Updated guide for deploying Gateway using Microsoft VMM Tech Preview 4
Published Feb 16 2019 03:17 AM 797 Views
First published on TECHNET on Feb 29, 2016
NOTE This information is no longer current. For the latest information on this topic, see Deploy and manage a Software Defined Network (SDN) infrastructure in the VMM fabric .


This article helps you evaluate the Software Defined Networking (SDN) features in Windows Server 2016 Technical Preview and Virtual Machine Manager 2016 Technology Preview 4. In particular, this topic is focused on scenarios that incorporate Gateway with VMM Technical Preview 4.

Gateway is a data path element in SDN that enables GRE based S2S connectivity between two autonomous systems. For our scenario here specifically, Gateway enables site-to-site VPN connectivity between remote tenant networks and your datacenter using Generic Routing Encapsulation (GRE).

In combination with Software Load Balancing (SLB), Gateway can also be used for point-to-site VPN gateway connectivity so that your tenants’ administrators can access their resources on your datacenter from anywhere.


Make sure you have performed following steps before deploying Gateway.

Deploy Network Controller

This document assumes that you already have Network Controller onboarded into VMM management. If you have Network Controller deployed in your set up, you will have basic compute and network infrastructure in place to proceed for Gateway deployment.

For more details on requirement related to different Hosts, virtual machines, Logical Networks, Subnets, IP Pools, and switches, please refer to Network Controller deployment guide here .

If you haven’t deployed Network Controller as yet, please refer to the Network Controller guide above and come back to this section after deploying Network Controller.

Deploy Software Load Balancer

Although it’s not required that you deploy Software Load Balancer before proceeding to deploy Gateway, for the purpose of simplicity and preview validation, we recommend that you deploy and onboard SLB before proceeding further in this document. Having SLB deployed along with Gateway will enable you to validate the IPSec connection types.

For more details on requirements related to different hosts, virtual machines, logical networks, subnets, IP pools and switches, please refer to the SLB deployment guide here .

If you haven’t deployed Software Load Balancer as yet, please refer to the SLB deployment guide above and come back to this section after deploying Network Controller.

Prepare an SSL Certificate

The Gateway service template requires that an SSL certificate is prepared prior to import. You should already have these certificates ready as part of Network Controller deployment. To revisit steps on how to prepare SSL certificates click here . You should right click on this SSL certificate created earlier during Network Controller deployment and export it without a password in .CER format. This certificate will be later placed inside the NCCertificate.CR folder, details for which are included in the later sections.

Setting it up

This section covers the setup required for deploying the Gateway virtual machine.

Topology overview

The topology consists of four physical hosts, one Network Controller virtual machine, two tenant virtual machines, one Gateway virtual machine, one SLB MUX virtual machine and optionally one Router – BGP peer virtual machine. Most of these hosts and virtual machines would already be configured as part of Network Controller deployment.

You will need to deploy one additional VM for Gateway.

All the virtual machines require an operating system VHD. You can download the Windows Server 2016 Technical Preview ISO image from here .

Logical Networks

In addition to the Management, Back End, Front End and Public IP network that you already have configured, you will need the following network to deploy Gateway:
Network Name Subnet Mask VLAN ID on trunk Gateway Reservations (examples)
VIP : Subnet for GRE VIPs. 27 NA

Active Directory and DNS must also be available and reachable from this subnet.

Creating the GRE VIP logical network required for Gateway Deployment

You need an IP address pool for private VIPs and to assign virtual IP address to GRE endpoints. We will create a GRE VIP Logical network in order to specify IP address pool for GRE endpoints.
Create a GRE VIP Logical network
The GRE VIP network is a subnet that exists solely for defining VIPs that will be assigned to Gateway virtual machines running on your SDN fabric. This network does not need to be preconfigured in your physical switches or router and need not have a VLAN assigned.

  1. Start the Create Logical Network Wizard .

  2. Type a name and optional description for this network and click Next .

  3. On the Settings page, ensure you select One Connected Network . Optionally, you can also check Create a VM network with the same name box to allow virtual machines to access this logical network directly and the Managed by the Network Controller box then click Next .

  4. On the Network Site panel, add the network site information for your VIP subnet. This should include the Host Group and subnet information for your VIP network.

  5. Review the Summary information and complete the Logical Network wizard.

Create an IP pool for GRE VIP addresses
TIP While creating IP address pools for NC managed networks, you MUST use a value for Starting IP Address that is at least 4 IP addresses into the address range for the IP subnet. The Network Controller uses the first three IP addresses of the network range. For example, if your IP subnet is, you should use as your starting IP address.

  1. Right-click the GRE VIP logical network in VMM and select Create IP Pool from the drop down menu.

  2. Provide a name and optional description for the IP Pool and ensure that the VIP network is selected for the logical network. Click Next .

  3. Accept the default network site and click Next .

  4. Choose a starting and ending IP address for your range that contains the entire address range of your GRE VIP subnet.

  5. In the IP addresses reserved for load balancer VIPs box, type the entire IP addresses range in the subnet. This should match the range you used for starting and ending IP addresses.

  6. You do not need to provide gateway, DNS or WINS information as this pool is used to allocate IP addresses for VIPs only via the Network Controller, so skip these screens by clicking Next .

  7. Review the summary information and complete the wizard.

To deploy the logical switch to Edge host
You will already have an SDN logical switch available in your set up as part of Network Controller and SLB deployment.


