Hi guys,
I have two domains one is my "production" and the other one my "test". In my production domain i have install the vra with two appliances two IAAS componets servers. In my production enviroment every works perfekt. Now I want to deploy a proxy agent and a worker in my test and connect it to my vra 7, is this possible without a trust of the domains? Does someone have a best practise guide for this or is it unsupported?
My enviroment:
Production:
-vCenter 6.0
-ESXi 5.5
-vra 7.0.1
Test:
vCenter 5.5
-ESXi 5.5
This will work. It uses certificates to validate communications, not username/password.
Grant
No idea?
Sorry, was at a work conference so haven't been online.
Is this a 6 or 7 deployment?
Grant
No problem,
it is a vra7 deployment.
No idea?
For the certitifcates are they VMware self signed? Make sure you have added the certiifcates from the Model Manager to the proxy agent and vice versa to allow trust. adding the root certitifcate to both should allow this trust
Hi firestartah,
to my enviroment, I have a production enviroment and a test enviroment, both have there own CA (so no VMware self signed certificates are used). The problem is testing the manager service host works fine and testing the model manager host fails but this is the same server but a different alias.
Can you help me to understand this please.
Foir the certificates did you add the alias' to the Subject Alternative Name field? Adding the root certitifcate to each side should then allow the trust between production and test.
Yes I add the alias to the subject alternative name.
Adding the 'production' root certificate to my worker/agent on the test enviroment and adding the 'test' root certifictate to my two IaaS Server on the production enviroment right?
To be clear, the common name also needs to be in the subject alternate or you will see this behaviour.
Grant
I'm having a similar issue. We have a vCenter in a different AD Domain and need to install a Proxy Agent to provision to that vCenter. We've installed that Proxy Agent server in the same domain as the vCenter and are trying to install the proxy agent. Getting the 401 when hitting Test for the Model Manager Web Service Host.
Any Ideas? GrantOrchardVMware you mentioned it was just using certificates not the login.
Hi
The assumption that the vSphere Proxy agent uses certificate for authorization is correct, but only in regards of the connection to Manager Service endpoint. Connection to the Repository on the Web endpoint still requires authentication by a user.
I solved both installation of the agent and connection to repository by using runas and some hidden command line for the VRMagent.exe
First I ran "runas /netonly /user:REMOTEDOMAIN\Useraccount cmd", then executed the setup exe and completed the installation.
Then I had to stop the windows service and then from a new command prompt run: "VRMagent.exe -Repo-SetCredetials -user SERVICEACCOUNT -password PASSWORD -domain REMOTEDOMAIN
Now it was possible to start the windows service again. Then you can enjoy running Inventory jobs etc on your Compute Resources and also deploy servers 🙂
//Marcus
Thank you Marcus! Much appreciated.
That very nearly worked. The only issue I ran in to was UAC blacking out the install screen. If I temporarily got that disabled it would work. For now we have the agents on a system that is not in the same network as the vCenter but it is in the same domain as vRA and can deal with slower data collection. We will revisit later with the hosting team to get around UAC.