VMware vCloud Air Service manual

vCloud Air Advanced Networking

Services Guide

vCloud Air

This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of this document, see http://www.vmware.com/support/pubs.

EN----00

vCloud Air Advanced Networking Services Guide

You can find the most up-to-date technical documentation on the VMware Web site at:

http://www.vmware.com/support/

The VMware Web site also provides the latest product updates.

If you have comments about this documentation, submit your feedback to:

docfeedback@vmware.com

VMware, Inc.

3401 Hillview Ave. Palo Alto, CA 94304 www.vmware.com

2 VMware, Inc.

Preface 5

Introducing Advanced Networking Services for vCloud Air 7

Upgrade an Edge Gateway to Advanced Networking Services 7

Statistics and Logs for Advanced Networking Services 11

Advanced Routing for vCloud Air 15

Specify Global Configuration 15

Add a Static Route 16

Configure BGP 17

Configure OSPF 18

Configure Route Redistribution 20

Certificate and Security Group Management 23

Certificate Management in vCloud Air 23

Generate a Certificate Signing Request 23

Configure a CA Signed Certificate 24

Configure a Self-Signed Certificate 25

Add a Certificate 25

Add a Certificate Revocation List 26

Security Objects in vCloud Air 26

Create an IP Address Group 26

Create a Service 27

Create a Service Group 27

VMware, Inc.

Network Security and Isolation 29

Types of Firewalls in vCloud Air 29

Edge Gateway Firewall 29

Firewall for Trust Groups 30

Manage Edge Gateway Firewall Rules 30

Add an Edge Gateway Firewall Rule 31

Edit an Edge Gateway Firewall Rule 33

Change the Order of a Gateway Firewall Rule 34

Manage Trust Groups Firewall Rules 35

Add a Trust Groups Firewall Rule 35

Edit a Trust Groups Firewall Rule 38

Load Balancing 39

Set Up Load Balancing 39

Configure the Load Balancer Service 40

vCloud Air Advanced Networking Services Guide

Create an Application Profile 40

Create a Service Monitor 43

Add a Server Pool 45

Add a Virtual Server 46

Add an Application Rule 47

Secure Access Using Virtual Private Networks 49

SSL VPN-Plus Overview 49

About Configuring SSL VPN-Plus 50

Configure Server Settings 51

Add an IP Pool 52

Add a Private Network 53

Add an Authentication Server 54

Add an Installation Package 56

Add an SSL VPN-Plus User 57

Add a Web Resource for SSL VPN-Plus Access 58

Edit Client Configuration 59

Add a Script 60

Edit the Default SSL VPN-Plus Settings 60

Customize the Portal Design 61

IPsec VPN Overview 61

About Setting up an IPsec VPN Connection 62

Specify Global IPsec VPN Configuration 62

Set up an IPsec VPN Connection to a Remote Site 63

IP Service Management: NAT and DHCP 67

Network Address Translation (NAT) 67

Add an SNAT or DNAT Rule 68

DHCP Service 69

Add a DHCP IP Pool 70

Add a DHCP Static Binding 70

Index 73

4 VMware, Inc.

Preface

The vCloud Air Advanced Networking Services Guide provides information about configuring networking for VMware® vCloud Air Advanced Networking Services, including how to configure dynamic routing, firewall rules, load balancing, and VPN access.

Intended Audience

This guide is intended for network administrators and virtual administrators who will be configuring networking in vCloud Air. The information is written for experienced administrators who are familiar with virtual machine technology and networking concepts.

Upgrade an Edge Gateway to Advanced Networking Services

Upgrade an edge gateway in your vCloud Air deployment to leverage the new Advanced Networking Services features and functionality.

You upgrade to Advanced Networking Services on a gateway-by-gateway basis. Meaning, you select which edge gateways to upgrade and during the upgrade process, you can continue to operate edge gateways leveraging the existing VMware network technology. See the vCloud Air Networking Guide for information.

