How to Update vCenter 7.0 Virtual Appliance

The process of patching vCenter appliance has been become a lot easier in recent years. Keeping vCenter fully up to date is important for stability and security.

In this post we will go through the process of patching for vCenter 7.0 to the latest version using the GUI connecting to the internet. You can also update using command line or by downloading and mounting the ISO image.

First we need to logon to the admin management console.

https://vcenter.domain.local:5480

Use the root logon that was configure when setting up the appliance.

First steps is to confirm there is a valid backup of the appliance.

Click backup now.

There is an issue with vCenter 6.7U2 and above where it fails on SMB with SMB location is invalid if SMBv1 is disabled. So if you get that error you can just enabled SMBv1 temporarily or enabled OpenSSH on Windows to allow SSH connection which is what I would do in production.

Once completed the backup should kick off.

I also usually take a snapshot as that is the quickest recover option.

Once we have a back up, we can now continue with the updating the appliance. The current version of the appliance is 7.0.0.10100.

Go to Update and click check updates

Once the check is completed select the latest patch. Select either stage only or stage and install if you want the update to be installed straight away. The version we will be updating to is 7.0.1.00200.

Accept the end user agreement.

This will run a pre-check on vCenter before the upgrade will continue. Once no issue are found put in the administrator’s password.

Tick the box to confirm that a backup has been completed.

The install will now start and can take a hour or so to complete.

During the upgrade there will be outages to vCenter while services restart.

a

vCenter should now be update to the latest version.

VMware vRealize Log Insight Adding Windows Servers

In the last post we went through querying logs using the different filter options and how to create a dashboard using the queries in vRealize Log Insight (vRLI).

Part 1: VMware vRealize Log Insight Install and Configure – TheSleepyAdmins

Part 2: VMware vRealize Log Insight AD Authentication and Role Based Access – TheSleepyAdmins

Part 3: VMware vRealize Log Insight Query Logs and Creating Dashboards – TheSleepyAdmins

In this post we will go through adding a Windows server agent and adding the content pack

To add a server we need to download the agent by logging on to vRLI > Administration > Agents and click on download log insight agent.

Select the required agent to be downloaded.

Once downloaded copy the installer to the server and run.

Enter in the FQDN or IP address for the vRLI server is not already there and click install.

To install the agent using command line the below can be used just need to update the path and msi file name.

Path to msi\VMware-Log-Insight-Agent-8.2.0-16776561_*.msi /quiet

You can also add some command line switches to change the default install

Path to msi\VMware-Log-Insight-Agent-8.2.0-16776561_*.msi SERVERHOST=LAB-vRLI.thesleepyadmin.local LIAGENT_AUTOUPDATE=yes /quiet /lxv* vRLI_Agent_install.log

Command-line Options for vRealize Log Insight Agent Installation on Linux (vmware.com)

Once installed, the agent should now show under the agent tab in vRLI.

Next we need to add the Windows content pack to vRLI, Go to Content Packs and search for Microsoft Windows

Click on the content pack and install

Now that the content pack is added, we can copy the Microsoft – Windows to a new group so that its assigned to Windows agents.

Select copy template

Give the Agent group a name and description

Once copied you can change the settings if required or turn off some events if there not required, in this we will be leaving them as default.

Add a filter so that the Windows servers are added to the agent group. This can be done by Hostname, IP, OS or version.

Click save new group to finish.

It can take a little while for the agent configuration to update and for events to start being sent.

Once they do start to send events you should see the counters update.

We can now go to Interactive Analytics and query the events logs.

If there are different application specific events logs that need to be added they can be added to the existing group or a different agent group can be created.

To add addtional event logs to the existing agent group, go back to the agent group.

Go to build and on Windows Event Log click new.

Give the Windows Event Log a name

Copy the event log name from Windows event viewer and put this under Windows Event Log Channel in vRLI.

Click save agent group.

Now once a task is run the events should now show in vRLI.

This concluded the series on vRealize Log Insight, going through this shows that log insight is a good tool for centrally managing and monitoring system logs and events and can be used for VMware, Windows and Linux servers. Hope that this series of post have been helpful.

VMware vRealize Log Insight Query Logs and Creating Dashboards

In the previous post we went through setting up AD Authentication and role based access in vRealize Log Insight (vRLI).

Part 1: VMware vRealize Log Insight Install and Configure – TheSleepyAdmins

Part 2: VMware vRealize Log Insight AD Authentication and Role Based Access – TheSleepyAdmins

In this post we will be going through querying logs and creating a Dashboard.

vRealize Log Insight collects, imports, and analyzes logs to help with troubleshooting problems with systems, services, and applications.

