VMware Cloud Foundation 9 Offline Depot Installation and configuration
Introduction
For dark / disconnected VCF Deployments it has been quite a challenge for some time to import files to SDDC Manager and vRSLCM. This changed with the Offline Depot introduction in VCF 5.2 and got even better with VMware Cloud Foundation 9. In this release you can setup a Unified Offline Depot, hosting the install and update files for all components. The Unified Depot is a combination of UMDS and the VCF Download Tool (VCFDT), previously known as Offline Bundle Transfer Utility (OBTU).
The Unified Depot can be used during in the VCF Installer during deployment and afterwards for updates from SDDC Manager and VCF Operations Fleet.
A high level logical overview of the patch downloads
I have deployed a fresh VCF 9.0.0.0 environment with an Offline Depot and share my findings in this blog, separated by the following paragraphs.
- Webserver Installation and configuration
- Ubuntu setup
- Webserver (Apache) setup
- VCFDT and UMDS installation
- VCFDT configuration and downloads
- UMDS configuration and downloads
- VCF Installer configuration
- Post VCF deploy configuration of Offline Depot
- Appendix
- Troubleshooting
- Offline depot webserver directory tree
- vcfdt commands and options
Webserver installation and configuration
Ubuntu setup
I choose Ubuntu 22.04 (“Jammy Jellyfish”) as platform for the offline depot and deployed this from the current ova file from the Ubuntu Cloudimages repository [link]. During ova deployment you can only configure the hostname (fqdn) and configure a password which you are forced to change the first time you login. After this was completed, I followed the steps below.
- Configure Static IP Address
- Configure SSH
- Install packages and update the System
- Configure NFS Client and mount NFS share (optional)
- Install & Configure Apache
Configure static IP Address
To configure a static IP address, disable cloud-init networking by creating a file /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg
Content of the file:
network: {config: disabled}Create and edit a new Network configurationfile /etc/netplan/50-cloud-init.yaml with content:
network:
version: 2
renderer: networkd
ethernets:
ens192:
addresses:
- 172.16.1.115/24
nameservers:
addresses : [172.16.1.11, 172.16.1.12]
search: [infrajedi.local]
routes:
- to: default
via: 172.16.1.1Test/apply network configuration can be done with netplan command: netplan apply or by restarting networkd en resolved:
systemctl restart systemd-networkd.service
systemctl restart systemd-resolved.serviceConfigure hostname
During ova deployment, I have configured my hostname as depot9.infrajedi.local. You can check the hostname with one of the following commands: hostname, hostname -f, hostnamectl
If you want to change the hostname, you can use the hostnamectl command:
hostnamectl set-hostname depot9.infrajedi.localConfigure SSH
To make it possible to login with a username and password, edit the /etc/ssh/sshd_config file for the SSH service configuration. Change the below parameters as follows:
StrictModes no
PasswordAuthentication yesAdd the line:
ChallengeResponseAuthentication yesRestart the sshd service with command systemctl restart sshd
Test if you can ssh to the server with username ubuntu and the password you have configured.
Install tools and update the system
Install the jq (for json export) and nfs-common (if you use an NFS share on your depot server) packages and update the Ubuntu OS:
apt install jq
apt install nfs-common
apt update && apt upgradeWebserver (Apache) setup
Create webserver certificate
Generate a self-signed certificate for apache with the openssl command below (one line):
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -subj "/CN=depot9.infrajedi.local" -keyout /etc/ssl/private/depot9.key -out /etc/ssl/certs/depot9.crtNote the location and filenames of the private key and certificate.
- Private key:
/etc/ssl/private/depot9.key - Certificate:
/etc/ssl/certs/depot9.crt
Optional: download / export the private key and certificate for later use on the VCF Installer and or SDDC Manager appliance.
Install Apache
Install the Apache webserver with the apt command:
apt install apache2Test the webpage in your browser (should show Ubuntu Apache2 Default Page).
Create a directory to store the offline depot files with the mkdir command:
mkdir -p /var/www/offline_depot
mkdir -p /var/www/offline_depot/umds-patch-storeNote: the name of the umds-patch-store directory is hardcoded!