VMware, Inc.

vCloud Air Advanced Networking Services Guide

When you upgrade an edge gateway to Advanced Networking Services, the edge gateway configuration is maintained through the upgrade; for example, if you configured firewall rules or load balancing, the edge gateway will maintain the firewall settings and be configured for load balancing after the upgrade.

NOTE After upgrading an edge gateway, you cannot revert the edge gateway to its previous state. Additionally, if you are an API user, the APIs change post-upgrade to enable the new features and functionality.

Prerequisites

To upgrade an edge gateway to Advanced Networking Services, you must meet these prerequisites:

You have a license for Advanced Networking Services. Contact your VMware Customer Success Team

representative for information. If you have not obtained a license, upgrading an edge gateway will not succeed.

You have subscribed to a vCloud Air Virtual Private Cloud or Dedicated Cloud subscription service

and have configured networking using the basic networking features.

Procedure

1 Go to https://vca.vmware.com and log in to vCloud Air using your user name and password.

The VMware vCloud Air services page appears.

2 Click the My Subscriptions tile.

The VMware vCloud Air Dashboard appears.

3 Click the Gateways tab and click the tile for the gateway you want to upgrade.

4 Click Manage in vCloud Director.

vCloud Director opens in a new browser tab and the Org VDC Networks tab is displayed.

5 Click the Edge Gateways tab.

The gateways located in the virtual data center appear.

6 Click the gateway that you want to upgrade, right click and select Convert to Advanced Networking.

The Convert to advanced networking dialog box appears. The dialog box provides information about upgrading to the new APIs for Advanced Networking Services.

NOTE If the option Convert to Advanced Networking is unavailable, this means that the edge gateway has already been upgraded or you do not have a license for this operation.

7 Click Yes to proceed with the upgrade.

The upgrade can take a few minutes to complete in vCloud Director.

Before you upgrade an edge gateway, the vCloud Air Web UI has the following functionality available for you to configure these basic networking functions:

8 VMware, Inc.

Chapter 1 Introducing Advanced Networking Services for vCloud Air

Figure 1‑1. vCloud Air Air Gateway Before Upgrade

After you upgrade an edge gateway, the networking functionality available in the vCloud Air Web UI changes.

Figure 1‑2. vCloud Air Gateway After Upgrade

After an upgrade, the tabs for configuring NAT and firewall rules are moved to thevCloud Director Web UI to match the NSX user experience. Click Manage in vCloud Director to navigate to the Advanced Networking Services UI where you configure those functions (and others) for your vCloud Air environment.

vCloud Air maintains your existing, pre-upgrade network configuration after the upgrade.

Log In and Navigate to Advanced Networking Services

You access the Advanced Networking Services Web UI on a per edge gateway basis. After you upgrade an edge gateway to Advanced Networking Services, have access to all the advanced networking features for that edge gateway.

You can still use the VMware vCloud Air Web UI to configure basic networking features for your VMware vCloud Air environment, such as creating networks, assigning virtual machines to networks, and allocating IP addresses to your edge gateways. See the vCloud Air Networking Guide for information about using the basic network features.

Prerequisites

To access Advanced Networking Services for an edge gateway, you must meet these prerequisites:

Sign into your vCloud Air subscription service by using a supported browser. See Supported Browsers

for vCloud Air in the vCloud Air User's Guide for information.

Have upgraded the edge gateway that you want to access to Advanced Networking Services. See

“Upgrade an Edge Gateway to Advanced Networking Services,” on page 7 for information.

VMware, Inc. 9

vCloud Air Advanced Networking Services Guide

Procedure

1 Go to https://vca.vmware.com and log in to vCloud Air using your user name and password.

If you are logging in to vCloud Air for the first time, see Sign In to vCloud Air in the vCloud Air User's Guide for information.

The VMware vCloud Air services page appears.

