VMware NSX 6.2.4 released

So after the huge cock-up with 6.2.3, VMware have turned around a new version of NSX in a matter of weeks to fix all the bugs!


Of major concern was the whole HA issue that meant DLR nodes got stuck in a ‘split-brain’ mode after 24 days of operations – and every 24 days after that! It also didn’t help that the previous version was causing VMs to lose network connectivity if the pMAC of the DLR was the MAC address in the default gateway.

Anyways, hopefully all the bugs have been ironed out and the new release is more stable!

Release Notes can be found here.

For some of my customers, the release of 6.2.4 brings back vShield Endpoint management support, which is great given that vCNS and vShield Manager reach end of general support on the 19th Sept!

For more info about this, read my previous blog entry: NSX 6.2.3 Released – support for vShield Endpoint Management

NSX 6.2.3 Released – support for vShield Endpoint Management

As most people are aware, VMware pulled their support for vCloud Network & Security (and with that vShield Manager) earlier this year and a lot of my customers have been wondering what’s going to happen to their vShield Endpoint deployments (for agentless AV). It was strange that VMware announced the EoA for vCNS without really announcing its successor – although that said, most of us already had an inkling that NSX Manager would probably pick up the management of vShield Endpoint.

NSX 6.2.3 was released in June (as always to limited/no fanfare) and with this release was the announcement that NSX now supports the management of vShield Endpoint (now renamed NSX Guest Introspection). Customers who purchased vSphere with vShield Endpoint (pretty much all versions, Essentials Plus and above) are now able to download NSX Manager from their My VMware portal, under the vSphere product – download site. The license that comes embedded in NSX Manager 6.2.3 includes an unlimited capacity NSX for vShield Endpoint license key. To ensure customers do not use any other unlicensed NSX features (For example VXLAN, DFW, Edge services), the license key will have hard enforcement to prevent NSX host preparation and block Edge creation.

VMware NSX for vSphere provides NSX Guest Introspection, which provides all features of vShield Endpoint and support for additional service categories like vulnerability management, IDS/IPS using the in-guest thin agent.

vCloud Networking and Security Manager version 5.5 is supported until September 2016 after which customers will need to upgrade to NSX Manager in order to continue with vShield Endpoint support (Technical Guidance will still be available for vCNS till March 2017).

More information on the procedures for upgrading from vCNS 5.5.x to NSX 6.2.x can be found here: http://pubs.vmware.com/NSX-62/index.jsp#com.vmware.nsx.upgrade.doc/GUID-D2CDB014-39D8-48CC-9733-981308249F52.html or at this VMware KB: https://kb.vmware.com/kb/2144620

The process of upgrading can be summarised as follows:

  1. Upgrade vShield Manager to NSX Manager.
  2. Deploy NSX Controller cluster (update Transport Zones and Logical Switches).
  3. Install the new VIBs on ESXi hosts in the cluster (virtual wires are renamed as logical switches).
  4. Upgrade vShield App to NSX Distributed Firewall – configuration is migrated across.
  5. Upgrade vShield Edge devices to NSX Edge devices – configuration is migrated across.
  6. Upgrade vShield Endpoint to NSX Guest Introspection.

Note that for upgrade to work, each function must be on version 5.5.

NSX 6.2.3 Release Notes: http://pubs.vmware.com/Release_Notes/en/nsx/6.2.3/releasenotes_nsx_vsphere_623.html

Installing vShield Endpoint (vCNS Mgr 5.5.4-3)

Very quick blog entry as I’m busy tying up loose ends before jetting off on my summer hols….

It’s pretty easy to install vShield Endpoint as it’s a wizard-based OVA deployment. I’m not going to step through the process as it’s very simple (plus the install guide explains it very well). Once that’s done, log into the console and run ‘setup’ to configure the IP address and DNS information.

After that, it’s a case of logging into vShield Manager and connecting to vCenter Server.

Once connected to the vCenter, you should see your datacenter and hosts in a hierarchical tree on the left menu. Select each host and install vShield Endpoint.

vShield Installation guide: http://www.vmware.com/pdf/vshield_55_install.pdf

However, I did encounter a few issues (due to prior deployments which hadn’t been cleaned up properly).

Error 1: VMKernel Portgroup present on incorrect vSwitch
This occurred because the hosts had a previous vSwitch labelled vmservice-vswitch, but the VMkernel port vmservice-vmknic-pg resided on a different vSwitch (previous deployment). To correct this I had to delete the old VMkernel port and recreate it on the correct vmservice-vswitch.

Error 2: VirtualMachine Portgroup present on incorrect vSwitch

Again this was due to a misconfiguration on a previous deployment! What should happen is that once you’ve set up the vmservice-vswitch and created the vmservice-vmknic-pg portgroup and VMkernel port, the installer creates a new portgroup on that vSwitch called vmservice-vshield-pg. Like before, this was residing on the wrong vSwitch.

In the end I just deleted the wrong vSwitch and started again by creating the vmservice-vswitch and the vmservice-vmknic-pg. After that the installation of vShield Endpoint went swimmingly!
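Both errors boil down to the same check: the two vmservice port groups must sit on vmservice-vswitch and nowhere else. The script below is an added example (not part of the original post) that parses text in the style printed by `esxcfg-vswitch -l` on an ESXi host and reports any Endpoint port group that lives on the wrong vSwitch; the sample output is constructed to reproduce Error 1.

```python
# Added example: spot vShield Endpoint port groups sitting on the wrong vSwitch
# by parsing `esxcfg-vswitch -l`-style output. The sample below is constructed.
import re

EXPECTED_VSWITCH = "vmservice-vswitch"
ENDPOINT_PORTGROUPS = ("vmservice-vmknic-pg", "vmservice-vshield-pg")

# Constructed sample: the VMkernel port group was left on vSwitch0 by an
# earlier deployment instead of being on vmservice-vswitch (Error 1 above).
SAMPLE_OUTPUT = """\
Switch Name      Num Ports   Used Ports  Configured Ports  MTU     Uplinks
vSwitch0         128         6           128               1500    vmnic0

  PortGroup Name        VLAN ID  Used Ports  Uplinks
  VM Network            0        2           vmnic0
  Management Network    0        1           vmnic0
  vmservice-vmknic-pg   0        1

Switch Name      Num Ports   Used Ports  Configured Ports  MTU     Uplinks
vmservice-vswitch 128        1           128               1500

  PortGroup Name        VLAN ID  Used Ports  Uplinks
  vmservice-vshield-pg  0        0
"""

def parse_vswitches(text):
    """Map each port group name to the vSwitch it lives on."""
    placement, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(("Switch Name", "PortGroup Name")):
            continue                       # blank lines and column headers
        if not line.startswith(" "):       # unindented row: a vSwitch, name first
            current = line.split()[0]
        else:                              # indented row: a port group on `current`
            # names may contain spaces, so cut at the VLAN ID column (first integer)
            m = re.match(r"\s+(.+?)\s+\d+(?:\s|$)", line)
            if m and current:
                placement[m.group(1)] = current
    return placement

def endpoint_misplacements(text):
    """Return {portgroup: actual_vswitch} for Endpoint port groups not on the expected vSwitch."""
    return {pg: sw for pg, sw in parse_vswitches(text).items()
            if pg in ENDPOINT_PORTGROUPS and sw != EXPECTED_VSWITCH}

if __name__ == "__main__":
    for pg, sw in endpoint_misplacements(SAMPLE_OUTPUT).items():
        print(f"{pg} is on {sw}, expected {EXPECTED_VSWITCH}: delete and recreate it")
```

Run it against the real output of each host before installing Endpoint and the installer's "incorrect vSwitch" errors should not appear.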


Which goes to show that cleaning up an old deployment within your demo environment can sometimes be very handy! =)


vShield Endpoint with vSphere 6.0 – Explaining the confusion around the product range!

So I had a customer ask me what was going on with vShield Edge and vCloud Networking & Security, and whether the products are still available or has NSX replaced them…. and what is with this vShield Endpoint feature?

Anyways, after explaining my take on vShield and vCNS I decided to do a bit more digging into vShield Endpoint and why there has been so much confusion with the product range regarding licensing, support, and availability of the products!

I came across this great blog post by Josh Townsend which pretty much explains the history behind vShield, vCNS and NSX and also talks about how you can deploy vShield Endpoint. Rather than me regurgitating what he wrote, I’ll advise you to definitely click through to his blog and have a read! Hopefully all will become clear!


Creating a Load Balancer in vCloud Director 5.1

So as promised, today I’m going to blog about how to manually create a load balancer service on an edge gateway within vCloud Director.

I’m assuming here that you know all about Edge Gateways and how to create them, so I’ll bypass that info – if you don’t know then VMware has a simple-to-follow video on creating a gateway: http://www.youtube.com/watch?v=v9XOOFhvDBk

(Note: with 5.1 you can now setup an edge gateway to run in HA mode – basically providing a secondary gateway device that can seamlessly take over if the primary gateway dies! Also worth noting is the multiple interfaces you can configure – now 10 are supported – and VXLAN support… for more info check out the release notes: http://www.vmware.com/support/vshield/doc/releasenotes_vshield_51.html. BTW, the latest version of vShield is 5.1.2).

So on an edge gateway within your Organisation vDC (virtual Data Centre), you can setup several gateway features (or services):

  • DHCP
  • NAT
  • Firewall
  • Static Routing
  • VPN
  • Load Balancing

I won’t go into each one otherwise this will end up being an extremely long post. For more info have a look at VMware’s video: http://www.youtube.com/watch?v=elG1zxGHheg

Creating a Load Balancer service on the edge gateway is a pretty simple process. The two main attributes that need to be configured are:

  • “Pool Servers” – which basically contains all the servers that you wish to load balance, as well as the protocol you wish to balance over.
  • “Virtual Servers” – this is basically where you assign a VIP (virtual IP) to the load balancer, determine which “Pool” of servers you wish to assign it to, and which protocols you wish to enable.

Step 1 – Configuring Load Balancer Service

When you navigate to the Edge Gateway tab within the Org vDC, right-click on the edge gateway you wish to configure and select “Edge Gateway Services”. This will pop up a window which allows you to configure all the services available on that gateway. In our case we’re configuring the Load Balancer, so click on that tab.


Step 2 – Configure Pool Servers

The first thing you need to do is configure the Pool Servers, it’s no use configuring the Virtual Servers as one of its requirements is that you assign the Virtual Server to a Pool….. Click on Add to bring up the Add Load Balancer Member Pool window.

Here you will just enter a Name for the Pool and a description. Try and use a unique and useful name (eg. <vApp Name>-LB-Pool) that helps to identify the Pool; each load balancer service can have multiple pools and it could get confusing if you end up calling every pool “LBPoolxx”.


Next up is choosing what services/protocols are to be load balanced. One of the new things with vShield 5.1 (or vCloud Network and Security 5.1) is the ability to load balance over HTTPS and generic TCP connections (previous versions only allowed HTTP). Which is GREAT as you can now use an Edge gateway within vCenter Server to load balance vCloud Director cells!! (More on this another time).

So select the services you wish to balance and then decide what balancing methods you wish to use.

Here’s a quick rundown of balancing methods:

  • IP_HASH – This basically means the load balancer selects a server based on a hash of the source and destination IP address of each packet.
  • LEAST_CONN – This distributes the connection requests based on the number of connections already on the pool-member server. Basically new connections are sent to the server with the fewest connections! However, this does not take into consideration the amount of traffic being handled by that server. Usually great for load balancing long sessions (LDAP, SQL) but not that great for short sessions (like HTTP).
  • ROUND_ROBIN – Probably the most common algorithm to use (especially when the servers have equal processing capabilities), it allows equal distribution of traffic amongst the pool servers regardless of the number of connections (or response time). Basically each server in the pool is used in turn according to the weight assigned to it. Although be careful using this if you have servers in the pool with different capabilities as you may end up with servers receiving more requests than they can process. =)
  • URI – (Taken from the vShield admin guide – tbh, I’ve never used URI as a method.) The left part of the URI (before the question mark) is hashed and divided by the total weight of the running servers. The result designates which server will receive the request. This ensures that a URI is always directed to the same server as long as no server goes up or down.

Anyways, keeping it simple we can choose just to balance HTTP over Port 80 using a Round Robin algorithm. =)
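To make the four methods concrete, here is an added example (not from the original post, and not vShield’s own implementation) that reduces each one to a plain function over a constructed pool so their selection behaviour can be compared side by side; the hash function and pool addresses are assumptions.

```python
# Added example: the four pool balancing methods as plain selection functions.
# The pool and the hash function are constructed; vShield's internal hashing is
# not documented here, so only the behaviour described in the post is modelled.
import hashlib
from itertools import cycle

# Constructed pool: (member ip, weight, currently open connections)
POOL = [("10.0.0.11", 1, 0), ("10.0.0.12", 1, 0), ("10.0.0.13", 2, 0)]

def _stable_hash(value):
    """Deterministic hash (unlike Python's salted hash()) so results repeat."""
    return int(hashlib.sha256(value.encode()).hexdigest(), 16)

def ip_hash(pool, src_ip, dst_ip):
    """IP_HASH: the same source/destination pair always lands on the same member."""
    return pool[_stable_hash(f"{src_ip}->{dst_ip}") % len(pool)][0]

def least_conn(pool):
    """LEAST_CONN: pick the member with the fewest open connections
    (ignores how heavy those connections are, as the post notes)."""
    return min(pool, key=lambda m: m[2])[0]

def weighted_round_robin(pool):
    """ROUND_ROBIN: yield members in turn, each repeated according to its weight."""
    yield from cycle([m[0] for m in pool for _ in range(m[1])])

def uri_hash(pool, uri):
    """URI: hash the path before '?' modulo the total weight of the pool, then map
    into the weighted member list; a path sticks to one member while the pool is static."""
    path = uri.split("?", 1)[0]
    weighted = [m[0] for m in pool for _ in range(m[1])]
    return weighted[_stable_hash(path) % sum(m[1] for m in pool)]

if __name__ == "__main__":
    rr = weighted_round_robin(POOL)
    print("round robin:", [next(rr) for _ in range(8)])
    print("least conn:", least_conn([("a", 1, 5), ("b", 1, 2), ("c", 1, 9)]))
    print("uri:", uri_hash(POOL, "/app/login?x=1"), uri_hash(POOL, "/app/login?y=2"))
```

Note how the weight-2 member appears twice per round-robin cycle, which is exactly the behaviour to watch for when pool members have different capabilities.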


Next we configure Health-checking. A health check checks that all servers in the pool are alive and answering queries. Usually the parameters I tend to use are the default ones configured.

  • Interval – Interval in secs at which a server is pinged.
  • Timeout – Time in secs within which a response from the server must be received.
  • Health Threshold – Number of consecutive successful health checks before a server is declared operational.
  • Unhealth Threshold – Number of consecutive unsuccessful health checks before a server is declared dead.

It’s worth noting that with the default settings, I believe a server would be flagged as down after 60secs (3x timeout + 3x Interval – correct me if I’m wrong!). Obviously you can tune this to whatever you want. Just be aware that the worst thing to do is set the Timeout to 1 second as this can cause all sorts of issues because if a server did not respond to a ping within a second, it would be marked as a missed response!

Likewise setting the Unhealth Threshold to 1 would be inappropriate as that means if a server missed 1 response it would be flagged as down.

URI for HTTP service is basically where the load balancer queries to see if the server is up. Usually this is set to “/”, but if you wish to be smart then you can create a static web page to use on each server. Usually a “200 OK” response means a healthy status, while a “4xx or 5xx” would usually mean you have a problem.
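The interaction between Interval, Timeout and the two thresholds is easier to see by simulating it. The following is an added example (not from the original post) of a small health-check state machine; all timing values are constructed rather than vShield defaults, and the model assumes each probe is sent Interval seconds after the previous one completes.

```python
# Added example: simulate the pool health-check state machine to see how
# Timeout and Unhealth Threshold settings decide when a member is marked down.
# Timing values used in the tests are constructed, not vShield defaults.
from dataclasses import dataclass

@dataclass
class HealthCheck:
    interval: float          # seconds between probes
    timeout: float           # seconds to wait for a reply before counting a miss
    health_threshold: int    # consecutive passes before a down member is up again
    unhealth_threshold: int  # consecutive misses before an up member is marked down

def run_health_check(cfg, response_times):
    """Feed per-probe response times (None = no reply) through the state machine.
    Assumes a probe goes out `interval` seconds after the previous one completes.
    Returns (member_is_up, seconds_at_which_it_was_first_marked_down_or_None)."""
    up, passes, misses, clock, down_at = True, 0, 0, 0.0, None
    for rt in response_times:
        clock += cfg.interval
        if rt is not None and rt <= cfg.timeout:      # reply arrived in time: a pass
            passes, misses = passes + 1, 0
            clock += rt
            if not up and passes >= cfg.health_threshold:
                up = True
        else:                                         # late or no reply: a miss
            misses, passes = misses + 1, 0
            clock += cfg.timeout                      # waited the full timeout
            if up and misses >= cfg.unhealth_threshold:
                up = False
                down_at = clock if down_at is None else down_at
    return up, down_at

if __name__ == "__main__":
    sane = HealthCheck(interval=5, timeout=15, health_threshold=2, unhealth_threshold=3)
    harsh = HealthCheck(interval=5, timeout=1, health_threshold=2, unhealth_threshold=1)
    print("dead server, sane settings:", run_health_check(sane, [None] * 4))
    print("slow (1.5s) server, sane:", run_health_check(sane, [1.5] * 3))
    print("slow (1.5s) server, harsh:", run_health_check(harsh, [1.5] * 3))
```

With the harsh settings a perfectly healthy server that simply takes 1.5 seconds to answer is pulled from the pool on the first probe, which is the failure mode the two paragraphs above warn about.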


Next up is adding the servers you wish to load balance into the pool. Simply enter the IP address of the server, its weighting (indicates the ratio of how many requests are sent to this server), and the services and ports to be load balanced.


Once you’ve finished adding all the servers to the pool, click Next and Finish at the summary page.

Step 3 – Configure Virtual Servers

Once the Pool Servers has been defined, click on Virtual Servers tab and the Add button.

Again, like when you created the Pool, I suggest using a unique and useful name for the Virtual Server. =)

When creating the Virtual Server, you need to choose which network to apply it on; usually this would be the Org vDC network.

Specify the IP address to use as the load balancer VIP and then which Pool you wish to assign to be load balanced. Finally select the services you wish to load balance, ensure the ‘Enabled’ box is checked on both the services and the Virtual Server and click OK.


Give it about 30secs to reconfigure the edge gateway and there you go….. a working (hopefully) load balancer service on your Edge Gateway!

Simples…… =)

Next blog entry will discuss how we tie the vCenter Orchestrator Load Balancer Actions to our manual process!

Back to Blogging……

So I know I said I wasn’t going to blog much in the coming weeks, but given the fact that my jury service has been cancelled next week (court case was cancelled so Jury was dismissed due to no other court cases running) and also the fact that my current work project has been cancelled (client cancelled the contract with my company), I pretty much have quite a bit of free time!

Not to mention that I had a sleepless night as all I could think about was that I NEED to blog some of the stuff that’s floating around my head regarding VMware – just so I can put my brain at rest!

So hopefully in the upcoming weeks, I intend to blog about the experiences I’ve had over the past couple of months touching upon:

  • Changing the SSL certificates of VMware products (away from the self-signed VMware ones to a CA certified one).
  • Transact-SQL scripts for creating databases for VMware products.
  • Loadbalancing workflow that I wrote recently to automate the deployment of a loadbalancer in vCD (and hope to generalise so that others can use it).

That should basically fill out my blog for a couple of weeks due to the vast amount of information to get down on paper (or in this case on screen).

First up tomorrow (yes, procrastination doesn’t disappear even when you have some free time!) will be a brief look at how you manually setup a loadbalancer within vCD, and then hopefully I can delve into how the vCO actions can be used for each manual step and what I’ve learnt.

Oh, and as for the job hunting part….. I’m quite thankful that at the moment it seems recruitment agents are calling me up rather than me desperately calling them up! I’m positive that I will be able to find another role that will allow me to continue my VMware journey! (and if you’re a potential employer, or recruitment agent reading this – please contact me if you have any opportunities of interest!)