VMware Cloud Community
TheLittleOne
Enthusiast

Deploy a proxy agent and worker in a different domain

Hi guys,

I have two domains: one is my "production" and the other one my "test". In my production domain I have installed vRA with two appliances and two IaaS component servers. In my production environment everything works perfectly. Now I want to deploy a proxy agent and a worker in my test domain and connect them to my vRA 7. Is this possible without a trust between the domains? Does someone have a best practice guide for this, or is it unsupported?

My environment:

Production:

- vCenter 6.0
- ESXi 5.5
- vRA 7.0.1

Test:

- vCenter 5.5
- ESXi 5.5

15 Replies
GrantOrchardVMw
Commander

This will work. It uses certificates to validate communications, not username/password.

Grant

Grant http://grantorchard.com
TheLittleOne
Enthusiast

Hi GrantOrchardVMw,

If I try to connect to the Model Manager Web Service Host, I get the error "The remote server returned an error: (401) Unauthorized." Did I forget to import any certificates to the worker/agent server?

TheLittleOne
Enthusiast

No idea?

GrantOrchardVMw
Commander

Sorry, was at a work conference so haven't been online.

Is this a 6 or 7 deployment?

Grant

Grant http://grantorchard.com
TheLittleOne
Enthusiast

No problem,

it is a vRA 7 deployment.

TheLittleOne
Enthusiast

No idea?

firestartah
Virtuoso

For the certificates, are they VMware self-signed? Make sure you have added the certificates from the Model Manager to the proxy agent and vice versa to allow trust. Adding the root certificate to both should allow this trust.

If you found this or other information useful, please consider awarding points for "Correct" or "Helpful". Gregg http://thesaffageek.co.uk
TheLittleOne
Enthusiast

Hi firestartah,

About my environment: I have a production environment and a test environment, and both have their own CA (so no VMware self-signed certificates are used). The problem is that testing the Manager Service host works fine and testing the Model Manager host fails, but this is the same server but a different alias.

Can you help me understand this, please?

firestartah
Virtuoso

For the certificates, did you add the aliases to the Subject Alternative Name field? Adding the root certificate to each side should then allow the trust between production and test.

If you found this or other information useful, please consider awarding points for "Correct" or "Helpful". Gregg http://thesaffageek.co.uk
TheLittleOne
Enthusiast

Yes, I added the alias to the Subject Alternative Name.

Adding the 'production' root certificate to my worker/agent in the test environment and adding the 'test' root certificate to my two IaaS servers in the production environment, right?

GrantOrchardVMw
Commander

To be clear, the common name also needs to be in the subject alternate or you will see this behaviour.

Grant

Grant http://grantorchard.com
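
The certificate checks suggested in the replies above (common name present in the SAN, every alias present in the SAN, issuing root trusted on the agent machine) can be run from the proxy agent server with the PowerShell below. It is an added example, not part of any post in this thread and not VMware code; the host names are hypothetical placeholders, and the SAN parsing assumes an English-locale Windows.

```powershell
# Added example: inspect the certificate an IaaS host presents on port 443.
function Get-TlsServerCertificate {
    param([string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept whatever the server presents; trust is evaluated separately below.
        $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAny)
        $ssl.AuthenticateAsClient($HostName)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
    } finally { $tcp.Close() }
}

function Get-SanDnsName {
    param($Cert)
    # 2.5.29.17 is the Subject Alternative Name extension.
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $ext) { return @() }
    # English-locale Windows formats entries as "DNS Name=host"; the label is localized.
    [regex]::Matches($ext.Format($false), 'DNS Name=([^,\s]+)') |
        ForEach-Object { $_.Groups[1].Value.ToLower() }
}

function Test-IaasCertificate {
    param([string]$HostName, [string[]]$ExpectedNames = @($HostName))
    $cert  = Get-TlsServerCertificate -HostName $HostName
    $san   = @(Get-SanDnsName -Cert $cert)
    $cn    = $cert.GetNameInfo('SimpleName', $false).ToLower()
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Skip CRL lookups so the result reflects root/intermediate trust only.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $trusted = $chain.Build($cert)
    [pscustomobject]@{
        Host           = $HostName
        CommonName     = $cn
        CnInSan        = $san -contains $cn
        # Exact matches only; a wildcard SAN entry is reported as missing.
        MissingFromSan = @($ExpectedNames | Where-Object { $san -notcontains $_.ToLower() })
        ChainTrusted   = $trusted
        ChainStatus    = @($chain.ChainStatus | ForEach-Object { $_.Status })
    }
}

# Hypothetical aliases for the Manager Service host and the Model Manager Web host.
'manager.prod.example', 'web.prod.example' |
    ForEach-Object { Test-IaasCertificate -HostName $_ } | Format-List
```

Run it under the account the agent service uses, since chain building consults that user's and the machine's certificate stores.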
TheLittleOne
Enthusiast

Yes the common name is also in the subject alternate name.

RebeccaW
Enthusiast

I'm having a similar issue. We have a vCenter in a different AD Domain and need to install a Proxy Agent to provision to that vCenter. We've installed that Proxy Agent server in the same domain as the vCenter and are trying to install the proxy agent. Getting the 401 when hitting Test for the Model Manager Web Service Host.

  1. Installed the 3rd Party obtained certificate for the Web onto the Proxy Agent server
  2. vRA is 7.3
  3. I do not believe these two AD domains have any trust between each other so the service account to run this Proxy Agent (as well as what we use to connect to the vCenter endpoint) is not the same one we use for our others.

Any ideas? GrantOrchardVMware, you mentioned it was just using certificates, not the login.

ehlomarcus
Contributor

Hi

The assumption that the vSphere Proxy agent uses a certificate for authorization is correct, but only with regard to the connection to the Manager Service endpoint. Connection to the Repository on the Web endpoint still requires authentication by a user.

I solved both the installation of the agent and the connection to the repository by using runas and some hidden command line for VRMagent.exe.

First I ran "runas /netonly /user:REMOTEDOMAIN\Useraccount cmd", then executed the setup exe and completed the installation.

Then I had to stop the Windows service and then, from a new command prompt, run: "VRMagent.exe -Repo-SetCredentials -user SERVICEACCOUNT -password PASSWORD -domain REMOTEDOMAIN"

Now it was possible to start the Windows service again. Then you can enjoy running Inventory jobs etc. on your Compute Resources and also deploy servers 🙂

//Marcus

RebeccaW
Enthusiast

Thank you Marcus! Much appreciated.

That very nearly worked. The only issue I ran into was UAC blacking out the install screen. If I temporarily got that disabled it would work. For now we have the agents on a system that is not in the same network as the vCenter but it is in the same domain as vRA and can deal with slower data collection. We will revisit later with the hosting team to get around UAC.