2 Click the My Subscriptions tile.

The VMware vCloud Air Dashboard appears.

3 Click the Gateways tab and click the tile for the gateway you want to mange.

4 Click Manage in vCloud Director.

vCloud Director opens in a new browser tab and the Org VDC Networks tab is displayed.

5 Click the Edge Gateways tab.

The gateways located in the virtual data center appear.

6 Select the gateway, right click and select Edge Gateway Services.

VMware vCloud Edge Gateway Services appears in a new browser tab. By default, the Dashboard tab is selected.

NOTE If the edge gateway has not been upgraded, selecting Edge Gateway Services displays the vCloud Director edge gateway UI. Additionally, when you right click and display the edge gateway menu, you see that the option Convert to Advanced Networking is available, indicating that the edge gateway has not been upgraded to Advanced Networking Services.

7 Select a tab to configure that advanced networking feature.

NOTE To access the Trust Group feature, navigate to the virtual data center and manage the firewall settings. See “Add a Trust Groups Firewall Rule,” on page 35 for information.

10 VMware, Inc.

Chapter 1 Introducing Advanced Networking Services for vCloud Air

Statistics and Logs for Advanced Networking Services

You can view statistics and access logs for the edge gateways deployed for Advanced Networking Services.

Statistics

Navigate to an edge gateway in vCloud Director, right click and select Edge Gateway Services. VMware vCloud Edge Gateway Services appears in a new browser tab. By default the Dashboard tab is selected. Statistics and status information are accessible from the following areas of Advanced Networking Services:

Dashboard

SSL VPN-Plus

IPsec VPN

Firewall Rules—Edge Gateway and Trust Groups

Dashboard

The Dashboard provides operational visibility for Advanced Networking Services. The Dashboard displays graphs for the traffic flowing through the interfaces of the selected edge gateway and connection statistics for the firewall and load balancer services.

NOTE For additional statistics and historical data, you can configure vRealize Operations to query more advanced data and historical metrics.

Select the period for which you want to view the statistics.

SSL VPN-Plus Dashboard

The dashboard displays the status of the service, number of active SSL VPN sessions, and session statistics and data flow details. Click Details next to Number of Active Sessions to view information about the concurrent connections to private networks behind the edge gateway.

VMware, Inc. 11

vCloud Air Advanced Networking Services Guide

Figure 1‑3. Statistics on the SSL VPN-Plus Dashboard

IPsec VPN

Click the IPSEC VPN tab > Show IPsec Statistics to display the status of the tunnel.

Firewall Rules

You can view statistics for edge gateway firewall rules and Trust Group firewall rules in the following ways:

1 Navigate to a Firewall tab:

For an edge gateway firewall rule, see “Log In and Navigate to Advanced Networking Services,”

on page 9.

For a Trust Group firewall rule, see “Add a Trust Groups Firewall Rule,” on page 35.

12 VMware, Inc.

Chapter 1 Introducing Advanced Networking Services for vCloud Air

On the Firewall tab, click

(column display icon) and select the Stats check box.

The page refreshes and the Stats column appears in the table.

Click (the stats icon) for a rule.

Figure 1‑4. Statistics for an Edge Gateway Firewall Rule

You can view the traffic related to the rule—traffic packets and size.

Figure 1‑5. Statistics for a Trust Group firewall rule

Logs

You can enable logging an edge gateway for all the major features in Advanced Networking Services:

Table 1‑1. How To Enable Logging Per Feature

Navigation for Feature Description

Firewall tab > Action cell of a rule and click ] > Log option

DHCP > DHCP Service Status > Enable logging check box

NAT > Add ( ) icon > Add DNAT Rule or Add SNAT Rule > Enable logging check box

Routing tab > Global Configuration > Dynamic Routing Configuration > Edit > Enable Logging check box

Load Balancer tab > Global Configuration > Edit > Logging

check box

IPSEC VPN tab > Logging Policy section > Enable logging check box

SSL VPN-Plus tab > Server Settings > Logging Policy > Change > Enable logging check box

SSL VPN-Plus tab > General Settings > Change > Enable logging check box

Logs all sessions matching this rule.

