Tuesday, December 26, 2017

App Volumes Connection

Recently I did a few Horizon proof-of-concept deployments and encountered a connection issue with App Volumes.
Here is how I resolved the App Volumes agent error message "Virtualization is disabled".

Do note that this is based on version 2.12.

This error message appears when the App Volumes agent is not able to communicate with the App Volumes Manager.

During installation of the agent and the manager, you choose whether the connection is secure (SSL) or not. You MUST choose the same type of connection on both sides. If this was done inconsistently, it is often the cause of this problem.

Here I will show you how to first confirm that the connection type is the same on the manager and the agent, and how to change it if it is not.

Agent
To check whether SSL is enabled on the agent, go to the VM that has the agent installed and follow the instructions stated here.

Manager
For the App Volumes Manager, this is not as straightforward.
Refer to this document.

If you want to disable the secure connection, make sure you paste the text into the file as documented above.

If you are using a self-signed certificate in a default installation and want to enable the secure connection after installing on HTTP, you can follow this KB.

Tuesday, October 17, 2017

ESXi 6.5 U1 Host Client Login Issue

Today I did a fresh installation of ESXi 6.5 U1 and set the root password during the installation.

After everything was working, with an IP address, DNS and gateway assigned, we tried to access the Host Client using IE 11.

I encountered the message "cannot complete login due to an incorrect user name or password". I thought I might have entered the wrong password, so I typed it in Notepad and copied and pasted it. The same error message appeared on both servers.

I did some searching but never found anyone with the same issue, other than an old post about ESXi 6.0 with the old vSphere Client. I decided to try one of the methods.

I went down to both servers, used the DCUI and selected the Change Password option, setting the same password again. Voilà! The Host Client works now.

Very strange behaviour. Apparently the Host Client did not register the password set during installation.

I hope this helps those encountering the same issue.

Tuesday, October 10, 2017

VMware ROBO License

Recently there was some discussion about licensing in the Facebook vExpert group.

One of the users asked about licensing 3 hosts, each placed at a different location. He wants to be able to take snapshots and monitor the health of the ESXi hosts, and he intends to add a fourth host in future. He was also told by the account executive that vSphere Essentials cannot meet this requirement.

Let me explain some of the information that might not be clear enough.

The vSphere Essentials and Essentials Plus kits are bundles that come with vCenter Server Essentials (which is not available for sale on its own) and vSphere Essentials/Essentials Plus licensing. vCenter Server Essentials can only manage up to three ESXi servers. The vSphere Essentials kit allows you to license up to 3 hosts or 6 CPUs, whichever comes first, but you cannot license more than 3 hosts even if each has only 1 CPU, because vCenter Essentials can only manage up to 3 ESXi hosts. Also, the licensing does not allow you to manage these hosts with vCenter Server Standard edition.

Check out the site here for comparison including ROBO licenses.

vSphere ROBO comes in packs of 25 VMs, in two editions: Standard and Advanced. Just check out the comparison above. 25 VMs might seem like quite a number, but you are allowed to split the license into smaller amounts via the license portal. This means you can deploy a vSphere ROBO license across multiple remote sites, up to a maximum of 25 VMs per site declared as ROBO.

In this way, customers do not need to buy vSphere Essentials/Essentials Plus, the cheapest kit available, for a remote site. vSphere ROBO licensing helps many customers save on cost.

I hope this explains and gives you a better understanding of where vSphere ROBO licensing applies and how to use it.


Tuesday, October 3, 2017

VMware vSAN 2017 Specialist

There are two specialist certifications released by VMware, namely vRealize Operations and vSAN.

Recently I attempted the vSAN Specialist exam. Before we go into it, let us see what the requirements to take this exam are.

You need a valid VCP 6.x on any track. There is no course requirement, but the vSAN Deploy and Manage course is recommended.

There is only a digital badge when you pass; there is no certification for this exam. The exam code is 2VB-601: VMware Specialist: vSAN 6.x Exam.

Do check out the exam guide. However, the guide does not indicate the exam duration or the number of questions. From what I encountered, there were 60 questions in total, and the time is similar to the VCP at about 240 minutes. The cost for me was SGD363 (this might differ in other countries).

You are required to know everything about vSAN from 6.0 to the latest version, currently 6.6. Everything in these versions may be tested. It is good to understand the concepts and fundamentals of the technology as well as all the features that have been released since.

Personally, I felt the exam was neither too easy nor too tough to pass. It really targets someone who understands vSAN to a certain level. If you are merely reading feature lists without knowing how vSAN really works, this exam will be tough for you.

