NSX-T Prevent Password Lockout for AVI ALB and Other Automation with Lockout-Immune Addresses

Preventing Administrator Account Lockout in NSX-T with Integrations

As an administrator, it’s crucial to ensure that your NSX-T environment remains secure and accessible at all times. However, if you have integrations that authenticate to NSX-T with the admin account and the administrator password has not been kept in sync between those integrations and NSX-T, you may find that the admin account gets locked out after five consecutive failed login attempts. This can cause significant downtime and hinder your ability to manage your environment effectively. In this blog post, we’ll explore how to prevent the admin account from getting locked out in such scenarios by adding the IP addresses of the endpoints that use NSX-T to the lockout_immune_addresses list.

Understanding Lockout Immune Addresses

Before we dive into the solution, it’s essential to understand what lockout immune addresses are and why they’re important. In NSX-T, the lockout_immune_addresses feature allows you to specify a list of IP addresses that will not be subject to account lockouts. This means that even if the admin account is locked out due to five consecutive failed login attempts, endpoints with IP addresses listed in the lockout immune addresses list will still be able to access the environment without any issues.

Adding Endpoints to Lockout Immune Addresses List

To add the IP addresses of the endpoints that use NSX-T to the lockout immune addresses list, you can use the NSX API with a tool such as the Postman client. Here’s a step-by-step guide on how to do this:

1. Start the Postman client and select the Authorization tab.

2. Enter the information for the admin account and password using Basic Auth.

3. On the Headers tab, set Content-Type: application/json.

4. Use the GET method against the NSX-T Manager API to retrieve the lockout immune addresses list. The URL should be: https://<nsx-manager>/api/v1/cluster/api-service, where <nsx-manager> is a placeholder for the address of your NSX-T Manager.

5. After a successful response, copy the full response body and edit it to add the endpoints’ IP addresses to the list.

6. Send the new security configuration to the local manager using the Postman PUT method.

Confirming Successful Response

Once you’ve added the endpoints to the lockout immune addresses list, it’s essential to confirm a successful response. To do this, follow these steps:

1. Send the new HTTP request using the Postman PUT method.

2. Confirm a successful response (“status: 200 OK”).
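
The same GET, edit, PUT sequence as a script. This is an added example, not part of the original post, and the function names and the sample response body are constructed for illustration. It accepts only single host addresses, because every address on this list is exempt from lockout on failed logins.

```python
import base64
import copy
import ipaddress
import json
import urllib.request

# Constructed sample of a GET /api/v1/cluster/api-service response body;
# the values are illustrative, not taken from a real manager.
SAMPLE = {
    "session_timeout": 1800,
    "connection_timeout": 30,
    "lockout_immune_addresses": ["192.0.2.10"],
    "_revision": 4,
}

def add_immune_addresses(current, new_ips):
    """Return the PUT body: the GET body with new_ips merged into the list."""
    body = copy.deepcopy(current)  # keep every other field, _revision included
    merged = list(body.get("lockout_immune_addresses", []))
    seen = {ipaddress.ip_address(a) for a in merged}
    for raw in new_ips:
        # ip_address() raises ValueError for CIDR ranges and hostnames
        ip = ipaddress.ip_address(raw.strip())
        if ip.is_unspecified or ip.is_loopback or ip.is_multicast:
            raise ValueError(f"not a single host address: {ip}")
        if ip not in seen:
            seen.add(ip)
            merged.append(str(ip))
    body["lockout_immune_addresses"] = merged
    return body

def update_manager(host, user, password, new_ips):
    """Steps 4-6 against a live manager; returns the PUT status code."""
    url = f"https://{host}/api/v1/cluster/api-service"
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    headers = {"Authorization": f"Basic {token}",
               "Content-Type": "application/json"}
    # urllib verifies the manager's TLS certificate by default
    with urllib.request.urlopen(urllib.request.Request(url, headers=headers)) as r:
        current = json.load(r)
    data = json.dumps(add_immune_addresses(current, new_ips)).encode()
    put = urllib.request.Request(url, data=data, headers=headers, method="PUT")
    with urllib.request.urlopen(put) as r:
        return r.status  # 200 on success

if __name__ == "__main__":
    # Offline demonstration on the constructed sample
    print(json.dumps(add_immune_addresses(SAMPLE, ["192.0.2.20"]), indent=2))
```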

Conclusion

In conclusion, adding endpoints utilizing NSX-T with their IP addresses to the lockout immune addresses list can help prevent the admin account from getting locked out due to five consecutive failed login attempts. By following the steps outlined in this blog post, you can ensure that your environment remains secure and accessible at all times. Remember to update the administrator password in any integrations using the admin account to avoid any potential security risks.

About the Author

Jimmy Mankowitz is a seasoned IT professional with expertise in VMware NSX-T and Cloud Foundation Deployment. He has recently passed the certification for VMware by Broadcom Certified Specialist – VMware Cloud Foundation Deployment 2024 and has a deep understanding of the latest NSX-T features and best practices.