Manual install of NSX on a Windows Physical Server (bare metal)

Article ID: 386679


Updated On:

Products

VMware NSX-T Data Center, VMware vDefend Firewall

Issue/Introduction

Sometimes, due to environmental issues, a manual install of the NSX software on the Windows server is required. When installing NSX on a Windows Physical Server, the install process also assumes that WinRM on the server will allow unencrypted connections. Many environments only allow encrypted WinRM, and this prevents the install from working.

Environment

NSX 4.2.x and below

Cause

NSX assumes that WinRM will allow unencrypted connections, and if unencrypted WinRM is not available, the install fails. Also, most customers do not include the IP of the server in the SAN of the certificate. The UI install process only allows the use of an IP, not an FQDN, meaning the certificate cannot be validated.

Resolution

There are two options to finish the install:

  1. Enable unencrypted WinRM for the duration of the install, and then disable it again. The unencrypted connection is only required for the initial install.
  2. Manual install of the software and a manual join to the NSX Managers


Manual Install Procedure

  1. Download the Windows Physical Server software
    1. Go to the Support Portal
    2. In the NSX pages, find NSX BM Server Module for Windows 2016/ 2019/ 2012R2 and download the install package
  2. Install the package on the Windows Server
  3. Start the nsxcli command line from PowerShell
    1. cd 'C:\Program Files\VMware\NSX\nsx-cli\'
    2. .\nsxclibms.bat
    3. NOTE: include the .\ so that PowerShell looks in the current directory for the command
  4. Find the thumbprint for the "api_listen_addr" certificate by running GET /api/v1/cluster/nodes
    1. Use a REST API client, such as Postman, OR
    2. Run the following command from engineering mode on the NSX Manager
      1. curl -k -u admin -H "Content-Type:application/json" -X GET https://localhost/api/v1/cluster/nodes
    3. From the output, look for "api_listen_addr" and copy out the thumbprint, which is located near the end of the section
      1. "certificate_sha256_thumbprint" : "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
  5. Join the Windows Server as a transport node 
    1. join management-plane xx.xx.xx.xx thumbprint xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx username admin password yyyyyyyyyy
      1. xx.xx.xx.xx <--- IP of any NSX Manager or the VIP of the Managers
  6. Now go back to the UI and perform the install.
    1. NSX will detect that the server is already a transport node and will not try to install the software again.
    2. The next step is to configure the Host Switch, as in a regular install from the GUI.
    3. See: Secure Workloads on Windows Server 2016/2019 Bare Metal Servers
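
The thumbprint lookup in step 4 can be scripted so that the value pasted into the join command in step 5 is a well-formed SHA-256 thumbprint and belongs to the manager IP actually used. This is an added example, not code from this article or from the product: the function names are hypothetical, and the sample response is constructed (its "results", "manager_role" and "ip_address" layout is an assumption; only "api_listen_addr" and "certificate_sha256_thumbprint" come from the steps above).

```python
import json
import re

# Constructed sample standing in for the GET /api/v1/cluster/nodes output.
# Layout other than "api_listen_addr" / "certificate_sha256_thumbprint" is an
# assumption; addresses and thumbprints are made-up values.
SAMPLE = json.dumps({"results": [
    {"manager_role": {"api_listen_addr": {
        "ip_address": "192.0.2.11",
        "certificate_sha256_thumbprint": "ab" * 32}}},
    {"manager_role": {"api_listen_addr": {
        "ip_address": "192.0.2.12",
        "certificate_sha256_thumbprint": "CD" * 32}}},
    {"display_name": "node-without-api-section"},
]})

HEX64 = re.compile(r"[0-9a-f]{64}")


def normalize(thumbprint):
    """Trim and lower-case a thumbprint; reject anything but 64 hex digits."""
    value = thumbprint.strip().lower()
    if not HEX64.fullmatch(value):
        raise ValueError("not a SHA-256 thumbprint: %r" % thumbprint)
    return value


def api_thumbprints(node):
    """Yield (ip_address, thumbprint) for every "api_listen_addr" section,
    wherever it is nested in the parsed JSON."""
    if isinstance(node, dict):
        addr = node.get("api_listen_addr")
        if isinstance(addr, dict) and "certificate_sha256_thumbprint" in addr:
            yield (addr.get("ip_address"),
                   normalize(addr["certificate_sha256_thumbprint"]))
        for child in node.values():
            yield from api_thumbprints(child)
    elif isinstance(node, list):
        for child in node:
            yield from api_thumbprints(child)


def thumbprint_for(raw_json, manager_ip):
    """Return the thumbprint of the manager whose API address is manager_ip."""
    found = dict(api_thumbprints(json.loads(raw_json)))
    if manager_ip not in found:
        raise LookupError("no api_listen_addr entry for %s" % manager_ip)
    return found[manager_ip]


if __name__ == "__main__":
    print(thumbprint_for(SAMPLE, "192.0.2.11"))
```

Save the curl or Postman response to a file and pass its contents as raw_json, with manager_ip set to the address you will give to join management-plane.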