Logs the address translation.

Logs the traffic flow between the local subnet and peer subnet.

Maintains a log of the traffic passing through the SSL VPN gateway.

Collecting log data is a multi-step process:

1 Enable logging for the features for which you need log data as described in the table above.

VMware, Inc. 13

vCloud Air Advanced Networking Services Guide

2 Configure a syslog server to receive the log data. See Capturing vCloud Air Edge Gateway Data with

Syslog in the VMware vCloud Blog.

The logged data is accessible via your configured syslog server.

14 VMware, Inc.

Advanced Routing for vCloud Air 2

You can specify static and dynamic routing for each edge gateway in vCloud Air.

To enable dynamic routing, you can configure an edge gateway using the Border Gateway Protocol (BGP) or the Open Shortest Path First (OSPF) protocol.

This chapter includes the following topics:

“Specify Global Configuration,” on page 15

“Add a Static Route,” on page 16

“Configure BGP,” on page 17

“Configure OSPF,” on page 18

“Configure Route Redistribution,” on page 20

Specify Global Configuration

You can configure the default edge gateway for static routes and specify dynamic routing details for an edge gateway.

Procedure

VMware, Inc.

1 Log in to vCloud Air and navigate to the vCloud Edge Gateway Services UI.

See “Log In and Navigate to Advanced Networking Services,” on page 9 for information.

2 Click the Routing tab and Global Configuration.

3 To enable Equal-cost multi-path routing (ECMP), click Enable next to ECMP.

ECMP is a routing strategy that allows next-hop packet forwarding to a single destination can occur over multiple best paths. These best paths can be added statically or as a result of metric calculations by dynamic routing protocols like OSPF or BGP. Multiple paths for static routes can be added by providing multiple next hops separated by commas in the Static Routes dialog box.

See “Add a Static Route,” on page 16 for information.

The edge gateway utilizes Linux network stack implementation, a roundrobin algorithm with a randomness component. After a next hop is selected for a particular source and destination IP address pair, the route cache stores the selected next hop. All packets for that flow go to the selected next hop. The default IPv4 route cache timeout is 300 seconds (gc_timeout). When an entry is inactive for this time, it is eligible to be removed from the route cache. The actual removal happens when the garbage collection timer activates (gc_interval = 60 seconds).

vCloud Air Advanced Networking Services Guide

4 To specify the default gateway, click Edit next to Default Gateway.

a Select an interface from which the next hop towards the destination network can be reached.

b Type the gateway IP address if required.

c Edit the MTU if required and type a description.

d Click Save.

5 To configure dynamic routing, click Edit next to Dynamic Routing Configuration.

NOTE If you have IPsec VPN configured in your environment, you should not use dynamic routing.

a Select the router ID.

The Router ID list displays the first uplink IP address of the edge gateway that pushes routes to the kernel for dynamic routing.

b Select Enable Logging to save logging information and select the log level.

c Click OK.

6 Click Publish Changes.

What to do next

To delete routing configuration, click Reset. This deletes all routing configurations (default, static, OSPF, and BGP configurations, as well as route redistribution).

Configure route redistribution. See “Configure Route Redistribution,” on page 20.

Configure dynamic routing. See the following topics:

“Configure BGP,” on page 17

“Configure OSPF,” on page 18

Add a Static Route

You can add a static route for a destination subnet or host.

Procedure

1 Log in to vCloud Air and navigate to the vCloud Edge Gateway Services UI.

See “Log In and Navigate to Advanced Networking Services,” on page 9 for information.

2 Click the Routing tab and Static Routes.

Click the Add (

The Add Static Route dialog box appears.

4 Configure the following options for the static route:

Option Description

Network

Next Hop

Interface

) icon.

