Installing vCenter Internal CA signed SSL Certificates

This post will walk through the process of replacing the default self-signed certificates in vCenter with SSL certificates signed by your own internal Certificate Authority (CA). In previous versions of vSphere the certificate replacement procedure was so complex that many administrators ignored it completely. Now, with the certificate tool improvements in vSphere 6.x and the ever-increasing security threats of today's digital world, applying SSL certificates takes on added significance for verifying that servers, solutions, and users are who they say they are.

The procedure outlined below is specific to installing Microsoft intermediate CA signed certificates on VCSA 6.5 with embedded PSC. The result is a secure connection that protects us against man-in-the-middle attacks, which we can see in the screenshot below. The VMware Certificate Authority (VMCA) was also introduced from v6.0 onwards; for more information on using the VMCA see this blog post, or to read how to use the VMCA as an intermediate CA see here. VMware documentation for replacing self-signed certificates can be reviewed from this KB article.

Trusted_vSphere

Before beginning the certificate replacement process ensure you have a good backup and snapshot of the VCSA. This blog post provides a good overview of the certificates we’re actually going to be replacing, and the following are the official VMware guides:

  • Replacing default certificates with CA signed SSL certificates in vSphere 6.x (2111219)
  • Replacing a vSphere 6.x Machine SSL certificate with a Custom Certificate Authority Signed Certificate (2112277)
  • How to replace the vSphere 6.x Solution User certs with CA signed certs (2112278)

Generate CSR

The first thing we need to do is generate a Certificate Signing Request (CSR). Open an SSH connection to the VCSA using an SSH client such as PuTTY, and log in as root. If you need to enable SSH you can do so from the VAMI (https://vCenterIPorFQDN:5480) under Access; enable both SSH Login and Bash Shell. Run the following command to open the VMware built-in Certificate Manager tool:

/usr/lib/vmware-vmca/bin/certificate-manager

Cert_Tool_1

Select the appropriate option. In this case we first want to replace the machine SSL certificate with a custom certificate, option 1. When prompted enter the SSO administrator username and password. Enter 1 again to generate certificate signing request(s) and Key(s) for machine SSL certificate, and enter the output directory. In the example below we are using the /tmp directory. Fill in the required values for the certool.cfg file.

Cert_Tool_2

The CSR and key are generated in the location specified. Change the shell to /bin/bash using chsh -s "/bin/bash" root and open an SCP connection to the VCSA using WinSCP. Copy the vmca_issued_csr.csr file to your local machine; you can use Notepad to view the contents of the file. Leave the WinSCP session open as we’ll need it to copy the certificate chain back to the VCSA.

Request Certificate

The next step is to use the CSR to request a certificate from your internal Certificate Authority (official KB here). A Microsoft CA template needs creating with the settings specified here (official KB here) before requesting the certs. Once this is done open a web browser to the Microsoft Certificate Services page (normally https://CAServer/certsrv) and select Request a Certificate.

Internal_CA_1

Then we want to Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file. The next page allows us to enter the CSR generated earlier to request a certificate with the pre-configured vSphere 6.5 certificate template.

Internal_CA_2

Click Submit and then select Base 64 encoded, Download certificate, and Download certificate chain. A .cer file and a .p7b file will be downloaded; I have renamed the .cer file machine_name_ssl.cer. Double click the .p7b file to open it in certmgr, locate and right click the root certificate, then select All Tasks, Export. Export the root certificate in Base-64 encoded X.509 (.CER) format; in this example I have named the file Root64.cer. Using WinSCP copy the machine and root certificate files to the VCSA.

Install Certificate

Go back to Certificate Manager and enter 1 to continue to importing custom certificate(s) and key(s) for machine SSL certificate. Enter the file for the machine SSL certificate we copied, I have used /tmp/machine_name_ssl.cer. Enter the associated custom key that was generated with the CSR request, in this case /tmp/vmca_issued_key.key. Finally, enter the signing certificate of the machine SSL certificate, in this case /tmp/Root64.cer. When prompted enter y to replace the default machine SSL certificate with the custom certificate.
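Before answering y at the replace prompt, it is worth confirming that the three files named above actually belong together. The script below is an added example, not part of the original post or of VMware's tooling: it checks that the certificate carries the same public key as the key generated with the CSR, that it chains to the signing certificate file, that the vCenter FQDN is in the subjectAltName, and that it has not expired. It assumes openssl is on the PATH and that the signing certificate file holds the full issuing chain; the function names and the constructed test fixture are hypothetical.

```bash
#!/bin/bash
# Added example: pre-import checks for a CA-signed machine SSL certificate.
# Function names are hypothetical; file names are the ones used in the post.

# Print the SHA-256 of the DER-encoded public key held in a cert, CSR or private key.
pubkey_hash() {   # usage: pubkey_hash cert|csr|key FILE
    case "$1" in
        cert) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
        csr)  pem=$(openssl req  -in "$2" -noout -pubkey 2>/dev/null) ;;
        key)  pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
        *)    return 2 ;;
    esac
    # An unreadable file must not hash as "empty input" and then equal another failure.
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl pkey -pubin -outform DER 2>/dev/null \
        | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Return 0 only if every check passes; print the first failing check otherwise.
check_cert_bundle() {   # usage: check_cert_bundle CERT KEY CHAIN FQDN
    cert=$1; key=$2; chain=$3; fqdn=$4
    ch=$(pubkey_hash cert "$cert") || { echo "FAIL: cannot read certificate"; return 1; }
    kh=$(pubkey_hash key "$key")   || { echo "FAIL: cannot read private key"; return 1; }
    [ "$ch" = "$kh" ] || { echo "FAIL: certificate does not match private key"; return 1; }

    # Match on the ": OK" line rather than the exit status, which old builds do not set reliably.
    openssl verify -CAfile "$chain" "$cert" 2>/dev/null | grep -q ': OK$' \
        || { echo "FAIL: certificate does not chain to $chain"; return 1; }

    # Exact, case-insensitive match of one SAN entry (a prefix of the name must not pass).
    openssl x509 -in "$cert" -noout -text | tr ',' '\n' | sed 's/^ *//' \
        | grep -Fxqi "DNS:$fqdn" || { echo "FAIL: $fqdn not in subjectAltName"; return 1; }

    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 \
        || { echo "FAIL: certificate has expired"; return 1; }
    echo "OK: key, chain, SAN and validity checks passed"
}

# Build a constructed root CA and server certificate for offline testing.
# These stand in for the Microsoft CA output; they are not vCenter or CA data.
build_constructed_fixture() {   # usage: build_constructed_fixture DIR FQDN
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Constructed Test Root" \
        -keyout "$d/ca.key" -out "$d/Root64.cer" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$d/vmca_issued_key.key" -out "$d/vmca_issued_csr.csr" 2>/dev/null &&
    printf 'subjectAltName=DNS:%s\n' "$2" > "$d/san.ext" &&
    openssl x509 -req -in "$d/vmca_issued_csr.csr" -CA "$d/Root64.cer" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -extfile "$d/san.ext" \
        -out "$d/machine_name_ssl.cer" 2>/dev/null
}

# Run against real files when called with four arguments, for example (script name is
# hypothetical, the last argument is your vCenter FQDN):
#   ./precheck.sh /tmp/machine_name_ssl.cer /tmp/vmca_issued_key.key /tmp/Root64.cer FQDN
if [ "$#" -eq 4 ]; then
    check_cert_bundle "$@"
fi
```

Only the CSR and the returned certificates need to be copied between machines; the private key is compared in place on the appliance.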

Cert_Tool_3

The certificate will now be installed; when finished a success message will be displayed. If certificate installation fails at 0% see this KB article.

Cert_Tool_4

To verify the machine certificate open a web browser to the vCenter FQDN; the connection will now show as secure. Depending on the browser used you can view the certificate properties to verify they are correct. Alternatively, browse to https://vCenterFQDN/psc and log in with an SSO administrator account. Open Certificate Management and Machine Certificates, select the installed machine certificate and click Show Details, then verify the certificate properties are correct.

Certificate_Management

Solution User Certificates

Repeat the steps above for the solution user certificates (official KB here). Replacing the solution user certificates may break some external plugins, such as SRM, in which case you should review this KB article for corrective action. To recap: /usr/lib/vmware-vmca/bin/certificate-manager. This time select option 5 replace solution user certificates with custom certificates. Generate the CSRs and keys, you will notice that for the solution user certs 4 CSR and key files are created; machine, vsphere-webclient, vpxd, and vpxd-extension.

Cert_Tool_5

Using WinSCP copy the files to your local machine and repeat the certificate request process from the Microsoft Certificate Services page. Copy the new certificates to the VCSA and repeat the install process. Solution User certificates can be viewed on the PSC web interface under Certificate Management, Solution User Certificates.

Solution_User_Management

Upgrading to vCenter Server 6.5 Update 1

VMware have released the first major update to vSphere 6.5. This post will walk through how to update the vCenter Server Appliance (VCSA) from 6.5 to 6.5 U1. The new features in the latest release are listed here. The official VMware blog goes into further detail here, and of course the release notes cover the important technical information here.

Prior to updating vCenter ensure you have verified the compatibility of any third party products such as backups, anti-virus, monitoring, etc. Also cross-check the compatibility of other VMware products using the Product Interoperability Matrix. Since we are updating vCenter Server 6.5 to 6.5 U1 I am assuming the usual pre-requisites such as FQDN resolution, time synchronization, relevant ports open, etc. are already in place, and all hosts are running at least ESXi version 5.5. For more information on the requirements for vCenter Server 6.5, or if you are upgrading from an earlier version, the following posts may be of use:

Before beginning the update process take a backup and snapshot of the vCenter Server Appliance. There is downtime during the update but this is minimal – around 10 mins to update and reboot using an ISO as an update source, when using the online repository the update time may vary depending on your internet connection.

VAMI Update

The easiest way of updating the vCenter Server is through the VAMI (vCenter Server Appliance Management Interface). Browse to https://vCenter:5480, where vCenter is the FQDN or IP address of the vCenter Server. Log in as the root user.

VAMI1

Select the Update option from the navigator.

VAMI2

Click the Check Updates drop-down. If the VCSA has internet access then select Check Repository to pull the update direct from the VMware online repository.

If the VCSA does not have internet access, or you’d prefer to provide the patch manually then download the relevant patch from VMware here (in this case VMware-vCenter-Server-Appliance-6.5.0.10000-5973321-patch-FP.iso) and attach the ISO to the CD/DVD drive of the VCSA in the virtual machine settings. Back in the VAMI update page select the Check Updates drop-down and click Check CDROM.

VAMI3

Details of the available update from either the online repository or attached ISO are displayed. Click Install Updates.

VAMI4

Accept the EULA and click Install to begin the installation.

VAMI5

When the update process has completed click OK. From an attached ISO the installation took around 5 minutes.

VAMI7

The updated version and release date should now be displayed in the current version details. Finally, to complete the upgrade reboot the vCenter Server Appliance. Select Summary from the navigator and click Reboot.

VAMI8

CLI Update

Alternatively the vCenter Server Appliance can be updated from the command line. Again, the source can be either the online repository or a patch downloaded from VMware here (VMware-vCenter-Server-Appliance-6.5.0.10000-5973321-patch-FP.iso or latest version) and attached as an ISO to the CD/DVD drive of the VCSA in the virtual machine settings. For more information on patching the vCenter Server Appliance using the appliance shell see this section of VMware docs.

Log in to the vCenter Server appliance as root. First stage the patches from your chosen source using either:

  • software-packages stage --iso --acceptEulas stages software packages from ISO and accepts EULA.
  • software-packages stage --url --acceptEulas stages software packages from the default VMware online repository and accepts EULA.

Next, review the staged packages, install the update, and reboot the VCSA.

  • software-packages list --staged lists the details of the staged software package.
  • software-packages install --staged installs the staged software package.
  • shutdown reboot -r update reboots the VCSA where ‘update’ is the reboot reason. Use -d to add a delay.

CLI4

Reconfiguring vCenter Server for External PSC

An external Platform Services Controller (PSC) can provide scalability and high availability across sites. A vCenter Server initially deployed with an embedded PSC can be reconfigured to use an external PSC by following the steps outlined below. Multiple external Platform Services Controllers can be deployed and an environment can be mixed between the appliance and Windows versions of vCenter Server and PSC.

externalpsc

Considerations

  • The vCenter Server must be running at least version 6.0 Update 1.
  • The process involves the installation of an external PSC as a new target for vCenter Server. The PSC must be in the same Single Sign-On site and domain as the vCenter Server.
  • Ensure you have good backups of your vCenter Server. If the vCenter Server is virtual take a snapshot before starting the process, likewise after deploying the new PSC take a snapshot.
  • If the process fails for any reason revert back to the snapshots.
  • An external PSC deployment model cannot be converted into an embedded PSC.
  • If vCenter HA is enabled then disable and reconfigure after the process is complete. For more information see Configuring vCenter 6.5 High Availability.
  • The commands outlined below are the same for the vCenter Server Appliance and Windows vCenter Server, unless specified. Take into account the following environmental variables:
    • For Windows all commands should be run as an administrator in an elevated command prompt.
    • For the appliance use the root account for all commands, enable BASH and launch the shell by running shell.set --enabled True followed by shell.

Process

The first step is to determine the Single Sign-On site by running the following command on the vCenter Server.

vCenter Server Appliance:

/usr/lib/vmware-vmafd/bin/vmafd-cli get-site-name --server-name localhost

Windows vCenter Server:

"C:\Program Files\VMware\vCenter Server\vmafdd\vmafd-cli" get-site-name --server-name localhost

Make a note of the SSO site. Next deploy the new external Platform Services Controller, if you require assistance with this see the Deploying an External Platform Services Controller post. The new PSC must be configured with the same Single Sign-On site and domain as the vCenter Server you want to reconfigure.

joindomain

joinsite

Once the external PSC is up and running go back to the vCenter Server. Confirm the Platform Services Controller services are running, for Windows first navigate to the correct directory by using:

cd "C:\Program Files\VMware\vCenter Server\bin"

For both the appliance and Windows versions run the following command:

service-control --status --all

Check that the VMware License Service, VMware Identity Management Service, VMware Security Token Service, VMware Certificate Service, and VMware Directory Services are running.

cmd

To reconfigure the vCenter Server to use the new PSC use the following command, replacing newpsc with the IP or FQDN (case sensitive) of the new PSC, username, domainname, and password with the relevant SSO domain and user details.

cmsso-util reconfigure --repoint-psc newpsc --username username --domain-name domainname --passwd password

If the external PSC is configured to use a custom port then add [--dc-port port] where port is the port number. Check the configuration results.

results

Confirm the vCenter is accessible by logging in to the vSphere web client. The process is now complete; if you disabled vCenter HA you can go ahead and reconfigure it.

Deploying an External Platform Services Controller

This post will walk through the process of deploying an external Platform Services Controller (PSC) appliance. The PSC was introduced with vSphere 6.0 to deal with infrastructure services such as Single Sign-On, Certificate Authority, and licensing. For more information on the Platform Services Controller review this KB.

The PSC can be either embedded within the vCenter Server, or external to allow scale out for larger environments. When deciding if an embedded or external PSC is appropriate review the vCenter Server deployment models here. The external PSC can be installed as a virtual appliance, or installed on a Windows server (virtual or physical). Environments can be mixed, for example a PSC virtual appliance can be deployed where a physical Windows vCenter currently exists. You may also want to review the following posts:

Installation Process

Download the VMware vCenter Server Appliance here: v6.0, v6.5.

Mount the ISO on your computer. The VCSA 6.5 installer is compatible with Mac, Linux, and Windows. Browse to the corresponding directory for your operating system, e.g. \vcsa-ui-installer\win32. Right click Installer and select Run as administrator. As we are installing a new instance click Install.

psc1

On the welcome page click Next. Accept the license agreement and click Next.

psc3

For the deployment type we need to select Platform Services Controller under the External Platform Services Controller heading. Click Next.

psc4

Enter details of the vCenter or ESXi host where the appliance will be deployed, click Next.

psc5

Select a location for the virtual appliance and click Next.

psc6

Select the compute resource for the virtual appliance and click Next.

psc7

Enter a name for the virtual appliance and configure the root password, click Next.

psc8

Select the storage to use and click Next.

psc9

Select the VM network to use and configure the network settings, click Next.

psc10

Review the deploy Platform Services Controller summary page and click Finish. The Platform Services Controller appliance will now be deployed.

stage2

In stage 2 we configure the new appliance, click Next.

config

Configure the NTP server(s) and click Next.

config1

The SSO configuration page is where we determine if the PSC should be joined to an existing SSO domain or if you are creating a new SSO domain. Enter the SSO domain details and click Next.

config2

Tick or untick the Customer Experience Improvement Program and click Next.

config3

On the summary page click Finish and Ok. The PSC virtual appliance will now be configured.

config4

Once complete we can access the Platform Services Controller in 2 different ways. For the appliance management portal browse to https://IP:5480 where IP is the IP or FQDN of the virtual appliance. Log in with the root account.

root

Here we can configure settings specific to the virtual appliance, such as networking, SSH, syslog, etc.

root2

To access the user interface browse to https://IP/psc where IP is the IP or FQDN of the virtual appliance. Log in with the administrator@vsphere.local account created or defined in the installation wizard.

psc

Here we can configure Platform Services Controller related settings, such as permissions, certificates, etc. To join the PSC to an Active Directory domain browse to Appliance Settings, and Manage. Under Active Directory click Join.

domain

The Platform Services Controller has now been deployed and configured. Multiple PSC instances can be placed behind a load balancer to provide High Availability, as outlined in this KB.

vSphere 6.5 Content Libraries

I was aware of Content Libraries when the feature was released in vSphere 6.0, although I didn’t make use of it. I found this article by Jon Kensy which gives a really good review on the usability of Content Libraries in vSphere 6.0, however there have been improvements since then. In this post we’ll take a look at Content Libraries in vSphere 6.5, which has additional features including the option to mount an ISO from a Content Library, update existing templates, and apply guest OS Customisation Specifications during VM deployments. If Content Libraries reside on VCSA then we can also make use of vCenter HA, and native Backup and Restore, both new to v6.5.

In the steps below we will create a publisher library, add some content, and then create a subscription library on a different vCenter Server. You can learn more about Content Libraries in the vSphere 6.5 Documentation Centre.

contentlibrary

Create Publisher Library

The vCenter Server where the Content Library will be updated is assigned the publisher role. Log into the vSphere web client of the vCenter Server to deploy the publisher library, from the home page select Content Libraries.

contentlibrary1

From the Objects tab click the icon with the green plus symbol to create a new library. The new library wizard will open. Enter a name, and description if required. Select the vCenter Server to be the publisher and click Next.

contentlibrary2

Select Local content library. To allow other vCenter Servers to subscribe select Publish content library externally (this can be done later if required). If you want to add a password to the library tick Enable authentication. Click Next to continue.

contentlibrary3

Select the storage where the library will reside, click Next.

contentlibrary4

Review the details on the summary page and click Finish. The Content Library has been created.

contentlibrary5

Add Content

With the new Content Library selected, browse the different tabs. Configure allows us to publish the library for other vCenter Servers, and password protect if required. The subscription URL is also listed, which is needed to add a subscription library on a different vCenter Server.

The Templates tab is self explanatory and lists the templates stored in the Content Library. Templates can be imported or created from an existing virtual machine or template in the inventory. To create a template from a virtual machine right click and select Clone, Clone to Template in Library.

clone

A new template will be created. For existing templates you can right click and choose Clone to Library.

existingtemplate

Now from the Content Library we can right click the template and select New VM from This Template. The usual deploy virtual machine from template wizard opens, here we also have the option to customise the guest OS with a Customisation Specification.

template

Using the Other Types tab files such as ISO or OVA can be added. Once an ISO is imported it can be mounted to a virtual machine direct from the Content Library.

iso

Create Subscription Library

Additional vCenter Servers which will pull content from the publisher are assigned the subscription role. Log into the vSphere web client of the vCenter Server to subscribe to the library, from the home page select Content Libraries.

contentlibrary1

From the Objects tab click the icon with the green plus symbol to create a new library. The new library wizard will open. Enter a name, and description if required. Select the vCenter Server to be the subscriber and click Next.

contentlibrary2

Select Subscribed content library. Enter the Subscription URL provided by the publisher library. If authentication is required then select the appropriate tick box. You should also decide whether to download all the content now, or download on demand. Obviously the latter will use less storage capacity however access to library items will be slower. When you’re ready click Next.

subscription

Select the storage where the library will reside, click Next.

storage

Review the details on the summary page and click Finish. The Content Library has been added. From the drop-down Actions menu you can manually synchronise the library, edit, rename, or delete.

VMware Snapshot Overview

This post will talk about how VMware snapshots work, what they should and should not be used for, and provide a demonstration. A snapshot preserves the state and data of a virtual machine from a specific point in time. You can create multiple snapshots to save the virtual machine in different stages of a work process. Snapshots are managed using Snapshot Manager in the vSphere web client, or with PowerCLI. You should not manually alter any of the snapshot files as this may compromise the disk chain, with potential for data loss.

What happens when I take a snapshot?

When you take a snapshot of a virtual machine a number of files are created; a new delta disk (or child disk) is created for each attached disk, in vmdk format. The delta disks follow a naming convention and sequence of vmname-000001.vmdk, vmname-000002.vmdk and so on. These files are stored with the base vmdk by default. Any changes to the virtual machine are written to the delta file(s), preserving the base vmdk file. Think of this delta file as a change log, representing the difference between the current state and the state at the time the snapshot was taken. A .vmsd file is created to store the virtual machine snapshot information defining the relationships between child disks. A .vmsn file and corresponding .vmem file is created if the active state of the virtual machine memory is included in the snapshot. These configuration files are all stored in the virtual machine directory.

snap3

When should I use a snapshot?

Use a snapshot as a short term restore point when performing changes such as updating software versions or for testing software or configuration with unknown effects. You can create multiple snapshots of a virtual machine; VMware recommend no more than 32 snapshots in a chain, however best practice for performance is to keep it low, i.e. 2-3 snapshots.

Do not use a snapshot as a backup. Although it provides a restore point, a snapshot relies on the base disk(s); without them the snapshot files are worthless. If you need a restore point for more than a few days then consider other options such as traditional backup, or cloning the virtual machine. According to vSphere best practices a single snapshot should not be used for more than 24 – 72 hours. There are a number of factors that determine how long a snapshot can be kept, such as the amount of changed data, and how the application will react to rolling back to a previous point in time. Some disk types and configurations are not supported by snapshots; you can see a full list of limitations here.

What are the risks of using a snapshot?

The more changes that are made within the virtual machine the more data is written to the delta file. This means the delta file grows quickly and in theory can grow as large as the virtual disk itself if the guest operating system writes to every block of the virtual disk. This is why snapshots are strictly a short term solution. Ensure there is sufficient space in the datastore to accommodate snapshots, if the datastore fills up any virtual machines residing in that datastore will be suspended.

How do I take a snapshot?

From the vSphere web client right click the virtual machine to snapshot, select Snapshots, and Take Snapshot. Note that vCenter Server is not a requirement, snapshots are also supported through the local ESXi host web UI.

snap1

Enter a name and description for the snapshot. The contents of the virtual machine's memory are included in the snapshot by default, retaining the live state of the virtual machine. If you do not capture the memory state then the virtual machine file system requires quiescing; otherwise, should the virtual machine be reverted to a previous state, the disks are only crash consistent. The exception to this is taking a snapshot of a powered off virtual machine, as it is not possible to capture the memory state or quiesce the file system.

snap2

To view active snapshots locate the virtual machine in the vSphere web client and select the Snapshot tab. Snapshots are listed in order with ‘you are here’ representing the current state, at the end of the snapshot chain.

snap4

It is possible to exclude disks by changing the disk mode to independent, covered here. However please use this option with care as it may have other implications. For example if your backup software uses snapshots as part of the backup process then setting independent disks may inadvertently exclude these disks from backups.

How do I revert back to a snapshot?

Select the snapshot you want to revert back to, and click the revert icon in the top left of the snapshot menu. The icon dialog reads ‘revert the VM to the state it was in when the snapshot was taken’.

snap4

Review the confirmation message. The virtual machine state and data will be reverted back to the point in time when the selected snapshot was taken. The current state of the virtual machine (changes made since the snapshot was taken) will be lost unless you have taken a further snapshot. Click Yes to continue.

snap5

If you have multiple snapshots you will see the ‘you are here’ marker move to the point in the chain you have reverted to. Snapshots taken after this point are still valid and can be reverted to if required. After you have reverted to a snapshot you are happy with you need to save, or commit, the state of the virtual machine. More on this below.

snap6

How do I keep the state of the virtual machine?

When you keep the current state of the virtual machine the delta disks are merged with the base disks, committing the changes and the current state of the virtual machine. This is done by using the delete snapshot options in Snapshot Manager.

  • Delete All – deletes all snapshots from the virtual machine. This merges the delta disk(s) with the base disk(s) to save, or commit, the virtual machine data and configuration at the current point in time. If you have reverted to a snapshot you still need to delete all snapshots to start writing to the base disk again.
  • Delete – deletes individual snapshots from a chain; writing disk changes since the previous snapshot to the parent snapshot delta disk. If only a single snapshot exists then deleting this snapshot is the same as a Delete All for multiple snapshots; the VM state is committed and data is written to the base disk as normal.

Right click the virtual machine in the vSphere web client and select Snapshots, Manage Snapshots. From the All Actions menu select Delete Snapshot to delete the selected snapshot, or Delete All Snapshots. In this example we are deleting all snapshots, so click Yes to confirm.

snap7

All snapshots are now removed and the current state of the virtual machine is committed to the base disk. Any changes made from here on in are written to the base disk as normal, unless another snapshot is taken.

snap8

What is snapshot consolidation?

Snapshot consolidation is useful if a Delete or Delete All operation fails; for example if a large number of snapshots exist on a virtual machine with high I/O, or if a third party tool such as backup software utilising snapshots is unable to delete redundant delta disks. Using the consolidate option removes any redundant delta disks to improve virtual machine performance and save storage space. This is done by combining the delta disks with the base disk(s) without violating a data dependency, the active state of the virtual machine does not change.

To determine if a virtual machine requires consolidation browse to the vCenter Server, cluster, or host level in the vSphere web client and click the VMs tab. Right click anywhere in the column headers and select Show/Hide Columns. Tick Needs Consolidation and click Ok.

snap9

If a virtual machine requires consolidation right click and select Snapshots, Consolidate. There is also a default alarm defined at vCenter level for virtual machine consolidation needed.

snap10

From vSphere 6 onwards the snapshot consolidation process was improved. You can read more about the specifics, and testing, in this blog post by Luca Dell’Oca.

The snapshot functions described in this post can also be managed using PowerCLI, this blog post by Anne Jan Elsinga covers the commands you’ll need.

vSphere Data Protection Install Guide

This post will walk through the installation of vSphere Data Protection (VDP) 6.1.3; a vSphere integrated backup and recovery solution. Data Protection is based on EMC Avamar deduplication backup and recovery software, and can also integrate with EMC Data Domain for scalability. In addition to full virtual machine backups vSphere Data Protection offers file level restores, application level backup and restores, backup data replication to remote sites, and reporting. An emergency host level restore feature has been added for situations where the vCenter Server or web interface is unavailable. For more information on the features available to vSphere Data Protection 6.1.x see this technical overview.

Design Considerations

  • vSphere Data Protection is deployed as an OVA template.
  • The virtual appliance can be deployed with the following configurations:
    • 0.5 TB backup datastore, 873 GB disk space, 4 vCPU, 4 GB memory.
    • 1 TB backup datastore, 1600 GB disk space, 4 vCPU, 4 GB memory.
    • 2 TB backup datastore, 3 TB disk space, 4 vCPU, 4 GB memory.
    • 4 TB backup datastore, 6 TB disk space, 4 vCPU, 8 GB memory.
    • 6 TB backup datastore, 9 TB disk space, 4 vCPU, 10 GB memory.
    • 8 TB backup datastore, 12 TB disk space, 4 vCPU, 12 GB memory.
  • The backup datastore can be extended after deployment, up to the maximum size of 8 TB per appliance.
  • For assistance with sizing the appliance for your environment see pages 27 and 28 of the vSphere Data Protection Administration Guide.
  • To avoid block size limitations the appliance should be deployed to VMFS5 or later.
  • Each vCenter Server supports up to 20 vSphere Data Protection appliances.
  • Each vSphere Data Protection appliance supports up to 400 virtual machines however…
  • The number of virtual machines each appliance typically supports is 150 – 200. This is dependent on factors such as the virtual machine size, the amount of changed data, and the data retention period.
  • By default Data Protection can backup machines utilising SAN, NAS, or VSAN datastores.
  • For hosts using DAS, or hosts in remote locations, external proxies can be deployed as virtual appliances from the VDP UI.
  • Up to 8 proxies can be deployed per vSphere Data Protection appliance.
  • Review the vSphere Data Protection 6.1.x Release Notes and vSphere Data Protection Administration Guide.

Requirements

  • The table below lists the supported vCenter Server versions for 6.1 variations of vSphere Data Protection.

  • If you are using vCenter 5.5 U3 with Data Protection 6.1, 6.1.1, or 6.1.2, see this KB.
  • All variations of Data Protection 6.1.x support ESXi 5.1 through to ESXi 6.0 U2. For ESXi 6.5 version 6.1.3 of Data Protection should be used.
  • To check compatibility with any other VMware products see the Product Interoperability Matrix.
  • Editions of vSphere Essentials Plus and above (or vSphere with Operations Management / vCloud Suite) include licensing for vSphere Data Protection.
  • FQDN resolution must be in place. Forward and reverse DNS entries must be added manually.
  • A static IP address is required for the VDP appliance and any additional proxy appliances.
  • The vCenter Server and attached ESXi hosts must be configured with an NTP server. The VDP appliance pulls the time configuration from vSphere.
  • The following disk types are unsupported: independent, RDM independent (virtual compatibility mode), and RDM physical compatibility mode.
  • Each virtual machine to be backed up should be running VMware Tools and hardware v7 or above.

Install VDP

Download the VMware vSphere Data Protection OVA here. The ISO is used for upgrades. Browse to the vSphere web client and right click the cluster where the virtual appliance will reside. Click Deploy OVF Template. Browse to the downloaded OVA file and click Next.

Review the OVF template details and click Next.

Accept the EULA and click Next.

Enter a name for the virtual appliance and select a location, click Next.

Select the datastore for the virtual appliance and click Next. Select the VM network to use and click Next.

Enter the network settings for the virtual appliance. Review the summary page, tick the Power on after deployment box and click Finish.

Configure VDP

DNS values for forward and reverse lookup must be in place for the configuration wizard. Manually add a DNS host record for the IP address of the virtual appliance and the desired host name and domain.

After deployment browse to https://<VDP-appliance>:8543/vdp-configure, where <VDP-appliance> is the IP address or FQDN of the vSphere Data Protection appliance. Log in with the root default password changeme.

The configuration wizard will load, click Next.

Enter a host name and domain for the appliance. The network settings are auto-populated, click Next. If DNS forward and reverse lookup values are not in place the wizard will fail at this point.

Select a time zone and click Next.

Configure a new root password for the virtual appliance and click Next.

Enter the vCenter Server details and click Test Connection. If successful click Next.

Select the size of the datastore to create for backup data, click Next.

Select the storage to use and the provisioning type, click Next. Accept the default CPU and memory allocations and click Next.

Select or leave the Customer Experience Improvement Program check box and click Next.

Select whether or not to run performance analysis on the storage configuration. The performance analysis tests the read, write, and seek speeds of the underlying storage. Once ready click Next to apply the changes. Click Yes to confirm. The virtual appliance will now be reconfigured and rebooted.

This process can take around 15 minutes depending on your infrastructure. When the appliance is back online a VDP icon will be added to the home page of the vSphere web client. Default alarms are also added.

To view and change settings related to the virtual appliance you can log back into https://<VDP-appliance>:8543/vdp-configure, where <VDP-appliance> is the IP address or FQDN of the vSphere Data Protection appliance.

The installation is now complete and you can begin scheduling backup jobs using the Create Backup Job wizard.
