Deploy the NSX Manager Virtual Appliance
Deploying NSX Manager is a straight forward task like deploying any other appliance from ova file. I have already covered the steps of deployment in one of my old post so I am not repeating the steps of deployment again.
Integrate the NSX Manager with vCenter Server
Once NSX Manager is deployed, next task is to integrate it with vCenter server. To do so, login to NSX Manager UI (https://NSX-FQDN) and from home page click on Manage vCenter Registration.
Under ‘NSX Management Service’, click on edit button for vCenter Server.
Specify vCenter Server IP/FQDN and credentials via which NSX will communicate with vCenter server. User account used can be vCenter server local administrator or a service account.
Important: If you are using a service account for NSX registration with vCenter, make sure that account is added to Administrators group in vCenter in advance before doing the registration.
Once you specify the vCenter credentials and hit OK, vCenter will present its SSL thumbprint. Click on Yes to accept it.
Once NSX manager is registered with vCenter server, you will see the status as connected and the last successful inventory sync time.
Configure Single Sign On for NSX Manager
Integrating the single sign on (SSO) service with NSX improves the security of user authentication for vCenter users and enables NSX to authenticate users from other identity services such as AD, NIS, and LDAP.
To integrate NSX with SSO, edit the ‘Lookup Service URL’ option.
Enter IP/FQDN of server where PSC is running. For PSC embedded vCenter, this will be IP address of vCenter server.
Specify the SSO credentials and hit OK.
Accept the PSC SSL thumbprint by clicking on Yes.
If your configuration is correct, you will see the lookup service status as connected.
Specify a Syslog Server
To configure syslog server settings, navigate to Manage > General > Syslog Server and hit edit button.
Specify IP/FQDN of syslog server and the port/protocol via which NSX manager will reach out to syslog server for forwarding NSX Manager logs. Hit OK to save the settings.
Implement and Configure NSX Controllers
Before deploying controllers, you have to make sure that your NSX Manager is licensed. In NSX Manager UI, you will not find any option to add NSX license and this needs to be done in vCenter Web Client.
Once NSX Manager is licensed, you can deploy the NSX controllers. Instructions for doing so are laid out here
Exclude VMs from Firewall Protection
When using NSX Distributed Firewall (DFW), VMware advises to use vCenter server from the firewall protection. As per VMware
NSX Manager and service virtual machines are automatically excluded from firewall protection. In addition, you should exclude the vCenter server and partner service virtual machines to allow traffic to flow freely.
To exclude a VM from firewall protection, navigate to Networking and Security > NSX Managers > Select your NSX Manager > Manage > Exclusion tab and click the + to add a virtual machine to exclude.
Select the VM under ‘Available Objects’ and move them to ‘Selected Objects’ list by clicking on -> button.
Mine is a brand new environment and workloads have not been deployed so it is showing empty list for me.
Important: If you add a new NIC card to a VM which you have excluded from DFW protection earlier, the DFW rules are enforced on the newly added NIC. To exclude the new vNIC you need to remove the entire VM from the Exclusions list and re-add to exclusion list.
And that’s it for this post.
I hope you enjoyed reading this post. Feel free to share this on social media if it is worth sharing. Be sociable