.12.101, subnet 255.255.255.0, and click Next.
j. Click Finish.
A vmk1 adapter is created.
k. On the Manage VMkernel network adapters (template mode) page, select vmk1, and click
Edit adapter.
l. In vmk1 - Edit Settings page, click NIC Settings, enter an MTU value of 9000, and click OK.


m. Repeat steps 7.h. - 7.n. to create the remaining VMkernel network adapters.

Adapter   Existing network   Service                                                    Static IPv4 Address   Subnet mask     MTU
vmk1      vDS-Mgmt-vMotion   vMotion traffic                                            172.16.12.101         255.255.255.0   9000
vmk2      vDS-Mgmt-VSAN      Virtual SAN traffic                                        172.16.13.101         255.255.255.0   9000
vmk3      vDS-Mgmt-NFS       N/A                                                        172.16.15.101         255.255.255.0   9000
vmk4      vDS-Mgmt-VR        vSphere Replication traffic, vSphere Replication NFC traffic   172.16.16.101         255.255.255.0   9000

n. In the Manage physical network adapters (template mode) page, click Apply to all.
o. In the mgmt01esxi01...configuration to other hosts dialog box, enter the IPv4 addresses for each of the VMkernel adapters, and click OK.

VMKernel Adapter IPv4 address

vmk0 172.16.11.102#3

vmk1 172.16.12.102#3

vmk2 172.16.13.102#3

vmk3 172.16.15.102#3

vmk4 172.16.16.102#3

p. On the Analyze impact page, click Next.


q. On the Ready to complete page, review your entries, and click Finish.
Migrate the Management Platform Services Controller and vCenter Server instances from the
standard switch to the distributed switch.
a. Right-click the vDS-Mgmt distributed switch, and click Migrate VM to Another Network.
b. On the Select source and destination networks page, browse the following networks, and
click Next.

Portgroup Type Value

Source network VM Network

Destination network vDS-Mgmt-Management

c. On the Select VMs to migrate page, select both mgmt01psc01.sfo01.rainpole.local, and


mgmt01vc01.sfo01.rainpole.local, and click Next.
d. On the Ready to complete page, review your entries, and click Finish.
Enable vSphere HA for the management cluster.
a. In Home > Hosts and Clusters, click the SFO01-Mgmt01 cluster.
b. Click the Manage tab and click Settings.
c. Click Edit.
d. In the Edit Cluster Settings dialog box, select the Turn on vSphere HA check box.
e. In the Edit Cluster Settings dialog box, under Virtual Machine Monitoring, select VM
Monitoring Only from the drop-down menu.
f. Under Virtual Machine Monitoring, expand the Failure conditions and VM response
setting.
g. From the Response for Host Isolation drop-down menu, select Power off and restart VMs.


h. Under Virtual Machine Monitoring, expand the Admission Control settings.


i. Under the Admission Control settings, select Define failover capacity by reserving a
percentage of the cluster resources, and enter the following settings.

Setting Value

Reserved failover CPU capacity (% CPU) 25

Reserved failover Memory capacity (% Memory) 25

j. Click OK.


Upgrade Network I/O Control to version 3.


a. In the Navigator, click Networking, and click the SFO01 data center.
b. Click the vDS-Mgmt distributed switch.
c. Click the Manage tab and click Resource Allocation.
d. Click the Upgrade link next to Version: 2.
e. Click Next in the Upgrade Network I/O Control Overview dialog.
f. Click Next in the Upgrade Network I/O Control Validate prerequisites dialog.
g. Click Finish in the Upgrade Network I/O Control Ready to complete dialog.
Define Network I/O Control shares for the different traffic types on the vDS-Mgmt distributed
switch.
a. In the Navigator, click Networking, and click the SFO01 data center.
b. Click the vDS-Mgmt distributed switch.
c. Click the Manage tab and click Resource Allocation.
d. Under System Traffic, configure each of the following traffic types with the following values.

Traffic Type                             Physical Adapter Shares
Virtual SAN Traffic                      High
NFS Traffic                              Low
vMotion Traffic                          Low
vSphere Replication Traffic              Low
Management Traffic                       Normal
vSphere Data Protection Backup Traffic   Low
Virtual Machine Traffic                  High
Fault Tolerance Traffic                  Low
iSCSI Traffic                            Low

Migrate the last physical adapter from the standard switch to the vDS-Mgmt distributed switch.
a. In the Navigator, click Networking and expand the SFO01 data center.
b. Right-click the vDS-Mgmt distributed switch and select Add and Manage Hosts.
c. On the Select task page, select Manage host networking, and click Next.
d. On the Select hosts page, click Attached hosts.
e. In the Select member hosts dialog box, select all ESXi hosts, and click OK.
f. On the Select hosts page, click Next.
g. On the Select network adapter tasks page, select Manage physical adapters, and click
Next.
h. On the Manage physical network adapters page, under
mgmt01esx01.sfo01.rainpole.local, select vmnic0, and click Assign uplink.
i. In the Select an Uplink dialog box, select dvUplink2, and click OK.
j. Assign uplinks for the 3 remaining hosts to reassign their physical adapters to the distributed
switch, and click Next.
k. On the Analyze Impact page, click Next.
l. On the Ready to complete page, click Finish.
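The switch, port group, teaming, host-migration and vSphere HA steps of this section, written as an added PowerCLI example (not code from the VMware Validated Design guide). It assumes PowerCLI 6.x with the Vds module, that the SFO01 data center and SFO01-Mgmt01 cluster from section 2.2.4 already exist, and that vCenter Server credentials are prompted for at run time; names, VLAN IDs and addresses are the ones in the tables above. The percentage-based admission-control setting is not exposed by Set-Cluster, so that part goes through the vSphere API's ReconfigureComputeResource call.

```powershell
# Added example (not from the VMware Validated Design guide): section 2.2.5 with PowerCLI.
# Assumptions: PowerCLI 6.x with the Vds module; SFO01 and SFO01-Mgmt01 exist; credentials prompted.
Import-Module VMware.VimAutomation.Vds
Connect-VIServer -Server 'mgmt01vc01.sfo01.rainpole.local' -Credential (Get-Credential) | Out-Null

$dc      = Get-Datacenter -Name 'SFO01'
$cluster = Get-Cluster -Name 'SFO01-Mgmt01' -Location $dc

# Switch: two uplinks, version 6.0.0, jumbo frames, Network I/O Control enabled.
$vds = New-VDSwitch -Name 'vDS-Mgmt' -Location $dc -Version '6.0.0' -NumUplinkPorts 2 -Mtu 9000
$vds.ExtensionData.EnableNetworkResourceManagement($true)

# Port groups exactly as in the guide's table (name, port binding, VLAN ID).
$portGroups = @(
    @{ Name = 'vDS-Mgmt-Management';      Binding = 'Ephemeral'; Vlan = 1611 },
    @{ Name = 'vDS-Mgmt-vMotion';         Binding = 'Static';    Vlan = 1612 },
    @{ Name = 'vDS-Mgmt-VSAN';            Binding = 'Static';    Vlan = 1613 },
    @{ Name = 'vDS-Mgmt-NFS';             Binding = 'Static';    Vlan = 1615 },
    @{ Name = 'vDS-Mgmt-VR';              Binding = 'Static';    Vlan = 1616 },
    @{ Name = 'vDS-Mgmt-Uplink01';        Binding = 'Static';    Vlan = 2711 },
    @{ Name = 'vDS-Mgmt-Uplink02';        Binding = 'Static';    Vlan = 2712 },
    @{ Name = 'vDS-Mgmt-Edge-Management'; Binding = 'Static';    Vlan = 1631 }
)
foreach ($pg in $portGroups) {
    New-VDPortgroup -VDSwitch $vds -Name $pg.Name -PortBinding $pg.Binding -VlanId $pg.Vlan | Out-Null
}

# Route based on physical NIC load on every port group.
Get-VDPortgroup -VDSwitch $vds | Get-VDUplinkTeamingPolicy |
    Set-VDUplinkTeamingPolicy -LoadBalancingPolicy LoadBalanceLoadBased | Out-Null

# Per host: attach to the switch, move vmnic1 and vmk0 in one operation (so management
# connectivity never drops), then create the remaining VMkernel adapters. The last octet
# follows the guide: .101 on esx01, .102 on esx02, and so on.
$mgmtPg  = Get-VDPortgroup -VDSwitch $vds -Name 'vDS-Mgmt-Management'
$vmhosts = Get-VMHost -Location $cluster | Sort-Object Name
for ($i = 0; $i -lt $vmhosts.Count; $i++) {
    $vmhost = $vmhosts[$i]
    $octet  = 101 + $i
    Add-VDSwitchVMHost -VDSwitch $vds -VMHost $vmhost
    $vmnic1 = Get-VMHostNetworkAdapter -VMHost $vmhost -Physical -Name 'vmnic1'
    $vmk0   = Get-VMHostNetworkAdapter -VMHost $vmhost -VMKernel -Name 'vmk0'
    Add-VDSwitchPhysicalNetworkAdapter -DistributedSwitch $vds -VMHostPhysicalNic $vmnic1 `
        -VMHostVirtualNic $vmk0 -VirtualNicPortgroup $mgmtPg -Confirm:$false

    New-VMHostNetworkAdapter -VMHost $vmhost -VirtualSwitch $vds -PortGroup 'vDS-Mgmt-vMotion' `
        -IP "172.16.12.$octet" -SubnetMask 255.255.255.0 -Mtu 9000 -VMotionEnabled:$true | Out-Null
    New-VMHostNetworkAdapter -VMHost $vmhost -VirtualSwitch $vds -PortGroup 'vDS-Mgmt-VSAN' `
        -IP "172.16.13.$octet" -SubnetMask 255.255.255.0 -Mtu 9000 -VsanTrafficEnabled:$true | Out-Null
    New-VMHostNetworkAdapter -VMHost $vmhost -VirtualSwitch $vds -PortGroup 'vDS-Mgmt-NFS' `
        -IP "172.16.15.$octet" -SubnetMask 255.255.255.0 -Mtu 9000 | Out-Null
    # vmk4 carries vSphere Replication and NFC traffic; those two service tags have no
    # New-VMHostNetworkAdapter switch, so enable them in the Web Client as the guide shows.
    New-VMHostNetworkAdapter -VMHost $vmhost -VirtualSwitch $vds -PortGroup 'vDS-Mgmt-VR' `
        -IP "172.16.16.$octet" -SubnetMask 255.255.255.0 -Mtu 9000 | Out-Null
}

# Move the PSC and vCenter Server appliances from VM Network to the management port group.
foreach ($vmName in 'mgmt01psc01.sfo01', 'mgmt01vc01.sfo01') {
    Get-VM -Name $vmName | Get-NetworkAdapter | Set-NetworkAdapter -Portgroup $mgmtPg -Confirm:$false | Out-Null
}

# vSphere HA: VM monitoring only, power off and restart on isolation, admission control
# reserving 25 % CPU and 25 % memory (vSphere API, as Set-Cluster has no percentage policy).
$spec = New-Object VMware.Vim.ClusterConfigSpecEx
$spec.DasConfig = New-Object VMware.Vim.ClusterDasConfigInfo
$spec.DasConfig.Enabled = $true
$spec.DasConfig.VmMonitoring = 'vmMonitoringOnly'
$spec.DasConfig.DefaultVmSettings = New-Object VMware.Vim.ClusterDasVmSettings
$spec.DasConfig.DefaultVmSettings.IsolationResponse = 'powerOff'
$spec.DasConfig.AdmissionControlEnabled = $true
$acPolicy = New-Object VMware.Vim.ClusterFailoverResourcesAdmissionControlPolicy
$acPolicy.CpuFailoverResourcesPercent    = 25
$acPolicy.MemoryFailoverResourcesPercent = 25
$spec.DasConfig.AdmissionControlPolicy = $acPolicy
$cluster.ExtensionData.ReconfigureComputeResource($spec, $true)
```

The Network I/O Control share values and the final migration of vmnic0 are left to the Web Client steps above; vmnic0 should only move after vmnic1 is confirmed working on every host, so that one uplink always stays on a known-good path during the change.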


2.2.6 Change the Default Domain Administration Group on the ESXi Hosts in
the Management Cluster in Region A
ESXi hosts that are joined to Active Directory grant administrator access to a domain group named ESX Admins by default. Change this default group name to remove that well-known administrative access point.
Procedure
Log in to vCenter Server, by using the vSphere Web Client.
a. Open a Web browser and go to https://mgmt01vc01.sfo01.rainpole.local/vsphere-client.
b. Log in using the following credentials.

Setting Value

User name [email protected]

Password vsphere_admin_password

In the Navigator, click Hosts and Clusters.
Expand the entire vCenter Server inventory tree, and select the mgmt01esx01.sfo01.rainpole.local host.
Click the Manage tab, click Settings, and under System click Advanced System Settings.
In the search box, enter esxAdmins and wait for the search results.
Select Config.HostAgent.plugins.hostsvc.esxAdminsGroup, and click the Edit icon to change the ESXi host admin group.
In the plugins.hostsvc.esxAdminsGroup text box, enter SDDC-Admins, and click OK.
Repeat the process for all remaining hosts in the management cluster.

Object FQDN

Management host 2 mgmt01esx02.sfo01.rainpole.local

Management host 3 mgmt01esx03.sfo01.rainpole.local

Management host 4 mgmt01esx04.sfo01.rainpole.local

Reboot all hosts in the management cluster.
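Because this setting is the one that decides which Active Directory group gets root-equivalent access on every domain-joined host, it is worth applying and auditing it from a script rather than host by host. The following is an added PowerCLI example, not code from the VMware Validated Design guide; it assumes an open Connect-VIServer session to mgmt01vc01.sfo01.rainpole.local and the SFO01-Mgmt01 cluster from section 2.2.4. It sets the group, reboots the hosts one at a time (the guide says to reboot all hosts; doing it serially with Virtual SAN data migration keeps the cluster's data accessible), and then reports which hosts still carry the default ESX Admins value.

```powershell
# Added example (not from the VMware Validated Design guide): section 2.2.6 with PowerCLI.
# Assumptions: an open Connect-VIServer session to mgmt01vc01.sfo01.rainpole.local.
$setting    = 'Config.HostAgent.plugins.hostsvc.esxAdminsGroup'
$adminGroup = 'SDDC-Admins'
$cluster    = Get-Cluster -Name 'SFO01-Mgmt01'

function Get-EsxAdminsGroupStatus {
    # One row per host: the current group and whether it is still the well-known
    # default, which is exactly what makes it a known access point.
    param([Parameter(Mandatory)] $Cluster)
    foreach ($vmhost in Get-VMHost -Location $Cluster | Sort-Object Name) {
        $value = (Get-AdvancedSetting -Entity $vmhost -Name $setting).Value
        [pscustomobject]@{
            Host        = $vmhost.Name
            AdminsGroup = $value
            IsDefault   = ($value -eq 'ESX Admins')
            Compliant   = ($value -eq $adminGroup)
        }
    }
}

# Apply the new group name on every host that does not have it yet.
foreach ($vmhost in Get-VMHost -Location $cluster) {
    $current = Get-AdvancedSetting -Entity $vmhost -Name $setting
    if ($current.Value -ne $adminGroup) {
        $current | Set-AdvancedSetting -Value $adminGroup -Confirm:$false | Out-Null
    }
}

# Reboot one host at a time: enter maintenance mode (DRS moves the VMs, Virtual SAN keeps
# objects accessible), restart, wait for the host to go away and come back, then exit.
foreach ($vmhost in Get-VMHost -Location $cluster | Sort-Object Name) {
    Set-VMHost -VMHost $vmhost -State Maintenance -VsanDataMigrationMode EnsureAccessibility | Out-Null
    Restart-VMHost -VMHost $vmhost -Confirm:$false | Out-Null
    do { Start-Sleep -Seconds 30 } while ((Get-VMHost -Name $vmhost.Name).ConnectionState -eq 'Maintenance')
    do { Start-Sleep -Seconds 30 } while ((Get-VMHost -Name $vmhost.Name).ConnectionState -ne 'Maintenance')
    Set-VMHost -VMHost (Get-VMHost -Name $vmhost.Name) -State Connected | Out-Null
}

# Audit: every row should show Compliant = True and IsDefault = False.
Get-EsxAdminsGroupStatus -Cluster $cluster | Format-Table -AutoSize
```

The audit function on its own is also a useful periodic check: a host added to the cluster later, or rebuilt from an image, comes back with the default value, and this report makes that visible.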

2.2.7 Mount NFS Storage for Management Cluster in Region A


You must mount an NFS datastore on which vSphere Data Protection will later be deployed.
Procedure
Log in to vCenter Server by using the vSphere Web Client.
a. Open a Web browser and go to
https://mgmt01vc01.sfo01.rainpole.local/vsphere-client.
b. Log in using the following credentials.

Setting Value

User name [email protected]

Password vsphere_admin_password

Create a datastore for the SFO01-Mgmt01 cluster.


a. In the Navigator, select vCenter Inventory Lists, and select Datastores.
b. Click the Create a New Datastore icon.
c. On the Location page, expand the entire mgmt01vc01.sfo01.rainpole.local tree, select
the SFO01-Mgmt01 cluster, and click Next.


d. On the Type page, select NFS and click Next.


e. On the NFS version page, select NFS 3, and click Next.
f. On the Name and configuration page, enter the following datastore information, and click
Next.

Option Value

Datastore Name SFO01A-NFS01-VDP01

Folder /V2D_vDP_MgmtA_4TB

Server 172.16.15.251

g. On the Host accessibility page, select all the hosts that require access to the datastore, and
click Next.


h. On the Ready to complete page, review the configuration, and click Finish.

2.2.8 Create the VM and Template Folders in Region A


Create folders to group objects of the same type for easier management.
Procedure
Log in to vCenter Server by using the vSphere Web Client.
a. Open a Web browser and go to
https://mgmt01vc01.sfo01.rainpole.local/vsphere-client.
b. Log in using the following credentials.

Setting Value

User name [email protected]

Password vsphere_admin_password

Create folders for each of the management applications.

Folder Name Management Components

vRA01 vRealize Automation + vRealize Orchestrator + vRealize Business

vRA01IAS vRealize Automation (Proxy Agent) + vRealize Business (Data Collector)

vROps01 vRealize Operations Manager

vROps01RC vRealize Operations Manager (Remote Collectors)

vRLI01 vRealize Log Insight

a. In the Navigator, click VMs and Templates.


b. Expand the mgmt01vc01.sfo01.rainpole.local tree.
c. Right-click the SFO01 data center, and select New Folder > New VM and Template Folder.


d. In the New Folder dialog box, enter vRA01 as name, and click OK.
e. Repeat the step to create the remaining folders.
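The NFS mount of section 2.2.7 and the folder set of section 2.2.8, written as one added PowerCLI example (not code from the VMware Validated Design guide). It assumes an open Connect-VIServer session to mgmt01vc01.sfo01.rainpole.local and the SFO01 data center and SFO01-Mgmt01 cluster from section 2.2.4; New-Datastore -Nfs mounts NFS 3 by default, which matches the version chosen in the wizard.

```powershell
# Added example (not from the VMware Validated Design guide): sections 2.2.7 and 2.2.8 with PowerCLI.
# Assumptions: an open Connect-VIServer session; SFO01 and SFO01-Mgmt01 exist.
$dc      = Get-Datacenter -Name 'SFO01'
$cluster = Get-Cluster -Name 'SFO01-Mgmt01' -Location $dc

# Mount the vSphere Data Protection export on every host of the cluster (NFS 3 is the
# cmdlet default), skipping hosts that already have it.
$dsName = 'SFO01A-NFS01-VDP01'
foreach ($vmhost in Get-VMHost -Location $cluster) {
    if (-not (Get-Datastore -Name $dsName -VMHost $vmhost -ErrorAction SilentlyContinue)) {
        New-Datastore -Nfs -VMHost $vmhost -Name $dsName -NfsHost '172.16.15.251' -Path '/V2D_vDP_MgmtA_4TB' | Out-Null
    }
}

# Check that all hosts see the datastore under the same name: a host that is missing it
# cannot run the vSphere Data Protection appliance after a DRS or HA move.
$mounted  = @(Get-Datastore -Name $dsName | Get-VMHost).Count
$expected = @(Get-VMHost -Location $cluster).Count
"$dsName is mounted on $mounted of $expected hosts"

# VM and template folders from the guide's table, created under the data center's
# root VM folder (the hidden folder named "vm"), in the order listed.
$folderNames = 'vRA01', 'vRA01IAS', 'vROps01', 'vROps01RC', 'vRLI01'
$vmRoot = Get-Folder -Name 'vm' -Location $dc -Type VM
foreach ($name in $folderNames) {
    if (-not (Get-Folder -Name $name -Location $vmRoot -Type VM -ErrorAction SilentlyContinue)) {
        New-Folder -Name $name -Location $vmRoot | Out-Null
    }
}
Get-Folder -Location $vmRoot -Type VM | Select-Object Name
```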


2.3 Deploy and Configure the Management Cluster NSX Instance in Region A
 Deploy the NSX Manager for the Management Cluster NSX Instance in Region A
 Deploy the NSX Controllers for the Management Cluster NSX Instance in Region A
 Prepare the ESXi Hosts in the Management Cluster for NSX in Region A
 Configure the NSX Logical Network for the Management Cluster in Region A
 Configure NSX Dynamic Routing in the Management Cluster in Region A
 Test the Management Cluster's NSX Configuration in Region A
 Deploy Application Virtual Networks in Region A
 Deploy the NSX Load Balancer in Region A

2.3.1 Deploy the NSX Manager for the Management Cluster NSX Instance in
Region A
You must first deploy the NSX Manager virtual appliance. After the NSX Manager is successfully
deployed you must connect it to the Management vCenter Server instance.
Procedure
Log in to vCenter Server by using the vSphere Web Client.
a. Open a Web browser and go to https://mgmt01vc01.sfo01.rainpole.local/vsphere-client.
b. Log in using the following credentials.

Setting Value

User name [email protected]

Password vsphere_admin_password

Assign the vCenter Server Administrator role to a service account.


a. In the Navigator, click Hosts and Clusters.
b. Select mgmt01vc01.sfo01.rainpole.local.
c. Click the Manage tab, click Permissions, and click the Add icon.

d. In the mgmt01vc01.sfo01.rainpole.local - Add Permission dialog box, click the Add button.
e. In the Select Users/Groups dialog box, select RAINPOLE from the Domain drop-down
menu.


f. In the search box, enter svc-nsxmanager, and press Enter.


g. Select svc-nsxmanager, and click Add.

h. Click OK.
i. In the mgmt01vc01.sfo01.rainpole.local - Add Permission dialog box, select
Administrator as Assigned Role and select the Propagate to children check box.

j. Click OK.
Open the Deploy OVF Template wizard.
a. In the Navigator, expand the entire mgmt01vc01.sfo01.rainpole.local tree.
b. Right-click the SFO01-Mgmt01 cluster, and click Deploy OVF Template.


Use the Deploy OVF Template wizard to deploy the NSX Manager virtual appliance.
a. On the Select source page, click the Browse button, select the VMware NSX Manager .ova
file, and click Next.
b. On the Review details page, select the Accept extra configuration option check box, and
click Next.
c. On the Accept License Agreements page, click Accept, and then click Next.
d. On the Select name and folder page, enter the following settings, and click Next.

Setting Value

Name mgmt01nsxm01.sfo01

Folder or Datacenter SFO01

e. On the Select storage page, enter the following settings and click Next.


Setting Value

VM Storage Policy Virtual SAN Default Storage Policy

Datastore SFO01A-VSAN01-MGMT01

f. On the Setup networks page, under Destination, select vDS-Mgmt-Management and click
Next.
g. On the Customize template page, expand all options, enter the following settings, and click
Next.

Setting                                 Value
CLI "admin" User Password / enter       mgmtnsx_admin_password
CLI "admin" User Password / confirm     mgmtnsx_admin_password
CLI Privilege Mode Password / enter     mgmtnsx_priviledge_password
CLI Privilege Mode Password / confirm   mgmtnsx_priviledge_password
Hostname                                mgmt01nsxm01.sfo01.rainpole.local
Network 1 IPv4 Address                  172.16.11.65
Network 1 Netmask                       255.255.255.0
Default IPv4 Gateway                    172.16.11.253
DNS Server List                         172.16.11.5
Domain Search List                      sfo01.rainpole.local
NTP Server List                         ntp.sfo01.rainpole.local, ntp.lax01.rainpole.local
Enable SSH                              Selected

h. On the Ready to complete page, select the Power on after deployment check box, and
click Finish.

Connect the NSX Manager to the Management vCenter Server.


a. Open a Web browser and go to https://mgmt01nsxm01.sfo01.rainpole.local.
b. Log in using the following credentials.

Setting Value

User name admin

Password mgmtnsx_admin_password

c. Click Manage vCenter Registration.


d. Under Lookup Service, click the Edit button.
e. In the Lookup Service dialog box, enter the following settings, and click OK.

Setting                       Value
Lookup Service IP             mgmt01psc01.sfo01.rainpole.local
Lookup Service Port           443
SSO Administrator User Name   [email protected]
Password                      vsphere_admin_password

f. In the Trust Certificate? dialog box, click Yes.


g. Under vCenter Server, click the Edit button.
h. In the vCenter Server dialog box, enter the following settings, and click OK.

Setting Value

vCenter Server mgmt01vc01.sfo01.rainpole.local

vCenter User Name [email protected]

Password svc-nsxmanager_password

i. In the Trust Certificate? dialog box, click Yes.


j. Wait until the Status indicators for the Lookup Service and vCenter Server change to
Connected.
Log out from the Management vCenter Server session in the vSphere Web Client.
Log in to the Management vCenter Server by using the vSphere Web Client.
a. Open a Web browser and go to
https://mgmt01vc01.sfo01.rainpole.local/vsphere-client.
b. Log in using the following credentials.

Setting Value

User name [email protected]

Password svc-nsxmanager_password

Assign the [email protected] account access to NSX.


a. In the Navigator, click Network & Security.
b. Select NSX Managers.
c. Select 172.16.11.65 from the tree control.
d. Click the Manage tab and click Users.


e. Click the Add icon.


f. In the Assign Role dialog box enter [email protected] and click Next.

g. Click Enterprise Administrator and click Finish.

Log out from the Management vCenter Server session in the vSphere Web Client.


2.3.2 Deploy the NSX Controllers for the Management Cluster NSX Instance in
Region A
After the NSX Manager is successfully connected to the Management vCenter Server, you deploy
three NSX Controller nodes that form the NSX Controller cluster. Deploy every node only after the
previous one is successfully deployed.
Procedure
Log in to the Management vCenter Server by using the vSphere Web Client.
a. Open a Web browser and go to https://mgmt01vc01.sfo01.rainpole.local/vsphere-client.
b. Log in using the following credentials.

Setting Value

User name [email protected]

Password vsphere_admin_password

Promote the NSX Manager to the primary role.


a. Under Inventories, click Networking & Security.
b. In the Navigator, click Installation.
c. On the Management tab click the 172.16.11.65 instance.
d. Click the Actions menu and click Assign Primary Role.

e. Click Yes to confirm the assignment.

Configure an IP pool for the NSX Controller cluster.


a. In the Navigator, click NSX Managers.
b. Under NSX Managers, click the 172.16.11.65 instance.


c. Click the Manage tab, click Grouping Objects, click IP Pools, and click the Add New IP
Pool icon.
d. In the Add Static IP Pool dialog box, enter the following settings, and click OK.

Setting Value

Name Mgmt01-NSXC01

Gateway 172.16.11.253

Prefix Length 24

Primary DNS 172.16.11.5

DNS Suffix sfo01.rainpole.local

Static IP Pool 172.16.11.118-172.16.11.120

Deploy the NSX Controller cluster.


a. In the Navigator, click Networking & Security to go back, and click Installation.
b. Under NSX Controller nodes, click the Add icon to deploy three NSX Controller nodes with
the same configuration.
c. In the Add Controller page, enter the following settings and click OK.

Note You configure a password only during the deployment of the first controller. The other
controllers will use the same password.

Setting Value

NSX Manager 172.16.11.65

Datacenter SFO01

Cluster/Resource Pool SFO01-Mgmt01

Datastore SFO01A-VSAN01-MGMT01

Connected To vDS-Mgmt-Management

IP Pool Mgmt01-NSXC01

Password mgmtnsx_controllers_password

Confirm Password mgmtnsx_controllers_password


d. After the Status of the controller node changes to Normal, repeat the step and deploy the
remaining two NSX Controller nodes in the controller cluster with the same configuration.
Configure DRS affinity rules for the NSX Controller nodes.
a. Go back to the Home page.
b. In the Navigator, click Hosts and Clusters, and expand the
mgmt01vc01.sfo01.rainpole.local tree.
c. Select the SFO01-Mgmt01 cluster, and click the Manage tab.
d. Under Configuration, click VM/Host Rules.
e. Click Add.
f. In the SFO01-Mgmt01 - Create VM/Host Rule dialog box, enter the following settings, and
click Add.

Setting Value

Name Mgmt_NSX_Controllers

Enable rule Select the check box

Type Separate Virtual Machine

g. In the Add Rule Member dialog box, select the check box next to each of the three NSX
Controller virtual machines, and click OK.
h. In the SFO01-Mgmt01 - Create VM/Host Rule dialog box, click OK.

2.3.3 Prepare the ESXi Hosts in the Management Cluster for NSX in Region A
You must install the NSX kernel modules on the management cluster ESXi hosts to be able to use
NSX.
Procedure


Log in to the Management vCenter Server by using the vSphere Web Client.
a. Open a Web browser and go to https://mgmt01vc01.sfo01.rainpole.local/vsphere-client.
b. Log in using the following credentials.

Setting Value

User name [email protected]

Password vsphere_admin_password

Install the NSX kernel modules on the management cluster ESXi hosts.
a. In the Navigator, click Networking & Security.
b. In the Navigator, click Installation, and click the Host Preparation tab.
c. Select 172.16.11.65 from the NSX Manager drop-down menu.
d. Under Installation Status, click Install for the SFO01-Mgmt01 cluster.
Verify that the Installation Status column shows the NSX version for all hosts in the cluster to
confirm that NSX kernel modules are successfully installed.

2.3.4 Configure the NSX Logical Network for the Management Cluster in
Region A
After the deployment tasks are complete, configure the NSX logical network. Complete this process in
three main steps:
 Configure the Segment ID allocation.
 Configure the VXLAN networking.
 Configure the transport zone.
Procedure
Log in to the Management vCenter Server by using the vSphere Web Client.
a. Open a Web browser and go
to https://mgmt01vc01.sfo01.rainpole.local/vsphere-client.


b. Log in using the following credentials.

Setting Value

User name [email protected]

Password vsphere_admin_password

Configure the Segment ID allocation.


a. In the Navigator, click Networking & Security.
b. Click Installation, click the Logical Network Preparation tab, and click Segment ID.
c. Select 172.16.11.65 from the NSX Manager drop-down menu.
d. Click Edit, enter the following values, and click OK.

Setting Value

Segment ID pool 5000-5200

Enable Multicast addressing Yes (select check box)

Multicast addresses 239.255.16.0-239.255.16.255

Universal Segment ID Pool 30000-39000

Enable Universal Multicast addressing Yes (select check box)

Universal Multicast addresses 239.1.0.0-239.1.255.255


Configure the VXLAN networking.


a. Click the Host Preparation tab.
b. Under VXLAN, click Not Configured on the SFO01-Mgmt01 row, enter the following values,
and click OK.

Setting Value

Switch vDS-Mgmt

VLAN 1614

MTU 9000

VMKNic IP Addressing Use DHCP

VMKNic Teaming Policy Load Balance - SRCID

VTEP 2

Configure the transport zone.


a. With Installation still selected in the Navigator, click the Logical Network Preparation tab,
and click Transport Zones.
b. Select 172.16.11.65 from the NSX Manager drop-down menu.
c. Click the Add New Transport zone icon, enter the following settings, and click OK.

Setting Value


Mark this object for Universal Synchronization Yes (select check box)

Name Mgmt Universal Transport Zone

Replication mode Hybrid

Select clusters that will be part of the Transport Zone SFO01-Mgmt01

2.3.5 Configure NSX Dynamic Routing in the Management Cluster in Region A
NSX for vSphere creates a network virtualization layer on top of which all virtual networks are created.
This layer is an abstraction between the physical and virtual networks. You configure NSX dynamic
routing within the management cluster, deploying two NSX Edge devices and a Universal Distributed
Logical Router (UDLR).
 Create a Universal Logical Switch for Use as the Transit Network in Region A
 Deploy NSX Edge Devices for North-South Routing in Region A
 Disable the Firewall Service in Region A

 Enable and Configure the Border Gateway Protocol in Region A
 Verify Peering of Upstream Switches and Establishment of BGP in Region A
 Deploy the Universal Distributed Logical Router in Region A
 Configure Universal Distributed Logical Router for Dynamic Routing in Region A
 Verify Establishment of BGP for the Universal Distributed Logical Router in Region A

2.3.5.1. Create a Universal Logical Switch for Use as the Transit Network in Region A
Create a universal logical switch to serve as the transit network between the NSX Edge devices and the
universal distributed logical router.
Procedure
Log in to the Management vCenter Server by using the vSphere Web Client.
a. Open a Web browser and go to
https://mgmt01vc01.sfo01.rainpole.local/vsphere-client.
b. Log in using the following credentials.

Setting Value

User name [email protected]

Password vsphere_admin_password

Under Inventories, click Networking & Security.


In the Navigator, click Logical Switches.
Select the instance labelled 172.16.11.65.
Click the Add icon.
The New Logical Switch dialog box appears.
In the New Logical Switch dialog box, enter the following settings, and click OK.

Setting Value

Name Universal Transit Network

Transport Zone Mgmt Universal Transport Zone

Replication Mode Hybrid


2.3.5.2. Deploy NSX Edge Devices for North-South Routing in Region A
Deploy two NSX Edge devices for North-South routing.
Perform this procedure twice, once for each NSX Edge device: SFOMGMT-ESG01 and SFOMGMT-ESG02.

NSX Edge Device Device Name

NSX Edge Device 1 SFOMGMT-ESG01

NSX Edge Device 2 SFOMGMT-ESG02

Procedure
Log in to vCenter Server by using the vSphere Web Client.
a. Open a Web browser and go to
https://mgmt01vc01.sfo01.rainpole.local/vsphere-client.
b. Log in using the following credentials.

Setting Value

User name [email protected]

Password vsphere_admin_password

Under Inventories, click Networking & Security.


In the Navigator, click NSX Edges.
Select the instance labeled 172.16.11.65.
Click the Add icon to deploy a new NSX Edge.
The New NSX Edge dialog box appears.


On the Name and description page, enter the following settings, and click Next.

Setting NSX Edge Device 1 NSX Edge Device 2

Install Type Edge Service Gateway Edge Service Gateway

Name SFOMGMT-ESG01 SFOMGMT-ESG02

Deploy NSX Edge Selected Selected

Enable High Availability Deselected Deselected

On the Settings page, enter the following settings, and click Next.

Setting Value

User name admin

Password edge_admin_password

Enable SSH access Selected

Enable auto rule generation Selected

Edge Control Level logging INFO

On the Configure deployment page, select the Large radio button to specify the Appliance
Size, and click the Add icon.
The Add NSX Edge Appliance dialog box appears.
In the Add NSX Edge Appliance dialog box, enter the following settings, and click OK.

Setting Value

Cluster/Resource Pool SFO01-Mgmt01

Datastore SFO01A-VSAN01-MGMT01


Click Next.

On the Configure Interfaces page, click the Add icon to configure the Uplink01 interface, enter
the following settings, and click OK.

Setting SFOMGMT-ESG01 Value SFOMGMT-ESG02 Value

Name Uplink01 Uplink01

Type Uplink Uplink

Connected To vDS-Mgmt-Uplink01 vDS-Mgmt-Uplink01

Connectivity Status Connected Connected

Primary IP Address 172.27.11.2 172.27.11.3

Subnet Prefix Length 24 24

MTU 9000 9000

Send ICMP Redirect Selected Selected

Click the Add icon once again to configure the Uplink02 interface, enter the following settings,
and click OK.

Setting SFOMGMT-ESG01 Value SFOMGMT-ESG02 Value

Name Uplink02 Uplink02


Type Uplink Uplink

Connected To vDS-Mgmt-Uplink02 vDS-Mgmt-Uplink02

Connectivity Status Connected Connected

Primary IP Address 172.27.12.3 172.27.12.2

Subnet Prefix Length 24 24

MTU 9000 9000

Send ICMP Redirect Selected Selected

Click the Add icon a third time to configure the UDLR interface, enter the following settings, and
click OK.

Setting SFOMGMT-ESG01 Value SFOMGMT-ESG02 Value

Name UDLR UDLR

Type Internal Internal

Connected To Universal Transit Network Universal Transit Network

Connectivity Status Connected Connected

Primary IP Address 192.168.10.1 192.168.10.2

Subnet Prefix Length 24 24

MTU 9000 9000

Send ICMP Redirect Selected Selected

Click Next.
On the Default gateway settings page, deselect the Configure Default Gateway check box,
and click Next.
On the Firewall and HA page, click Next.
On the Ready to complete page, review the configuration settings you entered, and click Finish.


Repeat this procedure using the settings for the NSX Edge device labeled SFOMGMT-ESG02.
Upon repeating the procedure to configure SFOMGMT-ESG02, the Ready to complete page in
the New NSX Edge wizard will display the configuration values shown in the following illustration.


2.3.5.3. Disable the Firewall Service in Region A
Disable the firewall service on the NSX Edge devices. This is required for equal-cost multi-path (ECMP)
routing to operate correctly: with two ESGs forwarding in parallel, the two directions of a flow can
take different paths, and a stateful edge firewall drops packets of a flow it has not seen from the
start. Once the service is disabled, the ESGs no longer filter north-south traffic, so any filtering the
management workloads need must come from the distributed firewall or from the upstream switches.
Perform this procedure once for each of the NSX Edge devices: SFOMGMT-ESG01 and SFOMGMT-ESG02.
Procedure
Log in to vCenter Server by using the vSphere Web Client.
a. Open a Web browser and go to
https://mgmt01vc01.sfo01.rainpole.local/vsphere-client.
b. Log in using the following credentials.

Setting Value

User name [email protected]

Password vsphere_admin_password

Under Inventories, click Networking & Security.


In the Navigator, click NSX Edges.
Select the instance labeled 172.16.11.65.
Double-click the SFOMGMT-ESG01 NSX Edge device.
Click the Manage tab, then click Firewall.
In the Firewall page, click the Disable button.
Click the Publish button.
Repeat this procedure for the NSX Edge device SFOMGMT-ESG02.

2.3.5.4. Enable and Configure the Border Gateway Protocol in Region A
The Border Gateway Protocol (BGP) exchanges routing information between routers that belong to
autonomous systems (AS). In this design each NSX Edge device peers with the two top-of-rack switches in
AS 65001 (eBGP) and with the UDLR in its own AS 65003 (iBGP); every session is authenticated with a
shared BGP password.
Perform this procedure once for each of the NSX Edge devices: SFOMGMT-ESG01 and SFOMGMT-ESG02.

NSX Edge Device Device Name

NSX Edge Device 1 SFOMGMT-ESG01

NSX Edge Device 2 SFOMGMT-ESG02

Procedure
Log in to the Management vCenter Server by using the vSphere Web Client.
a. Open a Web browser and go to
https://mgmt01vc01.sfo01.rainpole.local/vsphere-client.
b. Log in using the following credentials.


Setting Value

User name [email protected]

Password vsphere_admin_password

Under Inventories, click Networking & Security.


In the Navigator, click NSX Edges.
Select the instance labeled 172.16.11.65.
Double-click the SFOMGMT-ESG01 NSX Edge device.
Click the Manage tab, and click Routing.
On the Global Configuration page, enter the following settings.
a. Click the Enable button for ECMP.
b. Click the Edit button for Dynamic Routing Configuration.
c. Choose Uplink01 as the Router ID.
d. Click Publish Changes.

On the Routing tab, click BGP.


Click the Edit button, enter the following settings, and click OK.

Setting Value

Enable BGP Selected

Enable Graceful Restart Selected

Local AS 65003


Click the Add icon to add a Neighbor.


The New Neighbor dialog box appears. You add three neighbors: the first Top of Rack Switch, the
second Top of Rack Switch, and the universal distributed logical router (UDLR).
In the New Neighbor dialog box, enter the following values, and click OK.

Setting Value

IP Address 172.27.11.1 (the IP address of the first Top of Rack Switch)

Remote AS 65001 (the remote AS of the first Top of Rack Switch)

Weight 60

Keep Alive Time 4 (the keep alive value set on the first Top of Rack Switch)

Hold Down Time 12 (the hold down time set on the first Top of Rack Switch)

Password BGP_password


Click the Add icon to add another Neighbor.


The New Neighbor dialog box appears. Add the second Top of Rack switch, whose IP address is
172.27.12.1.
In the New Neighbor dialog box, enter the following values, and click OK.

Setting Value

IP Address 172.27.12.1 (the IP address of the second Top of Rack Switch)

Remote AS 65001 (the remote AS of the second Top of Rack Switch)

Weight 60

Keep Alive Time 4 (the keep alive value set on the second Top of Rack Switch)

Hold Down Time 12 (the hold down time set on the second Top of Rack Switch)

Password BGP_password


Click the Add icon to add another Neighbor.
The New Neighbor dialog box appears. Configure the universal distributed logical router (UDLR) as a
neighbor. The IP address is the protocol address from which the UDLR speaks BGP (192.168.10.4), not
the address of its uplink interface; you assign both when you configure the UDLR in Section 2.3.5.7.
In the New Neighbor dialog box, enter the following values, and click OK.

Setting Value

IP Address 192.168.10.4

Remote AS 65003

Weight 60

Keep Alive Time 1

Hold Down Time 3

Password BGP_password


Click Publish Changes.


The three neighbors you added are now visible in the Neighbors table. Confirm that the configuration
values you entered for each neighbor are correct.

In the Navigator, click Route Redistribution.
Click the Edit button, and in the Change redistribution settings dialog box, select the BGP check
box and click OK.


Click the Add icon for Route Redistribution Table.


In the New Redistribution criteria dialog box, enter the following settings, and click OK.

Setting Value

Prefix Any

Learner Protocol BGP

OSPF Deselected

ISIS Deselected

Connected Selected

Action Permit

Click the Publish Changes button.


The route redistribution configuration is now visible in the Route Redistribution table. Confirm
that the configuration values you entered are correct.

Repeat this procedure for the NSX Edge device SFOMGMT-ESG02.

2.3.5.5. Verify Peering of Upstream Switches and Establishment of BGP in Region A
Each NSX Edge device must establish a session with each of its upstream BGP switches before BGP
updates can be exchanged. Verify that the NSX Edge devices are successfully peering and that BGP
routing has been established.
Perform this procedure once for each of the NSX Edge devices: SFOMGMT-ESG01 and SFOMGMT-ESG02.
Procedure
Log in to the NSX Edge device using a Secure Shell (SSH) client.
a. Open an SSH connection to the NSX Edge device whose peering and BGP configuration you
want to verify.

NSX Edge Device Device Name

NSX Edge Device 1 SFOMGMT-ESG01

NSX Edge Device 2 SFOMGMT-ESG02

b. Log in using the following credentials.

Setting Value

User name admin


Password edge_admin_password

Run the show ip bgp neighbors command to display information about the BGP connections
to neighbors.
The BGP State will display Established, UP if you have peered with the upstream switches.

Note You have not yet created the Universal Distributed Logical Router (UDLR), so it will not
display the Established, UP status message.

Run the show ip route command to verify that you are receiving routes using BGP, and that
there are multiple routes to BGP learned networks.
You verify multiple routes to BGP learned networks by locating the same route using a different IP
address. The IP addresses are listed after the word via in the right-side column of the routing
table output. In the image below there are two different routes to the following BGP networks:
0.0.0.0/0 and 172.27.22.0/24.
You can identify BGP networks by the letter B in the left-side column. Lines beginning with C
(connected) have only a single route.


Repeat this procedure for the NSX Edge device SFOMGMT-ESG02.

2.3.5.6. Deploy the Universal Distributed Logical Router in Region A
Deploy the universal distributed logical router (UDLR). Because high availability is enabled, the
wizard deploys two control VM appliances, an active one and a standby one.
Procedure
Log in to vCenter Server by using the vSphere Web Client.
a. Open a Web browser and go to
https://mgmt01vc01.sfo01.rainpole.local/vsphere-client.
b. Log in using the following credentials.

Setting Value

User name [email protected]

Password vsphere_admin_password

Under Inventories, click Networking & Security.


In the Navigator, click NSX Edges.
Select the instance labeled 172.16.11.65.
Click the Add icon to create a new UDLR.
The New NSX Edge wizard appears.
On the Name and description page, enter the following settings, and click Next.

Setting Value

Universal Logical (Distributed) Router Selected

Name UDLR01

Deploy Edge Appliance Selected

Enable High Availability Selected


On the Settings page, enter the following settings, and click Next.

Setting Value

User Name admin

Password udlr_admin_password

Enable SSH access Selected

Edge Control Level logging INFO

On the Configure deployment page, click the Add icon.
The Add NSX Edge Appliance dialog box appears.
In the Add NSX Edge Appliance dialog box, enter the following settings, and click OK.

Setting Value

Cluster/Resource Pool SFO01-Mgmt01

Datastore SFO01A-VSAN01-MGMT01


Click the Add icon a second time to add the second NSX Edge appliance, which serves as the HA
standby.
The Add NSX Edge Appliance dialog box appears.
In the Add NSX Edge Appliance dialog box, enter the following settings, and click OK.

Setting Value

Cluster/Resource Pool SFO01-Mgmt01

Datastore SFO01A-VSAN01-MGMT01


On the Configure interfaces page, under HA Interface Configuration, click Change and
connect to vDS-Mgmt-Management.
On the Configure interfaces page enter the following configuration settings, and click Next.
a. Click the Add icon.
The Add Interface dialog box appears.
b. Enter the following settings in the Add Interface dialog box, and click OK.

Setting Value

Name Uplink

Type Uplink

Connected To Universal Transit Network

Connectivity Status Connected

Primary IP Address 192.168.10.3

Subnet Prefix Length 24

MTU 9000


In the Default gateway settings page, deselect Configure Default Gateway, and click Next.
In the Ready to complete page, click Finish.

2.3.5.7. Configure Universal Distributed Logical Router for Dynamic Routing in Region A
Configure the universal distributed logical router (UDLR) to use dynamic routing.
Procedure
Log in to vCenter Server by using the vSphere Web Client.


a. Open a Web browser and go to
https://mgmt01vc01.sfo01.rainpole.local/vsphere-client.
b. Log in using the following credentials.

Setting Value

User name [email protected]

Password vsphere_admin_password

Under Inventories, click Networking & Security.


In the Navigator, click NSX Edges.
Select the instance labeled 172.16.11.65.
Double-click UDLR01.
Click the Manage tab, then click Routing.
In the Global Configuration page, perform the following configuration steps.
a. Click the Edit button under Routing Configuration, select Enable ECMP, and click OK.
b. Click the Edit button under Dynamic Routing Configuration, select Uplink as the Router
ID, and click OK.
c. Click Publish Changes.

In the Navigator panel, click BGP.


In the BGP page, click the Edit button.
The Edit BGP Configuration dialog box appears.
In the Edit BGP Configuration dialog box, enter the following settings, and click OK.

Setting Value


Enable BGP Selected

Enable Graceful Restart Selected

Local AS 65003

Click the Add icon to add a Neighbor.
The New Neighbor dialog box appears.
In the New Neighbor dialog box, enter the following values, and click OK. Repeat this step once for
each NSX Edge device, SFOMGMT-ESG01 and SFOMGMT-ESG02, so that the UDLR has two neighbors.
The Forwarding Address is the IP address of the UDLR Uplink interface (192.168.10.3), which the NSX
Edge devices use as the next hop for traffic. The Protocol Address (192.168.10.4) is a second address
on the same subnet that the UDLR control VM uses to run the BGP session; it is the address you
configured as the UDLR neighbor on each NSX Edge device in Section 2.3.5.4.

Setting SFOMGMT-ESG01 Value SFOMGMT-ESG02 Value

IP Address 192.168.10.1 192.168.10.2

Forwarding Address 192.168.10.3 192.168.10.3

Protocol Address 192.168.10.4 192.168.10.4

Remote AS 65003 65003

Weight 60 60

Keep Alive Time 1 1

Hold Down Time 3 3

Password BGP_password BGP_password


Click Publish Changes.

In the Navigator, click Route Redistribution.


Click the Edit button.
In the Change redistribution settings dialog box, enter the following settings, and click OK.

Setting Value

OSPF Deselected

BGP Selected

On the Route Redistribution page, select the default OSPF entry and click the Edit button.
Select BGP from the Learner Protocol drop-down menu, and click OK.


Click Publish Changes.
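The peerings from Sections 2.3.5.4 and 2.3.5.7 expressed as data and checked for the mistakes that most often keep these sessions down (peering with the UDLR forwarding address instead of its protocol address, a remote AS that does not match the peer, timers or passwords that differ between the two ends, a neighbor that is not on a connected subnet), as an added example in Python that is not part of this guide. The addresses, AS numbers and timers are the guide's values; the top-of-rack switch side (router names, interface addresses, neighbor entries and timers) is an assumption, since the guide only gives the ToR peer addresses and AS number.

```python
"""Consistency checks for the BGP peerings configured in Sections 2.3.5.4 and 2.3.5.7.

Added example; this is not code from the VMware guide. Addresses, AS numbers,
timers and the BGP_password placeholder are the guide's values. The top-of-rack
switch configuration (router names, interface addresses, neighbor entries) is
an assumption, because the guide only gives the ToR peer addresses and AS.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_interface


@dataclass
class Neighbor:
    ip: str
    remote_as: int
    keepalive: int
    hold_down: int
    password: str


@dataclass
class Router:
    name: str
    local_as: int
    interfaces: dict                     # interface name -> "address/prefixlen"
    neighbors: list = field(default_factory=list)
    # UDLR only: the control VM speaks BGP from the protocol address, while the
    # ESGs must send traffic to the forwarding address (the Uplink interface IP).
    protocol_address: str = None
    forwarding_address: str = None


def check_bgp_topology(routers):
    """Return a list of problems; an empty list means the peerings are consistent."""
    speaker = {}  # address -> router that answers BGP on that address
    for r in routers:
        for iface in r.interfaces.values():
            speaker[str(ip_interface(iface).ip)] = r
        if r.protocol_address:
            speaker[r.protocol_address] = r

    problems = []
    for r in routers:
        for n in r.neighbors:
            peer = speaker.get(n.ip)
            if peer is None:
                problems.append(f"{r.name}: neighbor {n.ip} belongs to no known router")
                continue
            if n.ip == peer.forwarding_address:
                problems.append(f"{r.name}: {n.ip} is the forwarding address of {peer.name}; "
                                f"peer with its protocol address {peer.protocol_address}")
            if n.remote_as != peer.local_as:
                problems.append(f"{r.name}: remote AS {n.remote_as} for {n.ip}, "
                                f"but {peer.name} is in AS {peer.local_as}")
            # No multihop is configured, so every neighbor must sit on a connected subnet.
            if not any(ip_address(n.ip) in ip_interface(i).network for i in r.interfaces.values()):
                problems.append(f"{r.name}: neighbor {n.ip} is not on a directly connected subnet")
            if n.hold_down < 3 * n.keepalive:
                problems.append(f"{r.name}: hold-down {n.hold_down}s is less than "
                                f"3 x keepalive {n.keepalive}s for {n.ip}")
            if not n.password:
                problems.append(f"{r.name}: session with {n.ip} has no MD5 password")
            # Timers and password must agree on both ends of the session.
            back = next((m for m in peer.neighbors if speaker.get(m.ip) is r), None)
            if back is None:
                problems.append(f"{peer.name}: no neighbor entry pointing back at {r.name}")
            elif (back.keepalive, back.hold_down, back.password) != (n.keepalive, n.hold_down, n.password):
                problems.append(f"{r.name} <-> {peer.name}: timers or password differ between the ends")
    return problems


def region_a_design():
    """The management-cluster routing design as configured in the guide."""
    tor = lambda ip: Neighbor(ip, 65001, keepalive=4, hold_down=12, password="BGP_password")
    udlr = lambda: Neighbor("192.168.10.4", 65003, keepalive=1, hold_down=3, password="BGP_password")
    esg01 = Router("SFOMGMT-ESG01", 65003,
                   {"Uplink01": "172.27.11.2/24", "Uplink02": "172.27.12.3/24", "UDLR": "192.168.10.1/24"},
                   [tor("172.27.11.1"), tor("172.27.12.1"), udlr()])
    esg02 = Router("SFOMGMT-ESG02", 65003,
                   {"Uplink01": "172.27.11.3/24", "Uplink02": "172.27.12.2/24", "UDLR": "192.168.10.2/24"},
                   [tor("172.27.11.1"), tor("172.27.12.1"), udlr()])
    esg = lambda ip: Neighbor(ip, 65003, keepalive=1, hold_down=3, password="BGP_password")
    udlr01 = Router("UDLR01", 65003, {"Uplink": "192.168.10.3/24"},
                    [esg("192.168.10.1"), esg("192.168.10.2")],
                    protocol_address="192.168.10.4", forwarding_address="192.168.10.3")
    # Assumed ToR configuration (not in the guide): each switch peers with both ESG uplinks.
    tor_peer = lambda ip: Neighbor(ip, 65003, keepalive=4, hold_down=12, password="BGP_password")
    tor01 = Router("ToR01", 65001, {"Vlan": "172.27.11.1/24"}, [tor_peer("172.27.11.2"), tor_peer("172.27.11.3")])
    tor02 = Router("ToR02", 65001, {"Vlan": "172.27.12.1/24"}, [tor_peer("172.27.12.3"), tor_peer("172.27.12.2")])
    return [esg01, esg02, udlr01, tor01, tor02]


if __name__ == "__main__":
    for problem in check_bgp_topology(region_a_design()) or ["peerings are consistent"]:
        print(problem)
```

Run it as a script to print the problems found; an empty result means the design is consistent. The forwarding-address check is the one worth keeping around: an ESG that is pointed at 192.168.10.3 instead of 192.168.10.4 never reaches Established, and the GUI gives no hint why.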

2.3.5.8. Verify Establishment of BGP for the Universal Distributed Logical Router in Region A
The universal distributed logical router (UDLR) must establish a session with each Edge Services
Gateway before BGP updates can be exchanged. Verify that the UDLR is successfully peering and that
BGP routing has been established.
Procedure
Log in to the UDLR by using a Secure Shell (SSH) client.
a. Open an SSH connection to UDLR01, the UDLR whose peering and BGP configuration you
want to verify.
b. Log in using the following credentials.

Setting Value

User name admin

Password udlr_admin_password

Run the show ip bgp neighbors command to display information about the BGP and TCP
connections to neighbors. The BGP State will display Established, UP if you have
successfully peered with the Edge Service Gateway.

Run the show ip route command to verify that you are receiving routes using BGP, and that
there are multiple routes to BGP learned networks.
You verify multiple routes to BGP learned networks by locating the same route using a different IP
address. The IP addresses are listed after the word via in the right-side column of the routing
table output. In the image below there are two different routes to the following BGP networks:
0.0.0.0/0, 172.27.11.0/24,172.27.12.0/24, and 172.27.22.0/24.


You can identify BGP networks by the letter B in the left-side column. Lines beginning with C
(connected) have only a single route.
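A parser for the show ip route listing used in this section and in Section 2.3.5.5, which checks that every BGP-learned prefix, including the default route, has a next hop through each expected peer; this is an added example in Python, not part of the guide. SAMPLE_ROUTES is a constructed listing modeled on the output the guide describes (a code letter, the prefix, and the next hop after via); the exact column layout of the real command is an assumption, so the parser relies on those three tokens only.

```python
"""Check an NSX Edge 'show ip route' listing for equal-cost paths to BGP-learned prefixes.

Added example; not code from the VMware guide. SAMPLE_ROUTES is constructed to
resemble the listing the guide describes (a code letter, the prefix and the next
hop after 'via'); the exact column layout of the real command is an assumption,
so the parser relies only on those three tokens.
"""
import re
from collections import defaultdict

# code letter, prefix, anything, the word "via", next hop
ROUTE_RE = re.compile(
    r"^\s*([A-Z][A-Z0-9]?)\s+(\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})\b.*?\bvia\s+(\d{1,3}(?:\.\d{1,3}){3})"
)

# Constructed sample: what an ESG should show after both ToR sessions are up.
SAMPLE_ROUTES = """\
Codes: O - OSPF derived, i - IS-IS derived, B - BGP derived,
C - connected, S - static
Total number of routes: 7
B       0.0.0.0/0            [20/0]        via 172.27.11.1
B       0.0.0.0/0            [20/0]        via 172.27.12.1
C       172.27.11.0/24       [0/0]         via 172.27.11.2
C       172.27.12.0/24       [0/0]         via 172.27.12.3
C       192.168.10.0/24      [0/0]         via 192.168.10.1
B       172.27.22.0/24       [20/0]        via 172.27.11.1
B       172.27.22.0/24       [20/0]        via 172.27.12.1
"""


def parse_routes(text):
    """Map (code, prefix) -> list of next hops, in listing order."""
    table = defaultdict(list)
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            code, prefix, nexthop = m.groups()
            table[(code, prefix)].append(nexthop)
    return dict(table)


def single_path_bgp_prefixes(text, expected_paths=2):
    """BGP-learned prefixes with fewer than expected_paths distinct next hops."""
    return sorted(prefix for (code, prefix), hops in parse_routes(text).items()
                  if code == "B" and len(set(hops)) < expected_paths)


def check_ecmp(text, expected_hops):
    """Problems with the BGP routes: no default route, or a prefix missing an expected next hop.

    expected_hops is the set of peers every BGP prefix should be reachable through:
    the two ToR addresses on an ESG, the two ESG transit addresses on the UDLR.
    """
    bgp = {prefix: set(hops) for (code, prefix), hops in parse_routes(text).items() if code == "B"}
    problems = []
    if "0.0.0.0/0" not in bgp:
        problems.append("no BGP-learned default route")
    for prefix, hops in sorted(bgp.items()):
        missing = sorted(set(expected_hops) - hops)
        if missing:
            problems.append(f"{prefix}: missing next hop(s) {missing}")
    return problems


if __name__ == "__main__":
    # On an ESG the expected hops are the two ToR switches; on the UDLR they are
    # 192.168.10.1 and 192.168.10.2 (the ESG interfaces on the transit network).
    for problem in check_ecmp(SAMPLE_ROUTES, ["172.27.11.1", "172.27.12.1"]) or ["ECMP routes look healthy"]:
        print(problem)
```

On an ESG the expected next hops are the two top-of-rack addresses (172.27.11.1 and 172.27.12.1); on the UDLR they are the two ESG transit addresses (192.168.10.1 and 192.168.10.2). Paste the real show ip route output into the text argument; a BGP prefix that appears with only one next hop means one of the ECMP paths is down or its peer has not redistributed the route.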


2.3.6 Test the Management Cluster NSX Configuration in Region A
Test the configuration of the NSX logical network by running a host-to-host ping test across the
Universal Transit Network.
Procedure
Log in to vCenter Server by using the vSphere Web Client.
a. Open a Web browser and go
to https://mgmt01vc01.sfo01.rainpole.local/vsphere-client.
b. Log in using the following credentials.

Setting Value

User name [email protected]

Password vsphere_admin_password

Under Inventories, click Networking & Security, then click Logical Switches and double-click
Universal Transit Network.
Click the Monitor tab.
From the Source host drop-down menu select mgmt01esx01.sfo01.rainpole.local.
From the Destination host drop-down menu select mgmt01esx03.sfo01.rainpole.local.
Click Start Test.
The host-to-host ping test results are displayed in the Results text box. Verify that there are no
error messages.


2.3.7 Deploy Application Virtual Networks in Region A
Deploy the application virtual networks: one universal logical switch for workloads that move between
regions and one for workloads specific to Region A, both connected to the UDLR.
Procedure
Log in to vCenter Server by using the vSphere Web Client.
a. Open a Web browser and go
to https://mgmt01vc01.sfo01.rainpole.local/vsphere-client.
b. Log in using the following credentials.

Setting Value

User name [email protected]

Password vsphere_admin_password

Create a Universal Logical Switch for workloads that move between sites.
a. Under Inventories, click Networking & Security.
b. In the Navigator, click Logical Switches.
c. Select 172.16.11.65 from the NSX Manager drop-down menu.
d. Click the Add icon to create a new Logical Switch.
e. In the New Logical Switch dialog box, enter the following settings, and click OK.

Setting Value

Name Mgmt-xRegion01-VXLAN

Transport Zone Mgmt Universal Transport Zone

Replication Mode Hybrid

Create a Universal Logical Switch for workloads that are specific to Region A.
a. Under Inventories, click Networking & Security.
b. In the Navigator, click Logical Switches.


c. Select 172.16.11.65 from the NSX Manager drop-down menu.


d. Click the Add icon to create a new Logical Switch.
e. In the New Logical Switch dialog box, enter the following settings, and click OK.

Setting Value

Name Mgmt-RegionA01-VXLAN

Transport Zone Mgmt Universal Transport Zone

Replication Mode Hybrid

Connect Mgmt-xRegion01-VXLAN to the Universal Distributed Logical Router.


a. Under Inventories, click Networking & Security.
b. In the Navigator, click Logical Switches.
c. Select 172.16.11.65 from the NSX Manager drop-down menu.
d. Select the Mgmt-xRegion01-VXLAN Logical Switch.
e. Click the Connect Edge icon.
f. On the Connect an Edge page select UDLR01 and click Next.
g. On the Edit NSX Edge Interface page enter the following settings and click Next.

Setting Value

Name Mgmt-xRegion01

Type Internal

Connectivity Status Connected

Primary IP Address 192.168.11.1


Subnet Prefix Length 24

h. On the Ready to complete page click Finish.


Connect Mgmt-RegionA01-VXLAN to the Universal Distributed Logical Router.
a. Under Inventories, click Networking & Security.
b. In the Navigator, click Logical Switches.
c. Select 172.16.11.65 from the NSX Manager drop-down menu.
d. Select the Mgmt-RegionA01-VXLAN Logical Switch.
e. Click the Connect Edge icon.
f. On the Connect an Edge page select UDLR01 and click Next.
g. On the Edit NSX Edge Interface page enter the following settings and click Next.

Setting Value

Name Mgmt-RegionA01

Type Internal

Connectivity Status Connected

Primary IP Address 192.168.31.1

Subnet Prefix Length 24


h. On the Ready to complete page click Finish.

2.3.8 Deploy NSX Load Balancer in Region A
Deploy a load balancer for use by management applications connected to the application virtual
network (AVN) Mgmt-xRegion01-VXLAN. The load balancer is a one-arm NSX Edge with a single internal
interface on that network and the UDLR as its default gateway.
Procedure
Log in to vCenter Server by using the vSphere Web Client.
a. Open a Web browser and go
to https://mgmt01vc01.sfo01.rainpole.local/vsphere-client.
b. Log in using the following credentials.

Setting Value

User name [email protected]

Password vsphere_admin_password

Under Inventories, click Networking & Security.


In the Navigator, click NSX Edges.
Select 172.16.11.65 from the NSX Manager drop-down menu.
Click the Add icon to create a new NSX Edge.
The New NSX Edge wizard appears.
On the Name and description page, enter the following settings, and click Next.

Setting Value

Install Type Edge Services Gateway


Name SFOMGMT-LB01

Deploy NSX Edge Selected

Enable High Availability Selected

On the Settings page, enter the following settings, and click Next.

Setting Value

User Name admin

Password edge_admin_password

Enable SSH access Selected

Enable auto rule generation Selected

Edge Control Level logging INFO

On the Configure deployment page, perform the following configuration steps, and click Next.
a. Select SFO01 from the Datacenter drop-down menu.
b. Select the Large radio button to specify the Appliance Size.
c. Click the Add icon, enter the following settings, and click OK.


Setting Value

Cluster/Resource Pool SFO01-Mgmt01

Datastore SFO01A-VSAN01-MGMT01

d. To create a second appliance, click the Add icon again, make the same selections in the New
NSX Appliance dialog box, and click OK.

On the Configure Interfaces page, click the Add icon to configure the OneArmLB interface,
enter the following settings, and click OK.

Setting Value

Name OneArmLB

Type Internal

Connected To Mgmt-xRegion01-VXLAN

Connectivity Status Connected

Primary IP Address 192.168.11.2

Subnet Prefix Length 24

MTU 9000


Send ICMP Redirect Selected

Click Next.
On the Default gateway settings page, enter the following settings, and click Next.

Setting Value

Gateway IP 192.168.11.1

MTU 9000


On the Firewall and HA page, select the following settings, and click Next.

Setting Value

Configure Firewall default policy Selected

Default Traffic Policy Accept

Logging Disable

vNIC any

Declare Dead Time 15


On the Ready to complete page, review the configuration settings you entered, then click Finish.

Enable the Load Balancer service.


a. In the Navigator, click NSX Edges.
b. Select 172.16.11.65 from the NSX Manager drop-down menu.
c. Double-click SFOMGMT-LB01.
d. Click the Manage tab, then click the Load Balancer tab.
e. Click Global Configuration, then click Edit.

In the Edit load balancer global configuration dialog box, select Enable Load Balancer and
click OK.

2.4 Deploy and Configure the Compute and Edge Cluster Components in Region A
 Deploy the External Platform Services Controller for the Compute vCenter Server in Region A
 Join the Platform Services Controller for the Compute vCenter Server to the Active Directory in
Region A
 Deploy the Compute vCenter Server Instance in Region A
 Configure the Compute and Edge Clusters in Region A
 Create a vSphere Distributed Switch for the Compute Cluster in Region A
 Create a vSphere Distributed Switch for the Edge Cluster in Region A
 Change the Default Domain Administration Group on the ESXi Hosts in the Compute and Edge
Clusters in Region A
 Mount NFS Storage for the Compute Cluster in Region A
 Configure Lockdown Mode on All ESXi Hosts in Region A

2.4.1 Deploy the External Platform Services Controller for the Compute vCenter Server in Region A
You must first install the external Platform Services Controller instance for the compute cluster by
using the vCenter Server appliance ISO file.
Procedure
Log in to the Windows host that has access to your data center as an administrator.
Start the VMware vCenter Server Appliance Deployment wizard.
a. Browse to the vCenter Server Appliance .iso file.
b. Open the vcsa-setup.html file in a Web browser.
c. Click Install to start the installation.

Complete the VMware vCenter Server Appliance Deployment wizard.


a. On the End User License Agreement page, select the I accept the terms of the license
agreement check box, and click Next.


b. On the Connect to target server page, enter the following settings, and click Next.

Setting Value

FQDN or IP Address mgmt01esx01.sfo01.rainpole.local

User name root

Password esxi_root_user_password

c. In the Certificate Warning dialog box, click Yes to accept the host certificate.
d. On the Set up virtual machine page, enter the following settings, and click Next.

Setting Value

Appliance name comp01psc01.sfo01

OS password comppsc_root_password

Confirm OS password comppsc_root_password


e. On the Select deployment type page, under External Platform Services Controller, select
the Install Platform Services Controller radio button, and click Next.

f. On the Set up Single Sign-on (SSO) page, select the Join an SSO domain in an existing
vCenter 6.0 platform services controller radio button, enter the following settings, and
click Next.

Setting Value

Platform Services Controller FQDN or IP address mgmt01psc01.sfo01.rainpole.local

vCenter SSO Password vsphere_admin_password

Port 443


g. On the Single Sign-on site page, select the Join an existing site radio button,
select SFO01 from the drop-down list, and click Next.

h. On the Select appliance size page, click Next, as there is only one appliance size for the
Platform Services Controller.
i. On the Select datastore page, select the SFO01A-VSAN01-MGMT01 datastore to deploy
the Platform Services Controller on, select the Enable Thin Disk Mode check box, and
click Next.


j. On the Network Settings page, enter the following settings, and click Next.

Setting Value

Choose a network vDS-Mgmt-Management

IP address family IPv4

Network type Static

Network address 172.16.11.63

System name comp01psc01.sfo01.rainpole.local

Subnet mask 255.255.255.0

Network gateway 172.16.11.253

Network DNS servers 172.16.11.5

Configure time sync ntp.sfo01.rainpole.local, ntp.lax01.rainpole.local

Enable SSH Enabled (Select checkbox)

k. On the Ready to complete page, review the configuration, and click Finish to start the
deployment.

2.4.2 Join the Platform Services Controller for the Compute vCenter Server to the Active Directory in Region A
After you have successfully installed the external Platform Services Controller for the compute cluster,
you must join it to the Active Directory.


Procedure
Log in to the Platform Services Controller administration interface.
a. Open a Web browser and go to https://comp01psc01.sfo01.rainpole.local/psc.
b. Log in using the following credentials.

Setting Value

User name [email protected]

Password vsphere_admin_password

Add the Compute Platform Services Controller instance to the Active Directory domain.
a. In the Navigator, click Appliance Settings, click the Manage tab, and click the Join button.

b. In the Join Active Directory Domain dialog box, enter the following settings, and click OK.

Setting Value

Domain sfo01.rainpole.local

User name [email protected]

Password ad_admin_password


Reboot the Platform Services Controller node to apply the changes.


a. Click the Appliance settings tab, and click the VMware Platform Services Appliance link.

b. Log in to the VMware vCenter Server Appliance administration interface using the following
credentials.

Setting Value

User name root

Password comppsc_root_password

c. On the Summary page, click Reboot.

d. In the System Reboot dialog box, click Yes.


e. Click Cancel to log out immediately.
After the reboot process finishes, log in to https://comp01psc01.sfo01.rainpole.local/psc again
by using the following credentials.

Setting Value

User name [email protected]

Password vsphere_admin_password


To verify that the Platform Services Controller successfully joined the domain, click Appliance
Settings, and click the Manage tab.

2.4.3 Deploy the Compute vCenter Server Instance in Region A


After you install and configure the external Platform Services Controller instance for the compute and
edge clusters, you can now install the vCenter Server appliance and assign a license.
Procedure
Start the VMware vCenter Server Appliance deployment wizard.
a. Browse the vCenter Server Appliance ISO file.
b. Open the vcsa-setup.html file in a browser.
c. Click Install to start the installation.

Complete the VMware vCenter Server Appliance deployment wizard.


a. On the End User License Agreement page, select the I accept the terms of the license
agreement check box and click Next.
b. On the Connect to target server page, enter the following settings, and click Next.

Setting Value

FQDN or IP Address mgmt01esx01.sfo01.rainpole.local

User name root

Password esxi_root_user_password


c. In the Certificate Warning dialog box, click Yes to accept the host certificate.
d. On the Set up virtual machine page, enter the following settings, and click Next.

Setting Value

Appliance name comp01vc01.sfo01

OS password compvc_root_password

Confirm OS password compvc_root_password

e. On the Select deployment type page, under External Platform Services Controller, select
the Install vCenter Server (Requires External Platform Services Controller) radio button,
and click Next.


f. On the Configure Single Sign-On (SSO) page, enter the following values, and click Next.

Setting Value

Platform Services Controller FQDN or IP address comp01psc01.sfo01.rainpole.local

vCenter SSO password vsphere_admin_password

vCenter Single Sign-On HTTPS Port 443

g. On the Select appliance size page, select Large (up to 1,000 hosts, 10,000 VMs), and
click Next.


h. On the Select datastore page, select the SFO01A-VSAN01-MGMT01 datastore, select
the Enable Thin Disk Mode check box, and click Next.

i. On the Configure database page, select the Use an embedded database (PostgreSQL) radio
button, and click Next.


j. On the Network Settings page, enter the following settings, and click Next.

Setting Value

Choose a network vDS-Mgmt-Management

IP address family IPv4

Network type Static

Network address 172.16.11.64

System name comp01vc01.sfo01.rainpole.local

Subnet mask 255.255.255.0

Network gateway 172.16.11.253

Network DNS servers 172.16.11.5

Configure time sync ntp.sfo01.rainpole.local, ntp.lax01.rainpole.local

Enable SSH Selected

k. On the Ready to complete page, review the configuration, and click Finish to start the
deployment.
Log in to the Compute vCenter Server by using the vSphere Web Client.
a. Open a Web browser and go to https://mgmt01vc01.sfo01.rainpole.local/vsphere-client.
b. Log in using the following credentials.

Setting Value


User name [email protected]

Password vsphere_admin_password

Assign new licenses for this vCenter Server instance and for the ESXi hosts in the compute and edge
clusters, if a license was not assigned during the Management vCenter Server deployment.
a. In the Navigator, click Home.
b. Click Licensing.
c. Click the Licenses tab.

d. Assign the licenses to the respective assets.

Note Verify that you have the licenses required for this functionality. Talk to your VMware
representative for details.

e. Click the Assets tab.


f. Select the vCenter Server instance, and click the Assign License icon.

g. Select the vCenter Server license that you entered in the previous step, and click OK.
Assign the vCenter Server Administrator role to the vCenterAdmins domain group.
a. In the Navigator, click Home.
b. Click Hosts and Clusters.
c. Select the comp01vc01.sfo01.rainpole.local tree.
d. Click the Manage tab, click Permissions, and click the Add icon.


e. In the comp01vc01.sfo01.rainpole.local - Add Permission dialog box, click the Add button.
f. In the Select Users/Groups dialog box, select SFO01 from the Domain drop-down menu.
g. In the search box, enter vCenterAdmins, and press Enter.
h. Select vCenterAdmins, and click Add.

i. Click OK.
j. In the comp01vc01.sfo01.rainpole.local - Add Permission dialog box, select
Administrator as Assigned Role and select the Propagate to children check box.


k. Click OK.

2.4.4 Configure the Compute and Edge Clusters in Region A


After you deploy the Compute vCenter Server, you must now create and configure the compute and
edge clusters.
• Create the clusters.
• Configure DRS.
• Enable the Virtual SAN datastore for the edge cluster.
• Add the hosts to the clusters.
• Add the hosts to the Active Directory domain.
Procedure
Log in to the Compute vCenter Server by using the vSphere Web Client.
a. Open a Web browser and go to https://comp01vc01.sfo01.rainpole.local/vsphere-client.
b. Log in using the following credentials.

Setting Value

User name [email protected]

Password vsphere_admin_password

Create a data center object.


a. In the Navigator, click Hosts and Clusters.


b. Click Actions > New Datacenter.


c. In the New Datacenter dialog box, enter SFO01 as name, and click OK.
Create the compute cluster.
a. Right-click the SFO01 data center and click New Cluster.
b. In the New Cluster wizard, enter the following values, and click OK.

Setting Value

Name SFO01-Comp01

DRS Turn ON Selected

Other DRS Options Default values

vSphere HA Turn ON Deselected

EVC Set EVC mode to the lowest available setting supported for the hosts in the cluster

Virtual SAN Turn ON Deselected

Create the edge cluster.


a. Right-click the SFO01 data center and click New Cluster.
b. In the New Cluster wizard, enter the following values, and click OK.

Setting Value

Name SFO01-Edge01

DRS Turn ON Selected

Other DRS Options Default values


vSphere HA Turn ON Deselected

EVC Set EVC mode to the lowest available setting supported for the hosts in the cluster

Virtual SAN Turn ON Deselected

Add a compute host to the compute cluster.


a. Right-click the SFO01-Comp01 cluster, and click Add Host.
b. On the Name and location page, enter comp01esx01.sfo01.rainpole.local in
the Host name or IP address text box, and click Next.

c. On the Connection settings page, enter the following credentials, and click Next.

Setting Value

User name root


Password esxi_root_user_password

d. In the Security Alert dialog box, click Yes.


e. On the Host summary page, review the host information, and click Next.
f. On the Assign license page, select the ESXi license key that you entered during the vCenter
Server deployment, and click Next.
g. On the Lockdown mode page, leave the default setting, and click Next.
h. On the Resource pool page, leave the default setting, and click Next.
i. On the Ready to complete page, review your entries, and click Finish.
Repeat step 5 for the three remaining hosts, to add them to the compute cluster.

Object FQDN

Compute host 2 comp01esx02.sfo01.rainpole.local

Compute host 3 comp01esx03.sfo01.rainpole.local

Compute host 4 comp01esx04.sfo01.rainpole.local

Repeat step 5 to add hosts to the edge cluster.

Object FQDN

Edge host 1 edge01esx01.sfo01.rainpole.local

Edge host 2 edge01esx02.sfo01.rainpole.local

Edge host 3 edge01esx03.sfo01.rainpole.local

Edge host 4 edge01esx04.sfo01.rainpole.local

Add the ESXi hosts to the Active Directory domain.


a. In the Navigator, click Hosts and Clusters, and expand the entire
comp01vc01.sfo01.rainpole.local tree.
b. Select the comp01esx01.sfo01.rainpole.local host.
c. Click the Manage tab, and click Settings.
d. Under System, select Authentication Services.
e. In the Authentication Services panel, click the Join Domain button.


f. In the Join Domain dialog box, enter the following settings and click OK.

Setting Value

Domain sfo01.rainpole.local

User name [email protected]

Password ad_admin_password

Repeat step 8 to add all remaining hosts to the domain.

Object FQDN

Compute host 2 comp01esx02.sfo01.rainpole.local

Compute host 3 comp01esx03.sfo01.rainpole.local

Compute host 4 comp01esx04.sfo01.rainpole.local

Edge host 1 edge01esx01.sfo01.rainpole.local

Edge host 2 edge01esx02.sfo01.rainpole.local

Edge host 3 edge01esx03.sfo01.rainpole.local

Edge host 4 edge01esx04.sfo01.rainpole.local

Configure the Virtual SAN datastore for the edge cluster.


a. In the Navigator, click Hosts and Clusters.
b. Click the SFO01-Edge01 cluster, click the Manage tab, and click Settings.
c. Under Virtual SAN, select General, and click the Configure button.

d. In the Configure Virtual SAN dialog box, select Automatic in the Disk Claiming drop-down
menu, and click Next.

e. Verify that all hosts have Virtual SAN enabled VMkernel adapters and click Next.


f. On the Ready to complete page, click Finish.


g. With the SFO01-Edge01 cluster selected, click the Related Objects tab, and click
Datastores.
h. Select the vsanDatastore, click the Actions icon, and click Rename.
i. In the Datastore - Rename dialog box, enter SFO01A-VSAN01-EDGE01 as datastore name,
and click OK.

2.4.5 Create a vSphere Distributed Switch for the Compute Cluster in Region A
After all ESXi hosts have been added to the clusters, create the vSphere Distributed Switches, starting
with the switch for the compute cluster.
Procedure
Log in to the Compute vCenter Server by using the vSphere Web Client.
a. Open a Web browser and go to https://comp01vc01.sfo01.rainpole.local/vsphere-client.
b. Log in using the following credentials.

Setting Value

User name [email protected]


Password vsphere_admin_password

Create a vSphere Distributed Switch for the compute cluster.


a. In the Navigator, click Networking.
b. Right-click the SFO01 data center, and select Distributed Switch > New Distributed
Switch to start the New Distributed Switch wizard.
c. On the Name and location page, enter vDS-Comp as the name, and click Next.
d. On the Select version page, ensure the Distributed switch version: 6.0.0 radio button is
selected, and click Next.
e. On the Edit settings page, enter the following values, and click Next.

Setting Value

Number of uplinks 2

Network I/O Control Enabled

Create a default port group Deselected

f. On the Ready to complete page, review your entries, and click Finish.
Edit the settings of the vDS-Comp distributed switch.
a. Right-click the vDS-Comp distributed switch, and select Settings > Edit Settings.
b. Click the Advanced tab.
c. Enter 9000 as MTU (Bytes) value, and click OK.
Create new port groups in the vDS-Comp distributed switch.
a. Right-click the vDS-Comp distributed switch, and select Distributed Port Group > New
Distributed Port Group.
b. Create port groups with the following settings, and click Next.

Port Group Name Port Binding VLAN type VLAN ID

vDS-Comp-Management Static binding VLAN 1621

vDS-Comp-vMotion Static binding VLAN 1622

vDS-Comp-NFS Static binding VLAN 1625

Note The port group for VXLAN traffic is automatically created later during the configuration of the
NSX Manager for the compute and edge clusters.


c. On the Ready to complete page, review your entries, and click Finish.
Change the port groups to use the Route Based on Physical NIC Load teaming algorithm.
a. Right-click the vDS-Comp distributed switch and select Distributed Port Groups > Manage
Distributed Port Groups.
b. Select Teaming and failover and click Next.
c. Click the Select Distributed Port Groups button, add all port groups and click Next.

d. Select Route based on physical NIC load under Load Balancing and click Next.

Attach the ESXi hosts to the vDS-Comp distributed switch by migrating their VMkernel and virtual
machine network adapters.


a. Right-click the vDS-Comp distributed switch, and click Add and Manage Hosts.
b. On the Select task page, select Add hosts, and click Next.

c. On the Select hosts page, click New hosts.


d. In the Select new hosts dialog box, select all four hosts, and click OK.
e. On the Select hosts page, select the Configure identical network settings (template
mode) check box, and click Next.
f. On the Select template host page, select the first host as a template host, and click Next.
g. On the Select network adapter tasks page, ensure both Manage physical adapters
(Template mode), and Manage VMkernel adapters (template mode) check boxes are
selected, and click Next.
h. On the Manage physical network adapters (template mode) page, click vmnic1,
and click Assign uplink.
i. In the Select an Uplink for vmnic1 dialog box, select Uplink 1, and click OK.
j. On the Manage physical network adapters (template mode) page, click Apply to all, and
click Next.


k. On the Manage VMkernel network adapters (template mode) page, click vmk0, and
click Assign port group.

VMkernel adapter Source Port Group Destination Port Group Port Properties MTU

vmk0 Management Network vDS-Comp-Management Management traffic 1500
l. Select vDS-Comp-Management, and click OK.


m. Select vmk0, and click Edit adapter.
n. In vmk0 - Edit Settings page, under Port properties, select the box for Management traffic.
o. In vmk0 - Edit Settings page, click NIC Settings.
p. Enter the MTU value of 1500, and click OK.
q. On the Manage VMkernel network adapters (template mode) page, click On this switch.

VMkernel adapter Port Group Port Properties IPv4 Address Netmask MTU

vmk1 vDS-Comp-vMotion vMotion traffic 172.16.22.101 255.255.255.0 9000

vmk2 vDS-Comp-NFS N/A 172.16.25.101 255.255.255.0 9000

r. Click + New adapter.
s. On the Add Networking page, browse to and select vDS-Comp-vMotion in the Select Network
dialog box, click OK, and click Next.
t. Under Port properties, select the vMotion traffic check box, and click Next.
u. Under IPv4 settings, select Use static IPv4 settings, enter the IP address and subnet, and
click Next.
v. Click Finish.
w. Select vmk1, and click Edit adapter.
x. In the vmk1 - Edit Settings page, click NIC Settings.
y. Enter the MTU value of 9000, and click OK.
z. Repeat steps to create vmk2.
aa. In the Manage physical network adapters (template mode) page, click Apply to all.
In the comp01esxi01...configuration to other hosts dialog box, enter the IPv4 addresses for
each of the VMkernel adapters, and click OK.

VMkernel adapter IPv4 address

vmk0 172.16.21.102#3

vmk1 172.16.22.102#3


vmk2 172.16.25.102#3

a. On the Analyze impact page, click Next.


b. On the Ready to complete page, review your entries, and click Finish.
Enable vSphere HA for the compute cluster.
a. In the Home > Hosts and Clusters, click the SFO01-Comp01 cluster.
b. Click the Manage tab, click Settings, and click vSphere HA.
c. Click Edit.
d. In the Edit Cluster Settings dialog box, select the Turn on vSphere HA check box.

e. In the Edit Cluster Settings dialog box, under Virtual Machine Monitoring, select VM
Monitoring Only from the drop-down menu.
f. Under Virtual Machine Monitoring, expand the Admission Control settings.
g. Under Admission Control settings, select Define failover capacity by reserving a
percentage of the cluster resources, and enter the following settings.


Setting Value

Reserved failover CPU capacity (% CPU) 25

Reserved failover Memory capacity (% Memory) 25

h. Click OK.
Upgrade Network I/O Control to version 3.
a. In the Navigator, click Networking, and click the SFO01 data center.
b. Click the vDS-Comp distributed switch.
c. Click the Manage tab and click Resource Allocation.
d. Click the Upgrade link next to Version: 2.
e. Click Next in the Upgrade Network I/O Control Overview dialog.
f. Click Next in the Upgrade Network I/O Control Validate prerequisites dialog.
g. Click Finish in the Upgrade Network I/O Control Ready to complete dialog.
Define Network I/O Control shares for the different traffic types on the vDS-Comp distributed
switch.
a. In the Navigator, click the Networking icon, and click the SFO01 data center.
b. Click the vDS-Comp distributed switch.
c. Click the Manage tab, and click Resource Allocation.
d. Under System Traffic, edit each of the following traffic types with the values.

Traffic Type Physical Adapter Shares

Virtual SAN Traffic High

NFS Traffic Low

vMotion Traffic Low

vSphere Replication Traffic Low

Management Traffic Normal

vSphere Data Protection Backup Traffic Low

Virtual Machine Traffic High

Fault Tolerance Traffic Low

iSCSI Traffic Low


Migrate the last physical adapter from the standard switch to the vDS-Comp distributed switch.
a. In the Navigator, click Networking and expand SFO01 data center.
b. Right-click the vDS-Comp distributed switch and select Add and Manage hosts.
c. On the Select task page, select Manage host networking, and click Next.
d. On the Select hosts page, click Attached hosts.
e. In the Select member hosts dialog box, select all ESXi hosts, and click OK.
f. On the Select hosts page, click Next.
g. On the Select network adapter tasks page, select Manage Physical adapters only, and
click Next.
h. On the Manage physical network adapters page, under
comp01esx01.sfo01.rainpole.local, select vmnic0, and click Assign uplink.
i. In the Select an Uplink dialog box, select dvUplink2, and click OK.
j. Assign uplinks for the 3 remaining hosts to reassign their vmnics, and click Next.
k. On the Analyze Impact page, click Next.
l. On the Ready to complete page, click Finish.


2.4.6 Create a vSphere Distributed Switch for the Edge Cluster in Region A
After the vSphere Distributed Switch for the compute cluster is configured, create the vSphere
Distributed Switch for the edge cluster.
Procedure
Log in to the Compute vCenter Server by using the vSphere Web Client.
a. Open a Web browser and go to https://comp01vc01.sfo01.rainpole.local/vsphere-client.
b. Log in using the following credentials.

Setting Value

User name [email protected]

Password vsphere_admin_password

Create a Distributed Virtual Switch for the edge cluster.


a. In the Navigator, click Networking.
b. Right-click the SFO01 data center, and select Distributed Switch > New Distributed
Switch to start the New Distributed Switch wizard.
c. On the Name and location page, enter vDS-Edge as the name, and click Next.
d. On the Select version page, ensure the Distributed switch version - 6.0.0 radio button is
selected, and click Next.
e. On the Edit settings page, enter the following values, and click Next.

Setting Value

Number of uplinks 2

Network I/O Control Enabled

Create a default port group Deselected

f. On the Ready to complete page, review your entries, and click Finish.
Edit the settings of the vDS-Edge distributed switch.
a. Right-click the vDS-Edge distributed switch, and select Settings > Edit Settings.
b. Click the Advanced tab.
c. Enter 9000 as MTU (Bytes) value, and click OK.
Create new port groups in the vDS-Edge distributed switch.
a. Right-click the vDS-Edge distributed switch, and select Distributed Port Group > New
Distributed Port Group.
b. Create port groups with the following settings.

Port Group Name Port Binding VLAN type VLAN ID


vDS-Edge-Management Static binding VLAN 1631

vDS-Edge-vMotion Static binding VLAN 1632

vDS-Edge-VSAN Static binding VLAN 1633

vDS-Edge-Uplink01 Static binding VLAN 1635

vDS-Edge-Uplink02 Static binding VLAN 2713

vDS-Edge-Ext-Tenants Static binding VLAN 140

Note The port group for VXLAN traffic is automatically created later during the configuration of the
NSX Manager for the compute and edge clusters.

c. On the Ready to complete page, review your entries, and click Finish.
Change Port Groups to use the Route Based on Physical NIC Load teaming algorithm.
a. Right-click the vDS-Edge distributed switch and select Distributed Port Groups > Manage
Distributed Port Groups.
b. Select Teaming and failover and click Next.
c. Click the Select Distributed Port Groups button and add all port groups and click Next.

d. Select Route based on physical NIC load under Load Balancing and click Next.


e. Click Finish.
Attach the ESXi hosts to the vDS-Edge distributed switch by migrating their VMkernel and virtual
machine network adapters.
a. Right-click the vDS-Edge distributed switch, and click Add and Manage Hosts.
b. On the Select task page, select Add hosts, and click Next.

c. On the Select hosts page, click New hosts.


d. In the Select new hosts dialog box, select all four hosts, and click OK.
e. On the Select hosts page, select Configure identical network settings...(template
mode) check box, and click Next.
f. On the Select template host page, select the first host as a template host, and click Next.
g. On the Select network adapter tasks page, ensure both Manage physical adapters
(Template mode) and Manage VMkernel adapters (template mode) check boxes are
checked, and click Next.
h. On the Manage physical network adapters (template mode) page, click vmnic1,
and click Assign uplink.
i. In the Select an Uplink for vmnic1 dialog box, select Uplink 1, and click OK.
j. On the Manage physical network adapters (template mode) page, click Apply to all, and
click Next.


k. On the Manage VMkernel network adapters (template mode) page, click vmk0, and
click Assign port group.

VMkernel adapter Source Port Group Destination Port Group Port Properties MTU

vmk0 Management Network vDS-Edge-Management Management traffic 1500

l. Select vDS-Edge-Management, and click OK.


m. Select vmk0, and click Edit adapter.
n. In the vmk0 - Edit Settings page, under Port properties, select the Management traffic check box.
o. In the vmk0 - Edit Settings page, click NIC Settings.
p. Enter the MTU value of 1500, and click OK.
q. On the Manage VMkernel network adapters (template mode) page, click On this switch.

VMkernel adapter Port Group Port Properties IPv4 Address Netmask MTU

vmk1 vDS-Edge-vMotion vMotion traffic 172.16.32.101 255.255.255.0 9000

vmk2 vDS-Edge-VSAN Virtual SAN traffic 172.16.33.101 255.255.255.0 9000

r. Click + New adapter.
s. On the Add Networking page, browse to and select vDS-Edge-vMotion in the Select Network
dialog box, click OK, and click Next.
t. Under Port properties, select the vMotion traffic check box, and click Next.
u. Under IPv4 settings, select the Use static IPv4 settings radio button, enter the IP address
and subnet, and click Next.
v. Click Finish.
w. Select vmk1, and click Edit adapter.
x. In the vmk1 - Edit Settings page, click NIC Settings.
y. Enter the MTU value of 9000, and click OK.


z. Repeat the preceding steps to create vmk2.
aa. On the Manage VMkernel network adapters (template mode) page, click Apply to all.
In the edge01esxi01...configuration to other hosts dialog box, enter the IPv4 addresses for
each of the VMkernel adapters, and click OK.

VMkernel adapter IPv4 address

vmk0 172.16.31.102#3

vmk1 172.16.32.102#3

vmk2 172.16.33.102#3

a. On the Analyze impact page, click Next.


b. On the Ready to complete page, review your entries, and click Finish.
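The VMkernel address tables for vDS-Comp (in 2.4.5) and vDS-Edge (above) use the shorthand 172.16.21.102#3 for the hosts other than the template host. The following added example, which is not part of the deployment guide, expands that shorthand into a per-host plan for both switches and checks the plan against the port-group tables (one VLAN and one subnet per traffic type, every address inside its subnet, no address used twice, and the MTU the guide prescribes). Reading the shorthand as .102 through .104, and .101 as the template host's management address, are assumptions.

```python
"""Per-host VMkernel address plan for the vDS-Comp and vDS-Edge steps.

Added example; it is not part of the deployment guide. The "172.16.21.102#3"
shorthand is read as "start at .102 and allot three more hosts", and the
template host's vmk0 address is assumed to be .101 (the guide's vmk0 row
carries no address).
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class VmkSpec:
    """One VMkernel adapter row as entered on the template host."""
    name: str          # vmk0, vmk1, vmk2
    port_group: str
    vlan: int          # VLAN ID of the port group, from the port-group table
    service: str       # Management, vMotion, NFS, Virtual SAN
    template_ip: str   # address entered on the template host
    netmask: str
    mtu: int


# Transcribed from the vDS-Comp tables (vmk0 address assumed, see above).
COMP_SPECS = [
    VmkSpec("vmk0", "vDS-Comp-Management", 1621, "Management", "172.16.21.101", "255.255.255.0", 1500),
    VmkSpec("vmk1", "vDS-Comp-vMotion", 1622, "vMotion", "172.16.22.101", "255.255.255.0", 9000),
    VmkSpec("vmk2", "vDS-Comp-NFS", 1625, "NFS", "172.16.25.101", "255.255.255.0", 9000),
]
COMP_OTHER_HOSTS = {"vmk0": "172.16.21.102#3", "vmk1": "172.16.22.102#3", "vmk2": "172.16.25.102#3"}

# Transcribed from the vDS-Edge tables (vmk0 address assumed).
EDGE_SPECS = [
    VmkSpec("vmk0", "vDS-Edge-Management", 1631, "Management", "172.16.31.101", "255.255.255.0", 1500),
    VmkSpec("vmk1", "vDS-Edge-vMotion", 1632, "vMotion", "172.16.32.101", "255.255.255.0", 9000),
    VmkSpec("vmk2", "vDS-Edge-VSAN", 1633, "Virtual SAN", "172.16.33.101", "255.255.255.0", 9000),
]
EDGE_OTHER_HOSTS = {"vmk0": "172.16.31.102#3", "vmk1": "172.16.32.102#3", "vmk2": "172.16.33.102#3"}

_SHORTHAND = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})#(\d+)$")


def expand_shorthand(value: str) -> list[str]:
    """Expand "172.16.21.102#3" to .102, .103, .104; a plain address is returned as is."""
    match = _SHORTHAND.match(value)
    if not match:
        return [str(ipaddress.IPv4Address(value))]
    first = ipaddress.IPv4Address(match.group(1))
    return [str(first + offset) for offset in range(int(match.group(2)))]


def build_plan(specs: list[VmkSpec], other_hosts: dict[str, str]) -> dict[str, list[str]]:
    """Map each adapter name to its addresses for hosts 1..N (template host first)."""
    return {s.name: [s.template_ip] + expand_shorthand(other_hosts[s.name]) for s in specs}


def check_plan(specs: list[VmkSpec], plan: dict[str, list[str]]) -> list[str]:
    """Return a list of findings; an empty list means the plan is consistent."""
    findings: list[str] = []
    seen_vlans: dict[int, str] = {}
    seen_subnets: dict[ipaddress.IPv4Network, str] = {}
    owners: dict[str, str] = {}          # address -> adapter that already uses it
    host_counts = {len(addrs) for addrs in plan.values()}
    if len(host_counts) > 1:
        findings.append(f"adapters cover different host counts: {sorted(host_counts)}")
    for spec in specs:
        # Each traffic type must sit on its own VLAN and its own subnet.
        if spec.vlan in seen_vlans:
            findings.append(f"{spec.port_group}: VLAN {spec.vlan} already used by {seen_vlans[spec.vlan]}")
        seen_vlans[spec.vlan] = spec.port_group
        subnet = ipaddress.IPv4Network(f"{spec.template_ip}/{spec.netmask}", strict=False)
        if subnet in seen_subnets:
            findings.append(f"{spec.port_group}: subnet {subnet} already used by {seen_subnets[subnet]}")
        seen_subnets[subnet] = spec.port_group
        # The guide sets 1500 on management and 9000 on the other adapters (switch MTU is 9000).
        expected_mtu = 1500 if spec.service == "Management" else 9000
        if spec.mtu != expected_mtu:
            findings.append(f"{spec.name}: MTU {spec.mtu}, guide prescribes {expected_mtu} for {spec.service}")
        for addr in plan.get(spec.name, []):
            if ipaddress.IPv4Address(addr) not in subnet:
                findings.append(f"{spec.name}: {addr} is outside {subnet} ({spec.port_group})")
            if addr in owners:
                findings.append(f"{addr} assigned to both {owners[addr]} and {spec.name}")
            owners[addr] = spec.name
    return findings


if __name__ == "__main__":
    for label, specs, others in (("vDS-Comp", COMP_SPECS, COMP_OTHER_HOSTS),
                                 ("vDS-Edge", EDGE_SPECS, EDGE_OTHER_HOSTS)):
        plan = build_plan(specs, others)
        for name, addrs in plan.items():
            print(f"{label} {name}: {', '.join(addrs)}")
        print(f"{label} findings: {check_plan(specs, plan) or 'none'}")
```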
Enable vSphere HA for the edge cluster.
a. In the Home > Hosts and Clusters, click the SFO01-Edge01 cluster.
b. Click the Manage tab, click Settings, and click vSphere HA.
c. Click Edit.
d. In the Edit Cluster Settings dialog box, select the Turn on vSphere HA check box.


e. In the Edit Cluster Settings dialog box, under Virtual Machine Monitoring, select VM
Monitoring Only from the drop-down menu.
f. Under Virtual Machine Monitoring, expand the Failure conditions and VM response
setting.
g. Select Power off and restart VMs from the Response for Host Isolation drop-down menu.

h. Under Virtual Machine Monitoring, expand the Admission Control settings.


i. Under Admission Control settings, select Define failover capacity by reserving a
percentage of the cluster resources, and enter the following settings.

Setting Value

Reserved failover CPU capacity (% CPU) 25

Reserved failover Memory capacity (% Memory) 25


j. Click OK.
Upgrade Network I/O Control to version 3.
a. In the Navigator, click Networking, and click the SFO01 data center.
b. Click the vDS-Edge distributed switch.
c. Click the Manage tab and click Resource Allocation.
d. Click the Upgrade link next to Version: 2.
e. Click Next in the Upgrade Network I/O Control Overview dialog.
f. Click Next in the Upgrade Network I/O Control Validate prerequisites dialog.
g. Click Finish in the Upgrade Network I/O Control Ready to complete dialog.
Define Network I/O Control Share values for the different traffic types on the vDS-
Edge distributed switch.
a. In the Navigator, click the Networking icon, and click the SFO01 data center.
b. Click the vDS-Edge distributed switch.
c. Click the Manage tab, and click Resource Allocation.
d. Under System Traffic, edit each of the following traffic types with the values from the table.

Traffic Type Physical Adapter Shares

Virtual SAN Traffic High

NFS Traffic Low

vMotion Traffic Low

vSphere Replication Traffic Low

Management Traffic Normal

vSphere Data Protection Backup Traffic Low

Virtual Machine Traffic High

Fault Tolerance Traffic Low

iSCSI Traffic Low


Migrate the last physical adapter from the standard switch to the vDS-Edge distributed switch.
a. In the Navigator, click Networking and expand SFO01 datacenter.
b. Right-click the vDS-Edge distributed switch and select Add and Manage hosts.
c. On the Select task page, select Manage host networking, and click Next.
d. On the Select hosts page, click Attached hosts.
e. In the Select member hosts dialog box, select all four ESXi hosts, and click OK.
f. On the Select hosts page, click Next.
g. On the Select network adapter tasks page, select Manage Physical adapters only, and
click Next.
h. On the Manage physical network adapters page, under
edge01esx01.sfo01.rainpole.local, select vmnic0, and click Assign uplink.
i. In the Select an Uplink dialog box, select dvUplink2, and click OK.
j. Assign uplinks for the 3 remaining hosts to reassign their vmnics, and click Next.
k. On the Analyze Impact page, click Next.
l. On the Ready to complete page, click Finish.


2.4.7 Change the Default Domain Administration Group on the ESXi Hosts in
the Compute and Edge Clusters in Region A
Change the default ESX Admins group to achieve greater levels of security by removing a known
administrative access point.
Procedure
Log in to the Compute vCenter Server, by using the vSphere Web Client.
a. Open a Web browser and go
to https://comp01vc01.sfo01.rainpole.local/vsphere-client.
b. Log in using the following credentials.

Setting Value

User name [email protected]

Password vsphere_admin_password

In the Navigator, click Hosts and Clusters.


Expand the entire vCenter Server inventory tree, and select the comp01esx01.sfo01.rainpole.local host.
Click the Manage tab and the Settings subtab, and click System > Advanced System Settings.
In the search box, enter esxAdmins and wait for the search results.
Select Config.HostAgent.plugins.hostsvc.esxAdminsGroup, and click the Edit icon to change the ESXi host admin group.
In the plugins.hostsvc.esxAdminsGroup text box, enter SDDC-Admins, and click OK.


Repeat the steps for all remaining hosts in the compute and edge clusters.

Object FQDN

Compute host 2 comp01esx02.sfo01.rainpole.local

Compute host 3 comp01esx03.sfo01.rainpole.local

Compute host 4 comp01esx04.sfo01.rainpole.local

Edge host 1 edge01esx01.sfo01.rainpole.local

Edge host 2 edge01esx02.sfo01.rainpole.local

Edge host 3 edge01esx03.sfo01.rainpole.local

Edge host 4 edge01esx04.sfo01.rainpole.local

Reboot all hosts in the compute and edge clusters.

2.4.8 Mount NFS Storage for the Compute Cluster in Region A


You must mount an NFS datastore for the content library consumed by vRealize Automation for
virtual machine provisioning.
Procedure
Log in to the Compute vCenter Server, by using the vSphere Web Client.
a. Open a Web browser and go
to https://comp01vc01.sfo01.rainpole.local/vsphere-client.
b. Log in using the following credentials.

Setting Value

User name [email protected]

Password vsphere_admin_password

Create a datastore for the SFO01-Comp01 cluster.


a. In the Navigator, select vCenter Inventory Lists, and select Datastores.
b. Click the Create a New Datastore icon.


c. On the Location page, under comp01vc01.sfo01.rainpole.local, under SFO01 data center, select the SFO01-Comp01 cluster, and click Next.

d. On the Type page, select NFS and click Next.


e. On the NFS version page, select NFS 3, and click Next.
f. On the Name and configuration page, enter the following datastore information, and click
Next.

Setting Value

Datastore Name SFO01A-NFS01-VRALIB01

Folder /V2D_vRA_ComputeA_1TB

Server 172.16.25.251


g. On the Host accessibility page, select all the hosts that require access to the datastore, and
click Next.

h. On the Ready to complete page, review the configuration, and click Finish.


2.4.9 Configure Lockdown Mode on All ESXi Hosts (Region A)


To increase security of your ESXi hosts, you put them in Lockdown mode, so that administrative
operations can be performed only from vCenter Server.
vSphere supports an Exception User list, which is for service accounts that have to log in to the host
directly. Accounts with administrator privileges that are on the Exception Users list can log in to the
ESXi Shell. In addition, these users can log in to a host's DCUI in normal lockdown mode and can exit
lockdown mode.
Procedure
Log in to the Compute vCenter Server, by using the vSphere Web Client.
a. Open a Web browser and go
to https://comp01vc01.sfo01.rainpole.local/vsphere-client.
b. Log in using the following credentials.

Setting Value

User name [email protected]

Password vsphere_admin_password

Activate normal lockdown mode on the mgmt01esx01.sfo01.rainpole.local host.


a. In the Navigator, click Hosts and Clusters, expand the
entire mgmt01vc01.sfo01.rainpole.local tree.
b. Select the mgmt01esx01.sfo01.rainpole.local host.
c. Click the Manage tab and click Settings.
d. Under System, select Security Profile.
e. In the Lockdown Mode panel, click Edit.

f. In the Lockdown Mode dialog box, select the Normal radio button, and click OK.


Repeat the previous step to enable normal lockdown mode for all remaining hosts in the data
center.

Object FQDN

Management host 2 mgmt01esx02.sfo01.rainpole.local

Management host 3 mgmt01esx03.sfo01.rainpole.local

Management host 4 mgmt01esx04.sfo01.rainpole.local

Compute host 1 comp01esx01.sfo01.rainpole.local

Compute host 2 comp01esx02.sfo01.rainpole.local

Compute host 3 comp01esx03.sfo01.rainpole.local

Compute host 4 comp01esx04.sfo01.rainpole.local

Edge host 1 edge01esx01.sfo01.rainpole.local

Edge host 2 edge01esx02.sfo01.rainpole.local

Edge host 3 edge01esx03.sfo01.rainpole.local

Edge host 4 edge01esx04.sfo01.rainpole.local
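The two hardening steps above (replacing the default ESX Admins group in section 2.4.7 and enabling normal lockdown mode in section 2.4.9) are easy to miss on one host out of eleven, and a host left at the defaults keeps a known administrative access point. The following is an added example, not part of the guide: a compliance check that evaluates an inventory export of host settings against the values the guide prescribes. The HostState records are a constructed sample of what such an export would contain (the account name svc-backup and the reboot_pending flag are assumptions); nothing here talks to a live vCenter Server.

```python
"""Compliance check for the ESXi hardening steps in 2.4.7 and 2.4.9 (added example)."""
from __future__ import annotations

from dataclasses import dataclass, field

DEFAULT_ADMIN_GROUP = "ESX Admins"     # ESXi factory default, the access point being removed
EXPECTED_ADMIN_GROUP = "SDDC-Admins"   # value the guide sets in Config.HostAgent.plugins.hostsvc.esxAdminsGroup
EXPECTED_LOCKDOWN = "normal"           # lockdown mode the guide enables on every host
# Accounts permitted on the lockdown Exception Users list. Assumption: the design
# documents no exception users, so the allowlist is empty and any entry is a finding.
ALLOWED_EXCEPTION_USERS: frozenset[str] = frozenset()


@dataclass
class HostState:
    """Constructed view of one host's settings, as an inventory export would report them."""
    fqdn: str
    esx_admins_group: str
    lockdown_mode: str                      # "disabled", "normal" or "strict"
    exception_users: list[str] = field(default_factory=list)
    reboot_pending: bool = False            # admin-group change is only applied after the reboot


def check_host(host: HostState) -> list[str]:
    """Return the list of deviations from the guide's expected state for one host."""
    findings: list[str] = []
    if host.esx_admins_group == DEFAULT_ADMIN_GROUP:
        findings.append("esxAdminsGroup is still the factory default 'ESX Admins'")
    elif host.esx_admins_group != EXPECTED_ADMIN_GROUP:
        findings.append(
            f"esxAdminsGroup is '{host.esx_admins_group}', expected '{EXPECTED_ADMIN_GROUP}'")
    if host.reboot_pending:
        findings.append("admin group change not yet applied: host reboot pending")
    if host.lockdown_mode == "disabled":
        findings.append("lockdown mode disabled: direct host logins are permitted")
    elif host.lockdown_mode != EXPECTED_LOCKDOWN:
        findings.append(f"lockdown mode is '{host.lockdown_mode}', expected '{EXPECTED_LOCKDOWN}'")
    unexpected = sorted(set(host.exception_users) - ALLOWED_EXCEPTION_USERS)
    if unexpected:
        findings.append("unexpected lockdown exception users: " + ", ".join(unexpected))
    return findings


def compliance_report(hosts: list[HostState]) -> dict[str, list[str]]:
    """Map each host FQDN to its findings (an empty list means compliant)."""
    return {host.fqdn: check_host(host) for host in hosts}


def non_compliant_hosts(report: dict[str, list[str]]) -> list[str]:
    """FQDNs that have at least one finding, sorted for stable output."""
    return sorted(fqdn for fqdn, findings in report.items() if findings)


# Constructed sample: one compliant host, one untouched host, one half-finished host.
SAMPLE_HOSTS = [
    HostState("comp01esx01.sfo01.rainpole.local", "SDDC-Admins", "normal"),
    HostState("edge01esx03.sfo01.rainpole.local", "ESX Admins", "disabled"),
    HostState("mgmt01esx02.sfo01.rainpole.local", "SDDC-Admins", "normal",
              exception_users=["svc-backup"], reboot_pending=True),
]

if __name__ == "__main__":
    for fqdn, findings in compliance_report(SAMPLE_HOSTS).items():
        print(fqdn, "OK" if not findings else "; ".join(findings))
```

Run on a real export, the report is the list to work through before the reboot step: the host still carrying the default group and the host with an unexpected exception user are the ones that keep a login path outside vCenter Server.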


2.5 Deploy and Configure the Compute and Edge Clusters NSX
Instance in Region A
 Deploy the NSX Manager for the Compute and Edge Clusters NSX Instance in Region A
 Deploy the NSX Controllers for the Compute and Edge Clusters NSX Instance in Region A
 Prepare the ESXi Hosts in the Compute and Edge Clusters for NSX in Region A
 Configure the NSX Logical Network for the Compute and Edge Clusters in Region A
 Configure NSX Dynamic Routing in Compute and Edge Clusters in Region A

 Test the Compute and Edge Clusters NSX Configuration in Region A

2.5.1 Deploy the NSX Manager for the Compute and Edge Clusters NSX
Instance in Region A
You must first deploy the NSX Manager virtual appliance. After the NSX Manager is successfully
deployed you must connect it to the Management vCenter Server instance.
Procedure
Log in to vCenter Server by using the vSphere Web Client.
a. Open a Web browser and go
to https://comp01vc01.sfo01.rainpole.local/vsphere-client.
b. Log in using the following credentials.

Setting Value

User name [email protected]

Password vsphere_admin_password

Assign a service account to the vCenter Server Administrator role.


a. In the Navigator, click Hosts and Clusters.
b. Select the comp01vc01.sfo01.rainpole.local tree.
c. Click the Manage tab, click Permissions, and click the Add icon.

d. In the comp01vc01.sfo01.rainpole.local - Add Permission dialog box, click the Add button.
e. In the Select Users/Groups dialog box, select RAINPOLE from the Domain drop-down
menu.
f. In the search text box, enter svc-nsxmanager, and press Enter.
The svc-nsxmanager is returned in the search results.
g. Select svc-nsxmanager, click the Add button, and click OK.


h. In the comp01vc01.sfo01.rainpole.local - Add Permission dialog box, select Administrator as Assigned Role and select the Propagate to children check box.
i. Click OK.

Open the Deploy OVF Template wizard.


a. In the Navigator, expand the entire mgmt01vc01.sfo01.rainpole.local tree.
b. Right-click the SFO01-Mgmt01 cluster, and click Deploy OVF Template.


Use the Deploy OVF Template wizard to deploy the NSX Manager virtual appliance.
a. On the Select source page, click the Browse button, select the VMware NSX Manager .ova
file, and click Next.
b. On the Review details page, select the Accept extra configuration option check box, and
click Next.
c. On the Accept License Agreements page, click Accept, and click Next.
d. On the Select name and folder page, enter the following settings, and click Next.

Setting Value

Name comp01nsxm01.sfo01

Folder or Datacenter SFO01

e. On the Select storage page, enter the following settings, and click Next.


Setting Value

VM Storage Policy Virtual SAN Default Storage Policy

Datastore SFO01A-VSAN01-MGMT01

f. On the Setup networks page, under Destination, select vDS-Mgmt-Management, and click Next.
g. On the Customize template page, expand the different options, enter the following settings,
and click Next.

Setting Value

CLI "admin" User Password / enter compnsx_admin_password

CLI "admin" User Password / confirm compnsx_admin_password

CLI Privilege Mode Password / enter compnsx_priviledge_password

CLI Privilege Mode Password / confirm compnsx_priviledge_password

Hostname comp01nsxm01.sfo01.rainpole.local

Network 1 IPv4 Address 172.16.11.66

Network 1 Netmask 255.255.255.0

Default IPv4 Gateway 172.16.11.253

DNS Server List 172.16.11.5

Domain Search List sfo01.rainpole.local


NTP Server List ntp.sfo01.rainpole.local, ntp.lax01.rainpole.local

Enable SSH Selected

h. On the Ready to complete page, select the Power on after deployment check box, and
click Finish.

Connect the NSX Manager to the Compute vCenter Server.


a. Open a Web browser and go to https://comp01nsxm01.sfo01.rainpole.local.
b. Log in using the following credentials.

Setting Value

User name admin

Password compnsx_admin_password

c. Click Manage vCenter Registration.


d. Under Lookup Service, click the Edit button.
e. In the Lookup Service dialog box, enter the following settings, and click OK.

Setting Value

Lookup Service IP comp01psc01.sfo01.rainpole.local

Lookup Service Port 443

SSO Administrator User Name [email protected]


Password vsphere_admin_password

f. In the Trust Certificate? dialog box, click Yes.


g. Under vCenter Server, click the Edit button.
h. In the vCenter Server dialog box, enter the following settings, and click OK.

Setting Value

vCenter Server comp01vc01.sfo01.rainpole.local

vCenter User Name [email protected]

Password svc-nsxmanager_password

i. In the Trust Certificate? dialog box, click Yes.


j. Wait until the Status indicators for the Lookup Service and vCenter Server change
to Connected.
Log out of the vCenter Server session in the vSphere Web Client.
Log in to the Management vCenter Server by using the vSphere Web Client.
a. Using a Web browser go to https://mgmt01vc01.sfo01.rainpole.local/vsphere-client.
b. Log in using the following credentials.

Setting Value

User name [email protected]

Password svc-nsxmanager_password

Assign the [email protected] account access to NSX.


a. In the Navigator, click Network & Security.
b. Select NSX Managers.
c. Select 172.16.11.66 from the tree control.
d. Click the Manage tab, then click Users.


e. Click the Add icon.


f. In the Assign Role dialog box enter [email protected] and click Next.

g. Select Enterprise Administrator and click Finish.

Log out from the vCenter Server session in the vSphere Web Client.

2.5.2 Deploy the NSX Controllers for the Compute and Edge Clusters NSX
Instance in Region A
After the NSX Manager is successfully connected to the Compute vCenter Server, you must deploy
the three NSX Controller nodes that form the NSX Controller cluster. It is important to deploy every
node only after the previous one is successfully deployed.
Procedure
Log in to vCenter Server by using the vSphere Web Client.
a. Using a Web browser go to https://comp01vc01.sfo01.rainpole.local/vsphere-client.
b. Log in with the following credentials.


Setting Value

User name [email protected]

Password vsphere_admin_password

Promote the NSX Manager to the primary role.


a. Under Inventories, click Networking & Security.
b. In the Navigator, click Installation.
c. On the Management tab click the 172.16.11.66 instance.
d. Click the Actions menu and click Assign Primary Role.

e. Click Yes to confirm the assignment.


Configure an IP pool for the NSX Controller Cluster.
a. In the Navigator, click NSX Managers.
b. Under NSX Managers, click the 172.16.11.66 instance.
c. Click the Manage tab, click Grouping Objects, click IP Pools, and click the Add New IP
Pool icon.
d. In the Add Static IP Pool dialog box, enter the following settings, and click OK.

Setting Value

Name Edge01-NSXC01

Gateway 172.16.31.253

Prefix Length 24

Primary DNS 172.16.11.5

DNS Suffix sfo01.rainpole.local

Static IP Pool 172.16.31.118-172.16.31.120

Deploy the NSX Controller cluster.


a. In the Navigator, click Networking & Security to go back, and click Installation.
b. Under NSX Controller nodes, click the Add icon to deploy three NSX Controller nodes
with the same configuration.


c. In the Add Controller page, enter the following settings and click OK.

Note You may only configure the password during the deployment of the first controller. The other
controllers will use the same password.

Setting Value

NSX Manager 172.16.11.66

Datacenter SFO01

Cluster/Resource Pool SFO01-Edge01

Datastore SFO01A-VSAN01-EDGE01

Connected To vDS-Edge-Management

IP Pool Edge01-NSXC01

Password compnsx_controllers_password

Confirm Password compnsx_controllers_password


d. After the Status of the controller node changes to Normal, repeat the step and deploy the
remaining two NSX Controller nodes, with the same configuration, that form the controller
cluster.

Configure DRS affinity rules for the NSX Controllers.


a. Navigate back to the Home page.
b. In the Navigator, click Hosts and Clusters, and expand the
comp01vc01.sfo01.rainpole.local tree.
c. Select the SFO01-Edge01 cluster, and click the Manage tab.
d. Under Configuration, click VM/Host Rules.
e. Under VM/Host Rules, click Add.


f. In the SFO01-Edge01 - Create VM/Host Rule dialog box, enter the following settings, and
click Add.

Setting Value

Name Edge_NSX_Controllers

Enable rule Selected

Type Separate Virtual Machine

g. In the Add Rule Member dialog box, select the three NSX Controller VMs, and click OK.
h. In the SFO01-Edge01 - Create VM/Host Rule dialog box, click OK.

2.5.3 Prepare the ESXi Hosts in the Compute and Edge Clusters for NSX in
Region A
You install the NSX kernel modules on the compute and edge clusters ESXi hosts so that you are
able to use NSX.
Procedure
Log in to vCenter Server by using the vSphere Web Client.
a. Using a Web browser go to https://comp01vc01.sfo01.rainpole.local/vsphere-client.
b. Log in using the following credentials.

Setting Value

User name [email protected]

Password vsphere_admin_password

Install the NSX kernel modules on the compute and edge clusters ESXi hosts.
a. In the Navigator, click Networking & Security.
b. In the Navigator, click Installation, then click the Host Preparation tab.
c. Change the NSX Manager that you edit to 172.16.11.66.
d. Under Installation Status, click Install for both the SFO01-Edge01 and SFO01-Comp01
clusters.
Verify that the Installation Status column shows the NSX version for all hosts in the cluster to
confirm the successful installation of the NSX kernel modules.


2.5.4 Configure the NSX Logical Network for the Compute and Edge Clusters
in Region A
After all the deployment tasks are ready, you must configure the NSX logical network. Complete this
process in three main steps:
 Configure the Segment ID allocation.
 Configure the VXLAN networking.
 Configure the transport zone.
Procedure
Log in to vCenter Server by using the vSphere Web Client.
a. Open a Web browser and go to
https://comp01vc01.sfo01.rainpole.local/vsphere-client.
b. Log in using the following credentials.

Setting Value

User name [email protected]

Password vsphere_admin_password

Configure the Segment ID allocation.


a. In the Navigator, click Networking & Security.
b. Click Installation, click Logical Network Preparation, and click Segment ID.
c. Change to the NSX Manager labelled 172.16.11.66.
d. Click Edit, enter the following settings, and click OK.

Setting Value

Segment ID pool 5000-9000

Enable Multicast addressing Selected

Multicast addresses 239.1.0.0-239.1.255.255

Universal Segment ID Pool 20000-29000


Enable Universal Multicast addressing Selected

Universal Multicast addresses 239.1.0.0-239.1.255.255

Configure the VXLAN networking.


a. Click the Host Preparation tab.
b. Under VXLAN, click Not Configured on the row labelled SFO01-Comp01, enter the following
settings, and click OK.

Setting Value

Switch vDS-Comp

VLAN 1624

MTU 9000

VMKNic IP Addressing Use DHCP

VMKNic Teaming Policy Load Balance - SRCID

VTEP 2

c. Under VXLAN, click Not Configured on the row labelled SFO01-Edge01, enter the following
settings, and click OK.

Setting Value

Switch vDS-Edge


VLAN 1634

MTU 9000

VMKNic IP Addressing Use DHCP

VMKNic Teaming Policy Load Balance - SRCID

VTEP 2

Configure the transport zone.


a. With Installation still selected in the Navigator, click the Logical Network Preparation tab,
and click Transport Zones.
b. Change to the NSX Manager labelled 172.16.11.66.
c. Click the Add New Transport zone icon, enter the following settings, and click OK.

Setting Value

Mark this object for Universal Synchronization Selected

Name Comp Universal Transport Zone

Replication mode Hybrid

Select clusters part of the Transport Zone SFO01-Edge01, SFO01-Comp01
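The three tables above list values without the constraints behind them: the local and universal segment ID pools must not overlap (a VNI handed out by both would collide), multicast addresses must come from the administratively scoped 239.0.0.0/8 block, the VTEP MTU must carry the VXLAN encapsulation overhead (NSX for vSphere documents 1600 bytes as the minimum), and more than one VTEP per host is only possible with the source-ID or source-MAC teaming policies. The following is an added example, not part of the guide: a validator that encodes those rules and is run once against the guide's values and once against a constructed misconfiguration. The 5000 lower bound for segment IDs is the NSX for vSphere limit; the function and parameter names are this example's own.

```python
"""Sanity checks for the NSX logical network parameters in section 2.5.4 (added example)."""
import ipaddress

VXLAN_MIN_MTU = 1600             # NSX for vSphere minimum MTU for VXLAN-carrying uplinks
SEGMENT_ID_MIN = 5000            # lowest segment ID NSX for vSphere accepts
SEGMENT_ID_MAX = 16_777_215      # 24-bit VXLAN network identifier
ADMIN_SCOPED_MULTICAST = ipaddress.IPv4Network("239.0.0.0/8")
MULTI_VTEP_TEAMING = {"Load Balance - SRCID", "Load Balance - SRCMAC"}


def parse_range(text: str) -> tuple[int, int]:
    """'5000-9000' -> (5000, 9000), the notation used in the Segment ID dialog."""
    lo, hi = text.split("-")
    return int(lo), int(hi)


def validate_segment_pools(local: str, universal: str) -> list[str]:
    """Check both pools are inside the VNI space and do not overlap each other."""
    findings = []
    pools = {"local": parse_range(local), "universal": parse_range(universal)}
    for name, (lo, hi) in pools.items():
        if lo > hi:
            findings.append(f"{name} segment ID pool start {lo} is above its end {hi}")
        elif lo < SEGMENT_ID_MIN or hi > SEGMENT_ID_MAX:
            findings.append(f"{name} segment ID pool {lo}-{hi} is outside "
                            f"{SEGMENT_ID_MIN}-{SEGMENT_ID_MAX}")
    (l_lo, l_hi), (u_lo, u_hi) = pools["local"], pools["universal"]
    if l_lo <= u_hi and u_lo <= l_hi:
        findings.append("local and universal segment ID pools overlap")
    return findings


def validate_multicast(range_text: str, label: str) -> list[str]:
    """Check a multicast range is ordered and administratively scoped."""
    first, last = (ipaddress.IPv4Address(a) for a in range_text.split("-"))
    if first > last:
        return [f"{label} multicast range {range_text} is reversed"]
    if first not in ADMIN_SCOPED_MULTICAST or last not in ADMIN_SCOPED_MULTICAST:
        return [f"{label} multicast range {range_text} is outside {ADMIN_SCOPED_MULTICAST}"]
    return []


def validate_vxlan_cluster(name: str, cfg: dict) -> list[str]:
    """Check one cluster's VXLAN settings: MTU, VLAN ID and VTEP/teaming consistency."""
    findings = []
    if cfg["mtu"] < VXLAN_MIN_MTU:
        findings.append(f"{name}: VTEP MTU {cfg['mtu']} is below the {VXLAN_MIN_MTU}-byte VXLAN minimum")
    if not 1 <= cfg["vlan"] <= 4094:
        findings.append(f"{name}: VLAN {cfg['vlan']} is not a valid 802.1Q VLAN ID")
    if cfg["vtep"] > 1 and cfg["teaming"] not in MULTI_VTEP_TEAMING:
        findings.append(f"{name}: {cfg['vtep']} VTEPs need a source-ID or source-MAC "
                        f"teaming policy, got '{cfg['teaming']}'")
    return findings


def validate_logical_network(local_pool: str, universal_pool: str, multicast: str,
                             universal_multicast: str, clusters: dict) -> list[str]:
    """Run every check and return the combined findings (empty when all pass)."""
    findings = validate_segment_pools(local_pool, universal_pool)
    findings += validate_multicast(multicast, "local")
    findings += validate_multicast(universal_multicast, "universal")
    for name, cfg in clusters.items():
        findings += validate_vxlan_cluster(name, cfg)
    return findings


# Values from the guide's tables in section 2.5.4.
GUIDE_SEGMENT_POOL = "5000-9000"
GUIDE_UNIVERSAL_SEGMENT_POOL = "20000-29000"
GUIDE_MULTICAST = "239.1.0.0-239.1.255.255"
GUIDE_CLUSTERS = {
    "SFO01-Comp01": {"switch": "vDS-Comp", "vlan": 1624, "mtu": 9000,
                     "teaming": "Load Balance - SRCID", "vtep": 2},
    "SFO01-Edge01": {"switch": "vDS-Edge", "vlan": 1634, "mtu": 9000,
                     "teaming": "Load Balance - SRCID", "vtep": 2},
}
# Constructed misconfiguration: overlapping pools, link-local multicast, default MTU, wrong teaming.
BAD_CLUSTERS = {"SFO01-Comp01": {"switch": "vDS-Comp", "vlan": 1624, "mtu": 1500,
                                 "teaming": "Failover", "vtep": 2}}

if __name__ == "__main__":
    print(validate_logical_network(GUIDE_SEGMENT_POOL, GUIDE_UNIVERSAL_SEGMENT_POOL,
                                   GUIDE_MULTICAST, GUIDE_MULTICAST, GUIDE_CLUSTERS))
    print(validate_logical_network("5000-25000", "20000-29000", "224.0.0.1-224.0.0.255",
                                   GUIDE_MULTICAST, BAD_CLUSTERS))
```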


2.5.5 Configure NSX Dynamic Routing in Compute and Edge Clusters (Region
A)
NSX for vSphere creates a network virtualization layer on top of which all virtual networks are created.
This layer is an abstraction between the physical and virtual networks. You configure NSX dynamic
routing within the compute and edge clusters, deploying two NSX Edge devices and a Universal
Distributed Logical Router (UDLR).
 Create a Universal Logical Switch for Use as the Transit Network in Compute and Edge Clusters
in Region A
 Deploy NSX Edge Devices for North-South Routing in Compute and Edge Clusters in Region A
 Disable the Firewall Service in the Compute and Edge Clusters in Region A
 Enable and Configure the Border Gateway Protocol in the Compute and Edge Clusters in Region
A
 Verify Peering of Upstream Switches and Establishment of BGP in Compute and Edge Clusters in
Region A
 Deploy the Universal Distributed Logical Router in the Compute and Edge Clusters in Region A
 Configure Universal Distributed Logical Router for Dynamic Routing in Compute and Edge
Clusters in Region A
 Verify Establishment of BGP for the Universal Distributed Logical Router in the Compute and
Edge Clusters in Region A

2.5.5.1. Create a Universal Logical Switch for Use as the Transit Network in Compute and Edge
Clusters in Region A
Create a universal logical switch for use as the transit network.
Procedure
Log in to vCenter Server by using the vSphere Web Client.


a. Open a Web browser and go to https://comp01vc01.sfo01.rainpole.local/vsphere-client.
b. Log in using the following credentials.

Setting Value

User name [email protected]

Password vsphere_admin_password

Create a Universal Logical Switch for use as the Transit Network.


a. Under Inventories, click Networking & Security.
b. In the Navigator, click Logical Switches.
c. Select 172.16.11.66 from the NSX Manager drop-down menu.
d. Click the Add icon.
The New Logical Switch dialog box appears.
In the New Logical Switch dialog box, enter the following settings, and click OK.

Setting Value

Name Universal Transit Network

Transport Zone Comp Universal Transport Zone

Replication Mode Hybrid


2.5.5.2. Deploy NSX Edge Devices for North-South Routing in Compute and Edge Clusters in
Region A
Deploy NSX Edge Devices for North-South routing in the compute and edge clusters.
Repeat this procedure two times to deploy two NSX Edge devices: SFOEDGE-ESG01 and
SFOEDGE-ESG02.

NSX Edge Device Device Name

NSX Edge Device 1 SFOEDGE-ESG01

NSX Edge Device 2 SFOEDGE-ESG02

Procedure
Log in to vCenter Server by using the vSphere Web Client.
a. Open a Web browser and go to
https://comp01vc01.sfo01.rainpole.local/vsphere-client.
b. Log in using the following credentials.

Setting Value

User name [email protected]

Password vsphere_admin_password

Deploy Edge devices for North-South Routing.


In the Navigator, click NSX Edges.
Select 172.16.11.66 from the NSX Manager drop-down menu.
Click the Add icon to create a new NSX Edge.
The New NSX Edge wizard appears.
On the Name and description page, enter the following settings, and click Next.

Setting NSX Edge Device 1 NSX Edge Device 2

Install Type Edge Service Gateway Edge Service Gateway

Name SFOEDGE-ESG01 SFOEDGE-ESG02

Deploy NSX Edge Selected Selected

Enable High Availability Deselected Deselected

On the Settings page, enter the following settings, and click Next.

Setting Value


User name admin

Password edge_admin_password

Enable SSH access Selected

Enable auto rule generation Selected

Edge Control Level logging INFO

On the Configure deployment page, select the Large radio button to specify the Appliance
Size, and click the Add icon.
The Add NSX Edge Appliance dialog box appears.
In the Add NSX Edge Appliance dialog box, enter the following settings, and click OK.

Setting Value

Cluster/Resource Pool SFO01-EDGE01

Datastore SFO01A-VSAN01-EDGE01

Click Next.


Click the Add icon to configure the Uplink01 interface, enter the following settings, and click OK.

Setting SFOEDGE-ESG01 Value SFOEDGE-ESG02 Value

Name Uplink01 Uplink01

Type Uplink Uplink

Connected To vDS-Edge-Uplink01 vDS-Edge-Uplink01

Connectivity Status Connected Connected

Primary IP Address 172.16.35.2 172.16.35.3

Subnet Prefix Length 24 24

MTU 9000 9000

Send ICMP Redirect Selected Selected

Click the Add icon once again to configure the Uplink02 interface, enter the following settings,
and click OK.

Setting SFOEDGE-ESG01 Value SFOEDGE-ESG02 Value

Name Uplink02 Uplink02

Type Uplink Uplink

Connected To vDS-Edge-Uplink02 vDS-Edge-Uplink02


Connectivity Status Connected Connected

Primary IP Address 172.27.13.3 172.27.13.2

Subnet Prefix Length 24 24

MTU 9000 9000

Send ICMP Redirect Selected Selected

Click the Add icon a third time to configure the UDLR interface, enter the following settings, and
click OK.

Setting SFOEDGE-ESG01 Value SFOEDGE-ESG02 Value

Name UDLR UDLR

Type Internal Internal

Connected To Universal Transit Network Universal Transit Network

Connectivity Status Connected Connected

Primary IP Address 192.168.100.1 192.168.100.2

Subnet Prefix Length 24 24

MTU 9000 9000

Send ICMP Redirect Selected Selected

Click Next.
On the Default gateway settings page, deselect the Configure Default Gateway check box,
and click Next.
On the Firewall and HA page click Next.
On the Ready to complete page, review the configuration settings you entered, then click Finish.


Repeat this procedure using the settings for the NSX Edge device labeled SFOEDGE-ESG02.
Upon repeating the procedure for SFOEDGE-ESG02, the Ready to complete page in the New NSX Edge
wizard displays the configuration values shown in the following illustration.


2.5.5.3. Disable the Firewall Service in the Compute and Edge Clusters in Region A
Procedure
Log in to vCenter Server by using the vSphere Web Client.
a. Open a Web browser and go to
https://comp01vc01.sfo01.rainpole.local/vsphere-client.
b. Log in using the following credentials.

Setting Value

User name [email protected]

Password vsphere_admin_password

Under Inventories, click Networking & Security.


In the Navigator, click NSX Edges.
Select 172.16.11.66 from the NSX Manager drop-down menu.
Double-click the SFOEDGE-ESG01 NSX Edge device.
Click the Manage tab, and click Firewall.
On the Firewall page, click the Disable button.
Click the Publish button.
Repeat this procedure for the NSX Edge device SFOEDGE-ESG02.


2.5.5.4. Enable and Configure the Border Gateway Protocol in the Compute and Edge Clusters
in Region A
The Border Gateway Protocol (BGP) is a protocol for exchanging routing information between
gateway hosts (each with its own router) in a network of autonomous systems (AS). BGP is often the
protocol used between gateway hosts on the Internet.
Repeat this procedure two times to enable BGP for both NSX Edge devices: SFOEDGE-ESG01 and
SFOEDGE-ESG02.

NSX Edge Device Device Name

NSX Edge Device 1 SFOEDGE-ESG01

NSX Edge Device 2 SFOEDGE-ESG02

Procedure
Log in to vCenter Server by using the vSphere Web Client.
a. Open a Web browser and go to
https://comp01vc01.sfo01.rainpole.local/vsphere-client.
b. Log in using the following credentials.

Setting Value

User name [email protected]

Password vsphere_admin_password

Under Inventories, click Networking & Security.


In the Navigator, click NSX Edges.
Select 172.16.11.66 from the NSX Manager drop-down menu.
Double-click the SFOEDGE-ESG01 NSX Edge device.
Click the Manage tab, and click Routing.
On the Global Configuration page, enter the following settings.
a. Click the Enable button for ECMP.
b. To configure dynamic routing, click the Edit button next to Dynamic Routing Configuration.
c. Choose Uplink01 as the Router ID.
d. Click Publish Changes.


In the Navigator, click BGP.


Click the Edit button, enter the following settings, and click OK.

Setting Value

Enable BGP Selected

Enable Graceful Restart Selected

Local AS 65000

Click the Add icon to add a Neighbor.


The New Neighbor dialog box appears. You add two neighbors: the first Top of Rack Switch and
the second Top of Rack Switch.
In the New Neighbor dialog box, enter the following values, and click OK.

Setting Value

IP Address 172.27.11.1 This is the IP address of the first Top of Rack Switch.

Remote AS 65001 This is the remote AS of the first Top of Rack Switch.

Weight 60

Keep Alive Time 4 The keep alive value set on the Top of Rack Switch.

Hold Down Time 12 The hold down time set on the Top of Rack Switch.

Password BGP_password


Click the Add icon to add another Neighbor.


The New Neighbor dialog box appears. Add the second Top of Rack switch, whose IP address is
172.27.13.1.
In the New Neighbor dialog box, enter the following values, and click OK.

Setting Value

IP Address 172.27.13.1 This is the IP address of the second Top of Rack Switch.

Remote AS 65001 This is the remote AS of the second Top of Rack Switch.

Weight 60

Keep Alive Time 4 The keep alive value set on the Top of Rack Switch.

Hold Down Time 12 The hold down time set on the Top of Rack Switch.

Password BGP_password


Click the Add icon to add another Neighbor.


The New Neighbor dialog box appears. Configure the Universal Distributed Logical Router
(UDLR) as a neighbor. The IP address 192.168.100.4 is the protocol address that you assign to the
UDLR when you configure it for dynamic routing later in this chapter.
In the New Neighbor dialog box, enter the following values, and click OK.

Setting Value

IP Address 192.168.100.4

Remote AS 65000

Weight 60

Keep Alive Time 1

Hold Down Time 3

Password BGP_password

Click Publish Changes.


The three neighbors that you added are now visible in the Neighbors table. Confirm that the
configuration values that you entered for each neighbor are correct.

In the Navigator, click Route Redistribution.


Click the Edit button.
In the Change redistribution settings dialog box, select the BGP check box.

Click the Add icon for Route Redistribution Table.

In the New Redistribution criteria dialog box, enter the following settings, and click OK.

Setting Value

Prefix Any

Learner Protocol BGP

OSPF Deselected

ISIS Deselected

Connected Selected

Action Permit

Click the Publish Changes button.


The route redistribution configuration is now visible in the Route Redistribution table. Confirm
that the configuration values that you entered are correct.

Repeat this procedure for the NSX Edge device SFOEDGE-ESG02.

2.5.5.5. Verify Peering of Upstream Switches and Establishment of BGP in Compute and Edge
Clusters in Region A
The NSX Edge devices need to establish a connection to each of their upstream BGP switches before
BGP updates can be exchanged. Verify that the NSX Edge devices are successfully peering, and
that BGP routing has been established.
You repeat this procedure for each of the two NSX Edge devices: SFOEDGE-ESG01 and
SFOEDGE-ESG02.
Procedure
1. Log in to the NSX Edge device using a Secure Shell (SSH) client.
a. Open an SSH connection to the NSX Edge device whose peering and BGP configuration you
want to verify. For example, SFOEDGE-ESG01.

NSX Edge Device Device Name

NSX Edge Device 1 SFOEDGE-ESG01

NSX Edge Device 2 SFOEDGE-ESG02

b. Log in using the following credentials.

Setting Value

User name admin

Password edge_admin_password

2. Run the show ip bgp neighbors command to display information about the BGP connections
to neighbors. The BGP State displays Established, UP for each upstream switch that the NSX
Edge device has peered with. Also confirm that the remote AS, keep alive and hold down values
that the command reports for each neighbor match the values that you configured.

Note You have not yet created the Universal Distributed Logical Router (UDLR), so the UDLR
neighbor does not display the Established, UP status message yet.

3. Run the show ip route command to verify that you are receiving routes using BGP, and that
there are multiple routes to BGP learned networks.
You verify multiple routes to BGP learned networks by locating the same route with a different
next-hop IP address. The IP addresses are listed after the word via in the right-side column of the
routing table output. For example, with both upstream switches peered there are two different
routes to the following BGP networks: 0.0.0.0/0 and 172.27.22.0/24, one via each Top of Rack
switch.
You can identify BGP networks by the letter B in the left-side column. Lines beginning with C
(connected) have only a single route.
4. Repeat this procedure for the NSX Edge device SFOEDGE-ESG02.

2.5.5.6. Deploy the Universal Distributed Logical Router in the Compute and Edge Clusters in
Region A
Deploy the Universal Distributed Logical Router (UDLR).
Procedure
1. Log in to vCenter Server by using the vSphere Web Client.
a. Open a Web browser and go to
https://comp01vc01.sfo01.rainpole.local/vsphere-client.
b. Log in using the following credentials.

Setting Value

User name [email protected]

Password vsphere_admin_password

2. Under Inventories, click Networking & Security.
3. In the Navigator, click NSX Edges.
4. Select 172.16.11.66 from the NSX Manager drop-down menu.
5. Click the Add icon to create a new UDLR.
The New NSX Edge wizard appears.
6. On the Name and description page, enter the following settings, and click Next.

Setting Value

Universal Logical (Distributed) Router Selected

Name UDLR01

Deploy Edge Appliance Selected

Enable High Availability Selected

7. On the Settings page, enter the following settings, and click Next.

Setting Value

User Name admin

Password udlr_admin_password

Enable SSH access Selected

Edge Control Level logging INFO

8. On the Configure deployment page, click the Add icon.
The Add NSX Edge Appliance dialog box appears.
9. In the Add NSX Edge Appliance dialog box, enter the following settings, and click OK.

Setting Value

Cluster/Resource Pool SFO01-EDGE01

Datastore SFO01A-VSAN01-EDGE01

10. On the Configure deployment page, click the Add icon a second time to add the second NSX
Edge appliance of the high availability pair.
The Add NSX Edge Appliance dialog box appears.
11. In the Add NSX Edge Appliance dialog box, enter the following settings, and click OK.

Setting Value

Cluster/Resource Pool SFO01-EDGE01

Datastore SFO01A-VSAN01-EDGE01

12. On the Configure interfaces page, under HA Interface Configuration, click Change and
connect to vDS-Edge-Management.
13. On the Configure interfaces page, add the uplink interface, and click Next.
a. Click the Add icon.
The Add Interface dialog box appears.
b. Enter the following settings in the Add Interface dialog box, and click OK.

Setting Value

Name Uplink

Type Uplink

Connected To Universal Transit Network

Connectivity Status Connected

Primary IP Address 192.168.100.3

Subnet Prefix Length 24

MTU 9000

14. In the Default gateway settings page, deselect Configure Default Gateway, and click Next.
15. In the Ready to complete page, click Finish.

2.5.5.7. Configure Universal Distributed Logical Router for Dynamic Routing in Compute and
Edge Clusters in Region A
Configure the universal distributed logical router (UDLR) to use dynamic routing.
Procedure
1. Log in to vCenter Server by using the vSphere Web Client.
a. Open a Web browser and go to
https://comp01vc01.sfo01.rainpole.local/vsphere-client.
b. Log in using the following credentials.

Setting Value

User name [email protected]

Password vsphere_admin_password

2. Under Inventories, click Networking & Security.
3. In the Navigator, click NSX Edges.
4. Select 172.16.11.66 from the NSX Manager drop-down menu.
5. Double-click UDLR01.
6. Click the Manage tab, and click Routing.
7. In the Global Configuration page, perform the following configuration steps.
a. Click the Edit button under Routing Configuration, select Enable ECMP, and click OK.
b. Click the Edit button under Dynamic Routing Configuration, select Uplink as the Router
ID, and click OK.
c. Click Publish Changes.
8. In the Navigator panel, click BGP.
9. In the BGP page, click the Edit button.
The Edit BGP Configuration dialog box appears.
10. In the Edit BGP Configuration dialog box, enter the following settings, and click OK.

Setting Value

Enable BGP Selected

Enable Graceful Restart Selected

Local AS 65000

11. Click the Add icon to add a Neighbor.
The New Neighbor dialog box appears.
12. In the New Neighbor dialog box, enter the following values, and click OK.
You repeat this step two times to configure both NSX Edge devices as neighbors of the UDLR:
SFOEDGE-ESG01 and SFOEDGE-ESG02. The protocol address is the address from which the UDLR
control VM runs BGP; it is the address that you configured as the UDLR neighbor on the NSX Edge
devices. The forwarding address is the UDLR uplink interface address that the NSX Edge devices
use as the next hop for routes learned from the UDLR. The password must match the password
that you configured for the UDLR neighbor on the NSX Edge devices.

Setting              SFOEDGE-ESG01 Value   SFOEDGE-ESG02 Value

IP Address           192.168.100.1         192.168.100.2

Forwarding Address   192.168.100.3         192.168.100.3

Protocol Address     192.168.100.4         192.168.100.4

Remote AS            65000                 65000

Weight               60                    60

Keep Alive Time      1                     1

Hold Down Time       3                     3

Password             BGP_password          BGP_password

13. Click Publish Changes.
14. In the Navigator, click Route Redistribution.
15. Click the Edit button.
16. In the Change redistribution settings dialog box, enter the following settings, and click OK.

Setting Value

OSPF Deselected

BGP Selected

17. On the Route Redistribution page, select the default OSPF entry and click the Edit button.
18. Select BGP from the Learner Protocol drop-down menu, and click OK.
19. Click Publish Changes.

2.5.5.8. Verify Establishment of BGP for the Universal Distributed Logical Router in the
Compute and Edge Clusters in Region A
The universal distributed logical router (UDLR) needs to establish a connection to each Edge
Services Gateway before BGP updates can be exchanged. Verify that the UDLR is successfully
peering, and that BGP routing has been established.
Procedure
1. Log in to the UDLR by using a Secure Shell (SSH) client.
a. Open an SSH connection to UDLR01, the UDLR whose peering and BGP configuration you
want to verify.
b. Log in using the following credentials.

Setting Value

User name admin

Password udlr_admin_password

2. Run the show ip bgp neighbors command to display information about the BGP and TCP
connections to neighbors. The BGP State displays Established, UP for each Edge Services
Gateway with which the UDLR has successfully peered.
3. Run the show ip route command to verify that you are receiving routes using BGP, and that
there are multiple routes to BGP learned networks.
You verify multiple routes to BGP learned networks by locating the same route with a different
next-hop IP address. The IP addresses are listed after the word via in the right-side column of the
routing table output. For example, with both NSX Edge devices peered there are two different
routes to the following BGP networks: 0.0.0.0/0, 172.16.35.0/24, 172.27.13.0/24, and
172.27.22.0/24.
You can identify BGP networks by the letter B in the left-side column. Lines beginning with C
(connected) have only a single route.
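The verification steps in 2.5.5.5 and 2.5.5.8 rely on reading the show ip bgp neighbors and show ip route output by eye. The following Python 3 script is an added example, not part of the VMware procedure: it parses both outputs (pasted from the SSH session) and checks them against the neighbor plan from the tables above, so that a missing or unestablished peer, a wrong remote AS, drifted timers, or a BGP prefix with a single next hop (no ECMP) is reported explicitly. The neighbor plan shown is the one for SFOEDGE-ESG01; the sample outputs embedded below are constructed to follow the layout the text describes (the B code column and the via next-hop column), and the exact NSX Edge CLI layout is an assumption, so adjust the regular expressions if your device prints differently.

```python
import re
from collections import defaultdict

# Expected BGP neighbors of SFOEDGE-ESG01, taken from the deployment tables above.
EXPECTED_NEIGHBORS = {
    "172.27.11.1":   {"remote_as": 65001, "keepalive": 4, "hold": 12},  # first Top of Rack switch
    "172.27.13.1":   {"remote_as": 65001, "keepalive": 4, "hold": 12},  # second Top of Rack switch
    "192.168.100.4": {"remote_as": 65000, "keepalive": 1, "hold": 3},   # UDLR protocol address
}

# Constructed sample of 'show ip bgp neighbors' output (assumed layout); the UDLR peer is
# deliberately not yet established, as in the Note in 2.5.5.5.
SAMPLE_NEIGHBORS = """\
BGP neighbor is 172.27.11.1,   remote AS 65001,
BGP state = Established, up
Hold time is 12, Keep alive interval is 4 seconds
Connections established 1, dropped 0

BGP neighbor is 172.27.13.1,   remote AS 65001,
BGP state = Established, up
Hold time is 12, Keep alive interval is 4 seconds
Connections established 1, dropped 0

BGP neighbor is 192.168.100.4,   remote AS 65000,
BGP state = Connect, down
Hold time is 3, Keep alive interval is 1 seconds
Connections established 0, dropped 0
"""

# Constructed sample of 'show ip route' output (assumed layout).
SAMPLE_ROUTES = """\
Codes: O - OSPF derived, i - IS-IS derived, B - BGP derived,
C - connected, S - static

B       0.0.0.0/0            [20/0]        via 172.27.11.1
B       0.0.0.0/0            [20/0]        via 172.27.13.1
B       172.27.22.0/24       [20/0]        via 172.27.11.1
B       172.27.22.0/24       [20/0]        via 172.27.13.1
B       172.16.35.0/24       [200/0]       via 192.168.100.4
C       172.27.11.0/24       [0/0]         via 172.27.11.2
C       172.27.13.0/24       [0/0]         via 172.27.13.2
C       192.168.100.0/24     [0/0]         via 192.168.100.1
"""

NEIGHBOR_RE = re.compile(r"BGP neighbor is (\S+?),\s+remote AS (\d+)")
STATE_RE = re.compile(r"BGP state = (\w+)")
TIMERS_RE = re.compile(r"Hold time is (\d+), Keep alive interval is (\d+)")
ROUTE_RE = re.compile(r"^(\w+)\s+(\S+/\d+)\s+\[\d+/\d+\]\s+via\s+(\S+)", re.M)


def parse_bgp_neighbors(text):
    """Return {neighbor_ip: {remote_as, state, hold, keepalive}} from CLI output."""
    neighbors = {}
    # Split on the header line so that each chunk describes exactly one peer.
    for chunk in re.split(r"(?=BGP neighbor is )", text):
        head = NEIGHBOR_RE.search(chunk)
        if not head:
            continue
        state = STATE_RE.search(chunk)
        timers = TIMERS_RE.search(chunk)
        neighbors[head.group(1)] = {
            "remote_as": int(head.group(2)),
            "state": state.group(1) if state else "unknown",
            "hold": int(timers.group(1)) if timers else None,
            "keepalive": int(timers.group(2)) if timers else None,
        }
    return neighbors


def check_peering(expected, observed):
    """Compare observed peers with the plan; return a list of human-readable findings."""
    findings = []
    for ip, want in expected.items():
        got = observed.get(ip)
        if got is None:
            findings.append(f"{ip}: neighbor not configured on this edge")
            continue
        if got["state"].lower() != "established":
            findings.append(f"{ip}: session state is {got['state']}, not Established")
        if got["remote_as"] != want["remote_as"]:
            findings.append(f"{ip}: remote AS {got['remote_as']} != planned {want['remote_as']}")
        if (got["hold"], got["keepalive"]) != (want["hold"], want["keepalive"]):
            findings.append(f"{ip}: timers {got['hold']}/{got['keepalive']} differ from the plan")
        # A hold time below three keepalives makes the session flap under load.
        if got["hold"] is not None and got["hold"] < 3 * got["keepalive"]:
            findings.append(f"{ip}: hold time is shorter than 3x keepalive")
    for ip in observed:
        if ip not in expected:
            findings.append(f"{ip}: unexpected neighbor (not in the plan)")
    return findings


def parse_routes(text):
    """Return {prefix: set(next_hops)} for BGP-learned ('B') routes only."""
    paths = defaultdict(set)
    for code, prefix, nexthop in ROUTE_RE.findall(text):
        if code == "B":
            paths[prefix].add(nexthop)
    return dict(paths)


def single_path_prefixes(paths):
    """BGP prefixes that have only one next hop, i.e. where ECMP is not in effect."""
    return sorted(p for p, hops in paths.items() if len(hops) < 2)


if __name__ == "__main__":
    for line in check_peering(EXPECTED_NEIGHBORS, parse_bgp_neighbors(SAMPLE_NEIGHBORS)):
        print("PEERING:", line)
    for prefix in single_path_prefixes(parse_routes(SAMPLE_ROUTES)):
        print("NO ECMP:", prefix)
```

To use it on a real device, paste the two command outputs into the SAMPLE_NEIGHBORS and SAMPLE_ROUTES strings (or read them from files) and replace EXPECTED_NEIGHBORS with the table for the device you are checking; for the UDLR in 2.5.5.8 the plan is the two NSX Edge uplink addresses 192.168.100.1 and 192.168.100.2 with remote AS 65000 and timers 1/3.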

2.5.6 Test the Compute and Edge Clusters NSX Configuration in Region A
Test the configuration of the NSX logical network using a ping test. The test checks whether two
hosts that participate in the logical switch can reach each other across the VXLAN overlay.
Procedure
1. Log in to vCenter Server by using the vSphere Web Client.
a. Open a Web browser and go to
https://comp01vc01.sfo01.rainpole.local/vsphere-client.
b. Log in using the following credentials.

Setting Value

User name [email protected]

Password vsphere_admin_password

2. Under Inventories, click Networking & Security.
3. In the Navigator, click Logical Switches, and double-click Universal Transit Network.
4. Click the Monitor tab.
5. From the Source host drop-down menu select edge01esx01.sfo01.rainpole.local.
6. From the Destination host drop-down menu select edge01esx02.sfo01.rainpole.local.
7. Click Start Test.
The host-to-host ping test results are displayed in the Results text box. Verify that there are no
error messages.

2.6 Replace Certificates in Region A


By default, vSphere components use TLS/SSL certificates that are signed by the VMware Certificate
Authority (VMCA). These certificates are not trusted by end-user devices. That might mean, for
example, that a certificate warning appears when a user connects to a vCenter Server system by
using the vSphere Web Client.
Infrastructure administrators connect to different SDDC components, such as vCenter Server systems
or a Platform Services Controller from a Web browser to perform configuration, management and
troubleshooting. The authenticity of the network node to which the administrator connects must be
confirmed with a valid TLS/SSL certificate.
In this design, you replace user-facing certificates with certificates that are signed by a custom
Microsoft Certificate Authority (CA). You do not replace certificates for machine-to-machine
communication. If necessary, you can manually mark these certificates as trusted.
Certificate replacement covers the following VMware products from the virtual infrastructure layer:
• Platform Services Controller (both management pod and compute pod)
• vCenter Server system (both management pod and compute pod)
• VMware NSX Manager (both management pod and compute pod)

Replacement Tasks Order


1. Set up your Microsoft CA, create a custom template, and add the custom templates to the set of
available templates. You do this only once.
2. Next, replace certificates on the virtual infrastructure products, as follows:
a. Management Platform Services Controller
b. Management vCenter Server system
c. Management NSX Manager
d. Compute Platform Services Controller
e. Compute vCenter Server system
f. Compute NSX Manager

2.6.1 Create and Add a Microsoft Certificate Authority Template


As part of the certificate replacement process, you submit Certificate Signing Requests (CSRs) to a
Microsoft Certificate Authority (CA) server. You then replace the VMCA-signed or self-signed
certificates with CA-signed certificates.
This VMware Validated Design uses a Microsoft Certificate Authority server.
• The first step is setting up a Microsoft Certificate Authority template through a Remote Desktop
Protocol session.
• After you have created the new template, you add it to the certificate templates of the Microsoft
Certificate Authority.

Prerequisite
This VMware Validated Design sets up the CA on the Active Directory (AD) server
dc01rpl.rainpole.local, which is running Microsoft Windows Server 2012 R2.
• Verify that you installed Windows Server 2012 R2 with Active Directory Domain Services enabled.
• Verify that your AD Server is installed and configured with the Certificate Authority Service role
and the Certificate Authority Web Enrollment role.

If a different Microsoft CA already exists in your environment, you can use that CA instead.
Procedure
1. Use Remote Desktop Protocol to connect to the CA server dc01rpl.rainpole.local as the
AD administrator with the ad_admin_password password.
2. Click Start > Run, type certtmpl.msc, and click OK.
3. In the Certificate Template Console, under Template Display Name, right-click Web Server
and click Duplicate Template.
4. In the Duplicate Template window, leave Windows Server 2003 Enterprise selected for
backward compatibility and click OK.
5. In the Properties of New Template dialog, click the General tab.
6. In the Template display name text box, enter VMware as the name of the new template.
7. Click the Extensions tab and specify extensions information:
a. Select Application Policies and click Edit.
b. Select Server Authentication, click Remove, and click OK.
c. Select Key Usage and click Edit.
d. Click the Signature is proof of origin (nonrepudiation) check box.
e. Leave the default for all other options.
f. Click OK.
8. Click the Subject Name tab, ensure that the Supply in the request option is selected, and click
OK to save the template.
9. To add the new template to your CA, click Start > Run, type certsrv.msc, and click OK.
10. In the Certification Authority window, expand the left pane if it is collapsed.
11. Right-click Certificate Templates and select New > Certificate Template to Issue.
12. In the Enable Certificate Templates dialog, in the Name column, select the VMware certificate
template that you just created and click OK.

2.6.2 Obtain Custom Certificates for the Management Components in Region A
For each certificate that you want to replace, you need a certificate file that is signed by the certificate
authority (CA) that you set up earlier on the Active Directory server.
You perform these tasks, in sequence:
1. Generate a CSR for the certificate that you want to replace. You generate the CSR on the
machine where the certificate lives. For vCenter Server and Platform Services Controller
certificate replacement, you use the vSphere Certificate Manager utility.
2. Submit the certificate request to your AD server for signing by the CA on the server and export
the signed certificate.
3. Copy the certificate and the associated root certificate to the virtual machine where you want to
replace the certificate.
4. Replace the existing certificates with the new certificates.
For additional details, see VMware Knowledge Base article 2112014.
You obtain custom certificates for the Platform Services Controllers, vCenter Server instances and
NSX Managers.
This example illustrates how you generate the signed certificate for the
mgmt01psc01.sfo01.rainpole.local Platform Services Controller instance.
Procedure
1. Log in to the Windows host that has access to the AD server as an administrator.
2. Submit a request and download the certificate chain that contains the CA-signed certificate and
the CA certificate.
a. Open a Web browser and go to http://dc01rpl.rainpole.local/CertSrv/ to open the Web
interface of the CA server.
b. Log in using the following credentials.

Setting Value

User name domain administrator

Password ad_admin_password

c. Click the Request a certificate link.
d. Click advanced certificate request.
e. Click Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or
submit a renewal request by using a base-64-encoded PKCS #7 file.
f. Open the CSR file, mgmt01psc01.sfo01_ssl.csr, in a plain text editor.
g. Copy everything from -----BEGIN CERTIFICATE REQUEST----- to -----END
CERTIFICATE REQUEST-----, including both marker lines.
h. On the Submit a Certificate Request or Renewal Request page, paste the copied contents of
the CSR file into the Saved Request box.
i. From the Certificate Template drop-down menu, select VMware and click Submit.
j. On the Certificate issued screen, click Base 64 encoded.
k. Click the Download certificate chain link and save the certificate chain file certnew.p7b to
the Downloads folder.
3. Export the certificate to the correct format, as follows:
a. Double-click the certnew.p7b file to open it in the Microsoft Certificate Manager.
b. Navigate to certnew.p7b > Certificates and notice the two certificates: the root CA certificate
and the certificate issued to mgmt01psc01.sfo01.rainpole.local.
c. Right-click the certificate issued to mgmt01psc01.sfo01.rainpole.local and select
All Tasks > Export.
d. In the Certificate Export Wizard, click Next.
e. Select Base-64 encoded X.509 (.CER), and click Next.
f. Browse to C:\certs and specify the certificate name mgmt01psc01.sfo01 in the File name
field.
g. Click Next and click Finish.
The mgmt01psc01.sfo01.cer file is saved to the C:\certs folder.
4. Export the root certificate file in the correct format, as follows:
a. Right-click the root certificate and select All Tasks > Export.
b. In the Certificate Export Wizard, click Next.
c. Select Base-64 encoded X.509 (.CER), and click Next.
d. Browse to C:\certs and specify Root64 in the File name text box.
e. Click Next, and click Finish.
The Root64.cer file is saved to the C:\certs folder.

2.6.3 Replace the Platform Services Controller Certificates in Region A


The first step is replacing the machine SSL certificate on each Platform Services Controller instance
with a custom certificate that is signed by the certificate authority (CA) available on the parent Active
Directory (AD) server.
For details on performing this task, see Replace the Machine SSL Certificate with Custom
Certificates in the vSphere Security documentation, or VMware Knowledge Base article 2112277.
You generate a Certificate Signing Request (CSR) on the Platform Services Controller instances by
using the vSphere Certificate Manager utility, obtain CA-signed certificates from the parent AD server
and replace the default certificates on the Platform Services Controller instances.
You replace certificates twice: on the Platform Services Controller for the Management vCenter
Server mgmt01psc01.sfo01.rainpole.local and on the Platform Services Controller for the
Compute vCenter Server comp01psc01.sfo01.rainpole.local. You start replacing certificates
on Platform Services Controller mgmt01psc01.sfo01.rainpole.local first.

Platform Services Controller       CSR File Name               Certificate File Name   Replacement Order

mgmt01psc01.sfo01.rainpole.local   mgmt01psc01.sfo01_ssl.csr   mgmt01psc01.sfo01.cer   First

comp01psc01.sfo01.rainpole.local   comp01psc01.sfo01_ssl.csr   comp01psc01.sfo01.cer   After you replace the default
                                                                                       certificate on the NSX Manager
                                                                                       for the management cluster.

Procedure
1. Log in to a Windows host that has access to both the AD server and the Platform Services
Controllers as an administrator.
2. Generate a CSR by using the vSphere Certificate Manager utility.
a. Open a Secure Shell (SSH) connection to the Platform Services Controller by using an SSH
client.
b. Log in using the following credentials.

Platform Services Controller       User   Password

mgmt01psc01.sfo01.rainpole.local   root   mgmtpsc_root_password

comp01psc01.sfo01.rainpole.local   root   comppsc_root_password

c. Enable the Bash shell by running these commands.
shell.set --enabled True
shell
chsh -s /bin/bash root
The chsh command makes Bash the login shell of root so that scp, FileZilla, or WinSCP can copy
files to and from the appliance. When certificate replacement is complete, restore the appliance
shell by running chsh -s /bin/appliancesh root.
d. Create a directory to save the certificate signing request and private key to.
mkdir /tmp/ssl
e. Start the vSphere Certificate Manager utility.
/usr/lib/vmware-vmca/bin/certificate-manager
f. Select Option 1 (Replace Machine SSL certificate with Custom Certificate), enter the
default vCenter Single Sign-On user name [email protected] and the
vsphere_admin_password password.
g. Select Option 1 (Generate Certificate Signing Request(s) and Key(s) for Machine SSL
certificate), and provide the directory /tmp/ssl to save the certificate signing request and
private key to.
h. Provide the following settings to configure certool.cfg, which the vSphere Certificate
Manager uses for the CSR generation, and close the vSphere Certificate Manager.

Setting        Management Platform Services Controller Values   Compute Platform Services Controller Values

Country        US                                               US

Name           mgmt01psc01.sfo01.rainpole.local                 comp01psc01.sfo01.rainpole.local

Organization   Rainpole Inc.                                    Rainpole Inc.

OrgUnit        Rainpole.local                                   Rainpole.local

State          California                                       California

Locality       Palo Alto                                        Palo Alto

IP Address     -                                                -

Email          [email protected]                               [email protected]

Hostname       mgmt01psc01.sfo01.rainpole.local                 comp01psc01.sfo01.rainpole.local

The created CSR files are vmca_issued_csr.csr and vmca_issued_key.key in the
/tmp/ssl folder. The private key stays on the Platform Services Controller; only the .csr file
is copied off the appliance.
i. In the /tmp/ssl directory, rename the vmca_issued_csr.csr and vmca_issued_key.key
files to match the virtual machine name of the Platform Services Controller.

Host                               Command

mgmt01psc01.sfo01.rainpole.local   mv vmca_issued_csr.csr mgmt01psc01.sfo01_ssl.csr
                                   mv vmca_issued_key.key mgmt01psc01.sfo01_ssl.key

comp01psc01.sfo01.rainpole.local   mv vmca_issued_csr.csr comp01psc01.sfo01_ssl.csr
                                   mv vmca_issued_key.key comp01psc01.sfo01_ssl.key

3. Submit the CSR to the parent Windows domain controller CA and save the generated CA-signed
certificate chain.
a. Copy the .csr file to the C:\certs directory on the Windows host that you use to access
the Platform Services Controller and the AD server.
Use the scp command, FileZilla, or WinSCP to copy the file.
b. Open a Web browser, and go to http://dc01rpl.rainpole.local/CertSrv/.
c. If prompted, log in as the AD administrator with the ad_admin_password password.
d. Follow the steps in Obtain Custom Certificates for the Management Components in Region A
to enroll the certificate for this Platform Services Controller with the AD-CA server.
4. Save the certificate and Root64.cer files to the /tmp/ssl directory on the Platform Services
Controller.
Use the scp command, FileZilla, or WinSCP to copy the files.

Platform Services Controller       Files

mgmt01psc01.sfo01.rainpole.local   mgmt01psc01.sfo01.cer (signed certificate)
                                   Root64.cer (root certificate)

comp01psc01.sfo01.rainpole.local   comp01psc01.sfo01.cer (signed certificate)
                                   Root64.cer (root certificate)

5. Replace the CA-signed certificate on the Platform Services Controller.
a. From the SSH client connected to the Platform Services Controller, add the Root certificate to
the VMware Endpoint Certificate Store as a Trusted Root Certificate using the following
command.
Enter the vCenter Single Sign-On password when prompted.
/usr/lib/vmware-vmafd/bin/dir-cli trustedcert publish --chain --cert /tmp/ssl/Root64.cer
b. Start the vSphere Certificate Manager utility again on the Platform Services Controller.
/usr/lib/vmware-vmca/bin/certificate-manager
c. Select Option 1 (Replace Machine SSL certificate with Custom Certificate), enter the default
vCenter Single Sign-On user name [email protected] and the
vsphere_admin_password password.
d. Select Option 2 (Import custom certificate(s) and key(s) to replace existing Machine
SSL certificate).
e. When prompted, provide the full path to the signed certificate file, the Root certificate file, and
the key file that vSphere Certificate Manager generated earlier, and confirm the
import with Yes (Y).

Platform Services Controller: mgmt01psc01.sfo01.rainpole.local
Please provide valid custom certificate for Machine SSL.
File : /tmp/ssl/mgmt01psc01.sfo01.cer
Please provide valid custom key for Machine SSL.
File : /tmp/ssl/mgmt01psc01.sfo01_ssl.key
Please provide the signing certificate of the Machine SSL certificate
File : /tmp/ssl/Root64.cer

Platform Services Controller: comp01psc01.sfo01.rainpole.local
Please provide valid custom certificate for Machine SSL.
File : /tmp/ssl/comp01psc01.sfo01.cer
Please provide valid custom key for Machine SSL.
File : /tmp/ssl/comp01psc01.sfo01_ssl.key
Please provide the signing certificate of the Machine SSL certificate
File : /tmp/ssl/Root64.cer

When the import completes, remove the /tmp/ssl directory so that the private key file does not
remain on the appliance file system.
6. After Status shows 100% Completed on the Platform Services Controller, restart all services on
the vCenter Server instance that is connected to this Platform Services Controller.
a. Open a Secure Shell (SSH) connection to the vCenter Server instance by using an SSH
client.

vCenter Server              Host

Management vCenter Server   mgmt01vc01.sfo01.rainpole.local

Compute vCenter Server      comp01vc01.sfo01.rainpole.local

b. Log in using the following credentials.

Setting Value

User name root

Password vc_root_password

c. Enable the Bash shell by running these commands.
shell.set --enabled True
shell
chsh -s /bin/bash root
d. Run these commands to restart all services on the vCenter Server instance.
service-control --stop --all
service-control --start --all
7. After you replace the certificate of the NSX Manager for the management cluster, repeat the steps
to generate a CSR file, generate the CA-signed certificate and replace the default certificate on the
second Platform Services Controller.
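A failed import in vSphere Certificate Manager leaves the appliance with services stopped, and the usual causes are mundane: a DER-encoded or .p7b export instead of a Base-64 X.509 file, a key that does not belong to the certificate, or a certificate whose name does not match the FQDN. The following Python 3 script is an added example and not part of the VMware procedure: run it on the Windows host or on the appliance before step 5, giving it the three files that certificate-manager asks for and the FQDN of the Platform Services Controller or vCenter Server. It first checks the PEM layout of each file, then performs an in-process TLS handshake (standard library ssl module with memory BIOs, no network) in which the client side trusts only Root64.cer and verifies the host name, which is exactly what a browser or the vSphere Web Client will do later. The file names in the usage line are the ones from the tables above; the short PEM-shaped samples embedded in the script are constructed for the layout check only and are not real certificates.

```python
import re
import ssl
import sys

# Matches one PEM block and captures its label, e.g. CERTIFICATE or RSA PRIVATE KEY.
PEM_BLOCK_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----.*?-----END \1-----", re.S)

# Constructed, non-functional samples used only to exercise the layout check.
SAMPLE_PEM_CERT = b"-----BEGIN CERTIFICATE-----\nMIIBAAAA\n-----END CERTIFICATE-----\n"
SAMPLE_PEM_KEY = b"-----BEGIN RSA PRIVATE KEY-----\nMIIEAAAA\n-----END RSA PRIVATE KEY-----\n"
SAMPLE_PKCS7 = b"-----BEGIN PKCS7-----\nMIIGAAAA\n-----END PKCS7-----\n"
SAMPLE_DER = b"\x30\x82\x03\x10\x30\x82\x01\xf8"  # a DER export starts with an ASN.1 SEQUENCE


def pem_labels(data):
    """Labels of the PEM blocks in a file's bytes; [] for DER or other non-PEM content."""
    return PEM_BLOCK_RE.findall(data.decode("ascii", errors="replace"))


def check_layout(cert_bytes, key_bytes, root_bytes):
    """Findings about the three inputs certificate-manager asks for (empty list means OK)."""
    findings = []
    if pem_labels(cert_bytes) != ["CERTIFICATE"]:
        findings.append("certificate: expected exactly one Base-64 X.509 block "
                        "(a DER export or the certnew.p7b chain is not accepted here)")
    if not any(label.endswith("PRIVATE KEY") for label in pem_labels(key_bytes)):
        findings.append("key: no PEM private key block found")
    if pem_labels(root_bytes) != ["CERTIFICATE"]:
        findings.append("root: expected exactly one Base-64 X.509 block (Root64.cer)")
    return findings


def handshake_check(cert_file, key_file, root_file, hostname):
    """Dry-run the TLS handshake a browser performs: the chain must verify against
    root_file and the certificate must match hostname. Returns (ok, detail)."""
    try:
        server_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        server_ctx.load_cert_chain(cert_file, key_file)  # fails if key and cert do not match
    except ssl.SSLError as exc:
        return False, f"certificate/key pair rejected: {exc}"
    client_ctx = ssl.create_default_context(cafile=root_file)  # check_hostname=True by default
    client_in, client_out = ssl.MemoryBIO(), ssl.MemoryBIO()
    server_in, server_out = ssl.MemoryBIO(), ssl.MemoryBIO()
    client = client_ctx.wrap_bio(client_in, client_out, server_side=False,
                                 server_hostname=hostname)
    server = server_ctx.wrap_bio(server_in, server_out, server_side=True)
    # Pump records between the two sides until both report the handshake complete.
    for _ in range(16):
        finished = 0
        for side, out_bio, peer_in in ((client, client_out, server_in),
                                       (server, server_out, client_in)):
            try:
                side.do_handshake()
                finished += 1
            except ssl.SSLWantReadError:
                pass
            except ssl.SSLError as exc:  # includes SSLCertVerificationError
                return False, f"handshake failed: {exc}"
            data = out_bio.read()
            if data:
                peer_in.write(data)
        if finished == 2:
            return True, f"chain verifies against root and certificate matches {hostname}"
    return False, "handshake did not complete"


if __name__ == "__main__":
    if len(sys.argv) != 5:
        sys.exit(f"usage: {sys.argv[0]} mgmt01psc01.sfo01.cer mgmt01psc01.sfo01_ssl.key "
                 "Root64.cer mgmt01psc01.sfo01.rainpole.local")
    cert, key, root, fqdn = sys.argv[1:]
    with open(cert, "rb") as c, open(key, "rb") as k, open(root, "rb") as r:
        problems = check_layout(c.read(), k.read(), r.read())
    for problem in problems:
        print("LAYOUT:", problem)
    if problems:
        sys.exit(1)
    ok, detail = handshake_check(cert, key, root, fqdn)
    print("OK" if ok else "FAIL", detail)
    sys.exit(0 if ok else 1)
```

The same check applies unchanged to the vCenter Server files in the next section (mgmt01vc01.sfo01.cer, mgmt01vc01.sfo01_ssl.key, Root64.cer and the vCenter Server FQDN).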

2.6.4 Replace the vCenter Server Certificates in Region A


After you replace the Platform Services Controller certificate, you replace the vCenter Server machine
SSL certificate.
For details on performing this tasks, see Replace the Machine SSL Certificate with Custom
Certificates in the vSphere Security documentation, or VMware Knowledge Base article 2112277.
You generate a Certificate Signing Request (CSR) on the vCenter Server instances by using the
vSphere Certificate Manager utility, obtain CA-signed certificates from the parent AD server and
replace the default certificates on the vCenter Server instances.
You replace certificates twice, once for each vCenter Server instance. You can start replacing
certificates on Management vCenter Server mgmt01vc01.sfo01.rainpole.local first.
Certificate-Related Files on the vCenter Server Instances

vCenter Server CSR File Name Certificate File Name Replacement Order

mgmt01vc01.sfo01 mgmt01vc01.sfo01_ssl.csr mgmt01vc01.sfo01.cer After you replace the


.rainpole.local certificate on the
management Platform
Services Controller.

comp01vc01.sfo01 comp01vc01.sfo01_ssl.csr comp01vc01.sfo01.cer After you replace the


.rainpole.local certificate on the
compute Platform
Services Controller.

Procedure
Log in to a Windows host that has access to both the AD server and the vCenter Server instance
as an administrator.
Generate a CSR for the vCenter Server instance by using the VMware Certificate Manager utility.
a. Open a Secure Shell (SSH) connection to the vCenter Server instance by using an SSH
client.
b. Log in using the following credentials.

Setting Value

User name root

Password vc_root_password

© 2016 VMware, Inc. All rights reserved.

Page 195 of 545


VMware Validated Design Deployment Guide for Region A

c. Enable the Bash shell by running these commands.


shell.set --enabled True
shell
chsh -s /bin/bash root
d. Create a directory to save the certificate signing request and private key to.
mkdir /tmp/ssl
e. Start the vSphere Certificate Manager utility.
/usr/lib/vmware-vmca/bin/certificate-manager
f. Select Option 1 (Replace Machine SSL certificate with Custom Certificate), enter the
default vCenter Single Sign-On user name [email protected] and the
vsphere_admin password.
g. When prompted for the Infrastructure Server IP, provide the IP address of the Platform
Services Controller that manages this vCenter Server instance.

vCenter Server IP Address of Conneced Platform Services Controller

mgmt01vc01.sfo01.rainpole.local 172.16.11.61

comp01vc01.sfo01.rainpole.local 172.16.11.63

h. Select Option 1 (Generate Certificate Signing Request(s) and Key(s) for Machine SSL
certificate), and provide the directory /tmp/ssl to save the certificate signing request and
private key to.
i. Provide the following settings to configure certool.cfg which the vSphere Certificate Manager
uses for the CSR generation, and close the vSphere Certificate Manager.

Setting Value

Country US

Name mgmt01vc01.sfo01.rainpole.local

Organization Rainpole Inc.

OrgUnit Rainpole.local

State California

Locality Palo Alto

IP Address -

Email [email protected]

Hostname mgmt01vc01.sfo01.rainpole.local

© 2016 VMware, Inc. All rights reserved.

Page 196 of 545


VMware Validated Design Deployment Guide for Region A

The created CSR files are vmca_issued_csr.csr and vmca_issued_key.key in the


/tmp/ssl folder.
j. Rename the vmca_issued_csr.csr and vmca_issued_key.key files to match the
virtual machine name of the vCenter Server instance.

Host Command

mgmt01vc01.sfo01.rainpole.local mv vmca_issued_csr.csr mgmt01vc01.sfo01_ssl.csr


mv vmca_issued_key.key mgmt01vc01.sfo01_ssl.key

comp01vc01.sfo01.rainpole.local mv vmca_issued_csr.csr comp01vc01.sfo01_ssl.csr


mv vmca_issued_key.key comp01vc01.sfo01_ssl.key

Submit the CSR to the parent Windows domain controller CA and save the generated CA-signed
certificate chain.
Use the scp command, FileZilla, or WinSCP to copy the file.
a. Open a Web browser, and go to http://dc01rpl.rainpole.local/CertSrv/.
b. If prompted, log in as the AD administrator with the ad_admin_password password.
c. Follow the steps in Obtain Custom Certificates for the Management Components in Region A
to enroll the certificate for this vCenter Server with the AD-CA server.
Save the certificate and Root64.cer files to the /tmp/ssl directory on the vCenter Server instance.
Use the scp command, FileZilla, or WinSCP to copy the files.

vCenter Server                     Files
mgmt01vc01.sfo01.rainpole.local    mgmt01vc01.sfo01.cer file (signed certificate)
                                   Root64.cer file (root certificate)
comp01vc01.sfo01.rainpole.local    comp01vc01.sfo01.cer file (signed certificate)
                                   Root64.cer file (root certificate)

Replace the CA-signed certificate on the vCenter Server instance.


a. From the SSH client connected to the vCenter Server instance, add the root certificate to the
VMware Endpoint Certificate Store as a trusted root certificate by using the following command.
Enter the vCenter Single Sign-On password when prompted.


/usr/lib/vmware-vmafd/bin/dir-cli trustedcert publish --chain --cert /tmp/ssl/Root64.cer
b. Start the vSphere Certificate Manager utility on the vCenter Server instance.
/usr/lib/vmware-vmca/bin/certificate-manager
c. Select Option 1 (Replace Machine SSL certificate with Custom Certificate), enter the default
vCenter Single Sign-On user name [email protected] and the vsphere_admin
password.
d. Select Option 2 (Import custom certificate(s) and key(s) to replace existing Machine SSL
certificate).
e. When prompted, provide the full path to the custom certificate, the Root certificate file, and
the key file that have been generated by vSphere Certificate Manager earlier, and confirm the
import with Yes (Y).

vCenter Server                     Files
mgmt01vc01.sfo01.rainpole.local    Please provide valid custom certificate for Machine SSL.
                                   File : /tmp/ssl/mgmt01vc01.sfo01.cer
                                   Please provide valid custom key for Machine SSL.
                                   File : /tmp/ssl/mgmt01vc01.sfo01_ssl.key
                                   Please provide the signing certificate of the Machine SSL certificate
                                   File : /tmp/ssl/Root64.cer
comp01vc01.sfo01.rainpole.local    Please provide valid custom certificate for Machine SSL.
                                   File : /tmp/ssl/comp01vc01.sfo01.cer
                                   Please provide valid custom key for Machine SSL.
                                   File : /tmp/ssl/comp01vc01.sfo01_ssl.key
                                   Please provide the signing certificate of the Machine SSL certificate
                                   File : /tmp/ssl/Root64.cer

After Status shows 100% Completed, wait several minutes until all vCenter Server services are
restarted.

After you replace the certificate on the compute Platform Services Controller, repeat the steps to
generate a CSR file, generate a CA-signed certificate and replace the default certificate on the
second vCenter Server.


2.6.5 Replace the NSX Manager SSL Certificate


After you replace the certificates of all Platform Services Controller instances and all vCenter Server
instances, replace the certificates for the NSX Manager instances.
You replace certificates twice, once for each NSX Manager. You can start replacing certificates on
NSX Manager for the management cluster mgmt01nsxm01.sfo01.rainpole.local first.

NSX Manager                          CSR File Name                  Certificate File Name     Replacement Order
mgmt01nsxm01.sfo01.rainpole.local    mgmt01nsxm01.sfo01_ssl.csr     mgmt01nsxm01.sfo01.cer    After you replace the certificate on the Management vCenter Server
comp01nsxm01.sfo01.rainpole.local    comp01nsxm01.sfo01_ssl.csr     comp01nsxm01.sfo01.cer    After you replace the certificate on the Compute vCenter Server

Procedure
Log in to a Windows host that has access to both the AD server and the NSX Manager instances
as an administrator.
On the Windows host, log in to the NSX Manager Web interface.
a. Open a Web browser and go to following URL.

NSX Manager                                       URL
NSX Manager for the management cluster            https://mgmt01nsxm01.sfo01.rainpole.local
NSX Manager for the compute and edge clusters     https://comp01nsxm01.sfo01.rainpole.local

b. Log in using the following credentials.

Setting Value

User name admin

Password nsx_mngr_admin_password

Click Manage Appliance Settings.


In the Settings panel on the left, click SSL Certificates.
Under SSL Certificates on the right, click Generate CSR.
In the Generate Certificate Signing Request dialog, supply the following information, and click
OK.


CSR Info             Value
Algorithm            RSA
Key size             2048
Common Name          mgmt01nsxm01.sfo01.rainpole.local (for the first NSX Manager instance)
                     comp01nsxm01.sfo01.rainpole.local (when you repeat the process for the second NSX Manager instance)
Organization Unit    Rainpole
Organization Name    Rainpole
Locality Name        SFO
State Name           CA
Country Code         US

Under SSL Certificates, click Download CSR.


VMware NSX downloads a CSR file called NSX to the default download directory.

Copy the NSX file to the local c:\certs\nsx\sfo\ directory.


Create the directory if necessary.
Rename the file adding the .csr extension at the end of the file name.

NSX Manager Filename

mgmt01nsxm01.sfo01.rainpole.local mgmt01nsxm01.sfo01_ssl.csr

comp01nsxm01.sfo01.rainpole.local comp01nsxm01.sfo01_ssl.csr

Follow the steps in the Obtain Custom Certificates for the Management Components in Region A
section to enroll the certificate of this NSX Manager instance.
Save the signed certificates to the local c:\certs\nsx\sfo directory.

NSX Manager                          Filenames
mgmt01nsxm01.sfo01.rainpole.local    mgmt01nsxm01.sfo01.cer
                                     Root64.cer
comp01nsxm01.sfo01.rainpole.local    comp01nsxm01.sfo01.cer
                                     Root64.cer

Combine the certificate file with the CA's root certificate file into a single file as follows.
a. Open a command prompt and navigate to the directory c:\certs\nsx\sfo.
b. Run the following command.

NSX Manager                          Command
mgmt01nsxm01.sfo01.rainpole.local    copy mgmt01nsxm01.sfo01.cer+Root64.cer mgmt01nsxm01.sfo01.chain.cer
comp01nsxm01.sfo01.rainpole.local    copy comp01nsxm01.sfo01.cer+Root64.cer comp01nsxm01.sfo01.chain.cer

From the Web browser that is connected to the NSX Manager interface, with the Manage tab and
the SSL Certificate setting still selected on the left, click Import and provide your chained
certificate file.

NSX Manager Filenames

mgmt01nsxm01.sfo01.rainpole.local mgmt01nsxm01.sfo01.chain.cer

comp01nsxm01.sfo01.rainpole.local comp01nsxm01.sfo01.chain.cer

Reboot NSX Manager so the custom certificate is used.


a. In the right corner of the NSX Manager page click the Settings icon.
b. From the pull-down menu, choose Reboot Appliance.


Re-register the NSX Manager to the Management vCenter Server.


a. Open a Web browser and go to the NSX Manager Web interface.

NSX Manager                                       URL
NSX Manager for the management cluster            https://mgmt01nsxm01.sfo01.rainpole.local
NSX Manager for the compute and edge clusters     https://comp01nsxm01.sfo01.rainpole.local

b. Log in using the following credentials.

Setting Value

User name admin

Password nsx_mngr_admin_password

c. Click Manage vCenter Registration.


d. Under Lookup Service, click the Edit button.
e. In the Lookup Service dialog box, enter the following settings, and click OK.

Setting Value

Lookup Service IP mgmt01psc01.sfo01.rainpole.local

Lookup Service Port 443

SSO Administrator User Name [email protected]

Password vsphere_admin_password

f. In the Trust Certificate? dialog box, click Yes.

g. Under vCenter Server, click the Edit button.


h. In the vCenter Server dialog box, enter the following settings, and click OK.

Setting Value

vCenter Server mgmt01vc01.sfo01.rainpole.local

vCenter User Name [email protected]

Password svc-nsxmanager_password


i. In the Trust Certificate? dialog box, click Yes.


j. Wait until the Status indicators for the Lookup Service and vCenter Server change to
Connected.
After you install a CA-signed certificate on the compute Platform Services Controller and the
Compute vCenter Server, repeat the steps for the NSX Manager for the compute and edge
clusters.

2.7 Deploy vSphere Data Protection in Region A


Deploy vSphere Data Protection to provide the capability for backup and restore of SDDC
management components. vSphere Data Protection enables the backup and restore of virtual
machines associated with the following components:
 vCenter Server
o Management vCenter Server and connected external Platform Services Controller
o Compute vCenter Server and connected external Platform Services Controller
 NSX for vSphere
o NSX Manager for the management cluster
o NSX Manager for the compute and edge clusters
 vRealize Automation
 vRealize Operations Manager
 vRealize Log Insight
Procedure
 Prerequisites for Deploying vSphere Data Protection in Region A
 Deploy the Virtual Appliance of vSphere Data Protection in Region A
 Register vSphere Data Protection with Management vCenter Server in Region A
 Install a CA-Signed SSL Certificate for vSphere Data Protection in Region A

2.7.1 Prerequisites for Deploying vSphere Data Protection in Region A


Before you deploy vSphere Data Protection, verify that your environment satisfies the requirements
for this deployment.

2.7.1.1. IP Addresses and Host Names


Verify that static IP address and FQDN for vSphere Data Protection are available for the Region A of
the SDDC deployment.

Network Setting         Value
IP address              172.16.11.81
FQDN                    mgmt01vdp01.sfo01.rainpole.local
Primary DNS server      172.16.11.4
Secondary DNS server    172.16.11.5
Default gateway         172.16.11.253
Subnet mask             255.255.255.0

2.7.1.2. Deployment Prerequisites


Verify that you have fulfilled the following prerequisites in addition to the networking settings.

Prerequisite            Value
Initial Storage          Virtual disk provisioning
                          o Thin
                         Required storage
                          o 4 TB NFS
Software Features        vSphere
                          o Management vCenter Server
                          o Client Integration Plugin on the machine where you use the vSphere Web Client
                          o Management cluster with enabled DRS and HA
                          o vSphere Distributed Switch configured for the vSphere management network
Installation Package    Download the .ova file of the vSphere Data Protection virtual appliance on the
                        machine where you use the vSphere Web Client.

2.7.2 Deploy the Virtual Appliance of vSphere Data Protection in Region A


Deploy vSphere Data Protection as a virtual appliance on the management cluster in Region A.
Procedure
Log in to vCenter Server by using the vSphere Web Client.
a. Open a Web browser and go to
https://mgmt01vc01.sfo01.rainpole.local/vsphere-client.
b. Log in using the following credentials.

Setting Value

User name [email protected]

Password vsphere_admin_password

In the vSphere Web Client, navigate to the SFO01-Mgmt01 cluster object.


Inventory Object Value

vCenter Server mgmt01vc01.sfo01.rainpole.local

Data center SFO01

Cluster SFO01-Mgmt01

Right-click the SFO01-Mgmt01 object and select Deploy OVF Template.


On the Select source page, select Local file, browse to the location of the vSphere Data
Protection OVA file on your file system, and click Next.

On the Review details page, examine the virtual appliance details, such as product, version,
download and disk size, and click Next.
On the Accept License Agreements page, accept the end user license agreements and
click Next.
On the Select name and folder page, enter a node name, select the inventory folder for the
virtual appliance, and click Next.

Setting Value

Name mgmt01vdp01

vCenter Server mgmt01vc01.sfo01.rainpole.local

Data center SFO01


Select the SFO01A-NFS01-VDP01 NFS datastore provisioned for vSphere Data Protection, leave the
thin-provisioned virtual disk format and the default VM storage policy, and click Next.

On the Setup networks page, select the vDS-Mgmt-Management distributed port group from
the Isolated Network drop-down menu, select IPv4 from the IP protocol drop-down menu, and
click Next.


On the Customize template page, enter the networking settings for the virtual appliance, and
click Next.

IPv4 Setting Value

Default gateway 172.16.11.253

DNS server 172.16.11.4, 172.16.11.5

Static IPv4 address 172.16.11.81

Subnet mask 255.255.255.0

On the Ready to complete page, verify that the settings are correct, select the Power on after
deployment check box, and click Finish.

2.7.3 Register vSphere Data Protection with Management vCenter Server in Region A

After you deploy the virtual appliance for vSphere Data Protection on the management cluster in
Region A, complete the initial configuration of vSphere Data Protection.
Procedure
Log in to the vSphere Data Protection Configuration Utility.
a. Open a Web browser and go to https://mgmt01vdp01.sfo01.rainpole.local:8543/vdp-configure.
b. Log in using the following credentials.

Setting Value

User name root

Password changeme

The configuration wizard of vSphere Data Protection appears.


On the Welcome page, click Next.
On the Network Settings page, verify that the network settings are populated correctly and click
Next.
On the Time Zone page, select the UTC timezone and click Next.
On the VDP Credentials page, enter and confirm a new password for the root Linux appliance
user and click Next.
The password must satisfy the following requirements:
 If all four character classes are used, the password must be at least 6 characters.
 If three character classes are used, the password must be at least 7 characters.
 If one or two character classes are used, the password must be at least 8 characters.
 The four character classes are as follows:
o Upper case letters A-Z
o Lower case letters a-z
o Numbers 0-9
o Special characters (for example: ~!@#,.)
On the vCenter Server Registration page, configure the settings for registration with the
Management vCenter Server.
a. Enter the settings for connection to the Management vCenter Server.

vCenter Server Setting Value

vCenter Server user name vsphere.local\administrator

vCenter Server password vsphere_admin_password

vCenter FQDN or IP address mgmt01vc01.sfo01.rainpole.local

vCenter Server HTTP port 80

vCenter Server HTTPS port 443

Verify vCenter Server certificate No

b. Deselect the Use vCenter for SSO authentication check box and enter the settings for
VMware Single Sign-On on the Management Platform Services Controller.

Single Sign-On Setting Value

Use vCenter for SSO authentication No

SSO FQDN or IP address mgmt01psc01.sfo01.rainpole.local

SSO port 443


c. Click Test Connection and in the success message box, click OK.
d. On the vCenter Registration page, click Next.
On the Create Storage page, select Create new storage and in the Capacity text box select 4
TB and click Next.

On the Device Allocation page, from the Provision drop-down menu, select Thin and click
Next.

On the CPU and Memory page, leave the default settings and click Next.
On the Product Improvement page, select Enable Customer Experience Improvement
Program and click Next.


On the Ready to Complete page, select Run performance analysis on storage configuration
and Restart the appliance if successful, and click Next.

In the warning message box about storage configuration, click Yes.


vSphere Data Protection setup starts configuring data disks.
After disk configuration is complete, click OK in the success box.
Verify that the vSphere Data Protection is accessible in the vSphere Web Client after you
complete the initial configuration of vSphere Data Protection.
a. Open a Web browser and go
to https://mgmt01vc01.sfo01.rainpole.local/vsphere-client.
b. Log in using the following credentials.

Setting      Value
User name    [email protected]
Password     vsphere_admin_password

c. On the vSphere Web Client Home page, verify that the VDP icon is available.

2.7.4 Install a CA-Signed SSL Certificate for vSphere Data Protection in Region A

vSphere Data Protection comes with a default self-signed certificate. Install a CA-signed certificate
that authenticates vSphere Data Protection over HTTPS.
Procedure
Log in to the Management vCenter Server by using the vSphere Web Client.
a. Open a Web browser and go to
https://mgmt01vc01.sfo01.rainpole.local/vsphere-client.
b. Log in using the following credentials.

Setting Value

User name [email protected]

Password vsphere_admin_password

Navigate to the vSphere Data Protection virtual appliance mgmt01vdp01.


Change the SSH configuration.
a. Right-click mgmt01vdp01 and select Open Console to open the remote console to the
appliance.
b. Log in as the root user using the vdp_root_password password.
c. Run the following console command to open the sshd_config file for editing.
vi /etc/ssh/sshd_config
d. Remove the # comment from the beginning of the line #PermitRootLogin yes.

e. Run the following command in the vi editor to save the file and exit the editor.
:wq!

f. In the console, restart the SSH service to update the running configuration.
/etc/init.d/sshd restart


g. Log out and close the console to the appliance.


Open an SSH connection to the vSphere Data Protection appliance
mgmt01vdp01.sfo01.rainpole.local with the root user name and vdp_root_password
password.
Stop the vSphere Data Protection services by running the following command.
emwebapp.sh --stop

Delete the Tomcat alias from the certificate store.


/usr/java/latest/bin/keytool -delete -alias tomcat
When prompted for the keystore password use changeit.

Generate a certificate signing request (CSR) vdpcsr.csr by running the following two
commands.
When prompted for the keystore password use changeit.
a. /usr/java/latest/bin/keytool -genkeypair -v -alias tomcat -keyalg RSA -sigalg SHA256withRSA -keystore /root/.keystore -storepass changeit -keypass changeit -validity 3650 -dname "CN=mgmt01vdp01.sfo01.rainpole.local, OU=rainpole.local, O=Rainpole Inc., L=Palo Alto, S=CA, C=US"
b. /usr/java/latest/bin/keytool -certreq -keyalg RSA -alias tomcat -file vdpcsr.csr
Submit the CSR to the Windows domain controller CA.
a. Run the following console command.
cat vdpcsr.csr
b. Copy the output from -----BEGIN CERTIFICATE REQUEST----- to -----END CERTIFICATE
REQUEST----- inclusive.


c. In a Web browser, log in to http://dc01rpl.rainpole.local/certsrv/certrqxt.asp with a
domain administrator user name and the domain_admin_password password.
d. Paste the request in the Saved Request text box, select VMware from the Certificate
Template drop-down menu, and click Submit.

On the Certificate Issued page, select the Base 64 encoded radio button, click the Download
certificate chain link, and save the file as vdp.p7b.


If the save as dialog does not appear, the signed certificate is saved as certnew.p7b in your
default downloads folder. Rename the file to vdp.p7b.
Copy the vdp.p7b certificate file to the /root folder on the vSphere Data Protection virtual
appliance. You can use scp, FileZilla or WinSCP.
Import the certificate.
a. Run the following console command.
/usr/java/latest/bin/keytool -import -alias tomcat -keystore /root/.keystore -file /root/vdp.p7b
b. When prompted for the keystore password, use changeit.
c. When prompted to trust the certificate, type yes and press Enter.

Verify that the certificate is installed successfully.


a. Run the following command.
/usr/java/latest/bin/keytool -list -v -keystore /root/.keystore -storepass changeit -keypass changeit | grep tomcat
b. Verify that the output contains Alias name: tomcat.

Run the addFingerprint.sh script.


/usr/local/avamar/bin/addFingerprint.sh
This script does not return any output.
Start the vSphere Data Protection services.
emwebapp.sh --start


3. vRealize Operations Implementation in Region A


vRealize Operations Manager in Region A is implemented through the following high level
procedures.
 Deploy vRealize Operations Manager in Region A
 Configure the Load Balancer for vRealize Operations Manager in Region A
 Connect vRealize Operations Manager to the vSphere Environment in Region A
 Install the vRealize Operations Manager Management Pack for vRealize Log Insight
 Connect vRealize Operations Manager to the NSX Managers in Region A
 Connect vRealize Operations Manager to vRealize Automation
 Enable Storage Device Monitoring in vRealize Operations Manager in Region A
 Configure User Access in vRealize Operations Manager
 Configure E-Mail Alerts in vRealize Operations Manager

3.1 Deploy vRealize Operations Manager in Region A


Start the deployment of vRealize Operations Manager in Region A by deploying the nodes of the
analytics cluster and the remote collector nodes.
 Prerequisites for Deploying vRealize Operations Manager in Region A
 Deploy the Virtual Appliance for Each Node of the Analytics Cluster in Region A
 Generate a CA-Signed SSL Certificate for the Analytics Cluster
 Configure the Master Replica Node in the Analytics Cluster
 Configure the Data Nodes in the Analytics Cluster
 Deploy the Remote Collector Virtual Appliances in Region A
 Connect the Remote Collector Nodes to the Analytics Cluster
 Configure a DRS Anti-Affinity Rule for vRealize Operations Manager in Region A
 Enable High Availability and Start vRealize Operations Manager
 Assign a License to vRealize Operations Manager
 Group Remote Collector Nodes in Region A
 Verify and Import the CA-Signed Certificate on Your Computer

3.1.1 Prerequisites for Deploying vRealize Operations Manager in Region A


Before you deploy vRealize Operations Manager, verify that your environment satisfies the
requirements for this deployment.
IP Addresses and Host Names
Verify that static IP addresses and FQDNs for the vRealize Operations Manager application virtual
network are available for the first region of the SDDC deployment.
For the analytics cluster application virtual network, allocate 4 static IP addresses and FQDNs for the
nodes and one for the load balancer, and map host names to the IP addresses. For the remote
collector cluster, allocate 2 static IP addresses and FQDNs.


Table 7. IP Addresses and Host Name for the Analytics Cluster in Region A

Role                                  IP Address       FQDN
External load balancer VIP address    192.168.11.35    vrops-cluster-01.rainpole.local
Master node                           192.168.11.31    vrops-mstrn-01.rainpole.local
Master replica node                   192.168.11.32    vrops-repln-02.rainpole.local
Data node 1                           192.168.11.33    vrops-datan-03.rainpole.local
Data node 2                           192.168.11.34    vrops-datan-04.rainpole.local
Default gateway                       192.168.11.1     -
DNS server                            172.16.11.4      -
                                      172.17.11.4
Subnet mask                           255.255.255.0    -
NTP servers                           172.16.11.251    ntp.sfo01.rainpole.local
                                      172.16.11.252    ntp.lax01.rainpole.local
                                      172.17.11.251
                                      172.17.11.252

Table 8. IP Addresses and Host Name for the Remote Collectors in Region A

Role IP Address FQDN

Remote collector 1 192.168.31.31 vrops-rmtcol-01.sfo01.rainpole.local

Remote collector 2 192.168.31.32 vrops-rmtcol-02.sfo01.rainpole.local

Default gateway 192.168.31.1 -

DNS server 172.16.11.5 -

Subnet mask 255.255.255.0 -


Deployment Prerequisites
Verify that your environment satisfies the following prerequisites before you deploy vRealize
Operations Manager.

Prerequisite             Value
Storage                   Virtual disk provisioning
                           o Thin
                          Required storage per node
                           o Initial storage for node deployment: 1.3 GB
                           o Storage for monitoring data for analytics cluster nodes: 1 TB
Software Features         vSphere
                           o Management vCenter Server
                           o Client Integration Plugin on the machine where you use the vSphere Web Client
                           o Management cluster with enabled DRS and HA
                          NSX for vSphere
                           o Application virtual network for the 4-node analytics cluster
                           o Application virtual network for the 2 remote collector nodes
Installation Package     Download the .ova file of the vRealize Operations Manager virtual appliance on the
                         machine where you use the vSphere Web Client.
License                  Verify that you have obtained a license that covers the use of vRealize
                         Operations Manager.
Active Directory         Verify that you have a parent Active Directory with the SDDC user roles
                         configured for the rainpole.local domain.
Certification Authority  Configure the root Active Directory domain controller as a certificate authority
                         for the environment.


3.1.2 Deploy the Virtual Appliance for Each Node of the Analytics Cluster in
Region A
Use the vSphere Web Client to deploy each vRealize Operations Manager node as a virtual appliance
on the management cluster in Region A.
You repeat the deployment for each of the four analytics nodes: master, master replica, data node 1
and data node 2.
Procedure
Log in to vCenter Server by using the vSphere Web Client.
a. Open a Web browser and go to
https://mgmt01vc01.sfo01.rainpole.local/vsphere-client.
b. Log in using the following credentials.

Setting Value

User name [email protected]

Password vsphere_admin_password

Navigate to the mgmt01vc01.sfo01.rainpole.local vCenter Server object.


Right-click the mgmt01vc01.sfo01.rainpole.local object and select Deploy OVF
Template.
On the Select source page, select Local file, browse to the location of the vRealize Operations
Manager OVA file on your file system, and click Next.

On the Review details page, examine the virtual appliance details, such as product, version,
download and disk size, and click Next.


On the Accept License Agreements page, accept the end user license agreements and click
Next.
On the Select name and folder page, enter a node name, select the inventory folder for the
virtual appliance, and click Next.

a. Enter a name for the node according to its role.

Name              Role
vrops-mstrn-01    Master node
vrops-repln-02    Master replica node
vrops-datan-03    Data node 1
vrops-datan-04    Data node 2

b. Select the inventory folder for the virtual appliance.

Object Value

vCenter Server mgmt01vc01.sfo01.rainpole.local

Data center SFO01

Folder vROps01

On the Select configuration page, from the Configuration drop-down menu, select the Medium
deployment configuration of the virtual appliance, and click Next.

On the Select a resource page, select the SFO01-Mgmt01 management cluster as the resource
to run the virtual appliance, and click Next.


On the Select storage page, select the datastore indicated in the table below, and click Next.

Note By default, the virtual appliance disk is thin provisioned.

Object               Value
VM Storage Policy    Virtual SAN Default Storage Policy
Datastore            SFO01A-VSAN01-MGMT01

On the Setup networks page, select the distributed port group on the vDS-Mgmt distributed
switch that ends with vROps01-VXLAN, and click Next.


On the Customize template page, select the time zone and set IPv4 settings for the virtual
appliance.
a. From the Timezone setting drop-down menu, select the Etc/UTC time zone.
b. In the Networking Properties Enter section, configure the following IPv4 settings.

IPv4 Setting           Value                       Node
Default gateway        192.168.11.1
DNS server             172.16.11.4, 172.17.11.4
Static IPv4 address    192.168.11.31               vrops-mstrn-01
                       192.168.11.32               vrops-repln-02
                       192.168.11.33               vrops-datan-03
                       192.168.11.34               vrops-datan-04
Subnet mask            255.255.255.0

Verify that the settings for deployment are correct, and click Finish.
After the virtual appliance is deployed, expand the data disk of the virtual appliance to collect and
store data from a large number of virtual machines.
a. In the vSphere Web Client, navigate to the virtual appliance object.
b. Right-click the virtual appliance and select the Edit Settings menu item.
c. In the Edit Settings dialog box, next to Hard disk 2 increase the size of the virtual appliance
disk from 250 GB to 1 TB, and click OK.

Right-click the virtual appliance object and select Power > Power On.


During the power-on process, the virtual appliance expands the vRealize Operations
Manager data partition as well.
Repeat this procedure to deploy the vRealize Operations Manager virtual appliance for the next
node in the analytics cluster.

3.1.3 Generate a CA-Signed SSL Certificate for the Analytics Cluster


vRealize Operations Manager comes with default self-signed certificates that are generated and
signed at installation time. Install a CA-signed certificate that authenticates the analytics cluster of
vRealize Operations Manager so that the Web browser does not show a certificate prompt every time
users log into the Web user interface over HTTPS.
You import the certificate into the master node, and transfer the certificate to the master replica and
data nodes during initial setup.
vRealize Operations Manager accepts only PEM encoded certificates that include the complete
certification chain.
Procedure
On your computer, create a configuration file for OpenSSL certificate request generation,
called vrops01.cfg.
Because all nodes in the cluster share the same certificate, the Subject Alternative Name
field, subjectAltName, of the uploaded certificate must contain the IP addresses and FQDNs of all
nodes and of the load balancer. For common name, use the full domain name of the load
balancer.
[ req ]
default_bits = 4096
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:vrops-cluster-01, IP:192.168.11.35, DNS:vrops-cluster-01.rainpole.local, DNS:vrops-mstrn-01.rainpole.local, DNS:vrops-mstrn-01, DNS:vrops-repln-02.rainpole.local, DNS:vrops-repln-02, DNS:vrops-datan-03.rainpole.local, DNS:vrops-datan-03, DNS:vrops-datan-04.rainpole.local, DNS:vrops-datan-04

[ req_distinguished_name ]
countryName = US
stateOrProvinceName = CA
localityName = Palo Alto
0.organizationName = Rain Pole Inc.
organizationalUnitName = rainpole.local
commonName = vrops-cluster-01.rainpole.local

Log in to vCenter Server using the vSphere Web Client.


a. Open a Web browser and go to
https://mgmt01vc01.sfo01.rainpole.local/vsphere-client.
b. Log in using the following credentials.

Setting Value

User name [email protected]

Password vsphere_admin_password

Enable the SSH service on the virtual appliance.


a. Right-click the vrops-mstrn-01 virtual appliance, and select Open Console.
The remote console to the appliance opens.
b. Press ALT+F1 to switch to the command prompt.
c. In the command prompt, log in as the root user using an empty password.
d. In the command prompt, change the default empty password for the root user account and
assign a new password.
You change the default password for the root user because this is the first time you log in to the
virtual appliance console.
e. Start the SSH service by running the service sshd start command.
service sshd start
f. Close the virtual appliance console.
Log in to vrops-mstrn-01.rainpole.local virtual machine over SSH using the following
credentials.

Setting Value

User name root

Password vrops_master_root_password

Create a sub-directory called vrops01 in the root user’s home directory.


mkdir /root/vrops01/
Copy the vrops01.cfg to the /root/vrops01 folder on the master node virtual appliance. You
can use scp, FileZilla or WinSCP.
From the /root/vrops01 folder, generate an RSA private key that is 4096 bits long, and save it
as a vrops01.key file.
openssl genrsa -out vrops01.key 4096

Use the vrops01.key private key and the vrops01.cfg configuration file to create a Certificate
Signing Request (CSR) and save it as a vrops01.pem file.
openssl req -new -key vrops01.key -out vrops01.pem -config vrops01.cfg
Submit the CSR to the Windows domain controller CA.
a. Run the following console command.
cat vrops01.pem
b. Copy the output from -----BEGIN CERTIFICATE REQUEST----- to -----END CERTIFICATE
REQUEST----- inclusive.

c. Open a Web browser and go to http://dc01rpl.rainpole.local/certsrv/certrqxt.asp.
d. Log in using the following credentials.

Setting Value

User name domain administrator

Password domain_admin_password

e. Paste the request in the Saved Request text box, select VMware from the Certificate
Template drop-down menu, and click Submit.

On the Certificate Issued page, select Base 64 encoded, click Download certificate, and
save the certificate as vrops01.cer on your computer.
If the Save As dialog box does not appear, the signed certificate is saved as certnew.cer in
your computer's Download folder. Rename the file as vrops01.cer.

Download the root CA certificate.


a. Open a Web browser and go to
http://dc01rpl.rainpole.local/certsrv/certcarc.asp.
b. Log in using the following credentials.

Setting Value

User name domain administrator

Password domain_admin_password

Select Base 64, click Download CA Certificate, and save the certificate as rootca.cer on
your computer.
If the Save As dialog box does not appear, the CA certificate is saved as certnew.cer in your
computer's Download folder. Rename the file as rootca.cer.

Copy the vrops01.cer and rootca.cer certificate files to the /root/vrops01 folder on the
master virtual appliance. You can use scp, FileZilla or WinSCP.
In the master node console, create a vrops01-chain.pem file in the /root/vrops01 folder
that contains the signed certificate, the CA certificate and the private key.
The certificates in a PEM file must follow the certificate chain sequence, starting from the
node's own certificate up to the root CA certificate: vrops01.cer must be first, rootca.cer next,
and vrops01.key last.
cat vrops01.cer rootca.cer vrops01.key > vrops01-chain.pem

Copy the vrops01-chain.pem file to your computer. You can use scp, FileZilla or WinSCP.
Stop the SSH service on the master node virtual appliance by running the service sshd stop
command.
service sshd stop

The next time you attempt to log in to the master virtual appliance, the SSH connection will not be
established.
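
Added example, not code from the VMware guide: a POSIX shell script that runs the key, CSR and chain steps of this procedure on a workstation with openssl and checks the result before you upload it. It assumes openssl is installed; the dc01rpl.rainpole.local Windows CA is stood in for by a throw-away test root CA so the script runs offline, and the mktemp work directory and the v3_ca section are the script's own additions.

```shell
#!/bin/sh
# Added example, not from the VMware guide: run the key, CSR and chain steps of
# the procedure above and verify the result. Assumes openssl is installed; the
# Windows CA is replaced by a throw-away test root so the script runs offline.
set -e

WORK=${WORK:-$(mktemp -d)}

# Request configuration as in the guide: CN is the load balancer FQDN and the
# SAN lists every node name plus the VIP. [ v3_ca ] only serves the test CA.
write_cfg() {
    cat > "$WORK/vrops01.cfg" <<'EOF'
[ req ]
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:vrops-cluster-01, IP:192.168.11.35, DNS:vrops-cluster-01.rainpole.local, DNS:vrops-mstrn-01.rainpole.local, DNS:vrops-mstrn-01, DNS:vrops-repln-02.rainpole.local, DNS:vrops-repln-02, DNS:vrops-datan-03.rainpole.local, DNS:vrops-datan-03, DNS:vrops-datan-04.rainpole.local, DNS:vrops-datan-04

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = keyCertSign, cRLSign

[ req_distinguished_name ]
countryName = US
stateOrProvinceName = CA
localityName = Palo Alto
0.organizationName = Rain Pole Inc.
organizationalUnitName = rainpole.local
commonName = vrops-cluster-01.rainpole.local
EOF
}

# Private key and CSR, as in the guide.
make_key_and_csr() {
    openssl genrsa -out "$WORK/vrops01.key" 4096 2>/dev/null
    chmod 600 "$WORK/vrops01.key"                 # the key is a secret
    openssl req -new -key "$WORK/vrops01.key" -config "$WORK/vrops01.cfg" \
        -out "$WORK/vrops01.pem"
}

# Stand-in for the CA web enrollment: the test root signs the CSR and copies
# the requested v3_req extensions (a real CA applies its own template).
sign_with_test_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test Root CA" \
        -config "$WORK/vrops01.cfg" -extensions v3_ca \
        -keyout "$WORK/rootca.key" -out "$WORK/rootca.cer" 2>/dev/null
    openssl x509 -req -in "$WORK/vrops01.pem" -CA "$WORK/rootca.cer" \
        -CAkey "$WORK/rootca.key" -CAcreateserial -days 1 \
        -extfile "$WORK/vrops01.cfg" -extensions v3_req \
        -out "$WORK/vrops01.cer" 2>/dev/null
}

# Chain in the order vRealize Operations Manager expects: own certificate, CA
# certificate, private key. The file holds the key: keep it private, and
# delete stray copies (for example on your workstation) after the upload.
make_chain() {
    cat "$WORK/vrops01.cer" "$WORK/rootca.cer" "$WORK/vrops01.key" \
        > "$WORK/vrops01-chain.pem"
    chmod 600 "$WORK/vrops01-chain.pem"
}

# Check 1: every node name and the VIP is in the CSR's SAN, so the one
# shared certificate is valid on each node and on the load balancer address.
csr_has_all_sans() {
    san=$(openssl req -in "$WORK/vrops01.pem" -noout -text \
          | grep -A1 'Subject Alternative Name' | tail -n 1)
    for n in vrops-cluster-01.rainpole.local vrops-mstrn-01.rainpole.local \
             vrops-repln-02.rainpole.local vrops-datan-03.rainpole.local \
             vrops-datan-04.rainpole.local 192.168.11.35; do
        case "$san" in *"$n"*) ;; *) echo "SAN is missing $n"; return 1 ;; esac
    done
}

# Check 2: block order is cert, cert, key; the first certificate carries the
# load balancer name, verifies against the CA after it, and matches the key.
chain_order_is_correct() {
    blocks=$(grep -- '-----BEGIN' "$WORK/vrops01-chain.pem" | tr '\n' ' ')
    case "$blocks" in
        "-----BEGIN CERTIFICATE----- -----BEGIN CERTIFICATE----- -----BEGIN "*"PRIVATE KEY----- ") ;;
        *) echo "unexpected block order: $blocks"; return 1 ;;
    esac
    openssl x509 -in "$WORK/vrops01-chain.pem" -noout -subject \
        | grep -q 'vrops-cluster-01.rainpole.local' || return 1
    openssl verify -CAfile "$WORK/rootca.cer" "$WORK/vrops01.cer" >/dev/null || return 1
    [ "$(openssl x509 -in "$WORK/vrops01.cer" -noout -modulus)" = \
      "$(openssl rsa -in "$WORK/vrops01.key" -noout -modulus)" ]
}

write_cfg; make_key_and_csr; sign_with_test_ca; make_chain
csr_has_all_sans
chain_order_is_correct
echo "vrops01-chain.pem in $WORK passed both checks"
```

With the real CA, replace sign_with_test_ca by the web enrollment steps above and run only make_chain and the two checks on the files you copied back.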

3.1.4 Configure the Master Node in the Analytics Cluster


After you deploy the virtual appliance for the master node of the vRealize Operations Manager
analytics cluster, enable its administration role in the cluster.
Procedure
Open a Web browser and go to https://vrops-mstrn-01.rainpole.local.

In the initial setup page, click New Installation.

On the Getting Started page, review the steps for creating a cluster, and click Next.

On the Set Administrator Password page, type and confirm the password for the admin user
account.

On the Choose Certificate page, select the Install a certificate radio button, click Browse,
select the vrops01-chain.pem file, and click Next.
After the setup imports and validates the certificate, notice that the certificate has a common
name, vrops-cluster-01.rainpole.local, and a subject alternative name that contains
vrops-mstrn-01.rainpole.local for the master node.

On the Deployment Settings page, configure the following settings, and click Next.

Setting Value

Cluster Master Node Name vrops-mstrn-01

NTP Server Address ntp.sfo01.rainpole.local
ntp.lax01.rainpole.local

On the Ready to complete page, click Finish.

When the configuration process completes, the vRealize Operations Manager Administration
console opens.
Click System Status in the Administration panel.
The virtual appliance instance acting as the master node appears in the Nodes in the vRealize
Operations Manager Cluster list.

3.1.5 Configure the Master Replica Node in the Analytics Cluster


After you deploy a virtual appliance instance for the master replica node and configure a master node
in the cluster, enable the cluster node functionality of the master replica node and join it to the
analytics cluster.

Procedure
Open a Web browser and go to https://vrops-repln-02.rainpole.local.
In the initial setup page, click Expand an Existing Installation.

On the Getting Started page, review the steps for creating a cluster, and click Next.

On the Node Settings and Cluster Info page, configure the settings of the node in the analytics
cluster.
a. In the Node Name text box, enter the DNS short name vrops-repln-02.
b. From the Node type drop-down menu, select Data.

Note Although you are configuring the replica node, the vRealize Operations Manager setup
considers the replica a data node until you enable high availability.

c. In the Master node IP address or FQDN text box, enter the master node FQDN vrops-
mstrn-01.rainpole.local and click Validate.
The certificate of the master node appears in the text box.
d. Verify that the master certificate is correct, and click Accept this certificate.
e. Click Next.

On the Username and Password page, select the Use cluster administrator user name and
password radio button, enter the vrops_admin_password for the admin user, and click Next.

On the Ready to complete page, click Finish.


When the configuration process completes, the vRealize Operations Manager Administration
console opens.
Click System Status in the Administration panel.
The virtual appliance instance acting as the data node appears in the Nodes in the vRealize
Operations Manager Cluster list.

3.1.6 Configure the Data Nodes in the Analytics Cluster


After you deploy the virtual appliance for a data node of the vRealize Operations Manager analytics
cluster, enable its role in the cluster.
Procedure
For each data node virtual appliance, open a Web browser and go to the vRealize Operations
Manager Initial Setup wizard.

Data Node URL

Data node 1 https://vrops-datan-03.rainpole.local

Data node 2 https://vrops-datan-04.rainpole.local

In the vRealize Operations Manager Initial Setup wizard, click Expand an Existing Installation.
On the Getting Started page, review the steps for creating a cluster, and click Next.

On the Node Settings and Cluster Info page, configure the settings of the node in the analytics
cluster.
a. In the Node Name text box, enter the short form of the DNS name for the data node.

Data Node DNS Short Name

Data node 1 vrops-datan-03

Data node 2 vrops-datan-04

b. From the Node type drop-down menu, select Data.


c. In the Master node IP address or FQDN text box, enter the master node FQDN vrops-
mstrn-01.rainpole.local, and click Validate.
d. Verify that the master certificate is correct, and click Accept this certificate.
e. Click Next.

On the Username and password page, select the Use cluster administrator user name and
password radio button, enter the vrops_admin_password for the admin user, and click Next.
On the Ready to complete page, click Finish.
When the configuration process completes, the vRealize Operations Manager Administration
console opens.
Click System Status in the Administration panel.
The virtual appliance instance acting as the data node appears in the Nodes in the vRealize
Operations Manager Cluster list.

3.1.7 Deploy the Remote Collector Virtual Appliances in Region A


After you deploy and enable the roles of the analytics cluster nodes, use the vSphere Web Client to
deploy each of the two virtual appliances for the remote collectors in Region A. This step is required
for a single or multi-region environment. In a multi-region environment, you deploy the remote
collectors to forward data from the vCenter Server instances in Region A to the analytics cluster.
Repeat this procedure two times to deploy two remote collector appliances.
Procedure
Log in to the vCenter Server by using the vSphere Web Client.
a. Open a Web browser and go to
https://mgmt01vc01.sfo01.rainpole.local/vsphere-client.
b. Log in using the following credentials.

Setting Value

User name [email protected]

Password vsphere_admin_password

Navigate to the mgmt01vc01.sfo01.rainpole.local vCenter Server object.


Right-click the mgmt01vc01.sfo01.rainpole.local object and select Deploy OVF Template.
On the Select source page, select Local file, browse to the location of the vRealize Operations
Manager OVA file on your file system, and click Next.

On the Review details page, examine the virtual appliance details, such as product, version,
download and disk size, and click Next.

On the Accept License Agreements page, accept the end user license agreements and
click Next.
On the Select name and folder page, enter a node name, select the inventory folder for the
virtual appliance, and click Next.

Setting Value

Name of remote collector 1 vrops-rmtcol-01

Name of remote collector 2 vrops-rmtcol-02

vCenter Server mgmt01vc01.sfo01.rainpole.local

Data center SFO01

Folder vROps01RC

On the Select configuration page, from the Configuration drop-down menu, select Remote
Collector (Standard), and click Next.

On the Select a resource page, select the SFO01-Mgmt01 management cluster as the resource
to run the virtual appliance, and click Next.

On the Select storage page, select the datastore indicated in the table below, and click Next.

Setting Value

VM Storage Policy Virtual SAN Default Storage Policy

Datastore SFO01A-VSAN01-MGMT01

On the Setup networks page, select the distributed port group on the vDS-Mgmt distributed
switch that ends with Mgmt-RegionA01-VXLAN, and click Next.
On the Customize template page, select the time zone and set the IPv4 settings for the virtual
appliance.

a. From the Timezone setting drop-down menu, select the Etc/UTC time zone.
b. In the Networking Properties section, configure the following IPv4 settings.

Setting Value

Default gateway 192.168.31.1

DNS server 172.16.11.5

Static IPv4 address for vrops-rmtcol-01 192.168.31.31

Static IPv4 address for vrops-rmtcol-02 192.168.31.32

Subnet mask 255.255.255.0

On the Ready to complete page, verify that the settings for deployment are correct and
the Power on after deployment check box is selected, and click Finish.
Repeat the steps to deploy the second remote collector appliance.

3.1.8 Connect the Remote Collector Nodes to the Analytics Cluster


After you deploy the virtual appliances for the remote collector nodes on the Management vCenter
Server, configure the settings of the remote collectors and connect them to the analytics cluster.
Procedure
Open a Web browser, and go to the initial setup user interface of each remote collector node
virtual appliance.

Remote Collector Node URL

Remote collector 1 https://vrops-rmtcol-01.sfo01.rainpole.local

Remote collector 2 https://vrops-rmtcol-02.sfo01.rainpole.local

On the initial setup page, click Expand an Existing Installation.

On the Getting Started page, review the steps for creating a cluster, and click Next.

On the Node Settings and Cluster Info page, configure the settings of the node in the analytics
cluster.
a. In the Node Name text box, enter the DNS short name for the remote collector node.

Remote Collector Node DNS Short Name

Remote collector 1 vrops-rmtcol-01

Remote collector 2 vrops-rmtcol-02

b. From the Node Type drop-down menu, select Remote Collector.


c. Enter the master node FQDN vrops-mstrn-01.rainpole.local and click Validate.
The certificate of the master node appears in the text box.
d. Validate that the master certificate is correct, and click Accept this certificate.
e. Click Next.

On the Username and Password page, select Use cluster administrator user name and
password radio button, type the vrops_admin_password for the admin user, and click Next.
On the Ready to complete page, click Finish.
After configuration of the second remote collector is complete, the cluster on the System Status
page of the administration user interface consists of the following nodes: vrops-mstrn-01, vrops-
repln-02, vrops-datan-03, vrops-datan-04, and the remote collectors vrops-rmtcol-01 and
vrops-rmtcol-02.

3.1.9 Configure a DRS Anti-Affinity Rule for vRealize Operations Manager in Region A

To protect the vRealize Operations Manager virtual machines from a host-level failure, configure
vSphere DRS to run the virtual machines for the analytics cluster and for the remote collectors on
different hosts in the management cluster.
Procedure
Log in to the vCenter Server by using the vSphere Web Client.
a. Open a Web browser and go to
https://mgmt01vc01.sfo01.rainpole.local/vsphere-client.
b. Log in using the following credentials.

Setting Value

User name [email protected]

Password vsphere_admin_password

Navigate to the mgmt01vc01.sfo01.rainpole.local vCenter Server object, and under the SFO01
data center object select the SFO01-Mgmt01 cluster.
On the Manage tab, click the Settings tab.
Under the Configuration group of settings, select VM/Host Rules.
In the VM/Host Rules list, click the Add button above the rules list and add a new anti-affinity rule
called vropscluster-antiaffinity-rule for the four vRealize Operations Manager analytics virtual
machines, and click OK.

Setting Value

Name vropscluster-antiaffinity-rule

Enable rule Selected

Type Separate Virtual Machines

Members vrops-mstrn-01, vrops-repln-02, vrops-datan-03, vrops-datan-04

In the VM/Host Rules list, click the Add button above the rules list and add a new anti-affinity rule
called vropscollectors-antiaffinity-rule for the two remote collector virtual machines of vRealize
Operations Manager, and click OK.

Setting Value

Name vropscollectors-antiaffinity-rule

Enable rule Selected

Type Separate Virtual Machines

Members vrops-rmtcol-01, vrops-rmtcol-02

3.1.10 Enable High Availability and Start vRealize Operations Manager


After you deploy the virtual appliances for the analytics cluster nodes and for the remote collector
nodes, enable high availability in the analytics cluster by assigning the replica role to the vrops-repln-
02 node and start the analytics cluster.
Procedure
Log in to vRealize Operations Manager by using the administration console.
a. Open a Web browser and go to https://vrops-mstrn-01.rainpole.local.
b. Log in using the following credentials.

Setting Value

User name admin

Password vrops_admin_password

On the System Status page, the cluster status is Not Started, and the high availability of the
cluster is Disabled.

On the System Status page, click Enable under High Availability.


A list of all nodes that have the data node role appears.
In the Enable High Availability dialog box, configure the following values, and click OK.

Setting Value

vrops-repln-02 Selected

Enable High Availability for this cluster Selected

High availability becomes enabled after several minutes. vrops-mstrn-01 is the master, vrops-
repln-02 is the master replica, and the remaining nodes are data nodes.

Click the Start vRealize Operations Manager button.


A confirmation dialog about initial startup appears.

Click Yes to confirm the first startup of vRealize Operations Manager.


After several minutes, the nodes of the cluster are started, and the analytics cluster and remote
collectors for Region A are online.

3.1.11 Assign a License to vRealize Operations Manager


After you deploy and start vRealize Operations Manager in Region A, you assign a valid license.
Procedure
Log in to the vRealize Operations Manager Configuration wizard.
a. Open a Web browser and go to https://vrops-mstrn-01.rainpole.local.
b. Log in using the following credentials.

Setting Value

User name admin

Password vrops_admin_password

On the Welcome page of the vRealize Operations Manager Configuration wizard, examine the
process overview, and click Next.

On the Accept EULA page, accept the end user license agreement, and click Next.
On the Enter Product License Key page, enter the vRealize Operations Manager product license
key.
a. Select Product Key and enter the license key.
b. Click Validate License Key, and click Next.

(Optional) On the Customer Experience Improvement Program page, to send technical
information for product improvement, select Enable Customer Experience Improvement
Program and click Next.

On the Ready to Complete page, click Finish.


The vRealize Operations Manager user interface opens.

3.1.12 Group Remote Collector Nodes in Region A


After you start vRealize Operations Manager and assign it a license, join the remote collectors in a
group so that adapters stay available when a collector experiences a network interruption or
becomes unavailable.
Procedure
Log in to the vRealize Operations Manager administration console.
a. Open a Web browser and go to https://vrops-mstrn-01.rainpole.local.
b. Log in using the following credentials.

Setting Value

User name admin

Password vrops_admin_password

On the Home page, click Administration, then click Collector Groups.

Click the Add icon.

In the Add New Collector Group dialog box, configure the following settings, and click Save.

Setting Value

Name SFO01

Description Remote collector group for Region A

vrops-rmtcol-01 Selected

vrops-rmtcol-02 Selected

The SFO01 group appears on the Collector Groups page.

3.1.13 Verify and Import the CA-Signed Certificate on Your Computer


After you start vRealize Operations Manager and configure the remote collector group for Region A,
verify and accept the CA-signed certificate that the Web browser displays when you log in to each
node, for example, the master replica node vrops-repln-02.rainpole.local.
Procedure
Open a Web browser and go to https://vrops-repln-02.rainpole.local.
A warning message that the connection is not trusted appears.

Click the Padlock icon to review the certificate.


In the Certificate dialog box, verify that the Subject Alternative Name field contains the names
of the cluster nodes.

If you access vRealize Operations Manager from an external location, import the certificate.
You can use Certificate Manager on Windows or Keychain Access on Mac OS X. The certificate
is required for connection to the external VIP address of the load balancer.

3.2 Configure Load Balancer for vRealize Operations Manager in Region A

Configure load balancing for the analytics cluster on the dedicated SFOMGMT-LB01 NSX Edge
service gateway for Region A.
The remote collector nodes for Region A do not require load balancing.
Prerequisites
 Verify that the NSX Manager for the management cluster has the management virtual application
network for the analytics cluster configured.
 Verify that the Load Balancer service is enabled on the NSX Edge service gateway.
Procedure
Log in to the Management vCenter Server by using the vSphere Web Client.
a. Open a Web browser and go to https://mgmt01vc01.sfo01.rainpole.local/vsphere-client.
b. Log in using the following credentials.

Setting Value

User name [email protected]

Password vsphere_admin_password

From the Home menu, select Networking & Security.


The vSphere Web Client displays the NSX Home page.
On the NSX Home page, click NSX Edges and select 172.16.11.65 from the NSX Manager drop-
down menu at the top of the NSX Edges page.
On the NSX Edges page, double-click the SFOMGMT-LB01 NSX edge.
Configure the load balancing VIP address for the analytics cluster.
a. On the Manage tab, click the Settings tab and click Interfaces.
b. Select the interface OneArmLB and click the Edit icon.
c. In the Edit NSX Edge Interface dialog box, click the Edit icon and in the Secondary IP
Addresses text box enter the 192.168.11.35 VIP address.
d. Click OK to save the configuration.
Create an application profile.
a. On the Manage tab for the SFOMGMT-LB01 device, click the Load Balancer tab.
b. Click Application profiles, and click the Add icon.
c. In the New Profile dialog box, configure the profile using the following configuration settings,
and click OK.

Setting Value

Name VROPS_HTTPS

Type HTTPS

Enable SSL Passthrough Selected

Persistence Source IP

Expires in (Seconds) 1800

Client Authentication Ignore

Create a service monitoring entry.

a. On the Load Balancer tab of the SFOMGMT-LB01 device, click Service
Monitoring and click the Add icon.
b. In the New Service Monitoring dialog box, configure the health check parameters using the
following configuration settings, and click OK.

Setting Value

Name VROPS_MONITOR

Interval 3

Timeout 5

Retries 2

Type HTTPS

Method GET

URL /suite-api/api/deployment/node/status

Receive ONLINE (must be upper case)

Add a server pool.

a. On the Load Balancer tab of the SFOMGMT-LB01 device, select Pools, and click the Add
icon.
b. In the New Pool dialog box, configure the pool settings.

Setting Value

Name VROPS_POOL

Algorithm LEASTCONN

Monitors VROPS_MONITOR

c. Under Members, click the Add icon to add the pool members.
d. In the New Member dialog box, add one member for each node of the analytics cluster and
click OK.

Setting Value

Enable Member Selected (for each member)

Name            IP Address      Port   Monitor Port   Weight   Max Connections   Min Connections

vrops-mstrn-01  192.168.11.31   443    443            1        8                 8

vrops-repln-02  192.168.11.32   443    443            1        8                 8

vrops-datan-03  192.168.11.33   443    443            1        8                 8

vrops-datan-04  192.168.11.34   443    443            1        8                 8


After you add the analytics cluster nodes to the pool, you see them in the Members table.
e. In the New Pool dialog box, click OK.
Add a virtual server.
a. On the Load Balancer tab of the SFOMGMT-LB01 device, select Virtual Servers and click
the Add icon.

b. In the New Virtual Server dialog box, configure the settings of the virtual server for the
analytics cluster and click OK.

Option Value

Enable Virtual Server Selected

Application Profile VROPS_HTTPS

Name VROPS_VIRTUAL_SERVER

IP Address 192.168.11.35
Click Select IP Address, select OneArmLB from the drop-down menu
and then select 192.168.11.35 IP for the virtual NIC.

Protocol HTTPS

Port 443

Default Pool VROPS_POOL

Connection Limit 0

Connection Rate Limit 0

You can connect to the analytics cluster at the public Virtual Server IP address over
HTTPS: https://vrops-cluster-01.rainpole.local.

Configure auto redirect from HTTP to HTTPS requests.


The NSX Edge can redirect users from HTTP to HTTPS without entering another URL in the
browser.
a. On the Load Balancer tab of the SFOMGMT-LB01 device, select Application Profiles and
click the Add icon.
b. In the Add New Profile dialog box, configure the application profile settings and click OK.

Setting Value

Name VROPS_REDIRECT

Type HTTP

HTTP Redirect URL https://vrops-cluster-01.rainpole.local/vcops-web-ent/login.action

Persistence Source IP

Expires in (Seconds) 1800

c. On the Load Balancer tab of the SFOMGMT-LB01 device, select Virtual Servers and click
Add.

d. Configure the settings of the virtual server for HTTP redirects.

Setting Value

Enable Virtual Server Selected

Application Profile VROPS_REDIRECT

Name VROPS_REDIRECT

IP Address 192.168.11.35

Protocol HTTP

Port 80

Default Pool NONE

Connection Limit 0

Connection Rate Limit 0

You can connect to the analytics cluster at the public Virtual Server IP address over HTTP at
the http://vrops-cluster-01.rainpole.local address.

Verify the pool configuration by examining the pool statistics, which reflect the status of the
components behind the load balancer.
a. Log out and log in again to the vSphere Web Client.
b. From the Home menu, select Networking & Security.
c. On the NSX Home page, click NSX Edges and select 172.16.11.65 from the NSX Manager
drop-down menu at the top of the NSX Edges page.
d. On the NSX Edges page, double-click the SFOMGMT-LB01 NSX edge.
e. On the Manage tab, click the Load Balancer tab.
f. Click Pools and click Show Pool Statistics.
g. In the Pool and Member Status dialog box, select the VROPS_POOL pool.
You see that the load balancer pool is up.

3.3 Connect vRealize Operations Manager to the vSphere Environment in Region A

After you set up vRealize Operations Manager and the network access to it, connect it to the
Management vCenter Server and the Compute vCenter Server to start collecting monitoring data from
the vCenter Server instances and the ESXi hosts.
 Configure User Privileges in vSphere for Integration with vRealize Operations Manager for Region
A
 Add vCenter Adapter Instances to vRealize Operations Manager for Region A

3.3.1 Configure User Privileges in vSphere for Integration with vRealize Operations Manager for Region A

Assign the permissions to the svc-vrops user for access from vRealize Operations Manager to the
Management vCenter Server and Compute vCenter Server in Region A.
Prerequisites
 Verify that the Management vCenter Server and Compute vCenter Server for Region A are
connected to the Active Directory domain.
 Verify that the users and groups from the rainpole.local domain are available in the
Management vCenter Server and in the Compute vCenter Server for Region A.
Procedure
Log in to the Management vCenter Server by using the vSphere Web Client.
a. Open a Web browser and go to
https://mgmt01vc01.sfo01.rainpole.local/vsphere-client.
b. Log in using the following credentials.

Setting Value

User name [email protected]

Password vsphere_admin_password

In the vSphere Web Client, navigate to the vCenter Server object in Region A.

vCenter Server Object

Management vCenter Server mgmt01vc01.sfo01.rainpole.local

Compute vCenter Server comp01vc01.sfo01.rainpole.local

Right-click the vCenter Server object and click Add Permission.

In the Add Permission dialog box, click the Add button to add permissions to a user or a group.

In the Select Users/Groups dialog box, from the Domain drop-down menu, select RAINPOLE
and in the filter box type svc.
From the list of users and groups, select svc-vrops, click the Add button, and click OK.

In Add Permission dialog box, from the Assigned Role drop-down menu, select Read-only, and
click OK.

Repeat the steps for the other vCenter Server instance in Region A.
The svc-vrops user now has read-only access to all objects in both vCenter Server instances. The
Add Permission dialog box selects Propagate to children by default, which is what makes a
permission set on the vCenter Server object apply to the whole inventory; if you clear it, the
service account can see the vCenter Server object only and the adapter collects nothing below it.
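The permission you just set is inherited down the inventory, but vSphere resolves a principal's effective role per object: a permission defined on a closer object overrides one inherited from an ancestor, an inherited permission applies only if it was set with Propagate to children, and a permission granted directly to the user overrides any granted through its groups on the same object. The following Python script, added here as an example and not part of the guide, applies those rules to an exported permission list so you can confirm that svc-vrops ends up with exactly Read-only everywhere, including objects where a group it belongs to was granted more. The inventory paths, the SAMPLE_PERMISSIONS list and the assumption that svc-vrops might be a member of the vCAdmins group are constructed for the example; the role names are the vSphere built-in ones.

```python
"""Resolve the effective vCenter role of a principal on an inventory object.

Added example, not from the VMware guide. vSphere rules implemented:
  1. a permission on the object itself beats any inherited one;
  2. an inherited permission counts only if it was set with Propagate;
  3. on one object, a permission for the user itself overrides permissions
     granted through the user's groups, which are otherwise merged (union).
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class Permission:
    entity: str       # inventory path; "/" is the vCenter Server root folder
    principal: str    # DOMAIN\user or DOMAIN\group
    role: str         # role name, e.g. "ReadOnly", "Admin"
    propagate: bool   # "Propagate to children" checked in Add Permission


# Constructed sample export. The svc-vrops entry mirrors the guide; the
# vCAdmins folder-level permission is an assumption made for demonstration.
SAMPLE_PERMISSIONS: List[Permission] = [
    Permission("/", "VSPHERE.LOCAL\\Administrators", "Admin", True),
    Permission("/", "RAINPOLE\\svc-vrops", "ReadOnly", True),
    Permission("/SFO01/vm/vROps", "RAINPOLE\\vCAdmins", "Admin", False),
]


def lineage(path: str) -> Iterable[str]:
    """Yield the object path, then each ancestor up to the root "/"."""
    parts = [p for p in path.split("/") if p]
    for i in range(len(parts), -1, -1):
        yield "/" + "/".join(parts[:i])


def effective_roles(perms: Iterable[Permission], principal: str,
                    groups: Set[str], path: str) -> Set[str]:
    """Return the set of roles the principal holds on the object at path."""
    perms = list(perms)
    for level, node in enumerate(lineage(path)):
        # rule 2: above the object itself only propagating permissions count
        here = [p for p in perms
                if p.entity == node and (level == 0 or p.propagate)]
        direct = {p.role for p in here if p.principal == principal}
        if direct:                      # rule 3: user beats group
            return direct
        via_groups = {p.role for p in here if p.principal in groups}
        if via_groups:                  # rule 1: nearest object wins
            return via_groups
    return set()


def elevated_objects(perms: Iterable[Permission], principal: str,
                     groups: Set[str], objects: Iterable[str],
                     allowed: Iterable[str] = ("ReadOnly",)) -> Dict[str, Set[str]]:
    """Map each object on which the principal holds a role outside `allowed`."""
    perms = list(perms)
    findings: Dict[str, Set[str]] = {}
    for obj in objects:
        roles = effective_roles(perms, principal, groups, obj)
        if roles - set(allowed):
            findings[obj] = roles
    return findings


if __name__ == "__main__":
    inventory = ["/", "/SFO01", "/SFO01/vm/vROps", "/SFO01/vm/vROps/vrops-01"]
    svc = "RAINPOLE\\svc-vrops"
    # svc-vrops in no group: read-only everywhere, nothing reported
    print(elevated_objects(SAMPLE_PERMISSIONS, svc, set(), inventory))
    # svc-vrops added to vCAdmins: Admin on the folder, still ReadOnly below it
    print(elevated_objects(SAMPLE_PERMISSIONS, svc, {"RAINPOLE\\vCAdmins"}, inventory))
```

Feed the script the output of an actual permission export (for example the entity, principal, role and propagate columns of a Get-VIPermission listing) and the group memberships of the service account from Active Directory; any object it reports is one where the account holds more than the Read-only role the guide intends.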

3.3.2 Add vCenter Adapter Instances to vRealize Operations Manager for Region A
After you deploy the analytics cluster and the remote collector nodes of vRealize Operations Manager
in Region A and start vRealize Operations Manager, add vCenter Adapter instances for the
Management and Compute vCenter Server instances in Region A.
Prerequisites
 Verify that the Management vCenter Server and Compute vCenter Server are running.
 Verify that the Management vCenter Server and Compute vCenter Server are configured with the
rainpole.local Active Directory domain.
 Verify that the svc-vrops user has been assigned the Read-only role on both vCenter Server
instances, as described in the previous procedure.
Procedure
Log in to vRealize Operations Manager by using the administration console.
a. Open a Web browser and go to https://vrops-cluster-01.rainpole.local.
b. Log in using the following credentials.

Setting Value

User name [email protected]

Password vsphere_admin_password

In the left pane of vRealize Operations Manager, click Administration, and click Solutions.
From the solution table on the Solutions page, select the VMware vSphere solution, and
click Configure.

The Manage Solution - VMware vSphere wizard appears.


On the Configure adapters page, from the Adapter Type table at the top, select vCenter
Adapter.
Empty settings for the vCenter Adapter appear under Instance Settings if vRealize Operations
Manager does not have vCenter Adapters configured.
Under Instance Settings, enter the settings for connection to vCenter Server.
a. If you already have added another vCenter Adapter, click the Add icon to add an adapter
setting.
b. Enter the name, description and FQDN of vCenter Server.

Management vCenter Server Attribute Value

Name mgmt01vc01-sfo01

Description Management vCenter Server for Region A

vCenter Server mgmt01vc01.sfo01.rainpole.local

Compute vCenter Server Attribute Value

Name comp01vc01-sfo01

Description Compute vCenter Server for Region A

vCenter Server comp01vc01.sfo01.rainpole.local

c. Click the Add icon, and configure the collection credentials for connection to the vCenter
Servers.

Management vCenter Server Credentials Attribute Value

Credential name mgmt01vc01-sfo01-credentials

User Name [email protected]

Password svc-vrops-password

Compute vCenter Server Credentials Attribute Value

Credential name comp01vc01-sfo01-credentials

User Name [email protected]

Password svc-vrops-password

d. Click Test Connection to validate the connection to vCenter Server.
The vCenter Server certificate appears.
e. In the Review and Accept Certificate dialog box, verify the certificate information and
click OK. Compare the subject name and thumbprint with the certificate installed on that
vCenter Server rather than accepting blindly: the adapter trusts the certificate you accept
here for all later collections.
f. Click OK in the Test Connection Info dialog box.
g. Click Manage Registrations to configure the registration credentials for connection to the
vCenter Servers.
h. Enter the following credentials:

Setting Value

User name [email protected]

Password vsphere_admin_password

i. Click Register to register with the vCenter Server.
j. Expand the Advanced Settings group of settings.
k. From the Collectors/Groups drop-down menu, select the SFO01 group.
l. Click Save Settings.
m. Repeat the steps for the other vCenter Server instance.
In the Manage Solution - VMware vSphere wizard, click Next.
In the Define monitoring goals page, under Enable vSphere Hardening Guide
Alerts? select Yes, leave the default configuration for the other options, and click Next.

On the Ready to complete page, click Finish.

On the Solutions page, select VMware vSphere from the solution table to view the collection
State and collection status.
The collection state indicates whether vRealize Operations Manager should be collecting data for
the object. The collection status value indicates whether vRealize Operations Manager is
receiving data for the object. An object has a status value only if its collection state is Collecting.
The Collection State column for the vCenter Adapters displays Collecting, and the
Collection Status column displays Data receiving.

3.4 Install the vRealize Operations Manager Management Pack for vRealize Log Insight
You install the vRealize Operations Manager Management Pack for vRealize Log Insight to examine
the log information about objects that you monitor by using the vRealize Operations Manager user
interface. You see the log events for the objects in the user interface of vRealize Log Insight.
Prerequisites
 Download the .pak file for the vRealize Operations Manager Management Pack for vRealize Log
Insight from VMware Solutions Exchange
 Verify that vRealize Operations Manager is deployed and its analytics cluster is started

 Verify that vRealize Log Insight is deployed


Procedure
Log in to vRealize Operations Manager.
a. Open a Web browser and go to https://vrops-cluster-01.rainpole.local.
b. Log in using the following credentials.

Setting Value

User name admin

Password vrops_admin_password

In the left pane of vRealize Operations Manager, click Administration, and click Solutions.
On the Solutions page, click the Add icon.

On the Select Solutions page from the Add Solution wizard, browse to the .pak file of the
vRealize Operations Manager Management Pack for vRealize Log Insight and click Upload.

After the upload is complete, click Next.

On the End User License Agreement page, accept the license agreement and click Next.
Installation of the management pack starts. You see the progress of the installation on the Install
page.
After the installation is complete, click Finish on the Install page.
The VMware vRealize Operations Management Pack for Log Insight solution appears on the
Solutions page of the vRealize Operations Manager user interface.

3.5 Connect vRealize Operations Manager to the NSX Managers in Region A
Install and configure the vRealize Operations Management Pack for NSX for vSphere to monitor the
NSX networking services deployed in each vSphere cluster and to view the ESXi hosts in the NSX
transport zones. The management pack also shows the end-to-end logical network topology between
any two virtual machines or NSX objects, and maps the physical hosts and network devices behind
that topology, which helps you isolate a problem to the logical or to the physical network.
Prerequisites
 Download the .pak file for the vRealize Operations Manager Management Pack for NSX for
vSphere from VMware Solutions Exchange.
 Verify that the vCenter Server instances for Region A are deployed.

 Verify that the NSX Manager is installed and configured for the management cluster, and for the
compute and edge clusters.
 Verify that vRealize Operations Manager is deployed and its analytics cluster is started.
 Verify that the remote collector nodes for Region A are deployed and grouped.
 Verify that vRealize Log Insight is deployed
 Verify that the management pack for vRealize Log Insight is installed in vRealize Operations
Manager.
Procedure
 Install the vRealize Operations Manager Management Pack for NSX for vSphere in Region A
 Add NSX-vSphere Adapter Instances to vRealize Operations Manager for Region A
 Add Network Devices Adapter to vRealize Operations Manager for Region A

3.5.1 Install the vRealize Operations Manager Management Pack for NSX for vSphere in Region A
Install the .pak file for the management pack for NSX for vSphere to add the management pack as a
solution to vRealize Operations Manager.
Procedure
Log in to vRealize Operations Manager.
a. Open a Web browser and go to https://vrops-cluster-01.rainpole.local.
b. Log in using the following credentials.

Setting Value

User name admin

Password vrops_admin_password

In the left pane of vRealize Operations Manager, click Administration and click Solutions.
On the Solutions page, click the Add icon.
On the Select Solutions page from the Add Solution wizard, browse to the .pak file of the
vRealize Operations Manager Management Pack for NSX for vSphere and click Upload.
After the NSX management pack file has been uploaded, you see details about the management
pack.

After the upload is complete, click Next.


In the confirmation dialog box, click Yes to confirm that you want to install an unsigned solution
for vRealize Operations Manager. Because the .pak file carries no signature that vRealize
Operations Manager can verify, make sure the file you upload is the one you downloaded from
VMware Solutions Exchange over HTTPS and has not been altered on the way, for example by
comparing its checksum with the value you recorded at download time.
On the End User License Agreement page, accept the license agreement and click Next.
The installation of the management pack starts. You see its progress on the Install page.

After the installation is complete, click Finish on the Install page.

You see the Management Pack for NSX-vSphere solution on the Solutions page of the vRealize
Operations Manager user interface.

3.5.2 Add NSX-vSphere Adapter Instances to vRealize Operations Manager for Region A
After you install the management pack, configure NSX-vSphere Adapters: one for the NSX Manager
for the management cluster and one for the NSX Manager for the compute and edge clusters.
Procedure
Log in to vRealize Operations Manager.
a. Open a Web browser and go to https://vrops-cluster-01.rainpole.local.
b. Log in using the following credentials.

Setting Value

User name admin

Password vrops_admin_password

In the left pane of vRealize Operations Manager, click Administration, and click Solutions.
On the Solutions page, select the Management Pack for NSX-vSphere from the solution table,
and click Configure.

In Manage Solution - Management Pack for NSX-vSphere dialog box, from the Adapter Type
table at the top, select NSX-vSphere Adapter.
Empty settings for the NSX-vSphere Adapter appear under Instance Settings if vRealize
Operations Manager does not have NSX-vSphere Adapters configured.
Under Instance Settings, enter the settings for connection to the NSX Manager for the
management cluster or to the NSX Manager for the compute and edge clusters.
a. If you already have added another NSX-vSphere Adapter, click the Add icon to add an
adapter setting.
b. Enter the name, description, the FQDN of NSX Manager and the FQDN of the vCenter Server
that is connected to the NSX Manager.
The Enable Log Insight integration if configured setting turns on automatic forwarding of NSX
for vSphere log data to vRealize Log Insight.

Management NSX for vSphere Setting Value

Name Mgmt NSX Adapter - SFO01

Description -

NSX Manager Host mgmt01nsxm01.sfo01.rainpole.local

VC Host mgmt01vc01.sfo01.rainpole.local

Enable Log Insight integration if configured true

Compute/Edge NSX for vSphere Setting Value

Name Comp NSX Adapter - SFO01

Description -

NSX Manager Host comp01nsxm01.sfo01.rainpole.local

VC Host comp01vc01.sfo01.rainpole.local

Enable Log Insight integration if configured true

c. Click the Add icon and configure the credentials for the connection to NSX Manager and
vCenter Server, and click OK.

Management NSX for vSphere and vCenter Server Credential Value

Credential name Credentials to Management vCenter Server and NSX Manager

NSX Manager User Name admin

NSX Manager Password mgmt_nsx_manager_password

vCenter User Name [email protected]

vCenter Password svc-vrops-password

Compute/Edge NSX for vSphere and vCenter Server Credential Value

Credential name Credentials to Compute/Edge vCenter Server and NSX Manager

NSX Manager User Name admin

NSX Manager Password comp_nsx_manager_password

vCenter User Name [email protected]

vCenter Password svc-vrops-password

d. Click Test Connection to validate the connection to the Management NSX Manager or
Compute NSX Manager. The NSX Manager certificate appears.
e. In the Review and Accept Certificate dialog box, verify the NSX certificate information and
click OK.
f. Click OK in the test connection dialog box.
g. Expand the Advanced Settings section of settings, and from the Collectors/Groups drop-
down menu, select the SFO01 group.
h. Click Save Settings and click OK in the information box that appears.
i. Repeat the steps to create an NSX-vSphere Adapter for the second NSX Manager.
In the Manage Solution - Management Pack for NSX-vSphere dialog box, click Close.
The two NSX-vSphere Adapters are available on the Solutions page of the vRealize Operations
Manager user interface. The Collection State of the adapters is Collecting and
the Collection Status is Data receiving.

3.5.3 Add Network Devices Adapter to vRealize Operations Manager for Region A
Configure a Network Devices Adapter to monitor the switches and routers in your environment, and
view related alerts, metrics and object capacity.
Prerequisites
 To monitor network devices, SNMP must be enabled in your network environment.
 For complete monitoring of your environment, Link Layer Discovery Protocol (LLDP) or Cisco
Discovery Protocol (CDP) must also be enabled on each network device.
Procedure
Log in to vRealize Operations Manager.
a. Open a Web browser and go to https://vrops-cluster-01.rainpole.local.
b. Log in using the following credentials.

Setting Value

User name admin

Password vrops_admin_password

In the left pane of vRealize Operations Manager, click Administration and click Solutions.
On the Solutions page, select the Management Pack for NSX-vSphere from the solution table,
and click Configure.

In Manage Solution - Management Pack for NSX-vSphere dialog box, from the Adapter Type
table at the top, select Network Devices Adapter.
Under Instance Settings, enter the settings for the SNMP connection to the network devices of
the management cluster.
a. Enter the name, description, SNMP version and credentials.

Setting Value

Name Mgmt Network Devices Adapter - SFO01

Description -

SNMP Ports 161

SNMP Version SNMPv2

SNMPv3 Authentication Protocol MD5

SNMPv3 Privacy Protocol AES

The SNMPv3 authentication and privacy protocols apply only when SNMP Version is set to
SNMPv3; with SNMPv2 selected they are not used.
b. Click the Add icon, configure the credentials for the connection to the network devices, and
click OK.

Credentials Value

Credential Kind SNMPv1, SNMPv2 Credential

Credential Name Network Devices Credentials

SNMP Read Community Strings public

 For SNMPv1 and SNMPv2 devices, enter a comma-separated list of community names (the
default is public).
 For SNMPv3 devices, provide SNMPv3 credentials in addition to the settings for SNMPv1 and
SNMPv2.

The community string is the only authentication that SNMPv1 and SNMPv2c provide, and every
request carries it in cleartext, so treat it as a password. public is the vendor default on many
devices and the first value anyone probing the management network will try. Enter the read-only
community actually configured on your switches and routers, or use SNMPv3 with the
authentication and privacy protocols above so that collection traffic is authenticated and
encrypted.

c. Click Test Connection to verify the settings, and if the test is successful click the OK button.
d. Expand the Advanced Settings section of settings, and from the Collectors/Groups drop-
down menu, select the SFO01 group.
e. Click Save Settings and click OK in the information box that appears.
In the Manage Solution - Management Pack for NSX-vSphere dialog box, click Close.
The Network Devices Adapter appears on the Solutions page of the vRealize Operations
Manager user interface. The adapter is collecting data about the network devices in Region A of
the SDDC. The Collection State of the adapter is Collecting and the Collection Status is
Data receiving.

3.6 Connect vRealize Operations Manager to vRealize Automation in Region A
Install and configure the vRealize Operations Manager Management Pack for vRealize Automation to
monitor the health and capacity risk of your cloud infrastructure in the context of the tenant's business
groups.
Prerequisites
 Download the .pak file for the vRealize Operations Manager Management Pack for vRealize
Automation from VMware Solutions Exchange.
 Verify that vRealize Operations Manager is deployed and its analytics cluster is started.
 Verify that vRealize Automation is deployed.
Procedure
 Install the vRealize Operations Manager Management Pack for vRealize Automation in Region A
 Add vRealize Automation Adapter to vRealize Operations Manager for Region A

3.6.1 Install the vRealize Operations Manager Management Pack for vRealize Automation in Region A
Install the .pak file for vRealize Operations Manager Management Pack for vRealize Automation so it
becomes a solution in vRealize Operations Manager.
Procedure
Log in to vRealize Operations Manager.
a. Open a Web browser and go to https://vrops-cluster-01.rainpole.local.
b. Log in using the following credentials.

Setting Value

User name admin

Password vrops_admin_password

In the left pane of vRealize Operations Manager, click Administration and click Solutions.
On the Solutions page, click the Add icon.
On the Select Solution page of the Add Solution wizard, browse to the .pak file of the vRealize
Operations Manager Management Pack for vRealize Automation, and click Upload.
After the vRealize Automation management pack file has been uploaded, you see details about
the management pack.

After the upload finishes, click Next.


In the confirmation dialog box, click Yes to confirm that you want to install an unsigned solution
for vRealize Operations Manager.
On the End User License Agreement page, accept the license agreement and click Next.
The installation of the management pack starts. You see its progress on the Install page.
After the installation finishes, click Finish on the Install page.

The vRealize Automation Management Pack solution appears on the Solutions page of the
vRealize Operations Manager user interface.

3.6.2 Add vRealize Automation Adapter to vRealize Operations Manager for Region A
After you install the management pack, configure a vRealize Automation adapter to collect monitoring
data from vRealize Automation.
Procedure
Log in to vRealize Operations Manager.
a. Open a Web browser and go to https://vrops-cluster-01.rainpole.local.
b. Log in using the following credentials.

Setting Value

User name admin

Password vrops_admin_password

In the left pane of vRealize Operations Manager, click Administration and click Solutions.
From the solution table on the Solutions page, select the vRealize Automation Management
Pack solution and click Configure.

In Manage Solution - vRealize Automation Management Pack dialog box, from the Adapter
Type table at the top, select vRealize Automation MP.
Under Instance Settings, enter the settings for connection to vRealize Automation.

a. Enter the name, FQDN of vRealize Automation front-end portal and Tenants.

Setting Value

Name vRealize Automation Adapter

Description -

vRealize Automation Appliance URL https://vra01svr01.rainpole.local

Tenants rainpole

b. Click the Add icon, and configure the credentials for connection to vRealize Automation. Click
OK.

Credential Value

Credential name Credentials-vRA-Adapter

SysAdmin User Name [email protected]

SysAdmin Password vsphere_admin_password

SuperUser User Name [email protected]

SuperUser Password vra_tenant_admin_password

c. Click Test Connection to validate the connection to vRealize Automation.


d. In the Review and Accept Certificate dialog box, verify the vRealize Automation certificate
information and click OK.
e. Click OK in the Test Connection dialog box.
f. Expand the Advanced Settings group of settings, and verify that the Collectors/Groups
option is set to Default Collector Group and the Autodiscovery is set to True.
g. Click Save Settings and click Yes in the information box that appears.
In the Manage Solution - vRealize Automation Management Pack dialog box, click Close.
The vRealize Automation MP adapter appears on the Solutions page of the vRealize Operations
Manager user interface. The Collection State of the adapter is Collecting and the Collection
Status is Data receiving.

3.7 Enable Storage Device Monitoring in vRealize Operations Manager in Region A
Install and configure the vRealize Operations Management Pack for Storage Devices to view the
storage topology, and to monitor the capacity and problems on storage components.
 Install the vRealize Operations Manager Management Pack for Storage Devices in Region A
 Add Storage Devices Adapters in vRealize Operations Manager for Region A

3.7.1 Install the vRealize Operations Manager Management Pack for Storage Devices in Region A
Install the .pak file of the management pack for storage devices to add the management pack as a
solution to vRealize Operations Manager.
Prerequisites
 Download the .pak file for the vRealize Operations Manager Management Pack for Storage
Devices from VMware Solutions Exchange.
 Verify that vRealize Operations Manager is deployed and its analytics cluster is started.
 Verify that the remote collector nodes for Region A are deployed and grouped.
Procedure
Log in to vRealize Operations Manager.
a. Open a Web browser and go to https://vrops-cluster-01.rainpole.local.
b. Log in using the following credentials.

Setting Value

User name admin

Password vrops_admin_password

In the left pane of vRealize Operations Manager, click Administration and click Solutions.
On Solutions page, click the Add icon.
On the Select Solution page from the Add Solution wizard, browse to the .pak file of the
vRealize Operations Manager Management Pack for Storage Devices and click Upload.
After the file of the management pack for storage devices has been uploaded, you see details
about the management pack.

After the upload is complete, click Next.

In the confirmation dialog box, click Yes to confirm that you want to install an unsigned solution
for vRealize Operations Manager.
On the End User License Agreement page, accept the license agreement and click Next.
The installation of the management pack starts. You see its progress on the Install page.
After the installation is complete, click Finish on the Install page.

The Management Pack for Storage Devices solution appears on the Solutions page of the
vRealize Operations Manager user interface.

3.7.2 Add Storage Devices Adapters in vRealize Operations Manager for Region A
After you install the management pack, configure a Storage Devices adapter for each vCenter
Server instance to collect monitoring data about the storage devices in the SDDC.
Procedure
Log in to vRealize Operations Manager.
a. Open a Web browser and go to https://vrops-cluster-01.rainpole.local.

b. Log in using the following credentials.

Setting Value

User name admin

Password vrops_admin_password

In the left pane of vRealize Operations Manager, click Administration, then click Solutions.
On the Solutions page, select the Management Pack for Storage Devices from the solution table
and click Configure.

In the Manage Solution - Management Pack for Storage Devices dialog box, from the Adapter
Type table at the top, select Storage Devices.
Under Instance Settings, enter the settings for connection to the Management vCenter Server or
to the Compute vCenter Server.
a. Enter the name, description, and FQDN of the vCenter Server instance.

Management Setting Value

Name Storage MP SFO MGMT

Description Connection to SFO Management vCenter

vCenter Server mgmt01vc01.sfo01.rainpole.local

SNMP Community Strings -

Compute Setting Value

Name Storage MP SFO Compute

Description Connection to SFO Compute vCenter

vCenter Server comp01vc01.sfo01.rainpole.local

SNMP Community Strings -

b. Click the Add icon, and configure the credentials for connection to the vCenter Server, and
click OK.

Credential Value

Credential name Credential-StorageMP

User Name [email protected]

Password vsphere_admin_password

Unlike the vCenter Adapter in 3.3.2, this adapter is configured here with the vCenter Single
Sign-On administrator credentials rather than the read-only svc-vrops account. If your policy does
not allow a collection adapter to hold that account, use a dedicated account granted only the
vCenter privileges listed in the documentation of the Management Pack for Storage Devices.

c. Click Test Connection to validate the connection to the Management vCenter Server or the
Compute vCenter Server, and click OK.
d. In the Review and Accept Certificate dialog box, verify the vCenter Server certificate
information and click OK.
e. Expand the Advanced Settings section of settings, and from the Collectors/Groups drop-
down menu, select the SFO01 remote collector group.

f. Click Save Settings and click OK in the information box that appears.
In the Manage Solution - Management Pack for Storage Devices dialog box, click Close.
The Storage Devices adapters appear on the Solutions page of the vRealize Operations
Manager user interface. The Collection State of the adapters is Collecting and
the Collection Status is Data receiving.

3.8 Configure User Access in vRealize Operations Manager in Region A
After you deploy vRealize Operations Manager, add the users from the Active Directory and configure
their monitoring roles.
 Add an Authentication Source for the Active Directory
 Assign Monitoring Roles to Groups in the Active Directory
 Assign Monitoring Roles to Users in the Active Directory

3.8.1 Add an Authentication Source for the Active Directory


Connect vRealize Operations Manager to the Active Directory of the SDDC for central user
management and access control.
Procedure
Log in to vRealize Operations Manager.
a. Open a Web browser and go to https://vrops-cluster-01.rainpole.local.
b. Log in using the following credentials.

Setting Value

User name admin

Password vrops_admin_password

In the left pane of vRealize Operations Manager, click Administration and click Authentication
Sources.
In the Authentication Sources page, click the Add icon.

In the Add Source for User and Group Import dialog box, enter the settings for the
RAINPOLE.LOCAL and SFO01.RAINPOLE.LOCAL Active Directory domains.

Active Directory Setting RAINPOLE.LOCAL Value SFO01.RAINPOLE.LOCAL Value

Source Display Name RAINPOLE.LOCAL SFO01.RAINPOLE.LOCAL

Source Type Active Directory Active Directory

Integration Mode Basic Basic

Domain/Subdomain RAINPOLE.LOCAL SFO01.RAINPOLE.LOCAL

Use SSL/TLS Deselected Deselected

User Name svc-vrops svc-vrops

Password svc-vrops_password svc-vrops_password

Settings under the Details section

Automatically synchronize user membership for configured groups Selected Selected

Host dc01rpl.rainpole.local dc01sfo.sfo01.rainpole.local

Base DN dc=RAINPOLE,dc=LOCAL dc=SFO01,dc=RAINPOLE,dc=LOCAL

Common Name userPrincipalName userPrincipalName

With Use SSL/TLS deselected, vRealize Operations Manager binds to the domain controller over
unencrypted LDAP, so the svc-vrops password, and the password of every user who later logs in
through this source, crosses the management network in cleartext. Select Use SSL/TLS if the
domain controllers present a certificate that the vRealize Operations Manager nodes can validate.

Click Test to test the connection to the domain controller, and click OK in the Info success
message.
In the Add Source for User and Group Import dialog box, click OK.
The two Active Directory sources are available.

3.8.2 Assign Monitoring Roles to Groups in the Active Directory


After you register the Active Directory domain as an authentication source in vRealize Operations
Manager, import the user groups that are going to monitor the SDDC and configure the access of the
group members to monitoring data.
Members of the vCAdmins group monitor the operation of the vCenter Server instances and have
read-only access to vRealize Operations Manager data.
Procedure
Log in to vRealize Operations Manager.
a. Open a Web browser and go to https://vrops-cluster-01.rainpole.local.
b. Log in using the following credentials.

Setting Value

User name admin

Password vrops_admin_password

In the left pane of vRealize Operations Manager, click Administration and click Access Control.
On the Access Control page, click the User Groups tab.

Click the Import Groups icon.


On the Import User Groups page, import the vCAdmins group.
a. From the Import From drop-down menu, select RAINPOLE.LOCAL.
b. Select the Basic option for the search query.
c. In the Search String text box, enter vcadmin and click Search.
The search results contain the vCAdmins group.
d. In the search result, select the vCAdmins entry.
e. Click Next.

On the Roles and Objects page, assign the ReadOnly role to the vCAdmins user group.
a. From the Select Role drop-down menu, select ReadOnly.
b. Click Assign this role to the group.

Select Allow access to all objects in the system to configure read-only access of the
vCAdmins user group on all objects.

Click Finish.

3.8.3 Assign Monitoring Roles to Users in the Active Directory


After you register the Active Directory domain as an authentication source in vRealize Operations
Manager, import the users and groups that are going to monitor the SDDC and configure their access
to monitoring data.
Procedure
Log in to vRealize Operations Manager.


a. Open a Web browser and go to https://vrops-cluster-01.rainpole.local.


b. Log in using the following credentials.

Setting Value

User name admin

Password vrops_admin_password

In the left pane of vRealize Operations Manager, click Administration and click Access Control.
On the Access Control page, click the User Accounts tab.
Click the Import Users icon.
On the Import Users page, import the vROps-Admin user.
a. From the Import From drop-down menu, select SFO01.RAINPOLE.LOCAL.
b. Select the Basic option for the search query.
c. In the Search String text box, enter vrops and click Search.
The search results contain the [email protected] user.
d. In the search result, select the [email protected] entry.
e. Click Next.

In the Assign Groups and Permissions page, assign the ContentAdmin role to the [email protected] user.
a. Click the Objects tab.
b. Select the ContentAdmin item from the Select Role drop-down menu.
c. Select Assign this role to the user.
d. Select Allow access to all objects in the system.


Click Finish.

3.9 Configure E-Mail Alerts in vRealize Operations Manager


You configure e-mail notifications in vRealize Operations Manager so that users and applications
receive the administrative alerts from vRealize Operations Manager about certain situations in the
data center.
Prerequisites
 Verify that you have access to an SMTP server.
Procedure
Log in to vRealize Operations Manager.
a. Open a Web browser and go to https://vrops-cluster-01.rainpole.local.
b. Log in using the following credentials.

Setting Value

User name admin

Password vrops_admin_password

In the left pane of vRealize Operations Manager, click Administration and click Outbound Alert
Settings.
On the Outbound Alert Settings page, click the Add icon to create an outbound alert instance.


In the Add/Edit Outbound Alert Instance dialog box, configure the settings for the Standard
Email Plug-in, and click OK.

Alert Instance Setting Value

Plugin Type Standard Email Plugin

Instance Name Rainpole Alert Mail Relay

Use Secure Connection Checked

SMTP Host FQDN of the mail server

SMTP Port Server port for SMTP requests. The SMTP service application usually listens on TCP port 25 for incoming requests.

Secure Connection Type TLS

Sender Email Address [email protected]

Sender Name vRealize Operations Admin


Click the Test button to verify the connection with the SMTP server.
After the verification completes, click Save.


4. vRealize Log Insight Implementation in Region A


Deploy vRealize Log Insight in a cluster configuration of 3 nodes with an integrated load balancer:
one master and two worker nodes.
 Deploy vRealize Log Insight in Region A
 Install a CA-Signed Certificate on vRealize Log Insight in Region A
 Connect vRealize Log Insight to the vSphere Environment in Region A
 Install the vRealize Log Insight Content Pack for Virtual SAN in Region A
 Enable the vRealize Log Insight Integration with vRealize Operations Manager for Region A
 Connect vRealize Log Insight to vRealize Operations Manager in Region A
 Connect vRealize Log Insight to the NSX Instances in Region A
 Connect vRealize Log Insight to vRealize Automation in Region A
 Configure Log Retention and Archiving in Region A

4.1 Deploy vRealize Log Insight in Region A


Start the deployment of vRealize Log Insight in Region A by deploying the master and worker nodes
and forming the vRealize Log Insight cluster.
 Prerequisites for Deploying vRealize Log Insight in Region A
 Deploy the Virtual Appliance for Each Node in the vRealize Log Insight Cluster in Region A
 Configure a DRS Anti-Affinity Rule for vRealize Log Insight in Region A
 Start the vRealize Log Insight Instance in Region A
 Join the Worker Nodes to vRealize Log Insight in Region A
 Enable the Integrated Load Balancer of vRealize Log Insight in Region A
 Join vRealize Log Insight to the Active Directory in Region A

4.1.1 Prerequisites for Deploying vRealize Log Insight in Region A


Before you deploy vRealize Log Insight, verify that your environment satisfies the requirements for
this deployment.
IP Addresses and Host Names
Verify that static IP addresses and FQDNs for the vRealize Log Insight are available in the application
virtual network for Region A.
For the application virtual network, allocate 3 static IP addresses for the vRealize Log Insight nodes
and one IP address for the integrated load balancer. Map host names to the IP addresses.

Note Region A must be routable via the vSphere management network.

Table 9. IP Addresses and Host Name for the Analytics Cluster in Region A

Role IP Address FQDN

Integrated load balancer VIP address 192.168.31.10 vrli-cluster-01.sfo01.rainpole.local

Master node 192.168.31.11 vrli-mstr-01.sfo01.rainpole.local

Worker node 1 192.168.31.12 vrli-wrkr-01.sfo01.rainpole.local

Worker node 2 192.168.31.13 vrli-wrkr-02.sfo01.rainpole.local

Default gateway 192.168.31.1 -

DNS server 172.16.11.5 -

Subnet mask 255.255.255.0 -

NTP servers 172.16.11.251, 172.16.11.252 ntp.sfo01.rainpole.local
172.17.11.251, 172.17.11.252 ntp.lax01.rainpole.local

Deployment Prerequisites

Prerequisite Value

Storage  Virtual disk provisioning: Thin
 Required storage per node
o Initial storage for node deployment: 270 GB
o Additional storage: 190 GB

Software Features  vSphere
o Management vCenter Server
o Client Integration Plugin on the machine where you use the vSphere Web Client
o Management cluster with DRS and HA enabled
 NSX for vSphere
o Application virtual network for the 3-node vRealize Log Insight cluster

Installation Package Download the .ova file of the vRealize Log Insight virtual appliance on
the machine where you use the vSphere Web Client.

License Obtain a license that covers the use of vRealize Log Insight.

Active Directory Verify that you have parent and child Active Directory domain controllers
configured with the role-specific SDDC users and groups for the rainpole.local domain.

Certification Authority Configure the Active Directory domain controller as a certificate authority
for the environment.

E-mail account Provide an email account to send vRealize Log Insight notifications from.


4.1.2 Deploy the Virtual Appliance for Each Node in the vRealize Log Insight Cluster in Region A
Use the vSphere Web Client to deploy each vRealize Log Insight node as a virtual appliance on the
management cluster in Region A.
Procedure
Log in to vCenter Server by using the vSphere Web Client.
a. Open a Web browser and go to https://mgmt01vc01.sfo01.rainpole.local/vsphere-client.
b. Log in using the following credentials.

Setting Value

User name [email protected]

Password vsphere_admin_password

Navigate to the mgmt01vc01.sfo01.rainpole.local vCenter Server object.


Right-click mgmt01vc01.sfo01.rainpole.local and select Deploy OVF Template.
On the Select source page, select Local file, click Browse and browse to the location of the
vRealize Log Insight .ova file on your local file system, and click Next.

On the Review details page, examine the virtual appliance details, such as product, version,
download size, and disk size, and click Next.


On the Accept License Agreements page, accept the end user license agreements and
click Next.
On the Select name and folder page make the following selections, and click Next.
a. Enter a name for the node according to its role.

Name Role

vrli-mstr-01 Master node

vrli-wrkr-01 Worker node 1

vrli-wrkr-02 Worker node 2

b. Select the inventory folder for the virtual appliance.

Setting Value

vCenter Server mgmt01vc01.sfo01.rainpole.local

Data center SFO01

Folder vRLI01


On the Select configuration page, from the Configuration drop-down menu, select
the Medium deployment configuration, and click Next.

On the Setup a resource page, select the SFO01-Mgmt01 management cluster as the resource
to run the virtual appliance on, and click Next.


On the Select storage page, select the datastore.


By default, the virtual appliance disk is thin provisioned.
a. From the VM Storage Policy drop-down menu, select Virtual SAN Default Storage Policy.
b. From the datastore table, select the SFO01A-VSAN01-MGMT01 Virtual SAN datastore and
click Next.
On the Setup networks page, select the distributed port group on the vDS-Mgmt distributed
switch that ends with Mgmt-RegionA01-VXLAN, and click Next.
NSX for vSphere creates the distributed port group for the logical switch that connects the
vRealize Log Insight nodes and generates the port group name. The name of the port group
contains the segment ID and the logical switch name Mgmt-RegionA01-VXLAN.
On the Customize template page, set networking settings and the root user credentials for the
virtual appliance.
a. In the Networking Properties section, configure the following networking settings:

Property Value

Host name vrli-mstr-01.sfo01.rainpole.local for the master node
vrli-wrkr-01.sfo01.rainpole.local for the worker node 1
vrli-wrkr-02.sfo01.rainpole.local for the worker node 2

Default gateway 192.168.31.1

DNS server 172.16.11.5

Static IPv4 address 192.168.31.11 for the master node
192.168.31.12 for the worker node 1
192.168.31.13 for the worker node 2

Subnet mask 255.255.255.0


b. In the Other Properties section, enter and confirm a password for the root user.
The password must contain at least 8 characters, and must include:
 one uppercase character
 one lowercase character
 one digit
 one special character
Use this password when you log in to the console of the vRealize Log Insight virtual
appliance.
c. Click Next.

On the Ready to complete page, click Finish.


The deployment of the virtual appliance is in progress.
After the virtual appliance is deployed, expand the data disk of the virtual appliance to collect and
store data from a large number of virtual machines.
a. In the vSphere Web Client navigate to the virtual appliance object.
b. Right-click the virtual appliance object and select Edit Settings.
c. In the Edit Settings dialog box, from the New device drop-down menu at the bottom, select
New Hard Disk and click Add.
d. In the text box next to the New Hard disk label, enter 190 GB for the size, and click OK.


Right-click the virtual appliance object and select the Power > Power On menu item.
During the power-on process, the virtual appliance expands the vRealize Log Insight Manager
logs partition.
Repeat the steps to deploy the vRealize Log Insight virtual appliance for the next node in the
cluster.

4.1.3 Configure a DRS Anti-Affinity Rule for vRealize Log Insight in Region A
To protect the vRealize Log Insight cluster from a host-level failure, configure vSphere DRS to run the
worker virtual appliances on different hosts in the management cluster.
Procedure
Log in to vCenter Server by using the vSphere Web Client.
a. In a browser, go to https://mgmt01vc01.sfo01.rainpole.local/vsphere-client.
b. Log in using the following credentials.

Setting Value

User name [email protected]

Password vsphere_admin_password

Navigate to the mgmt01vc01.sfo01.rainpole.local vCenter Server object, and under the SFO01
data center object select the SFO01-Mgmt01 cluster.
On the Manage tab, click the Settings tab.
Under the Configuration group of settings, select VM/Host Rules.


In the VM/Host Rules list, click the Add button above the rules list and add a new anti-affinity rule
called vrli-antiaffinity-rule for the vrli-mstr-01, vrli-wrkr-01 and vrli-wrkr-02 virtual
machines, and click OK.

Setting Value

Name vrli-antiaffinity-rule

Enable rule Yes

Type Separate Virtual Machines

Members vrli-mstr-01
vrli-wrkr-01
vrli-wrkr-02

4.1.4 Start the vRealize Log Insight Instance in Region A


Configure and start the vRealize Log Insight master node. To form a cluster by adding the worker
nodes, vRealize Log Insight must be running.


Procedure
Open a Web browser and go to https://vrli-mstr-01.sfo01.rainpole.local.
The initial configuration wizard opens.
On the Setup page, click Next.

On the Choose Deployment Type page, click Start New Deployment.

After the deployment is launched, on the Admin Credentials page, set the email address and the
password of the admin user, and click Save and Continue.
The password must contain at least 8 characters, and contain one uppercase character, one
lowercase character, one number, and one special character.


On the License page, enter the license key, click Add New License Key, and click Continue.

On the General Configuration page, enter the email addresses that are to receive system notifications
from vRealize Log Insight, and click Save and Continue.

Setting Value

Email System Notifications to email_address_to_receive_system_notifications

Send HTTP Post System Notifications To https://vrli-cluster-01.sfo01.rainpole.local


On the Time Configuration page, enter the following settings and click Save and Continue.

Setting Value

Sync Server Time With NTP Server (recommended)

NTP Servers ntp.sfo01.rainpole.local, ntp.lax01.rainpole.local

On the SMTP Configuration page, specify the properties of an SMTP server to enable outgoing
alerts and system notification emails, and to test the email notification.
a. Set the connection setting for the SMTP server that will send the email messages from
vRealize Log Insight. Contact your system administrator for details about the email server.


SMTP Option Description

SMTP Server FQDN of the SMTP server

Port Server port for SMTP requests

SSL (SMTPS) transport option Sets whether encryption is enabled for the SMTP connection.

STARTTLS Encryption Enable or disable the STARTTLS encryption.

Sender Address that appears as the sender of the email.

Username User name on the SMTP server.

Password Password for the SMTP server you specified in Username.

b. To verify that the SMTP configuration is correct, type a valid email address and click
Send Test Email.
vRealize Log Insight sends a test email to the address that you provided.


On the Setup Complete page, click Finish.


vRealize Log Insight starts operating in standalone mode.

4.1.5 Join the Worker Nodes to vRealize Log Insight in Region A


After you deploy the virtual appliances for vRealize Log Insight and start the vRealize Log Insight
instance on the master node, join the two worker nodes to form a cluster.
Procedure
For each worker node appliance, go to the initial setup UI in your Web browser.

Worker Node HTTP URL

Worker node 1 https://vrli-wrkr-01.sfo01.rainpole.local

Worker node 2 https://vrli-wrkr-02.sfo01.rainpole.local

The initial configuration wizard opens.

On the Choose Deployment Type page, click Join Existing Deployment.


On the Join Existing Deployment page, enter the master node FQDN vrli-mstr-01.sfo01.rainpole.local and click Go.

The worker node sends a request to the vRealize Log Insight master node to join the existing
deployment.
After the worker node contacts the master node, click the Click here to access the
Cluster Management page link.

The login page of the vRealize Log Insight user interface opens.
Log in to the vRealize Log Insight UI by using the following credentials.

Setting Value

User name admin

Password vrli_admin_password

The Cluster page opens in the Log Insight user interface.


On the right of the notification message about adding the worker node, click Allow.


After you join the first worker node to the cluster, the user interface displays a warning message
that another worker node must be added.

Repeat the steps to join the second worker node to the cluster.
After you add the second worker node, the Cluster page of the vRealize Log Insight UI contains
the master and worker nodes as components of the cluster.

4.1.6 Enable the Integrated Load Balancer of vRealize Log Insight in Region A
After you join the master and the worker nodes to create a vRealize Log Insight cluster, enable the
Integrated Load Balancer (ILB) for balancing incoming ingestion traffic of syslog data among the Log
Insight nodes and for high availability.
Procedure
Log in to the vRealize Log Insight UI.
a. Open a Web browser and go to https://vrli-mstr-01.sfo01.rainpole.local.
b. Log in using the following credentials.

Setting Value

User name admin

Password vrli_admin_password

Click the configuration drop-down menu icon and select Administration.


Under Management, click Cluster.
Under Integrated Load Balancer, click New Virtual IP Address.


In the New Virtual IP dialog box, enter the following settings and click Save.

Setting Value

IP 192.168.31.10

FQDN vrli-cluster-01.sfo01.rainpole.local

4.1.7 Join vRealize Log Insight to the Active Directory


To use user roles in vRealize Log Insight that are maintained centrally and are in line with the other
solutions in the SDDC, join vRealize Log Insight to the Active Directory (AD) domain.
Procedure
Log in to the vRealize Log Insight UI.
a. Open a Web browser and go to https://vrli-mstr-01.sfo01.rainpole.local/admin/auth.
b. Log in using the following credentials.


Setting Value

User name admin

Password vrli_admin_password

After you log in, the Authentication page opens.

On the Authentication page, enable the support for Active Directory and configure the settings
for connection to the Active Directory domain controller.
a. Configure the Active Directory connection settings according to the details from your IT
administrator.

Setting Value

Enable Active Directory support Yes

Default Domain RAINPOLE.LOCAL

User Name svc-loginsight

Password svc_loginsight_password

Connection Type Standard

Require SSL Yes or No according to the instructions from the IT administrator

b. Click Test Connection to verify the connection, and click Save.


4.2 Install a CA-Signed Certificate on vRealize Log Insight in Region A
vRealize Log Insight comes with a default self-signed certificate that is generated and signed at
installation time. After you start vRealize Log Insight in Region A, install a CA-signed certificate to
secure the communication of vRealize Log Insight.
vRealize Log Insight uses a certificate for the following communication:
 Connection to the vRealize Log Insight UI
 SSL syslog transfers
 Communication from the Log Insight agents through the Ingestion API
vRealize Log Insight accepts only PEM encoded certificates that include the complete certification
chain. The private key must not be encrypted by a pass phrase.
 Generate a CA-Signed SSL Certificate for vRealize Log Insight in Region A
 Upload the CA-Signed Certificate to vRealize Log Insight in Region A

4.2.1 Generate a CA-Signed SSL Certificate for vRealize Log Insight in Region A
To create a CA-signed certificate for vRealize Log Insight, generate a certificate signing request
(CSR) on the Linux appliance for the master node and use the root Windows AD domain controller
to sign the certificate.
Procedure
On your computer, create a configuration file for OpenSSL certificate request generation,
called vrli-sfo.cfg. Because all nodes in the cluster share the same certificate, the Subject
Alternative Name field, subjectAltName, of the uploaded certificate must contain the IP
addresses and FQDNs of all nodes and of the load balancer. For common name, use the full
domain name of the integrated load balancer.
[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:vrli-cluster-01, IP:192.168.31.10, DNS:vrli-cluster-01.sfo01.rainpole.local, DNS:vrli-mstr-01.sfo01.rainpole.local, DNS:vrli-mstr-01, DNS:vrli-wrkr-01.sfo01.rainpole.local, DNS:vrli-wrkr-01, DNS:vrli-wrkr-02.sfo01.rainpole.local, DNS:vrli-wrkr-02
[ req_distinguished_name ]
countryName = US
stateOrProvinceName = CA
localityName = Palo Alto
organizationName = Rainpole Inc.
organizationalUnitName = rainpole.local
commonName = vrli-cluster-01.sfo01.rainpole.local


Log in to the vrli-mstr-01.sfo01.rainpole.local over SSH with the root user name
and vrli_master_root_password password.
Create a sub-directory called vrli in the root home directory and navigate to it.
mkdir /root/vrli
cd /root/vrli

From the /root/vrli folder, generate an RSA private key that is 2048 bits long, and save it as
a vrli.key file.
openssl genrsa -out vrli.key 2048

Copy the vrli-sfo.cfg to the /root/vrli folder on the master node virtual appliance.
You can use scp, FileZilla or WinSCP.
Use the vrli.key private key and the vrli-sfo.cfg configuration file to create a CSR and
save it as a vrli.pem file to the /root/vrli folder.
openssl req -new -key vrli.key -out vrli.pem -config vrli-sfo.cfg
The /root/vrli folder contains the vrli-sfo.cfg, vrli.key and vrli.pem files.
Submit the CSR to the Windows domain controller CA.
a. Run the following console command.
cat vrli.pem
b. Copy the output from -----BEGIN CERTIFICATE REQUEST----- to -----END CERTIFICATE
REQUEST----- inclusive.


c. In a Web browser, log in to http://dc01rpl.rainpole.local/certsrv/certrqxt.asp with the
administrator user name and ad_admin_password password.
d. Paste the request in the Saved Request text box, select VMware from the Certificate
Template drop-down menu, and click Submit.


On the Certificate Issued page, download the signed server certificate as a vrli.cer file in
Base 64 encoding.
If the save as dialog does not appear, the signed certificate is saved as certnew.cer in your
downloads folder. Rename the file to vrli.cer.

Download the root CA certificate.


a. In a Web browser, go to http://dc01rpl.rainpole.local/certsrv/certcarc.asp and log in with the
administrator user name and ad_admin_password password.
b. Select Base 64, click Download CA Certificate, and save the certificate as rootca.cer on
your computer. If the save as dialog does not appear, the CA certificate is saved
as rootca.cer in your downloads folder.


Copy the vrli.cer and rootca.cer certificate files to the /root/vrli folder on the master
virtual appliance. You can use scp, FileZilla or WinSCP.
In the SSH console to the master node, create a vrli-chain.pem file in
the /root/vrli folder that contains the signed certificate, CA certificate and private key file.
The order of the certificates in a PEM file must follow the certificate chain sequence, starting from
the server's own certificate and going up to the root CA certificate: vrli.cer must be first, rootca.cer next,
and vrli.key last.
cat vrli.cer rootca.cer vrli.key > vrli-chain.pem

Copy the vrli-chain.pem file to your computer.


You can use scp, FileZilla or WinSCP.

4.2.2 Upload the CA-Signed Certificate to vRealize Log Insight in Region A


After you generate the vrli-chain.pem certificate chain file that contains the server certificate, the
signer certificate and the private key file, upload the certificate chain to vRealize Log Insight.
Log in to the vRealize Log Insight UI.
a. Open a Web browser and go to https://vrli-mstr-01.sfo01.rainpole.local.
b. Log in using the following credentials.

Setting Value

User name admin

Password vrli_admin_password

In the vRealize Log Insight UI, click the configuration drop-down menu icon and
select Administration.


Under Configuration, click SSL.


On the SSL Configuration page, next to New Certificate File (PEM format) click Choose
File, browse to the location of the vrli-chain.pem file on your computer, and click Save.

The certificate is uploaded to vRealize Log Insight.

Open a Web browser and go to https://vrli-cluster-01.sfo01.rainpole.local.


A warning message that the connection is not trusted appears.

To review the certificate, click the padlock in the address bar of the browser, and verify that
the Subject Alternative Name contains the names of the vRealize Log Insight cluster nodes.


Import the certificate in your Web browser.


For example, in Google Chrome under the HTTPS/TLS settings click the Manage certificates
button, and in the Certificates dialog box import vrli-chain.pem. You can also use Certificate
Manager on Windows or Keychain Access on Mac OS X.
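The certificate steps in 4.2.1 (request configuration and chain assembly) and the Subject Alternative Name check in 4.2.2, as an added Python helper that is not part of the VMware guide: it builds the subjectAltName list from the node table (FQDN, short name and IP address of the load balancer and of every node, so it goes beyond the guide's file, which lists only the VIP address), reports why a vrli-chain.pem would be rejected (wrong block order or a pass-phrase protected key), and lists the expected SAN entries that a served certificate, in the form Python's ssl getpeercert() returns, does not carry. The PEM and certificate samples inside are constructed placeholders, not real key material.

```python
"""Added helper, not part of the VMware guide: SAN list, chain-order check and
served-certificate check for the vRealize Log Insight certificate in Region A."""
import re
from typing import Dict, List, Tuple

# Node table from the guide (Table 9); the load balancer FQDN is the common name.
VIP: Tuple[str, str] = ("vrli-cluster-01.sfo01.rainpole.local", "192.168.31.10")
NODES: List[Tuple[str, str]] = [
    ("vrli-mstr-01.sfo01.rainpole.local", "192.168.31.11"),
    ("vrli-wrkr-01.sfo01.rainpole.local", "192.168.31.12"),
    ("vrli-wrkr-02.sfo01.rainpole.local", "192.168.31.13"),
]


def san_entries(vip=VIP, nodes=NODES) -> List[str]:
    """Every name a client may use to reach the cluster: FQDN, short host name
    and IP address of the load balancer VIP and of each node."""
    entries = []
    for fqdn, ip in [vip, *nodes]:
        entries += [f"DNS:{fqdn}", f"DNS:{fqdn.split('.')[0]}", f"IP:{ip}"]
    return entries


def render_request_config(vip=VIP, nodes=NODES) -> str:
    """OpenSSL request configuration equivalent to the guide's vrli-sfo.cfg, with
    the subjectAltName generated from the node table instead of typed by hand."""
    lines = [
        "[ req ]",
        "default_bits = 2048",
        "default_keyfile = rui.key",
        "distinguished_name = req_distinguished_name",
        "encrypt_key = no",  # Log Insight rejects a pass-phrase protected key
        "prompt = no",
        "string_mask = nombstr",
        "req_extensions = v3_req",
        "[ v3_req ]",
        "basicConstraints = CA:FALSE",
        "keyUsage = digitalSignature, keyEncipherment, dataEncipherment",
        "extendedKeyUsage = serverAuth, clientAuth",
        "subjectAltName = " + ", ".join(san_entries(vip, nodes)),
        "[ req_distinguished_name ]",
        "countryName = US",
        "stateOrProvinceName = CA",
        "localityName = Palo Alto",
        "organizationName = Rainpole Inc.",
        "organizationalUnitName = rainpole.local",
        f"commonName = {vip[0]}",
    ]
    return "\n".join(lines) + "\n"


PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)
KEY_LABELS = ("PRIVATE KEY", "RSA PRIVATE KEY")


def chain_problems(pem_text: str) -> List[str]:
    """Reasons a vrli-chain.pem would be rejected: the order must be the server
    certificate (vrli.cer), the CA certificate(s) (rootca.cer), then the
    unencrypted private key (vrli.key)."""
    labels = [m.group(1) for m in PEM_BLOCK.finditer(pem_text)]
    if len(labels) < 3:
        return [f"expected certificate, CA certificate and key; found {labels}"]
    problems = []
    if labels[0] != "CERTIFICATE":
        problems.append("first block must be the server certificate (vrli.cer)")
    if any(label != "CERTIFICATE" for label in labels[1:-1]):
        problems.append("blocks between the server certificate and the key must be CA certificates")
    if labels[-1] == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in pem_text:
        problems.append("private key is pass-phrase protected; remove the pass phrase")
    elif labels[-1] not in KEY_LABELS:
        problems.append("last block must be the private key (vrli.key)")
    return problems


def missing_san(peercert: Dict, expected: List[str]) -> List[str]:
    """Expected entries absent from a certificate as returned by
    ssl.SSLSocket.getpeercert(), which spells IP entries as 'IP Address'."""
    present = {("IP" if kind == "IP Address" else kind) + ":" + value
               for kind, value in peercert.get("subjectAltName", ())}
    return [entry for entry in expected if entry not in present]


# Constructed samples: placeholder text stands in for the real base64 bodies.
GOOD_CHAIN = (
    "-----BEGIN CERTIFICATE-----\nSERVER-CERT-PLACEHOLDER\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nROOT-CA-PLACEHOLDER\n-----END CERTIFICATE-----\n"
    "-----BEGIN RSA PRIVATE KEY-----\nKEY-PLACEHOLDER\n-----END RSA PRIVATE KEY-----\n"
)
# The same blocks with the key first, as "cat vrli.key vrli.cer rootca.cer" would produce.
_parts = GOOD_CHAIN.splitlines(keepends=True)
KEY_FIRST_CHAIN = "".join(_parts[6:] + _parts[:6])
# Constructed getpeercert()-style result for a certificate that names only the VIP.
VIP_ONLY_PEERCERT = {"subjectAltName": (("DNS", VIP[0]), ("IP Address", VIP[1]))}

if __name__ == "__main__":
    print(render_request_config())
    print("good chain problems:", chain_problems(GOOD_CHAIN))
    print("key-first chain problems:", chain_problems(KEY_FIRST_CHAIN))
    print("VIP-only certificate lacks:", missing_san(VIP_ONLY_PEERCERT, san_entries()))
```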

4.3 Connect vRealize Log Insight to the vSphere Environment in Region A
Start collecting log information about the ESXi and vCenter Server instances in the SDDC.
 Configure User Privileges in vSphere for Integration with vRealize Log Insight for Region A
 Connect vRealize Log Insight to vSphere in Region A
 Configure vCenter Server to Forward Log Events to vRealize Log Insight in Region A


4.3.1 Configure User Privileges in vSphere for Integration with vRealize Log Insight for Region A
To collect log information from the vCenter Server instances and ESXi hosts in Region A, you must
assign a role to the svc-loginsight AD user on the vCenter Server objects. The svc-loginsight
user account is specifically dedicated to collecting log information from vCenter Server and ESXi.
Procedure
Log in to vCenter Server by using the vSphere Web Client.
a. Open a Web browser and go to https://mgmt01vc01.sfo01.rainpole.local/vsphere-client.
b. Log in using the following credentials.

Setting Value

User name [email protected]

Password vsphere_admin_password

From the Home menu, select Administration.


Under Access Control, click Roles.
Create a role specifically for vRealize Log Insight.
a. Select Read-only and click the Clone icon.
You clone the Read-only role because it includes the System.Anonymous, System.View,
and System.Read privileges. vRealize Log Insight requires those privileges for accessing log
information related to the vCenter Server instances.

b. In the Clone Role Read-only dialog box, enter LogInsight in the Role name text box.
c. Select the Host.Configuration.Advanced settings, Host.Configuration.Change
settings, Host.Configuration.Network configuration and Host.Configuration.Security
profile and firewall privileges.
These host privileges allow vRealize Log Insight to configure the syslog service on the ESXi
hosts.


d. Click OK.
Assign the LogInsight role to the svc-loginsight user on the Management vCenter Server
and Compute vCenter Server.
a. In the vSphere Web Client, navigate to the vCenter Server object in Region A.

vCenter Server Object

Management vCenter Server mgmt01vc01.sfo01.rainpole.local

Compute vCenter Server comp01vc01.sfo01.rainpole.local

b. Right-click the vCenter Server object and click Add Permission.


c. In the Add Permission dialog box, click the Add button to assign a role to a user or a group.
d. In the Select Users/Groups dialog box, from the Domain drop-down menu,
select RAINPOLE, and in the filter box type svc.
e. From the list of users and groups, select the svc-loginsight AD user, click the Add button,
and click OK.

f. In the Add Permission dialog box, from the Assigned Role drop-down menu, select LogInsight,
select Propagate to children, and click OK.


g. Repeat the step to assign permissions for the svc-loginsight user on the other vCenter Server
instance.

4.3.2 Connect vRealize Log Insight to vSphere in Region A


After you configure the svc-loginsight AD user with the vSphere privileges that are required for
retrieving log information from the vCenter Server instances and ESXi hosts, connect vRealize Log
Insight to vSphere.
Procedure
Log in to the vRealize Log Insight UI.
a. Open a Web browser and go to https://vrli-cluster-01.sfo01.rainpole.local.
b. Log in using the following credentials.

Setting Value

User name admin

Password vrli_admin_password

Click the configuration drop-down menu icon and select Administration.


Under Integration, click vSphere.
In the vCenter Servers pane, enter the connection settings for the Management vCenter Server
and for the Compute vCenter Server.
a. Enter the host name, user credentials, and collection options for the vCenter Server
instances, and click Test Connection.

Setting Value

Hostname mgmt01vc01.sfo01.rainpole.local
comp01vc01.sfo01.rainpole.local

Username [email protected]

Password svc-loginsight_user_password

Collect vCenter Server events, tasks and alarms Selected

Configure ESXi hosts to send logs to Log Insight Selected

b. Click Advanced Options and examine the list of ESXi hosts that are connected to the
vCenter Server instance to verify that you connect to the correct vCenter Server.

c. Click Add vCenter Server to add a new settings form and repeat the steps to add the
settings for the second vCenter Server instance in Region A.
Click Save.
A progress dialog box appears.

Click OK in the confirmation dialog box that appears after vRealize Log Insight contacts the
vCenter Server instances.
You see the vSphere dashboards under the VMware - vSphere content pack dashboard
category.

4.3.3 Configure vCenter Server to Forward Log Events to vRealize Log Insight
Install the vRealize Log Insight agent to collect and forward events to vRealize Log Insight on the
vCenter Server instances and Platform Services Controllers in the data center.
By installing the Log Insight agent on vCenter Server and Platform Services Controller, you collect log
data that is related to the vCenter Server operation.
Procedure
Download the Linux agent of vRealize Log Insight.
a. Open a Web browser and go to https://vrli-cluster-01.sfo01.rainpole.local.
b. Log in using the following credentials.

Setting Value

User name admin

Password vrli_admin_password

c. In the vRealize Log Insight UI, click the configuration drop-down menu icon and select
Administration.
d. Under Management, click Agents.
e. On the Agents page, click the Download Log Insight Agent Version 3.3.1 link.
f. In the Download Log Insight Agent Version 3.3.1 dialog box, click Linux BIN (32-bit/64-
bit) and save the .bin file on your computer.

Create a vCenter Server Agent Group.

a. In the vRealize Log Insight UI, click the configuration drop-down menu icon and select
Administration.
b. Under Management, click Agents.
c. On the Agents page, from the Agents drop-down list at the top select vSphere 6.x - vCenter
(Linux) Complete.
You see the agent configuration template file.
d. Under the agent configuration text box, click Copy Template, and in the Copy Agent Group
dialog box click Copy.

e. In the agent filter, set the filter attribute to Hostname, the operator to matches, and the value to
the host name of each vCenter Server or Platform Services Controller appliance for the
region that you are working in.

Appliances                      Host Names in Region A (use ENTER to separate each value)

vCenter Server instances        mgmt01vc01.sfo01.rainpole.local
                                comp01vc01.sfo01.rainpole.local

Platform Services Controllers   mgmt01psc01.sfo01.rainpole.local
                                comp01psc01.sfo01.rainpole.local

f. Scroll down to the bottom of the page and click the Save New Group button.
Install the Log Insight agent on the vCenter Server Appliance or Platform Services Controller
appliance.
a. Connect to the appliance over SSH.

Appliances                      Host Names in Region A

vCenter Server instances        mgmt01vc01.sfo01.rainpole.local
                                comp01vc01.sfo01.rainpole.local

Platform Services Controllers   mgmt01psc01.sfo01.rainpole.local
                                comp01psc01.sfo01.rainpole.local

b. Use the root user name and the appliance_root_password password to log in.
c. Copy the .bin file of the agent to the /root folder of the vCenter Server Appliance or the
Platform Services Controller appliance.
You can use scp, FileZilla or WinSCP.
d. Run the following console commands to make the agent .bin file executable.
cd /root
chmod +x VMware-Log-Insight-Agent-3.3.1-3636434_192.168.31.10.bin
e. Install the agent by running the following command.
./VMware-Log-Insight-Agent-3.3.1-3636434_192.168.31.10.bin

Verify whether the /etc/liagent.ini file is configured to send logs to vRealize Log Insight.
a. Verify that the [server] section contains the following hostname parameter.
hostname=vrli-cluster-01.sfo01.rainpole.local (for Region A appliances)
hostname=vrli-cluster-51.lax01.rainpole.local (for Region B appliances)
b. If the hostname parameter is not available, add it and save the changes to /etc/liagent.ini.
Repeat steps 3 and 4 for each appliance.
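Step 4 can be scripted on the appliance. The following is an added example, not code from the VMware guide: a shell function that reads only the [server] section of a liagent.ini file, reports the hostname configured there, and inserts the expected one when the key is missing. The INI content it runs on is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the VMware guide: section-aware check of the
# hostname= key in the [server] section of a Log Insight agent liagent.ini.

# Print the value of hostname= inside the [server] section (nothing if absent).
# Commented keys (;hostname=...) and hostname= keys in other sections are ignored.
liagent_server_hostname() {
    awk '
        /^[ \t]*\[/ { in_server = ($0 ~ /^[ \t]*\[server\][ \t]*$/); next }
        in_server && /^[ \t]*hostname[ \t]*=/ {
            sub(/^[ \t]*hostname[ \t]*=[ \t]*/, "")
            print
            exit
        }
    ' "$1"
}

# Ensure the [server] section points at the given vRealize Log Insight FQDN.
# Returns 0 when the file already matched or has been fixed, 1 when a different
# host is configured; that file is left untouched for an operator to review.
ensure_liagent_hostname() {
    ini_file=$1
    want_host=$2
    have_host=$(liagent_server_hostname "$ini_file")
    if [ -n "$have_host" ]; then
        [ "$have_host" = "$want_host" ]
        return
    fi
    if awk '/^[ \t]*\[server\][ \t]*$/ { found = 1 } END { exit !found }' "$ini_file"; then
        # Insert the key directly below the existing [server] header.
        awk -v h="$want_host" '
            { print }
            /^[ \t]*\[server\][ \t]*$/ && !added { print "hostname=" h; added = 1 }
        ' "$ini_file" > "$ini_file.tmp" && mv "$ini_file.tmp" "$ini_file"
    else
        # No [server] section at all: append one.
        printf '\n[server]\nhostname=%s\n' "$want_host" >> "$ini_file"
    fi
}

# Demonstration on a constructed file that mirrors the shipped template, where
# hostname is still commented out (the situation step 4b addresses).
demo_dir=$(mktemp -d)
demo_ini=$demo_dir/liagent.ini
printf '%s\n' '[server]' ';hostname=LOGINSIGHT' ';proto=cfapi' '[storage]' ';max_disk_buffer=200' > "$demo_ini"
ensure_liagent_hostname "$demo_ini" vrli-cluster-01.sfo01.rainpole.local
echo "configured hostname: $(liagent_server_hostname "$demo_ini")"
rm -rf "$demo_dir"
```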
Verify that the appliances are in the vSphere 6.x - vCenter (Linux) Complete agent group in
vRealize Log Insight.
a. Open a Web browser and go to https://vrli-mstr-01.sfo01.rainpole.local.
b. Log in using the following credentials.

Setting Value

User name admin

Password vrli_admin_password

c. In the vRealize Log Insight UI, click the configuration drop-down menu icon and select
Administration.
d. Under Management, click Agents.
e. On the Agents page, from the Agents drop-down menu select vSphere 6.x - vCenter
(Linux) Complete.
f. Verify that the appliances are registered on the page.

4.4 Install the vRealize Log Insight Content Pack for Virtual SAN in Region A
Install the content pack for VMware Virtual SAN to add the dashboards for viewing log information in
vRealize Log Insight.
Procedure
Log in to the vRealize Log Insight user interface.
a. Open a Web browser and go to https://vrli-cluster-01.sfo01.rainpole.local.
b. Log in using the following credentials.

Setting Value

User name admin

Password vrli_admin_password

In the vRealize Log Insight user interface, click the configuration drop-down menu icon and
select Content Packs.
Under Content Pack Marketplace, select Marketplace.
In the list of content packs, locate the VMware - VSAN content pack and click its icon.
In the Install Content Pack dialog box, click Install.

After the installation is complete, the VMware - VSAN content pack appears in the Installed Content
Packs list on the left.
Virtual SAN log information becomes available without additional configuration. The integration
between vRealize Log Insight and vSphere accommodates the transfer of Virtual SAN log information
automatically.

4.5 Enable the vRealize Log Insight Integration with vRealize Operations Manager for Region A
Connect vRealize Log Insight in Region A with vRealize Operations Manager to launch vRealize Log
Insight from within vRealize Operations Manager and to send alerts to vRealize Operations Manager.
Prerequisites
 Verify that the vRealize Log Insight management pack is installed in vRealize Operations
Manager.
 Verify that you have connected vRealize Operations Manager and vRealize Log Insight to the
mgmt01vc01.sfo01.rainpole.local or comp01vc01.sfo01.rainpole.local vCenter
Server instances.
Procedure
Log in to the vRealize Log Insight user interface.
a. Open a Web browser and go to https://vrli-cluster-01.sfo01.rainpole.local.
b. Log in using the following credentials.

Setting Value

User name admin

Password vrli_admin_password

In the vRealize Log Insight UI, click the configuration drop-down menu icon and
select Administration.

Under Integration, click vRealize Operations.


On the vRealize Operations Manager pane, configure the integration settings for vRealize
Operations Manager.
a. Enter the host name and the user credentials for the vRealize Operations Manager instances.

Setting Value

Hostname vrops-cluster-01.rainpole.local

User name admin

Password vrops_admin_password

b. Click Test Connection.


c. Select the Enable alerts integration check box.
d. Select the Enable launch in context check box.

Click Save.
A progress dialog box appears.

4.6 Connect vRealize Log Insight to vRealize Operations Manager in Region A
To connect vRealize Log Insight to vRealize Operations Manager, you install and configure vRealize
Log Insight Content Pack for vRealize Operations Manager. The Content Pack allows you to
troubleshoot vRealize Operations Manager by using dashboards and alerts in the vRealize Log
Insight UI.
 Install the vRealize Log Insight Content Pack for vRealize Operations Manager
 Configure the Log Insight Agent on vRealize Operations Manager to Forward Log Events to
vRealize Log Insight in Region A

4.6.1 Install the vRealize Log Insight Content Pack for vRealize Operations Manager
Install the content pack for vRealize Operations Manager to add the dashboards for viewing log
information in vRealize Log Insight.
Procedure
Log in to the vRealize Log Insight user interface.
a. Open a Web browser and go to https://vrli-cluster-01.sfo01.rainpole.local.
b. Log in using the following credentials.

Setting Value

User name admin

Password vrli_admin_password

In the vRealize Log Insight UI, click the configuration drop-down menu icon and select
Content Packs.
Under Content Pack Marketplace, select Marketplace.
In the list of content packs, locate the VMware - vR Ops 6.x content pack and click its icon.
In the Install Content Pack dialog box, click Install.

After the installation is complete, the VMware - vR Ops 6.x content pack appears in
the Installed Content Packs list on the left.

4.6.2 Configure the Log Insight Agent on vRealize Operations Manager to Forward Log Events to vRealize Log Insight in Region A
After you install the content pack for vRealize Operations Manager, configure the Log Insight agent on
vRealize Operations Manager to send audit logs and system events to vRealize Log Insight in Region
A.
Procedure
On your computer, create a liagent.ini file for each of the 6 nodes of vRealize Operations
Manager.
a. Create an empty liagent.ini file and paste the following template configuration.
; Client-side configuration of VMware Log Insight Agent
; See liagent-effective.ini for the actual configuration used by VMware Log Insight Agent
[server]
; Log Insight server hostname or ip address
; If omitted the default value is LOGINSIGHT
hostname=<YOUR LOGINSIGHT HOSTNAME HERE>
; Set protocol to use:
; cfapi - Log Insight REST API
; syslog - Syslog protocol
; If omitted the default value is cfapi
;
;proto=cfapi
; Log Insight server port to connect to. If omitted the default value is:
; for syslog: 512
; for cfapi without ssl: 9000
; for cfapi with ssl: 9543
;port=9000
;ssl - enable/disable SSL. Applies to cfapi protocol only.
; Possible values are yes or no. If omitted the default value is no.
;ssl=no
; Time in minutes to force reconnection to the server
; If omitted the default value is 30
;reconnect=30
[storage]
;max_disk_buffer - max disk usage limit (data + logs) in MB:
; 100 - 2000 MB, default 200
;max_disk_buffer=200
[logging]
;debug_level - the level of debug messages to enable:
; 0 - no debug messages
; 1 - trace essential debug messages
; 2 - verbose debug messages (will have negative impact on performance)
;debug_level=0
[filelog|messages]
directory=/var/log
include=messages;messages.?
[filelog|syslog]
directory=/var/log
include=syslog;syslog.?

[filelog|ANALYTICS-analytics]
tags = {"vmw_vr_ops_appname":"vROps", "vmw_vr_ops_logtype":"ANALYTICS","vmw_vr_ops_clustername":"<YOUR CLUSTER NAME HERE>", "vmw_vr_ops_clusterrole":"Master","vmw_vr_ops_nodename":"<YOUR NODE NAME HERE>", "vmw_vr_ops_hostname":"<YOUR VROPS HOSTNAME HERE>"}
directory = /data/vcops/log
include = analytics*.log*
exclude_fields=hostname

[filelog|COLLECTOR-collector]
tags = {"vmw_vr_ops_appname":"vROps", "vmw_vr_ops_logtype":"COLLECTOR","vmw_vr_ops_clustername":"<YOUR CLUSTER NAME HERE>", "vmw_vr_ops_clusterrole":"Master","vmw_vr_ops_nodename":"<YOUR NODE NAME HERE>", "vmw_vr_ops_hostname":"<YOUR VROPS HOSTNAME HERE>"}
directory = /data/vcops/log
include = collector.log*
exclude_fields=hostname
event_marker=^\d{4}-\d{2}-\d{2}[\s]\d{2}:\d{2}:\d{2}\,\d{3}

[filelog|COLLECTOR-collector_wrapper]
tags = {"vmw_vr_ops_appname":"vROps", "vmw_vr_ops_logtype":"COLLECTOR","vmw_vr_ops_clustername":"<YOUR CLUSTER NAME HERE>", "vmw_vr_ops_clusterrole":"Master","vmw_vr_ops_nodename":"<YOUR NODE NAME HERE>", "vmw_vr_ops_hostname":"<YOUR VROPS HOSTNAME HERE>"}
directory = /data/vcops/log
include = collector-wrapper.log*
exclude_fields=hostname
event_marker=^\d{4}-\d{2}-\d{2}[\s]\d{2}:\d{2}:\d{2}\.\d{3}

[filelog|COLLECTOR-collector_gc]
directory = /data/vcops/log
tags = {"vmw_vr_ops_appname":"vROps", "vmw_vr_ops_logtype":"COLLECTOR","vmw_vr_ops_clustername":"<YOUR CLUSTER NAME HERE>", "vmw_vr_ops_clusterrole":"Master","vmw_vr_ops_nodename":"<YOUR NODE NAME HERE>", "vmw_vr_ops_hostname":"<YOUR VROPS HOSTNAME HERE>"}
include = collector-gc*.log*
exclude_fields=hostname
event_marker=^\d{4}-\d{2}-\d{2}[\w]\d{2}:\d{2}:\d{2}\.\d{3}

[filelog|WEB-web]
directory = /data/vcops/log
tags = {"vmw_vr_ops_appname":"vROps", "vmw_vr_ops_logtype":"WEB","vmw_vr_ops_clustername":"<YOUR CLUSTER NAME HERE>", "vmw_vr_ops_clusterrole":"Master","vmw_vr_ops_nodename":"<YOUR NODE NAME HERE>", "vmw_vr_ops_hostname":"<YOUR VROPS HOSTNAME HERE>"}
include = web*.log*
exclude_fields=hostname
event_marker=^\d{4}-\d{2}-\d{2}[\s]\d{2}:\d{2}:\d{2}\,\d{3}

[filelog|GEMFIRE-gemfire]
tags = {"vmw_vr_ops_appname":"vROps", "vmw_vr_ops_logtype":"GEMFIRE","vmw_vr_ops_clustername":"<YOUR CLUSTER NAME HERE>", "vmw_vr_ops_clusterrole":"Master","vmw_vr_ops_nodename":"<YOUR NODE NAME HERE>", "vmw_vr_ops_hostname":"<YOUR VROPS HOSTNAME HERE>"}
directory = /data/vcops/log
include = gemfire*.log*
exclude_fields=hostname

[filelog|VIEW_BRIDGE-view_bridge]
tags = {"vmw_vr_ops_appname":"vROps","vmw_vr_ops_logtype":"VIEW_BRIDGE","vmw_vr_ops_clustername":"<YOUR CLUSTER NAME HERE>", "vmw_vr_ops_clusterrole":"Master","vmw_vr_ops_nodename":"<YOUR NODE NAME HERE>", "vmw_vr_ops_hostname":"<YOUR VROPS HOSTNAME HERE>"}
directory = /data/vcops/log
include = view-bridge*.log*
exclude_fields=hostname
event_marker=^\d{4}-\d{2}-\d{2}[\s]\d{2}:\d{2}:\d{2}\,\d{3}

[filelog|VCOPS_BRIDGE-vcops_bridge]
tags = {"vmw_vr_ops_appname":"vROps","vmw_vr_ops_logtype":"VCOPS_BRIDGE","vmw_vr_ops_clustername":"<YOUR CLUSTER NAME HERE>", "vmw_vr_ops_clusterrole":"Master","vmw_vr_ops_nodename":"<YOUR NODE NAME HERE>", "vmw_vr_ops_hostname":"<YOUR VROPS HOSTNAME HERE>"}
directory = /data/vcops/log
include = vcops-bridge*.log*
exclude_fields=hostname
event_marker=^\d{4}-\d{2}-\d{2}[\s]\d{2}:\d{2}:\d{2}\,\d{3}

[filelog|SUITEAPI-api]
directory = /data/vcops/log
tags = {"vmw_vr_ops_appname":"vROps", "vmw_vr_ops_logtype":"SUITEAPI","vmw_vr_ops_clustername":"<YOUR CLUSTER NAME HERE>", "vmw_vr_ops_clusterrole":"Master","vmw_vr_ops_nodename":"<YOUR NODE NAME HERE>", "vmw_vr_ops_hostname":"<YOUR VROPS HOSTNAME HERE>"}
include = api.log*;http_api.log*;profiling_api.log*
exclude_fields=hostname
event_marker=^\d{4}-\d{2}-\d{2}[\s]\d{2}:\d{2}:\d{2}\,\d{3}

[filelog|SUITEAPI-suite_api]
directory = /data/vcops/log/suite-api
tags = {"vmw_vr_ops_appname":"vROps", "vmw_vr_ops_logtype":"SUITEAPI","vmw_vr_ops_clustername":"<YOUR CLUSTER NAME HERE>", "vmw_vr_ops_clusterrole":"Master","vmw_vr_ops_nodename":"<YOUR NODE NAME HERE>", "vmw_vr_ops_hostname":"<YOUR VROPS HOSTNAME HERE>"}
include = *.log*
exclude_fields=hostname
event_marker=^\d{2}-\w{3}-\d{4}[\s]\d{2}:\d{2}:\d{2}\.\d{3}

[filelog|ADMIN_UI-admin_ui]
tags = {"vmw_vr_ops_appname":"vROps", "vmw_vr_ops_logtype":"ADMIN_UI","vmw_vr_ops_clustername":"<YOUR CLUSTER NAME HERE>", "vmw_vr_ops_clusterrole":"Master","vmw_vr_ops_nodename":"<YOUR NODE NAME HERE>", "vmw_vr_ops_hostname":"<YOUR VROPS HOSTNAME HERE>"}
directory = /data/vcops/log/casa
include = *.log*;*_log*
exclude_fields=hostname

[filelog|CALL_STACK-call_stack]
tags = {"vmw_vr_ops_appname":"vROps","vmw_vr_ops_logtype":"CALL_STACK", "vmw_vr_ops_clustername":"<YOUR CLUSTER NAME HERE>","vmw_vr_ops_clusterrole":"Master", "vmw_vr_ops_nodename":"<YOUR NODE NAME HERE>","vmw_vr_ops_hostname":"<YOUR VROPS HOSTNAME HERE>"}
directory = /data/vcops/log/callstack
include = analytics*.txt;collector*.txt
exclude_fields=hostname

[filelog|TOMCAT_WEBAPP-tomcat_webapp]
tags = {"vmw_vr_ops_appname":"vROps","vmw_vr_ops_logtype":"TOMCAT_WEBAPP","vmw_vr_ops_clustername":"<YOUR CLUSTER NAME HERE>", "vmw_vr_ops_clusterrole":"Master","vmw_vr_ops_nodename":"<YOUR NODE NAME HERE>", "vmw_vr_ops_hostname":"<YOUR VROPS HOSTNAME HERE>"}
directory = /data/vcops/log/product-ui
include = *.log*;*_log*
exclude_fields=hostname

[filelog|OTHER-other1]
tags = {"vmw_vr_ops_appname":"vROps", "vmw_vr_ops_logtype":"OTHER","vmw_vr_ops_clustername":"<YOUR CLUSTER NAME HERE>", "vmw_vr_ops_clusterrole":"Master","vmw_vr_ops_nodename":"<YOUR NODE NAME HERE>", "vmw_vr_ops_hostname":"<YOUR VROPS HOSTNAME HERE>"}
directory = /data/vcops/log
include = aim*.log*;calltracer*.log*;casa.audit*.log*;distributed*.log*;hafailover*.log;his*.log*;installer*.log*;locktrace*.log*;opsapi*.log*;query-service-timer*.log*;queryprofile*.log*;vcopsConfigureRoles*.log*
exclude_fields=hostname
event_marker=^\d{4}-\d{2}-\d{2}[\s]\d{2}:\d{2}:\d{2}\,\d{3}

[filelog|OTHER-other2]
tags = {"vmw_vr_ops_appname":"vROps", "vmw_vr_ops_logtype":"OTHER", "vmw_vr_ops_clustername":"<YOUR CLUSTER NAME HERE>", "vmw_vr_ops_clusterrole":"Master", "vmw_vr_ops_nodename":"<YOUR NODE NAME HERE>", "vmw_vr_ops_hostname":"<YOUR VROPS HOSTNAME HERE>"}
directory = /data/vcops/log
include = env-checker.log*
exclude_fields=hostname
event_marker=^\d{2}\D{1}\d{2}\D{1}\d{4}\s\d{2}:\d{2}:\d{2}

[filelog|OTHER-other3]
tags = {"vmw_vr_ops_appname":"vROps", "vmw_vr_ops_logtype":"OTHER", "vmw_vr_ops_clustername":"<YOUR CLUSTER NAME HERE>", "vmw_vr_ops_clusterrole":"Master", "vmw_vr_ops_nodename":"<YOUR NODE NAME HERE>", "vmw_vr_ops_hostname":"<YOUR VROPS HOSTNAME HERE>"}
directory = /data/vcops/log
include = gfsh*.log*;HTTPPostAdapter*.log*;meta-gemfire*.log*;migration*.log*
exclude_fields=hostname

[filelog|OTHER-watchdog]
tags = {"vmw_vr_ops_appname":"vROps", "vmw_vr_ops_logtype":"OTHER", "vmw_vr_ops_clustername":"<YOUR CLUSTER NAME HERE>", "vmw_vr_ops_clusterrole":"Master", "vmw_vr_ops_nodename":"<YOUR NODE NAME HERE>", "vmw_vr_ops_hostname":"<YOUR VROPS HOSTNAME HERE>"}
directory = /data/vcops/log/vcops-watchdog
include = vcops-watchdog.log*
exclude_fields=hostname
event_marker=^\d{4}-\d{2}-\d{2}[\s]\d{2}:\d{2}:\d{2}\,\d{3}

[filelog|ADAPTER-vmwareadapter]
tags = {"vmw_vr_ops_appname":"vROps", "vmw_vr_ops_logtype":"ADAPTER", "vmw_vr_ops_clustername":"<YOUR CLUSTER NAME HERE>", "vmw_vr_ops_clusterrole":"Master", "vmw_vr_ops_nodename":"<YOUR NODE NAME HERE>", "vmw_vr_ops_hostname":"<YOUR VROPS HOSTNAME HERE>"}
directory = /data/vcops/log/adapters/VMwareAdapter
include = *.log*
exclude_fields=hostname
event_marker=^\d{4}-\d{2}-\d{2}[\s]\d{2}:\d{2}:\d{2}\,\d{3}

[filelog|ADAPTER-vcopsadapter]
tags = {"vmw_vr_ops_appname":"vROps", "vmw_vr_ops_logtype":"ADAPTER", "vmw_vr_ops_clustername":"<YOUR CLUSTER NAME HERE>", "vmw_vr_ops_clusterrole":"Master", "vmw_vr_ops_nodename":"<YOUR NODE NAME HERE>", "vmw_vr_ops_hostname":"<YOUR VROPS HOSTNAME HERE>"}
directory = /data/vcops/log/adapters/VCOpsAdapter
include = *.log*
exclude_fields=hostname
event_marker=^\d{4}-\d{2}-\d{2}[\s]\d{2}:\d{2}:\d{2}\,\d{3}

[filelog|ADAPTER-openapiadapter]
tags = {"vmw_vr_ops_appname":"vROps", "vmw_vr_ops_logtype":"ADAPTER", "vmw_vr_ops_clustername":"<YOUR CLUSTER NAME HERE>", "vmw_vr_ops_clusterrole":"Master", "vmw_vr_ops_nodename":"<YOUR NODE NAME HERE>", "vmw_vr_ops_hostname":"<YOUR VROPS HOSTNAME HERE>"}
directory = /data/vcops/log/adapters/OpenAPIAdapter
include = *.log*
exclude_fields=hostname
event_marker=^\d{4}-\d{2}-\d{2}[\s]\d{2}:\d{2}:\d{2}\,\d{3}

b. In the node-specific liagent.ini file, change the following parameters and save the file.

Parameter: hostname
Description: IP address or FQDN of the Log Insight VIP
Location in liagent.ini: [server] section
Configuration Instructions: Replace <YOUR LOGINSIGHT HOSTNAME HERE> with vrli-cluster-01.sfo01.rainpole.local.

Parameter: proto
Description: Protocol that the agent uses to send events to the Log Insight server.
Location in liagent.ini: [server] section
Configuration Instructions: Remove the ; comment in front of the parameter to set the log protocol to cfapi.

Parameter: port
Description: Communication port that the agent uses to send events to the vRealize Log Insight server.
Location in liagent.ini: [server] section
Configuration Instructions: Remove the ; comment in front of the parameter to set the port to 9000.

Parameter: vmw_vr_ops_clustername
Description: Name of the vRealize Operations Manager cluster
Location in liagent.ini: each [filelog|section_name] section
Configuration Instructions: Replace each <YOUR CLUSTER NAME HERE> with vrops-cluster-01.

Parameter: vmw_vr_ops_clusterrole
Description: Role of the vRealize Operations Manager node
Location in liagent.ini: each [filelog|section_name] section
Configuration Instructions: Set to Master, Replica, Data or Remote Collector.

Parameter: vmw_vr_ops_hostname
Description: IP address or FQDN of the vRealize Operations Manager node
Location in liagent.ini: each [filelog|section_name] section
Configuration Instructions: Replace each <YOUR VROPS HOSTNAME HERE> with the following FQDN:
    vrops-mstrn-01.rainpole.local for the master node
    vrops-repln-02.rainpole.local for the replica node
    vrops-datan-03.rainpole.local for data node 1
    vrops-datan-04.rainpole.local for data node 2
    vrops-rmtcol-01.sfo01.rainpole.local for remote collector 1
    vrops-rmtcol-02.sfo01.rainpole.local for remote collector 2

Parameter: vmw_vr_ops_nodename
Description: Name of the vRealize Operations Manager node that is set during node initial configuration
Location in liagent.ini: each [filelog|section_name] section
Configuration Instructions: Replace each <YOUR NODE NAME HERE> with the following name:
    vrops-mstrn-01 for the master node
    vrops-repln-02 for the replica node
    vrops-datan-03 for data node 1
    vrops-datan-04 for data node 2
    vrops-rmtcol-01 for remote collector 1
    vrops-rmtcol-02 for remote collector 2

You change the [server] section as follows.

[server]
; Log Insight server hostname or ip address
; If omitted the default value is LOGINSIGHT
hostname=vrli-cluster-01.sfo01.rainpole.local
; Set protocol to use:
; cfapi - Log Insight REST API
; syslog - Syslog protocol
; If omitted the default value is cfapi
;
proto=cfapi
; Log Insight server port to connect to. If omitted the default value is:
; for syslog: 512
; for cfapi without ssl: 9000
; for cfapi with ssl: 9543
port=9000
;ssl - enable/disable SSL. Applies to cfapi protocol only.
; Possible values are yes or no. If omitted the default value is no.
;ssl=no
; Time in minutes to force reconnection to the server
; If omitted the default value is 30
;reconnect=30

For example, on the master replica node you change the [filelog|ANALYTICS-analytics]
section that is related to the logs files of the analytics module as follows.
[filelog|ANALYTICS-analytics]
tags = {"vmw_vr_ops_appname":"vROps", "vmw_vr_ops_logtype":"ANALYTICS","vmw_vr_ops_clustername":"vrops-cluster-01", "vmw_vr_ops_clusterrole":"Replica","vmw_vr_ops_nodename":"vrops-repln-02", "vmw_vr_ops_hostname":"vrops-repln-02.rainpole.local"}
directory = /data/vcops/log
include = analytics*.log*
exclude_fields=hostname
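Editing six copies of the template by hand invites inconsistency between the [filelog|...] sections, so here is an added shell example, not part of the VMware guide, that renders the node-specific files with sed from the node names, FQDNs and roles in the table above. The cut-down template it writes is constructed for the demonstration and keeps only the keys that the substitutions touch.

```shell
#!/bin/sh
# Added example, not from the VMware guide: render node-specific liagent.ini
# files for the vRealize Operations Manager nodes from the agent template.

LI_HOST=vrli-cluster-01.sfo01.rainpole.local   # vRealize Log Insight VIP (from the guide)
VROPS_CLUSTER=vrops-cluster-01                 # vmw_vr_ops_clustername value (from the guide)

# render_vrops_liagent TEMPLATE OUTFILE NODE_NAME NODE_FQDN ROLE
# Applies every change listed in the parameter table: fills the Log Insight
# hostname, uncomments proto and port, fills the three vROps placeholders in
# each [filelog|...] tags line, and replaces the template's "Master" role.
render_vrops_liagent() {
    sed \
        -e "s|<YOUR LOGINSIGHT HOSTNAME HERE>|$LI_HOST|g" \
        -e 's|^;proto=cfapi$|proto=cfapi|' \
        -e 's|^;port=9000$|port=9000|' \
        -e "s|<YOUR CLUSTER NAME HERE>|$VROPS_CLUSTER|g" \
        -e "s|<YOUR NODE NAME HERE>|$3|g" \
        -e "s|<YOUR VROPS HOSTNAME HERE>|$4|g" \
        -e "s|\"vmw_vr_ops_clusterrole\":\"Master\"|\"vmw_vr_ops_clusterrole\":\"$5\"|g" \
        "$1" > "$2"
}

# Count template placeholders that survived rendering; a correct file yields 0.
count_placeholders() {
    grep -c '<YOUR [A-Z ]*HERE>' "$1" || true
}

# Render one file per node into OUT_DIR. Fields are separated by | because the
# "Remote Collector" role contains a space.
render_all_nodes() {
    template=$1
    out_dir=$2
    while IFS='|' read -r node fqdn role; do
        render_vrops_liagent "$template" "$out_dir/liagent-$node.ini" "$node" "$fqdn" "$role"
    done <<EOF
vrops-mstrn-01|vrops-mstrn-01.rainpole.local|Master
vrops-repln-02|vrops-repln-02.rainpole.local|Replica
vrops-datan-03|vrops-datan-03.rainpole.local|Data
vrops-datan-04|vrops-datan-04.rainpole.local|Data
vrops-rmtcol-01|vrops-rmtcol-01.sfo01.rainpole.local|Remote Collector
vrops-rmtcol-02|vrops-rmtcol-02.sfo01.rainpole.local|Remote Collector
EOF
}

# Constructed cut-down template: the [server] keys and two [filelog|...]
# sections copied from the guide's template, enough to exercise every substitution.
write_sample_template() {
    cat > "$1" <<'EOF'
[server]
hostname=<YOUR LOGINSIGHT HOSTNAME HERE>
;proto=cfapi
;port=9000
;ssl=no

[filelog|ANALYTICS-analytics]
tags = {"vmw_vr_ops_appname":"vROps", "vmw_vr_ops_logtype":"ANALYTICS","vmw_vr_ops_clustername":"<YOUR CLUSTER NAME HERE>", "vmw_vr_ops_clusterrole":"Master","vmw_vr_ops_nodename":"<YOUR NODE NAME HERE>", "vmw_vr_ops_hostname":"<YOUR VROPS HOSTNAME HERE>"}
directory = /data/vcops/log
include = analytics*.log*
exclude_fields=hostname

[filelog|OTHER-other2]
tags = {"vmw_vr_ops_appname":"vROps", "vmw_vr_ops_logtype":"OTHER", "vmw_vr_ops_clustername":"<YOUR CLUSTER NAME HERE>", "vmw_vr_ops_clusterrole":"Master", "vmw_vr_ops_nodename":"<YOUR NODE NAME HERE>", "vmw_vr_ops_hostname":"<YOUR VROPS HOSTNAME HERE>"}
directory = /data/vcops/log
include = env-checker.log*
exclude_fields=hostname
EOF
}

# Demonstration: render all six files into a temporary directory and report
# how many placeholders remain in each (all should be 0).
demo_dir=$(mktemp -d)
write_sample_template "$demo_dir/template.ini"
render_all_nodes "$demo_dir/template.ini" "$demo_dir"
for f in "$demo_dir"/liagent-*.ini; do
    echo "$(basename "$f"): $(count_placeholders "$f") placeholders left"
done
rm -rf "$demo_dir"
```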

Enable SSH on each node of vRealize Operations Manager.


a. Open a Web browser and go to https://mgmt01vc01.sfo01.rainpole.local/vsphere-client.
b. Log in using the following credentials.

Setting Value

User name [email protected]

Password vsphere_admin_password

c. Under the mgmt01vc01.sfo01.rainpole.local vCenter Server, navigate to the virtual appliance for the node.

Virtual Appliance Name Role

vrops-mstrn-01 Master node

vrops-repln-02 Master replica node

vrops-datan-03 Data node 1

vrops-datan-04 Data node 2

vrops-rmtcol-01 Remote collector 1

vrops-rmtcol-02 Remote collector 2

d. Right-click the appliance node and select Open Console to open the remote console to the
appliance.
e. Press ALT+F1 to switch to the command prompt.

f. If the node is not the master, at the command prompt, log in by using the root user name
and an empty password, and change the default empty password.
You must change the default root password because this is the first login to the virtual
appliance console.
g. Start the SSH service by running the command:
service sshd start
h. Close the virtual appliance console.
Apply the Log Insight agent configuration.
a. On the appliance, replace the liagent.ini file in the /var/lib/loginsight-agent folder
with the node-specific file on your computer.
You can use scp, FileZilla or WinSCP.
b. Restart the Log Insight agent on the node by running the following console command as the
root user.
/etc/init.d/liagentd restart
c. Stop the SSH service on the virtual appliance by running the following command.
service sshd stop
Repeat the steps for each of the remaining five vRealize Operations Manager nodes.
You see log information about the operation of vRealize Operations Manager on the VMware - vR
Ops 6.x Log Insight dashboards.

4.7 Connect vRealize Log Insight to the NSX Instances in Region A
Install and configure the vRealize Log Insight Content Pack for NSX for vSphere for log visualization
and alerting on the real-time operation of NSX for vSphere. You can use the NSX-vSphere dashboards to
monitor logs about installation and configuration, and about virtual networking services.
 Install the vRealize Log Insight Content Pack for NSX for vSphere
 Configure NSX Managers to Forward Log Events to vRealize Log Insight in Region A
 Configure the NSX Controllers to Forward Events to vRealize Log Insight in Region A

 Configure the NSX Edge Instances to Forward Log Events to vRealize Log Insight in Region A

4.7.1 Install the vRealize Log Insight Content Pack for NSX for vSphere
Install the content pack for NSX for vSphere to add the dashboards for viewing log information in
vRealize Log Insight.
Log in to the vRealize Log Insight user interface.
a. Open a Web browser and go to https://vrli-cluster-01.sfo01.rainpole.local.
b. Log in using the following credentials.

Setting Value

User name admin

Password vrli_admin_password

In the vRealize Log Insight UI, click the configuration drop-down menu icon and
select Content Packs.
Under Content Pack Marketplace, select Marketplace.
In the list of content packs, locate the VMware - NSX-vSphere content pack and click its icon.
In the Install Content Pack dialog box, click Install.

After the installation is complete, the VMware - NSX-vSphere content pack appears in the
Installed Content Packs list on the left.

4.7.2 Configure NSX Managers to Forward Log Events to vRealize Log Insight in Region A
Configure the NSX Manager for the management cluster and the NSX Manager for the compute and
edge clusters to send audit logs and system events to vRealize Log Insight in Region A.
Procedure
Log in to the NSX Manager appliance UI.
a. Open a Web browser and go to the following URL.

NSX Manager                                      URL

NSX Manager for the management cluster           https://mgmt01nsxm01.sfo01.rainpole.local

NSX Manager for the compute and edge clusters    https://comp01nsxm01.sfo01.rainpole.local

b. Log in using the following credentials.

Setting Value

User name admin

Password mngnsx_admin_password
compnsx_admin_password

On the main page of the appliance UI, click Manage Appliance Settings.

Under Settings, click General, and in the Syslog Server pane, click Edit.
In the Syslog Server dialog box, configure vRealize Log Insight as a syslog server by specifying
the following settings and click OK.

Setting Value

Syslog Server vrli-cluster-01.sfo01.rainpole.local

Port 514

Protocol UDP

4.7.3 Configure the NSX Controllers to Forward Events to vRealize Log Insight in Region A
Configure the NSX Controller instances for the management, compute and edge clusters to forward
log information to vRealize Log Insight in Region A by using the NSX REST API. You can use a
REST client, such as the RESTClient add-on for Firefox, to enable log forwarding.
Prerequisites
 On a Windows host that has access to your data center, install a REST client, such as the
RESTClient add-on for Firefox.
Procedure
Log in to the Windows host that has access to your data center.
In a Firefox browser, go to chrome://restclient/content/restclient.html.
Specify the request headers for requests to the NSX Manager.
a. From the Authentication drop-down menu, select Basic Authentication.

b. In the Basic Authorization dialog box, enter the following credentials, select Remember
me and click Okay.

Setting Value

Username admin

Password mngnsx_admin_password
compnsx_admin_password

The Authorization:Basic XXX header appears in the Headers pane.


c. From the Headers drop-down menu, select Custom Header.

d. In the Request Header dialog box, enter the following header details and click Okay.

Request Header Attribute Value

Name Content-Type

Value application/xml

The Content-Type:application/xml header appears in the Headers pane.

4. Contact the NSX Manager to retrieve the IDs of the associated NSX Controllers.
   a. In the Request pane, from the Method drop-down menu, select GET.
   b. In the URL text box, enter the following URL, and click Send.
      The RESTClient sends a query to the NSX Manager about the installed NSX Controllers.

      NSX Manager                                     URL
      NSX Manager for the management cluster          https://mgmt01nsxm01.sfo01.rainpole.local/api/2.0/vdn/controller
      NSX Manager for the compute and edge clusters   https://comp01nsxm01.sfo01.rainpole.local/api/2.0/vdn/controller

   c. After the NSX Manager sends a response back, click the Response Body (Preview) tab
      under Response. The response body contains a root <controllers> XML element which
      groups the details about the three controllers that form the controller cluster.
   d. Within the <controllers> element, locate the <controller> element for each controller
      and write down the content of the <id> element.
      Controller IDs have the controller-id format where id represents the sequence number
      of the controller in the cluster, for example, controller-2.
   e. Repeat the steps for the other NSX Manager.
5. For each NSX Controller, send a request to configure vRealize Log Insight as a remote syslog
   server.
   a. In the Request pane, from the Method drop-down menu, select POST, and in the URL text
      box, enter the following URL.

      NSX Manager                                     NSX Controller in the Controller Cluster   POST URL
      NSX Manager for the management cluster          NSX Controller 1   https://mgmt01nsxm01.sfo01.rainpole.local/api/2.0/vdn/controller/controller-1/syslog
                                                      NSX Controller 2   https://mgmt01nsxm01.sfo01.rainpole.local/api/2.0/vdn/controller/controller-2/syslog
                                                      NSX Controller 3   https://mgmt01nsxm01.sfo01.rainpole.local/api/2.0/vdn/controller/controller-3/syslog
      NSX Manager for the compute and edge clusters   NSX Controller 1   https://comp01nsxm01.sfo01.rainpole.local/api/2.0/vdn/controller/controller-1/syslog
                                                      NSX Controller 2   https://comp01nsxm01.sfo01.rainpole.local/api/2.0/vdn/controller/controller-2/syslog
                                                      NSX Controller 3   https://comp01nsxm01.sfo01.rainpole.local/api/2.0/vdn/controller/controller-3/syslog

   b. In the Request pane, paste the following request body in the Body text box and click Send.

      <controllerSyslogServer>
        <syslogServer>vrli-cluster-01.sfo01.rainpole.local</syslogServer>
        <port>514</port>
        <protocol>UDP</protocol>
        <level>INFO</level>
      </controllerSyslogServer>

   c. Repeat the steps for the next NSX Controller.
6. Verify the syslog configuration on each NSX Controller.
   a. In the Request pane, from the Method drop-down menu, select GET, and in the URL text
      box, enter the controller-specific syslog URL from the previous step.
   b. After the NSX Manager sends a response back, click the Response Body (Preview) tab
      under Response. The response body contains a root <controllerSyslogServer>
      element which represents the settings for the remote syslog server on the NSX Controller.
   c. Verify that the value of the <syslogServer> element is vrli-cluster-01.sfo01.rainpole.local.
   d. Repeat the steps for the next NSX Controller.
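The sequence above (list the controllers, POST the syslog settings to each one, then GET them back to verify) can be driven from a script instead of a browser REST client, which makes the verification step repeatable across both NSX Managers. The following Python example is added here and is not part of the guide or of NSX; it uses only the standard library, the endpoints and request body shown above, and keeps TLS certificate verification on (pass the CA bundle that signed the NSX Manager certificate as ca_file). The NsxManager class name and the <controllers> sample at the end are constructed for the offline check.

```python
"""Configure remote syslog on NSX Controllers through the NSX Manager REST API.

Added example (not from the VMware guide). Endpoints are those of the procedure:
  GET  /api/2.0/vdn/controller               -> <controllers><controller><id>...</id>
  POST /api/2.0/vdn/controller/<id>/syslog   <- <controllerSyslogServer> body
  GET  /api/2.0/vdn/controller/<id>/syslog   -> read back for verification
"""
import base64
import ssl
import urllib.request
import xml.etree.ElementTree as ET

VRLI_FQDN = "vrli-cluster-01.sfo01.rainpole.local"


def parse_controller_ids(xml_text):
    """Return the <id> values (controller-1, controller-2, ...) from a <controllers> listing."""
    root = ET.fromstring(xml_text)
    return [c.findtext("id") for c in root.iter("controller") if c.findtext("id")]


def build_syslog_body(server=VRLI_FQDN, port=514, protocol="UDP", level="INFO"):
    """Serialise the <controllerSyslogServer> request body the API expects."""
    root = ET.Element("controllerSyslogServer")
    for tag, value in (("syslogServer", server), ("port", str(port)),
                       ("protocol", protocol), ("level", level)):
        ET.SubElement(root, tag).text = value
    return ET.tostring(root, encoding="unicode")


def syslog_matches(xml_text, expected_server=VRLI_FQDN):
    """True when a GET .../syslog response points at the expected syslog server."""
    root = ET.fromstring(xml_text)
    return root.tag == "controllerSyslogServer" and root.findtext("syslogServer") == expected_server


class NsxManager:
    """Minimal basic-auth client for the NSX Manager REST API (hypothetical helper)."""

    def __init__(self, host, username, password, ca_file=None):
        self.base = "https://" + host
        token = base64.b64encode(f"{username}:{password}".encode()).decode()
        # The same two headers the RESTClient procedure sets by hand.
        self.headers = {"Authorization": "Basic " + token,
                        "Content-Type": "application/xml"}
        # Certificate verification stays on: supply the CA bundle that signed the
        # NSX Manager certificate rather than disabling checks.
        self.ctx = ssl.create_default_context(cafile=ca_file)

    def _request(self, method, path, body=None):
        data = body.encode() if body is not None else None
        req = urllib.request.Request(self.base + path, data=data, method=method, headers=self.headers)
        with urllib.request.urlopen(req, context=self.ctx, timeout=30) as resp:
            return resp.read().decode()

    def controller_ids(self):
        return parse_controller_ids(self._request("GET", "/api/2.0/vdn/controller"))

    def configure_syslog(self, server=VRLI_FQDN, port=514, protocol="UDP", level="INFO"):
        """POST the syslog settings to every controller, GET them back; returns {id: verified}."""
        body = build_syslog_body(server, port, protocol, level)
        results = {}
        for cid in self.controller_ids():
            path = f"/api/2.0/vdn/controller/{cid}/syslog"
            self._request("POST", path, body)
            results[cid] = syslog_matches(self._request("GET", path), server)
        return results


# Constructed sample of a <controllers> listing, used for the offline check below.
SAMPLE_CONTROLLERS = """<?xml version="1.0" encoding="UTF-8"?>
<controllers>
  <controller><id>controller-1</id><status>RUNNING</status></controller>
  <controller><id>controller-2</id><status>RUNNING</status></controller>
  <controller><id>controller-3</id><status>RUNNING</status></controller>
</controllers>"""

if __name__ == "__main__":
    # Live run against the management NSX Manager would be, for example:
    #   NsxManager("mgmt01nsxm01.sfo01.rainpole.local", "admin", "<mngnsx_admin_password>").configure_syslog()
    print(parse_controller_ids(SAMPLE_CONTROLLERS))
    print(build_syslog_body())
```

configure_syslog() returns one entry per controller ID; any False value means the read-back in step 6 did not show the vRealize Log Insight FQDN and that controller needs a second look before the NSX-vSphere dashboards are trusted.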

4.7.4 Configure the NSX Edge Instances to Forward Log Events to vRealize Log Insight in Region A
Configure the Edge Services Gateways, Universal Distributed Logical Router and Load Balancer of the
Management and Compute NSX Manager instances to forward log information to vRealize Log
Insight in Region A.
Procedure
1. Log in to vCenter Server by using the vSphere Web Client.
   a. Open a browser and go to https://mgmt01vc01.sfo01.rainpole.local/vsphere-client.
   b. Log in using the following credentials.

      Setting     Value
      User name   [email protected]
      Password    vsphere_admin_password

2. From the Home menu, select Networking & Security.
3. From the Networking & Security menu on the left, click NSX Edges.
4. On the NSX Edges page, select the NSX Manager instance from the NSX Manager drop-down
   menu.

   NSX Manager Instance     IP
   Management NSX Manager   172.16.11.65
   Compute NSX Manager      172.16.11.66

   The edge devices in the scope of the NSX Manager appear.

5. Configure the log forwarding on each edge service gateway of the Management and Compute NSX
   Manager instances.
   a. Double-click the edge device to open its user interface.

      Traffic               Management NSX Edge Service Gateway   Compute NSX Edge Service Gateway
      North-South Routing   SFOMGMT-ESG01                         SFOEDGE-ESG01
      North-South Routing   SFOMGMT-ESG02                         SFOEDGE-ESG02
      East-West Routing     UDLR01                                UDLR01
      Load Balancer         SFOMGMT-LB01                          -

   b. On the NSX Edge device page, click the Manage tab, click Settings, and click
      Configuration.
   c. In the Details panel, click Change next to Syslog servers.
   d. In the Edit Syslog Servers Configuration dialog box, in the Syslog Server 1 text box enter
      vrli-cluster-01.sfo01.rainpole.local and from the Protocol drop-down menu, select udp.
   e. Click OK.
   f. Repeat the steps for the remaining NSX Edge devices of the Management and Compute NSX
      Manager instances.
The vRealize Log Insight user interface starts showing log data in the NSX-vSphere-Overview
dashboard available under the VMware - NSX-vSphere group of content pack dashboards.

4.8 Connect vRealize Log Insight to vRealize Automation in Region A
Connect vRealize Log Insight to vRealize Automation to receive log information from all components of
vRealize Automation in the vRealize Log Insight UI.
• Install the vRealize Log Insight Content Pack for vRealize Automation and vRealize Orchestrator
  in Region A
• Install and Configure vRealize Log Insight Windows Agents in Region A
• Configure vRealize Log Insight Linux Agents in Region A
• Configure vRealize Orchestrator to Forward Log Events to vRealize Log Insight in Region A

4.8.1 Install the vRealize Log Insight Content Pack for vRealize Automation in Region A
Install the following content packs for vRealize Automation and vRealize Orchestrator to add the
dashboards for viewing log information in vRealize Log Insight.

   Name of Content Pack    Version
   VMware - vRA 7          1.0
   VMware - Orchestrator   1.1

Procedure
1. Log in to the vRealize Log Insight user interface.
   a. Open a Web browser and go to https://vrli-cluster-01.sfo01.rainpole.local.
   b. Log in using the following credentials.

      Setting     Value
      User name   admin
      Password    vrli_admin_password

2. In the vRealize Log Insight UI, click the configuration drop-down menu icon and
   select Content Packs.
3. Under Content Pack Marketplace, select Marketplace.
4. In the list of content packs, locate the VMware - vRA 7 content pack and click its icon.
5. In the Install Content Pack dialog box, click Install.
6. Repeat the procedure to install the VMware - Orchestrator content pack.
After the installation is complete, the VMware - vRA 7 and VMware - Orchestrator content packs
appear in the Installed Content Packs list on the left.


4.8.2 Install and Configure vRealize Log Insight Windows Agents in Region A
Install the vRealize Log Insight agent on the Windows virtual machines for the Distributed Execution
Manager, IaaS Manager Service, IaaS Web Server, IaaS Microsoft SQL Server and the vSphere
proxy agents. Configure the Log Insight Windows agents from the vRealize Log Insight web interface.
Procedure
1. Download the Windows agent for vRealize Log Insight to your Jump Host.
   a. Open a Web browser and go to https://vrli-cluster-01.sfo01.rainpole.local.
   b. Log in using the following credentials.

      Setting     Value
      User name   admin
      Password    vrli_admin_password

   c. Click the configuration drop-down menu icon and select Administration.
   d. Under Management, click Agents.
   e. On the Agents page, click the Download Log Insight Agent Version 3.0.0 link.
   f. In the Download Log Insight Agent Version 3.0.0 dialog box, click Windows MSI
      (32-bit/64-bit) and save the .msi file on your computer.
2. Log in to the Windows virtual machine of the vRealize Automation component.
   a. Connect to the following host address using RDP. Use the vrli_admin_user user name
      and the vrli_admin_password password to log in.

      vRealize Automation Component               Host Name/VM Name
      IaaS Web Server                             vra01iws01a.rainpole.local
      IaaS Web Server                             vra01iws01b.rainpole.local
      IaaS Manager Service and DEM Orchestrator   vra01ims01a.rainpole.local
      IaaS Manager Service and DEM Orchestrator   vra01ims01b.rainpole.local
      IaaS DEM Worker                             vra01dem01.rainpole.local
      IaaS DEM Worker                             vra01dem02.rainpole.local
      vSphere Proxy Agent                         vra01ias01.sfo01.rainpole.local
      vSphere Proxy Agent                         vra01ias02.sfo01.rainpole.local
      Microsoft SQL Server                        vra01mssql01.rainpole.local

   b. Copy the Log Insight Agent Version 3.3.1 .msi file from the jump host and paste it in the
      vRealize Automation Windows VM.
   c. Double-click the .msi file to run the installer.
   d. In the VMware vRealize Log Insight Agent Setup wizard, accept the license agreement and
      click Next.
   e. With the Log Insight host name (vrli-cluster-01.sfo01.rainpole.local) shown in the Host text
      box, click Install.
   f. After the installation is complete, click Finish.


3. Configure the Log Insight Windows agents from the vRealize Log Insight web user interface.
   a. Open a Web browser and go to https://vrli-cluster-01.sfo01.rainpole.local.
   b. Log in using the following credentials.

      Setting     Value
      User name   admin
      Password    vrli_admin_password

   c. Click the Configuration drop-down menu icon and select Administration.
   d. Under Management, click Agents.
   e. From the drop-down menu at the top, select vRealize Automation 7 - Windows from the
      Available Templates section.
   f. Click Copy Template.
   g. In the Copy Agent Group dialog box, enter vRA7 - Windows Agent Group in the name text
      box and click Copy.
   h. In the agent filter fields, use the following selections.

      Filter     Operator   Values (use ENTER to separate each value)
      Hostname   matches    vra01iws01a.rainpole.local
                            vra01iws01b.rainpole.local
                            vra01ims01a.rainpole.local
                            vra01ims01b.rainpole.local
                            vra01dem01.rainpole.local
                            vra01dem02.rainpole.local
                            vra01ias01.sfo01.rainpole.local
                            vra01ias02.sfo01.rainpole.local
                            vra01mssql01.rainpole.local

   i. Click Refresh and verify that all the agents listed in the filter appear in the Agents list.
   j. Click Save New Group at the bottom of the page.
   k. Click the Dashboard tab and select the VMware - vRA 7 dashboard from the drop-down menu
      on the left.
All VMware - vRA 7 dashboards become available on the vRealize Log Insight Home page.


4.8.3 Configure vRealize Log Insight Linux Agents in Region A
Starting with vRealize Automation 7.0, the vRealize Log Insight Agent comes pre-installed on the
vRealize Automation virtual appliance.
Configuration of the Linux Agent is performed by the following procedure:
• Connect over SSH and edit the liagent.ini file on both vRealize Automation virtual appliances to
  reflect the FQDN of the vRealize Log Insight cluster, and set the communication protocol and port.
• Configure the Linux Agent Group on the Log Insight server.

   Virtual Appliance                 FQDN / SSH Server
   vRealize Automation Appliance A   vra01svr01a.rainpole.local
   vRealize Automation Appliance B   vra01svr01b.rainpole.local

Procedure
1. Edit the liagent.ini file on the first vRealize Automation virtual appliance.
   a. Open an SSH connection to the virtual appliance by using the following settings.

      Setting      Value
      SSH Server   vra01svr01a.rainpole.local
      User name    root
      Password     vra_applianceA_root_password

   b. Open the /var/lib/loginsight-agent/liagent.ini file in a text editor.
   c. Update the following parameters in the [server] section and save your changes.

      [server]
      hostname=vrli-cluster-01.sfo01.rainpole.local
      proto=cfapi
      port=9000

   d. Repeat the step on the second vRealize Automation appliance vra01svr01b.rainpole.local.
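Editing the [server] section by hand on each appliance is easy to get subtly wrong: the shipped file carries the keys commented out, so a stale ;hostname= line can be left in place next to a newly added one, or the key can end up twice. The following Python example is added here and is not part of the guide or of the agent; it sets exactly the three keys from the table above, rewrites an existing active or commented-out copy in place, drops duplicates, leaves every other section and comment untouched, and reads the section back so the result can be checked. The function names and the liagent.ini sample are constructed for the offline check.

```python
"""Idempotently set the [server] keys in a vRealize Log Insight Linux agent liagent.ini.

Added example (not from the VMware guide or the agent). It changes only the three
keys the procedure names (hostname, proto, port) and keeps every other section,
key and comment as it was.
"""
import os
import re
import tempfile

LIAGENT_INI = "/var/lib/loginsight-agent/liagent.ini"
SERVER_SETTINGS = {  # values from the procedure above
    "hostname": "vrli-cluster-01.sfo01.rainpole.local",
    "proto": "cfapi",
    "port": "9000",
}

_SECTION_RE = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")
# key=value, optionally commented out with ';' or '#' (the shipped file carries ;hostname=LOGINSIGHT).
_KEY_RE = re.compile(r"^\s*(?P<comment>[;#]\s*)?(?P<key>[A-Za-z_][A-Za-z0-9_]*)\s*=\s*(?P<value>.*?)\s*$")


def set_server_settings(text, settings=SERVER_SETTINGS):
    """Return ini text with each key in `settings` set exactly once in [server].

    The first active or commented-out copy of a key is rewritten in place, later
    duplicates are dropped, and keys that are absent are added after the last
    managed key (or right after the section header if none exist).
    """
    lines = text.splitlines()
    start = end = None          # line index range of the [server] body
    first = {}                  # key -> index of its first occurrence inside [server]
    for i, line in enumerate(lines):
        sec = _SECTION_RE.match(line)
        if sec:
            if start is not None and end is None:
                end = i
            if start is None and sec.group("name").strip().lower() == "server":
                start = i + 1
            continue
        if start is not None and end is None:
            m = _KEY_RE.match(line)
            if m and m.group("key") in settings:
                first.setdefault(m.group("key"), i)
    if start is None:
        raise ValueError("liagent.ini has no [server] section")
    if end is None:
        end = len(lines)
    anchor = max(first.values()) if first else start - 1
    out = []
    for i, line in enumerate(lines):
        if start <= i < end:
            m = _KEY_RE.match(line)
            if m and m.group("key") in settings:
                if first[m.group("key")] != i:
                    continue                            # duplicate copy: drop it
                line = f"{m.group('key')}={settings[m.group('key')]}"
        out.append(line)
        if i == anchor:
            out.extend(f"{k}={v}" for k, v in settings.items() if k not in first)
    return "\n".join(out) + "\n"


def read_server_settings(text):
    """Return the active (uncommented) key=value pairs of the [server] section."""
    result, in_server = {}, False
    for line in text.splitlines():
        sec = _SECTION_RE.match(line)
        if sec:
            in_server = sec.group("name").strip().lower() == "server"
            continue
        m = _KEY_RE.match(line) if in_server else None
        if m and not m.group("comment"):
            result[m.group("key")] = m.group("value")
    return result


def update_liagent_ini(path=LIAGENT_INI, settings=SERVER_SETTINGS):
    """Rewrite the file atomically (temp file + rename); return the resulting [server] settings."""
    with open(path, encoding="utf-8") as fh:
        new_text = set_server_settings(fh.read(), settings)
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", prefix=".liagent.")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(new_text)
    os.chmod(tmp, os.stat(path).st_mode & 0o777)       # keep the original permissions
    os.replace(tmp, path)
    return read_server_settings(new_text)


# Constructed sample resembling a shipped liagent.ini; not the real file.
SAMPLE_INI = """[server]
; Log Insight server hostname or ip address
;hostname=LOGINSIGHT
; Protocol used to send events, cfapi or syslog
;proto=cfapi
; Port number
;port=9000
; Reconnect interval in minutes
reconnect=30

[logging]
debug_level=0
"""

if __name__ == "__main__":
    # On the appliance: update_liagent_ini(), then restart the agent so it reconnects.
    print(read_server_settings(set_server_settings(SAMPLE_INI)))
```

Run update_liagent_ini() as root on each appliance and restart the agent afterwards so it reconnects with the new settings; the dictionary it returns should contain the three values from the table, which is the same check the Linux Agent Group filter in the next step relies on.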
2. Configure the Linux Agent Group on the Log Insight server.
   a. Open a Web browser and go to https://vrli-cluster-01.sfo01.rainpole.local.
   b. Log in using the following credentials.

      Setting     Value
      User name   admin
      Password    vrli_admin_password

   c. Click the Configuration drop-down menu icon and select Administration.
   d. Under Management, click Agents.
   e. From the drop-down menu at the top, select vRealize Automation 7 - Linux from the Available
      Templates section.
   f. Click Copy Template.
   g. In the Copy Agent Group dialog box, enter vRA7 - Linux Agent Group in the name field
      and click Copy.
   h. In the agent filter fields, use the following selections.

      Filter     Operator   Values (use ENTER to separate each value)
      Hostname   matches    vra01svr01a.rainpole.local
                            vra01svr01b.rainpole.local

   i. Click Refresh and verify that all the agents listed in the filter appear in the Agents list.
   j. Click Save New Group at the bottom of the page.
   k. Click the Dashboard tab and select the VMware - vRA 7 dashboard from the drop-down menu
      on the left.
All VMware - vRA 7 dashboards become available on the vRealize Log Insight Home page.


4.8.4 Configure vRealize Orchestrator to Forward Log Events to vRealize Log Insight in Region A
You can configure each vRealize Orchestrator appliance to forward syslog log events to the vRealize
Log Insight instance. All syslog information can then be viewed and analyzed from the vRealize Log
Insight web interface. In Region A, you configure the following vRealize Orchestrator instances.

   Host     Control Center URL
   Host A   https://vra01vro01b.rainpole.local:8283/vco-controlcenter
   Host B   https://vra01vro01a.rainpole.local:8283/vco-controlcenter

Procedure
1. Log in to the vRealize Orchestrator Control Center.
   a. Open a Web browser and go to https://vra01vro01a.rainpole.local:8283/vco-controlcenter.
   b. Log in using the following credentials.

      Setting     Value
      User name   root
      Password    hostA_root_password

2. From the Home page, under Log, click Logging Integration.
3. On the Logging Integration page, specify the following settings and click Save.

   Setting                                  Value
   Enable logging to a remote log server    Selected
   Use Log4j Syslog Appender (Deprecated)   Selected
   Host                                     vrli-cluster-01.sfo01.rainpole.local
   Port                                     514
   Facility                                 LOCAL0
   Threshold                                INFO
   Network Protocol                         TCP

4. Repeat the procedure for the second vRealize Orchestrator appliance vra01vro01b.rainpole.local.
5. Verify that the vRealize Log Insight server is receiving the log events forwarded from the vRealize
   Orchestrator appliances.
   a. Open a Web browser and go to https://vrli-cluster-01.sfo01.rainpole.local.
   b. Log in using the following credentials.

      Setting     Value
      User name   admin
      Password    vrli_admin_password

   c. In the vRealize Log Insight user interface, select VMware - Orchestrator from the Content
      Pack Dashboards drop-down menu.
   d. Verify that the Server nodes grouped by hostname dashboard shows the vRealize
      Orchestrator hosts.
The Server nodes grouped by hostname dashboard becomes available immediately. Other dashboards
are populated as they receive their respective events.


4.9 Configure Log Retention and Archiving in Region A
The vRealize Log Insight Design document recommends setting log retention to one week and
archiving on storage that is sized for 90 days.
Prerequisites
• Create an NFS share of 1 TB in Region A and export it as /V2D_vRLI_MgmtA_1TB.
• Verify that the NFS server supports NFS v3.
• Verify that the NFS partition allows read and write operations for guest accounts.
• Verify that the mount does not require authentication.
• Verify that the NFS share is directly accessible to vRealize Log Insight.
• If using a Windows NFS server, allow unmapped user Unix access (by UID/GID).
Procedure
1. Log in to the vRealize Log Insight user interface.
   a. Open a Web browser and go to https://vrli-cluster-01.sfo01.rainpole.local.
   b. Log in using the following credentials.

      Setting     Value
      User name   admin
      Password    vrli_admin_password

2. In the vRealize Log Insight UI, click the configuration drop-down menu icon and
   select Administration.
3. Configure the retention threshold notification.
   Log Insight continually estimates how long data can be retained with the currently available pool
   of storage. If the estimate drops below the retention threshold of one week, Log Insight
   immediately notifies the administrator that the amount of searchable log data is likely to drop.
   a. Under Configuration, click General.
   b. On the General Configuration page, under the Alerts section, select the Send a notification
      when capacity drops below check box next to the Retention Notification Threshold
      setting, and enter a 1-week period in the text box underneath.
   c. Click Save.
4. Configure data archiving.
   a. Under Configuration, click Archiving.
   b. Select the Enable Data Archiving check box.
   c. In the Archive Location text box, enter the path to the NFS partition where logs will be
      archived, in the form nfs://nfs-server-address/V2D_vRLI_MgmtA_1TB.
   d. Click Test next to the Archive Location text box to verify that the share is accessible.
   e. Click Save.


5. Region A Cloud Management Platform Implementation
The Cloud Management Platform (CMP) is a set of integrated products that provide for the management
of public, private and hybrid cloud environments. VMware's CMP consists of vRealize Automation,
vRealize Orchestrator, and vRealize Business. vRealize Automation incorporates virtual machine
provisioning and a self-service portal. vRealize Business enables billing and chargeback functions.
vRealize Orchestrator provides workflow optimization. The following procedures describe the validated
flow of installation and configuration for the first site in the enterprise.
• Prerequisites for Cloud Management Platform Implementation in Region A
• Configure Service Account Privileges in Region A
• vRealize Automation Installation in Region A
• vRealize Automation Default Tenant Configuration in Region A
• vRealize Automation Tenant Creation in Region A
• vRealize Orchestrator Installation in Region A
• vRealize Business Installation in Region A
• Cloud Management Platform Post-Installation Tasks
• Content Library Configuration
• Tenant Content Creation

5.1 Prerequisites for Cloud Management Platform Implementation in Region A
Verify that the following configurations are established prior to beginning the CMP procedures.
• DNS Entries and IP Address Mappings in Region A
• Generate Certificates for the Cloud Management Platform in Region A
• SQL Server Configuration for the Cloud Management Platform in Region A

5.1.1 DNS Entries and IP Address Mappings in Region A
Before you deploy vRealize Automation, verify that your environment satisfies the requirements for
this deployment.
IP Addresses and Host Names
Verify that the static IP addresses and FQDNs listed in the table below are available on the vRealize
Automation application virtual network for the first region of the SDDC deployment.
Table 10. IP Addresses and Host Names for vRealize Automation in Region A

   Role                                        IP Address      FQDN
   vRealize Automation Server Appliances       192.168.11.51   vra01svr01a.rainpole.local
                                               192.168.11.52   vra01svr01b.rainpole.local
   vRealize Automation Server VIP              192.168.11.53   vra01svr01.rainpole.local
   vRealize Automation for IWS                 192.168.11.54   vra01iws01a.rainpole.local
                                               192.168.11.55   vra01iws01b.rainpole.local
   vRealize Automation IWS VIP                 192.168.11.56   vra01iws01.rainpole.local
   vRealize Automation Model Manager IMS       192.168.11.57   vra01ims01a.rainpole.local
                                               192.168.11.58   vra01ims01b.rainpole.local
   vRealize Automation IMS VIP                 192.168.11.59   vra01ims01.rainpole.local
   vRealize DEM Workers                        192.168.11.60   vra01dem01.rainpole.local
                                               192.168.11.61   vra01dem02.rainpole.local
   MS SQL Server for vRealize Automation       192.168.11.62   vra01mssql01.rainpole.local
   vRealize Orchestrator                       192.168.11.63   vra01vro01a.rainpole.local
                                               192.168.11.64   vra01vro01b.rainpole.local
   vRealize Orchestrator VIP                   192.168.11.65   vrb01svr01.rainpole.local
   vRealize Business for vRealize Automation   192.168.11.66   vra01bus01.rainpole.local

Table 11. IP Addresses and Host Names for the vRA Proxy Agents and vRB Data Collector in Region A

   Role                               IP Address      FQDN
   vRealize Automation Proxy Agent    192.168.31.52   vra01ias01.sfo01.rainpole.local
                                      192.168.31.53   vra01ias02.sfo01.rainpole.local
   vRealize Business Data Collector   192.168.31.54   vra01buc01.sfo01.rainpole.local
   Default gateway                    192.168.31.1
   DNS server                         172.16.11.5
   Subnet mask                        255.255.255.0
   NTP                                172.16.11.251   ntp.sfo01.rainpole.local
                                      172.16.11.252
                                      172.17.11.251   ntp.lax01.rainpole.local
                                      172.17.11.252

Deployment Prerequisites
Verify that your environment satisfies the following prerequisites to deploy vRealize Automation.

   Prerequisite            Value
   Storage                 • Virtual disk provisioning
                           • Required storage per node
   Operating system        Windows 2012 R2 Standard
   Database                Microsoft SQL Server 2012 Standard
   Installation package    Download the vRealize Automation virtual appliance .ova file.
                           Download the vRealize Orchestrator virtual appliance .ova file.
                           Download the vRealize Business virtual appliance .ova file.
   License                 Verify that you have obtained a license that covers the use of vRealize
                           Automation.
   Active Directory        Verify that you have a parent Active Directory with the SDDC user roles
                           configured for the rainpole.local domain.
                           Verify the existence of the svc-vra user in the rainpole.local domain.
                           Verify the existence of the svc-vro user in the rainpole.local domain.
   Certificate authority   Configure the root Active Directory domain controller as a certificate
                           authority for the environment.

5.1.2 Generate Certificates for the Cloud Management Platform in Region A
vRealize Automation, vRealize Orchestrator and vRealize Business use SSL certificates for secure
communication.
Before you run the vRealize Automation deployment wizard, you must generate certificates and place
them in a directory accessible from the deployment wizard.
• You need three folders with certificate and key files, one for each product: vRealize Automation,
  vRealize Orchestrator and vRealize Business.
• You repeat the certificate generation process three times, once for each product: vRealize
  Automation, vRealize Orchestrator and vRealize Business.
Prerequisites
• Verify that you have access to a machine that runs Linux or Mac OS X where you perform the
  procedure.
• Verify that JDK 1.6 or later is installed on that machine. keytool, the key and certificate
  management utility that is required for generating certificates, is included with the JDK.

Procedure
1. Prepare the vRealize Certificate Generation Tool.
   a. Log in to the machine that you set up for certificate generation.
   b. Download the vRealize Certificate Generation Tool.
      For information on how to download and use the vRealize Certificate Generation Tool, see
      http://kb.vmware.com/kb/2107816.
   c. Extract the downloaded vRealize Certificate Generation Tool .zip file.
   d. Copy the certgen.sh file and place it in the /tmp directory.
   e. Make certgen.sh executable by running the following command.

      chmod u+x certgen.sh

2. Run the vRealize Certificate Generation Tool.
   a. Run the certgen.sh script.

      ./certgen.sh

   b. Enter the following values when prompted.

      Prompt                      Value
      Enter Organization          Rainpole
      Enter Organizational Unit   Engineering
      Enter Locality/Town         San Francisco
      Enter State/Country         CA
      Enter Country Code          US

   c. Enter all of the host names for the solution for which you are generating certificates.

      Product                 Host Names for CSR Generation
      vRealize Automation     vra01svr01.rainpole.local
                              vra01svr01a.rainpole.local
                              vra01svr01b.rainpole.local
                              vra01iws01.rainpole.local
                              vra01iws01a.rainpole.local
                              vra01iws01b.rainpole.local
                              vra01ims01.rainpole.local
                              vra01ims01a.rainpole.local
                              vra01ims01b.rainpole.local
      vRealize Orchestrator   vra01vro01.rainpole.local
                              vra01vro01a.rainpole.local
                              vra01vro01b.rainpole.local
      vRealize Business       vra01bus01.rainpole.local

   d. When prompted to Enter domain name, enter rainpole.local.
      The vRealize Certificate Generation Tool generates a vrealize.csr file.
3. Submit the vrealize.csr file to the Windows domain controller CA, and request a signed
   certificate.
   a. Log in to the Windows host that has access to the AD-CA server as an administrator.
   b. By using FileZilla or WinSCP, copy the vrealize.csr file from the virtual appliance that you
      use for certificate generation to the local Downloads directory.
   c. Open the vrealize.csr file, and copy the text that begins with -----BEGIN CERTIFICATE
      REQUEST----- to -----END CERTIFICATE REQUEST----- inclusive.


   d. Open a Web browser and go to http://dc01rpl.rainpole.local/certsrv/certrqxt.asp and log in
      using the following credentials.

      Setting     Value
      User name   [email protected]
      Password    domain_admin_password

   e. Paste the request in the Saved Request text box, select VMware from the Certificate
      Template drop-down menu, and click Submit.
   f. On the Certificate Issued page, select the Base 64 encoded radio button, and click
      Download certificate chain.
      If the Save As dialog box does not appear, the signed certificate is saved as certnew.p7b
      in your computer's Downloads folder.
4. Export the certificates from the certnew.p7b file to Root64.cer and vrealize.crt.
   a. Double-click the Downloads\certnew.p7b file to open it in certmgr.


   b. Right-click the root certificate rainpole-DC01RPL-CA and select All Tasks > Export.
      The Certificate Export Wizard appears.
   c. On the Welcome page of the Certificate Export Wizard, click Next.
   d. On the Export File Format page, select the Base-64 encoded X.509 (.CER) radio button and
      click Next.
   e. On the File to Export page, enter Root64.cer in the File name text box and click Next.
   f. Repeat the export process to export the VMware vRealize certificate to the Downloads
      directory as vrealize.cer.
   g. Rename the vrealize.cer file to vrealize.crt.
   h. By using FileZilla or WinSCP, copy the following certificate files from the Downloads directory
      to the certgen.sh folder on the virtual appliance that you use for certificate generation.

      vrealize.crt
      Root64.cer

5. On the virtual appliance that you use for certificate generation, run certgen.sh again, and
   enter a password when prompted.
   You use that password later when you import the certificate in the virtual appliance.

   ./certgen.sh

6. Make a copy of the directory containing the certificate and key files, and rename the directory to
   reflect the individual product as instructed in the following table.

   Product                         Folder
   vRealize Automation appliance   vra
   vRealize Orchestrator           vro
   vRealize Business               vrb

7. Remove all files from the /tmp directory, except the certgen.sh file.
8. Repeat the procedure to generate certificate files for the remaining products.
When finished, you must have the following folders and files.

   Product                 Certificate Files       VM Names      Used for
   vRealize Automation     vra\vrealize-full.pem   vra01svr01    vRA Virtual Appliance SSL
                           vra\vrealize.key        vra01svr01a
                                                   vra01svr01b
                                                   vra01iws01
                                                   vra01iws01a
                                                   vra01iws01b
                                                   vra01ims01a
                                                   vra01ims01b
                                                   vra01ims01
   vRealize Orchestrator   vro\vrealize-full.pem   vra01vro01    vRO Virtual Appliance SSL
                           vro\vrealize.key        vra01vro01a
                                                   vra01vro01b
   vRealize Business       vrb\vrealize.key        vra01bus01    vRealize Business SSL
                           vrb\vrealize-full.pem


5.1.3 SQL Server Configuration for the Cloud Management Platform in Region A
• Microsoft SQL Server Recommendations in Region A
• Assign the SQL Server System Role to vRealize Automation in Region A
• Create a SQL Server Database for vRealize Orchestrator in Region A
• Configure Network Access for Distributed Transaction Coordinator in Region A
• Disable Windows Firewall for vRealize Automation in Region A

5.1.3.1. Microsoft SQL Server Recommendations in Region A
vRealize Automation, vRealize Orchestrator, and other VMware components use Microsoft SQL
Server as a database to store information. While the specific configuration of SQL Server for use in
your environment is not addressed in this implementation guide, high-level guidance is provided to
ensure more reliable operation of your VMware components.
• Microsoft SQL Server should be configured with separate operating-system-level volumes (drive
  letters) for each of the following items. Separating these items into their own logical volumes
  (drive letters) helps prevent database corruption should a single volume reach capacity.
  o Operating System
  o Database Application
  o SQL User Database Data Files
  o SQL User Database Log Files
  o SQL TempDB
  o SQL Backup Files
• The SQL Server virtual machine (vra01mssql01.rainpole.local) should be configured with 8 vCPUs
  and 16 GB vRAM to provide optimal performance for VMware vRealize databases.
For further guidance on the deployment and operation of a production installation of Microsoft SQL
Server, see the Microsoft SQL Server documentation, or consult with a qualified Microsoft SQL Server
database administrator.

5.1.3.2. Assign the SQL Server System Role to vRealize Automation in Region A
Assign the SQL Server system role sysadmin to the vRealize Automation service account. vRealize
Automation uses this server role to create and execute scripts on the SQL Server database. By
default, only members of the sysadmin server role, or of the db_owner or db_ddladmin database
roles, can create objects in a database. Note that sysadmin grants unrestricted control of the whole
SQL Server instance, so protect the svc-vra credentials as you would any instance administrator
credentials.
Procedure
Log in to VRA01MSSQL01.rainpole.local by using a Remote Desktop Protocol (RDP) client.
a. Open an RDP connection to the virtual machine VRA01MSSQL01.rainpole.local.
b. Log in using the following credentials.

Setting Value

User name Windows administrator user

Password windows_administrator_password

From the Start menu, click All Programs, click Microsoft SQL Server, and click SQL Server
Management Studio.

Note If SQL Server Management Studio doesn't appear in your All Programs menu, you may not
have successfully installed SQL Server Management Studio. Verify that you have
successfully installed SQL Server Management Studio, and then continue with this procedure.

In the Connect to Server dialog box, leave the default value of the Server Name text box,
select Windows Authentication from the Authentication drop-down menu, and click Connect.

Note During the SQL Server installation, the Database Engine configuration wizard prompts you to
provide the user name and password for the SQL Server administrator (rainpole\svc-vra). If this
user was not added during the SQL Server installation, select SQL Authentication from the
Authentication drop-down menu, enter the user name sa in the User name text box and the
password sa_password in the Password text box.

In Object Explorer, expand the folder for the server instance VRA01MSSQL01.
Right-click the Security folder, select New, and then select Login.
The Login Properties dialog box opens.
On the General page of the Login Properties dialog box, type rainpole\svc-vra in the Login name
text box.
Select the Server Roles page.
In the Server roles list, select the sysadmin check box, and click OK.


5.1.3.3. Create a SQL Server Database for vRealize Orchestrator in Region A


vRealize Orchestrator requires a database for storing data related to workflows and actions. You must
create an empty database specifically for use by vRealize Orchestrator. For general information on
creating a database, see the Microsoft SQL Server documentation.
Procedure
Log in to VRA01MSSQL01.rainpole.local by using a Remote Desktop Protocol (RDP) client.
a. Open an RDP connection to the virtual machine VRA01MSSQL01.rainpole.local.
b. Log in using the following credentials.

Setting Value

User name Windows administrator user

Password windows_administrator_password

From the Start menu, click All Programs, click Microsoft SQL Server, and click SQL Server
Management Studio.

Note If SQL Server Management Studio doesn't appear in your All Programs menu, you may not
have successfully installed SQL Server Management Studio. Verify that you have
successfully installed SQL Server Management Studio, and then continue with this procedure.

In the Connect to Server dialog box, leave the default value of the Server Name text box,
select Windows Authentication from the Authentication drop-down menu, and click Connect.

Note During the SQL Server installation, the Database Engine configuration wizard prompts you to
provide the user name and password for the SQL Server administrator (rainpole\svc-vra). If this
user was not added during the SQL Server installation, select SQL Authentication from the
Authentication drop-down menu, enter the user name sa in the User name text box and the
password sa_password in the Password text box.

In Object Explorer, expand the folder for the server instance VRA01MSSQL01.
Right-click the Databases folder, and click New Database.
The New Database dialog box displays.

On the General page of the New Database dialog box, enter VRODB-01 in the Database name
text box.


Select the Options page, specify the following values, and click OK.
a. Select Simple from the Recovery model drop-down menu.
b. In the Miscellaneous section, set the settings listed in the table below to True.

Setting Value

Allow Snapshot Isolation True

Is Read Committed Snapshot On True

In Object Explorer, expand the VRODB-01 database.
Expand the Security folder, right-click the Users folder, and select New User.
The Database User - New window displays.
On the General page, specify the vRealize Orchestrator service account.

Setting Value

User type SQL user with login

User name rainpole\svc-vro

Login name rainpole\svc-vro

Select the Membership page.
In the Database role membership list, select the db_owner check box, and click OK.
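The following PowerShell and T-SQL script is an added example; it is not part of the original guide or of the vRealize installer. It performs the two preceding procedures (5.1.3.2 and 5.1.3.3) without SQL Server Management Studio: it creates the Windows login for rainpole\svc-vra and adds it to the sysadmin role, creates VRODB-01 with the recovery model and snapshot options from the table, maps rainpole\svc-vro into that database as db_owner, and then reads the result back. It assumes the SqlServer PowerShell module (Invoke-Sqlcmd; SQLPS on older installations) on VRA01MSSQL01, a default instance running SQL Server 2012 or later (ALTER SERVER ROLE and ALTER ROLE syntax), and that you run it as a Windows account that is already sysadmin on the instance.

```powershell
# Added example, not from the guide. Assumes the SqlServer module (Invoke-Sqlcmd)
# on VRA01MSSQL01 and a caller who is already sysadmin on the default instance.
Import-Module SqlServer
$Instance = 'VRA01MSSQL01'    # default instance, Windows authentication

# 5.1.3.2: Windows login for the vRA service account, added to sysadmin.
# sysadmin is unrestricted on the whole instance; the vRA installer needs it,
# so treat the svc-vra credentials as instance administrator credentials.
$SysadminSql = @'
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'rainpole\svc-vra')
    CREATE LOGIN [rainpole\svc-vra] FROM WINDOWS;
ALTER SERVER ROLE [sysadmin] ADD MEMBER [rainpole\svc-vra];
'@
Invoke-Sqlcmd -ServerInstance $Instance -Database master -Query $SysadminSql

# 5.1.3.3: empty vRealize Orchestrator database with the options from the table.
# READ_COMMITTED_SNAPSHOT needs exclusive access, hence WITH ROLLBACK IMMEDIATE;
# on a brand-new database nothing else is connected, so nothing is rolled back.
$VroDbSql = @'
IF DB_ID(N'VRODB-01') IS NULL
    CREATE DATABASE [VRODB-01];
ALTER DATABASE [VRODB-01] SET RECOVERY SIMPLE;
ALTER DATABASE [VRODB-01] SET ALLOW_SNAPSHOT_ISOLATION ON;
ALTER DATABASE [VRODB-01] SET READ_COMMITTED_SNAPSHOT ON WITH ROLLBACK IMMEDIATE;
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'rainpole\svc-vro')
    CREATE LOGIN [rainpole\svc-vro] FROM WINDOWS;
'@
Invoke-Sqlcmd -ServerInstance $Instance -Database master -Query $VroDbSql

# Database user for svc-vro: db_owner of VRODB-01 only, no server-level role.
$VroUserSql = @'
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'rainpole\svc-vro')
    CREATE USER [rainpole\svc-vro] FOR LOGIN [rainpole\svc-vro];
ALTER ROLE [db_owner] ADD MEMBER [rainpole\svc-vro];
'@
Invoke-Sqlcmd -ServerInstance $Instance -Database 'VRODB-01' -Query $VroUserSql

# Check 1: which svc-* logins hold server roles. Expect exactly one row:
# sysadmin / rainpole\svc-vra. svc-vro must not appear here at all.
$ServerRolesSql = @'
SELECT r.name AS server_role, m.name AS member
FROM sys.server_role_members rm
JOIN sys.server_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals m ON m.principal_id = rm.member_principal_id
WHERE m.name LIKE N'rainpole\svc-%';
'@
Invoke-Sqlcmd -ServerInstance $Instance -Database master -Query $ServerRolesSql | Format-Table -AutoSize

# Check 2: VRODB-01 options. Expect SIMPLE, ON and 1.
$DbOptionsSql = @'
SELECT name, recovery_model_desc, snapshot_isolation_state_desc, is_read_committed_snapshot_on
FROM sys.databases WHERE name = N'VRODB-01';
'@
Invoke-Sqlcmd -ServerInstance $Instance -Database master -Query $DbOptionsSql | Format-Table -AutoSize

# Check 3: svc-vro is db_owner inside VRODB-01 and nothing more.
$DbRolesSql = @'
SELECT dp.name AS db_role, m.name AS member
FROM sys.database_role_members drm
JOIN sys.database_principals dp ON dp.principal_id = drm.role_principal_id
JOIN sys.database_principals m  ON m.principal_id  = drm.member_principal_id
WHERE m.name = N'rainpole\svc-vro';
'@
Invoke-Sqlcmd -ServerInstance $Instance -Database 'VRODB-01' -Query $DbRolesSql | Format-Table -AutoSize
```

Every statement is guarded or naturally idempotent, so the script can be re-run after a partial failure. The three checks at the end are what a reviewer of this procedure wants to see: the only server role held by a service account is sysadmin for svc-vra, and svc-vro is confined to db_owner on VRODB-01.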

5.1.3.4. Configure Network Access for Distributed Transaction Coordinator in Region A


You configure network access and security between vRealize Automation and your Microsoft SQL
Server database by using Microsoft Distributed Transaction Coordinator (MSDTC). MSDTC coordinates
transactions that update two or more transaction-protected resources, such as databases, message
queues, and file systems. These transaction-protected resources may reside on a single computer or
be distributed across many networked computers.
Procedure
Log in to VRA01MSSQL01.rainpole.local by using a Remote Desktop Protocol (RDP) client.
a. Open an RDP connection to the virtual machine VRA01MSSQL01.rainpole.local.
b. Log in using the following credentials.

Setting Value

User name Windows administrator user

Password windows_administrator_password

From the Windows Start menu, select Run, type comexp.msc in the Open text box, and click OK.
The Component Services manager displays. Component Services lets you manage
Component Object Model (COM+) applications.
In the navigation tree in the left pane, expand Component Services > Computers > My
Computer > Distributed Transaction Coordinator > Local DTC.
Right-click Local DTC and select Properties.
The Local DTC Properties dialog box displays.
Click the Security tab, configure the following values, and click OK.

Setting Value

Network DTC Access Selected

Allow Remote Clients Selected

Allow Remote Administration Deselected

Allow Inbound Selected

Allow Outbound Selected

Mutual Authentication Required Selected

Enable XA Transactions Deselected

Enable SNA LU 6.2 Transactions Selected

Account Leave the default setting

Password Leave blank

Click Yes to restart the MSDTC Service.


Click OK to confirm that the MSDTC Service has successfully restarted.
Close the Component Services manager.


5.1.3.5. Disable Windows Firewall for vRealize Automation in Region A


You can configure Windows Firewall to allow or block specific traffic. This procedure keeps Windows
Firewall enabled and adds inbound rules that allow access to Microsoft Distributed Transaction
Coordinator (MSDTC) and SQL Server, which vRealize Automation requires to function correctly.
Procedure
Log in to VRA01MSSQL01.rainpole.local by using a Remote Desktop Protocol (RDP) client.
a. Open an RDP connection to the virtual machine VRA01MSSQL01.rainpole.local.
b. Log in using the following credentials.

Setting Value

User name Windows administrator user

Password windows_administrator_password

From the Windows Start menu, select Run, type WF.msc in the Open text box, and click OK.
The Windows Firewall with Advanced Security window displays. You use Windows Firewall
with Advanced Security to configure firewall properties for each network profile.
Allow access to Microsoft SQL Server on TCP port 1433.
a. In the navigation pane, expand Windows Firewall with Advanced Security, right-click
Inbound Rules, and click New Rule in the Actions pane.
b. On the Rule Type page, select Port, and click Next.
c. On the Protocol and Ports page, select TCP, select Specific local ports, type the port
number 1433, and click Next.
d. On the Action page, select Allow the connection, and click Next.
e. On the Profile page, select all profiles (Domain, Private, Public), and click Next.
f. On the Name page, type a name and description for this rule, and click Finish.

Note A domain-joined database server normally only ever attaches to the Domain profile, and the
only clients of this rule are the vRealize Automation IaaS servers. If your firewall policy requires it,
you can restrict the rule to the Domain profile and, on the Scope page, to the IP addresses of the
IaaS servers, without affecting the installation.

Allow access to Microsoft Distributed Transaction Coordinator.
a. In the navigation pane, expand Windows Firewall with Advanced Security, right-click
Inbound Rules, and click New Rule in the Actions pane.
b. On the Rule Type page, select Predefined, select Distributed Transaction
Coordinator, and click Next.
c. On the Predefined Rules page, select all rules: Distributed Transaction
Coordinator (RPC-EPMAP), Distributed Transaction Coordinator (RPC), and Distributed
Transaction Coordinator (TCP-In). Click Next.
d. On the Action page, select Allow the connection, and click Finish.
Close the Windows Firewall with Advanced Security window.
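The following script is an added example, not part of the original guide. It applies the two preceding procedures (5.1.3.4 and 5.1.3.5) from an elevated PowerShell session on VRA01MSSQL01 instead of the Component Services and Windows Firewall consoles, and then shows what is actually in force. It assumes Windows Server 2012 or later (the MsDtc and NetSecurity modules ship with the operating system) and that the vRealize Automation IaaS servers sit in 192.168.11.0/24, the range the load balancer pool members use later in this chapter; that prefix is an assumption to adjust to your design. It deliberately deviates from the console procedure in one respect: the rules are scoped to the Domain profile and to that source prefix rather than to all profiles and any source.

```powershell
# Added example, not from the guide. Run elevated on VRA01MSSQL01 (Windows Server
# 2012 or later; the MsDtc and NetSecurity modules ship with the OS).
#
# Assumption: the vRA IaaS servers sit in 192.168.11.0/24 (the range the pool
# members use later in this chapter). The console procedure creates any-source
# rules on all three profiles; the rules below allow the same ports, but only
# from that prefix and only on the Domain profile.
$IaasPrefix = '192.168.11.0/24'

# --- 5.1.3.4: Local DTC > Security tab, value for value -------------------------
$DtcSettings = @{
    DtcName                           = 'Local'
    RemoteClientAccessEnabled         = $true     # Allow Remote Clients
    RemoteAdministrationAccessEnabled = $false    # Allow Remote Administration
    InboundTransactionsEnabled        = $true     # Allow Inbound
    OutboundTransactionsEnabled       = $true     # Allow Outbound
    AuthenticationLevel               = 'Mutual'  # Mutual Authentication Required
    XATransactionsEnabled             = $false    # Enable XA Transactions
    LUTransactionsEnabled             = $true     # Enable SNA LU 6.2 Transactions
}
Set-DtcNetworkSetting @DtcSettings -Confirm:$false
Restart-Service -Name MSDTC     # the console restarts the service for you; do it explicitly here

# --- 5.1.3.5: inbound allow rules; the firewall itself stays enabled ---------------
$SqlRule = 'SQL Server (TCP 1433) from vRA IaaS'
if (-not (Get-NetFirewallRule -DisplayName $SqlRule -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $SqlRule `
        -Description 'vRealize Automation IaaS servers to the SQL Server database engine' `
        -Direction Inbound -Protocol TCP -LocalPort 1433 `
        -RemoteAddress $IaasPrefix -Profile Domain -Action Allow | Out-Null
}
# Predefined MSDTC rules (RPC-EPMAP, RPC, TCP-In). The RPC rule admits the dynamic
# RPC port range, which is why limiting the remote address matters. Drop the
# Set-NetFirewallRule line if other hosts must also reach MSDTC on this server.
$DtcRules = Get-NetFirewallRule -DisplayGroup 'Distributed Transaction Coordinator' -Direction Inbound
$DtcRules | Enable-NetFirewallRule
$DtcRules | Set-NetFirewallRule -RemoteAddress $IaasPrefix -Profile Domain

# --- Verification: what is actually in force ------------------------------------
Get-DtcNetworkSetting -DtcName 'Local' |
    Select-Object RemoteClientAccessEnabled, RemoteAdministrationAccessEnabled,
                  InboundTransactionsEnabled, OutboundTransactionsEnabled,
                  AuthenticationLevel, XATransactionsEnabled, LUTransactionsEnabled |
    Format-List
Get-NetFirewallRule -Direction Inbound -Enabled True |
    Where-Object { $_.DisplayName -eq $SqlRule -or $_.DisplayGroup -eq 'Distributed Transaction Coordinator' } |
    ForEach-Object {
        $Port = $_ | Get-NetFirewallPortFilter
        $Addr = $_ | Get-NetFirewallAddressFilter
        '{0,-50} {1,-4} {2,-10} from {3}' -f $_.DisplayName, $Port.Protocol,
            ($Port.LocalPort -join ','), ($Addr.RemoteAddress -join ',')
    }
# From an IaaS node, confirm reachability. Port 135 only proves the RPC endpoint
# mapper answers; the MSDTC port itself is negotiated through it afterwards.
#   Test-NetConnection -ComputerName vra01mssql01.rainpole.local -Port 1433
#   Test-NetConnection -ComputerName vra01mssql01.rainpole.local -Port 135
```

The verification output should list Mutual as the authentication level with remote administration disabled, the SQL rule on TCP 1433, and the three Distributed Transaction Coordinator rules, all with the IaaS prefix as their remote address. If an IaaS installation later fails on a distributed transaction, the Test-NetConnection lines run from the failing IaaS node are the first thing to check.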

5.2 Configure Service Account Privileges in Region A


So that vRealize Automation can provision virtual machines and logical networks, configure privileges
for the service account [email protected] on both the Compute vCenter Server and the
Compute Cluster NSX instance.

- Configure Service Account Privileges on the Compute vCenter Server in Region A
- Configure Service Account Privilege on the Compute Cluster NSX Instance in Region A

5.2.1 Configure Service Account Privileges in the Compute vCenter Server in Region A
Configure Administrator privileges for the svc-vra and svc-vro users on the Compute vCenter Server
in Region A.
If you add more Compute vCenter Server instances in the future, perform this procedure on those
instances as well.
Procedure
Log in to vCenter Server using the vSphere Web Client.
a. Open a Web browser and go to
https://comp01vc01.sfo01.rainpole.local/vsphere-client.
b. Log in using the following credentials.

Setting Value

User name [email protected]

Password vsphere_admin_password

In the Navigator pane, select vCenter Inventory Lists > vCenter Servers.
Right-click the comp01vc01.sfo01.rainpole.local instance and select Add Permissions.
In the Add Permission dialog box, click the Add button.
The Select Users/Groups dialog box appears.


Select RAINPOLE from the Domain drop-down menu, and in the Show Users First text box
enter svc to filter user and group names.
Select svc-vra and svc-vro from the User/Group list, click the Add button and click OK.

In the Add Permission dialog box, select Administrator from the Assigned Role drop-down
menu and click OK.
The svc-vra and svc-vro users now have the Administrator privilege on the Compute vCenter
Server in Region A.


5.2.2 Configure Service Account Privilege on the Compute Cluster NSX Instance in Region A
Configure Enterprise Administrator privileges for the [email protected] service account.
Procedure
Log in to vCenter Server using the vSphere Web Client.
a. Open a Web browser and go to
https://comp01vc01.sfo01.rainpole.local/vsphere-client.
b. Log in using the following credentials.

Setting Value

User name [email protected]

Password vsphere_admin_password

In the Navigator pane, select Networking & Security > NSX Managers.
Double-click the 172.16.11.66 Compute NSX Manager.
Click Manage, click Users, and click the Add icon.
The Assign Role wizard appears.

On the Identify User page, select the Specify a vCenter User radio button, enter
[email protected] in the User text box, and click Next.


On the Select Roles page, select the Enterprise Administrator radio button, and click Finish.

The rainpole\svc-vra user is now configured as an Enterprise Administrator for the compute
cluster NSX instance, and appears in the lists of users and roles.
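The following PowerCLI script is an added example and is not part of the original guide. It performs both procedures in 5.2 from an administrator workstation: it grants rainpole\svc-vra and rainpole\svc-vro the Administrator role at the root of the Compute vCenter Server with propagation, and then assigns svc-vra the Enterprise Administrator role on the Compute NSX Manager through the NSX Manager REST API. It assumes PowerCLI 6.x, that the NSX Manager certificate (or its issuing CA) has been imported into the workstation's trusted store so that no certificate check is skipped, and that the usermgmt/role API path and the enterprise_admin role name match your NSX for vSphere version; check both against the NSX API guide before running.

```powershell
# Added example, not from the guide. Assumes PowerCLI 6.x and that the NSX Manager
# certificate is already trusted by this workstation (no certificate checks skipped).
Import-Module VMware.VimAutomation.Core

$VcCred  = Get-Credential -Message 'Compute vCenter administrator ([email protected])'
$NsxCred = Get-Credential -Message 'Compute NSX Manager admin'

# --- 5.2.1: Administrator on the vCenter root object, propagated ----------------------
$Vc    = Connect-VIServer -Server 'comp01vc01.sfo01.rainpole.local' -Credential $VcCred
$Root  = Get-Folder -Server $Vc -NoRecursion          # the vCenter root folder
$Admin = Get-VIRole  -Server $Vc -Name 'Admin'         # built-in Administrator role
foreach ($Account in 'RAINPOLE\svc-vra', 'RAINPOLE\svc-vro') {
    $Existing = Get-VIPermission -Server $Vc -Entity $Root -Principal $Account -ErrorAction SilentlyContinue
    if (-not $Existing) {
        New-VIPermission -Server $Vc -Entity $Root -Principal $Account -Role $Admin -Propagate:$true | Out-Null
    }
}
# Verify: both service accounts hold Admin at the root with propagation enabled.
Get-VIPermission -Server $Vc -Entity $Root |
    Where-Object { $_.Principal -like 'RAINPOLE\svc-*' } |
    Select-Object Principal, Role, Propagate
Disconnect-VIServer -Server $Vc -Confirm:$false

# --- 5.2.2: Enterprise Administrator on the Compute NSX Manager -----------------------
$NsxManager = '172.16.11.66'
$Pair    = '{0}:{1}' -f $NsxCred.UserName, $NsxCred.GetNetworkCredential().Password
$Headers = @{
    Authorization = 'Basic ' + [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes($Pair))
    Accept        = 'application/xml'
}
$User = '[email protected]'
# Assumption: role assignment body per the NSX for vSphere 6.2 API guide;
# enterprise_admin is the API name of the "Enterprise Administrator" radio button.
$Body = @'
<accessControlEntry>
  <role>enterprise_admin</role>
  <resource><resourceId>globalroot-0</resourceId></resource>
</accessControlEntry>
'@
Invoke-RestMethod -Method Post -Headers $Headers -ContentType 'application/xml' -Body $Body `
    -Uri "https://$NsxManager/api/2.0/services/usermgmt/role/${User}?isGroup=false" | Out-Null

# Verify: read the assignment back; the role element should say enterprise_admin.
$Role = Invoke-RestMethod -Method Get -Headers $Headers `
    -Uri "https://$NsxManager/api/2.0/services/usermgmt/role/${User}"
$Role.accessControlEntry.role
```

Administrator at the vCenter root is what the guide requires for the provisioning service accounts; the verification step at least makes it visible which principals hold it, which is worth re-running after any later permission changes on the Compute vCenter Server.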

5.3 vRealize Automation Installation in Region A


A vRealize Automation installation includes installing and configuring single sign-on (SSO)
capabilities, the user interface portal, and Infrastructure as a Service (IaaS) components. After
installation you can customize the installation environment and configure one or more tenants, which
sets up access to self-service provisioning and life-cycle management of cloud services. By using the
secure portal Web interface, administrators, developers, or business users can request IT services
and manage specific cloud and IT resources based on their roles and privileges. Users can request
infrastructure, applications, desktops, and IT services through a common service catalog.
- Load Balancing the Cloud Management Platform in Region A
- Deploy the vRealize Automation Appliance in Region A
- Deploy Windows Virtual Machines for vRealize Automation in Region A
- Install the vRealize Automation Environment in Region A

5.3.1 Load Balancing the Cloud Management Platform


You configure load balancing for all services and components related to vRealize Automation and
vRealize Orchestrator by using an NSX Edge load balancer. You must configure the load balancer
before you deploy the vRealize Automation appliance because you need the VIP addresses during
the deployment.
- Add Virtual IP Addresses to the NSX Load Balancer in Region A
- Create Application Profiles in Region A
- Create Service Monitoring in Region A
- Create Server Pools in Region A
- Create Virtual Servers in Region A

5.3.1.1. Add Virtual IP Addresses to the NSX Load Balancer Interface in Region A
As the first step of configuring load balancing, you add virtual IP Addresses to the edge interfaces.
Procedure
Log in to vCenter Server by using the vSphere Web Client.
a. Open a Web browser and go to
https://mgmt01vc01.sfo01.rainpole.local/vsphere-client.
b. Log in using the following credentials.

Setting Value

User name [email protected]

Password vsphere_admin_password

Click Networking & Security.


In the Navigator, click NSX Edges.
From the NSX Manager drop-down menu, select 172.16.11.65 as the NSX Manager and double-
click the SFOMGMT-LB01 NSX Edge to edit its network settings.
Click the Manage tab, click Settings and select Interfaces.
Select the OneArmLB interface and click the Edit icon.


In the Edit NSX Edge Interface dialog box, add the VIP addresses of the vRealize Automation
nodes in the Secondary IP Addresses text box.

Setting Value

Secondary IP Address 192.168.11.53,192.168.11.56,192.168.11.59,192.168.11.65


Click OK to save the configuration.

5.3.1.2. Create Application Profiles in Region A


Create an application profile to define the behavior of a particular type of network traffic. After
configuring a profile, you associate the profile with a virtual server. The virtual server then processes
traffic according to the values specified in the profile. Using profiles enhances your control over
managing network traffic, and makes traffic-management tasks easier and more efficient.
Procedure
Log in to vCenter Server by using the vSphere Web Client.
a. Open a Web browser and go to
https://mgmt01vc01.sfo01.rainpole.local/vsphere-client.
b. Log in using the following credentials.

Setting Value

User name [email protected]

Password vsphere_admin_password

Click Networking & Security.


In the Navigator, click NSX Edges.
From the NSX Manager drop-down menu, select 172.16.11.65 as the NSX Manager and double-
click the SFOMGMT-LB01 NSX Edge to manage its network settings.
Click the Manage tab, click Load Balancer and select Application Profiles.


Click the Add icon and in the New Profile dialog box, enter the following values.

Setting Value

Name vRealize-https

Type HTTPS

Enable SSL Passthrough Selected

Persistence Source IP

Expires in (Seconds) 120


Click OK to save the configuration.

5.3.1.3. Create Service Monitoring in Region A


The service monitor defines health check parameters for the load balancer. You have to create a
service monitor for each component.

Service Monitor Name      Interval  Time Out  Max Retries  Type   Expected  Method  URL                        Receive

vra-svr-443-monitor       3         9         3            HTTPS  204       GET     /vcac/services/api/health

vra-iaas-web-443-monitor  3         9         3            HTTPS            GET     /wapi/api/status/web       REGISTERED

vra-iaas-mgr-443-monitor  3         9         3            HTTPS            GET     /VMPSProvision             ProvisionService

vra-vro-8281-monitor      3         9         3            HTTPS            GET     /vco/api/healthstatus      RUNNING

Procedure
Log in to vCenter Server by using the vSphere Web Client.
a. Open a Web browser and go to
https://mgmt01vc01.sfo01.rainpole.local/vsphere-client.
b. Log in using the following credentials.

Setting Value

User name [email protected]

Password vsphere_admin_password

Click Networking & Security.


In the Navigator, click NSX Edges.
From the NSX Manager drop-down menu, select 172.16.11.65 as the NSX Manager and double-
click the SFOMGMT-LB01 NSX Edge to manage its network settings.
Click the Manage tab, click Load Balancer, and select Service Monitoring.

Click the Add icon and in the New Service Monitor dialog box, enter the following values, and
click OK.

Setting Value

Name vra-svr-443-monitor

Interval 3


Timeout 9

Max Retries 3

Type HTTPS

Expected 204

Method GET

URL /vcac/services/api/health

Repeat the previous step to create the remaining service monitors.


5.3.1.4. Create Server Pools in Region A


A server pool consists of backend server members. After you create a server pool, you associate a
service monitor with the pool to manage and share the backend servers flexibly and efficiently.
The following considerations explain the design of the server pools configuration.
- The configuration uses NONE as the health monitor for all server pools. Until vRealize Automation is
  fully installed and started, a health monitor would mark the pool members as offline. Health monitors
  report the status of pool members correctly only after vRealize Automation is fully installed and
  initialized. Remember to attach the service monitors after the installation: a pool without a monitor
  never detects a failed node and keeps sending traffic to it.
- The configuration disables the second pool member of three vRealize Automation VIPs (vra-svr-443,
  vra-iaas-web-443, vra-iaas-mgr-443). During the installation or a power cycle of vRealize
  Automation, the service inside the second node might not be installed or initialized yet. If the load
  balancer passes a request to the second node during that period, the request fails. If the second
  pool member is not disabled, you can experience random failures during the vRealize Automation
  installation, and service initialization or registration failures during a vRealize Automation power
  cycle.
Perform the procedure multiple times to configure five different server pools.

Pool Name         Algorithm  Monitors  Enable Member  Member Name  IP Address     Port  Monitor Port  Weight

vra-svr-443       IP-HASH    NONE      Yes            vra01svr01a  192.168.11.51  443   443           1
                                       No             vra01svr01b  192.168.11.52  443   443           1

vra-iaas-web-443  IP-HASH    NONE      Yes            vra01iws01a  192.168.11.54  443   443           1
                                       No             vra01iws01b  192.168.11.55  443   443           1

vra-iaas-mgr-443  IP-HASH    NONE      Yes            vra01ims01a  192.168.11.57  443   443           1
                                       No             vra01ims01b  192.168.11.58  443   443           1

vra-vro-8281      IP-HASH    NONE      Yes            vra01vro01a  192.168.11.63  8281  8281          1
                                       No             vra01vro01b  192.168.11.64  8281  8281          1

vra-svr-8444      IP-HASH    NONE      Yes            vra01svr01a  192.168.11.51  8444  443           1
                                       Yes            vra01svr01b  192.168.11.52  8444  443           1

Procedure
Log in to vCenter Server by using the vSphere Web Client.
a. Open a Web browser and go to
https://mgmt01vc01.sfo01.rainpole.local/vsphere-client.
b. Log in using the following credentials.

Setting Value

User name [email protected]

Password vsphere_admin_password

Click Networking & Security.


In the Navigator, click NSX Edges.
From the NSX Manager drop-down menu, select 172.16.11.65 as the NSX Manager and double-
click SFOMGMT-LB01 NSX Edge to manage its network settings.
Click the Manage tab, click Load Balancer, and select Pools.


Click the Add icon and in the New Pool dialog box, enter the following values.

Setting Value

Name vra-svr-443

Algorithm IP-HASH

Monitors NONE

Under Members, click the Add icon to add the first pool member.
In the New Member dialog, specify the following values, and click OK.

Setting Value

Enable Member Selected

Name vra01svr01a

IP Address/VC Container 192.168.11.51

Port 443

Monitor Port 443

Weight 1


Under Members, click the Add icon to add the second pool member.
In the New Member dialog box, enter the following values, click OK and click OK to save the
vRealize Automation server pool.

Setting Value

Enable Member Deselected

Name vra01svr01b

IP Address/VC Container 192.168.11.52

Port 443

Monitor Port 443

Weight 1


Repeat the procedure to create the remaining server pools.

5.3.1.5. Create Virtual Servers in Region A


After load balancing is set up, the NSX load balancer distributes network traffic across multiple
servers. When a virtual server receives a request, it chooses the appropriate pool to send traffic to.
Each pool consists of one or more members.
You create virtual servers for all configured server pools.

Virtual Server Name  Application Profile  IP Address     Protocol  Port  Default Pool      Description

vra-svr-443          vRealize-https       192.168.11.53  HTTPS     443   vra-svr-443       vRealize Automation Appliance UI

vra-iaas-web-443     vRealize-https       192.168.11.56  HTTPS     443   vra-iaas-web-443  vRealize Automation IaaS Web UI

vra-iaas-mgr-443     vRealize-https       192.168.11.59  HTTPS     443   vra-iaas-mgr-443  vRealize Automation IaaS Manager

vra-vro-8281         vRealize-https       192.168.11.65  HTTPS     8281  vra-vro-8281      vRealize Orchestrator

vra-svr-8444         vRealize-https       192.168.11.53  HTTPS     8444  vra-svr-8444      vRealize Automation Remote Console Proxy

Procedure
Log in to vCenter Server by using the vSphere Web Client.
a. Open a Web browser and go to
https://mgmt01vc01.sfo01.rainpole.local/vsphere-client.
b. Log in using the following credentials.

Setting Value

User name [email protected]

Password vsphere_admin_password

Click Networking & Security.
In the Navigator, click NSX Edges.
From the NSX Manager drop-down menu, select 172.16.11.65 as the NSX Manager and double-
click the SFOMGMT-LB01 NSX Edge to manage its network settings.
Click the Manage tab, click Load Balancer, and select Virtual Servers.


Click the Add icon and in the New Virtual Server dialog box, enter the following values, and click
OK.

Setting Value

Enable Virtual server Selected

Application Profile vRealize-https

Name vra-svr-443

Description vRealize Automation Appliance UI

IP Address 192.168.11.53

Protocol HTTPS

Port 443

Default Pool vra-svr-443

Repeat the previous step to create the remaining virtual servers.
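The following script is an added example, not part of the original guide. It creates the application profile, the four service monitors, the five pools and the five virtual servers from the tables in 5.3.1.2 to 5.3.1.5 on SFOMGMT-LB01 through the NSX Manager REST API, so the whole load balancer configuration can be applied and reviewed in one place instead of one dialog box at a time. It assumes the secondary VIP addresses from 5.3.1.1 are already on the OneArmLB interface and the load balancer feature is enabled on the edge; the edge ID of SFOMGMT-LB01 (edge-2 below is a placeholder; look it up under GET /api/4.0/edges); an NSX Manager certificate that this workstation already trusts; and XML element names as in the NSX for vSphere 6.2 load balancer API (loadbalancer/config/...), which you should confirm against the API guide for your NSX version.

```powershell
# Added example, not from the guide. Assumptions: edge ID of SFOMGMT-LB01, a trusted
# NSX Manager certificate, and element names per the NSX for vSphere 6.2 LB API.
$NsxManager = '172.16.11.65'
$EdgeId     = 'edge-2'                              # assumption: ID of SFOMGMT-LB01
$Cred       = Get-Credential -Message 'Management NSX Manager admin'
$Pair       = '{0}:{1}' -f $Cred.UserName, $Cred.GetNetworkCredential().Password
$Headers    = @{
    Authorization = 'Basic ' + [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes($Pair))
    Accept        = 'application/xml'
}
$Base = "https://$NsxManager/api/4.0/edges/$EdgeId/loadbalancer/config"
function Send-LbObject([string]$Path, [string]$Xml) {
    Invoke-RestMethod -Method Post -Uri "$Base/$Path" -Headers $Headers -ContentType 'application/xml' -Body $Xml | Out-Null
}

# 5.3.1.2 Application profile: HTTPS with SSL passthrough. TLS is not terminated on
# the edge, so every pool member must itself present the certificate for the VIP name.
$ProfileXml = @'
<applicationProfile><name>vRealize-https</name><template>HTTPS</template>
<sslPassthrough>true</sslPassthrough><insertXForwardedFor>false</insertXForwardedFor>
<persistence><method>sourceip</method><expire>120</expire></persistence></applicationProfile>
'@
Send-LbObject 'applicationprofiles' $ProfileXml

# 5.3.1.3 Service monitors. Created now, attached to the pools only after vRealize
# Automation is installed and initialized (see the pool considerations in 5.3.1.4).
$Monitors = @(
    @{ Name = 'vra-svr-443-monitor';      Url = '/vcac/services/api/health'; Expected = '204' }
    @{ Name = 'vra-iaas-web-443-monitor'; Url = '/wapi/api/status/web';      Receive  = 'REGISTERED' }
    @{ Name = 'vra-iaas-mgr-443-monitor'; Url = '/VMPSProvision';            Receive  = 'ProvisionService' }
    @{ Name = 'vra-vro-8281-monitor';     Url = '/vco/api/healthstatus';     Receive  = 'RUNNING' }
)
$MonitorXml = '<monitor><name>{0}</name><type>https</type><interval>3</interval><timeout>9</timeout>' +
              '<maxRetries>3</maxRetries><method>GET</method><url>{1}</url>{2}</monitor>'
foreach ($m in $Monitors) {
    $Match = if ($m.Expected) { "<expected>$($m.Expected)</expected>" } else { "<receive>$($m.Receive)</receive>" }
    Send-LbObject 'monitors' ($MonitorXml -f $m.Name, $m.Url, $Match)
}

# 5.3.1.4 Pools: IP-HASH, no monitor yet, second member disabled except for 8444.
function New-MemberXml([string]$Name, [string]$Ip, [int]$Port, [int]$MonitorPort, [bool]$Enabled) {
    $Cond = if ($Enabled) { 'enabled' } else { 'disabled' }
    "<member><name>$Name</name><ipAddress>$Ip</ipAddress><port>$Port</port><monitorPort>$MonitorPort</monitorPort><weight>1</weight><condition>$Cond</condition></member>"
}
$Pools = @(
    @{ Name = 'vra-svr-443';      Port = 443;  MonitorPort = 443;  A = 'vra01svr01a', '192.168.11.51'; B = 'vra01svr01b', '192.168.11.52'; BEnabled = $false }
    @{ Name = 'vra-iaas-web-443'; Port = 443;  MonitorPort = 443;  A = 'vra01iws01a', '192.168.11.54'; B = 'vra01iws01b', '192.168.11.55'; BEnabled = $false }
    @{ Name = 'vra-iaas-mgr-443'; Port = 443;  MonitorPort = 443;  A = 'vra01ims01a', '192.168.11.57'; B = 'vra01ims01b', '192.168.11.58'; BEnabled = $false }
    @{ Name = 'vra-vro-8281';     Port = 8281; MonitorPort = 8281; A = 'vra01vro01a', '192.168.11.63'; B = 'vra01vro01b', '192.168.11.64'; BEnabled = $false }
    @{ Name = 'vra-svr-8444';     Port = 8444; MonitorPort = 443;  A = 'vra01svr01a', '192.168.11.51'; B = 'vra01svr01b', '192.168.11.52'; BEnabled = $true  }
)
foreach ($p in $Pools) {
    $Members = (New-MemberXml $p.A[0] $p.A[1] $p.Port $p.MonitorPort $true) +
               (New-MemberXml $p.B[0] $p.B[1] $p.Port $p.MonitorPort $p.BEnabled)
    Send-LbObject 'pools' "<pool><name>$($p.Name)</name><algorithm>ip-hash</algorithm><transparent>false</transparent>$Members</pool>"
}

# 5.3.1.5 Virtual servers reference the profile and pool by ID, so read the
# configuration back and resolve the IDs by name instead of guessing them.
$Cfg       = Invoke-RestMethod -Method Get -Uri $Base -Headers $Headers
$ProfileId = ($Cfg.loadBalancer.applicationProfile | Where-Object { $_.name -eq 'vRealize-https' }).applicationProfileId
$PoolId    = @{}
foreach ($pool in $Cfg.loadBalancer.pool) { $PoolId[$pool.name] = $pool.poolId }
$VirtualServers = @(
    @('vra-svr-443',      '192.168.11.53', 443,  'vRealize Automation Appliance UI')
    @('vra-iaas-web-443', '192.168.11.56', 443,  'vRealize Automation IaaS Web UI')
    @('vra-iaas-mgr-443', '192.168.11.59', 443,  'vRealize Automation IaaS Manager')
    @('vra-vro-8281',     '192.168.11.65', 8281, 'vRealize Orchestrator')
    @('vra-svr-8444',     '192.168.11.53', 8444, 'vRealize Automation Remote Console Proxy')
)
$VsXml = '<virtualServer><name>{0}</name><description>{3}</description><enabled>true</enabled>' +
         '<ipAddress>{1}</ipAddress><protocol>https</protocol><port>{2}</port>' +
         '<applicationProfileId>{4}</applicationProfileId><defaultPoolId>{5}</defaultPoolId></virtualServer>'
foreach ($v in $VirtualServers) {
    Send-LbObject 'virtualservers' ($VsXml -f $v[0], $v[1], $v[2], $v[3], $ProfileId, $PoolId[$v[0]])
}

# Sanity check: five virtual servers, each bound to the pool of the same name.
(Invoke-RestMethod -Method Get -Uri $Base -Headers $Headers).loadBalancer.virtualServer |
    Select-Object name, ipAddress, port, defaultPoolId
```

Two points this script makes visible that the dialog boxes do not: SSL passthrough means the edge never sees the plaintext, so certificate validation of the vRA nodes happens in the client, and the certificate on each node must match the VIP name, not the node name; and the pools go live with no monitor, so the post-installation step of attaching the monitors (and enabling the second members) is what turns the load balancer into an actual failover mechanism.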

5.3.2 Deploy the vRealize Automation Virtual Appliance in Region A


The vRealize Automation appliance is a preconfigured virtual appliance that contains the vRealize
Automation server.

The server includes the vRealize Automation appliance product console, which provides a single
portal for self-service provisioning and management of cloud services, authoring, administration, and
governance.
During deployment of the virtual appliances, a PostgreSQL appliance database is created
automatically on the first vRealize Automation appliance. A replica database can be installed on a
second vRealize Automation appliance to create a high-availability environment.
Perform this procedure twice to deploy two appliances by using the configuration values for host A for
the first appliance, and the configuration values for host B for the second appliance.

Setting                              Values for Host A                    Values for Host B

Name                                 vra01svr01a.rainpole.local           vra01svr01b.rainpole.local

Select a folder or datacenter        vRA01                                vRA01

Network                              Mgmt-xRegion01-VXLAN (192.168.11.x)  Mgmt-xRegion01-VXLAN (192.168.11.x)

Cluster                              SFO01-Mgmt01                         SFO01-Mgmt01

VM Storage Policy                    Virtual SAN Default Storage Policy   Virtual SAN Default Storage Policy

Datastore                            SFO01A-VSAN01-MGMT01                 SFO01A-VSAN01-MGMT01

Enter password                       vra_appA_root_password               vra_appB_root_password

Enable SSH service in the appliance  Selected                             Selected

Hostname                             vra01svr01a.rainpole.local           vra01svr01b.rainpole.local

Default gateway                      192.168.11.1                         192.168.11.1

Domain Name                          rainpole.local                       rainpole.local

Domain Search Path                   rainpole.local,sfo01.rainpole.local  rainpole.local,sfo01.rainpole.local

DNS                                  172.16.11.5,172.17.11.5              172.16.11.5,172.17.11.5

Network 1 IP Address                 192.168.11.51                        192.168.11.52

Network 1 Netmask                    255.255.255.0                        255.255.255.0

Procedure
Log in to vCenter Server by using the vSphere Web Client.
a. Open a Web browser and go to
https://mgmt01vc01.sfo01.rainpole.local/vsphere-client.
b. Log in using the following credentials.

Setting Value

User name [email protected]

Password vsphere_admin_password

Navigate to the mgmt01vc01.sfo01.rainpole.local vCenter Server object.
Right-click the mgmt01vc01.sfo01.rainpole.local object and select Deploy OVF Template.
On the Select source page, select Local file, browse to the location of the vRealize Automation
Virtual Machine Template file on your file system, and click Next.

On the Review details page, examine the virtual appliance details, such as product, version,
download and disk size, and click Next.
On the Accept License Agreements page, accept the end user license agreements and
click Next.
On the Select name and folder page, type in the following information, and click Next.

Setting Values for Host A

Name vra01svr01a.rainpole.local

Select a folder or datacenter vRA01


On the Select a resource page, select the SFO01-Mgmt01 cluster, and click Next.
On the Select storage page, select the datastore.
a. Select Virtual SAN Default Storage Policy from the VM Storage Policy drop-down menu.
b. From the datastore table, select the SFO01A-VSAN01-MGMT01 Virtual SAN datastore, and click Next.
On the Setup networks page, select the Mgmt-xRegion01-VXLAN network from the Destination
drop-down menu, and click Next.


On the Customize template page, configure the following values and click Next.

Setting Values for Host A

Enter password vra_appA_root_password

Enable SSH service in the appliance Selected

Customer Experience Improvement Program Selected

Hostname vra01svr01a.rainpole.local

Domain Name rainpole.local

Domain Search Path rainpole.local,sfo01.rainpole.local

Default gateway 192.168.11.1

DNS 172.16.11.5,172.17.11.5

Network 1 IP Address 192.168.11.51

Network 1 Netmask 255.255.255.0

On the Ready to complete page, review the configuration settings you specified, leave Power on
after deployment deselected, and click Finish.
Power on the vra01svr01a.rainpole.local virtual machine and wait until it is completely started.
This may take several minutes.
From the Virtual Machine Console, verify that vra01svr01a.rainpole.local uses the
configuration settings you specified.
Repeat the procedure to deploy the second vRealize Automation virtual machine
vra01svr01b.rainpole.local.
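The following script is an added example and is not part of the original guide. It deploys both appliances from the table above with ovftool instead of the Deploy OVF Template wizard, so that host A and host B are guaranteed to receive identical settings except for name, IP address and root password. It assumes ovftool is on the PATH, that the management vCenter Server holds the SFO01-Mgmt01 cluster under a data center named SFO01, and that the OVF property keys used below (varoot-password, va-ssh-enabled and the vami.* keys) are the ones this vRealize Automation build exposes; list the real keys and network names first by probing the OVA with ovftool, as shown in the first comment, and adjust the hashtable if they differ. The OVA file name is a placeholder.

```powershell
# Added example, not from the guide. Deploys both appliances with ovftool (on PATH).
# ovftool verifies the vCenter certificate by default and, on first use, shows the
# th

umbprint for you to accept; do not add --noSSLVerify.
#
# Assumptions: the OVA path, the data center name SFO01, and the OVF property keys
# (varoot-password, va-ssh-enabled, vami.*) for this vRA build. Probe the OVA first;
# it prints the Properties and Networks the template actually defines:
#     ovftool .\VMware-vR-Appliance-7.x.ova
$Ova    = '.\VMware-vR-Appliance-7.x.ova'
$Target = 'vi://administrator%40vsphere.local@mgmt01vc01.sfo01.rainpole.local/SFO01/host/SFO01-Mgmt01'
# No password in $Target: ovftool prompts for it rather than taking it from the command line.

$Common = @{
    'vami.domain.VMware_vRealize_Appliance'     = 'rainpole.local'
    'vami.searchpath.VMware_vRealize_Appliance' = 'rainpole.local,sfo01.rainpole.local'
    'vami.gateway.VMware_vRealize_Appliance'    = '192.168.11.1'
    'vami.DNS.VMware_vRealize_Appliance'        = '172.16.11.5,172.17.11.5'
    'vami.netmask0.VMware_vRealize_Appliance'   = '255.255.255.0'
    'va-ssh-enabled'                            = 'True'   # the guide enables SSH; turn it off again once the installation is done
}
$Appliances = @(
    @{ Name = 'vra01svr01a.rainpole.local'; Ip = '192.168.11.51' }
    @{ Name = 'vra01svr01b.rainpole.local'; Ip = '192.168.11.52' }
)

foreach ($a in $Appliances) {
    # Per-appliance root password. It has to be passed as a --prop argument, which any
    # local user able to list processes can read while ovftool runs: deploy from an
    # administrator workstation, not a shared jump host, and rotate it afterwards.
    $Secure = Read-Host -Prompt "root password for $($a.Name)" -AsSecureString
    $Bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure)
    $RootPw = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($Bstr)
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($Bstr)

    $Props = $Common.Clone()
    $Props['vami.hostname']                      = $a.Name
    $Props['vami.ip0.VMware_vRealize_Appliance'] = $a.Ip
    $Props['varoot-password']                    = $RootPw

    $OvfArgs = @(
        '--acceptAllEulas'
        "--name=$($a.Name)"
        '--vmFolder=vRA01'
        '--datastore=SFO01A-VSAN01-MGMT01'
        '--diskMode=thin'
        '--net:Network 1=Mgmt-xRegion01-VXLAN'
        '--powerOn'
    )
    foreach ($k in $Props.Keys) { $OvfArgs += "--prop:$k=$($Props[$k])" }

    & ovftool @OvfArgs $Ova $Target
    if ($LASTEXITCODE -ne 0) { throw "ovftool failed for $($a.Name) (exit code $LASTEXITCODE)" }
    $RootPw = $null
}

# Once both appliances have booted, each must answer on its management port (5480,
# the appliance management interface) before you continue with the installation.
foreach ($a in $Appliances) {
    Test-NetConnection -ComputerName $a.Name -Port 5480 |
        Select-Object ComputerName, RemotePort, TcpTestSucceeded
}
```

ovftool cannot set a VM storage policy, so apply Virtual SAN Default Storage Policy to both virtual machines afterwards in the vSphere Web Client. The Customer Experience Improvement Program choice from the Customize template page is left at the OVA default here because the guide does not show its property key; add it to $Common once the probe lists it.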


5.3.3 Deployment of Windows Virtual Machines in Region A


vRealize Automation requires several Windows virtual machines to act as IaaS components in a
distributed configuration. These redundant components provide high availability for the vRealize
Automation infrastructure features.
- Create vSphere Image Customization Specifications
- Create Windows Virtual Machines for vRealize Automation
- Install vRealize Automation Management Agent on Windows IaaS VMs

5.3.3.1. Create vSphere Image Customization Specifications


Create vSphere image customization specifications to use with your vRealize Automation IaaS
Servers and Proxy Agent deployments. The customization specification you create customizes the
guest operating systems of the virtual machines that host the vRealize Automation IaaS Web Server
and IaaS Manager Services.
Customization specifications are XML files that contain guest operating system settings for virtual
machines. You create customization specifications with the Guest Customization wizard, and manage
specifications using the Customization Specification Manager. vCenter Server saves the customized
configuration parameters in the vCenter Server database. When you clone a virtual machine or
deploy a virtual machine from a template, you can customize the guest operating system of the virtual
machine to change properties such as the computer name, network settings, and license settings.
When you apply an image customization specification to the guest operating system during virtual
machine cloning or deployment, you prevent conflicts that might result if you deploy virtual machines
with identical settings, such as duplicate computer names.
• Create a Customization Specification File for IaaS Servers
• Create a Customization Specification File for IaaS Proxy Agent Servers

5.3.3.1.1. Create a Customization Specification File for IaaS Servers


Create a vSphere Image Customization template to use with your vRealize Automation IaaS Servers
deployment.
You can supply a custom sysprep answer file as an alternative to specifying many of the settings in
the Guest Customization wizard. The vSphere Image Customization template sysprep answer file
stores a number of customization settings such as computer name, licensing information, and
workgroup or domain settings.
Procedure
Log in to vCenter Server by using the vSphere Web Client.
a. Open a Web browser and go to
https://mgmt01vc01.sfo01.rainpole.local/vsphere-client.
b. Log in using the following credentials.

Setting Value

User name [email protected]

Password vsphere_admin_password

Under Monitoring, click Customization Specification Manager.


Select mgmt01vc01.sfo01.rainpole.local from the vCenter Server drop-down menu.


Click the New icon.


The Guest Customization wizard opens.
On the Specify Properties page, enter the following settings, and click Next.

Setting Value

Target VM Operating System Windows

Use custom SysPrep answer file Deselected

Customization Spec Name vra7-template

On the Set Registration Information page, enter the following settings, and click Next.

Setting Value

Name Rainpole

Organization Rainpole IT

On the Set Computer Name page, select the Enter a name in the Clone/Deploy wizard radio
button, and click Next.
On the Enter Windows License page, enter the following settings, and click Next.
If you are using Microsoft License Server, or have multiple single license keys, leave the Product
Key text box blank.

Setting Value

Product Key volume_license_key

Include Server License Information Selected


Setting Value

Server License Mode Per seat

On the Set Administrator Password page, enter the following settings, and click Next.

Setting Value

Password local_administrator_pwd

Automatically logon as Administrator Selected

Number of times to logon automatically 1

On the Time Zone page, select (GMT) Coordinated Universal Time from the Time Zone drop-
down menu, and click Next.


On the Run Once page, click Next.


On the Configure Network page, select the Manually select custom settings radio button,
select NIC1 from the list of network interfaces in the virtual machine, and click Edit.
The Edit Network Properties dialog box displays.
In the Edit Network dialog box, on the IPv4 page, specify the following settings and click DNS.

Setting Value

Prompt the user for an address when the specification is used Selected

Subnet Mask 255.255.255.0

Default Gateway 192.168.11.1

On the DNS page, provide DNS servers and search suffixes.


a. Specify the following DNS server settings.

Setting Value

Use the following DNS server address Selected

Preferred DNS Server 172.16.11.5

Alternate DNS Server 172.17.11.5

b. Enter rainpole.local in the For all connections with TCP/IP enabled text box and click
the Add button.
c. Enter sfo01.rainpole.local in the For all connections with TCP/IP enabled text box and
click the Add button.


d. Enter lax01.rainpole.local in the For all connections with TCP/IP enabled text box
and click the Add button.
e. Click OK to save settings and close the Edit Network dialog box, and click Next.

On the Set Workgroup or Domain page, enter the following settings, and click Next.

Setting Value

Windows Server Domain rainpole.local

Username [email protected]

Password ad_admin_password


On the Set Operating System options page, select the Generate New Security ID (SID) check
box, and click Next.
On the Ready to Complete page, review the settings you entered, and click Finish.

The customization specification you created is listed in the Customization Specification Manager,
and can be used to customize virtual machine guest operating systems.

5.3.3.1.2. Create a Customization Specification File for IaaS Proxy Agent Servers
Create a vSphere Image Customization template to use with your vRealize Automation IaaS Proxy
Agent deployment.
Procedure
Log in to vCenter Server by using the vSphere Web Client.
a. Open a Web browser and go
to https://mgmt01vc01.sfo01.rainpole.local/vsphere-client.
b. Log in using the following credentials.

Setting Value

User name [email protected]

Password vsphere_admin_password

From the Home page, click Customization Specification Manager.


Select mgmt01vc01.sfo01.rainpole.local from the vCenter Server drop-down menu.
Click the New icon. The New VM Guest Customization Spec wizard opens.
On the Specify Properties page, enter the following settings, and click Next.


Setting Value

Target VM Operating System Windows

Use custom SysPrep answer file Deselected

Customization Spec Name vra7-proxy-agent-template

On the Set Registration Information page, enter the following settings, and click Next.

Setting Value

Name Rainpole

Organization Rainpole IT

On the Set Computer Name page, select the Enter a name in the Clone/Deploy wizard radio
button, and click Next.
On the Enter Windows License page, enter the following settings, and click Next.
If you are using Microsoft License Server, or have multiple single license keys, leave the Product
Key text box blank.

Setting Values

Product Key volume_license_key

Include Server License Information Selected

Server License Mode Per seat


On the Set Administrator Password page, enter the following settings, and click Next.

Setting Value

Password local_administrator_pwd

Automatically logon as Administrator Selected

Number of times to logon automatically 1

On the Time Zone page, select (GMT) Coordinated Universal Time from the Time Zone drop
down menu, and click Next.

On the Run Once page, click Next.


On the Configure Network page, select the Manually select custom settings radio button,
select NIC1 from the list of network interfaces in the virtual machine, and click Edit.
The Network Properties dialog box displays.


In the Edit Network dialog box, on the IPv4 page, specify the following settings and click DNS.

Setting Value

Prompt the user for an address when the specification is used Selected

Subnet Mask 255.255.255.0

Default Gateway 192.168.31.1

On the DNS page, provide DNS servers and search suffixes.


a. Specify the following DNS server settings.

Setting Value


Use the following DNS server address Selected

Preferred DNS Server 172.16.11.5

Alternate DNS Server 172.17.11.5

b. Enter rainpole.local in the For all connections with TCP/IP enabled text box and click
the Add button.
c. Enter sfo01.rainpole.local in the For all connections with TCP/IP enabled text box
and click the Add button.
d. Enter lax01.rainpole.local in the For all connections with TCP/IP enabled text box
and click the Add button.
e. Click OK to save settings and close the Edit Network dialog box, and click Next.

On the Set Workgroup or Domain page, enter credentials that have administrative privileges in
the domain, and click Next.

Setting Value

Windows Server Domain sfo01.rainpole.local

Username [email protected]

Password ad_admin_password


On the Set Operating System options page, select the Generate New Security ID (SID) check
box, and click Next.
On the Ready to Complete page, review the settings that you entered, and click Finish.

The customization specification you created is listed in the Customization Specification Manager,
and can be used to customize virtual machine guest operating systems.
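The two specifications above differ only in their name, default gateway, and the domain the guest joins. The following VMware PowerCLI script is an added example, not part of the VVD guide, that creates both from one function using the values from the two procedures. Assumptions, also marked in the code: PowerCLI cannot reproduce the wizard's Enter a name in the Clone/Deploy wizard option, so the base specifications name the guest after the VM and the clone step has to override that on a per-VM copy; time zone index 085 is assumed to be the sysprep code behind the (GMT) Coordinated Universal Time entry; and the PromptUser IP mode is assumed to accept the mask, gateway, and DNS parameters as the wizard does.

```powershell
# Added example, not part of the VVD guide: build both customization
# specifications from one function with VMware PowerCLI.
Import-Module VMware.VimAutomation.Core

$vc = Connect-VIServer -Server 'mgmt01vc01.sfo01.rainpole.local' `
          -Credential (Get-Credential -UserName '[email protected]' -Message 'vSphere admin')

function New-VraCustomizationSpec {
    param(
        [Parameter(Mandatory)] [string]       $Name,
        [Parameter(Mandatory)] [string]       $DefaultGateway,
        [Parameter(Mandatory)] [string]       $JoinDomain,            # rainpole.local or sfo01.rainpole.local
        [Parameter(Mandatory)] [pscredential] $DomainJoinCredential,  # [email protected]
        [Parameter(Mandatory)] [string]       $LocalAdminPassword,
        [string] $ProductKey                                          # leave empty with a KMS
    )
    $params = @{
        Name           = $Name
        OSType         = 'Windows'
        FullName       = 'Rainpole'
        OrgName        = 'Rainpole IT'
        # Assumption: no PowerCLI equivalent of "Enter a name in the Clone/Deploy
        # wizard"; the clone step overrides the name on a per-VM copy of the spec.
        NamingScheme   = 'Vm'
        AdminPassword  = $LocalAdminPassword
        AutoLogonCount = 1
        TimeZone       = '085'   # assumption: sysprep index for (GMT) Coordinated Universal Time
        Domain         = $JoinDomain
        DomainUsername = $DomainJoinCredential.UserName
        DomainPassword = $DomainJoinCredential.GetNetworkCredential().Password
        DnsSuffix      = 'rainpole.local', 'sfo01.rainpole.local', 'lax01.rainpole.local'
        ChangeSid      = $true   # Generate New Security ID (SID)
        LicenseMode    = 'PerSeat'
        Server         = $vc
    }
    if ($ProductKey) { $params['ProductKey'] = $ProductKey }
    $spec = New-OSCustomizationSpec @params

    # NIC1: the address is prompted for at clone time; mask, gateway and DNS are fixed.
    $spec | Get-OSCustomizationNicMapping |
        Set-OSCustomizationNicMapping -IpMode PromptUser `
            -SubnetMask '255.255.255.0' -DefaultGateway $DefaultGateway `
            -Dns '172.16.11.5', '172.17.11.5' | Out-Null
    return $spec
}

$join     = Get-Credential -UserName '[email protected]' -Message 'Domain join account'
$adminPwd = (Get-Credential -UserName 'Administrator' -Message 'Local administrator password').GetNetworkCredential().Password

New-VraCustomizationSpec -Name 'vra7-template' -DefaultGateway '192.168.11.1' `
    -JoinDomain 'rainpole.local' -DomainJoinCredential $join -LocalAdminPassword $adminPwd
New-VraCustomizationSpec -Name 'vra7-proxy-agent-template' -DefaultGateway '192.168.31.1' `
    -JoinDomain 'sfo01.rainpole.local' -DomainJoinCredential $join -LocalAdminPassword $adminPwd

# Check: each spec joins the intended domain and its NIC mapping carries the intended gateway.
Get-OSCustomizationSpec -Name 'vra7-*' -Server $vc | ForEach-Object {
    $nic = $_ | Get-OSCustomizationNicMapping
    [pscustomobject]@{ Spec = $_.Name; Domain = $_.Domain; IPMode = $nic.IPMode; Gateway = $nic.DefaultGateway }
}
```

The domain-join and local administrator passwords are prompted for rather than written into the script, and the product key is optional so the KMS case from the procedure (Product Key left blank) is the default.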

5.3.3.2. Create Windows Virtual Machines for vRealize Automation


vRealize Automation requires several Windows virtual machines to act as IaaS components in a
distributed configuration. These redundant components provide high availability for the vRealize
Automation infrastructure features.
To facilitate cloning, this design uses the vra7-template and vra7-proxy-agent-template image
customization specifications and the windows2012r2-template VM template. A fully redundant
vRealize Automation deployment requires eight virtual machines that run on Windows.
Repeat this procedure eight times, using the information in the following table, to create the eight VMs.

Name of Virtual Machine           NetBIOS Name   vCenter Folder   IP Number       vCPU   Memory Size   Image Customization Specification Template   Network

vra01iws01a.rainpole.local        vra01iws01a    vRA01            192.168.11.54   2      4GB           vra7-template                                vxw-dvs-xxxx-Mgmt-xRegion01-VXLAN

vra01iws01b.rainpole.local        vra01iws01b    vRA01            192.168.11.55   2      4GB           vra7-template                                vxw-dvs-xxxx-Mgmt-xRegion01-VXLAN

vra01ims01a.rainpole.local        vra01ims01a    vRA01            192.168.11.57   2      4GB           vra7-template                                vxw-dvs-xxxx-Mgmt-xRegion01-VXLAN

vra01ims01b.rainpole.local        vra01ims01b    vRA01            192.168.11.58   2      4GB           vra7-template                                vxw-dvs-xxxx-Mgmt-xRegion01-VXLAN

vra01dem01.rainpole.local         vra01dem01     vRA01            192.168.11.60   4      6GB           vra7-template                                vxw-dvs-xxxx-Mgmt-xRegion01-VXLAN

vra01dem02.rainpole.local         vra01dem02     vRA01            192.168.11.61   4      6GB           vra7-template                                vxw-dvs-xxxx-Mgmt-xRegion01-VXLAN

vra01ias01.sfo01.rainpole.local   vra01ias01     vRA01IAS         192.168.31.52   2      4GB           vra7-proxy-agent-template                    vxw-dvs-xxxx-Mgmt-RegionA01-VXLAN

vra01ias02.sfo01.rainpole.local   vra01ias02     vRA01IAS         192.168.31.53   2      4GB           vra7-proxy-agent-template                    vxw-dvs-xxxx-Mgmt-RegionA01-VXLAN

Prerequisites
• Verify that you have created the Windows 2012 R2 template VM windows2012r2-template.
See Virtual Machine Template Specifications.
Procedure
Log in to vCenter Server by using the vSphere Web Client.
a. Open a Web browser and go to
https://mgmt01vc01.sfo01.rainpole.local/vsphere-client.
b. Log in using the following credentials.

Setting Value

User name [email protected]

Password vsphere_admin_password


Click vCenter Servers and click the mgmt01vc01.sfo01.rainpole.local instance.


Select VM Templates in Folders, and from the VM Templates in Folders pane, right-click
windows2012r2-template and select New VM from this Template.

On the Select a name and folder page of the Deploy From Template wizard, specify a name
and location for the virtual machine:
a. Enter vra01iws01a.rainpole.local in the Enter a name for the virtual machine text
box.
b. In the Select a location for the virtual machine pane, select the vRA01 folder in the SFO01
datacenter under mgmt01vc01.sfo01.rainpole.local and click Next.

On the Select a compute resource page, select SFO01-Mgmt01 and click Next.


On the Select storage page, select the datastore on which to create the virtual machine's disks.
a. Select Virtual SAN Default Storage Policy from the VM Storage Policy drop-down menu.
b. Select the SFO01A-VSAN01-MGMT01 Virtual SAN datastore from the datastore table and
click Next.

On the Select Clone options page, select the Customize the operating system check box, and
click Next.


On the Customize guest OS page, select the vra7-template from the table, and click Next.
On the User Settings page, enter the following values, and click Next.

Settings Value

NetBIOS name vra01iws01a

IPv4 address 192.168.11.54

On the Ready to Complete page, review your settings, and click Finish.


When the deployment of the virtual machine completes, you can customize the virtual machine.


In the Navigator, select the VMs and Templates tab.


Right-click the vra01iws01a.rainpole.local virtual machine and select Edit Settings.
Click Virtual Hardware and configure the settings for CPU, memory, and for the network adapter.
a. Expand CPU and select 2 from the CPU drop-down menu.
b. Expand Memory, and set the RAM setting to 4096 MB.
c. Expand Network adapter 1 and select vxw-dvs-xxxx-Mgmt-xRegion01-VXLAN from the
drop-down menu and click OK.

Right-click the virtual machine vra01iws01a.rainpole.local, and select Power > Power on.
From the Virtual Machine Console, verify that vra01iws01a.rainpole.local reboots, and uses
the configuration settings you specified. After the Windows customization process completes, a
clean desktop appears.
Log in to the Windows operating system and perform final verification and customization.
a. Verify that the IP address, computer name, and domain are correct.


b. Add the vRealize Automation service account [email protected] to the local
Administrators group.
c. Disable the Windows Firewall for both Domain Networks and Private Networks.
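The verification and the two changes in this step can be scripted inside the guest. The following script is an added example, not part of the VVD guide; it runs in each IaaS Windows VM (Windows Server 2012 R2, PowerShell 4.0) after guest customization has finished, checks the values from step a before changing anything, and then applies steps b and c. The expected values are parameters taken from the VM table above; use sfo01.rainpole.local as the domain for the two proxy agent VMs. Disabling the firewall on the Domain and Private profiles is what the guide prescribes; the example touches only those two profiles.

```powershell
# Added example, not part of the VVD guide: post-customization check and
# configuration run inside an IaaS Windows VM.
param(
    [string] $ExpectedName   = 'vra01iws01a',
    [string] $ExpectedDomain = 'rainpole.local',    # sfo01.rainpole.local for the proxy agents
    [string] $ExpectedIp     = '192.168.11.54',
    [string] $ServiceAccount = 'rainpole\svc-vra'
)

# a. IP address, computer name and domain must match what the spec applied.
$cs  = Get-CimInstance -ClassName Win32_ComputerSystem
$ips = @(Get-NetIPAddress -AddressFamily IPv4 -PrefixOrigin Manual | Select-Object -ExpandProperty IPAddress)
$problems = @()
if ($cs.Name -ne $ExpectedName) { $problems += "computer name is '$($cs.Name)', expected '$ExpectedName'" }
if (-not $cs.PartOfDomain -or $cs.Domain -ne $ExpectedDomain) {
    $problems += "domain is '$($cs.Domain)', expected '$ExpectedDomain'"
}
if ($ips -notcontains $ExpectedIp) { $problems += "static IPv4 addresses are '$($ips -join ',')', expected '$ExpectedIp'" }
if ($problems.Count) {
    # Stop here: a wrong name or domain would be baked into the IaaS installation.
    throw "Guest customization did not apply cleanly: $($problems -join '; ')"
}

# b. Local Administrators membership for the vRA service account.
#    Add-LocalGroupMember needs PowerShell 5.1, so net.exe is used on 2012 R2.
$members = @(net localgroup Administrators | ForEach-Object { $_.Trim() })
if ($members -notcontains $ServiceAccount) {
    net localgroup Administrators $ServiceAccount /add | Out-Null
    $members = @(net localgroup Administrators | ForEach-Object { $_.Trim() })
}

# c. Disable the firewall on the Domain and Private profiles only; the Public
#    profile keeps its current setting.
Set-NetFirewallProfile -Profile Domain, Private -Enabled False

# Final state, for the build record.
[pscustomobject]@{
    Computer   = $cs.Name
    Domain     = $cs.Domain
    IPv4       = $ips -join ','
    LocalAdmin = ($members -contains $ServiceAccount)
    Firewall   = (Get-NetFirewallProfile | ForEach-Object { "$($_.Name)=$($_.Enabled)" }) -join ' '
}
```

Run it as the local administrator from the automatic logon that the customization specification configured, for example with .\Initialize-VraIaasGuest.ps1 -ExpectedName vra01ias01 -ExpectedDomain sfo01.rainpole.local -ExpectedIp 192.168.31.52 on the first proxy agent VM.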
Repeat this procedure to deploy and configure the remaining virtual machines.
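Repeating the clone wizard eight times is error prone, and every value the wizard asks for is in the table at the start of this section. The following PowerCLI script is an added example, not part of the VVD guide, that drives the same clone, sizing, network, and power-on steps from that table. Assumptions: the vra7-template and vra7-proxy-agent-template specifications and the windows2012r2-template template exist; the NSX port groups are looked up by wildcard because the guide writes their prefix as vxw-dvs-xxxx; the default gateway is derived from each address by replacing the last octet with 1, which yields the 192.168.11.1 and 192.168.31.1 values from the two specifications; and the per-VM NetBIOS name and static address are set on a non-persistent copy of the specification, which is the PowerCLI equivalent of the values entered on the User Settings page.

```powershell
# Added example, not part of the VVD guide: table-driven clone of the eight
# IaaS Windows VMs with VMware PowerCLI.
Import-Module VMware.VimAutomation.Core
$vc = Connect-VIServer -Server 'mgmt01vc01.sfo01.rainpole.local' `
          -Credential (Get-Credential -UserName '[email protected]' -Message 'vSphere admin')

# Assumption: the real NSX port-group names carry the vxw-dvs-<id> prefix the guide abbreviates.
$xRegionPg = Get-VDPortgroup -Name 'vxw-dvs-*-Mgmt-xRegion01-VXLAN' -Server $vc
$regionAPg = Get-VDPortgroup -Name 'vxw-dvs-*-Mgmt-RegionA01-VXLAN' -Server $vc

# One row per VM, taken from the table in this section.
$iaasVms = @(
    @{ Name='vra01iws01a.rainpole.local';      NetBios='vra01iws01a'; Folder='vRA01';    Ip='192.168.11.54'; Cpu=2; MemGB=4; Spec='vra7-template';             Pg=$xRegionPg }
    @{ Name='vra01iws01b.rainpole.local';      NetBios='vra01iws01b'; Folder='vRA01';    Ip='192.168.11.55'; Cpu=2; MemGB=4; Spec='vra7-template';             Pg=$xRegionPg }
    @{ Name='vra01ims01a.rainpole.local';      NetBios='vra01ims01a'; Folder='vRA01';    Ip='192.168.11.57'; Cpu=2; MemGB=4; Spec='vra7-template';             Pg=$xRegionPg }
    @{ Name='vra01ims01b.rainpole.local';      NetBios='vra01ims01b'; Folder='vRA01';    Ip='192.168.11.58'; Cpu=2; MemGB=4; Spec='vra7-template';             Pg=$xRegionPg }
    @{ Name='vra01dem01.rainpole.local';       NetBios='vra01dem01';  Folder='vRA01';    Ip='192.168.11.60'; Cpu=4; MemGB=6; Spec='vra7-template';             Pg=$xRegionPg }
    @{ Name='vra01dem02.rainpole.local';       NetBios='vra01dem02';  Folder='vRA01';    Ip='192.168.11.61'; Cpu=4; MemGB=6; Spec='vra7-template';             Pg=$xRegionPg }
    @{ Name='vra01ias01.sfo01.rainpole.local'; NetBios='vra01ias01';  Folder='vRA01IAS'; Ip='192.168.31.52'; Cpu=2; MemGB=4; Spec='vra7-proxy-agent-template'; Pg=$regionAPg }
    @{ Name='vra01ias02.sfo01.rainpole.local'; NetBios='vra01ias02';  Folder='vRA01IAS'; Ip='192.168.31.53'; Cpu=2; MemGB=4; Spec='vra7-proxy-agent-template'; Pg=$regionAPg }
)

$template  = Get-Template  -Name 'windows2012r2-template' -Server $vc
$cluster   = Get-Cluster   -Name 'SFO01-Mgmt01'           -Server $vc
$datastore = Get-Datastore -Name 'SFO01A-VSAN01-MGMT01'   -Server $vc

function New-VraIaasVm {
    param([hashtable] $Row)
    # Per-VM, non-persistent copy of the spec: fixed NetBIOS name and static IP
    # stand in for the values typed on the wizard's User Settings page.
    $gateway = $Row.Ip -replace '\.\d+$', '.1'    # 192.168.11.x -> 192.168.11.1, 192.168.31.x -> 192.168.31.1
    $spec = New-OSCustomizationSpec -Spec (Get-OSCustomizationSpec -Name $Row.Spec -Server $vc) `
                -Name "tmp-$($Row.NetBios)" -Type NonPersistent -Server $vc
    $spec | Set-OSCustomizationSpec -NamingScheme Fixed -NamingPrefix $Row.NetBios | Out-Null
    $spec | Get-OSCustomizationNicMapping |
        Set-OSCustomizationNicMapping -IpMode UseStaticIP -IpAddress $Row.Ip `
            -SubnetMask '255.255.255.0' -DefaultGateway $gateway `
            -Dns '172.16.11.5', '172.17.11.5' | Out-Null

    $vm = New-VM -Name $Row.Name -Template $template -ResourcePool $cluster -Datastore $datastore `
              -Location (Get-Folder -Name $Row.Folder -Type VM -Server $vc) `
              -OSCustomizationSpec $spec -Server $vc

    # Sizing and port group from the table, then power on so customization runs.
    $vm | Set-VM -NumCpu $Row.Cpu -MemoryGB $Row.MemGB -Confirm:$false | Out-Null
    $vm | Get-NetworkAdapter | Set-NetworkAdapter -Portgroup $Row.Pg -Confirm:$false | Out-Null
    $vm = Start-VM -VM $vm
    Remove-OSCustomizationSpec -OSCustomizationSpec $spec -Confirm:$false
    return $vm
}

$deployed = foreach ($row in $iaasVms) { New-VraIaasVm -Row $row }

# Check: eight VMs, sized and attached as the table says.
$deployed | Select-Object Name, NumCpu, MemoryGB, PowerState | Format-Table -AutoSize
$deployed | Get-NetworkAdapter | Select-Object Parent, NetworkName | Format-Table -AutoSize
```

The example does not set the VM storage policy explicitly; on the Virtual SAN datastore the default policy that the wizard step selects applies unless another is chosen. The in-guest verification from the previous step still has to run on each VM once customization has completed.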

5.3.3.3. Install vRealize Automation Management Agent on Windows IaaS VMs


For each Windows VM deployed as part of the vRealize Automation installation, a management agent
must be deployed to facilitate the installation of the Windows dependencies and vRealize
components.
Perform the procedure multiple times to install the Management Agent on all Windows IaaS VMs.
• vra01iws01a.rainpole.local
• vra01iws01b.rainpole.local
• vra01dem01.rainpole.local
• vra01dem02.rainpole.local
• vra01ims01a.rainpole.local
• vra01ims01b.rainpole.local
• vra01ias01.sfo01.rainpole.local
• vra01ias02.sfo01.rainpole.local

Procedure
Log in to the Windows IaaS VM.
a. Connect to vra01iws01a.rainpole.local over RDP.
b. Log in with the local administrator credentials that you specified during the creation of the
customization specification process.
Download the vRealize Management Agent.
a. Open a Web browser and go to
https://vra01svr01a.rainpole.local:5480/installer.
b. Download the Management Agent Installer .msi package.
Install the vRealize Management Agent.
a. Start the vCAC-IaaSManagementAgent-Setup.msi installer.
b. On the Welcome page, click Next to start the install process.
c. On the EULA page, select the I accept the terms of this agreement check box and click
Next.
d. On the Destination Folder page, click Next to install in the default path.
e. On the Management Site Service page, enter the following settings and click Load.

Setting Value

vRA Appliance Address https://vra01svr01a.rainpole.local:5480

Root username root


Password vra_appA_root_password

Compare the fingerprint that the installer displays with the fingerprint of the Management Site
Service certificate on vra01svr01a.rainpole.local, select the I confirm the fingerprint matches
the Management Site Service SSL certificate check box, and click Next.

On the Management Agent Account Configuration page, enter the following credentials and
click Next.

Setting Value

Username rainpole\svc-vra

Password svc-vra_password

On the Ready to install page, click Install.


Repeat the procedure to install the Management Agent on the remaining Windows IaaS VMs.


5.3.4 Install the vRealize Automation Environment in Region A


You use the Installation Wizard to deploy a distributed installation with load balancers for high
availability and failover.
Once you start the wizard you must complete it. If you cancel the wizard, you must redeploy the
appliance to run the wizard again.
Procedure
Log in to the first vRealize Automation appliance.
a. Open a Web browser and go to https://vra01svr01a.rainpole.local:5480.
b. Log in using the following credentials.

Setting Value

User name root

Password vra_appA_root_password

On the Welcome to the vRealize Automation Installation Wizard page, click Next.
On the End User License Agreement page, accept the terms of the agreement and click Next.
On the Deployment Type page, specify the following settings and click Next.

Setting Value

Enterprise deployment Selected

Install Infrastructure as a Service Selected

On the Installation Prerequisites page, specify the following time server settings, click Change
Time Settings, and click Next.


Setting Value

Time Server ntp.sfo01.rainpole.local

Time Server ntp.lax01.rainpole.local

On the Discovered Hosts page, verify that all Windows IaaS VMs are listed and that their time
offset is -1, 0, or 1, and click Next.
The Time Offset column shows the time delta between the vRealize Automation appliance and
the Windows IaaS VMs. Time synchronization is critical. If there are values outside of the
acceptable values, remediate those before you proceed.
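The wizard reports the offset but does not fix it. The following script is an added example, not part of the VVD guide, that measures the clock offset of each IaaS Windows VM against the time server entered on the previous page and resynchronizes the ones outside the -1 to +1 second range before you return to the Discovered Hosts page. Assumptions: WinRM is enabled on the IaaS VMs and the account running the script is a local administrator on them; w32tm prints its stripchart samples in the "hh:mm:ss, +00.0012345s" form (the regular expression also accepts the "d:" prefixed form). The two vRealize Automation appliances are Linux and are not covered.

```powershell
# Added example, not part of the VVD guide: clock-offset check and resync for
# the IaaS Windows VMs before the Discovered Hosts page.
$TimeServer = 'ntp.sfo01.rainpole.local'
$IaasHosts  = @(
    'vra01iws01a.rainpole.local', 'vra01iws01b.rainpole.local',
    'vra01ims01a.rainpole.local', 'vra01ims01b.rainpole.local',
    'vra01dem01.rainpole.local',  'vra01dem02.rainpole.local',
    'vra01ias01.sfo01.rainpole.local', 'vra01ias02.sfo01.rainpole.local'
)

$check = {
    param([string] $Server)
    # Take the last of three samples; each data line ends in the signed offset.
    $sample = w32tm /stripchart /computer:$Server /samples:3 /dataonly 2>&1 |
              Select-String -Pattern ',\s*(?:d:)?([+-]\d+\.\d+)s' | Select-Object -Last 1
    if (-not $sample) {
        return [pscustomobject]@{ Host = $env:COMPUTERNAME; Offset = $null; Ok = $false; Action = 'no sample' }
    }
    $offset = [double] $sample.Matches[0].Groups[1].Value
    $ok     = [math]::Abs($offset) -le 1.0
    $action = 'none'
    if (-not $ok) {
        # Domain members take time from the domain hierarchy; force it now.
        w32tm /resync /force | Out-Null
        $action = 'resynced'
    }
    [pscustomobject]@{ Host = $env:COMPUTERNAME; Offset = $offset; Ok = $ok; Action = $action }
}

$results = Invoke-Command -ComputerName $IaasHosts -ScriptBlock $check -ArgumentList $TimeServer
$results | Sort-Object Host | Format-Table Host, Offset, Ok, Action -AutoSize

if ($results | Where-Object { -not $_.Ok }) {
    Write-Warning 'One or more hosts were resynced or gave no sample; run the check again before clicking Next.'
}
```

Hosts that were resynced need a second run to confirm the offset, because the table shows the value measured before the resync.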
On the vRealize Appliances page, enter the following settings to add the second vRealize
Automation appliance, and click Next.

Setting Value

Host vra01svr01b.rainpole.local

Admin User root

Password vra_appB_root_password

On the Server Roles page, select the respective check boxes for each server based on their role
and click Next.

Hosts                              Role

vra01iws01a.rainpole.local         Initial Web Server and Model Manager

vra01iws01b.rainpole.local         Other Webs

vra01ims01a.rainpole.local         Manager Service

vra01ims01b.rainpole.local         Manager Service

vra01dem01.rainpole.local          DEM

vra01dem02.rainpole.local          DEM

vra01ias01.sfo01.rainpole.local    Agent

vra01ias02.sfo01.rainpole.local    Agent

On the Prerequisite checker page, verify that the Windows servers for IaaS components are
correctly configured.
a. Click Run and wait for the prerequisite checker to complete.


b. If warnings appear, click Fix.


c. Verify that the status of all IaaS components changes to OK and click Next.

On the vRealize Automation Host page, enter vra01svr01.rainpole.local in the vRealize
Address text box and click Next.


On the Single Sign-On page, enter and confirm vra_administrator_password for the default
tenant account [email protected], and click Next.

On the IaaS Host page, enter the following values and click Next.

Setting Value

IaaS Web Address vra01iws01.rainpole.local


Manager Service Address vra01ims01.rainpole.local

Security Passphrase sql_db_pass

Confirm Passphrase sql_db_pass

On the Microsoft SQL Server page,specify the following settings, click Validate, wait for
successful validation, and click Next.

Setting Value

Server Name vra01mssql01.rainpole.local

Database Name VRADB-01

Create new database Selected

Default Settings Selected

Windows Authentication Selected


On the Web Role page, enter the following settings for the IaaS servers, click Validate, wait for
successful validation, and click Next.

Setting Value

Website Name Default Web Site

Port 443

vra01iws01a.rainpole.local Username rainpole.local\svc-vra

vra01iws01a.rainpole.local Password svc-vra_password

vra01iws01b.rainpole.local Username rainpole.local\svc-vra

vra01iws01b.rainpole.local Password svc-vra_password


On the Manager Service page, specify the following settings for the Manager Service servers, click
Validate, wait for successful validation, and click Next.

Active IaaS Hostname Username Password

Selected vra01ims01a.rainpole.local rainpole.local\svc-vra svc-vra_password

Deselected vra01ims01b.rainpole.local rainpole.local\svc-vra svc-vra_password

On the Distributed Execution Managers page, click the Add icon as needed, specify the
following settings, click Validate, wait for successful validation, and click Next.


IaaS Hostname Instance Name Username Password

vra01dem01 DEM-WORKER-01 rainpole.local\svc-vra svc-vra_password

vra01dem01 DEM-WORKER-02 rainpole.local\svc-vra svc-vra_password

vra01dem01 DEM-WORKER-03 rainpole.local\svc-vra svc-vra_password

vra01dem02 DEM-WORKER-04 rainpole.local\svc-vra svc-vra_password

vra01dem02 DEM-WORKER-05 rainpole.local\svc-vra svc-vra_password

vra01dem02 DEM-WORKER-06 rainpole.local\svc-vra svc-vra_password

On the Agents page, specify the following settings, click Validate, wait for successful validation,
and click Next.

IaaS Hostname                      Agent Name         Endpoint                          Agent Type   Username                 Password

vra01ias01.sfo01.rainpole.local    vSphere-Agent-01   comp01vc01.sfo01.rainpole.local   vSphere      rainpole.local\svc-vra   svc-vra_password

vra01ias02.sfo01.rainpole.local    vSphere-Agent-01   comp01vc01.sfo01.rainpole.local   vSphere      rainpole.local\svc-vra   svc-vra_password


On the next three certificate configuration pages, configure the certificates for all vRealize
Automation nodes.
Because you used the vRealize Certificate Generation Tool during Configure SSL
Certificate for vRealize Business Server in Region A, you complete the three different pages for
certificate configuration of the different nodes by using the same process and values from the
vrealize.key file for the Private Key and the vrealize.pem file for all certificates stored in
the vro folder.
a. On the vRealize Appliance Certificate page, specify the following settings, click Save
Imported Certificate, and click Next.

Setting Value

Certificate Action Import

RSA Private Key -----BEGIN RSA PRIVATE KEY-----private_key_value-----END RSA PRIVATE KEY-----

Certificate Chain -----BEGIN CERTIFICATE-----Server_certificate_value-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----Intermediate_CA_certificate_value-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----Root_CA_certificate_value-----END CERTIFICATE-----

Passphrase vra_cert_passphrase

b. Repeat the step on the Web Certificate and the Manager Service Certificate pages.


On the Load Balancers page, click Next.


Load balancing is already configured in the Load Balancing the Cloud Management Platform in
Region A section.
On the Validation page, click Validate, wait for successful validation, and click Next.

On the Create Snapshots page, leave the wizard open and take snapshots of all vRealize
Automation VMs.
a. Log in to the Management vCenter Server by using the vSphere Web Client.
b. Open a Web browser and go to
https://mgmt01vc01.sfo01.rainpole.local/vsphere-client.


c. Log in using the following credentials.

Setting Value

User name [email protected]

Password vsphere_admin_password

d. From the Home page, click VMs and Templates.


e. In the Navigator, expand the mgmt01vc01.sfo01.rainpole.local > SFO01 > VRA01 folder.
f. Right-click the vra01dem01.rainpole.local VM and select Snapshots > Take Snapshot.
g. In the Take VM Snapshot dialog box, specify the following settings and click OK.

Setting Value

Name Prior to vRA IaaS component installation

Snapshot the virtual machine's memory Selected

Quiesce guest file system Selected

h. Repeat the above steps to take a snapshot of each of the following VMs.

Virtual Machine vCenter Folder

vra01svr01a.rainpole.local VRA01

vra01svr01b.rainpole.local VRA01

vra01iws01a.rainpole.local VRA01

vra01iws01b.rainpole.local VRA01

vra01ims01a.rainpole.local VRA01

vra01ims01b.rainpole.local VRA01

vra01dem01.rainpole.local VRA01

vra01dem02.rainpole.local VRA01

vra01ias01.sfo01.rainpole.local VRA01IAS

vra01ias02.sfo01.rainpole.local VRA01IAS

After you create snapshots of all VMs, return to the vRealize Automation Installation wizard.
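Ten snapshots taken by hand while the wizard waits is where a VM gets missed. The following PowerCLI script is an added example, not part of the VVD guide, that takes the snapshot for every VM in the table above, skips VMs that already have it so a re-run after a failure does not stack snapshots, and refuses to let you continue unless all ten exist. It assumes an existing Connect-VIServer session to mgmt01vc01.sfo01.rainpole.local. It takes memory snapshots, which preserve the running state the wizard's rollback relies on; the Quiesce option is left out because vSphere does not take a memory snapshot and a quiesced snapshot in the same operation.

```powershell
# Added example, not part of the VVD guide: pre-installation snapshots of all
# vRealize Automation VMs with VMware PowerCLI.
Import-Module VMware.VimAutomation.Core

$SnapshotName = 'Prior to vRA IaaS component installation'
$VraVms = @(
    'vra01svr01a.rainpole.local', 'vra01svr01b.rainpole.local',
    'vra01iws01a.rainpole.local', 'vra01iws01b.rainpole.local',
    'vra01ims01a.rainpole.local', 'vra01ims01b.rainpole.local',
    'vra01dem01.rainpole.local',  'vra01dem02.rainpole.local',
    'vra01ias01.sfo01.rainpole.local', 'vra01ias02.sfo01.rainpole.local'
)

function New-VraPreInstallSnapshot {
    param([string[]] $VmName, [string] $Name)
    foreach ($n in $VmName) {
        $vm = Get-VM -Name $n -ErrorAction Stop
        # Idempotent: a second run after a partial failure does not add a second snapshot.
        if ($vm | Get-Snapshot | Where-Object { $_.Name -eq $Name }) {
            Write-Verbose "$n already has snapshot '$Name'"
            continue
        }
        # -Memory captures the running state so the rollback lands on a live appliance.
        New-Snapshot -VM $vm -Name $Name -Memory -Confirm:$false | Out-Null
    }
    # Return what exists so the caller can verify before clicking Next.
    Get-VM -Name $VmName | Get-Snapshot | Where-Object { $_.Name -eq $Name } |
        Select-Object @{ n = 'VM'; e = { $_.VM.Name } }, Name, Created, SizeGB
}

$taken = New-VraPreInstallSnapshot -VmName $VraVms -Name $SnapshotName
$taken | Format-Table -AutoSize

if (@($taken).Count -ne $VraVms.Count) {
    throw "Expected $($VraVms.Count) snapshots, found $(@($taken).Count); do not continue the wizard."
}
```

Remove the snapshots once the installation has been validated; memory snapshots of ten VMs on the management cluster are not meant to stay.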
On the Create Snapshots page, click Next.
On the Installation Details page, click Install.


On the Installation Details page, verify that all items complete successfully and click Next.

On the Licensing page, enter your vRealize_Automation_License_Key, click Submit Key, and
click Next.


On the Telemetry page, click Next.


On the Initial Content Configuration page, click Next, and click Finish to exit the wizard.

5.4 vRealize Automation Default Tenant Configuration in Region A


In shared cloud environments, where multiple companies, divisions, or independent groups use
a common infrastructure fabric, it is necessary to set up virtual private clouds in which
authentication, resources, and policy are customized to the needs of each group. Tenants isolate
the users, resources, and services of one group from those of the other groups.
• Create a Local Tenant Administrator in Region A
• Join Connectors to an Active Directory Domain in Region A

5.4.1 Create a Local Tenant Administrator in Region A


Create a local user in the default tenant vsphere.local in vRealize Automation and assign it the
Tenant Administrator and IaaS Administrator roles for that tenant. You use this account in the next
procedure to join the VMware Identity Manager connectors to the Active Directory domain.
Procedure
Log in to the vRealize Automation portal.
a. Open a Web browser and go to https://vra01svr01.rainpole.local/vcac.
b. Log in using the following credentials.

Setting Value

User name administrator


Password vra_administrator_password

On the Tenants page, click the default tenant vsphere.local to edit its settings.

Click the Local users tab and click New to add a local user to the default tenant.

In the User Details dialog, specify the following settings, click OK, and click Next.

Setting Value

First name ITAC


Last name LocalDefaultAdmin

Email [email protected]

User name ITAC-LocalDefaultAdmin

Password itac-localdefaultadmin_password

Confirm password itac-localdefaultadmin_password

On the Administrators tab, specify tenant and infrastructure administrators.


a. In the Tenant administrators search text box, enter ITAC-LocalDefaultAdmin and press
Enter.
b. In the IaaS administrators search text box, enter ITAC-LocalDefaultAdmin and press
Enter.
c. Click Finish.


5.4.2 Join Connectors to an Active Directory Domain in Region A


To use an Active Directory domain for tenant authentication, you must join the VMware Identity
Manager connectors to that domain. Joining the domain also enables Integrated Windows
Authentication.
Each vRealize Automation appliance includes a connector that supports user authentication. By
default, one connector is configured to perform directory synchronization. Perform the procedure as
the ITAC-LocalDefaultAdmin user that you created in the previous procedure.
Procedure
Log in to the vRealize Automation portal.
a. Open a Web browser and go to https://vra01svr01.rainpole.local/vcac.
b. Log in using the following credentials.

Setting Value

User name ITAC-LocalDefaultAdmin

Password itac-localdefaultadmin_password

Navigate to Administration > Directories Management > Connectors.


For the first.connector, click Join Domain, specify the following settings and click Join Domain.

Setting Value

Domain Custom Domain

rainpole.local

Domain User administrator

Domain Password domain_admin_password

For the first.connector-Clone, click Join Domain, specify the following settings and click Join
Domain.


Setting Value

Domain Custom Domain

rainpole.local

Domain User administrator

Domain Password domain_admin_password

5.5 vRealize Automation Tenant Creation in Region A


You create additional vRealize Automation tenants so that users can access the applications and
resources that they need to complete their work assignments.
A tenant is a group of users with specific privileges who work within a software instance.
Administrators can create additional tenants so that users can log in and complete their work
assignments. Administrators can create as many tenants as needed for system operation.
Administrators must specify basic configuration such as name, login URL, local users, and
administrators. The tenant administrator must also log in and set up an appropriate Active Directory
connection and apply custom branding to tenants.
• Create the Rainpole Tenant in Region A
• Configure Identity Management for the vRealize Automation Tenant in Region A
• Configure Directories Management for High Availability in Region A
• Assign Tenant Administrative Roles to Active Directory Users in Region A
• Brand the Tenant Login Pages in Region A
• Configure the Default Email Servers in Region A


5.5.1 Create the Rainpole Tenant in Region A


The vRealize Automation Identity Manager provides Single Sign-On (SSO) capability for vRealize
Automation users.
SSO is an authentication broker and security token exchange that interacts with Active Directory
to authenticate users. As the system administrator, you configure SSO to provide access to vRealize
Automation for the Rainpole tenant. The Rainpole tenant is the tenant through which you manage
system-wide configuration, which includes the global system defaults for branding and notifications
and the monitoring of system logs.
Procedure
Log in to the vRealize Automation portal.
a. Open a Web browser and go to https://vra01svr01.rainpole.local/vcac.
b. Log in using the following credentials.

Setting Value

User name administrator

Password vra_administrator_password

On the Tenants page, click New to configure a new tenant.

On the General tab, enter the following settings for the Rainpole tenant, and click Submit and
Next.

Setting Value

Name Rainpole

URL Name rainpole


Contact email [email protected]

On the Local Users tab, click New to add a local user for the tenant.
In the User Details dialog box, specify the following settings, click OK, and click Next.

Setting Value

First name ITAC

Last name LocalRainpoleAdmin

Email [email protected]

User name ITAC-LocalRainpoleAdmin

Password itac-localrainpoleadmin_password

Confirm password itac-localrainpoleadmin_password


On the Administrators tab, appoint tenant and infrastructure administrators.
a. Enter ITAC-LocalRainpoleAdmin in the Tenant Administrators search text box and
press Enter.
b. Enter ITAC-LocalRainpoleAdmin in the IaaS Administrators search text box and press
Enter.
c. Click Finish.


5.5.2 Configure Identity Management for the vRealize Automation Tenant in Region A


In this design, vRealize Automation uses VMware Identity Manager to authenticate users.
Each tenant has to be associated with at least one directory as part of the tenant creation. You can
add more directories if necessary. Perform the procedure by using the ITAC-LocalRainpoleAdmin user
that you configured.
Procedure
Log in to the vRealize Automation Rainpole portal.
a. Open a Web browser and go to
https://vra01svr01.rainpole.local/vcac/org/rainpole.
b. Log in using the following credentials.

Setting Value

User name ITAC-LocalRainpoleAdmin

Password itac-localrainpoleadmin_password

Navigate to Administration > Directories Management > Directories.

Click Add Directory, specify the following settings and click Save & Next.

Setting Value

Directory Name rainpole.local

Directory Type Active Directory (Integrated Windows Authentication)

Sync Connector vra01svr01a.rainpole.local

Authentication Yes

Directory Search Attribute sAMAccountName

Certificates Deselected

Domain Name rainpole.local

Domain Admin Username ad_admin_acct

Domain Admin Password domain_admin_password

Bind User UPN [email protected]

Bind DN Password svc-vra_password


On the Select the Domains page, select rainpole.local (RAINPOLE) and click Next.

On the Map User Attributes page, click Next.

On the Select the groups (users) you want to sync page, enter the group DNs to sync.
a. Click the Add icon to add the distinguished name to the search criteria.
b. In the Specify the group DNs box, enter dc=rainpole,dc=local and click Find Groups.
c. After the Groups to sync value fills in, click Select.


d. Select the following groups and click Save.
 ug-ITAC-TenantAdmins
 ug-ITAC-TenantArchitects
 ug-SDDC-Admins
 ug-SDDC-Ops
 ug-vROAdmins

e. Click Next.


On the Select the Users you would like to sync page, enter the user DNs to sync.
a. Click the Add icon to add the distinguished name to the search criteria.
b. In the Specify the user DNs text box, enter cn=users,dc=rainpole,dc=local, click the Add
icon on the same row, and click Next.

On the Review page, click Sync Directory.

5.5.3 Configure Directories Management for High Availability in Region A


Each vRealize Automation appliance includes a connector that supports user authentication, although
only one connector is typically configured to perform directory synchronization.
To support Directories Management high availability, you must configure a second connector that
corresponds to your second vRealize Automation appliance. That second connector connects to the
same Identity Provider and, through VMware Identity Manager, points to the same Active Directory
instance. With this configuration, if one appliance fails, the other can take over management of user
authentication.
In a high availability environment, all nodes must serve the same set of users, authentication
methods, and other Active Directory constructs. The most direct method to accomplish this is to
promote the Identity Provider to the cluster by setting the load balancer host as the Identity Provider
host. With this configuration, all authentication requests are directed to the load balancer, which
forwards the request to either connector as appropriate.
Procedure
Log in to the vRealize Automation Rainpole portal.
a. Open a Web browser and go to
https://vra01svr01.rainpole.local/vcac/org/rainpole.
b. Log in using the following credentials.

Setting Value

User name ITAC-LocalRainpoleAdmin

Password itac-localrainpoleadmin_password

Navigate to Administration > Directories Management > Identity Providers.


Click the name of the identity provider to edit its settings.

Under Network, specify the following settings and click Add Connector.

Setting Value

Add a Connector vra01svr01b.rainpole.local

Bind DN Password svc-vra_password

Domain Admin Password domain_admin_password


In the Idp Hostname text box, enter vra01svr01.rainpole.local, which is the host name of the load
balancer, and click Save.

5.5.4 Assign Tenant Administrative Roles to Active Directory Users in Region A


After vRealize Automation Directories Management is associated with your Active Directory domain,
domain users can administer the tenant. Assign domain user groups for tenant and infrastructure
administrators.
Procedure
Log in to the vRealize Automation portal.
a. Open a Web browser and go to https://vra01svr01.rainpole.local/vcac.
b. Log in using the following credentials.

Setting Value


User name administrator

Password vra_administrator_password

On the Tenants page, click the Rainpole tenant to edit its settings.
Click the Administrators tab to assign domain user groups for tenant and infrastructure
administrators.
a. Enter ug-ITAC-TenantAdmins in the Tenant administrators search text box and press
Enter.
b. Enter ug-ITAC-TenantAdmins in the IaaS administrators search text box and press Enter.
c. Click Finish.

5.5.5 Brand the Tenant Login Pages in Region A


Apply custom branding on a per-customer basis to the vRealize Automation tenant login pages.
System administrators control the default branding for all tenants. As a tenant administrator, you
change the branding of the portal, which includes the logo, the background color, and the information
in the header and footer. If the branding for a tenant is changed, a tenant administrator can always
revert to the system defaults.
Procedure
Log in to the vRealize Automation portal.
a. Open a Web browser and go to https://vra01svr01.rainpole.local/vcac.
b. Log in using the following credentials.

Setting Value

User name administrator

Password vra_administrator_password

Navigate to Administration, click Branding, and deselect the Use default check box.
On the Header tab, specify the following settings for the header branding.

Setting Value

Company Name Rainpole


Product Name Infrastructure Service Portal

Background hex color 3989C7

Text hex color FFFFFF

Click the Footer tab, specify the following settings for the footer branding and click Finish.

Setting Value

Copyright notice Copyright Rainpole. All Rights Reserved

Privacy policy link https://www.rainpole.local

Contact link https://www.rainpole.local/contact

5.5.6 Configure the Default Email Servers in Region A


System administrators configure inbound and outbound email servers to handle email notifications
about events involving tenants' machines. System administrators can create only one inbound email
server and one outbound email server. These servers are the defaults for all tenants.
If tenant administrators do not override the default email server settings before they enable
notifications, vRealize Automation uses the globally configured email server.
Procedure
Log in to the vRealize Automation portal.
a. Open a Web browser and go to https://vra01svr01.rainpole.local/vcac.
b. Log in using the following credentials.

Setting Value

User name administrator

Password vra_administrator_password


Navigate to Administration > Email Servers and click New.

In the New Email Server dialog box, select Email - Inbound and click OK.


On the New Inbound Email page, specify the following values, click Test Connection to verify
that the settings are correct, and click OK.

Setting Value

Name Rainpole-Inbound

Security Deselected

Protocol IMAP

Server Name email.rainpole.local

Server Port 143

Folder Name INBOX

Processed Email Deselected

User Name [email protected]

Password vra_administrator_password

Email Address [email protected]

On the Email Servers page, click New to configure the outbound server settings.
In the New Email Server dialog box, select Email - Outbound and click OK.
On the New Outbound Email page, specify the following values, click Test Connection to verify
that the settings are correct, and click OK.

Setting Value

Name Rainpole-Outbound

Server Name email.rainpole.local

Server Port 25

Encryption Method None

Authentication Selected

User Name [email protected]

Password vra_administrator_password

Sender Address [email protected]

5.6 vRealize Orchestrator Installation in Region A


VMware vRealize Orchestrator is a platform that provides a library of extensible workflows to allow
you to create and run automated, configurable processes to manage the VMware vSphere
infrastructure as well as other VMware and third-party technologies. Orchestrator is composed of
three distinct layers: an orchestration platform that provides the common features required for an
orchestration tool, a plug-in architecture to integrate control of subsystems, and a library of workflows.
Orchestrator is an open platform that can be extended with new plug-ins and libraries, and can be
integrated into larger architectures through a REST API.
 Install vRealize Orchestrator in Region A
 Integrate vRealize Orchestrator with vRealize Automation in Region A

5.6.1 Install vRealize Orchestrator in Region A


Deploy and configure two vRealize Orchestrator appliances to provide the SDDC foundation
orchestration engine.
Install and configure the multi-node plug-in to provide disaster recovery capability through vRealize
Orchestrator content replication.


Prerequisites
 Verify that you have successfully generated a CA-Signed certificate for vRealize Orchestrator.
See Generate Certificates for the Cloud Management Platform (Region A).
 Verify that you have created an empty SQL Server database for vRealize Orchestrator. See
Create a SQL Server Database for vRealize Orchestrator (Region A).
 Verify that you have downloaded the NSX Plug-in for vRealize Orchestrator .vmoapp file.
Procedure
 Deploy the vRealize Orchestrator Virtual Appliances in Region A
 Configure the Certificate for vRealize Orchestrator in Region A
 Configure NTP for vRealize Orchestrator in Region A
 Install the NSX Plugin for vRealize Orchestrator in Region A
 Configure Component Registry Authentication for vRealize Orchestrator Host A in Region A
 Configure the vRealize Orchestrator Cluster in Region A
 Configure Component Registry Authentication for vRealize Orchestrator Host B in Region A
 Add Compute vCenter Server Instance to vRealize Orchestrator in Region A

5.6.1.1. Deploy the vRealize Orchestrator Virtual Appliances in Region A


You deploy two vRealize Orchestrator virtual appliances. Perform this procedure twice to deploy the
two appliances by using the respective values for the different hosts.

vRealize Orchestrator Appliance IP Address Virtual Machine

Host A 192.168.11.63 vra01vro01a.rainpole.local

Host B 192.168.11.64 vra01vro01b.rainpole.local

Procedure
Log in to vCenter Server by using the vSphere Web Client.
a. In a Web browser, go to https://mgmt01vc01.sfo01.rainpole.local/vsphere-
client.
b. Log in using the following credentials.

Setting Value

User name [email protected]

Password vsphere_admin_password

Navigate to the mgmt01vc01.sfo01.rainpole.local vCenter Server instance.


Right-click mgmt01vc01.sfo01.rainpole.local and select Deploy OVF Template.
On the Select source page, browse to the vRealize Orchestrator .ova file on your local machine,
and click Next.
On the Review Details page, click Next.


On the Accept License Agreements page, accept the end user license agreements and click
Next.
On the Select name and folder page, enter the following information for the host that you deploy
and click Next.

Setting Value for Host A Value for Host B

Name vra01vro01a.rainpole.local vra01vro01b.rainpole.local

Select a folder or data center vRA01 vRA01

On the Select a Resource page, select the SFO01-Mgmt01 cluster and click Next.

On the Select storage page, select the datastore.
a. From the Select virtual disk format drop-down menu, select Thin Provision.
b. From the VM Storage Policy drop-down menu, select Virtual SAN Default Storage Policy.
c. From the datastore table, select the SFO01A-VSAN01-MGMT01 Virtual SAN datastore and
click Next.
On the Setup networks page, select the distributed port group on the distributed switch that ends
with Mgmt-xRegion01-VXLAN and click Next.
On the Customize template page, select the following values and click Next.

Setting Value for Host A Value for Host B

Initial Root Password hostA_root_password hostB_root_password

Initial configuration interface password hostA_GUI_pwd hostB_GUI_pwd

Enable SSH service in the appliance Selected Selected

Hostname vra01vro01a.rainpole.local vra01vro01b.rainpole.local

Default Gateway 192.168.11.1 192.168.11.1

Domain Name rainpole.local rainpole.local

Domain Search Path rainpole.local rainpole.local

DNS server 172.16.11.5,172.17.11.5 172.16.11.5,172.17.11.5

Network 1 IP address 192.168.11.63 192.168.11.64

Network 1 Netmask 255.255.255.0 255.255.255.0

On the Ready to complete page, review the configuration settings, check Power on the
appliance after deployment and click Finish.
Repeat the procedure for Host B.


5.6.1.2. Configure the Certificate for vRealize Orchestrator in Region A


Import the previously generated certificates for vRealize Orchestrator from the vRealize Orchestrator
Control Center. You must import the certificates on both of the vRealize Orchestrator virtual
machines.
For more information about the generation process, see Generate Certificates for the Cloud
Management Platform in Region A.

Host Virtual Machine

Host A https://vra01vro01a.rainpole.local:8283/vco-controlcenter

Host B https://vra01vro01b.rainpole.local:8283/vco-controlcenter

Procedure
Log in to the vRealize Orchestrator Control Center.
a. Open a Web browser and go to https://vra01vro01a.rainpole.local:8283/vco-controlcenter.
b. Log in using the following credentials.

Setting Value

User name vmware

Password hostA_root_password

From the Home page, under Manage, click Certificates.


Click the Orchestrator Server SSL Certificate tab, and click Import > Import from a PEM-
encoded file.
Browse to the vrealize-full.pem file in the vro folder on your local machine.
In the Key Password text box, enter the vro_vrealize_full_pem_pass password that you
entered during the generation process of the certificate for vRealize Orchestrator and click
Import.
Restart the vRealize Orchestrator appliance for the changes to take effect.
a. From the Home page, under Manage, click Startup Options.
b. On the Startup Options page, click Restart.
Repeat the procedure for the second vRealize Orchestrator virtual appliance
vra01vro01b.rainpole.local.

5.6.1.3. Configure NTP for vRealize Orchestrator in Region A


Configure the network time protocol (NTP) for the vRealize Orchestrator appliances from the virtual
appliance management interface (VAMI).
Repeat this procedure on both vRealize Orchestrator virtual appliances.

Host Virtual Machine

Host A https://vra01vro01a.rainpole.local:5480


Host B https://vra01vro01b.rainpole.local:5480

Procedure
Log in to the vRealize Orchestrator appliance management console.
a. Open a Web browser and go to https://vra01vro01a.rainpole.local:5480.
b. Log in using the following credentials.

Setting Value

User name root

Password hostA_root_password

Configure the appliance to use a time server.
a. Click the Admin tab, and click Time Settings.
b. Under Time Settings, set Time Sync Mode to Use Time Server.
c. Click the Add icon to enter a new time server.
d. In the Time Server text box, enter ntp.sfo01.rainpole.local.
e. Click the Add icon to enter another time server.
f. In the second Time Server text box, enter ntp.lax01.rainpole.local and click Save
Settings.

Repeat this procedure on the other vRealize Orchestrator appliance vra01vro01b.rainpole.local.


5.6.1.4. Install the NSX Plugin for vRealize Orchestrator in Region A


Install the NSX Plugin for vRealize Orchestrator for each vRealize Orchestrator virtual appliance that
will be part of your vRealize Orchestrator cluster.
Perform the procedure twice to configure the NSX Plugin for both vRealize Orchestrator virtual
appliances.

Host Virtual Machine vRealize Orchestrator configuration page

Host A vra01vro01a.rainpole.local https://vra01vro01a.rainpole.local:8283/vco-controlcenter

Host B vra01vro01b.rainpole.local https://vra01vro01b.rainpole.local:8283/vco-controlcenter

Procedure
Log in to the vRealize Orchestrator Control Center.
a. Open a Web browser and go to https://vra01vro01a.rainpole.local:8283/vco-
controlcenter.
b. Log in using the following credentials.

Setting Value

User name root

Password hostA_root_password

Install the NSX Plug-in for vRealize Orchestrator.
a. From the Home page, under Plug-Ins, click Manage Plug-Ins.
b. Browse to the NSX Plug-in for vRealize Orchestrator .vmoapp file on your local machine, and
click Install.
c. After the plug-in file loads in the vRealize Control Center, accept the EULA and click Install.
Wait for confirmation that the plug-in installed successfully.
Restart the vRealize Orchestrator appliance for the changes to take effect.
a. Click Home and under Manage, click Startup Options.
b. On the Startup Options page, click Restart.
Repeat the procedure for the second vRealize Orchestrator virtual appliance
vra01vro01b.rainpole.local.

5.6.1.5. Configure Component Registry Authentication for vRealize Orchestrator in Region A


After you install the NSX plugin, you configure component registry authentication with vRealize
Automation for vRealize Orchestrator.
Use component registry authentication mode when configuring vRealize Orchestrator as an external
Orchestrator with a vRealize Automation system. This enables the usage of Single Sign-On
authentication through vRealize Automation.


Procedure
Log in to the vRealize Orchestrator Control Center.
a. Open a Web browser and go to https://vra01vro01a.rainpole.local:8283/vco-controlcenter.
b. Log in using the following credentials.

Setting Value

User name root

Password hostA_root_password

Configure vRealize Automation as a vRealize Orchestrator authentication provider.
a. On the Home page, under Manage, click Configure Authentication Provider.
b. On the Authentication Provider tab, select vRealize Automation from the Authentication
mode drop-down menu.
c. Enter vra01svr01.rainpole.local in the Host address text box and click Connect.

d. Click Accept Certificate, enter the following credentials of the vRealize Automation
administrator account, and click Register.

Setting Value

User name administrator

Password vra_administrator_password


Configure Licenses Selected

Default Tenant Rainpole

e. In the Admin group text box, enter vRO and click Search.
f. From the drop-down menu, select rainpole.local\ug-vROAdmins and click Save Changes.

Restart the vRealize Orchestrator appliance for the changes to take effect.
a. Click Home and under Manage, click Startup Options.
b. On the Startup Options page, click Restart.


Test user administrative rights in vRealize Orchestrator.
a. Click Home and under Manage, click Configure Authentication Provider.
b. On the Test Login tab, enter the following credentials and click Test.

Setting Value

User name svc-vra

Password svc-vra_password

A green banner with the text "Info: The user has administrative rights in vRealize Orchestrator"
appears, confirming that the configuration is successful.

5.6.1.6. Configure the vRealize Orchestrator Cluster Mode in Region A


An essential component of all services offered by the SDDC is high availability to the end user. To
increase the availability of vRealize Orchestrator, configure a vRealize Orchestrator cluster. A
vRealize Orchestrator cluster is a collection of two or more vRealize Orchestrator server instances
that share a database.
 Generate the vRealize Orchestrator Certificate in Region A
 Configure the SQL Server Database for vRealize Orchestrator in Region A
 Configure vRealize Orchestrator Cluster Mode in Region A

5.6.1.6.1. Generate the vRealize Orchestrator Certificate in Region A


vRealize Orchestrator uses two certificates. One of the certificates was previously created using an
external Certificate Authority. In this procedure you create a second, self-signed certificate which is
used by the appliance to sign workflow packages.

You perform these steps only on Host A. When you set up clustering for Host A and Host B, the
certificate is copied to Host B.


Procedure
Log in to the vRealize Orchestrator Control Center.
a. Open a Web browser and go to https://vra01vro01a.rainpole.local:8283/vco-controlcenter.
b. Log in using the following credentials.

Setting Value

User name root

Password hostA_root_password

On the Home page, under Manage, click Certificates.
Click the Package Signing Certificate tab, and click Generate.
In the Generate a new Package Signing Certificate page, specify the following settings and
click Generate.

Setting Value

Signature Algorithm SHA512withRSA

Common Name vra01vro01.rainpole.local

Organization Rainpole

Organizational Unit Engineering

Country Code US


Wait for confirmation that the certificate is generated successfully.
Restart the vRealize Orchestrator appliance for the changes to take effect.
a. Click Home and under Manage, click Startup Options.
b. On the Startup Options page, click Restart.

5.6.1.6.2. Configure the SQL Server Database for vRealize Orchestrator in Region A
To create a vRealize Orchestrator cluster, you must configure your deployment to use a shared
database that accepts multiple connections. A shared database can accept connections from different
vRealize Orchestrator instances.
Perform the procedure twice to configure the SQL Server database for both vRealize Orchestrator
appliances.

Host Virtual Machine vRealize Orchestrator configuration page

Host A vra01vro01a.rainpole.local https://vra01vro01a.rainpole.local:8283/vco-controlcenter

Host B vra01vro01b.rainpole.local https://vra01vro01b.rainpole.local:8283/vco-controlcenter

Procedure
Log in to the vRealize Orchestrator Control Center.
a. Open a Web browser and go to https://vra01vro01a.rainpole.local:8283/vco-
controlcenter.


b. Log in using the following credentials.

Setting Value

User name root

Password hostA_root_password

Configure the SQL Server Database.
a. On the Home page, under Database, click Configure Database.
b. Enter the following settings to configure the database and click Save Changes.
Leave the Instance (if any) text box empty if your SQL Server database was installed by
using the default server instance name.

Setting Value

Database Type SQLServer

Server address vra01mssql01.rainpole.local:1433

Use SSL Deselected

Database Name VRODB-01

User name svc-vro

Password svc_vro_password

Domain rainpole.local

Use Windows authentication mode (NTLMv2) Selected


c. Click Save Changes.
Repeat the procedure for the second vRealize Orchestrator appliance
vra01vro01b.rainpole.local.

5.6.1.6.3. Configure vRealize Orchestrator Cluster Mode in Region A


The final step in cluster setup is configuration of the cluster mode.
Procedure
Log in to the vRealize Orchestrator Control Center.
a. Open a Web browser and go to https://vra01vro01a.rainpole.local:8283/vco-
controlcenter.
b. Log in using the following credentials.

Setting Value

User name root

Password hostA_root_password

Configure the vRealize Orchestrator cluster mode.
a. On the Home page, click Manage, and click Orchestrator Node Settings.
b. In the Number of active nodes text box, enter 2, and click Save.
c. Click Home, click Manage, and click Join Node To Cluster.
d. On the Join Node To Cluster page, enter the following values and click Join to join the
second vRealize Orchestrator appliance to the cluster.


Setting Value

Hostname vra01vro01b.rainpole.local

User name root

Password hostB_root_password

Restart the vRealize Orchestrator appliance for the changes to take effect.
a. Click Home and under Manage, click Startup Options.
b. On the Startup Options page, click Restart.

5.6.1.7. Configure Component Registry Authentication for vRealize Orchestrator Host B in Region A


After you install the NSX plugin, you can configure component registry authentication with vRealize
Automation for vRealize Orchestrator.
When you use component registry authentication mode, you integrate with the vRealize Automation
Single Sign-On authentication setup. You can set this up when configuring vRealize Orchestrator as
an external Orchestrator with a vRealize Automation system.

Note For the second host on the cluster (host B), you configure the component registration after
you set up the cluster.

Procedure
Log in to the vRealize Orchestrator Control Center.
a. Open a Web browser and go to https://vra01vro01b.rainpole.local:8283/vco-controlcenter.


b. Log in using the following credentials.

Setting Value

User name root

Password hostB_root_password

Configure vRealize Automation as a vRealize Orchestrator authentication provider.
a. On the Home page, under Manage, click Configure Authentication Provider.
b. On the Authentication Provider tab, select vRealize Automation from the Authentication
mode drop-down menu.
c. Enter vra01svr01.rainpole.local in the Host address text box and click Connect.

d. Click Accept Certificate, enter the vRealize Automation administration information, and click
Register.

Setting Value

User name administrator

Password vra_administrator_password

Configure Licenses Selected

Default Tenant Rainpole


e. In the Admin group text box, enter vRO and click Search.
f. From the drop-down menu, select rainpole.local\ug-vROAdmins and click Save Changes.

Restart the vRealize Orchestrator appliance for the changes to take effect.
a. Click Home and under Manage, click Startup Options.
b. On the Startup Options page, click Restart.
Test user administrative rights in vRealize Orchestrator.
a. Click Home and under Manage, click Configure Authentication Provider.
b. On the Test Login tab, enter the following credentials and click Test.

Setting Value

User name svc-vra


Password svc-vra_password

A green banner with the text "Info: The user has administrative rights in vRealize Orchestrator"
appears, confirming that the configuration is successful.

5.6.1.8. Add Compute vCenter Server Instance to vRealize Orchestrator in Region A


To allow vCenter Server and vRealize Orchestrator to communicate, add to vRealize Orchestrator each
vCenter Server instance that contributes resources to vRealize Automation and uses vRealize
Orchestrator workflows.
Prerequisites
Install Java SE Development Kit that is required to run the vRealize Orchestrator Client.
Procedure
Log in to the vRealize Orchestrator Client.
a. Open a Web browser and go to https://vra01vro01a.rainpole.local:8281 and
click Start Orchestrator Client.
b. On the VMware vRealize Orchestrator login page, log in to the vRealize Orchestrator Host
A by using the following values.

Setting Value

Host name vra01vro01a.rainpole.local:8281

User name svc-vra

Password svc-vra_password

In the left pane, click Workflows, and navigate to Library > vCenter > Configuration.
a. Right-click the Add a vCenter Server instance workflow and click Start Workflow.

© 2016 VMware, Inc. All rights reserved.

Page 470 of 545


VMware Validated Design Deployment Guide for Region A

b. On the Set the vCenter Server Instance page, configure the following settings and click
Next.

Setting Value

IP or hostname of the vCenter Server instance to add comp01vc01.sfo01.rainpole.local

HTTPS port of the vCenter Server instance 443

Location of SDK that you use to connect /sdk

Will you orchestrate this instance Yes

Do you want to ignore certificate warnings Yes

c. On the Set the connection properties page, configure the following settings, and click
Submit.

Setting Value

Use a session per user No

vCenter Server user name [email protected]

vCenter Server user password svc-vro_password

© 2016 VMware, Inc. All rights reserved.

Page 471 of 545


VMware Validated Design Deployment Guide for Region A

Verify that the workflow completed successfully, click the Inventory tab and expand vCenter
Server.
You see the vCenter Server instance that you just added.

5.6.2 Integrate vRealize Orchestrator with vRealize Automation

Set up the vRealize Automation solution to work with the external vRealize Orchestrator instance.
• Configure vRealize Orchestrator Server in Region A
• Create a vRealize Orchestrator Endpoint in Region A

5.6.2.1. Configure vRealize Orchestrator Server in Region A

When you use vRealize Automation workflows to call vRealize Orchestrator workflows, you must configure vRealize Orchestrator as an endpoint.
Procedure
1. Log in to the vRealize Automation portal.
a. Open a Web browser and go to https://vra01svr01.rainpole.local/vcac.
b. Log in using the following credentials.

Setting Value

User name administrator

Password vra_administrator_password

2. Click Advanced Services > Server Configuration.
3. On the Server Configuration page, select the Use an external Orchestrator server radio button, enter the following settings, and click Test Connection.

Setting Value

Name vra01vro01.rainpole.local

Host vra01vro01.rainpole.local

Port 8281

Authentication Single-Sign On

4. Click Update to save the settings and click OK to accept the warning message that appears.
If the configuration is successful, a confirmation message appears.

5.6.2.2. Create a vRealize Orchestrator Endpoint in Region A

IaaS administrators are responsible for creating the endpoints that allow vRealize Automation to communicate with your infrastructure. You create a vRealize Orchestrator endpoint that vRealize Automation uses to call vRealize Orchestrator workflows.
Procedure
1. Log in to the Rainpole Infrastructure Service Portal.
a. Open a Web browser and go to https://vra01svr01.rainpole.local/vcac/org/rainpole.
b. Log in using the following credentials.

Setting Value

User name itac-tenantadmin

Password itac_tenantadmin_password

Domain rainpole.local

2. Select Infrastructure > Endpoints > Credentials.
3. Click New to create a credential for the vRealize Orchestrator administrator by using the following settings, and click Save.

Setting Value

Name vRO Admin

Description Administrator of vra01vro01

User Name [email protected]

Password svc_vra_password

4. Create a new endpoint for vRealize Orchestrator.
a. Select Infrastructure > Endpoints > Endpoints.
b. Click New > Orchestration > vRealize Orchestrator, enter the following settings, and click New to add a custom property.

Setting Value

Name vra01vro01.rainpole.local

Address https://vra01vro01.rainpole.local:8281/vco

Credentials vRO Admin

c. Enter the following settings for the custom property, click Save, and click OK.

Setting Value

Name VMware.VCenterOrchestrator.Priority

Value 1

Encrypted Deselected

5. Start the data collection for the newly created endpoint.
a. Hover over the vRealize Orchestrator endpoint in the Endpoints list and click Data Collection.
b. Click Start to begin the vRealize Orchestrator data collection process.
Wait several minutes for the data collection process to complete.
c. Click Refresh to verify that the data collection was successful.
When a status message about successful data collection appears, the configuration is successful.

5.7 vRealize Business Installation in Region A


vRealize Business is an IT financial management tool that provides transparency and control over the costs and quality of IT services, enabling alignment with the business and acceleration of IT transformation.
Install vRealize Business and integrate it with vRealize Automation to continuously monitor the cost of each individual virtual machine and of the data center as a whole.
• Deploy the vRealize Business Virtual Appliances in Region A
• Patch the vRealize Business Server Virtual Appliance in Region A
• Configure SSL Certificate for vRealize Business Server in Region A
• Configure NTP for vRealize Business in Region A
• Integrate vRealize Business with vRealize Automation in Region A
• Register the vRealize Business Data Collector with the Server in Region A
• Connect vRealize Business with the Compute vCenter Server in Region A

5.7.1 Deploy the vRealize Business Virtual Appliances in Region A

VMware vRealize Business for Cloud provides capabilities that allow users to gain greater visibility into the financial aspects of their cloud infrastructure and let them optimize and improve these operations.
You deploy two instances of vRealize Business, a Server and a Data Collector. Repeat this procedure twice to deploy the two appliances.

Setting Values for Server Values for Data Collector

Hostname vrb01svr01.rainpole.local vrb01col01.sfo01.rainpole.local

IP address 192.168.11.66 192.168.31.54

Name vra01bus01.rainpole.local vra01buc01.sfo01.rainpole.local

Select a folder or datacenter vRA01 vRA01IAS

Network Mgmt-xRegion01-VXLAN (192.168.11.x) Mgmt-RegionA01-VXLAN (192.168.31.x)

Cluster SFO01-Mgmt01 SFO01-Mgmt01

VM Storage Policy Virtual SAN Default Storage Policy Virtual SAN Default Storage Policy

Datastore SFO01A-VSAN01-MGMT01 SFO01A-VSAN01-MGMT01

Enter password vrb_server_root_password vrb_collector_root_password

Currency USD USD

Enable Server Selected Deselected

Enable SSH service in the appliance Selected Deselected

Customer Experience Improvement Program Selected Selected

Default gateway 192.168.11.1 192.168.31.1

Domain Name rainpole.local sfo01.rainpole.local

Domain Search Path rainpole.local sfo01.rainpole.local

Domain Name Servers 172.16.11.4,172.17.11.4 172.16.11.4,172.16.11.5

Network 1 IP Address 192.168.11.66 192.168.31.54

Network 1 Netmask 255.255.255.0 255.255.255.0

Procedure
1. Log in to vCenter Server by using the vSphere Web Client.
a. Open a Web browser and go to https://mgmt01vc01.sfo01.rainpole.local/vsphere-client.
b. Log in using the following credentials.

Setting Value

User name [email protected]

Password vsphere_admin_password

2. Navigate to the mgmt01vc01.sfo01.rainpole.local vCenter Server object.
3. Right-click the mgmt01vc01.sfo01.rainpole.local object and select Deploy OVF Template.
4. On the Select source page, select Local file, browse to the location of the vRealize Business virtual appliance .ova file on your file system, and click Next.
5. On the Review details page, examine the virtual appliance details, such as product, version, download and disk size, and click Next.
6. On the Accept License Agreements page, accept the end user license agreements and click Next.
7. On the Select name and folder page, enter the following information, and click Next.

Setting Value

Name vrb01svr01.rainpole.local

Select a folder or datacenter vRA01

8. On the Select a Resource page, select the SFO01-Mgmt01 cluster and click Next.
9. On the Select storage page, select the datastore.
a. Select Virtual SAN Default Storage Policy from the VM Storage Policy drop-down menu.
b. From the datastore table, select the SFO01A-VSAN01-MGMT01 Virtual SAN datastore and click Next.
10. On the Setup networks page, select the distributed port group that ends with Mgmt-xRegion01-VXLAN from the Destination drop-down menu and click Next.
11. On the Customize template page, configure the following values and click Next.

Setting Value

Enter password vrb_server_root_password

Currency USD

Enable Server Selected

Enable SSH service in the appliance Selected

Customer Experience Improvement Program Selected

Default gateway 192.168.11.1

Domain Name rainpole.local

Domain Search Path rainpole.local

Domain Name Servers 172.20.11.4,172.21.11.4

Network 1 IP Address 192.168.11.66

Network 1 Netmask 255.255.255.0

12. On the Ready to complete page, review the configuration settings you specified, select Power on after deployment, and click Finish.
13. Repeat the procedure to deploy the vRealize Business Data Collector vra01buc01.sfo01.rainpole.local.

5.7.2 Patch the vRealize Business Server Virtual Appliance in Region A

Apply a mandatory patch after vRealize Business is deployed. This patch provides fixes to multiple issues in the vRealize Business for Cloud 7.0.1 release.
For information about the patch, see the VMware knowledge base article https://kb.vmware.com/kb/2145122.
Prerequisites
• Download the vRBC_server_701EP.zip patch file from the vRealize Business Product Download page and place it in the /tmp folder of the vra01bus01.rainpole.local virtual appliance.
Procedure
1. Log in to the vRealize Business server by using a Secure Shell (SSH) client.
a. Open an SSH connection to the virtual machine vra01bus01.rainpole.local.
b. Log in using the following credentials.

Setting Value

User name root

Password vrb_server_root_password

2. Verify that all services are up and running.
monit summary
3. Navigate to the /tmp directory where the patch file is.
cd /tmp
4. Extract the archive.
unzip vRBC_server_701EP.zip
5. Navigate to the unzipped directory.
cd vRBC_server_701EP
6. Apply the patch.
sh apply-hot-patch
7. Wait for the patch to apply and verify that the services are running.
monit summary
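Steps 2 and 7 rely on reading the monit summary output by eye. The following Python script is an added example, not part of this guide or of the vRealize Business appliance: it parses that output so that a patch run can stop when a service is already down (a failure seen after the patch could otherwise not be attributed to it) and can confirm afterwards that every service is back, and it compares the SHA-256 digest of the downloaded archive with a value taken from the download page. The two monit output samples, the service names in the required list, and the digest placeholder are constructed assumptions, not values from the guide.

```python
"""Service health gate around the vRealize Business hot patch.

Added example; not part of the VMware Validated Design guide or of the
appliance. It parses the text that `monit summary` prints so a patch run can
refuse to start while a service is already down and can confirm afterwards
that every service came back, and it checks the SHA-256 of the downloaded
archive against a digest obtained from the vendor download page. Both monit
outputs below are constructed; service names on a real appliance may differ.
"""
import hashlib
import hmac
import re
import subprocess
from typing import Dict, List, Sequence

# Constructed sample output in the tabular form of `monit summary`.
SAMPLE_HEALTHY = """\
The Monit daemon 5.6 uptime: 2d 3h 14m

Process 'tcserver'                  Running
Process 'postgres'                  Running
Process 'itfm-mcm'                  Running
System 'vra01bus01'                 Running
"""

SAMPLE_DEGRADED = """\
The Monit daemon 5.6 uptime: 2d 3h 16m

Process 'tcserver'                  Does not exist
Process 'postgres'                  Running
Process 'itfm-mcm'                  Initializing
System 'vra01bus01'                 Running
"""

# One service per line: <type> '<name>' <status text>; the banner has no quotes.
_SERVICE_LINE = re.compile(r"^(\w+)\s+'([^']+)'\s+(.+?)\s*$")


def parse_monit_summary(text: str) -> Dict[str, str]:
    """Map each monitored service name to its status string."""
    services: Dict[str, str] = {}
    for line in text.splitlines():
        match = _SERVICE_LINE.match(line.strip())
        if match:
            _kind, name, status = match.groups()
            services[name] = status
    return services


def not_running(text: str) -> List[str]:
    """Sorted names of services whose status is anything other than Running."""
    return sorted(name for name, status in parse_monit_summary(text).items()
                  if status != "Running")


def safe_to_patch(text: str, required: Sequence[str] = ("tcserver", "postgres")) -> bool:
    """True only if every required service is present and no service is degraded."""
    services = parse_monit_summary(text)
    return all(services.get(name) == "Running" for name in required) and not not_running(text)


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of the archive contents."""
    return hashlib.sha256(data).hexdigest()


def archive_matches(data: bytes, expected_hex: str) -> bool:
    """Constant-time comparison of the archive digest with the published value."""
    return hmac.compare_digest(sha256_hex(data), expected_hex.lower())


if __name__ == "__main__":
    # Run on the appliance before `sh apply-hot-patch` and again afterwards.
    summary = subprocess.run(["monit", "summary"], capture_output=True,
                             text=True, check=True).stdout
    down = not_running(summary)
    print("all services running" if not down else f"not running: {', '.join(down)}")
    with open("/tmp/vRBC_server_701EP.zip", "rb") as archive:
        # Placeholder: compare this value with the digest published for the patch archive.
        print("archive sha256:", sha256_hex(archive.read()))
```

Run the script once before step 6 and once after step 7; if not_running reports anything before the patch, stop and fix the service first so that the post-patch state can be judged against a known-good baseline.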

5.7.3 Configure SSL Certificate for vRealize Business Server in Region A

Import the previously generated certificates for vRealize Business from the vRealize Business Appliance management console.
Prerequisites
• Verify that you have access to the vRealize Business certificates that you generated in Generate Certificates for the Cloud Management Platform in Region A.
Procedure
1. Log in to the vRealize Business Server appliance management console.
a. Open a Web browser and go to https://vra01bus01.rainpole.local:5480.
b. Log in using the following credentials.

Setting Value

User name root

Password vrb_server_root_password

2. Click the Administration tab and click SSL.
3. On the Replace SSL Certificate page, enter the values from the previously generated certificate for vRealize Business, and click Replace Certificate.
In the vrb folder that you created earlier during certificate generation, use the vrealize.key file for the Private Key and the vrealize.pem file for all certificates.

Setting Value

Choose mode Import PEM encoded Certificate

RSA Private Key (.pem) -----BEGIN RSA PRIVATE KEY-----private_key_value-----END RSA PRIVATE KEY-----

Certificate(s) (.pem) -----BEGIN CERTIFICATE-----Server_certificate_value-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----Intermediate_CA_certificate_value-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----Root_CA_certificate_value-----END CERTIFICATE-----

Private Key Passphrase vrb_cert_passphrase

4. Verify that the certificate changed successfully.
A success message appears that informs you that the SSL certificate was successfully configured.

Note If the Common Name text box displays a wrong common name, ignore it.

5. Click the System tab and click Reboot for the changes to take effect.

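The Replace SSL Certificate form takes the private key, the three-certificate chain and the passphrase as pasted PEM text, and a truncated last line or a mislabelled block is easy to introduce while copying. The following Python script is an added example, not part of this guide or of vRealize Business: it checks vrealize.key and vrealize.pem before you paste them (matching BEGIN and END labels, valid base64, each DER body one complete SEQUENCE, exactly one key, three certificate blocks) and reports whether the key is encrypted, which is the case in which the Private Key Passphrase field must be filled in. The DER payloads in its samples are constructed toy values, not real keys or certificates, and the structural check complements rather than replaces verifying the chain with openssl.

```python
"""PEM pre-check for the vRealize Business "Replace SSL Certificate" form.

Added example, not part of the VMware Validated Design guide or of any VMware
product. It checks that every BEGIN has a matching END, that the base64
decodes, that each DER body is one complete SEQUENCE, that the key file holds
exactly one key, and whether that key is encrypted (passphrase required).
The sample blocks are constructed toy payloads, not real keys or certificates.
"""
import base64
import binascii
import re
from typing import Dict, List, NamedTuple, Tuple


class PemBlock(NamedTuple):
    label: str               # e.g. "CERTIFICATE", "RSA PRIVATE KEY"
    headers: Dict[str, str]  # encapsulated headers such as Proc-Type, DEK-Info
    der: bytes               # decoded body


_BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$")
_END = re.compile(r"^-----END ([A-Z0-9 ]+)-----$")


def parse_pem(text: str) -> Tuple[List[PemBlock], List[str]]:
    """Split PEM text into blocks, collecting structural errors instead of raising."""
    blocks: List[PemBlock] = []
    errors: List[str] = []
    label, headers, body = None, {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if label is None:                      # outside a block: look for BEGIN
            match = _BEGIN.match(line)
            if match:
                label, headers, body = match.group(1), {}, []
            continue
        match = _END.match(line)
        if match:
            if match.group(1) != label:
                errors.append(f"END {match.group(1)!r} does not close BEGIN {label!r}")
            try:
                blocks.append(PemBlock(label, headers, base64.b64decode("".join(body), validate=True)))
            except binascii.Error:
                errors.append(f"{label}: body is not valid base64")
            label = None
        elif ":" in line and not body:         # header line before the body starts
            key, _, value = line.partition(":")
            headers[key.strip()] = value.strip()
        elif line:
            body.append(line)
    if label is not None:
        errors.append(f"unterminated {label} block")
    return blocks, errors


def der_length_ok(der: bytes) -> bool:
    """True if der is exactly one DER SEQUENCE whose length field matches the data."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:                          # short-form length
        length, header = der[1], 2
    else:                                      # long form: 0x80|n, then n length bytes
        n = der[1] & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        length, header = int.from_bytes(der[2:2 + n], "big"), 2 + n
    return header + length == len(der)


def key_is_encrypted(block: PemBlock) -> bool:
    """PKCS#8 marks encryption in the label; the OpenSSL traditional format uses Proc-Type."""
    return (block.label == "ENCRYPTED PRIVATE KEY"
            or block.headers.get("Proc-Type", "").endswith("ENCRYPTED"))


def check_bundle(key_text: str, chain_text: str, expected_certs: int = 3) -> dict:
    """Report on the key and chain files; an empty 'problems' list means they look ready."""
    blocks, problems = parse_pem(key_text)
    keys = [b for b in blocks if b.label.endswith("PRIVATE KEY")]
    encrypted = False
    if len(keys) != 1:
        problems.append(f"key file must hold exactly one PRIVATE KEY block, found {len(keys)}")
    else:
        encrypted = key_is_encrypted(keys[0])
        # A traditional-format encrypted body is raw ciphertext, not DER: skip the check.
        if "Proc-Type" not in keys[0].headers and not der_length_ok(keys[0].der):
            problems.append("private key body is not one complete DER structure")
    certs, chain_errors = parse_pem(chain_text)
    problems += chain_errors
    for i, block in enumerate(certs, 1):
        if block.label != "CERTIFICATE":
            problems.append(f"chain block {i} is {block.label!r}, not CERTIFICATE")
        elif not der_length_ok(block.der):
            problems.append(f"certificate {i} body is truncated or has trailing bytes")
    if len(certs) != expected_certs:
        problems.append(f"expected {expected_certs} certificate blocks (server, intermediate CA, "
                        f"root CA), found {len(certs)}")
    return {"certificates": len(certs), "key_encrypted": encrypted, "problems": problems}


# Constructed samples: toy DER payloads, not real keys or certificates.
def _pem(label: str, body: bytes, headers: str = "") -> str:
    b64 = base64.b64encode(body).decode()
    return f"-----BEGIN {label}-----\n{headers}{b64}\n-----END {label}-----\n"


DER_OK = bytes([0x30, 0x03, 0x02, 0x01, 0x05])         # SEQUENCE { INTEGER 5 }
DER_TRUNCATED = bytes([0x30, 0x10, 0x02, 0x01, 0x05])  # length field says 16, only 3 follow
SAMPLE_KEY_PLAIN = _pem("RSA PRIVATE KEY", DER_OK)
SAMPLE_KEY_ENCRYPTED = _pem("RSA PRIVATE KEY", b"opaque-ciphertext",
                            "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,0011223344556677\n\n")
SAMPLE_CHAIN_OK =_pem("CERTIFICATE", DER_OK) * 3       # server, intermediate CA, root CA
SAMPLE_CHAIN_TRUNCATED = _pem("CERTIFICATE", DER_TRUNCATED) + _pem("CERTIFICATE", DER_OK)
SAMPLE_MISMATCH = "-----BEGIN CERTIFICATE-----\nMAMCAQU=\n-----END RSA PRIVATE KEY-----\n"
```

To use it on the real files, call check_bundle with the contents of vrb/vrealize.key and vrb/vrealize.pem; an empty problems list and key_encrypted set to True together mean the three form fields, passphrase included, are all needed.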
5.7.4 Configure NTP for vRealize Business in Region A

Configure the Network Time Protocol (NTP) on both vRealize Business appliances from the virtual appliance management interface (VAMI).
Perform the procedure on both the vRealize Business Server and the vRealize Business Data Collector virtual appliances.

Host VAMI URL

Server https://vra01bus01.rainpole.local:5480

Data Collector https://vra01buc01.sfo01.rainpole.local:5480

Procedure
1. Log in to the vRealize Business Server virtual appliance management interface.
a. Open a Web browser and go to https://vra01bus01.rainpole.local:5480.
b. Log in using the following credentials.

Setting Value

User name root

Password vrb_server_root_password

2. Configure the appliance to use a time server.
a. Click the Administration tab and click Time Settings.
b. On the Time Settings page, enter the following settings and click Save Settings.

Setting Value

Time Sync. Mode Use Time Server

Time Server #1 ntp.sfo01.rainpole.local

Time Server #2 ntp.lax01.rainpole.local

3. Repeat the procedure on the vRealize Business Data Collector virtual appliance vra01buc01.sfo01.rainpole.local.

5.7.5 Integrate vRealize Business with vRealize Automation in Region A

To prepare vRealize Business for use, you must register the vRealize Business Server with vRealize Automation by using the management interface.
Procedure
1. Log in to the vRealize Business Server virtual appliance management interface.
a. Open a Web browser and go to https://vra01bus01.rainpole.local:5480.
b. Log in using the following credentials.

Setting Value

User name root

Password vrb_server_root_password

2. Navigate to the vRealize Automation tab and enter the following credentials to register with the vRealize Automation server.

Setting Value

Hostname vra01svr01.rainpole.local

SSO Default Tenant Rainpole

SSO Admin User Administrator

SSO Admin Password vra_administrator_password

Accept "vRealize Automation" certificate Deselected

3. Click Register to connect to vRealize Automation and get its certificate.
Wait until the SSO status changes to The certificate of "vRealize Automation" is not trusted. Please view and accept to register.
4. Click the View "vRealize Automation" certificate link to download the vRealize Automation certificate, and check that it is the certificate you installed on vRealize Automation before you accept it.
5. Select the Accept "vRealize Automation" certificate check box, and click Register again.
The SSO Status changes to Connected to vRealize Automation.

5.7.6 Register the vRealize Business Data Collector with the Server in Region A

After vRealize Business is integrated with vRealize Automation, connect the two appliances of vRealize Business.
Because a tenant is configured in vRealize Automation, registration of the vRealize Business Data Collector appliance with the Server is performed by using the following procedure:
• Grant an added role to the tenant admin, enter the product license key, and generate a one-time key from vRealize Automation.
• Register the Data Collector with the vRealize Business Server.
Procedure
1. Log in to vRealize Automation as a tenant admin.
a. Open a Web browser and go to https://vra01svr01.rainpole.local/vcac/org/rainpole.
b. Log in using the following credentials.

Setting Value

User name ITAC-TenantAdmin

Password TenantAdmin_password

Domain rainpole.local

2. Navigate to Administration > Users & Groups > Directory Users & Groups.
3. In the search text box, enter ug-ITAC-TenantAdmins.
4. Click the ug-ITAC-TenantAdmins group to edit its settings.
5. On the Edit Group page, in the Add Roles to this Group list, select the Business Management Administrator role to add this role and click Finish.
6. Log out, and log in again by using the same credentials.
7. Assign a license to the vRealize Business solution.
a. Click the Business Management tab.
b. Under License, enter your serial number for vRealize Business, and click Save.
8. Generate a one-time use key for connecting the two vRealize Business appliances.
a. Navigate to Administration > Business Management.
b. Expand the Manage Data Collector > Remote Data Collection section.
c. Click Generate a new one time use key.
d. Save the one-time use key because you need it at a later stage.
9. Log in to the vRealize Business Data Collector console.
a. Open a Web browser and go to https://vra01buc01.sfo01.rainpole.local:9443/dc-ui.
b. Log in using the following credentials.

Setting Value

User name root

Password vrb_server_root_password

10. Register the Data Collector with the vRealize Business Server.
a. Expand the Registration with the vRealize Business Server section.
b. Enter the following values and click Register.
After you click Register, a warning message appears that informs you that the certificate is not trusted.

Setting Value

Enter the vRB Server Url https://vra01bus01.rainpole.local

Enter the One Time Key one_time_use_key

c. Click Install and click OK.

5.7.7 Connect vRealize Business with the Compute vCenter Server in Region A

vRealize Business requires communication with the Compute vCenter Server to collect data from the entire cluster. You perform this operation by using the vRealize Business Data Collector console.
Procedure
1. Log in to the vRealize Business Data Collector console.
a. Open a Web browser and go to https://vra01buc01.sfo01.rainpole.local:9443/dc-ui.
b. Log in using the following credentials.

Setting Value

User name root

Password vrb_server_root_password

2. Click Manage Private Cloud Connections, select vCenter Server, and click the Add icon.
3. In the Add vCenter Server Connection dialog box, enter the following settings, and click Save.

Setting Value

Name comp01vc01.sfo01.rainpole.local

vCenter Server comp01vc01.sfo01.rainpole.local

Username [email protected]

Password svc_vra_password

4. In the SSL Certificate warning dialog box, click Install.
5. In the Success dialog box, click OK.

5.8 Cloud Management Platform Post-Installation Tasks

After vRealize Automation and vRealize Orchestrator have been deployed, create anti-affinity rules to enable HA protection for both services, and enable health monitors to track the health status of the individual servers. Also delete the snapshots that were created during the vRealize Automation installation.
• Create Anti-Affinity Rules for vRealize Automation and vRealize Orchestrator Virtual Machines in Region A
• Enable Load Balancer Health Monitors in Region A
• Clean-up the vRealize Automation VMs Snapshots in Region A

5.8.1 Create Anti-Affinity Rules for vRealize Automation and vRealize Orchestrator Virtual Machines in Region A

After deploying the vRealize Automation and vRealize Orchestrator appliances, set up anti-affinity rules.
A VM/Host rule specifies a relationship between virtual machines, or between a group of virtual machines and a group of hosts. Anti-affinity rules force the specified virtual machines to remain apart during failover actions, and are a requirement for high availability.
Perform the procedure six times to create six unique anti-affinity rules.
Table 12. Anti-affinity Rules for the Cloud Management Platform

Name Type Member

vra-svr Separate Virtual Machines vra01svr01a.rainpole.local, vra01svr01b.rainpole.local

vra-iws Separate Virtual Machines vra01iws01a.rainpole.local, vra01iws01b.rainpole.local

vra-ims Separate Virtual Machines vra01ims01a.rainpole.local, vra01ims01b.rainpole.local

vra-dem Separate Virtual Machines vra01dem01.rainpole.local, vra01dem02.rainpole.local

vra-ias Separate Virtual Machines vra01ias01.sfo01.rainpole.local, vra01ias02.sfo01.rainpole.local

vra-vro Separate Virtual Machines vra01vro01a.rainpole.local, vra01vro01b.rainpole.local

Procedure
1. Log in to vCenter Server by using the vSphere Web Client.
a. Open a Web browser and go to https://mgmt01vc01.sfo01.rainpole.local/vsphere-client.
b. Log in using the following credentials.

Setting Value

User name [email protected]

Password vsphere_admin_password

2. From the Home page, click Hosts and Clusters.
3. Under mgmt01vc01.sfo01.rainpole.local, click SFO01, and click SFO01-Mgmt01.
4. Click the Manage tab, click Settings, and under Configuration, select VM/Host Rules.
5. Under VM/Host Rules, click Add to create a virtual machine anti-affinity rule.
6. In the Edit VM/Host Rule dialog box, specify the first rule for the vRealize Automation virtual appliances.
a. In the Name text box, enter vra-svr.
b. Select the Enable rule check box.
c. Select Separate Virtual Machines from the Type drop-down menu.
d. Click Add, select the vra01svr01a.rainpole.local and vra01svr01b.rainpole.local virtual machines, click OK, and click OK.
7. Repeat the procedure to configure the remaining anti-affinity rules.

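Once the six rules exist, DRS keeps each pair apart, but a rule that names a renamed or missing virtual machine protects nothing, and a rule added after a placement change may already be violated. The following Python script is an added example, not part of this guide: given the rules from Table 12 and a snapshot of which host each virtual machine runs on, it reports every rule whose members share a host and every member absent from the inventory. The placement data and the esxi-host-N names are constructed placeholders; in practice you would export the real placement from vCenter Server, for example with the PowerCLI Get-VM cmdlet, before feeding it to the audit.

```python
"""Anti-affinity placement audit for the cloud management platform VMs.

Added example, not part of the VMware Validated Design guide. It takes the
six "Separate Virtual Machines" rules from Table 12 and a snapshot of the ESXi
host each VM currently runs on, and reports every rule whose members share a
host, plus any rule member missing from the inventory (a rule that names a
missing VM silently protects nothing). The placement maps and the esxi-host-N
names are constructed placeholders, not values from the guide.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

# Rules from Table 12: rule name -> members that must run on different hosts.
ANTI_AFFINITY_RULES: Dict[str, Tuple[str, ...]] = {
    "vra-svr": ("vra01svr01a.rainpole.local", "vra01svr01b.rainpole.local"),
    "vra-iws": ("vra01iws01a.rainpole.local", "vra01iws01b.rainpole.local"),
    "vra-ims": ("vra01ims01a.rainpole.local", "vra01ims01b.rainpole.local"),
    "vra-dem": ("vra01dem01.rainpole.local", "vra01dem02.rainpole.local"),
    "vra-ias": ("vra01ias01.sfo01.rainpole.local", "vra01ias02.sfo01.rainpole.local"),
    "vra-vro": ("vra01vro01a.rainpole.local", "vra01vro01b.rainpole.local"),
}

# Constructed placement snapshot (VM -> host) with one violation and one missing VM.
SAMPLE_PLACEMENT: Dict[str, str] = {
    "vra01svr01a.rainpole.local": "esxi-host-1",
    "vra01svr01b.rainpole.local": "esxi-host-2",
    "vra01iws01a.rainpole.local": "esxi-host-3",
    "vra01iws01b.rainpole.local": "esxi-host-4",
    "vra01ims01a.rainpole.local": "esxi-host-2",   # shares a host with ims01b
    "vra01ims01b.rainpole.local": "esxi-host-2",
    "vra01dem01.rainpole.local": "esxi-host-1",
    "vra01dem02.rainpole.local": "esxi-host-3",
    "vra01ias01.sfo01.rainpole.local": "esxi-host-4",
    # vra01ias02.sfo01.rainpole.local is deliberately absent from the inventory
    "vra01vro01a.rainpole.local": "esxi-host-1",
    "vra01vro01b.rainpole.local": "esxi-host-4",
}

# Same inventory with ims01b moved and ias02 present; this one should audit clean.
COMPLIANT_PLACEMENT: Dict[str, str] = {
    **SAMPLE_PLACEMENT,
    "vra01ims01b.rainpole.local": "esxi-host-3",
    "vra01ias02.sfo01.rainpole.local": "esxi-host-1",
}


def audit(rules: Dict[str, Tuple[str, ...]], placement: Dict[str, str]) -> Dict[str, object]:
    """Return {'violations': {rule: {host: [vms]}}, 'missing': [vms not in placement]}."""
    violations: Dict[str, Dict[str, List[str]]] = {}
    missing: List[str] = []
    for rule, members in rules.items():
        by_host: Dict[str, List[str]] = defaultdict(list)
        for vm in members:
            host = placement.get(vm)
            if host is None:
                missing.append(vm)
            else:
                by_host[host].append(vm)
        shared = {host: vms for host, vms in by_host.items() if len(vms) > 1}
        if shared:
            violations[rule] = shared
    return {"violations": violations, "missing": sorted(missing)}


def is_compliant(rules: Dict[str, Tuple[str, ...]], placement: Dict[str, str]) -> bool:
    """True when no rule is violated and every rule member exists in the inventory."""
    result = audit(rules, placement)
    return not result["violations"] and not result["missing"]


if __name__ == "__main__":
    report = audit(ANTI_AFFINITY_RULES, SAMPLE_PLACEMENT)
    for rule, shared in report["violations"].items():
        for host, vms in shared.items():
            print(f"{rule}: {', '.join(vms)} are both on {host}")
    for vm in report["missing"]:
        print(f"not in inventory: {vm}")
```

A clean audit on the current placement is not the same as the rules being enabled in vCenter Server; the script verifies the outcome the rules are meant to guarantee, so run it again after any host failure or maintenance-mode evacuation.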
5.8.2 Enable Load Balancer Health Monitors in Region A

Enable the health checks for the load balancer SFOMGMT-LB01 that you previously disabled to proceed with the configuration of vRealize Automation.
Perform the procedure multiple times to configure the health monitor and enable the second member for the server pools as described in the following table.

Pool Name Monitor Enable Pool Member

vra-svr-443 vra-svr-443-monitor vra01svr01b

vra-svr-8444 vra-svr-443-monitor -

vra-iaas-web-443 vra-iaas-web-443-monitor vra01iws01b

vra-iaas-mgr-443 vra-iaas-mgr-443-monitor vra01ims01b

vra-vro-8281 vra-vro-8281-monitor vra01vro01b

Procedure
1. Log in to vCenter Server by using the vSphere Web Client.
a. Open a Web browser and go to https://mgmt01vc01.sfo01.rainpole.local/vsphere-client.
b. Log in using the following credentials.

Setting Value

User name [email protected]

Password vsphere_admin_password

2. In the Navigator, click Networking & Security, and select NSX Edges.
3. Select 172.16.11.65 from the NSX Manager drop-down menu, and double-click SFOMGMT-LB01 to edit its settings.
4. Click the Manage tab, click Load Balancer, and select Pools.
5. From the pools table, select the vra-svr-443 server pool, and click Edit.
6. In the Edit Pool dialog box, configure the monitor, and enable the member that is not enabled.
a. From the Monitors drop-down menu, select vra-svr-443-monitor.
b. From the Members table, select vra01svr01b and click Edit.
c. In the Edit Member dialog box, select the Enable Member check box, click OK, and click OK.
7. Repeat the procedure to configure the health monitor and enable the second member for the remaining server pools.

5.8.3 Clean-up the vRealize Automation VMs Snapshots in Region A

You made snapshots of each vRealize virtual machine during the vRealize Automation installation process. After a successful installation, delete these snapshots.
Procedure
1. Log in to vCenter Server by using the vSphere Web Client.
a. Open a Web browser and go to https://mgmt01vc01.sfo01.rainpole.local/vsphere-client.
b. Log in using the following credentials.

Setting Value

User name [email protected]

Password vsphere_admin_password

2. From the Home page, click VMs and Templates.
3. In the Navigator, expand the mgmt01vc01.sfo01.rainpole.local > SFO01 > VRA01 folder.
4. Right-click the vra01dem01.rainpole.local VM and select Snapshots > Manage Snapshots.
a. Select the Prior to vRA IaaS Component Installation snapshot and click Delete.
b. Confirm the deletion and click Close.
5. Repeat the procedure to remove the snapshots of the remaining vRealize Automation VMs.

Virtual Machines vCenter Server Folder

vra01svr01a.rainpole.local VRA01

vra01svr01b.rainpole.local VRA01

vra01iws01a.rainpole.local VRA01

vra01iws01b.rainpole.local VRA01

vra01ims01a.rainpole.local VRA01

vra01ims01b.rainpole.local VRA01

vra01dem01.rainpole.local VRA01

vra01dem02.rainpole.local VRA01

vra01ias01.sfo01.rainpole.local VRA01

vra01ias02.sfo01.rainpole.local VRA01

5.9 Content Library Configuration in Region A

Content libraries are container objects for VM templates, vApp templates, and other types of files. vSphere administrators can use the templates in the library to deploy virtual machines and vApps in the vSphere inventory. Sharing templates and files across multiple vCenter Server instances in the same or different locations brings consistency, compliance, efficiency, and automation to deploying workloads at scale.
You create and manage a content library from a single vCenter Server instance, but you can share the library items with other vCenter Server instances if HTTP(S) traffic is allowed between them.
• Configure a Content Library in the First Compute vCenter Server Instance in Region A
• Import the Virtual Machine Template OVF Files in Region A

5.9.1 Configure a Content Library in the First Compute vCenter Server Instance in Region A

Create a content library and populate it with templates that you can use to deploy virtual machines in your environment. Content libraries let you synchronize templates among different vCenter Server instances so that all of the templates in your environment are consistent.
There is only one Compute vCenter Server in this VMware Validated Design, but if you deploy more instances for the compute cluster, they can also use the content library that you configure.
Procedure
1. Log in to vCenter Server by using the vSphere Web Client.
a. Open a Web browser and go to https://comp01vc01.sfo01.rainpole.local/vsphere-client.
b. Use the following credentials to log in.

Setting Value

User name [email protected]

Password vsphere_admin_password

2. From the Home page, click Content Libraries, and click the Create new library icon.
The New Library wizard opens.
3. On the Name page, specify the following settings and click Next.

Setting Value

Name SFO01-ContentLib01

vCenter Server comp01vc01.sfo01.rainpole.local

4. On the Configure library page, specify the following settings, and click Next.

Setting Value

Local content library Selected

Publish content library externally Selected

Password ContentLib01_password

5. On the Add storage page, click the Select a datastore radio button, select the SFO01A-NFS01-VRALIB01 datastore to store the content library, and click Next.
6. On the Ready to complete page, click Finish.

5.9.2 Import the Virtual Machine Template OVF Files in Region A

Import the OVF packages that you previously prepared to use as templates for deploying virtual machines. The virtual machine templates you add to the content library are used as vRealize Automation blueprints.

VM Template Name Guest OS

redhat6-enterprise-64 Red Hat Enterprise Server 6 (64-bit)

windows-2012r2-64 Windows Server 2012 R2 (64-bit)

windows-2012r2-64-sql2012 Windows Server 2012 R2 (64-bit)

Prerequisites
• Verify that you have prepared the OVF templates, as specified in the Virtual Machine Template Specifications section.
Procedure
1. Log in to vCenter Server by using the vSphere Web Client.
a. Open a Web browser and go to https://comp01vc01.sfo01.rainpole.local/vsphere-client.
b. Use the following credentials to log in.

Setting Value

User name [email protected]

Password vsphere_admin_password

2. From the Home page, click Content Libraries, and click the Objects tab.
3. Right-click the content library SFO01-ContentLib01 and select Import Items.
4. In the Import Library Item dialog box, specify the settings for the first template.
a. As the Source file, select the Red Hat Enterprise Server 6 .ovf file.
b. In the Item name text box, enter redhat6-enterprise-64.
c. In the Notes text box, enter Red Hat Enterprise Server 6 (64-bit) as the description and click OK.
5. Repeat the procedure to import the remaining virtual machine templates.

5.10 Tenant Content Creation


In order to provision virtual machines in the Compute vCenter, the tenant must be configured to utilize
compute resources within vCenter Server.
Prerequisites
 Verify that a vCenter Server compute cluster has been deployed and configured. See "Deploy and
Configure the Compute and Edge Clusters Components in Region A."
 Verify that an NSX instance has been configured for use by the vCenter Server compute cluster.
See "Deploy and Configure the Compute and Edge Clusters NSX Instance in Region A."
 Verify that the IaaS vSphere proxy agents have been deployed.

 Create Logical Switches for Business Groups in Region A
 Configure User Roles in vRealize Automation in Region A
 Create Fabric Groups in Region A
 Create Machine Prefixes in Region A
 Create Business Groups in Region A
 Create Reservation Policies in Region A
 Create a vSphere Endpoint in vRealize Automation in Region A
 Add Compute Resources to a Fabric Group in Region A
 Create External Network Profiles in Region A
 Create Reservations for the Compute Cluster in Region A
 Create Reservations for the Edge Cluster in Region A
 Create Customization Specifications in Compute vCenter Server in Region A
 Create Virtual Machines Using VM Templates in the Content Library in Region A
 Convert the Virtual Machine to a VM Template in Region A
 Configure Single Machine Blueprints in Region A

5.10.1 Create Logical Switches for Business Groups in Region A


For each Compute vCenter Server instance, you create three logical switches per business group, one
each for the web, database, and application tiers.
You repeat this procedure six times to create six logical switches. The "Logical Switch Names and
Descriptions" table lists the logical switch names, and the business group and tier to which you assign
each switch.
Table 13. Logical Switch Names and Descriptions

Logical Switch Description

Production-Web-VXLAN Logical switch for Web tier of Production Business Group

Production-DB-VXLAN Logical switch for Database tier of Production Business Group

Production-App-VXLAN Logical switch for Application tier of Production Business Group


Development-Web-VXLAN Logical switch for Web tier of Development Business Group

Development-DB-VXLAN Logical switch for Database tier of Development Business Group

Development-App-VXLAN Logical switch for Application tier of Development Business Group

Procedure
Log in to vCenter Server by using the vSphere Web Client.
a. Open a Web browser and go
to https://comp01vc01.sfo01.rainpole.local/vsphere-client.
b. Log in using the following credentials.

Setting Value

User name [email protected]

Password vsphere_admin_password

Create a logical switch.


a. Click Networking & Security.
b. In the Navigator, select Logical Switches.
c. From the NSX Manager drop-down menu, select 172.16.11.66 as the NSX Manager.
d. Click the New Logical Switch icon.
The New Logical Switch dialog box appears.
e. In the New Logical Switch dialog box, enter the following settings, and click OK.

Setting Value

Name Production-Web-VXLAN

Description Logical switch for Web tier of Production Business Group

Transport Zone Comp Universal Transport Zone

Replication Mode Hybrid

Enable IP Discovery Selected

Enable MAC Learning Deselected


f. Repeat this procedure to create the remaining logical switches.

5.10.2 Configure User Roles in vRealize Automation in Region A


Roles are privileges that you associate with users to determine what tasks they can perform. Based
on their responsibilities, individuals might have one or more roles associated with their user account.
All user roles are assigned within the context of a specific tenant. However, some roles in the default
tenant can manage system-wide configuration settings that apply to multiple tenants.
Assign the tenant administration roles to the ug-ITAC-TenantAdmins group and only the Software
Architect role to the ug-ITAC-TenantArchitects group, so that each group holds just the privileges
its members need.
Procedure
Log in to the vRealize Automation Rainpole portal.
a. Open a Web browser and go
to https://vra01svr01.rainpole.local/vcac/org/rainpole.
b. Log in using the following credentials.

Setting Value

User name ITAC-LocalRainpoleAdmin

Password itac-localrainpoleadmin_password

Domain vsphere.local

Click the Administration tab.


Navigate to Users & Groups > Directory Users and Groups.
Enter ug-ITAC-TenantAdmins in the search box and press Enter.
The ug-ITAC-TenantAdmins group name displays in the Name field.


Click the user group name ug-ITAC-TenantAdmins.


In the Add Roles to this Group item list, select the Approval Administrator, Infrastructure
Architect, Software Architect, Tenant Administrator, and XaaS Architect check boxes, and
click Finish.

Enter ug-ITAC-TenantArchitects in the search box and press Enter.
The ug-ITAC-TenantArchitects group name displays in the Name field.
Click the user group name ug-ITAC-TenantArchitects.
In the Add Roles to this Group item list, select only the Software Architect check box, and click
Finish.

5.10.3 Create Fabric Groups in Region A


IaaS administrators can organize virtualization compute resources and cloud endpoints into fabric
groups by type and intent. One or more fabric administrators manage the resources in each fabric
group. Fabric administrators are responsible for creating reservations on the compute resources in
their groups to allocate fabric to specific business groups. Fabric groups are created in a specific
tenant, but their resources can be made available to users who belong to business groups in all
tenants.
Procedure


Log in to the vRealize Automation Rainpole portal.


a. Open a Web browser and go
to https://vra01svr01.rainpole.local/vcac/org/rainpole.
b. Log in using the following credentials.

Setting Value

User name itac-tenantadmin

Password itac-tenantadmin_password

Domain rainpole.local

Navigate to Infrastructure > Endpoints > Fabric Groups.


Click New Fabric Group, enter the following settings and click OK.

Note You have not yet configured a vCenter Endpoint, so no compute resource is currently
available for you to select. You will configure the vCenter Endpoint when you add a compute
vCenter to vRealize Automation.

Setting Value

Name SFO Fabric Group

Fabric administrators [email protected]

Log out of the vRealize Automation portal.


5.10.4 Create Machine Prefixes in Region A


As a fabric administrator, you create machine prefixes that are used to create names for machines
provisioned through vRealize Automation. Tenant administrators and business group managers select
these machine prefixes and assign them to provisioned machines through blueprints and business
group defaults.
Machine prefixes are shared across all tenants. Every business group has a default machine prefix.
Every blueprint must have a machine prefix or use the group default prefix. Fabric administrators are
responsible for managing machine prefixes. A prefix consists of a base name followed by a counter with
a specified number of digits. When all the digits are used, vRealize Automation wraps the counter around
to the first number, so a five-digit prefix yields at most 99999 unique machine names before names repeat.
Procedure
Log in to the vRealize Automation Rainpole portal.
a. Open a Web browser and go
to https://vra01svr01.rainpole.local/vcac/org/rainpole.
b. Log in using the following credentials.

Setting Value

User name itac-tenantadmin

Password itac-tenantadmin_password

Domain rainpole.local

Select Infrastructure > Administration > Machine Prefixes.


Click the New icon to create a default machine prefix for the Production group using the
following settings and click the Save icon.

Setting Value

Machine Prefix Prod-

Number of Digits 5

Next Number 1

Click the New icon to create a default machine prefix for the Development group using the
following settings and click the Save icon.

Setting Value

Machine Prefix Dev-

Number of Digits 5

Next Number 1


5.10.5 Create Business Groups in Region A


Tenant administrators create business groups to associate a set of services and resources with a set of
users, which often corresponds to a line of business, department, or other organizational unit. Users
must belong to a business group to request machines.
For this implementation, create two business groups: Production and Development.
Procedure
Log in to the vRealize Automation Rainpole portal.
a. Open a Web browser and go
to https://vra01svr01.rainpole.local/vcac/org/rainpole.
b. Log in using the following credentials.

Setting Value

User name itac-tenantadmin

Password itac-tenantadmin_password

Domain rainpole.local

Navigate to Administration > Users and Groups > Business Groups.


Click the New icon.
On the General tab, enter the following values and click Next.


Setting Value

Name Production

Send Manager emails to [email protected]

On the Members tab, enter [email protected] in the Group manager role text box, and click Next.


On the Infrastructure tab, select Prod- from the Default machine prefix drop-down menu, and
click Finish.

Click the New icon.


On the General tab, configure the following values, and click Next.


Setting Value

Name Development

Send Manager emails to [email protected]

On the Members tab, enter [email protected] in the Group manager role text box, and click Next.


On the Infrastructure tab, select Dev- from the Default machine prefix drop-down menu, and
click Finish.


5.10.6 Create Reservation Policies in Region A


You use reservation policies to group similar reservations together. Create the reservation policy tag
first, then add the policy to reservations to allow a tenant administrator or business group manager to
use the reservation policy in a blueprint.
When you request a machine, it can be provisioned on any reservation of the appropriate type that
has sufficient capacity for the machine. You can apply a reservation policy to a blueprint to restrict the
machines provisioned from that blueprint to a subset of available reservations. A reservation policy is
often used to collect resources into groups for different service levels, or to make a specific type of
resource easily available for a particular purpose. You can add multiple reservations to a reservation
policy, but a reservation can belong to only one policy. You can assign a single reservation policy to
more than one blueprint. A blueprint can have only one reservation policy. A reservation policy can
include reservations of different types, but only reservations that match the blueprint type are
considered when selecting a reservation for a particular request.
Procedure
Log in to the vRealize Automation Rainpole portal.
a. Open a Web browser and go
to https://vra01svr01.rainpole.local/vcac/org/rainpole.
b. Log in using the following credentials.

Setting Value

User name itac-tenantadmin

Password itac-tenantadmin_password

Domain rainpole.local

Navigate to Infrastructure > Reservations > Reservation Policies.


Click the New icon, configure the following settings, and click the Save icon.

Setting Value

Name SFO-Production-Policy

Description Reservation policy for Production Business Group in SFO

Click the New icon, configure the following settings, and click the Save icon.

Setting Value

Name SFO-Development-Policy

Description Reservation policy for Development Business Group in SFO

Click the New icon, configure the following settings, and click the Save icon.

Setting Value


Name SFO-Edge-Policy

Description Reservation policy for Edge Cluster Group in SFO

5.10.7 Create a vSphere Endpoint in vRealize Automation in Region A


To allow vRealize Automation to manage the infrastructure, IaaS administrators create endpoints and
configure user credentials for those endpoints. When you create a vSphere endpoint, vRealize
Automation can communicate with the vSphere environment, discover the compute resources that are
managed by vCenter Server, collect data, and provision machines.
Procedure
Log in to the vRealize Automation Rainpole portal.
a. Open a Web browser and go
to https://vra01svr01.rainpole.local/vcac/org/rainpole.
b. Log in using the following credentials.

Setting Value

User name itac-tenantadmin

Password itac-tenantadmin_password

Domain rainpole.local


Navigate to Infrastructure > Endpoints > Credentials and click New.


On the Credentials page, create the credential that vRealize Automation uses to access
comp01vc01.sfo01.rainpole.local. Use the dedicated svc-vra service account rather than the vSphere
administrator account, configure the following settings, and click Save.

Setting Value

Name comp01vc01sfo01 admin

Description administrator of comp01vc01.sfo01.rainpole.local

User Name [email protected]

Password svc_vra_password

Remain on the Credentials page and click New once again.


Configure the credential for the NSX Manager comp01nsxm01.sfo01.rainpole.local with the
following settings, and click Save.

Setting Value

Name comp01nsxm01sfo01 admin

Description administrator of NSX system comp01nsxm01.sfo01.rainpole.local

User Name [email protected]

Password svc_vra_password


Navigate to Infrastructure > Endpoints > Endpoints and click New > Virtual > vSphere
(vCenter).
On the New Endpoint - vSphere (vCenter) page, create a vSphere Endpoint with the following
settings, and click OK.

Note The vSphere Endpoint Name must be identical to the name that you used to install the proxy
agent. See Install IaaS vSphere Proxy Agents.

Setting Value

Name comp01vc01.sfo01.rainpole.local

Address https://comp01vc01.sfo01.rainpole.local/sdk

Credentials comp01vc01sfo01 admin

Specify manager for network and security platform Select

NSX Address https://comp01nsxm01.sfo01.rainpole.local

NSX Credentials comp01nsxm01sfo01 admin


5.10.8 Add Compute Resources to a Fabric Group in Region A


You add compute resources to a fabric group so that vRealize Automation can provision virtual
machines on those resources on behalf of the business groups that have reservations in the fabric group.
Repeat this procedure twice to perform data collection for both the compute and the edge cluster.

Cluster Type Cluster Name

Compute cluster SFO01-Comp01

Edge cluster SFO01-Edge01

Procedure
Log in to the vRealize Automation Rainpole portal.
a. Open a Web browser and go to
https://vra01svr01.rainpole.local/vcac/org/rainpole.
b. Log in using the following credentials.

Setting Value

User name itac-tenantadmin

Password itac-tenantadmin_password

Domain rainpole.local

Navigate to Infrastructure > Endpoints > Fabric Groups.


In the Name column, hover the mouse pointer over the fabric group name SFO Fabric Group,
and click Edit.

On the Edit Fabric Group page, select both SFO01-Comp01 (compute cluster) and SFO01-
Edge01 (edge cluster) from the Compute Resources table, and click OK.

Note It may take several minutes for vRealize Automation to connect to the Compute vCenter Server
system and its clusters. If you still cannot see the compute and edge clusters after sufficient time
has passed, restart the proxy agent services in both virtual machines, vra01ias01.sfo01.rainpole.local and
vra01ias02.sfo01.rainpole.local.


Navigate to Infrastructure > Compute Resources > Compute Resources.


In the Compute Resource column, hover the mouse pointer over the compute cluster SFO01-
Comp01, and click Data Collection.

Wait for the data collection process to complete and verify that the Status for both Inventory and
Network and Security Inventory shows Succeeded.


Repeat this procedure to perform data collection for the SFO01-Edge01 edge cluster.

5.10.9 Create External Network Profiles in Region A


Before members of a business group can request virtual machines, fabric administrators must create
network profiles to define the subnet and routing configuration for those virtual machines. Each
network profile is configured for a specific network port group or virtual network to specify IP address
and routing configuration for virtual machines provisioned to that network.
Repeat this procedure six times to create the following external network profiles.
 Ext-Net-Profile-Production-App
 Ext-Net-Profile-Production-DB
 Ext-Net-Profile-Production-Web
 Ext-Net-Profile-Development-App
 Ext-Net-Profile-Development-DB
 Ext-Net-Profile-Development-Web

Procedure
Log in to the vRealize Automation Rainpole portal.
a. Open a Web browser and go
to https://vra01svr01.rainpole.local/vcac/org/rainpole.


b. Log in using the following credentials.

Setting Value

User name itac-tenantadmin

Password itac-tenantadmin_password

Domain rainpole.local

Navigate to Infrastructure > Reservations > Network Profiles and click New > External.
On the New Network Profile - External page, enter the following values for the profile you are
creating on the General tab.

Production Group External Network Profile Values

Setting            Production Web Value                   Production DB Value                    Production App Value

Name               Ext-Net-Profile-Production-Web         Ext-Net-Profile-Production-DB          Ext-Net-Profile-Production-App

Description        External Network profile for Web Tier  External Network profile for DB Tier   External Network profile for App Tier
                   of Production Business Group           of Production Business Group           of Production Business Group

Subnet mask        255.255.255.0                          255.255.255.0                          255.255.255.0

Gateway            172.11.10.1                            172.11.11.1                            172.11.12.1

Primary DNS        172.16.11.5                            172.16.11.5                            172.16.11.5

Secondary DNS      172.17.11.5                            172.17.11.5                            172.17.11.5

DNS suffix         sfo01.rainpole.local                   sfo01.rainpole.local                   sfo01.rainpole.local

DNS search suffix  sfo01.rainpole.local                   sfo01.rainpole.local                   sfo01.rainpole.local

Development Group External Network Profile Values

Setting            Development Web Value                   Development DB Value                    Development App Value

Name               Ext-Net-Profile-Development-Web         Ext-Net-Profile-Development-DB          Ext-Net-Profile-Development-App

Description        External Network profile for Web Tier   External Network profile for DB Tier    External Network profile for App Tier
                   of Development Business Group           of Development Business Group           of Development Business Group

Subnet mask        255.255.255.0                           255.255.255.0                           255.255.255.0

Gateway            172.12.10.1                             172.12.11.1                             172.12.12.1

Primary DNS        172.16.11.5                             172.16.11.5                             172.16.11.5

Secondary DNS      172.17.11.5                             172.17.11.5                             172.17.11.5

DNS suffix         sfo01.rainpole.local                    sfo01.rainpole.local                    sfo01.rainpole.local

DNS search suffix  sfo01.rainpole.local                    sfo01.rainpole.local                    sfo01.rainpole.local

Click the IP Ranges tab.

On the IP Ranges tab, click the New button, enter the following values for the profile you are
creating, and click OK.

Production Business IP Range Values

Setting              Production Web Value           Production DB Value            Production App Value

Name                 Production-Web                 Production-DB                  Production-App

Description          Static IP range for Web Tier   Static IP range for DB Tier    Static IP range for App Tier
                     of Production Group            of Production Group            of Production Group

Starting IP address  172.11.10.20                   172.11.11.20                   172.11.12.20

Ending IP address    172.11.10.250                  172.11.11.250                  172.11.12.250

Development Business IP Range Values

Setting              Development Web Value          Development DB Value           Development App Value

Name                 Development-Web                Development-DB                 Development-App

Description          Static IP range for Web Tier   Static IP range for DB Tier    Static IP range for App Tier
                     of Development Group           of Development Group           of Development Group

Starting IP address  172.12.10.20                   172.12.11.20                   172.12.12.20

Ending IP address    172.12.10.250                  172.12.11.250                  172.12.12.250

Verify that all the static IP addresses are added to the profile and click OK.


Repeat this procedure to create additional external network profiles.


When all of the network profiles have been added, the Network Profiles page lists the six
profiles.
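The six profiles share one layout: a /24 per tier, the gateway at .1, and a static range of .20 to .250 that keeps the gateway and a few addresses at either end outside the pool. The following script, an added example that is not part of this guide, checks those tables for the mistakes that are easy to make while typing a dozen addresses into the portal: a range that falls outside its own subnet, a gateway inside the static pool, and two profiles on overlapping subnets, which would let vRealize Automation hand out the same address twice. The profile values are transcribed from the tables above; nothing else is assumed.

```python
"""Consistency checks for the external network profiles in 5.10.9.

Added example: validates the subnet, gateway and static IP range of each
profile before they are typed into vRealize Automation. The PROFILES
values are transcribed from the Production and Development tables.
"""
import ipaddress
from itertools import combinations

# name -> (gateway, subnet mask, first static address, last static address)
PROFILES = {
    "Ext-Net-Profile-Production-Web":  ("172.11.10.1", "255.255.255.0", "172.11.10.20", "172.11.10.250"),
    "Ext-Net-Profile-Production-DB":   ("172.11.11.1", "255.255.255.0", "172.11.11.20", "172.11.11.250"),
    "Ext-Net-Profile-Production-App":  ("172.11.12.1", "255.255.255.0", "172.11.12.20", "172.11.12.250"),
    "Ext-Net-Profile-Development-Web": ("172.12.10.1", "255.255.255.0", "172.12.10.20", "172.12.10.250"),
    "Ext-Net-Profile-Development-DB":  ("172.12.11.1", "255.255.255.0", "172.12.11.20", "172.12.11.250"),
    "Ext-Net-Profile-Development-App": ("172.12.12.1", "255.255.255.0", "172.12.12.20", "172.12.12.250"),
}


def profile_network(entry):
    """Subnet implied by the gateway address and subnet mask of a profile."""
    gateway, mask, _, _ = entry
    return ipaddress.ip_network(f"{gateway}/{mask}", strict=False)


def check_profile(entry):
    """Return a list of problems for one profile (empty when it is consistent)."""
    gateway, mask, first, last = entry
    gw = ipaddress.ip_address(gateway)
    net = profile_network(entry)
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    problems = []
    if lo > hi:
        problems.append("range start is after range end")
    if lo not in net or hi not in net:
        problems.append(f"range {lo}-{hi} is not inside {net}")
    if gw in (net.network_address, net.broadcast_address):
        problems.append("gateway is the network or broadcast address")
    if lo <= gw <= hi:
        problems.append(f"gateway {gw} lies inside the static range")
    return problems


def find_overlaps(profiles):
    """Pairs of profiles whose subnets overlap; vRA would allocate colliding addresses."""
    nets = {name: profile_network(entry) for name, entry in profiles.items()}
    return [(a, b) for a, b in combinations(sorted(nets), 2) if nets[a].overlaps(nets[b])]


def check_all(profiles):
    """Map each profile name to its list of problems, including cross-profile overlaps."""
    report = {name: check_profile(entry) for name, entry in profiles.items()}
    for a, b in find_overlaps(profiles):
        report[a].append(f"subnet overlaps with {b}")
    return report


if __name__ == "__main__":
    for name, problems in check_all(PROFILES).items():
        print(f"{name}: {'OK' if not problems else '; '.join(problems)}")
```

Run it as a script to print one line per profile. Extend PROFILES when you add further tiers or a second region so that the overlap check covers every subnet that the same vRealize Automation instance allocates from.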

5.10.10 Create a Reservation for the Compute Cluster in Region A


Before members of a business group can request machines, fabric administrators must allocate
resources to them by creating a reservation. Each reservation is configured for a specific business
group to grant them access to request machines on a specified compute resource.


Perform this procedure twice to create reservations for both the Production and Development
business groups.

Group Name

Production SFO01-Comp01-Prod-Res01

Development SFO01-Comp01-Dev-Res01

Procedure
Log in to the vRealize Automation Rainpole portal.
a. Open a Web browser and go
to https://vra01svr01.rainpole.local/vcac/org/rainpole.
b. Log in using the following credentials.

Setting Value

User name itac-tenantadmin

Password itac-tenantadmin_password

Domain rainpole.local

Navigate to Infrastructure > Reservations > Reservations and click New > Virtual > vSphere.
On the New Reservation - vSphere page, click the General tab, and configure the following
values.

Setting Production Group Value Development Group Value

Name SFO01-Comp01-Prod-Res01 SFO01-Comp01-Dev-Res01

Tenant rainpole rainpole

Business Group Production Development

Reservation Policy SFO-Production-Policy SFO-Development-Policy

Priority 100 100

Enable this reservation Selected Selected


On the New Reservation - vSphere page, click the Resources tab.


a. Select SFO01-Comp01 (comp01vc01.sfo01.rainpole.local) from the Compute Resource
drop-down menu.
b. In the Memory table, enter 200 (GB) in the This Reservation column.
c. In the Storage table, select the SFO01A-NFS01-VRALIB01 check box, enter 4000 (GB) in the
This Reservation Reserved text box and 1 in the Priority text box, and click OK.


On the New Reservation - vSphere page, click the Network tab.


On the Network tab, select the network path check boxes listed in the table below from the
Network Paths list, and select the corresponding network profile from the Network Profile drop-
down menu for the business group whose reservation you are configuring.

Production Business Group

Production Network Path Production Group Network Profile

vxw-dvs-xxxxx-Production-Web-VXLAN Ext-Net-Profile-Production-Web

vxw-dvs-xxxxx-Production-DB-VXLAN Ext-Net-Profile-Production-DB

vxw-dvs-xxxxx-Production-App-VXLAN Ext-Net-Profile-Production-App

Development Business Group

Development Network Path Development Group Network Profile

vxw-dvs-xxxxx-Development-Web-VXLAN Ext-Net-Profile-Development-Web

vxw-dvs-xxxxx-Development-DB-VXLAN Ext-Net-Profile-Development-DB

vxw-dvs-xxxxx-Development-App-VXLAN Ext-Net-Profile-Development-App

Click OK to save the reservation.


Repeat this procedure to create a reservation for the Development Business Group.
Use the same memory and storage configuration settings for both reservations.

5.10.11 Create a Reservation for the Edge Cluster in Region A


Before members of a business group can request virtual machines, fabric administrators must
allocate resources to that business group by creating a reservation. Each reservation is configured for
a specific business group to grant them access to request virtual machines on a specified compute
resource.
Perform this procedure twice to create reservations for both the Production and Development
business groups.

Group Name

Production SFO01-Edge01-Prod-Res01

Development SFO01-Edge01-Dev-Res01

Procedure
Log in to the vRealize Automation Rainpole portal.
a. Open a Web browser and go
to https://vra01svr01.rainpole.local/vcac/org/rainpole.
b. Log in using the following credentials.

Setting Value

User name itac-tenantadmin

Password itac-tenantadmin_password

Domain rainpole.local

Navigate to Infrastructure > Reservations > Reservations and click New > Virtual > vSphere.
On the New Reservation - vSphere page, click the General tab, and configure the following
values for your business group.

Setting Production Group Value Development Group Value

Name SFO01-Edge01-Prod-Res01 SFO01-Edge01-Dev-Res01

Tenant rainpole rainpole

Business Group Production Development

Reservation Policy SFO-Edge-Policy SFO-Edge-Policy


Priority 100 100

Enable this reservation Selected Selected

On the New Reservation - vSphere page, click the Resources tab.


a. Select SFO01-Edge01 (comp01vc01.sfo01.rainpole.local) from the Compute Resource
drop-down menu.
b. In the Memory table, enter 200 (GB) in the This Reservation column.
c. In the Storage table, select the SFO01A-VSAN01-EDGE01 check box, enter 1000 (GB) in the
This Reservation Reserved text box and 1 in the Priority text box, and click OK.


On the New Reservation - vSphere page, click the Network tab.


On the Network tab, select the network path check boxes listed in the table below from the
Network Paths list, and select the corresponding network profile from the Network Profile drop-
down menu for the business group whose reservation you are configuring.

Production Business Group

Production Network Path Production Group Network Profile

vxw-dvs-xxxxx-Production-Web-VXLAN Ext-Net-Profile-Production-Web

vxw-dvs-xxxxx-Production-DB-VXLAN Ext-Net-Profile-Production-DB

vxw-dvs-xxxxx-Production-App-VXLAN Ext-Net-Profile-Production-App

Development Business Group

Development Network Path Development Group Network Profile

vxw-dvs-xxxxx-Development-Web-VXLAN Ext-Net-Profile-Development-Web

vxw-dvs-xxxxx-Development-DB-VXLAN Ext-Net-Profile-Development-DB

vxw-dvs-xxxxx-Development-App-VXLAN Ext-Net-Profile-Development-App


Click OK to save the reservation.


Repeat the procedure to create a reservation for the Development Business Group.
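The rules in 5.10.6 (a blueprint has at most one reservation policy, a reservation belongs to at most one policy, only reservations of the blueprint's type are considered, and a request may land on any eligible reservation with enough capacity) together with the four reservations created in 5.10.10 and 5.10.11 decide where a request is placed. The following model, an added example and not vRealize Automation's own scheduler, applies those rules to this section's reservations. It assumes that a reservation with a lower priority number is tried first, breaks ties by free memory, and ignores network-path selection and vRealize Automation's round-robin across equal-priority reservations; the vCloud reservation named Hypothetical-Cloud-Prod-Res01 is invented only to show that a policy can mix types while a request still only sees its own type.

```python
"""Simplified model of vRealize Automation reservation selection.

Added example: applies the reservation-policy rules from 5.10.6 to the
reservations from 5.10.10 and 5.10.11. Not vRA's own scheduler; priority
semantics (lower number first) and the tie-break are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Reservation:
    name: str
    business_group: str
    res_type: str              # reservation type, e.g. "vSphere"
    policy: Optional[str]      # a reservation belongs to at most one policy
    priority: int              # assumption: lower number is tried first
    memory_gb: int             # reserved memory, as entered on the Resources tab
    storage_gb: int            # reserved storage
    enabled: bool = True
    memory_used_gb: int = 0
    storage_used_gb: int = 0

    def free_memory_gb(self) -> int:
        return self.memory_gb - self.memory_used_gb

    def free_storage_gb(self) -> int:
        return self.storage_gb - self.storage_used_gb


@dataclass
class Blueprint:
    name: str
    bp_type: str               # only reservations of this type are considered
    policy: Optional[str]      # a blueprint has at most one reservation policy
    memory_gb: int             # per-machine request
    storage_gb: int


def sample_reservations() -> List[Reservation]:
    """The four reservations from 5.10.10 and 5.10.11 plus one hypothetical
    non-vSphere reservation that shares the Production policy."""
    return [
        Reservation("SFO01-Comp01-Prod-Res01", "Production", "vSphere", "SFO-Production-Policy", 100, 200, 4000),
        Reservation("SFO01-Comp01-Dev-Res01", "Development", "vSphere", "SFO-Development-Policy", 100, 200, 4000),
        Reservation("SFO01-Edge01-Prod-Res01", "Production", "vSphere", "SFO-Edge-Policy", 100, 200, 1000),
        Reservation("SFO01-Edge01-Dev-Res01", "Development", "vSphere", "SFO-Edge-Policy", 100, 200, 1000),
        # Hypothetical: same policy, different type, so never eligible for a vSphere blueprint.
        Reservation("Hypothetical-Cloud-Prod-Res01", "Production", "vCloud", "SFO-Production-Policy", 1, 1000, 10000),
    ]


def select_reservation(reservations: List[Reservation], blueprint: Blueprint,
                       business_group: str) -> Optional[Reservation]:
    """Pick the reservation a request from business_group would land on, or None."""
    candidates = [
        r for r in reservations
        if r.enabled
        and r.business_group == business_group
        and r.res_type == blueprint.bp_type
        and (blueprint.policy is None or r.policy == blueprint.policy)
        and r.free_memory_gb() >= blueprint.memory_gb
        and r.free_storage_gb() >= blueprint.storage_gb
    ]
    if not candidates:
        return None
    # Lowest priority number first; among equals, the most free memory.
    candidates.sort(key=lambda r: (r.priority, -r.free_memory_gb()))
    return candidates[0]


def provision(reservations: List[Reservation], blueprint: Blueprint,
              business_group: str) -> Optional[str]:
    """Place one machine, debit the chosen reservation and return its name."""
    chosen = select_reservation(reservations, blueprint, business_group)
    if chosen is None:
        return None
    chosen.memory_used_gb += blueprint.memory_gb
    chosen.storage_used_gb += blueprint.storage_gb
    return chosen.name


if __name__ == "__main__":
    pool = sample_reservations()
    web = Blueprint("Production Web", "vSphere", "SFO-Production-Policy", 16, 100)
    for i in range(14):
        print(f"request {i + 1}: {provision(pool, web, 'Production')}")
```

Running the script shows twelve Production requests landing on SFO01-Comp01-Prod-Res01 and the thirteenth being refused: the 200 GB memory reservation is exhausted, and neither the edge reservation (wrong policy) nor the hypothetical vCloud reservation (wrong type) is eligible, even though both have capacity.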

5.10.12 Create Customization Specifications in Compute vCenter Server in Region A

Create two customization specifications, one for Linux and one for Windows, for use by the virtual
machines you will deploy. Customization specifications are XML files that contain system
configuration settings for the guest operating systems used by virtual machines. When you apply a
specification to a guest operating system during virtual machine cloning or deployment, you prevent
conflicts that might result if you deploy virtual machines with identical settings, such as duplicate
computer names.
You will later use the customization specifications you create when you create blueprints for use with
vRealize Automation.

5.10.12.1. Create a Customization Specification for Linux in Region A


Create a Linux guest operating system specification that you can apply when you create blueprints for
use with vRealize Automation. This customization specification can be used to customize virtual
machine guest operating systems when provisioning new virtual machines from vRealize Automation.
Procedure
Log in to vCenter Server using the vSphere Web Client.
a. Open a Web browser and go to
https://comp01vc01.sfo01.rainpole.local/vsphere-client.
b. Log in using the following credentials.

Setting Value

User name [email protected]

Password vsphere_admin_password


Navigate to Home > Monitoring > Customization Specification Manager.


Select the vCenter Server comp01vc01.sfo01.rainpole.local from the drop-down menu.
Click the Create a new specification icon.
The Guest Customization wizard appears.
On the Specify Properties page, select Linux from the Target VM Operating System drop-
down menu, enter itac-linux-custom-spec for the specification name, and click Next.
On the Set Computer Name page, select Use the virtual machine name, enter
sfo01.rainpole.local in the Domain Name text box, and click Next.
On the Time Zone page, specify the time zone as shown in the table below for the virtual
machine, and click Next.

Setting Value

Area America

Location Los Angeles

Hardware Clock Set To Local Time

On the Configure Network page, click Next.


On the Enter DNS and domain settings page, leave the default settings, and click Next.
Click Finish to save your changes.
The customization specification that you created is listed in the Customization Specification
Manager.

5.10.12.2. Create a Customization Specification for Windows in Region A


Create a Windows guest operating system specification that you can apply when you create
blueprints for use with vRealize Automation. This customization specification can be used to
customize virtual machine guest operating systems when provisioning new virtual machines from
vRealize Automation.
Procedure
Log in to vCenter Server by using the vSphere Web Client.
a. Open a Web browser and go to
https://comp01vc01.sfo01.rainpole.local/vsphere-client.
b. Log in using the following credentials.

Setting Value

User name [email protected]

Password vsphere_admin_password

Navigate to Home > Monitoring > Customization Specification Manager.


Select the vCenter Server comp01vc01.sfo01.rainpole.local from the drop-down menu.


Click the Create a new specification icon.


The Guest Customization wizard appears.
On the Specify Properties page, select Windows from the Target VM Operating System drop-
down menu, enter itac-windows-joindomain-custom-spec for the specification name, and
click Next.
On the Set Registration Information page, enter Rainpole for the virtual machine owner’s
name and organization, and click Next.
On the Set Computer Name page, select Use the virtual machine name, and click Next.
The operating system uses this name to identify itself on the network.
On the Enter Windows License page, provide licensing information for the Windows operating
system, enter the volume_license_key, and click Next.
Specify the administrator password for use with the virtual machine, and click Next.
On the Time Zone page, select (GMT-08:00) Pacific Time(US & Canada), and click Next.
On the Run Once page, click Next.
On the Configure Network page, click Next.
On the Set Workgroup or Domain page, select Windows Server Domain, configure the
following settings, and click Next.

Setting Value

Domain sfo01.rainpole.local

User name SFO01\administrator

Password admin_pwd

On the Set Operating System Options page, select Generate New Security ID (SID), and click
Next.
Click Finish to save your changes.
The customization specification that you created is listed in the Customization Specification
Manager.
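Both specifications from 5.10.12.1 and 5.10.12.2 can also be created with VMware PowerCLI. The script below is an added example, not part of the VMware Validated Design guide. It assumes PowerCLI (VMware.VimAutomation.Core) is installed, that the account used holds the same vCenter administrator role as the procedure, and that the -TimeZone parameter of New-OSCustomizationSpec accepts the Windows time-zone name for (GMT-08:00) Pacific Time (US & Canada); the Linux time zone is left to be set in the Web Client as in 5.10.12.1. The Windows specification persists a domain-join credential and a local administrator password, so the script prompts for them instead of embedding them.

```powershell
# Added example (not VMware Validated Design guide content): create the Linux and Windows
# guest customization specifications from sections 5.10.12.1 and 5.10.12.2 with PowerCLI.
# Assumptions: VMware.VimAutomation.Core is installed; 'Pacific Standard Time' is accepted
# by -TimeZone as the name for (GMT-08:00) Pacific Time (US & Canada).

Import-Module VMware.VimAutomation.Core

$vcServer = 'comp01vc01.sfo01.rainpole.local'   # vCenter Server from the procedure
$vcCred   = Get-Credential -Message 'vCenter administrator ([email protected])'
Connect-VIServer -Server $vcServer -Credential $vcCred | Out-Null

# --- Linux specification (5.10.12.1) -------------------------------------------
# Computer name follows the virtual machine name, domain sfo01.rainpole.local.
# The Linux time zone (America/Los Angeles) is not set here; set it in the Web Client
# as the procedure does (assumption: -TimeZone applies to Windows specifications only).
if (-not (Get-OSCustomizationSpec -Name 'itac-linux-custom-spec' -ErrorAction SilentlyContinue)) {
    New-OSCustomizationSpec -Name 'itac-linux-custom-spec' -OSType Linux -Type Persistent `
        -NamingScheme vm -Domain 'sfo01.rainpole.local' | Out-Null
}

# --- Windows specification (5.10.12.2) -----------------------------------------
# Joins sfo01.rainpole.local and generates a new SID. The specification stores the
# domain-join credential and the local administrator password, so both are read from
# interactive prompts and never written into this script. The procedure specifies
# SFO01\administrator; a dedicated account holding only the right to join computers
# to the domain is the least-privilege alternative.
$domainJoinCred = Get-Credential -UserName 'SFO01\administrator' -Message 'Domain join account'
$localAdminPwd  = Read-Host -AsSecureString -Prompt 'Local administrator password for new VMs'
$volumeKey      = Read-Host -Prompt 'Windows volume license key (volume_license_key)'

if (-not (Get-OSCustomizationSpec -Name 'itac-windows-joindomain-custom-spec' -ErrorAction SilentlyContinue)) {
    New-OSCustomizationSpec -Name 'itac-windows-joindomain-custom-spec' -OSType Windows -Type Persistent `
        -FullName 'Rainpole' -OrgName 'Rainpole' `
        -NamingScheme vm `
        -ProductKey $volumeKey `
        -AdminPassword ([System.Net.NetworkCredential]::new('', $localAdminPwd).Password) `
        -TimeZone 'Pacific Standard Time' `
        -Domain 'sfo01.rainpole.local' -DomainCredentials $domainJoinCred `
        -ChangeSid $true | Out-Null
}

# --- Verify: both specifications are now listed in the Customization Specification Manager
Get-OSCustomizationSpec -Name 'itac-linux-custom-spec', 'itac-windows-joindomain-custom-spec' |
    Select-Object Name, OSType, Domain, NamingScheme |
    Format-Table -AutoSize

Disconnect-VIServer -Server $vcServer -Confirm:$false
```

Run the script once per Compute vCenter Server; it is idempotent because each specification is created only if a specification of that name does not already exist.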

5.10.13 Create Virtual Machines Using VM Templates in the Content Library in Region A

vRealize Automation cannot directly access virtual machine templates in the content library. You must create a virtual machine using the virtual machine templates in the content library, then convert the virtual machine to a template in vCenter Server. Perform this procedure on all vCenter Server compute clusters you add to vRealize Automation, including the first vCenter Server compute instance.
Repeat this procedure three times, once for each of the VM Templates in the content library. The table below lists the VM Templates and the guest OS each template uses to create a virtual machine.

VM Template Name Guest OS

redhat6-enterprise-64 Red Hat Enterprise Server 6 (64-bit)

windows-2012r2-64 Windows Server 2012 R2 (64-bit)

windows-2012r2-64-sql2012 Windows Server 2012 R2 (64-bit)

Procedure
1. Log in to the vCenter Server using the vSphere Web Client.
a. Open a Web browser and go to https://comp01vc01.sfo01.rainpole.local/vsphere-client.
b. Log in using the following credentials.

Setting Value

User name [email protected]

Password vsphere_admin_password

2. Navigate to Home > VMs and Templates.


3. Expand the comp01vc01.sfo01.rainpole.local vCenter Server.
4. Right-click the SFO01 data center object and select New Folder > New VM and Template
Folder.
5. Create a folder and label it VM Templates.

6. Navigate to Home > Content Libraries.


7. Click SFO01-ContentLib01 > Templates.
8. Right-click the VM Template and select New VM from This Template.
The New Virtual Machine from Content Library wizard opens.

9. In the Select name and location page, use the same template name.

Note Use the same template name to create a common service catalog that works across different vCenter Server instances within your data center environment.

10. Select VM Templates as the folder for this virtual machine, and click Next.

11. On the Select a resource page, select the compute cluster you want to deploy the virtual
machine to.
Important: Do not select an Edge Cluster.
12. On the Review details page, verify the template details and click Next.
13. On the Select storage page, select the SFO01A-NFS01-VRALIB01 datastore and Thin Provisioning from the Select virtual disk format drop-down menu.

14. On the Select networks dialog, select VM Network for the Destination Network, and click Next.

Note vRealize Automation will change the network according to the blueprint configuration.

15. On the Ready to complete page, review the configurations you made for the virtual machine, and
click Finish.
A new task for creating the virtual machine appears in the Recent Tasks pane. After the task is
complete, the new virtual machine is created.
16. Repeat this procedure for all of the VM Templates in the content library.

5.10.14 Convert the Virtual Machine to a VM Template in Region A


You can convert a virtual machine directly to a template instead of making a copy by cloning. Repeat this procedure for each of the virtual machines that you created from the VM Templates listed in the table below.

VM Template Name Guest OS

redhat6-enterprise-64 Red Hat Enterprise Server 6 (64-bit)

windows-2012r2-64 Windows Server 2012 R2 (64-bit)

windows-2012r2-64-sql2012 Windows Server 2012 R2 (64-bit)

Procedure
1. Log in to the vCenter Server using the vSphere Web Client.
a. Open a Web browser and go to
https://comp01vc01.sfo01.rainpole.local/vsphere-client.
b. Log in using the following credentials.

Setting Value

User name [email protected]

Password vsphere_admin_password

2. Navigate to Home > VMs and Templates.


3. In the Navigator pane, expand comp01vc01.sfo01.rainpole.local > SFO01 > VM Templates.
4. Right-click the redhat6-enterprise-64 virtual machine located in the VM Templates folder, and
select Template > Convert to Template.
5. Click Yes to confirm the template conversion.
6. Repeat this procedure for all of the VM Templates in the content library, verifying that each VM
Template appears in the VM Templates folder.
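Sections 5.10.13 and 5.10.14 together deploy each content library template as a virtual machine and then convert it in place. The following PowerCLI script is an added example, not part of the VMware Validated Design guide, that performs both steps for the three templates and then verifies the VM Templates folder. It assumes a PowerCLI release that provides Get-ContentLibraryItem and the -ContentLibraryItem parameter of New-VM (11.5 or later), and it uses COMPUTE_CLUSTER_NAME as a placeholder for the compute cluster name, which this section does not state; as the Important note in step 11 says, that value must never be the edge cluster.

```powershell
# Added example (not VMware Validated Design guide content): deploy the three content
# library templates as virtual machines into the VM Templates folder and convert each
# one to a vCenter template, as sections 5.10.13 and 5.10.14 do in the vSphere Web Client.
# Assumptions: PowerCLI with Get-ContentLibraryItem and New-VM -ContentLibraryItem
# (11.5 or later); $computeCluster is a placeholder for the compute cluster name, which
# this section does not state. Never point it at the edge cluster.

Import-Module VMware.VimAutomation.Core

$vcServer       = 'comp01vc01.sfo01.rainpole.local'   # from the procedure
$datacenterName = 'SFO01'                              # from the procedure
$libraryName    = 'SFO01-ContentLib01'                 # from the procedure
$datastoreName  = 'SFO01A-NFS01-VRALIB01'              # from the procedure
$computeCluster = 'COMPUTE_CLUSTER_NAME'               # placeholder: compute cluster, not an edge cluster
$templateNames  = 'redhat6-enterprise-64', 'windows-2012r2-64', 'windows-2012r2-64-sql2012'

Connect-VIServer -Server $vcServer -Credential (Get-Credential -Message '[email protected]') | Out-Null

# Folder "VM Templates" directly under the data center (Home > VMs and Templates), step 4-5
$dc     = Get-Datacenter -Name $datacenterName
$folder = Get-Folder -Name 'VM Templates' -Location $dc -Type VM -ErrorAction SilentlyContinue
if (-not $folder) {
    $vmRoot = Get-Folder -Name 'vm' -Location $dc -Type VM -NoRecursion   # hidden root VM folder of the data center
    $folder = New-Folder -Name 'VM Templates' -Location $vmRoot
}

$cluster   = Get-Cluster -Name $computeCluster -Location $dc
$datastore = Get-Datastore -Name $datastoreName

foreach ($name in $templateNames) {
    if (Get-Template -Name $name -Location $folder -ErrorAction SilentlyContinue) {
        Write-Host "Template $name already exists in VM Templates, skipping"
        continue
    }
    $item = Get-ContentLibraryItem -Name $name | Where-Object { $_.ContentLibrary.Name -eq $libraryName }
    if (-not $item) { throw "Library item $name not found in $libraryName" }

    # Keep the library item name as the VM name so the service catalog works across
    # vCenter Server instances (Note in step 9 of 5.10.13). Thin provisioning on the
    # vRA library datastore (step 13). The network is changed by vRealize Automation
    # according to the blueprint (step 14), so it is left at the item's default here.
    $vm = New-VM -Name $name -ContentLibraryItem $item -ResourcePool $cluster `
                 -Datastore $datastore -Location $folder -DiskStorageFormat Thin

    # 5.10.14: convert the virtual machine in place to a template
    Set-VM -VM $vm -ToTemplate -Confirm:$false | Out-Null
}

# Verification (5.10.14 step 6): every expected template is present in the VM Templates folder
$present = Get-Template -Location $folder | Select-Object -ExpandProperty Name
$missing = $templateNames | Where-Object { $_ -notin $present }
if ($missing) { Write-Warning ('Templates missing from VM Templates: ' + ($missing -join ', ')) }
else          { Write-Host 'All three templates are present in the VM Templates folder' }

Disconnect-VIServer -Server $vcServer -Confirm:$false
```

Because the guide requires this on every Compute vCenter Server instance added to vRealize Automation, the same script can be run against each one by changing only $vcServer and the cluster placeholder.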

5.10.15 Configure Single Machine Blueprints in Region A


Virtual machine blueprints determine a machine’s attributes, the manner in which it is provisioned,
and its policy and management settings.
• Create a Service Catalog in Region A
• Create Entitlements for Business Groups in Region A
• Create a Single Machine Blueprint in Region A
• Configure Entitlements of Blueprints in Region A

5.10.15.1. Create a Service Catalog in Region A


A service catalog provides a common interface for consumers of IT services to request services, track
their requests, and manage their provisioned service items.
Procedure
1. Log in to the vRealize Automation Rainpole portal.
a. Open a Web browser and go to https://vra01svr01.rainpole.local/vcac/org/rainpole.
b. Log in using the following credentials.

Setting Value

User name itac-tenantadmin

Password itac-tenantadmin_password

Domain rainpole.local

2. Navigate to Infrastructure > Reservations > Network Profiles and click New > External.
The New Service page appears.
3. In the New Service page, configure the following settings, and click OK.

Setting Value

Name SFO Service Catalog

Description Default setting (blank)

Status Active

Icon Default setting (blank)

Hours Default setting (blank)

Owner Default setting (blank)

Support Team Default setting (blank)

Change Window Default setting (blank)

5.10.15.2. Create Entitlements for Business Groups in Region A


You add a service, catalog item, or action to an entitlement, allowing the users and groups identified
in the entitlement to request provisionable items in the service catalog. The entitlement allows
members of a particular business group (for example, the Production business group) to use the
blueprint. Without the entitlement, users cannot use the blueprint.
Repeat this procedure twice to create entitlements for both the Production and Development business
groups.

Entitlement Name Status Business Group User and Groups

Prod-SingleVM-Entitlement Active Production ug-ITAC-TenantAdmins

Dev-SingleVM-Entitlement Active Development ug-ITAC-TenantAdmins

Procedure
1. Log in to the vRealize Automation Rainpole portal.
a. Open a Web browser and go to https://vra01svr01.rainpole.local/vcac/org/rainpole.
b. Log in using the following credentials.

Setting Value

User name itac-tenantadmin

Password itac-tenantadmin_password

Domain rainpole.local

2. Click the Administration tab, and click Catalog Management > Entitlement.
3. Click New.
The New Entitlement page appears.
4. On the New Entitlement page, select the Details tab, configure the following values, and click Next.

Note After you enter the Users & Groups label ug-ITAC-TenantAdmins, it changes in the display, as shown in the screenshot below.

Setting Production Value Development Value

Name Prod-SingleVM-Entitlement Dev-SingleVM-Entitlement

Description Default setting (blank) Default setting (blank)

Expiration Date Default setting (blank) Default setting (blank)

Status Active Active

Business Group Production Business Group Development Business Group

Users & Groups ug-ITAC-TenantAdmins ug-ITAC-TenantAdmins

5. Click the Items & Approvals tab.
a. Click the Add Action icon on the Entitlement Actions page, and add the following actions.
o Connect using RDP (Machine)
o Power Cycle (Machine)
o Power Off (Machine)
o Power On (Machine)
o Reboot (Machine)
o Shutdown (Machine)
b. Click Finish.
6. Repeat this procedure to create an entitlement for the Development business group. Use the same Entitled Actions as for the Production business group.

5.10.15.3. Create a Single Machine Blueprint in Region A


Create a blueprint for cloning the WIN2K12R2-OVF virtual machine using the specified resources on
the Compute vCenter Server. Tenants can later use this blueprint for automatic provisioning. A
blueprint is the complete specification for a virtual, cloud, or physical machine. Blueprints determine a
machine's attributes, the manner in which it is provisioned, and its policy and management settings.
Repeat this procedure to create six blueprints.

Blueprint Name | VM Template | Reservation Policy | Service Catalog | Add to Entitlement

Windows Server 2012 R2 - SFO Prod | windows-2012r2-64 (comp01vc01.sfo01.rainpole.local) | SFO-Production-Policy | SFO Service Catalog | Prod-SingleVM-Entitlement

Windows Server 2012 R2 - SFO Dev | windows-2012r2-64 (comp01vc01.sfo01.rainpole.local) | SFO-Development-Policy | SFO Service Catalog | Dev-SingleVM-Entitlement

Windows Server 2012 R2 With SQL2012 - SFO Prod | windows-2012r2-64-sql2012 (comp01vc01.sfo01.rainpole.local) | SFO-Production-Policy | SFO Service Catalog | Prod-SingleVM-Entitlement

Windows Server 2012 R2 With SQL2012 - SFO Dev | windows-2012r2-64-sql2012 (comp01vc01.sfo01.rainpole.local) | SFO-Development-Policy | SFO Service Catalog | Dev-SingleVM-Entitlement

Redhat Enterprise Linux 6 - SFO Prod | redhat6-enterprise-64 (comp01vc01.sfo01.rainpole.local) | SFO-Production-Policy | SFO Service Catalog | Prod-SingleVM-Entitlement

Redhat Enterprise Linux 6 - SFO Dev | redhat6-enterprise-64 (comp01vc01.sfo01.rainpole.local) | SFO-Development-Policy | SFO Service Catalog | Dev-SingleVM-Entitlement

Procedure
1. Log in to the vRealize Automation portal.
a. Open a Web browser and go to https://vra01svr01.rainpole.local/vcac/org/rainpole.
b. Log in using the following credentials.

Setting Value

User name itac-tenantadmin

Password itac-tenantadmin_password

Domain rainpole.local

2. Navigate to Design > Blueprints.
3. Click New.
4. On the New Blueprint dialog box, configure the following settings on the General tab and click OK.

Setting Value

Name Windows Server 2012 R2 - SFO Prod

Archive (days) 15

Minimum 30

Maximum 270

5. Select the vSphere Machine icon and drag it onto the Design Canvas.
6. Click the General tab, configure the following settings, and click Save.

Setting Value

ID Default setting (vSphere_Machine_1)

Description Default setting (blank)

Display location on request Deselected

Reservation policy SFO-Production-Policy

Machine Prefix Default setting (blank)

Minimum Default setting (blank)

Maximum Default setting (blank)

7. Click the Build Information tab, configure the following settings, and click Save.

Setting Value

Blueprint type Server

Action Clone

Provisioning workflow CloneWorkflow

Clone from windows-2012r2-64 template

Customization spec itac-windows-joindomain-custom-spec

8. Click the Machine Resources tab, configure the following settings, and click Save.

Setting Minimum Maximum

CPU 2 4

Memory (MB) 4096 16384

Storage Default setting (blank) Default setting (60)

9. Click the Storage tab, configure the following settings, and click Save.

Setting Minimum Maximum

Storage (GB) 40 60

10. Click the Network tab.
a. Select Network & Security in the Categories section to display the list of available network and security components.
b. Select the Existing Network component and drag it onto the design canvas.
c. Click in the Existing network text box and select the Ext-Net-Profile-Production-Web network profile.
d. Click Save.
e. Select the vSphere machine component on the Design Canvas to display its properties.
f. Select the Network tab, click New, and configure the following settings.

Setting Value

Network ExtNetProfileProductionWeb

Assignment Type Static IP

Address 172.21.11.123

g. Click Save.
h. Click Finish to save the blueprint.
11. Select the blueprint and click Publish.

Repeat this procedure to create additional blueprints.

5.10.15.4. Configure Entitlements of Blueprints in Region A


You entitle users to the actions and items that belong to the service catalog by associating each
blueprint with an entitlement.
Repeat this procedure to associate the six blueprints with their entitlement.

Blueprint Name | VM Template | Reservation Policy | Service Catalog | Add to Entitlement

Windows Server 2012 R2 - SFO Prod | windows-2012r2-64 (comp01vc01.sfo01.rainpole.local) | SFO-Production-Policy | SFO Service Catalog | Prod-SingleVM-Entitlement

Windows Server 2012 R2 - SFO Dev | windows-2012r2-64 (comp01vc01.sfo01.rainpole.local) | SFO-Development-Policy | SFO Service Catalog | Dev-SingleVM-Entitlement

Windows Server 2012 R2 With SQL2012 - SFO Prod | windows-2012r2-64-sql2012 (comp01vc01.sfo01.rainpole.local) | SFO-Production-Policy | SFO Service Catalog | Prod-SingleVM-Entitlement

Windows Server 2012 R2 With SQL2012 - SFO Dev | windows-2012r2-64-sql2012 (comp01vc01.sfo01.rainpole.local) | SFO-Development-Policy | SFO Service Catalog | Dev-SingleVM-Entitlement

Redhat Enterprise Linux 6 - SFO Prod | redhat6-enterprise-64 (comp01vc01.sfo01.rainpole.local) | SFO-Production-Policy | SFO Service Catalog | Prod-SingleVM-Entitlement

Redhat Enterprise Linux 6 - SFO Dev | redhat6-enterprise-64 (comp01vc01.sfo01.rainpole.local) | SFO-Development-Policy | SFO Service Catalog | Dev-SingleVM-Entitlement

Procedure
1. Log in to the vRealize Automation portal.
a. Open a Web browser and go to https://vra01svr01.rainpole.local/vcac/org/rainpole.
b. Log in using the following credentials.

Setting Value

User name itac-tenantadmin

Password itac-tenantadmin_password

Domain rainpole.local

2. Select the Administration tab and navigate to Catalog Management > Catalog Items.
3. On the Configure Catalog Items pane, select the Windows Server 2012 R2 - SFO Prod blueprint in the Catalog Items list and click Configure.
4. On the General tab of the Configure Catalog Items dialog box, select SFO Service Catalog from the Service drop-down menu, and click OK.
5. Associate the blueprint with the Prod-SingleVM-Entitlement and Dev-SingleVM-Entitlement entitlements.
a. Click Entitlements and select Prod-SingleVM-Entitlement.
The Edit Entitlement pane appears.
b. Select the Items & Approvals tab and add the Windows Server 2012 R2 - SFO Prod blueprint to the Entitled Catalog Items list.
c. Click Finish.
d. Repeat this step for the Dev-SingleVM-Entitlement entitlement.
6. Select the Catalog tab and verify that the blueprint is listed in the Service Catalog.

Repeat this procedure to associate all of the blueprints with their entitlement.
