Page 3 of 4

Posted on

VMware NSX Role Based Access via Active Directory

Reading Time: 3 minutes

You may have noticed that your usual Active Directory user account (which might afford you full administrative access in vCenter) doesn’t get you very far when attempting to manage NSX for vSphere. This is by design, as NSX access is not governed or controlled by vCenter Server roles.

NSX utilises it’s own predefined security roles for role based access, all of which can be assigned to Active Directory Users and/or Security Groups. This is great for larger teams with clearly defined areas of demarcation and responsibilities, smaller teams of administrators and read-only support teams, and even one-off auditor visits.

In this post, I detail the procedure for implementing AD integration in VMware NSX for vSphere 6.4.2, however, the procedure is the same for NSX 6.X. Before we start, let’s take a look at the six NSX Security Roles:

NSX Security Roles

  • Auditor – Users in this role can only view system settings and auditing, events and reporting information and will not be able to make any configuration change.
  • Security Engineer – Users in this role can perform all security tasks, such as configuring policies and firewall rules. Users have read access to some networking features, but no access to host preparation and/or user account management.
  • Network Engineer – Users in this role can perform all networking tasks, such as routing, DHCP, bridging, etc. Users have read access to endpoint security features, but no access to other security features.
  • Security Administrator – Users in this role can configure security compliance policies in addition to viewing the reporting and auditing information in the system.
  • NSX Administrator – Users in this role can perform all tasks related to deployment and administration of this NSX Manager instance.
  • Enterprise Administrator (God Mode) – Users is this role can perform all tasks related to deployment and configuration of NSX products and administration of this NSX Manager instance.

Procedure

Please note, due to current feature parity differences between the vSphere Web Client (Flex) and vSphere Client (HTML 5), the below procedure will need to be performed utilising the vSphere Web Client (Flex).

1. Create your required AD Security Groups, naming accordingly.

Manage-NSX-via-Active-Directory-User-01

2. Log in to the vSphere Web Client (Flex) as administrator@vsphere.local.

3. Browse to Networking & Security > System > Users and Domains.

4. Via the Users tab, click the Add icon.

5. Select Specify a vCenter group and enter the AD Security Group name as per above AD Objects. When ready, click Next.

Manage-NSX-via-Active-Directory-User-02

6. Select the appropriate NSX Security Role to associate with the AD Security Group and click Finish.

Manage-NSX-via-Active-Directory-User-03

7. Repeat steps 4 – 6 until all required AD Security Groups have been added.

8. Confirm successful addition of all NSX Security Roles. At this point, you can assign further AD Users/Security Groups, disable or enable accordingly, and delete.

Manage-NSX-via-Active-Directory-User-04

9. Log in to either the vSphere Web Client or vSphere HTML5 Client as a user associated to one of the newly added AD Security Groups and test access. Below I detail an example of both Auditor and Enterprise Administrator roles.

Manage-NSX-via-Active-Directory-User-Auditor-Functionality
Here, the user is assigned the NSX Auditor Security Role.
Manage-NSX-via-Active-Directory-User-Auditor-Functionality
Here, the user is assigned the NSX Enterprise Administrator Security Role.

Further Reading

Posted on

New VMware NSX Guides Released

Reading Time: 2 minutes

Back in October 2017, VMware released a number of free NSX guides. A detailed overview of the releases can be found by clicking here. Just last week the NSX Guide Library was enhanced further thanks to the release of a number of new publications.  Regardless of whether you’re new to NSX or simply interested in topping up, if you work with NSX in any way, the VMware NSX Guide Library is essential reading.

Continue reading → New VMware NSX Guides Released

VMware NSX for vSphere 6.4.1 - One Click Upgrade
Posted on

VMware NSX for vSphere 6.4.1 – One Click Upgrade

Reading Time: 4 minutes

With the release of VMware NSX for vSphere 6.4.1 on May 24th 2018, interoperability/compatibility between VMware vSphere 6.7 and NSX was achieved. In addition to this, a number of nice new features were also included in the update.