You can search and filter log events on the Interactive Analytics tab, Logs can be queried using different filters like text, timestamp, source, fields and Regular Expressions

TypeDescription
TimestampThe time when the event occurred
SourceWhere the event originated. This could be the originator of the syslog messages such as an ESXi host or a forwarder such as a syslog aggregation.
TextThe raw text of the event.
FieldsA name-value pair extracted from the event. Fields are delivered to the server as static fields only when an agent uses the CFAPI protocol.

Below is the user guide for vRLI

Using vRealize Log Insight – vRealize Log Insight 8.2 (vmware.com)

First we will be going through querying logs.

Open vRLI > Interactive Analytics, This will show all logs to query use the Add filter button

In the below we are going to query any hosts that have disconnected over the last 48 hours. Below are the two filters I used for the host disconnections.

vmw_vc_alarm_status contains Red

vmw_vc_alarm_type contains host connection and power state

We create a table view for events. Below is for snapshots taken in the last 48 hours , we can then add additional information by clicking on time series button and adding group by fields.

vmc_vc_task_type contains create virtual machine snapshot and virtualmachine.createsnapshot

I wanted to add the users that created the snapshot, source and VM name.

This image has an empty alt attribute; its file name is image-188.png

There are a lot of different event types that can be queried and it will all depend on what event’s you are looking for.

Next we will create a dashboard with a few different queries. To create a new dashboard go to Dashboards > New Dashboard

Give the Dashboard a name and select if it should be shared with all users.

Create a filter and click Add to Dashboard

Give the filter a name

If there are any existing filters that are currently in any other dashboard they can be cloned to your custom dashboard by clicking on the the gear icon and selecting clone, then select your custom dashboard.

Once all the required queries are added to the dashboard we can go to My Dashboards to view.

In the next post we will go through adding a Windows agent and adding the content pack for Windows.

VMware vRealize Log Insight AD Authentication and Role Based Access

In the previous post we went through installing and the initial configuration for vRealize log Insight (vRLI).

Part 1: VMware vRealize Log Insight Install and Configure – TheSleepyAdmins

In this post we will go through the steps required to enabled Active Directory (AD) Authentication integration and setting up role based access groups.

This will allow for central management by using AD for users to access using there domain accounts and access permission to be based of AD group membership.

First step is to configure the AD authentication integration.

Logon to the log insight management console > Administration

Once under Administration go to integration > Authentication Configuration > Active Directory

Add in the AD details, I would generally create a AD service account for each LDAP service as it allows me to manage what account are being used for what service (The account should only need domain users rights and be set to deny interactive log for security).

I would also use Require SSL to encrypt the LDAP connection if your DC has a SSL cert that can be used, if not use standard port 389.

Next we need to go to Administration > Management > Access Control

To view Roles click on the role tab

The below are the default User roles, The default roles are fine for me so I wont be create any custom roles just assign the current roles using AD groups.

Below is each role and the description

OptionDescription
UserUsers can access the full functionality of vRealize Log Insight. You can view log events, run queries to search and filter logs, import content packs into their own user space, add alert queries, and manage your own user accounts to change a password or email address. Users do not have access to the administration options, cannot share content with other users, cannot modify the accounts of other users, and cannot install a content pack from the Marketplace. However, you can import a content pack into your own user space which is visible only to you.
Dashboard UserDashboard users can only use the Dashboards page of vRealize Log Insight.
View Only AdminView Admin users can view Admin information, have full User access, and can edit Shared content.
Super AdminSuper Admin users can access the full functionality of vRealize Log Insight, can administer vRealize Log Insight, and can manage the accounts of all other users.

Next we need to create groups in AD that will be used to allow access. I have create an Admin, Dashboard and Read only groups.

Last step is to add the group to vRLI, Go back to Administration > Management > Access Control and click on New Group.

Add in the group name and select the role to be assigned.

Once all groups are added we can test by adding a user to the group and confirming there access.

This image has an empty alt attribute; its file name is image-177.png

Open a new browser session and open the vRLI web management address and select Active Directory as the identify source.

The user account should be able to logon but only have a limited view compared to a full Admin.

Dashboards:

Administration:

In the next post we will go through querying logs and creating a dashboards.

VMware vRealize Log Insight Install and Configure

In the next few post we will be going through deploying and configuring vRealize Log Insight (vRLI).