To make the depot work with SDDC Manager, you have to setup basic authentication and create credentials. Add a basic auth user with the htpasswd command:
htpasswd -c /etc/apache2/.htpasswd vcfNote: I have chosen vcf as username, but it can be anything you prefer.
Create a configuration file /etc/apache2/sites-available/offline_depot.conf for the offline_depot website. Contents of the file:
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerAdmin webmaster@example.com
ServerName depot9.infrajedi.local
DocumentRoot /var/www/offline_depot
SSLEngine on
SSLCertificateFile /etc/ssl/certs/depot9.crt
SSLCertificateKeyFile /etc/ssl/private/depot9.key
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
<Directory "/var/www/offline_depot">
AuthType Basic
AuthName "Restricted Content"
AuthUserFile /etc/apache2/.htpasswd
Require valid-user
</Directory>
<Directory "/var/www/offline_depot/umds-patch-store">
Require all granted
</Directory>
Alias /products/v1/bundles/lastupdatedtime /var/www/offline_depot/PROD2/vsan/hcl /lastupdatedtime.json
Alias /products/v1/bundles/all /var/www/offline_depot/PROD2/vsan/hcl/all.json
Alias /Compatibility/VxrailCompatibilityData.json /var/www/offline_depot/PROD2/e vo/vmw/Compatibility/VxrailCompatibilityData.json
</VirtualHost>
</IfModule>Note the 2 different Directory entries and references to the password and certificate files. The document root is /var/www/offline_depot . Different settings are used for this directory (requires basic authentication) and the /var/www/offline_depot/umds-patch-store directory (all granted)
Enable the offline_depot site and ssl module with commands:
a2enmod ssl
a2ensite offline_depotTest the apache configuration with command: apachectl configtest
Restart the apache service with command: systemctl restart apache2
Test the umds website in the browser: https://depot9.infrajedi.local/umds-patch-store
- -> Your browser should not show a popup (example below shows dir with content)
Test the offline-depot website in the browser: https://depot9.infrajedi.local
- -> Your browser should show a popup, requesting a username / password (as configured with the htpasswd command). Screenshot below shows popup and results with content (after downloading umds and VCF updates). You can also see the KB414456 files (see VCF Installer section).
Configure NFS Client and mount NFS share (optional)
This is an optional step if you want to store the depot files on a NFS share. I have create a share called vcf9depot on my NAS. Test if you can mount the NFS share to the offline depot website directory:
mount 192.168.1.20:/vcf9depot /var/www/offline_depotTo make the mount permanent edit add the mountpoint to the /etc/fstab file. Contents of the /etc/fstab file:
LABEL=cloudimg-rootfs / ext4 discard,errors=remount-ro 0 1
LABEL=UEFI /boot/efi vfat umask=0077 0 1
192.168.1.20:/vcf9depot /var/www/offline_depot nfs auto,nofail,noatime,nolock,intr,tcp,actimeo=1800 0 0Note: for UMDS to work correctly, you may want to create the /var/www/offline_depot/umds-patch-store directory after mounting the share (so the umds-patch-store directory is created only on the NFS share)
VCF Download Tool and UMDS installation
VCFDT replaces the VCF Offline Bundle Transfer utility (OBTU). Download the vcf-download-tool-9.0.0.0100.24880038.tar.gz file from the Broadcom portal, copy to /home/ubuntu/vcfdt and extract the tar file. The VCFDT package includes the UMDS installation files (vmware-umds-distrib). Results:
Install UMDS from the /home/ubuntu/vcfdt/bin directory:
./vcf-download-tool umds installOutput:
Instructions for configuration and downloads follow below.
VCFDT configuration and downloads
Create a file /home/ubuntu/downloadtoken.txt (any name should go) and add the Broadcom download token in that file.
The VCF Download Tool has may parameters that can be used, but to download all VCF installation files for a specific version use:
./vcf-download-tool binaries download --depot-download-token-file=/home/ubuntu/downloadtoken.txt --depot-store=/var/www/offline_depot --vcf-version=9.0.0 --type=INSTALLOutput:
UMDS configuration and downloads
Configure the patch download location.
