The VMware Labs flings monthly for April 2021 – Easy deploy for AVI Loadbalancers & NSX Mobile!

So it feels like yesterday that I created the previous flings post but April flew by and it’s almost summer, time for some more bad weather over here in The Netherlands. I see a three new flings and ten who received an update. One of the new ones already has quite a long changelog with fixes!

New Releases

NSX Mobile

vRealize Orchestrator Parser

Easy Deploy for NSX Advanced Load Balancing

Updates

Virtual Machine Compute Optimizer

Community Networking Driver for ESXi

ESXi Arm Edition

vSphere HTML5 Web Client

Horizon Session Recording

vSphere Mobile Client

Workspace ONE Access Migration Tool

VMware OS Optimization Tool

SDDC Import/Export for VMware Cloud on AWS

VMware Event Broker Appliance

New Releases

[sta_anchor id=”nsxmob” /]

NSX Mobile

Are you an NSX admin? Do you spend major part of your work in monitoring the network and/or its security? Do you have the NSX web UI open on your laptop/desktop most of the day to make sure all the services are up and connectivity between systems is fine?

Carrying a laptop all the time with you could be quite challenging task, especially in situations like the current pandemic. However, your smartphone would be on you most of the time. NSX Mobile brings the ease of monitoring the networking and security right from your phone.

NSX Mobile complements the full-fledged NSX-T web UI by providing monitoring capabilities on the go. If you find something wrong, you can use the conventional web UI or ask someone else to investigate the matter immediately. Focus of the app is to provide instant notifications when something goes wrong and side by side ability to monitor the network & its security from a smartphone.

Features

  • Just install it & login with your NSX-T credentials to get started (make sure that the NSX version is 3.0+ and the NSX IP/domain name is reachable from your smartphone)
  • List and search all networking and security entities (e.g. Tier-0s, Network segments, Firewall Rules, etc.)
  • View alarms generated on NSX (e.g. CPU usage high OR a VPN failed to realize OR Intrusion detected in case if you have IDS firewall, etc.)
  • Push notifications – COMING SOON
  • Quick actions (enable/disable options wherever possible, actions on failures/alarms) – COMING SOON

[sta_anchor id=”vrop” /]

vRealize Orchestrator Parser

The vRealize Orchestrator Parser is a tool developed to extend the vRealize Build Tools Fling toolchain or to be used stand-alone with the Export Package to Folder option in native vRealize Orchestrator(vRO).

vRealize Orchestrator Parser parses vRO workflow XML files and extracts programming language code (Javascript, Python, Powershell, etc) and stores it as discrete files, that can then be checked into a source code control system, and or edited directly as discrete programming language source code from a traditional text-based source code editor, such as Visual Studio Code. These discrete files can also be consumed by other, third-party CI/CD systems like Maven and Jenkins. They can be edited, and they can be imported back into vRO workflow XML files. ‘Diffs’ and changes on the resulting code files are easily observed and tied to SCCS version numbers and releases, and can easily be merged and branched through normal software engineering development practices.

[sta_anchor id=”ednxcalb” /]

Easy Deploy for NSX Advanced Load Balancing

Easy Deploy for NSX Advanced Load Balancer (formerly Avi Networks) Fling is a virtual appliance that helps you deploy Avi in a handful of clicks!
This will enable you to leverage the power of multi-cloud application services platform that includes load balancing, web application firewall, container ingress, and application analytics across any cloud. No extensive knowledge required as it’s meant to make demo, training and proof-of-concept (POC) easy!

Features

  • A familiar VMware Clarity User Interface
  • Automatically deploy an Avi Controller and Avi Service Engines
  • Seamless integration with your VMware Cloud on AWS environment (with AVS and GCVE support coming soon!)
  • Option to deploy sample app that leverages Avi load balancing

For more information, read this blog post: New Fling: Easy Deploy for NSX Load Balancing a.k.a EasyAvi

Changelog

1.2.5

  • New Avi release supported – 20.1.5

1.2.4

  • Fixed SDDC conflict – what if you want to redeploy on the same sddc with another EasyAvi
  • Fixes “Output link /avi at the end does not work” issue
  • Destroy.sh – avoid TF error when trying to delete CL
  • Fixed “Typo in the outputs Advanced pplication Private IP Address”
  • Check for vCenter API connectivity before starting TF
  • Hide the button “DFW – Update NSX exclusion list with SE(s)”
  • Hide Domain Name field in the UI

