
VMware SD-WAN Partner Guide
VMware SD-WAN 5.1

You can find the most up-to-date technical documentation on the VMware website at:

https://docs.vmware.com/

VMware, Inc.
3401 Hillview Ave.
Palo Alto, CA 94304
www.vmware.com

© Copyright 2022 VMware, Inc. All rights reserved. Copyright and trademark information.

VMware, Inc. 2
Contents

1 About VMware SD-WAN Partner Guide 7

2 What's New 8

3 Introduction 10

4 Supported Browsers 11

5 Log in to SD-WAN Orchestrator using SSO for Partner User 12

6 Monitor Partner Customers 14

7 Manage Partner Customers 16


Create New Partner Customer 17
Clone a Partner Customer 22
Activate Analytics for a New Customer 25
Activate Analytics for an Existing Customer 26
Activate Self-Healing for a New Customer 26
Activate Self-Healing for an Existing Customer 28
Configure Customers 29
Configure Service Access 35
Configure Partner Handoff 37
Configure Partner Customers with New Orchestrator UI 43
Configure Hand Off 52
Manage Partner Customers with New Orchestrator UI 57
Create New Partner Customer with New Orchestrator UI 59

8 Monitor Events 67

9 Manage Partner Admin Users 70


Create New Partner Admin 70
Configure Partner Admin Users 71

10 Roles 75
Functional Roles 75
Composite Roles 75
Manage Composite Roles 76
Create New Composite Roles 78


Role Customization 80
Create New Customized Package 81
Upload Customized Package 85
Monitor Role Customization Events 86
List of Functional Role Privileges 86

11 User Management - Partner 90


Users 91
Add New User 92
Roles 94
Add Role 97
Service Permissions 99
New Permission 102
Authentication 104
Configure Azure Active Directory for Single Sign On 109
Configure Okta for Single Sign On 115
Configure OneLogin for Single Sign On 119
Configure PingIdentity for Single Sign On 123
Configure VMware CSP for Single Sign On 125

12 View Partner Information 129


View Partner Information with New Orchestrator UI 130

13 Partner Settings 131


Configure Partner Information 131
Configure Partner Authentication 132
Overview of Single Sign On 133
Configure Single Sign On for Partner User 134
Configure an IDP for Single Sign On 137

14 Edge Licensing 158


Manage Edge Licenses for Customers 159
Generate an Edge Licensing Report 160
Edge Licensing with New Orchestrator UI 161
Manage Edge Licenses for Customers with New Orchestrator UI 162

15 Edge Management with New Orchestrator UI 165

16 Access SD-WAN Edges Using Key-Based Authentication 168


Add SSH Key 169
Revoke SSH Keys 170


Enable Secure Edge Access for an Enterprise 170


Secure Edge CLI Commands 171
Sample Outputs 174

17 Manage Gateway Pools and Gateways 177


Manage Gateway Pools 177
Create New Gateway Pool 178
Clone a Gateway Pool 179
Configure Gateway Pools 180
Manage Gateway Pools with New Orchestrator UI 182
Create New Gateway Pool with New Orchestrator UI 185
Clone a Gateway Pool with New Orchestrator UI 186
Configure Gateway Pools with New Orchestrator UI 187
Manage Gateways 190
Create New Gateway 192
Configure Gateways 194
Monitor Gateways 199
Manage Gateways with New Orchestrator UI 201
Create New Gateway with New Orchestrator UI 203
Configure Gateways with New Orchestrator UI 206
Monitor Gateways with New Orchestrator UI 212
SD-WAN Gateway Migration 214
SD-WAN Gateway Migration - Limitations 216
Migrate Quiesced Gateways 216
What to do When Switch Gateway Action Fails 218
Run Diagnostics for Gateways 218
Diagnostic Bundles for Gateways with New Orchestrator UI 220
Request Diagnostic Bundles for Gateways with New Orchestrator UI 220
Request Packet Capture Bundle for Gateways with New Orchestrator UI 223

18 Activate SD-WAN Edges Using Zero Touch Provisioning 226


Sign-Up for Zero Touch Provisioning 226
Assign Edges to Customers 227
Reassign an Edge to Another Customer 228

19 Activate SD-WAN Edges using Edge Auto-activation with New Orchestrator UI 230
Sign-Up for Edge Auto-activation with New Orchestrator UI 230
Assign Edges to Customers with New Orchestrator UI 231
Reassign an Edge to Another Customer with New Orchestrator UI 233

20 Activate SD-WAN Edges Using Email 234


Send an Activation Email 234


Activate an Edge Device 236
Edge Activation using an iOS Device and an Ethernet Cable 237
Edge Activation using an Android Device and an Ethernet Cable 240

21 Request RMA Reactivation 243


Request RMA Reactivation Using Zero Touch Provisioning 243
Request RMA Reactivation Using Email 244

22 Install VMware Partner Gateway 246


Installation Overview 246
Minimum Hypervisor Hardware Requirements 247
SD-WAN Gateway Installation Procedures 252
Pre-Installation Considerations 253
Install SD-WAN Gateway 260
Post-Installation Tasks 275
Upgrade SD-WAN Gateway 283
Custom Configurations 284
NTP Configuration 284
OAM Interface and Static Routes 284
OAM - SR-IOV with vmxnet3 or SR-IOV with VIRTIO 286
Special Consideration When Using 802.1ad Encapsulation 287
SNMP Integration 287
Custom Firewall Rules 292

23 VMware Partner Gateway Upgrade and Migration 3.3.2 or 3.4 to 4.0 294

1 About VMware SD-WAN Partner Guide

The VMware SD-WAN™ (formerly known as VMware SD-WAN™ by VeloCloud®) Partner Guide
provides information about VMware SD-WAN Orchestrator, including how to configure and
manage Customers who use the Orchestrator.

Intended Audience
This guide is intended for IT Partners of SD-WAN Orchestrator who are familiar with
networking configurations and SD-WAN operations.

Beginning with Release 4.4.0, VMware SD-WAN is offered as part of VMware SASE. To access
SASE documentation for Cloud Web Security and Secure Access, along with Release Notes for
version 4.4.0 and later, see VMware SASE.

Here's a quick walkthrough of the user journey as a Partner super user:

1 Install SD-WAN Orchestrator

2 Configure SD-WAN Orchestrator Disaster Recovery

3 Install VMware Partner Gateway

4 Configure Partner Settings

5 Configure Partner Administrator

6 Configure Customers

7 Configure Profiles

8 Manage Edge Licensing

9 Activate Edges

10 Configure Gateways and Gateway Pools

11 Monitor Customers

12 Monitor and Troubleshoot Gateways

2 What's New
What's New in Version 5.1.0

Feature: Configure MSP Users for Self-Healing Capabilities
Description: The Self-Healing feature enables VMware SD-WAN Managed Service Provider (MSP)
users to activate and configure Self-Healing capabilities at the Customer level. See Activate
Self-Healing for a New Customer and Activate Self-Healing for an Existing Customer.

Feature: Features/UI Pages Migrated to New Orchestrator UI
Description: You can now configure the following existing features using the New Orchestrator UI:
n View Partner Information with New Orchestrator UI
n Manage Gateways with New Orchestrator UI
n Manage Gateway Pools with New Orchestrator UI
n Request Diagnostic Bundles for Gateways with New Orchestrator UI
n Request Packet Capture Bundle for Gateways with New Orchestrator UI
n Configure Partner Customers with New Orchestrator UI
n Manage Partner Customers with New Orchestrator UI
n Chapter 11 User Management - Partner
n Edge Licensing with New Orchestrator UI
n Chapter 19 Activate SD-WAN Edges using Edge Auto-activation with New Orchestrator UI

Feature: Support for Unified Administration of Orchestrator Services
Description: User management and global settings that are shared across all Orchestrator
services are separated out from the SD-WAN service and grouped under Global Settings &
Administration. This allows users to use any Orchestrator service in standalone mode. See
Create New Composite Roles and Manage Composite Roles.

Feature: Platform and Modem Firmware Updates
Description: Support for updating the Platform and Modem Firmware images is available for the
following Edge device models:
n Platform Firmware images for 6X0 Edge device models and 3X00 Edge device models
(3400/3800/3810).
n Modem Firmware images for 510-LTE (Edge 510LTE-AE, Edge 510LTE-AP) and 610-LTE
(Edge 610LTE-AM, Edge 610LTE-RW).
For more information, see Create New Partner Customer.

For a complete list of new and updated sections to the documentation for Administrators, see
VMware SD-WAN Administration Guide.


Previous VMware SD-WAN Versions


To get product documentation for previous VMware SD-WAN versions, contact your VMware
representative.

3 Introduction
As a Partner user, you can configure and manage the following:

n Partner Admin Users

n Partner Events

n Partner Settings

n Partner Authentication

n Enterprise Customers

Refer to the VMware SD-WAN Administration Guide to become familiar with the core functions of
VMware SD-WAN used by an Enterprise IT Administrator for a customer.

4 Supported Browsers
The SD-WAN Orchestrator supports the following browsers:

Browser           Qualified Browser Version
Google Chrome     77 - 79.0.3945.130
Mozilla Firefox   69.0.2 - 72.0.2
Microsoft Edge    42.17134.1.0 - 44.18362.449.0
Apple Safari      12.1.2 - 13.0.3

Note For the best experience, VMware recommends Google Chrome or Mozilla Firefox.

Note Starting from VMware SD-WAN version 4.0.0, the support for Internet Explorer has been
deprecated.

5 Log in to SD-WAN Orchestrator using SSO for Partner User
Describes how to log in to SD-WAN Orchestrator using Single Sign On (SSO) as a Partner user.

Prerequisites

n Ensure you have configured the SSO authentication in SD-WAN Orchestrator. For more
information, see Configure Single Sign On for Partner User.

n Ensure you have set up roles, users, and OIDC application for the SSO in your preferred IDPs.
For more information, see Configure an IDP for Single Sign On.

Procedure

1 In a web browser, launch the SD-WAN Orchestrator application as a Partner user.

The VMware SD-WAN Operations Console screen appears.

2 Click Sign In With Your Identity Provider.


3 In the Enter your Organization Domain text box, enter the domain name used for the SSO
configuration and click Sign In.

The IDP configured for the SSO authenticates the user and redirects the user to the
configured SD-WAN Orchestrator URL.

Note
n Once the users log in to the SD-WAN Orchestrator using the SSO, they are not allowed to
log in again as native users.

n The user can navigate to the Classic UI by clicking the Open Classic Orchestrator option
located at the top right of the UI screen.

6 Monitor Partner Customers
As a Partner User, you can monitor the status of your Customers along with the Edges
connected to the Customers.

In the Partner portal, click Monitor Customers.

This screen shows the Edges and Links for all customers managed by this Partner. Selections can
be made to control the interval for updating the information.

In the Refresh Interval, you can either pause the monitoring or choose the time interval to refresh
the monitoring status.

The Monitor Customers page displays the following details:

Customers:

n Customers managed by the Partner.

n Number of Customers that are UP, DOWN, and UNACTIVATED. Click the number to view the
corresponding Customer details in the bottom panel.

n In the bottom panel, click the link to the Customer name to navigate to the Enterprise portal,
where you can view and configure other settings corresponding to the selected customer.
For more information see the VMware SD-WAN Administration Guide.

Edges:

n Edges associated with the Customers.

n Number of Edges that are DOWN, DEGRADED, CONNECTED, and UNACTIVATED. Click the
number to view the corresponding details of the Edges in the bottom panel.


n In the bottom panel, place the mouse cursor on the Down Arrow displayed next to the
number of Edges, to view the details of each Edge. Click the link to the Edge name to
navigate to the Enterprise Monitoring portal, where you can view more details corresponding
to the selected Edge. For more information see the VMware SD-WAN Administration Guide.

You can also view the Customers and associated Edges using the new Orchestrator UI.

The new Orchestrator UI does not provide the option for Auto Refresh. You can refresh the
Window manually to view the current data.

7 Manage Partner Customers
As a Partner Super user, you can manage the Partner Customers, configure the customer
capabilities and other customer settings using the Manage Customers tab in the Partner portal.

In the Partner portal, click Manage Customers > Actions to perform the following activities.

n New Customer: Creates a new customer. See Create New Partner Customer.

n Clone Customer: Creates a new customer, by cloning the existing configurations from the
selected customer. See Clone a Partner Customer.

n Modify Customer: Navigates to the System Settings in the Enterprise portal, where you
can configure other settings corresponding to the selected customer. You can also click a
customer name to navigate to the Enterprise portal. For more information see the VMware
SD-WAN Administration Guide.
n Delete Customer: Deletes the selected customers. Ensure that you have removed all the
Edges associated with the selected customer before deleting the customer.

n Support Email: Selected Customer: Sends customer support messages to the selected
customer.

n Assign software image: Adds a software image for the selected customers.

Note This option is available only for Partner Customers with Edge Image Management
feature-enabled.

n Update Edge Image Management: Allows you to activate or deactivate the Edge Image
Management feature for the selected customers.

n Update Customer Alerts: Allows you to activate or deactivate the alerts for the selected
customers.

n Export All Customers: Exports the details of all the customers in the Partner portal to a CSV
file. The default separator used is comma (,) and you can choose to edit the separator to any
other special character.

n Export Customer Edge Inventory: Exports the inventory details of all the Edges associated
with all the customers to a CSV file. The default separator used is comma (,) and you can
choose to edit the separator to any other special character.

This chapter includes the following topics:


n Create New Partner Customer

n Clone a Partner Customer

n Activate Analytics for a New Customer

n Activate Analytics for an Existing Customer

n Activate Self-Healing for a New Customer

n Activate Self-Healing for an Existing Customer

n Configure Customers

n Configure Partner Customers with New Orchestrator UI

n Manage Partner Customers with New Orchestrator UI

Create New Partner Customer


In the Partner portal, you can create Partner customers and configure the customer settings.

Only Partner Super Users and Partner Standard Admins can create a new Partner customer.

Note An Operator Super user can temporarily deactivate creating new customers by setting
the system property session.options.disableCreateEnterprise to True. If this property is set to
True, the Partner Superusers and Partner Standard Admins cannot create new customers. If you
are not able to create a customer, contact your Operator to enable the option.

In the Partner portal, navigate to Manage Customers.

1 In the Customers page, click New Partner Customer or click Actions > New Customer.

2 In the New Customer window, enter the following details. You can also choose the Clone
from Customer option to clone the configurations from an existing customer. For more
information, see Clone a Partner Customer.


Customer Information

Company Name: Enter your company name.

Domain: Enter the domain name of your company.

Account Number: Enter a unique identifier for the customer.

Partner Support Access: This option is selected by default and grants access to the Partner's
Support team to view, configure, and troubleshoot the Edges connected to the customer. For
security reasons, the Support cannot access or view the user identifiable information.

VeloCloud Support Access: This option is selected by default and grants access to the VMware
Support to view, configure, and troubleshoot the Edges connected to the customer. For security
reasons, the Support cannot access or view the user identifiable information.

VeloCloud User Management Access: Select the checkbox to enable the VMware Support to assist
in user management. The user management includes options to create users, reset passwords, and
configure other settings. In this case, the Support has access to user identifiable information.

Street Address, City, State, Country, ZIP/Postcode: Enter the relevant address details in the
respective fields.

Initial Admin Account

Username: Enter the user name in the [email protected] format.

Password: Enter a password for the Administrator.

Confirm: Re-enter the password.

First Name, Last Name, Phone, Mobile Phone: Enter the details like name and phone number in
the appropriate fields.

Contact Email: Enter the Email address. The alerts on service status are sent to this Email
address.

Customer Configuration
As a Partner Super user, you can manage the software images assigned to a Partner Customer
directly by selecting the relevant Image from the Software Images drop-down list.

You can allow a Partner Customer's Super user to manage the available list of software images
for the customer by enabling Manage Software Image.

Manage Software Image: Select the checkbox if you want to allow a Partner Customer's Super
user to manage the software images available for the customer.

Note If Manage Software Image is not enabled, then you will be able to assign only one
software image to the Partner Customer.

Software/Firmware Images: Click Add and in the Select Software/Firmware Images pop-up window,
select and assign the software/firmware images from the available list for a Partner Customer
and select an image to be used as default.

Note The 5.1.0 release supports functionality to update and manage Factory Default and
Platform and Modem Firmware for the following Edge devices:
n Firmware Platform images for 6X0 Edge device models and 3X00 Edge device models
(3400/3800/3810)
n Firmware Modem images for 510-LTE (Edge 510LTE-AE, Edge 510LTE-AP) and 610-LTE
(Edge 610LTE-AM, Edge 610LTE-RW)
n Factory images for all physical SD-WAN Edge devices

For more information about Firmware, see the following sections in the VMware SD-WAN Operator
Guide: Firmware and Software Images with New Orchestrator UI and Manage Operator Profiles.

Note This field appears when you enable Manage Software Image.

After adding the images, you can modify the assigned list of software images to the enterprise
by clicking Modify under Software Images.

Note You can remove an image assigned to a customer only if the image is not currently used by
any edge within the Partner Customer.
Service Configuration
You can choose the services that the customer can access along with the roles and permissions
available for the selected service.

Note If this section is not available for you, contact your Operator.

n SD-WAN - The customer can access the SD-WAN services. When you select this service, the
following option is available:

Edge Licensing: Click Add and in the Select Edge Licenses pop-up window, select and assign the
edge licenses from the available list for the Partner Customer.

Note This option is available only when Edge Licensing is enabled for the Partner user.

After adding the licenses, you can click Modify to add or remove the licenses.

Note The license types can be used on multiple Edges. It is recommended to provide your
customers with access to all types of licenses to match their edition and region. For more
information, see Chapter 14 Edge Licensing.

n Edge Network Intelligence – You can select this option only when SD-WAN is selected.
When you select this service, the Edge Network Intelligence Configuration is available. Enter
the maximum number of Edges that can be provisioned as Analytics Edges in the Nodes field.
By default, Unlimited is selected.

Note This option is available only when the Analytics feature is enabled on your SD-WAN
Orchestrator.

n Cloud Web Security – You can select this service only when a SASE PoP Gateway Pool is
selected. Cloud Web Security is a cloud hosted service that protects users and infrastructure
accessing SaaS and Internet applications. For more information, see the VMware Cloud Web
Security Configuration Guide.
n Secure Access – You can select this service only when a SASE PoP Gateway Pool is selected.
Secure Access solution combines the VMware SD-WAN and Workspace ONE services to
provide a consistent, optimal, and secure cloud application access through a network of
worldwide managed service nodes. For more information, see the VMware Secure Access
Configuration Guide.
n Global Settings - By default, Global Settings is selected. This Service Configuration provides
privileges for user management and settings that are shared across all services. You can
choose the services that the customer can access along with the Global Settings (roles and
permissions).

Configure the following in the General Configuration section:

Domain: Enter the domain name to be used to enable Single Sign-On (SSO) Authentication for the
Orchestrator. This is also required to activate Edge Network Intelligence for the customer.

Gateway Pool: Select an existing Gateway pool from the drop-down list. For more information on
Gateway pools, see Manage Gateway Pools.

Click Create.

The new customer name is displayed in the Customers page. You can click the customer
name to navigate to the Enterprise portal and add configurations to the customer. For more
information, see Configure Customers and the Enterprise Administration section of the VMware
SD-WAN Administration Guide available at https://docs.vmware.com/en/VMware-SD-WAN/index.html.

Clone a Partner Customer


You can clone the configurations from an existing Partner customer and create a new Partner
customer with the cloned settings.

Only Partner Super Users and Partner Standard Admins can clone a Partner customer.

By default, the following configurations are cloned from the selected customer:

n Enterprise configuration profiles

n Enterprise network services and objects like:

n DNS services

n Private network names

n Network Segments

n Edge authentication scheme

n Address groups and Port groups

You cannot clone an enterprise if it consists of the following:

n Profile with Edge references like hubs, clusters, and so on

n Profile containing Partner Gateway References

n Cloud Security Service enabled

n Non SD-WAN Destinations

n VNF or VNF licenses

n Authentication services

n NetFlow objects like collectors or filters

In the Partner portal, navigate to Manage Customers.

1 In the Customers page, select the customer you want to clone, and then click Actions > Clone
Customer.

2 In the New Customer window, enter the following details. You can also choose the New
Customer option to create a new customer without cloning the configurations from the
selected customer. See Create New Partner Customer.


3 Under Clone Configuration, you can configure the following details.

Table 7-1. Clone Configuration

Template Customer: By default, the selected customer is considered for the cloning purpose. If
required, you can choose a different customer from the drop-down list. If a customer or
enterprise does not meet the appropriate cloning conditions, as listed at the beginning of this
section, then it is not available in the drop-down list. This list displays only the names of
customers that can be cloned.

Additional Clone Attributes: In addition to the default cloned configurations, you can select
the following settings to be cloned, as required:
n Security Policy
n Alert Configuration
n Global Routing Preferences
n IAAS Subscriptions

4 Enter the Customer Information and Initial Admin Account details, as described in Create
New Partner Customer.

5 In the Customer Configuration section, the Software Image details are cloned from the
selected customer. If needed, you can modify the cloned configuration settings.

6 In the Service Configuration section, the configurations are cloned from the selected
customer. You can modify the parameters as required.

7 Click Create.

The new customer name is displayed in the Customers page. The customer is already
configured with the cloned settings. You can click the customer name to navigate to the
Enterprise portal and add or modify the configurations. For more information about customer
configurations and settings, see VMware SD-WAN Administration Guide available at VMware
SD-WAN Documentation.

Activate Analytics for a New Customer


When creating a new SD-WAN Partner customer, VMware SD-WAN Orchestrator allows Partner
Super Users and Partner Standard Admins to activate the Analytics functionality for the
customer. Analytics helps to collect data from different vantage points for each application
flow, which includes wireless controller, LAN switch, network services, VMware SD-WAN Edge,
VMware SD-WAN Hub, VMware SD-WAN Gateway, and application performance metrics. For
more information, see VMware Edge Network Intelligence Configuration Guide.

To activate Analytics for a new customer, see Create New Partner Customer.

Prerequisites

For configuring the system properties, contact your Operator Super User.

Results

The new customer's name is displayed in the Customers screen. You can click on the customer
name to navigate to the Enterprise portal and add or modify Analytics configurations for the
customer.

Activate Analytics for an Existing Customer


VMware SD-WAN Orchestrator allows Partner Super Users and Partner Standard Admins to
activate Analytics for an existing Enterprise customer.

To activate Analytics for an existing customer, see Configure Service Access.

Prerequisites

Ensure that your Operator has setup the required system properties to activate Analytics.

Results

Analytics is activated for the selected customer. You can click on the customer name to navigate
to the Enterprise portal and add or modify Analytics configurations for the customer.

Activate Self-Healing for a New Customer


Self-Healing feature enables VMware SD-WAN Enterprise and Managed Service Provider (MSP)
users to activate and configure Self-Healing capabilities at the Customer, Profile, and Edge level.

To activate Self-Healing at the Customer level, ensure you have the following prerequisites:

n The VMware Edge Network Intelligence (Analytics) service is activated on the VMware SD-
WAN Orchestrator. For more information on how to activate the ENI service on SD-WAN
Orchestrator, contact your Operator Super User.

n The SD-WAN Orchestrator must be on 5.0.1.0 and the SD-WAN Edges must be running
a minimum of 4.3.1 code. You can review the software image installed on each edge by
navigating to Configure > Edges. The table on the Edges page will have a column that
displays Software version of Edge per customer.

When creating a new SD-WAN Partner customer, VMware SD-WAN Orchestrator allows Partner
Super Users and Partner Standard Admins to activate the Self-Healing functionality for the
customer.

To activate Self-Healing for a new customer, perform the following steps:

1 Log in to the SD-WAN Orchestrator as a Partner user.

2 Navigate to Customers & Partners > Manage Customers, and then click New Customer.

The New Customer page appears.

3 Enter all the mandatory Customer information and Administrative account details and click
Next.

4 Under Services > Secure Access, select the SD-WAN and Edge Network Intelligence (ENI)
services that the Customer can access along with the roles and permissions available for the
selected service.

5 Under the Edge Network Intelligence service section, select the Self Healing checkbox to
allow ENI to provide remediation recommendations to improve application performance.
By default, the Self-Healing feature is not activated for a customer. For more information,
see the Self-Healing Overview section in the VMware Edge Network Intelligence User Guide
published at https://docs.vmware.com/en/VMware-Edge-Network-Intelligence/index.html.

Note You can activate this service only when SD-WAN service is turned on.

Note This option is available only when the Analytics feature is enabled on your SD-WAN
Orchestrator. For more information, see the “Enable VMware Edge Network Intelligence
on a VMware SD-WAN Orchestrator” section in the VMware Edge Network Intelligence
Configuration Guide available at VMware SD-WAN Documentation.

6 Click Add Customer. The new Customer name is displayed on the Customers page. You can
click the Customer name to navigate to the Customer portal and configure Customer settings.

Once the Self-Healing feature is activated for a customer, VMware Edge Network Intelligence
(ENI) monitors and tracks the VMware SD-WAN network for systemic and application
performance issues across Edges provisioned under that customer. ENI then gathers data
regarding Self-Healing actions and triggers remediation recommendations to the users on the
SD-WAN side directly through the incident alert email.

Note Currently, only Manual remediation is supported by ENI. Automatic remediation support is
planned in future releases.

Activate Self-Healing for an Existing Customer


To activate Self-Healing for an existing customer, ensure you have the following prerequisites:

n The VMware Edge Network Intelligence (Analytics) service is activated on the VMware SD-
WAN Orchestrator. For more information on how to activate the ENI service on SD-WAN
Orchestrator, contact your Operator Super User.

n The SD-WAN Orchestrator must be on 5.0.1.0 and the SD-WAN Edges must be running
a minimum of 4.3.1 code. You can review the software image installed on each edge by
navigating to Configure > Edges. The table on the Edges page will have a column that
displays Software version of Edge per customer.

To activate Self-Healing for an existing Partner customer, perform the following steps:

1 Log in to the SD-WAN Orchestrator as a Partner user.

2 In the Partner portal, select a customer, and from the top header, click SD-WAN > Global
Settings.

3 From the left menu, click Customer Configuration.

The Service Configuration page appears.

4 In the Edge Network Intelligence service section, click the Turn On button to activate the ENI
service.

Note You can activate this service only when SD-WAN service is turned on.

5 Click the Configure button. The Edge Network Intelligence Configuration pop-up window
appears.

6 Select the Self Healing checkbox to allow ENI to provide remediation recommendations to
improve application performance. By default, the Self-Healing feature is not activated for
the customer. For more information, see the Self-Healing Overview section in the VMware
Edge Network Intelligence User Guide published at
https://docs.vmware.com/en/VMware-Edge-Network-Intelligence/index.html.

7 Click the Update button.

Once the Self-Healing feature is activated for an existing customer, VMware Edge Network
Intelligence (ENI) monitors and tracks the VMware SD-WAN network for systemic and application
performance issues across Edges provisioned under that customer. ENI then gathers data
regarding Self-Healing actions and triggers remediation recommendations to the users on the
SD-WAN side directly through the incident alert email.

Note Currently, only Manual remediation is supported by ENI. Automatic remediation support is
planned in future releases.

Configure Customers
After creating a customer, configure the feature options and settings that the customer can
access. As a Partner Super User, you can choose the settings the partner customer can modify.


When you create a new customer, you are redirected to the Customer Configuration page,
where you can configure the customer settings.

You can also navigate to the Configuration page from the Manage Customers page in the Partner
portal. Select the customer and click Actions > Modify or click the link to the customer.

In the customer or Enterprise portal, click Configure > Customer, and you can configure the
following settings.


Customer Capabilities
Only an Operator can activate or deactivate the capabilities. You can view the status of the following capabilities. If you want to activate or deactivate any of the capabilities, contact your Operator.

- Enable Enterprise Auth
- Enable Legacy Networks
- Enable Premium Service
- Enable Role Customization
- Enable Segmentation
- Enable Stateful Firewall
- CoS Mapping
- Service Rate Limiting

Security Policy
When creating Edge-to-Edge IPSec tunnels, you can modify the security policy configuration settings at the Customer Configuration level.

- Hash - By default, there is no authentication algorithm configured for the VPN header. When you select the Turn off GCM checkbox, you can select one of the following as the authentication algorithm for the VPN header, from the drop-down list:
  - SHA 1
  - SHA 256
  - SHA 384
  - SHA 512

- Encryption - AES 128-Galois/Counter Mode (GCM), AES 256-GCM, AES 128-Cipher Block Chaining (CBC) and AES 256-CBC are the encryption algorithm modes used to provide confidentiality. Select either AES 128 or AES 256 as the AES algorithm's key size to encrypt data. The default encryption algorithm mode is AES 128-GCM, when the Turn off GCM checkbox is not selected.

- DH Group - Select the Diffie-Hellman (DH) Group algorithm to be used when exchanging a pre-shared key. The DH Group sets the strength of the algorithm in bits. The supported DH Groups are 2, 5, 14, 15, and 16. It is recommended to use DH Group 14.

- PFS - Select the Perfect Forward Secrecy (PFS) level for additional security. The supported PFS levels are 2, 5, 14, 15, and 16. By default, PFS is deactivated.

- Turn off GCM - By default, AES 128-GCM is enabled. If required, select the checkbox to turn off this mode, which in turn enables AES 128-CBC mode.


- IPsec SA Lifetime - Time when Internet Security Protocol (IPSec) rekeying is initiated for Edges. The minimum IPsec lifetime is 3 minutes and the maximum is 480 minutes. The default value is 480 minutes.

- IKE SA Lifetime - Time when Internet Key Exchange (IKE) rekeying is initiated for Edges. The minimum IKE lifetime is 10 minutes and the maximum is 1440 minutes. The default value is 1440 minutes.

Note It is recommended not to configure low lifetime values for IPsec (less than 10 minutes) and IKE (less than 30 minutes), as they can cause traffic interruption in some deployments due to rekeys. The low lifetime values can be used only for debugging purposes.

- Secure Default Route Override – Select the checkbox to ensure that the traffic from the Edge is routed based on the Network Service configured for the Business Policy rule, even when secure routing (either Static Route or BGP Route) is enabled on the Edge.

Note When you modify the security settings, the changes may cause interruptions to the current services. In addition, these settings may reduce overall throughput and increase the time required for VCMP tunnel setup, which may impact branch to branch dynamic tunnel setup times and recovery from Edge failure in a cluster.

Service Access
Choose the services the customer can access along with the roles and permissions available for
the selected service. See Configure Service Access.

Note If Edge Network Intelligence service is enabled for a customer, ensure not to select
the Self Healing checkbox as the Self Healing feature is not completely supported in the 5.0.0
release.

Gateway Pool
The current Gateway pool associated with the selected customer is displayed. If required, you
can choose a different Gateway pool from the available list.

If the Gateways available in the Gateway pool have been assigned with Partner Gateway role,
you can handoff the Gateways to partners. Select the Enable Partner Handoff to configure the
handoff options for the segments and Gateways. For more information, see Configure Partner
Handoff.

Maximum Segments
Displays the maximum number of segments configured by the Operator.


OFC Cost Calculation

Displays whether Distributed Cost Calculation is enabled by the Operator. By default, the Orchestrator is actively involved in learning the dynamic routes: Edges and Gateways rely on the Orchestrator to calculate initial route preferences and return them to the Edge and Gateway. The Distributed Cost Calculation feature lets you delegate the route cost calculation to the Edges and Gateways.

For more information on Distributed Cost Calculation, refer to the Configure Distributed Cost Calculation section in the VMware SD-WAN Operator Guide available at: https://docs.vmware.com/en/VMware-SD-WAN/index.html.

Note To enable the Distributed Cost Calculation feature for your customers, contact the
support team.

Edge NFV
Displays whether the customers are allowed to deploy third party Virtual Network Functions
(VNF) on service ready Edge platforms.

Edge Image Management

Displays the current Software/Firmware Image associated with the selected Partner Customer. As a Partner Super User, you can select and assign a different Software/Firmware Image from the available list of software images for the customer, if needed.

If you want a Partner Customer to manage Edge software images, enable the Delegate Edge Software Image Management checkbox. Once you enable Delegate Edge Software Image Management and click Save Changes, all the software images assigned to the Partner Customer appear. Click Modify to add or remove a software image for the selected customer.

Note You can remove an assigned image from a Partner Customer only if the image is not a
default image and it is not currently used by any edges within the Partner Customer.

For more information, see the Edge Software Image Management section in the VMware SD-WAN Administration Guide available at https://docs.vmware.com/en/VMware-SD-WAN/index.html.

Other Settings
This option is available only when you have the User Agreement feature activated by your
Operator. For the selected customer, you can change the user agreement default settings using
the following options:

n User Agreement Display - Select the relevant option from the list to override the default
display settings of the User Agreement. By default, the customer inherits the display mode
set in the System Properties.


n User Agreement - Select the user agreement from the list that you want to display for the
customer. By default, the customer inherits the default user agreement.

After making changes to the configurations, click Save Changes.

Configure Service Access

Service Access lets you configure the services that a customer can access.

To configure Service Access:

Procedure

1 In the Partner portal, navigate to Manage Customers.

2 Select a customer and click Actions > Modify or click the link to the customer.

3 In the Enterprise portal, click Configure > Customers.


4 In the Customer Configuration page, the Service Access section displays the existing
services configured for the selected customer. If required, you can modify the settings.

n SD-WAN - The customer can access the SD-WAN services. When you select this service,
the following options are available:

Default Edge Authentication: Choose the default option to authenticate the Edges associated to the customer, from the drop-down list.
  - Certificate Deactivated: Edge uses a pre-shared key mode of authentication.
  - Certificate Acquire: This option is selected by default and instructs the Edge to acquire a certificate from the certificate authority of the SD-WAN Orchestrator, by generating a key pair and sending a certificate signing request to the Orchestrator. Once acquired, the Edge uses the certificate for authentication to the SD-WAN Orchestrator and for establishment of VCMP tunnels.
    Note After acquiring the certificate, the option can be updated to Certificate Required.
  - Certificate Required: Edge uses the PKI certificate. Operators can change the certificate renewal time window for Edges using the system property edge.certificate.renewal.window.

Edge Licensing: The existing Edge Licenses are displayed. Click Modify to add or remove the licenses.
  Note The license types can be used on multiple Edges. It is recommended to provide your customers with access to all types of licenses to match their edition and region.


- Edge Network Intelligence – You can select this option only when SD-WAN is selected. When you select this service, the Edge Network Intelligence Configuration is available. Enter the maximum number of Edges that can be provisioned as Analytics Edge in the Nodes field. By default, Unlimited is selected.

  Note This option is available only when the Analytics feature is activated on your SD-WAN Orchestrator.

  If Edge Network Intelligence service is enabled for a customer, you can activate Self-Healing capability at the Customer level by selecting the Self Healing checkbox. For more information, see the Self-Healing Overview section in the VMware Edge Network Intelligence User Guide published at https://docs.vmware.com/en/VMware-Edge-Network-Intelligence/index.html.

  Note Customers who do not have a Partner should contact [email protected] with details such as Orchestrator URL and customer name.

- Cloud Web Security – You can select this service only when a SASE PoP Gateway Pool is selected. Cloud Web Security is a cloud hosted service that protects users and infrastructure accessing SaaS and Internet applications. For more information, see the VMware Cloud Web Security Configuration Guide.

- Secure Access – You can select this service only when a SASE PoP Gateway Pool is selected. The Secure Access solution combines the VMware SD-WAN and Workspace ONE services to provide consistent, optimal, and secure cloud application access through a network of worldwide managed service nodes. For more information, see the VMware Secure Access Configuration Guide.

- Global Settings - By default, Global Settings is selected. This Service Configuration provides privileges to user management and settings that are shared across all services. You can choose the services that the customer can access along with the Global Settings (roles and permissions).

In the General Configuration, enter the domain name to be used to activate Single Sign-On (SSO) Authentication for the Orchestrator. This is also required to activate Edge Network Intelligence for the customer.

5 Click Save Changes.

Configure Partner Handoff


You can configure a Gateway to handoff to Partners. The Gateway acts as a Partner Gateway
and you can configure the Hand off Interface, Static Routes, BGP, and other settings.

Ensure that the Gateway to be handed off is assigned with Partner Gateway Role. In the Partner
portal, click Gateways and click the link to an existing Gateway. In the Properties section of the
selected Gateway, you can enable the Partner Gateway role.


To configure the handoff settings, go to the Customer Configuration page.

- In the Partner portal, click Manage Customers.
- Select the customer and click Actions > Modify or click the link to the customer.
- In the customer or Enterprise portal, click Configure > Customer.
- In the Customer Configuration, navigate to the Gateway Pool section and select the Enable Partner Handoff checkbox.

Configure the following settings:

Customer BGP Priority

- Select Enable Community Mapping to set the Community attributes, which would be tagged in the BGP advertised routes.

- The Community mapping is set to all the segments by default. If you want to configure the Community attributes for a specific segment, choose Per Segment, and select the Segment from the drop-down list.


- Select the Community Additive checkbox to enable the additive option associated with a particular auto community configuration. This option preserves the incoming community attributes for a prefix received from the overlay and appends the configured auto community to the prefix, on the Partner Gateway. As a result, the MPLS PE side receives prefixes with all the community attributes including the auto community attributes.

- Enter the Community attributes in the Community and Community 2 fields. Click the Plus(+) Icon to add more community attributes.

Configure Hand Off


- By default, the handoff configuration is applied to all the Gateways. If you want to configure a specific Gateway, choose Per Gateway and select the Gateway from the drop-down list.

- By default, the handoff configuration is applied to all the Segments. If you want to configure a specific Segment, select the Segment from the drop-down list.

- To configure all the Gateways, click the Edit option. If you have selected a particular Gateway, click the Click here to configure link.

The Hand Off Details window appears, where you can configure the handoff options. See the table below for a description of the Hand Off Details options.


Hand Off Details Description

Hand Off Interface

Tag Type: Choose the tag type, which is the encapsulation in which the Gateway hands off customer traffic to the Router. The following tag types are available:
  - None: Untagged. Choose this during single tenant handoff or a handoff towards a shared services VRF.
  - 802.1q: Single VLAN tag.
  - 802.1ad / QinQ(0x8100) / QinQ(0x9100): Dual VLAN tag.


Transport LAN VLAN: This option is available only when you choose the tag type as 802.1ad / QinQ(0x8100) / QinQ(0x9100). Choose the type of tag to configure the transport VLANs.

C-Tag (Customer tag): Enter the Customer VLAN tag.

S-Tag (Service tag): Enter the service-provider-defined VLAN tag.

Local IP Address: Enter the Local IP address for the logical Handoff interface.

Use for Private Tunnels: Select the checkbox so that private WAN links connect to the private IP address of the Partner Gateway. If private WAN connectivity is enabled on a Gateway, the Orchestrator audits to ensure that the local IP address is unique for each Gateway within an enterprise.

Advertise via BGP: Select the checkbox to automatically advertise the private WAN IP of the Partner Gateway through BGP. The connectivity is provided using the existing Local IP address.

Static Routes – Click the plus(+) Icon to add more routes.

Subnets: Enter the IP address of the Static Route Subnet that the Gateway should advertise to the Edge.

Cost: Enter the cost to apply weightage on the routes. The range is from 0 to 255.

Encrypt: Select the checkbox to encrypt the traffic between Edge and Gateway.

Hand off: Select the handoff type as VLAN or NAT.

Description: Optionally, enter a descriptive text for the static route.

BFD

Enable BFD: Select the checkbox to enable BFD subscription for BGP neighbors and to configure the BFD settings.

Peer Address: Enter the IP address of the remote peer to initiate a BFD session.

Local Address: Enter a locally configured IP address for the peer listener. This address is used to send the packets.

Detect Multiplier: Enter the detection time multiplier. The remote transmission interval is multiplied by this value to determine the detection timer for connection loss. The range is from 3 to 50 and the default value is 3.

Receive Interval: Enter the minimum time interval, in milliseconds, at which the system can receive the control packets from the BFD peer. The range is from 300 to 60000 milliseconds and the default value is 300 milliseconds.


Transmit Interval: Enter the minimum time interval, in milliseconds, at which the local system can send the BFD control packets. The range is from 300 to 60000 milliseconds and the default value is 300 milliseconds.

BGP

Enable BGP: Select the checkbox to enable BGP and set up the BGP configuration.

Customer ASN: Enter the customer Autonomous System Number.

Neighbor IP: Enter the IP address of the configured Neighbor network.

Neighbor-ASN: Enter the ASN of the Neighbor network.

Secure BGP Routes: Select the checkbox to enable encryption for data-forwarding over BGP routes.

Max-hop: Enter the number of maximum hops to enable multi-hop for the BGP peers. The range is from 1 to 255 and the default value is 1.
  Note This field is available only for eBGP neighbors, when the local ASN and the neighboring ASN are different. With iBGP, when both ASNs are the same, multi-hop is inherent by default and this field is not configurable.

BGP Local IP: Local IP address is the equivalent of a loopback IP address. Enter an IP address that the BGP neighborships can use as the source IP address for the outgoing packets. If you do not enter any value, the IP address of the Handoff Gateway is used as the source IP address.
  Note For eBGP, this field is available only when the Max-hop count is more than 1. For iBGP, it is always available as iBGP is inherently multi-hop.

Next Hop IP: Enter the next-hop IP address which would be used by BGP to reach the destination.

BGP Inbound/Outbound Filters – Click the plus(+) Icon to add more Filters.

Type (Match): Choose the type of the BGP attribute to be considered for matching with the traffic flow. You can choose either Prefix or Community.

Value: Enter the value according to the BGP attribute selected as Type.

Exact Match: Select the checkbox for matching the attributes exactly.

Type (Action): Choose the action to be performed if the match is True. You can either Permit or Deny the traffic.


Set: You can set the values of the attributes for the routes matching the filter criteria. Choose from the following attributes, and enter the corresponding values to be set for the matching routes:
  - None: The attributes of the matching routes remain the same.
  - Local Preference
  - Community: You can also enable the Community Additive option.
  - Metric
  - AS-Path-Prepend

Route Summarization

Note Route Summarization is a feature that helps to keep overall routing manageable. This feature is available in the 5.1 release in the Classic Orchestrator UI only.

Subnet: Enter the IP address.

AS Set: Click the checkbox if applicable. Selecting the checkbox allows the BGP routes to be received and processed even if the Edge detects its own ASN in the AS-Path.

Summary Only: Click the checkbox if applicable. Selecting the checkbox allows only the summarized route to be sent.

BGP Optional Settings

Router ID: Enter the Router ID to identify the BGP Router.

Keep Alive: Enter the BGP Keep Alive time in seconds. The default timer is 60 seconds.

Hold Timers: Enter the BGP Hold time in seconds. The default timer is 180 seconds.

Turn off AS-PATH Carry Over: Select the checkbox to turn off AS-PATH carry over, which influences the outbound AS-PATH to make the L3 routers prefer a path towards a PE. If you select this option, ensure that you tune your network to avoid routing loops. It is recommended not to select this checkbox.
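The BFD and BGP rows above carry ranges, defaults and eBGP/iBGP rules that are easy to get wrong by hand. The following Python is an added example, not VMware code: it models the BFD and BGP sections of a handoff as plain dataclasses (the class and field names are assumptions), checks them against the documented constraints, computes the BFD detection time the values imply, and shows what Community Additive does to the communities handed to the PE.

```python
"""Sanity-check the BFD and BGP values of a Partner Gateway Hand Off and compute
the BFD failure-detection time they imply.

Added example, not VMware code: the dataclasses and their field names are
assumptions made for this illustration; the ranges, defaults and the eBGP/iBGP
rules are the ones described in the Hand Off Details table.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class BfdSettings:
    enabled: bool = False
    detect_multiplier: int = 3          # Detect Multiplier, 3..50
    receive_interval_ms: int = 300      # Receive Interval, 300..60000 ms
    transmit_interval_ms: int = 300     # Transmit Interval, 300..60000 ms


@dataclass
class BgpSettings:
    enabled: bool = False
    customer_asn: int = 0               # Customer ASN
    neighbor_asn: int = 0               # Neighbor-ASN
    max_hop: int = 1                    # Max-hop, 1..255 (eBGP only)
    bgp_local_ip: Optional[str] = None  # BGP Local IP (loopback-style source address)
    keep_alive_s: int = 60              # Keep Alive, default 60 s
    hold_time_s: int = 180              # Hold Timers, default 180 s


def is_ebgp(bgp: BgpSettings) -> bool:
    """eBGP when the local (customer) ASN and the neighbor ASN differ."""
    return bgp.customer_asn != bgp.neighbor_asn


def bfd_detection_time_ms(local: BfdSettings, peer_transmit_interval_ms: int) -> int:
    """Time without BFD control packets before the neighbor is declared down.

    The guide states it as Detect Multiplier x remote transmission interval. The
    peer cannot send faster than we agreed to receive, so the effective remote
    interval is the larger of its transmit interval and our receive interval
    (BFD asynchronous mode, RFC 5880). Assumes the peer uses the same multiplier.
    """
    effective_interval = max(peer_transmit_interval_ms, local.receive_interval_ms)
    return local.detect_multiplier * effective_interval


def outgoing_communities(incoming: List[str], auto_community: List[str],
                         additive: bool) -> List[str]:
    """Communities the Partner Gateway tags on a prefix towards the MPLS PE.

    With Community Additive the incoming communities are preserved and the
    configured auto community is appended; without it only the configured
    auto community is set (standard route-map semantics, an assumption here).
    """
    return (list(incoming) if additive else []) + list(auto_community)


def check_handoff(bfd: BfdSettings, bgp: BgpSettings) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings) for the BFD and BGP sections of a handoff."""
    errors: List[str] = []
    warnings: List[str] = []

    if bfd.enabled:
        if not 3 <= bfd.detect_multiplier <= 50:
            errors.append("Detect Multiplier must be 3-50")
        for name, value in (("Receive Interval", bfd.receive_interval_ms),
                            ("Transmit Interval", bfd.transmit_interval_ms)):
            if not 300 <= value <= 60000:
                errors.append(f"{name} must be 300-60000 ms")
        if not bgp.enabled:
            warnings.append("BFD is a subscription for BGP neighbors; enable BGP as well")

    if bgp.enabled:
        if not 1 <= bgp.max_hop <= 255:
            errors.append("Max-hop must be 1-255")
        if is_ebgp(bgp):
            if bgp.bgp_local_ip and bgp.max_hop <= 1:
                warnings.append("BGP Local IP only applies to eBGP when Max-hop > 1; "
                                "the Handoff Gateway IP will be used as source")
        elif bgp.max_hop != 1:
            warnings.append("Max-hop is not configurable for iBGP (inherently multi-hop)")
        # Keepalive must be shorter than the hold time or the session flaps;
        # the documented defaults (60 s / 180 s) follow the usual 1:3 ratio.
        if bgp.keep_alive_s >= bgp.hold_time_s:
            errors.append("Keep Alive must be shorter than the Hold Timer")
        elif bgp.hold_time_s < 3 * bgp.keep_alive_s:
            warnings.append("Hold Timer below 3x Keep Alive; fewer missed keepalives tolerated")

    return errors, warnings


if __name__ == "__main__":
    # Constructed sample handoff: eBGP towards a PE with BFD at the defaults.
    bfd = BfdSettings(enabled=True)
    bgp = BgpSettings(enabled=True, customer_asn=65001, neighbor_asn=65002)
    print("detection time ms:", bfd_detection_time_ms(bfd, peer_transmit_interval_ms=300))
    print("checks:", check_handoff(bfd, bgp))
    print("tagged:", outgoing_communities(["65001:100"], ["65002:777"], additive=True))
```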

Click Update to save the settings. In addition, click Save Changes in the Customer Configuration
page to activate the settings.

Configure Partner Customers with New Orchestrator UI


After creating a Customer, configure the feature options and settings that the Customer can
access. As a Partner Super User, you can choose the settings the Partner Customer can modify.

When you create a new Customer, you are redirected to the Customer Configuration page, where you can configure the Customer settings. You can also navigate to the Configuration page by following these steps:


Procedure

1 In the Partner portal, select a Partner Customer, and from the top header, click SD-WAN >
Global Settings.


2 From the left menu, click Customer Configuration. The Customer Configuration page is displayed.


The Service Configuration section includes the following four services:

- SD-WAN
- Edge Network Intelligence
- Cloud Web Security
- Secure Access

Click the Turn On button to activate each service. Click the vertical ellipsis at the top right corner of each tile to turn off or configure that service. You can also use the Configure option at the bottom right corner of each tile to configure the respective service. Each tile displays the configuration summary.

Note When you select Turn off option, a pop-up window appears asking for your
confirmation. Select the check box and click Turn Off Service.

a SD-WAN: Clicking the Configure option displays the following pop-up window. Configure
the settings, and then click Update.


Domain: Enter the domain name to be used to activate Single Sign On (SSO) authentication for the Orchestrator. This is also required to activate Edge Network Intelligence for the Customer.

Default Edge Authentication: Choose the default option to authenticate the Edges associated to the Customer, from the drop-down menu.
  - Certificate Deactivated: Edge uses a pre-shared key mode of authentication.
  - Certificate Acquire: This option is selected by default and instructs the Edge to acquire a certificate from the certificate authority of the SD-WAN Orchestrator, by generating a key pair and sending a certificate signing request to the Orchestrator. Once acquired, the Edge uses the certificate for authentication to the SD-WAN Orchestrator and for establishment of VCMP tunnels.
    Note After acquiring the certificate, the option can be updated to Certificate Required.
  - Certificate Required: Edge uses the PKI certificate. You can change the certificate renewal time window for Edges using the system property edge.certificate.renewal.window.

Edge Licensing: The existing Edge Licenses are displayed. Click Add to add or remove the licenses.
  Note The license types can be used on multiple Edges. It is recommended to provide your Customers with access to all types of licenses to match their edition and region. For more information, see Edge Licensing with New Orchestrator UI.

Allow Customer to Manage Software: Select the check box if you want to allow an Enterprise Super User to manage the software images available for the Enterprise.


Operator Profile: Select an Operator profile to be associated with the Customer from the available drop-down menu. This field is not available if Allow Customer to Manage Software is selected. For more information on Operator profiles, see the "Manage Operator Profiles with New Orchestrator UI" section in the VMware SD-WAN Operator Guide available at VMware SD-WAN Documentation.

Maximum Number of Segments: Enter the maximum number of segments that can be configured. The valid range is 1 to 16. The default value is 16.

b Edge Network Intelligence: Clicking the Configure option displays the following pop-up
window. Configure the settings, and then click Update.

Note You can select this option only when SD-WAN service is turned on.

Domain: Enter the domain name to be used to activate Single Sign On (SSO) authentication for the Orchestrator. This is also required to activate Edge Network Intelligence for the Customer.

Analytics Nodes: Enter the maximum number of Edges that can be provisioned as Analytics Nodes. By default, Unlimited is selected.

Feature Access: Select the Self Healing check box to allow the Edge Network Intelligence to provide recommendations to improve performance.


c Cloud Web Security: This service is available only when you select a Gateway Pool with
an activated Cloud Web Security role. Cloud Web Security is a cloud hosted service
that protects users and infrastructure accessing SaaS and Internet applications. For
more information, see the VMware Cloud Web Security Configuration Guide. Clicking the
Configure option displays the following pop-up window:

Select the required edition, and then click Update. Standard Edition includes URL filtering, SSL inspection, Anti-virus, Authentication, Basic Sandbox, and Inline CASB Visibility. Advanced Edition includes URL filtering, SSL inspection, Anti-virus, Authentication, Basic Sandbox, Inline CASB Visibility and Controls, and Inline DLP Visibility and Controls.

d Secure Access: This service is available only when you select a Gateway Pool with an
activated Cloud Web Security role. Secure Access solution combines the VMware SD-
WAN and Workspace ONE services to provide a consistent, optimal, and secure cloud
application access through a network of worldwide managed service nodes. For more
information, see the VMware Secure Access Configuration Guide. Clicking the Configure
option displays the following pop-up window:

Enter the maximum number of PoPs, and then click Update.


3 Following are the additional configuration settings available on the Customer Configuration
page:

Global

User Agreement Display: Select one of the following from the drop-down menu:
  - Inherit
  - Override to Hide
  - Override to Show
  Note This field is available only when the system property session.options.enableUserAgreements is set to True.

Feature Access: Select the check box to allow the Customer to access the selected feature.

Delegate Management To Customer: Select the check box to allow the Customer to modify the settings of the selected property.

Gateway Pool

Current Gateway Pool: Select the Gateway pool from the drop-down menu.

Gateways in this Pool: Displays the Gateway details in the current pool.

Partner Hand Off: Activating this option displays the Configure Hand Off section. For details, see Configure Hand Off.

Security Policy

Hash: By default, there is no authentication algorithm configured for the VPN header, as AES-GCM is an authenticated encryption algorithm. When you select the Turn off GCM check box, you can select one of the following as the authentication algorithm for the VPN header, from the drop-down menu:
  - SHA 1
  - SHA 256
  - SHA 384
  - SHA 512

Encryption: Select either AES 128 or AES 256 as the AES algorithm's key size to encrypt data. The default encryption algorithm mode is AES 128.

DH Group: Select the Diffie-Hellman (DH) Group algorithm to be used when exchanging a pre-shared key. The DH Group sets the strength of the algorithm in bits. The supported DH Groups are 2, 5, 14, 15, and 16. It is recommended to use DH Group 14, which is the default value.


PFS: Select the Perfect Forward Secrecy (PFS) level for additional security. The supported PFS levels are 2, 5, 14, 15, and 16. By default, PFS is deactivated.

Turn off GCM: Select this check box to activate Hash and select an authentication algorithm for the VPN header.

IPSec SA Lifetime Time(min): Time when Internet Security Protocol (IPSec) rekeying is initiated for Edges. The minimum IPsec lifetime is 3 minutes and the maximum IPsec lifetime is 480 minutes. The default value is 480 minutes.
  Note It is not recommended to configure a low lifetime value for IPsec (less than 10 minutes), as it can cause traffic interruption in some deployments due to rekeys. The low lifetime values are for debugging purposes only.

IKE SA Lifetime(min): Time when Internet Key Exchange (IKE) rekeying is initiated for Edges. The minimum IKE lifetime is 10 minutes and the maximum IKE lifetime is 1440 minutes. The default value is 1440 minutes.
  Note It is not recommended to configure low lifetime values for IKE (less than 30 minutes), as they can cause traffic interruption in some deployments due to rekeys. The low lifetime values are for debugging purposes only.

Secure Default Route Override: Select the check box so that the destination of traffic matching a secure default route (either Static Route or BGP Route) from a Partner Gateway can be overridden using Business Policy.
  Note For instructions on how to activate secure routing on an Edge, refer to Configure Partner Handoff. For more information about configuring a Network Service for a Business Policy rule, refer to the "Configure Network Service for Business Policy Rule" section in the VMware SD-WAN Administration Guide available at VMware SD-WAN Documentation.

Edge Network Function Virtualization

Edge NFV: Select this option to activate the ability to deploy VNFs on Edges. After deploying one or more VNFs on Edges, you cannot deactivate this option.

Security VNFs: Select the relevant check boxes to deploy the corresponding security VNFs on Edges.

SD-WAN Settings


OFC Cost Calculation: Select the required check box:
  - Distributed Cost Calculation: Select this check box to delegate route cost calculation to Edges/Gateways.
    Note This option is available only for the Edges/Gateways with version 3.4.0 and later.
  - Use NSD Policy: Select this check box to use NSD policy for route cost calculation to Edges/Gateways.
    Note This option is available only for the Edges/Gateways with version 4.2.0 and later.

Multiple-DSCP tags per Flow Path Calculation: Select the check box to include the DSCP value as part of flow look-up.
  Note This field is available only when the system property session.options.enableFlowParametersConfig is set to True.

Feature Access: Select the Stateful Firewall check box to override the Stateful Firewall settings activated on the Enterprise Edge.

4 Click Save Changes.

Note When you modify the Security Policy settings, the changes may cause interruptions to
the current services. In addition, these settings may reduce overall throughput and increase
the time required for VCMP tunnel setup, which may impact branch to branch dynamic tunnel
setup times and recovery from Edge failure in a cluster.
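The Security Policy rows in step 3 above, and the same settings under Security Policy in the Configure Customers section for the Classic UI, state hard ranges (lifetimes), supported values (DH groups, PFS levels, hashes) and recommendations that are worth checking before clicking Save Changes. The following Python is an added example, not VMware code: it models one customer's Security Policy as a dataclass (the class and field names are assumptions) and reports which values the page would reject and which merely go against its recommendations.

```python
"""Check a customer Security Policy (Edge-to-Edge IPsec settings) against the
ranges and recommendations documented for the Customer Configuration page.

Added example, not VMware code: the SecurityPolicy class and its field names are
assumptions made for this illustration; the ranges, defaults and recommendations
are the ones stated in the guide.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

SUPPORTED_DH_GROUPS = {2, 5, 14, 15, 16}
RECOMMENDED_DH_GROUP = 14
SUPPORTED_PFS_LEVELS = {2, 5, 14, 15, 16}
SUPPORTED_HASHES = ("SHA 1", "SHA 256", "SHA 384", "SHA 512")
SUPPORTED_KEY_SIZES = (128, 256)
IPSEC_LIFETIME_RANGE = (3, 480)      # minutes, limits of the UI field
IKE_LIFETIME_RANGE = (10, 1440)      # minutes
IPSEC_LIFETIME_WARN_BELOW = 10       # guide: avoid IPsec lifetimes under 10 min
IKE_LIFETIME_WARN_BELOW = 30         # guide: avoid IKE lifetimes under 30 min


@dataclass
class SecurityPolicy:
    """One customer's Security Policy as shown on the Customer Configuration page."""
    turn_off_gcm: bool = False            # unchecked: AES-GCM (authenticated encryption)
    hash: Optional[str] = None            # only selectable when turn_off_gcm is True
    aes_key_size: int = 128               # Encryption: AES 128 or AES 256
    dh_group: int = RECOMMENDED_DH_GROUP  # DH Group
    pfs: Optional[int] = None             # None = PFS deactivated (the default)
    ipsec_sa_lifetime_min: int = 480      # IPsec SA Lifetime (min)
    ike_sa_lifetime_min: int = 1440       # IKE SA Lifetime (min)


def cipher_suite(policy: SecurityPolicy) -> str:
    """Name the encryption mode the policy results in: GCM unless 'Turn off GCM' is set."""
    mode = "CBC" if policy.turn_off_gcm else "GCM"
    return f"AES {policy.aes_key_size}-{mode}"


def check_policy(policy: SecurityPolicy) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings). Errors are values the UI would not accept or that
    leave the VPN header without integrity protection; warnings are documented
    recommendations the policy ignores."""
    errors: List[str] = []
    warnings: List[str] = []

    if policy.aes_key_size not in SUPPORTED_KEY_SIZES:
        errors.append(f"Encryption key size {policy.aes_key_size} is not AES 128/256")

    if policy.dh_group not in SUPPORTED_DH_GROUPS:
        errors.append(f"DH Group {policy.dh_group} is not supported (2, 5, 14, 15, 16)")
    elif policy.dh_group != RECOMMENDED_DH_GROUP:
        warnings.append(f"DH Group {policy.dh_group} in use; the guide recommends group 14")

    if policy.pfs is not None and policy.pfs not in SUPPORTED_PFS_LEVELS:
        errors.append(f"PFS level {policy.pfs} is not supported (2, 5, 14, 15, 16)")

    if policy.turn_off_gcm:
        # CBC provides confidentiality only, so a Hash is mandatory for integrity.
        if policy.hash not in SUPPORTED_HASHES:
            errors.append("Turn off GCM is set but no supported Hash is selected")
        elif policy.hash == "SHA 1":
            warnings.append("SHA 1 selected; prefer SHA 256 or stronger")
    elif policy.hash is not None:
        warnings.append("Hash is ignored while GCM is on (GCM authenticates the header itself)")

    lo, hi = IPSEC_LIFETIME_RANGE
    if not lo <= policy.ipsec_sa_lifetime_min <= hi:
        errors.append(f"IPsec SA lifetime must be {lo}-{hi} minutes")
    elif policy.ipsec_sa_lifetime_min < IPSEC_LIFETIME_WARN_BELOW:
        warnings.append("IPsec SA lifetime under 10 minutes: rekeys may interrupt traffic (debug only)")

    lo, hi = IKE_LIFETIME_RANGE
    if not lo <= policy.ike_sa_lifetime_min <= hi:
        errors.append(f"IKE SA lifetime must be {lo}-{hi} minutes")
    elif policy.ike_sa_lifetime_min < IKE_LIFETIME_WARN_BELOW:
        warnings.append("IKE SA lifetime under 30 minutes: rekeys may interrupt traffic (debug only)")

    return errors, warnings


if __name__ == "__main__":
    # Constructed samples: the page defaults, and a debugging policy that turned
    # GCM off without picking a Hash and shortened both lifetimes.
    samples = [
        ("defaults", SecurityPolicy()),
        ("debug", SecurityPolicy(turn_off_gcm=True, ipsec_sa_lifetime_min=5,
                                 ike_sa_lifetime_min=20, dh_group=5)),
    ]
    for name, pol in samples:
        errs, warns = check_policy(pol)
        print(f"{name}: {cipher_suite(pol)} errors={errs} warnings={warns}")
```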

Configure Hand Off


This section is displayed only when the Partner Hand Off option is activated. Activate this option
by turning on the toggle button.


Procedure

1 You can configure the following fields:

Configure Hand Off: By default, the handoff configuration is applied to all the Gateways. If you want to configure a specific Gateway, choose Per Gateway, and then select the Gateway from the drop-down list.

Segment: By default, Global Segment is selected, which means that the handoff configuration is applied to all the segments. If you want to configure a specific segment, select the segment from the drop-down menu.

Hand Off Interface: This section displays the values that are configured on the Configure BGP and BFD page.

Customer BGP Priority: Select the check box and configure the Community Mapping details.


2 Click Configure BGP and BFD link, located at the bottom of the Per Customer Hand Off -
Global Segment section, to display the following page:


3 You can configure the following fields:

Option Description

Hand Off Tag

Tag Type Choose the tag type, which is the encapsulation in which the Gateway hands off customer traffic to the Router. The following types of tags are available:
n None: Untagged. Choose this during single tenant handoff or a handoff towards shared services VRF.
n 802.1Q: Single VLAN tag
n 802.1ad / QinQ(0x8100) / QinQ(0x9100): Dual VLAN tag

Customer ASN Enter the Customer Autonomous System Number.

Hand Off Interface: You can configure the following settings for IPv4 and IPv6.

Local IP Address Enter the Local IP address for the logical Handoff
interface.

Use for Private Tunnels Select the check box so that private WAN links
connect to the private IP address of the Partner
Gateway. If private WAN connectivity is activated on
a Gateway, the Orchestrator audits to ensure that the
local IP address is unique for each Gateway within an
Enterprise.

Advertise Local IP Address via BGP Select the check box to automatically advertise the
private WAN IP of the Partner Gateway through BGP.
The connectivity is provided using the existing Local IP
address.

Static Routes: You can add, delete, or clone a static route.

Subnets Enter the IP address of the Static Route Subnet that the
Gateway should advertise to the Edge.

Cost Enter the cost to apply weightage on the routes. The range is from 0 to 255.

Encrypt Select the check box to encrypt the traffic between Edge and Gateway.

Hand off Select the handoff type as either VLAN or NAT.

Description Enter a descriptive text for the static route. This field is
optional.

BFD: Turn the toggle button to On to activate this section.

Peer Address Enter the IP address of the remote peer to initiate a BFD session.

Detect Multiplier Enter the detection time multiplier. The remote transmission interval is multiplied by this value to determine the detection timer for connection loss. The range is from 3 to 50.


Receive Interval Enter the minimum time interval, in milliseconds, at which the system can receive the control packets from the BFD peer. The range is from 300 to 60000 milliseconds.

Local Address Enter a locally configured IP address for the peer listener. This address is used to send the packets.

Transmit Interval Enter the minimum time interval, in milliseconds, at which the system can send the control packets from the BFD peer. The range is from 300 to 60000 milliseconds.

BGP: Turn the toggle button to On to activate this section.

Neighbor IP Enter the IP address of the configured BGP neighbor network.

Secure BGP Routes Select the check box to allow encryption for data-forwarding over BGP routes.

Max-hop Enter the number of maximum hops to allow multi-hop for the BGP peers. The range for Max-hop is from 1 to 255, and the default value is 1.
Note This field is available only for eBGP neighbors, when the local ASN and the neighboring ASN are different.

Next Hop IP Enter the next-hop IP address to be used by BGP to reach the multi-hop BGP peer.
Note This option is available only for multi-hop eBGP with Max-hop count greater than 1.

Neighbor-ASN Enter the Autonomous System Number of the Neighbor network.

BGP Local IP Local IP address is the equivalent of a loopback IP address. Enter an IP address that the BGP neighborships can use as the source IP address for the outgoing BGP packets. If you do not enter any value, the IP address of the Hand Off Interface is used as the source IP address.

BGP Inbound Filters Displays the BGP inbound filters.

BGP OutBound Filters Displays the BGP outbound filters.

BGP Optional Settings

BFD Select the checkbox to subscribe to the BFD session.

Router-ID Enter the Router ID to identify the BGP Router.

Keep Alive Enter the BGP Keep Alive time in seconds. The default
timer is 60 seconds.


Hold Timers Enter the BGP Hold time in seconds. The default timer is
180 seconds.

Turn off AS-PATH Carry Over Select the check box to turn off AS-PATH carry over, which influences the outbound AS-PATH to make the L3-routers prefer a path towards a PE. If you select this option, ensure that you tune your network to avoid routing loops. It is recommended not to select this check box.

MD5 Auth Select the check box to activate BGP MD5 authentication. This option is used in a legacy network or federal network, and is used as a security guard for BGP peering.

MD5 Password Enter a password for MD5 authentication.

4 Click Update to save the settings.
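The ranges and cross-field rules in the Hand Off table above (BFD intervals and multiplier, Max-hop and Next Hop IP for eBGP, MD5 Auth with its password, the AS-PATH carry over warning) can be checked before a configuration is pushed. The following validator is an added example, not VMware code; the dictionary keys are assumed names, not Orchestrator API fields, and the sample values are constructed.

```python
"""Validate a Partner Gateway Hand Off configuration against the ranges and
cross-field rules described in the table above. Added example, not VMware
code: the dictionary keys are assumed names, not Orchestrator API fields."""

import copy
from typing import Any, Dict, List, Tuple

# Ranges as documented on the Hand Off page.
BFD_INTERVAL_MS = (300, 60000)     # Receive Interval / Transmit Interval
BFD_DETECT_MULTIPLIER = (3, 50)    # Detect Multiplier
BGP_MAX_HOP = (1, 255)             # Max-hop, default 1
STATIC_ROUTE_COST = (0, 255)       # Static route Cost


def _in_range(value: Any, bounds: Tuple[int, int]) -> bool:
    lo, hi = bounds
    return isinstance(value, int) and not isinstance(value, bool) and lo <= value <= hi


def bfd_detection_time_ms(remote_transmit_interval_ms: int, detect_multiplier: int) -> int:
    """Connection-loss detection timer: the remote transmission interval multiplied
    by the Detect Multiplier, as the table describes."""
    return remote_transmit_interval_ms * detect_multiplier


def validate_handoff(cfg: Dict[str, Any]) -> List[str]:
    """Return findings ('error: ...' or 'warning: ...'); an empty list means consistent."""
    findings: List[str] = []

    for route in cfg.get("static_routes", []):
        subnet = route.get("subnet", "?")
        if not _in_range(route.get("cost"), STATIC_ROUTE_COST):
            findings.append(f"error: static route {subnet}: cost must be 0-255")
        if route.get("handoff") not in ("VLAN", "NAT"):
            findings.append(f"error: static route {subnet}: handoff must be VLAN or NAT")

    bfd = cfg.get("bfd") or {}
    if bfd.get("enabled"):
        for key in ("receive_interval_ms", "transmit_interval_ms"):
            if not _in_range(bfd.get(key), BFD_INTERVAL_MS):
                findings.append(f"error: bfd: {key} must be 300-60000 ms")
        if not _in_range(bfd.get("detect_multiplier"), BFD_DETECT_MULTIPLIER):
            findings.append("error: bfd: detect_multiplier must be 3-50")

    bgp = cfg.get("bgp") or {}
    if bgp.get("enabled"):
        max_hop = bgp.get("max_hop", 1)      # default value is 1
        if not _in_range(max_hop, BGP_MAX_HOP):
            findings.append("error: bgp: max_hop must be 1-255")
        else:
            # Assumption: the "local ASN" in the Max-hop note is the Customer ASN.
            ebgp = cfg.get("customer_asn") != bgp.get("neighbor_asn")
            if max_hop > 1 and not ebgp:
                findings.append("error: bgp: max_hop > 1 is only available for eBGP neighbors")
            if max_hop > 1 and not bgp.get("next_hop_ip"):
                findings.append("error: bgp: next_hop_ip is required for multi-hop eBGP")
            if max_hop == 1 and bgp.get("next_hop_ip"):
                findings.append("error: bgp: next_hop_ip is only available when max_hop > 1")
        if bgp.get("md5_auth") and not bgp.get("md5_password"):
            findings.append("error: bgp: md5_auth is selected but md5_password is empty")
        if bgp.get("turn_off_as_path_carry_over"):
            findings.append("warning: bgp: AS-PATH carry over is turned off; not recommended, "
                            "tune the network to avoid routing loops")
        if bgp.get("secure_bgp_routes") is False:
            findings.append("warning: bgp: secure_bgp_routes is off; "
                            "data forwarding over BGP routes is not encrypted")
    return findings


# Constructed sample values, not taken from any real deployment.
SAMPLE_HANDOFF: Dict[str, Any] = {
    "customer_asn": 65001,
    "static_routes": [{"subnet": "10.10.0.0/24", "cost": 10, "encrypt": True,
                       "handoff": "VLAN", "description": "branch summary"}],
    "bfd": {"enabled": True, "peer_address": "192.0.2.1", "local_address": "192.0.2.2",
            "detect_multiplier": 3, "receive_interval_ms": 300, "transmit_interval_ms": 300},
    "bgp": {"enabled": True, "neighbor_ip": "198.51.100.1", "neighbor_asn": 65002,
            "max_hop": 2, "next_hop_ip": "192.0.2.254", "secure_bgp_routes": True,
            "md5_auth": True, "md5_password": "constructed-example"},
}


def misconfigured_handoff() -> Dict[str, Any]:
    """Copy of the sample with rule violations, to show the checks firing."""
    cfg = copy.deepcopy(SAMPLE_HANDOFF)
    cfg["bfd"]["detect_multiplier"] = 2     # below the 3-50 range
    cfg["bgp"]["max_hop"] = 1               # single hop, but next_hop_ip is still set
    cfg["bgp"]["md5_password"] = ""         # MD5 Auth selected without a password
    return cfg


if __name__ == "__main__":
    for finding in validate_handoff(misconfigured_handoff()):
        print(finding)
    print("BFD detection time:", bfd_detection_time_ms(300, 3), "ms")
```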

Manage Partner Customers with New Orchestrator UI


The Manage Partner Customers option allows you to create new Customers, configure the
Customer capabilities, clone the existing configuration, and to configure other Customer settings.
As a Partner Super User, you can choose the settings that the Partner Customer can modify.

Procedure

1 In the Partner portal, go to Customers & Partners > Manage Partner Customers.

Note You can also navigate to this page from the Operator portal, by clicking the link under
the Partner column of a corresponding Customer. However, a Partner user does not have the
same privileges as that of an Operator.


2 You can perform the following actions:

Option Description

Search Enter a search term to search for the matching text across the table. Use the advanced search option to narrow down the search results.

New Customer Click this option to add a new Customer. For more information, see Create New Partner Customer with New Orchestrator UI.

Clone Clones the existing configurations of the selected Customer. You can select any of the additional clone attributes.

Delete Deletes the selected Customers. Enter the number of selected Customers in the pop-up window and click Delete.
Note Ensure that you have removed all the Edges associated with the selected Customer, before deleting the Customer.

Stage to Bastion Click to stage a Customer to the Bastion Orchestrator.

Note Stage to Bastion and Unstage from Bastion options are available only when the Bastion Orchestrator feature is activated using the session.options.enableBastionOrchestrator system property.

For more information, see Bastion Orchestrator Configuration Guide available at https://docs.vmware.com/en/VMware-SD-WAN/index.html.

3 Click More to perform the following actions:

Option Description

Unstage from Bastion Removes a Customer from the Bastion Orchestrator.

Send Support Email Sends customer support messages to the selected Customer.

Assign Software/Firmware Image Click this option, and then select a Software/Firmware image from the drop-down menu to be added to all the selected Enterprises.
Note This option is available only for an Enterprise with an activated Edge Image Management feature.

Update Edge Image Management Activates or deactivates the Edge Image Management
feature for the selected customers.

Update Operator Alerts Activates or deactivates the Operator alerts for the
selected Customers.

Update Customer Alerts Activates or deactivates the Customer alerts for the
selected Customers.


Export All Customers Exports the details of all the Customers in the Operator
portal to a CSV file. The default separator used is
comma (,) and you can choose to replace the separator
with any other special character.

Export Customers Edge Inventory Exports the inventory details of all the Edges
associated with all the Customers to a CSV file. The
default separator used is a comma (,).

4 Following are the other options available in the Manage Customers area:

Option Description

Columns Click this option and select the checkboxes to view the required columns.

Refresh Click this option to refresh the page.

Create New Partner Customer with New Orchestrator UI


In the Partner portal, you can create new Customers and configure the Customer settings.
You can temporarily deactivate creating new Customers, by setting the system property
session.options.disableCreateEnterpriseProxy to True. You can use this option when SD-
WAN Orchestrator exceeds the usage capacity.

Procedure

1 In the Partner portal, navigate to Customers & Partners > Manage Partner Customers, and
then click New Customer.

The New Customer page displays the following sections:

a Customer Information:


Enter the details in the following fields and click Next.

Note The Next button is activated only when you enter all the mandatory details.

Option Description

Company Name Enter your company name.

Account Number Enter a unique identifier for the Customer.

New Partner Support Access Select the checkbox to allow the new Partner to view, configure, and troubleshoot the Customer's Edges.

SASE Support Access This checkbox is selected by default, and grants access to the VMware Support to view, configure, and troubleshoot the Edges connected to the Customer. For security reasons, the Support cannot access or view the user identifiable information.


SASE User Management Access Select the checkbox to allow the VMware Support
to assist in User Management. The User Management
includes options to create users, reset password, and
configure other settings. In this case, the Support has
access to user identifiable information.

Location Enter relevant address details in the respective fields.

b Administrative Account:

Enter the details in the following fields and click Next.

Note The Next button is activated only when you enter all the mandatory details.

Option Description

Username Enter the username in the [email protected] format.

Password Enter a password for the Administrator.

Confirm Password Re-enter the password.

First Name Enter the first name.


Last Name Enter the last name.

Phone Enter a valid phone number.

Mobile Phone Enter a valid mobile number.

Contact Email Enter the email address. The alerts on service status
are sent to this email address.

c Services:


Configure the following global settings:


Option Description

Domain Enter the domain name to be used to enable Single Sign On (SSO) authentication for the Orchestrator. This is also required to activate Edge Network Intelligence for the Customer.

Gateway Pool Select an existing Gateway pool from the drop-down list. For more information, see Manage Gateway Pools.

Feature Access You can select either Role Customization or Premium Service, or both the checkboxes.

Allow Customer to Manage Software Select the checkbox if you want to allow an Enterprise Super User to manage the software images available for the Enterprise. Once selected, the Software Image field is displayed. Click Add and in the Select Software/Firmware Images pop-up window, select and assign the software/firmware images from the available list for the Enterprise. Click Done to add the selected images to the Software Image list.
Note You can remove an assigned image from an Enterprise only if the image is not currently used by any Edge within the Enterprise.

Operator Profile Select an Operator profile to be associated with the Customer from the available drop-down list. This field is not available if Allow Customer to Manage Software is selected. For more information on Operator profiles, see the "Manage Operator Profiles with New Orchestrator UI" section in the VMware SD-WAN Operator Guide available at VMware SD-WAN Documentation.


Service Access: This option is available above the global settings. You can choose the
services that the Customer can access along with the roles and permissions available for
the selected service.

Note This option is available only when the system property session.options.enableServiceLicenses is set as True.

n SD-WAN - When you select this service, the following options are available:

Option Description

Default Edge Authentication Choose the default option to authenticate the Edges associated with the Customer, from the drop-down list.
n Certificate Deactivated: Edge uses a pre-shared key mode of authentication.
n Certificate Acquire: This option is selected by default and instructs the Edge to acquire a certificate from the certificate authority of the SD-WAN Orchestrator, by generating a key pair and sending a certificate signing request to the Orchestrator. Once acquired, the Edge uses the certificate for authentication to the SD-WAN Orchestrator and for establishment of VCMP tunnels.
Note After acquiring the certificate, the option can be updated to Certificate Required.
n Certificate Required: Edge uses the PKI certificate. Operators can change the certificate renewal time window for Edges using the system property edge.certificate.renewal.window.

Edge Licensing Click Add and in the Select Edge Licenses pop-up window, select and assign the Edge licenses from the available list for the Enterprise.
Note The license types can be used on multiple Edges. It is recommended to provide your customers with access to all types of licenses to match their edition and region. For more information, see Edge Licensing with New Orchestrator UI.


n Edge Network Intelligence: You can select this service only when SD-WAN is
selected. When you select this service, the following options are available:

Option Description

Nodes Enter the maximum number of Edges that can be provisioned as Analytics Edge. By default, Unlimited is selected.

Feature Access Select this checkbox to allow Edge Network Intelligence to provide recommendations to improve performance.

Note This option is available only when the Analytics feature is activated on your
SD-WAN Orchestrator. Use the following settings:

service.analytics.apiToken
service.analytics.analyticsEndpointDynamicIP
service.analytics.analyticsEndpointStaticIP
service.analytics.apiUrl
service.analytics.configEndpoint

n Cloud Web Security: You can select this service only when you select a Gateway
Pool with an activated Cloud Web Security role. Cloud Web Security is a
cloud hosted service that protects users and infrastructure accessing SaaS and
Internet applications. For more information, see the VMware Cloud Web Security
Configuration Guide.
n Secure Access: You can select this service only when you select a Gateway Pool with
an activated Cloud Web Security role. Secure Access solution combines the VMware
SD-WAN and Workspace ONE services to provide a consistent, optimal, and secure
cloud application access through a network of worldwide managed service nodes. For
more information, see the VMware Secure Access Configuration Guide.

2 Select the Add another Customer checkbox, or directly click Add Customer.

The new Customer name is displayed on the Customers page. You can click the Customer
name to navigate to the Enterprise portal and add configurations to the Customer. For more
information, see Configure Partner Customers with New Orchestrator UI.

8 Monitor Events
The Partner super user and Partner admin user can view the partner events.

In the Partner portal, click Events.

The page displays the recent events. You can click the link to the events to view more details.


To view the older events, you can click the drop-down menu at the top of the page and choose
the duration from the list. Alternatively, you can also enter the start and end dates at the top of
the page to set a custom duration.

Note The Events Page displays a maximum of 2048 Events. To view specific Events, you can
use the Filter option.

Once you choose or setup the duration, the page displays the events triggered during the
selected period.

The page displays the following options:

n Search – Enter a term to search for a specific detail. Click the drop-down arrow to filter the
view by specific criteria. In the Filter, click the field next to Events to view the list of Partner
Events available and to filter by specific Events.

n Cols – Click and select the columns to be shown or hidden in the view.

n Reset View – Click to reset the view to default settings.

n Refresh – Click to refresh the details displayed with the most current data.

n CSV – Click to export all data to a file in CSV format.

You can also view the Partner events using the new Orchestrator UI.

n In the Partner portal, click Administration > Partner Events to view the events.

At the top of the page, you can choose a specific time period to view the details of events for the
selected duration.


In the Search field, enter a term to search for specific details. Click the Filter Icon to filter the view
by a specific criteria. In the Filter, choose Event and click the drop-down arrow next to the field
to view the list of Partner Events available and to filter by specific Events.

Click the CSV option to download a report of the events in CSV format.

9 Manage Partner Admin Users
The Admins page displays the existing partner admin users. A Partner Super User can create
new partner admin users with different role privileges and configure API tokens for each partner
admin.

In the Partner portal, click Admins.

Click Actions to perform the following activities:

n New Admin: Creates new partner admin users. See Create New Partner Admin.

n Modify Admin: Modifies the properties of the selected admin user. You can also click the link
to the username to modify the properties. See Configure Partner Admin Users.

n Password Reset: Sends an Email to the selected user with a link to reset the password.

n Delete Admin: Deletes the selected users.

This chapter includes the following topics:

n Create New Partner Admin

n Configure Partner Admin Users

Create New Partner Admin


A Partner Super User can create new partner admin users. The SSH Username is automatically
created for the user.

In the Partner portal, click Admins.

Procedure

1 You can create new admin users by clicking either New Admin, or Actions > New Admin .


2 In the New Admin window, enter the following details:

a Enter the user details like username, password, Name, Email, and Phone numbers.

b If you have chosen the authentication mode as Native in Configure Partner Authentication, then the type of the user is selected as Native. If you have chosen a different authentication mode, you can choose the type of the user. If you choose the user to be Non-Native, the password option is not available, as it is inherited from the authentication mode.

c From the Access Level drop-down list, select one of the following options:

n Basic—Allows the user to perform certain basic debug operations such as ping,
tcpdump, pcap, remote diagnostics, and so on. This is the default value.

n Privileged—Grants the user root-level access to perform all basic debug operations
along with Edge actions such as restart, deactivate, reboot, hard reset, and shutdown.
In addition, the user can access the Linux shell.

d Select the user role from the Account Role drop-down list. Once you select a role, the
Network and Security functions of the selected role, along with the description, are
displayed.

3 Click Create.

Results

The partner admin user details are displayed in the Admins page.

Configure Partner Admin Users


You can configure additional properties and create API tokens for a Partner Admin user.


In the Partner portal, click Admins. To configure an Admin user, click the link to a username or
select the user and click Actions > Modify Admin.

The existing properties of the selected user are displayed and if required, you can add or modify
the following:

Status – By default, the status is in Enabled state. If you choose Not Enabled, the user is logged
out of all the active sessions.

Type – If you have chosen the Partner authentication mode as Native in Configure Partner
Authentication, then the type of the user is selected as Native. If you have chosen a different
authentication mode, you can choose the type of the user. If you choose the user to be Non-
Native, then you cannot reset the password or modify the user role.

Property – The existing details such as name, email-id, telephone number, and mobile number of
the user are displayed. If needed, you can modify the user details, set a new password, or reset
the existing password.

n To set a new password, you must enter the current password correctly in the Current
Password textbox and the password to be changed in New Password and Confirm Password
textboxes.


n To reset the existing password, click Password Reset. An email is sent to the user with a link
to reset the password.

Edge Access - The SSH UserName and existing Access Level assigned to the user to access the
Edge are displayed. If required, you can choose a different Access Level for the user, however,
you cannot modify the SSH UserName. Ensure that you have Super User role to modify the
Access Level for the user. Choose one of the following options:

n Basic—Allows the user to perform certain basic debug operations such as ping, tcpdump,
pcap, remote diagnostics, and so on.

n Privileged—Grants the user root-level access to perform all basic debug operations along
with Edge actions such as restart, deactivate, reboot, hard reset, and shutdown. In addition,
the user can access the Linux shell.

User Role – The existing type of the user role is displayed. If required, you can choose a different
role for the user. The role privileges change accordingly.

API Tokens
The users can access the Orchestrator APIs using tokens instead of session-based
authentication. As Partner Super User, you can manage the API tokens for your enterprise users.
You can create multiple API tokens for a user.

Configure API Tokens:

Any user, except Business Specialist users, can create tokens based on the privileges assigned
to their user roles.

The users can perform the following actions, based on their roles:

n Enterprise users can Create, Download, and Revoke tokens for themselves.

n Partner Super users can manage tokens of Enterprise users, if the Enterprise user has
delegated user permissions to the Partner.

n Partner Super users can only create and revoke the tokens for other users.

n Users can download only their own tokens and cannot download other users' tokens.

To manage the API tokens:

n In the API Tokens section, click Actions > New API Token, to create a new token.

n In the New API Token window, enter a Name and Description for the token, and choose the
Lifetime from the drop-down menu.


n Click Create and the new token is displayed in the API Tokens grid.

n Initially, the status of the token is displayed as Pending. To download the token, select
the token, and click Actions > Download API Token. The status changes to Enabled, which
means that the API token can be used for API access.

n To deactivate a token, select the token and click Actions > Revoke API Token. The status of
the token is displayed as Revoked.

n When the Lifetime of the token is over, the status changes to Expired state.

Only the user who is associated with a token can download it and after downloading, the ID of
the token alone is displayed. You can download a token only once.

After downloading the token, the user can send it as part of the Authorization Header of the
request to access the Orchestrator API.

The following example shows a sample snippet of the code to access an API.

curl -k -H "Authorization: Token <Token>" \
     -H "Content-Type: application/json" \
     -X POST https://vco/portal/ \
     -d '{ "id": 1, "jsonrpc": "2.0", "method": "enterprise/getEnterpriseUsers", "params": { "enterpriseId": 1 }}'
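The same token-authenticated JSON-RPC call, written as a small client that keeps TLS verification on (the curl snippet's -k turns it off) and never logs the token. This is an added example, not VMware code; the host, token and enterpriseId are constructed placeholders, and enterprise/getEnterpriseUsers is the method shown above.

```python
"""Call the Orchestrator portal API with an API token, as the curl snippet above
does, using JSON-RPC 2.0 over HTTPS. Added example, not VMware code; host,
token and enterpriseId are constructed placeholders."""

import json
import ssl
import urllib.request
from typing import Any, Dict, Optional, Tuple

TOKEN_PLACEHOLDER = "EXAMPLE_API_TOKEN"                  # constructed; never commit a real token
ORCHESTRATOR_URL = "https://vco.example.invalid/portal/"   # constructed placeholder host


def request_payload(method: str, params: Dict[str, Any], req_id: int = 1) -> Dict[str, Any]:
    """JSON-RPC 2.0 envelope in the same shape as the curl -d body above."""
    return {"id": req_id, "jsonrpc": "2.0", "method": method, "params": params}


def build_request(token: str, method: str, params: Dict[str, Any],
                  req_id: int = 1) -> Tuple[Dict[str, str], bytes]:
    """Headers and encoded body: the token travels only in the Authorization header."""
    headers = {"Authorization": f"Token {token}", "Content-Type": "application/json"}
    body = json.dumps(request_payload(method, params, req_id)).encode("utf-8")
    return headers, body


def redact_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Copy of the headers that is safe to log: the token value is masked."""
    safe = dict(headers)
    if "Authorization" in safe:
        safe["Authorization"] = "Token ***"
    return safe


def parse_response(raw: bytes, expected_id: int) -> Any:
    """Return the JSON-RPC result, rejecting mismatched ids and surfacing API errors."""
    data = json.loads(raw.decode("utf-8"))
    if data.get("jsonrpc") != "2.0" or data.get("id") != expected_id:
        raise ValueError("response id/version does not match the request")
    if "error" in data:
        err = data["error"]
        raise RuntimeError(f"API error {err.get('code')}: {err.get('message')}")
    return data["result"]


def call_orchestrator(url: str, token: str, method: str, params: Dict[str, Any],
                      req_id: int = 1, cafile: Optional[str] = None) -> Any:
    """Send one call. Certificate verification stays on; for an Orchestrator with a
    private CA, pass its bundle via cafile rather than disabling verification."""
    headers, body = build_request(token, method, params, req_id)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return parse_response(resp.read(), req_id)


if __name__ == "__main__":
    # The placeholder host does not resolve; this only shows the request shape.
    hdrs, _ = build_request(TOKEN_PLACEHOLDER, "enterprise/getEnterpriseUsers",
                            {"enterpriseId": 1})
    print(redact_headers(hdrs))
```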

After modifying the settings and API Tokens, click Save Changes.

Similarly, you can configure additional properties and create API tokens for Partner Customers.
For more information, see the 'Configure Admin Users' section in the VMware SD-WAN
Administration Guide.

10 Roles
The Orchestrator consists of two types of roles. The roles are categorized as follows:

n Functional Roles – Defined as a set of privileges relevant to a functionality. These privileges are used to carry a certain business process. For more information, see Functional Roles.

n Composite Roles – The functional roles from different categories can be grouped to form a
composite role. For more information, see Composite Roles.

This chapter includes the following topics:

n Functional Roles

n Composite Roles

n Role Customization

Functional Roles
Functional Roles are defined as a set of privileges relevant to a functionality.

A functional role can be tagged to one or more of the following services: Global Settings,
SD-WAN, Secure Access, Cloud Web Security. These are the group of privileges required by
a user to carry a certain business process. For example, a Customer support role in SD-WAN is a
functional role required by an SD-WAN user to carry out various support activities. Every service
defines such roles based on business functionality that they want to support. These roles are
categorized as Global Settings, SD-WAN, Secure Access, Cloud Web Security functional roles.

By default, the Orchestrator consists of different functional roles that consist of role privileges
based on the requirements. If required, you can customize the role privileges of the functional
roles. For more information, see Role Customization.

Composite Roles
Composite roles are a group of functional roles combined from different functional categories.

By default, the following composite roles are available:

Composite Role | SD-WAN Functional Role | Cloud Web Security Functional Role | Secure Access Functional Role | Global Settings Functional Role
Partner Standard Admin | SD-WAN Partner Admin | Cloud Web Security Partner Admin | Secure Access Partner Admin | Global Settings Partner Admin
Partner Security Admin | SD-WAN Security Partner Admin | Cloud Web Security Partner Admin | Secure Access Partner Admin | Global Settings Partner Admin
Partner Network Admin | SD-WAN Partner Admin | Cloud Web Security Partner Read Only | Secure Access Partner Read Only | Global Settings Partner Admin
Partner Superuser | Full Access | Full Access | Full Access | Full Access
Partner Business Specialist | SD-WAN Partner Business | | | Global Settings Partner Business
Partner Customer Support | SD-WAN Partner Support | Cloud Web Security Partner Read Only | Secure Access Partner Read Only | Global Settings Partner Support

You can assign the above roles to a user, while creating a new Partner user. See Create New
Partner Admin.

You can also map the composite role while configuring Single Sign on. See Configure Single Sign
On for Partner User.

To view the existing composite roles along with the description for your Enterprises, see Manage
Composite Roles.

To create a custom composite role for your Enterprises, see Create New Composite Roles.

You can also customize the role privileges of the functional roles. For more information, see Role
Customization.

Manage Composite Roles


The Orchestrator consists of different functional roles. You can combine the functional roles from
these groups to create a composite role.

You can access the composite roles as follows:

n Once you log into the Orchestrator portal as an Operator user, the existing list of customers
is displayed in the Customers page. Click the link to a Customer to navigate to the Enterprise
portal.

n In the Enterprise portal, click Enterprise Applications > Global Settings.


n The Roles window opens showing the list of existing roles for the selected Enterprise.

Note You can add, edit, or view the Composite roles only for an Enterprise user.

n You can perform the following activities in the Roles window:

n Add Role - Creates a new custom role. See Create New Composite Roles.

n Edit Role - Allows you to edit only the Custom roles. You cannot edit the default roles.
Also, you cannot edit or view the settings of a Super user.

n Clone Role – Creates a new custom role, by cloning the existing settings from the
selected role. You cannot clone the settings of a Super user.


n Delete Role – Deletes the selected role. You can delete only custom composite roles.
If the role is associated with any user, ensure that you have removed all the users
associated with the selected role, before deleting the role.

n Download CSV – Downloads the details of the user roles into a file in CSV format.

n In addition, you can click the Open icon ">>" before the Role link to view more details about
the Composite role.

Create New Composite Roles


Composite roles are a group of functional roles combined from different functional categories.

To create a new composite role:

Procedure

1 In the Enterprise portal, click Enterprise Applications > Global Settings.

The User Management page appears showing the list of existing roles for the selected
Enterprise.

2 In the Roles tab, click Add Role.


3 In the Role Creation page that appears, enter the details for the new custom role as follows:

Note The Custom Role Creation section displays only functional roles for which the
customer has licenses.

Option Description

Role Name Enter a name for the new role

Description Enter a description for the role

Template Optionally, select an existing role as template from the drop-down list. The functional roles of the selected template are assigned to the new role.

Global Settings & Administration These functional roles provide privileges to user
management and global settings that are shared across
all services. You must mandatorily choose a Global
Settings & Administration functional role to create a
Composite role. By default, Global Settings Enterprise
Read Only role is selected.


SD-WAN These functional roles give a user different levels of privileges around SD-WAN configuration, monitoring, and diagnostics. You can optionally choose an SD-WAN functional role. The default value is No Privileges.

Cloud Web Security These functional roles give a user different levels of privileges around Cloud Web Security features. You can optionally choose a Cloud Web Security functional role. The default value is No Privileges.

Secure Access These functional roles give a user different levels of privileges around Secure Access features. You can optionally choose a Secure Access functional role. The default value is No Privileges.

4 Click Save.

Results

The new custom role appears in the User Management > Roles page. Click the link to the custom
role to view the settings. You can click Edit Role to modify the settings.

Role Customization
SD-WAN Orchestrator provides roles with different sets of privileges. As a Partner Super
user, you can assign a pre-defined role to other Partner users and to your Enterprise users. Role
Customization lets you customize the existing set of privileges for the Functional roles.

You can customize only the Functional roles, not the Composite roles. When you customize
a Functional role, the change affects every Composite role that includes the customized
Functional role. For more information, see Functional Roles.

Role customization is applied to the Functional roles as follows:

n Customizations made at the Enterprise level override the customizations made at the
Partner level.

n Only when there are no customizations at the Enterprise level are the customizations made
by the Partner applied across all the users in the Partner portal.

Only an Operator super user can enable Role Customization for a Partner super user. If the
Role Customization option is not available to you, contact your Operator.

In the Partner portal, click Role Customization.

You can perform the following operations:

n Show Current Privileges – Displays the current Functional role privileges. You can view the
privileges of all the Functional roles and download them in CSV format. For an Enterprise, it
displays the privileges of only functional roles for which the customer has licenses.


n New Package – Lets you create a new package with customized role privileges. See Create
New Customized Package.

n Reset to System Default – Lets you reset the current role privileges to the default settings.
Only the customized privileges applied to the Functional roles in the Partner portal are reset.
If your customers have customized their Functional role privileges in the Enterprise portal,
those settings remain unchanged.

Click Actions to perform the following activities:

n Upload Package – Lets you upload a customized package. See Upload Customized Package.

n Clone Package – Creates a copy of the selected package.

n Modify Package – Lets you edit the customization settings in the selected package. You
can also click the link to the package to edit the settings.

n Delete Package – Removes the selected package. You cannot delete a package that is
already in use.

n Apply Package – Applies the customization available in the selected package to the existing
Functional roles. This option modifies the role privileges only at the current level. If there are
customizations available at the Partner level or a lower level for the same role, the lower
level takes precedence.

You can also click the Download icon before the package name to download the package as a
JSON file.

Note Role customization packages are version dependent: a package created on an
Orchestrator running an earlier software release is not compatible with an Orchestrator
running a later release. For example, a role customization package created on an Orchestrator
running Release 3.4.x does not work properly after the Orchestrator is upgraded to a 4.x.x
Release. In such cases, review and recreate the role customization package for the newer
release to ensure proper enforcement of all roles.

Create New Customized Package


You can create a customized package and apply the package to the existing Functional roles in
the SD-WAN Orchestrator.

Procedure

1 In the Partner portal, click Role Customization.

2 Click New Package.


3 In the Role Customization Package Editor window, enter the following:

a Enter a Name and a Description for the new custom package.

b In the Roles pane, select a Functional role and click Remove Privileges to customize the
privileges for the selected role.

Note For an Enterprise, the Roles pane displays the privileges of only functional roles for
which the customer has licenses.

Note You can only add or remove Deny Privileges, that is, take away privileges from the
system default. You cannot grant additional privileges to a role using this option.

In the Assign Privileges window, select the features from the Available Deny Privileges
and move them to the Selected Deny Privileges pane.


Note You can assign only Deny privileges to the Functional roles.

Click OK.

4 Repeat the previous step for each Functional role you want to customize in the Role
Customization Package Editor window.


5 Select the Show Modified checkbox to filter and view the customized privileges. The changes
to the privileges are highlighted in a different color.

6 Click Create. You can click CSV to download the Functional role privileges of the selected
role in CSV format.

7 The new package details are displayed in the Role Customization Packages window.

8 To edit the privileges, click the link to the package or select the package and click Actions
> Modify Package. In the Role Customization Package Editor window that opens, add or
remove Deny Privileges to the Functional roles in the package and click OK.

What to do next

Select the customized package and click Actions > Apply Package to apply the customization
available in the selected package to the existing Functional roles across the SD-WAN
Orchestrator.


You can edit the Deny privileges in an applied package whenever required. After modifying the
privileges in the Role Customization Package Editor window, click OK to save and apply the
changes to the Functional roles.

Note You can download the customized Functional role privileges as a JSON file and upload
the customized package to another Orchestrator. For more information, see Upload Customized
Package.

Upload Customized Package


You can upload a package with customized role privileges assigned to a different set of
Functional roles in the SD-WAN Orchestrator.

You can download the already customized Functional role privileges as a package and upload
the package to another Orchestrator.

Procedure

1 In the Partner portal, click Role Customization.

2 Click the Download Icon prior to a package name, which downloads the package as a JSON
file.

3 Navigate to the Orchestrator to which you want to upload the customized package.

4 Click Actions > Upload Package.

5 Choose the JSON file you have downloaded, and the package is uploaded automatically.

6 The uploaded package is displayed in the Role Customization Packages window.

7 You can view the privileges in the uploaded package and add more Deny privileges. Click
the link to the package or select the package and click Actions > Modify Package. In the
Role Customization Package Editor window that opens, add or remove Deny privileges
to the Functional roles in the package and click OK. For more information on the Role
Customization Package Editor, see Create New Customized Package.

What to do next

Select the customized package and click Actions > Apply Package to apply the customization
available in the selected package to the existing Functional roles across the SD-WAN
Orchestrator.


You can edit Deny privileges in an applied package whenever required. After modifying the
privileges in the Role Customization Package Editor window, click OK to save and apply the
changes to the Functional roles.

Monitor Role Customization Events


You can monitor the events related to changes in Role Customization.

In the Partner portal, click Events.

To view the events related to Role Customization, you can use the filter option. Click the
drop-down arrow next to the Search option and choose to filter by the Event column. The
following events are available for Role Customization:

n Role customization package cloned

n Role customization package deleted

n Role customization package updated

n Role customization package uploaded

n Role customization package was applied

n All role customization packages were removed from the system

The following image shows some of the Role Customization events.

List of Functional Role Privileges


This section describes the list of all functional role privileges available in the Orchestrator.

The following table lists all the role privileges available in the Partner portal.


The columns in the table indicate the following:

n Allow Privilege – Do the roles have allow access?

n Deny Privilege – Do the roles have deny access?

n Customizable – Is the role privilege available for customization in the Role Customization
window?

Feature: Manage Customers
n Privileges: Create Customer, Read Customer, Update Customer (Yes, Yes), Delete Customer
(No, No), Manage Customer
n Description: Grants ability to view and manage Customers, from the Partner or Operator level
n Allow Privilege: Yes; Deny Privilege: No; Customizable: No

Feature: Partner Events
n Privileges: Create Partner Event, Read Partner Event (Yes, Yes), Update Partner Event (No,
No), Delete Partner Event, Manage Partner Event
n Description: Grants access to view Partner events
n Allow Privilege: Yes; Deny Privilege: No; Customizable: No

Feature: Partner Admins
n Privileges: Create Partner User, Read Partner User (Yes, Yes), Update Partner User (No, No),
Delete Partner User, Manage Partner User
n Description: Grants access to view and configure Partner administrators
n Allow Privilege: Yes; Deny Privilege: No; Customizable: No

Feature: Partner Admins > API Tokens
n Privileges: Create Partner Token, Read Partner Token, Update Partner Token, Delete Partner
Token, Manage Partner Token
n Description: Grants ability to view and manage operator authentication tokens
n Allow Privilege: Yes; Deny Privilege: No; Customizable: No

Feature: Role Customization
n Privileges: Create Role Customization Package, Read Role Customization Package, Update
Role Customization Package, Delete Role Customization Package, Manage Role Customization
Package
n Description: Grants access to manage role customization packages
n Allow Privilege: Yes; Deny Privilege: No; Customizable: No

Feature: Partner Overview
n Privileges: Update Partner
n Description: Grants access to view and Partners
n Allow Privilege: Yes; Deny Privilege: No; Customizable: No

Feature: Partner Overview > Other Settings
n Privileges: Read User Agreement, Update User Agreement
n Description: Grants access to configure the customer user agreement feature
n Allow Privilege: Yes; Deny Privilege: No; Customizable: No

Feature: Partner Settings
n Privileges: Read Partner Delegation
n Description: Grants ability to view and edit the delegation of Partner privileges to the
Operator
n Allow Privilege: Yes; Deny Privilege: No; Customizable: No

Feature: Partner Settings > General Information > Privacy Settings
n Privileges: Read Customer Delegation, Update Customer Delegation (No)
n Description: Grants ability to view and manage the delegation of privileges from the customer
to Partners or the Operator
n Allow Privilege: Yes; Deny Privilege: Yes; Customizable: Yes

Feature: Partner Settings > Authentication
n Privileges: Create Partner Authentication, Read Partner Authentication, Update Partner
Authentication, Delete Partner Authentication, Manage Partner Authentication
n Description: Grants ability to view and edit Partner authentication mode and associated
configuration
n Allow Privilege: Yes; Deny Privilege: No; Customizable: No

Feature: Partner Settings > Authentication > API Tokens
n Privileges: Create Partner Token, Read Partner Token, Update Partner Token, Delete Partner
Token, Manage Partner Token
n Description: Grants ability to view and manage operator authentication tokens
n Allow Privilege: Yes; Deny Privilege: No; Customizable: No

Feature: Edge Licensing
n Privileges: Create License, Read License (Yes, Yes), Update License, Delete License (No, No),
Manage License
n Description: Grants ability to view and manage Edge licensing
n Allow Privilege: Yes; Deny Privilege: No; Customizable: No

Feature: Gateway Pools, Gateways, Gateway Diagnostic bundles
n Privileges: Create Gateway, Read Gateway, Update Gateway, Delete Gateway, Manage Gateway
n Description: Grants ability to view and manage Gateways, from the Partner or Operator level
n Allow Privilege: Yes; Deny Privilege: Yes; Customizable: Yes

Feature: View Tab
n Privileges: Gateway List
n Description: Grants ability to view the Gateway list tab
n Allow Privilege: No; Deny Privilege: Yes; Customizable: Yes

Feature: Gateway Diagnostic Bundles > Download Diagnostic Bundles
n Privileges: Download Gateway Diagnostics
n Description: Grants ability to download Gateway Diagnostics
n Allow Privilege: No; Deny Privilege: Yes; Customizable: Yes

Feature: VeloCloud Support Access Role
n Privileges: Create Partner Delegation, Read Partner Delegation, Update Partner Delegation,
Delete Partner Delegation, Manage Partner Delegation
n Description: Grants ability to view and edit the delegation of Partner privileges to the
Operator
n Allow Privilege: Yes; Deny Privilege: No; Customizable: No

11 User Management - Partner
The User Management feature allows you to manage users, their roles, service permissions, and
authentication.

As a Partner, you can access this feature from the Partner portal, by navigating to
Administration > User Management. The following screen is displayed:

The User Management window displays four tabs: Users, Roles, Service Permissions, and
Authentication.

For more information on each of these tabs, see:

n Users

n Roles

n Service Permissions

n Authentication

This chapter includes the following topics:

n Users


n Roles

n Service Permissions

n Authentication

Users
As a Partner, you can view the list of existing users and their corresponding details. You can add,
modify, or delete a user. However, you cannot delete a default user.

To access the Users tab:

1 In the Partner portal, click Administration from the top menu.

2 From the left menu, click User Management, and then click the Users tab. The following
screen appears:

3 On the Users screen, you can perform the following activities:

n New User – Creates a new user. For more information, see Add New User.

n Modify – Allows you to modify the properties of the selected Partner user. You can change
the Activation State of the selected Partner user. You can also modify the user details by
clicking the username link.

n Delete – Deletes the selected user. You cannot delete the default users.

n Download – Click this option to download the details of all the users into a file in CSV
format.


4 The following are the other options available in the Users tab:

n Search – Enter a search term to search for matching text across the table. Use the
advanced search option to narrow down the search results.

n Columns – Click and select the columns to be displayed or hidden on the page.

n Refresh – Click to refresh the page to display the most current data.

Add New User


In the Partner portal, you can add new users and configure the user settings. To add a new user,
perform the following steps:

Procedure

1 In the Partner portal, click Administration from the top menu.

2 From the left menu, click User Management, and then click the Users tab.


3 Click New User.

4 Enter the following details for the new user:

Note The Next button is activated only when you enter all the mandatory details in each
section.


n General information – Enter the required personal details of the user.

n Role – Select a role that you want to assign to the user. For information on roles, see Roles.

n Edge Access – Choose one of the following options:
n Basic: Allows you to perform certain basic debug operations such as ping, tcpdump, pcap,
remote diagnostics, and so on.
n Privileged: Grants you root-level access to perform all basic debug operations along with
Edge actions such as restart, deactivate, reboot, hard reset, and shutdown. In addition, you
can access the Linux shell.
The default value is Basic.

5 Select the Add another user check box if you wish to create another user, and then click Add
User.

The new user appears in the User Management > Users page. Click the link to the user to
view or modify the details. As a Partner Administrator, you can manage the Roles, Service
Permissions, and API Tokens for the Partner users.

Note A Partner Administrator should manually delete inactive Identity Provider (IdP) users
from the Orchestrator to prevent unauthorized access through their API Tokens.

Roles
The Orchestrator has two types of roles, categorized as follows:

n Privileges – A privilege is a set of roles relevant to a functionality. A privilege can be tagged
to one or more of the following services: SD-WAN, Cloud Web Security, Secure Access, and
Global Settings. Privileges are the group of privileges a user needs to carry out a certain
business process. For example, the Customer support role in SD-WAN is a privilege required
by an SD-WAN user to carry out various support activities. Every service defines such
privileges based on the business functionality it supports.

n Roles – Privileges from various categories can be grouped to form a role. By default, the
following roles are available for a Partner user:

Role – SD-WAN Service; Cloud Web Security Service; Secure Access Service; Global Settings
Service

n Partner Standard Admin – SD-WAN MSP Admin; Cloud Web Security MSP Admin; Secure
Access MSP Admin; Global Settings MSP Admin

n Partner Security Admin – SD-WAN Security MSP Admin; Cloud Web Security MSP Admin;
Secure Access MSP Admin; Global Settings MSP Admin

n Partner Network Admin – SD-WAN MSP Admin; Cloud Web Security MSP Read Only; Secure
Access MSP Read Only; Global Settings MSP Admin

n Partner Super user – Full Access; Full Access; Full Access; Full Access

n Partner Business Specialist – SD-WAN MSP Business; -; -; Global Settings MSP Business

n Partner Customer Support – SD-WAN MSP Support; Cloud Web Security MSP Read Only;
Secure Access MSP Read Only; Global Settings MSP Support

If required, you can customize the role privileges. For more information, see Role
Customization.

As a Partner, you can view the list of existing standard roles and their corresponding
descriptions. You can add, edit, clone, or delete a custom role. However, you cannot edit or
delete a default role.

To access the Roles tab:

1 In the Partner portal, click Administration from the top menu.

2 From the left menu, click User Management, and then click the Roles tab. The following
screen appears:

3 On the Roles screen, you can perform the following activities:

n Add Role – Creates a new custom role. For more information, see Add Role.

n Edit – Allows you to edit only the custom roles. You cannot edit the default roles. Also, you
cannot edit or view the settings of a Super user.

n Clone Role – Creates a new custom role by cloning the existing settings from the selected
role. You cannot clone the settings of a Super user.

n Delete Role – Deletes the selected role. You cannot delete the default roles. You can delete
only custom composite roles. Ensure that you have removed all the users associated with the
selected role before deleting the role.

n Download CSV – Downloads the details of the user roles into a file in CSV format.

Note You can also access the Edit, Clone Role, and Delete Role options from the vertical
ellipsis of the selected Role.

4 Click the Open icon ">>" displayed before the Role link, to view more details about the
selected Role, as shown below:

5 Click the View Role link to view the privileges associated to the selected role for the following
services:

n Global Settings & Administration

n SD-WAN

n Cloud Web Security

n Secure Access

6 The following are the other options available in the Roles tab:

n Search – Enter a search term to search for matching text across the table. Use the
advanced search option to narrow down the search results.

n Columns – Click and select the columns to be displayed or hidden on the page.

n Refresh – Click to refresh the page to display the most current data.


Add Role
To add a new role for a Partner, perform the following steps:

Procedure

1 In the Partner portal, click Administration from the top menu.

2 From the left menu, click User Management, and then click the Roles tab.


3 Click Add Role.


4 Enter the following details for the new custom role:

Role Details

n Role Name – Enter a name for the new role.

n Role Description – Enter a description for the role.

n Template – Optionally, select an existing role as a template from the drop-down list. The
privileges of the selected template are assigned to the new role.

n Scope – Select either Partner or Customer as the scope of the role. The new role appears in
all the accounts for the selected user as a default role and cannot be edited. Depending on
the selected scope, the privileges displayed in the Role Creation section vary. For example, if
a Partner creates a role for a Customer, it appears in the Customer's roles list and can be
edited only by a Customer who has the required permissions.

Role Creation

n Global Settings & Administration – These privileges provide access to user management
and global settings that are shared across all services. Choosing this privilege is mandatory.
By default, Global Settings MSP Support is selected.

n SD-WAN – These privileges provide the user with different levels of access around SD-WAN
configuration, monitoring, and diagnostics. You can optionally choose an SD-WAN privilege.
The default value is No Privileges.

n Cloud Web Security – These privileges provide the user with different levels of access around
Cloud Web Security features. You can optionally choose a Cloud Web Security privilege. The
default value is No Privileges.

n Secure Access – These privileges provide the user with different levels of access around
Secure Access features. You can optionally choose a Secure Access privilege. The default
value is No Privileges.

5 Click Save Changes.

The new custom role appears in the User Management > Roles page of the user, depending
on the selected Scope. Click the link to the custom role to view the settings.

Service Permissions
Users can have different roles and every role can have a specific privilege bundle for every
service in the Orchestrator. As a Partner, you can assign a pre-defined role to a user. Service
Permissions feature allows you to customize the privilege bundles for various services.


You can customize only the privilege bundles, not the roles. When you customize a privilege
bundle, the change affects every role associated with it. For more information, see Roles.

The Service Permissions are applied to the privileges as follows:

n The customizations done at the Enterprise level override the Partner or Operator level
customizations.

n The customizations done at the Partner level override the Operator level customizations.

n Only when there are no customizations done at the Partner level or Enterprise level,
the customizations made by the Operator are applied globally across all users in the
Orchestrator.
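The precedence rules above, and the Role Customization rules earlier in this chapter (customization can only deny privileges, never grant them, and a lower level overrides a higher one), can be checked in code. The following Python is an added illustration, not VMware code and not the Orchestrator's package format: the role and privilege names come from this guide, while the package layout, the customizable subset and the union model for composite roles are assumptions.

```python
"""Effective-privilege resolution for Orchestrator role customization.

Added illustration, not VMware code. It models two rules the guide states:
(1) a customization can only deny (take away) privileges from the system
default, never add any, and (2) a customization at a lower level wins over
a higher one (Enterprise over Partner over Operator). The privilege and
role names are taken from the guide; the package layout below is a
constructed stand-in, not the Orchestrator's JSON package format.
"""
from typing import Dict, FrozenSet, Iterable, Mapping, Optional, Set

# Levels ordered from broadest (highest) to most specific (lowest) scope.
LEVELS = ("operator", "partner", "enterprise")

# Constructed sample of system-default privileges per functional role.
SYSTEM_DEFAULT: Dict[str, FrozenSet[str]] = {
    "Global Settings MSP Admin": frozenset({
        "Create Partner User", "Read Partner User", "Update Partner User",
        "Delete Partner User", "Create Partner Token", "Read Partner Token",
    }),
    "Global Settings Enterprise Read Only": frozenset({
        "Read Partner User", "Read Partner Token",
    }),
}

# Assumed subset of privileges that may be denied through customization
# (the guide's privilege table flags which entries are customizable).
CUSTOMIZABLE: FrozenSet[str] = frozenset({
    "Create Partner Token", "Read Partner Token", "Update Partner User",
})

# A package maps functional role -> set of Deny privileges (assumed layout).
Package = Mapping[str, Set[str]]


def validate_package(package: Package) -> None:
    """Reject a package that names an unknown role or denies a privilege
    that is not customizable. Packages can only carry Deny entries, so
    there is no way for a package to grant anything beyond the default."""
    for role, denies in package.items():
        if role not in SYSTEM_DEFAULT:
            raise ValueError(f"unknown functional role: {role}")
        bad = set(denies) - CUSTOMIZABLE
        if bad:
            raise ValueError(f"{role}: not customizable: {sorted(bad)}")


def effective_privileges(
    role: str, applied: Mapping[str, Optional[Package]]
) -> FrozenSet[str]:
    """Return the privileges a functional role actually grants.

    `applied` maps a level name to the package applied at that level (or
    None). The lowest level that customizes this role wins outright, as
    the guide describes (override, not merge); higher levels are ignored.
    """
    base = SYSTEM_DEFAULT[role]
    for level in reversed(LEVELS):  # enterprise, then partner, then operator
        package = applied.get(level)
        if package is not None and role in package:
            validate_package(package)
            return base - frozenset(package[role])
    return base


def composite_privileges(
    functional_roles: Iterable[str], applied: Mapping[str, Optional[Package]]
) -> FrozenSet[str]:
    """Assumed model of a composite role as the union of its functional
    roles: a deny applied to one functional role propagates into every
    composite that contains it, but leaves the other functional roles
    in that composite untouched."""
    result: Set[str] = set()
    for role in functional_roles:
        result |= effective_privileges(role, applied)
    return frozenset(result)


if __name__ == "__main__":
    # Constructed scenario: the Partner denies token creation, the
    # Enterprise denies token reading; the Enterprise package wins.
    partner = {"Global Settings MSP Admin": {"Create Partner Token"}}
    enterprise = {"Global Settings MSP Admin": {"Read Partner Token"}}
    levels = {"operator": None, "partner": partner, "enterprise": enterprise}
    print(sorted(effective_privileges("Global Settings MSP Admin", levels)))
```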

To access the Service Permissions tab:

1 In the Partner Portal, click Administration from the top menu.

2 From the left menu, click User Management, and then click the Service Permissions tab. The
following screen appears:


3 On the Service Permissions screen, you can perform the following activities:

n Service – Select the service from the drop-down menu. The available services are:
n All
n Global Settings
n SD-WAN
n Cloud Web Security
n Secure Access
n Edge Network Intelligence
n App Catalog
n MCS
The permissions available for the selected service are displayed. By default, all the available
permissions are displayed.

n New Permission – Allows you to create a new permission. You can create only one permission
for a Privilege Bundle. For more information, see New Permission.

n Edit – Allows you to edit the settings of the selected permission. You can also click the link
to the permission to edit the settings.

n Clone – Allows you to create a copy of the selected permission.

n Publish Permission – Applies the customization available in the selected package to the
existing privilege. This option modifies the privileges only at the current level. If there are
customizations available at the Operator level or a lower level for the same role, then the
lower level takes precedence.

n More – Allows you to select from the following additional options:
n Delete: Deletes the selected permission. You cannot delete a permission if it is already in use.
n Download JSON: Downloads the list of permissions into a file in JSON format.
n Upload Permission: Allows you to upload a JSON file of a customized permission.
n Reset to System Default: Allows you to reset the current published permissions to default
settings. Only the permissions applied to the privileges in the Partner portal are reset to the
default settings. If Operators or Customers have customized their privileges in the Partner or
Enterprise portal, those settings remain the same.


4 The following are the other options available in the Service Permissions tab:

n Columns – Click and select the columns to be displayed or hidden on the page.
Note The Role Associated column displays the Roles using the same Privilege Bundle.

n Refresh – Click to refresh the page to display the most current data.

New Permission
You can create a customized permission and apply the permission to the existing privilege in the
SD-WAN Orchestrator.

To add a new permission, perform the following steps:

Procedure

1 In the Partner portal, click Administration from the top menu.

2 From the left menu, click User Management, and then click the Service Permissions tab.


3 Click New Permission.

The following screen appears:

4 Enter the following details to create a new permission:

n Name – Enter an appropriate name for the permission.

n Description – Enter a description. This field is optional.

n Scope – Select Partner or Customer as the scope. A Partner can apply the permissions for
Partners and Customers.

n Service – Select a service from the drop-down menu. The services are populated depending
on the selected Scope.

n Privilege Bundle – Select a privilege bundle from the drop-down menu. The privileges are
populated depending on the selected Service.

n Privileges – Displays the list of privileges based on the selected Privilege Bundle. You can
edit only those privileges that are eligible for customization.

5 Click Download CSV to download the list of all privileges into a file in CSV format.

6 Click Save to save the new permission. Click Save and Apply to save and publish the
permission.

Note The Save and Save and Apply buttons are activated only when you modify the
permissions.

The new permission is displayed on the Service Permissions page.

Authentication
The Authentication feature allows you to set the authentication mode for a Partner and an
Enterprise user.

To access the Authentication tab:

1 In the Partner portal, click Administration from the top menu.

2 From the left menu, click User Management, and then click the Authentication tab. The
following screen appears:


Partner Authentication

Select one of the following Authentication modes:

n Local: This is the default option and does not require any additional configuration.


n Single Sign-On: Single Sign-On (SSO) is a session and user authentication service that
allows SD-WAN Orchestrator users to log in to the SD-WAN Orchestrator with one set of
login credentials to access multiple applications. Integrating the SSO service with SD-WAN
Orchestrator improves the security of user authentication for SD-WAN Orchestrator users
and enables SD-WAN Orchestrator to authenticate users from other OpenID Connect (OIDC)-
based Identity Providers (IDPs).

To enable Single Sign On (SSO) for SD-WAN Orchestrator, you must configure an Identity
Provider (IDP) with details of SD-WAN Orchestrator. Currently, the following IDPs are
supported. Click each of the following links for step-by-step instructions to configure an
OpenID Connect (OIDC) application for SD-WAN Orchestrator in various IDPs:

n Configure Azure Active Directory for Single Sign On

n Configure Okta for Single Sign On

n Configure OneLogin for Single Sign On

n Configure PingIdentity for Single Sign On

n Configure VMware CSP for Single Sign On

You can configure the following options when you select the Authentication Mode as Single
Sign-on.


n Identity Provider Template – From the drop-down menu, select your preferred Identity
Provider (IDP) that you have configured for Single Sign On.
Note You can also manually configure your own IDP by selecting Others from the drop-down
menu.

n Organization Id – This field is available only when you select the VMware CSP template.
Enter the Organization ID provided by the IDP in the format: /csp/gateway/am/api/orgs/<full
organization ID>. When you sign in to the VMware CSP console, you can view the organization
ID you are logged into by clicking your username. A shortened version of the ID is displayed
under the organization name. Click the ID to display the full organization ID.

n OIDC well-known config URL – Enter the OpenID Connect (OIDC) configuration URL for your
IDP. For example, the URL format for Okta is:
https://{oauth-provider-url}/.well-known/openid-configuration.

n Issuer – This field is auto-populated based on your selected IDP.

n Authorization Endpoint – This field is auto-populated based on your selected IDP.

n Token Endpoint – This field is auto-populated based on your selected IDP.

n JSON Web KeySet URI – This field is auto-populated based on your selected IDP.

n User Information Endpoint – This field is auto-populated based on your selected IDP.

n Client ID – Enter the client identifier provided by your IDP.

n Client Secret – Enter the client secret provided by your IDP, which the client uses to exchange
an authorization code for a token.

n Scopes – This field is auto-populated based on your selected IDP.

n Role Type – Select either of the following two options:
n Use default role
n Use identity provider roles

n Role Attribute – Enter the name of the attribute set in the IDP to return roles.

n Partner Role Map – Map the IDP-provided roles to each of the Partner user roles.

Click Update to save the entered values. The SSO authentication setup is complete in the
SD-WAN Orchestrator.
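As an added example (not VMware code), the following Python shows where the auto-populated fields above come from in an OIDC discovery document, and how the Role Type, Role Attribute and Partner Role Map settings decide which Partner role an SSO login receives. The discovery document, hostnames and group names are constructed samples, and resolving several matching claim values to the first match is an assumption the guide does not state.

```python
"""OIDC discovery parsing and IDP-role-to-Partner-role mapping.

Added illustration, not VMware code. It mirrors the Single Sign-On fields
in the guide: the well-known config URL supplies Issuer, Authorization
Endpoint, Token Endpoint, JSON Web KeySet URI and User Information
Endpoint; Role Type chooses between the default role and identity provider
roles; Role Attribute names the claim; Partner Role Map maps claim values
to Partner roles. All sample data below is constructed.
"""
import json
from typing import Dict, List, Mapping, Optional

# Orchestrator field label -> key in the OIDC discovery document.
DISCOVERY_FIELDS = {
    "Issuer": "issuer",
    "Authorization Endpoint": "authorization_endpoint",
    "Token Endpoint": "token_endpoint",
    "JSON Web KeySet URI": "jwks_uri",
    "User Information Endpoint": "userinfo_endpoint",
}

# Constructed sample of what https://{oauth-provider-url}/.well-known/
# openid-configuration returns (the hostname is a placeholder).
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://idp.example.invalid",
    "authorization_endpoint": "https://idp.example.invalid/oauth2/v1/authorize",
    "token_endpoint": "https://idp.example.invalid/oauth2/v1/token",
    "jwks_uri": "https://idp.example.invalid/oauth2/v1/keys",
    "userinfo_endpoint": "https://idp.example.invalid/oauth2/v1/userinfo",
})


def parse_discovery(document: str, well_known_url: str) -> Dict[str, str]:
    """Fill the auto-populated SSO fields from a discovery document.

    Every endpoint must be present and use HTTPS, and the issuer must equal
    the origin the document was fetched from (the OIDC Discovery rule), so
    a tampered or mis-hosted document is rejected instead of populating
    endpoints that point somewhere else.
    """
    data = json.loads(document)
    fields: Dict[str, str] = {}
    for label, key in DISCOVERY_FIELDS.items():
        value = data.get(key)
        if not isinstance(value, str) or not value.startswith("https://"):
            raise ValueError(f"{label}: missing or not https ({key})")
        fields[label] = value
    expected_issuer = well_known_url.split("/.well-known/")[0]
    if fields["Issuer"].rstrip("/") != expected_issuer.rstrip("/"):
        raise ValueError("issuer does not match the well-known URL origin")
    return fields


def resolve_partner_role(
    claims: Mapping[str, object],
    role_type: str,
    default_role: str,
    role_attribute: str,
    partner_role_map: Mapping[str, str],
) -> Optional[str]:
    """Decide which Partner role an SSO login receives.

    With "Use default role" every SSO user gets `default_role`. With
    "Use identity provider roles" the claim named by `role_attribute`
    (a string or a list) is looked up in the Partner Role Map; the first
    matching value wins (assumption). A user whose claim matches nothing
    yields None so the caller denies the login rather than guessing a role.
    """
    if role_type == "Use default role":
        return default_role
    if role_type != "Use identity provider roles":
        raise ValueError(f"unknown role type: {role_type}")
    raw = claims.get(role_attribute)
    values: List[str] = [raw] if isinstance(raw, str) else list(raw or [])
    for value in values:
        mapped = partner_role_map.get(value)
        if mapped is not None:
            return mapped
    return None
```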

SSH Keys

You can create only one SSH Key per user. Click the User Information icon located at the top
right of the screen, and then click My Account > SSH Keys to create an SSH Key.

As a Partner, you can also revoke an SSH Key.

Click the Refresh option to refresh the section to display the most current data.

For more information, see Add SSH Key.

Session Limits

Note To view this section, an Operator user must navigate to Orchestrator > System Properties,
and set the value of the system property session.options.enableSessionTracking to True.


The following are the options available in this section:

n Concurrent logins – Allows you to set a limit on concurrent logins per user. By default,
Unlimited is selected, indicating that unlimited concurrent logins are allowed for the user.

n Session limits for each role – Allows you to set a limit on the number of concurrent sessions
based on user role. By default, Unlimited is selected, indicating that unlimited sessions are
allowed for the role.
Note The roles that are already created by the Partner in the Roles tab are displayed in this
section.

Click Update to save the selected values.

Configure Azure Active Directory for Single Sign On


To set up an OpenID Connect (OIDC)-based application in Microsoft Azure Active Directory
(AzureAD) for Single Sign On (SSO), perform the steps in this procedure.

Prerequisites

Ensure you have an AzureAD account to sign in.

Procedure

1 Log in to your Microsoft Azure account as an Admin user.

The Microsoft Azure home screen appears.


2 To create a new application:

a Search and select the Azure Active Directory service.

b Go to App registration > New registration.

The Register an application screen appears.

c In the Name field, enter the name for your SD-WAN Orchestrator application.

d In the Redirect URL field, enter the redirect URL that your SD-WAN Orchestrator
application uses as the callback endpoint.

In the SD-WAN Orchestrator application, at the bottom of the Configure Authentication
screen, you can find the redirect URL link. Ideally, the SD-WAN Orchestrator redirect URL
will be in this format: https://<Orchestrator URL>/login/ssologin/openidCallback.


e Click Register.

Your SD-WAN Orchestrator application will be registered and displayed in the All
applications and Owned applications tabs. Make sure to note down the Client ID/
Application ID to be used during the SSO configuration in SD-WAN Orchestrator.

f Click Endpoints and copy the well-known OIDC configuration URL to be used during the
SSO configuration in SD-WAN Orchestrator.

g To create a client secret for your SD-WAN Orchestrator application, on the Owned
applications tab, click on your SD-WAN Orchestrator application.

h Go to Certificates & secrets > New client secret.

The Add a client secret screen appears.

i Provide details such as description and expiry value for the secret and click Add.

The client secret will be created for the application. Note down the new client secret
value to be used during the SSO configuration in SD-WAN Orchestrator.

j To configure permissions for your SD-WAN Orchestrator application, click on your SD-
WAN Orchestrator application and go to API permissions > Add a permission.

The Request API permissions screen appears.


k Click Microsoft Graph and select Application permissions as the type of permission for
your application.

l Under Select permissions, from the Directory drop-down menu, select
Directory.Read.All and from the User drop-down menu, select User.Read.All.

m Click Add permissions.


n To add and save roles in the manifest, click on your SD-WAN Orchestrator application
and from the application Overview screen, click Manifest.

A web-based manifest editor opens, allowing you to edit the manifest within the portal.
Optionally, you can select Download to edit the manifest locally, and then use Upload to
reapply it to your application.

o In the manifest, search for the appRoles array and add one or more role objects as shown
in the following example and click Save.

Note The value property from appRoles must be added to the Identity Provider Role
Name column of the Role Map table, located in the Authentication tab, in order to map
the roles correctly.

Sample role objects

{
    "allowedMemberTypes": [
        "User"
    ],
    "description": "Standard Administrator who will have sufficient privilege to manage resource",
    "displayName": "Standard Admin",
    "id": "18fcaa1a-853f-426d-9a25-ddd7ca7145c1",
    "isEnabled": true,
    "lang": null,
    "origin": "Application",
    "value": "standard"
},
{
    "allowedMemberTypes": [
        "User"
    ],
    "description": "Super Admin who will have the full privilege on SD-WAN Orchestrator",
    "displayName": "Super Admin",
    "id": "cd1d0438-56c8-4c22-adc5-2dcfbf6dee75",
    "isEnabled": true,
    "lang": null,
    "origin": "Application",
    "value": "superuser"
}

Note Make sure to set id to a newly generated Global Unique Identifier (GUID)
value. You can generate GUIDs online using web-based tools (for example,
https://www.guidgen.com/), or by running the following commands:

n Linux/OSX - uuidgen

n Windows - powershell [guid]::NewGuid()

3 To assign groups and users to your SD-WAN Orchestrator application:

a Go to Azure Active Directory > Enterprise applications.

b Search and select your SD-WAN Orchestrator application.

c Click Users and groups and assign users and groups to the application.

d Click Submit.
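The following Python script is an added example, not code from this guide or from Azure. It builds appRoles objects of the shape shown in step 2.o with freshly generated GUIDs, checks the mistakes that most often break the role mapping (a malformed or duplicate id, an empty or duplicate value, a member type other than User, a disabled role), and lists the value properties that go into the Identity Provider Role Name column of the Role Map. The helper names are this example's own; the two role names reuse the guide's sample.

```python
"""Build and check Azure AD appRoles entries for the Orchestrator manifest.

Added example, not from the guide: build_app_role, check_app_roles and
role_map_entries are hypothetical helper names.
"""
import json
import uuid

# Orchestrator roles are assigned to people, so only "User" is allowed here.
ALLOWED_MEMBER_TYPES = ["User"]


def build_app_role(display_name, description, value):
    """Return one appRoles object with a freshly generated GUID as its id."""
    return {
        "allowedMemberTypes": list(ALLOWED_MEMBER_TYPES),
        "description": description,
        "displayName": display_name,
        "id": str(uuid.uuid4()),   # must be unique within the manifest
        "isEnabled": True,
        "lang": None,
        "origin": "Application",
        "value": value,            # the string entered in the Role Map
    }


def check_app_roles(app_roles):
    """Return a list of problems found in an appRoles array (empty if clean)."""
    problems = []
    seen_ids, seen_values = set(), set()
    for idx, role in enumerate(app_roles):
        where = f"appRoles[{idx}]"
        # id must parse as a GUID and must not repeat.
        try:
            rid = str(uuid.UUID(role.get("id", "")))
        except (ValueError, TypeError, AttributeError):
            problems.append(f"{where}: id is not a GUID")
            rid = None
        if rid is not None:
            if rid in seen_ids:
                problems.append(f"{where}: duplicate id {rid}")
            seen_ids.add(rid)
        # value is what the token carries and what the Role Map matches on.
        value = role.get("value")
        if not value:
            problems.append(f"{where}: empty value")
        elif value in seen_values:
            problems.append(f"{where}: duplicate value {value!r}")
        else:
            seen_values.add(value)
        if role.get("allowedMemberTypes") != ALLOWED_MEMBER_TYPES:
            problems.append(f"{where}: allowedMemberTypes should be ['User']")
        if role.get("isEnabled") is not True:
            problems.append(f"{where}: role is disabled")
    return problems


def role_map_entries(app_roles):
    """Map each enabled role's value to its display name, for the Role Map."""
    return {r["value"]: r["displayName"] for r in app_roles if r.get("isEnabled")}


def build_manifest_fragment():
    """Assemble the two roles from the guide's sample as an appRoles fragment."""
    roles = [
        build_app_role(
            "Standard Admin",
            "Standard Administrator who will have sufficient privilege to manage resource",
            "standard"),
        build_app_role(
            "Super Admin",
            "Super Admin who will have the full privilege on SD-WAN Orchestrator",
            "superuser"),
    ]
    return {"appRoles": roles}


if __name__ == "__main__":
    fragment = build_manifest_fragment()
    print(json.dumps(fragment, indent=2))
    print("problems:", check_app_roles(fragment["appRoles"]))
    print("role map values:", role_map_entries(fragment["appRoles"]))
```

Paste the printed appRoles objects into the manifest editor, then run the check again on the saved manifest's array before mapping roles in the Orchestrator: a duplicate value is the usual reason two Azure roles collapse into one Orchestrator role.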

Results

You have completed setting up an OIDC-based application in AzureAD for SSO.

What to do next

Configure Single Sign On in SD-WAN Orchestrator.


Configure Okta for Single Sign On


To support OpenID Connect (OIDC)-based Single Sign On (SSO) from Okta, you must first set up
an application in Okta. To set up an OIDC-based application in Okta for SSO, perform the steps
in this procedure.

Prerequisites

Ensure you have an Okta account to sign in.

Procedure

1 Log in to your Okta account as an Admin user.

The Okta home screen appears.

Note If you are in the Developer Console view, then you must switch to the Classic UI view
by selecting Classic UI from the Developer Console drop-down list.

2 To create a new application:

a In the upper navigation bar, click Applications > Add Application.

The Add Application screen appears.

b Click Create New App.

The Create a New Application Integration dialog box appears.

c From the Platform drop-down menu, select Web.


d Select OpenID Connect as the Sign on method and click Create.

The Create OpenID Connect Integration screen appears.

e Under the General Settings area, in the Application name text box, enter the name for
your application.

f Under the CONFIGURE OPENID CONNECT area, in the Login redirect URIs text box,
enter the redirect URL that your SD-WAN Orchestrator application uses as the callback
endpoint.

In the SD-WAN Orchestrator application, at the bottom of the Configure Authentication
screen, you can find the redirect URL link. Ideally, the SD-WAN Orchestrator redirect URL
will be in this format: https://<Orchestrator URL>/login/ssologin/openidCallback.

g Click Save. The newly created application page appears.


h On the General tab, click Edit and select Refresh Token for Allowed grant types, and click
Save.

Note down the Client Credentials (Client ID and Client Secret) to be used during the SSO
configuration in SD-WAN Orchestrator.

i Click the Sign On tab and under the OpenID Connect ID Token area, click Edit.

j From the Groups claim type drop-down menu, select Expression. By default, Groups
claim type is set to Filter.


k In the Groups claim expression textbox, enter the claim name that will be used in the
token, and an Okta input expression statement that evaluates the token.

l Click Save.

The application is set up in the IDP. You can now assign user groups and users to your SD-WAN
Orchestrator application.


3 To assign groups and users to your SD-WAN Orchestrator application:

a Go to Application > Applications and click on your SD-WAN Orchestrator application link.

b On the Assignments tab, from the Assign drop-down menu, select Assign to Groups or
Assign to People.

The Assign <Application Name> to Groups or Assign <Application Name> to People
dialog box appears.

c Click Assign next to the user groups or users you want to assign to the SD-WAN
Orchestrator application, and click Done.

The users or user groups assigned to the SD-WAN Orchestrator application will be
displayed.

Results

You have completed setting up an OIDC-based application in Okta for SSO.

What to do next

Configure Single Sign On in SD-WAN Orchestrator.

Configure OneLogin for Single Sign On


To set up an OpenID Connect (OIDC)-based application in OneLogin for Single Sign On (SSO),
perform the steps in this procedure.

Prerequisites

Ensure you have a OneLogin account to sign in.


Procedure

1 Log in to your OneLogin account as an Admin user.

The OneLogin home screen appears.

2 To create a new application:

a In the upper navigation bar, click Apps > Add Apps.

b In the Find Applications text box, search for “OpenId Connect” or “oidc” and then select
the OpenId Connect (OIDC) app.

The Add OpenId Connect (OIDC) screen appears.

c In the Display Name text box, enter the name for your application and click Save.


d On the Configuration tab, enter the Login URL (auto-login URL for SSO) and the Redirect
URI that SD-WAN Orchestrator uses as the callback endpoint, and click Save.

n Login URL - The login URL will be in this format: https://<Orchestrator URL>/<Domain>/login/
doEnterpriseSsoLogin, where <Domain> is the domain name of your Enterprise that you must
have already set up to enable SSO authentication for the SD-WAN Orchestrator. You can get
the Domain name from the Enterprise portal > Administration > System Settings > General
Information page.

n Redirect URIs - The SD-WAN Orchestrator redirect URL will be in this format: https://
<Orchestrator URL>/login/ssologin/openidCallback. In the SD-WAN Orchestrator
application, at the bottom of the Authentication screen, you can find the redirect
URL link.

e On the Parameters tab, under OpenId Connect (OIDC), double click Groups.

The Edit Field Groups popup appears.

f Configure User Roles with value “--No transform--(Single value output)” to be sent in
groups attribute and click Save.

g On the SSO tab, from the Application Type drop-down menu, select Web.


h From the Authentication Method drop-down menu, select POST as the Token Endpoint
and click Save.

Also, note down the Client Credentials (Client ID and Client Secret) to be used during the
SSO configuration in SD-WAN Orchestrator.

i On the Access tab, choose the roles that will be allowed to login and click Save.

3 To add roles and users to your SD-WAN Orchestrator application:

a Click Users > Users and select a user.

b On the Application tab, from the Roles drop-down menu, on the left, select a role to be
mapped to the user.

c Click Save Users.

Results

You have completed setting up an OIDC-based application in OneLogin for SSO.

What to do next

Configure Single Sign On in SD-WAN Orchestrator.


Configure PingIdentity for Single Sign On


To set up an OpenID Connect (OIDC)-based application in PingIdentity for Single Sign On (SSO),
perform the steps in this procedure.

Prerequisites

Ensure you have a PingOne account to sign in.

Note Currently, SD-WAN Orchestrator supports PingOne as the Identity Provider (IDP); however,
any PingIdentity product supporting OIDC can be easily configured.

Procedure

1 Log in to your PingOne account as an Admin user.

The PingOne home screen appears.


2 To create a new application:

a In the upper navigation bar, click Applications.

b On the My Applications tab, select OIDC and then click Add Application.

The Add OIDC Application pop-up window appears.

c Provide basic details such as name, short description, and category for the application
and click Next.

d Under AUTHORIZATION SETTINGS, select Authorization Code as the allowed grant
types and click Next.

Also, note down the Discovery URL and Client Credentials (Client ID and Client Secret) to
be used during the SSO configuration in SD-WAN Orchestrator.


e Under SSO FLOW AND AUTHENTICATION SETTINGS, provide valid values for Start SSO
URL and Redirect URL and click Next.

In the SD-WAN Orchestrator application, at the bottom of the Configure Authentication
screen, you can find the redirect URL link. Ideally, the SD-WAN Orchestrator redirect
URL will be in this format: https://<Orchestrator URL>/login/ssologin/openidCallback. The
Start SSO URL will be in this format: https://<Orchestrator URL>/<domain name>/login/
doEnterpriseSsoLogin.

f Under DEFAULT USER PROFILE ATTRIBUTE CONTRACT, click Add Attribute to add
additional user profile attributes.

g In the Attribute Name text box, enter group_membership, select the Required
checkbox, and click Next.

Note The group_membership attribute is required to retrieve roles from PingOne.

h Under CONNECT SCOPES, select the scopes that can be requested for your SD-WAN
Orchestrator application during authentication and click Next.

i Under Attribute Mapping, map your identity repository attributes to the claims available
to your SD-WAN Orchestrator application.

Note The minimum required mappings for the integration to work are email,
given_name, family_name, phone_number, sub, and group_membership (mapped to
memberOf).

j Under Group Access, select all user groups that should have access to your SD-WAN
Orchestrator application and click Done.

The application will be added to your account and will be available in the My Application
screen.

Results

You have completed setting up an OIDC-based application in PingOne for SSO.

What to do next

Configure Single Sign On in SD-WAN Orchestrator.

Configure VMware CSP for Single Sign On


To configure VMware Cloud Services Platform (CSP) for Single Sign On (SSO), perform the steps
in this procedure.

Prerequisites

Sign in to VMware CSP console (staging or production environment) with your VMware account
ID. If you are new to VMware Cloud and do not have a VMware account, you can create one
as you sign up. For more information, see How do I Sign up for VMware CSP section in Using
VMware Cloud documentation.


Procedure

1 Contact the VMware Support Provider to receive a Service invitation URL link to
register your SD-WAN Orchestrator application with VMware CSP. For information on how
to contact the Support Provider, see https://kb.vmware.com/s/article/53907 and
https://www.vmware.com/support/contacts/us_support.html.

The VMware Support Provider will create and share:

n a Service invitation URL that needs to be redeemed to your Customer organization

n a Service definition uuid and Service role name to be used for Role mapping in
Orchestrator

2 Redeem the Service invitation URL to your existing Customer Organization or create a new
Customer Organization by following the steps in the UI screen.

You need to be an Organization Owner to redeem the Service invitation URL to your existing
Customer Organization.

3 After redeeming the Service invitation, when you sign in to VMware CSP console, you can
view your application tile under My Services area in the VMware Cloud Services page.

The Organization you are logged into is displayed under your username on the menu
bar. Make a note of the Organization ID by clicking on your username, to be used during
Orchestrator configuration. A shortened version of the ID is displayed under the Organization
name. Click the ID to display the full Organization ID.

4 Log in to VMware CSP console and create an OAuth application. For steps, see Use OAuth
2.0 for Web Apps. Make sure to set Redirect URI to the URL displayed in the Configure
Authentication screen in Orchestrator.

Once the OAuth application is created in VMware CSP console, make a note of the IDP
integration details such as Client ID and Client Secret. These details will be needed for
SSO configuration in Orchestrator.

5 Log in to your SD-WAN Orchestrator application as Super Admin user and configure SSO
using the IDP integration details as follows.

a Click Administration > System Settings.

The System Settings screen appears.

b Click the General Information tab and in the Domain text box, enter the domain name for
your enterprise, if it is not already set.

Note To enable SSO authentication for the SD-WAN Orchestrator, you must set up the
domain name for your enterprise.

c Click the Authentication tab and from the Authentication Mode drop-down menu, select
SSO.

d From the Identity Provider template drop-down menu, select VMwareCSP.


e In the Organization Id text box, enter the Organization ID (that you have noted down in
Step 3) in the following format: /csp/gateway/am/api/orgs/<full organization ID>.

f In the OIDC well-known config URL text box, enter the OpenID Connect (OIDC)
configuration URL (https://console.cloud.vmware.com/csp/gateway/am/api/.well-known/
openid-configuration) for your IDP.

The SD-WAN Orchestrator application auto-populates endpoint details such as Issuer,
Authorization Endpoint, Token Endpoint, and User Information Endpoint for your IDP.

g In the Client Id text box, enter the client ID that you have noted down from the OAuth
application creation step.

h In the Client Secret text box, enter the client secret code that you have noted down from
the OAuth application creation step.

i To determine the user's role in SD-WAN Orchestrator, select either Use Default Role or Use
Identity Provider Roles.

j On selecting the Use Identity Provider Roles option, in the Role Attribute text box, enter
the name of the attribute set in the VMware CSP to return roles.

k In the Role Map area, map the VMwareCSP-provided roles to each of the SD-WAN
Orchestrator roles, separated by using commas.

Roles in VMware CSP will follow this format: external/<service definition uuid>/<service
role name mentioned during service template creation>. Use the same Service definition
uuid and Service role name that you have received from your Support Provider.

6 Click Save Changes to save the SSO configuration.

7 Click Test Configuration to validate the entered OpenID Connect (OIDC) configuration.


The user is navigated to the VMware CSP website and allowed to enter the credentials. On
IDP verification and successful redirect to the SD-WAN Orchestrator test callback, a successful
validation message will be displayed.

Results

You have completed integrating the SD-WAN Orchestrator application with VMware CSP for SSO and
can access the SD-WAN Orchestrator application by logging in to the VMware CSP console.

What to do next

n Within the organization, manage users by adding new users and assigning appropriate role
for the users. For more information, see the Identity & Access Management section in Using
VMware Cloud documentation.



Chapter 12 View Partner Information

As a Partner super user, you can view the Software/Firmware Images and Gateway Pools
assigned to you by your Operator.

In the Partner portal, click Overview to view the following information.

Available Software/Firmware Images

Displays the Software/Firmware images assigned to the partner by the Operator. You can assign
the software images to your Enterprise customers from this list.

Gateway Pool

Displays the Gateway pools assigned to the partner by the Operator. You can assign the
Gateway pools to your Enterprise customers from this list.

Note To assign the software images and Gateway pools to a customer, see Create New Partner
Customer and Configure Customers.

This chapter includes the following topics:

n View Partner Information with New Orchestrator UI


View Partner Information with New Orchestrator UI


As a Partner user, you can only view the Software images and Gateway pools assigned to you by
your Operator.

To view the configured Partner information for a selected Partner:

1 Log in to the Orchestrator as a Partner user.

2 In the new UI, click the Administration tab and go to Partner Configuration in the left
navigation pane.

The Partner Overview page with the following information appears for the selected Partner.

Available Software Images – Displays all the software images assigned to the Partner by the
Operator. You can assign the software images to your Enterprise customers from this list.

Gateway Pool – Displays the Gateway pools assigned to the Partner by the Operator. You can
assign the Gateway pools to your Enterprise customers from this list.



Chapter 13 Partner Settings

The Settings option allows you to configure partner settings along with the authentication
details.

In the Partner portal, click Settings to configure the following:

n General Information – Configure the user details, configure privacy settings, and enter the
contact information. See Configure Partner Information.

n Authentication – Configure authentication mode and view the API tokens. See Configure
Partner Authentication.

This chapter includes the following topics:

n Configure Partner Information

n Configure Partner Authentication

Configure Partner Information


You can configure the partner information, privacy settings, and contact details for the partners
using General Information.

In the Partner portal, click Settings. You can configure the following in the General Information
tab.


Privacy Settings – Select Grant Access to VeloCloud Support to grant access to the VMware
Support to view, configure, and troubleshoot the events and settings.

Table 13-1. General Information

Name – The existing username is displayed. If required, you can modify the name.

Domain – The existing domain name is displayed and you can modify the domain, if required.

Description – Enter a description for the customer.

Contact Info – The existing contact details are displayed in this section. If required, you can
modify the details.

Configure Partner Authentication


In the Authentication tab, you can set up the authentication mode for the partners and view the
existing API tokens.

In the Partner portal, click Settings > Authentication to configure the following:


Partner Authentication – Choose one of the following from the Authentication Mode.

n NATIVE – This is the default authentication mode; you log in to the Partner portal with
the native username and password. This mode does not require any configuration.

n SSO – Single Sign On (SSO) is a session and user authentication service that allows the users
to log into the Partner portal with one set of login credentials to access multiple applications.
For more information, see Configure Single Sign On for Partner User.

API Tokens – You can access the Orchestrator APIs using token-based authentication,
irrespective of the authentication mode. You can view the existing API tokens in this section.

The Partner Super User or the User associated with an API token can revoke the token. Select
the token and click Actions > Revoke. To create and download the API tokens, see API Tokens.

Overview of Single Sign On


The SD-WAN Orchestrator supports a new type of user authentication called Single Sign On
(SSO) for all Orchestrator user types: Operator, Partner, and Enterprise.

Single Sign On (SSO) is a session and user authentication service that allows SD-WAN
Orchestrator users to log in to the SD-WAN Orchestrator with one set of login credentials to
access multiple applications. Integrating the SSO service with SD-WAN Orchestrator improves
the security of user authentication for SD-WAN Orchestrator users and enables SD-WAN
Orchestrator to authenticate users from other OpenID Connect (OIDC)-based Identity Providers
(IDPs). The following IDPs are currently supported:

n Okta

n OneLogin

n PingIdentity

n AzureAD

n VMwareCSP


Configure Single Sign On for Partner User


To set up Single Sign On (SSO) authentication for a Partner user, perform the steps in this
procedure.

Prerequisites

n Ensure you have the Partner super user permission.

n Before setting up the SSO authentication in SD-WAN Orchestrator, ensure you have set
up roles, users, and an OpenID Connect (OIDC) application for SD-WAN Orchestrator in your
preferred identity provider's website. For more information, see Configure an IDP for Single
Sign On.

Procedure

1 Log in to the SD-WAN Orchestrator application as Partner super user, with your login
credentials.

2 Click Settings.

The Partner Settings screen appears.

3 Click the General Information tab and in the Domain text box, enter the domain name for
your partner, if it is not already set.

Note To enable SSO authentication for the SD-WAN Orchestrator, you must set up the
domain name for your partner.


4 Click the Authentication tab and from the Authentication Mode drop-down menu, select
Single Sign-On.

5 From the Identity Provider template drop-down menu, select your preferred Identity
Provider (IDP) that you have configured for Single Sign On.

Note When you select VMwareCSP as your preferred IDP, ensure to provide your
Organization ID in the following format: /csp/gateway/am/api/orgs/<full organization ID>.

When you sign in to VMware CSP console, you can view the organization ID you are logged
into by clicking on your username. A shortened version of the ID is displayed under the
organization name. Click the ID to display the full organization ID.

You can also manually configure your own IDPs by selecting Others from the Identity
Provider template drop-down menu.

6 In the OIDC well-known config URL text box, enter the OpenID Connect (OIDC) configuration
URL for your IDP. For example, the URL format for Okta will be:
https://{oauth-provider-url}/.well-known/openid-configuration.


7 The SD-WAN Orchestrator application auto-populates endpoint details such as Issuer,
Authorization Endpoint, Token Endpoint, and User Information Endpoint for your IDP.

8 In the Client Id text box, enter the client identifier provided by your IDP.

9 In the Client Secret text box, enter the client secret code provided by your IDP, that is used
by the client to exchange an authorization code for a token.

10 To determine the user's role in SD-WAN Orchestrator, select one of the options:

n Use Default Role – Allows user to configure a static role as default by using the Default
Role text box that appears on selecting this option. The supported roles are: MSP
Superuser, MSP Standard Admin, MSP Support, and MSP Business.

Note In an SSO configuration setup, if the Use Default Role option is selected and a default
user role is defined, then all SSO users will be assigned the specified default role.
Instead of assigning a user the default role, a Partner Super User can pre-register a
specific user as a Non-Native user and define a specific user role by using the Admins tab
in the Partner portal. For steps to configure a new Partner Administrator User, see Create
New Partner Admin.

n Use Identity Provider Roles – Uses the roles set up in the IDP.

11 On selecting the Use Identity Provider Roles option, in the Role Attribute text box, enter the
name of the attribute set in the IDP to return roles.

12 In the Role Map area, map the IDP-provided roles to each of the Partner user roles, separated
by using commas.

Roles in VMware CSP will follow this format: external/<service definition uuid>/<service role
name mentioned during service template creation>.

13 Update the allowed redirect URLs in the OIDC provider website with the SD-WAN Orchestrator
URL (https://<vco>/login/ssologin/openidCallback).

14 Click Save Changes to save the SSO configuration.


15 Click Test Configuration to validate the entered OpenID Connect (OIDC) configuration.

The user is navigated to the IDP website and allowed to enter the credentials. On IDP
verification and successful redirect to the SD-WAN Orchestrator test callback, a successful
validation message will be displayed.
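The following Python script is an added example, not the Orchestrator's own code. It shows what steps 6 to 12 of this procedure rely on: reading an OIDC discovery document into the Issuer, Authorization, Token and User Information endpoints that the Orchestrator auto-populates (rejecting a document whose issuer does not match the well-known URL it came from), and resolving a Partner role from the role attribute in the ID token through a comma-separated Role Map, including an entry in the external/<service definition uuid>/<service role name> format described for VMware CSP in Configure VMware CSP for Single Sign On. The discovery document, claims, role map, helper names and the most-privileged-wins precedence are this example's constructed assumptions, not documented Orchestrator behaviour.

```python
"""Check an OIDC discovery document and resolve a Partner role from token claims.

Added example: parse_discovery, parse_role_map, resolve_role and the
PRECEDENCE policy are this example's assumptions; all data is constructed.
"""
import json
from urllib.parse import urlparse

WELL_KNOWN_SUFFIX = "/.well-known/openid-configuration"
REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "userinfo_endpoint")

# Constructed discovery document; the host and paths are placeholders.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://idp.example.com/oauth2/default",
    "authorization_endpoint": "https://idp.example.com/oauth2/default/v1/authorize",
    "token_endpoint": "https://idp.example.com/oauth2/default/v1/token",
    "userinfo_endpoint": "https://idp.example.com/oauth2/default/v1/userinfo",
    "jwks_uri": "https://idp.example.com/oauth2/default/v1/keys",
    "scopes_supported": ["openid", "profile", "email", "groups"],
})


def parse_discovery(well_known_url, body):
    """Return the endpoints to auto-populate; raise ValueError on a bad document."""
    if not well_known_url.endswith(WELL_KNOWN_SUFFIX):
        raise ValueError("config URL must end with " + WELL_KNOWN_SUFFIX)
    doc = json.loads(body)
    issuer = doc.get("issuer")
    if not issuer:
        raise ValueError("discovery document has no issuer")
    # OIDC Discovery serves the document at <issuer> + the well-known suffix,
    # so an issuer that differs from the URL base points at the wrong IDP.
    expected = well_known_url[: -len(WELL_KNOWN_SUFFIX)]
    if issuer.rstrip("/") != expected.rstrip("/"):
        raise ValueError(f"issuer {issuer!r} does not match config URL")
    endpoints = {"issuer": issuer}
    for name in REQUIRED_ENDPOINTS:
        url = doc.get(name)
        if not url:
            raise ValueError(f"discovery document lacks {name}")
        if urlparse(url).scheme != "https":   # never send codes or tokens over http
            raise ValueError(f"{name} is not https: {url}")
        endpoints[name] = url
    return endpoints


def parse_role_map(role_map):
    """Expand 'Partner role -> comma-separated IDP roles' into IDP role -> Partner roles."""
    lookup = {}
    for partner_role, idp_roles in role_map.items():
        for idp_role in idp_roles.split(","):
            idp_role = idp_role.strip()
            if idp_role:
                lookup.setdefault(idp_role, set()).add(partner_role)
    return lookup


# Assumed policy for this example: if the IDP roles map to several Partner
# roles, the most privileged one is chosen.
PRECEDENCE = ["MSP Superuser", "MSP Standard Admin", "MSP Support", "MSP Business"]


def resolve_role(claims, role_attribute, role_map, default_role=None):
    """Pick the Partner role from the role attribute in the ID token claims.

    Returns default_role when nothing matches, and None when there is no
    default either (the login should then be refused, not silently admitted).
    """
    raw = claims.get(role_attribute, [])
    idp_roles = [raw] if isinstance(raw, str) else list(raw)  # scalar or list claim
    lookup = parse_role_map(role_map)
    matched = set()
    for idp_role in idp_roles:
        matched.update(lookup.get(idp_role, ()))
    for partner_role in PRECEDENCE:
        if partner_role in matched:
            return partner_role
    return default_role


# Constructed Role Map: one entry per Partner role, IDP roles separated by
# commas; the VMware CSP entry uses placeholder uuid and role name.
SAMPLE_ROLE_MAP = {
    "MSP Superuser": "superuser, external/<service-definition-uuid>/vco-superuser",
    "MSP Standard Admin": "standard",
    "MSP Support": "support",
}

if __name__ == "__main__":
    eps = parse_discovery("https://idp.example.com/oauth2/default" + WELL_KNOWN_SUFFIX,
                          SAMPLE_DISCOVERY)
    print(eps)
    print(resolve_role({"groups": ["standard", "superuser"]}, "groups", SAMPLE_ROLE_MAP))
```

The issuer check is the part worth keeping in mind when Test Configuration fails: a config URL copied from the wrong tenant or environment produces endpoints that look valid but belong to a different issuer, and the resulting tokens will never verify against the IDP you intended.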

Results

The SSO authentication setup is complete in SD-WAN Orchestrator.

What to do next

Chapter 5 Log in to SD-WAN Orchestrator using SSO for Partner User

Configure an IDP for Single Sign On


To enable Single Sign On (SSO) for SD-WAN Orchestrator, you must configure an Identity
Provider (IDP) with details of SD-WAN Orchestrator. Currently, the following IDPs are supported:
Okta, OneLogin, PingIdentity, AzureAD, and VMware CSP.

For step-by-step instructions to configure an OpenID Connect (OIDC) application for SD-WAN
Orchestrator in various IDPs, see:

n Configure Okta for Single Sign On

n Configure OneLogin for Single Sign On

n Configure PingIdentity for Single Sign On

n Configure Azure Active Directory for Single Sign On

n Configure VMware CSP for Single Sign On

Configure Okta for Single Sign On


To support OpenID Connect (OIDC)-based Single Sign On (SSO) from Okta, you must first set up
an application in Okta. To set up an OIDC-based application in Okta for SSO, perform the steps
in this procedure.

Prerequisites

Ensure you have an Okta account to sign in.

Procedure

1 Log in to your Okta account as an Admin user.

The Okta home screen appears.

Note If you are in the Developer Console view, then you must switch to the Classic UI view
by selecting Classic UI from the Developer Console drop-down list.


2 To create a new application:

a In the upper navigation bar, click Applications > Add Application.

The Add Application screen appears.

b Click Create New App.

The Create a New Application Integration dialog box appears.

c From the Platform drop-down menu, select Web.

d Select OpenID Connect as the Sign on method and click Create.

The Create OpenID Connect Integration screen appears.

e Under the General Settings area, in the Application name text box, enter the name for
your application.

f Under the CONFIGURE OPENID CONNECT area, in the Login redirect URIs text box,
enter the redirect URL that your SD-WAN Orchestrator application uses as the callback
endpoint.

In the SD-WAN Orchestrator application, at the bottom of the Configure Authentication
screen, you can find the redirect URL link. Ideally, the SD-WAN Orchestrator redirect URL
will be in this format: https://<Orchestrator URL>/login/ssologin/openidCallback.


g Click Save. The newly created application page appears.

h On the General tab, click Edit and select Refresh Token for Allowed grant types, and click
Save.

Note down the Client Credentials (Client ID and Client Secret) to be used during the SSO
configuration in SD-WAN Orchestrator.

i Click the Sign On tab and under the OpenID Connect ID Token area, click Edit.

j From the Groups claim type drop-down menu, select Expression. By default, Groups
claim type is set to Filter.


k In the Groups claim expression textbox, enter the claim name that will be used in the
token, and an Okta input expression statement that evaluates the token.

l Click Save.

The application is set up in the IDP. You can now assign user groups and users to your SD-WAN
Orchestrator application.


3 To assign groups and users to your SD-WAN Orchestrator application:

a Go to Application > Applications and click on your SD-WAN Orchestrator application link.

b On the Assignments tab, from the Assign drop-down menu, select Assign to Groups or
Assign to People.

The Assign <Application Name> to Groups or Assign <Application Name> to People
dialog box appears.

c Click Assign next to the user groups or users you want to assign to the SD-WAN
Orchestrator application, and click Done.

The users or user groups assigned to the SD-WAN Orchestrator application will be
displayed.

Results

You have completed setting up an OIDC-based application in Okta for SSO.

What to do next

Configure Single Sign On in SD-WAN Orchestrator.

Create a New User Group in Okta


To create a new user group, perform the steps on this procedure.

Procedure

1 Click Directory > Groups.

2 Click Add Group.

The Add Group dialog box appears.


3 Enter the group name and description for the group and click Save.

Create a New User in Okta


To add a new user, perform the steps on this procedure.

Procedure

1 Click Directory > People.

2 Click Add Person.

The Add Person dialog box appears.

3 Enter all the mandatory details such as first name, last name, and email ID of the user.

4 If you want to set the password, select Set by user from the Password drop-down menu and
enable Send user activation email now.

5 Click Save.

An activation link is sent to the specified email ID. Click the link in the email to activate the
Okta user account.

Configure OneLogin for Single Sign On


To set up an OpenID Connect (OIDC)-based application in OneLogin for Single Sign On (SSO),
perform the steps in this procedure.

Prerequisites

Ensure you have a OneLogin account to sign in.

Procedure

1 Log in to your OneLogin account as an Admin user.

The OneLogin home screen appears.


2 To create a new application:

a In the upper navigation bar, click Apps > Add Apps.

b In the Find Applications text box, search for “OpenId Connect” or “oidc” and then select
the OpenId Connect (OIDC) app.

The Add OpenId Connect (OIDC) screen appears.

c In the Display Name text box, enter the name for your application and click Save.


d On the Configuration tab, enter the Login URL (auto-login URL for SSO) and the Redirect
URI that SD-WAN Orchestrator uses as the callback endpoint, and click Save.

n Login URL - The login URL has the format https://<Orchestrator URL>/<Domain>/login/
doEnterpriseSsoLogin, where <Domain> is the domain name of your Enterprise that you
must already have set up to enable SSO authentication for the SD-WAN Orchestrator. You
can find the Domain name in the Enterprise portal under Administration > System Settings >
General Information.

n Redirect URI - The SD-WAN Orchestrator redirect URL has the format https://
<Orchestrator URL>/login/ssologin/openidCallback. In the SD-WAN Orchestrator
application, the redirect URL link is shown at the bottom of the Authentication screen.

e On the Parameters tab, under OpenId Connect (OIDC), double click Groups.

The Edit Field Groups popup appears.

f Configure User Roles with the value “--No transform--(Single value output)” so that the
roles are sent in the groups attribute, and click Save.

g On the SSO tab, from the Application Type drop-down menu, select Web.


h From the Authentication Method drop-down menu, select POST as the Token Endpoint
and click Save.

Also, note down the Client Credentials (Client ID and Client Secret) to be used during the
SSO configuration in SD-WAN Orchestrator.

i On the Access tab, choose the roles that are allowed to log in and click Save.

3 To add roles and users to your SD-WAN Orchestrator application:

a Click Users > Users and select a user.

b On the Application tab, from the Roles drop-down menu, on the left, select a role to be
mapped to the user.

c Click Save Users.

Results

You have completed setting up an OIDC-based application in OneLogin for SSO.

What to do next

Configure Single Sign On in SD-WAN Orchestrator.


Create a New Role in OneLogin


To create a new role, perform the steps in this procedure.

Procedure

1 Click Users > Roles.

2 Click New Role.

3 Enter a name for the role.

When you first set up a role, the Applications tab displays all the apps in your company
catalog.

4 Click an application to select it and click Save to add the selected apps to the role.

Create a New User in OneLogin


To create a new user, perform the steps in this procedure.

Procedure

1 Click Users > Users > New User.

The New User screen appears.

2 Enter all the mandatory details such as first name, last name, and email ID of the user and
click Save User.

Configure PingIdentity for Single Sign On


To set up an OpenID Connect (OIDC)-based application in PingIdentity for Single Sign On (SSO),
perform the steps in this procedure.

Prerequisites

Ensure you have a PingOne account to sign in.

Note Currently, SD-WAN Orchestrator supports PingOne as the Identity Provider (IDP); however,
any PingIdentity product that supports OIDC can be configured in the same way.

Procedure

1 Log in to your PingOne account as an Admin user.

The PingOne home screen appears.


2 To create a new application:

a In the upper navigation bar, click Applications.

b On the My Applications tab, select OIDC and then click Add Application.

The Add OIDC Application pop-up window appears.

c Provide basic details such as name, short description, and category for the application
and click Next.

d Under AUTHORIZATION SETTINGS, select Authorization Code as the allowed grant
types and click Next.

Also, note down the Discovery URL and Client Credentials (Client ID and Client Secret) to
be used during the SSO configuration in SD-WAN Orchestrator.


e Under SSO FLOW AND AUTHENTICATION SETTINGS, provide valid values for Start SSO
URL and Redirect URL and click Next.

In the SD-WAN Orchestrator application, at the bottom of the Configure Authentication
screen, you can find the redirect URL link. Ideally, the SD-WAN Orchestrator redirect
URL will be in this format: https://<Orchestrator URL>/login/ssologin/openidCallback. The
Start SSO URL will be in this format: https://<Orchestrator URL>/<domain name>/login/
doEnterpriseSsoLogin.

f Under DEFAULT USER PROFILE ATTRIBUTE CONTRACT, click Add Attribute to add
additional user profile attributes.

g In the Attribute Name text box, enter group_membership and then select the Required
checkbox, and select Next.

Note The group_membership attribute is required to retrieve roles from PingOne.

h Under CONNECT SCOPES, select the scopes that can be requested for your SD-WAN
Orchestrator application during authentication and click Next.

i Under Attribute Mapping, map your identity repository attributes to the claims available
to your SD-WAN Orchestrator application.

Note The minimum required mappings for the integration to work are email,
given_name, family_name, phone_number, sub, and group_membership (mapped to
memberOf).

j Under Group Access, select all user groups that should have access to your SD-WAN
Orchestrator application and click Done.

The application will be added to your account and will be available in the My Application
screen.

Results

You have completed setting up an OIDC-based application in PingOne for SSO.

What to do next

Configure Single Sign On in SD-WAN Orchestrator.

Create a New User Group in PingIdentity


To create a new user group, perform the steps in this procedure.

Procedure

1 Click Users > User Directory.

2 On the Groups tab, click Add Group.

The New Group screen appears.

3 In the Name text box, enter a name for the group and click Save.


Create a New User in PingIdentity


To add a new user, perform the steps in this procedure.

Procedure

1 Click Users > User Directory.

2 On the Users tab, click the Add Users drop-down menu and select Create New User.

The User screen appears.

3 Enter all the mandatory details such as username, password, and email ID of the user.

4 Under Group Memberships, click Add.

The Add Group Membership pop-up window appears.

5 Search and add the user to a group and click Save.

Configure Azure Active Directory for Single Sign On


To set up an OpenID Connect (OIDC)-based application in Microsoft Azure Active Directory
(AzureAD) for Single Sign On (SSO), perform the steps in this procedure.

Prerequisites

Ensure you have an AzureAD account to sign in.

Procedure

1 Log in to your Microsoft Azure account as an Admin user.

The Microsoft Azure home screen appears.


2 To create a new application:

a Search and select the Azure Active Directory service.

b Go to App registration > New registration.

The Register an application screen appears.

c In the Name field, enter the name for your SD-WAN Orchestrator application.

d In the Redirect URL field, enter the redirect URL that your SD-WAN Orchestrator
application uses as the callback endpoint.

In the SD-WAN Orchestrator application, at the bottom of the Configure Authentication
screen, you can find the redirect URL link. Ideally, the SD-WAN Orchestrator redirect URL
will be in this format: https://<Orchestrator URL>/login/ssologin/openidCallback.


e Click Register.

Your SD-WAN Orchestrator application will be registered and displayed in the All
applications and Owned applications tabs. Make sure to note down the Client ID/
Application ID to be used during the SSO configuration in SD-WAN Orchestrator.

f Click Endpoints and copy the well-known OIDC configuration URL to be used during the
SSO configuration in SD-WAN Orchestrator.

g To create a client secret for your SD-WAN Orchestrator application, on the Owned
applications tab, click on your SD-WAN Orchestrator application.

h Go to Certificates & secrets > New client secret.

The Add a client secret screen appears.

i Provide details such as description and expiry value for the secret and click Add.

The client secret will be created for the application. Note down the new client secret
value to be used during the SSO configuration in SD-WAN Orchestrator.

j To configure permissions for your SD-WAN Orchestrator application, click on your SD-
WAN Orchestrator application and go to API permissions > Add a permission.

The Request API permissions screen appears.


k Click Microsoft Graph and select Application permissions as the type of permission for
your application.

l Under Select permissions, from the Directory drop-down menu, select
Directory.Read.All and from the User drop-down menu, select User.Read.All.

m Click Add permissions.


n To add and save roles in the manifest, click on your SD-WAN Orchestrator application
and from the application Overview screen, click Manifest.

A web-based manifest editor opens, allowing you to edit the manifest within the portal.
Optionally, you can select Download to edit the manifest locally, and then use Upload to
reapply it to your application.

o In the manifest, search for the appRoles array and add one or more role objects as shown
in the following example and click Save.

Note The value property from appRoles must be added to the Identity Provider Role
Name column of the Role Map table, located in the Authentication tab, in order to map
the roles correctly.

Sample role objects

{
  "allowedMemberTypes": [
    "User"
  ],
  "description": "Standard Administrator who will have sufficient privilege to manage resource",
  "displayName": "Standard Admin",
  "id": "18fcaa1a-853f-426d-9a25-ddd7ca7145c1",
  "isEnabled": true,
  "lang": null,
  "origin": "Application",
  "value": "standard"
},
{
  "allowedMemberTypes": [
    "User"
  ],
  "description": "Super Admin who will have the full privilege on SD-WAN Orchestrator",
  "displayName": "Super Admin",
  "id": "cd1d0438-56c8-4c22-adc5-2dcfbf6dee75",
  "isEnabled": true,
  "lang": null,
  "origin": "Application",
  "value": "superuser"
}

Note Make sure to set id to a newly generated Global Unique Identifier (GUID)
value. You can generate GUIDs online using web-based tools (for example,
https://www.guidgen.com/), or by running the following commands:

n Linux/OSX - uuidgen

n Windows - powershell [guid]::NewGuid()
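The following script is an added example, not VMware's or Microsoft's tooling: it builds appRoles objects in the layout shown above with freshly generated GUIDs, rejects duplicate ids or values before the manifest is uploaded, and checks that every Identity Provider Role Name in the Orchestrator Role Map is backed by an enabled appRole. The function names, the sample Role Map and the manifest fragment are constructed here.

```python
"""Build appRoles entries for an Azure AD app manifest and check them against the
Orchestrator Role Map. Added example, not VMware's or Microsoft's tooling: the
field layout and the "standard" / "superuser" values come from the guide; the
function names, sample Role Map and manifest fragment are constructed here."""
import json
import uuid
from typing import Dict, List


def make_app_role(display_name: str, description: str, value: str) -> Dict:
    """One appRoles object with a freshly generated GUID in "id", the same result
    as running `uuidgen` or `[guid]::NewGuid()` and pasting the value in."""
    return {
        "allowedMemberTypes": ["User"],
        "description": description,
        "displayName": display_name,
        "id": str(uuid.uuid4()),
        "isEnabled": True,
        "lang": None,
        "origin": "Application",
        "value": value,
    }


def add_app_roles(manifest: Dict, roles: List[Dict]) -> Dict:
    """Append roles to manifest["appRoles"], refusing a malformed or duplicate
    "id" and a duplicate "value" so the problem is caught before upload."""
    existing = manifest.setdefault("appRoles", [])
    seen_ids = {r["id"] for r in existing}
    seen_values = {r["value"] for r in existing}
    for role in roles:
        try:
            uuid.UUID(role["id"])  # must be a well-formed GUID
        except ValueError:
            raise ValueError(f'appRole {role["displayName"]!r}: id is not a GUID')
        if role["id"] in seen_ids:
            raise ValueError(f'appRole {role["displayName"]!r}: duplicate id')
        if role["value"] in seen_values:
            raise ValueError(f'appRole {role["displayName"]!r}: duplicate value')
        seen_ids.add(role["id"])
        seen_values.add(role["value"])
        existing.append(role)
    return manifest


def unmapped_role_names(manifest: Dict, role_map: Dict[str, str]) -> List[str]:
    """Return the Identity Provider Role Names from the Orchestrator Role Map that
    no enabled appRole "value" provides. role_map is Orchestrator role -> the
    comma-separated Identity Provider Role Name column of the Role Map table."""
    provided = {r["value"] for r in manifest.get("appRoles", []) if r.get("isEnabled")}
    missing = []
    for orch_role, idp_names in role_map.items():
        for name in (n.strip() for n in idp_names.split(",")):
            if name and name not in provided:
                missing.append(f"{orch_role} <- {name}")
    return missing


def build_sample_manifest() -> Dict:
    """Constructed manifest fragment holding the two roles the guide shows."""
    manifest = {"appRoles": []}  # the rest of a real manifest is omitted here
    return add_app_roles(manifest, [
        make_app_role("Standard Admin",
                      "Standard Administrator who will have sufficient privilege "
                      "to manage resource", "standard"),
        make_app_role("Super Admin",
                      "Super Admin who will have the full privilege on SD-WAN "
                      "Orchestrator", "superuser"),
    ])


if __name__ == "__main__":
    m = build_sample_manifest()
    print(json.dumps(m["appRoles"], indent=2))
    # Constructed Role Map: "netops" has no appRole behind it and is reported.
    print(unmapped_role_names(m, {"Superuser": "superuser",
                                  "Standard Admin": "standard, netops"}))
```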

3 To assign groups and users to your SD-WAN Orchestrator application:

a Go to Azure Active Directory > Enterprise applications.

b Search and select your SD-WAN Orchestrator application.

c Click Users and groups and assign users and groups to the application.

d Click Submit.

Results

You have completed setting up an OIDC-based application in AzureAD for SSO.

What to do next

Configure Single Sign On in SD-WAN Orchestrator.

Create a New Guest User in AzureAD


To create a new guest user, perform the steps in this procedure.


Procedure

1 Go to Azure Active Directory > Users > All users.

2 Click New guest user.

The New Guest User pop-up window appears.

3 In the Email address text box, enter the email address of the guest user and click Invite.

The guest user immediately receives a customizable invitation that lets them sign in to their
Access Panel.

4 Guest users in the directory can be assigned to apps or groups.

Configure VMware CSP for Single Sign On


To configure VMware Cloud Services Platform (CSP) for Single Sign On (SSO), perform the steps
in this procedure.

Prerequisites

Sign in to VMware CSP console (staging or production environment) with your VMware account
ID. If you are new to VMware Cloud and do not have a VMware account, you can create one
as you sign up. For more information, see How do I Sign up for VMware CSP section in Using
VMware Cloud documentation.

Procedure

1 Contact the VMware Support Provider to receive a Service invitation URL link for
registering your SD-WAN Orchestrator application with VMware CSP. For information on how
to contact the Support Provider, see https://kb.vmware.com/s/article/53907 and
https://www.vmware.com/support/contacts/us_support.html.

The VMware Support Provider will create and share:

n a Service invitation URL that needs to be redeemed to your Customer organization

n a Service definition uuid and Service role name to be used for Role mapping in
Orchestrator

2 Redeem the Service invitation URL to your existing Customer Organization or create a new
Customer Organization by following the steps in the UI screen.

You need to be an Organization Owner to redeem the Service invitation URL to your existing
Customer Organization.

3 After redeeming the Service invitation, when you sign in to VMware CSP console, you can
view your application tile under My Services area in the VMware Cloud Services page.

The Organization you are logged into is displayed under your username on the menu
bar. Make a note of the Organization ID by clicking on your username, to be used during
Orchestrator configuration. A shortened version of the ID is displayed under the Organization
name. Click the ID to display the full Organization ID.


4 Log in to VMware CSP console and create an OAuth application. For steps, see Use OAuth
2.0 for Web Apps. Make sure to set Redirect URI to the URL displayed in Configure
Authentication screen in Orchestrator.

Once the OAuth application is created in the VMware CSP console, make a note of the IDP
integration details such as Client ID and Client Secret. These details are needed for the SSO
configuration in Orchestrator.

5 Log in to your SD-WAN Orchestrator application as Super Admin user and configure SSO
using the IDP integration details as follows.

a Click Administration > System Settings.

The System Settings screen appears.

b Click the General Information tab and in the Domain text box, enter the domain name for
your enterprise, if it is not already set.

Note To enable SSO authentication for the SD-WAN Orchestrator, you must set up the
domain name for your enterprise.

c Click the Authentication tab and from the Authentication Mode drop-down menu, select
SSO.

d From the Identity Provider template drop-down menu, select VMwareCSP.

e In the Organization Id text box, enter the Organization ID (that you have noted down in
Step 3) in the following format: /csp/gateway/am/api/orgs/<full organization ID>.

f In the OIDC well-known config URL text box, enter the OpenID Connect (OIDC)
configuration URL (https://console.cloud.vmware.com/csp/gateway/am/api/.well-known/
openid-configuration) for your IDP.

The SD-WAN Orchestrator application auto-populates endpoint details such as Issuer,
Authorization Endpoint, Token Endpoint, and User Information Endpoint for your IDP.

g In the Client Id text box, enter the client ID that you have noted down from the OAuth
application creation step.

h In the Client Secret text box, enter the client secret code that you have noted down from
the OAuth application creation step.

i To determine the user’s role in SD-WAN Orchestrator, select either Use Default Role or Use
Identity Provider Roles.

j On selecting the Use Identity Provider Roles option, in the Role Attribute text box, enter
the name of the attribute set in the VMware CSP to return roles.

k In the Role Map area, map the VMwareCSP-provided roles to each of the SD-WAN
Orchestrator roles, separated by using commas.

Roles in VMware CSP will follow this format: external/<service definition uuid>/<service
role name mentioned during service template creation>. Use the same Service definition
uuid and Service role name that you have received from your Support Provider.
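How the Role Attribute and the Role Map decide a user's Orchestrator role, as an added example that is not Orchestrator code: it inverts the comma-separated Role Map, reads the configured role attribute from verified ID-token claims, validates the external/<service definition uuid>/<service role name> format used by VMware CSP, and refuses ambiguous mappings. The function names, the sample claims and uuid, and the handling of unmapped or ambiguous roles are assumptions made here.

```python
"""Resolve a user's Orchestrator role from the IdP role attribute and the Role Map.
Added example, not Orchestrator code: the comma-separated Role Map, the "Use Default
Role" / "Use Identity Provider Roles" choice and the external/<service definition
uuid>/<service role name> format are from the guide; function names, sample claims
and the handling of ambiguous or unmapped roles are assumptions made here."""
import re
from typing import Dict, List, Optional

# external/<service definition uuid>/<service role name>, uuid in 8-4-4-4-12 form
CSP_ROLE_RE = re.compile(
    r"^external/([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-"
    r"[0-9a-fA-F]{4}-[0-9a-fA-F]{12})/(.+)$")


def csp_role_name(service_definition_uuid: str, service_role_name: str) -> str:
    """Compose the role string VMware CSP sends and validate it against the format."""
    role = f"external/{service_definition_uuid}/{service_role_name}"
    if not CSP_ROLE_RE.match(role):
        raise ValueError(f"not a valid CSP role string: {role!r}")
    return role


def invert_role_map(role_map: Dict[str, str]) -> Dict[str, str]:
    """Turn {Orchestrator role: "idp1, idp2"} into {idp role: Orchestrator role}.
    An IdP role listed under two Orchestrator roles is a misconfiguration: refuse it."""
    inverted: Dict[str, str] = {}
    for orch_role, idp_names in role_map.items():
        for name in (n.strip() for n in idp_names.split(",")):
            if not name:
                continue
            if name in inverted and inverted[name] != orch_role:
                raise ValueError(f"IdP role {name!r} is mapped to both "
                                 f"{inverted[name]!r} and {orch_role!r}")
            inverted[name] = orch_role
    return inverted


def claim_values(claims: Dict, role_attribute: str) -> List[str]:
    """Read the configured Role Attribute; IdPs send either one string or a list."""
    raw = claims.get(role_attribute)
    if raw is None:
        return []
    return [raw] if isinstance(raw, str) else [str(v) for v in raw]


def resolve_role(claims: Dict, role_attribute: str, role_map: Dict[str, str],
                 default_role: str, use_idp_roles: bool = True) -> Optional[str]:
    """Return the Orchestrator role for the claims of an already verified ID token.
    use_idp_roles=False is the "Use Default Role" option: everyone gets default_role.
    Otherwise the token's roles are looked up in the Role Map. None means nothing
    mapped (assumption: the caller denies the login rather than guessing), and two
    different Orchestrator roles matching at once raises instead of picking one."""
    if not use_idp_roles:
        return default_role
    inverted = invert_role_map(role_map)
    matched = {inverted[r] for r in claim_values(claims, role_attribute) if r in inverted}
    if not matched:
        return None
    if len(matched) > 1:
        raise ValueError(f"token maps to several Orchestrator roles: {sorted(matched)}")
    return matched.pop()


# Constructed sample: a Service definition uuid and role name as a Support Provider
# would hand them over, plus plain group names as an Okta-style groups claim sends.
SAMPLE_UUID = "11111111-2222-3333-4444-555555555555"
SAMPLE_ROLE_MAP = {
    "Superuser": csp_role_name(SAMPLE_UUID, "sdwan-superuser"),
    "Standard Admin": "standard, netops",
}

if __name__ == "__main__":
    print(resolve_role({"group_membership": ["netops"]}, "group_membership",
                       SAMPLE_ROLE_MAP, "Customer Support"))  # Standard Admin
    print(resolve_role({"group_membership": ["finance"]}, "group_membership",
                       SAMPLE_ROLE_MAP, "Customer Support"))  # None
```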


6 Click Save Changes to save the SSO configuration.

7 Click Test Configuration to validate the entered OpenID Connect (OIDC) configuration.

You are redirected to the VMware CSP website and prompted to enter your credentials. After the
IDP verifies them and redirects to the SD-WAN Orchestrator test callback, a message confirming
successful validation is displayed.

Results

You have completed integrating the SD-WAN Orchestrator application with VMware CSP for SSO and
can access the SD-WAN Orchestrator application by logging in to the VMware CSP console.

What to do next

n Within the organization, manage users by adding new users and assigning appropriate role
for the users. For more information, see the Identity & Access Management section in Using
VMware Cloud documentation.



14 Edge Licensing
SD-WAN Orchestrator provides different types of Licenses for the Edges. Partner users can
manage and assign licenses to their Enterprise customers.

Only Operators can enable the Edge Licensing and assign the licenses to a Partner user. If the
Edge Licensing is not enabled for you, contact your Operator.

The Edge licenses are available with the following components:

Component Supported Attributes

Bandwidth 10M, 30M, 50M, 100M, 200M, 350M, 500M, 750M, 1G, 2G, 5G, 10G

Editions Standard, Enterprise, Premium

Region North America, Europe Middle East and Africa, Latin America, Asia Pacific

Term 12 months, 36 months, 60 months

An Operator can assign different types of Edge licenses from the 324 types of licenses available
with various combinations.

Apart from the above list, VMware offers a trial version of license with the following attributes:

Component Supported Attributes

Bandwidth 10 Gbps

Edition POC

Region North America, Europe Middle East and Africa, Asia Pacific and Latin America

Term 60 Months

Note You can assign the POC license to a customer as a trial. When required, you can upgrade
the license to any required Edition.

To manage the Edge licenses for Customers, see Manage Edge Licenses for Customers.

To assign the Edge licenses to Customers, see Create New Partner Customer.

To view and generate a report of available License types, see Generate an Edge Licensing
Report.


To manage Edge Licensing using the New Orchestrator UI, see Edge Licensing with New
Orchestrator UI.

This chapter includes the following topics:

n Manage Edge Licenses for Customers

n Generate an Edge Licensing Report

n Edge Licensing with New Orchestrator UI

Manage Edge Licenses for Customers


A Partner user can manage the Edge Licenses and assign them to customers.

Procedure

1 In the Partner portal, click Manage Customers.

2 Click the link to a customer name to navigate to the Enterprise portal.

3 In the Enterprise portal, click Administration > Edge Licensing.

4 Click Manage Edge License.

5 In the Select Edge Licenses window, choose the relevant licenses based on the Bandwidth,
Term, Edition, and Region.

Note Apart from the existing licenses, VMware offers a trial version of license with the
Edition as POC. If you select a POC license, you cannot choose the other licenses.

6 Click OK.

Results

The selected licenses are displayed in the Edge Licensing window.


If you have selected the POC license, you can click Upgrade Edge License to upgrade the license
to the next level. Choose Standard, Enterprise or Premium Edition from the list.

Note You cannot downgrade a License type to the previous Edition.

Click Report to generate a report of the licenses and the associated Edges in CSV format.

What to do next

When you create an Edge, you can choose and assign an Edge License from the list.

You can assign a license to an existing Edge:

n In the Enterprise portal, click Configure > Edges.

n To assign license to each Edge, click the link to the Edge and select the License in the Edge
Overview page. You can also select the Edge and click Actions > Assign Edge License to
assign the License.

n To assign a license to multiple Edges, select the appropriate Edges, click Actions > Assign
Edge License, and select the License.

Generate an Edge Licensing Report


Partner Superusers, Partner Standard Administrators, Partner Business Specialist, and Partner
Customer Support users can generate a report of the existing Edge licenses.

In the Partner portal, navigate to Edge Licensing.


Click Report to generate a report of the licenses, associated customers, and Edges in CSV
format.

Edge Licensing with New Orchestrator UI


Only Operators can enable the Edge Licensing and assign the licenses to a Partner user. If the
Edge Licensing is not enabled for you, contact your Operator.

Procedure

1 In the Partner portal, from the top menu, click Edge Image Management, and then from the
left menu, click Edge Licensing.


2 You can view the following options on this page:

Option Description

Search Enter a term to search for matching text across the table. You can click the
advanced search option to use filters to narrow down the search results.

Download Report Click this option to download a report of the licenses, associated customers,
and Edges in CSV format.

Columns Click this option and select the columns to be displayed in the table.

Refresh Click this option to refresh the displayed list of licenses.

3 Clicking the View link under the Partners assigned column displays the Edge license details
of the selected Partner.

4 Clicking the View link under the Customers assigned column displays the Edge license
details of the selected Customer.

What to do next

To manage Edge licensing for Customers with the New Orchestrator UI, see Manage Edge Licenses
for Customers with New Orchestrator UI.

Manage Edge Licenses for Customers with New Orchestrator UI


A Partner user can manage the Edge Licenses and assign them to customers using the New
Orchestrator UI.

Procedure

1 In the Partner portal, click Customers.

2 Click the link to a customer name to navigate to the Enterprise portal.


3 In the Enterprise portal, click Settings > Edge Licensing.

4 Click Manage Edge Licensing.

5 In the Select Edge Licenses window, choose the relevant licenses based on the Bandwidth,
Term, Edition, and Region, and then move them to the Selected Edge Licenses pane.

Note Apart from the existing licenses, VMware offers a trial version of license with the
Edition as POC. If you select a POC license, you cannot choose the other licenses.


6 Click Save. The selected licenses are displayed in the Edge Licensing window.

7 Click Download Report to generate a report of the licenses and the associated Edges in CSV
format.

What to do next

When you create an Edge, you can choose and assign an Edge License from the list.

You can assign a license to an existing Edge:

n In the Enterprise portal, click Configure > Edges.

n To assign license to each Edge, click the link to the Edge and select the License under the
Properties area in the Edge Overview page. You can also select the Edge and click Assign
Edge License to assign the license.

n To assign a license to multiple Edges, select the appropriate Edges, click Assign Edge
License, and select the license.



15 Edge Management with New Orchestrator UI
Edge Management allows you to configure Edge Authentication and Configuration Updates. You
can also select a default Software & Firmware Image.

1 In the Partner portal, from the top menu, click Settings, and then from the left menu, click
Edge Management.

2 You can configure the following options and click Save Changes.

Edge Authentication


Option Description

Default Certificate Choose the default option to authenticate the Edges associated to the
Customer.
n Certificate Acquire: This option instructs the Edge to acquire a certificate from the
certificate authority of the SD-WAN Orchestrator, by generating a key pair and sending a
certificate signing request to the Orchestrator. Once acquired, the Edge uses the certificate
for authentication to the SD-WAN Orchestrator and for the establishment of VCMP tunnels.

Note Only after the certificate has been acquired can the option be updated to Certificate
Required.
n Certificate Deactivated: This option instructs the Edge to use a pre-shared key mode of
authentication.
n Certificate Required: This option is selected by default and instructs the Edge to use the
PKI certificate. Operators can change the certificate renewal time window for Edges using
system properties. For more information, contact your Operator.

Note On clicking Save Changes, you are asked to confirm whether the selected Edge
authentication setting applies to all the impacted Edges or only to new Edges. By default,
the Apply to all Edges check box is selected.

Edge Authentication Click the Activate Secure Edge Access button to allow the user to access
Edges using Password-based or Key-based authentication. You can activate this option only
once, but you can switch between Password-based and Key-based authentication any number of
times.

Configuration Updates

Option Description

Disable Edge Configuration Updates By default, this option is activated. This option allows you
to actively push the configuration updates to Edges. Slide
the toggle button to turn it Off.

Enable Configuration Updates Post-Upgrade By default, this option is deactivated. This option
allows you to control when post-Orchestrator upgrade
configuration changes are applied to their Edges. Slide
the toggle button to turn it On.

Software & Firmware Images


You can view the details of the listed images and select the default image.

Note
n To view this section, go to Global Settings > Customer Configuration > SD-WAN
Configuration, and then select the Allow Customer to manage software check box.

n Only an Operator can add, delete, or edit an image. For more information, see the topic
Platform Firmware and Factory Images with New Orchestrator UI, in the VMware SD-WAN
Operator Guide.



16 Access SD-WAN Edges Using Key-Based Authentication
This section provides details about how to enable key-based authentication, add SSH keys, and
access Edges in a more secure way.

The Secure Shell (SSH) key-based authentication is a secure and robust authentication method to
access VMware SD-WAN Edges. It provides a strong, encrypted verification and communication
process between users and Edges. The use of SSH keys bypasses the need to manually enter
login credentials and automates the secure access to Edges.

Note Both the Edge and the Orchestrator must be using Release 5.0.0 or later for this feature to
be available.

Note Users with Operator Business or Business Specialist account roles cannot access Edges
using key-based authentication.

Perform the following tasks to access Edges using key-based authentication:

1 Configure privileges for a user to access Edges in a secure manner. You can choose Basic or
Privileged access level for the user. You can configure the access level when you create a
new user and choose to modify it at a later point in time. Ensure that you have Super User
role to modify the access level for a user. See the following topics:

n Create New Partner Admin

n Configure Partner Admin Users

2 Generate a new pair of SSH keys or import an existing SSH key. See Add SSH Key.

3 Enable key-based authentication to access Edges. See Enable Secure Edge Access for an
Enterprise.

This chapter includes the following topics:

n Add SSH Key

n Revoke SSH Keys

n Enable Secure Edge Access for an Enterprise

n Secure Edge CLI Commands


Add SSH Key


When using key-based authentication to access Edges, a pair of SSH keys are generated—Public
and Private.

The public key is stored in the database and is shared with the Edges. The private key is
downloaded to your computer, and you can use this key along with the SSH username to access
Edges. You can generate only one pair of SSH keys at a time. If you need to add a new pair
of SSH keys, you must delete the existing pair and then generate a new pair. If a previously
generated private key is lost, you cannot recover it from the Orchestrator. You must delete the
key and then add a new key to gain access. For details about how to delete SSH keys, see
Revoke SSH Keys.

Based on their roles, users can perform the following actions:

n All users, except users with Operator Business or Business Specialist account roles, can
create and revoke SSH keys for themselves.

n Operator Super users can manage SSH keys of other Operator users, Partner users, and
Enterprise users, if the Partner user and Enterprise user have delegated user permissions to
the Operator.

n Partner Super users can manage SSH keys of other Partner users and Enterprise users, if the
Enterprise user has delegated user permissions to the Partner.

n Enterprise Super users can manage the SSH keys of all the users within that Enterprise.

n Super users can only view and revoke the SSH keys for other users.

Note Enterprise and Partner customers without SD-WAN service access cannot configure or view
SSH key details.

To add an SSH key:

Procedure

1 In the Enterprise portal, click the User icon that appears at the top-right side of the Window.
The User Information panel appears.

2 Click Add SSH Key. The Add SSH Key pop-up window appears.

3 Select one of the following options to add the SSH key:

n Generate Key—Use this option to generate a new pair of public and private SSH keys. The
default file format in which the SSH key is generated is .pem. If you are using a Windows
operating system, ensure that you convert the file format from .pem to .ppk, and then
import the key. For instructions to convert .pem to .ppk, see Convert Pem to Ppk File
Using PuTTYgen.

n Import Key—Use this option to paste or enter the public key if you already have a pair of
SSH keys.


4 In the PassPhrase field, you can choose to enter a unique passphrase to further safeguard
the private key stored on your computer.

Note This is an optional field and is available only if you have selected the Generate Key
option.

5 In the Duration drop-down list, select the number of days after which the SSH key expires.

6 Click Add Key.

What to do next

Ensure that you enable secure Edge access for the Enterprise and switch the authentication
mode from Password-based to Key-based. See Enable Secure Edge Access for an Enterprise.

Revoke SSH Keys


Ensure that you have Super User role to delete the SSH keys for other users.

To revoke your SSH key:

1 In the Enterprise portal, click the User icon that appears at the top-right side of the window.
The User Information panel appears.

2 Click Revoke SSH Key.

To revoke the SSH keys of other Partner users:

1 In the Partner portal, go to Partner Settings > Authentication.

2 In the SSH Keys area, select the SSH usernames for which you want to delete the SSH keys.

3 Click Actions > Revoke SSH Key....

The SSH keys for a user are automatically deleted when:

n you change the user role to Operator Business or Business Specialist because these roles
cannot access Edges using key-based authentication.

n you delete a user from the Orchestrator.

Enable Secure Edge Access for an Enterprise


After adding the SSH key, you must switch the authentication mode from Password-based, which
is the default mode to Key-based to access Edges using the SSH username and SSH key. The
SSH username is automatically created when you create a new user.

To enable secure Edge access:

Procedure

1 In the Enterprise portal, go to Settings > Edge Management.


2 Select the Enable Secure Edge Access check box to allow the user to access Edges
using Key-based authentication. Once you have activated Secure Edge Access, you cannot
deactivate it.

Note Only Operator users can enable secure Edge access for an Enterprise.

3 Click Switch to Key-Based Authentication and confirm your selection.

Note Ensure that you have Super User role to switch the authentication mode.

What to do next

Use the SSH keys to securely login to the Edge’s CLI and run the required commands. See Secure
Edge CLI Commands.

Secure Edge CLI Commands


Based on the Access Level configured, you can run the following CLI commands. Each group
lists whether it is available at the Basic and Privileged access levels.

Note Run help <command name> to view a brief description of the command.

Interaction Commands (Basic: Yes; Privileged: Yes)

n help – Displays a list of available commands.

n pagination – Paginates the output.

n clear – Clears the screen.

n eof – Exits the secure Edge CLI.

Debug Commands (Basic: Yes; Privileged: Yes)

n edgeinfo – Displays the Edge's hardware and firmware information. For a sample output of
the command, see edgeinfo.

n seainfo – Displays details about the secure Edge access of the user. For a sample output
of the command, see seainfo.

n ping, ping6 – Pings a URL or an IP address.

n tcpdump – Displays TCP/IP and other packets being transmitted or received over a network
to which the Edge is attached. For a sample output of the command, see tcpdump.

n pcap – Captures packet data from the network traffic and writes it to a file. For a
sample output of the command, see pcap.

n debug – Runs the debug commands for Edges. Run debug -h to view a list of available
commands and options. For a sample output of one of the debug commands, see debug.

n diag – Runs the remote diagnostics commands. Run diag -h to view a list of available
commands and options. For a sample output of one of the diag commands, see diag.

n ifstatus – Fetches the status of all interfaces. For a sample output of the command,
see ifstatus.

n getwanconfig – Fetches the configuration details of all WAN interfaces. Use the logical
names such as "GE3" or "GE4" as arguments to fetch the configuration details of one
interface; do not use the physical names such as "ge3" or "ge4". For example, run
getwanconfig GE3 to view the configuration details of the GE3 WAN interface. Run the
ifstatus command to see the mapping between physical and logical interface names. For a
sample output of the command, see getwanconfig.

Configuration Command (Basic: Yes; Privileged: Yes)

n setwanconfig – Configures WAN interfaces (wired interfaces only). Run setwanconfig -h to
view configuration options.

Edge Actions Commands (Basic: No; Privileged: Yes)

n deactivate – Deactivates the Edge and reapplies the initial default configuration.

n restart – Restarts the SD-WAN service.

n reboot – Reboots the Edge.

n shutdown – Powers off the Edge.

n hardreset – Deactivates the Edge, restores the Edge's default configuration, and
restores the original software version.

n edged – Activates or deactivates the Edge processes.

n restartdhcpserver – Restarts the DHCP server.

Linux Shell Command (Basic: No; Privileged: Yes)

n shell – Takes you into the Linux shell. Type exit to return to the secure Edge CLI.

Sample Outputs
This section provides the sample outputs of some of the commands that can be run in a secure
Edge CLI.

edgeinfo
o10test_velocloud_net:velocli> edgeinfo
Model: vmware
Serial: VMware-420efa0d2a6ccb35-9b9bee2f04f74b32
Build Version: 5.0.0
Build Date: 2021-12-07_20-17-40
Build rev: R500-20211207-MN-8f5954619c
Build Hash: 8f5954619c643360455d8ada8e49def34faa688d

seainfo
o10test_velocloud_net:velocli> seainfo
{
"rootlocked": false,
"seauserinfo": {
"o2super_velocloud_net": {
"expiry": 1641600000000,
"privilege": "BASIC"
}
}
}

tcpdump
o10test_velocloud_net:velocli> tcpdump -nnpi eth0 -c 10
reading from file -, link-type EN10MB (Ethernet)
09:45:12.297381 IP6 fd00:1:1:2::2.2426 > fd00:ff01:0:1::2.2426: UDP, length 21
09:45:12.300520 IP6 fd00:ff01:0:1::2.2426 > fd00:1:1:2::2.2426: UDP, length 21
09:45:12.399077 IP6 fd00:1:1:2::2.2426 > fd00:ff01:0:1::2.2426: UDP, length 21
09:45:12.401382 IP6 fd00:ff01:0:1::2.2426 > fd00:1:1:2::2.2426: UDP, length 21
09:45:12.442927 IP6 fd00:1:1:2::2.2426 > fd00:ff01:0:1::2.2426: UDP, length 83
09:45:12.444745 IP6 fd00:ff01:0:1::2.2426 > fd00:1:1:2::2.2426: UDP, length 83
09:45:12.476765 IP6 fd00:ff01:0:1::2.2426 > fd00:1:1:2::2.2426: UDP, length 64
09:45:12.515696 IP6 fd00:ff02:0:1::2.2426 > fd00:1:1:2::2.2426: UDP, length 21

pcap
o10test_velocloud_net:velocli> pcap -nnpi eth4 -c 10
The capture will be saved to file o10test_velocloud_net_2021-12-09_09-57-50.pcap
o10test_velocloud_net:velocli> tcpdump: listening on eth4, link-type EN10MB (Ethernet), capture size 262144 bytes
10 packets captured
10 packets received by filter
0 packets dropped by kernel


debug
o10test_velocloud_net:velocli> debug --dpdk_ports_dump
name port link ignore strip speed duplex autoneg driver
ge3 0 1 0 1 1000 1 1 igb
ge6 4 0 2 1 0 0 1 ixgbe
ge5 5 0 2 1 0 0 1 ixgbe
ge4 1 0 2 1 0 0 0 igb
sfp2 2 0 2 1 0 0 1 ixgbe
sfp1 3 0 2 1 0 0 1 ixgbe
net_vhost0 6 0 0 1 10000 1 0
net_vhost1 7 0 0 1 10000 1 0

diag
o10test_velocloud_net:velocli> diag ARP_DUMP --count 10
Stale Timeout: 2min | Dead Timeout: 25min | Cleanup Timeout: 240min
GE3
192.168.1.254 7c:12:61:70:2f:d0 ALIVE 1s

LAN-VLAN1
10.10.1.137 b2:84:f7:c1:d3:a5 ALIVE 34s

ifstatus
o10test:velocli> ifstatus
{
"deviceBoardName": "EDGE620-CPU",
"deviceInfo": [],
"edgeActivated": true,
"edgeSerial": "HRPGPK2",
"edgeSoftware": {
"buildNumber": "R500-20210821-DEV-301514018f\n",
"version": "5.0.0\n"
},
"edgedDisabled": false,
"interfaceStatus": {
"GE1": {
"autonegotiation": true,
"duplex": "Unknown! (255)",
"haActiveSerialNumber": "",
"haEnabled": false,
"haStandbySerialNumber": "",
"ifindex": 4,
"internet": false,
"ip": "",
"is_sfp": false,
"isp": "",
"linkDetected": false,
"logical_id": "",
"mac": "18:5a:58:1e:f9:22",
"netmask": "",
"physicalName": "ge1",
"reachabilityIp": "8.8.8.8",


"service": false,
"speed": "Unkn",
"state": "DEAD",
"stats": {
"bpsOfBestPathRx": 0,
"bpsOfBestPathTx": 0
},
"type": "LAN"
},
"GE2": {
"autonegotiation": true,
"duplex": "Unknown! (255)",
"haActiveSerialNumber": "",
"haEnabled": false,


}
]
}

getwanconfig
o10test_velocloud_net:velocli> getwanconfig GE3
{
"details": {
"autonegotiation": "on",
"driver": "dpdk",
"duplex": "",
"gateway": "169.254.7.9",
"ip": "169.254.7.10",
"is_sfp": false,
"linkDetected": true,
"mac": "00:50:56:8e:46:de",
"netmask": "255.255.255.248",
"password": "",
"proto": "static",
"speed": "",
"username": "",
"v4Disable": false,
"v6Disable": false,
"v6Gateway": "fd00:1:1:1::1",
"v6Ip": "fd00:1:1:1::2",
"v6Prefixlen": 64,
"v6Proto": "static",
"vlanId": ""
},
"status": "OK"
}
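The ifstatus and getwanconfig outputs above are JSON, which makes them easy to check from a script before and after running setwanconfig. The following is an added example (not VMware code, and not part of this guide) that resolves a physical interface name to the logical name that getwanconfig and setwanconfig expect, and audits a getwanconfig result for the mistakes most likely to cut an Edge off from the Orchestrator: a gateway outside the interface's own subnet, incomplete static settings, or both address families disabled. The two JSON documents are trimmed copies of the sample outputs above with a constructed GE3 entry added to ifstatus; the "pppoe" proto value and all function names are the author's assumptions.

```python
"""Sanity checks on getwanconfig / ifstatus output (added example, not VMware code).

The two JSON documents below are trimmed copies of the sample outputs in this
guide (the GE3 entry in ifstatus is constructed to match the getwanconfig
sample). Field names come from the samples; any semantics beyond what the
guide states are assumptions, as is the "pppoe" proto value.
"""
import ipaddress
import json

IFSTATUS_SAMPLE = json.loads("""
{
  "deviceBoardName": "EDGE620-CPU",
  "edgeActivated": true,
  "interfaceStatus": {
    "GE1": {"physicalName": "ge1", "linkDetected": false, "state": "DEAD",
            "ip": "", "type": "LAN", "internet": false},
    "GE3": {"physicalName": "ge3", "linkDetected": true, "state": "ALIVE",
            "ip": "169.254.7.10", "type": "WAN", "internet": true}
  }
}
""")

GETWANCONFIG_GE3 = json.loads("""
{
  "details": {
    "autonegotiation": "on", "driver": "dpdk",
    "gateway": "169.254.7.9", "ip": "169.254.7.10", "netmask": "255.255.255.248",
    "proto": "static", "password": "", "username": "",
    "v4Disable": false, "v6Disable": false,
    "v6Gateway": "fd00:1:1:1::1", "v6Ip": "fd00:1:1:1::2", "v6Prefixlen": 64,
    "v6Proto": "static", "vlanId": ""
  },
  "status": "OK"
}
""")


def logical_name_map(ifstatus: dict) -> dict:
    """Map physical names (ge3) to the logical names (GE3) that getwanconfig/setwanconfig expect."""
    return {v["physicalName"]: k for k, v in ifstatus["interfaceStatus"].items()}


def resolve_interface(ifstatus: dict, name: str) -> str:
    """Accept either name form and return the logical name; raise if the Edge has no such interface."""
    logical = ifstatus["interfaceStatus"]
    if name in logical:
        return name
    mapping = logical_name_map(ifstatus)
    if name in mapping:
        return mapping[name]
    raise KeyError(f"unknown interface {name!r}; run ifstatus for the mapping")


def audit_wan_config(details: dict) -> list:
    """Return a list of findings for one getwanconfig 'details' object (empty means consistent)."""
    findings = []
    proto = details.get("proto", "")
    if not details.get("v4Disable", False) and proto == "static":
        try:
            # IPv4Interface accepts the dotted netmask form used by getwanconfig.
            iface = ipaddress.IPv4Interface(f"{details['ip']}/{details['netmask']}")
            gw = ipaddress.IPv4Address(details["gateway"])
            if gw not in iface.network:
                findings.append(f"IPv4 gateway {gw} is outside {iface.network}")
            if gw == iface.ip:
                findings.append("IPv4 gateway equals the interface address")
        except (ValueError, KeyError) as exc:
            findings.append(f"IPv4 static settings incomplete or invalid: {exc}")
    if not details.get("v6Disable", False) and details.get("v6Proto") == "static":
        try:
            iface6 = ipaddress.IPv6Interface(f"{details['v6Ip']}/{details['v6Prefixlen']}")
            gw6 = ipaddress.IPv6Address(details["v6Gateway"])
            if gw6 not in iface6.network:
                findings.append(f"IPv6 gateway {gw6} is outside {iface6.network}")
        except (ValueError, KeyError) as exc:
            findings.append(f"IPv6 static settings incomplete or invalid: {exc}")
    # Credentials left on a non-PPPoE link are worth noticing ("pppoe" is an assumed value).
    if (details.get("username") or details.get("password")) and proto != "pppoe":
        findings.append(f"credentials set although proto is {proto!r}")
    if details.get("v4Disable") and details.get("v6Disable"):
        findings.append("both IPv4 and IPv6 are disabled on this WAN interface")
    return findings


if __name__ == "__main__":
    print(logical_name_map(IFSTATUS_SAMPLE))
    print(resolve_interface(IFSTATUS_SAMPLE, "ge3"))
    print(audit_wan_config(GETWANCONFIG_GE3["details"]))
```

Run getwanconfig for the interface you intend to change, feed the "details" object to audit_wan_config, and only then run setwanconfig; repeat the audit on the new output, since a bad gateway on the only WAN link leaves the Edge reachable solely through the secure Edge CLI session you are in.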



17 Manage Gateway Pools and Gateways

The VMware network consists of multiple service Gateways deployed in top-tier network and
cloud data centers. The SD-WAN Gateway provides cloud-delivered services and optimized paths
to all applications, branches, and data centers. Service providers can also deploy their own
Partner Gateways in their private cloud infrastructure.

This chapter includes the following topics:

n Manage Gateway Pools

n Manage Gateway Pools with New Orchestrator UI

n Manage Gateways

n Manage Gateways with New Orchestrator UI

n SD-WAN Gateway Migration

n Run Diagnostics for Gateways

n Diagnostic Bundles for Gateways with New Orchestrator UI

Manage Gateway Pools


The Gateway Pool is a group of Gateways.

Gateways can be organized into pools that are then assigned to a network. An unpopulated
default Gateway pool is available after you install SD-WAN Orchestrator. If required, you can
create additional Gateway Pools.

In the Partner portal, click Gateway Pools.

Note Your Operator should have provided you access to manage the Gateway Pools and
Gateways. If the Gateway Pools option is not available in your portal, contact your Operator.

The Gateway Pools window displays the existing Gateway pools with the following options:

n Search – Enter a term to search for a specific detail. Click the drop-down arrow to filter the
view by specific criteria.

n Cols – Click and select the columns to be shown or hidden in the view.

n Reset View – Click to reset the view to default settings.


n Refresh – Click to refresh the details displayed with the most current data.

The Gateway Pools table displays the following details:

n Gateway Pool – Displays the name of the Gateway Pool.

n Gateways – Displays the number of Gateways available in the Gateway Pool.

n IP Version – Displays whether the Gateway Pool is enabled with IPv4 address or both the
IPv4 and IPv6 addresses.

n Customers – Displays the number of Enterprise Customers associated with the Gateway Pool.

n Partner Gateway – Displays the status of the Partner Gateway. The following are the
available options: None, Allow, and Partner Gateways.

n Managed Pool – Displays whether the Partner can manage the Gateway Pool.

Click Actions to perform the following activities:

n New Gateway Pool – Creates a new Gateway Pool. See Create New Gateway Pool.

n Clone Gateway Pool – Creates a new Gateway Pool, by cloning the existing configurations
from the selected Gateway Pool. See Clone a Gateway Pool.

n Delete Gateway Pool – Deletes the selected Gateway Pool. You cannot delete a Gateway
Pool that is already being used by an Enterprise Customer.

Create New Gateway Pool


In addition to the default Gateway Pool, you can create Gateway Pools and associate them with
Enterprise Customers.

In the Partner portal, click Gateway Pools.


Procedure

1 In the Gateway Pools page, click Actions > New Gateway Pool.

2 In the New Gateway Pool window, configure the following details:

a Name – Enter a name for the new Gateway Pool.

b Description – Enter a description for the Gateway Pool.

c Partner Gateway Hand Off – This option determines the method to hand off the
Gateways to Partners. Choose one of the following options from the drop-down list:

n None – Select this option when Partner Gateway hand off is not required.

n Allow – Select this option when you want the Gateway Pool to support a mix of both
the Partner Gateways and Cloud Gateways.

n Only Partner Gateways – Select this option when Edges in the Enterprise must not be
assigned Cloud Gateways from the pool, and may only be assigned the Gateways that are
set for the individual Edge.

d Association Type – Choose one of the following address types with which the Gateway
Pool should be enabled.

n IPv4 – Allows only IPv4 Gateways to be added.

n IPv4 and IPv6 – Allows Gateways with both IPv4 and IPv6 addresses to be added.

Note If you want to use Edges with IPv6 support, then choose IPv4 and IPv6.

3 Click Create.

What to do next

Configure the Gateway Pool by adding Gateways to the Pool. See Configure Gateway Pools.

Clone a Gateway Pool


You can clone the configurations from an existing Gateway Pool and create a new Gateway Pool
with the cloned settings.

In the Partner portal, click Gateway Pools.


Procedure

1 In the Gateway Pools page, select the Gateway Pool that you want to clone and click Actions
> Clone Gateway Pool.

2 In the New Gateway Pool window, configure the following details:

The Gateway Pool clones the existing configuration from the selected Gateway Pool. If
required, you can modify the details. For more information on the options, see Create New
Gateway Pool.

3 After updating the details, click Create.

What to do next

Configure the Gateway Pool by adding Gateways to the Pool. See Configure Gateway Pools.

Configure Gateway Pools


After creating a Gateway Pool, you can add Gateways to the Pool and associate the Pool to an
Enterprise Customer.

Whenever you create a new Gateway Pool or clone a Pool, you are redirected to the Gateway
Pool Properties page to configure the properties of the Pool.

Note You can configure only a Gateway pool created by a Partner User or a Partner Managed
Gateway pool created by your Operator.

To configure an existing Gateway Pool:

Procedure

1 In the Partner portal, click Gateway Pools. In the Gateway Pools page, the existing Gateway
Pools are displayed.

2 Click the link to a Gateway Pool to configure the Pool.


3 In the Gateway Pool Properties page, configure the following:

a In the Properties section, the existing Name, Description, Partner Gateway Hand Off
details, and the Association Type are displayed. If required, you can modify these details.

b In the Gateways In Pool section, click Manage to add Gateways to the Pool.

c In the Assign Gateways window that appears, move the required Gateways from the
Available pane to Assigned pane using the Arrows.


Click OK.

4 The added Gateways are displayed in the window.

5 Click Save Changes.

Results

The configured Gateway Pools are displayed in the Gateway Pools page.

What to do next

You can associate the Gateway Pool to an Enterprise Customer. The Edges available in the
Enterprise are connected to the Gateways available in the Pool.

Refer to the following links to associate the Gateway Pool:

n For a new customer, see Create New Partner Customer.

n For an existing customer, see Configure Customers.

Manage Gateway Pools with New Orchestrator UI


A Gateway Pool is a group of Gateways.

Gateways can be organized into pools that are then assigned to a network. An unpopulated
default Gateway pool is available after you install SD-WAN Orchestrator. If required, you can
create additional Gateway pools.


As a Partner Super user or Partner Admin user, you can create, manage, download, and delete
Gateway pools created by a Partner user, and Partner Managed Gateway pools created by the
Operator.

Note The Gateway pools feature is not supported for Partner Business Specialist user and
Partner IT support user.

The New Gateway Pool and Download options are available only for Partners with Gateway
management access activated. If the Gateway management access is deactivated for a Partner,
then the Partner will have only read-only permission for the configured Gateway pools. To
request Gateway Management access, Partners must contact the Operator Super user.

To manage Gateway pools, perform the following steps:

1 Log into the Orchestrator as a Partner Super user or Admin user.

2 In the New Orchestrator UI, click the Gateway Management tab and go to Gateway Pools in
the left navigation pane.

The Gateway Pools page appears.

3 To search a specific Gateway pool, enter a relevant search text in the Search box. For
advanced search, click the filter icon next to the Search box to filter the results by specific
criteria.

4 The Map Distribution section is used for displaying the Gateways on a map. You can click the
+ and - buttons to zoom in and zoom out the map, respectively. In the Gateway Pools table,
if you have selected any Gateway pools then only the Gateways in the selected pools are
displayed on the map. Otherwise, all Gateways are displayed on the map.


The Gateway Pools table displays the existing Gateway pools with the following details.

n Name – The name of the Gateway pool. Clicking a Gateway pool link in the Name column
opens the Gateway Pools Overview page.

n Gateways – The number of Gateways in the Gateway pool. Clicking a Gateway link in the
Gateways column opens the Gateway Overview page.

n IP Version – Whether the Gateway pool is enabled with IPv4 addresses only or with both
IPv4 and IPv6 addresses.

Note When assigning Gateways to the Gateway pool, ensure that the IP address type of the
Gateway matches the IP address type of the pool.

n Customers – The number of Enterprise Customers associated with the Gateway pool. Clicking
a Customer link in the Customers column opens a dialog that lists the customers; clicking a
customer in that dialog opens the Configure > Customer page.

n Partner Gateway – The Partner Gateway hand off setting of the pool. The following are the
available options:
n None - Use this option when Enterprises assigned to this Gateway pool do not require
Partner Gateway handoffs.
n Allow - Use this option when the Gateway pool must support both Partner Gateways and
Cloud Gateways.
n Only (Partner Gateways) - Use this option when Edges in the Enterprise must not be
assigned Cloud Gateways from the Gateway pool, and may use only the Gateway-1 and
Gateway-2 that are set for the individual Edge.

n Managed Pool – Whether a Partner can manage the Gateway pool.

On the Gateway Pools page, you can perform the following activities:

n New Gateway Pool – Creates a new Gateway pool. See Create New Gateway Pool with
New Orchestrator UI.

n Clone – Creates a new Gateway pool, by cloning the existing configurations from the
selected Gateway pool. See Clone a Gateway Pool with New Orchestrator UI.

n Download - Downloads the CSV file for all Gateway pools or the selected Gateway pool.

n Delete – Deletes the selected Gateway pool. You cannot delete a Gateway pool that is
already being used by an Enterprise Customer.


n You can also configure the existing Gateway pools by clicking the name link of the
Gateway pool. See Configure Gateway Pools with New Orchestrator UI.

Create New Gateway Pool with New Orchestrator UI


In addition to the default Gateway pool, you can create new Gateway pools and associate them
with Enterprise Customers.

Procedure

1 In the new UI, click the Gateway Management tab and go to Gateway Pools in the left
navigation pane.

The Gateway Pools page appears.

2 Click New Gateway Pool.

3 In the New Gateway Pool dialog, configure the following details and click Create.

Field Description

Name Enter a name for the new Gateway pool.

Description Enter a description for the Gateway pool.


Partner Gateway Hand Off This option determines the method to hand off the
Gateways to Partners. Choose one of the following
options from the drop-down list:
n None – Select this option when Partner Gateway
hand off is not required.
n Allow – Select this option when you want the
Gateway pool to support a mix of both the Partner
Gateways and Cloud Gateways.
n Only Partner Gateways – Select this option when
Edges in the Enterprise should not be assigned
with Cloud Gateways from the pool, and will only
be assigned with the Gateways that are set for an
individual Edge.

IP Version Choose one of the following address types with which


the Gateway pool should be enabled:
n IPv4 – Allows only IPv4 Gateways to be added.
n IPv4 and IPv6 – Allows Gateways with both IPv4 and IPv6 addresses to be added.

Note If you want to use Edges with IPv6 support, then


choose IPv4 and IPv6.

What to do next

n Configure the Gateway pool by adding Gateways to the pool. See Configure Gateway Pools
with New Orchestrator UI.

Clone a Gateway Pool with New Orchestrator UI


You can clone the configurations from an existing Gateway pool and create a new Gateway pool
with the cloned settings.

Procedure

1 In the new UI, click the Gateway Management tab and go to Gateway Pools in the left
navigation pane.

The Gateway Pools page appears.

2 In the Gateway Pools table, select the Gateway pool that you want to clone and click Clone.

The New Gateway Pool dialog with the cloned settings appears.


The Gateway pool clones the existing configuration from the selected Gateway pool. If
required, you can modify the details. For more information on the options, see Create New
Gateway Pool.

3 After updating the Gateway pool details, click Create.

What to do next

Configure the Gateway pool by adding Gateways to the pool. See Configure Gateway Pools with
New Orchestrator UI.

Configure Gateway Pools with New Orchestrator UI


After creating a Gateway pool, you can add Gateways to the pool and associate the pool to an
Enterprise Customer.

Whenever you create a new Gateway pool or clone a pool, you are redirected to the Gateway
Pool Overview page to configure the properties of the pool.

Note You can configure only a Gateway pool created by a Partner User or a Partner Managed
Gateway pool created by your Operator.

To configure an existing Gateway pool:


Procedure

1 In the new UI, click the Gateway Management tab and go to Gateway Pools in the left
navigation pane.

The Gateway Pools page appears.

2 Click the name link to a Gateway pool that you want to configure.

3 Configure the following details for the Gateway pool:

a In the Properties section, the existing Name, Description, Partner Gateway Hand Off
details, and the Association Type are displayed. If required, you can modify these details.

b In the Gateways in Pool section, click Manage to add Gateways to the pool.

The Assign Gateways to Gateway pool dialog appears.

c In the Assign Gateways to Gateway pool dialog, move the required Gateways from the
Available pane to Assigned pane using the Arrows and click Update.


4 The Gateways assigned to the selected Gateway pool are displayed as follows.

5 Click Save Changes.

Results

The configured Gateway pools are displayed in the Gateway Pools page.

What to do next

You can associate the Gateway pool to an Enterprise Customer. The Edges available in the
Enterprise are connected to the Gateways available in the pool.

Refer to the following links to associate the Gateway pool:

n For a new customer, see Create New Partner Customer.

n For an existing customer, see Configure Customers.


Manage Gateways
VMware SD-WAN Gateways form a distributed network of gateways, deployed around the world or
on-premises at service providers, that provides scalability, redundancy, and on-demand
flexibility. The SD-WAN Gateways optimize data paths to all applications, branches, and data
centers, and deliver network services to and from the cloud.

By default, the Gateways named as gateway-1 and gateway-2 are available when you install
SD-WAN Orchestrator. If required, you can create additional Gateways.

In the Partner portal, click Gateways.

The Gateways window displays the existing Gateways with the following options:

n Search – Enter a term to search for a specific detail. Click the drop-down arrow to filter the
view by a specific criteria.

n Cols – Click and select the columns to be shown or hidden in the view.

n Reset View – Click to reset the view to default settings.

n Refresh – Click to refresh the details displayed with the most current data.

n CSV – Click to download the data in CSV format.

The Gateways table displays the following details.

n Gateways – Name of the Gateway.

n Status – Reflects the success or failure of the periodic heartbeats sent by mgd to the
Orchestrator; it does not indicate the status of the data or control plane. The following
are the possible statuses:
n Connected – The Gateway is heartbeating successfully to the Orchestrator.
n Degraded – The Orchestrator has not heard from the Gateway for at least one minute.
n Offline – The Orchestrator has not heard from the Gateway for at least two minutes.

n CPU – Average CPU utilization of all cores in the system at the time of the last
heartbeat.

n Memory – Percentage of physical memory used by all processes in the system, as reported
by psutil.phymem_usage at the time of the last heartbeat. This is similar to estimating
memory usage with the free command.

n Edges – Number of Edges connected to the Gateway at the time of the last heartbeat.

Note Click View next to the number of Edges to view all the Edges assigned to the Gateway
and their online/offline status on the Orchestrator. This list shows assignment only; it
does not show which Edges are actually connected to the Gateway.

n Service State – The user-configured service state of the Gateway and whether it is
eligible to be assigned to new Edges.

n Super Gateway – The number of customers for which the Gateway has been chosen as a Super
Gateway, which is a common route reflector for all Edges.

n Secure VPN Gateway – Whether Secure VPN Gateway is enabled on the Gateway, which allows
the Gateway to be chosen as an endpoint for initiating Non SD-WAN Destination tunnels.

n Partner Gateway – Whether Partner Gateway is enabled on this Gateway, which allows the
Gateway to be assigned as a Partner Gateway for Edges.

n Certificates – If PKI is enabled, the generated Certificates.

n IP Address – The public IP address that public WAN links of an Edge use to connect to
the Gateway. This IP address uniquely identifies the Gateway. If the Gateway is enabled for
both IPv4 and IPv6 addresses, this column displays both.

n Pools – The Gateway Pools that contain the Gateway.

n Customers – The customers assigned to the Gateway.

n Version – The version number of the software running on the Gateway at the time of the
last heartbeat.

n Build – The full build string of the software running on the Gateway at the time of the
last heartbeat.

n Location – Location of the Gateway from GeoIP (by default) or as entered manually by the
user. This is used for geographic assignment of the Gateway to Edges and should be
verified.

n Managed Gateway – Whether the Gateway is eligible to be managed by a Partner or can only
be managed by the Operator.
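Two rules in this chapter are easy to script against an inventory export: the Gateway Pools note that a Gateway's IP address type must match its pool, and the Status column's heartbeat thresholds (Degraded after one minute without a heartbeat, Offline after two). The following is an added example (not VMware code, and not part of this guide) that audits a constructed inventory for both, and additionally flags an In Service Gateway that has gone quiet, while treating a Quiesced or Out of Service Gateway doing the same as expected. The record types, the audit and heartbeat_status functions, and the sample data are the author's; the field names follow the table columns above and are otherwise assumptions.

```python
"""Inventory audit across Gateway pools and Gateways (added example, not VMware code).

Covers two passages of the guide: the Gateway Pools rule that a Gateway's IP
address type must match its pool, and the Status column definition
(Connected; Degraded after one minute without a heartbeat; Offline after
two). Records are constructed; field names mirror the table columns and are
otherwise assumed. The thresholds are taken from the Status description.
"""
from dataclasses import dataclass
import ipaddress

DEGRADED_AFTER_S = 60
OFFLINE_AFTER_S = 120


@dataclass(frozen=True)
class Gateway:
    name: str
    ipv4: str
    ipv6: str                 # "" for an IPv4-only Gateway
    pool: str
    service_state: str        # "In Service", "Out of Service", "Quiesced"
    last_heartbeat: float     # Unix seconds of the last heartbeat seen by the Orchestrator

    @property
    def ip_version(self) -> str:
        ipaddress.IPv4Address(self.ipv4)          # reject malformed input early
        if self.ipv6:
            ipaddress.IPv6Address(self.ipv6)
            return "IPv4 and IPv6"
        return "IPv4"


@dataclass(frozen=True)
class GatewayPool:
    name: str
    ip_version: str           # "IPv4" or "IPv4 and IPv6"
    customers: int


def heartbeat_status(last_heartbeat: float, now: float) -> str:
    """Status as the Gateways table defines it, from the age of the last heartbeat."""
    age = now - last_heartbeat
    if age >= OFFLINE_AFTER_S:
        return "Offline"
    if age >= DEGRADED_AFTER_S:
        return "Degraded"
    return "Connected"


def audit(pools, gateways, now) -> list:
    """Return human-readable findings; an empty list means nothing to act on."""
    findings = []
    by_pool = {p.name: p for p in pools}
    usable = {p.name: 0 for p in pools}
    for gw in gateways:
        pool = by_pool.get(gw.pool)
        if pool is None:
            findings.append(f"{gw.name}: assigned to unknown pool {gw.pool!r}")
            continue
        if gw.ip_version != pool.ip_version:
            findings.append(
                f"{gw.name}: {gw.ip_version} Gateway in {pool.ip_version} pool {pool.name}")
        status = heartbeat_status(gw.last_heartbeat, now)
        # A Quiesced or Out of Service Gateway going quiet is expected; an In Service one is not.
        if status != "Connected" and gw.service_state == "In Service":
            findings.append(f"{gw.name}: In Service but {status}")
        if status == "Connected" and gw.service_state == "In Service":
            usable[pool.name] += 1
    for p in pools:
        if p.customers > 0 and usable[p.name] == 0:
            findings.append(
                f"pool {p.name}: {p.customers} customer(s) but no connected In Service Gateway")
    return findings


# Constructed inventory; the addresses are documentation ranges, not real Gateways.
NOW = 1_700_000_000.0
POOLS = [GatewayPool("pool-dual", "IPv4 and IPv6", customers=3),
         GatewayPool("pool-v4", "IPv4", customers=0)]
GATEWAYS = [
    Gateway("gw-1", "203.0.113.10", "2001:db8::10", "pool-dual", "In Service", NOW - 10),
    Gateway("gw-2", "203.0.113.11", "", "pool-dual", "In Service", NOW - 90),
    Gateway("gw-3", "203.0.113.12", "", "pool-v4", "Quiesced", NOW - 600),
]

if __name__ == "__main__":
    for line in audit(POOLS, GATEWAYS, NOW):
        print(line)
```

Against the constructed inventory the audit reports gw-2 twice: once as an IPv4-only Gateway in a dual-stack pool, and once as In Service but Degraded. gw-3 is Offline but Quiesced, so it is not reported. Feed the same function with rows from the CSV download to check a real inventory; the pool-level finding is the one to watch, because a pool with customers and no connected In Service Gateway means those customers' Edges have nothing to be assigned.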

Click Actions to perform the following activities:

Note The following options are available only for Partners with Gateway management access
activated. If Gateway management access is deactivated, the Partner has read-only access and
cannot manage or configure Gateways.

n New Gateway – Creates a new Gateway. See Create New Gateway.

n Delete Gateway – Deletes the selected Gateway. You cannot delete a Gateway that is
already being used by an Enterprise Customer.

n Support Request – Redirects to instructions on how to file a support request.

Create New Gateway


In addition to the default Gateways, you can create Gateways and associate them with Enterprise
Customers.

To create a Gateway, perform the following steps.

Procedure

1 In the Partner portal, click Gateways.

2 In the Gateways page, click Actions > New Gateway.


3 In the New Gateway window, configure the following details:

a Name – Enter a name for the new Gateway.

b IPv4 Address – Enter the IPv4 address of the Gateway.

c IPv6 Address – Enter the IPv6 address of the Gateway.

Note
n Once you have created a Gateway, you cannot modify the IP addresses.

n Release 4.3.x and 4.4.x support Greenfield deployment of Gateways for IPv6. If you
have upgraded a Gateway from a previous version earlier than 4.3.0, you cannot
configure the upgraded Gateway with the IPv6 address.

n Release 4.5.0 supports both the Greenfield and Brownfield deployment of Gateways
for IPv6. If you have upgraded a Gateway from a previous version earlier than 4.5.0,
you can dynamically configure IPv6 address for the Gateway.

n IPv4/IPv6 dual-stack mode is not supported for Bastion Orchestrator configuration.

d Service State – Select the service state of the Gateway from the drop-down list. The
following options are available:

n In Service: The Gateway is connected and available.

n Out of Service: The Gateway is not connected.

n Quiesced: The Gateway service is quiesced or paused. Select this state for backup or
maintenance purposes.

e Gateway Pool – Select the Gateway Pool from the drop-down list, to which the Gateway
would be assigned.


f Authentication Mode – Select the authentication mode of the Gateway from the following
available options:

n Certificate Not Required: The Gateway authenticates with a pre-shared key.

n Certificate Acquire: This option is selected by default and instructs the Gateway to
acquire a certificate from the certificate authority of the SD-WAN Orchestrator, by
generating a key pair and sending a certificate signing request to the Orchestrator.
Once acquired, the Gateway uses the certificate for authentication to the SD-WAN
Orchestrator and for establishment of VCMP tunnels.

Note After the certificate has been acquired, change the option to Certificate
Required so that only certificate-based authentication is accepted for the Gateway.

n Certificate Required: The Gateway authenticates with its PKI certificate.

g Contact Name – Enter the name of the Site Contact.

h Contact Email – Enter the Email ID of the Site Contact.

i Click Create.

Results

Once you create a new Gateway, you are redirected to the Configure Gateways page, where
you can configure additional settings for the newly created Gateway.

What to do next

To configure additional settings for the Gateway, see Configure Gateways.

Configure Gateways
You can configure the properties and other details of a Gateway in the Partner portal.

When you create a new Gateway, you are automatically redirected to the Configure Gateways
page.

To configure an existing Gateway:

Note You can configure only a Gateway created by a Partner User or a Partner Managed
Gateway created by your Operator.

Procedure

1 In the Partner portal, click Gateways.

2 The Gateways page displays the list of available Gateways. Click the link to a Gateway. The
details of the selected Gateway are displayed in the Configure Gateways page.


3 Configure the following in the Overview tab.


Properties – In this section, the existing Name and Description of the selected Gateway are
displayed. If required, you can modify the information.
You can also configure the following additional details:

Option Description

Gateway Roles – Select the following checkboxes, as required:
n Control Plane: Enables the Gateway to operate in the Control plane and is selected by default.
n CDE: Enables the Gateway to operate in Cardholder Data Environment (CDE) mode. Select this
option to assign the Gateway to customers who need to transmit PCI traffic.
n Cloud Web Security: Enables a Partner User with either a Superuser or Standard role to
configure an SD-WAN Gateway for a Cloud Web Security (CWS) role. For more information, see the
VMware SD-WAN Cloud Web Security Configuration Guide published at
https://docs.vmware.com/en/VMware-Cloud-Web-Security/index.html.
n Data Plane: Enables the Gateway to operate in the Data plane and is selected by default.
n Partner Gateway: Select the checkbox to allow the Gateway to be assigned as a Partner Gateway
for Edges. If you select this option, configure the additional settings in the Partner Gateway
(Advanced Handoff) Details section.
n Secure VPN Gateway: Select the option to use the Gateway to establish an IPSec tunnel to a Non
SD-WAN Destination.

Service State – Select the Service State of the Gateway from the following available options:
n In Service: The Gateway is connected and available.
n Out of Service: The Gateway is not connected.
n Quiesced: The Gateway service is quiesced or paused. Select this state for backup or
maintenance purposes.

Status – Displays the status of the Gateway, which reflects the success or failure of periodic
heartbeats sent to the Orchestrator. The following are the available statuses:
n Connected: The Gateway is heartbeating successfully to the Orchestrator.
n Degraded: The Orchestrator has not heard from the Gateway for at least one minute.
n Offline: The Orchestrator has not heard from the Gateway for at least two minutes.

Connected Edges – Displays the number of Edges connected to the Gateway. This option is displayed
only when the Gateway is activated.

IP Address – Displays the public IP address that public WAN links of an Edge use to connect to
the Gateway. This IP address is used to uniquely identify the Gateway. If you have configured the
Gateway with both IPv4 and IPv6 addresses, this field displays both IP addresses.
If you have created an IPv4-only Gateway, or if an existing IPv4 Gateway was upgraded from a
previous version, you can enter the IPv6 address to support dual stack. After you save the
changes, the IPv6 address is not sent to the Edges immediately. You can trigger the rebalance
operation to push the IPv6 address to the customer and the associated Edges manually; otherwise
the IPv6 address is sent to the Edges during the next Control Plane update.

Note Adding an IPv6 address is a one-time activity; once you save the changes, you cannot modify
the IP addresses.

Caution An incorrectly configured IPv6 address, when pushed to Edges, might cause IPv6 tunnelling
to the IPv6 Gateway to fail. In such cases, you need to deactivate the Gateway and create a new
one to activate both the IPv4 and IPv6 addresses.

Gateway Authentication Mode – Select the authentication mode of the Gateway from the following
available options:
n Certificate Deactivated: The Gateway uses a pre-shared key mode of authentication.
n Certificate Acquire: This option is selected by default and instructs the Gateway to acquire a
certificate from the certificate authority of the SD-WAN Orchestrator by generating a key pair
and sending a certificate signing request to the Orchestrator. Once acquired, the Gateway uses
the certificate for authentication to the SD-WAN Orchestrator and for establishment of VCMP
tunnels.

Note After acquiring the certificate, the option can be updated to Certificate Required.

n Certificate Required: The Gateway uses the PKI certificate. Operators can change the
certificate renewal time window for Gateways using the system property
gateway.certificate.renewal.window.

Note When a Gateway certificate is revoked, the Gateway does not receive the certificate
revocation list (CRL) because it loses its TLS connection immediately. However, the Gateway
remains operable.

Note The current QuickSec design checks CRL time validity. The CRL validity period must match
the current time of the Edges for the CRL to affect newly established connections. To ensure
this, keep the Orchestrator time synchronized with the date and time of the Edges.

Partner Gateway (Advanced Handoff) Details – This section is available if you select the
Partner Gateway checkbox and you can configure the following settings:

Option Description

Static Routes – Specify the subnets or routes that the SD-WAN Gateway should advertise to the SD-WAN Edge.
This is global per SD-WAN Gateway and applies to ALL customers. With BGP, this section is used only if there is a
shared subnet that all customers need to access and if NAT handoff is required.
Remove the unused subnets from the Static Route list if you do not have any subnets that you need to advertise
to the SD-WAN Edge and have the handoff of type NAT.
You can click the IPv4 or IPv6 tab to configure the corresponding address type for the Subnets.

Subnets – Enter the IPv4 or IPv6 address of the Static Route Subnet that the Gateway should advertise to the
Edge.

Cost – Enter the cost to apply weightage on the routes. The range is from 0 to 255.

Encrypt – Select the checkbox to encrypt the traffic between Edge and Gateway.

Hand off – Select the handoff type as VLAN or NAT.

Description – Optionally, enter a descriptive text for the static route.

ICMP Failover Probe – The SD-WAN Gateway uses an ICMP probe to check the reachability of a particular IP
address and notifies the SD-WAN Edge to fail over to the secondary Gateway if the IP address is not reachable.
This option supports only IPv4 addresses.

VLAN Tagging – Select the VLAN tag from the drop-down list to apply to the ICMP probe packets. The following
are the available options:
n None – Untagged
n 802.1q – Single VLAN tag
n 802.1ad / QinQ(0x8100) / QinQ(0x9100) – Dual VLAN tag

Destination IP address – Enter the IP address to be pinged.

Frequency – Enter the time interval, in seconds, to send the ping request. The range is from 1 to 60 seconds.

Threshold – Enter the number of times the ping replies can be missed before the routes are marked as
unreachable. The range is from 1 to 10.

ICMP Responder Enabled – Allows the SD-WAN Gateway to respond to the ICMP probe from the next hop router
when the tunnels are up. This option supports only IPv4 addresses.

IP address – Enter the virtual IP address that responds to the ping requests.

Mode – Select one of the following modes from the drop-down list:
n Conditional – The SD-WAN Gateway responds to the ICMP request only when the service is up and at least
one tunnel is up.
n Always – The SD-WAN Gateway always responds to the ICMP request from the peer.

Note The ICMP probe parameters are optional and recommended only if you want to
use ICMP to check the health of the SD-WAN Gateway. With BGP support on the Partner
Gateway, using ICMP probe for failover and route convergence is no longer required. For
more information on configuring BGP support and handoff settings for a Partner Gateway,
see Configure Partner Handoff.

Contact & Location – The existing contact details are displayed in this section. If required, you
can modify the information.
Syslog Settings – Beginning with the 4.5 release, Gateways can export NAT information via a
remote syslog server or via telegraf to the desired destination. For more information, see the
Configure NAT Entry Syslog for Gateways section in the VMware SD-WAN Operator Guide
published at https://docs.vmware.com/en/VMware-SD-WAN/index.html.
Cloud Web Security - This section allows you to configure the Generic Network Virtualization
Encapsulation (Geneve) endpoint IP address and Points-of-Presence (PoP) name for Cloud
Web Security, if the Cloud Web Security Gateway Role is enabled.
Customer Usage – This section displays the usage details of different types of Gateways
assigned to the customers.
Pool Membership – This section displays the details of the Gateway pools to which the
current Gateway is assigned.

4 After configuring the required details, click Save Changes.

Monitor Gateways
You can monitor the status and usage data of Gateways available in the Partner portal.


To monitor the Gateways:

Procedure

1 In the Partner portal, click Gateways.

2 The Gateways page displays the list of available Gateways.

3 Click the link to a Gateway. The details of the selected Gateway are displayed.

4 Click the Monitor tab to view the usage data of the selected Gateway.

Results

The Monitor tab of the selected Gateway displays the following details:

At the top of the page, you can choose a specific time period to view the details of the Gateway
for the selected duration.

The page displays a graphical representation of the following parameters over the selected
time period, along with the minimum, maximum, and average values.

n CPU Percentage – Percentage of usage of CPU.


n Memory Usage – Percentage of usage of memory.

n Flow Counts – Count of traffic flow.

n Handoff Queue Drops – Total number of packets dropped from a queue since the Gateway
was last rebooted. Occasional drops are expected, usually caused by a large burst of traffic.
However, a consistent increase in handoff queue drops usually indicates a Gateway capacity
issue.

n Tunnel Count – Count of tunnel sessions for both the IPv4 and IPv6 addresses.

Hover the mouse over the graphs to view more details.

You can also view the details using the new Orchestrator UI. See Monitor Gateways with New
Orchestrator UI.

Manage Gateways with New Orchestrator UI


VMware SD-WAN Gateways form a distributed network of gateways, deployed around the world or
on-premises at service providers, that provides scalability, redundancy, and on-demand flexibility.
The SD-WAN Gateways optimize data paths to all applications, branches, and data centers, and can
deliver network services to and from the cloud.

By default, the Gateways named as gateway-1 and gateway-2 are available when you install
SD-WAN Orchestrator. If required, you can create additional Gateways.

Partner Super user and Admin with Gateway management access activated can create, manage,
and delete Gateways created by a Partner or Partner managed Gateways created by an
Operator. The Partner IT support users can only view the configured Gateways.

If the Gateway management access is deactivated for a Partner, then the Partner will have only
read-only permission for the configured Gateways. To request Gateway Management access,
Partners must contact the Operator Super user.

Note The Gateways feature is not supported for the Partner Business Specialist user.

To manage Gateways, perform the following steps:

1 Log into the Orchestrator as a Partner Super user or Admin user.

2 In the New Orchestrator UI, click the Gateway Management tab and go to Gateways in the
left navigation pane.

The Gateways page appears.


To search a specific Gateway, enter a relevant search text in the Search box. For advanced
search, click the filter icon next to the Search box to filter the results by specific criteria.

The Map Distribution section is used for displaying the Gateways on a map. You can click the +
and - buttons to zoom in and zoom out the map, respectively.

The Gateways table displays the existing Gateways with the following details.

Field Description

Name – Name of the Gateway.

Status – Reflects the success or failure of periodic heartbeats sent by mgd to the Orchestrator
and does not indicate the status of the data and control plane. The following are the possible
statuses:
n Connected – The Gateway is heartbeating successfully to the Orchestrator.
n Degraded – The Orchestrator has not heard from the Gateway for at least one minute.
n Offline – The Orchestrator has not heard from the Gateway for at least two minutes.

CPU – Average CPU utilization of all the cores in the system at the time of the last heartbeat.

Memory – Percentage usage of the physical memory by all processes in the system, as reported by
psutil.phymem_usage at the time of the last heartbeat. This is similar to estimating the
percentage of memory usage using the free command.

Edges – Number of Edges connected to the Gateway at the time of the last heartbeat.

Note Click View next to the number of Edges to view all the Edges assigned to the Gateway as well
as their online/offline status on the Orchestrator. This option does not display the Edges that
are actually connected to the Gateway.

Service State – The user-configured service state of the Gateway and whether it is eligible to be
assigned to new Edges.

IP Address – The public IP address that public WAN links of an Edge use to connect to the Gateway.
This IP address is used to uniquely identify the Gateway. If the Gateway is enabled to accommodate
both IPv4 and IPv6 addresses, this column displays both IP addresses.

Location – Location of the Gateway from GeoIP (by default) or as manually entered by the user.
This is used for geographic assignment of the Gateway to Edges and should be verified.

On the Gateways page, you can perform the following activities:

n New Gateway – Creates a new Gateway. See Create New Gateway with New Orchestrator UI.

n Delete Gateway – Deletes the selected Gateway. You cannot delete a Gateway that is
already being used by an Enterprise Customer.

n Support Request – Redirects to a Knowledge Base article that has instructions on how to file
a support request.

Create New Gateway with New Orchestrator UI


In addition to the default Gateways, you can create Gateways and associate them with Enterprise
Customers.

To create a Gateway, perform the following steps.

Procedure

1 In the new UI, click the Gateway Management tab and go to Gateways in the left navigation
pane.

The Gateways page appears.

2 Click New Gateway.

The New Gateway dialog appears.


3 In the New Gateway dialog, configure the following details:

Field Description

Name – Enter a name for the new Gateway.

IPv4 Address – Enter the IPv4 address of the Gateway.

IPv6 Address – Enter the IPv6 address of the Gateway.

Service State – Select the service state of the Gateway from the drop-down list. The following
options are available:
n In Service - The Gateway is connected and available.
n Out of Service - The Gateway is not connected.
n Quiesced - The Gateway service is quiesced or paused. Select this state for backup or
maintenance purposes.

Gateway Pool – Select the Gateway Pool to which the Gateway will be assigned from the drop-down
list.

Authentication Mode – Select the authentication mode of the Gateway from the following available
options:
n Certificate Not Required - The Gateway uses a pre-shared key mode of authentication.
n Certificate Acquire - This option is selected by default and instructs the Gateway to acquire a
certificate from the certificate authority of the SD-WAN Orchestrator by generating a key pair
and sending a certificate signing request to the Orchestrator. Once acquired, the Gateway uses
the certificate for authentication to the SD-WAN Orchestrator and for establishment of VCMP
tunnels.

Note After acquiring the certificate, the option can be updated to Certificate Required.

n Certificate Required - The Gateway uses the PKI certificate.

Contact Name – Enter the name of the Site Contact.

Contact Email – Enter the Email ID of the Site Contact.

Note
n Once you have created a Gateway, you cannot modify the IP addresses.

n Release 4.3.x and 4.4.x support Greenfield deployment of Gateways for IPv6. If you have
upgraded a Gateway from a previous version earlier than 4.3.0, you cannot configure the
upgraded Gateway with the IPv6 address.

n Release 4.5.0 supports both the Greenfield and Brownfield deployment of Gateways for
IPv6. If you have upgraded a Gateway from a previous version earlier than 4.5.0, you can
dynamically configure IPv6 address for the Gateway.

n IPv4/IPv6 dual-stack mode is not supported for Bastion Orchestrator configuration.

Results

Once you create a new Gateway, you are redirected to the Configure Gateways page, where
you can configure additional settings for the newly created Gateway.


What to do next

To configure additional settings for the Gateway, see Configure Gateways with New Orchestrator
UI.

Configure Gateways with New Orchestrator UI


When you create a new Gateway, you are automatically redirected to the Configure Gateways
page, where you can configure the properties and other additional settings for the Gateway.

Note You can configure only a Gateway created by a Partner user or a Partner managed
Gateway created by your Operator.

To configure an existing Gateway:

Procedure

1 In the new UI, click the Gateway Management tab and go to Gateways in the left navigation
pane.

The Gateways page displays the list of available Gateways.

2 Click the link to a Gateway that needs to be configured for additional settings. The details of
the selected Gateway are displayed in the Configure > Gateways page.


3 In the Overview tab, you can configure the following details:


Field Description

Properties – Displays the existing Name and Description of the selected Gateway. If required, you
can modify the information.
You can also configure the Gateway Roles, as required:
n Data Plane - Enables the Gateway to operate in the Data plane and is selected by default.
n Control Plane - Enables the Gateway to operate in the Control plane and is selected by default.
n Secure VPN Gateway - Select the option to use the Gateway to establish an IPSec tunnel to a Non
SD-WAN Destination.
n Partner Gateway - Select the checkbox to allow the Gateway to be assigned as a Partner Gateway
for Edges. If you select this option, configure the additional settings in the Partner Gateway
(Advanced Handoff) Details section.
n CDE - Enables the Gateway to operate in Cardholder Data Environment (CDE) mode. Select this
option to assign the Gateway to customers who need to transmit PCI traffic.
n Cloud-to-Cloud Interconnect - Select the option to enable cloud-to-cloud interconnect (CCI)
tunnels on the SD-WAN Gateways.

Note This Gateway Role option is shown only if the session.options.enableZscalerCci system
property is set to True.

n Cloud Web Security - Enables a Partner User with either a Superuser or Standard role to
configure an SD-WAN Gateway for a Cloud Web Security (CWS) role. For more information, see the
VMware SD-WAN Cloud Web Security Configuration Guide published at
https://docs.vmware.com/en/VMware-Cloud-Web-Security/index.html.

Status – You can configure the following details:
n Status - Displays the status of the Gateway, which reflects the success or failure of periodic
heartbeats sent to the Orchestrator. The following are the available statuses:
n Connected - The Gateway is heartbeating successfully to the Orchestrator.
n Degraded - The Orchestrator has not heard from the Gateway for at least one minute.
n Offline - The Orchestrator has not heard from the Gateway for at least two minutes.
n Service State - Select the Service State of the Gateway from the following available options:
n In Service - The Gateway is connected and available for Primary or Secondary tunnel
assignments. When the Service State of the Gateway is switched from Out of Service to In
Service, the Primary or Secondary assignments, Super Gateways, and Edge-to-Edge routes are
recalculated for each Enterprise using the Gateway.
n Pending Service - The Gateway is connected and is pending tunnel assignments.
n Out of Service - The Gateway is not connected or not available for any assignments. All
existing assignments are removed.
n Quiesced - The Gateway service is quiesced or paused. No new tunnels or NSD sites can be
added to the Gateway; however, the existing assignments remain on the Gateway. Select this
state for backup or maintenance purposes.
When the Service State is Quiesced, the Orchestrator provides a self-service migration
functionality that allows you to migrate from your existing Gateway to a new Gateway without
your Operator's support. For more information, see Migrate Quiesced Gateways.

Note Self-service migration is not supported on Partner Gateways.

n Connected Edges - Displays the number of Edges connected to the Gateway. This option is
displayed only when the Gateway is activated.
n Gateway Authentication Mode - Select the authentication mode of the Gateway from the following
available options:
n Certificate Deactivated - The Gateway uses a pre-shared key mode of authentication.
n Certificate Acquire - This option is selected by default and instructs the Gateway to acquire
a certificate from the certificate authority of the SD-WAN Orchestrator by generating a key pair
and sending a certificate signing request to the Orchestrator. Once acquired, the Gateway uses
the certificate for authentication to the SD-WAN Orchestrator and for establishment of VCMP
tunnels.

Note After acquiring the certificate, the option can be updated to Certificate Required.

n Certificate Required - The Gateway uses the PKI certificate. Operators can change the
certificate renewal time window for Gateways using the system property
gateway.certificate.renewal.window.

Note When a Gateway certificate is revoked, the Gateway does not receive the certificate
revocation list (CRL) because it loses its TLS connection immediately. However, the Gateway
remains operable.

Note The current QuickSec design checks CRL time validity. The CRL validity period must match
the current time of the Edges for the CRL to affect newly established connections. To ensure
this, keep the Orchestrator time synchronized with the date and time of the Edges.

n IP Address - Displays the public IP address that public WAN links of an Edge use to connect to
the Gateway. This IP address is used to uniquely identify the Gateway. If you have configured the
Gateway with both IPv4 and IPv6 addresses, this field displays both IP addresses.
If you have created an IPv4-only Gateway, or if an existing IPv4 Gateway was upgraded from a
previous version, you can enter the IPv6 address to support dual stack. After you save the
changes, the IPv6 address is not sent to the Edges immediately. You can trigger the rebalance
operation to push the IPv6 address to the customer and the associated Edges manually; otherwise
the IPv6 address is sent to the Edges during the next Control Plane update.

Note Adding an IPv6 address is a one-time activity; once you save the changes, you cannot modify
the IP addresses.

Caution An incorrectly configured IPv6 address, when pushed to Edges, might cause IPv6 tunnelling
to the IPv6 Gateway to fail. In such cases, you need to deactivate the Gateway and create a new
one to activate both the IPv4 and IPv6 addresses.

Contact & Location – Displays the existing contact details. If required, you can modify the
information.

Syslog Settings – Beginning with the 4.5 release, Gateways can export NAT information via a
remote syslog server or via telegraf to the desired destination. For more information, see the
Configure NAT Entry Syslog for Gateways section in the VMware SD-WAN Operator Guide published at
https://docs.vmware.com/en/VMware-SD-WAN/index.html.

Customer Usage – Displays the usage details of different types of Gateways assigned to the
customers.

Pool Membership – Displays the details of the Gateway pools to which the current Gateway is
assigned.

Partner Gateway (Advanced Handoff) Details – This section is available only if you select the
Partner Gateway checkbox. You can configure advanced handoff settings for the Partner Gateway.
For more information, see the Partner Gateway (Advanced Handoff) Details section below.

Cloud Web Security – This section allows you to configure the Generic Network Virtualization
Encapsulation (Geneve) endpoint IP address and Points-of-Presence (PoP) name for Cloud Web
Security, if the Cloud Web Security Gateway Role is enabled.

Partner Gateway (Advanced Handoff) Details

You can configure the following advanced handoff settings for the Partner Gateway:

Option Description

Static Routes | Subnets – Specify the subnets or routes that the SD-WAN Gateway should advertise to the
SD-WAN Edge. This is global per SD-WAN Gateway and applies to ALL customers. With BGP, this section is used
only if there is a shared subnet that all customers need to access and if NAT handoff is required.
Remove the unused subnets from the Static Route list if you do not have any subnets that you need to advertise
to the SD-WAN Edge and have the handoff of type NAT.
You can click the IPv4 or IPv6 tab to configure the corresponding address type for the Subnets.

Subnets – Enter the IPv4 or IPv6 address of the Static Route Subnet that the Gateway should advertise to the
Edge.

Cost – Enter the cost to apply weightage on the routes. The range is from 0 to 255.

Encrypt – Select the checkbox to encrypt the traffic between Edge and Gateway.

Hand off – Select the handoff type as VLAN or NAT.

Description – Optionally, enter a descriptive text for the static route.

ICMP Probes and Ping Responders Settings

ICMP Failover Probe – The SD-WAN Gateway uses an ICMP probe to check the reachability of a particular IP
address and notifies the SD-WAN Edge to fail over to the secondary Gateway if the IP address is not reachable.
This option supports only IPv4 addresses.

VLAN Tagging – Select the VLAN tag from the drop-down list to apply to the ICMP probe packets. The following
are the available options:
n None – Untagged
n 802.1q – Single VLAN tag
n 802.1ad / QinQ(0x8100) / QinQ(0x9100) – Dual VLAN tag

Destination IP address – Enter the IP address to be pinged.

Frequency – Enter the time interval, in seconds, to send the ping request. The range is from 1 to 60 seconds.

Threshold – Enter the number of times the ping replies can be missed before the routes are marked as
unreachable. The range is from 1 to 10.

ICMP Responder – Allows the SD-WAN Gateway to respond to the ICMP probe from the next hop router when the
tunnels are up. This option supports only IPv4 addresses.

IP address – Enter the virtual IP address that responds to the ping requests.

Mode – Select one of the following modes from the drop-down list:
n Conditional – The SD-WAN Gateway responds to the ICMP request only when the service is up and at least
one tunnel is up.
n Always – The SD-WAN Gateway always responds to the ICMP request from the peer.

Note The ICMP probe parameters are optional and recommended only if you want to
use ICMP to check the health of the SD-WAN Gateway. With BGP support on the Partner
Gateway, using ICMP probe for failover and route convergence is no longer required. For
more information on configuring BGP support and handoff settings for a Partner Gateway,
see Configure Partner Handoff.

4 After configuring the required details, click Save Changes.
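The ICMP Failover Probe and ICMP Responder settings described in the Partner Gateway (Advanced Handoff) Details sections above (both the classic and the new Orchestrator UI procedures) are easiest to reason about as a small model. The following is an added illustration, not VMware's code: the class and function names are hypothetical, the sample probe trace is constructed, and it assumes that Threshold counts consecutive missed replies and that a single reply resets the count.

```python
"""Model of the Partner Gateway ICMP Failover Probe and ICMP Responder
settings (Frequency 1..60 s, Threshold 1..10, VLAN Tagging, Conditional vs
Always responder).  Added example, not VMware code; names are hypothetical."""
from dataclasses import dataclass
from typing import List, Optional

# VLAN Tagging options listed in the guide for the probe packets.
VLAN_TAGGING = {"None", "802.1q", "802.1ad", "QinQ(0x8100)", "QinQ(0x9100)"}


@dataclass
class FailoverProbe:
    """ICMP Failover Probe configuration, validated against the documented ranges."""
    destination_ip: str          # IPv4 address that the Gateway pings
    frequency_s: int = 5         # seconds between ping requests, 1..60
    threshold: int = 3           # missed replies before routes are unreachable, 1..10
    vlan_tagging: str = "None"

    def __post_init__(self) -> None:
        if not 1 <= self.frequency_s <= 60:
            raise ValueError("Frequency must be between 1 and 60 seconds")
        if not 1 <= self.threshold <= 10:
            raise ValueError("Threshold must be between 1 and 10")
        if self.vlan_tagging not in VLAN_TAGGING:
            raise ValueError(f"unknown VLAN tagging {self.vlan_tagging!r}")

    def worst_case_detection_s(self) -> int:
        """Seconds until a hard failure (every probe lost) triggers failover."""
        return self.frequency_s * self.threshold

    def evaluate(self, replies: List[bool]) -> Optional[int]:
        """Replay a sequence of probe results (True = reply received).

        Returns the 1-based probe number at which the run of consecutive
        misses reaches the threshold, i.e. the point where the Gateway marks
        the routes unreachable and tells the Edge to fail over to the
        secondary Gateway.  Returns None if that never happens.  A single
        successful reply resets the miss count (assumption of this model).
        """
        misses = 0
        for probe_no, replied in enumerate(replies, start=1):
            misses = 0 if replied else misses + 1
            if misses >= self.threshold:
                return probe_no
        return None


def responder_replies(mode: str, service_up: bool, tunnels_up: int) -> bool:
    """ICMP Responder decision for the configured virtual IP.

    Conditional: reply only while the service is up and at least one tunnel
    is up, so the next-hop router stops seeing replies when tunnels drop.
    Always: reply to the peer regardless of tunnel state.
    """
    if mode == "Always":
        return True
    if mode == "Conditional":
        return service_up and tunnels_up > 0
    raise ValueError(f"unknown responder mode {mode!r}")


if __name__ == "__main__":
    # Constructed sample: probe 192.0.2.1 every 5 s, fail over after 3 misses.
    probe = FailoverProbe("192.0.2.1", frequency_s=5, threshold=3)
    # Two isolated losses, a recovery, then a sustained outage.
    trace = [True, True, False, False, True, False, False, False, True]
    print("failover triggered at probe", probe.evaluate(trace))
    print("worst-case detection time", probe.worst_case_detection_s(), "s")
    print("conditional responder with no tunnels replies:",
          responder_replies("Conditional", True, 0))
```

Lowering Frequency or Threshold shortens detection time but makes the probe more sensitive to transient loss, which is why the guide recommends BGP over ICMP probing for failover and route convergence where it is available.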

Monitor Gateways with New Orchestrator UI


You can monitor the status and network usage data of SD-WAN Gateways available in the
Partner portal.

To monitor the SD-WAN Gateways:

Procedure

1 In the Partner portal, click Gateway Management > Gateways.

2 The Gateways page displays the list of available Gateways.


3 Click Map Distribution to expand and view the locations of the Gateways in the Map. By
default, this view is collapsed.

4 You can also click the arrow before each SD-WAN Gateway name to view more details.

The page displays the following details:

n Name – Name of the SD-WAN Gateway.

n Status – Current status of the SD-WAN Gateway. The status may be one of the
following: Connected, Degraded, Never Activated, Not in Use, Offline, Out of Service,
or Quiesced.

n CPU – Percentage of CPU utilization by the SD-WAN Gateway.

n Memory – Percentage of memory utilization by the SD-WAN Gateway.

n Edges – Number of SD-WAN Edges connected to the SD-WAN Gateway.

n Service State – Service state of the SD-WAN Gateway. The state may be one of the
following: Historical, In Service, Out of Service, Pending Service, or Quiesced.

n IP Address – The IP address of the SD-WAN Gateway.

n Location – Location of the SD-WAN Gateway.

5 In the Search field, enter a term to search for specific details. Click the Filter icon to filter the
view by a specific criterion.

6 Click the CSV option to download a report of the SD-WAN Gateways in the CSV format.

7 Click the link to an SD-WAN Gateway to view the details of the selected SD-WAN Gateway.

The Overview tab displays the properties, status, location, customer usage, and SD-WAN
Gateway Pool of the selected SD-WAN Gateway.

Note You can only view the details of the selected Gateway, using this tab. To configure the
options, navigate to the Gateways page in the Partner portal.


8 Click the Monitor tab to view the usage details of the selected SD-WAN Gateway.

At the top of the page, you can choose a specific time period to view the details of the
Gateway for the selected duration.

The page displays a graphical representation of the following parameters over the selected
time period, along with the minimum, maximum, and average values.

n CPU Percentage – Percentage of usage of CPU.

n Memory Usage – Percentage of usage of memory.

n Flow Counts – Count of traffic flow.

n Handoff Queue Drops – Total number of packets dropped from a queue since the
Gateway was last rebooted. Occasional drops are expected, usually caused by a large
burst of traffic. However, a consistent increase in handoff queue drops usually indicates a
Gateway capacity issue.

n Tunnel Count – Count of tunnel sessions for both the IPv4 and IPv6 addresses.

Hover the mouse over the graphs to view more details.

SD-WAN Gateway Migration


VMware SD-WAN Orchestrator provides a self-service migration functionality that allows you to
migrate from your existing Gateway to a new Gateway without your Operator’s support.

Gateway migration may be required in the following scenarios:

n Achieve operational efficiency.

n Decommission old Gateways.


Gateways are configured with specific roles. For example, a Gateway with data plane role is used
to forward data plane traffic from source to destination. Similarly, a Gateway with Control Plane
role is called a Super Gateway and is assigned to an Enterprise. Edges within the Enterprise
are connected to the Super Gateway. Also, there is a Gateway with Secure VPN role that is
used to establish an IPSec tunnel to a Non SD-WAN destination (NSD). The migration steps may
vary based on the role configured for the Gateway. For more information about the Gateway
roles, see the “Configure Gateways” section in the VMware SD-WAN Operator Guide available at
VMware SD-WAN Documentation.

The following figure illustrates the migration process of the Secure VPN Gateway:

In this example, an SD-WAN Edge is connected to an NSD through a Secure VPN Gateway, VCG1,
which is planned for decommissioning. Before decommissioning, a new Gateway, VCG2, is created
with the same role and attached to the same Gateway pool as VCG1, so that VCG2 can serve as
its replacement. The service state of VCG1 is changed to Quiesced: no new tunnels or NSDs can
be added to VCG1, but its existing assignments remain. The NSD is reconfigured with the IP
address of VCG2, an IPsec tunnel is established between VCG2 and the NSD, and traffic is
switched from VCG1 to VCG2. After confirming that VCG1 no longer carries any assignments, it is
decommissioned.

Following is the high-level workflow of Secure VPN Gateway migration based on the User roles:

SD-WAN Gateway Migration - Limitations


Keep in mind the following limitations when you migrate your Gateways:

n Self-service migration is not supported on Partner Gateways.

n There is a brief service disruption, proportional to the time taken to switch NSDs from the
quiesced Gateway to the new Gateway and to rebalance the Edges connected to the quiesced
Gateway.

n If the NSD is configured with redundant Gateways and one of the Gateways is quiesced, the
redundant Gateway cannot be the replacement Gateway for the quiesced Gateway.

Migrate Quiesced Gateways


Operators send notification emails about Gateway migration to Administrators with Super User
privileges. Plan your migration based on the notification email that you receive from your
Operator. Quiesced Gateways can be migrated using the new Orchestrator UI only.

To avoid service disruption, ensure that you migrate to the new Gateway before the Migration
Deadline stated in the notification email.

To migrate from a quiesced Gateway to a new Gateway, use the new Orchestrator UI:

Prerequisites

Before you migrate the Edges and NSDs from the quiesced Gateway to the new Gateway,
schedule a maintenance window, as traffic may be disrupted during migration.

Procedure

1 In the Enterprise portal of the new UI, go to Settings > Gateway Migration. The list of
quiesced Gateways appears.

2 Click Start for the quiesced Gateway from which you want to migrate to the new Gateway.

3 Make the required configuration changes to all the NSDs that are configured through the
quiesced Gateway.

a Click the View IKE IPSec link to view a sample configuration for the NSD. Copy the
template and customize it for your deployment.

b Add the IP address of the new Gateway to each NSD configured for the quiesced
Gateway.

For example, if you have configured an NSD for AWS, add the IP address of the new
Gateway to the NSD configuration in the AWS instance.

c After making the configuration changes to all the NSDs, select the The listed NSD site(s)
have been configured check box, and then click Next.

Note The Configure NSD Site(s) option is not available for NSDs configured automatically as
well as for Gateways with Data Plane role that are not attached to any NSDs.

4 Select each NSD and click Switch Gateway to switch the traffic from the quiesced Gateway to
the new Gateway.

a In the Switch Gateway pop-up window, select the The NSD site has been configured
check box to confirm that you have made the required configuration changes to the NSD.

Note This confirmation is not applicable for NSDs configured automatically.

b Click Switch Gateway.

It may take a few minutes to verify the tunnel status. The IP address of the quiesced
Gateway is replaced with the IP address of the new Gateway so that traffic switches to
the new Gateway. The Migration Status changes to "NSD Tunnels are up and running".
If the Switch Gateway action fails, see What to do When Switch Gateway Action Fails.

c Click Next.

Note The Switch Gateway option is not available for Gateways with Data Plane role that
are not attached to any NSDs.

5 Rebalance either all Edges or the required Edges that are connected to the quiesced
Gateway so that the Edges get reassigned to the new Gateway.

6 Click Finish to complete the Gateway migration.

Results

Go to the Gateway Migration page to review the migration steps, if required. The Gateways that
have been migrated remain in this page until the Migration Deadline assigned for the quiesced
Gateway. After the Migration Deadline, you can view the history of migration events in the
Monitor > Events page.

What to do When Switch Gateway Action Fails


During the Gateway migration, when the Switch Gateway action for an NSD fails, perform the
following steps to troubleshoot the issue:

Procedure

1 In the Enterprise portal, launch the new Orchestrator UI, and then go to the Gateway
Migration page. For instruction to navigate to this page, see Migrate Quiesced Gateways.

2 Under the Switch Gateways step of the Migration Wizard, select the NSD for which the
Switch Gateway action failed, and then click Retry Tunnel Verification.

The tunnel status is verified again to see if the Migration Status changes to "NSD Tunnels are
up and running".

If the Migration Status does not change and the Switch Gateway action fails again for the
NSD, select the NSD, and then click Undo Switch Gateway.

All configuration changes to the NSD are reverted to the original settings.

3 Click Switch Gateway again to replace the IP address of the quiesced Gateway with that of
the new Gateway and thereby switch the traffic to the new Gateway.

4 Rebalance the Edges connected to the quiesced Gateway and complete the migration.

What to do next

Click View Events in the Gateway Migration page to view the history of migration events in the
Monitor > Events page.

Run Diagnostics for Gateways


Diagnostic bundles collect all the configuration files and log files from a specific VMware
SD-WAN Gateway into a consolidated ZIP file. The data in a diagnostic bundle can be used for
troubleshooting the SD-WAN Gateway.

Both the Partner Super User and the Partner Admin user can run diagnostics for Partner-managed
Gateways. You can request and view diagnostic bundles only for Gateways created by a Partner
user or for Partner-managed Gateways created by the Operator.

In the Partner portal, click Gateway Diagnostic Bundles.

To generate a Diagnostic bundle:

1 Click Request Diagnostic Bundle.

2 In the Request Diagnostic Bundle window, configure the following:

n Target – Select the target Gateway from the drop-down list. The data is collected from
the selected Partner Gateway.

n Reason for Generation – Optionally, you can enter your reason for generating the bundle.

n If required, click Advanced. The Core Limit drop-down list appears; choose a value from the
list. The Core Limit reduces the size of the uploaded bundle when Internet connectivity is
experiencing issues.

3 Click Submit.

The Gateway Diagnostic Bundles window displays the details of the bundles generated, along
with the status.

To download a generated bundle, click the Complete link or select the bundle and click Actions >
Download Diagnostic Bundles. The bundle is downloaded as a ZIP file.

Note The Request Diagnostic Bundle option is available only for Partners with Gateway
management access activated. If the Gateway management access is deactivated, then Partners
can only view the generated Diagnostic bundles. They cannot request a new Diagnostic bundle
and cannot download the generated bundle.

The completed bundles get deleted automatically on the date displayed in the Cleanup Date
column. You can click the link to the Cleanup Date to modify the Date.

In the Update Cleanup Date window, choose the date on which the selected bundle is deleted.

If you want to retain the Bundle, select the Keep Forever checkbox, so that the Bundle does not
get deleted automatically.

To delete a bundle manually, select the bundle and click Actions > Delete Diagnostic Bundles.

Diagnostic Bundles for Gateways with New Orchestrator UI


Run diagnostics for Gateways to collect diagnostic bundles and packet capture files for
troubleshooting purposes.

n Request Diagnostic Bundles for Gateways with New Orchestrator UI

n Request Packet Capture Bundle for Gateways with New Orchestrator UI

Request Diagnostic Bundles for Gateways with New Orchestrator UI


Diagnostic bundles collect all the configuration files and log files from a specific VMware
SD-WAN Gateway into a consolidated ZIP file. The data in a diagnostic bundle can be used for
troubleshooting the SD-WAN Gateway.

Partner Super User and Admin users with Gateway management access activated can create,
manage, and delete diagnostic bundles only for Gateways created by a Partner or for
Partner-managed Gateways created by your Operator. Partner IT Support users can only view the
generated diagnostic bundles and download the CSV file.

Note The Diagnostic bundles feature is not supported for Partner Business Specialist user.

Request Diagnostic Bundle


To generate a new Diagnostic bundle:

1 In the new UI, click the Gateway Management tab and select Diagnostic Bundles in the left
navigation pane.

The Diagnostic Bundles page appears with the existing diagnostic bundles.

2 To generate a new Diagnostic bundle, click Request Diagnostic Bundle.

3 In the Request Diagnostic Bundle dialog, configure the following details and click Submit.

Table 17-1.

n Target – Select the target Gateway from the drop-down list. The data is collected from the
selected Gateway.

n Reason for Generation – Optionally, enter your reason for generating the bundle.

n Core Limit – Select a Core Limit value from the drop-down list. The Core Limit reduces the
size of the uploaded bundle when Internet connectivity is experiencing issues.

Note The Request Diagnostic Bundle and Download Bundle options are available only for
Partners with Gateway management access activated. If the Gateway management access is
deactivated for a Partner, then the Partner can only view the generated Diagnostic bundles
and download only the CSV file, but cannot request a new Diagnostic bundle or download
the generated bundle. To request Gateway Management access, Partners should contact the
Operator Super user.

The Diagnostic Bundles page displays the details of the bundle being generated, along with the
status.

To search a specific diagnostic bundle, enter a relevant search text in the Search box. For
advanced search, click the filter icon next to the Search box to filter the results by specific
criteria.

Download Diagnostic Bundle


You can download the generated diagnostic bundles to troubleshoot a Gateway.

To download a generated bundle, click the link next to Complete in the Request Status column or
select the bundle and click Download Bundle. The bundle is downloaded as a ZIP file.

You can send the downloaded bundle to a VMware Support representative for debugging the
data.

Delete Diagnostic Bundle


The completed bundles get deleted automatically on the date displayed in the Cleanup Date
column. You can click the link to the Cleanup Date or choose the bundle and click More > Update
Cleanup Date to modify the Date.

In the Update Cleanup Date dialog, choose the date on which the selected bundle is deleted.

If you want to retain the Bundle, select the Keep Forever checkbox, so that the Bundle does not
get deleted automatically.

To delete a bundle manually, select the bundle and click Delete.

Request Packet Capture Bundle for Gateways with New Orchestrator UI

A Packet Capture (PCAP) bundle collects packets seen by the Gateway. You can use the captured
packets to analyze network characteristics, debug network traffic, and determine network status.

Partner Super User and Admin users with Gateway management access activated can create,
manage, and delete PCAP bundles only for Gateways created by a Partner or for Partner-managed
Gateways created by your Operator. Partner IT Support users can only view the generated PCAP
bundles and download the CSV file.

Note The Diagnostic bundles feature is not supported for Partner Business Specialist user.

To generate a PCAP bundle:

1 In the new UI, click the Gateway Management tab and select Diagnostic Bundles in the left
navigation pane.

The Diagnostic Bundles page appears with the existing diagnostic bundles.

2 To generate a new PCAP bundle, click Request PCAP Bundle.

3 In the Request PCAP Bundle dialog, configure the following details and click Generate.

n Target – Choose the target Gateway from the drop-down list. The packets are collected from
the selected Gateway.

n Connectivity – Choose an Interface or an Edge ID from the drop-down list. The packets are
collected on the selected Interface, or for the selected Edge associated with the Gateway.

n Duration – Choose the capture time in seconds. The packets are collected for the selected
duration. The default value is 5 seconds.

n Reason for Generation – Optionally, enter your reason for generating the bundle.

n PCAP Filters – Define filters that limit the PCAP data to be generated, using the following
fields:
   n IP1 – Enter an IPv4 address, an IPv6 address, or a subnet with its mask.
   n IP2 – Enter an IPv4 address, an IPv6 address, or a subnet with its mask.
   n IP1:Port1 – Enter a port number associated with IP1.
   n IP2:Port2 – Enter a port number associated with IP2.
   n Protocol – Select a protocol from the list.

   Note If you use the PCAP filtering capability, you must define at least one filter.

n Advanced Filters – Define free-form filters that limit the PCAP data to be generated.

Note The Request Diagnostic Bundle and Request PCAP Bundle options are available
only for Partners with Gateway management access activated. If the Gateway management
access is deactivated for a Partner, then the Partner can only view the generated Diagnostic
bundles and download only the CSV file, but cannot request a new Diagnostic or PCAP
bundle or download the generated bundle. To request Gateway Management access,
Partners should contact the Operator Super user.

The Diagnostic Bundles page displays the details of the PCAP bundle being generated, along
with the status.

4 To download a generated bundle, click the link next to Complete in the Request Status
column or select the bundle and click Download Bundle. The bundle is downloaded as a ZIP
file.

5 The completed bundles get deleted automatically on the date displayed in the Cleanup Date
column. You can click the link to the Cleanup Date or choose the bundle and click More >
Update Cleanup Date to modify the Date.

6 To delete a bundle manually, select the bundle and click Delete.
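The structured PCAP Filters fields and the free-form Advanced Filters field both describe a capture filter. The following Python is an added example, not code from this guide or from the Orchestrator. It assumes that the free-form field accepts tcpdump/BPF filter syntax, which is my assumption rather than a statement of the guide, and shows how the IP1, IP2, port and protocol fields compose into one such expression while rejecting malformed addresses and ports before a capture is requested, so that a typo cannot silently widen a capture on a shared Gateway. The function names and sample inputs are constructed for illustration.

```python
"""Compose a tcpdump/BPF-style capture filter from the structured fields of
the Request PCAP Bundle dialog (IP1, IP2, IP1:Port1, IP2:Port2, Protocol).

Added example; not code from the VMware SD-WAN Partner Guide or from the
Orchestrator. The assumption that the Advanced Filters field takes BPF
syntax is mine. The protocol list and sample values are constructed.
"""
import ipaddress
from typing import List, Optional

# Protocol keywords accepted here (constructed subset of BPF primitives).
PROTOCOLS = {"tcp", "udp", "icmp", "icmp6"}


def host_term(value: str) -> str:
    """Return a BPF term for an IPv4/IPv6 host address or a subnet.

    Raises ValueError for anything that is not a valid address or network,
    so a malformed entry cannot silently turn into an unfiltered capture.
    """
    if "/" in value:
        net = ipaddress.ip_network(value, strict=False)
        return f"net {net.with_prefixlen}"
    addr = ipaddress.ip_address(value)
    return f"host {addr.compressed}"


def port_term(port: str) -> str:
    """Return a BPF port term, rejecting values outside 0..65535."""
    n = int(port)
    if not 0 <= n <= 65535:
        raise ValueError(f"port out of range: {port}")
    return f"port {n}"


def build_pcap_filter(ip1: Optional[str] = None, ip2: Optional[str] = None,
                      port1: Optional[str] = None, port2: Optional[str] = None,
                      protocol: Optional[str] = None) -> str:
    """Compose the structured fields into one BPF expression.

    Each endpoint becomes "(host X and port N)"; endpoints and the protocol
    are AND-ed, so a packet must match all of them. As in the dialog, at
    least one filter must be defined, and a port is meaningless without its
    IP field.
    """
    terms: List[str] = []
    for ip, port in ((ip1, port1), (ip2, port2)):
        if port and not ip:
            raise ValueError("a port requires its IP field")
        if ip:
            endpoint = host_term(ip)
            if port:
                endpoint = f"({endpoint} and {port_term(port)})"
            terms.append(endpoint)
    if protocol:
        proto = protocol.lower()
        if proto not in PROTOCOLS:
            raise ValueError(f"unsupported protocol: {protocol}")
        terms.append(proto)
    if not terms:
        raise ValueError("at least one filter must be defined")
    return " and ".join(terms)


if __name__ == "__main__":
    # Constructed inputs: a branch LAN talking to one IPv6 server on TCP/443.
    print(build_pcap_filter(ip1="192.168.1.0/24", ip2="2001:db8::1",
                            port2="443", protocol="tcp"))
```

The validation mirrors the dialog's own rule that a filter must be defined when filtering is used, and adds the checks a shared-Gateway capture deserves: an address that does not parse, a port outside the valid range, or an unknown protocol keyword is refused rather than passed through to the capture.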

18 Activate SD-WAN Edges Using Zero Touch Provisioning

Zero Touch Provisioning allows you to activate Edges by powering on the Edges and connecting
them to the Internet.

This method eliminates the need for an activation link. The Service Provider can preconfigure
the Edges and ship them to the customers, who only need to power on the Edges and connect them
to the Internet.

This method of Edge activation is also useful when the person at the remote site cannot connect
a laptop, tablet, or phone to the SD-WAN Edge, and therefore cannot open an email or click an
activation code or URL.

Note
n Zero Touch Provisioning supports Edge models: 510, 510 LTE, 6x0, and 3xx0.

n For Zero Touch Provisioning push activation to work, use the Orchestrator software version
4.3.0 or later.

As a Partner user, complete the following tasks to activate Edges using Zero Touch Provisioning:

n Sign-Up for Zero Touch Provisioning

n Assign Edges to Customers

This chapter includes the following topics:

n Sign-Up for Zero Touch Provisioning

n Assign Edges to Customers

Sign-Up for Zero Touch Provisioning


To sign-up for Zero Touch Provisioning:

Prerequisites

As a Partner user, ensure that you have a valid Partner Relationship Management Identifier (PRM
ID), received at the time of registering with VMware. If you do not have a valid PRM ID, contact
VMware Partner Connect. Outbound internet connectivity via DHCP is required to complete the
push activation successfully.

Procedure

1 Log in to SD-WAN Orchestrator, and then go to Settings > General Information.

2 Scroll down to the Zero Touch Provisioning Sign Up area, and then in the PRM ID field, enter
the Partner Relationship Management Identifier.

3 Click Submit.

Results

You can view the Edge inventory in the Pending Assignment tab only after the PRM ID is
successfully validated. Validation may take up to 1 week. To view the Edge inventory, go to
Zero Touch Provisioning > Pending Assignment.

Note Only the Edges that were shipped to you after the successful completion of the sign-up
process appear in the Pending Assignment tab. Ensure that the PRM ID assigned to you is used
in all your future orders so that the inventory is reflected correctly.

What to do next

You must assign the Edges to customers and then assign profile and license to Edges. For
instructions, refer to Assign Edges to Customers.

Assign Edges to Customers


To assign Edges to customers:

Prerequisites

Ensure that you have signed-up for Zero Touch Provisioning so that you can view the list of
Edges in the Edge Inventory page. For instructions, refer to Sign-Up for Zero Touch Provisioning.

Procedure

1 Log in to SD-WAN Orchestrator, and then go to Zero Touch Provisioning > Pending
Assignment. A list of Edge inventory with Serial number and Model appears.

2 Select all the Edges that you want to assign to customers, and then click Actions > Assign To
Customer…. The Edge Inventory Assignment modal popup appears.

3 From the Customer drop-down list, select the customer to whom you want to assign the
Edges.

4 From the Profile and Edge License drop-down lists, select the required profile and license
that you want to assign to all Edges in the inventory.

You can choose to override these settings for a specific Edge by selecting the appropriate
profile and license in the table.

5 Click OK.

Results

The Edges to which you have assigned a customer, a profile, and a license appear in the
Assigned tab. The Inventory State of the assigned Edges is Assigned to Customer and the Edge
State is Pending.

What to do next

When your customer powers-on the assigned physical Edges and connects them to the internet,
the Edges are redirected to the SD-WAN Orchestrator where they are automatically activated.
After an Edge is activated, the Edge State in the Assigned tab changes from Pending to
Activated.

Reassign an Edge to Another Customer


You can reassign an Edge to another customer before the Edge is activated.

If you choose to reassign an Edge that is already activated, you must deactivate the Edge, and
then reassign the Edge to another customer. For instructions about how to deactivate an Edge,
refer to Remote Actions. Once you deactivate the Edge, the Edge state changes to Offline. You
can now reassign the Edge to another customer.

To reassign an Edge to another customer:

Procedure

1 Log in to SD-WAN Orchestrator, and then go to Zero Touch Provisioning > Assigned.

2 Select the Edge that you want to reassign, and then click Actions > Reassign.... The Edge
Inventory Assignment modal popup appears.

3 From the Customer drop-down list, select the customer to whom you want to reassign the
Edge.

4 From the Profile and Edge License drop-down lists, select the required profile and license
that you want to assign to the Edge.

5 Click OK.

Results

Although the Edge is reassigned to the new customer, a corresponding logical Edge entry
remains in the Configure > Edges page of the customer to whom the Edge was originally
assigned. Select the logical Edge entry, and then click Actions > Delete Edge to delete the
entry manually.

19 Activate SD-WAN Edges using Edge Auto-activation with New Orchestrator UI

Edge Auto-activation allows you to activate Edges by powering on the Edges and connecting
them to the Internet, using the New Orchestrator UI.

This method eliminates the need for an activation link. The Service Provider can preconfigure
the Edges and ship them to the customers, who only need to power on the Edges and connect them
to the Internet.

This method of Edge activation is also useful when the person at the remote site cannot connect
a laptop, tablet, or phone to the SD-WAN Edge, and therefore cannot open an email or click an
activation code or URL.

Note
n Edge Auto-activation supports Edge models: 510, 510 LTE, 6x0, and 3xx0.

n For Edge Auto-activation to work, use the Orchestrator software version 4.3.0 or later.

As a Partner user, complete the following tasks to activate Edges using Edge Auto-activation:

n Sign-Up for Edge Auto-activation with New Orchestrator UI

n Assign Edges to Customers with New Orchestrator UI

This chapter includes the following topics:

n Sign-Up for Edge Auto-activation with New Orchestrator UI

n Assign Edges to Customers with New Orchestrator UI

Sign-Up for Edge Auto-activation with New Orchestrator UI


To sign-up for Edge Auto-activation:

Prerequisites

n As a Partner user, ensure that you have a valid Partner Relationship Management Identifier
(PRM ID), received at the time of registering with VMware. If you do not have a valid PRM ID,
contact VMware Partner Connect.

n Outbound internet connectivity via DHCP is required to complete the push activation
successfully.

Procedure

1 Log in to SD-WAN Orchestrator, and then go to Edge Management > Edge Auto-activation.

2 On the Edge Auto-activation page, enter the PRM ID.

3 Click Submit.

Note You are required to enter the PRM ID only when you login for the first time. You can
view the Edge inventory in the Available Inventory tab only after the successful validation of
PRM ID. The validation process may take up to 3 to 5 days. If you enter an incorrect PRM ID,
you must contact the customer support team to get it changed.

What to do next

Only the Edges that were shipped to you after the successful completion of the sign-up process
appear in the Available Inventory tab. Ensure that the PRM ID assigned to you is used in all
your future orders so that the inventory is reflected correctly. You must assign the Edges to
customers, and then assign profile and license to Edges. For instructions, refer to Assign Edges
to Customers with New Orchestrator UI.

Assign Edges to Customers with New Orchestrator UI


To assign Edges to customers:

Prerequisites

Ensure that you have signed-up for Edge Auto-activation so that you can view the list of Edges
in the Available Inventory page. For instructions, refer to Sign-Up for Edge Auto-activation with
New Orchestrator UI.

Procedure

1 Log in to SD-WAN Orchestrator, and then go to Edge Management > Edge Auto-activation.
A list of Edge inventory with Serial number and Model appears.

2 Select all the Edges that you want to assign to customers, and then click Assign To
Customer. The Edge Assignment window appears.

3 From the Customer drop-down list, select the customer to whom you want to assign the
Edges.

4 From the Profile and Edge License drop-down lists, select the required profile and license
that you want to assign to all Edges in the inventory.

Note You can choose to override these settings for a specific Edge by selecting the
appropriate profile and license in the table.

5 Click Assign.

The Edges for which you have assigned a customer, a profile and a license, appear in the
Assigned Inventory tab. The Inventory State for the assigned Edges is displayed as Assigned
to Customer and the Edge State is displayed as Pending.

6 Following are the additional options available on the Edge Auto-activation page:

n Search – Enter a search term to be matched across the items in the table. Use the advanced
search option for more filters.

n Download CSV – Click to download the list of Edges as a CSV file.

n Columns – Click this option and select the check boxes for the columns you want to view.

n Refresh – Click this option to refresh the table.

What to do next

When your customer powers-on the assigned physical Edges and connects them to the internet,
the Edges are redirected to the SD-WAN Orchestrator, where they are automatically activated.
After an Edge is activated, the Edge State in the Assigned Inventory tab changes from Pending
to Activated.

Reassign an Edge to Another Customer with New Orchestrator UI


You can reassign an Edge to another customer before the Edge is activated.

If you choose to reassign an Edge that is already activated, you must deactivate the Edge, and
then reassign the Edge to another customer. For instructions about how to deactivate an Edge,
refer to Remote Actions. Once you deactivate the Edge, the Edge state changes to Offline. You
can now reassign the Edge to another customer.

To reassign an Edge to another customer:

Procedure

1 Log in to SD-WAN Orchestrator, and then go to Edge Management > Edge Auto-activation.
Click Assigned Inventory tab.

2 Select the Edge that you want to reassign, and then click Reassign. The Edge Reassignment
window appears.

3 From the Customer drop-down list, select the customer to whom you want to reassign the
Edge.

4 From the Profile and Edge License drop-down lists, select the required profile and license
that you want to assign to the Edge.

5 Click Reassign.

Results

Although the Edge is reassigned to the new customer, a corresponding logical Edge entry
remains in the Configure > Edges page of the customer to whom the Edge was originally
assigned. Select the logical Edge entry, and then click Delete to delete the entry manually.

20 Activate SD-WAN Edges Using Email

In this method, the SD-WAN Edge is shipped to the customer site with a factory-default
configuration. Prior to activation, the SD-WAN Edge contains no configuration or credentials to
connect to the enterprise network.

Complete the following steps to activate Edges using the Email method:

1 Send an Activation Email. The administrator initiates the activation process by sending an
activation procedure email to the person who will install the Edge, typically a Site Contact.
For more information, refer to Send an Activation Email.

2 Activate the Edge Device. The individual following the instructions in the activation procedure
email will activate the Edge device. For more information, refer to Activate an Edge Device.

This chapter includes the following topics:

n Send an Activation Email

n Activate an Edge Device

Send an Activation Email


The process of activating the SD-WAN Edge begins with the initiation of an activation procedure
email that is sent to the Site Contact by the IT Admin.

To send the activation procedure Email:

1 Go to Configure > Edges from the Orchestrator.

2 Select the SD-WAN Edge you want to activate. The Edge Overview Tab window appears.

3 As an optional step, in the Properties area, enter the serial number of the SD-WAN Edge that
will be activated in the Serial Number text field. Serial numbers are case sensitive, so make
sure that “VC” is capitalized.

Note This step is optional. However, if specified, the serial number must match the activated
SD-WAN Edge.

4 Click the Send Activation Email button to send the activation email to the Site Contact.

5 The Send Activation Email pop-up window appears. It describes the steps for the Site
Contact to complete to activate the SD-WAN Edge device.

Note
n For the SD-WAN Edge 510 LTE device, the Activation Email consists of Cellular Settings
like SIM PIN, Network, APN, and User name.

n For the 610, 620, 640, 680, and 610 LTE devices with SFP that are configured with
ADSL2/VDSL2, the Activation Email consists of configuration settings like Profile, PVC,
VPC, and so on.

6 Click the Send button to send the activation procedure email to the Site Contact.

Note The above procedure sends the activation Email with IPv4 address in the activation
link. You can send the activation link with IPv4 or IPv6 or both addresses using the new
Orchestrator UI. See the "Send Edge Activation Email with new Orchestrator UI" section in the
VMware SD-WAN Administration Guide published at https://docs.vmware.com/en/VMware-SD-
WAN/index.html.

Remote Diagnostics for 510 LTE and 6X0 Devices:

n If you configure the SD-WAN Edge 510 LTE device, you can run the "LTE Modem
Information" diagnostic test for troubleshooting purposes. The LTE Modem Information
diagnostic test retrieves diagnostic information such as signal strength and connection
information.

n The DSL Status diagnostic test is available only for the 610, 620, 640, and 680 devices.
Running this test will show the DSL status, which includes information such as Mode
(Standard or DSL), Profile, xDSL Mode, and so on.

For information on how to run a diagnostic test, see the VMware SD-WAN Administration Guide.

Activate an Edge Device


The Site Contact performs the steps outlined in the Edge activation procedure email.

In general, the Site Contact completes the following steps:

1 Connect the Edge to a power source and insert any WAN link cables or USB modems for
Internet connectivity.

2 Connect a personal computer or mobile device (with access to the activation email) to your
Edge by one of two methods:

Note The connected personal computer or mobile device cannot directly access the public
internet through the Edge device until it is activated.

a Find and connect to the Wi-Fi network whose name is velocloud- followed by three more
letters or numbers (for example, velocloud-01c), using the password vcsecret.

Note Refer to the Wi-Fi SSID from the Edge device. The default Wi-Fi is vc-wifi. The
Edge activation email provides instructions for using one or more Wi-Fi connections.

b If the Edge is not Wi-Fi capable (for example, a 6x0N model or a 3x00 model), use an
Ethernet cable to connect either an Ethernet-equipped computer or a mobile device with an
Ethernet adapter to one of the Edge's LAN ports.

Note For more information about using either an iOS or Android mobile device with an
Ethernet adapter to activate an Edge, refer to the below sections:

n Edge Activation using an iOS Device and an Ethernet Cable

n Edge Activation using an Android Device and an Ethernet Cable

3 Click the hyperlink in the email to activate the Edge.

During the Edge activation, the activation status screen appears on your connected device.

The Edge downloads the configuration and software from the SD-WAN Orchestrator and
reboots multiple times to apply the software update. If the Edge has a front LED status light,
it blinks and changes color multiple times during the activation process.

Once the Edge activation process completes successfully, the Edge is ready for service (if
the Edge has a front LED status light, it shows solid green). Once an Edge is activated, it can
route network traffic, and more advanced functions such as monitoring, testing, and
troubleshooting become available.

Edge Activation using an iOS Device and an Ethernet Cable


There are multiple ways to activate a VMware SD-WAN Edge. It is recommended to use the
Zero Touch Provisioning push activation whenever possible. Alternatively, you can use the email
activation (pull activation) method using an iOS device and an Ethernet cable.

Prerequisites

The components required for this procedure are:

n iPhone/iPad with email access

n Ethernet adapter suitable for phone or tablet

Note The example used here is an Edge 540 and an iPhone 12 Pro Max. You can use other Edge
and iPhone/iPad models too.

Procedure

1 Complete the Edge configuration on the Orchestrator software. For details, refer to the
Configure Edge Device section in the VMware SD-WAN Administration Guide.


2 Navigate to Configure > Edges > Edge Overview tab, and then click the Send Activation
Email button.

3 Enter the email address of the person activating the Edge, and then click Send.

4 Power up the Edge, and then connect it to an available internet connection using an Ethernet
cable.

Note Refer to Edge Activation Guides to check details of the model you are installing to
determine the correct port.

5 Connect an Ethernet adapter to your phone, and then connect the Edge’s LAN port to the
Ethernet adapter.

Note The Edge is configured by default to acquire a DHCP IP address from the ISP on the
WAN (uplink). The Edge also assigns a DHCP address to the phone connected to the LAN
port. When the WAN connection is fully operational, the cloud LED on the front of the Edge
turns green.


6 In your iOS device, go to Settings > Ethernet. Select the appropriate interface. Under the
IPv4 Address, select Configure IP as Automatic.

7 Open the activation email from your phone, and then click the activation link displayed at the
bottom of the screen to activate your Edge. The following screenshot is an example.

8 You can see the activation progress on your phone screen. Once complete, the message
Activation successful is displayed.


Results

Your Edge device is now activated.

Edge Activation using an Android Device and an Ethernet Cable


The procedure below describes the Edge email activation (pull activation) using an Android
device and an Ethernet cable.

Prerequisites

The components required for this procedure are:

n Android phone with email access

n Ethernet adapter suitable for the phone

Note The example used here is an Edge 610 and a Samsung Galaxy S10+ smartphone. You can
use other Edge and Android phone models too.

Procedure

1 Complete the Edge configuration on the Orchestrator software. For details, refer to the
Configure Edge Device section in the VMware SD-WAN Administration Guide.

2 Navigate to Configure > Edges > Edge Overview tab, and then click the Send Activation
Email button.


3 Enter the email address of the person activating the Edge, and then click Send.

4 Power up the Edge, and then connect it to an available internet connection using an Ethernet
cable.

Note Refer to Edge Activation Guides to check details of the model you are installing to
determine the correct port.

5 Connect an Ethernet adapter to your phone, and then connect the Edge’s LAN port to the
Ethernet adapter.

Note The Edge is configured by default to acquire a DHCP IP address from the ISP on the
WAN (uplink). The Edge also assigns a DHCP address to the phone connected to the LAN
port. When the WAN connection is fully operational, the cloud LED on the front of the Edge
turns green.


6 Open the activation email from your phone, and then click the activation link displayed at the
bottom of the screen to activate your Edge. The following screenshot is an example.

7 You can see the activation progress on your phone screen. Once complete, the message
Activation successful is displayed.

Results

Your Edge device is now activated.

21 Request RMA Reactivation
Initiate a Return Merchandise Authorization (RMA) request either to return the existing Edge or to
replace an Edge.

There are several scenarios that require an Edge RMA reactivation. Following are the two most
common scenarios:

n Replace an Edge due to a malfunction—A typical scenario that requires an Edge RMA
reactivation occurs when a malfunctioned Edge of the same model needs replacement. For
example, a customer needs to replace a 520 Edge model with another 520 Edge model.

n Upgrade an Edge hardware model—Another common scenario that requires an Edge RMA
reactivation is when you want to replace an Edge with a different model. Usually this is due to
a scaling issue in which you have outgrown the capacity of the current Edge.

Note An RMA reactivation request is allowed only for activated Edges.

You can initiate the RMA reactivation request using one of the following methods:

n Request RMA Reactivation Using Zero Touch Provisioning

n Request RMA Reactivation Using Email

This chapter includes the following topics:

n Request RMA Reactivation Using Zero Touch Provisioning

n Request RMA Reactivation Using Email

Request RMA Reactivation Using Zero Touch Provisioning


To request RMA reactivation using Zero Touch Provisioning:

Procedure

1 Log in to SD-WAN Orchestrator, and then go to Configure > Edges.

2 Click the Edge that you want to replace. The Edge Overview page appears.


3 Scroll down to the RMA Reactivation area, and then click Request Reactivation to generate a
new activation key. The status of the Edge changes to Reactivation Pending mode.

Note The reactivation key is valid for one month only. When the key expires, a warning
message is displayed. To generate a new key, click Generate New Activation Key.

4 In the RMA Serial Number field, enter the serial number of the new Edge that is to be
activated.

5 From the RMA Model drop-down list, select the hardware model of the new Edge that is to
be activated.

Note If the Serial Number and the hardware model do not match the new Edge that is to be
activated, the activation fails.

6 Click Update.

The status of the new Edge changes to Reactivation Pending and the status of the old Edge
changes to RMA Requested. To view the Edge State, go to Administration > Zero Touch
Provisioning > Assigned.

7 Complete the following tasks to activate the new Edge:

a Disconnect the old Edge from the power and network.

b Connect the new Edge to the power and network. Ensure that the Edge is connected to
the Internet.

Results

The new Edge is redirected to the SD-WAN Orchestrator where it is automatically activated. The
status of the new Edge changes to Activated.

What to do next

Return the old Edge to VMware so that the logical entry for the old Edge with the state RMA
Requested gets removed from the Administration > Zero Touch Provisioning > Assigned page.

Request RMA Reactivation Using Email


To request RMA reactivation using email:

Prerequisites

Procedure

1 Log in to SD-WAN Orchestrator, and then go to Configure > Edges.

2 Click the Edge that you want to replace. The Edge Overview page appears.


3 Scroll down to the RMA Reactivation area, and then click Request Reactivation to generate a
new activation key. The status of the Edge changes to Reactivation Pending mode.

Note The reactivation key is valid for one month only. When the key expires, a warning
message is displayed. To generate a new key, click Generate New Activation Key.

4 Click Send Activation Email to initiate the Edge activation Email with instructions. The Email
consists of the instructions along with the activation URL. The URL displays the Activation key
and the IP address of the SD-WAN Orchestrator.

5 Complete the following tasks to activate the new Edge:

a Disconnect the old Edge from the power and network.

b Connect the new Edge to the power and network. Ensure that the Edge is connected to
the Internet.

c Follow the activation instructions in the email. Click the activation link in the email to
activate the Edge.

Results

The Edge downloads the configuration and software from the SD-WAN Orchestrator and gets
activated.

What to do next

22 Install VMware Partner Gateway
This document describes the steps needed to install and deploy VMware SD-WAN Gateway
as a Partner Gateway. It also covers how to configure the VRF/VLAN and BGP settings
required on the SD-WAN Orchestrator.

This chapter includes the following topics:

n Installation Overview

n Minimum Hypervisor Hardware Requirements

n SD-WAN Gateway Installation Procedures

n Post-Installation Tasks

n Upgrade SD-WAN Gateway

n Custom Configurations

n SNMP Integration

n Custom Firewall Rules

Installation Overview
This section provides an overview of VMware Partner Gateway installation.

About Partner Gateways


Partner Gateways are Gateways tailored to an on-premises operation in which the Gateway is
installed and deployed with two interfaces.

n One interface is facing the private and/or public WAN network and is dedicated to receiving
VCMP encapsulated traffic from the remote edges, as well as standard IPsec traffic from Non
SD-WAN Destinations.

n Another interface is facing the datacenter and provides access to resources or networks
attached to a PE router, which the Partner Gateway is connected to. The PE router typically
affords access to shared managed services that are extended to the branches, or access to a
private (MPLS / IP-VPN) core network in which individual customers are separated.

The following distributions are provided:


Provided Description Example

VMware Gateway OVA package. velocloud-vcg-X.X.X-GA.ova

KVM Gateway qcow2 disk image. velocloud-vcg-X.X.X-GA.qcow2

Minimum Hypervisor Hardware Requirements


The SD-WAN Gateway runs on a standard hypervisor (KVM or VMware ESXi).

Minimum Server Requirements


To run the hypervisor:

n CPU: Intel XEON (10 cores minimum to run a single 8-core gateway VM) with a minimum clock
speed of 2.0 GHz is required to achieve maximum performance.

n ESXi vmxnet3 network scheduling functions must have 2 cores reserved per Gateway
virtual machine (VM), regardless of the number of cores assigned to the Gateway.

n Example: Assume there is a 24-core server running ESXi+vmxnet3. You can deploy two
8-core Gateways: 2 gateways multiplied by 8 cores requires 16 cores reserved
for the gateway application and leaves 8 free cores. By the rule above, in order
to support these two Gateways running at peak performance scale, the ESXi/vmxnet3
system requires an additional 4 cores (two cores for each of the two Gateways
deployed). That is a total of 20 cores required to run 2 gateways on a 24-core system.

Note When using SR-IOV, the network scheduling function is offloaded to the pNIC
to achieve higher performance. However, the hypervisor must still perform other
scheduling functions like CPU, memory, NUMA allocation management. It is required
to always keep two free cores for hypervisor usage.

n The CPU must support and enable the following instruction sets: AES-NI, SSSE3, SSE4,
RDTSC, RDSEED, RDRAND, AVX/AVX2/AVX512.

n A minimum of 4GB free RAM must be available to the server system aside from the memory
assigned to the PGW VMs. One Gateway VM requires 16GB RAM, or 32GB RAM if certificate-
based authentication is enabled.

n Minimum of 150GB magnetic or SSD based, persistent disk volume (One Gateway VM
requires 64GB or 96GB Disk Volume, if certificate-based authentication is enabled).

n Minimum required IOPS performance: 200 IOPS.

n Minimum of one 10GbE network interface port; two ports are preferred when enabling the
Gateway partner hand-off interface (1GbE NICs are supported, but will bottleneck performance).
The physical NIC cards supporting SR-IOV are Intel 82599/82599ES and Intel X710/XL710
chipsets. (See the ‘Enable SR-IOV’ guide).

Note SR-IOV does not support NIC bonding. For redundant uplinks, use ESXi vSwitch.


n VMware SD-WAN Gateway is a data-plane intensive workload that requires dedicated CPU
cycles to ensure optimal performance and reliability. Meeting these defined settings is
required to ensure the Gateway VM does not oversubscribe the underlying hardware and
cause conditions that can destabilize the Gateway service (e.g. NUMA boundary crossing,
memory, and/or vCPU oversubscription).

n Ensure that the SD-WAN Partner Gateway VM and the resources used to support it fit within
a NUMA node.

n When possible, strive for complete vertical alignment between network interfaces, memory,
physical CPUs, and virtual machines to a single NUMA node.

Note Configure the host BIOS settings as follows:

- Hyper-threading - Turned off

- Power Savings - Turned off

- CPU Turbo - Enabled

- AES-NI - Enabled

- NUMA Node Interleaving - Turned off
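The core, memory and disk rules above, together with the instruction-set list, are easy to get wrong by hand on a host that is about to carry several Gateways. The following POSIX shell script is an added example, not part of this guide or of VMware's tooling. It encodes the guide's sizing rules as functions (required_cores, required_ram_gb, required_disk_gb, names of my choosing), checks the host's /proc/cpuinfo flags, core count, memory and hyper-threading state, and returns non-zero if any requirement is unmet. The mapping from the listed instruction sets to /proc/cpuinfo flag names (for example AES-NI to aes, RDTSC to tsc, AVX512 to avx512f) and the use of lscpu for the hyper-threading check are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the guide or from VMware): preflight checks for a
# hypervisor host against the Partner Gateway hardware requirements above.
set -eu

# Instruction sets required by the guide, as /proc/cpuinfo flag names. The
# name mapping (AES-NI -> aes, SSE4 -> sse4_1 sse4_2, RDTSC -> tsc,
# AVX512 -> avx512f) is an assumption of this example.
REQUIRED_FLAGS="aes ssse3 sse4_1 sse4_2 tsc rdseed rdrand avx avx2 avx512f"

# missing_cpu_flags FLAGS_LINE: print the required flags absent from a
# "flags : ..." line of /proc/cpuinfo (empty output means all present).
missing_cpu_flags() {
  flags=" $(printf '%s' "$1" | sed 's/^flags[[:space:]]*:[[:space:]]*//') "
  missing=""
  for f in $REQUIRED_FLAGS; do
    case "$flags" in
      *" $f "*) ;;
      *) missing="$missing $f" ;;
    esac
  done
  printf '%s' "${missing# }"
}

# required_cores N MODE: host cores needed for N 8-vCPU Gateways.
# vmxnet3 reserves 2 extra cores per Gateway for ESXi network scheduling;
# sriov offloads that to the NIC but keeps 2 cores free for the hypervisor.
# The guide's example (two Gateways on vmxnet3) comes out at 20 cores.
required_cores() {
  n="$1"; mode="$2"
  case "$mode" in
    vmxnet3) echo $((n * 8 + n * 2)) ;;
    sriov)   echo $((n * 8 + 2)) ;;
    *) echo "unknown mode: $mode" >&2; return 1 ;;
  esac
}

# required_ram_gb N CERT_AUTH: 16 GB per Gateway (32 GB with certificate-based
# authentication) plus the 4 GB the guide keeps free for the host.
required_ram_gb() {
  n="$1"; cert="$2"
  if [ "$cert" = yes ]; then per=32; else per=16; fi
  echo $((n * per + 4))
}

# required_disk_gb N CERT_AUTH: 64 GB (96 GB with cert auth) per Gateway,
# never below the 150 GB persistent volume minimum.
required_disk_gb() {
  n="$1"; cert="$2"
  if [ "$cert" = yes ]; then per=96; else per=64; fi
  total=$((n * per))
  if [ "$total" -lt 150 ]; then total=150; fi
  echo "$total"
}

# preflight N MODE CERT_AUTH: run the checks against this host (Linux tools:
# /proc, nproc, lscpu). Prints each failed requirement and returns 1 if any.
preflight() {
  n="$1"; mode="$2"; cert="$3"; rc=0
  flagline=$(grep -m1 '^flags' /proc/cpuinfo 2>/dev/null || true)
  miss=$(missing_cpu_flags "$flagline")
  [ -z "$miss" ] || { echo "missing CPU features: $miss"; rc=1; }
  cores=$(nproc 2>/dev/null || echo 0)
  need=$(required_cores "$n" "$mode")
  [ "$cores" -ge "$need" ] || { echo "need $need cores, host has $cores"; rc=1; }
  ramkb=$(awk '/^MemTotal/ {print $2}' /proc/meminfo 2>/dev/null || echo 0)
  needram=$(required_ram_gb "$n" "$cert")
  [ $((${ramkb:-0} / 1048576)) -ge "$needram" ] || { echo "need ${needram} GB RAM"; rc=1; }
  # Hyper-threading must be off: lscpu reports 1 thread per core when it is.
  tpc=$(lscpu 2>/dev/null | awk -F: '/^Thread\(s\) per core/ {gsub(/ /,"",$2); print $2}')
  [ "${tpc:-1}" -eq 1 ] || { echo "hyper-threading appears enabled ($tpc threads/core)"; rc=1; }
  return $rc
}

# Usage: sh preflight.sh <gateways> <vmxnet3|sriov> <cert-auth yes|no>
if [ "$#" -eq 3 ]; then preflight "$1" "$2" "$3"; fi
```

Saved as preflight.sh (a file name of my choosing), `sh preflight.sh 2 vmxnet3 no` checks a host for two Gateways on vmxnet3 without certificate-based authentication; the disk check is left to the storage worksheet entry because the right volume to measure depends on the datastore layout.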

Example Server Specifications

NIC Chipset           Hardware                     Specification
Intel 82599/82599ES   HP DL380G9                   http://www.hp.com/hpinfo/newsroom/press_kits/2014/ComputeEra/HP_ProLiantDL380_DataSheet.pdf
Intel X710/XL710      Dell PowerEdge R640          https://www.dell.com/en-us/work/shop/povw/poweredge-r640
                                                   n CPU Model and Cores - Dual Socket Intel(R) Xeon(R) Gold 5218 CPU @ 2.30GHz with 16 cores each
                                                   n Memory - 384 GB RAM
Intel X710/XL710      Supermicro SYS-6018U-TRTP+   https://www.supermicro.com/en/products/system/1U/6018/SYS-6018U-TRTP_.cfm
                                                   n CPU Model and Cores - Dual Socket Intel(R) Xeon(R) CPU E5-2630 v4 @ 2.20GHz with 10 Cores each
                                                   n Memory - 256 GB RAM

Required NIC Specifications for SR-IOV Support

Hardware Manufacturer                                                   Firmware Version          Host Driver for Ubuntu 18.04   Host Driver for ESXi 6.7
Dual Port Intel Corporation Ethernet Controller XL710 for 40GbE QSFP+   7.0                       2.10.19.30                     1.8.6 and 1.10.9.0
Dual Port Intel Corporation Ethernet Controller X710 for 10GbE SFP+     7.0                       2.10.19.30                     1.8.6 and 1.10.9.0
Quad Port Intel Corporation Ethernet Controller X710 for 10GbE SFP+     7.0                       2.10.19.30                     1.8.6 and 1.10.9.0
Dell rNDC X710/350 card                                                 nvm 7.10 and FW 19.0.12   2.10.19.30                     1.8.6 and 1.10.9.0

Supported Hypervisor Versions


Hypervisor Supported Versions

VMware n Intel 82599/82599ES - ESXi 6.7 U3 up to ESXi 7.0. To use SR-IOV, the vCenter and the vSphere
Enterprise Plus license are required.
n Intel X710/XL710 - ESXi 6.7 with VMware vSphere Web Client 6.7.0 up to ESXi 7.0 with VMware
vSphere Web Client 7.0.

KVM n Intel 82599/82599ES - Ubuntu 16.04 LTS and Ubuntu 18.04 LTS
n Intel X710/XL710 - Ubuntu 16.04 LTS and Ubuntu 18.04 LTS

Important The installation of Intel i40e host driver version 2.10.19.30 on an Ubuntu 18.04 LTS
server may result in compilation errors. Should this occur, the customer is advised to patch the
host driver.

SD-WAN Gateway Virtual Machine (VM) Specification


For VMware, the OVA already specifies the minimum virtual hardware specification. For KVM, an
example XML file is provided. The minimum virtual hardware specifications are:

n If using VMware ESXi:

n Latency Sensitivity must be set to 'High'.

n Procedure (Adjust Latency Sensitivity)

a Browse to the virtual machine in the vSphere Client.

1 To find a virtual machine, select a data center, folder, cluster, resource pool, or
host.

2 Click the VMs tab.

b Right-click the virtual machine, and click Edit Settings.

c Click VM Options and click Advanced.

d Select a setting from the Latency Sensitivity drop-down menu.

e Click OK.

n CPU reservation set to 100%.

n CPU shares set to high.

n CPU Limit must be set to Unlimited.


n 8 vCPUs (4vCPUs are supported but expect lower performance).

Important All vCPU cores should be mapped to the same socket with the Cores per
Socket parameter set to either 8 with 8 vCPUs, or 4 where 4 vCPUs are used.

Note Hyper-threading must be deactivated to achieve maximum performance.

n Procedure to allocate CPU resources:

a Click Virtual Machines in the VMware Host Client inventory.

b Right-click a virtual machine from the list and select Edit settings from the pop-up
menu.

c On the Virtual Hardware tab, expand CPU, and allocate CPU capacity for the
virtual machine.

Option        Description
Reservation   Guaranteed CPU allocation for this virtual machine.
Limit         Upper limit for this virtual machine’s CPU allocation. Select Unlimited to specify no upper limit.
Shares        CPU shares for this virtual machine in relation to the parent’s total. Sibling virtual machines
              share resources according to their relative share values bounded by the reservation and limit.
              Select Low, Normal, or High, which specify share values respectively in a 1:2:4 ratio. Select
              Custom to give each virtual machine a specific number of shares, which express a proportional
              weight.

n CPU affinity must be enabled. Follow the steps below.

1 In the vSphere Web Client go to the VM Settings tab.

2 Choose the Options tab and click Advanced General > Configuration Parameters.

3 Add entries for numa.nodeAffinity=0, 1, ..., where 0 and 1 are the processor socket
numbers.

n vNIC must be of type 'vmxnet3' (or SR-IOV, see SR-IOV section for support details).

n Minimum of any one of the following vNICs:

n The First vNIC is the public (outside) interface, which must be an untagged interface.

n The Second vNIC is optional and acts as the private (inside) interface that can support
VLAN tagging dot1q and Q-in-Q. This interface typically faces the PE router or L3
switch.

n Optional vNIC (if a separate management/OAM interface is required).


n Memory reservation is set to ‘maximum.’

n 16GB of memory (32GB RAM is required when enabling certificate-based authentication).

n 64 GB of virtual disk (96GB disk is required when enabling certificate-based authentication).

Note VMware uses the above defined settings to obtain scale and performance
numbers. Settings that do not align to the above requirements are not tested by VMware
and can yield unpredictable performance and scale results.

n If using KVM:

n vNIC must be of 'Linux Bridge' type. (SR-IOV is required for high performance, see SR-IOV
section for support details).

n 8 vCPUs (4vCPUs are supported but expect lower performance).

Important All vCPU cores should be mapped to the same socket with the Cores per
Socket parameter set to either 8 with 8 vCPUs, or 4 where 4 vCPUs are used.

Note Hyper-threading must be deactivated to achieve maximum performance.

n 16GB of memory (32GB RAM is required when enabling certificate-based authentication)

n Minimum of any one of the following vNICs:

n The First vNIC is the public (outside) interface, which must be an untagged interface.

n The Second vNIC is optional and acts as the private (inside) interface that can support
VLAN tagging dot1q and Q-in-Q. This interface typically faces the PE router or L3
switch.

n Optional vNIC (if a separate management/OAM interface is required).

n 64 GB of virtual disk (96GB disk is required when enabling certificate-based authentication).

Firewall/NAT Requirements
Note These requirements apply if the SD-WAN Gateway is deployed behind a Firewall and/or
NAT device.

n The firewall needs to allow outbound traffic from the SD-WAN Gateway to TCP/443 (for
communication with the SD-WAN Orchestrator).

n The firewall needs to allow inbound traffic from the Internet to UDP/2426 (VCMP),
UDP/4500, and UDP/500. If NAT is not used, then the firewall also needs to allow IP
protocol 50 (ESP).

n If NAT is used, the above ports must be translated to an externally reachable IP address. Both
1:1 NAT and port translations are supported.


Git Repository with Templates and Samples


The following Git repository contains templates and samples.

git clone https://bitbucket.org/velocloud/deployment.git

Note For more information, refer to the VMware SD-WAN Performance and Scale Datasheet
published at the Partner Connect Portal. To access the datasheet, you must log into the Partner
Connect Portal using your Partner credentials (username and password).

Use of DPDK on SD-WAN Gateways


To improve packet throughput performance, SD-WAN Gateways take advantage of Data Plane
Development Kit (DPDK) technology. DPDK is a set of data plane libraries and drivers provided
by Intel for offloading TCP packet processing from the operating system kernel to processes
running in user space and results in higher packet throughput. For more details, see
https://www.dpdk.org/.

On VMware hosted Gateways and Partner Gateways, DPDK is used on interfaces that manage
data plane traffic and is not used on interfaces reserved for management plane traffic. For
example, on a typical VMware hosted Gateway, eth0 is used for management plane traffic and
would not use DPDK. In contrast, eth1, eth2, and eth3 are used for data plane traffic and use
DPDK.

SD-WAN Gateway Installation Procedures


This section describes the SD-WAN Gateway installation procedures.

In general, installing the SD-WAN Gateway involves the following steps:

1 Create SD-WAN Gateway on SD-WAN Orchestrator and make a note of the activation key.

2 Configure SD-WAN Gateway on SD-WAN Orchestrator.

3 Create the cloud-init file.

4 Create the VM in VMware or KVM.

5 Boot the SD-WAN Gateway VM and ensure the SD-WAN Gateway cloud-init initializes
properly. At this stage, the SD-WAN Gateway should already activate itself against the SD-
WAN Orchestrator.

6 Verify connectivity and deactivate cloud-init.

Important
n SD-WAN Gateway supports both the virtual switch and SR-IOV. This guide specifies the
SR-IOV as an optional configuration step.


Pre-Installation Considerations
The VMware Partner Gateway provides different configuration options. A worksheet should be
prepared before the installation of the Gateway.

Worksheet

SD-WAN Gateway                   n Version
                                 n OVA/QCOW2 file location
                                 n Activation Key
                                 n SD-WAN Orchestrator (IP ADDRESS/vco-fqdn-hostname)
                                 n Hostname

Hypervisor                       Address/Cluster name

Storage                          Root volume datastore (>40GB recommended)

CPU Allocation                   CPU Allocation for KVM/VMware.

Installation Selections          DPDK—This is optional and enabled by default for higher throughput. If you
                                 choose to deactivate DPDK, contact VMware Customer Support.

OAM Network                      n DHCP
                                 n OAM IPv4 Address
                                 n OAM IPv4 Netmask
                                 n DNS server - primary
                                 n DNS server - secondary
                                 n Static Routes

ETH0 – Internet Facing Network   n IPv4 Address
                                 n IPv4 Netmask
                                 n IPv4 Default gateway
                                 n DNS server - primary
                                 n DNS server - secondary

Handoff (ETH1) - Network         n MGMT VRF IPv4 Address
                                 n MGMT VRF IPv4 Netmask
                                 n MGMT VRF IPv4 Default gateway
                                 n DNS server - primary
                                 n DNS server - secondary
                                 n Handoff (QinQ (0x8100), QinQ (0x9100), none, 802.1Q, 802.1ad)
                                 n C-TAG
                                 n S-TAG

Console access                   n Console_Password
                                 n SSH:
                                   n Enabled (yes/no)
                                   n SSH public key

NTP                              n Public NTP:
                                   n server 0.ubuntu.pool.ntp.org
                                   n server 1.ubuntu.pool.ntp.org
                                   n server 2.ubuntu.pool.ntp.org
                                   n server 3.ubuntu.pool.ntp.org
                                 n Internal NTP server - 1
                                 n Internal NTP server - 2

SD-WAN Gateway Section


Most of the SD-WAN Gateway section is self-explanatory.

SD-WAN Gateway   n Version - Should be the same as or lower than the SD-WAN Orchestrator version
                 n OVA/QCOW2 file location - Plan the file location and disk allocation ahead
                 n Activation Key
                 n SD-WAN Orchestrator (IP ADDRESS/vco-fqdn-hostname)
                 n Hostname - Valid Linux hostname (RFC 1123)

Creating a Gateway and Getting the Activation Key


1 Go to Operator > Gateway Pool and create a new SD-WAN Gateway pool. For running SD-
WAN Gateway in the Service Provider network, check the Allow Partner Gateway checkbox.
This will enable the option to include the partner gateway in this gateway pool.

2 Go to Operator > Gateway and create a new gateway and assign it to the pool. The IP
address of the gateway entered here must match the public IP address of the gateway. If
unsure, you can run curl ipinfo.io/ip from the SD-WAN Gateway which will return the
public IP of the SD-WAN Gateway.


3 Make a note of the activation key and add it to the worksheet.

Enable Partner Gateway Mode


1 Go to Operator > Gateways and select the SD-WAN Gateway. Check the Partner Gateway
checkbox to enable the Partner Gateway.


There are additional parameters that can be configured. The most common are the following:

n Advertise 0.0.0.0/0 with no encrypt – This option enables the Partner Gateway to
advertise a path to Cloud traffic for SaaS applications. Since the Encrypt flag is off, it
is up to the customer's business policy configuration whether to use this path.

n The second recommended option is to advertise the SD-WAN Orchestrator IP as a /32 with
encrypt.

This forces the traffic that is sent from the Edge to the SD-WAN Orchestrator to take
the Gateway path. This is recommended since it introduces predictability to the path
that the SD-WAN Edge takes to reach the SD-WAN Orchestrator.

Networking

Important The following procedure and screenshots focus on the most common deployment,
which is the 2-ARM installation for the Gateway. The addition of an OAM network is considered in
the section titled, OAM Interface and Static Routes.

The diagram above is a representation of the SD-WAN Gateway in a 2-ARM deployment. In this
example, we assume eth0 is the interface facing the public network (Internet) and eth1 is the
interface facing the internal network (handoff or VRF interface).

Note A Management VRF is created on the SD-WAN Gateway and is used to send a periodic
ARP refresh to the default gateway IP to check that the handoff interface is physically up,
which speeds up failover. It is recommended that a dedicated VRF is set up on the PE router
for this purpose. Optionally, the same management VRF can also be used by the PE router to
send an IP SLA probe to the SD-WAN Gateway to check the SD-WAN Gateway status (the SD-WAN
Gateway has a stateful ICMP responder that responds to ping only when its service is up). If
a dedicated Management VRF is not set up, you can use one of the customer VRFs as the
Management VRF, although this is not recommended.

For the Internet Facing network, you only need the basic network configuration.

ETH0 – Internet Facing Network   n IPv4_Address
                                 n IPv4_Netmask
                                 n IPv4_Default_gateway
                                 n DNS_server_primary
                                 n DNS_server_secondary


For the Handoff interface, you must know which type of handoff you want to configure and the
Handoff configuration for the Management VRF.

ETH1 – HANDOFF Network   n MGMT_IPv4_Address
                         n MGMT_IPv4_Netmask
                         n MGMT_IPv4_Default gateway
                         n DNS_Server_Primary
                         n DNS_Server_Secondary
                         n Handoff (QinQ (0x8100), QinQ (0x9100), none, 802.1Q, 802.1ad)
                         n C_TAG_FOR_MGMT_VRF
                         n S_TAG_FOR_MGMT_VRF

Console Access

Console access   n Console_Password
                 n SSH:
                   n Enabled (yes/no)
                   n SSH public key

In order to access the Gateway, a console password and/or an SSH public key must be created.

Cloud-Init Creation
The configuration options for the gateway that we defined in the worksheet are used in the
cloud-init configuration. The cloud-init config is composed of two main configuration files, the
metadata file and the user-data file. The meta-data contains the network configuration for the
Gateway, and the user-data contains the Gateway Software configuration. This file provides
information that identifies the instance of the SD-WAN Gateway being installed.

Below are the templates for both meta_data and user_data files. Network-config can be omitted
and network interfaces will be configured via DHCP by default.

Fill the templates with the information in the worksheet. Every #_VARIABLE_# must be replaced,
and every #ACTION# marker must be checked.

Important The template assumes you are using static configuration for the interfaces. It also
assumes that you are either using SR-IOV for all interfaces or none. For more information, see
OAM - SR-IOV with vmxnet3 or SR-IOV with VIRTIO.

meta-data file:

instance-id: #_Hostname_#
local-hostname: #_Hostname_#


network-config file (leading spaces are important!)

Note The network-config examples below describe configuring the virtual machine with two
network interfaces, eth0 and eth1, with static IP addresses. eth0 is the primary interface with a
default route and a metric of 1. eth1 is the secondary interface with a default route and a metric of
13. The system will be configured with password authentication for the default user (vcadmin). In
addition, the SSH authorized key will be added for the vcadmin user. The SD-WAN Gateway will
be automatically activated to the SD-WAN Orchestrator with the provided activation_code.

version: 2
ethernets:
  eth0:
    addresses:
      - #_IPv4_Address_/mask#
    gateway4: #_IPv4_Gateway_#
    nameservers:
      addresses:
        - #_DNS_server_primary_#
        - #_DNS_server_secondary_#
      search: []
    routes:
      - to: 0.0.0.0/0
        via: #_IPv4_Gateway_#
        metric: 1
  eth1:
    addresses:
      - #_MGMT_IPv4_Address_/Mask#
    gateway4: #_MGMT_IPv4_Gateway_#
    nameservers:
      addresses:
        - #_DNS_server_primary_#
        - #_DNS_server_secondary_#
      search: []
    routes:
      - to: 0.0.0.0/0
        via: #_MGMT_IPv4_Gateway_#
        metric: 13

user-data file:

#cloud-config
hostname: #_Hostname_#
password: #_Console_Password_#
chpasswd: {expire: False}
ssh_pwauth: True
ssh_authorized_keys:
  - #_SSH_public_Key_#
velocloud:
  vcg:
    vco: #_VCO_#
    activation_code: #_Activation_Key#
    vco_ignore_cert_errors: false


The default username for the password that is configured in the user-data file is 'vcadmin'. Use
this default username to login to the SD-WAN Gateway for the first time.

Important Always validate user-data and meta-data using http://www.yamllint.com/. The
network-config file must also be a valid network configuration
(https://cloudinit.readthedocs.io/en/19.4/topics/network-config.html). When copying and
pasting on Windows or Mac, smart quotes are sometimes introduced and can corrupt the files. Run
the following command to make sure the file is free of smart quotes.

sed s/[”“]/'"'/g /tmp/user-data > /tmp/user-data_new

Create ISO File


Once you have completed your files, they need to be packaged into an ISO image. This ISO
image is used as a virtual configuration CD with the virtual machine. This ISO image, called
vcg01-cidata.iso, is created with the following command on a Linux system:

genisoimage -output vcg01-cidata.iso -volid cidata -joliet -rock user-data meta-data network-config

If you are on macOS, use the command below instead:

mkisofs -output vcg01-cidata.iso -volid cidata -joliet -rock {user-data,meta-data,network-config}

This ISO file which we will call #CLOUD_INIT_ISO_FILE# is going to be used in both OVA and
VMware installations.
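The template-filling, smart-quote and ISO steps above, as one script. This is an added example, not part of the guide or of VMware's deployment repository. It assumes the worksheet values shown at the top (constructed sample values: RFC 5737 documentation addresses, a placeholder activation key and a truncated sample SSH key), uses the guide's own #_VARIABLE_# placeholder names, fills the eth1 gateway4 field from the same MGMT gateway value as the eth1 default route, and refuses to continue if any placeholder or #ACTION# marker survives rendering. The function names are my own.

```shell
#!/bin/sh
# Added example (not from the guide or from VMware): fill the cloud-init
# templates from the worksheet, check the result, and build the cidata ISO.
set -eu

# Worksheet values. These are constructed sample values for the example
# (RFC 5737 documentation addresses, placeholder key and password).
VCG_HOSTNAME="vcg01"; VCG_VCO="vco.example.com"
VCG_ACTIVATION_KEY="ACTIVATION-KEY-FROM-ORCHESTRATOR"
VCG_CONSOLE_PASSWORD="ReplaceWithConsolePassword"
VCG_SSH_PUBLIC_KEY="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyOnly vcadmin"
ETH0_ADDR_MASK="198.51.100.10/24"; ETH0_GATEWAY="198.51.100.1"
MGMT_ADDR_MASK="192.168.152.10/24"; MGMT_GATEWAY="192.168.152.1"
DNS_PRIMARY="198.51.100.53"; DNS_SECONDARY="198.51.100.54"

# render: replace each #_VARIABLE_# token on stdin with its worksheet value.
# '|' is the sed delimiter so the '/' in CIDR masks needs no escaping.
render() {
  sed -e "s|#_Hostname_#|$VCG_HOSTNAME|g" \
      -e "s|#_VCO_#|$VCG_VCO|g" \
      -e "s|#_Activation_Key#|$VCG_ACTIVATION_KEY|g" \
      -e "s|#_Console_Password_#|$VCG_CONSOLE_PASSWORD|g" \
      -e "s|#_SSH_public_Key_#|$VCG_SSH_PUBLIC_KEY|g" \
      -e "s|#_IPv4_Address_/mask#|$ETH0_ADDR_MASK|g" \
      -e "s|#_IPv4_Gateway_#|$ETH0_GATEWAY|g" \
      -e "s|#_MGMT_IPv4_Address_/Mask#|$MGMT_ADDR_MASK|g" \
      -e "s|#_MGMT_IPv4_Gateway_#|$MGMT_GATEWAY|g" \
      -e "s|#_DNS_server_primary_#|$DNS_PRIMARY|g" \
      -e "s|#_DNS_server_secondary_#|$DNS_SECONDARY|g"
}

# strip_smart_quotes: the guide's smart-quote fix as plain substitutions,
# so it behaves the same under C and UTF-8 locales.
strip_smart_quotes() {
  sed -e 's/“/"/g' -e 's/”/"/g' -e "s/‘/'/g" -e "s/’/'/g"
}

# check_rendered FILE: fail if a #_..._# token or #ACTION# marker survived.
check_rendered() {
  if grep -q -e '#_[A-Za-z0-9_/]*#' -e '#ACTION#' "$1"; then
    echo "unfilled placeholder in $1" >&2; return 1
  fi
}

# build_cloud_init DIR: write meta-data, network-config and user-data into DIR,
# rendered from the guide's templates, and verify nothing was left unfilled.
build_cloud_init() {
  dir="$1"; mkdir -p "$dir"
  cat <<'EOF' | render | strip_smart_quotes > "$dir/meta-data"
instance-id: #_Hostname_#
local-hostname: #_Hostname_#
EOF
  cat <<'EOF' | render | strip_smart_quotes > "$dir/network-config"
version: 2
ethernets:
  eth0:
    addresses:
      - #_IPv4_Address_/mask#
    gateway4: #_IPv4_Gateway_#
    nameservers:
      addresses: [#_DNS_server_primary_#, #_DNS_server_secondary_#]
    routes:
      - {to: 0.0.0.0/0, via: #_IPv4_Gateway_#, metric: 1}
  eth1:
    addresses:
      - #_MGMT_IPv4_Address_/Mask#
    gateway4: #_MGMT_IPv4_Gateway_#
    nameservers:
      addresses: [#_DNS_server_primary_#, #_DNS_server_secondary_#]
    routes:
      - {to: 0.0.0.0/0, via: #_MGMT_IPv4_Gateway_#, metric: 13}
EOF
  cat <<'EOF' | render | strip_smart_quotes > "$dir/user-data"
#cloud-config
hostname: #_Hostname_#
password: #_Console_Password_#
chpasswd: {expire: False}
ssh_pwauth: True
ssh_authorized_keys:
  - #_SSH_public_Key_#
velocloud:
  vcg:
    vco: #_VCO_#
    activation_code: #_Activation_Key#
    vco_ignore_cert_errors: false
EOF
  for f in meta-data network-config user-data; do check_rendered "$dir/$f"; done
}

# make_iso DIR: package the files as the guide shows (genisoimage on Linux,
# mkisofs on macOS); fails if neither tool is installed.
make_iso() {
  tool=$(command -v genisoimage || command -v mkisofs) || { echo "genisoimage/mkisofs not found" >&2; return 1; }
  (cd "$1" && "$tool" -output vcg01-cidata.iso -volid cidata -joliet -rock user-data meta-data network-config)
}

# Usage: sh build-cidata.sh <output-dir>
if [ "$#" -eq 1 ]; then build_cloud_init "$1" && make_iso "$1"; fi
```

The YAML flow forms ([a, b] lists and {to: ..., via: ...} mappings) are equivalent to the block form in the guide's template; they are used here only to keep the script short. Because every file passes through strip_smart_quotes before it is written, the separate sed step from the guide is not needed, but running yamllint on the three outputs before building the ISO is still worthwhile.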

Install SD-WAN Gateway


You can install SD-WAN Gateway on VMware and KVM.

Prerequisites

KVM provides multiple ways to provide networking to virtual machines. VMware recommends the
following options:

n SR-IOV

n Linux Bridge

n OpenVSwitch Bridge

If you decide to use SR-IOV mode, enable SR-IOV on KVM and VMware. For steps, see:

n Enable SR-IOV on KVM

n Enable SR-IOV on VMware

To install SD-WAN Gateway:

n On KVM, see Install SD-WAN Gateway on KVM.


n On VMware, see Install SD-WAN Gateway on VMware.

Enable SR-IOV on VMware


Enabling SR-IOV on VMware is an optional configuration.

Prerequisites
This requires a specific NIC card. The following chipsets are certified by VMware to work with the
SD-WAN Gateway.

n Intel 82599/82599ES

n Intel X710/XL710

Note Before using the Intel X710/XL710 cards in SR-IOV mode on VMware, make sure the
supported Firmware and Driver versions described in the Deployment Prerequisites section are
installed correctly.

To enable SR-IOV on VMware:

1 Make sure that your NIC card supports SR-IOV. Check the VMware Hardware
Compatibility List (HCL) at https://www.vmware.com/resources/compatibility/search.php?deviceCategory=io

Brand Name: Intel

I/O Device Type: Network

Features: SR-IOV

The following VMware KB article provides details of how to enable SR-IOV on the supported
NIC: https://kb.vmware.com/s/article/2038739

2 Once you have a supported NIC card, go to the specific VMware host, select the Configure tab,
and then choose Physical adapters.


3 Select Edit Settings. Change Status to Enabled and specify the number of virtual functions
required. This number varies by the type of NIC card.

4 Reboot the hypervisor.

5 If SR-IOV is successfully enabled, the number of Virtual Functions (VFs) will show under the
particular NIC after ESXi reboots.

Install SD-WAN Gateway on VMware


Describes how to install the SD-WAN Gateway OVA on VMware.

Note This deployment is tested on ESXi versions 6.7, 6.7U3, and 7.0.

Important When you are done with the OVA installation, do not start the VM until you have
created the cloud-init ISO file and mounted it as a CD-ROM on the SD-WAN Gateway VM. Otherwise,
you will need to re-deploy the VM.

If you decide to use SR-IOV mode, then you can optionally enable SR-IOV on VMware. To enable
the SR-IOV on VMware, see Enable SR-IOV on VMware.

To install the SD-WAN Gateway OVA on VMware:

1 Select the ESXi host, go to Actions, and then Deploy OVF Template. Select the SD-WAN
Gateway OVA file provided by VMware and click Next.


Review the template details in Step 4 (Review details) of the Deploy OVA/OVF Template
wizard as shown in the image below.

2 For the Select networks step, the OVA comes with two pre-defined networks (vNICs).

vNIC     Description

Inside   This is the vNIC facing the PE router and is used for handoff traffic to the MPLS PE or L3 switch.
         This vNIC is normally bound to a port group that does a VLAN pass-through (VLAN=4095 in the
         vSwitch configuration).

Outside  This is the vNIC facing the Internet. This vNIC expects non-tagged L2 frames and is normally
         bound to a different port group from the Inside vNIC.

3 For the Customize template step, do not change anything. This is when you use vApp to
configure the VM. We will not use vApp in this example. Click Next to continue with deploying
the OVA.


4 Once the VM is successfully deployed, return to the VM and click Edit Settings. Two vNICs
are created with adapter type = vmxnet3.

5 (Optional for SR-IOV) This step is required only if you plan to use SR-IOV. Because the OVA
by default creates the two vNICs as vmxnet3, we will need to remove the two vNICs and
re-add them as SR-IOV.


When adding the two new SR-IOV vNICs, use the same port group as the original two
vmxnet3 vNICs. Make sure the Adapter Type is SR-IOV passthrough. Select the correct
physical port to use and set the Guest OS MTU Change to Allow. After you add the two
vNICs, click OK.

6 As SD-WAN Gateway is a real-time application, you need to configure the
Latency Sensitivity to High. For more information about how to configure the
VM for real-time application, see https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/techpaper/latency-sensitive-perf-vsphere55-white-paper.pdf.


7 Refer to Cloud-init Creation. The Cloud-init file is packaged as a CD-ROM (iso) file. You need
to mount this file as a CD-ROM.

Note You must upload this file to the datastore.

8 Start the VM.

Enable SR-IOV on KVM


To enable the SR-IOV mode on KVM, perform the following steps.

Prerequisites
This requires a specific NIC card. The following chipsets are certified by VMware to work with the
SD-WAN Gateway and SD-WAN Edge.

n Intel 82599/82599ES


n Intel X710/XL710

Note Before using the Intel X710/XL710 cards in SR-IOV mode on KVM, make sure the
supported Firmware and Driver versions specified in the Deployment Prerequisites section are
installed correctly.

Note SR-IOV mode is not supported if the KVM Virtual Edge is deployed with a High-Availability
topology. For High-Availability deployments, ensure that SR-IOV is not enabled for that KVM
Edge pair.

To enable SR-IOV on KVM:

1 Enable SR-IOV in BIOS. The exact setting depends on your BIOS: log in to the BIOS console and
look for SR-IOV Support/DMA. You can verify virtualization support at the shell prompt by checking
that the Intel CPU reports the vmx flag.

cat /proc/cpuinfo | grep vmx

2 Add the following option to the kernel boot parameters (in /etc/default/grub).

GRUB_CMDLINE_LINUX="intel_iommu=on"

a Run the following commands: update-grub and update-initramfs -u.

b Reboot

c Make sure iommu is enabled.

velocloud@KVMperf3:~$ dmesg | grep -i IOMMU
[ 0.000000] Command line: BOOT_IMAGE=/vmlinuz-3.13.0-107-generic root=/dev/mapper/qa--multiboot--002--vg-root ro intel_iommu=on splash quiet vt.handoff=7
[ 0.000000] Kernel command line: BOOT_IMAGE=/vmlinuz-3.13.0-107-generic root=/dev/mapper/qa--multiboot--002--vg-root ro intel_iommu=on splash quiet vt.handoff=7
[ 0.000000] Intel-IOMMU: enabled
...
velocloud@KVMperf3:~$

3 Based on the NIC chipset used, add a driver as follows:

n For the Intel 82599/82599ES cards in SR-IOV mode:

1 Download and install ixgbe driver from the Intel website.

2 Build and install the driver (extract the tarball and run sudo make install), then check the ixgbe module configuration:

velocloud@KVMperf1:~$ cat /etc/modprobe.d/ixgbe.conf


3 If the ixgbe config file does not exist, you must create the file as follows.

options ixgbe max_vfs=32,32
options ixgbe allow_unsupported_sfp=1
options ixgbe MDD=0,0
blacklist ixgbevf

4 Run the update-initramfs -u command and reboot the Server.

5 Use the modinfo and ip link commands to verify that the installation is successful.

velocloud@KVMperf1:~$ modinfo ixgbe
filename: /lib/modules/4.4.0-62-generic/updates/drivers/net/ethernet/intel/ixgbe/ixgbe.ko
version: 5.0.4
license: GPL
description: Intel(R) 10GbE PCI Express Linux Network Driver
author: Intel Corporation, <[email protected]>
srcversion: BA7E024DFE57A92C4F1DC93

n For the Intel X710/XL710 cards in SR-IOV mode:

1 Download and install i40e driver from the Intel website.

2 Create the Virtual Functions (VFs).

echo 4 > /sys/class/net/<device_name>/device/sriov_numvfs

3 To make the VFs persistent after a reboot, add the command from the previous step
to the "/etc/rc.d/rc.local" file.

4 Deactivate the VF driver.

echo "blacklist i40evf" >> /etc/modprobe.d/blacklist.conf

5 Run the update-initramfs -u command and reboot the Server.

Validating SR-IOV (Optional)


You can quickly verify if your host machine has SR-IOV enabled by using the following command:

lspci | grep -i Ethernet

Verify if you have Virtual Functions:

01:10.0 Ethernet controller: Intel Corporation 82599 Ethernet Controller Virtual Function (rev 01)
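As an added example (not part of the VMware guide), the following script checks the end state that the SR-IOV procedure above should leave on a KVM host: intel_iommu=on on the kernel command line, the IOMMU reported as enabled in dmesg, the ixgbe max_vfs option and the blacklist of the VF driver (ixgbevf or i40evf) in modprobe.d, and the Virtual Functions visible in lspci. The inputs are passed as text so it runs offline; the sample texts are constructed here (the dmesg and lspci lines mirror the ones shown in the guide).

```python
"""Offline check of the SR-IOV prerequisites for a KVM host (example code).

On a real host, feed it /proc/cmdline, `dmesg`, the relevant
/etc/modprobe.d/*.conf file and the output of `lspci | grep -i Ethernet`.
"""


def iommu_enabled(cmdline: str, dmesg: str) -> bool:
    """True when intel_iommu=on is on the kernel command line and the kernel
    logged 'Intel-IOMMU: enabled' (step 2c of the procedure)."""
    return "intel_iommu=on" in cmdline.split() and "Intel-IOMMU: enabled" in dmesg


def parse_modprobe(conf: str) -> dict:
    """Parse 'options <module> k=v ...' and 'blacklist <module>' lines of a
    modprobe.d file; comments and other directives are ignored."""
    parsed = {"options": {}, "blacklist": set()}
    for raw in conf.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 3 and parts[0] == "options":
            opts = parsed["options"].setdefault(parts[1], {})
            for kv in parts[2:]:
                key, _, value = kv.partition("=")
                opts[key] = value
        elif len(parts) == 2 and parts[0] == "blacklist":
            parsed["blacklist"].add(parts[1])
    return parsed


def sriov_problems(chipset: str, cmdline: str, dmesg: str, modprobe_conf: str) -> list:
    """Return findings for chipset '82599' or 'x710'; an empty list means the
    host matches the procedure. For X710 the VF count is set at runtime via
    sriov_numvfs, so only the driver blacklist is checked there."""
    problems = []
    if not iommu_enabled(cmdline, dmesg):
        problems.append("IOMMU not enabled: add intel_iommu=on to GRUB_CMDLINE_LINUX, "
                        "run update-grub and update-initramfs -u, then reboot")
    mp = parse_modprobe(modprobe_conf)
    if chipset == "82599":
        if "max_vfs" not in mp["options"].get("ixgbe", {}):
            problems.append("ixgbe: no 'options ixgbe max_vfs=...' line, so no VFs are created at module load")
        if "ixgbevf" not in mp["blacklist"]:
            problems.append("ixgbe: ixgbevf not blacklisted, so the host binds the VFs instead of leaving them for vfio")
    elif chipset == "x710":
        if "i40evf" not in mp["blacklist"]:
            problems.append("i40e: i40evf not blacklisted, so the host binds the VFs instead of leaving them for vfio")
    else:
        problems.append(f"chipset {chipset!r} is not a certified Intel 82599/82599ES or X710/XL710")
    return problems


def list_vfs(lspci_out: str) -> list:
    """PCI addresses of Virtual Functions in `lspci | grep -i Ethernet` output
    (the 'Validating SR-IOV' check)."""
    return [line.split()[0] for line in lspci_out.splitlines() if "Virtual Function" in line]


# Constructed sample inputs.
SAMPLE_CMDLINE = ("BOOT_IMAGE=/vmlinuz-3.13.0-107-generic root=/dev/mapper/qa--multiboot--002--vg-root "
                  "ro intel_iommu=on splash quiet vt.handoff=7")
SAMPLE_DMESG = "[    0.000000] Intel-IOMMU: enabled\n"
IXGBE_CONF = """options ixgbe max_vfs=32,32
options ixgbe allow_unsupported_sfp=1
options ixgbe MDD=0,0
blacklist ixgbevf
"""
SAMPLE_LSPCI = """01:00.0 Ethernet controller: Intel Corporation 82599ES 10-Gigabit SFI/SFP+ Network Connection (rev 01)
01:10.0 Ethernet controller: Intel Corporation 82599 Ethernet Controller Virtual Function (rev 01)
"""

if __name__ == "__main__":
    for finding in sriov_problems("82599", SAMPLE_CMDLINE, SAMPLE_DMESG, IXGBE_CONF) or ["host ready"]:
        print(finding)
    print("VFs:", list_vfs(SAMPLE_LSPCI))
```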

Install SD-WAN Gateway on KVM


Describes how to install the SD-WAN Gateway qcow on KVM.

Note This deployment is tested on KVM Ubuntu 16.04 and 18.04.


Pre-Installation Considerations
KVM provides multiple ways to provide networking to virtual machines. The networking in
libvirt must be provisioned before the VM is configured. There are multiple ways to configure
networking in KVM. For the full set of options for configuring networks in libvirt, see the
following link:

https://libvirt.org/formatnetwork.html

From the full list of options, VMware recommends the following modes:

n SR-IOV (This mode is required for the SD-WAN Gateway to deliver the maximum throughput
specified by VMware)

n OpenVSwitch Bridge

If you decide to use SR-IOV mode, enable SR-IOV on KVM. To enable the SR-IOV on KVM, see
Enable SR-IOV on KVM.

SD-WAN Gateway Installation Steps on KVM


1 Copy the QCOW and the Cloud-init files created in the Cloud-Init Creation section to a new
empty directory.

2 Create the Network interfaces that you are going to use for the device.

Using SR-IOV: The following is a sample network interface template specific to Intel X710/
XL710 NIC cards using SR-IOV.

<interface type='hostdev' managed='yes'>
<mac address='52:54:00:79:19:3d'/>
<driver name='vfio'/>
<source>
<address type='pci' domain='0x0000' bus='0x83' slot='0x0a' function='0x0'/>
</source>
<model type='virtio'/>
</interface>

Using OpenVSwitch: The following are the sample templates of a network interface using
OpenVSwitch.

git ./vcg/templates/KVM_NETWORKING_SAMPLES/template_outside_openvswitch.xml

<?xml version="1.0" encoding="UTF-8"?>
<network>
<name>public_interface</name>
<!--This is the network name-->
<model type="virtio" />
<forward mode="bridge" />
<bridge name="publicinterface" />
<virtualport type="openvswitch" />
<vlan trunk="yes">
<tag id="50" />
<!--Define all the VLANS for this Bridge -->
<tag id="51" />
<!--Define all the VLANS for this Bridge -->
</vlan>
</network>

Create a network for inside_interface:

git ./vcg/templates/KVM_NETWORKING_SAMPLES/template_inside_openvswitch.xml

<network>
<name>inside_interface</name> <!--This is the network name-->
<model type='virtio'/>
<forward mode="bridge"/>
<bridge name="insideinterface"/>
<virtualport type='openvswitch'></virtualport>
<vlan trunk='yes'>
<tag id='200'/> <!--Define all the VLANS for this Bridge -->
<tag id='201'/> <!--Define all the VLANS for this Bridge -->
<tag id='202'/> <!--Define all the VLANS for this Bridge -->
</vlan>
</network>

If you are using OpenVSwitch mode, then you have to verify if the basic networks are
created and active before launching the VM.

Note This validation step is not applicable for SR-IOV mode as you do not create any
network before the VM is launched.

3 Edit the VM XML file. There are multiple ways to create a Virtual Machine in KVM. You can
define the VM in an XML file and create it using libvirt, using the sample VM XML template
specific to OpenVSwitch mode and SR-IOV mode.

vi my_vm.xml

The following is a sample template of a VM which uses OpenVSwitch interfaces. Use this
template by making edits, wherever applicable.

<?xml version="1.0" encoding="UTF-8"?>


<domain type="kvm">
<name>#domain_name#</name>
<memory unit="KiB">8388608</memory>
<currentMemory unit="KiB">8388608</currentMemory>
<vcpu>8</vcpu>
<cputune>
<vcpupin vcpu="0" cpuset="0" />
<vcpupin vcpu="1" cpuset="1" />
<vcpupin vcpu="2" cpuset="2" />
<vcpupin vcpu="3" cpuset="3" />
<vcpupin vcpu="4" cpuset="4" />
<vcpupin vcpu="5" cpuset="5" />
<vcpupin vcpu="6" cpuset="6" />
<vcpupin vcpu="7" cpuset="7" />
</cputune>
<resource>
<partition>/machine</partition>
</resource>
<os>
<type>hvm</type>
</os>
<features>
<acpi />
<apic />
<pae />
</features>
<cpu mode="host-passthrough" />
<clock offset="utc" />
<on_poweroff>destroy</on_poweroff>
<on_reboot>restart</on_reboot>
<on_crash>restart</on_crash>
<devices>
<emulator>/usr/bin/kvm-spice</emulator>
<disk type="file" device="disk">
<driver name="qemu" type="qcow2" />
<source file="#folder#/#qcow_root#" />
<target dev="hda" bus="ide" />
<alias name="ide0-0-0" />
<address type="drive" controller="0" bus="0" target="0" unit="0" />
</disk>
<disk type="file" device="cdrom">
<driver name="qemu" type="raw" />
<source file="#folder#/#Cloud_INIT_ISO#" />
<target dev="sdb" bus="sata" />
<readonly />
<alias name="sata1-0-0" />
<address type="drive" controller="1" bus="0" target="0" unit="0" />
</disk>
<controller type="usb" index="0">
<alias name="usb0" />
<address type="pci" domain="0x0000" bus="0x00" slot="0x01" function="0x2" />
</controller>
<controller type="pci" index="0" model="pci-root">
<alias name="pci.0" />
</controller>
<controller type="ide" index="0">
<alias name="ide0" />
<address type="pci" domain="0x0000" bus="0x00" slot="0x01" function="0x1" />
</controller>
<interface type="network">
<source network="public_interface" />
<vlan>
<tag id="#public_vlan#" />
</vlan>
<alias name="hostdev1" />
<address type="pci" domain="0x0000" bus="0x00" slot="0x11" function="0x0" />
</interface>
<interface type="network">
<source network="inside_interface" />
<alias name="hostdev2" />
<address type="pci" domain="0x0000" bus="0x00" slot="0x12" function="0x0" />
</interface>
<serial type="pty">
<source path="/dev/pts/3" />
<target port="0" />
<alias name="serial0" />
</serial>
<console type="pty" tty="/dev/pts/3">
<source path="/dev/pts/3" />
<target type="serial" port="0" />
<alias name="serial0" />
</console>
<memballoon model="none" />
</devices>
<seclabel type="none" />
</domain>

The following is a sample template of a VM which uses SR-IOV interfaces. Use this template
by making edits, wherever applicable.

<?xml version="1.0" encoding="UTF-8"?>


<domain type="kvm">
<name>#domain_name#</name>
<memory unit="KiB">8388608</memory>
<currentMemory unit="KiB">8388608</currentMemory>
<vcpu>8</vcpu>
<cputune>
<vcpupin vcpu="0" cpuset="0" />
<vcpupin vcpu="1" cpuset="1" />
<vcpupin vcpu="2" cpuset="2" />
<vcpupin vcpu="3" cpuset="3" />
<vcpupin vcpu="4" cpuset="4" />
<vcpupin vcpu="5" cpuset="5" />
<vcpupin vcpu="6" cpuset="6" />
<vcpupin vcpu="7" cpuset="7" />
</cputune>
<resource>
<partition>/machine</partition>
</resource>
<os>
<type>hvm</type>
</os>
<features>
<acpi />
<apic />
<pae />
</features>
<cpu mode="host-passthrough" />
<clock offset="utc" />
<on_poweroff>destroy</on_poweroff>
<on_reboot>restart</on_reboot>
<on_crash>restart</on_crash>
<devices>
<emulator>/usr/bin/kvm-spice</emulator>
<disk type="file" device="disk">
<driver name="qemu" type="qcow2" />
<source file="#folder#/#qcow_root#" />
<target dev="hda" bus="ide" />
<alias name="ide0-0-0" />
<address type="drive" controller="0" bus="0" target="0" unit="0" />
</disk>
<disk type="file" device="cdrom">
<driver name="qemu" type="raw" />
<source file="#folder#/#Cloud_INIT_ISO#" />
<target dev="sdb" bus="sata" />
<readonly />
<alias name="sata1-0-0" />
<address type="drive" controller="1" bus="0" target="0" unit="0" />
</disk>
<controller type="usb" index="0">
<alias name="usb0" />
<address type="pci" domain="0x0000" bus="0x00" slot="0x01" function="0x2" />
</controller>
<controller type="pci" index="0" model="pci-root">
<alias name="pci.0" />
</controller>
<controller type="ide" index="0">
<alias name="ide0" />
<address type="pci" domain="0x0000" bus="0x00" slot="0x01" function="0x1" />
</controller>
<interface type='hostdev' managed='yes'>
<mac address='52:54:00:79:19:3d'/>
<driver name='vfio'/>
<source>
<address type='pci' domain='0x0000' bus='0x83' slot='0x0a' function='0x0'/>
</source>
<model type='virtio'/>
</interface>
<interface type='hostdev' managed='yes'>
<mac address='52:54:00:74:69:4d'/>
<driver name='vfio'/>
<source>
<address type='pci' domain='0x0000' bus='0x83' slot='0x0a' function='0x1'/>
</source>
<model type='virtio'/>
</interface>
<serial type="pty">
<source path="/dev/pts/3" />
<target port="0" />
<alias name="serial0" />
</serial>
<console type="pty" tty="/dev/pts/3">
<source path="/dev/pts/3" />
<target type="serial" port="0" />
<alias name="serial0" />
</console>
<memballoon model="none" />
</devices>
<seclabel type="none" />
</domain>

4 Launch the VM by performing the following steps:

a Ensure you have the following three files in your directory:

n qcow file - vcg-root

n cloud-init - vcg-test.iso

n Domain XML file that defines the VM - test_vcg.xml, where test_vcg is the domain
name.

b Define VM.

velocloud@KVMperf2:/tmp/VeloCloudGateway$ virsh define test_vcg.xml
Domain test_vcg defined from test_vcg.xml

c Set VM to autostart.

velocloud@KVMperf2:/tmp/VeloCloudGateway$ virsh autostart test_vcg

d Start VM.

velocloud@KVMperf2:/tmp/VeloCloudGateway$ virsh start test_vcg

5 If you are using SR-IOV mode, after launching the VM, set the following on the Virtual
Functions (VFs) used:

a Set the spoofcheck off.

ip link set eth1 vf 0 spoofchk off

b Set the Trusted mode on.

ip link set dev eth1 vf 0 trust on


c Set the VLAN, if required.

ip link set eth1 vf 0 vlan 3500

Note The Virtual Functions configuration step is not applicable for OpenVSwitch (OVS)
mode.

6 Console into the VM.

virsh list
Id Name State
----------------------------------------------------
25 test_vcg running
velocloud@KVMperf2$ virsh console 25
Connected to domain test_vcg
Escape character is ^]

Special Consideration for KVM Host

n Deactivate GRO (Generic Receive Offload) on physical interfaces (to avoid unnecessary
re-fragmentation in SD-WAN Gateway).

ethtool -K <interface> gro off tx off

n Deactivate CPU C-states (power states affect real-time performance). Typically, this can be
done as part of kernel boot options by appending processor.max_cstate=1 or just deactivate
in the BIOS.

n For production deployment, vCPUs must be pinned to the instance. No oversubscription on
the cores should be allowed to take place.
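As an added example (not part of the VMware guide), the following pre-flight check reads a libvirt domain XML before `virsh define` and reports the points the installation steps and the KVM host considerations above call out: the cloud-init ISO must be attached as a CD-ROM before first boot, both the public and inside interfaces must be present, every vCPU must be pinned, the CPU must be host-passthrough and the memory balloon disabled. The sample domain XML is a constructed, shortened version of the guide's template; the domain name and file paths in it are placeholders.

```python
"""Pre-flight validation of an SD-WAN Gateway domain XML for KVM (example code)."""
import xml.etree.ElementTree as ET


def check_domain_xml(xml_text: str) -> list:
    """Return a list of findings; an empty list means the XML passes."""
    root = ET.fromstring(xml_text)
    findings = []
    if root.tag != "domain" or root.get("type") != "kvm":
        findings.append("root element must be <domain type='kvm'>")

    # The guide's Important note: never boot the VM for the first time
    # without the cloud-init ISO mounted as a CD-ROM.
    iso_files = [
        d.find("source").get("file", "")
        for d in root.iter("disk")
        if d.get("device") == "cdrom" and d.find("source") is not None
    ]
    if not any(f.endswith(".iso") for f in iso_files):
        findings.append("no cloud-init ISO attached as a cdrom device; the VM would boot unconfigured")

    # Public (outside) and inside (handoff) interfaces, OVS or SR-IOV hostdev.
    nics = list(root.iter("interface"))
    if len(nics) < 2:
        findings.append(f"expected the public and inside interfaces, found {len(nics)} <interface> element(s)")

    # Production requires every vCPU to be pinned (no oversubscription).
    vcpu = root.find("vcpu")
    count = int(vcpu.text) if vcpu is not None and vcpu.text else 0
    pinned = {pin.get("vcpu") for pin in root.iter("vcpupin")}
    unpinned = [str(i) for i in range(count) if str(i) not in pinned]
    if count == 0:
        findings.append("missing <vcpu> count")
    elif unpinned:
        findings.append("unpinned vCPUs (production requires pinning): " + ", ".join(unpinned))

    cpu = root.find("cpu")
    if cpu is None or cpu.get("mode") != "host-passthrough":
        findings.append("<cpu mode='host-passthrough'/> expected")

    balloon = root.find("./devices/memballoon")
    if balloon is None or balloon.get("model") != "none":
        findings.append("<memballoon model='none'/> expected so guest memory is never reclaimed")
    return findings


# Constructed sample: a shortened version of the guide's OpenVSwitch template.
SAMPLE_XML = """<domain type="kvm">
  <name>test_vcg</name>
  <memory unit="KiB">8388608</memory>
  <vcpu>2</vcpu>
  <cputune>
    <vcpupin vcpu="0" cpuset="0"/>
    <vcpupin vcpu="1" cpuset="1"/>
  </cputune>
  <cpu mode="host-passthrough"/>
  <devices>
    <disk type="file" device="disk"><source file="/tmp/vcg/vcg-root.qcow2"/></disk>
    <disk type="file" device="cdrom"><source file="/tmp/vcg/vcg01-cidata.iso"/></disk>
    <interface type="network"><source network="public_interface"/></interface>
    <interface type="network"><source network="inside_interface"/></interface>
    <memballoon model="none"/>
  </devices>
</domain>
"""

if __name__ == "__main__":
    for finding in check_domain_xml(SAMPLE_XML) or ["domain XML passes pre-flight checks"]:
        print(finding)
```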

Post-Installation Tasks
This section describes post-installation and installation verification steps.

If everything worked as expected in the installation, you can now log in to the VM.

1 If everything works as expected, you should see the login prompt on the console, with the
prompt name as specified in cloud-init.


2 You can also check /run/cloud-init/result.json. If it reports no errors for the cloud-init
stages, cloud-init most likely ran successfully.

3 Verify that the Gateway is registered with SD-WAN Orchestrator.

4 Verify Outside Connectivity.

5 Verify that the MGMT VRF is responding to ARPs.


6 Optional: Deactivate cloud-init so it does not run on every boot.

Note If you have deployed OVA on VMware vSphere with vAPP properties, you must
deactivate cloud-init prior to upgrading to versions 4.0.1 or 4.1.0. This is to ensure that the
customization settings such as network configuration or password are not lost during the
upgrade.

touch /etc/cloud/cloud-init.disabled

7 Associate the new gateway pool with the customer.


8 Associate the Gateway with an Edge.

9 Verify that the Edge is able to establish a tunnel with the Gateway on the Internet side. From
the VMware SD-WAN Orchestrator, go to Monitor > Edges > Overview.

From the VMware SD-WAN Orchestrator, go to Test & Troubleshoot > Remote Diagnostics >
[Edge] > List Paths, and click Run to view the list of active paths.

10 Configure the Handoff interface.


11 Verify that the BGP session is up.

12 Change the network configuration.

Network configuration files are located under /etc/netplan.

Example network configuration (whitespace is important!) - /etc/netplan/50-cloud-init.yaml:

network:
  version: 2
  ethernets:
    eth0:
      addresses:
        - 192.168.151.253/24
      gateway4: 192.168.151.1
      nameservers:
        addresses:
          - 8.8.8.8
          - 8.8.4.4
        search: []
      routes:
        - to: 192.168.0.0/16
          via: 192.168.151.254
          metric: 100
    eth1:
      addresses:
        - 192.168.152.251/24
      gateway4: 192.168.152.1
      nameservers:
        addresses:
          - 8.8.8.8
        search: []

Important: when cloud-init is enabled, the network configuration is regenerated on every boot.
To make persistent changes to this configuration, deactivate cloud-init or deactivate only its
network configuration component:

echo 'network: {config: disabled}' > /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg

Configure Handoff Interface in Dataplane


VMware SD-WAN Gateway Network Configuration

In the example in the figure below (VRF/VLAN Hand Off to PE), we assume eth0 is the
interface facing the public network (Internet) and eth1 is the interface facing the internal network
(customer VRF through the PE). BGP peering configuration is managed on the SD-WAN Orchestrator
(VCO) on a per customer/VRF basis under "Configure > Customer". Note that the IP address of each
VRF is configurable per customer. The IP address of the management VRF inherits the IP address
configured on the SD-WAN Gateway interface in Linux.

A management VRF is created on the SD-WAN Gateway and is used to send periodic ARP
refreshes to the default Gateway IP to determine the next-hop MAC. It is recommended that a
dedicated VRF is set up on the PE router for this purpose. The same management VRF can also
be used by the PE router to send IP SLA probes to the SD-WAN Gateway to check the SD-WAN
Gateway status (the SD-WAN Gateway has a stateful ICMP responder that responds to ping only
when its service is up). BGP Peering is not required on the Management VRF. If a Management
VRF is not set up, then you can use one of the customer VRFs as the Management VRF, although
this is not recommended.

Step 1: Edit the /etc/config/gatewayd and specify the correct VCMP and WAN interface. VCMP
interface is the public interface that terminates the overlay tunnels. The WAN interface in this
context is the handoff interface.

"vcmp.interfaces":[
"eth0"
],
(..snip..)
"wan": [
"eth1"
],

Step 2: Configure the Management VRF. This VRF is used by the SD-WAN Gateway to ARP
for next-hop MAC (PE router). The same next-hop MAC will be used by all the VRFs created
by the SD-WAN Gateway. You need to configure the Management VRF parameter in /etc/config/
gatewayd.

The Management VRF is the same VRF to which the PE router sends IP SLA probes. The
SD-WAN Gateway only responds to the ICMP probe if the service is up and if there are Edges
connected to it. The table below explains each parameter that needs to be defined. This example
has the Management VRF on the 802.1q VLAN ID of 1000.

mode       QinQ (0x8100), QinQ (0x9100), none, 802.1Q, 802.1ad

c_tag      C-Tag value for QinQ encapsulation or 802.1Q VLAN ID for 802.1Q encapsulation

s_tag      S-Tag value for QinQ encapsulation

interface  Handoff interface, typically eth1

"vrf_vlan": {
"tag_info": [
{
"resp_mode": 0,
"proxy_arp": 0,
"c_tag": 1000,
"mode": "802.1Q",
"interface": "eth1",
"s_tag": 0
}
]
},

Step 3: Edit the /etc/config/gatewayd-tunnel to include both interfaces in the wan parameter.
Save the change.

wan="eth0 eth1"

Remove Blocked Subnets

By default, the SD-WAN Gateway blocks traffic to 10.0.0.0/8 and 172.16.0.0/14. We will need to
remove them before using this SD-WAN Gateway because we expect SD-WAN Gateway to be
sending traffic to private subnets as well. If you do not edit this file, when you try to send traffic
to blocked subnets, you will find the following messages in /var/log/gwd.log

2015-12-18T12:49:55.639 ERR [NET] proto_ip_recv_handler:494 Dropping packet destined for 10.10.150.254, which is a blocked subnet.
2015-12-18T12:52:27.764 ERR [NET] proto_ip_recv_handler:494 Dropping packet destined for 10.10.150.254, which is a blocked subnet. [message repeated 48 times]
2015-12-18T12:52:27.764 ERR [NET] proto_ip_recv_handler:494 Dropping packet destined for 10.10.150.10, which is a blocked subnet.

Step 1: On the SD-WAN Gateway, edit the /opt/vc/etc/vc_blocked_subnets.json file. Initially the
file has the following content.

[
{
"network_addr": "10.0.0.0",
"subnet_mask": "255.0.0.0"
},
{
"network_addr": "172.16.0.0",
"subnet_mask": "255.255.0.0"
}
]

Step 2: Remove the two networks. The file should look like below after editing. Save the change.

[
]

Step 3: Restart the SD-WAN Gateway process by running sudo /opt/vc/bin/vc_procmon restart.
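As an added example (not part of the VMware guide), the following script parses the "blocked subnet" drop lines from /var/log/gwd.log shown above, counts drops per destination, and maps each destination to the entry in /opt/vc/etc/vc_blocked_subnets.json that blocks it. This lets an operator confirm why handoff traffic is being dropped before and after editing the file. The log lines and JSON are constructed copies of the ones in the guide; the log message format is assumed to match them exactly.

```python
"""Explain 'blocked subnet' drops in gwd.log against vc_blocked_subnets.json (example code)."""
import ipaddress
import json
import re
from collections import Counter

# Matches the drop lines shown in the guide; the repeat suffix is optional.
DROP_RE = re.compile(
    r"^(?P<ts>\S+) ERR \[NET\] proto_ip_recv_handler:\d+ Dropping packet destined for "
    r"(?P<dst>[0-9.]+), which is a blocked subnet\."
    r"(?: \[message repeated (?P<n>\d+) times\])?"
)


def count_blocked_drops(log_text: str) -> Counter:
    """Count dropped packets per destination address. A line carrying
    '[message repeated N times]' stands for N suppressed copies and is
    counted as N occurrences; a plain line counts as one."""
    counts = Counter()
    for line in log_text.splitlines():
        m = DROP_RE.match(line.strip())
        if m:
            counts[m["dst"]] += int(m["n"]) if m["n"] else 1
    return counts


def load_blocked_subnets(json_text: str) -> list:
    """Turn the network_addr/subnet_mask entries into ip_network objects."""
    return [ipaddress.ip_network(f'{e["network_addr"]}/{e["subnet_mask"]}')
            for e in json.loads(json_text)]


def blocking_entry(dst: str, subnets: list):
    """Return the first configured subnet containing dst, or None when no
    entry blocks it (for instance after the file has been emptied)."""
    addr = ipaddress.ip_address(dst)
    return next((str(net) for net in subnets if addr in net), None)


def explain_drops(log_text: str, json_text: str) -> dict:
    """Map destination -> (drop count, blocking subnet or None)."""
    subnets = load_blocked_subnets(json_text)
    return {dst: (n, blocking_entry(dst, subnets))
            for dst, n in count_blocked_drops(log_text).items()}


# Constructed samples: the drop lines and default JSON as printed in the guide,
# plus one unrelated line to show it is ignored.
SAMPLE_GWD_LOG = """\
2015-12-18T12:49:55.639 ERR [NET] proto_ip_recv_handler:494 Dropping packet destined for 10.10.150.254, which is a blocked subnet.
2015-12-18T12:52:27.764 ERR [NET] proto_ip_recv_handler:494 Dropping packet destined for 10.10.150.254, which is a blocked subnet. [message repeated 48 times]
2015-12-18T12:52:27.764 ERR [NET] proto_ip_recv_handler:494 Dropping packet destined for 10.10.150.10, which is a blocked subnet.
2015-12-18T12:52:30.001 INFO [NET] unrelated line that must not match
"""
DEFAULT_BLOCKED = """[
{"network_addr": "10.0.0.0", "subnet_mask": "255.0.0.0"},
{"network_addr": "172.16.0.0", "subnet_mask": "255.255.0.0"}
]"""
EMPTIED = "[\n]"

if __name__ == "__main__":
    for dst, (n, net) in explain_drops(SAMPLE_GWD_LOG, DEFAULT_BLOCKED).items():
        print(f"{dst}: {n} drop(s), blocked by {net}")
```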

Upgrade SD-WAN Gateway


This section describes how to upgrade a SD-WAN Gateway installation.

Important: This procedure will not work for upgrading a Gateway image version from 3.x to
4.x due to significant platform changes. Upgrading from a 3.x to a 4.x image requires a new
Gateway deployment and reactivation. Refer to Chapter 23 VMware Partner Gateway
Upgrade and Migration 3.3.2 or 3.4 to 4.0 for upgrade information.

Note Currently, VMware does not support downgrading the VMware SD-WAN Orchestrator or the
VMware SD-WAN Gateway. Before upgrading the SD-WAN Orchestrator or SD-WAN Gateway, VMware
recommends that you back up the system for easy recovery in the event the upgrade does not
complete successfully.

Authenticate Software Update Package Via Digital Signature


The software installer in SD-WAN Orchestrator version 4.3.0 and higher can authenticate the
software update package using a digital signature.

Prior to upgrading to a newer version of the software, make sure the public key used to verify
the package exists. The known location of the public key used to verify the signature is
/var/lib/velocloud/software_update/keys/software.key. Alternatively, the key can be provided on
the command line using the --pubkey parameter.


The current release public key is:

-----BEGIN PUBLIC KEY-----
MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEqCuQHDuoVkYG6j6++wBMAnowJr5uUQXE
b/iKcTbCZky4lBlUWkjR/zucLgNdyOuotQAOHwT689WHPOnhuQo13+IQIeCBXRdG
EX50zfkkqXQhFYNORPqCke+cqF0Wd4xD
-----END PUBLIC KEY-----

If the key is missing or the signature cannot be verified, the Operator will be notified that the
package is untrusted with an option to proceed or not proceed.

To skip verification, use "--untrusted" parameter.

If running in batch mode or not on the terminal, the installation is aborted unless the "--untrusted"
option is specified on the command line.

By default, the installer will run in interactive mode and may issue prompts. For automated
scripts, use --batch parameter to suppress prompts.

Upgrade Procedures

To upgrade a SD-WAN Gateway installation:

1 Download the SD-WAN Gateway update package.

2 Upload the image to the SD-WAN Gateway system (using, for example, the scp command).
Copy the image to the following location on the system:

/var/lib/velocloud/software_update/vcg_update.tar

3 Connect to the SD-WAN Gateway console and run:

sudo /opt/vc/bin/vcg_software_update
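As an added example (not part of the VMware guide), the following wrapper applies a fail-closed policy to the signed update described above: it refuses to run the installer when the update package is missing, when the pinned public key is absent, or when the key on disk differs from the release key printed in the guide, and it never passes --untrusted. The key path, package path, installer path, --batch and --pubkey are the ones the guide documents; the assumption that --pubkey takes the key file path, and the wrapper logic itself, are this example's.

```python
"""Fail-closed pre-flight for the SD-WAN Gateway software update (example code)."""
import os

KEY_PATH = "/var/lib/velocloud/software_update/keys/software.key"
PKG_PATH = "/var/lib/velocloud/software_update/vcg_update.tar"
INSTALLER = "/opt/vc/bin/vcg_software_update"

# Release public key exactly as printed in the guide.
RELEASE_KEY = """-----BEGIN PUBLIC KEY-----
MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEqCuQHDuoVkYG6j6++wBMAnowJr5uUQXE
b/iKcTbCZky4lBlUWkjR/zucLgNdyOuotQAOHwT689WHPOnhuQo13+IQIeCBXRdG
EX50zfkkqXQhFYNORPqCke+cqF0Wd4xD
-----END PUBLIC KEY-----
"""


def normalize_pem(text: str) -> str:
    """Make PEM comparison independent of line wrapping and trailing whitespace."""
    return "".join(line.strip() for line in text.strip().splitlines())


def evaluate(pkg_present: bool, key_text) -> tuple:
    """Pure decision: (ok, reason). ok is True only when the package exists
    and the key text is equivalent to RELEASE_KEY. key_text is None when the
    key file is missing."""
    if not pkg_present:
        return False, f"update package not found at {PKG_PATH}"
    if key_text is None:
        return False, f"public key missing at {KEY_PATH}; the installer would flag the package as untrusted"
    if normalize_pem(key_text) != normalize_pem(RELEASE_KEY):
        return False, "public key on disk does not match the release key; refusing to run (possible key substitution)"
    return True, "ok"


def preflight(key_path: str = KEY_PATH, pkg_path: str = PKG_PATH) -> tuple:
    """Read the files from disk and apply evaluate()."""
    key_text = None
    if os.path.isfile(key_path):
        with open(key_path, encoding="ascii") as f:
            key_text = f.read()
    return evaluate(os.path.isfile(pkg_path), key_text)


def build_command(key_path: str = KEY_PATH) -> list:
    """Unattended invocation: --batch suppresses prompts (the installer aborts
    on an untrusted package in batch mode), the key is passed explicitly and
    --untrusted is deliberately never added."""
    return ["sudo", INSTALLER, "--batch", "--pubkey", key_path]


def run_update(key_path: str = KEY_PATH, pkg_path: str = PKG_PATH) -> list:
    """Return the command to execute, or raise when pre-flight fails."""
    ok, reason = preflight(key_path, pkg_path)
    if not ok:
        raise RuntimeError(reason)
    return build_command(key_path)


if __name__ == "__main__":
    ok, reason = preflight()
    print("pre-flight:", reason)
    if ok:
        print(" ".join(build_command()))
```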

Custom Configurations
This section describes custom configurations.

NTP Configuration
NTP configuration involves editing the /etc/ntpd.conf file.

OAM Interface and Static Routes


If Gateways are to be deployed with an OAM interface, complete the following steps.

1 Add an additional interface to the VM (ETH2).

VMware: If a dedicated VNIC for Management/OAM is desired, add another vNIC of type
vmxnet3. You must repeat the previous step, which is to click OK and then Edit Settings
again so you can make a note of the vNIC MAC address.


KVM: If a dedicated VNIC for Management/OAM is desired, make sure you have a libvirt
network named oam-network. Then add the following lines to your XML VM structure:

...
</controller>
<interface type='network'>
<source network='public_interface'/>
<vlan><tag id='#public_vlan#'/></vlan>
<alias name='hostdev1'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x11' function='0x0'/>
</interface>
<interface type='network'>
<source network='inside_interface'/>
<alias name='hostdev2'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x12' function='0x0'/>
</interface>
<interface type='network'>
<source network='oam_interface'/>
<vlan><tag id='#oam_vlan#'/></vlan>
<alias name='hostdev2'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x13' function='0x0'/>
</interface>
<serial type='pty'>
<source path='/dev/pts/3'/>
<target port='0'/>
<alias name='serial0'/>
</serial>

2 Configure the network-config file with the additional interface.

version: 2
ethernets:
  eth0:
    addresses:
      - #_IPv4_Address_/mask#
    mac_address: #_mac_Address_#
    gateway4: #_IPv4_Gateway_#
    nameservers:
      addresses:
        - #_DNS_server_primary_#
        - #_DNS_server_secondary_#
      search: []
    routes:
      - to: 0.0.0.0/0
        via: #_IPv4_Gateway_#
        metric: 1

  eth1:
    addresses:
      - #_MGMT_IPv4_Address_/Mask#
    mac_address: #_MGMT_mac_Address_#
    nameservers:
      addresses:
        - #_DNS_server_primary_#
        - #_DNS_server_secondary_#
      search: []
    routes:
      - to: 0.0.0.0/0
        via: #_MGMT_IPv4_Gateway_#
        metric: 13

  eth2:
    addresses:
      - #_OAM_IPv4_Address_/Mask#
    nameservers:
      addresses:
        - #_DNS_server_primary_#
        - #_DNS_server_secondary_#
      search: []
    routes:
      - to: 10.0.0.0/8
        via: #_OAM_IPv4_Gateway_#
      - to: 192.168.0.0/16
        via: #_OAM_IPv4_Gateway_#

OAM - SR-IOV with vmxnet3 or SR-IOV with VIRTIO


It is possible in some installations to mix and match and provide different interface types for the
Gateway. This generally happens if you have an OAM without SR-IOV. This custom configuration
requires additional steps since this causes the interfaces to come up out of order.

Record the MAC address of each interface.

VMware: After creating the machine, go to Edit Settings and copy the MAC address.


KVM: After defining the VM, run the following command:

Special Consideration When Using 802.1ad Encapsulation


Certain 802.1ad devices do not populate the outer tag EtherType with 0x88A8. A special
change is required in the user data to interoperate with these devices.

Assuming a Management VRF is configured with S-Tag: 20 and C-Tag: 100, edit the vrf_vlan
section in /etc/config/gatewayd as follows. Also, set resp_mode to 1 so that the SD-WAN
Gateway relaxes its check to allow Ethernet frames that have the incorrect EtherType of 0x8100
in the outer header.
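As an added example (not part of the VMware guide), the following check validates the /etc/config/gatewayd fragments edited in steps 1 to 3 of "Configure Handoff Interface in Dataplane" together with the 802.1ad special case above: the handoff interface named in vrf_vlan.tag_info must be in the "wan" list and must not be the VCMP tunnel interface, the tag values must be valid VLAN IDs for the chosen mode, and an 802.1ad entry without resp_mode 1 is flagged as an advisory. The field names and values come from the guide; the assumption that the file is JSON with these top-level keys, and the check logic, are this example's.

```python
"""Consistency check of the handoff (vrf_vlan) configuration in gatewayd (example code)."""
import json

MODES = {"QinQ (0x8100)", "QinQ (0x9100)", "none", "802.1Q", "802.1ad"}
DOUBLE_TAGGED = {"QinQ (0x8100)", "QinQ (0x9100)", "802.1ad"}


def check_tag_info(entry: dict, wan: list, vcmp: list) -> list:
    """Validate one vrf_vlan.tag_info entry against the 'wan' and
    'vcmp.interfaces' lists from the same file. Returns findings."""
    problems = []
    mode = entry.get("mode")
    if mode not in MODES:
        return [f"mode {mode!r} is not one of {sorted(MODES)}"]
    c_tag, s_tag = entry.get("c_tag", 0), entry.get("s_tag", 0)
    if mode != "none" and not 1 <= c_tag <= 4094:
        problems.append(f"c_tag {c_tag} must be a VLAN ID in 1-4094")
    if mode in DOUBLE_TAGGED and not 1 <= s_tag <= 4094:
        problems.append(f"{mode} needs an S-Tag in 1-4094, got {s_tag}")
    if mode in ("802.1Q", "none") and s_tag != 0:
        problems.append(f"s_tag must be 0 for mode {mode}")
    iface = entry.get("interface")
    if iface not in wan:
        problems.append(f"interface {iface!r} is not in the 'wan' list (step 1)")
    if iface in vcmp:
        problems.append(f"interface {iface!r} is the VCMP tunnel interface, not the handoff")
    if mode == "802.1ad" and entry.get("resp_mode") != 1:
        problems.append("advisory: 802.1ad with resp_mode 0 rejects frames whose outer tag "
                        "carries EtherType 0x8100 instead of 0x88A8")
    return problems


def check_gatewayd(text: str) -> list:
    """Parse the gatewayd JSON and check every tag_info entry."""
    cfg = json.loads(text)
    wan, vcmp = cfg.get("wan", []), cfg.get("vcmp.interfaces", [])
    report = []
    for i, entry in enumerate(cfg.get("vrf_vlan", {}).get("tag_info", [])):
        report += [f"tag_info[{i}]: {p}" for p in check_tag_info(entry, wan, vcmp)]
    return report


# Constructed sample built from the values shown in the guide (eth0 = VCMP,
# eth1 = handoff, Management VRF on 802.1Q VLAN 1000).
SAMPLE_GATEWAYD = json.dumps({
    "vcmp.interfaces": ["eth0"],
    "wan": ["eth1"],
    "vrf_vlan": {"tag_info": [
        {"resp_mode": 0, "proxy_arp": 0, "c_tag": 1000, "mode": "802.1Q",
         "interface": "eth1", "s_tag": 0}
    ]},
})

# The 802.1ad special case: S-Tag 20, C-Tag 100, resp_mode 1.
DOT1AD_MGMT_VRF = {"resp_mode": 1, "proxy_arp": 0, "c_tag": 100, "mode": "802.1ad",
                   "interface": "eth1", "s_tag": 20}

if __name__ == "__main__":
    print(check_gatewayd(SAMPLE_GATEWAYD) or "gatewayd handoff configuration is consistent")
    print(check_tag_info(DOT1AD_MGMT_VRF, ["eth1"], ["eth0"]) or "802.1ad entry is consistent")
```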

SNMP Integration
This section describes how to configure SNMP integration.

For more information on SNMP configuration, see Net-SNMP documentation. To configure SNMP
integration:

1 Edit /etc/snmp/snmpd.conf.


2 Add the following lines to the config file with source IP address of the systems that will be
connecting to SNMP service. You can configure using either SNMPv2c or SNMPv3.

n The following example will configure access to all counters from localhost via community
string vc-vcg and from 10.0.0.0/8 with community string myentprisecommunity using
SNMPv2c version.

agentAddress udp:161
# com2sec sec.name source community
com2sec local localhost vc-vcg
com2sec myenterprise 10.0.0.0/8 myentprisecommunity
# group access.name sec.model sec.name
group rogroup v2c local
group rogroup v2c myenterprise
view all included .1 80
# access access.name context sec.model sec.level match read write notif
access rogroup "" any noauth exact all none none
#sysLocation Sitting on the Dock of the Bay
#sysContact Me <[email protected]>
sysServices 72
master agentx
#
# Process Monitoring
## At least one 'gwd' process
proc gwd
# At least one 'mgd' process
proc mgd
#
# Disk Monitoring
#
# 100MBs required on root disk, 5% free on /var, 10% free on all other disks
disk / 100000
disk /var 5%
includeAllDisks 10%
#
# System Load
#
# Unacceptable 1-, 5-, and 15-minute load averages
load 12 10 5

Note In the above example, the process gwd comprises the entire Data and Control Plane
of the Gateway. The Management Plane Daemon (mgd) is responsible for communication
with the Orchestrator. This process is kept isolated from gwd so that in the event of
a total failure of the gwd process, the Orchestrator is still reachable for configuration
changes or software updates required to resolve the failure.

n The following example shows a configuration using SNMPv3.

vcadmin:~$ cat /etc/snmp/snmpd.conf

###############################################################################
#
# EXAMPLE.conf:
# An example configuration file for configuring the Net-SNMP agent ('snmpd')
# See the 'snmpd.conf(5)' man page for details
#
# Some entries are deliberately commented out, and will need to be explicitly activated
#
###############################################################################

#
# AGENT BEHAVIOUR
#

# Listen for connections from the local system only
# agentAddress udp:127.0.0.1:161
# Listen for connections on all interfaces (both IPv4 *and* IPv6)
agentAddress udp:161

###############################################################################
#
# SNMPv3 AUTHENTICATION
#
# Note that these particular settings don't actually belong here.
# They should be copied to the file /var/lib/snmp/snmpd.conf
# and the passwords changed, before being uncommented in that file *only*.
# Then restart the agent
# createUser authOnlyUser MD5 "remember to change this password"
# createUser authPrivUser SHA "remember to change this one too" DES
# createUser internalUser MD5 "this is only ever used internally, but still change the password"

# If you also change the usernames (which might be sensible),
# then remember to update the other occurrences in this example config file to match.

###############################################################################
#
# ACCESS CONTROL
#

# system + hrSystem groups only
view systemonly included .1.3.6.1.4.1.45346

# Full access from the local host
# rocommunity public localhost
# Default access to basic system info
rocommunity public default -V systemonly

# Full access from an example network
# Adjust this network address to match your local settings, change the community string,
# and check the 'agentAddress' setting above
rocommunity secret 10.0.0.0/16

# Full read-only access for SNMPv3
rouser authOnlyUser
# Full write access for encrypted requests
# Remember to activate the 'createUser' lines above
rwuser authPrivUser priv

# It's no longer typically necessary to use the full 'com2sec/group/access' configuration
# r[ow]user and r[ow]community, together with suitable views, should cover most requirements

###############################################################################
#
# SYSTEM INFORMATION
#
# Note that setting these values here, results in the corresponding MIB objects being 'read-only'
# See snmpd.conf(5) for more details
sysLocation Bay
sysContact [email protected]
# Application + End-to-End layers
sysServices 72

#
# Process Monitoring
#
# At least one 'mountd' process
proc mountd
# No more than 4 'ntalkd' processes - 0 is OK
proc ntalkd 4
# At least one 'sendmail' process, but no more than 10
proc sendmail 10 1

# Walk the UCD-SNMP-MIB::prTable to see the resulting output
# Note that this table will be empty if there are no "proc" entries in the snmpd.conf file

#
# Disk Monitoring
#
# 10MBs required on root disk, 5% free on /var, 10% free on all other disks
disk / 10000
disk /var 5%
includeAllDisks 10%

# Walk the UCD-SNMP-MIB::dskTable to see the resulting output
# Note that this table will be empty if there are no "disk" entries in the snmpd.conf file

#
# System Load
#
# Unacceptable 1-, 5-, and 15-minute load averages
load 12 10 5

# Walk the UCD-SNMP-MIB::laTable to see the resulting output
# Note that this table *will* be populated, even without a "load" entry in the snmpd.conf file

###############################################################################
#
# ACTIVE MONITORING
#
# send SNMPv1 traps
trapsink localhost public
# send SNMPv2c traps
trap2sink localhost public
# send SNMPv2c INFORMs
informsink localhost public

# Note that you typically only want *one* of these three lines
# Uncommenting two (or all three) will result in multiple copies of each notification.

#
# Event MIB - automatically generate alerts
#
# Remember to activate the 'createUser' lines above
iquerySecName internalUser
rouser internalUser
# generate traps on UCD error conditions
defaultMonitors yes
# generate traps on linkUp/Down
linkUpDownNotifications yes

###############################################################################
#
# EXTENDING THE AGENT
#

#
# Arbitrary extension commands
#
extend test1 /bin/echo Hello, world!
extend-sh test2 echo Hello, world! ; echo Hi there ; exit 35
#extend-sh test3 /bin/sh /tmp/shtest

# Note that this last entry requires the script '/tmp/shtest' to be created first,
# containing the same three shell commands, before the line is uncommented

# Walk the NET-SNMP-EXTEND-MIB tables (nsExtendConfigTable, nsExtendOutput1Table
# and nsExtendOutput2Table) to see the resulting output

# Note that the "extend" directive supersedes the previous "exec" and "sh" directives
# However, walking the UCD-SNMP-MIB::extTable should still return the same output,
# as well as the fuller results in the above tables.

#
# "Pass-through" MIB extension command
#
#pass .1.3.6.1.4.1.8072.2.255 /bin/sh PREFIX/local/passtest
#pass .1.3.6.1.4.1.8072.2.255 /usr/bin/perl PREFIX/local/passtest.pl

rocommunity velocloud localhost
#pass .1.3.6.1.4.1.45346 /opt/vc/bin/snmpagent.py veloGateway
pass_persist .1.3.6.1.4.1.45346 /opt/vc/bin/snmpagent.py veloGateway

# Note that this requires one of the two 'passtest' scripts to be installed first,
# before the appropriate line is uncommented.
# These scripts can be found in the 'local' directory of the source distribution,
# and are not installed automatically.

# Walk the NET-SNMP-PASS-MIB::netSnmpPassExamples subtree to see the resulting output

#
# AgentX Sub-agents
#
# Run as an AgentX master agent
master agentx
# Listen for network connections (from localhost)
# rather than the default named socket /var/agentx/master

3 Edit /etc/iptables/rules.v4. Add the following lines to the config with the source IP
addresses of the systems that will be connecting to the SNMP service:

# WARNING: only add targeted rules for addresses and ports
# do not add blanket drop or accept rules since Gateway will append its own rules
# and that may prevent it from functioning properly
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p udp -m udp --source 127.0.0.1 --dport 161 -m comment --comment "allow SNMP port" -j ACCEPT
-A INPUT -p udp -m udp --source 10.0.0.0/8 --dport 161 -m comment --comment "allow SNMP port" -j ACCEPT
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT

4 Restart the SNMP and iptables services:

service snmpd restart
service iptables-persistent restart
service vc_process_monitor restart
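As an added example (not part of the VMware guide), the following Python script audits an snmpd.conf of the kind configured above for the settings a reviewer would flag: an agentAddress that binds every interface, default or unrestricted community strings, SNMPv2c write access, MD5/DES SNMPv3 users and default trap communities. The sample configuration is constructed from directives shown in the two examples above.

```python
"""Audit a Net-SNMP snmpd.conf for weak access settings.
Added example (not part of the VMware guide); findings are (line_number, code) pairs."""
from __future__ import annotations

import shlex

WEAK_COMMUNITIES = {"public", "private"}
WEAK_V3_ALGS = {"MD5", "DES"}   # deprecated SNMPv3 auth/priv algorithms
SINKS = {"trapsink", "trap2sink", "informsink"}


def audit_snmpd_conf(text: str) -> list[tuple[int, str]]:
    """Return (line_number, finding_code) pairs for the snmpd.conf in *text*."""
    findings: list[tuple[int, str]] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, *args = shlex.split(line)
        if not args:
            continue
        if key == "agentAddress":
            # 'udp:161' has no host part, so the agent binds every interface.
            for endpoint in ",".join(args).split(","):
                host = endpoint.rsplit(":", 1)[0]
                if host == endpoint or host in {"udp", "tcp", "udp6", "tcp6"}:
                    findings.append((lineno, "all-interfaces"))
        elif key == "com2sec" and len(args) >= 3:       # com2sec NAME SOURCE COMMUNITY
            findings += _community_findings(lineno, args[2], args[1], False)
        elif key in ("rocommunity", "rwcommunity"):      # r[ow]community COMMUNITY [SOURCE] [-V VIEW]
            source = args[1] if len(args) > 1 and not args[1].startswith("-") else "default"
            findings += _community_findings(lineno, args[0], source, key == "rwcommunity")
        elif key == "createUser" and any(a in WEAK_V3_ALGS for a in args):
            findings.append((lineno, "weak-v3-alg"))
        elif key in SINKS:
            # trapsink HOST [COMMUNITY [PORT]]; Net-SNMP falls back to 'public'.
            community = args[1] if len(args) > 1 else "public"
            if community.lower() in WEAK_COMMUNITIES:
                findings.append((lineno, "weak-trap-community"))
    return findings


def _community_findings(lineno: int, community: str, source: str, writable: bool) -> list[tuple[int, str]]:
    """Flag default community strings, unrestricted sources and v2c write access."""
    out = []
    if community.lower() in WEAK_COMMUNITIES:
        out.append((lineno, "weak-community"))
    if source == "default":
        out.append((lineno, "unrestricted-source"))
    if writable:
        out.append((lineno, "v2c-write"))
    return out


# Constructed sample, assembled from directives shown in the guide's two examples.
SAMPLE_CONF = """\
agentAddress udp:161
# com2sec sec.name source community
com2sec local localhost vc-vcg
com2sec myenterprise 10.0.0.0/8 myentprisecommunity
rocommunity public default -V systemonly
rocommunity secret 10.0.0.0/16
createUser authPrivUser SHA "remember to change this one too" DES
rwuser authPrivUser priv
trap2sink localhost public
proc gwd
"""
```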

Custom Firewall Rules

This section describes how to modify custom firewall rules.

To modify local firewall rules, edit the following file: /etc/iptables/rules.v4

Important Add only targeted rules for addresses and ports. Do not add blanket drop or
accept rules. SD-WAN Gateway will append its own rules to the table and, because the rules
are evaluated in order, that may prevent Gateway software from functioning properly.

*filter
:INPUT ACCEPT [0:0]
-A INPUT -p udp -m udp --source 127.0.0.1 --dport 161 -m comment --comment "allow SNMP port" -j ACCEPT
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT

Restart the netfilter service:

service netfilter-persistent restart
service vc_process_monitor restart
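As an added example (not the guide's own tooling), this Python check applies the rule stated above to a rules.v4 file: every -A INPUT rule that accepts or drops traffic must carry both a source address and a destination port, otherwise it is a blanket rule that may interfere with the rules the Gateway appends. The sample file is constructed from the guide's SNMP rules plus two deliberately untargeted ones.

```python
"""Flag blanket INPUT rules in an iptables-persistent rules.v4 file.
Added example, not part of the VMware guide."""
from __future__ import annotations

import shlex

SOURCE_FLAGS = {"-s", "--source", "--src"}
PORT_FLAGS = {"--dport", "--destination-port", "--dports"}
TERMINAL_TARGETS = {"ACCEPT", "DROP", "REJECT"}


def check_rules_v4(text: str) -> list[tuple[int, str]]:
    """Return (line_number, reason) for every INPUT rule that is not targeted.

    Chain policies (':INPUT ACCEPT [0:0]'), table headers and COMMIT are left alone;
    only appended/inserted INPUT rules with a terminal target are examined.
    """
    problems: list[tuple[int, str]] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not (line.startswith("-A INPUT") or line.startswith("-I INPUT")):
            continue
        tok = shlex.split(line)
        target = tok[tok.index("-j") + 1] if "-j" in tok else None
        if target not in TERMINAL_TARGETS:
            continue
        has_source = any(t in SOURCE_FLAGS for t in tok)
        has_port = any(t in PORT_FLAGS for t in tok)
        missing = [name for name, ok in (("source", has_source), ("port", has_port)) if not ok]
        if missing:
            problems.append((lineno, f"{target} rule without {' and '.join(missing)}"))
    return problems


# Constructed sample: the guide's two SNMP rules followed by two blanket rules.
SAMPLE_RULES = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p udp -m udp --source 127.0.0.1 --dport 161 -m comment --comment "allow SNMP port" -j ACCEPT
-A INPUT -p udp -m udp --source 10.0.0.0/8 --dport 161 -m comment --comment "allow SNMP port" -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -j DROP
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
"""
```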

23 VMware Partner Gateway Upgrade and Migration 3.3.2 or 3.4 to 4.0

This document provides instructions on how to upgrade the VMware Partner Gateway from the
3.3.2 or 3.4 release to the 4.0 release.

The SD-WAN Gateway appliance includes the following changes in the 4.0 release:

n A new system disk layout based on LVM to allow more flexibility in volume management

n A new kernel version

n New and upgraded base OS packages

n Improved security hardening based on Center for Internet Security benchmarks

The SD-WAN Gateway appliance includes the following system changes in the 4.0 release:

n ifupdown has been deprecated in favor of https://netplan.io/

n ifup and ifdown are no longer available

n Network configuration is now in /etc/netplan instead of /etc/network/

n /etc/network/ifup.d and /etc/network/ifdown.d no longer work. Use the networkd-dispatcher
locations under /usr/lib/networkd-dispatcher instead (dormant.d, no-carrier.d, off.d,
routable.d)

n Substantial changes to cloud-init. Cloud-init deployment scripts must be reviewed and tested
for compatibility

n net-tools (ifconfig, netstat, etc.) are considered "deprecated" and may be removed in future
versions

Network Configuration
ifupdown has been deprecated in favor of https://netplan.io/. Network configuration has moved
from /etc/network to /etc/netplan.

Example network configuration (whitespace is important!) - /etc/netplan/50-cloud-init.yaml:

network:
  version: 2
  ethernets:
    eth0:
      addresses:
        - 192.168.151.253/24
      gateway4: 192.168.151.1
      nameservers:
        addresses:
          - 8.8.8.8
          - 8.8.4.4
        search: []
      routes:
        - to: 192.168.0.0/16
          via: 192.168.151.254
          metric: 100

    eth1:
      addresses:
        - 192.168.152.251/24
      gateway4: 192.168.152.1
      nameservers:
        addresses:
          - 8.8.8.8
        search: []

Network configuration is regenerated on every boot. To make local changes that persist,
deactivate the Cloud-init network configuration:

echo 'network: {config: disabled}' > /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg

Cloud-init
Cloud-init was upgraded to version 20.2. More information on Cloud-init can be found here:
https://cloudinit.readthedocs.io/en/stable/index.html

Example 1: Simple

meta-data:

instance-id: vcg1
local-hostname: vcg1

user-data:

#cloud-config
hostname: vcg1
password: Velocloud123
chpasswd: {expire: False}
ssh_pwauth: True

Example 2: New-style network configuration (network-config file)

meta-data:

instance-id: vcg1
local-hostname: vcg1

user-data:

#cloud-config
hostname: vcg1
password: Velocloud123
chpasswd: {expire: False}
ssh_pwauth: True
ssh_authorized_keys:
  - ssh-rsa … rsa-key

velocloud:
  vcg:
    vco: demo.velocloud.net
    activation_code: F54F-GG4S-XGFI
    vco_ignore_cert_errors: false

runcmd:
  - 'echo "Welcome to VeloCloud"'

network-config Example 1:

version: 2
ethernets:
  eth0:
    addresses:
      - 192.168.152.55/24
    gateway4: 192.168.152.1
    nameservers:
      addresses:
        - 192.168.152.1
  eth1:
    addresses:
      - 192.168.151.55/24
    gateway4: 192.168.151.1
    nameservers:
      addresses:
        - 192.168.151.1

network-config Example 2:

NOTE: If multiple interfaces are present on the Gateway and one of them must be selected as the
preferred interface for the default gateway, use the configuration below (with the metric value)
to select the correct interface.

version: 2
ethernets:
  eth0:
    addresses: [192.168.82.1/24]
  eth1:
    addresses: [70.150.1.1/24]
    routes:
      - {metric: 1, to: 0.0.0.0/0, via: 70.150.1.254}
  eth2:
    addresses: [70.155.1.1/24]
    routes:
      - {metric: 2, to: 0.0.0.0/0, via: 70.155.1.254}
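As an added example (not from the guide), the following Python code ranks the default-route candidates in a netplan ethernets map and reports a tie, which is the situation the NOTE above resolves with metrics. The two maps are the guide's network-config examples transcribed from YAML into dict literals so the code runs without PyYAML; with PyYAML installed you would pass yaml.safe_load(text)['ethernets'] instead.

```python
"""Rank the default-route candidates in a netplan 'ethernets' map.
Added example, not from the VMware guide."""
from __future__ import annotations

DEFAULT_DESTS = {"0.0.0.0/0", "default"}


def default_route_candidates(ethernets: dict) -> list[tuple[int, str, str]]:
    """Return (metric, interface, via) for every default route, lowest metric first.

    'gateway4' is netplan's shorthand for a default route with no explicit metric;
    it is recorded here with metric 0 so that shorthand defaults sort together.
    """
    found: list[tuple[int, str, str]] = []
    for iface, cfg in ethernets.items():
        if "gateway4" in cfg:
            found.append((0, iface, cfg["gateway4"]))
        for route in cfg.get("routes", []):
            if route.get("to") in DEFAULT_DESTS:
                found.append((int(route.get("metric", 0)), iface, route["via"]))
    return sorted(found)


def preferred_default(ethernets: dict) -> tuple[str, str] | None:
    """Return the winning (interface, via), or None if there is no default route
    or the lowest metric is shared by two interfaces (the kernel would pick)."""
    cands = default_route_candidates(ethernets)
    if not cands or (len(cands) > 1 and cands[0][0] == cands[1][0]):
        return None
    return cands[0][1], cands[0][2]


# Transcribed from the guide's network-config Example 2 (metrics select eth1).
EXAMPLE2 = {
    "eth0": {"addresses": ["192.168.82.1/24"]},
    "eth1": {"addresses": ["70.150.1.1/24"],
             "routes": [{"metric": 1, "to": "0.0.0.0/0", "via": "70.150.1.254"}]},
    "eth2": {"addresses": ["70.155.1.1/24"],
             "routes": [{"metric": 2, "to": "0.0.0.0/0", "via": "70.155.1.254"}]},
}

# Transcribed from the guide's network-config Example 1 (two gateway4 defaults, no metric).
EXAMPLE1 = {
    "eth0": {"addresses": ["192.168.152.55/24"], "gateway4": "192.168.152.1"},
    "eth1": {"addresses": ["192.168.151.55/24"], "gateway4": "192.168.151.1"},
}
```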

Net-tools
Net-tools utilities like ifconfig, netstat, route, etc. are considered “deprecated.” Net-tools
suggested replacements are shown in the table below. These commands only display information
for the Linux Host and not for the SD-WAN Overlay Network. NOTE: For more information, type:
man ip.

Old Net-tool Utilities    New Corresponding Net-tool Utilities

arp                       ip n (ip neighbor)
ifconfig                  ip a (ip addr), ip link, ip -s (ip -stats)
nameif                    ip link, ifrename
netstat                   ss, ip route (for netstat -r), ip -s link (for netstat -i), ip maddr (for netstat -g)
route                     ip r (ip route)

Sample Command Output for Net-tool Utilities

The sample output confirms that the command succeeded. Sample command outputs for
ip n (ip neighbor), ip a (ip addr), and ip link are shown below.

ip n (ip neighbor):

root@SS-gateway-1:~# ip n
192.168.0.100 dev eth2 lladdr 00:50:56:84:85:d4 REACHABLE
192.168.0.250 dev eth2 lladdr 00:50:56:84:97:66 REACHABLE
13.1.1.2 dev eth0 lladdr 00:50:56:84:e7:fa REACHABLE
root@SS-gateway-1:~#

ip a (ip addr):

root@SS-gateway-1:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 4096
    link/ether 00:50:56:84:a0:09 brd ff:ff:ff:ff:ff:ff
    inet 13.1.1.1/24 brd 13.1.1.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::250:56ff:fe84:a009/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:50:56:84:a6:ab brd ff:ff:ff:ff:ff:ff
    inet 101.101.101.1/24 brd 101.101.101.255 scope global eth1
       valid_lft forever preferred_lft forever
    inet6 fe80::250:56ff:fe84:a6ab/64 scope link
       valid_lft forever preferred_lft forever
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:50:56:84:bc:75 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.201/24 brd 192.168.0.255 scope global eth2
       valid_lft forever preferred_lft forever
    inet6 fe80::250:56ff:fe84:bc75/64 scope link
       valid_lft forever preferred_lft forever
6: gwd1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 4096
    link/none
    inet 169.254.129.1/32 scope global gwd1
       valid_lft forever preferred_lft forever
    inet6 fe80::27d5:9e46:e7f7:7198/64 scope link stable-privacy
       valid_lft forever preferred_lft forever
root@SS-gateway-1:~#

ip link:

root@SS-gateway-1:~# ip link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 4096
    link/ether 00:50:56:84:a0:09 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
    link/ether 00:50:56:84:a6:ab brd ff:ff:ff:ff:ff:ff
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
    link/ether 00:50:56:84:bc:75 brd ff:ff:ff:ff:ff:ff
6: gwd1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN mode DEFAULT group default qlen 4096
    link/none
root@SS-gateway-1:~#

Upgrade Considerations
Note The steps below assume that you want to keep the same IP address and SD-WAN Gateway
name for the new SD-WAN Gateway deployed in the 4.0 release. If you want to create a new
SD-WAN Gateway with a different IP address instead, you can follow the new SD-WAN Gateway
procedures.

Due to substantial changes to the disk layout and system files, an in-place upgrade is not
possible from older releases to the 4.0 release. The migration will require deploying new 4.0
SD-WAN Gateway systems and decommissioning systems running older code.

For VPN SD-WAN Gateways or NAT SD-WAN Gateways with well-known public IP addresses,
follow the procedure below if the public IP of the SD-WAN Gateway must be preserved.

Procedure: (VPN or NAT SD-WAN Gateways with Well-Known Public IP Addresses)

1 Launch the new SD-WAN Gateway system based on the 4.0 release image. Refer to the
deployment guide for your platform for more information (Gateway Installation Procedures).

2 Shut down the old SD-WAN Gateway system: bring down the old SD-WAN Gateway VM, either
by running the "sudo poweroff" command on the CLI console or by powering it off from the
hypervisor.

3 Migrate the public IP to the new system: update the NAT record to point to the new SD-WAN
Gateway system, or configure the public IP on the new SD-WAN Gateway network interface.
Deploy the new Gateway with the Cloud-init examples given above, using the same IP address
as the previous SD-WAN Gateway.

4 Obtain the activation key from the existing SD-WAN Gateway record in the SD-WAN
Orchestrator (as described in the steps below).

a From the SD-WAN Orchestrator, select Gateways from the left navigation panel.

b From the Gateways screen, click an SD-WAN Gateway to select it.

c From the screen of the chosen SD-WAN Gateway, click the down arrow next to the
SD-WAN Gateway name to open the information box.

d The Activation Key is located at the bottom of the information box, as shown in the image
below.

5 Set the system property "gateway.activation.validate.deviceId" to False, as shown in the
image below. Refer to the System Properties section in the VMware SD-WAN Operator Guide
for more information, if necessary.

6 Re-activate the new SD-WAN Gateway system: from the CLI console, run
"sudo /opt/vc/bin/activate.py -s <vco_address> <activation_code>"

7 Restore the system property "gateway.activation.validate.deviceId" to its original value (if
necessary).

The SD-WAN Gateway is now registered and ready to receive a connection from the Edges.

Note The SD-WAN Gateway reactivation can be performed via Cloud-init, as described in the
User Data section in this document.

Activation Example Output

root@gateway/opt/vc# /opt/vc/bin/activate.py FLM6-CSV6-REJS-XFR5 -i -s 169.254.8.2
Activation successful, VCO overridden back to 169.254.8.2
root@SS1-gateway-2:/opt/vc#

SD-WAN Gateways Without Well-known Public IPs

This section applies only to SD-WAN Gateways without a well-known public IP, such as VPN SD-WAN
Gateways. If this scenario applies, follow the procedure below.

Procedure: (SD-WAN Gateways Without Well-known Public IPs)

1 Launch a new SD-WAN Gateway system. Refer to the deployment guide for your platform if
necessary (Gateway Installation Procedures).

2 Activate a new SD-WAN Gateway system.

3 Add the new SD-WAN Gateway to the SD-WAN Orchestrator SD-WAN Gateway pool. Refer to
the "Gateway Management" section in the VMware SD-WAN Operator Guide for more details.

a The SD-WAN Gateway is now registered and ready to receive a connection from the
Edges.

4 Remove the old SD-WAN Gateway from the SD-WAN Orchestrator SD-WAN Gateway pool.
Refer to the "Gateway Management" section in the VMware SD-WAN Operator Guide for more
information.

5 Decommission the old SD-WAN Gateway VM. (Remove the SD-WAN Gateway record from
the SD-WAN Orchestrator and decommission the VM instance).

Obtaining Gateway Activation Key Via API

To deploy using the API method, use the following API call: "network/getNetworkGateways"

Sample response:

{"jsonrpc":"2.0","result":[{"id":1, "activationKey":"69PX-YHY2-N5PZ-G3UW …

Configure Handoff Interface in Dataplane

VMware SD-WAN Gateway Network Configuration

In the example shown in the figure below (VRF/VLAN Hand Off to PE), we assume eth0 is the
interface facing the public network (Internet) and eth1 is the interface facing the internal network
(customer VRF through the PE). BGP peering configuration is managed on the VCO per
customer/VRF under "Configure > Customer". Note that the IP address of each VRF is
configurable per customer. The IP address of the management VRF inherits the IP address
configured on the SD-WAN Gateway interface in Linux.

A management VRF is created on the SD-WAN Gateway and is used to send periodic ARP
refreshes to the default gateway IP to determine the next-hop MAC. It is recommended that a
dedicated VRF is set up on the PE router for this purpose. The same management VRF can also
be used by the PE router to send IP SLA probes to the SD-WAN Gateway to check its status (the
SD-WAN Gateway has a stateful ICMP responder that answers pings only when its service is up).
BGP peering is not required on the Management VRF. If a Management VRF is not set up, you
can use one of the customer VRFs as the Management VRF, although this is not recommended.

Step 1: Edit /etc/config/gatewayd and specify the correct VCMP and WAN interface. The VCMP
interface is the public interface that terminates the overlay tunnels. The WAN interface in this
context is the handoff interface.

"vcmp.interfaces": [
    "eth0"
],
(..snip..)
"wan": [
    "eth1"
],

Step 2: Configure the Management VRF. This VRF is used by the SD-WAN Gateway to ARP
for the next-hop MAC (PE router). The same next-hop MAC is used by all the VRFs created
by the SD-WAN Gateway. You need to configure the Management VRF parameter in /etc/config/
gatewayd.

The Management VRF is the same VRF that the PE router sends IP SLA probes to. The
SD-WAN Gateway only responds to the ICMP probe if the service is up and if there are Edges
connected to it. The table below explains each parameter that needs to be defined. This example
has the Management VRF on 802.1Q VLAN ID 1000.

mode        QinQ (0x8100), QinQ (0x9100), none, 802.1Q, 802.1ad
c_tag       C-Tag value for QinQ encapsulation, or 802.1Q VLAN ID for 802.1Q encapsulation
s_tag       S-Tag value for QinQ encapsulation
interface   Handoff interface, typically eth1

"vrf_vlan": {
    "tag_info": [
        {
            "resp_mode": 0,
            "proxy_arp": 0,
            "c_tag": 1000,
            "mode": "802.1Q",
            "interface": "eth1",
            "s_tag": 0
        }
    ]
},

Step 3: Edit the /etc/config/gatewayd-tunnel to include both interfaces in the wan parameter.
Save the change.

wan="eth0 eth1"

Remove Blocked Subnets

By default, the SD-WAN Gateway blocks traffic to 10.0.0.0/8 and 172.16.0.0/14. You need to
remove them before using this SD-WAN Gateway, because the SD-WAN Gateway is expected to
send traffic to private subnets as well. If you do not edit this file, then when you try to send traffic
to a blocked subnet you will find messages like the following in /var/log/gwd.log:

2015-12-18T12:49:55.639 ERR [NET] proto_ip_recv_handler:494 Dropping packet destined for 10.10.150.254, which is a blocked subnet.
2015-12-18T12:52:27.764 ERR [NET] proto_ip_recv_handler:494 Dropping packet destined for 10.10.150.254, which is a blocked subnet. [message repeated 48 times]
2015-12-18T12:52:27.764 ERR [NET] proto_ip_recv_handler:494 Dropping packet destined for 10.10.150.10, which is a blocked subnet.

Step 1: On the SD-WAN Gateway, edit the /opt/vc/etc/vc_blocked_subnets.json file. Initially, the
file contains the following:

[
    {
        "network_addr": "10.0.0.0",
        "subnet_mask": "255.0.0.0"
    },
    {
        "network_addr": "172.16.0.0",
        "subnet_mask": "255.255.0.0"
    }
]

Step 2: Remove the two networks. The file should look like below after editing. Save the change.

[
]

Step 3: Restart the SD-WAN Gateway process by running sudo /opt/vc/bin/vc_procmon restart.
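As an added example (not part of the guide), the following Python code parses the vc_blocked_subnets.json format shown above, checks whether a destination would be dropped, and tallies the "blocked subnet" drop messages in gwd.log, counting a "[message repeated N times]" line as N drops. The file content and log lines are the ones shown in this section; the counting convention is this example's own.

```python
"""Evaluate destinations against the gateway's blocked-subnet list and summarise drops.
Added example, not part of the VMware guide."""
from __future__ import annotations

import ipaddress
import json
import re
from collections import Counter

# Matches the gwd.log drop message; the repeat annotation is optional.
DROP_RE = re.compile(
    r"Dropping packet destined for (\S+), which is a blocked subnet\."
    r"(?: \[message repeated (\d+) times\])?"
)


def load_blocked_subnets(text: str) -> list[ipaddress.IPv4Network]:
    """Parse the JSON list of {network_addr, subnet_mask} entries into networks.

    ipaddress accepts dotted netmasks, so 255.255.0.0 becomes a /16 directly.
    """
    return [
        ipaddress.ip_network(f"{e['network_addr']}/{e['subnet_mask']}", strict=False)
        for e in json.loads(text)
    ]


def is_blocked(dst: str, nets: list[ipaddress.IPv4Network]) -> bool:
    """True if the gateway would drop a packet to *dst* with this block list."""
    addr = ipaddress.ip_address(dst)
    return any(addr in net for net in nets)


def count_drops(log_text: str) -> Counter:
    """Count blocked-subnet drops per destination from gwd.log lines.

    A line carrying '[message repeated N times]' counts as N drops (example convention).
    """
    drops: Counter = Counter()
    for line in log_text.splitlines():
        m = DROP_RE.search(line)
        if m:
            drops[m.group(1)] += int(m.group(2)) if m.group(2) else 1
    return drops


# Default file content as listed in the guide (before the two networks are removed).
DEFAULT_FILE = """[
  {"network_addr": "10.0.0.0", "subnet_mask": "255.0.0.0"},
  {"network_addr": "172.16.0.0", "subnet_mask": "255.255.0.0"}
]"""

# Log lines reproduced from the guide's /var/log/gwd.log excerpt.
SAMPLE_LOG = """\
2015-12-18T12:49:55.639 ERR [NET] proto_ip_recv_handler:494 Dropping packet destined for 10.10.150.254, which is a blocked subnet.
2015-12-18T12:52:27.764 ERR [NET] proto_ip_recv_handler:494 Dropping packet destined for 10.10.150.254, which is a blocked subnet. [message repeated 48 times]
2015-12-18T12:52:27.764 ERR [NET] proto_ip_recv_handler:494 Dropping packet destined for 10.10.150.10, which is a blocked subnet.
"""
```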