Type the Network in CIDR notation.

Type the IP address of the Next Hop.

The router must be able to directly reach the next hop.

When ECMP is enabled, you can type multiple next hops. See “Specify

Global Configuration,” on page 15 for information.

Select the interface on which you want to add a static route.

16 VMware, Inc.

Option Description

MTU

Description

5 Click OK.

What to do next

Configure a NAT rule for the static route. See “Add an SNAT or DNAT Rule,” on page 68 .

Add a firewall rule to allow traffic to traverse the static route. See the following topics:

“Add an Edge Gateway Firewall Rule,” on page 31

“Add a Trust Groups Firewall Rule,” on page 35

Configure BGP

You can configure Border Gateway Protocol for vCloud Air to exchange routes between your on-premises border devices and vCloud Air. BGP makes core routing decisions by using a table of IP networks or prefixes, which designate network reachability among multiple autonomous systems.

Chapter 2 Advanced Routing for vCloud Air

Edit the maximum transmission value for the data packets if required.

The MTU value cannot be higher than the MTU value set on the edge gateway interface. See “Specify Global Configuration,” on page 15 for information about he MTU set for the default edge gateway.

(Optional) Type a description for the static route.

The BGP border devices established a connection before any routing information is exchanged. After establishing the connection, the border devices exchange routes and synchronize their tables. Each border device sends keepalive messages to keep this relationship alive.

Procedure

1 Log in to vCloud Air and navigate to the vCloud Edge Gateway Services UI.

See “Log In and Navigate to Advanced Networking Services,” on page 9 for information.

2 Click the Routing tab and BGP.

3 In BGP Configuration, complete the BGP options:

a Click Edit next to BGP Configuration.

b Click Enable BGP.

c For packet forwarding to be uninterrupted during restart of BGP services, select Enable Graceful

Restart.

d To allow the edge gateway to advertise itself as a default gateway to its peers, select Enable

Default Originate.

e Type a value (a globally unique number between 1-65534) for the Local AS.

vCloud Air assigns the local autonomous system (AS) number to the edge gateway you are configuring and advertises the local AS when the edge gateway peers with routers in other autonomous systems. The path of ASs that a route traverses is used as one metric when selecting the best path to a destination.

f Click OK.

4 In Neighbors, configure the routing neighbors:

Click the Add ( ) icon.

b Type the IP address of your on-premises border device that vCloud Air connect to.

VMware, Inc. 17

vCloud Air Advanced Networking Services Guide

c Type a value (a globally unique number between 1-65534) for the Remote AS.

vCloud Air assigns the remote AS number to the border device you are creating the connection for.

d If necessary, edit the default weight for the neighbor connection.

e If necessary, edit the default interval for the Keep Alive Time.

f If necessary, edit the default interval for the Hold Down Time.

The edge gateway uses the standard, default values for the keep alive timer (60 seconds) and the hold down timer. The default value for the hold down timer is 3xkeepalive or 180 seconds. Once peering between two neighbors is achieved, the edge gateway starts a hold down timer. Every keep alive message it receives from the neighbor resets the hold down timer to 0. If the edge gateway fails to receive three consecutive keep alive messages, so that the hold down timer reaches 180 seconds, the edge gateway considers the neighbor down and deletes the routes from this neighbor.

g In Password, type the authentication password.

Each segment sent on the connection between the neighbors is verified. MD5 authentication must be configured with the same password on both BGP neighbors, otherwise, the connection between them will not be made.

To specify route filtering from a neighbor using an prefix list, click the Add ( area and configure the following options:

) icon in the BGP Filters

CAUTION A "block all" rule is enforced at the end of the filters.

a Select the direction to indicate whether you are filtering traffic to or from the neighbor.

b Select the action to indicate whether you are allowing or denying traffic.

c Type the network in CIDR format that you want to filter to or from the neighbor.

d Type the IP prefixes that are to be filtered and click OK.

