Only an Operator Super user can perform Bastion Orchestrator configuration. The Bastion Orchestrator configuration involves configuring two Orchestrators as a Bastion pair.

Note: In this document, the term "Bastion Orchestrator" is used interchangeably with the term "Public Orchestrator", and the term "Production Orchestrator" is used interchangeably with the term "Private Orchestrator".

To create a Bastion pair using two Orchestrators, configure one Orchestrator as Public (Bastion) and another as Private (Production) by performing the following steps:

Prerequisites

  • Ensure you have two Orchestrators ready to be set up as a Bastion pair and that you have set the session.options.enableBastionOrchestrator system property to True in both Orchestrators. By default, this system property is set to False.
  • Ensure you have at least one Operator Super user created in the Production Orchestrator.

Procedure

  1. Configure one of the two Orchestrators as a Public Orchestrator.
    1. In a web browser, launch the Orchestrator application that needs to be configured as a Public Orchestrator, and log in as an Operator user.
    2. Click the Orchestrator tab.
      The Bastion Orchestrator Configuration page appears.
    3. Under Orchestrator Role, select Public Orchestrator for the Bastion Role and enter the following configuration details:
      • Private Orchestrator Address - The IP address of the Production Orchestrator.
      • Private Orchestrator UUID - A Universal Unique Identifier value that is specified in the vco.uuid System Property of the Production Orchestrator.
      • Private Orchestrator Source IP - The NATed Source IP address of the Production Orchestrator.
    4. Click MAKE PUBLIC to make the Orchestrator a Public Orchestrator.
    5. Click RECONFIGURE if you want to make any changes to the configuration details.
    6. Click LOG OUT if you want to log out of the Public Orchestrator.
  2. Configure the second Orchestrator as a Private Orchestrator.
    1. In a web browser, launch the Orchestrator application that needs to be configured as a Private Orchestrator, and log in as an Operator user.
    2. In the Orchestrator UI, click Orchestrator.
      The Bastion Orchestrator Configuration page appears.
    3. Under Orchestrator Role, select Private Orchestrator for the Bastion Role and enter the following configuration details:
      • Public Orchestrator Address - The IP address of the Public (Bastion) Orchestrator.
      • Public Orchestrator UUID - A Universal Unique Identifier value that is specified in the vco.uuid System Property of the Public Orchestrator.
      • Operator SuperUser - From the drop-down list, select an Operator Super user to be staged along with this Bastion configuration. Once the Bastion connection is established between the Public and Private Orchestrators, only the Operator Super user who is staged in this step will gain emergency access to the Public Orchestrator.
        Note: VMware SD-WAN allows you to stage only one Operator Super user to the Public Orchestrator during the Bastion configuration; however, for troubleshooting purposes, you can stage multiple Operator users to the Public Orchestrator after the Bastion is configured. To stage Operator users post-Bastion configuration, navigate to Administration > User Management > Users > Select a User > More > Stage to Bastion in the Production Orchestrator.
    4. Click TEST CONNECTIVITY to test the connection between Public and Private Orchestrators.
    5. Click MAKE PRIVATE.
      The connection between Public and Private Orchestrators is tested and if the connection is successful, the Bastion pairing is established between the two Orchestrators.
      Note: Unpairing of the Public Orchestrator from the Production Orchestrator (Return to Standalone Mode operation) is not supported in the 4.3.0 release.
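As an added pre-flight check that is not part of this documentation or of the product, the following Python cross-checks the values entered in steps 1.3 and 2.3 before you click TEST CONNECTIVITY: the system property is True on both sides, each side's configured peer UUID equals the other side's vco.uuid, the addresses parse as IP addresses, and exactly one Operator Super user is staged. The dictionary keys and sample values are constructed for the example; the product exposes no such structure here.

```python
import ipaddress
import uuid
# Constructed sample data, not the product's API: keys mirror the UI labels and
# system properties named in the procedure above.
PUBLIC_ORCH = {
    "vco.uuid": "8f9a3b3c-1a2d-4c0f-9e8b-0b7c1d2e3f40",
    "session.options.enableBastionOrchestrator": True,
    "private_orchestrator_address": "198.51.100.10",
    "private_orchestrator_uuid": "2c4e6a80-5b1d-4f3e-8a7c-9d0e1f2a3b4c",
    "private_orchestrator_source_ip": "203.0.113.25",
}
PRIVATE_ORCH = {
    "vco.uuid": "2c4e6a80-5b1d-4f3e-8a7c-9d0e1f2a3b4c",
    "session.options.enableBastionOrchestrator": True,
    "public_orchestrator_address": "192.0.2.40",
    "public_orchestrator_uuid": "8f9a3b3c-1a2d-4c0f-9e8b-0b7c1d2e3f40",
    "staged_users": [{"name": "ops-super", "role": "Operator Super user"}],
}

def _parses(parser, value):
    """True if parser (ipaddress.ip_address or uuid.UUID) accepts value."""
    try:
        parser(str(value))
        return True
    except ValueError:
        return False

def check_bastion_pair(public, private):
    """Return the list of problems found; an empty list means the inputs are consistent."""
    problems = []
    for label, orch in (("Public", public), ("Private", private)):
        if orch.get("session.options.enableBastionOrchestrator") is not True:
            problems.append(f"{label}: session.options.enableBastionOrchestrator is not True")
        if not _parses(uuid.UUID, orch.get("vco.uuid")):
            problems.append(f"{label}: vco.uuid is not a valid UUID")
    # Each side must name the other's vco.uuid, not its own or a stale value.
    if public.get("private_orchestrator_uuid") != private.get("vco.uuid"):
        problems.append("Public: Private Orchestrator UUID does not match the Production vco.uuid")
    if private.get("public_orchestrator_uuid") != public.get("vco.uuid"):
        problems.append("Private: Public Orchestrator UUID does not match the Bastion vco.uuid")
    for label, orch, key in (("Public", public, "private_orchestrator_address"),
                             ("Public", public, "private_orchestrator_source_ip"),
                             ("Private", private, "public_orchestrator_address")):
        if not _parses(ipaddress.ip_address, orch.get(key)):
            problems.append(f"{label}: {key} is not a valid IP address")
    # Only one Operator Super user can be staged during configuration (see the Note above).
    supers = [u for u in private.get("staged_users", []) if u.get("role") == "Operator Super user"]
    if len(supers) != 1:
        problems.append(f"Private: expected exactly one staged Operator Super user, found {len(supers)}")
    return problems
```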

Results

The Bastion Orchestrator configuration is complete, and both the Public and Private Orchestrators are configured as a Bastion pair. In the Bastion setup, only the configured Operator Super user can then access the Public Orchestrator in read-only mode.

What to do next

You can stage an Enterprise customer and Edges to Bastion Orchestrator. For steps, see Stage a SD-WAN Edge to Bastion Orchestrator.