1.2.3

  • Changed getMypublic.sh by beforeTf.sh

1.2.2

  •  Fix typo in outputs

1.2.1

  • Hide Public IP in outputs if empty

1.2.0

  • MD5 Checksum
  • Remove cat sddc.json from logs
  • Auto Apply
  • Auto routing to Step 3

1.1.0

  • Minor fixes

1.0.0

  • First Release

Updates

[sta_anchor id=”vmco” /]

Virtual Machine Compute Optimizer

The Virtual Machine Computer Optimizer (VMCO) is a Powershell script and module that uses the PowerCLI module to capture information about the Hosts and VMS running in your vSphere environment, and reports back on whether the VMs are configured optimally based on the Host CPU and memory. It will flag a VM as “TRUE” if it is optimized and “FALSE” if it is not. For non-optimized VMs, a recommendation is made that will keep the same number of vCPUs currently configured, with the optimal number of virtual cores and sockets.

Changelog

Version 3.0.0

  • Script will install or update the required modules (VMCO and PowerCLI). The script is now a single script that acts as the easy button to walk through the module installs, connecting to a vCenter, and exporting the results.

[sta_anchor id=”cndfesxi” /]

Community Networking Driver for ESXi

The Community Networking Driver for ESXi fling provides the user the ability to use usually not supported by ESXi.

Changelog

April 08, 2021 – v1.1

Net-Community-Driver_1.1.0.0-1vmw.700.1.0.15843807_17858744.zip
md5: 587d7d408184c90f6baf4204bb309171

  • Resolve issue when using Intel vPro which can cause ESXi PSOD

[sta_anchor id=”esxiae” /]

ESXi Arm Edition

ESXi on arm based system, nuf said!

Changelog

April 02, 2021 – v1.3

Note: Upgrade is NOT possible, only fresh installation is supported. If you select “Preserve VMFS” option, you can re-register your existing Virtual Machines.

  • Improved hardware compatibility (various bug fixes/enhancements)
  • Add support for Experimental Ampere Altra (single socket systems only) (please see Requirements for more details)
  • ACPI support for virtual machines
  • NVMe and PVSCSI boot support in vEFI
  • Workaround for ISO boot on some Arm servers
  • Address VMM crash with newer guest OSes and Neoverse N1-based systems
  • Improved guest interrupt controller virtualization
  • Improved (skeletal) PMU virtualization
  • Improved big endian VM support

Build 17839012
VMware-VMvisor-Installer-7.0.0-17839012.aarch64.iso

[sta_anchor id=”vhtml5wc” /]

vSphere HTML5 Web Client

Event though we have had the html5 web client around for a while they’re still using the html5 fling to test some new features!

Changelog

Fling 5.0 – build 15670023

Updated the instructions with the new location of some files and services for the HTML5 client fling v6.pdf

[sta_anchor id=”hsr” /]

Horizon Session Recording

The Horizon Session Recording tool allows for (on-demand) recording of Horizon sessions.

Changelog

Version 2.2.5

  • Added support for > Horizon 8.1

[sta_anchor id=”vmobc” /]

vSphere Mobile Client

Personally I don’t have a use for it but I do like the idea of being able to manage my vSphere from a mobile device using the vSphere Mobile Client.

Changelog

Version 2.2.0 Update:

New features:

  • Add filtering by severity options for Alarm and Events
  • Add windows key button in the virtual console keyboard for key combos

Improvements:

  • Improve VM console stability on device rotation
  • Add missing back button on the login pages
  • Update app logo icon and splash screens

Version 2.1.0 Update:

Improvements:

  • Compatibility with some ESXi versions using certain licenses has been improved. Operations should now work against those hosts.

