External services include Active Directory, DHCP, DNS, NTP, an SMTP mail relay, an FTP server, certificate services, and a Windows host machine that serves as the entry point to the data center.

Active Directory

This validated design uses Microsoft Active Directory (AD) for authentication and authorization to resources within the rainpole.local domain. You must ensure a domain controller is available in each ROBO location.

Table 1. Requirements for the Active Directory Service

Active Directory configuration (domain rainpole.local): Contains the Domain Name System (DNS) server, time server, universal groups, and service accounts.

Active Directory users and groups: All user accounts and groups from the Active Directory Users and Groups documentation must exist in Active Directory before you install and configure the ROBO SDDC.

Active Directory connectivity: All Active Directory domain controllers must be reachable from all management components within the consolidated pod.

DHCP

This validated design requires Dynamic Host Configuration Protocol (DHCP) support for the configuration of the VTEP (VXLAN) VMkernel ports on the ESXi hosts.

Table 2. DHCP Requirements

DHCP server: The subnets and associated VLANs that provide IPv4 transport for the VTEP (VXLAN) VMkernel ports on the ESXi hosts must be configured for IPv4 address auto-assignment by using DHCP.

DNS

DNS is an important component for the operation of the ROBO SDDC.

Table 3. DNS Configuration Requirements

DNS host entries (domain rainpole.local): Reside in the rainpole.local domain. Configure the DNS zones with the following settings:

  • Dynamic updates for the zone set to Nonsecure and secure. Note that nonsecure dynamic updates let any host that can reach the DNS server register or overwrite records, including the names of management components; where nothing in the deployment depends on unauthenticated updates, set the zone to Secure only and rely on the statically created host records.

  • Zone replication scope for the domain set to All DNS servers in this forest.

  • Create all hosts listed in the DNS Names and IP Addresses in ROBO documentation.

If the DNS servers are configured correctly, every node of the validated design resolves forward by FQDN and in reverse by IP address.
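Configuring the rainpole.local zones as described above, as an added PowerShell example that is not part of the validated design documentation. It runs on an AD-integrated DNS server with the DnsServer module, and assumes a domain controller named dc01.rainpole.local, a management subnet of 172.16.11.0/24, and a small constructed host inventory; take the real names and addresses from the DNS Names and IP Addresses in ROBO documentation. The design's value for dynamic updates is Nonsecure and secure (NonsecureAndSecure); the example sets the hardened Secure value and notes the design's value in a comment, and then verifies forward and reverse resolution for every host.

```powershell
# Added example: configure the rainpole.local zones for the ROBO SDDC.
# Requires the DnsServer module (RSAT-DNS-Server) on an AD-integrated DNS server.
# Host names, addresses and the DNS server name below are constructed for
# illustration; use the values from the DNS Names and IP Addresses in ROBO documentation.
Import-Module DnsServer

$ZoneName  = 'rainpole.local'
$DnsServer = 'dc01.rainpole.local'      # assumed domain controller name

# Constructed inventory (hypothetical names and addresses).
$Hosts = @(
    @{ Name = 'robo01vc01';   IPv4 = '172.16.11.62' },
    @{ Name = 'robo01nsxm01'; IPv4 = '172.16.11.65' },
    @{ Name = 'ntp';          IPv4 = '172.16.11.253' }
)

# Forward zone. "All DNS servers in this forest" is -ReplicationScope Forest.
# The validated design specifies -DynamicUpdate NonsecureAndSecure; Secure is
# the hardened choice, because only authenticated domain members can then
# update records and an unauthenticated host cannot hijack a management FQDN.
if (-not (Get-DnsServerZone -Name $ZoneName -ComputerName $DnsServer -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $ZoneName -ReplicationScope Forest `
        -DynamicUpdate Secure -ComputerName $DnsServer
} else {
    Set-DnsServerPrimaryZone -Name $ZoneName -ReplicationScope Forest `
        -DynamicUpdate Secure -ComputerName $DnsServer
}

# Reverse zone for the management subnet so that PTR records can be created.
$ReverseNet  = '172.16.11.0/24'
$ReverseZone = '11.16.172.in-addr.arpa'
if (-not (Get-DnsServerZone -Name $ReverseZone -ComputerName $DnsServer -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -NetworkId $ReverseNet -ReplicationScope Forest `
        -DynamicUpdate Secure -ComputerName $DnsServer
}

# Static A records with matching PTR records. Static records are not touched
# by dynamic update clients, so they stay correct whatever the update setting.
foreach ($h in $Hosts) {
    $existing = Get-DnsServerResourceRecord -ZoneName $ZoneName -Name $h.Name -RRType A `
        -ComputerName $DnsServer -ErrorAction SilentlyContinue
    if (-not $existing) {
        Add-DnsServerResourceRecordA -ZoneName $ZoneName -Name $h.Name `
            -IPv4Address $h.IPv4 -CreatePtr -ComputerName $DnsServer
    }
}

# Verification: every node must resolve by FQDN and reverse-resolve to that FQDN.
foreach ($h in $Hosts) {
    $fqdn = "$($h.Name).$ZoneName"
    $fwd  = Resolve-DnsName -Name $fqdn   -Type A   -Server $DnsServer -ErrorAction SilentlyContinue
    $rev  = Resolve-DnsName -Name $h.IPv4 -Type PTR -Server $DnsServer -ErrorAction SilentlyContinue
    $ok   = ($fwd.IPAddress -contains $h.IPv4) -and
            (($rev.NameHost | ForEach-Object { $_.TrimEnd('.') }) -contains $fqdn)
    '{0,-28} {1,-16} {2}' -f $fqdn, $h.IPv4, $(if ($ok) { 'OK' } else { 'MISMATCH' })
}

# Report the zone's effective settings for the change record.
Get-DnsServerZone -Name $ZoneName -ComputerName $DnsServer |
    Select-Object ZoneName, DynamicUpdate, ReplicationScope
```

Run it with an account that holds DnsAdmins rights. A MISMATCH line means a node will resolve by FQDN or by IP address but not both, which is the condition the requirement above rules out.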

NTP

All components within the ROBO SDDC must be synchronized to a common time source by using the Network Time Protocol (NTP) on all nodes. Important components of the ROBO SDDC, such as vCenter Single Sign-On, are sensitive to time drift between distributed components; Kerberos authentication against Active Directory, for example, rejects requests from clients whose clocks differ from the domain controller's by more than 5 minutes by default. See Time Synchronization in ROBO.

Table 4. NTP Server Configuration Requirements

NTP: An NTP source, for example on a Layer 3 switch or router, must be available and reachable from all nodes of the ROBO SDDC.

Use the top of rack (ToR) switches, or the upstream physical router, as the NTP servers. These devices should themselves synchronize with different upstream NTP servers and provide time synchronization to all nodes within the ROBO SDDC.

As a best practice, make the NTP servers available under a friendly FQDN, for example, ntp.rainpole.local.
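Pointing every ESXi host in the ROBO pod at the NTP FQDN suggested above and then measuring the resulting clock skew, as an added PowerCLI example that is not part of the validated design. It assumes the VMware.PowerCLI module, a vCenter Server named robo01vc01.rainpole.local (hypothetical), and ntp.rainpole.local as the single NTP source; it flags any host more than 5 minutes from the workstation's clock, the default Kerberos tolerance that vCenter Single Sign-On and Active Directory authentication depend on.

```powershell
# Added example: enforce and verify NTP on all ESXi hosts of the ROBO pod.
# Requires VMware.PowerCLI. The vCenter name is hypothetical; the NTP FQDN is
# the one suggested by the design.
Import-Module VMware.PowerCLI

$VCenter    = 'robo01vc01.rainpole.local'   # hypothetical vCenter Server FQDN
$NtpServers = @('ntp.rainpole.local')        # friendly NTP FQDN from the design
$MaxSkew    = [TimeSpan]::FromMinutes(5)     # Kerberos default clock skew tolerance

Connect-VIServer -Server $VCenter | Out-Null

foreach ($esx in Get-VMHost) {
    # Replace any stale NTP sources with the design's servers.
    $current = @(Get-VMHostNtpServer -VMHost $esx)
    foreach ($s in $current) {
        if ($NtpServers -notcontains $s) {
            Remove-VMHostNtpServer -VMHost $esx -NtpServer $s -Confirm:$false
        }
    }
    foreach ($s in $NtpServers) {
        if ($current -notcontains $s) {
            Add-VMHostNtpServer -VMHost $esx -NtpServer $s | Out-Null
        }
    }

    # Allow outbound NTP through the host firewall, start ntpd, and make it
    # start with the host.
    Get-VMHostFirewallException -VMHost $esx -Name 'NTP Client' |
        Set-VMHostFirewallException -Enabled $true | Out-Null
    $ntpd = Get-VMHostService -VMHost $esx | Where-Object { $_.Key -eq 'ntpd' }
    Set-VMHostService -HostService $ntpd -Policy On | Out-Null
    Restart-VMHostService -HostService $ntpd -Confirm:$false | Out-Null

    # Compare the host clock with this workstation's clock, both in UTC.
    # The workstation must itself be NTP-synchronized for the result to be meaningful.
    $dts     = Get-View $esx.ExtensionData.ConfigManager.DateTimeSystem
    $hostNow = $dts.QueryDateTime()
    if ($hostNow.Kind -eq 'Unspecified') {
        $hostNow = [DateTime]::SpecifyKind($hostNow, 'Utc')   # API returns UTC
    }
    $skew  = $hostNow.ToUniversalTime() - [DateTime]::UtcNow
    $state = if ([Math]::Abs($skew.TotalSeconds) -gt $MaxSkew.TotalSeconds) { 'DRIFT' } else { 'OK' }
    '{0,-30} skew {1,8:N1}s  {2}' -f $esx.Name, $skew.TotalSeconds, $state
}

Disconnect-VIServer -Server $VCenter -Confirm:$false
```

A host reported as DRIFT immediately after ntpd restarts may simply not have stepped its clock yet; rerun the check after a few minutes, and investigate any host that stays out of tolerance, since it will fail to authenticate to the domain and to vCenter Single Sign-On.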

SMTP Mail Relay

Certain components of the SDDC send status messages to operators and end users by email.

Table 5. SMTP Server Requirements

SMTP mail relay: An open mail relay, one that does not require user name and password authentication, must be reachable from each ROBO SDDC component over plain SMTP (no SSL/TLS encryption). Because the relay neither authenticates clients nor encrypts traffic, restrict the relay function to the IP range of the ROBO SDDC deployment and do not expose it to untrusted networks; otherwise anyone who can reach it can send mail that appears to originate from the SDDC.
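The relay above is unauthenticated and unencrypted by requirement, so the source IP restriction is the only control on it and must be verified. The following added PowerShell function, which is not part of the validated design, performs the relay test a penetration tester would run: it speaks SMTP directly to the relay, asks it to accept a message for a recipient outside the organization, and reports whether the relay agrees (a 2xx reply to RCPT TO) or refuses (a 5xx reply), without queuing any mail. Run it once from a host inside the ROBO SDDC IP range, where it should report True, and once from outside that range, where it must report False. The relay name and mailboxes are placeholders.

```powershell
# Added example: test whether an SMTP relay will carry mail for an external
# recipient from the address this script runs on. Relay host and mailboxes are
# hypothetical; substitute the ROBO relay and a real domain you do not own.
function Test-SmtpRelay {
    param(
        [Parameter(Mandatory)] [string] $Server,
        [int]    $Port      = 25,
        [string] $From      = 'sddc-monitor@rainpole.local',
        [string] $To        = 'relaytest@example.com',   # recipient outside rainpole.local
        [int]    $TimeoutMs = 10000
    )

    $client = New-Object System.Net.Sockets.TcpClient
    $client.ReceiveTimeout = $TimeoutMs
    $client.SendTimeout    = $TimeoutMs
    $client.Connect($Server, $Port)
    $stream = $client.GetStream()
    $reader = New-Object System.IO.StreamReader($stream)
    $writer = New-Object System.IO.StreamWriter($stream)
    $writer.NewLine   = "`r`n"
    $writer.AutoFlush = $true

    # Reads one SMTP reply, skipping "250-..." continuation lines, and returns
    # the three-digit reply code of the final line.
    function Read-Reply {
        do {
            $line = $reader.ReadLine()
            if ($null -eq $line) { throw "Connection closed by $Server" }
        } while ($line.Length -ge 4 -and $line[3] -eq '-')
        return [int]($line.Substring(0, 3))
    }
    function Send-Command([string] $cmd) {
        $writer.WriteLine($cmd)
        return Read-Reply
    }

    try {
        $banner = Read-Reply
        if ($banner -ne 220) { throw "Unexpected banner code $banner" }
        if ((Send-Command 'EHLO relaytest.rainpole.local') -ne 250) { throw 'EHLO rejected' }
        if ((Send-Command "MAIL FROM:<$From>") -ne 250)              { throw 'MAIL FROM rejected' }
        $rcpt = Send-Command "RCPT TO:<$To>"
        # 2xx here means the relay accepts an outside recipient from this client
        # address. RSET aborts the transaction so nothing is actually sent.
        Send-Command 'RSET' | Out-Null
        Send-Command 'QUIT' | Out-Null
        [pscustomobject]@{
            Relay       = $Server
            Client      = $client.Client.LocalEndPoint.Address.ToString()
            RcptToCode  = $rcpt
            RelaysForUs = ($rcpt -ge 200 -and $rcpt -lt 300)
        }
    }
    finally {
        $reader.Dispose(); $writer.Dispose(); $client.Close()
    }
}

# Inside the ROBO SDDC range RelaysForUs should be True; from any other network
# it must be False (typically a 550 or 554 reply to RCPT TO).
Test-SmtpRelay -Server 'smtp.rainpole.local'
```

Because the relay does not authenticate, a True result from any address outside the SDDC range means the relay is open and can be used to send spoofed mail; tighten the relay's allowed-client list before the SDDC components are configured to use it.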

Certificate Authority

Most components of the ROBO SDDC require SSL/TLS certificates for secure operation. The certificates must be signed by an internal enterprise Certificate Authority (CA) or by a third-party commercial CA. In either case, the CA must be able to sign a Certificate Signing Request (CSR) and return the signed certificate. All endpoints within the enterprise must also trust the root certificate of the issuing CA chain.

Table 6. CA Requirements for Signing Certificates of Management Applications

Certificate Authority: The CA must be able to ingest a Certificate Signing Request (CSR) from the ROBO SDDC components and issue a signed certificate.

For this validated design, use the Microsoft Active Directory Certificate Services Enterprise CA available in Windows Server 2012 R2, installed on a root domain controller. The domain controller must be configured with the Certification Authority and the Certification Authority Web Enrollment role services. Note that Windows Server 2012 R2 reached the end of extended support in October 2023; a current deployment should use a supported Windows Server release, on which the same role services apply. Co-locating the CA with a domain controller also means that a compromise of the domain controller exposes the CA signing key, so protect that key accordingly.
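Installing the two role services named above, configuring the enterprise root CA, and then signing a component's CSR, as an added PowerShell example that is not the validated design's own procedure. It assumes a CA server named dc01.rainpole.local and a CA name of rainpole-DC01-CA (both hypothetical), a CSR file exported from a component at a placeholder path, and the built-in Web Server template; key length, SHA-256 signing and validity are set explicitly instead of relying on the installer's defaults, and the issued certificate is checked to chain back to the root certificate that every endpoint must trust.

```powershell
# Added example: install the Enterprise root CA and Web Enrollment role
# services, then sign a CSR from an SDDC component. Names and paths are
# hypothetical. Run on the server that will host the CA, as an Enterprise Admin.
$CaHost   = 'dc01.rainpole.local'
$CaName   = 'rainpole-DC01-CA'
$CaConfig = "$CaHost\$CaName"              # "-config" string for certreq/certutil

# 1. Role services: Certification Authority and Certification Authority Web Enrollment.
Install-WindowsFeature -Name ADCS-Cert-Authority, ADCS-Web-Enrollment `
    -IncludeManagementTools | Out-Null

# 2. Configure an enterprise root CA. Set the key and signature parameters
#    explicitly so they do not depend on the installer's defaults.
Install-AdcsCertificationAuthority -CAType EnterpriseRootCA `
    -CACommonName $CaName `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 4096 -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 10 -Force
Install-AdcsWebEnrollment -Force

# 3. Sign a CSR produced by a component (placeholder path) with the built-in
#    Web Server template, and export the root certificate that every endpoint
#    in the enterprise must trust.
$Csr  = 'C:\certs\robo01vc01.csr'
$Cert = 'C:\certs\robo01vc01.cer'
$Root = 'C:\certs\rainpole-root.cer'

certreq -submit -config $CaConfig -attrib 'CertificateTemplate:WebServer' $Csr $Cert
certutil -config $CaConfig -ca.cert $Root | Out-Null

# 4. Verify: the issued certificate must be signed with SHA-256 and chain to
#    the exported root. Revocation is skipped because the CRL may not be
#    published yet; AllowUnknownCertificateAuthority lets the chain build on a
#    machine that does not yet trust the root, and the thumbprint check below
#    pins the chain to the intended root anyway.
$issued = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Cert
$rootCa = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Root
$chain  = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.ExtraStore.Add($rootCa) | Out-Null
$chain.ChainPolicy.RevocationMode    = 'NoCheck'
$chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
$built       = $chain.Build($issued)
$chainThumbs = $chain.ChainElements | ForEach-Object { $_.Certificate.Thumbprint }

[pscustomobject]@{
    Subject            = $issued.Subject
    Issuer             = $issued.Issuer
    SignatureAlgorithm = $issued.SignatureAlgorithm.FriendlyName
    NotAfter           = $issued.NotAfter
    ChainsToRoot       = $built -and ($chainThumbs -contains $rootCa.Thumbprint)
}
```

ChainsToRoot must be True and SignatureAlgorithm should read sha256RSA before the certificate is installed on the component; distribute the exported root certificate to all endpoints, for example through the domain's Trusted Root Certification Authorities group policy.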

FTP Server

Dedicate space on a remote FTP server to save data backups for the NSX Manager instances.

Table 7. FTP Server Requirements

FTP server: Space for NSX Manager backups must be available on an FTP server. The server must support SFTP and FTP; configure NSX Manager to use SFTP, because plain FTP transmits the credentials and the backup contents, which include the NSX configuration, in cleartext. The NSX Manager instances must be able to connect to the remote server.

Windows Host Machine

Provide a Microsoft Windows virtual machine or physical server that serves as the entry point to the data center.

Table 8. Requirements for a Windows Host Machine

Windows host machine: A Microsoft Windows virtual machine or physical server must be available to provide a connection to the data center and to store software downloads. The host must be connected to the external network and to the ESXi management network. Because it bridges the two networks, treat it as a privileged jump host and restrict who can log on to it.