
FROM THE EDITORS VIRTUAL DESK
Hi everyone, yes we are now less than 2 weeks away from VMworld US 2019 in San Francisco. Have you used Schedule Builder and reserved the sessions you wish to attend? I always advise my customers to at least be on the waitlist for the sessions they want to attend but which are already full, in case the session size is expanded and your waitlist place becomes an attendance. In addition, the same holds true for the special TAM Customer Central sessions, many of which have already had their capacity expanded in order to accommodate the demand.

This week we continue our VMworld coverage from TAM and Education as well as some tweets that may be of interest via the @VMwareTAM Twitter Account.

In the meantime, please enjoy this week's newsletter, and chat to your VMware TAM/Sales team representative if you require any further information, or feel free to email us at tamsource@vmware.com and we will do our best to answer your question or provide any assistance that we can.

I wish you all a fantastic week ahead and will be sending a final pre-VMworld update next week before the main event.

Virtually Yours
VMware TAM Team

@VMwareTAM Twitter - Tweets of the week
- We're excited to have Doug DeFrank @dougdefrank from HM Health Solutions presenting #HBI1464BU https://my.vmworld.com/widget/vmware/vmworld19us/us19catalog?search=HBI1464BU … at @vmworldUS with David Stamen @davidstamen! Their TAM Marc Haines @vmarchaines is proud to work with them! #VMworld

- NSBU is inviting @vmwaretam customers to a great event on Monday, Aug 26, 5-7PM during #VMworld: So you want to be an SRE? https://eventbrite.com/e/vmworld-panel-reception-architecting-it-operations-is-sre-in-your-future-tickets-68372860065 … We have two Google SRE Managers speaking!

- Test Drive vSphere Platinum! #VMware #VMwareTAM

- Hot off the press for @VMwareTAM customers attending #VMworld: A certain TAM Customer Central session on #PowerCLI has been added to the content catalog as a repeat, and as a bonus, it's not at super-early-o'clock either! Get registered for #TAM3212UR before this one fills up too

-----
TAM @ VMWORLD

TAM Customer Day - TAM Customer Day is Sunday, August 25, 2019 from 1:00 pm – 5:00 pm.  Join Ray O’Farrell as he moderates a panel discussion with Mark Lohmeyer and Craig McLuckie/Joe Beda, followed by the ever popular Specialist Roundtables, with 1-to-few access to VMware subject matter experts who will be covering 100+ top topics. Be sure to stay and join us for a drink to celebrate the 15th annual TAM Customer Day and meet VMware executives at the TAM Customer Day reception 5:00 pm - 6:00 pm.

TAM Customer Central – Join us in TAM Customer Central (TCC) all week for TAM customer exclusive Deep Dives on topics ranging from Cloud (Hybrid Cloud Management, VMware Cloud on AWS, Cross-Cloud Data Management and more) to Networking (for example, NSX-T Validated Designs) to vSphere (What’s Next?, SRM and more) to Digital Workspace and much more.  These sessions can be found in Schedule Builder, so sign up as the spaces fill up quickly.

When not attending one of the many Deep Dive sessions enjoy one-to-one interaction with our technology subject matter experts in TCC by attending Office Hours sessions for personalized technical guidance and best practices.  Make sure to visit the Demo Stations and Network and Security Specialists TAMs Table where you can see VMware technology in action and understand how your organization can benefit.
-----
EDUCATION NEWS
Learn and Earn Your Certification with Special VMworld 2019 Offers

VMworld will be taking place this year from August 25-29 at the Moscone Center, San Francisco.  If you are attending the event, we encourage you to visit the VMware Education & Certification Lounge located on Level 3 – Moscone Center West.  Here are a few special offers and programs that you can add to your VMworld 2019 registration.  You can also take advantage of special discounts off select Live Online and On Demand courses.  Visit our site for a list of eligible courses and to register.

  • Save 20% off select Live Online trainings scheduled for the week of August 12
  • Save 25% off On Demand courses which let you train when and where it’s convenient for you
  • Save 50% off a Premium Subscription to the VMware Learning Zone (our 24/7 training hub)
  • Save 50% off VMware Certified Professional (VCP) and VMware Certified Advanced Professional (VCAP) certification exams as well as practice tests taken at VMworld.

Attending VMworld 2019?  Register for our Complimentary VCDX Workshop.
VMware Education Services will be conducting a complimentary VMware Certified Design Expert (VCDX) Workshop on Sunday, August 25.   The session will take place at San Francisco Marriott Marquis, Level B2, Golden Gate C1 Conference Room.  Festivities begin with lunch from 1:15 PM to 2:00 PM PDT, where you can network with both current VCDXs and the program team. The VCDX Workshop will take place from 2:00 PM to 6:00 PM PDT.  This is a great way to prepare yourself for the VCDX certification exam.  Click here to register.
Register for *NEW* NSX-T Data Center V2.4 Training Courses
VMware NSX-T Data Center is focused on providing networking, security, automation, and operational simplicity for emerging application frameworks and architectures that have heterogeneous endpoint environments and technology stacks.  NSX-T Data Center supports cloud-native applications, bare metal workloads, multi-hypervisor environments, public clouds, and multiple clouds.  The latest NSX-T Data Center software release 2.4 is now available.  VMware Education Services is pleased to announce three new courses to help you maximize the power of your NSX-T Data Center instance.

  1. VMware NSX-T Data Center: Install, Configure, Manage [V2.4]: This five-day, fast-paced course provides comprehensive training on how to install, configure, and manage a VMware NSX-T™ Data Center environment. This course covers key NSX-T Data Center features and functionality offered in the NSX-T Data Center 2.4 release, including the overall infrastructure, logical switching, logical routing, networking and security services, micro-segmentation and firewalls. Access to a software-defined data center environment is provided through hands-on labs to reinforce the skills and concepts presented in the course.
  2. VMware NSX-T Data Center: Troubleshooting and Operations [V2.4]: This five-day, hands-on training course provides you with the advanced knowledge, skills, and tools to achieve competency in operating and troubleshooting the VMware NSX-T Data Center environment. In this course, you are introduced to the workflows of various networking and security constructs along with several operational and troubleshooting tools that help in managing and troubleshooting your NSX-T Data Center. In addition, you are presented with various types of technical problems, which you will identify, analyze, and solve through a systematic process.
  3. VMware NSX-T Data Center: Design [V2.4]: This five-day course provides comprehensive training on considerations and practices to design a VMware NSX-T Data Center™ environment as part of a software-defined data center strategy. This course prepares you with the skills to lead NSX-T Data Center design offered in the NSX-T Data Center 2.4 release, including design principles, processes, and frameworks.  You will gain a deeper understanding of NSX-T Data Center architecture and how this can be leveraged to create solutions to address the customer’s business needs.

NEWS AND DEVELOPMENTS FROM VMWARE

Open Source Blog

Network Virtualization Blog

vSphere Blog

Cloud management Blog

Cloud Native Blog

EUC Blog

Cloud Foundation Blog

EXTERNAL NEWS FROM 3RD PARTY BLOGGERS

Virtually Ghetto

ESX Virtualization

Cormac Hogan

Scott's Weblog

vSphere-land

NTPRO.NL

Virten.net

vinfrastructure

vSwitchZero

vNinja

VMExplorer

DISCLAIMER
While I do my best to publish unbiased information specifically related to VMware solutions there is always the possibility of blog posts that are unrelated, competitive or potentially conflicting that may creep into the newsletter. I apologize for this in advance if I offend anyone and do my best to ensure this does not happen. Please get in touch if you feel any inappropriate material has been published. All information in this newsletter is copyright of the original author. If you are an author and wish to no longer be used in this newsletter please get in touch.

© 2019 VMware Inc. All rights reserved.

 

FROM THE EDITORS VIRTUAL DESK
Hi everyone, well we are less than 1 month away from VMworld US, and for TAM customers this is one of our premier events, alongside VMworld Europe. If you are a TAM customer please make sure you are in sync with your VMware TAM on your corporate goals for the event. If this is your first VMworld, or possibly your first as a TAM customer, you should ensure you and your TAM are working together on a plan for VMworld that takes these goals into account. This is such a great event, it has so many facets, including the especially important TAM-specific events such as TAM Customer Day as well as TAM Customer Central, which as a TAM customer you will have access to, and which will enhance your experience even more while at VMworld.

 

Breaking news: Google Cloud and VMware Extend Strategic Partnership.
New solution will support VMware workloads running in GCP; empower customers’ hybrid and multi-cloud strategies
PALO ALTO, Calif. and MOUNTAIN VIEW, Calif., July 30, 2019 (GLOBE NEWSWIRE) -- Google Cloud and VMware Inc. (NYSE: VMW) today announce Google Cloud VMware Solution by CloudSimple, a new service that will allow organizations to run their VMware workloads in Google Cloud Platform (GCP), providing customers with choice and flexibility to run VMware workloads on-premises, in a hybrid architecture, or in the cloud. The solution will leverage VMware Cloud Foundation infrastructure software, deployed on GCP and designed and operated by CloudSimple, a VMware Cloud Verified partner. [Continue reading...]

 

So take the time to plan your VMworld strategy with your VMware TAM's help to maximize your VMworld experience in 2019 in San Francisco.

 

Virtually Yours
VMware TAM Team


 




FROM THE EDITORS VIRTUAL DESK
Hi everyone, from this week you will notice the newsletter schedule increase to a weekly cadence as we head towards VMworld US in San Francisco. There is always so much news to bring you and VMworld pre-conference news and information is always top of our list so take some time to review the newsletter each week. I always suggest that you discuss your VMworld goals with your VMware account team including your TAM and other relevant people to ensure that you get the most out of the event.

This week we also have some great updates and offers from our education team prior to and during VMworld so please take a read below and contact VMware or visit the referenced pages in the offers.

We also begin our TAM @ VMworld updates with information and must-do items for our TAM customers attending VMworld this year.

I wish you all a fantastic week ahead and will bring you more news again in one week's time, so please look out for that.

Virtually Yours
VMware TAM Team

TAM @ VMWORLD
Where Battlebots, Robot Wars and IT Intersect [TAM3906U]
Are you a fan of BBC TV's Robot Wars or ABC's Battlebots, as well as a die-hard VMware fan? Then we have the session for you, as a TAM exclusive. Ed Hoppitt is VMware's Director of Modern Apps and Cloud Native Platforms by day, and by night is the reigning World Champion from the hit BBC TV series 'Robot Wars' as well as one of the stars of ABC's 'Battlebots'. This year the focus for his team is re-building and re-architecting the core of how his fighting robots work, focusing on using data, telemetry and software for a competitive advantage. Join Ed for a light-hearted discussion of the challenges of designing, building and running a 220lb combat robot, how the world of DevOps and Agile Development applies, and what he focuses on when trying to build robust, reliable platforms (so not that far away from IT, it turns out, after all).
SPEAKERS - Ed Hoppitt, Director - Modern Apps and Cloud Native Platforms, VMware



Dear readers

As you are probably aware, NSX-T uses its own vSwitch called the N-VDS. The N-VDS is primarily used to encapsulate and decapsulate GENEVE overlay traffic between NSX-T transport nodes, along with supporting the distributed firewall (dFW) for micro-segmentation. The N-VDS requires its own dedicated pNIC interfaces; these pNICs cannot be shared with vSphere vSwitches (vDS or vSS). In a typical NSX-T deployment each NSX-T transport node has one or two Tunnel End Points (TEPs) to terminate the GENEVE overlay traffic. The number of TEPs is directly related to the attached Uplink Profile. If you use an uplink teaming policy of "Failover", only a single TEP is used. With a teaming policy of "Load Balance Source", each physical NIC gets a TEP assigned. Such a "Load Balance Source" Uplink Profile is shown below and will be used for this lab exercise.

Screen Shot 2019-08-19 at 20.07.00.png

The mapping of the "Uplinks" is as follows:

  • ActiveUplink1 is the pNIC (vmnic2) connected to ToR switch NY-CAT3750G-A
  • ActiveUplink2 is the pNIC (vmnic3) connected to ToR switch NY-CAT3750G-B

 

Additionally, you can see that VLAN 150 carries the GENEVE-encapsulated traffic.

 

However, the N-VDS can also be used for VLAN-based segments. VLAN-based segments are very similar to vDS portgroups. In deployments where your hosts have only two pNICs and both pNICs are used for the N-VDS (yes, for redundancy reasons), you have to use VLAN-based segments to carry the VMkernel interfaces (e.g. mgmt, vMotion or vSAN). When your VLAN-based segments carry VMkernel interface traffic and you use an Uplink Profile as shown above, it is difficult to figure out on which pNIC the VMkernel traffic is carried, as this traffic follows the default teaming policy, in our case "Load Balance Source". Please note that VLAN-based segments are not limited to VMkernel traffic; such segments can also carry regular virtual machine traffic.

 

There are often good reasons to do traffic steering to get predictable traffic flow behavior; as an example, you may want to transport Management and vMotion VMkernel traffic under normal conditions (all physical links are up) on pNIC_A and vSAN on pNIC_B. The top two reasons are:

1.) predict the forwarding traffic pattern under normal conditions (all links are up) and, as an example, align the VMkernel traffic with the active First Hop Gateway Protocol (e.g. HSRP)

2.) reduce ISL traffic between the two ToR switches, or ToR-to-Spine traffic, for high-load traffic (e.g. vSAN or vMotion), along with predictable and low-latency traffic forwarding (assume, as an example, you have 20 hosts in a single rack and all hosts use the left ToR switch for vSAN; in that situation the ISL is not carrying vSAN traffic)

 

This is where NSX-T "VLAN Pinning" comes into the game. The term "VLAN Pinning" is referred to in our NSX-T public documentation as "Named Teaming Policy". Actually I like the term "VLAN Pinning". In this lab exercise for this blog, I would like to show you how you can configure "VLAN Pinning". The physical lab setup looks like the diagram below:

Physical Host Representation-Version1.png

For this exercise only host NY-ESX72A is relevant. This host NY-ESX72A is attached to two Top of Rack (ToR) Layer 3 switches, called NY-CAT3750G-A and NY-CAT3750G-B. As you see, this host has four pNICs (vmnic0...3), but only the pNICs vmnic2 and vmnic3 assigned to the N-VDS are relevant for this lab exercise. On the host NY-ESX72A, I have created three additional "artificial/dummy" VMkernel interfaces (vmk3, vmk4, vmk5). Each of the three VMkernel interfaces is assigned to a dedicated NSX-T VLAN-based segment. The diagram below shows the three VMkernel interfaces, all attached to a dedicated VLAN-based segment owned by the N-VDS (NY-NVDS), and the MAC address of vmk3 as an example.

Screen Shot 2019-08-19 at 21.00.26.png

 

The simplified logical setup is shown below:

Logical Representation-default-teaming-Version1.png

 

 

From the NSX-T perspective we have configured three VLAN-based segments. These VLAN-based segments are created with the new policy UI/API.

NSX-T-VLAN-Segments-red-marked.png

The policy UI/API is the new interface since NSX-T 2.4.0 and is the preferred interface for the majority of NSX-T deployments. The "legacy" UI/API is still available and is visible in the UI under the tab "Advanced Networking & Security".

 

As already mentioned, the three VLAN-based segments use the default teaming policy (Load Balance Source), so the VMkernel traffic is distributed over the two pNICs (vmnic2 or vmnic3). Hence, we typically cannot predict which of the ToR switches will learn the MAC address of each of the three VMkernel interfaces. Before we move forward and configure "VLAN Pinning", let's see how the traffic of the three VMkernel interfaces is distributed. One of the easiest ways is to check the MAC address table of the two ToR switches for interface Gi1/0/10.

Screen Shot 2019-08-19 at 20.53.59.png

As you can see, NY-CAT3750G-A is learning the MAC address of vmk3 (0050.5663.f4eb) only, whereas NY-CAT3750G-B is learning the MAC addresses of vmk4 (0050.5667.50eb) and vmk5 (0050.566d.410d). With the default teaming option "Load Balance Source", the administrator has no option to steer the traffic. Please ignore the two learned MAC addresses from VLAN 150; these are TEP MAC addresses.

 

Before we configure VLAN Pinning, let's assume we would like vmk3 and vmk4 to be learnt on NY-CAT3750G-A and vmk5 on NY-CAT3750G-B (when all links are up). We would like to use two new "Named Teaming Policies" with failover. The traffic flows should look like the diagram below (a dotted line means "standby link").

Logical Representation-vlan-pinning-teaming-Version1.png

The first step is to create two additional "Named Teaming Policies". Please compare this diagram with the very first diagram above. Be sure you use the identical names for the uplinks (ActiveUplink1 and ActiveUplink2) as for the default teaming policy.

Edit-Uplink-Profile.png

 

The second step is to make these two new "Named Teaming Policies" available on the associated VLAN transport zone (TZ).

Edit-TZ-for-vlan-pinning.png

The third and last step is to edit the three VLAN-based segments according to your traffic steering policy. As you can see, we unfortunately need to edit the VLAN-based segments in the "legacy" "Advanced Networking & Security" UI section. We plan to make this editing option available in the new policy UI/API in one of the future NSX-T releases.

NY-VLAN-SEGMENT-90.png

NY-VLAN-SEGMENT-91.png

NY-VLAN-SEGMENT-92.png

As soon as you edit the VLAN-based segments with the new "Named Teaming Policy", the ToR switches will immediately learn the MAC addresses on the associated physical interfaces.

After applying "VLAN Pinning" through the two new "Named Teaming Policies", the two ToR switches learn the MAC addresses in the following way:

Catalyst-MAC-table-with-vlan-pinning.png

As you can see, NY-CAT3750G-A is now learning the MAC addresses of vmk3 and vmk4, whereas NY-CAT3750G-B is learning only the MAC address of vmk5.
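To make the before/after check above repeatable, here is an added Python example (not part of the original write-up) that parses the Catalyst MAC address table output of both ToR switches, skips the VLAN 150 TEP entries, and compares where each vmk MAC was learnt with the active uplink of its named teaming policy. The switch output is constructed; the VLAN IDs 90/91/92 (taken from the segment names) and the TEP MAC values are assumptions.

```python
import re
from typing import Dict, List, Tuple

# Row of Catalyst "show mac address-table interface Gi1/0/10" output:
#   <vlan> <mac as xxxx.xxxx.xxxx> <type> <port>
MAC_ROW = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\S+\s+(\S+)\s*$", re.I
)

TEP_VLAN = 150  # GENEVE transport VLAN of the uplink profile; MACs learnt there are TEPs, not vmks

# vmk MAC addresses as shown in the write-up's ToR screenshots
VMK_MAC = {"vmk3": "0050.5663.f4eb", "vmk4": "0050.5667.50eb", "vmk5": "0050.566d.410d"}

# Uplink-to-ToR mapping from the physical setup (ActiveUplink1 = vmnic2 -> ToR A, ActiveUplink2 = vmnic3 -> ToR B)
UPLINK_TO_TOR = {"ActiveUplink1": "NY-CAT3750G-A", "ActiveUplink2": "NY-CAT3750G-B"}

# Intended VLAN pinning: failover order of the named teaming policy attached to each vmk's segment.
# The first entry is the active uplink, the rest are standby (dotted lines in the diagram).
NAMED_TEAMING = {
    "vmk3": ["ActiveUplink1", "ActiveUplink2"],
    "vmk4": ["ActiveUplink1", "ActiveUplink2"],
    "vmk5": ["ActiveUplink2", "ActiveUplink1"],
}


def parse_mac_table(text: str) -> Dict[str, Tuple[int, str]]:
    """Return {mac: (vlan, port)} for every learnt entry outside the TEP VLAN."""
    learnt = {}
    for line in text.splitlines():
        m = MAC_ROW.match(line)
        if not m:
            continue  # headers, separators and the "Total Mac Addresses" trailer
        vlan, mac, port = int(m.group(1)), m.group(2).lower(), m.group(3)
        if vlan == TEP_VLAN:
            continue  # TEP MAC addresses, which the write-up says to ignore
        learnt[mac] = (vlan, port)
    return learnt


def check_pinning(tables: Dict[str, str]) -> Dict[str, dict]:
    """tables maps ToR name -> raw "show mac address-table" output.

    For each vmk, report the ToR behind the active uplink of its named teaming
    policy (all links up), the ToR(s) that actually learnt its MAC, and whether
    they agree. A MAC learnt on both ToRs (flapping) is flagged as a mismatch too.
    """
    mac_seen_on: Dict[str, List[str]] = {}
    for tor, text in tables.items():
        for mac in parse_mac_table(text):
            mac_seen_on.setdefault(mac, []).append(tor)
    report = {}
    for vmk, order in NAMED_TEAMING.items():
        expected = UPLINK_TO_TOR[order[0]]
        actual = sorted(mac_seen_on.get(VMK_MAC[vmk], []))
        report[vmk] = {"expected": expected, "actual": actual, "ok": actual == [expected]}
    return report


# Constructed sample output (not the write-up's screenshots). VLAN 150 rows are placeholder TEP MACs.
HEADER = "Vlan    Mac Address       Type        Ports\n----    -----------       --------    -----\n"
BEFORE_A = HEADER + "  90    0050.5663.f4eb    DYNAMIC     Gi1/0/10\n 150    0050.56aa.0001    DYNAMIC     Gi1/0/10\n"
BEFORE_B = HEADER + ("  91    0050.5667.50eb    DYNAMIC     Gi1/0/10\n  92    0050.566d.410d    DYNAMIC     Gi1/0/10\n"
                     " 150    0050.56aa.0002    DYNAMIC     Gi1/0/10\n")
AFTER_A = HEADER + ("  90    0050.5663.f4eb    DYNAMIC     Gi1/0/10\n  91    0050.5667.50eb    DYNAMIC     Gi1/0/10\n"
                    " 150    0050.56aa.0001    DYNAMIC     Gi1/0/10\n")
AFTER_B = HEADER + "  92    0050.566d.410d    DYNAMIC     Gi1/0/10\n 150    0050.56aa.0002    DYNAMIC     Gi1/0/10\n"

if __name__ == "__main__":
    for label, tables in (("default Load Balance Source", {"NY-CAT3750G-A": BEFORE_A, "NY-CAT3750G-B": BEFORE_B}),
                          ("VLAN pinning applied", {"NY-CAT3750G-A": AFTER_A, "NY-CAT3750G-B": AFTER_B})):
        print(f"== {label}")
        for vmk, r in check_pinning(tables).items():
            print(f"{vmk}: expected {r['expected']}, learnt on {r['actual'] or 'nowhere'} -> "
                  f"{'OK' if r['ok'] else 'MISMATCH'}")
```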

I hope you had a little bit of fun reading this NSX-T VLAN Pinning write-up.

 

 

Software Inventory:

vSphere version: 6.5.0, build 13635690

vCenter version: 6.5.0, build 10964411

NSX-T version: 2.4.1.0.0.13716575

 

Blog history

Version 1.0 - 19.08.2019 - first published version

asajm Enthusiast
vExpert

You Are the Champions in ASAJMMS's Blog

Posted by asajm Aug 17, 2019

So in the latest integration between Workspace ONE Access (aka VMware Identity Manager) and Okta, we've added the device trust capabilities into the Okta Administration Portal.  I've noticed there has been some confusion on what this integration really does and why it's been added to the solution.

 

Which method should you use? In order to determine which method you should use, we need to look at both options.

 

Let's walk through how the process worked previously:

 

  1. The user goes to a SaaS application.
  2. The SaaS application redirects the user to Okta.
  3. Okta Routing Rules proxy the SAML Authentication request to Workspace ONE Access based on the predefined rules.
  4. Workspace ONE Access determines if the device is managed (based on Mobile SSO/Certificate) and if the device is compliant (based on the enrolment in Workspace ONE UEM).
    1. If the device meets the correct conditions (both Managed and Compliant), it sends a SAML Authentication Response back to Okta, where any additional sign-on policies are triggered and the user is returned to the SaaS application.
    2. If the device does not meet the correct conditions (both Managed and Compliant), the user will most likely see an "Access Denied" error with any appropriate "Compliance" messaging.

The benefit of this option is that it can provide a detailed explanation of why the authentication failed. We can also configure Workspace ONE Access to integrate with an MFA solution to step up the authentication.  The downside of using the existing method is that you need to configure authentication policies in both systems, and the action to deny or require MFA will apply to all applications that Okta is routing to Workspace ONE Access.

 

Configuring Okta Device Trust

 

In the ongoing partnership between VMware and Okta, the strategy is to offload the authentication to Okta. This provides strong value in configuring authentication policies in just one place.

 

Once you configure device trust in Okta, you have the ability to configure sign-on policies on a per-app basis. This provides a lot of value, as there are some applications for which you would want to deny access outright and some that might be okay as long as we do a step-up authentication.

 

If you have configured a policy to DENY access, the user will be presented with the below message. They will have the ability to secure their device by enrolling in Workspace ONE UEM.

 

Let's walk through the steps required to set this up and we'll look under the covers of what is happening during the SAML exchange between the two systems.

 

First, let's start in the Okta Portal.

 

First you need to enable Device Trust. Under Security -> Device Trust, click EDIT for either iOS or Android.

  1. Enable iOS Device Trust
  2. Select "VMware"
  3. Select "SAML-based (Workspace ONE UEM + vIDM)"
  4. Click Next
  5. Select the correct Identity Provider
  6. Provide a name such as "Workspace ONE"
  7. Enter either your Web Enrolment Link or a link to the appropriate app store to download the Workspace ONE Intelligent Hub.
  8. Click Save

 

Now we can modify the sign-on policies for our applications. In your application-specific sign-on policy, add a rule for either "iOS/Android", select your appropriate device trust option and the correct action (DENY or MFA).

 

Finally, we have to configure the Identity Provider to send the correct flags to Workspace ONE Access in order to trigger the Device Trust.

 

In Security -> Identity Providers, you need to enable the Device Trust Authentication Context.  (Note: This is under Advanced Settings). I'll explain shortly what this option is doing.

 

 

Configuring Workspace ONE Access for Okta Device Trust

 

We have to modify a couple of settings in our Okta Application Source in order to support Okta Device Trust.

 

  1. Edit your Okta Application Source
  2. Under Configuration, expand Advanced Properties
  3. Enable Device SSO Response
  4. Enable Force AuthN Request. This setting allows Workspace ONE to accept a ForceAuthn attribute in a SAML AuthnRequest and process the Device Trust Authentication Context. There are some implications of enabling this setting; we'll discuss those later.
  5. Enable the Authentication Failure Notification. This setting sends a failure notification to Okta instead of displaying an error message on the Workspace ONE Access side.
  6. Click Next, Next, Save.

 

Understanding the SAML Exchange

 

When you make the changes above, the SAML messages between the two systems are modified.

 

When you configure the "Device Trust" authentication context in Okta, it will set ForceAuthn="true" in the AuthnRequest.

 

It will also add a device trust Authentication Context to the request:

 

Workspace ONE Access will respond to Okta with the Authentication Context Class Reference that was used to authenticate the user, along with the Device Posture Check.  The Posture Check returned tells Okta whether the device is currently managed:
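To see the two changes above in the actual wire messages, here is an added Python example (not from the original post, and not Okta's or VMware's code) that decodes a SAMLRequest from the HTTP-Redirect binding and extracts ForceAuthn and the requested authentication context, then reads the class reference and posture check out of the Response. The XML is constructed for this example; the device-trust class-ref URI and the posture attribute name are placeholders, not the real values used by the two products.

```python
import base64
import zlib
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Placeholders: the post does not give the URI Okta uses for its device-trust authentication
# context, nor the attribute in which Workspace ONE Access returns the posture check.
DEVICE_TRUST_CLASSREF = "urn:placeholder:okta:device-trust"
POSTURE_ATTRIBUTE = "devicePosture"


def decode_redirect_request(saml_request_param: str) -> str:
    """Undo the HTTP-Redirect binding encoding (raw DEFLATE, then base64) of a SAMLRequest value."""
    return zlib.decompress(base64.b64decode(saml_request_param), -15).decode("utf-8")


def encode_redirect_request(xml_text: str) -> str:
    co = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw deflate, no zlib header
    return base64.b64encode(co.compress(xml_text.encode("utf-8")) + co.flush()).decode("ascii")


def xs_bool(value) -> bool:
    """ForceAuthn is xs:boolean: "true"/"1" mean true; "false"/"0"/absent mean false."""
    return (value or "").strip().lower() in ("true", "1")


def inspect_authn_request(xml_text: str) -> dict:
    """What the IdP side needs to know from Okta's AuthnRequest."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}AuthnRequest" % NS["samlp"]:
        raise ValueError("not a samlp:AuthnRequest")
    refs = [e.text.strip() for e in
            root.findall("samlp:RequestedAuthnContext/saml:AuthnContextClassRef", NS) if e.text]
    issuer = root.find("saml:Issuer", NS)
    return {
        "issuer": issuer.text.strip() if issuer is not None and issuer.text else None,
        "force_authn": xs_bool(root.get("ForceAuthn")),
        "requested_contexts": refs,
        "device_trust_requested": DEVICE_TRUST_CLASSREF in refs,
    }


def inspect_response(xml_text: str) -> dict:
    """The class reference used to authenticate and the posture check Okta will evaluate."""
    root = ET.fromstring(xml_text)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    assertion = root.find("saml:Assertion", NS)
    class_ref, posture = None, None
    if assertion is not None:
        class_ref = assertion.find("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", NS)
        for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
            if attr.get("Name") == POSTURE_ATTRIBUTE:
                val = attr.find("saml:AttributeValue", NS)
                posture = val.text.strip() if val is not None and val.text else None
    return {
        "success": status is not None and status.get("Value", "").endswith(":Success"),
        "class_ref": class_ref.text.strip() if class_ref is not None and class_ref.text else None,
        "posture": posture,
    }


# Constructed AuthnRequest modelled on the post's description: ForceAuthn set, device-trust context requested.
AUTHN_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_req1" Version="2.0" IssueInstant="2019-08-17T10:00:00Z" ForceAuthn="true"
  AssertionConsumerServiceURL="https://example.okta.com/sso/saml2/acs">
  <saml:Issuer>https://example.okta.com</saml:Issuer>
  <samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef>{DEVICE_TRUST_CLASSREF}</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>"""

# Constructed Response: user authenticated with a certificate (Mobile SSO), device reported as managed.
RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_resp1" Version="2.0" IssueInstant="2019-08-17T10:00:02Z" InResponseTo="_req1">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2019-08-17T10:00:02Z">
    <saml:Issuer>https://access.example.com</saml:Issuer>
    <saml:Subject><saml:NameID>user@example.com</saml:NameID></saml:Subject>
    <saml:AuthnStatement AuthnInstant="2019-08-17T10:00:02Z">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
    <saml:AttributeStatement>
      <saml:Attribute Name="{POSTURE_ATTRIBUTE}"><saml:AttributeValue>managed</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    print(inspect_authn_request(decode_redirect_request(encode_redirect_request(AUTHN_REQUEST))))
    print(inspect_response(RESPONSE))
```

With a real exchange, paste the SAMLRequest query parameter (URL-decoded) into decode_redirect_request and the base64 SAMLResponse form field, decoded, into inspect_response.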

 

 

Implications of ForceAuthn

 

There are some important implications when using ForceAuthn in the Authentication Request: some Authentication Methods are not supported. The most prominent ones are "Device Compliance" and your 3rd-party IdP authentication methods.

 

If you are using the Okta Device Trust, this means that you can NOT use the "Device Compliance" authentication method in Workspace ONE Access.

 

 

Device Compliance vs Device Posture

 

This is a very important distinction and might have an impact on which option you choose to enable Device Trust. In the current implementation (configuring Mobile SSO/Cert + Device Compliance) in Workspace ONE Access, it validates that the device is managed and checks the compliance of the device in Workspace ONE UEM.  In the initial release of Okta Device Trust, it only checks if the device is managed. Although this might seem like a big omission in the first release, depending on your compliance policies you can arrange that a non-compliant device fails the posture check (by removing the Mobile SSO profile on non-compliance).

 

Windows 10 and MacOS

 

In the first release of Okta Device Trust for Workspace ONE, they provided support for iOS and Android only. If you want Device Trust for Windows 10 and macOS, you need to use the current method of configuring Cert + Device Compliance in Workspace ONE Access.

Although we want to manage all of our deployed hosts inside a single subnet or VLAN, in some situations we may need to place many hypervisors on other subnets/VLANs. If there is a way to route the vCenter traffic from its gateway to them, there is no problem: only the traffic required for initial management (incoming TCP 443 / TCP 902 in both directions / outgoing UDP 902) must be permitted in your gateway/router/firewall. But if that is not possible because of some management or security considerations, you can enter all of the required routes inside the vCenter Server shell. There are two ways to do that. One method is using the "route add" command from shell access. For example:

# route add -net 10.10.10.0 netmask 255.255.255.0 gw 10.10.100.1 dev eth0 

The result of this method is not persistent and is cleared after a VCSA restart, so it is useful only for testing or temporary situations. If you want the route to survive a reboot, the second way is to edit the *.network file (such as 10-eth0.network) in /etc/systemd/network and add the intended routes in this form:

[Route]
Destination=10.10.20.0/24
Gateway=10.10.100.2

 

Remember to put each route in its own [Route] section (the section name is singular); if you stack several Destination=/Gateway= pairs inside one section, the routes will not all be installed as you expect. Then restart the network interface:

# ifdown eth0 && ifup eth0

 

or restart networkd with one of these commands:

# systemctl restart systemd-networkd

# service network restart

 

And now if you want to check the results, run:

# route -n

# ip route show

 

Without shell access, if you only log in to the VCSA appliance console, there are several built-in CLI commands for checking and configuring routes that you can use instead.

To list them and see how to use them:

 

> routes.list --help

> routes.add --help

> routes.delete --help

> routes.test --help

 

Note I: There is another file, /etc/sysconfig/network/routes; if you view its content it shows only the system default gateway, and no other routes appear there.

Note II: If you want to add a static route on your ESXi hosts, run:

# esxcli network ip route ipv4 add -n 10.10.20.0/24 -g 10.10.100.2
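The persistent-route step above, as an added example that is not part of the original post: a small Python helper that renders one [Route] section per route for a systemd-networkd .network file, refuses a gateway that is not on-link for the interface (a route whose gateway the appliance cannot reach directly is never installed), merges idempotently into an existing file so a second run does not duplicate sections, and, by parsing the file back, shows why stacking two routes in a single [Route] section is a mistake. The interface address, the routes and the existing 10-eth0.network contents are constructed sample values.

```python
"""Render and sanity-check static [Route] sections for a VCSA systemd-networkd
.network file such as /etc/systemd/network/10-eth0.network.

Added example, not code from the original post. IFACE_CIDR, ROUTES and EXISTING
are constructed sample values; review the merged text before copying it onto
the appliance."""
import ipaddress

# Constructed sample: the VCSA eth0 address and the ESXi subnets reached via
# routers on that same VLAN (the subnets used in the post).
IFACE_CIDR = "10.10.100.10/24"
ROUTES = [
    ("10.10.20.0/24", "10.10.100.2"),
    ("10.10.10.0/24", "10.10.100.1"),
]

# Constructed sample of an existing 10-eth0.network without static routes.
EXISTING = """[Match]
Name=eth0

[Network]
Address=10.10.100.10/24
Gateway=10.10.100.254
DNS=10.10.100.53
"""


def gateway_on_link(iface_cidr, gateway):
    """A static route is only usable if its gateway is in the interface's own subnet."""
    iface = ipaddress.ip_interface(iface_cidr)
    return ipaddress.ip_address(gateway) in iface.network


def render_route_sections(iface_cidr, routes):
    """Return one [Route] section per (destination, gateway) pair.

    strict=True rejects a destination with host bits set (e.g. 10.10.20.1/24),
    and an off-link gateway is refused instead of being written to the file."""
    sections = []
    for dest, gw in routes:
        net = ipaddress.ip_network(dest, strict=True)
        if not gateway_on_link(iface_cidr, gw):
            raise ValueError(f"gateway {gw} is not on-link for {iface_cidr}")
        sections.append(f"[Route]\nDestination={net.with_prefixlen}\nGateway={gw}\n")
    return "\n".join(sections)


def parse_route_sections(text):
    """Collect (Destination, Gateway) from every [Route] section of a .network file.

    A key repeated inside one section overwrites the earlier value, so two
    routes stacked into a single [Route] section come back as only one route."""
    routes, current, section = [], {}, None

    def flush():
        if section == "Route" and current:
            routes.append((current.get("Destination"), current.get("Gateway")))

    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            flush()
            section, current = line[1:-1], {}
            continue
        key, _, value = line.partition("=")
        current[key.strip()] = value.strip()
    flush()
    return routes


def merge_routes(existing_text, iface_cidr, routes):
    """Append only the routes not yet present, so re-running never duplicates a section."""
    present = {ipaddress.ip_network(d).with_prefixlen
               for d, _ in parse_route_sections(existing_text) if d}
    missing = [(d, g) for d, g in routes
               if ipaddress.ip_network(d, strict=True).with_prefixlen not in present]
    if not missing:
        return existing_text
    sep = "" if existing_text.endswith("\n") else "\n"
    return existing_text + sep + "\n" + render_route_sections(iface_cidr, missing)


if __name__ == "__main__":
    print(merge_routes(EXISTING, IFACE_CIDR, ROUTES))
```

After writing the merged text to the .network file, restart systemd-networkd as described above and confirm with `ip route show` that both destinations appear; if only the last one does, check that each route has its own [Route] header.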

 

Source: my personal blog, Undercity of Virtualization: Set Manual Routing for VCSA


If you are interested in NSX-T, this post walks through the troubleshooting process for one scenario:

 

https://vswitchzero.com/2019/08/13/nsx-t-troubleshooting-scenario-3-solution/


An interesting post that summarizes the new features in vSAN 6.7 Update 3:

Virtual Blocks: VMWare vSAN 6.7 Update 3 - What's New


Free Courses from VMware in ASAJMMS's Blog

Posted by asajm Aug 14, 2019


Free Courses from VMware

 

 

 

((Golden Opportunity: Free Courses from VMware))

• vRealize Orchestrator for vRealize Automation [V6.1] Fundamentals:

–> http://bit.ly/2M8roMk

• VMware vRealize Automation Fundamentals:

–> http://bit.ly/2Kx9lwA

• VMware AirWatch Fundamentals:

–> http://bit.ly/2GXoKWb

• Software-Defined Data Center (SDDC) – Overview:

–> http://bit.ly/2M7S9Rl

• VMware vRealize Network Insight Fundamentals:

–> http://bit.ly/2OrTh4s

• Networking and Security Architecture with VMware NSX:

–> http://bit.ly/2Y8QktU

• VMware NSX: What’s New [V6.4]:

–> http://bit.ly/2GJbvZ4

If you want to earn the VCAP 6-DCV certification, this guide walks you through it simply:

     http://bit.ly/2KI6mS9


Google Cloud has said that their enterprise customers repeatedly tell them how important it is to get their priority workloads running in the cloud. These priority workloads include several commonly utilized enterprise solutions, like those offered by SAP and Oracle, and virtualization solutions from VMware.

 

On behalf of WP hacked help, we are excited to announce that Google Cloud will begin supporting VMware workloads. It's another significant step as Google strives to better serve enterprise customers, and it's a step forward to a more secure infrastructure.

 

Both Google Cloud and VMware believe that customers want to run workloads in the cloud that works best for them. Google Cloud is committed to offering solutions that let their customers do just that. Customers have asked them to provide broad support for VMware, and now with Google Cloud VMware Solution by CloudSimple, their customers will be able to run VMware vSphere-based workloads in GCP.

 

This brings customers a wide breadth of choices for how to run their VMware workloads in a hybrid deployment, from modern containerized applications with Anthos to VM-based applications with VMware in GCP.

 

“Our partnership with Google Cloud has always been about addressing customers’ needs, and we’re excited to extend the partnership to enable our mutual customers to run VMware workloads on VMware Cloud Foundation in Google Cloud Platform,” said Sanjay Poonen, chief operating officer, customer operations at VMware.

 

“With VMware on Google Cloud Platform, customers will be able to leverage all of the familiarity and investment protection of VMware tools and training as they execute on their cloud strategies, and rapidly bring new services to market and operate them seamlessly and more securely across a hybrid cloud environment.”

 

This new solution will leverage VMware software-defined data center (SDDC) technologies including VMware vSphere, NSX and vSAN software deployed on a platform administered by CloudSimple for GCP. This means customers will be able to migrate VMware workloads to a VMware SDDC running in GCP, benefiting from GCP strengths such as performant, secure, global and scalable infrastructure and leading data analytics, AI and ML capabilities. Users will have full, native access to the full VMware stack including vCenter, vSAN and NSX-T.

 

Google Cloud will provide the first line of support, working closely with CloudSimple to help ensure customers receive a streamlined product support experience and that their business-critical applications are supported with the SLAs that enterprise customers need.

 

This collaboration builds on a history of partnership with VMware. Over the course of our partnership, we’ve delivered integrated solutions including:

Google Cloud is committed to working closely with our partners to deliver the solutions and products customers need to solve business issues and innovate in new areas. In partnership with VMware, Google is committed to making Google Cloud the best place to run VMware workloads.

 

Google Cloud VMware Solution by CloudSimple will be available on the Google Cloud Marketplace later this year. Interested customers can sign up to receive updates here

In the third instalment of the Okta Integration with Workspace ONE, we are going to cover SCIM Provisioning from Okta to Workspace ONE.

 

NOTE: There is currently a known issue that will prevent you from enrolling a device with the Workspace ONE Intelligent Hub application using the Okta Unique Identifier. This should be fixed in the September time frame. However, if your UEM environment is CN135 the fix is already deployed.

 

If you follow these instructions, keep in mind that device enrollment will NOT work until this fix is in place.

 

These instructions will use a "CUSTOM" SCIM application. I will update this blog when the official WS1 application is released in OIN.

 

Please do not use in Production.

 

 

In the first release of this functionality, there will be a lot of manual steps. I fully expect a more seamless process in future releases.

 

This process will require some proficiency and knowledge in using Postman to manage identities in Workspace ONE Access (formerly known as VMware Identity Manager).  Please check out my blog on using Postman to Manage Workspace ONE Identities.

https://communities.vmware.com/blogs/steveIDM/2019/05/09/using-postman-to-manage-workspace-one-identities

Here is a high level overview of the process:

  1. Okta is configured to use Workspace ONE Provisioning Application
  2. Okta will SCIM the user to Workspace ONE Access
  3. The AirWatch Provisioning Adapter in Workspace ONE Access will provision the user to Workspace ONE UEM.

 

This blog will not go into detail on provisioning to UEM. Please see the following blog on provisioning to UEM:

Workspace ONE - AirWatch Provisioning App

Step 1:  Create a Remote App Access Client

  1. Log into Workspace ONE Access
  2. Click on Catalog (Down Arrow) and then Settings
  3. Click on Remote App Access
  4. Click Create Client
  5. Select "Service Client Token"
  6. Enter a Client ID ie. OktaSCIM
  7. Expand Advanced
  8. Click Generate Shared Secret
  9. Update the Access Token TTL to something longer than the default. Note: if you choose 1 year, you will need to update the Okta configuration every year with a new bearer token. Because the token is requested with the admin scope, treat the shared secret and the resulting bearer token as administrator credentials.


  10. Copy the shared secret. You will need this later.
  11. Click Add

 

Step 2:  Configure Postman to use your OAuth Token

 

Note: Depending on your version of Postman, these steps below might be slightly different.

 

  1. Open a new Tab in Postman
  2. In the authorization section, select "OAuth 2.0" as the type:
  3. Click Get New Access Token
  4. Provide a Token Name (ie. Workspace ONE)
  5. Under Grant Type, select "Client Credentials"
  6. Under "Access Token URL", enter https://[Tenant URL]/SAAS/auth/oauthtoken
  7. e.g. https://dsas.vmwareidentity.com/SAAS/auth/oauthtoken
  8. Under Client ID, enter your Client ID from step 1.
  9. Under Secret, enter your secret from step 1.
  10. Under Scope, enter 'admin'
  11. Click Request Token
  12. On the left hand side, Select "Request Headers" and click "Preview Request".

  13. You should see a message saying headers were updated correctly:
  14. Click the Headers Tab and verify that the bearer token was added as a temporary header.
  15. If the bearer token was not added, return to the Authorization Tab and select your token from the available tokens drop down list and preview the request again.

 

Step 3:  Create an "Other" Directory for your Okta Users.

  1. Open a new Tab in Postman
  2. Add the Authorization Header as per the previous section.
  3. For the HTTP Method, select "POST"
  4. For the URL, enter: https://[TENANTURL]/SAAS/jersey/manager/api/connectormanagement/directoryconfigs
    Replace [TENANTURL] with your tenant URL,
    e.g. https://dsas.vmwareidentity.com/SAAS/jersey/manager/api/connectormanagement/directoryconfigs
  5. Set the Content-Type to "application/vnd.vmware.horizon.manager.connector.management.directory.other+json"
  6. Use the following as a sample and Click Send

 

{
  "type": "OTHER_DIRECTORY",
  "domains": ["Okta"],
  "name": "Okta"
}

 

Copy the "userStoreId" that is returned by the above command.

 

Step 4:  Add the Workspace ONE SCIM Provisioning App in Okta

 

At the time of writing this blog, the Workspace ONE Provisioning App is not published in the OIN.

In the meantime, I will document the steps to create one manually.

  1. Log into the Okta Admin Console
  2. Click on Applications -> Applications
  3. Search for the "SCIM 1.1 Test App (OAuth Bearer Token)" application
  4. Provide a Name for the application and check both "Do not display" checkboxes
  5. Click Next
  6. Click Done
  7. Click on Sign On
  8. Under application format, select Email prefix
    Note: This step is required to avoid an issue with using email addresses as usernames when deploying SCEP certificates in Workspace ONE UEM.
  10. Click on the Provisioning Tab and Click Configure API Integration
  11. Click Enable API Integration
  12. Enter the SCIM 1.1 Base URL in the following format: https://[tenant url]/SAAS/jersey/manager/api/scim
  13. Paste the bearer token that was created in the earlier step with Postman.
  14. Click Test API Credentials
  15. Ensure you have a "Success" before proceeding.
  16. Click Save
  17. Scroll down to the Attribute Mapping Section
  18. Delete the following attributes
    -entitlements
    -roles
  19. Click "Go to Profile Editor"
  20. Click "Add Attribute"
    1. Enter "internalUserType" as the Display name, Variable Name and External Name
    2. Enter "urn:scim:schemas:extension:workspace:1.0" as the External Namespace
    3. Select Attribute Required
    4. Save
  21. Click Add Attribute
    1. Enter "userStoreUuid" as the Display name, Variable Name and External Name
    2. Enter "urn:scim:schemas:extension:workspace:1.0" as the External Namespace
    3. Select Attribute Required
    4. Save
  22. Click Add Attribute
    1. Enter "userPrincipalName" as the Display name, Variable Name and External Name
    2. Enter "urn:scim:schemas:extension:workspace:1.0" as the External Namespace
    3. Select Attribute Required
    4. Save
  23. Click Add Attribute
    1. Enter "domain" as the Display name, Variable Name and External Name
    2. Enter "urn:scim:schemas:extension:workspace:1.0" as the External Namespace
    3. Select Attribute Required
    4. Save
  24. Click Add Attribute
    1. Enter "ws1_externalID" as the Display name, Variable Name
    2. Enter "externalID" as the External Name
    3. Enter "urn:scim:schemas:core:1.0" as the External Namespace
    4. Select Attribute Required
    5. Save
  25. Click on Mappings
  26. Click on the Okta to Workspace ONE SCIM Tab
  27. Scroll  down to the new attributes we created and map the attributes as per below:
    Okta User Profile                          Workspace ONE SCIM User Profile
    'PROVISIONED'                              internalUserType
    the userStoreId returned in Step 3         userStoreUuid
    user.email                                 userPrincipalName
    the domain used in Step 3 (e.g. Okta)      domain
    user.getInternalProperty("id")             ws1_externalID
  28. Remove the mappings for displayName and locale
  29. Click Save Mappings
  30. Click Apply Updates Now
  31. Click on the Provisioning Tab again
  32. Click Edit and Enable Provisioning for Create Users and Deactivate Users. Note: Do not select update users
  33. Click Save
  34. Using a test user, assign the user the Workspace ONE SCIM application
  35. If you receive an error such as the one below, you might need to unmap additional attributes.
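To make the Step 3 and Step 4 procedure concrete, here is an added example (not code from the original post, Okta or VMware) that models the request Postman sends to create the OTHER directory and the SCIM 1.1 user document Okta produces once the mapping in Step 27 is applied, together with a check that a payload meets the post's requirements: email-prefix username, the four Workspace ONE extension attributes, the Okta internal id as the external identifier, and none of the attributes the post deletes or unmaps. Attribute and schema names follow the steps above; the tenant URL, bearer token, userStoreId and Okta user are constructed sample values, and the /Users path under the SCIM base URL is an assumption. Nothing here sends a request, so it runs offline.

```python
"""Shape of the SCIM 1.1 user that Okta sends to Workspace ONE Access after the
mapping above, plus the request used in Step 3, with a check that the payload
matches the post's requirements.

Added example, not code from the original post, Okta or VMware. Attribute and
schema names follow the steps above; TENANT_URL, BEARER, USER_STORE_ID and
OKTA_USER are constructed sample values and the /Users path is an assumption.
Nothing here sends a request."""
import json

SCIM_CORE = "urn:scim:schemas:core:1.0"
WS1_EXT = "urn:scim:schemas:extension:workspace:1.0"
DIRECTORY_CT = ("application/vnd.vmware.horizon.manager.connector."
                "management.directory.other+json")
# Attributes the post deletes or unmaps in the Okta app; they must not be sent.
UNMAPPED = ("entitlements", "roles", "displayName", "locale")

# Constructed sample values.
TENANT_URL = "https://dsas.vmwareidentity.com"
BEARER = "constructed-sample-bearer-token"
USER_STORE_ID = "0a1b2c3d-0000-4000-8000-000000000001"
OKTA_USER = {"id": "00u1abcd2efgh3ijk4l5", "email": "jdoe@example.com",
             "firstName": "Jane", "lastName": "Doe"}


def directory_config_request(tenant_url, bearer, name="Okta"):
    """Step 3: create the OTHER directory that Okta-provisioned users land in."""
    return {
        "method": "POST",
        "url": f"{tenant_url}/SAAS/jersey/manager/api/connectormanagement/directoryconfigs",
        "headers": {"Authorization": f"Bearer {bearer}", "Content-Type": DIRECTORY_CT},
        "body": {"type": "OTHER_DIRECTORY", "domains": [name], "name": name},
    }


def okta_to_ws1_scim_user(okta_user, user_store_id, domain):
    """Apply the Step 27 mapping to an Okta profile.

    userName uses the Email prefix format (Step 8), externalID carries the Okta
    internal id, and the four WS1 extension attributes are always populated."""
    email = okta_user["email"]
    return {
        "schemas": [SCIM_CORE, WS1_EXT],
        "userName": email.split("@", 1)[0],
        "externalID": okta_user["id"],  # user.getInternalProperty("id")
        "name": {"givenName": okta_user["firstName"], "familyName": okta_user["lastName"]},
        "emails": [{"value": email, "primary": True, "type": "work"}],
        "active": True,
        WS1_EXT: {
            "internalUserType": "PROVISIONED",
            "userStoreUuid": user_store_id,
            "userPrincipalName": email,
            "domain": domain,
        },
    }


def validate_scim_user(user):
    """Return the list of problems a payload has against the post's requirements."""
    problems = []
    ext = user.get(WS1_EXT, {})
    for attr in ("internalUserType", "userStoreUuid", "userPrincipalName", "domain"):
        if not ext.get(attr):
            problems.append(f"missing required extension attribute {attr}")
    if not user.get("externalID"):
        problems.append("missing externalID (Okta unique identifier)")
    if "@" in user.get("userName", ""):
        problems.append("userName is a full email address; use the Email prefix format")
    problems.extend(f"{attr} must be unmapped in Okta" for attr in UNMAPPED if attr in user)
    return problems


def scim_create_user_request(tenant_url, bearer, user):
    """Request Okta would make against the SCIM base URL from Step 12 (/Users assumed)."""
    return {
        "method": "POST",
        "url": f"{tenant_url}/SAAS/jersey/manager/api/scim/Users",
        "headers": {"Authorization": f"Bearer {bearer}", "Content-Type": "application/json"},
        "body": json.dumps(user, indent=2),
    }


if __name__ == "__main__":
    user = okta_to_ws1_scim_user(OKTA_USER, USER_STORE_ID, "Okta")
    print(scim_create_user_request(TENANT_URL, BEARER, user)["body"])
    print("problems:", validate_scim_user(user))
```

If a test assignment fails in Okta, run the payload you expect through validate_scim_user first: an unmapped attribute that is still being sent, or a full email address where the Email prefix format was required, shows up as a listed problem before you start deleting mappings one by one.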