Data Center/Cloud Integration


The Data Center/Cloud integrations focus on automating the provisioning of highly mobile end-systems such as virtual machines, or on providing user information for virtual desktops. Depending on the capabilities of the third-party product, the automation can include the creation of virtual networks and VLAN configuration within that product.

Citrix XenServer

The XenServer integration offers provisioning of virtual machines in the network as well as automated creation of virtual networks based on end-system access groups. In addition, data within ExtremeCloud IQ Site Engine is enriched for each end-system and, conversely, made available within XenCenter (the management tool for XenServer environments).

Module Configuration

Service Configuration Description
Username: Username used to connect to the XenServer's web service. Read/Write/Execute permissions are required.
Password: Password used to connect to the XenServer's web service.
XenCenter Webservice URL: Web service URL of the XenServer.
XenCenter Server IP: IP address of the XenServer.

General Module Configuration
Poll interval in seconds: Number of seconds between connections to the XenServer.
Module log level: Verbosity of the module. Logs are stored in ExtremeCloud IQ Site Engine's server.log file.
Module enabled: Whether or not the module is enabled.
Push update to remote service: If set to "true", data from other modules is pushed to the service.
Update local data from remote service: If set to "true", data from the remote service is used to update the internal end-system table.
Default end-system group: The default end-system group name to use if it is not set dynamically.
Enable Data Persistence: If enabled, the module stores end-system, end-system group and VLAN data to a file after each cycle. If disabled, the module forgets all data after a service restart; data that has already been persisted is only removed by deleting the corresponding .dat files.

Service Specific Configuration
Custom field to use: The custom field within Extreme Control that is updated with the information retrieved from XenServer for each end-system (valid values: 1-4).
Outgoing data format: The format of the Extreme Control data (such as last seen time, switch IP, switch port) that is written to the description field of the VMs within XenServer. You can customize the appearance and choose which information to include or exclude.
Format of the incoming data: The format of the data that is received from XenServer and written to the custom field.
Use global end-system groups: Enables the module to use the global end-system groups of Extreme Connect, i.e. the end-system groups retrieved from the Extreme Control module, and to assign XenServer VMs to these groups.
Network deletion: If enabled, networks created for end-system groups are deleted when the end-system group no longer exists or its sync is disabled. Any VM connected to such a network is moved to the Deletion Group below.
Deletion Group: If “Network Deletion” is enabled, this setting defines the catch-all network for VMs that were connected to a XenServer network that has been deleted from ExtremeCloud IQ Site Engine. For example, if you have a XenServer network “VM Test” that is managed by Extreme Connect and you delete the corresponding end-system group in ExtremeCloud IQ Site Engine, all VMs connected to “VM Test” are disconnected from it and automatically reconnected to the XenServer network defined here. This provides a fallback network for all VMs that were connected to Extreme Connect managed XenServer networks.
Destroy NIC Bonds: If enabled, Extreme Connect automatically destroys (removes) a bond of two or more NICs on the Citrix XenServer once the last network that used this bond has been removed via the ExtremeCloud IQ Site Engine group configuration. Example: assume you create a new end-system group using multiple NICs with the definition “nic=eth0:eth1”. Extreme Connect will create

- A bond over eth0 + eth1 with a default naming scheme, and

- A new external network connected to that bond, named after your end-system group.

Now you create a second end-system group using the same NIC definition “nic=eth0:eth1”. This only creates a new external network, named after the second end-system group, connected to the already existing bond.

If you now delete (or set “sync=false” on) one of these end-system groups, only its external XenServer network is removed, not the bond, since the bond is still in use by the other network. If you then also delete the other end-system group, its external network is deleted and the bond between eth0 and eth1 is destroyed.
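The network and bond lifecycle described above, as an added Python model (an illustration written for this page, not Extreme Connect's code): one external network per end-system group, one bond per NIC set created on first use, and the bond destroyed only when its last network is gone and “Destroy NIC Bonds” is enabled. The “nic=eth0:eth1” definition syntax is the one quoted in the text; the group names are made up.

```python
"""Model of how Extreme Connect manages XenServer external networks and NIC
bonds for end-system groups (illustration only, not the product's code)."""


def parse_nic_definition(definition):
    """'nic=eth0:eth1' -> ('eth0', 'eth1'); 'nic=eth0' -> ('eth0',)."""
    key, sep, value = definition.partition("=")
    if key != "nic" or not sep or not value:
        raise ValueError(f"bad NIC definition: {definition!r}")
    return tuple(value.split(":"))


class XenNetworkModel:
    def __init__(self, destroy_nic_bonds=True):
        self.destroy_nic_bonds = destroy_nic_bonds   # the module option described above
        self.networks = {}   # external network name (= end-system group name) -> NIC tuple
        self.bonds = {}      # NIC tuple of a bond -> set of network names attached to it

    def sync_group(self, group_name, nic_definition):
        """Group created with sync enabled: always a network, a bond only for
        more than one NIC, and that bond only once per NIC definition."""
        nics = parse_nic_definition(nic_definition)
        if group_name in self.networks:
            return                                    # already provisioned
        if len(nics) > 1:
            self.bonds.setdefault(nics, set()).add(group_name)
        self.networks[group_name] = nics

    def remove_group(self, group_name):
        """Group deleted or set to sync=false: drop its network; destroy the
        bond only if no other network still uses it and destruction is enabled."""
        nics = self.networks.pop(group_name, None)
        if nics is None or nics not in self.bonds:
            return
        users = self.bonds[nics]
        users.discard(group_name)
        if not users and self.destroy_nic_bonds:
            del self.bonds[nics]

    def has_bond(self, nic_definition):
        return parse_nic_definition(nic_definition) in self.bonds


def walkthrough(destroy_nic_bonds=True):
    """The two-group scenario from the text. Returns whether the eth0/eth1 bond
    still exists after the first group is removed and after the second."""
    m = XenNetworkModel(destroy_nic_bonds)
    m.sync_group("VM Test", "nic=eth0:eth1")         # creates bond + network
    m.sync_group("VM Prod", "nic=eth0:eth1")         # reuses the bond, new network
    m.remove_group("VM Test")
    after_first = m.has_bond("nic=eth0:eth1")         # bond kept: VM Prod uses it
    m.remove_group("VM Prod")
    after_second = m.has_bond("nic=eth0:eth1")        # bond destroyed (if enabled)
    return after_first, after_second


if __name__ == "__main__":
    print("Destroy NIC Bonds enabled :", walkthrough(True))
    print("Destroy NIC Bonds disabled:", walkthrough(False))
```

With the option disabled the bond outlives its last network, which is the state you will see in XenCenter if groups are removed while “Destroy NIC Bonds” is off.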

Verification
  1. In XenCenter, select a virtual machine.
  2. Select the “General” tab on the right side of the screen.
  3. At the top of the “General” tab there is a description field that contains the corresponding data from ExtremeCloud IQ Site Engine. If this data is correct, the integration is verified.

Citrix XenDesktop

The integration with XenDesktop is one-way: information on virtual desktops is retrieved from XenDesktop and used within ExtremeControl, but no data or configuration is written from ExtremeControl to XenDesktop.

Module Configuration

The table below describes the configuration options available for the XenDesktop OFConnect module (config file: XenDesktopHandler.xml).

Service Configuration Description
Adapter IP: The IP address on which the Extreme XenDesktop adapter is running (configurable within the adapter's config file). It should be the IP of your XenDesktop server.
Adapter Port: The TCP port on which the Extreme XenDesktop adapter is listening (configurable within the adapter's config file).
Pre-Shared Key: The key used to encrypt traffic to and from the adapter running on the XenDesktop server. This must match the pre-shared key configured in the adapter's config file.

General Module Configuration
Poll interval in seconds: The wait time between two polls. The module contacts the XenDesktop adapter and requests the latest data on the VDI infrastructure, waits for this interval to pass, and then polls the adapter again.
Module log level: Verbosity of the module. Logs are stored in ExtremeCloud IQ Site Engine's server.log file.
Module enabled: Whether or not the module is enabled.
Update local data from remote service: If set to "true", data from the remote service is used to update the internal end-system table.
Default end-system group: The default end-system group name to use if it is not set dynamically.
Enable Data Persistence: If enabled, the module stores end-system and end-system group data to a file after each cycle. If disabled, the module forgets all data after a service restart; data that has already been persisted is only removed by deleting the corresponding .dat files.

Service Specific Configuration
Custom field to use: The custom field within ExtremeCloud IQ Site Engine that is updated with the information retrieved from the adapter running on the XenDesktop server (valid values: 1-4).
Format of the incoming data: The format of the data that is received from the adapter running on the XenDesktop server and written to the custom field.
Adapter Installation

OFConnect retrieves data from the XenDesktop server using an adapter. This adapter needs to be installed and configured before the corresponding module within OFConnect is enabled. The adapter consists of a Java executable file (.jar) and a configuration file. To install the adapter:

  1. Install Windows .NET Framework 3.5 SP1 or above, Windows PowerShell 2.0 and the latest Java Runtime Environment on the XenDesktop server.
  2. Locate the file “Datacenter Manager XenDesktop Adapter.zip” on the Extreme Control server in the directory ../jboss/server/default/deploy/fusion_jboss.war/XenPlugin/ (it can also be downloaded via browser from https://<Extreme Control IP>:8443/fusion_jboss/XenPlugin/Datacenter%20Manager%20XenDesktop%20Adapter.zip).
  3. Copy the executable jar file (DCM_XENDESKTOP_ADAPTER_<version>.jar) and the configuration file (DCM_XENDESKTOP_ADAPTER.config) into a separate directory created under “Program Files/Extreme Networks/XenDesktop Adapter” directly on the XenDesktop server.
  4. Edit the configuration file according to your environment. The configuration file contains an explanation of all settings; they are also listed below.
  5. Save and close the configuration file.
  6. Start the adapter manually by opening a cmd shell or PowerShell.
  7. Navigate into the installation directory and run: java -jar DCM_XENDESKTOP_ADAPTER_<version>.jar
  8. Check the log file to validate proper functionality.
  9. Check the end-system list in ExtremeControl to see data for the XenDesktop virtual machines arriving in the custom column you configured within the XenDesktopHandler.xml config file.
  10. After successfully verifying the integration, ensure that the DCM_XENDESKTOP_ADAPTER_<version>.jar file is started automatically on Windows server startup. Stop the adapter currently running within the cmd/PowerShell window.
  11. Configure the auto-start for the .jar file (this depends on your Windows Server version) and, when appropriate, restart your XenDesktop server to test the auto-start of the .jar file (you should see a java process running in the process tree).
Adapter Configuration

The table below lists the configuration options for the XenDesktop adapter.

Configuration Option Description
NETSIGHT_IP: The IP address of the ExtremeCloud IQ Site Engine server.
NETSIGHT_USERNAME: The username to authenticate against the ExtremeCloud IQ Site Engine server.
NETSIGHT_PASSWORD: The password to authenticate against the ExtremeCloud IQ Site Engine server.
LOG_LEVEL: Set the log level of the adapter to one of the following values: ERROR, WARN or DEBUG. If not set, the default is WARN.
IP: IP address for the web service (the adapter) to listen on.
PORT: TCP port for the web service to listen on. It must NOT be used by any other application on this server.
XENDESKTOP_SERVER: The host/DNS name of the XenDesktop Delivery Controller to connect to. So far this has only been tested with the adapter and the Delivery Controller running on the same server, although remote connections might work as well. Example: XenDesktop5 or, with FQDN, XenDesktop5.test.local.
PRE_SHARED_KEY: The pre-shared key used for the communication between the adapter and OFConnect. This must match the key entered when installing the OFConnect XenDesktop module.
IS_PRE_SHARED_KEY_ENCRYPTED: If set to 'false', the adapter assumes that the PRE_SHARED_KEY configured above is not encrypted; on the first start the adapter automatically encrypts the key in the config file and sets this value to 'true'. Until that first start the key is stored in plain text, so restrict file-system access to the config file. To change the key at a later stage, change the key above, set this value back to 'false' and restart the adapter service.
ENABLE_PUSH_USER_TO_NETSIGHT: If set to "true", the adapter uses web service calls to ExtremeCloud IQ Site Engine to push the user name of each virtual desktop session to the corresponding end-system in ExtremeCloud IQ Site Engine/ExtremeControl. If configured properly in ExtremeControl, this causes a re-authentication of the user on this virtual desktop and assigns a user-based policy.
ENABLE_PUSH_DATA_TO_NETSIGHT: If set to "true", the adapter pushes end-system data back to the corresponding module within OFConnect/ExtremeCloud IQ Site Engine. This lets you retrieve data on the virtual desktop within ExtremeCloud IQ Site Engine/OFConnect and display it in the end-system table inside ExtremeControl.
Verification

To verify proper functionality, validate the data within the custom field configured to use for the XenDesktop integration in your end-system list (in ExtremeControl).

You will only see the username being set accordingly if you enable the following option within the adapter’s config file: ENABLE_PUSH_USER_TO_NETSIGHT=true

You will only see the additional information (within the custom column that you’ve specified in your OFConnect XenDesktopHandler config file) if you’ve enabled the following option within the adapter’s config file:

ENABLE_PUSH_DATA_TO_NETSIGHT=true

Be aware that the username from XenDesktop can also be used to automatically assign a policy to each user as you could do with any 802.1X or Kerberos username. So make sure you’ve configured your rule set in ExtremeControl correctly before enabling this feature.

Microsoft Intune

IMPORTANT: Microsoft plans to deprecate support for the API calls this module requires. For details and the schedule, see https://learn.microsoft.com/en-us/mem/intune/protect/network-access-control-integrate.

The Microsoft Intune integration requires registering a Microsoft Azure application. The Azure application acts as a proxy to execute REST API calls on behalf of ExtremeConnect. This information is used in the Intune module tab.

Module Configuration

The table below lists the configuration options for the Intune agent.

Configuration Option Description
Client ID: Application client ID
Password: Application client secret
Tenant: Tenant ID to retrieve specific customer devices
Redirect URL: URL where the user is redirected.
Code: Generated OAuth authorization code.
Service Configuration

The table below lists the configuration options for the Intune server.

Configuration Option Description
Poll interval: Time period between queries to the Intune NAC web service
End system group for managed business mobile devices: ExtremeControl end-system group that corporate-owned devices belong to
End system group for managed personal mobile devices: ExtremeControl end system group that personal devices belong to
Default end system group for managed mobile devices: ExtremeControl end-system group that unknown devices belong to
Update Kerberos username: Enables or disables the option to update end-system username
Update device type: Enables or disables the option to update end-system device type
Notify user when quarantined: Enables or disables the option to notify user when an end-system is quarantined based on assessment scoring
Enable assessment: Enables or disables the option to use the ExtremeControl assessment agent
Register Azure Application

An Azure application is required to access Microsoft’s Intune NAC API. The application requires permission from an administrator to access device information from Intune.

  1. Log in to the Azure portal at https://portal.azure.com.
  2. Select Azure services > App registrations.
  3. To create a new application, select New registration.
  4. On the Register an application page, enter the application name, type, and sign-on URL. The sign-on URL is the page the browser is redirected to after the permissions are accepted. Select Register.

    The registration is created and displays on the App Registrations page.
  5. From the App Registrations page, in the Connect row, note the Application (Client) ID that was generated by the registration. This Application ID is used in the service configuration. In the following example, the Application ID is 4c88c31c-7c8e-4cc7-8948-abd4d0106b5c.
  6. From the Display Name list, select Connect.

    The Connect details page displays.
  7. From the left menu, select API permissions. On the API permissions page, select Add permission. From the Request API permissions dialog, select Microsoft Graph.
  8. From the Microsoft Graph dialog, select Delegated Permissions > DeviceManagementManagedDevices. Enable DeviceManagementManagedDevices.Read.All and select Add Permissions.
  9. From the Connect > API Permissions page, verify the permissions you created.
  10. To generate the secret, from the left menu select Certificates and Secrets. Select New Client Secret. Edit the fields and select Add.

    In the following example, the description is Secret, the expiry is in 2299, and the generated secret is /@T=mXIEhBQG2ODMhgDnxu[wle3p7Ha0. The generated secret is used in the service configuration. Note: The best practice is to configure a shorter duration, such as one or two years.

    To copy the key to the clipboard, use the clipboard icon. To delete the key, use the trash icon.
  11. To generate the OAuth authorization code, build an authorization URL in the following format and open it with an administrator account:

    https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/authorize?client_id={client_application_id}&response_type=code&redirect_uri={redirect_URL}&response_mode=query&scope=openid%20offline_access%20DeviceManagementManagedDevices.Read.All&state={random_value}

    Replace {tenant_id} with the tenant name used in the service configuration. In this example, the tenant is extremeconnect.onmicrosoft.com.

    Replace {client_application_id} with the application's ID used in the service configuration. In this example, the application ID is 4c88c31c-7c8e-4cc7-8948-abd4d0106b5c.

    Replace {redirect_URL} with the URL that was configured in the application. In this example, the URL is https://nms.demo.com:8443.

    Replace {random_value} with any random string. In this example, the string is 12345.

    Using the example values, the authorization URL with the application specific field is:

    https://login.microsoftonline.com/extremeconnect.onmicrosoft.com/oauth2/v2.0/authorize?client_id=4c88c31c-7c8e-4cc7-8948-abd4d0106b5c&response_type=code&redirect_uri=https://nms.demo.com:8443&response_mode=query&scope=openid%20offline_access%20DeviceManagementManagedDevices.Read.All&state=12345
  12. Open a browser, enter the URL and accept the authorization request.
  13. After the request is accepted, the browser is redirected to the redirect URL and the authorization code is displayed in the browser address field. Note the authorization code, which is the value of the code parameter (between code= and &state=). Also check that the returned state equals the random value you sent. The authorization code is used in the service configuration and expires in 10 minutes.

    In the example above, the full redirect URL is as follows; the authorization code is the long value after code=:

    https://nms.demo.com:8443/?code=OAQABAAIAAABHh4kmS_aKT5XrjzxRAtHzDDNMGhrNMMTkKyCFCYDJ0UNkr4ATgX8pRgOEA8Lo20Q73t5KZUe2b_pWA1XZal2yUJin53XrS_ozXlN2btRw4rbVVvAz9M5aLVXLg5VmHBYV0_86Fz2SdaKvOa017PDiN1JgvZHjXwLva6baxvBEpVj1a8e7Tw68AhOo8IEmRycDuCWN1mrLp_Z-C9XTIqqPrnrOFx9__nfSpcrb23ZF7Ak5kEPUE5Tp7JLPTFVlQpS99p4mbTZ26atey8cw439aO7uVopemFk8n2rfk_SHFSlIlPESkbjpYH6Oz8h53T6Q2UqiQLda2AYmX1qoJGEZbnAw65PdHHstK0PNX27bDry31zUD5CPOO7X76Q6_G6R91yqrWvu_Gq_N9moBIictsdVWxyb3dhKXIv3aMoBZkkurvfT8HDbS4lNsvNtqStJ5HWflnd5iCGbitMkD4LRl2zPmbnrvH5ItCFHvUhEeLsVQB_GYOsyyC6x264JizBI2vu9pPKT5Ch0Mc8zNsX7fYlOOgBTjdf15AaRV7sR2zqTSvFCuaeEr9RJAlmrnFjIfzBccEnnNWxunbT2Wo-4YKgnn2wLLX1wPr73iJpYVB6oUyiADJNtStVmlERDhaXoimPDieV8k4xfZrYIAA&state=12345&session_state=fdb2c5b8-a316-4646-99e9-c16c329aed5a
  14. In ExtremeControl, enter the authorization code in the Code field of the Intune module configuration. The code you receive will look similar to the example.
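The request and redirect handling of steps 11 to 13, as an added Python example written for this page (not ExtremeConnect's or Microsoft's code). It uses the example tenant, client ID and redirect URL from the steps above; the browser landing URL in the demo run is constructed. Besides building the URL with the three scopes correctly separated, it rejects a redirect whose state does not match the value that was sent, which is what the state parameter exists for.

```python
"""Build the Azure AD v2.0 authorization URL for the Intune module and pull
the authorization code out of the redirect (added example, not product code)."""
import secrets
from urllib.parse import parse_qs, quote, urlencode, urlsplit

AUTHORIZE_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize"
# OpenID Connect scopes plus the delegated Graph permission granted to the app.
SCOPES = ("openid", "offline_access", "DeviceManagementManagedDevices.Read.All")


def new_state():
    """Unguessable per-request value that ties the redirect back to this request."""
    return secrets.token_urlsafe(16)


def build_authorize_url(tenant, client_id, redirect_uri, state):
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        # One space-separated scope parameter; quote_via=quote encodes the spaces
        # as %20 so the individual scopes are not run together.
        "scope": " ".join(SCOPES),
        "state": state,
    }
    return AUTHORIZE_ENDPOINT.format(tenant=tenant) + "?" + urlencode(params, quote_via=quote)


def extract_code(returned_url, expected_state):
    """Return the authorization code from the URL the browser lands on.

    The code is the value of the 'code' query parameter. A state that does not
    match the one we sent means the redirect is not the answer to our request,
    so the code is rejected instead of being pasted into the configuration."""
    query = parse_qs(urlsplit(returned_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: redirect does not belong to this request")
    if "error" in query:
        detail = query.get("error_description", [""])[0]
        raise ValueError(f"authorization failed: {query['error'][0]} {detail}".rstrip())
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("redirect carries no authorization code")
    return code


if __name__ == "__main__":
    state = new_state()
    url = build_authorize_url("extremeconnect.onmicrosoft.com",
                              "4c88c31c-7c8e-4cc7-8948-abd4d0106b5c",
                              "https://nms.demo.com:8443", state)
    print("Open as an administrator:\n" + url)
    # Constructed landing URL, in the shape the browser shows after consent.
    landed = ("https://nms.demo.com:8443/?code=constructed-example-code"
              f"&state={state}&session_state=fdb2c5b8-a316-4646-99e9-c16c329aed5a")
    print("Authorization code:", extract_code(landed, state))
```

The code is a one-time, short-lived credential (the text gives 10 minutes); treat it like a password while it is valid and do not log the full redirect URL.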
Verification
  1. Enroll the device with Microsoft Intune.
  2. Connect to test SSID, and wait for the resynchronization poll to occur.
  3. Verify the end system in ExtremeControl displays the device information from Intune.
Policy Configuration

To support the previous workflow, the device in unregistered state must use HTTPS to communicate with the Intune server and the Apple Push service with Apple.

Some configurations require downloading an agent to be registered by Intune, so Google Play and Apple App Store access must be provided. If this is the case, policies must be adapted to provide connectivity to the agent.

The following policies (or more generic ones) are needed to allow Intune registration:

  1. Allow HTTPS to the Microsoft Intune network.
  2. Allow TCP 5223 to 17.0.0.0/8 (Apple Push service).
  3. Allow TCP/UDP 5228 to 173.194.0.0/16 (Google Play login).
  4. Allow HTTPS to 74.125.0.0/16 (Google Play downloads).

Google G Suite

Combining the ExtremeControl solution with Google’s G Suite helps network and security administrators ensure that only registered Chrome OS devices are able to use the network and its resources. The solution also pulls extensive device data from G Suite and updates the end-systems in ExtremeControl to provide network administrators with a unique view of Chrome OS data within a single management interface.

The solution currently supports Chrome OS devices only.

Module Configuration

The table below lists the configuration options for the Google GSuite agent.

Configuration Option Description
Service Account ID: Email address of the service account to use for authentication. You can find your service account ID within your Google API Manager project (https://console.developers.google.com/projectselector/apis/credentials?pli=1) where you configured/created your service account when you go into the account details. Example: gsuiteserviceaccount2@extreme-gsuite-test.iam.gserviceaccount.com
Service Account User: Email address of a user account from your G Suite account/domain. Connect uses it to determine which domain to connect to; the service account acts on behalf of this user. Example: kurt@extremetest.net
Service Configuration

The table below lists the configuration options for the Google GSuite server.

Configuration Option Description
Poll interval: The time (in seconds) the module will wait after each run. For example, if you want to run the synchronization one time per hour you can configure ‘3600’ here.
Default end-system group for all devices from G Suite: The default end-system group name where we assign all G Suite devices to in ExtremeControl. If you don't want end-systems from G Suite to be assigned to this default group, configure a group name which doesn't exist in ExtremeControl or disable the group assignment feature on the “Extreme Control” module. Default: Chrome Devices
Format of the incoming data for devices from G Suite: Format of the data that gets stored in the custom data field. You can choose and combine any of the available variables: nwAdapterType, mac, annotatedAssetId, annotatedLocation, annotatedUser, recentUsers, currentUser, deviceId, etag, firmwareVersion, kind, lastEnrollmentTime, lastSync, model, notes, orderNumber, orgUnitPath, osVersion, platformVersion, serialNumber, status, supportEndDate, willAutoRenew. Be aware that G Suite updates the “lastSync” and “lastEnrollmentTime” values of each device very regularly, and Connect then calls ExtremeCloud IQ Site Engine's API to refresh that value in the custom field of every affected end-system. Depending on your poll interval this can put a lot of stress on the ExtremeCloud IQ Site Engine server, so it is recommended NOT to use these variables in large environments. Use them only if polling is infrequent (for example, a few times per day) and the number of end-systems is moderate (below 1000). Default: user=#currentUser#, recentUsers=#recentUsers#, annotatedUser=#annotatedUser#, adapterType=#nwAdapterType#; OS=#osVersion#, firmware=#firmwareVersion#
End-system group for decommissioned devices: The default end-system group for devices which existed in G Suite but have been deleted. If you want to explicitly identify those devices and even authorize them differently (since they are no longer managed by G Suite, which could pose a threat), configure the group they should automatically be moved to here and enable the corresponding feature below. Make sure you manually create this end-system group in ExtremeControl.
Remove device from other groups on decommission: Enable this to move devices which have been deleted from G Suite to the ExtremeControl end-system group configured by the corresponding option above. If disabled, devices are not automatically moved to this group but keep their existing group membership(s). Default: false
Delete custom data in EMC for decommissioned devices: If a device is deleted in G Suite the end-system's custom data field in ExtremeCloud IQ Site Engine will be cleared as well. On the one hand this will keep your data clean in ExtremeControl, but it can also be helpful to see the (old) G Suite data for those end-systems which were managed by G Suite. Default: false
Overwrite the existing username with the one acquired from G Suite: If set to "true" the username for devices retrieved from G Suite will overwrite the username which is already in ExtremeControl. If no username could be retrieved from G Suite for a given end-system, then no change is performed in ExtremeControl. Be aware that this might mess up existing NAC processes if you are already retrieving and using the username through some other mechanism like 802.1X or Kerberos snooping --> this will be overwritten! Default: false
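The placeholder format and the lastSync caveat from the table above, as an added Python example written for this page (not Connect's code). The #name# placeholder syntax and the default format string are the ones quoted above; how Connect renders list values such as recentUsers is an assumption (joined with commas here), and the device records for the two polls are constructed. The example shows why a format containing lastSync turns every poll into an API write for every device, while the default format writes nothing when the devices have not actually changed.

```python
"""Render the G Suite module's incoming-data format for a device and count the
custom-field rewrites a poll would cause (added example, not Connect's code)."""
import copy
import re

PLACEHOLDER = re.compile(r"#(\w+)#")

DEFAULT_FORMAT = ("user=#currentUser#, recentUsers=#recentUsers#, "
                  "annotatedUser=#annotatedUser#, adapterType=#nwAdapterType#; "
                  "OS=#osVersion#, firmware=#firmwareVersion#")
# The discouraged variant from the text: lastSync included.
CHURNING_FORMAT = DEFAULT_FORMAT + ", lastSync=#lastSync#"


def render(fmt, device):
    """Substitute every #name# with the device's value; unknown names become empty."""
    def replace(match):
        value = device.get(match.group(1), "")
        if isinstance(value, (list, tuple)):
            value = ",".join(str(v) for v in value)   # assumption: comma-joined lists
        return str(value)
    return PLACEHOLDER.sub(replace, fmt)


def changed_devices(fmt, previous_poll, current_poll):
    """Device IDs whose rendered field differs from the previous poll.

    Each one is an end-system whose custom field has to be rewritten through
    the Site Engine API this cycle; devices not seen before count as changed."""
    return sorted(
        dev_id for dev_id, dev in current_poll.items()
        if dev_id not in previous_poll
        or render(fmt, previous_poll[dev_id]) != render(fmt, dev)
    )


# Constructed sample: two Chrome OS devices as returned by one poll.
POLL_1 = {
    "dev-1": {"currentUser": "kurt@extremetest.net", "recentUsers": ["kurt@extremetest.net"],
              "annotatedUser": "", "nwAdapterType": "wifi", "osVersion": "112.0.5615.134",
              "firmwareVersion": "Google_Kevin.10176", "lastSync": "2024-05-01T08:00:00Z"},
    "dev-2": {"currentUser": "", "recentUsers": [], "annotatedUser": "lab-kiosk",
              "nwAdapterType": "ethernet", "osVersion": "112.0.5615.134",
              "firmwareVersion": "Google_Kevin.10176", "lastSync": "2024-05-01T08:05:00Z"},
}
# Next poll: nothing about the devices changed except that G Suite bumped lastSync.
POLL_2 = copy.deepcopy(POLL_1)
for _dev in POLL_2.values():
    _dev["lastSync"] = "2024-05-01T09:00:00Z"


if __name__ == "__main__":
    print(render(DEFAULT_FORMAT, POLL_1["dev-1"]))
    print("rewrites with default format :", changed_devices(DEFAULT_FORMAT, POLL_1, POLL_2))
    print("rewrites with lastSync included:", changed_devices(CHURNING_FORMAT, POLL_1, POLL_2))
```

Scale the second result by your device count and polls per day to estimate the API load the warning above refers to.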
Google APIs

You will need to create a service account in the Google APIs management site: https://console.developers.google.com

That service account provides Connect with credentials that enable it to authenticate and authorize against the Google Admin SDK, which is used to pull data from your G Suite domain.

  1. Access the API Console Credentials page: https://console.developers.google.com/project/_/apis/credentials
  2. Select your project (or create a new one) from the drop-down list.
  3. On the Credentials page, select the Create credentials drop-down, then select Service account key.
  4. From the Service account drop-down, select an existing service account or create a new one.
  5. For Key type, select the P12 key option, then select Create. The file automatically downloads to your computer.
  6. Rename the downloaded credentials file to “gSuiteCredentials.p12“ and copy it to your ExtremeCloud IQ Site Engine server (using WinSCP for example) to this location /usr/local/Extreme_Networks/NetSight/wildfly/standalone/configuration/connect/gSuiteCredentials.p12
  7. Go into the details of your newly created credentials and note down the “Client ID” (a number); it is needed later to authorize these credentials on your G Suite domain.
Google Admin

If not already done, create a Google G Suite account and connect it with your domain. For test accounts, use: https://gsuite.google.com/signup/basic/welcome.

You will need to authorize the Extreme Connect application to provide it with access to your domain and two scopes. The basic process is described at https://developers.google.com/identity/protocols/OAuth2ServiceAccount?#delegatingauthority

To delegate domain-wide authority to a service account, first enable domain-wide delegation for an existing service account in the Service accounts page (https://console.developers.google.com/permissions/serviceaccounts) or create a new service account (https://developers.google.com/identity/protocols/OAuth2ServiceAccount?#creatinganaccount) with domain-wide delegation enabled.

Then, an administrator of the G Suite domain must complete the following steps:

  1. Access the G Suite domain’s Admin console.
  2. Select Security from the list of controls. If you don't see Security listed, select More controls from the gray bar at the bottom of the page, then select Security from the list of controls. If you can't see the controls, make sure you're signed in as an administrator for the domain.
  3. Select Show more and then Advanced settings from the list of options.
  4. Select Manage API client access in the Authentication section.
  5. In the Client Name field, enter the service account's Client ID. You can find your service account's client ID in the Service accounts page.
  6. In the One or More API Scopes field, enter the list of scopes that your application should be granted access.
  7. Enter these two scopes for the API client that you authorize for Connect: https://www.googleapis.com/auth/admin.directory.device.chromeos, https://www.googleapis.com/auth/admin.directory.user.readonly

    The first enables Connect to view and manage your Chrome OS devices' metadata, and the second enables Connect to view users on your domain.
  8. Select Authorize.
  9. Remember to enable “domain-wide authority delegation” as described in the link above.
User Privileges

Ensure that the configured user has at least the privileges to manage Chrome OS devices. This privilege is needed to retrieve data on Chrome OS devices.

Verification

You should verify that data from all devices managed by G Suite is imported to ExtremeControl. Navigate to the end-system table under the “Connect” tab and display the custom data field which you have configured for the G Suite module. You might need to make the corresponding column visible first. If you enabled the corresponding features you should also see the username retrieved from G Suite.

You can also verify whether all devices managed by G Suite have been assigned to configured end-system group in ExtremeControl (if you created such a group and configured it within the “G Suite” module).

Deleting G Suite Devices

To test this workflow, simply “de-provision” a device from G Suite and wait for the next Connect synchronization. Then verify that

  1. This device’s custom field has been emptied (if this feature has been enabled in the config file).
  2. This device is now member of the ExtremeControl end-system group for decommissioned devices (if this feature has been enabled).
  3. This device does not appear in the end-system list that is displayed at the bottom of the Connect management web site (tab: G Suite). This means that the device has been deleted in the internal list as well.

Microsoft System Center Virtual Machine Manager (SCVMM)

The SCVMM integration offers provisioning of virtual machines into ExtremeControl end-system groups based on the virtual interfaces to which each VM is connected. Data within ExtremeCloud IQ Site Engine is enriched for each end-system and conversely made available within SCVMM. The VMM is a central Microsoft server that enables management of multiple Hyper-V servers from one console.

Note: The SCVMM server requires an adapter agent to be installed and configured prior to enabling the corresponding module within Extreme Connect. The adapter file is provided by Extreme Networks.

Module Configuration

The table below describes the configuration options available for the SCVMM OFConnect module (config file: SCVMMHandler.xml)

Service Configuration Description
Adapter IP: IP address of the Virtual Machine Manager adapter.
Adapter Port: Port on which the Virtual Machine Manager adapter is listening.
Pre-Shared Key: The pre-shared key used to communicate with the SCVMM adapter.

General Module Configuration
Poll interval in seconds: Number of seconds between connections to the adapter running on the SCVMM server.
Module log level: Verbosity of the module. Logs are stored in ExtremeCloud IQ Site Engine's server.log file.
Module enabled: Whether or not the module is enabled.
Push update to remote service: If set to "true", data from other modules is pushed to the service.
Update local data from remote service: If set to "true", data from the remote service is used to update the internal end-system table.
Default end-system group: The default end-system group name to use if it is not set dynamically.
Enable Data Persistence: If enabled, the module stores end-system, end-system group and VLAN data to a file after each cycle. If disabled, the module forgets all data after a service restart; data that has already been persisted is only removed by deleting the corresponding .dat files.

Service Specific Configuration
Custom field to use The custom field within ExtremeCloud IQ Site Engine to update the information for end-systems retrieved from the adapter running on the SCVMM server (valid values: 1-4).
Outgoing data format The format of the ExtremeCloud IQ Site Engine data (like last seen time, switch IP, switch port, etc.) that is written to the description fields of the VMs within the SCVMM management console. You can customize the appearance and what information you want to include/exclude from there.
Format of the incoming data The format of the data that is received from the adapter running on the SCVMM server and written to the custom field.
Use network name as end-system group If this is set to “true”, the name of the port group/network is used as the name of the end-system group (Note: Only the text before the first “_” is used).

Adapter Installation

OFConnect retrieves data from and writes data to a Virtual Machine Manager (VMM) server through an adapter. This adapter must be installed and configured before the corresponding module is enabled within OFConnect. The adapter consists of a Java executable file (.jar) and a configuration file. To install the adapter:

  1. Install the latest Java Runtime Environment, .NET framework and Windows Powershell 2.0 on the SCVMM server.
  2. Acquire the file “Datacenter Manager SCVMM Adapter.zip” from GTAC or by contacting your local Extreme representative.
  3. Copy the executable jar file (DCM_SCVMM_ADAPTER_<version>.jar) and the configuration file (DCM_SCVMM_ADAPTER.config) into a separate directory created directly on the SCVMM server, for example C:\Program Files\Extreme Networks\SCVMM Adapter.
  4. Edit the configuration file according to your environment. The configuration file contains an explanation of all settings and you can also find them listed below.
  5. Save and close the configuration file.
  6. Start the adapter manually first: open a cmd shell or PowerShell, change into the installation directory and run: java -jar DCM_SCVMM_ADAPTER_<version>.jar
  7. Check the log file to validate proper functionality.
  8. Check the end-system list in ExtremeControl to see data for the SCVMM virtual machines coming into the custom column you’ve configured within the SCVMMHandler.xml config file.
  9. After you have verified the integration, make sure that DCM_SCVMM_ADAPTER_<version>.jar is started automatically when Windows Server starts. Stop the adapter running in the cmd/PowerShell window, configure auto-start for the .jar file (the mechanism depends on your Windows Server version) and restart the SCVMM server at a suitable time to test the auto-start (a java process should appear in the process list).
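
The procedure above leaves two security-relevant choices to the reader: what goes into the configuration file and how the jar is started at boot. The following PowerShell script is an added example and not Extreme Networks' installer or part of the adapter package. It generates a random pre-shared key, writes the adapter configuration, restricts read access to the file (which holds the clear-text key until the adapter's first start), opens the listening port only to the Site Engine host and registers a startup task running under a dedicated service account. Assumptions not stated on the page: the config file is KEY=VALUE per line, the jar version in the file name, the IP addresses, the SCVMM server name and the service account name are placeholders; the same script applies to the Hyper-V adapter after changing the file names and dropping the SCVMM_DLL and SCVMM_SERVER keys.

```powershell
# Added example (not Extreme Networks' installer): prepare the DCM SCVMM adapter with a
# random pre-shared key, a locked-down config file, a firewall rule limited to the
# Site Engine host and a scheduled task that starts the jar at boot.
# Assumptions: KEY=VALUE config format, placeholder paths, addresses and account names.
#Requires -RunAsAdministrator
param(
    [string]$InstallDir  = 'C:\Program Files\Extreme Networks\SCVMM Adapter',
    [string]$JarName     = 'DCM_SCVMM_ADAPTER_1.0.jar',   # use the version you received
    [string]$ListenIp    = '10.0.0.5',                  # this server's management address
    [int]   $ListenPort  = 8443,                        # must be unused on this host
    [string]$SiteEngine  = '10.0.0.10',                 # the only host allowed to connect
    [string]$ScvmmServer = 'scvmm01.example.net',
    [string]$ScvmmDll    = 'C:\Program Files\Microsoft System Center Virtual Machine Manager 2008 R2\bin\Microsoft.SystemCenter.VirtualMachineManager.dll',
    [string]$RunAsUser   = 'EXAMPLE\svc-dcm-adapter'    # account with SCVMM rights
)
$ErrorActionPreference = 'Stop'
$cfgPath = Join-Path $InstallDir 'DCM_SCVMM_ADAPTER.config'
$jarPath = Join-Path $InstallDir $JarName

# 1. Prerequisites: Java on PATH, jar and SCVMM DLL present, listening port free.
if (-not (Get-Command java.exe -ErrorAction SilentlyContinue)) { throw 'Java runtime not found on PATH' }
foreach ($p in $jarPath, $ScvmmDll) { if (-not (Test-Path $p)) { throw "Missing file: $p" } }
if (Get-NetTCPConnection -LocalPort $ListenPort -State Listen -ErrorAction SilentlyContinue) {
    throw "TCP port $ListenPort is already in use on this server"
}

# 2. Generate a 32-byte random pre-shared key. The same value goes into the
#    "Pre-Shared Key" field of SCVMMHandler.xml on the Site Engine side.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$psk = [Convert]::ToBase64String($bytes)

# 3. Write the config. IS_PRE_SHARED_KEY_ENCRYPTED=false makes the adapter encrypt the
#    key in place on its first start, as described in the Adapter Configuration table.
@"
LOG_LEVEL=WARN
IP=$ListenIp
PORT=$ListenPort
SCVMM_DLL=$ScvmmDll
PRE_SHARED_KEY=$psk
IS_PRE_SHARED_KEY_ENCRYPTED=false
SCVMM_SERVER=$ScvmmServer
"@ | Set-Content -Path $cfgPath -Encoding ASCII

# 4. Until that first start the file contains the clear-text key: drop inherited ACLs
#    and leave access to SYSTEM, Administrators and the adapter's own account only.
icacls $cfgPath /inheritance:r /grant:r 'SYSTEM:(F)' 'BUILTIN\Administrators:(F)' "${RunAsUser}:(R)" | Out-Null

# 5. The adapter authenticates peers with a shared secret only, so limit who can reach it.
New-NetFirewallRule -DisplayName 'DCM SCVMM Adapter (Site Engine only)' -Direction Inbound `
    -Protocol TCP -LocalPort $ListenPort -RemoteAddress $SiteEngine -Action Allow | Out-Null

# 6. Start at boot under the service account instead of an interactive login session.
$cred    = Get-Credential -UserName $RunAsUser -Message 'Password for the adapter service account'
$action  = New-ScheduledTaskAction -Execute 'java.exe' -Argument "-jar `"$jarPath`"" -WorkingDirectory $InstallDir
$trigger = New-ScheduledTaskTrigger -AtStartup
Register-ScheduledTask -TaskName 'DCM SCVMM Adapter' -Action $action -Trigger $trigger `
    -User $RunAsUser -Password $cred.GetNetworkCredential().Password -RunLevel Highest | Out-Null

Write-Host "Pre-shared key (enter it in SCVMMHandler.xml, then discard): $psk"
Write-Host "Start now with: Start-ScheduledTask -TaskName 'DCM SCVMM Adapter'; then check $InstallDir for the log file"
```

Run the script once as an administrator on the SCVMM server before step 6 of the procedure, then continue with the manual start and the log check. Registering a scheduled task with an AtStartup trigger is one way of meeting step 9; a Windows service wrapper works as well, the point is that the jar runs under a dedicated, least-privilege account and not under whoever happened to log in.
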

Adapter Configuration

The table below lists the configuration options for the SCVMM agent.

Configuration Option Description
LOG_LEVEL Set the log level of the adapter to one of the following values: ERROR, WARN or DEBUG. If not set, the default is WARN.
IP IP address for the web service (the agent) to listen on.
PORT TCP port for the web service to listen on. The port must NOT be used by any other application on this server.
SCVMM_DLL Location (path + file name) of Microsoft.SystemCenter.VirtualMachineManager.dll Example: C:\Program Files\Microsoft System Center Virtual Machine Manager 2008 R2\bin\Microsoft.SystemCenter.VirtualMachineManager.dll
PRE_SHARED_KEY The pre-shared key used for the communication between the adapter and OFConnect. This must match the key entered when installing the OFConnect SCVMM module.
IS_PRE_SHARED_KEY_ENCRYPTED If set to “false”, the adapter assumes that the 'PRE_SHARED_KEY' configured above is not encrypted; on the first start the adapter automatically encrypts the key and sets this value to “true”. To change the key at a later stage, change the key above, set this value back to “false” and restart the adapter service. Until that first start the configuration file contains the key in clear text, so restrict read access to the file.
SCVMM_SERVER The DNS name of the Virtual Machine Manager server to connect to. This has only been tested with the adapter and the VMM server running on the same host; remote connections might work as well.

Verification

Within the SCVMM management console, add the description field/column to the overview list of all VMs. You should see network related information retrieved from ExtremeCloud IQ Site Engine/ExtremeControl within this column as well as additional data from SCVMM within the end-system list in ExtremeControl.

Microsoft Hyper-V

The Hyper-V integration offers provisioning of virtual machines into ExtremeControl end-system groups based on the virtual interfaces to which each VM is connected. Data within the ExtremeControl engine is enriched for each end-system and conversely made available within Hyper-V. When integrating with multiple Hyper-V servers, you can either add each server as a new entry in this module's configuration (the list of services/agents to connect to) or use the System Center Virtual Machine Manager integration instead.

Note: The Hyper-V server requires an adapter agent to be installed and configured prior to enabling the corresponding module within Extreme Connect. The adapter file is provided by Extreme Networks.

Module Configuration

The table below describes the configuration options available for the Hyper-V OFConnect module (config file: HyperVHandler.xml)

Service Configuration Description
Adapter IP IP Address of the Hyper-V adapter.
Adapter Port TCP port on which the Hyper-V adapter listens.
Pre-Shared Key The pre-shared key used to communicate with the Hyper-V adapter.

 

General Module Configuration
Poll Interval in seconds Number of seconds between connections to the adapter running on the Hyper-V server.
Module log level Verbosity of the module. Logs are stored in the ExtremeControl engine's server.log file.
Module Enabled Whether or not the module is enabled.
Push update to remote service If this is set to “true”, data from other modules will be pushed to the service.
Update local data from remote service If this is set to “true”, data from the remote service will be used to update the internal end-system table.
Default end-system group The default end-system group name to use if it is not set dynamically.
Enable Data Persistence Enabling this option will force the module to store end-system, end-system group and VLAN data to a file after each cycle. If this option is disabled, the module will forget all data after a service restart, but in order to clean already existing data, the corresponding .dat files have to be deleted.

 

Service Specific Configuration
Custom field to use The custom field within ExtremeControl engine to update the information for end-systems retrieved from the adapter running on the Hyper-V server (valid values: 1-4).
Outgoing data format The format of the ExtremeControl engine data (like last seen time, switch IP, switch port, etc.) that is written to the description fields of the VMs within the Hyper-V management console. You can customize the appearance and what information you want to include/exclude from there.
Format of the incoming data The format of the data that is received from the adapter running on the Hyper-V server and written to the custom field.
Use network name as end-system group If this is set to “true”, the name of the port group/network is used as the name of the end-system group (Note: Only the text before the first “_” is used).

Adapter Installation

Connect retrieves data from and writes data to a Hyper-V server through an adapter. This adapter must be installed and configured before the corresponding module is enabled within ExtremeCloud IQ Site Engine. The adapter consists of a Java executable file (.jar) and a configuration file, and requires a PowerShell module as a prerequisite. To install the adapter manually:

  1. The adapter uses a PowerShell module that must be downloaded and installed before the adapter itself. Download the module here: http://pshyperv.codeplex.com/releases/view/62842#DownloadId=219013
  2. Right-click the zip file and UNBLOCK.
  3. Copy the zip file to the following location: C:\Windows\System32\WindowsPowerShell\v1.0\Modules
  4. Unzip and install the HyperV module using the “install.cmd” file.
  5. Open PowerShell and run “Set-ExecutionPolicy RemoteSigned”. Because the zip file was unblocked in step 2, its scripts count as local and RemoteSigned is sufficient; unlike “Set-ExecutionPolicy Unrestricted”, it does not allow arbitrary downloaded scripts to run. Fall back to Unrestricted only if the module's scripts still refuse to load.
  6. Run “Import-Module HyperV” and make sure that no errors occur. If the module does not load, add the parent folder of the unpacked Hyper-V module directory (<folderwhereyouunzippedthedownloadedfile>) to the PSModulePath environment variable, which is where PowerShell looks for modules; the PATH variable is not used for module lookup.
  7. As a final test run “get-command -module HyperV” and check if this prints out the available Hyper-V commands.
  8. Install the latest Java Runtime Environment.
  9. Create a dedicated folder (example: “C:\Program Files\Extreme Networks\HyperV Adapter”) and copy the two files (DCM_HYPERV_ADAPTER_<version>.jar and DCM_HYPERV_ADAPTER.config) into it
  10. Edit the configuration file DCM_HYPERV_ADAPTER.config according to your environment.
  11. You are now ready to start the adapter, either by double-clicking DCM_HYPERV_ADAPTER_<version>.jar or by running “java -jar DCM_HYPERV_ADAPTER_<version>.jar” in a shell from the adapter directory. Check the log file that should have been created in the same folder as the jar file. The adapter is started automatically when the Windows Server starts up.
  12. Repeat these steps on all Hyper-V servers that you want to integrate with ExtremeCloud IQ Site Engine.
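
Steps 1 through 11 are typed by hand on every Hyper-V host. The script below is an added example, not Extreme Networks' procedure or part of the adapter package; it performs the module installation with the least permissive execution policy that works, verifies that the module and Java are usable, checks that the adapter files are in place and, once the jar has been started, confirms that something is actually listening on the configured port. It assumes Windows PowerShell 5.1 (for Expand-Archive, Unblock-File and Get-NetTCPConnection), a KEY=VALUE layout of DCM_HYPERV_ADAPTER.config, and placeholder names for the downloaded zip, the module manifest and the directories.

```powershell
# Added example (not Extreme Networks' procedure): install the PSHyperV module without
# loosening the execution policy to Unrestricted, then check module, Java and adapter.
# Assumptions: Windows PowerShell 5.1, KEY=VALUE config format, placeholder file names.
#Requires -RunAsAdministrator
param(
    [string]$ModuleZip  = "$env:USERPROFILE\Downloads\HyperV.zip",
    [string]$ModuleRoot = "$env:SystemRoot\System32\WindowsPowerShell\v1.0\Modules",
    [string]$AdapterDir = 'C:\Program Files\Extreme Networks\HyperV Adapter'
)
$ErrorActionPreference = 'Stop'

# Step 2: remove the Mark-of-the-Web so the unpacked scripts count as local files.
Unblock-File -Path $ModuleZip

# Steps 3-4: unpack under the module root and run the module's own install.cmd.
Expand-Archive -Path $ModuleZip -DestinationPath $ModuleRoot -Force
Get-ChildItem -Path $ModuleRoot -Recurse -Filter '*.ps*1' | Unblock-File
$installCmd = Get-ChildItem -Path $ModuleRoot -Recurse -Filter install.cmd | Select-Object -First 1
if ($installCmd) { & cmd.exe /c "`"$($installCmd.FullName)`"" }

# Step 5, tightened: RemoteSigned runs local scripts and signed downloaded ones. The module
# is local once unblocked, so Unrestricted (any downloaded script runs) is not needed.
if ((Get-ExecutionPolicy -Scope LocalMachine) -in 'Restricted', 'AllSigned', 'Undefined') {
    Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope LocalMachine -Force
}

# Steps 6-7: import the module; on failure extend PSModulePath (module lookup ignores PATH).
try {
    Import-Module HyperV -ErrorAction Stop
} catch {
    $manifest = Get-ChildItem -Path $ModuleRoot -Recurse -Include 'HyperV.psd1', 'HyperV.psm1' |
                Select-Object -First 1
    if (-not $manifest) { throw "HyperV module not found below $ModuleRoot" }
    $env:PSModulePath += ';' + $manifest.Directory.Parent.FullName
    [Environment]::SetEnvironmentVariable('PSModulePath', $env:PSModulePath, 'Machine')
    Import-Module HyperV -ErrorAction Stop
}
$cmds = @(Get-Command -Module HyperV)
if ($cmds.Count -eq 0) { throw 'HyperV module loaded but exports no commands' }
Write-Host "HyperV module OK ($($cmds.Count) commands)"

# Steps 8-10: Java on PATH, adapter jar and config present.
if (-not (Get-Command java.exe -ErrorAction SilentlyContinue)) { throw 'Java runtime not found on PATH' }
$jar     = Get-ChildItem -Path $AdapterDir -Filter 'DCM_HYPERV_ADAPTER_*.jar' | Select-Object -First 1
$cfgPath = Join-Path $AdapterDir 'DCM_HYPERV_ADAPTER.config'
if (-not $jar -or -not (Test-Path $cfgPath)) { throw "Adapter jar or config missing in $AdapterDir" }

# Step 11 check: once the jar runs, something must be listening on the configured PORT.
$portLine = Get-Content $cfgPath | Where-Object { $_ -match '^\s*PORT\s*=' } | Select-Object -First 1
if (-not $portLine) { throw 'PORT is not set in DCM_HYPERV_ADAPTER.config' }
$port     = [int](($portLine -split '=', 2)[1].Trim())
$listener = Get-NetTCPConnection -LocalPort $port -State Listen -ErrorAction SilentlyContinue
if ($listener) {
    Write-Host "Adapter listening on TCP $port (PID $($listener[0].OwningProcess))"
} else {
    Write-Warning "Nothing is listening on TCP $port yet; start $($jar.Name) and re-run this check"
}
```

Run it once per Hyper-V host after copying the adapter files (step 9) and editing the config (step 10); run it a second time after starting the jar to see the listener check pass. The listener check is also the quickest way to tell a firewall problem from an adapter problem when the Site Engine module later reports that it cannot connect.
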

Adapter Configuration

The table below lists the configuration options for the Hyper-V agent.

Configuration Option Description
LOG_LEVEL Set the log level of the adapter to one of the following values: ERROR, WARN or DEBUG. If not set, the default is WARN.
IP IP address for the web service (the agent) to listen on.
PORT TCP port for the web service to listen on. The port must NOT be used by any other application on this server.
PRE_SHARED_KEY The pre-shared key used for the communication between the adapter and OFConnect. This must match the key entered when installing the OFConnect Hyper-V module.
IS_PRE_SHARED_KEY_ENCRYPTED If set to 'false', the adapter assumes that the 'PRE_SHARED_KEY' configured above is not encrypted; on the first start the adapter automatically encrypts the key and sets this value to 'true'. To change the key at a later stage, change the key above, set this value back to 'false' and restart the adapter service. Until that first start the configuration file contains the key in clear text, so restrict read access to the file.

Verification

Within the Hyper-V management console, select a virtual machine. You should see the corresponding data from ExtremeCloud IQ Site Engine in the “Notes” field on the bottom of the page.

VMware vSphere

The VMware vSphere integration offers provisioning of virtual machines in the network as well as automating the creation of virtual networks based on end-system access groups. In addition, data within ExtremeCloud IQ Site Engine is enriched for each end-system and conversely made available within vSphere.

Module Configuration
Configuration Option Description
Username Username used to connect to the vSphere web service. Read/Write/Execute permissions required.
Password Password used to connect to the vSphere web service.
VMware Webservice URL Web service URL of the VMware vSphere server.
Module enabled Enables and Disables Module.
  • Outgoing data format: The format of the ExtremeControl data (such as last seen time, switch IP and switch port) that is written to the description field of each VM within VMware or XenServer. You can customize the appearance and which information to include or exclude. Hint: In the VMware vSphere client the annotation field is limited in size, and the default outgoing format is already close to the maximum string length for this field. If you want to add information, replace part of the default value rather than appending to it.
  • Format of the incoming data: The format of the data that comes from VMware or XenServer and is written to the custom field.
  • Create Private VLAN Entries: If set to false, the Datacenter manager does not automatically create any pVLAN entries on dvSwitches, even if you have configured some. This feature is disabled by default and must be enabled manually if needed.
  • Create Portgroups from End-system Groups: If set to true, the Datacenter manager automatically creates new port groups within VMware based on the ExtremeControl engine end-system groups and your other configuration.
  • Update Portgroup VLAN IDs: Only useful if the setting above is set to true. If you change the “vlan=XXXX” value within an end-system group, this setting also changes the corresponding port group VLAN IDs.
  • Use Global End-system Groups: Only if this is set to true does the VMware module have access to the global end-system groups provided by the ExtremeControl module. This is required if you want to automatically create port groups based on ExtremeControl end-system groups.
  • Enable NAC Plugin: Enables or disables the automatic registration of the ExtremeControl engine plugin extension with vCenter.
  • NAC Plugin URL: The URL of the configuration file for the Extreme Datacenter manager plugin for VMware. vCenter Server uses it to tell connecting vCenter clients from where to download the Extreme plugin.
  • Enable Custom Attributes: Enables or disables the creation and update of Custom Attributes on vCenter Servers.
  • Custom Attributes Data Format: This text field configures the Custom Attributes for vCenter Servers. Connect creates and updates these attributes for each VM, which makes the data searchable and sortable within vCenter. Each attribute must be configured on its own line in the format NAME=VALUE, where NAME is the name of the Custom Attribute and VALUE is free text that can use all variables available in the “Outgoing data format” option. If a VM has more than one network interface, the data for each variable is presented as “NIC1DATA/NIC2DATA/…”.
  • Deletion Group: Name of the port group that a VM is moved to if its current end-system group is deleted.
  • Port Group Import: Enables the automatic creation of end-system groups in ExtremeControl based on port groups. The port group name is used as the end-system group name. Be aware that the delimiter also applies here: in the default configuration, the text after the last delimiter is truncated from the name. For example, MyPortGroup_VLAN1_dvSwitch0 is imported as MyPortGroup_VLAN1 in ExtremeControl. VLAN IDs are updated if they change.
  • Automatic Enforce after import: Enables the automatic enforcement of all appliances and of the policy domain (extended import only) when a port group has been imported.
  • Extended PortGroup Import: Also creates an ExtremeControl Configuration and policy profiles during Port Group Import. Requires the ExtremeControl Configuration, Policy Domain and Forward as Tagged options to be defined as well. Be aware that the truncated port group name is also used as the VLAN name and must adhere to VLAN naming limitations.
  • Enable PortGroup Import Removal: Deletes the ExtremeControl Configuration and/or end-system group if the port group is deleted.
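
Both the Hyper-V/SCVMM “Use network name as end-system group” option (text before the first “_”) and the vSphere Port Group Import (text after the last delimiter dropped) derive end-system group names from port group names, and two differently named port groups can collapse to the same group. The following PowerShell is an added example, not part of the product, that applies both rules to a list of port group names and flags collisions, empty names and names that would exceed a VLAN name length limit before you turn either option on. The sample names, the 32-character VLAN name limit and the “_” delimiter are assumptions; check your switch platform's actual limit.

```powershell
# Added example (not product code): preview the end-system group names the two
# port-group naming rules on this page produce, and flag collisions before enabling
# "Use network name as end-system group" (Hyper-V/SCVMM) or Port Group Import (vSphere).
# Assumptions: "_" delimiter, 32-character VLAN name limit, constructed sample names.

function ConvertTo-GroupName {
    param(
        [Parameter(Mandatory)][string]$PortGroup,
        [Parameter(Mandatory)][ValidateSet('HyperV', 'vSphere')][string]$Rule,
        [string]$Delimiter = '_'
    )
    switch ($Rule) {
        # Hyper-V / SCVMM rule: only the text before the first delimiter is used.
        'HyperV'  {
            $i = $PortGroup.IndexOf($Delimiter)
            if ($i -ge 0) { $PortGroup.Substring(0, $i) } else { $PortGroup }
        }
        # vSphere Port Group Import (default): the text after the last delimiter is dropped.
        'vSphere' {
            $i = $PortGroup.LastIndexOf($Delimiter)
            if ($i -ge 0) { $PortGroup.Substring(0, $i) } else { $PortGroup }
        }
    }
}

function Test-GroupNameMapping {
    param(
        [Parameter(Mandatory)][string[]]$PortGroups,
        [Parameter(Mandatory)][ValidateSet('HyperV', 'vSphere')][string]$Rule,
        [int]$MaxVlanNameLength = 32   # assumed switch limit; relevant for Extended PortGroup Import
    )
    $map = foreach ($pg in $PortGroups) {
        $name = ConvertTo-GroupName -PortGroup $pg -Rule $Rule
        [pscustomobject]@{
            PortGroup = $pg
            GroupName = $name
            Empty     = [string]::IsNullOrEmpty($name)       # e.g. a name starting with "_"
            TooLong   = $name.Length -gt $MaxVlanNameLength
        }
    }
    # Port groups that reduce to the same group name share one end-system group and,
    # with Update Portgroup VLAN IDs enabled, one VLAN ID.
    $collisions = $map | Group-Object GroupName | Where-Object Count -gt 1
    foreach ($c in $collisions) {
        Write-Warning ("{0}: group '{1}' would be shared by: {2}" -f $Rule, $c.Name, ($c.Group.PortGroup -join ', '))
    }
    foreach ($m in ($map | Where-Object { $_.Empty -or $_.TooLong })) {
        Write-Warning ("{0}: '{1}' maps to '{2}' (empty or longer than {3} characters)" -f $Rule, $m.PortGroup, $m.GroupName, $MaxVlanNameLength)
    }
    $map
}

# Constructed sample port group names; the collision and empty-name cases are deliberate.
$sample = @(
    'MyPortGroup_VLAN1_dvSwitch0',
    'MyPortGroup_VLAN1_dvSwitch1',   # same group as the line above under either rule
    'Prod_10', 'Prod_20',            # both become "Prod" under either rule
    '_Quarantine',                   # leading delimiter: empty group name under either rule
    'Management'                     # no delimiter: used unchanged by both rules
)
Test-GroupNameMapping -PortGroups $sample -Rule vSphere | Format-Table -AutoSize
Test-GroupNameMapping -PortGroups $sample -Rule HyperV  | Format-Table -AutoSize
```

Feed the function the real port group or virtual network names exported from vCenter, SCVMM or Hyper-V and resolve every warning by renaming the port group (or by changing the delimiter where the module allows it) before enabling the import, since a collision discovered afterwards means two networks have already been provisioned into one end-system group.
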

Stop then start the ExtremeCloud IQ Site Engine services (refer to Extreme Connect Installation section for instructions).

Verification

Within the vSphere Client, select a virtual machine and open the “Summary” tab on the right side. At the bottom of this tab there is an annotations field that should contain the corresponding data from ExtremeCloud IQ Site Engine (for example, the switch port and switch IP to which this VM is physically connected).

VMware View

The integration of VMware View does not require any special tool or software. The virtual desktops must be configured to use 802.1X, and users must access those desktops with the View Client via PCoIP in order to enable user-based authentication. Any Extreme switch with sufficient multi-user authentication capacity can authenticate each virtual desktop individually and apply a policy based on the username.

In addition, standard Extreme Connect operation can be used to provision an ExtremeControl rule for the connected port group of each VM if user authentication via 802.1X is not available.

See the VMware View VDI documentation for further information regarding the setup procedure.
