In this article, I will show you how to prepare your Windows 2016 bare metal server to be configured as an transport node in NSX-T and how to configure a NSX-T overlay segment on a Windows 2016 server bare metal server. By configuring your bare metal server as a transport node, you will be able to secure your workload with NSX-T.


  • The NSX kernel module for Windows Server 2016 bare metal – url
  • Ansible playbook version equal or greater than 2.5.0 (for Windows) or (for other platforms)
  • The BMS Ansible playbooks. (choose the branch that is compatible with your NSX-T version) – url
  • An overlay segment.
  • A Windows 2016 bare metal server with 4CPU and 16GB RAM.

Prepare the Windows 2016 bare metal server.

In order to secure a Windows 2016 bare metal server, we need to do some preparations. Let’s start by making sure that your Windows 2016 server is up-to-date. I experienced some strange behavior when I tried to add the bare metal server as a transport node in NSX-T. After upgrading the Windows 2016 server with the latest updates, I was able to successfully add the server as a transport node in NSX-T.

overlay build windows nsx-t
This was the build number of my Windows 2016 server

Install NSX-T Kernel module

We can now proceed with installing the NSX kernel module on the Windows Server 2016 bare metal server. Make sure to download NSX kernel module for Windows server 2016 with the same version of your NSX-T instance. Start the installation of the NSX kernel module by executing the .exe file.

overlay bare metal kernel module

Configure WinRM

We need to enable WinRM on the bare metal server to allow communication between third party software and hardware. VMware have already published a script to do so.

Open a Powershell prompt (run as administrator) and execute the following command:

wget -o ConfigureWinRMService.ps1

After successfully retrieving the Powershell script from the VMware GitHub, we can now execute the file to configure WinRM.

powershell.exe -ExecutionPolicy ByPass -File ConfigureWinRMService.ps1

According to the following documentation from VMware, we need to execute some manual WinRM commands to configure certain settings, but you can ignore that step because that has already been set by the ConfigureWinRMService.ps1 script.

Perform the following command to verify the configure WinRM listeners:

winrm e winrm/config/listener
configurewinrmservice.ps1 vkernelblog

Configure the bare metal server as a transport node in NSX-T

Create an uplink profile for the bare metal servers

Before we are going to add the bare metal server as a transport node, we need to create a new uplink profile that we are going to use for the bare metal servers.

The windows 2016 bare metal server is a VM in my test lab with 2 network adapters, one NIC in the management VLAN and the other one in a trunked portgroup.

nsx-t uplink profile
Note: In my test lab, tagging will be done on the uplink profile instead of the portgroup.

We can now proceed with adding the Windows 2016 bare metal server as transport node into NSX-T. In the NSX-T web GUI go to system –> Fabric –> Nodes and click on +ADD

add transport node
Click on +ADD

In the “Add Transport Node” wizard, add the required information from the Windows 2016 bare metal server and click on next.

bare metal transport node

On the next page of the “Add Transport Node” wizard, select the Transport Zone, Uplink Profile and IP Assignment and click on Next.

bare metal nsx-t windows 2016
nsx-t bug
Note: You might get the following error message in NSX-T when trying to populate the Physical NIC interface name:

NSX-T will start with preparing and configuring the Windows 2016 bare metal server. This could take a few minutes.

nsx-t bare metal overlay

If everything went fine, you will see success in the configuration state column. In Windows you will see that there are two extra NICs available that will be used for the VTEP and overlay network.

overlay windows nsx-t 2016

Configure the application interface with Ansible.

We will now configure the application interface with the Ansible playbooks that are available on GitHub. You need to have Ansible installed in your environment. In my case, I have Cygwin Terminal with Ansible installed, which I will run the Ansible playbooks with.

The only file you need to edit is the win_hosts file. You have 3 ways to configure the application interface.

  1. Static
    Enable static configuration on Application Interface;
  2. Dhcp
    Enable dhcp configuration on Application Interface;
  3. Migration
    This mode supports Management and Application sharing the same IP;
    Enable migration mode on Application Interface; Also named as “underlay mode” or “VLAN-0 mode”;

In my lab, I will use the static option to configure the application interface. In the example below, you will see a snippet of the win_hosts file. I defined the management IP of my bare metal server with the overlay segment name, IP address and netmask which it needs to have.

# host group for servers
[servers_static] ls_name=Mgmt-RegionA01-VXLAN static_ip= netmask=
ansible nsx-t
Running the Ansible playbook
ansible nsx-t overlay
The Ansible playbook task completed successfully

We are now going to verify the network configurations on the Windows 2016 bare metal server by running the following command:

Get-NetIPAddress | where-object{($_.AddressFamily -like "IPV4") -and ($_.InterfaceAlias -like "Eth*")}
windows nsx-t segment
We have three IP addresses as expected, one for the management, one for VTEP and one in the overlay segment.
ping nsx-t segment test
Pinging the gateway of my overlay segment.

Final words

You might not see your bare metal VTEP address in the transport node overview. According to VMware this is a bug in NSX-T. Another bug I ran into is that the routing table parameters in Ansible playbook were not working. So routing configurations must be manually configured on your bare metal server.

I hope that this article helps you a bit in securing your Windows 2016 bare metal server with NSX-T.