Version 2.0.0 Update:

New features:

  • Introduction of VMware Cloud with VMware on AWS. Access your cloud vCenter servers from within the mobile app.
  • VM details page: navigation to related objects now possible

Improvements:

  • Virtual Machine details page now loads faster when it’s powered off
  • Fixed an issue where the app would show two spinners when navigating between views

[sta_anchor id=”wsoneamt” /]

Workspace ONE Access Migration Tool

[sta_anchor id=”osot” /]

Workspace ONE Access Migration Tool helps ease migration of Apps from one WS1 Access tenant to another (on-premises to SaaS or SaaS to SaaS) and use cases that require mirroring one tenant to another (for setting up UAT from PROD or vice versa) by providing capabilities listed below

Changelog

Version 1.0.0.24

  • Migrate App Entitlements (groups only)
  • New Logo and UI branding
  • Bug fixes

VMware OS Optimization Tool

Optimize you must, use you should OSOT!

Changelog

April 5, b2003

  • Resolved bug where Windows Store Apps were being removed even though they were being selected to be kept. This included changing the filter condition for Remove All Windows built-in apps.

[sta_anchor id=”sddciefvcoaws” /]

SDDC Import/Export for VMware Cloud on AWS

The SDDC Import/Export for VMware Cloud on AWS tool enables you to save and restore your VMware Cloud on AWS (VMC) Software-Defined Data Center (SDDC) networking and security configuration.

Changelog

Version 1.4

  • New feature – on-prem NSX-T DFW configuration export, import into VMC on AWS
  • New feature – on-prem vCenter folder structure export, import into VMC on AWS
  • New feature – Indented JSON output for easier reading
  • Bugfix – Bumped minimum Python version to the actual requirement of 3.6
  • Bugfix – Fixed issue where the exception block of a try/except on GET calls errored

[sta_anchor id=”veba” /]

VMware Event Broker Appliance

The VMware Event Broker Appliance (VEBA) Fling enables customers to unlock the hidden potential of events in their SDDC to easily event-driven automation based on vCenter Server Events and take vCenter Server Events to the next level! Extending vSphere by easily triggering custom or prebuilt actions to deliver powerful integrations within your datacenter across public cloud has never been more easier before.

Changelog

https://www.virtuallyghetto.com/2021/04/vmware-event-broker-appliance-veba-v0-6-is-now-available.html

Installing Fortinet Fortigate VMX with VMware NSX-V

Recently I had to do an installation of Fortinet Fortigate VMX 6.* on a small cluster that already was running NSX. Since there is hardly any documentation on it besides an older pdf from Fortinet I decided to document my own following of that document.

Since my lab’s still on 6.5 I decided to do everything within the flash client of vCenter.

Disclaimer: I am not a Networking or Security professional so there’s a good chance I am not keeping to some standards in those worlds.

What you need

  • both Fortigate vmx ovf files with vmdk’s for version 6.*
  • Webserver with anonymous access for the deployment of the security vm’s
  • NSX already pre-installed

Setting up the VMX Manager

First you start with deploying the VMX Service Manager from vSphere. It’s important that note that there are two ovf files. One for the Service Manager and one for the Security VM. You need the FortiGate-VMX-Service-Manager.ovf first. During this deployment you need to select two networks. One for management and a sync network. The latter is for communication with the security vm’s only so can be non-routed. It is possible to have a dhcp server running in this vlan as long as it doesn’t provide a default gateway (Servers don’t like multiple gateways. capiche?). For the security vm’s the service manager is able to act as dhcp for the security vm’s. Since I use this vlan for more things I have dhcp running on my domain controller but will set a static ip on the service manager.

When the deployment has finished you can power the VM on and you need to open the console for some commands. Please note that I added the extra end’s to the commands compared to the manual.

Somehow they put the ip config in the ovf but that doesn’t work so you need to set it manually

config global
config system interface
edit mgmt
set ip <IP address for the MGMT interface > <subnet mask>
set allowaccess ping https ssh http
end
end

 

Now we need to configure the default gateway

config vdom
edit root
config router static
edit 0
set device mgmt
set gateway <IP address of gateway>
end
end

 

and configure dns ( I only have 1 dns host)

config global
config system dns
set primary <IPv4 address of DNS server>
set secondary <IPv4 address of DNS server>
end
end

 

So the basic configuration has been done and we should have access to the web interface by now. Just regular https on port 443. Default is admin without password.

If you want you can change the password now (recommended!!)

You’ll see a dashboard similar to this but with an evaluation license.

If you click on FGTVMX License you’ll get a button to install the license.