Note again the directory “umds-patch-store” under the webserver root directory.
./vcf-download-tool umds run -S --patch-store /var/www/offline_depot/umds-patch-store/Output:
*********Welcome to VMware Cloud Foundation Download Tool***********
Version: 9.0.0.0100.24880038
Setting up UMDS configuration
Directory for storing downloaded updates: /var/www/offline_depot/umds-patch-store/
Directory /var/lib/vmware-umds is no longer used as the patch store. You may want to delete its contents or move it to the new location /var/www/offline_depot/umds-patch-store/
**********************************************
Command SUCCEEDED
**********************************************
Log file: /home/ubuntu/vcfdt/log/vdt.logSet the download token
./vcf-download-tool umds run -S --add-entitlement-token abcDEFghi987123VMbc*********Welcome to VMware Cloud Foundation Download Tool***********
Version: 9.0.0.0100.24880038
Setting up UMDS configuration
**********************************************
Command SUCCEEDED
**********************************************Disable all ESX versions
./vcf-download-tool umds run -S --disable-hostOutput
*********Welcome to VMware Cloud Foundation Download Tool***********
Version: 9.0.0.0100.24880038
Setting up UMDS configuration
Host update downloads for platform esxio-8.0-INTL: Disabled
Host update downloads for platform esxio-9.0-INTL: Disabled
Host update downloads for platform esxio-9.0-INTL: Disabled
Host update downloads for platform embeddedEsx-7.0-INTL: Disabled
Host update downloads for platform embeddedEsx-8.0-INTL: Disabled
Host update downloads for platform embeddedEsx-9.0-INTL: Disabled
Host update downloads for platform embeddedEsx-9.0-INTL: Disabled
Host update downloads: Disabled
**********************************************
Command SUCCEEDED
**********************************************Enable only ESX 9 downloads:
./vcf-download-tool umds run -S -e embeddedEsx-9.0-INTL*********Welcome to VMware Cloud Foundation Download Tool***********
Version: 9.0.0.0100.24880038
Setting up UMDS configuration
Host update downloads for platform embeddedEsx-9.0-INTL: Enabled
Host update downloads for platform embeddedEsx-9.0-INTL: Enabled
**********************************************
Command SUCCEEDED
**********************************************Check final UMDS configuration
./vcf-download-tool umds run -G*********Welcome to VMware Cloud Foundation Download Tool***********
Version: 9.0.0.0100.24880038
Configured URLs
URL Type Removable URL
HOST NO https://dl.broadcom.com/abcDEFghi987123VMbc/PROD/COMP/ESX_HOST/main/vmw-depot-index.xml
HOST NO https://dl.broadcom.com/abcDEFghi987123VMbc/PROD/COMP/ESX_HOST/addon-main/vmw-depot-index.xml
HOST NO https://dl.broadcom.com/abcDEFghi987123VMbc/PROD/COMP/ESX_HOST/iovp-main/vmw-depot-index.xml
HOST NO https://dl.broadcom.com/abcDEFghi987123VMbc/PROD/COMP/ESX_HOST/vmtools-main/vmw-depot-index.xml
No Default URLs Configured
Patch store location : /var/www/offline_depot/umds-patch-store/
Export store location :
Proxy Server : Not configured
Host patch content download: enabled
Host Versions for which patch content will be downloaded:
embeddedEsx-9.0-INTL
embeddedEsx-9.0.0-INTL
Log file: /home/ubuntu/vcfdt/log/vdt.logDownload Updates
./vcf-download-tool umds run vmware-umds -DOutput
2025-11-11T21:19:19.622Z info vmware-downloadService[05565] [Originator@6876 sub=HostUpdateDepotManager] [patchDepotManager 2397] UMDS: The VVS consolidated ZIP file is written to: /var/www/offline_depot/umds-patch-store/vvs/vvs-consolidated-bundle.zip
**********************************************
Downloaded 172 updates, download size: 4515 MB.
