VMware Cloud Community
Jauneorange972
Enthusiast

vCAV 3.0 & vCD 9.7 / public portal vCAV

Hello guys,

We are testing vCAV 3.0 in order to migrate or protect VMs from on-premises to vCD.

So on the on-premises site, when configuring the tenant appliance, setting the FQDN for the public API endpoint for vCAV is not working ("timeout has occurred"); instead, setting the public IP directly works.

By the way, connecting directly from the browser to the vCAV endpoint with the FQDN is not working ("time out"); with the direct IP it works.

The hostname on the tunnel appliance is the FQDN used for the vCAV endpoint, and we have imported a wildcard certificate.

Our lab is working; failover and DR are working perfectly, but something is not working well with the FQDN, and in production it is better to use the FQDN.

Do you guys have any ideas?

Best regards

5 Replies
paluszekd
VMware Employee

Hi Jauneorange972

On the provider side, what is configured as the API endpoint? If you have a DNAT rule, this must match the external port. Moreover, after setting this configuration, the vCAv services must be restarted to take effect.

I wrote up the provider deployment strategy here: https://www.paluszek.com/wp/2019/04/08/overview-of-vmware-vcloud-availability-3-0-provider-deploymen...

As for the cert, the only cert that needs to be replaced is at the Cloud Replication Management (CRM) appliance - applying a cert on the tunnel or replicator is optional. With wildcard certs, please ensure you only apply it to the CRM (or issue distinct certs for each service appliance). This might sound counterintuitive, but the tunnel does not terminate or initiate the SSL sessions, it just routes it to the CRM.

Hope this helps, happy vCAv'ing. :)

-Daniel

Jauneorange972
Enthusiast

Hi,

On the provider site (vCD), the API endpoint is configured with the FQDN (pointing to a public IP; reverse DNS is done). I also have a DNAT rule, from outside ==> FQDN:443 ==> Tunnelappliance:8048 (tunnel appliance: private IP in the DMZ).

Yeah, I have already read your bible :), thanks, it helps a lot.

I will try what you suggested.

Thanks.

Jauneorange972
Enthusiast

I have imported the wildcard *.domain.com in the CRM, and regenerated the certificates on the tunnel and replicator appliances in order to set them back to default; all 3 VMs have been rebooted and services restarted ==> I still have this weird issue when trying to use the FQDN.

On the CRM appliance, do I need to set the hostname as configured in the FQDN for the public endpoint? For the moment, only the tunnel appliance has the hostname set to the public FQDN.

I have opened an SR ticket, by the way.

Jauneorange972
Enthusiast

Just found the solution!

To summarize:

          - On the CRM appliance, set the hostname as the public FQDN (without the DNS suffix), import the wildcard certificate, and set the public IP on the public API endpoint (not the FQDN)

          - On the tunnel and replicator appliances, no need to import the wildcard

Thanks to you Daniel, with your support I could solve the issue.

paluszekd
VMware Employee
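The three points the thread converges on (the CRM hostname must match the public FQDN minus its DNS suffix, the wildcard certificate belongs on the CRM only, and the tunnel forwards TLS to the CRM rather than terminating it) can be checked from outside with a small probe. The script below is an added example written for this page; it is not vCAv code and not something the participants posted. It assumes only the placeholder *.domain.com already used in the thread, plus a public IP, port and FQDN that you pass on the command line. It connects to the same IP:port twice, once sending SNI for the FQDN (what a browser or the on-prem appliance does when given the name) and once without (what a connection by bare IP does), and reports for each attempt whether it timed out, whether the presented certificate chains to a trusted CA (an appliance default self-signed certificate will not), and whether its SAN covers the FQDN. The wildcard-matching and hostname/suffix helpers are pure functions and run offline.

```python
"""Outside-in probe for a vCAv public endpoint fronted by a DNAT to the tunnel.

Added example for this thread, not vCAv code. Names like *.domain.com are the
placeholders used in the thread; IP, port and FQDN come from the command line.
"""
import json
import socket
import ssl
import sys


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Simplified RFC 6125 matching: a bare '*' may stand for exactly one
    left-most label, so '*.domain.com' covers crm.domain.com but neither
    domain.com nor a.b.domain.com."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    plabels, hlabels = pattern.split("."), hostname.split(".")
    if plabels[0] != "*" or len(plabels) < 3 or len(plabels) != len(hlabels):
        return False
    return plabels[1:] == hlabels[1:]


def cert_matches(san_dns_names, fqdn: str) -> bool:
    """True if any SAN dNSName on the presented certificate covers fqdn."""
    return any(hostname_matches(name, fqdn) for name in san_dns_names)


def fqdn_consistent(short_hostname: str, dns_suffix: str, public_fqdn: str) -> bool:
    """The accepted solution: the appliance hostname is the FQDN without its
    DNS suffix, so hostname + suffix must reassemble to the public FQDN exactly."""
    rebuilt = f"{short_hostname}.{dns_suffix}".lower().rstrip(".")
    return rebuilt == public_fqdn.lower().rstrip(".")


def probe(ip: str, port: int, fqdn: str, timeout: float = 5.0) -> dict:
    """Connect to ip:port twice, once sending SNI for fqdn and once without.
    Per attempt, report: not connected (e.g. timeout), connected but untrusted
    chain (e.g. an appliance default self-signed cert), or trusted cert plus
    whether its SAN covers the FQDN. Chain checking uses the system trust
    store; name checking is done by cert_matches so a mismatch is reported
    rather than raised."""
    results = {}
    for label, sni in (("with_sni", fqdn), ("without_sni", None)):
        ctx = ssl.create_default_context()
        ctx.check_hostname = False  # verify_mode stays CERT_REQUIRED
        try:
            with socket.create_connection((ip, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=sni) as tls:
                    cert = tls.getpeercert()
            names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
            results[label] = {"connected": True, "trusted": True,
                              "san": names, "matches_fqdn": cert_matches(names, fqdn)}
        except ssl.SSLCertVerificationError as exc:
            results[label] = {"connected": True, "trusted": False, "error": str(exc)}
        except OSError as exc:  # includes socket.timeout / TimeoutError
            results[label] = {"connected": False, "error": str(exc)}
    return results


if __name__ == "__main__":
    # usage: python probe_vcav.py <public_ip> <port> <public_fqdn>
    if len(sys.argv) != 4:
        sys.exit("usage: probe_vcav.py <public_ip> <port> <public_fqdn>")
    print(json.dumps(probe(sys.argv[1], int(sys.argv[2]), sys.argv[3]), indent=2))
```

Run it against the DNAT's external IP and port 443 with the public FQDN. If the with_sni attempt comes back untrusted while without_sni is trusted (or vice versa), the name the client sends is steering the connection to a different certificate than expected; if the wildcard on the CRM is correct and the tunnel is passing through, both attempts should return the same trusted *.domain.com certificate with matches_fqdn true. The same two observations can be made by hand with `openssl s_client -connect <ip>:443 -servername <fqdn>` and the same command without `-servername`.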

Yeah, hostname must match. Glad to hear!