Click on upload and click ok to install the license, the VMX Service Manager will reboot after this.

With this done we need to set some default settings under Global > System > Settings

Since I only have my Domain Controller for ntp I need to do this from the CLI

config global
config system ntp
set type custom
config ntpserver
edit 0
set server <IPv4 address of NTP server>
end
end
end

and the result

Connecting with NSX

Here we find one of the bigger changes with the manuals of the 5.* releases of Fortigate VMX.

The 6.* releases of Fortigate VMX already come with the NSX service installed so the only thing we need to do is register the VMware NSX SDN. This can be done under Global>Dashboard>Security Fabric> Fabric Connectors.

Fill in all the fields, the image location has to be an anonymous 🙁 webserver that has both the vmdk files and the ovf. Click on ok when you are done.

Now we need to edit the connector again to register the service. Select the NSX Connector and click on edit.

Hit the Add Service button and the service will be created for you (previously this had to be done from the cli)

If you now go to the Service Definitions in NSX it will show an Extra one called Fortigate_VMX or whatever you named it.

Configuring NSX for Fortigate VMX

Next thing to do is to create a service deployment. Click on add on the Service Deployment tab under Networking & Security > Installation and Upgrade.

Select the Fortigate service name

Select the cluster where you want to deploy Fortigate VMX

Select the datastore where the Service VM’s need to be placed, the correct portgroup and if you want to use dhcp or an ip pool for the service vm’s.

and finally click finish

NSX will now start deploying the service vm’s. Usually it creates a new resource pool for these but that somehow failed for me.

Next up is creating Security groups for the vm’s that we need to firewall. This is done in the service manager for NSX.

Click add

Choose a name

Choose a rule for when vm’s are a member of this group

I didn’t use the next 2

And hit finish

The group now consists of several of my VDI Desktops

Last but not least we need to create a redirection policy.

Under service composer > security policies click add

Choose a name

skip Guest introspection and firewall rules. Under Network Introspection click add

Choose a name and select the direction of the traffic that gets filtered within the group where this gets applied.

I created two service for all incoming traffic to my security groups and all outgoing.

click next & finish.

Now click on the newly created security policy

click Apply

Select the security group where you want to apply the policy, put it in selected objects and click apply.

With this traffic should be redirected to Fortigate VMX and the firewalling can be setup over there.

My Experience with the NSX 6.2 ICM On-Demand traning and the VCP-NV exam

For the people who are only interested in the result: today I passed the VCP-NV exam with 367 points. This after I followed the NSX Install, Configure, Manage (hence the ICM) On-Demand course in May. This training was provided through the Partner training funds that my employer TenICT/AnylinQ have been assigned by VMware.

About the NSX ICM On-Demand training.

For the people not familiar with the on-demand training possibilities from VMware: with these courses one has a month the time to follow a set of computer narrated lectures covering all the same subjects as the official classroom training provides. Besides this you have access to a digital book belonging to the training. You also have access to a lab environment during this month where you have to complete all the lab tasks during the training.

Personally, I prefer classroom training since this allows the trainer to deviate from the official training when possible or required. Think about explaining things in a bit different matter or diving deeper into some of the material. Also, the computer-generated voice gets boring pretty fast and the sound quality also went sub par during some of the chapters. Combine this with a price that is only a fraction lower than the official price and I wouldn’t really recommend it unless you have someone sponsoring it for you.

What the training did was provide a good base for the exam. After this it’s a question of reading blog posts, playing with it in the lab (or Hands on Labs) and maybe you might need to read a book.

About the exam

So I did the exam as almost usual at @TheAcademy in Eindhoven, The Netherlands. They have a new room setup since over a year that I hadn’t been into yet (doing SME jobs has its perks) equipped with what I believe to be 21″ full HD screens. While these don’t provide for a better experience for vcp exams they do for vcap’s so that’s good to know. There are 77 multiple choice questions and I had two hours to spend on these. This time I didn’t need, and I left the building after 45 minutes. I can read English just as fast or sometimes faster than my native Dutch. The questions where a bit easier than I expected so maybe that score of 367 should have been a bit higher.

