Monday, May 8, 2017

NSX Firewall Rules using Application Rule Manager (ARM)

Hi All,

Recently I was engaged in a project for NSX Brownfield deployment and the requirement was to migrate the citrix environment to VMware Horizon View desktops.

So the challenge we had was to find out what is in use by the Citrix VMs in the existing environment from the service/port perspective so it will be easier to find out the communication path between twoVMs (for test for now) but it can be scaled all the way to the cluster level if needs to.

So there are few ways this can be achieved and I will cover the same in the series of 3 parts.

1) Using ARM (Application Rule Manager) which will be covered in this post
2) Using vRNI (vRealize Network Insight) which will be the next post
3) Using LI (vRealize Log Insight) which will be the last post of this series

So lets get started.

We are running the latest NSX Manager version 6.3.1.

Now I assume that the readers are familiar with NSX Manager and other components of VMware vSphere as I will be using the terminologies quite frequently and also the acronyms of the same.

So once you go to Networking and Security and you need to click on Flow Monitoring to see the option of application Rule Manager

Im showing here the screen shot of the same.

Then you need to generate the flows by doing certain activities to invoke the traffic to use particular ports / services.

So now lets dig deeper in to ARM.

lets say I want to know the flows between two VMs so I will start with New Session and then give a name to the session.

Next option is to select the source and here you have only two options to choose from as a Object Type

1) Virtual Machine

2) vNIC

So I will go with VM and provide a name of the VM.

Thats the only thing you need to provide and once you click OK then it will start gathering the flows from the VM.

Now click Stop to finish collecting the flows and once you highlight any flows under the View Flows option then you will see two options under Actions.

So either you can hide records or you can create a Firewall Rule based on the flow captured.

After I selected Create Firewall Rule, then I will go to the tab "Firewall Rules" and check what rule is created.

So before you publish the rule you can modify the Rule with necessary details e,g Source, Destination, Service, Applied To, Action and Log.

You can create multiple sessions and just select the drop down to see/view specific Flow details about a particular session.

Name the session properly so you can see what you have captured. In the above screen shot as you can see I've given the name tst-h-ic-blk which I provided to find out the icmp block for horizon and the rule is test rule.

You can keep the name with the function of the VM/server you are going to create the firewall rule for, so it will be easier to understand take actions on the particular rule set.

Once you create the rule then you need to go the Firewall Rule tab and publish it and it will be immediately come in to the effect. Which you can verify under Firewall section on the left.

So as you can see, it will be added as a new Section to give the name to the rule properly so it will be meaningful.

If there are more than one service you can see in the flow then click on the small gear icon on the right besides the services and you can see all the services captured.

Now from the product use perspective this will be a trouble when you have to find out the traffic patterns on a large environment (having no other options of at the cluster level or host level options) so you have only one choice of finding out per VM basis and then go thro each flow collected and create the rule/s.

May be I can suggest a feature request to VMware about incorporating other options when dealing with multiple items and have a single option to create Firewall rule / rules based on the collected flows. This can be based on the at the Data Center/ Cluster Level which can be considered in aggregation of all the flows captured.

It will help the Admin of the environment to allow the default communication ports which got captured after running the flow capturing for enough duration which will allow to capture all possible traffic coming from X and going to Y or Z.

Hoping that in next version this improvement will get incorporated to ease the process of utilizing only ARM to recommend the rules and go with the same.

Hope this helps.

In Next post I will cover vRNI to find out how you can utilize the same to create Firewall Rule/s.

Please share and care.

Thanks for your time.

Monday, April 3, 2017

vMotion of NSX EDGE gotcha vMotion of NSX EDGE gotcha: Hi, Recently I was working on a brown field deployment of NSX and ran into an issue where we were not able to connect to the DHCP server ...

vMotion of NSX EDGE gotcha


Recently I was working on a brown field deployment of NSX and ran into an issue where we were not able to connect to the DHCP server from a Logical Switch (which means the VMs are not getting IP addresses from DHCP server) which was a key.

If we put the VM on a regular VDS dvportgroup it gets the DHCP IP correctly.

So we started looking in to the issue further and engage VMware GSS to look in to the issue.

During the troubleshooting we had to decide the location of Edge and try moving it to a different host to verify if its not hitting any uplink issue.

As we were using vCenter Web Client and as soon as we tried migrating (vMotion) it to another host and we were prompted with the NIC mapping page. Where we need to map each interface exists on the NSX Edge to a corresponding portgroup or dvportgroup. Now we have only limited number of portgroups/dvportgroups existed on the Cluster and we could not map all the internal interfaces (which gets created by default on the Edge appliance).

The source were listed as "None" so not sure where to map them.

So we ended up using the vSphere client to migrate the Edge appliance, and got migrated with no notification about mapping all the interfaces. Just select the destination ESXi host and hit "Finish", and we are done.

We were then moved into the next phase of troubleshooting but the above just put me in a dilemma that the behaviour of Web Client is a bug or is it by design.

Interested in getting the answer from VMware so that I can clarify that with the existing and future customers on why to use vSphere client and what is the alternate methods to use when the Fat/Thick client will completely got removed by VMware??

Please leave the comment and share this.

Thanks for your time.

Tuesday, January 3, 2017

vRA and SCCM Timeout Issue vRA and SCCM Timeout Issue: Hi, OK here I am again. Been away for few months working on various projects including vRA, vROPS, SRM, VIN, vRB etc.etc. And one of the...

vRA and SCCM Timeout Issue


OK here I am again. Been away for few months working on various projects including vRA, vROPS, SRM, VIN, vRB etc.etc. And one of them is MSB. Yes its a new term I've learned and worked on with one of the Federal client along with VMware NSBU. 

But here today I'm going to discuss about the timeout issue with vRA and SCCM deployment.

Now before we begin let me give you the overview of what we are dealing with.

In my recent project Im working with VMware on a vRA Distributed architecture with a little bit of vRB and also integrating the SCCM on which the client is heaving depending on for VM/s deployment. 

Mainly these are windows 2008 R2 Std and Windows 2012 R2 Std VMs. They are leveraging SCCM to do all major tasks such as putting patches, updates, updating AV signatures, putting legacy apps, some monitoring apps such as WhatsupGold and Logrhythm etc. etc.

So once the VM is built in vRA its been handed over to SCCM for further provisioning and there is a default time out setting in vRA which is only 15 minutes.

So as you can see the default setting for SCCM machine registration timeout is 5 minutes. So now
lets assume you are doing few tasks using SCCM e.g. Installing OS, putting patches, doing AV updates, putting legacy or custom applications or softwares etc. etc. then you need time to finish all those tasks in the background on SCCM side. With having 5 minutes timeout vRA wont know what is the status of the SCCM VM as the whole process may not be finished and the gugent might not be updating vRA with any status at all so you may see the process/task in vRA as its still running and not completed and eventually the task will fail as no signal received by vRA in time (which is 5 minutes). So to avoid that you need to increase that time out setting by enough time that you can finish the required tasks on SCCM side before hitting the timeout window of vRA. We had to keep it at 45 minutes (screen shot below) on a safer side which accounts few reboots of the OS along with other tasks listed above.

After doing the above change we were started receiving finished tasks in vRA successfully which were handled by SCCM then gugent updates vRA server with appropriate status.

I will cover the SCCM and vRA in one of my upcoming blogs very soon.

Hope this will help integrating SCCM and vRA.

Please share and care.

Thanks for your time.