Command SUCCEEDED
**********************************************VCF Installer configuration
I used the newer VCF 9.0.1.0 Installer, but to be able to deploy VCF 9.0.0.0, I had to follow [KB414456] – VCF 9.0.0 Deployment fails with VCF Installer 9.0.1. Otherwise you will run into an issue: “Failed Configure the vSphere cluster with error: NSX install image validation failed for NSX Version – 9.0.1.0.24952111”
Import webserver certificate to VCF Installer
With the Offline Depot installed and configured you can now point the VCF Installer to it. Unfortunately, there is no “accept certificate” option in the UI, so you have to import the offline depot certificate in the VCF Installer through SSH manually. See my previous [blogpost] on how to do that.
Configure VCF for Offline Depot after deployment
If the VCF Installer was deployed in the Management Cluster, Offline depot is automatically configured. However if you use the VCF Installer from outside the VCF Cluster, it stays as a standalone appliance and in this case you have to configure the Offline Depot in two places from VCF Operations.
The first location is in Fleet management, Lifecycle, VCF Management -> Depot Configuration.
The second location is in Fleet management, Lifecycle, VCF Instances, <VCF Instance) -> Depot Configuration. This is in fact the SDDC Manager appliance, which in my case is not the converted VCF Installer. Hence you need to import the depot certificate in SDDC Manager, as described in the paragraph above.
Overview in vCenter
SDDC Manager is automatically added as Download Source for vCenter Lifecycle Manager. SDDC Manager runs UMDS to pull from the offline depot. The url vCenter is configured with is https://sddcmanagerfqdn/vmware/vcf/umds/patch-store/hostupdate/__hostupdate20-consolidated-index__.xml
Appendix
Troubleshooting
Besides the basic network connectivity troubleshooting between offline depot and SDDC Manager and vCenter, you can check these specific logs:
On SDDC Manager: If the Offline Depot in SDDC Manager is configured and the SDDC Manager Download Source is not working, check the logfile /var/log/vmware/vmware-updatemgr/umds/vmware-downloadService.log
If you see any errors, verify the url with a simple wget to get additional information for troubleshooting.
Another approach would be to have a look at the access.log on the Apache webserver to see what is being tried to get downloaded from SDDC Manager. See an example here (where 172.16.11.160 is the SDDC Manager):
172.16.11.160 - - [12/Nov/2025:10:14:39 +0000] "GET /umds-patch-store/hostupdate/vmw/VMW-ESXi-9-IOVP-cumulative_metadata.zip HTTP/1.1" 200 38729 "-" "-"
172.16.11.160 - - [12/Nov/2025:10:14:39 +0000] "GET /umds-patch-store/hostupdate/vmw/vmw-ESXi-9-vmtools-13.0-metadata.zip HTTP/1.1" 200 32945 "-" "-"
172.16.11.160 - - [12/Nov/2025:10:14:40 +0000] "GET /umds-patch-store/hostupdate/vmw/vmw-ESXi-9.0-metadata.zip HTTP/1.1" 200 1498495 "-" "-"
172.16.11.160 - - [12/Nov/2025:10:14:41 +0000] "GET /umds-patch-store/vvs/vvs-consolidated-bundle.zip HTTP/1.1" 200 1264376 "-" "-"On vCenter: vCenter should be automatically configured to retrieve ESX updates from SDDC Manager. Check the /var/log/vmware/vmware-updatemgr/vum-server/vmware-vum-server.log file for any issues. You can trigger a download from SDDC Manager, by clicking “Sync Updates” in vSphere Lifecycle Manager (vLCM). You may also want to check if the preconfigured internet download sources are disabled.
Offline depot webserver directory tree
tree command from /var/www/offline_depot (Containing 9.0.0.0 Installation and 9.0.1.0 Installation and upgrade binaries)
.
