VMware Cloud Community
GrantBrunton
Enthusiast

vShield Migration to new vCenter

Hi There

I'm planning an upgrade of our vSphere 5 environment to vSphere 6 by building a new vCenter/PSC architecture and then migrating our VM Hosts onto the new vCenters.

We use vCNS 5.1.2 which I've planned to migrate to vCNS 5.5.4 and migrate to the new environment.

In vCNS we have a vShield Manager and 12 vShield Edge appliances that manage isolated bubble environments with many firewall and NAT rules on each.

I have tested the process and migration including upgrading to vCNS 5.5.4 and migrating vShield Manager to the new vCenter and everything works fine.

The migrated vShield Edge appliances work perfectly and their firewall rules all continue to operate correctly.

The problem though is that when you go into vShield Manager it now has the new datacenters listed and if you click on the new datacenters there is no configuration in any of them.

This means I cannot modify the configuration of any of the vShield Edges so they are stuck with their existing rule set.

To test, I registered the vShield Manager back to the original vCenter and under the old datacenter I can see all of the Edges to configure them but of course it cannot update the settings on them because the physical appliances no longer exist in that environment.

So the question is, is there any way of moving the configuration that vShield Manager knows about so that it exists in the new Datacenter and can manage all of the Edges that were migrated?

For example, is it possible to edit the vShield Manager configuration database and change the datacenter references somehow so the configuration is at least visible from the new vCenter.

I'm really not looking forward to having to recreate all of these Edges since there are a lot of rules in them currently...

1 Solution

Accepted Solutions
GrantBrunton
Enthusiast

We have completed our upgrade and migration now and used a combination of processes.

Below is essentially the entire process used.

1) Upgraded existing vShield Manager and Edges to v5.5.4 (No impact to any running Edges)

2) Built a new vCenter 6.0 U2 environment

3) Built a new vShield Manager server connected to the new vCenter

4) Manually recreated new Edges on the new vShield Manager

     - All of our Edges have basically identical rules so we configured all of the firewall and NAT rules on one edge and then transferred those rules to the remaining edges using the REST API

5) Migrated all the ESXi 5.0/5.1 hosts to the new vCenter

     - At this point all the Edges on the old vShield Manager continued to operate fully but were unable to be reconfigured since their configuration was stored in the old vCenter.

6) Upgraded or Rebuilt all ESXi hosts to 6.0

7) Shut down the old edges when able to plan outages and deployed a new edge from the new vShield Manager to replace them

     - At this point we now have a fully managed Edge device deployed and operational that can be configured.

I raised a service call to try and get access to the vShield Manager database directly but they would not give me the credentials to use :smileyangry:

0 Kudos
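
Step 4 of the accepted solution copies one Edge's firewall rules to the others over the REST API. The sketch below is an added example, not the poster's script: it strips per-Edge fields before reuse and then checks each target for rule drift against the template. The path `/api/3.0/edges/<edgeId>/firewall/config`, basic authentication, the XML element names, the set of per-Edge fields and all function names are assumptions, and the sample XML is constructed.

```python
import base64
import urllib.request
import xml.etree.ElementTree as ET

# Fields assumed to be generated per Edge; dropped before reuse or comparison.
PER_EDGE_FIELDS = {"id", "ruleTag", "version"}

def firewall_config(vsm, edge_id, user, password, body=None):
    """GET an Edge's firewall config, or PUT `body` to replace it (assumed path)."""
    req = urllib.request.Request(
        f"https://{vsm}/api/3.0/edges/{edge_id}/firewall/config",
        data=body, method="PUT" if body else "GET",
        headers={"Content-Type": "application/xml"})
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    with urllib.request.urlopen(req) as resp:  # certificate checks stay enabled
        return resp.read()

def portable(xml_bytes):
    """Return the config with per-Edge fields removed, ready to PUT elsewhere."""
    root = ET.fromstring(xml_bytes)
    for parent in list(root.iter()):
        for child in list(parent):
            if child.tag in PER_EDGE_FIELDS:
                parent.remove(child)
    return ET.tostring(root)

def rules(xml_bytes):
    """Rules in evaluation order, each as a tuple of (tag, text) leaf values."""
    root = ET.fromstring(portable(xml_bytes))
    return [tuple((e.tag, (e.text or "").strip()) for e in r.iter() if len(e) == 0)
            for r in root.iter("firewallRule")]

def drift(template_xml, target_xml):
    """Positions where the target's rule is missing or differs from the template."""
    a, b = rules(template_xml), rules(target_xml)
    return [i for i in range(max(len(a), len(b)))
            if i >= len(a) or i >= len(b) or a[i] != b[i]]

# Constructed sample configs (not captured from a real vShield Manager).
def _cfg(first_id, last_action):
    return (f"<firewall><version>{first_id % 10}</version><firewallRules>"
            f"<firewallRule><id>{first_id}</id><name>web-in</name>"
            "<destination><ipAddress>10.0.0.10</ipAddress></destination>"
            "<action>accept</action></firewallRule>"
            f"<firewallRule><id>{first_id + 1}</id><name>catch-all</name>"
            f"<action>{last_action}</action></firewallRule>"
            "</firewallRules></firewall>").encode()

TEMPLATE = _cfg(131073, "deny")
CLONE = _cfg(133001, "deny")       # same rules, different generated ids
DRIFTED = _cfg(133001, "accept")   # catch-all rule changed on this Edge
```

Running `drift` against every replacement Edge after the transfer, and again before each old Edge is shut down in step 7, confirms the new appliance enforces the same ordered rule set.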
5 Replies
GrantBrunton
Enthusiast

The vShield Manager database can be backed up via the Manager interface which creates a file that is not plainly readable.

The descriptor that comes with it says BlueLane EM Database although I don't think that means much.

There must be some way to access the database but there doesn't seem to be any shell capability from the command line of the vShield Manager.

Even if I could read/edit the database backup to modify the data into a format that can be restored with the correct information that would be very useful.

However it doesn't seem like this forum gets very much attention at all so I'm not holding my breath...

0 Kudos
MajorDMP
Contributor

Greetings GrantBrunton,

I am facing a similar dilemma. We are currently running a 5.5 shop with vShield 5.5.4 with numerous Edge appliances for VLAN FW/connectivity. We need to upgrade to vSphere 6.0 but are concerned about those Edge appliances. Like yourself, we need to be able to modify those appliances in a vSphere 6 environment while we consider the vShield migration to NSX. I'd like to reach out to you and see if we can work together to resolve this issue.

0 Kudos
Texiwill
Leadership

Hello,

I upgraded everything to 6.0 from 5.5 and did not lose my vShield, so as long as you do things in the proper order it works quite well.

Check out these posts for the problems I faced and solutions: https://www.astroarch.com/?s=vSphere%20Upgrade%20Saga

You may want to start on this post: https://www.astroarch.com/2015/07/vsphere-upgrade-saga-6-0-upgrade-srm/

However, if you follow the proper order, upgrading to 6.0 is seamless and has no issues. VCNS still works, etc.

Best regards,

Edward L. Haletky
VMware Communities User Moderator, VMware vExpert 2009-2016

Author of the books 'VMWare ESX and ESXi in the Enterprise: Planning Deployment Virtualization Servers', Copyright 2011 Pearson Education. 'VMware vSphere and Virtual Infrastructure Security: Securing the Virtual Environment', Copyright 2009 Pearson Education.

Virtualization and Cloud Security Analyst: The Virtualization Practice, LLC -- vSphere Upgrade Saga -- Virtualization Security Round Table Podcast

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
MajorDMP
Contributor

Thanks for the input. I am assuming after the migration to 6, you were able to still modify and deploy new Edge 5.5 appliances? This question is what I really would like to know.

0 Kudos