I downloaded the VCSA 8.0 ISO from VMware.com and ran the installer.
I chose Install.
1- Introduction
Note: The external Platform Services Controller deployment has been deprecated.
Note: Installing the vCenter Server is a two-stage process. The first stage deploys a new vCenter Server to the target ESXi host or to a compute resource in the target vCenter Server. The second stage completes the setup of the deployed vCenter Server. Next
2- License agreement: click the checkbox. Next
3- Specify the vCenter Server deployment target settings. The target is the ESXi host or vCenter Server on which the appliance will be deployed.
On this page, fill in all the blank fields. Next
Accept the certificate warning and click NEXT
4- Enter the new VM name for your VCSA 7.0 Update 3 and set the root password for it. NEXT
5- Select your deployment size. I chose Medium. NEXT
6- Select a datastore. You can select Thin or Thick disk mode. NEXT
7- Configure your network settings. NEXT
10- The installer will begin deploying the new VCSA according to the settings you provided. Finish
1- The second stage process starts. NEXT
2- Set your time and NTP servers; you can also enable or disable SSH access to vCenter Server.
3- You have two options: 1- Create a new SSO domain, or 2- Join an existing SSO domain.
4- You can now join VMware Customer Experience Improvement Program. This basically allows VMware to collect certain sanitized data from your environment, which could help with future releases.
5- Install – Stage 2
6- This process took about 45 minutes for me.
9- Log in to the VCSA by FQDN or IP address and proceed.
Hi, today I would like to configure multifactor authentication for Horizon 8 through Keycloak.
What is MFA?
Multifactor authentication (MFA) is a multistep account login process that requires users to enter more information than just a password. For example, along with the password, users might be asked to enter a code sent to their email, answer a secret question, or scan a fingerprint.
Which MFA Protocols Does Horizon Support?
You can enable a Connection Server instance for RSA SecurID authentication or RADIUS authentication by modifying the Connection Server settings in Horizon Administrator.
Prerequisites
Install and configure the two-factor authentication software, such as the RSA SecurID software or the RADIUS software, on an authentication manager server.
1- For RSA SecurID authentication, export the sdconf.rec file for the Connection Server instance from RSA Authentication Manager. See the RSA Authentication Manager documentation.
2- For RADIUS authentication, follow the vendor’s configuration documentation. Make a note of the RADIUS server’s hostname or IP address, the port number on which it is listening for RADIUS authentication (usually 1812), the authentication type (PAP, CHAP, MS-CHAPv1, or MS-CHAPv2), and the shared secret. You will enter these values in Horizon Administrator. You can enter values for a primary and a secondary RADIUS authenticator.
Procedure
Log in to the Horizon Server and select View Settings > Servers.
On the Connection Servers tab, select your Connection Server and click Edit.
On the Authentication tab, from the 2-factor authentication drop-down list in the Advanced Authentication section, select RADIUS.
To force RADIUS usernames to match usernames in Active Directory, select Enforce 2-factor and Windows username matching.
If you select this option, users must use the same RADIUS username for Active Directory authentication. If you do not select this option, the names can be different.
For RADIUS authentication, complete the rest of the fields:
Select Use the same username and password for RADIUS and Windows authentication if the initial RADIUS authentication uses Windows authentication that triggers an out-of-band transmission of a token code, and this token code is used as part of a RADIUS challenge.
If you select this check box, users will not be prompted for Windows credentials after RADIUS authentication if the RADIUS authentication uses the Windows username and password. Users do not have to reenter the Windows username and password after RADIUS authentication.
From the Authenticator drop-down list, select Create New Authenticator and complete the page.
6. Click Add.
Give a name in the Authenticator name field. This name is displayed when users log in. You can customize the username and passcode labels.
7. Click Next and enter your Keycloak RADIUS information:
Hostname/Address: keycloak.khoshraftar.com
Authentication Port: 1812
Accounting Port: 0
Set the Accounting port to 0 unless you want to enable RADIUS accounting. Set this port to a non-zero number only if your RADIUS server supports collecting accounting data. If the RADIUS server does not support accounting messages, and you set this port to a nonzero number, the messages will be sent and ignored and retried a number of times, resulting in a delay in the authentication.
Accounting data can be used in order to bill users based on usage time and data. Accounting data can also be used for statistical purposes and for general network monitoring.
Authentication Type: PAP, CHAP, MS-CHAPv1, or MS-CHAPv2
Shared Secret: ***********
Must match the shared secret configured on your RADIUS server.
If you specify a realm prefix string, the string is placed at the beginning of the username when it is sent to the RADIUS server. For example, if the username entered in Horizon Client is Mohammad and the realm prefix Khoshraftar\ is specified, the username khoshraftar\Mohammad is sent to the RADIUS server. Similarly, if you use the realm suffix, or postfix, string @khoshraftar.com, the username mohammad@khoshraftar.com is sent to the RADIUS server.
Click Next
8. Click OK to save your changes.
You do not need to restart the Connection Server service. The necessary configuration files are distributed automatically, and the configuration settings take effect immediately.
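To make the RADIUS settings above concrete (shared secret, PAP authentication type, realm prefix/suffix), here is an added example that is not part of the original post and not Horizon's or Keycloak's code. It walks one PAP Access-Request/Access-Accept exchange as RFC 2865 defines it: the client side (the Connection Server's role) hides the password with MD5(secret + Request Authenticator), the server side (the RADIUS server's role) reveals it, checks a constructed user store and signs its reply with the Response Authenticator, and the client verifies that signature. The secret, user name, password and realm suffix are constructed values; `apply_realm` models the prefix/suffix rewriting described above.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes and attribute types from RFC 2865
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def apply_realm(username, prefix="", suffix=""):
    """Rewrite the user name the way a realm prefix/suffix setting does."""
    return f"{prefix}{username}{suffix}"


def _pad16(data):
    # RFC 2865 section 5.2: pad the password with NULs to a multiple of 16 octets
    return data + b"\x00" * (-len(data) % 16)


def pap_hide(password, secret, authenticator):
    """Hide a PAP password: c1 = p1 XOR MD5(S + RA), cN = pN XOR MD5(S + c(N-1))."""
    hidden, prev = bytearray(), authenticator
    padded = _pad16(password.encode())
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        hidden += block
        prev = block
    return bytes(hidden)


def pap_reveal(hidden, secret, authenticator):
    """Inverse transform on the server; a wrong shared secret yields garbage."""
    clear, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        clear += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return bytes(clear).rstrip(b"\x00")


def _attr(atype, value):
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(ident, username, password, secret, authenticator=None):
    """Client role: Access-Request carrying User-Name and a hidden User-Password."""
    authenticator = authenticator or os.urandom(16)  # 16 random octets, RFC 2865 3
    attrs = _attr(ATTR_USER_NAME, username.encode())
    attrs += _attr(ATTR_USER_PASSWORD, pap_hide(password, secret, authenticator))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def parse_attrs(data):
    """Split the attribute section into {type: value}."""
    attrs, i = {}, 0
    while i < len(data):
        atype, alen = data[i], data[i + 1]
        attrs[atype] = data[i + 2:i + alen]
        i += alen
    return attrs


def server_handle(request, secret, users):
    """Server role: reveal the password, check the (constructed) user store, reply.
    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    ident, request_auth = request[1], request[4:20]
    attrs = parse_attrs(request[20:])
    user = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    revealed = pap_reveal(attrs.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
    expected = users.get(user, "").encode()
    ok = bool(expected) and hmac.compare_digest(revealed, expected)
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    header = struct.pack("!BBH", code, ident, 20)  # reply carries no attributes
    return header + hashlib.md5(header + request_auth + secret).digest()


def verify_response(response, request, secret):
    """Client role: recompute the Response Authenticator; a secret mismatch fails here."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


if __name__ == "__main__":
    secret = b"constructed-shared-secret"          # constructed, not a real value
    users = {"mohammad@example.test": "correct horse battery"}
    req = build_access_request(7, apply_realm("mohammad", suffix="@example.test"),
                               "correct horse battery", secret)
    resp = server_handle(req, secret, users)
    print("accepted" if resp[0] == ACCESS_ACCEPT else "rejected",
          "and signature valid" if verify_response(resp, req, secret) else "and signature INVALID")
```

Two things the exchange shows that the settings page does not: the shared secret is the only thing binding the Horizon Connection Server and the Keycloak RADIUS endpoint together, so a mismatch shows up as an Access-Reject and a failed Response Authenticator check rather than as a clear error; and PAP's MD5-based hiding is reversible by anyone holding the secret, which is why the RADIUS traffic between the two servers should stay on a protected network segment.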
What is Keycloak?
Keycloak is an open-source identity and access management solution.
How to install Keycloak?
You can download Keycloak from here. But for this project, I need RADIUS, and RADIUS is not part of Keycloak by default. So you can configure RADIUS manually from this link.
But I want to write a simple configuration for Keycloak RADIUS in my blog.
I downloaded a Java-based Keycloak application from here.
I installed an Ubuntu server and installed OpenJDK 11 on it.
12. Under Manage, select Clients and click Create client.
13. Choose the radius protocol from the drop-down menu and fill in a Client ID.
Note: This name must be the same as the authenticator name in the Horizon config in the previous section.
14. Click Next
15. Click Save
16. Click on the Users section and click Add Users
Note: If you want to log in with a password, leave Required user actions blank.
Click Create, and then click the user that you created.
17. Click the Set password button and type your password. If you turn on Temporary, you must change the password at first login; I turned it off. Then click Save.
Note: If you want to use an OTP, select Configure OTP from the menu
Go to step 17, create a password for your user, and then go to this page.
Hi, today I want to create an organization and an organization VDC in vCloud Director.
An Organization is the fundamental vCloud Director grouping that contains users, the vApps that they create, and the resources the vApps use. It is a top-level container in a cloud that contains one or more Organization Virtual Data Centers (Org VDCs) and Catalog entities. It owns all the virtual resources for a cloud instance and can have many Org VDCs.
An organization can be internal to the company providing vCloud Director, or it can be a customer organization that is using your Cloud Director.
Let’s start.
Step 1, I create an organization.
1- Log in to https://vCloud_IP/provider –> Resources –> Cloud Resources –> Organizations –> Click NEW
2- Enter a name and a full name for your organization.
Step 2, I create an organization VDC.
1- Log in to https://vCloud_IP/provider –> Resources –> Cloud Resources –> Organization VDCs –> Click NEW
2- Enter a name and select Enable the Organization VDC.
3- Select the organization to which you want to add this VDC.
4- Select the provider VDC.
5- Select an allocation model for this organization VDC. I chose Pay-As-You-Go.
Allocation pool: A percentage of the resources you allocate from the provider VDC are committed to the organization VDC. You can specify the percentage for both CPU and memory.
Pay-as-you-go: Resources are committed only when users create vApps in the organization VDC.
Reservation pool: All the resources you allocate are immediately committed to the organization VDC.
Flex: You can control the resource consumption at both the VDC and the individual virtual machine levels. The flex allocation model supports the capabilities of organization VDC compute policies. The flex allocation model supports all allocation configurations that are available in the other allocation models.
6- Configure the allocation settings.
CPU Quota: The maximum amount of CPU consumption for this organization VDC.
CPU resources guaranteed: The percentage of CPU resources that you want to guarantee to a virtual machine running in this organization VDC. You can control the over-commitment of CPU resources by guaranteeing less than 100 percent. For an Allocation Pool allocation model, the percentage guarantee also determines what percentage of the CPU allocation is committed to this organization VDC.
vCPU Speed: The vCPU speed. Virtual machines running in the organization VDC are assigned this amount of GHz per vCPU.
Memory Quota: The maximum amount of memory consumption for this organization VDC.
Memory resources guaranteed: The percentage of memory resources that you want to guarantee to virtual machines running in the organization VDC. You can over-commit resources by guaranteeing less than 100 percent. For an Allocation Pool allocation model, the percentage guarantee also determines what percentage of the memory allocation is committed to this organization VDC.
Maximum number of VMs: The maximum number of virtual machines that can exist in the organization VDC.
7- Configure the storage settings for this organization VDC.
Allocation Type: Limit the amount of allocated storage capacity for a selected storage policy.
Default instantiation policy: Change the default storage policy.
Thin provisioning: Activate thin provisioning for virtual machines in the organization VDC.
Fast provisioning: Deactivate fast provisioning for virtual machines in the organization VDC.
8- Configure the network pool for this organization VDC.
You can skip this at this stage.
Note:
Organization VDCs that are backed by NSX-T Data Center only support Geneve network pools.
Hi, today I want to create a provider VDC in vCloud Director.
What is a provider VDC?
A provider VDC is an abstraction of a vSphere cluster or a resource pool.
A provider virtual data center (VDC) provides resources to a provider.
To make vSphere compute, memory, and storage resources available to vCloud Director, you create a provider VDC.
For network resources, a provider VDC can use NSX-T Data Center.
Note:
• Creating a provider VDC is a system administrator task.
• The provider VDC can be created only from the provider portal.
• Provider VDCs are linked to vCenter Server clusters or resource pools.
Prerequisite:
Create a resource pool in your vCenter server.
Let’s start.
1- Log in to https://vCloud_IP/provider –> Resources –> Provider VDCs –> NEW
2- Enter a name and description for the new provider VDC.
3- Select a vCenter Server to provide resource pools for this provider VDC.
4- Select the resource pool that you created earlier in the vCenter Server.
5- Select the storage policies this provider VDC will offer.
6- Choose a network pool option for this provider VDC.
Hi, today I want to create a network pool in vCloud Director.
What is a Network Pool?
A network pool is a collection of isolated layer-2 network segments that you can use to create vApp networks and certain types of organization VDC networks on demand.
Network pools must be created before organization VDC networks and vApp networks. If they do not exist, the only network option available to an organization is the direct connection to an external network.
Only a system administrator can create a network pool.
Supported backing types:
Port Groups Backed
VLAN ID Backed
Geneve Backed (NSX-T Overlay Transport Zone)
VXLAN Backed (NSX-V)
Note:
Each organization VDC can have one network pool.
Multiple organization VDCs can share a network pool.
With VCD 10.3, you can create a provider VDC without any network pools.
Let’s start.
1- Log in to https://vCloud_IP/provider –> Resources –> Network Pools –> NEW
2- Enter a name and description for the new network pool.
3- Select the network pool type Geneve Backed.
4- Select the NSX-T Manager that provides the Geneve transport zone this network pool will use.
5- Select the transport zone that you created earlier in the NSX-T console.
Hi, today I decided to install vCloud Director 10.4.
What is vCloud Director?
VMware vCloud Director (VMware vCD) is a platform with multi-tenant support for managing software-defined data centers (SDDC) and providing infrastructure as a service (IaaS) to customers.
Prerequisites:
1- Create an A record and a reverse (PTR) record for your vCloud Director.
2- An NFS share with full access permissions for the transfer file location.
Install steps:
1- Select the OVF, enter a name, and select a compute resource for your virtual machine.
2- Accept all license agreements.
3- Select your deployment configuration.
4- Select your datastore.
5- Select networks.
Starting with version 9.7, the VMware Cloud Director appliance is deployed with two networks, eth0, and eth1, so that you can isolate the HTTP traffic from the database traffic. Different services listen to one or both of the corresponding network interfaces.
HTTP traffic and console traffic use eth0. The internal database traffic uses eth1. Note: The eth0 and eth1 networks must be placed on separate subnets.
A tier-0 gateway has downlink connections to tier-1 gateways and external connections to physical networks.
You can configure the HA (high availability) mode of a tier-0 gateway to be active-active or active-standby. The following services are only supported in active-standby mode:
NAT
Load balancing
Stateful firewall
VPN
Tier-0 and tier-1 gateways support the following addressing configurations for all interfaces (external interfaces, service interfaces, and downlinks) in both single-tier and multi-tiered topologies.
Note:
You can configure the tier-0 gateway to support EVPN (Ethernet VPN).
1- Go to the Networking –> Connectivity –> Tier-0 Gateways –> Add Gateway –> Click Add Tier-0 Gateway.
2- Enter a name for the gateway.
3- Select an HA (high availability) mode.
The default mode is active-active. In the active-active mode, traffic is load balanced across all members. In active-standby mode, all traffic is processed by an elected active member. If the active member fails, a new member is elected to be active.
4- If the HA mode is active-standby, select a failover mode.
Preemptive: If the preferred node fails and recovers, it will preempt its peer and become the active node. The peer will change its state to standby.
Non-preemptive: If the preferred node fails and recovers, it will check if its peer is the active node. If so, the preferred node will not preempt its peer and will be the standby node.
5- (Optional) Select an NSX Edge cluster.
6- (Optional) Click Additional Settings.
In the Internal Transit Subnet field, enter a subnet. This is the subnet used for communication between components within this gateway. The default is 169.254.0.0/24.
In the T0-T1 Transit Subnets field, enter one or more subnets. These subnets are used for communication between this gateway and all tier-1 gateways that are linked to it. After you create this gateway and link a tier-1 gateway to it, you will see the actual IP address assigned to the link on the tier-0 gateway side and on the tier-1 gateway side. The address is displayed in Additional Settings > Router Links on the tier-0 gateway page and the tier-1 gateway page. The default is 100.64.0.0/16.
In the Forwarding Up Timer field, enter a time. The forwarding up timer defines the time in seconds that the router must wait before sending the up notification after the first BGP session is established. This timer (previously known as forwarding delay) minimizes downtime in case of fail-overs for active-active or active-standby configurations of logical routers on NSX Edge that use dynamic routing (BGP). It should be set to the number of seconds an external router (TOR) takes to advertise all the routes to this router after the first BGP/BFD session. The timer value should be directly proportional to the number of northbound dynamic routes that the router must learn. This timer should be set to 0 on single-edge node setups.
7- Click Route Distinguisher for VRF Gateways to configure a route distinguisher admin address. This is only needed for EVPN in Inline mode.
8- (Optional) Click EVPN Settings to configure EVPN.
Select an EVPN mode. The options are:
Inline – In this mode, EVPN handles both data plane and control plane traffic.
Route Server – Available only if this gateway’s HA mode is active-active. In this mode, EVPN handles control plane traffic only.
No EVPN
If EVPN mode is Inline, select an EVPN/VXLAN VNI pool or create a new pool by clicking the menu icon (3 dots).
If EVPN mode is Route Server, select an EVPN Tenant or create a new EVPN tenant by clicking the menu icon (3 dots).
In the EVPN Tunnel Endpoint field, click Set to add EVPN local tunnel endpoints. For the tunnel endpoint, select an Edge node and specify an IP address. Optionally, you can specify the MTU.
9- To configure route redistribution, click Route Redistribution and Set.
Select one or more of the sources:
Tier-0 subnets: Static Routes, NAT IP, IPsec Local IP, DNS Forwarder IP, EVPN TEP IP, Connected Interfaces & Segments. Under Connected Interfaces & Segments, you can select one or more of the following: Service Interface Subnet, External Interface Subnet, Loopback Interface Subnet, or Connected Segment.
Advertised tier-1 subnets: DNS Forwarder IP, Static Routes, LB VIP, NAT IP, LB SNAT IP, IPSec Local Endpoint, Connected Interfaces & Segments. Under Connected Interfaces & Segments, you can select Service Interface Subnet and/or Connected Segment.
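Two of the rules in these posts are easy to get wrong when typing addresses into a wizard: the vCloud Director appliance's eth0 and eth1 must be on separate subnets (install step 5 above), and a tier-0 gateway's Additional Settings must give the internal transit subnet and the T0-T1 transit subnets room that does not collide, with the Forwarding Up Timer at 0 on a single-edge setup (step 6 above). The checker below is an added example, not code from the original posts, VMware, or NSX; it uses the page's defaults (169.254.0.0/24 and 100.64.0.0/16) and adds one sanity check of my own, that no transit subnet overlaps an external or service interface subnet. All sample addresses in the usage are constructed.

```python
import ipaddress
import itertools


def eth_on_separate_subnets(eth0_cidr, eth1_cidr):
    """vCD appliance rule: eth0 (HTTP/console) and eth1 (database traffic)
    must not share a subnet. Inputs are interface addresses with prefix length."""
    n0 = ipaddress.ip_network(eth0_cidr, strict=False)
    n1 = ipaddress.ip_network(eth1_cidr, strict=False)
    return not n0.overlaps(n1)


def check_tier0_settings(internal_transit="169.254.0.0/24",
                         t0_t1_transits=("100.64.0.0/16",),
                         interface_subnets=(),
                         edge_node_count=1,
                         forwarding_up_timer=0):
    """Return a list of findings for a tier-0 gateway's Additional Settings.
    An empty list means the values are consistent with the rules described above."""
    findings = []
    try:
        # transit fields are subnets, so host bits set is itself an error (strict=True)
        internal = ipaddress.ip_network(internal_transit)
        transits = [ipaddress.ip_network(t) for t in t0_t1_transits]
        # interface subnets are given as interface addresses, so allow host bits
        ifaces = [ipaddress.ip_network(i, strict=False) for i in interface_subnets]
    except ValueError as exc:
        return [f"unparseable subnet: {exc}"]

    # The internal transit subnet (links inside the gateway) and the T0-T1 transit
    # subnets (links to tier-1 gateways) must not overlap each other.
    for t in transits:
        if internal.overlaps(t):
            findings.append(f"internal transit {internal} overlaps T0-T1 transit {t}")
    for a, b in itertools.combinations(transits, 2):
        if a.overlaps(b):
            findings.append(f"T0-T1 transit subnets {a} and {b} overlap")

    # Assumption added here, not from the page: a transit subnet that collides with
    # an external/service interface subnet would be reachable on two links at once.
    for iface in ifaces:
        for t in [internal, *transits]:
            if iface.overlaps(t):
                findings.append(f"interface subnet {iface} overlaps transit {t}")

    # Forwarding Up Timer must be 0 on a single-edge setup.
    if edge_node_count == 1 and forwarding_up_timer != 0:
        findings.append(f"forwarding up timer is {forwarding_up_timer}s but only one "
                        "edge node is configured; set it to 0")
    return findings


if __name__ == "__main__":
    # constructed sample values
    print("vCD eth0/eth1 ok:", eth_on_separate_subnets("192.0.2.10/24", "198.51.100.10/24"))
    for finding in check_tier0_settings(internal_transit="100.64.0.0/24",
                                        forwarding_up_timer=30):
        print("finding:", finding)
```

Run it before committing the gateway in the UI: the defaults pass cleanly, while the constructed bad case in the usage (an internal transit subnet carved out of 100.64.0.0/16 plus a 30-second timer on a single edge) produces two findings.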