Deploying Virtual Appliances on VMware ESXi Through vCenter Using OVF File

VMware OVF packages are offered only for major releases, which are identified by a version number such as 22.x. Minor releases follow the naming convention 22.xRx.x and are subsequent updates within the same series. The distinction between major and minor releases is that the initial release of a series is categorized as major, while subsequent updates within the same series are classified as minor.

Follow these steps to deploy the virtual machine in the VMware inventory using an OVF template. Before beginning the procedure, ensure you download the zip file for the Ivanti Connect Secure Server from https://portal.ivanti.com/customer/product-downloads.

1. Right-click the VMware client inventory and select Deploy OVF Template.

2. Select Local file and click Upload Files.

3. Select the files from the downloaded zip file as shown below and click Next.

4. Provide a unique name for the virtual machine, select the desired folder, and click Next.

5. Select the compute resource on which the virtual machine is to be installed and click Next.

6. Review the details and click Next.

7. Select the storage for the virtual machine and click Next.

8. Select the networks configured for connectivity and click Next.

9. These are sample values; the network settings are configured in Step 11.

10. Verify the details and click Next.

After you click Finish, the virtual machine is deployed. After successful deployment, the virtual machine is available under the selected inventory.

11. Click Launch Web Console and configure the network settings and the username and password used to log in to the ICS server.

Once the setup is complete, you can access the Ivanti Connect Secure server at the configured IP address.

Deploying Virtual Appliances on VMware ESXi Through vCenter Using OVF Properties

Overview of Deploying Virtual Appliances on VMware ESXi

VMware ESXi, like VMware ESX, is a hypervisor that installs on top of a physical server and partitions it into multiple virtual machines. VMware ESXi does not contain the ESX service console and thus has a smaller footprint.

When the Ivanti Connect Secure virtual appliance is first powered on, an administrator must wait for the serial console to appear and configure the initial settings manually. With many virtual machines, this process becomes tedious and time-consuming.

When deploying on VMware ESXi, the dependencies on a serial console and service console are removed. Ivanti Connect Secure lets the administrator set up all initial configuration settings in one pass, using a process based on the VMware Guest Customization feature.

With this approach:

1. You use a deployment script and OVF Tools to set up the initial configuration parameters.

2. ESXi passes these parameters into the VMware environment.

3. The virtual appliance retrieves the parameters from the VMware environment and configures the initial settings.

Using the Deployment Script to Define the Initial Configuration Parameters

The create-va.pl script is included in your ISA-V package and is used to deploy a virtual appliance through the VMware vCenter Server. It can be run on any system that has Perl and VMware OVF Tools installed.

Configuration parameters can be passed to the script through a configuration file, command-line options, or a combination of the two. Command-line parameters are passed to the script in the following format:

--paramname paramvalue

A sample configuration file (va.conf) is provided as an example.

The following tables list the parameters for create-va.pl.

vCenter-Related Parameters

--vCenterServer

Hostname or IP address of the vCenter Server.

--vCenterUsername

Username for logging in to the VMware vCenter Server.

--vCenterPassword

Password for logging in to the VMware vCenter Server. Special characters in the password must be escaped with a backslash (\). For example, secure123\$.

--datacenterName

Data center under which the cluster or ESXi host is present or added.

--clusterorHostName

Name of the VMware cluster or ESXi host where the virtual appliance is to be deployed. When deploying the virtual appliance in a cluster, this parameter must follow the format cluster-name/ESXi-server-name, for example ESXi_5_cluster/mydev.pulsesecure.net. When deploying on a standalone ESXi server, it must follow the format ESXi-server-name, for example mydev.ivanti.net.

--datastore

Name of the datastore where the virtual appliance is to be deployed.

--vaname

Name of the virtual appliance to create.

Ivanti Connect Secure Related Parameters

--vaIPAddress*

IP address to assign to the internal port of the Ivanti Connect Secure virtual appliance.

--vaNetmask*

Netmask to assign to the internal port of the virtual appliance.

--vaGateway*

Gateway to assign to the internal port of the virtual appliance.

--vaAdminUsername

Username for the default administrator account of the virtual appliance.

--vaAdminPassword

Password for the default administrator account of the virtual appliance.

--vaPrimaryDNS*

IP address of the primary DNS server.

--vaSecondaryDNS*

IP address of the secondary DNS server.

--vaDNSDomain*

Domain name for the virtual appliance.

--vaWINSServer

Windows Internet Name Service (WINS) hostname or IP address.

--vaCommonName

Common name for the default device certificate.

--vaOrganization

Organization for the default device certificate.

--vaRandomText

Random text to use during certificate creation. If the random text contains spaces, enclose the entire value in double quotes. For example, "Ivanti Secure Your Net".

--vaDefaultVlan

Default VLAN ID for the internal interface. This parameter is optional.

When it is set, all traffic sent on this interface is tagged with the configured VLAN ID, and only incoming traffic carrying the same tag is accepted. The connected switch port must be configured to handle bi-directional tagged traffic.

v6 Parameters

vaNetworkStack

Indicates which address families are configured during deployment:

v4: IPv4 addresses can be configured.

v6: IPv6 addresses can be configured.

Both: IPv4 and IPv6 addresses can be configured.

vaIPv6Address

Internal interface IPv6 address.

vaPrefix

Internal interface IPv6 prefix length.

vaIPv6Gateway

Internal interface IPv6 gateway address.

vaManagementIPv6Address

Management interface IPv6 address.

vaManagementPrefix

Management interface IPv6 prefix length.

vaManagementIPv6Gateway

Management interface IPv6 gateway address.

vaExternalIPv6Address

External interface IPv6 address.

vaExternalPrefix

External interface IPv6 prefix length.

vaExternalIPv6Gateway

External interface IPv6 gateway address.

Virtual Appliance-Related Parameters

--ovffile

Path to the OVF file.

--configFile

Name of the configuration file containing parameters to pass to the create-va.pl script. Values specified on the command line override those specified in the configuration file.

--ExternalNetwork

Virtual network in the VMware vSwitch to which the external network of the virtual appliance is mapped.

--InternalNetwork

Virtual network in the VMware vSwitch to which the internal network of the virtual appliance is mapped.

--ManagementNetwork

Virtual network in the VMware vSwitch to which the management network of the virtual appliance is mapped.

Virtual Appliance Management Port-Related Parameters

--vaManagementIPAddress*

Management network IP address.

--vaManagementNetmask*

Management network netmask.

--vaManagementGateway*

Management network gateway address.

--vaManagementDefaultVlan

Default VLAN ID for the management interface. This parameter is optional.

When it is set, all traffic sent on this interface is tagged with the configured VLAN ID, and only incoming traffic carrying the same tag is accepted. The connected switch port must be configured to handle bi-directional tagged traffic.

--vaManagementPortReconfigWithValueInVAppProperties

Management port overwrite property. If set to 1, the management port-related parameters in Ivanti Connect Secure are overwritten with the ones defined here. See the Management Port Behavior While Deploying a Template table and the Management Port Behavior During a New Deployment table.

--vaInternalPortReconfigWithValueInVAppProperties

Internal port overwrite property. If set to 1, the virtual appliance's internal port settings are overwritten with the ones specified during deployment. See the Internal Port Behavior While Deploying a Template table and the Internal Port Behavior During a New Deployment table.


Virtual Appliance External Interface Parameters

--vaExternalIPAddress*

External network IP address.

--vaExternalNetmask*

External network netmask.

--vaExternalGateway*

External network gateway address.

--vaExternalDefaultVlan

Default VLAN ID for the external interface. This parameter is optional.

When it is set, all traffic sent on this interface is tagged with the configured VLAN ID, and only incoming traffic carrying the same tag is accepted. The connected switch port must be configured to handle bi-directional tagged traffic.

--vaExternalPortReconfigWithValueInVAppProperties

External port overwrite property. If set to 1, the external port-related parameters in Ivanti Connect Secure are overwritten with the ones defined here. See the External Port Behavior While Deploying a Template table and the External Port Behavior During a New Deployment table.

New Parameters

--vaAcceptLicenseAgreement

By default, this value is set to y, which specifies that the administrator has accepted the EULA.

--vaEnableLicenseServer

Flag specifying whether the virtual appliance comes up as a normal virtual appliance or as a virtual license server. By default, this value is set to n. If set to y, the virtual appliance functions as a virtual license server.

--enableRESTAPI

By default, this value is set to n, which leaves REST access disabled. When set to y, REST access is enabled for the admin user created as part of the initial configuration.

Ivanti Connect Secure supports zero touch provisioning. This feature can detect and assign DHCP networking settings automatically when Ivanti Connect Secure boots. To fetch the networking configuration automatically from the DHCP server, leave the Ivanti Connect Secure networking parameters set to null.

ICS assumes that the IP address leased from the DHCP server is valid for a long time; hence ICS does not request DHCP renewals.

The Ivanti Connect Secure related parameters are used for the initial configuration of the virtual appliance. The script does not validate these parameters. If the values passed are not valid, the installation stops at the point where a correct value must be provided, and the administrator can connect to the virtual appliance through the VT or serial console to complete the initial setup.
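Because the script leaves validation to the appliance, a check before running it saves a trip to the console. The following Python is an added example written for this page, not code from the Ivanti ISA-V package or from create-va.pl: it checks the vaIVEConfig values (required parameters, gateway inside the IP/netmask subnet, VLAN range, delimiter characters) using the property names that appear in the documented ovftool command, then assembles the ovftool argument vector with the vi:// locator and produces a redacted copy for logging. The validity rules, the sample addresses and the names SAMPLE, validate, ovftool_argv and redacted are this example's own assumptions, not part of the product.

```python
"""
Pre-flight check for the vaIVEConfig values that create-va.pl hands to
ovftool. Added example written for this page, not code from the Ivanti
ISA-V package. Assumptions (this example's own): an interface is valid
when its gateway lies inside the IP/netmask subnet; a VLAN id is valid
when it is -1 (untagged) or 1-4094; values must not contain ';' or '"'
because vaIVEConfig is a ';'-separated, double-quoted key=value list.
"""
import ipaddress
from urllib.parse import quote

# Parameters the documentation marks with an asterisk.
REQUIRED = ("vaIPAddress", "vaNetmask", "vaGateway",
            "vaPrimaryDNS", "vaSecondaryDNS", "vaDNSDomain")

# (ip, netmask, gateway, vlan) property names per interface, from the tables.
PORTS = {
    "internal": ("vaIPAddress", "vaNetmask", "vaGateway", "vaDefaultVlan"),
    "management": ("vaManagementIPAddress", "vaManagementNetmask",
                   "vaManagementGateway", "vaManagementDefaultVlan"),
    "external": ("vaExternalIPAddress", "vaExternalNetmask",
                 "vaExternalGateway", "vaExternalDefaultVlan"),
}


def check_port(props, port):
    """Problems found in one interface's IP/netmask/gateway/VLAN values."""
    ip_key, mask_key, gw_key, vlan_key = PORTS[port]
    ip, mask, gw = (props.get(k, "") for k in (ip_key, mask_key, gw_key))
    problems = []
    if ip or mask or gw:  # all empty = left to DHCP / zero-touch provisioning
        try:
            net = ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)
            if ipaddress.IPv4Address(gw) not in net:
                problems.append(f"{port}: gateway {gw} is not inside {net}")
        except ValueError as exc:
            problems.append(f"{port}: {exc}")
    vlan = props.get(vlan_key, "-1")
    if vlan != "-1" and not (vlan.isdigit() and 1 <= int(vlan) <= 4094):
        problems.append(f"{port}: VLAN id {vlan!r} is not -1 or 1-4094")
    return problems


def validate(props):
    """Return every problem with the vaIVEConfig values; empty list means OK."""
    problems = [f"missing required parameter {k}"
                for k in REQUIRED if not props.get(k)]
    for port in PORTS:
        problems += check_port(props, port)
    for key, value in props.items():
        if ";" in value or '"' in value:
            problems.append(f"{key}: value must not contain ';' or '\"'")
    return problems


def vive_config(props):
    """Render the key=value;key=value string the documented command uses."""
    return ";".join(f"{k}={v}" for k, v in props.items())


def ovftool_argv(props, ovf_path, vaname, vcenter, user, password,
                 datacenter, cluster_host, datastore, nets):
    """Build the ovftool command as an argument vector for subprocess.run:
    no shell is involved, so the password needs no backslash escaping, and
    inside the vi:// locator it is percent-encoded instead."""
    locator = (f"vi://{quote(user, safe='')}:{quote(password, safe='')}@"
               f"{vcenter}/{datacenter}/host/{cluster_host}")
    argv = ["ovftool", "--skipManifestCheck", f"--name={vaname}",
            f"--prop:vaIVEConfig={vive_config(props)}"]
    argv += [f"--net:{k}={v}" for k, v in nets.items()]
    argv += [f"--datastore={datastore}", "--powerOn", ovf_path, locator]
    return argv


def redacted(argv, secrets):
    """Copy of argv that is safe to log: each secret, raw or percent-encoded,
    is masked (the documented script output prints both passwords)."""
    out = []
    for arg in argv:
        for secret in secrets:
            for form in (secret, quote(secret, safe="")):
                arg = arg.replace(form, "***")
        out.append(arg)
    return out


# Constructed sample values; none of them come from a real deployment.
SAMPLE = {
    "vaIPAddress": "192.0.2.10", "vaNetmask": "255.255.255.0",
    "vaGateway": "192.0.2.1", "vaDefaultVlan": "3",
    "vaPrimaryDNS": "192.0.2.53", "vaSecondaryDNS": "192.0.2.54",
    "vaDNSDomain": "example.test", "vaAdminUsername": "admin",
    "vaAdminPassword": "Test123$", "vaAcceptLicenseAgreement": "y",
}

if __name__ == "__main__":
    print(validate(SAMPLE))  # [] for the constructed values above
    print(validate(dict(SAMPLE, vaGateway="198.51.100.1")))
    argv = ovftool_argv(SAMPLE, "ISA-V.ovf", "ics-demo", "vc.example.test:443",
                        "user1", "Test123$", "DC1", "CL1/esx1.example.test",
                        "DS1", {"InternalNetwork": "VLAN_TAGGING"})
    print(" ".join(redacted(argv, ["Test123$"])))
```

Passing the vector to subprocess.run rather than a shell string is what makes the backslash escaping documented for --vCenterPassword unnecessary here; only the logged copy should ever leave the host, and that copy has both the vCenter and the admin password masked.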

The following table describes the new parameters added to the create-va.pl script included in your ISA-V package. These parameters apply only to nSA-managed 9.x and ICS 22.x versions.

Parameter (type): Description

registrationCode (string): The registration code generated during the ICS gateway registration on nSA. Example: KyZR6YDL8

registrationFQDN (string): The registration FQDN generated during the ICS gateway registration on nSA. Example: sample.domain.com

enableproxy (string): Default is set to n.

proxyHost (string): The proxy server name.

proxyPort (integer): The port number of the proxy server. Example: 8080

proxyUsername (string): The username for the proxy server. Example: usr

proxyPassword (string): The password for the proxy server. Example: pxx124

registerNetworkInterface (string): The interface through which the gateway registers with nSA. Example: external

The Management Port Behavior While Deploying a Template table and the Internal Port Behavior While Deploying a Template table define the behavior based on options passed while deploying the template.

The following table contains data regarding the Management Port Behavior While Deploying a Template:

Overwrite value 0; the management port IP address, netmask and gateway are valid values: Because managementPortReconfigWithValueInVAppProperties is 0, the management port-related parameters are retained and are not overwritten with values in the passed configuration.

Overwrite value 0; the management port IP address, netmask and gateway are not valid values: Because managementPortReconfigWithValueInVAppProperties is 0, the management port-related parameters are retained and are not overwritten with values in the passed configuration.

Overwrite value 1; the management port IP address, netmask and gateway are valid values: The management port is configured with the new values passed while deploying. The existing cached value is overwritten with the new values.

Overwrite value 1; the management port IP address, netmask and gateway are not valid values: During the boot process, the administrator is asked whether to configure the management port. Enter N to skip the management port configuration. Enter Y to specify valid values for the management port.

The following table contains data regarding the Internal Port Behavior While Deploying a Template:

Overwrite value 0; valid or invalid internal port configuration: Do nothing. The internal port should already be set in Ivanti Connect Secure. If the internal port is not configured, the administrator is prompted to enter the internal port configuration.

Overwrite value 1; valid internal port configuration: The internal port is configured with the new values passed while deploying.

Overwrite value 1; invalid internal port configuration: During the boot process, the administrator is asked whether to configure the internal port. Enter N to skip the internal port configuration. Enter Y to specify valid values for the internal port.

The following table contains data regarding the External Port Behavior While Deploying a Template:

Overwrite value 0; the external port IP address, netmask and gateway are valid values: Because externalPortReconfigWithValueInVAppProperties is 0, the external port-related parameters are retained and are not overwritten with values in the passed configuration.

Overwrite value 0; the external port IP address, netmask and gateway are not valid values: Because externalPortReconfigWithValueInVAppProperties is 0, the external port-related parameters are retained and are not overwritten with values in the passed configuration.

Overwrite value 1; the external port IP address, netmask and gateway are valid values: The external port is configured with the new values passed while deploying. The existing cached value is overwritten with the new values.

Overwrite value 1; the external port IP address, netmask and gateway are not valid values: During the boot process, the administrator is asked whether to configure the external port. Enter N to skip the external port configuration. Enter Y to specify valid values for the external port.

When deploying a new virtual appliance, the Ivanti Connect Secure does not contain any configuration. The behavior in this case is shown in the Management Port Behavior During a New Deployment table and the Internal Port Behavior During a New Deployment table.

The following table contains data regarding the Management Port Behavior During a New Deployment:

Overwrite value 0; the management port IP address, netmask and gateway are valid values: A valid management configuration is available. Ivanti Connect Secure is configured with these values.

Overwrite value 0; the management port IP address, netmask and gateway are not valid values: An invalid management configuration is present. The management port properties are not configured.

Overwrite value 1; the management port IP address, netmask and gateway are valid values: A valid management configuration is available. Ivanti Connect Secure is configured with these values, and the existing cached value is overwritten with the new values.

Overwrite value 1; the management port IP address, netmask and gateway are not valid values: During the boot process, the administrator is asked whether to configure the management port. Enter N to skip the management port configuration. Enter Y to specify valid values for the management port.

The following table contains data regarding the Internal Port Behavior During a New Deployment:

Overwrite value 0 or 1; valid internal port configuration: The internal port is configured from the passed configuration values.

Overwrite value 0 or 1; invalid internal port configuration: During the boot process, the administrator is asked whether to configure the internal port.

The following table contains data regarding the External Port Behavior During a New Deployment:

Overwrite value 0; the external port IP address, netmask and gateway are valid values: A valid external configuration is available. Ivanti Connect Secure is configured with these values.

Overwrite value 0; the external port IP address, netmask and gateway are not valid values: An invalid external configuration is present. The external port properties are not configured.

Overwrite value 1; the external port IP address, netmask and gateway are valid values: A valid external configuration is available. Ivanti Connect Secure is configured with these values, and the existing cached value is overwritten with the new values.

Overwrite value 1; the external port IP address, netmask and gateway are not valid values: During the boot process, the administrator is asked whether to configure the external port. Enter N to skip the external port configuration. Enter Y to specify valid values for the external port.

After running the create-va.pl script, you can use the VMware vSphere CLI vmware-cmd utility or the VMware vSphere Client to view the status. Once vSphere reports the system is ready, you can log in to the virtual appliance.

The vSphere Client may display a “VMware Tools not installed on this virtual machine” message. You can ignore this message. You do not have to install VMware Tools.

Example Output

The following example passes the IP address of the internal port through the command line and uses the va.conf configuration file for the values of all other parameters.

perl create-va.pl --configFile /root/user1/ovf_dir//va_config_files/vlan_tagging.conf --ipAddress 3.3.125.3 --extipAddress 2.2.125.3 --mgmtipAddress 10.209.125.3 --vaName 21_9R1_ISA-V_125_3 --ovffile /root/user1/ovf_dir//ISA-V-VMWARE-ICS-21.9R1-421.1/ISA-V-VMWARE-ICS-21.9R1-421.1-VT-medium.ovf

Your output will look similar to the following:

The following values are used for creating and configuring the VA


        OVF File:                       /root/user1/ovf_dir//ISA-V-VMWARE-ICS-21.9R1-421.1/ISA-V-VMWARE-ICS-21.9R1-421.1-VT-medium.ovf

        VA Name:                       21_9R1_ISA-V_125_3


        vCenter Server:                 test.testlab.testorg.net:443

       vCenter Username:               user1

        vCenter Password:               Test123\$


        Datacenter Name:                PBU-QA

        Cluster / Host Name:            PBU-QA-CLUSTER/pbuesx6.testlab.testorg.net


        IP Address:                     3.3.125.3

        Netmask:                        255.0.0.0

        Gateway:                        3.0.0.1

        Default VLAN:                   3

        Management IP Address:                  10.209.125.3

        Management Netmask:                     255.255.240.0

        Management Gateway:                     10.209.127.254

        Management Default VLAN:                        -1

        External IP Address:                    2.2.125.3

        External Netmask:                       255.0.0.0

        External Gateway:                       2.0.0.1

        External Default VLAN:                  2

        Reconfigure Internal Port with value in VAapp properties:                       0

        Reconfigure Management Port with value in VAapp properties:                     0

        Reconfigure External Port with value in VAapp properties:                       0

        Primary DNS:                    1.1.1.1

        Secondary DNS:                  3.3.115.226

        DNS Domains:                    test.testorg.net

        WINS:                           2.2.2.2

        Admin Username:                 admin

        Admin Password:                 Test123

        Enable REST API:                        y

        Common Name:                    abc.testorg.net

        Organization:                   TestOrg

        Ramdom Text:                    TestOrg_your_Net

        Accept License Agreement:       y


        Enable Virtual License Server:  n


        ExternalNetwork Mapped to:      "VLAN_TAGGING"

        InternalNetwork Mapped to:      "VLAN_TAGGING"

        ManagementNetwork Mapped to:    "PBU-QA-MGMT"


Command = ovftool --skipManifestCheck --name=21_9R1_ISA-V_125_3 --prop:vaIVEConfig="vaIPAddress=3.3.125.3;vaNetmask=255.0.0.0;vaGateway=3.0.0.1;vaDefaultVlan=3;vaManagementIPAddress=10.209.125.3 ;vaManagementNetmask=255.255.240.0;vaManagementGateway=10.209.127.254;vaManagementDefaultVlan=-1;vaInternalPortReconfigWithValueInVAppProperties=0;vaExternalIPAddress=2.2.125.3;vaExternalNetmask=255.0.0.0;vaExternalGateway=2.0.0.1;vaExternalDefaultVlan=2;vaExternalPortReconfigWithValueInVAppProperties=0;vaManagementPortReconfigWithValueInVAppProperties=0;vaPrimaryDNS=1.1.1.1;vaSecondaryDNS=3.3.115.226;vaDNSDomain=test.isecure.net;vaWINSServer=2.2.2.2;vaCommonName=abc.testorg.net;vaOrganization=TestOrg;vaRandomText=TestOrg_your_Net;vaAdminUsername=admin;vaAdminPassword=Test123;vaAcceptLicenseAgreement=y;vaEnableLicenseServer=n;vaAdminEnableREST=y " --net:ExternalNetwork="VLAN_TAGGING" --net:InternalNetwork="VLAN_TAGGING" --net:ManagementNetwork="PBU-QA-MGMT" --datastore=HP_iSCSI_02 --powerOn /root/user1/ovf_dir//ISA-V-VMWARE-ICS-21.9R1-421.1/ ISA-V-VMWARE-ICS-21.9R1-421.1-VT-medium.ovf vi://user1:Test123\$@test.testlab.testorg.net:443/PBU-QA/host/PBU-QA-CLUSTER/pbuesx6.testlab.testorg.net

Deploying VA. /root/user1 , /root/user1/ovf_dir//ISA-V-VMWARE-ICS-21.9R1-421.1/ISA-V-VMWARE-ICS-21.9R1-421.1-VT-medium.ovf.......

Status: Task completed

To check the status of the initial configuration, query the guestinfo.vaInitConfigStatus variable with the vmware-cmd getguestinfo operation:

getguestinfo guestinfo.vaInitConfigStatus

Your output should look similar to this:

getguestinfo(guestinfo.vaInitConfigStatus) = Status: Success Log: Configuring    VA settings from OVF; Initial network configuration complete; The self-signed    digital certificate was successfully created; VA Initial Configuration    completed successfully.
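The status line above is what automation should gate on before touching the appliance, since a powered-on VM may still be waiting at the console for a value the OVF properties did not supply. The following Python is an added example written for this page, not Ivanti or VMware code: parse_init_status splits the documented value into the Status word and the Log steps, and wait_for_init polls an injected fetch() callable (in practice a wrapper around the vmware-cmd getguestinfo call) until the status is Success or a timeout expires. The sample output is constructed after the documented one; the interpretation of status words other than Success and the function names are this example's assumptions.

```python
"""
Parser and poll loop for the guestinfo.vaInitConfigStatus value that the
virtual appliance publishes once its initial configuration has run. Added
example written for this page, not Ivanti or VMware code. Assumptions: the
value has the shape shown in the documented output, "Status: <word> Log:
<step>; <step>; ..."; any Status other than Success is treated as "not
ready yet"; and the vmware-cmd call is injected as fetch() so this runs
offline.
"""
import re
import time

STATUS_RE = re.compile(r"Status:\s*(\S+)\s*Log:\s*(.*)", re.S)


def parse_init_status(raw):
    """Return (status, log steps); ("", []) if the value is unset/malformed."""
    m = STATUS_RE.search(raw or "")
    if not m:
        return "", []
    # Collapse the padding vmware-cmd leaves inside steps and drop the final '.'
    steps = [re.sub(r"\s+", " ", s).strip(" .") for s in m.group(2).split(";")]
    return m.group(1), [s for s in steps if s]


def wait_for_init(fetch, timeout=600, interval=10, sleep=time.sleep):
    """Poll fetch() until the status is Success and return the log steps;
    raise TimeoutError when the deadline passes first."""
    deadline = time.monotonic() + timeout
    while True:
        status, steps = parse_init_status(fetch())
        if status == "Success":
            return steps
        if time.monotonic() >= deadline:
            raise TimeoutError(f"initial configuration not complete "
                               f"(last status {status!r}: {'; '.join(steps)})")
        sleep(interval)


# Constructed sample mirroring the documented vmware-cmd output.
SAMPLE_OUTPUT = (
    "getguestinfo(guestinfo.vaInitConfigStatus) = Status: Success Log: "
    "Configuring    VA settings from OVF; Initial network configuration "
    "complete; The self-signed    digital certificate was successfully "
    "created; VA Initial Configuration    completed successfully."
)

if __name__ == "__main__":
    # guestinfo reads back empty until the appliance sets it, so the first
    # two polls return nothing.
    attempts = iter(["", "", SAMPLE_OUTPUT])
    for step in wait_for_init(lambda: next(attempts), sleep=lambda s: None):
        print("-", step)
```

The injected sleep and fetch make the loop testable without a hypervisor; in production, fetch would run vmware-cmd against the appliance's .vmx path and return its stdout unchanged.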


You can ignore the following message:

vmsvc[280]: [warning] [powerops] Unable to send the status RPC

This message appears when you are running Ivanti Connect Secure on ESXi 4.1U3 or ESXi 4.x and you power off and then power on the virtual appliance.