In this article we will upgrade a 6.4.0 (build 7564187) lab environment to 6.4.1 (build 8599035) utilising the One Click upgrade process.

Continue reading → VMware NSX for vSphere 6.4.1 – One Click Upgrade

201804_Editing_Protected_VMs_in_vCenter_01
Posted on

Editing Protected VMs in vSphere

Reading Time: 3 minutes

By design, there are certain virtual machines and/or appliances within vSphere which are protected to prevent editing (this can include NSX Controllers, Edges, Logical Routers, etc.) In a live/production environment, you’d not normally care about editing these appliances, however, in a lab environment (especially one where resource is tight), reducing memory and/or CPU allocation can help a lot. As such, this article will cover the process of removing the lock on protected VM in vSphere, in order to enable editing.

The scenario: a customer needs to reduce the resource allocation of an NSX Controller, however, due to the VM in question being protected/locked, editing the VM’s resources is not possible via UI or PowerCLI.

The process of removing this lock is quick and easy, however, we first need to identify the virtual machine’s Managed Object Reference (moRef ID). Please note, VMware do not support or recommend this procedure in any way.  As such, this procedure should not be implemented in a production environment.

Continue reading → Editing Protected VMs in vSphere

vRealize Log Insight Logo
Posted on

VMware vRealize Log Insight: Part 2 – VMware NSX Integration via Content Packs

Reading Time: 4 minutes

In Part 1 of this series we covered the simple installation and configuration of VMware vRealize Log Insight. In Part 2 we will cover how we can further configure and customise Log Insight via Content Packs in order to leverage further logging capabilities.

As mentioned in Part 1, one of the caveats of utilising this ‘free’ version of Log Insight (or more aptly, the 25 OSI license available to all vCenter Server licensees), is the ability to use VMware-only Content Packs. This is far from a bad thing and, as a result, enables us to integrate with other VMware products including NSX, Horizon, SRM, etc. In this article we will focus on the former product.

Continue reading → VMware vRealize Log Insight: Part 2 – VMware NSX Integration via Content Packs

Posted on

NSX Manager – Replacing the SSL Certificate

Reading Time: 3 minutes

Applying a new SSL certificate to your NSX Manager really couldn’t be easier and, as the NSX Manager is part of a wider, security orientated product, we might as well do things properly and apply one!

First of all, and if already not in place, we’ll need to create a new Microsoft CA Template for SSL in vSphere. To do this, please take a look at VMware KB article 2112009. The procedure itself is a simple one, and I make reference below to a vSphere 6.x SSL certificate template, so it’s worth pointing out. This template was created using the aforementioned VMware KB.

To replace the NSX Manager SSL certificate, and to cert against your CA of choice, simply follow the below process.

Continue reading → NSX Manager – Replacing the SSL Certificate

Posted on

Computer World Define Tomorrow Huddle

Reading Time: 3 minutes

Last Friday I had the privilege of attending the exclusive, and first ever Define Tomorrow Huddle, hosted at the amazing Aerospace Bristol (home of the historic last flight Concorde) by the fantastic team at Computer World Group. The Huddle featured demos from three brilliant sponsors, including Rubrik, Bitdefender and Zerto, all of whom gave a true deep dive of fantastic technologies and solutions.

Continue reading → Computer World Define Tomorrow Huddle

VMware NSX Presentation
Posted on

2017, The Final Quarter

Reading Time: 2 minutes

It’s been a busy few weeks (when does ‘busy’ stop being ‘busy’ and just become ‘BAU’?), and with the final quarter upon us, I’m working to complete the last of our projects and implementations, and there aren’t many on my list bigger than a major data centre migration.

One item from the list I’m excited about is our in-house training. Compared with other projects, technical designs, or R&D, internal training can sometimes be seen as a secondary concern, however, rather than simply handing over a solution to an operational support team, I’m a huge fan of getting every member of the team around a table to discuss, challenge, and question the solution, the designs, and the technology. Specifically, myself and colleagues within our Technical Operations team (made up of both Infrastructure and Network Architects) will regularly provide internal training and/or overview sessions to both business owners and technical teams, as well as deep dives into the technologies we either have in development or the designs and implementations we are transitioning into live service.