Log Insight is a tool from VMware than can be used for log analytics, log management for both infrastructure / application and help with troubleshooting.

I have been looking at deploying this in production so though I would setup in my lab and see how it works and if it would be usefully to deploy in our production environment.

Below is the link to the minimum requirements for vRLI

Minimum Requirements (vmware.com)

Hardware Requirements

Below is the the required hardware depending the size selected

Preset SizeLog Ingest RateVirtual CPUsMemoryIOPSSyslog Connections (Active TCP Connections)Events per Second
Extra Small6 GB/day24 GB7520400
Small30 GB/day48 GB5001002000
Medium75 GB/day816 GB10002505000
Large225 GB/day1632 GB150075015,000

Network Port Requirements

The following network ports must be externally accessible

PortProtocol
22/TCPSSH
80/TCPHTTP
443/TCPHTTPS
514/UDP, 514/TCPSyslog
1514/TCPSyslog ingestion via SSL only
9000/TCPvRealize Log Insight Ingestion API
9543/TCPvRealize Log Insight Ingestion API (SSL)

Once all the requirement are checked we can start to deploy the appliance.

First step is to download the appliance OVA below is the link to the current

vRealize Log Insight | Log Analysis Tool | VMware

Create a new VM from VMware web client and upload the OVA file.

Select a datastore

This image has an empty alt attribute; its file name is image-1.png

Accept the license agreement

Select a network, deployment type and disk provisioning

Add in the hostname, IP address, gateway, DNS server and root password.

Review the setting to confirm all the settings are correct

The appliance will start to deploy

Once the install has finished it should show the DCUI, with the IP / hostname that was assigned during the deployment

Next we have to configure Log insight. Open a browser and either put in the DNS name if created or IP that was assigned to the appliance.

Click start new deployment

Set Admin credentials and email address.

Next screen will ask to put in a license, I will be using a trial license so this will only last for 60 days

Set the NTP settings.

Configure SMTP settings as required. To test if all settings are correct use the send test mail

Click finish to complete the install.

Next we will configure the vSphere integration.

Add in the vCenter details, click test connection to confirm the details are correct

Save vCenter configuration details.

vCenter server will now show and the collection status should show as collecting

In the next post we will go through configure AD integration and using the log insight dashboards.

Upgrading from vCenter Server Appliance 6.7 to 7.0

In this post we will be going through upgrading from VCSA 6.7 to 7.0. Keeping your appliance at the latest version will give access to new features, feature improvements and security fixes.

When upgrading a VCSA there will be a new appliance VM created. The database and configuration from the existing appliance will be copied during the upgrade process.

Currently in my LAB vCenter Appliance is running 6.7 Update 3l.

Before upgrading to any newer version of VMware it important to check that all products that connect to vCenter (Backup, Reporting or Monitoring tools) all support the latest release.

To check for VMware products you can use the VMware interoperability matrix link below.

VMware Product Interoperability Matrices

This can also be used to view the upgrade path as if you are running 6.0 version of vCenter there is not a direct upgrade to 7.0 and will require a two step upgrade.

There is also a sequence on which products should be upgrade. See below link.

Update sequence for vSphere 7.0 and its compatible VMware products (78221)

For third party (non-VMware) products you will need to check the product support page to verify if the versions are supports with vCenter 7.0

Once everything is confirmed as supported we can go ahead with the upgrade.

First download the 7.0 ISO file from VMware.

Download VMware vSphere – My VMware

Before attempting an upgrade make sure that there is a backup of the appliance that can be used to restore incase of any issue during the upgrade. The source appliance shouldn’t be changed but I would recommend a backup just to be extra safe.

Once download mount the ISO to Windows and go to the \vcsa-ui-installer\win32\ and double click on installer.exe

Select Upgrade

Follow the upgrade wizard

Accept the end user license agreement

Next step needs the vCenter details and the ESXi host or vCenter logons details where the appliance is running. (The hostname of the vCenter was case sensitive and I was getting the below error when using all lower case.)

If a certificate warning appears accept to continue

Give the appliance a name (if you want to re use the existing name the change the current appliances name to something different or there will be an error show when clicking next to continue with the upgrade.)

Select the deployment size

select the datastore

Assign a temporary IP address that will be used while copying data

Review the settings and if all looks to be correct click finish to start the upgrade.

The appliance should now start to deploy

After the deployment of the appliance completes, the next step is to run the configuration stage. This will copy the configuration and data from the existing appliance. Once completed the old appliance will be shutdown.