What you need to know

  • What permission level is needed to know what (Enterprise admin, NSX Admin, Auditor, Security Admin)
  • Order of installing things or setting them up
  • Be able to read drawings to follow the packets
  • Be able to create those drawings in your head and follow the packets
  • Some basic command line stuff for example for the controller cluster (only that what can be found in the courseware!)
  • Know your Distributed switches and what they can do
  • VPN Types
  • Best practices
  • What vm/function related to NSX does what
  • Networking basics
  • Numbers & maximums i.e. how many of what can do what, what’s needed to do that, what numbers needs this to be, What’s the default number for this.

Study Materials Used

  • NSX ICM On-Demand training
  • the links in vmiss’s blog post here
  • The Official Cert guide. Be aware that the exam is for 6.2 and not the 6.1 of the book but most still applies.

Do I know NSX inside out now?

No, and do you want to know why? This exam only hits the top of the iceberg in NSX possibilities, for example it hardly touches any real configuration nor does it have a lot of load balancing or nerd knob settings. For those things you really need to have a lot more experience and do the vcap exam. I am not sure if I will be following that path but this training and exam at least gives me enough knowledge to break things in NSX.

And a Queen video for those still reading

The VMware Labs flings monthly for April 2018

It’s been a rather quiet month on the VMware flings front. No wonder with the vSphere 6.7 and other releases this month. Did you already test them? I have to say like vSphere 6.7 but it’s consider the numbering good as well, it wouldn’t have fit to be a 7.* release. One new fling with the PowerCLI for NSX-T Preview, two updated ones with the vSphere HTML5 Web Client and Cross vCenter VM Mobility – CLI. Another fling has gone GA in vSphere 6.7: VMFork for pyVmomi.

[sta_anchor id=”nsxtpowercli” unsan=”NSXTPowerCLI” /]

PowerCLI Preview for NSX-T

The one thing lacking for NSX-T was PowerCLI availability, this is solved with the release of the PowerCLI Preview for NSX-T fling. Please be aware that the fling still contains bugs and might even be considered an alpha release.

[sta_anchor id=”xvcvm” /]

Cross vCenter VM Mobility – CLI

Cross vCenter VM Mobility – CLI is the go to tool when you want to move vm’s between vCenter servers and don’t want to use the GUI fling. The versioning is a bit weird since we already had 1.6 and now they released 1.6.0.

Version 1.6.0

  • Relocate is failing with validation error “cln is missing”.

[sta_anchor id=”html5″ /]

vSphere HTML5 Web Client

Not sure what exact version of the html5 web client went into the vSphere 6.7 release but here you can find an overview of the functionality, don’t mind the url because the text clearly states it’s for 6.7. If you want an even more updated version or want to get used to it in vSphere 6.* then use the fling.

Fling 3.37 – Build 8313530

New Features

  • Add VM vApp option properties read-only view
  • SRIOV networking in clone wizard customize HW page

Improvements

  • Prevent the user from creating a GOSc spec with no specified timezone
  • Resize the migrate wizard to use the largest possible size based on VMware Clarity design standards

Bug Fixes

  • Drag and Drop VM to folder

 

 

NSX 6.2.3 release includes vShield license

Until now if you wanted agentless anti-malware but not owned full blown NSX you needed vShield that VMware had announced it to go EOL in september. As expected VMware announced today NSX 6.2.3 that includes a vshield License.Sadly it still only supports anti-malware so don’t expect a lot of ransomware protection to be done agentless.

The rest of the changes:

 

Changes introduced in NSX vSphere 6.2.3:

Logical Switching and Routing

NSX Hardware Layer 2 Gateway Integration: expands physical connectivity options by integrating 3rd-party hardware gateway switches into the NSX logical network

New VXLAN Port 4789 in NSX 6.2.3 and later: Before version 6.2.3, the default VXLAN UDP port number was 8472. See the NSX Upgrade Guide for details.

Networking and Edge Services

New Edge DHCP Options: DHCP Option 121 supports static route option, which is used for DHCP server to publish static routes to DHCP client; DHCP Options 66, 67, 150 supports DHCP options for PXE Boot; and DHCP Option 26 supports configuration of DHCP client network interface MTU by DHCP server.

Increase in DHCP Pool, static binding limits: The following are the new limit numbers for various form factors: Compact: 2048; Large: 4096; Quad large: 4096; and X-large: 8192.