At this time of year, it’s nice to step back and try not to take things for granted. It’s a real privilege to be able to work with such great partners, technologies (VMware NSX, Horizon, Pure Storage), our colleagues, and being part of a team that’s so passionate about the solutions we design and deploy; ultimately enabling the business to support both our users and members. Thanks to such projects and technologies we have been able to enhance security and automation within the SDDC, provide micro segmentation of critical workloads, and deliver anything services and applications wherever the’re located.

VMware NSX Presentation

VMware NSX Guides
Posted on

VMware NSX Guides

Reading Time: 2 minutes

VMware NSX Guides

If you’ve somehow managed to miss these brilliant (and free) VMware NSX guides, then worry not, as here are the links in all their glory. I cannot praise these books enough. Simply brilliant (and free!)

VMware NSX Micro-segmentation Day 1, by Wade Holmes

In Day 1, Wade Holmes details the migration away from a perimeter-orientated approach, to that of a micro-segmented architecture. VMware NSX enables organisations to utilise enhanced security functionality, whilst visualising traffic within the software-defined data centre.

VMware NSX Micro-segmentation Day 1, by Wade HolmesVMware NSX Micro-segmentation Day 1, by Wade Holmes

VMware NSX Micro-segmentation Day 2, by Geoff Wilmington

In Day 2, Geoff Wilmington complements the first guide by delving deeper into micro-segmentation, and details the process of both building and planning an architecture best suited to your applications. Also touched on are the additional tools such as VMware Log Insight, Application Rule Manager, and vRealize Network Insight.

From a personal point of view, the process of planning the migration of applications into NSX was a little daunting during my own implementation, and this guide has been simply invaluable.

VMware NSX Micro-segmentation Day 2, by Geoff WilmingtonVMware NSX Micro-segmentation Day 2, by Geoff Wilmington

Operationalizing VMware NSX, by Kevin Lees

In Operationalizing VMware NSX, Kevin Lees discusses how best to bring VMware NSX into ‘business as usual’. Both monitoring and troubleshooting are covered, and insights into team structures and cultures, team roles and responsibilities, etc., are provided. Unlike the ‘how-to’ style of the first two books, this third guide provides a fantastic insight into how NSX can be brought into service.

Operationalizing VMware NSX, by Kevin LeesOperationalizing VMware NSX, by Kevin Lees

Automating NSX for vSphere with PowerNSX, by Anthony Burke

Lastly, Automating NSX for vSphere with PowerNSX by Anthony Burke will be a firm favourite for all PowerShell fans wanting to get down and dirty with NSX.

Automating NSX for vSphere with PowerNSX, by Anthony BurkeAutomating NSX for vSphere with PowerNSX, by Anthony Burke

Posted on

VMware vCNS 5.5.4 to NSX 6.2.5 Upgrade

Reading Time: 6 minutes

VMware vCNS to NSX Upgrade

I’m a fan of upgrades that ‘just work’, but rarely do they run without a few unforeseens jumping out at you. Reading the VMware Upgrading VMware vCNS 5.5.x to NSX 6.2.x (2144620), I was surprised to see just five upgrade areas. Five? Really?? As this is a business critical system (and one with the potential of being able to turn a long day into an even longer day were things to go awry), I was a little sceptical, however, the vCNS to NSX upgrade process really is that easy.

VMware recommend the below implementation path when upgrading to NSX from vCNS, and if you’re not utilising any advanced features such as the vCNS Edges, you can cut this process down to just the first three steps.

  1. vCNS/NSX Manager
  2. Host Clusters and Virtual switches/wires
  3. vShield App (replaced by NSX Distributed Firewall)
  4. vShield Edge
  5. vShield Endpoint

Stick with me, I know you think I’m lying…

Scenario

So, a requirement exists whereby I need to replace a VMware vCNS 5.5.4 environment with VMware NSX 6.2.5 due to the former going end-of-life in Q4 2016. As I see it, I have two options; a) install NSX and migrate the vCNS workload to the new compute hardware, or b) upgrade vCNS in-place. As there aren’t any spare hosts lying around, the option will see us progressing with the in-place upgrade.

