Adding a static route to a vCenter Server with multiple Network Interface Cards (NICs)

For a Disaster Recovery (DR) site, I designed a separate, isolated VMware Horizon environment. The vCenter Server has an external (eth0) and an internal (eth1) IP address. The external connection is used for management and for restoring production VMs to the DR environment. The internal connection is used by the Horizon infrastructure components that need access to the vCenter Server, such as the VMware Horizon Connection Servers and VMware App Volumes. Simplified, this looks as follows:

There must be a static route to the Horizon subnet because the Horizon Connection Servers and VMware App Volumes integrate with the vCenter Server.

The steps to create such an environment are outlined below:

  • The first step after deploying a new vCenter Server is to add an extra NIC (VMXNET3). The procedure is explained in VMware KB2147155.
  • Add the NIC to the correct internal PortGroup
  • Open the VAMI interface (https://<IP_Address>:5480) of the vCenter Server and add the IP configuration of eth1 (NIC1).

  • Enable SSH in the VAMI interface (Access – Edit – Enable SSH login)
  • Open an SSH session to the vCenter Server and log in as root with the correct password
  • Enter “shell” to launch the Bash shell
  • Browse to the following location:
cd /etc/systemd/network
  • There are two files available (10-eth0.network and 10-eth1.network). The 10-eth0.network represents eth0 and looks like:
[Match]
Name=eth0

[Network]
Gateway=10.2.145.249
Address=10.2.145.202/24
DHCP=no

[DHCP]
UseDNS=false
  • The 10-eth1.network file represents eth1 and looks like this:
[Match]
Name=eth1
[Network]
Address=192.168.0.102/24
DHCP=no
[DHCP]
UseDNS=false
  • Add the static route by appending a [Route] section to this file, so that it looks like this:
[Match]
Name=eth1
[Network]
Address=192.168.0.102/24
DHCP=no
[DHCP]
UseDNS=false

[Route]
Gateway=192.168.0.1
Destination=10.21.9.0/24
  • Restart the network services
systemctl restart systemd-networkd.service
  • Check if the route is added with the route -n command:
root@vcdr01 [ /etc/systemd/network ]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.2.145.249 0.0.0.0 UG 0 0 0 eth0
10.2.145.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
10.21.9.0 192.168.0.1 255.255.255.0 UG 0 0 0 eth1
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
  • From the vCenter Server, use the ping command to test whether the Horizon infrastructure components in that subnet are reachable.
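As an added example (not part of the original post), the following POSIX shell script renders the eth1 unit with its [Route] section from parameters and then checks a routing table in `route -n` format for the expected entry, the way the last steps above do by hand. The function names, the sample routing table and the default-route count are constructed for this example; the addresses mirror the ones used in the post. Note that the eth1 unit deliberately carries no Gateway= in [Network]: the internal NIC must not install a second default route, so the only path out of the internal subnet is the explicit route to the Horizon network.

```shell
#!/bin/sh
# Added example, not from the original post: render the 10-eth1.network unit
# with a [Route] section and verify the kernel routing table afterwards.
# Function names, the sample table and the checks are constructed here.

# Print a .network unit for NAME (e.g. eth1) carrying ADDRESS (CIDR), plus one
# static route to DEST via GATEWAY. No Gateway= in [Network] on purpose: that
# would install a second default route on the internal NIC.
render_network_unit() {
    name=$1; address=$2; dest=$3; gateway=$4
    printf '[Match]\nName=%s\n\n' "$name"
    printf '[Network]\nAddress=%s\nDHCP=no\n\n' "$address"
    printf '[DHCP]\nUseDNS=false\n\n'
    printf '[Route]\nGateway=%s\nDestination=%s\n' "$gateway" "$dest"
}

# Return 0 if TABLE (text in `route -n` format, two header lines) contains a
# route to DEST via GATEWAY on IFACE, else 1.
route_present() {
    table=$1; dest=$2; gateway=$3; iface=$4
    printf '%s\n' "$table" | awk -v d="$dest" -v g="$gateway" -v i="$iface" \
        'NR > 2 && $1 == d && $2 == g && $NF == i { found = 1 }
         END { exit found ? 0 : 1 }'
}

# Count default routes (Destination 0.0.0.0) in TABLE. More than one usually
# means a Gateway= crept into the second NIC's unit.
default_route_count() {
    printf '%s\n' "$1" | awk 'NR > 2 && $1 == "0.0.0.0" { n++ } END { print n + 0 }'
}

# Constructed sample mirroring the post's `route -n` output after the restart.
SAMPLE_TABLE='Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.2.145.249 0.0.0.0 UG 0 0 0 eth0
10.2.145.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
10.21.9.0 192.168.0.1 255.255.255.0 UG 0 0 0 eth1
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1'

# Usage on a real appliance (commented out so the block runs offline as-is):
# render_network_unit eth1 192.168.0.102/24 10.21.9.0/24 192.168.0.1 \
#     > /etc/systemd/network/10-eth1.network
# systemctl restart systemd-networkd.service
# route_present "$(route -n)" 10.21.9.0 192.168.0.1 eth1 && echo "route OK"
# [ "$(default_route_count "$(route -n)")" -eq 1 ] || echo "unexpected extra default route"
```

The unit is written by a function rather than by hand so that the same template can be reused for other DR appliances; the two checks replace the eyeballing of the `route -n` output and catch the common mistake of a second default route on the internal side.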


Firefox does not trust CA-signed vCenter certificates

For a vCenter Server environment I replaced the default SSL certificates with CA-signed SSL certificates. The Platform Services Controller (PSC) is configured as a VMCA subordinate CA. When opening the vSphere Web/HTML5 Client, Firefox displays the following warning: Your connection is not secure.

This is because Firefox uses its own certificate store and, by default, does not trust the root certificates in the Windows certificate store. Since Firefox 49 an option is available that allows Firefox to trust the root certificates in the Windows store; this option is not enabled by default.

The following steps illustrate how to configure Firefox to use the Windows certificate store:

  • Open Firefox
  • In the address bar type: about:config
  • Accept the warning
  • Navigate to the preference name: security.enterprise_roots.enabled
  • Set the value to: true

Firefox now trusts the root certificates in the Windows certificate store.


Deploying an OVA/OVF fails with a certificate error

When trying to deploy an OVA/OVF with the vSphere Web Client, the following error is displayed:

The operation failed for an undetermined reason. Typically this problem occurs due to certificates that the browser does not trust. If you are using self-signed or custom certificates, open the URL below in a new browser tab and accept the certificate, then retry the operation.

This error occurs with vSphere 6.5 because the browser does not trust the vCenter certificates: the default self-signed certificates are in use and their root has not been added to the trusted root certification store.

To deploy an OVF/OVA to the vCenter Server Appliance, the vCenter trusted root CA certificates must be added to the certificate store. The following steps work with Chrome and Internet Explorer:

  • Open the vCenter URL: https://vcenter-FQDN

  • Select “Download trusted root CA certificates” and save the archive (ZIP) file
  • Extract the archive (ZIP)

  • Start – Run – MMC
  • File – Add Snap-ins – Certificates – Computer Account – Local computer
  • Open Trusted Root Certification Authorities – Certificates
  • Import the two *.crt certificates

  • Close and re-open the browser, then navigate to the vCenter Server using its FQDN.
  • The URL is now marked as secure (green lock) and you are able to import the OVA/OVF.