NSX Manager provides a graphical user interface (GUI) and REST APIs for creating, configuring, and monitoring NSX-T Data Center components such as logical switches, logical routers, and firewalls.

NSX Manager provides a system view and is the management component of NSX-T Data Center.

For high availability, NSX-T Data Center supports a management cluster of three NSX Managers. For a production environment, deploying a management cluster is recommended. For a proof-of-concept environment, you can deploy a single NSX Manager.

NSX Manager Deployment, Platform, and Installation Requirements

The following table details the NSX Manager deployment, platform, and installation requirements

Requirements Description
Supported deployment methods
  • QCOW2
Supported platforms

See NSX Manager VM System Requirements.

On ESXi, it is recommended that the NSX Manager appliance be installed on shared storage.

IP address An NSX Manager must have a static IP address. You cannot change the IP address after installation.
NSX-T Data Center appliance password
  • At least 12 characters
  • At least one lower-case letter
  • At least one upper-case letter
  • At least one digit
  • At least one special character
  • At least five different characters
  • No dictionary words
  • No palindromes
  • More than four monotonic character sequence is not allowed
Hostname When installing NSX Manager, specify a hostname that does not contain invalid characters such as an underscore. If the hostname contains any invalid character, after deployment the hostname will be set to nsx-manager.

For more information about hostname restrictions, see https://tools.ietf.org/html/rfc952 and https://tools.ietf.org/html/rfc1123.

VMware Tools The NSX Manager VM running on ESXi has VMTools installed. Do not remove or upgrade VMTools.
  • Verify that the system requirements are met. See System Requirements.
  • Verify that the required ports are open. See Ports and Protocols.
  • Verify that a datastore is configured and accessible on the ESXi host.
  • Verify that you have the IP address and gateway, DNS server IP addresses, domain search list, and the NTP server IP address for the NSX Manager to use.
  • If you do not already have one, create the target VM port group network. Place the NSX-T Data Center appliances on a management VM network.

    If you have multiple management networks, you can add static routes to the other networks from the NSX-T Data Center appliance.

  • Plan your NSX Manager IPv4 or IPv6 IP addressing scheme.
OVF Privileges

Verify that you have adequate privileges to deploy an OVF template on the ESXi host.

A management tool that can deploy OVF templates, such as vCenter Server or the vSphere Client. The OVF deployment tool must support configuration options to allow for manual configuration.

OVF tool version must be 4.0 or later.

Client Plug-in

The Client Integration Plug-in must be installed.

Note: On an NSX Manager fresh install, reboot, or after an admin password change when prompted on first login, it might take several minutes for the NSX Manager to start.

NSX Manager Installation Scenarios

Important: When you install NSX Manager from an OVA or OVF file, either from vSphere Client or the command line, OVA/OVF property values such as user names, passwords, or IP addresses are not validated before the VM is powered on.
  • If you specify a user name for the admin or audit user, the name must be unique. If you specify the same name, it is ignored and the default names (admin and audit) is used.
  • If the password for the admin user does not meet the complexity requirements, you must log in to NSX Manager through SSH or at the console as the admin user with the password default. You are prompted to change the password.
  • If the password for the audit user does not meet the complexity requirements, the user account is disabled. To enable the account, log in to NSX Manager through SSH or at the console as the admin user and run the command set user audit to set the audit user's password (the current password is an empty string).
  • If the password for the root user does not meet the complexity requirements, you must log in to NSX Manager through SSH or at the console as root with the password vmware. You are prompted to change the password.
Caution: Changes made to the NSX-T Data Center while logged in with the root user credentials might cause system failure and potentially impact your network. You can only make changes using the root user credentials with the guidance of VMware Support team.
Note: The core services on the appliance do not start until a password with sufficient complexity is set.

After you deploy NSX Manager from an OVA file, you cannot change the VM's IP settings by powering off the VM and modifying the OVA settings from vCenter Server.

Configuring NSX Manager for Access by the DNS Server

By default, transport nodes access NSX Managers based on their IP addresses. However, this can be based also on the DNS names of the NSX Managers.

By enabling FQDN usage (DNS) on NSX Managers, the IP address of the Managers can change without affecting the transport nodes.

You enable FQDN usage by publishing the FQDNs of the NSX Managers.

Note: Enabling FQDN usage (DNS) on NSX Managers is required for multisite Lite and NSX NSX Cloud and deployments. (It is optional for all other deployment types.) See Multisite Deployment of NSX-T Data Center in the NSX-T Data Center Administration Guide and Installing NSX Cloud Components in this guide.

Publishing the FQDNs of the NSX Managers

After installing the NSX-T Data Center core components and CSM, to enable NAT using FQDN you would set up the entries for lookup and reverse lookup in the NSX-T DNS server in your deployment.

In addition, you must also enable publishing the NSX Manager FQDNs using the NSX-T API.

Example request: PUT https://<nsx-mgr>/api/v1/configs/management

  "publish_fqdns": true,
  "_revision": 0

Example response:

  "publish_fqdns": true,
  "_revision": 1

See the NSX-T Data Center API Guide for details.

Note: After publishing the FQDNs, validate access by the transport nodes as described in the next section.

Validating Access via FQDN by Transport Nodes

After publishing the FQDNs of the NSX Managers, verify that the transport nodes are successfully accessing the NSX Managers.

Using SSH, log into a transport node such as a hypervisor or Edge node, and run the get controllers CLI command.

Example response:
Controller IP    Port  SSL     Status       Is Physical Master   Session State    Controller FQDN    1235  enabled  connected   true                  up               nsxmgr.corp.com