├── PROD
│ ├── COMP
│ │ ├── ESX_HOST
│ │ │ ├── VMware-VMvisor-Installer-9.0.0.0.24755229.x86_64.iso
│ │ │ └── VMware-VMvisor-Installer-9.0.1.0.24957456.x86_64.iso
│ │ ├── NSX_T_MANAGER
│ │ │ ├── VMware-NSX-T-9.0.0.0.24733065.vlcp
│ │ │ ├── VMware-NSX-T-9.0.1.0.24952114.vlcp
│ │ │ ├── VMware-NSX-upgrade-bundle-9.0.1.0.0.24952111-pre-check.pub
│ │ │ ├── VMware-NSX-upgrade-bundle-9.0.1.0.0.24952111.mub
│ │ │ ├── nsx-unified-appliance-9.0.0.0.24733065.ova
│ │ │ └── nsx-unified-appliance-9.0.1.0.24952114.ova
│ │ ├── SDDC_MANAGER_VCF
│ │ │ ├── Compatibility
│ │ │ │ └── VmwareCompatibilityData.json
│ │ │ ├── VCF-SDDC-Manager-Appliance-9.0.0.0.24703748.ova
│ │ │ ├── VCF-SDDC-Manager-Appliance-9.0.1.0.24962180.ova
│ │ │ └── VCF-SDDC-Manager-Appliance-Upgrade-9.0.1.0.24962180.tar
│ │ ├── VCENTER
│ │ │ ├── VMware-VCSA-all-9.0.0.0.24755230.iso
│ │ │ ├── VMware-VCSA-all-9.0.1.0.24957454.iso
│ │ │ ├── VMware-vCenter-Server-Appliance-9.0.1.0.24957454-updaterepo.zip
│ │ │ └── VMware-vCenter-Server-Appliance-9.0.1.0.24957454_OVF10.ova
│ │ ├── VCFDT
│ │ │ ├── vcf-download-tool-9.0.0.0100.24880038.tar.gz
│ │ │ └── vcf-download-tool-9.0.1.0.24962179.tar.gz
│ │ ├── VCF_OPS_CLOUD_PROXY
│ │ │ ├── Operations-Cloud-Proxy-9.0.0.0.24695833.ova
│ │ │ └── Operations-Cloud-Proxy-9.0.1.0.24960349.ova
│ │ ├── VIDB
│ │ │ ├── vidb-external-9.0.0.0.24695128.tar
│ │ │ └── vidb-external-9.0.1.0.24941398.tar
│ │ ├── VMRC
│ │ ├── VMTOOLS
│ │ ├── VRA
│ │ │ └── vmsp-vcfa-combined-9.0.1.0.24965341.tar
│ │ ├── VRLI
│ │ │ ├── Operations-Logs-Appliance-9.0.0.0.24695810.ova
│ │ │ ├── Operations-Logs-Appliance-9.0.1.0.24960345.ova
│ │ │ └── Operations-Logs-Appliance-9.0.1.0.24960345.pak
│ │ ├── VRO
│ │ │ ├── O11N_VA-9.0.0.0.24674408.ova
│ │ │ └── O11N_VA-9.0.1.0.24923009.ova
│ │ ├── VROPS
│ │ │ ├── Operations-Appliance-9.0.0.0.24695812.ova
│ │ │ ├── Operations-Appliance-9.0.1.0.24960351.ova
│ │ │ └── Operations-Upgrade-9.0.1.0.24960352.pak
│ │ └── VRSLCM
│ │ ├── VCF-OPS-Lifecycle-Manager-9.0.1.0.24960371.patch
│ │ ├── VCF-OPS-Lifecycle-Manager-Appliance-9.0.0.0.24695816.ova
│ │ └── VCF-OPS-Lifecycle-Manager-Appliance-9.0.1.0.24960371.ova
│ ├── metadata
│ │ ├── manifest
│ │ │ └── v1
│ │ │ ├── vcfManifest.json
│ │ └── productVersionCatalog
│ │ └── v1
│ │ ├── productVersionCatalog.json
│ │ └── productVersionCatalog.sig
│ └── vsan
│ └── hcl
│ └── lastupdatedtime.json
├── umds-patch-store
│ ├── hostupdate
│ │ ├── CIS
│ │ ├── DEL
│ │ ├── HPE
│ │ └── vmw
│ ├── version.txt
│ └── vvs
│ └── vvs-consolidated-bundle.zip
vcfdt commands and parameters
From /home/ubuntu/vcfdt/bin/
List all available bundles (Install and upgrades) for VCF 9.0.1./vcf-download-tool binaries list --depot-download-token-file=/home/ubuntu/downloadtoken.txt --vcf-version=9.0.1
List all available Install bundles for VCF 9.0.1./vcf-download-tool binaries list --depot-download-token-file=/home/ubuntu/downloadtoken.txt --vcf-version=9.0.1 --type=INSTALL
List all available Patch (upgrade) bundles for VCF 9.0.1./vcf-download-tool binaries list --depot-download-token-file=/home/ubuntu/downloadtoken.txt --vcf-version=9.0.1 --type=UPGRADE
Download only SDDC Manager Upgrade bundle./vcf-download-tool binaries download --depot-download-token-file=/home/ubuntu/downloadtoken.txt --depot-store=/var/www/offline_depot --vcf-version=9.0.1 --type=UPGRADE --component=SDDC_MANAGER_VCF
Download only Upgrade Bundles for components that are managed through SDDC Manager (ESX, vCenter, NSX, SDDC Manager)./vcf-download-tool binaries download --depot-download-token-file=/home/ubuntu/downloadtoken.txt --depot-store=/var/www/offline_depot --vcf-version=9.0.1 --type=UPGRADE --lifecycle-managed-by=SDDC_MANAGER_VCF
Download only Upgrade Bundles for components that are managed through VRSLCM (VIDB, VROPS, VRA, VRLI, VRSLCM, VRNI)./vcf-download-tool binaries download --depot-download-token-file=/home/ubuntu/downloadtoken.txt --depot-store=/var/www/offline_depot --vcf-version=9.0.1 --type=UPGRADE --lifecycle-managed-by=VRSLCM
Download only Upgrade Bundles for self-managed components (VRO, HCX, VSAN FILE SERVICE, VMTOOLS, VCFDT)./vcf-download-tool binaries download --depot-download-token-file=/home/ubuntu/downloadtoken.txt --depot-store=/var/www/offline_depot --vcf-version=9.0.1 --type=UPGRADE --lifecycle-managed-by=self
Download separate component bundles
./vcf-download-tool binaries download --depot-download-token-file=/home/ubuntu/downloadtoken.txt --depot-store=/var/www/offline_depot --vcf-version=9.0.1 --type=UPGRADE --component=VROPS
./vcf-download-tool binaries download --depot-download-token-file=/home/ubuntu/downloadtoken.txt --depot-store=/var/www/offline_depot --vcf-version=9.0.1 --type=UPGRADE --component=VCF_OPS_CLOUD_PROXY
./vcf-download-tool binaries download --depot-download-token-file=/home/ubuntu/downloadtoken.txt --depot-store=/var/www/offline_depot --vcf-version=9.0.1 --type=UPGRADE --component=VRSLCM
./vcf-download-tool binaries download --depot-download-token-file=/home/ubuntu/downloadtoken.txt --depot-store=/var/www/offline_depot --vcf-version=9.0.1 --type=UPGRADE --component=VCENTER
./vcf-download-tool binaries download --depot-download-token-file=/home/ubuntu/downloadtoken.txt --depot-store=/var/www/offline_depot --vcf-version=9.0.1 --type=UPGRADE --component=VRLI
./vcf-download-tool binaries download --depot-download-token-file=/home/ubuntu/downloadtoken.txt --depot-store=/var/www/offline_depot --vcf-version=9.0.1 --type=UPGRADE --component=NSX_T_MANAGER
./vcf-download-tool binaries download --depot-download-token-file=/home/ubuntu/downloadtoken.txt --depot-store=/var/www/offline_depot --vcf-version=9.0.1 --type=UPGRADE --component=VIDB
References
KB Articles
327186 – Public URL list for SDDC Manager
Documentation
VCF Download Tool Update Manager Download Service (UMDS) Commands