Edge Firewall adds SYN flood protection: Avoid service disruptions by enabling SYN flood protection for transit traffic. Feature is disabled by default, use the NSX REST API to enable it.

NSX Edge — On Demand Failover: Enables users to initiate on-demand failover when needed.

NSX Edge — Resource Reservation: Reserves CPU/Memory for NSX Edge during creation. Admin user can modify the CPU/Memory settings after NSX Edge deployment using REST API to configure VM appliances.

Change in NSX Edge Upgrade Behavior: Replacement NSX Edge VMs are deployed before upgrade or redeploy. The host must have sufficient resources for four NSX Edge VMs during the upgrade or redeploy of an Edge HA pair. Default value for TCP connection timeout is changed to 21600 seconds from the previous value of 3600 seconds.

Cross VC NSX — Universal Distributed Logical Router (DLR) Upgrade: Auto upgrade of Universal DLR on secondary NSX Manager, once upgraded on primary NSX Manager

Flexible SNAT / DNAT rule creation: vnicId no longer needed as an input parameter; removed requirement that the DNAT address must be the address of an NSX Edge VNIC.

NSX Edge VM (ESG, DLR) now shows both Live Location and Desired Location. NSX Manager and NSX APIs including GET api/4.0/edges//appliances now return configuredResourcePool and configuredDataStore in addition to current location.

Security Services

Distributed Firewall — TFTP ALG: enables use cases such as network boot for VMs.

Firewall — Granular Rule Filtering: simplifies troubleshooting by providing granular rule filters in UI, based on Source, Destination, Action, Enabled/Disabled, Logging, Name, Comments, Rule ID, Tag, Service, Protocol.

Guest Introspection — Windows 10 support

SSL VPN Client — Mac OS El Capitan support

Service Composer — Performance Improvements: enables faster startup/reboot of NSX Manager by optimizing synchronization between security policy and firewall service, and disabling auto-save of firewall drafts by default.

Service Composer — Status Alarms: raises system alarm if security policy is out-of-sync, and takes specific actions based on alarm code to resolve issue.

Operations and Troubleshooting

NSX Dashboard: Simplifies troubleshooting by providing visibility into the overall health of NSX components in one central view.

Traceflow Enhancement — Network Introspection Services: Enhances ability to trace a packet from source to destination, by identifying whether packets were forwarded to 3rd-party network introspection services, and whether the packet comes back from the 3rd-party service VM or not.

SNMP Support: Configure SNMP traps for events from NSX Manager, NSX Controller, and Edge.

Logging is now enabled by default for SSL VPN and L2 VPN. The default log level is notice.

Firewall rules UI now displays configured IP protocols and TCP/UDP port numbers associated with services.

NSX Edge technical support logs have been enhanced to report memory consumption per process.

Central CLI Enhancements

Central CLI for Host Health: Shows host health status, with 30+ checks in one command (including network config, VXLAN config, resource utilization, etc.)

Central CLI for Packet Capture: Provides ability to capture packet on the host and transfer the capture file to user’s remote server. This eliminates the need to open up hypervisor access to network administrators, when troubleshooting logical network issues.

Technical support bundle per host: Gathers per-host logs and creates a bundle that can be saved and submitted to VMware technical support for assistance.

Licensing Enhancements

Change in default license & evaluation key distribution: default license upon install is “NSX for vShield Endpoint”, which enables use of NSX for deploying and managing vShield Endpoint for anti-virus offload capability only. Evaluation license keys can be requested through VMware sales.

License usage reporting: NSX license usage counts are displayed on NSX Manager’s Summary UI and also retrievable via API. NSX license usage counts will no longer be reported through vCenter licensing service.

Solution Interoperability

Customer Experience Improvement Program: NSX supports reporting system statistics via the VMware Customer Experience Improvement Program (CEIP). Participation is optional and is configured in the vSphere Web Client.

VMware vRealize Log Insight 3.3.2 for NSX provides intelligent log analytics for NSX, with monitoring and troubleshooting capabilities and customizable dashboards for network virtualization, flow analysis and alerts. This version accepts NSX Standard/Advanced/Enterprise edition license keys issued for NSX 6.2.2+.