Following are the steps to configure Platform Services Controller (PSC) High Availability for the Management vCenter Server using an NSX-T load balancer.
- Deploy PSC01 and connect it to the MGMT VLAN port group.
- Deploy PSC02, connect it to the MGMT VLAN port group, and join it to the existing SSO domain by pointing it at PSC01 (same site and domain).
- Deploy vCenter Server pointing at PSC01, then configure the cluster, vSAN and DVS networking. Migrate the VM network from the vSS to the vDS.
- Deploy and configure NSX-T Manager, Controllers, two Edges and the other logical components.
- Deploy and configure the load balancer for the PSCs using the NSX-T bridge topology.
Prerequisites
- Set the MTU to 1600 on the vDS that carries the PSC and vCenter VMs (the MGMT VLAN port group on the DVS), so that the overlay encapsulation added on the bridged path has headroom.
- NSX-T Manager is up and running.
- NSX-T Controllers are installed and configured.
- NSX Edges are installed and configured (two nodes).
- A separate ESXi host is installed and configured for the bridge cluster. The PSC and vCenter VMs must not run on this host.
- Transport zones (overlay and VLAN backed), an uplink profile and transport nodes (the Edges and the bridge ESXi host) are configured.
- An Edge cluster with the two Edge nodes is configured.
Bridge Topology:
Why a bridge topology is used for the LB configuration: the objective is to place the PSCs, vCenter and the LB VIP on the same VLAN-backed network and configure HA for both PSCs with the NSX-T load balancer. NSX-T 2.2 does not support this directly when the servers (PSCs), the client (vCenter) and the LB VIP all sit on the same VLAN-backed network, because the load balancer runs on a Tier-1 router and a Tier-1 router cannot be connected to a VLAN-backed logical switch.
To work around this limitation, use the bridge topology below: an L2 bridge between an overlay logical switch (to which the Tier-1 downlink connects) and the VLAN-backed management network.
Configure Bridge with NSX-T
- In the NSX Manager UI, navigate to Fabric > Configuration > Bridges.
- Give the bridge cluster a name.
- Select a transport zone for the bridge cluster. The transport zone must be of type overlay, not VLAN.
- From the Available column, select transport nodes and click the right arrow to move them to the Selected column.
Create and configure Logical Switch (overlay)
- Navigate to Switching and click on “+ADD”
- From “Add new Logical switch” wizard, provide the Logical switch name and select the “Overlay” transport zone & keep the default values and then click on “ADD”
- On the switch configuration page, select Related > Bridge Clusters.
- Click ATTACH, select a bridge cluster, and enter a VLAN ID.
Create and configure Tier-1 Router
- In the NSX Manager UI, Select Routing from the navigation panel.
- Click Add and select Tier-1 Router.
- Assign a name for the logical router.
- (Optional) Select a tier-0 logical router to connect to this tier-1 logical router. If you do not yet have any tier-0 logical routers configured, you can leave this field blank for now and edit the router configuration later.
- Select an edge cluster to connect to this tier-1 logical router.
- Click Save.
Add Downlink Ports for the Tier-1 Logical Router
- Click the tier-1 logical router link to create ports.
- Click the Configuration tab.
- Click Add under the Logical Router Ports section.
- Assign a name for the logical router port.
- Select Type as “Downlink”
- Select the Logical switch from drop down which is created in previous steps
- Enter the router port IP address in CIDR notation. Because the logical switch is bridged to the management VLAN, assign an unused address from the MGMT VLAN IP range.
- For example, the IP address can be 172.16.10.1/24.
- Keep the remaining default settings.
- Click Save
Create and configure Tier-0 Router:
- Select Routing from the navigation panel.
- Click Add to create a tier-0 logical router.
- Select Tier-0 Router from the drop-down menu.
- Assign a name for the tier-0 logical router.
- Select an existing edge cluster from the drop-down menu to back this tier-0 logical router.
- (Optional) Select a high-availability mode.
- Click Save.
Attach Tier-0 and Tier-1
- Select Routing from the navigation panel.
- Select the tier-1 logical router.
- From the Actions -> click on “Connect to Tier-0 Router”.
- Select the tier-0 logical router from the drop-down menu and click on “Connect”.
Configure an Uplink interface / port to Tier-0 Router
- Create a VLAN backed logical switch.
- Navigate to Switching and click on “+ADD”
- From the “Add new Logical switch” wizard, provide the logical switch name, select the “VLAN backed” transport zone, set the VLAN ID to “0” and click “ADD”.
- Connect a Tier-0 Logical Router to a VLAN Logical Switch
- Select Routing from the navigation panel.
- Select the tier-0 logical router.
- From the Configuration tab, add a new logical router port.
- Type a name for the port, such as uplink.
- Select the Uplink type.
- Select an edge transport node.
- Select a VLAN logical switch.
- Type an IP address in CIDR notation. Any placeholder address works here (e.g. 172.168.16.1/24); this uplink is not used by the bridged LB traffic.
Create and Configure Load Balancer
- From your browser, log in to an NSX Manager.
- Select Load Balancer > Add.
- Enter a name and a description for the load balancer.
- Select the load balancer virtual server size and click “OK”
Attach the newly created load balancer to a Tier-1 logical router
- Select the load balancer and click Actions > Attach to a Logical Router.
- Select an existing Tier-1 logical router from the drop-down menu. The Tier-1 router must be in Active-Standby mode.
- Click OK.
Create a Health Monitor
- Navigate to Load Balancing -> Server Pools -> Active Health Monitors.
- Click “+ADD” to create a health monitor.
- Monitor Properties:
Name: “TCP”
Health check protocol: “LbTcpMonitor”
Monitor Port: 443
- Click Next and then Finish.
A TCP monitor only confirms that the PSC accepts connections on port 443; it does not detect an SSO service that is running but unhealthy.
Add a Server Pool for Load Balancing
- Navigate to Load Balancing > Server Pools > Server Pools -> Click on “ADD”
- General Properties -> Provide the Pool Name and select ROUND_ROBIN for Load Balancing Algorithm and click Next.
- SNAT Translation -> Translation Mode as “Auto Map” and click Next
- Pool Members:
- Select the Static option in the Membership Type.
- Under Static Membership, click ADD to add the pool members (the PSCs).
- Enter the Member name and the IP of PSC1. Ensure that the state is set to Enabled.
- Click ADD again to add the second member.
- Enter the Member name and the IP of PSC2. Ensure that the state is set to Enabled.
- Click Next and select TCP for Active Health Monitor.
- Click Finish.
Configure Virtual Server
- From your browser, log in to an NSX Manager at https://nsx-manager-ip-address.
- Navigate to Load Balancing > Virtual Servers > Virtual Servers and click ADD.
- General Properties:
- Provide Name for Virtual server
- Application Type: Select Layer 4 and then select “TCP” from drop down.
- Application Profile: select “nsx-default-lb-fast-tcp-profile”
- Click Next
- Virtual Server Identifiers:
- IP Address: provide the IP address for Virtual server.
- Port: 443, 389, 636, 2012, 2014, 2020 (HTTPS, LDAP, LDAPS and the SSO, VMCA and authentication-framework RPC ports).
- Click Next.
- Server Pool: Select the Server Pool which is created in previous step.
- Load Balancing Profiles: select “nsx-default-source-ip-persistence-profile” for Source IP persistence, so that a client keeps hitting the same PSC for the duration of its session.
Configure Route Advertisement on a Tier-1 Logical Router
- From your browser, log in to an NSX Manager
- Select Routing and Click a tier-1 logical router.
- Select Route Advertisement from the Routing drop-down menu.
- Enable route advertisement by clicking Edit and making sure the Status button is Enabled.
- Set every Advertise option to “Yes”.
- Click on “Save”
Configure static routes on the PSC VMs
The NSX-T load balancer sources its health checks to the server pool members (the PSCs) from a 100.64.x.x address on the Tier-1 to Tier-0 transit link. The PSCs have no route back to that network, so the load balancer cannot reach them and the health check fails.
Add the static routes below on both PSCs.
SSH to each PSC and run:
# ip route add 192.168.201.22 via 192.168.201.32 dev eth0
Replace 192.168.201.22 with the Virtual Server IP and 192.168.201.32 with the Tier-1 downlink port IP.
# ip route add 100.##.##.1 via 192.168.201.32 dev eth0
Replace 100.##.##.1 with the IP of the Tier-1 “LinkedPort_Tier-0” port and 192.168.201.32 with the Tier-1 downlink port IP.
These routes do not survive a reboot of the PSC. Use the procedure below to make them persistent on both PSCs.
- SSH to both PSCs and change to the systemd-networkd directory:
# cd /etc/systemd/network/
- Edit 10-eth0.network with vi and append the two [Route] sections at the bottom of the file. The [Match], [Network] and [DHCP] sections already exist; a Destination without a prefix length is a /32 host route:
# vi 10-eth0.network
[Match]
Name=eth0
[Network]
Gateway=192.168.201.253
Address=192.168.201.26/24
DHCP=no
[DHCP]
UseDNS=false
[Route]
Gateway=192.168.201.32
Destination=192.168.201.22
[Route]
Gateway=192.168.201.32
Destination=100.##.##.1
- Restart systemd-networkd and confirm that both routes are present:
# systemctl restart systemd-networkd
# route -n
After configuring the load balancer in NSX-T, perform the tasks below to confirm that the LB VIP is reachable from the PSCs and that the LB IP/FQDN serves the PSC home page in a browser.
- SSH to both PSCs (PSC01 and PSC02) and run openssl s_client against the load balancer IP/FQDN:
openssl s_client -connect test-psclb.example.com:443
The output should look similar to the following. At this point the VIP still serves the individual PSC's own machine certificate (subject CN test-psc1.example.com); the certificate for the load-balanced name is installed in the next section.
# openssl s_client -connect test-psclb.example.com:443
CONNECTED(00000003)
depth=1 CN = CA, DC = vsphere, DC = local, C = US, ST = California, O = test.example.com, OU = VMware Engineering
verify return:1
depth=0 CN = test.example.com, C = US
verify return:1
---
Certificate chain
0 s:/CN=test-psc1.example.com/C=US
i:/CN=CA/DC=vsphere/DC=local/C=US/ST=California/O=test-psc1.example.com/OU=VMware Engineering
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/CN=test-psc1.example.com/C=US
issuer=/CN=CA/DC=vsphere/DC=local/C=US/ST=California/O=test-psc1.example.com/OU=VMware Engineering
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1515 bytes and written 433 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID:
Session-ID-ctx:
Master-Key: ##########################################################################################
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1526024218
Timeout : 300 (sec)
Verify return code: 0 (ok)
- From a browser, open the load balancer IP/FQDN (https://test-psclb.example.com). The PSC home page should be displayed.
If both checks work as expected, proceed with the tasks below.
Preparing a certificate for the PSCs
- Access PSC1 over SSH and run:
# mkdir /certs
# cd /certs/
- Create the configuration file below with vi, paste the content and change the DNS entries to your PSC and load-balancer FQDNs:
# vi psc_ha_csr_cfg.cfg
[ req ]
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
[ v3_req ]
basicConstraints = CA:false
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = DNS:test-psc1.example.com, DNS:test-psc2.example.com, DNS:test-psclb.example.com
[ req_distinguished_name ]
countryName = US
stateOrProvinceName = CA
localityName = Palo Alto
0.organizationName = VMware
organizationalUnitName= NFV
commonName = test-psclb.example.com
- Generate a private key and certificate signing request:
# openssl req -new -nodes -out /certs/psc-ha-vip.csr -newkey rsa:2048 -keyout /certs/psc-ha-vip.key -config /certs/psc_ha_csr_cfg.cfg
- Issue the certificate from VMCA. The -extensions and -extfile options are required: openssl x509 -req does not carry the CSR's extensions over, so without them the SAN would be dropped from the issued certificate.
# openssl x509 -req -days 3650 -in /certs/psc-ha-vip.csr -out /certs/psc-ha-vip.crt -CA /var/lib/vmware/vmca/root.cer -CAkey /var/lib/vmware/vmca/privatekey.pem -extensions v3_req -CAcreateserial -extfile /certs/psc_ha_csr_cfg.cfg
# cp /var/lib/vmware/vmca/root.cer /certs/cachain.crt
- Validate the certificate:
# openssl x509 -in /certs/psc-ha-vip.crt -noout -text
- Verify that the Subject CN is the load-balanced FQDN.
- Verify that both PSC FQDNs and the load-balanced FQDN are present in the Subject Alternative Name DNS entries.
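The certificate workflow above, rehearsed offline as an added example (this is not the guide's own procedure or VMware tooling). A throwaway self-signed CA written by the script stands in for VMCA's root.cer and privatekey.pem, the hostnames are the guide's example names, and verify_psc_ha_cert performs the checks a practitioner wants before handing the files to certificate-manager: the leaf chains to the CA file, the Subject CN is the load-balanced FQDN, every PSC FQDN and the LB FQDN is in the SAN, and the key actually matches the certificate.

```shell
#!/bin/sh
# Added example, not part of the original guide. Stand-in CA replaces VMCA;
# on a real PSC you would sign with /var/lib/vmware/vmca/{root.cer,privatekey.pem}.
set -u

# make_psc_ha_cert WORKDIR LB_FQDN PSC1_FQDN PSC2_FQDN
# Produces psc-ha-vip.{key,csr,crt} and cachain.crt in WORKDIR (the guide's /certs).
make_psc_ha_cert() {
  dir=$1; lb=$2; psc1=$3; psc2=$4
  mkdir -p "$dir"
  # Throwaway root CA (assumption: stands in for VMCA, which already exists on a PSC).
  cat > "$dir/ca.cfg" <<EOF
[ req ]
distinguished_name = ca_dn
prompt = no
x509_extensions = ca_ext
[ ca_dn ]
commonName = CA
0.domainComponent = vsphere
1.domainComponent = local
countryName = US
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -nodes -newkey rsa:2048 -days 365 -config "$dir/ca.cfg" \
    -keyout "$dir/vmca-key.pem" -out "$dir/cachain.crt" >/dev/null 2>&1 || return 1
  # Same request configuration as the guide, with the names filled in.
  cat > "$dir/psc_ha_csr_cfg.cfg" <<EOF
[ req ]
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
[ v3_req ]
basicConstraints = CA:false
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = DNS:$psc1, DNS:$psc2, DNS:$lb
[ req_distinguished_name ]
countryName = US
stateOrProvinceName = CA
localityName = Palo Alto
0.organizationName = VMware
organizationalUnitName = NFV
commonName = $lb
EOF
  openssl req -new -nodes -newkey rsa:2048 -keyout "$dir/psc-ha-vip.key" \
    -out "$dir/psc-ha-vip.csr" -config "$dir/psc_ha_csr_cfg.cfg" >/dev/null 2>&1 || return 1
  # 'openssl x509 -req' ignores the CSR's own extensions: -extfile/-extensions are
  # what put the SAN into the issued certificate.
  openssl x509 -req -days 3650 -in "$dir/psc-ha-vip.csr" -out "$dir/psc-ha-vip.crt" \
    -CA "$dir/cachain.crt" -CAkey "$dir/vmca-key.pem" -CAcreateserial \
    -extensions v3_req -extfile "$dir/psc_ha_csr_cfg.cfg" >/dev/null 2>&1 || return 1
  chmod 600 "$dir/psc-ha-vip.key" "$dir/vmca-key.pem"   # private keys stay private
}

# cert_san CERT: print the SAN DNS names of CERT, one per line.
cert_san() {
  openssl x509 -in "$1" -noout -text \
    | sed -n '/Subject Alternative Name/{n;p;}' \
    | tr ',' '\n' | sed -n 's/.*DNS:\([^ ,]*\).*/\1/p'
}

# verify_psc_ha_cert WORKDIR LB_FQDN PSC_FQDN... : exit 0 only if every check passes.
verify_psc_ha_cert() {
  dir=$1; lb=$2; shift 2
  crt=$dir/psc-ha-vip.crt; key=$dir/psc-ha-vip.key; ca=$dir/cachain.crt; rc=0
  # 1. The leaf must chain to the CA file you are about to give certificate-manager.
  openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 || { echo "FAIL: does not chain to $ca"; rc=1; }
  # 2. Subject CN must be the load-balanced name clients connect to.
  openssl x509 -in "$crt" -noout -subject | grep -q "CN *= *$lb" || { echo "FAIL: CN is not $lb"; rc=1; }
  # 3. LB FQDN and every PSC FQDN must be in the SAN; modern clients ignore the CN.
  san=$(cert_san "$crt")
  for name in "$lb" "$@"; do
    echo "$san" | grep -qx "$name" || { echo "FAIL: $name missing from SAN"; rc=1; }
  done
  # 4. Key and certificate must be a pair, otherwise the Machine SSL replacement fails.
  cmod=$(openssl x509 -in "$crt" -noout -modulus | openssl md5)
  kmod=$(openssl rsa -in "$key" -noout -modulus 2>/dev/null | openssl md5)
  [ "$cmod" = "$kmod" ] || { echo "FAIL: key does not match certificate"; rc=1; }
  return $rc
}
```

On a real PSC, run only verify_psc_ha_cert against /certs after the guide's openssl commands; it reports each failed check and returns non-zero so it can gate the certificate-manager step.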
Replacing the default Machine SSL certificate
- Launch certificate-manager, select Option 1 (Replace Machine SSL certificate with Custom Certificate), then sub-option 2 (Import custom certificate(s) and key(s) to replace existing Machine SSL certificate).
# /usr/lib/vmware-vmca/bin/certificate-manager
Provide the paths to the psc-ha-vip.crt, psc-ha-vip.key and cachain.crt files created in the previous section.
Please provide valid custom certificate for Machine SSL.
File : /certs/psc-ha-vip.crt
Please provide valid custom key for Machine SSL.
File : /certs/psc-ha-vip.key
Please provide the signing certificate of the Machine SSL certificate
File : /certs/cachain.crt
- Copy the /certs folder from PSC1 to PSC2:
From PSC1 # scp -r /certs/ root@<PSC2-IP>:/
The folder contains the private key for the load-balanced name; keep it readable by root only and remove /certs from both nodes once the certificate has been installed.
- Repeat the certificate-manager step above on PSC2 with the same three files.
Run the PSC HA 6.5 Scripts
updateSSOConfig.py:
Important: Run this step on every PSC (PSC1 and PSC2) participating in the HA instance.
# cd /usr/lib/vmware-sso/bin
# python updateSSOConfig.py --lb-fqdn=test-psclb.example.com
UpdateLsEndpoint.py:
Important: Run this step on a single PSC node only (PSC1).
# cd /usr/lib/vmware-sso/bin
Run UpdateLsEndpoint.py, passing the load-balanced FQDN, the SSO administrator user name and its password:
# python UpdateLsEndpoint.py --lb-fqdn=test-psclb.example.com --user=administrator@vsphere.local --password=<password>
The password is passed on the command line and therefore lands in the shell history; clear the history after the script has run.
Validate PSC HA
- Run the following command to return the site ID:
# python /usr/lib/vmidentity/tools/scripts/lstool.py get-site-id --url http://localhost:7080/lookupservice/sdk 2> /dev/null
- List the cs.license endpoints, passing the site ID recorded in the previous step in place of psc-lb:
# python /usr/lib/vmidentity/tools/scripts/lstool.py list --url http://localhost/lookupservice/sdk --site psc-lb --type cs.license 2> /dev/null | grep URL
Note: A total of 8 cs.license endpoints should be updated with the PSC HA VIP (4 per PSC).
- List the cs.identity endpoints the same way:
# python /usr/lib/vmidentity/tools/scripts/lstool.py list --url http://localhost/lookupservice/sdk --site psc-lb --type cs.identity 2> /dev/null | grep URL
Note: A total of 16 cs.identity endpoints should be updated with the PSC HA VIP (8 per PSC).
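Reading those endpoint lists by eye is error-prone, so here is an added example (not part of the guide or of VMware's lstool) that does the check: check_ls_endpoints reads the "URL: ..." lines that the lstool.py list ... | grep URL commands above print, reports every endpoint whose host is not the load-balanced FQDN, and compares the count with the expected total. An endpoint left on an individual PSC FQDN bypasses the VIP, so that service is silently not covered by HA. The sample lines are constructed for the example, not captured from a PSC; the exact layout of real lstool output is an assumption.

```shell
#!/bin/sh
# Added example, not from the original guide. Usage on a PSC (assumption: the same
# lstool invocation as in the guide):
#   python /usr/lib/vmidentity/tools/scripts/lstool.py list --url http://localhost/lookupservice/sdk \
#     --site <site-id> --type cs.identity 2>/dev/null | grep URL > /tmp/cs.identity.txt
#   check_ls_endpoints test-psclb.example.com /tmp/cs.identity.txt 16
set -u

# check_ls_endpoints LB_FQDN FILE EXPECTED_COUNT
# Prints each stale endpoint and a summary; returns 0 only when every endpoint
# points at LB_FQDN and the number of endpoints equals EXPECTED_COUNT.
check_ls_endpoints() {
  lb=$1; infile=$2; expected=$3
  total=0; stale=0
  while IFS= read -r line; do
    case $line in *URL:*) ;; *) continue ;; esac
    url=${line#*URL: }          # drop indentation and the "URL: " label
    host=${url#*://}            # strip the scheme
    host=${host%%/*}            # strip the path
    host=${host%%:*}            # strip an explicit port
    total=$((total + 1))
    if [ "$host" != "$lb" ]; then
      echo "STALE: $url"
      stale=$((stale + 1))
    fi
  done < "$infile"
  echo "$total endpoints, $stale not pointing at $lb (expected $expected)"
  [ "$stale" -eq 0 ] && [ "$total" -eq "$expected" ]
}

# write_sample_endpoints FILE: constructed lstool-style output in which one
# endpoint was left on PSC2 (sample data, not real output from any PSC).
write_sample_endpoints() {
  cat > "$1" <<'EOF'
    URL: https://test-psclb.example.com/sts/STSService/vsphere.local
    URL: https://test-psclb.example.com/sso-adminserver/sdk/vsphere.local
    URL: https://test-psc2.example.com/sso-adminserver/sdk/vsphere.local
EOF
}
```

Run it once per endpoint type (cs.license with 8, cs.identity with 16); a non-zero exit means UpdateLsEndpoint.py did not finish its job and vCenter must not be repointed yet.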
Repoint vCenter Server from the PSC01 FQDN to the PSC LB FQDN
- Run the following command on the vCenter Server to repoint it from PSC01 to the PSC LB VIP FQDN:
# /usr/lib/vmware-vmafd/bin/vmafd-cli set-dc-name --server-name localhost --dc-name test-psclb.example.com
- Restart Services:
# service-control --stop --all
# service-control --start --all