Note, configuration of NSX, as well as integration with AD Security Groups, will be covered in a future post.

Prerequisites

Okay, so there are some prerequisites (when would there not be?) Before initiating the upgrade process, you will need to ensure the below checklist has been completed:

  1. Physical network must be configured with a minimum MTU of 1600 due to the VXLAN overlay.
  2. As the NSX vSwitch is based upon vSphere Distributed Switches (vDS), if you’re currently running standard virtual switches, you’ll need to migrate to vDS first.
  3. Your backups have run successfully
  4. Snapshots of both vCenter and vCNS Manager have been taken
  5. vCNS Manager – e1000 network adapter replaced with a VMXNET3 adapter
  6. vCNS Manager – configured with at least 16GB RAM
  7. vCNS Manager – Tech Support Bundle created
  8. Download the relevant vCNS to NSX Upgrade Bundle

Upgrade vCNS 5.5.4 to NSX 6.2.5

1. First of all, we will need to download the Upgrade Bundle from VMware. Login to your MyVMware account and download.

2. Next, log into vCNS Manager, and browse to Settings & Reports > Updates.

3. Click Upload Upgrade Bundle, and upload the bundle we downloaded in Step 1.

4. Once uploaded, review the version details, and click Install.

5. When requested, click Confirm Install, and monitor the progress as per the below screenshots.

6. Monitor the reboot process via the appliance’s console and, once complete, we can proceed.

7. Following the reboot, browse to the previous vCNS Manager FQDN (https://server_name.domain.local), and you will be presented with the new NSX Manager. Note, the default admin credentials will have changed as part of the upgrade process:

  • Username – admin
  • Password – default

8. Login using the new credentials and ensure the NSX Management Service is running before proceeding. Note, this is a lab environment, hence the 4GB RAM.

9. Browse to Manage > NSX Management Service. In the Lookup Server URL section, configure by clicking Edit.

10. For this lab environment, I am configuring the lookup service to utilise vSphere SSO which, in this instance, integrates with my vCenter Server.

11. When prompted, accept the SSL certificate.

12. Ensure the Status for both Lookup Server URL and vCenter Server shows Connected.

13. After logging in to the vSphere Web Client as administrator@vsphere.local (we’ll configure NSX users and groups via Active Directory in a later post), you’ll now be able to see the new Networking & Security tab.

14. As this procedure details the upgrade process of vCNS to NSX, browsing to Networking & Security > Firewall, you will happily see that all vCNS Firewall rules have been retained.

At this point we will need to apply licensing, upgrade the ESXi host VIBs, and upgrade the vCNS Firewall to the new NSX Distributed Firewall. Until this takes place, any/all firewall amendments will not be seen by the ESXi hosts.

Licensing

1. Using the vSphere Web Client, browse to Administration > Licensing > Licenses, click Add (+).

2. When prompted, enter your license keys, and click Next. 

3. Confirm your license key information, amend the names where required, click Next.

4. Review your license information and click Finish.

5. Browse to Administration > Licenses > Assets > Solutions, and assign the new license by clicking the Assign icon.

6. Select the newly added license, and click OK.

Host Preparation

1. Browse to Networking & Security > Installation > Host Preparation.

2. Select the cluster you wish to upgrade, and click Actions > Upgrade.

3. As part of the upgrade process, note the below tasks as hosts and VMs are reconfigured.

4. Once the Host Preparation is complete, you will be requested to finalise the upgrade from vShield App Firewall to NSX Distributed Firewall. When prompted, click Upgrade.

5. After the migration has finished, browse to Networking & Security > Service Definitions, and remove the now legacy vShield-App-Service.

6. If you have any Edges in play, simply browse to NSX Edges, right-click the Edge in question, and choose Upgrade Version.

This concludes the upgrade of VMware vCloud Networking & Security 5.5.4 to VMware NSX 6.2.5. In a future post, we will cover the configuration of NSX itself, as well as the management of NSX via AD Groups.