6 Click Publish Changes.

What to do next

Add a firewall rule that allows traffic to and from the remote border device in your on-premises data center. See “Add an Edge Gateway Firewall Rule,” on page 31 for information.

Configure BGP in your on-premises data center for the remote border device that vCloud Air is connecting to using the AS values and password you set in vCloud Air. These values must match on both sides of the connection.

Configure OSPF

The edge gateway supports OSPF, an interior gateway protocol that routes IP packets only within a single routing domain. Configure OSPF in vCloud Air to exchange routing information between edge gateways in vCloud Air.

Use OSPF to gather link state information from available routers and construct a topology map of the network. The topology determines the routing table presented to the Internet layer, which makes routing decisions based on the destination IP address found in IP packets.

OSPF routing policies provide a dynamic process of traffic load balancing between routes of equal cost. An OSPF network is divided into routing areas to optimize traffic flow and limit the size of routing tables. An area is a logical collection of OSPF networks, routers, and links that have the same area identification. Areas are identified by an Area ID.

18 VMware, Inc.

Chapter 2 Advanced Routing for vCloud Air

Prerequisites

A Router ID must have been selected. “Specify Global Configuration,” on page 15

Procedure

1 Log in to vCloud Air and navigate to the vCloud Edge Gateway Services UI.

See “Log In and Navigate to Advanced Networking Services,” on page 9 for information.

2 Click the Routing tab and OSPF.

3 In OSPF Configuration, complete the OSPF options:

a Click Edit next to OSPF Configuration.

b Select Enable OSPF.

c For packet forwarding to be uninterrupted during restart of OSPF services, select Enable Graceful

Restart.

d To allow the edge gateway to advertise itself as a default gateway to its peers, select Enable

Default Originate.

e Click OK.

4 In Area Definitions, configure the OSPF areas:

a Delete the not-so-stubby area (NSSA) 51 that is configured by default.

Click the Add (

) icon.

c Type an area ID.

The edge gateway supports an area ID in the form of an IP address or decimal number.

d In Type, select Normal or NSSA.

NSSAs prevent the flooding of AS-external link-state advertisements (LSAs) into NSSAs. They rely on default routing to external destinations. Hence, NSSAs must be placed at the edge of an OSPF routing domain. NSSA can import external routes into the OSPF routing domain, thereby providing transit service to small routing domains that are not part of the OSPF routing domain.

e In Authentication, select Password or MD5 and type the password or MD5 key, respectively, for

the value.

Password: In this method of authentication, a password is included in the transmitted packet.

MD5: This authentication method uses MD5 (Message Digest type 5 ) encryption. An MD5

checksum is included in the transmitted packet.

5 In Area to Interface Mapping, map interfaces to areas by completing the following steps:

In Area Definitions, click the Add ( ) icon.

b From the vNIC drop-down list, select the interface that you want to map to the OSPF area. The

interface specifies the external network that both edge gateways are connected to.

c Type an Area ID. The edge gateway supports an area ID in the form of an IP address or decimal

number.

VMware, Inc. 19

vCloud Air Advanced Networking Services Guide

d (Optional) Select Ignore Interface MTU Settings to disable MTU mismatch detection on received

Database Descriptor (DBD) packets.

When configuring OSPF, routers connected to the same shared subnet should have the same MTU setting. However, you can force OSPF neighbors to establish a session even when their interface MTU settings do not match. Use caution when selecting this setting because it can lead to packet drops and cause the adjacency to reset repeatedly.

e (Optional) Expand the Advanced section and complete the following options.

NOTE vCloud Air provides a default value for each option. You can accept these default values or edit them for your environment.

Option Description

Hello Interval

Dead Interval

Priority

Cost

6 Click Publish Changes.

Specifies the default interval between hello packets that are sent on the interface.

Specifies the default interval during which at least one hello packet must be received from a neighbor before the router declares that neighbor down.