Now you can proceed to deploy Gateway using VMM Service Template.
Download the service template
First, you need to download the Gateway service template from here and extract the contents to a folder on a local computer. You need to copy the contents to a folder on your VMM server or a file share that your VMM server has access to.
Add template resources to the VMM library
Before you import the Gateway service template you need to do the following:

NOTE You can skip these steps if you have already configured Software Load Balancer and have EdgeDeployment.CR and NCCertificate.CR imported in the library.

  1. Copy the .CER certificate that you previously created for the Network Controller to the NCCertificate.CR folder.

  2. Add the custom NCCertificate.CR and EdgeDeployment.CR custom resources to the VMM library.

Import the service template

  1. In VMM, navigate to Library .

  2. In the top of the left pane, in the Templates section, select Service Templates .

  3. In the ribbon at the top, click Import Template .

  4. Browse to your service template directory, select the EdgeServiceTemplate.1.0.xml file and click Next .

  5. This service template uses the following virtual machine configuration parameters. Update the parameters to reflect the configuration of your environment.

Configuration parameters:
Resource type Resource name and description
Library Resources Resource name : win_server.vhd

Description : Windows Server Virtual Hard Disk. Format can only be VHD.Prepare a VHD image from the earlier downloaded ISO image. You can use the same VHD which you have prepared for the Network Controller virtual machine.


Resource name : NCCertificate.cr

Description : A custom library resource that contains the trusted root certificate (.CER) for the Network Controller. This will be used for secure communications between the Network Controller and the Gateway instances.Map to the NCCertificate.cr library resource in your VMM library.


Resource Name : EdgeDeployment.cr

Description : A custom library resource that contains an SSL Certificate in .PFX format and the scripts required to install and configure RRAS.

Select the EdgeDeployment.cr library resource that you prepared earlier and imported into you VMM library.

6. Click Next .
7. On the Summary page, click Import .

Configure the deployment
To configure the deployment, complete the following:

1. Select the EdgeServiceTemplate service template and click Configure Deployment to begin. Type a name and choose a destination for the service instance. The destination must map to a Host Group that contains the hosts configured previously for Gateway deployment purpose.

2. In the Network Settings section, you must map the networks as follows:

Network Setting Value
Management Network Map this to your Management VM network

3. Click OK .

4. After you are done with mapping the destination and network settings, Click OK .

5. The Deploy Service dialog appears. It is normal for the virtual machine instances to initially be red. Click Refresh Preview to automatically find suitable hosts (from the destination you mapped earlier) for the virtual machine. This can be can be done manually if needed.

6. On the left side of the Configure Deployment window, there are a number of settings that you must configure. The table below summarizes each field:

Setting Requirement Description
AdminAccount Required Select a Run As account in your environment which will be used as the local Administrator on the Gateway virtual machines. The user name should be .\Administrator
Management Network Required Choose the Management VM Network that you created for host management.
SelfSignedConfiguration Required If you are using a self-signed certificate you created yourself, set this value to True . If you are using a certificate that has been assigned by an Enterprise CA or external Root CA, set this value to False .
MgmtDomainAccount Required Select a Run As account in your environment that will be used to prepare the Network Controller. This user must be a member of the management security group, specified below, which has privileges to manage the network controller.
MgmtDomainAccountName Required This must be the full username (including domain name) of the Run as account mapped to MgmtDomainAccount.Example: contoso\Username.

The domain username will be added to the Administrators group during deployment.

MgmtDomainAccountPassword Required Password for the management Run As account mapped to MgmtDomainAccount.
MgmtDomainFQDN Required Fully qualified domain name for the Active directory domain that the network controller virtual machines will join.Example: Contoso.com

Deploy the Gateway service
After you configure these settings, you can click Deploy Service to begin the service deployment job. Deployment times will vary depending on your hardware but are typically between 30 and 60 minutes. When the service deployment job has completed, verify that your service appears in the VMM console by completing the following:

  1. Open the VMs and Services workspace.

  2. Click Services in the ribbon.

  3. Verify that your Gateway service instance appears in the VM Network Information for Services window.

  4. Right-click the Gateway service and select Properties from the menu.

  5. Verify that the state is Deployed .

Configure the Gateway Manager Role
Now that the service is deployed, you can configure its properties.

  1. Open the Fabric workspace.

  2. Click Network Service to display the list of network services installed.

  3. Right-click your network controller service and select Properties .

  4. Click the Services tab and select the Gateway Manager role in the services panel.

  5. Find the Associated Service field under Service information and click Browse .

  6. Select the Gateway service instance you created earlier and click OK .

  7. Select Run As account that will be used by Network Controller to access Gateway VMs.

  8. In IPv4 frontend subnet , select the front end subnet that you have created (It is the Transit subnet).

  9. In GRE VIP subnet , select the VIP subnet that you created above.

  10. In Public IPv4 pool , select the Public IP Pool.

  11. For Public IPv4 address , provide an IP address from the above pool.

  12. Configure the Gateway capacity in the Gateway Capacity field.

  13. Configure the number of reserved nodes for back-up in Nodes for reserved for failures field .

  14. Click OK .

You should see that the jobs below have passed successfully in VMM’s job space:

The Service instance that you deployed is now associated with the Gateway Manager role, and you should see the Gateway virtual machine instance listed under the Gateway Manager role:

Configure and validate Gateway connection types

Once you have deployed Gateway using the Virtual Machine Manager template, you can configure a GRE tunnel and validate Gateway deployment with this tunnel.

To validate GRE connection tunnel:

  1. Choose one of the tenant virtual machines that has GRE tunneling enabled.

  2. Ensure that this virtual machine can ping the edge router IP with the CA IP address.

Manish Jha, Program Manager
Version history
Last update:
‎Mar 11 2019 10:29 AM
Updated by: