Virtualisation Engineer
SSL VPN-Plus Service
You can run some troubleshooting commands from the command line of the Edge Services Gateway (ESG) that is hosting the SSL VPN-Plus service. SSH or open the console of the ESG.
The full command list available:
To check the SSL VPN service status:
Very quick post being filed under every day is a school day!
I deployed an Edge Service Gateway without ticking (or more specifically unticking) the Enable SSH button. Along comes some routing issue and I would really like to SSH onto the Edge and do a show ip route but I could not figure out how to enable SSH after the Edge is deployed. Much digging later the only way I could see is to open Networking and Security then browse to NSX Edges, highlight the Edge you want to enable SSH on and click Actions:
Once here click “Change CLI Credentials”:
Type in a password (you can reuse the existing password you set) and tick “Enable SSH”.
Job done!
What a pita this has been, the process is reasonably straight forward but trying to do this in a nested environment is a pain!! The settings below should be done of both ESGs (in my (hands on) lab I created two ESGs with a directly connected “Internal” Logical Switch and an “Internet” Logical Switch and used a DLR to act as the Internet Router.
Something like this:
10.10.100.0/24 >Site 1 ESG Internal (10.10.100.1) > Site 1 ESG Internet (10.10.10.1) > Internet DLR (10.10.10.254) > Internet DLR (20.20.20.254) > Site 2 ESG Internet (20.20.20.1) > Site 2 ESG Internal (20.20.200.1) > 20.20.200.0/24
Enable IPSec VPN Service
You must enable the IPSec VPN service for traffic to flow from the local subnet to the peer subnet
1. Log in to the vSphere Web Client.
2. Click Networking & Security and then click NSX Edges.
3. Double-click an NSX Edge.
4. Click the Manage tab and then click the VPN tab.
5. Click IPSec VPN.
SSL VPN-Plus Overview
With SSL VPN-Plus, remote users can connect securely to private networks behind a NSX Edge gateway. Remote users can access servers and applications in the private networks.
Add SSL VPN-Plus Server Settings
1. In the SSL VPN-Plus tab, select Server Settings from the left panel. Continue reading
Add a Security Tag
You can manually add a security tag and apply it to a virtual machine. This is especially useful when you are using a non-NETX solution in your environment and hence, cannot register the solution tags with NSX Manager.
1. Log in to the vSphere Web Client.
2. Click Networking & Security and then click NSX Managers.
3. Click an NSX Manager in the Name column and then click the Manage tab.
4. Click the Security Tags tab.
A security policy is a set of Endpoint, firewall, and network introspection services that can be applied to a security group. The order in which security policies are displayed is determined by the weight associated with the policy. By default, a new policy is assigned the highest weight so that it is at the top of the table. However, you can modify the default suggested weight to change the order assigned to the new policy.
NSX assigns a default weight (highest weight +1000) to the policy. For example, if the highest weight amongst the existing policy is 1200, the new policy is assigned a weight of 2200.
Security policies are applied according to their weight – a policy with the higher weight has precedence over a policy with a lower weight.
Procedure
1. Log in to the vSphere Web Client.
2. Click Networking & Security and then click Service Composer.
3. Click the Security Policies tab.
1. Log in to the vSphere Web Client.
2. Click Networking & Security and then click Service Composer.
3. Click the Security Groups tab and then click the Add Security Group icon.
Filtering firewall rules is reeeally straight forward!
Navigate to the DFW section of the Networking and Security Plugin then click of the filter buttons:
There are loads of options to filter with: Continue reading
This post will focus on create firewall rules that utilise Active Directory Groups, I’ve already covered who you integrate NSX with AD here so let’s get straight into creating a Security Group:
1. Select the NSX Manager, then click Manage, followed by Grouping Objects.
2. Click on Security Groups.
3. Click the green + sign to Add a Security Group. What I am going to do is create a dynamic group membership based on the AD Group by selecting Entity, Belongs to and then clicking the “Select Entity” button: Continue reading
Create Distributed Firewall Rule Sections
You can add a section to segregate firewall rules. For example, you may like to have the rules for sales and engineering departments in separate sections.
1. Log in to the vSphere Web Client.
2. Click Networking & Security and then click Firewall.
3. Ensure that you are in the General tab to add a section for L3 rules. Click the Ethernet tab to add a section for L2 rules.