Specifies the default priority of the interface. The interface with the highest priority is the designated router.

Specifies the default overhead required to send packets across that interface. The cost of an interface is inversely proportional to the bandwidth of that interface. The larger the bandwidth, the smaller the cost.

What to do next

Add a firewall rule that allows traffic between the edge gateways in vCloud Air that you are configuring OSPF routing for. See “Add an Edge Gateway Firewall Rule,” on page 31 for information.

Configure OSPF on the other edge gateways in vCloud Air that you want to exchange routing information with.

Configure Route Redistribution

By default, routers share routes with other routers running the same protocol. In a multi-protocol environment, you must configure route redistribution for cross-protocol route sharing.

Procedure

1 Log in to vCloud Air and navigate to the vCloud Edge Gateway Services UI.

See “Log In and Navigate to Advanced Networking Services,” on page 9 for information.

2 Click the Routing tab and Route Redistribution.

3 Click Edit next to Route Redistribution Status.

4 Select the protocols for which you want to enable route redistribution and click OK.

5 To add an IP prefix, perform the following steps:

Click the Add (

b Type a name and the IP address of the network.

) icon in IP Prefixes.

c Click OK.

20 VMware, Inc.

Chapter 2 Advanced Routing for vCloud Air

6 To specify redistribution criteria for the IP prefix, complete the following steps:

Click the Add ( ) icon in Route Redistribution table.

b In Learner Protocol, select the protocol that learns routes from other protocols.

c In Allow Learning from, select the types of networks from which routes can be learned.

d In Action, select whether to permit or deny redistribution from the selected types of networks.

e Click OK.

7 Click Publish Changes.

VMware, Inc. 21

vCloud Air Advanced Networking Services Guide

22 VMware, Inc.

Certificate and Security Group

Management 3

Advanced Networking Services provides functionality to manage certificates for use with SSL VPN-Plus and IPsec VPN tunnels.

Additionally, Advanced Networking Services enables use of grouping objects for use in creating firewall rules and load balancer server pools.

This chapter includes the following topics:

“Certificate Management in vCloud Air,” on page 23

“Security Objects in vCloud Air,” on page 26

Certificate Management in vCloud Air

The edge gateway in vCloud Air supports self-signed certificates, certificates signed by a Certification Authority (CA), and certificates generated and signed by a CA.

About Using Certificates with vCloud Air

In Advanced Networking Services, you can manage certificates for the following vCloud Air features:

IPsec VPN tunnels from your on-premises data center to vCloud Air

SSL VPN-Plus connections to private networks and web resources deployed in vCloud Air

The virtual servers and pools servers configured for load balancing in vCloud Air

How to Use Client Certificates

You can create a client certificate through a CAI command or REST call. You can then distribute this certificate to your remote users, who can install the certificate on their web browser.

The main benefit of implementing client certificates is that a reference client certificate for each remote user can be stored and checked against the client certificate presented by the remote user. To prevent future connections from a certain user, you can delete the reference certificate from the security server's list of client certificates. Deleting the certificate denies connections from that user.

Generate a Certificate Signing Request

Before you can order a signed certificate from a CA or create a self-signed certificate, you must generate a Certificate Signing Request (CSR) for your edge gateway.

A CSR is an encoded file that you need to generate on an edge gateway that needs an SSL certificate. Using a CSR standardizes the way that companies send their public keys along with information that identifies their company names and domain names.

VMware, Inc.

+ 51 hidden pages

VMware vCloud Air Service manual

Contents

Preface

Upgrade an Edge Gateway to Advanced Networking Services

Log In and Navigate to Advanced Networking Services

Statistics and Logs for Advanced Networking Services

Advanced Routing for vCloud Air 2

Specify Global Configuration

Add a Static Route

Configure BGP

Configure OSPF

Configure Route Redistribution

Certificate Management in vCloud Air

Generate a Certificate Signing Request