Click continue to start stage 2 of the upgrade

Click next

There will be a pre-req check done before the upgrade can continue. If there are any errors the upgrade wont be able to procced.

Select the data that will be copied

select if you want to join the customer experience improvement program

Review the settings and tick I have backed up the source vCenter server

Click finish and there will be a warning that the source vCenter will be shutdown

The copy and importing of data can take more than an hour to complete.

Once the upgrade has completed the old appliance should be shutdown and the new appliance running vCenter 7.0 should have all data and configuration copied.

When we logon to the vCenter appliance it will now running 7.0.0

Last step is to verify that all management tools work as excepted after the upgrade.

Configure UnityVSA on VMware 6.7

In the previous post we went thorough configuring and setting up the UnityVSA.

Deploying EMC UnityVSA on VMware ESXi 6.7 – TheSleepyAdmins

In this post we will configure the iSCSI initiators, connecting vCenter to the UnityVSA and configure iSCSI LUN that will be used as shared storage between a LAB virtual ESXi hosts.

First step was to create the iSCSI VMKernal adapter on the ESXi host to allow connection to the Unity.

Logon to vCenter, go to the required host > configure > VMKernel adapters and click Add Networking

Select VMKernel Network Adapter

This image has an empty alt attribute; its file name is image-89.png

Follow the wizard to create the new VMKernal adapter ( I am using the same IP range as my host as this is just a LAB setup but in production this should be a separate physical network)

Next we need to configure the storage adapter, go back to configure > Storage Adapters and click Add Software Adapter

Next we need to configure the adapter settings to point to the SAN in this case the UnityVSA IP.

Once added the adapter will recommend a rescan, we haven’t configure any LUN’s yet so I will do the rescan after that.

Next we need to configure the VMware access and LUN’s on the Unity.

Logon to the web management console > go to VMware > vCenters and click the + button to add the vCenter server

Add in vCenter details, click find and select the required hosts

I wont be creating a VASA provider so I left that un-ticked and completed the wizard

The hosts and vCenter should now show in the Unity console

This image has an empty alt attribute; its file name is image-107.png

Once the host and initiators are added the last step is to configure the LUN’s. This can either be done using block or can be done using VMware storage integration.

If using the VMware integration it will automatically add the datastore to VMware using VMware API’s.

Creating a block LUN is basically the same steps only it doesn’t automate the creation of the Datastore in VMware so in this post we will be using the VMware integration for provisioning LUN’s.

Go to Storage > VMware > Datastores and Click the + button to add

Select block and the VMFS version

Give the datastore a name (This will also be the name that is assigned to the Datastore in VMware)

Select the pool to be used and size of the LUN

Add the hosts that will be configured to access the LUN

I wont be taking snapshots or replication the LUN so I left them un-ticked and complete the wizard

The LUN should now start to be created

There will also be task in VMware showing the Unity starting the rescan of the host HBA’s

If we now check the datastores in VMware the new datastore should show.

VMware and the UnityVSA are now configured and additional LUN can be added to allow for vMotion testing and to setup a cluster as if it where using shared storage.

Deploying EMC UnityVSA on VMware ESXi 6.7

I have been using virtual SAN appliance in my labs for a few years as it is the easiest way to configure shared storage for my LAB cluster and as I don’t have a NAS or another external storage device available.

EMC have a version based on there Unity array and this is the same version we us in production so I wanted to configure this as my virtual SAN.

In the next few posts we will go through configuring a UnityVSA and setting up so that it can present iSCSI LUN’s to VMware.

To download the OVA use the below link, the current version 5.0.3

Data Storage Management Software Downloads | Dell Technologies US

Create a new VM and select deploy using an ova

Select the required datastore

Select the appropriate network

Assign a static IP

This image has an empty alt attribute; its file name is image-66.png

Complete the VM deployment wizard.

The VM will now start to deploy.

Once the appliance was deployed there was no network connectivity and I had to run the intial configuration command.

To connect I used the VMware console. The default logon for the admin account is Password123# but this didn’t work for the console logon.

I had to use service for both the usersname and password.

To configure the IP run the below command.

svc_initial_config -4 “IPAddress Subnet defualtGateway”

I was then able to connect to the Unity Management console. To logon use the default admin/Password123#

Next follow the initial configuration wizard

set the DNS and NTP

Once at the licenses page, we will need the system UUID to be able to register from a trial licenses. The get license didnt work for me so i use

https://www.dellemc.com/en-us/auth/elmeval.htm

Next we configure the storage pools, I added some additional drivers to the VSA to be used as storage pools

Follow the wizard to create the storage pool

This image has an empty alt attribute; its file name is image-98.png

I wont be configure alerts or proxy servers so I leave them as default values.

