This is the next part of my multi-part series on setting up SAML Authentication using the VMware Workspace ONE Access product. If you missed my earlier posts, you can review them here:
- Part 1: Preparation
- Part 1.5: Database Changes
- Part 2: Primary Node Deployment and Config
- Part 3: Load Balancer Configuration
- Part 4: SSL Configuration
- Part 5: Deploy Additional Nodes (OPTIONAL)
- Part 6: Configure Workspace ONE Access Connector
- Part 7: Configure NSX-T SAML Configuration
This entry is provided mostly for completeness rather than use within my #HomeLab. My original design was to use 3 nodes in a cluster. Looking at some resource constraints that occurred over this past summer, I decided to just go with a single node. This simplifies my configuration, minimizes the VMs that need to bring online as well as eliminates intended error messages.
Note: There is a rather important footnote in the VMware documentation that comes *after* they walk through the cloning process: Finish the configuration of the node before you clone it. In other words, if you choose to create a cluster for the Workspace ONE Access appliance, you need to skip to the next section first, then come back to this step.
The first step will be to configure the Workspace ONE Access URL to one that your Load Balancer will front to the cluster. This is done within the Workspace ONE Access setup console, https://fqdn:8443/cfg. Login with the admin password you used when you installed the appliance. Once in the setup console, select the “Workspace ONE Access FQDN” menu option on the left hand side:
Update the FQDN to the new load-balanced FQDN your cluster will use and click “Save”. In the image above, I changed the address from the hostname of the Workspace ONE Access appliance (https://dwsa1.darkhonor.net) to the load-balanced URL (https://dwsa.darkhonor.net).
Once this process is complete, you’re ready to clone the Appliance and create your cluster. You will do this process one at a time to minimize IP address conflicts. Login to you vSphere client. You will need to power-off the current appliance before you clone it. Once it is powered off, right click and select “Clone…”. You will be walked through the process by a wizard.
Give the new clone a name and a location. I kept all three nodes in the “DMZ” folder to help me keep track of what should be where. Click “Next”.
Choose a host or cluster to clone to. If you have shared storage available to a cluster, it is recommended to go that route. It will allow DRS (if enabled) to work appropriately to ensure you have sufficient redundancy and resources available. Click “Next”.
This is where you choose the storage. In my case, I only have on-host storage. My #HomeLab has a ways to go before I can start working with shared storage. You can also specify whether you want the appliance to be “Thin Provisioned” or “Thick Provisioned”. Since this is a #HomeLab environment without a lot of users, “Thin Provisioned” is fine. If your site will be hit with a larger user-base, you may want to go with “Thick Provisioned” to decrease performance hits later. Click “Next”.
I left these as-is and just clicked “Next”. You will want to ensure “Customize the operating system” is unchecked. The important options are on the next screen.
This is where you specify the new IP address and other key settings for the cloned appliance. These will need to be unique for your network. In addition, VMware recommends all Workspace ONE Access nodes within a single cluster are on the same network to reduce potential communications issues. Once you have your settings set, click “Next”.
Verify all of the settings are correct. If so, click “Finish” and vSphere will start the clone process.
While this is going through the cloning process, you will need to make sure your DNS is configured to allow both the IP address and hostname to be resolved.
Once the cloning process is complete, do not turn the VM on right away. You will need to verify a couple items on the vApp configuration beforehand. Select the new VM in the vSphere window. Select the “Configure” tab and then “vApp Options”. In the “Properties” section at the bottom, verify the DNS, IP Address, and Host Name (FQDN) options are all correct for the new appliance.
Once all are set, go ahead and power on the original appliance. Wait until it is fully up and running, then power on the new cloned appliance. This is an important step to ensure the cluster is created appropriately. Wait until the blue login screen appears in the “Console” tab.
The process to configure the Elasticsearch cluster will take several minutes to complete. In order to monitor the status, you will open a console window for the VM and select the “Login” option. You will be directed to a command line login. Login with the “root” user.
Once you’re logged in, run the following command the get the status of the cluster:
curl -XGET 'http://localhost:9200/_cluster/health?pretty=true'
If all goes well and the second node is up and running, you should see something similar to this:
The key line you are looking to be updated is the “number_of_nodes” and “number_of_data_nodes” fields. They should equal “2” since you just added a second node. Once this shows up, you can add this new node to your NSX-T Load Balancer Server Pool using the steps outlined here.
If you had completed the next step and have a Connector created to sync with Active Directory, you will need to configure your new cloned appliances accordingly. I will not go into this now. The documentation on the specific steps can be found here.
Repeat this process for your third node. Once complete, you will have a highly-available Workspace ONE Access cluster that your users can use.
I know this one has been a long time coming. I’ve had a lot of issues with power and cooling this summer. Living where we do, power consumption is definitely punished by the electric company. Let me know your thoughts. As I said earlier, I ended up not using this configuration since it wasn’t really necessary for my use-case and reduced server capacity over the summer. As we head into Winter, I may explore this option again.