Next we configure the iSCSI interfaces, these will be used to connect to the ESXi host later

I wont be configuring a NAS server either so will leave that as default also

Finish the configuration

The UnityVSA should now be configured and show simlar to the below.

In the next post we will go through configuring the LUN’s and connecting to vCenter.

Set Custom SSL Certificate on VMware vCenter 6.7 Appliance using Windows CA

In this post we will go through generating and applying a custom SSL cert for VMware vCenter 6.7 Appliance.

When VCSA is installed it generates a self singed cert which cause users to get a cert error when connecting. I used the below VMware doc when setting up the cert.

Replace Machine SSL Certificate with Custom Certificate (vmware.com)

I have already configure a Windows CA so this or another CA will be a requirement before creating the cert.

Before attempting this in production make a backup or take a snapshot to allow quick recovery in case of any issues.

To generate the cert signing request (CSR) , we will use the certificate-manager CLI

To connect I enable SSH on the appliance.

Then used putty client to connect.

First I created a folder that will be used to export the CSR and private key.

Once created we can then run certificate manager using the below.

/usr/lib/vmware-vmca/bin/certificate-manager

We want to replace the Machine certificate with custom cert so select option 1.

Enter the users name and password and select option 1 to generate CSR.

put in the require information below are the fields and values

FieldValue
Countryuse your own country 
NamevCenter FQDN 
OrganizationUse your own company name
OrgUnituse your own 
Stateown state
IPAddressvCenter IP Address 
HostnamevCenter FQDN 
VMCA NamevCenter FQDN 

Once the CSR has been created,

use a client like WinSCP to connect to vCenter and go to the specified folder above in my case this was the cert folder and copy the CSR file.

Now go to your CA to submit the CSR, I will be using the web enrolment.

Click on request a certificate

Click on submit an advanced certificate request.

Click submit a certificate request.

Open the CSR file using notepad and copy the txt

Paste the txt in to the saved request box and select the template I created a custom template for web servers.

Once submitted you should get the option to download the cert selected base 64 encoded as this is required by vCenter.

Once downloaded, upload the cert back to vCenter using WinSCP

Launch certificate manager again and select option 1 but then option 2 to import the custom cert.

/usr/lib/vmware-vmca/bin/certificate-manager

Enter in the details cert file that will be used for vCenter, the private key that was issued with the CSR request and the CA cert file.

You should now the service being updated.

Once completed vCenter should now be using the custom SSL cert.

Azure Application Proxy SSO Integrated Windows Authentication

Today I was setting up Integrated Windows Authentication single sign on for an Azure Application proxy that connects to an internal Apache web application.

We had already configured the application for SSO internally.

Below is the link to the Kerberos SSO for Azure App Proxy

Kerberos-based single sign-on (SSO) in Azure Active Directory with Application Proxy | Microsoft Docs

Prerequisites

Before you get started with single sign-on for IWA applications, make sure your environment is ready with the following settings and configurations:

  • Your apps, like SharePoint Web apps, are set to use Integrated Windows Authentication. For more information, see Enable Support for Kerberos Authentication.
  • All your apps have Service Principal Names.
  • The server running the Connector and the server running the app are domain joined and part of the same domain or trusting domains.
  • The server running the Connector has access to read the TokenGroupsGlobalAndUniversal attribute for users.

First step was to confirm that there was an SPN configured for the Application. Since this is a web application we will use http for the serviceclass.

setspn -Q http/webapp.domain.local

If the SPN isn’t configured use setspn to register.

setspn -A http/webapp.domain.local computername

The next step is to configure the delegation on the Azure application proxy connector server.

Go to the server object in AD, open the properties and go to delegation.

Click add and select the computer or user account that has the SPN that will be used and select the service.

The last step that I had to do was add the server to Windows Authorization Access Group so that the connector could have read access to TokenGroupsGlobalAndUniversal users attribute in AD.

When I didn’t have the server in this group I was getting SPN issues.

Next we need to configure SSO in Azure Enterprise app. Logon to Azure

Azure Active Directory > Enterprise applications > App

Select Single sign-on and Windows Integrated Authentication

Put in the internal SPN that was configured earlier and set the delegated login, Our app uses samaccount name so I used On-premises SAM account name.

Once the above is completed close all open session to Office 365 / Azure AD and re-signed in to the external URL for the application proxy and the application should now signed in using SSO without have put in credentials a second time.