Once you pass, you will receive a notice the very next day with your digital badge, like mine.

Good luck to those attempting.

Wednesday, September 20, 2017

vRealize Suite Lifecycle Manager 1.0

A release note came out today for something known as vRealize Suite Lifecycle Manager 1.0. What is this software about?

VMware has a bundle known as vCloud Suite. Here is a breakdown of what is in vCloud Suite.
vCloud Suite comprises two things: vRealize Suite + vSphere Enterprise Plus.

vRealize Suite (depending on Editions) will consist of some or all of the below:
  • vRealize Automation
  • vRealize Business
  • vRealize Operations Manager
  • vRealize Log Insight

vSphere (depending on edition) will consist of some or all of the below:
  • vCenter Standard (purchase separately)
  • ESXi
  • vSphere Replication
  • vSphere Data Protection (last major edition)
  • vSphere Big Data Extension

Looking at the above, you start to see that installing and managing upgrades is a big, tedious process, with lots of planning and double- and triple-checking of the compatibility matrix.

So here comes vRealize Suite Lifecycle Manager. It handles the deployment and patching of the vRealize Suite components you own, covering your Day 0 to Day 2 tasks, which relieves admins of a ton of work. This assumes the infrastructure (vSphere, vSAN, NSX) is already deployed.

Check out this blog post on vRSLCM. You can download it here.

Tuesday, September 19, 2017

Questions on vSphere Enterprise Edition

Recently I have been getting a lot of questions about vSphere Enterprise Edition and some confusion around it.

The reason for these questions is that VMware announced the end of availability (EOA) of vSphere Enterprise Edition on 9th Feb. This means that if you want to purchase vSphere Enterprise, it is no longer available; you are left with only 3 options: vSphere Standard, vSphere Enterprise Plus or vSphere with Operations Management Enterprise Plus (vSOM) (excluding the small kits, e.g. vSphere Essentials, etc.).

What will happen to vSphere Enterprise in terms of support?
Support will still be valid until March 2020, as long as your support and maintenance is still valid.

Can I upgrade/downgrade my existing vSphere Enterprise to a valid edition?
You can only upgrade, not downgrade. In this case, you can only move up to vSphere Enterprise Plus or vSphere with Operations Management Enterprise Plus (vSOM).

I am currently on vSphere 6.0 Enterprise or below; can I still upgrade to 6.5 since there is no Enterprise Edition?
Yes, you can still upgrade your license in the license portal as long as you are on a valid subscription. What you will get is vSphere 6.5 Enterprise Edition. Although this edition is not sold, existing customers who perform an upgrade will still see it.

Moving forward, if I purchase new vSphere it will be a different edition; can I mix them in the same cluster?
You can mix different editions of vSphere in the same cluster; however, only the features of the lowest edition will be available. It is always strongly recommended to use the same edition throughout a cluster to avoid losing features or running into issues due to mixed editions.

Saturday, September 16, 2017

VMware Security Advisories

If you are new to VMware or not aware, VMware has a Security Advisories page that publishes any new vulnerabilities found in any of its products, including VMware Fusion and Workstation.

In fact, to keep yourself updated, it is good to subscribe to these notices. Just head over to the page to subscribe.

Just yesterday, 15th Sept, there was a critical vulnerability notice affecting ESXi 6.5 (not Update 1).

It is always good to stay up to date and apply such critical patches as soon as you can.

Tuesday, September 5, 2017

VMware License Is the Latest Version: What If I Need a Version or More Behind?

I get this question so often that I decided to clear it up.

With any ISV or software vendor, the license you receive for purchased software will always be for the latest version. The same applies to any VMware product.

You wouldn't want to buy something from the market and find that it is a year old, right?

So what if your environment is running an older version and, when you want to scale, the new licenses you acquire are for a newer version than yours?

Don't worry, you can always go to your VMware license portal and select the number of licenses that you want to downgrade. The versions available are the product versions that are still supported.

You can also upgrade your older version of the product to a later or the latest version as long as your licenses are still under Support & Subscription (SnS).

At the time of writing, vSphere 5.5 is still supported, so the lowest version available is 5.5. This is also a reminder never to run an out-of-support version of any software in your environment, as you will not be able to scale and will have no support at the same time.

Thursday, August 31, 2017

VMWorld 2017 Updates

Catch up with all these articles with the announcement page.

Day 1

VMware Cloud on AWS
It is now LIVE!
https://www.vmware.com/company/news/releases/vmw-newsfeed.VMware-and-AWS-Announce-Initial-Availability-of-VMware-Cloud-on-AWS.2184706.html

AppDefense
Beyond the micro-segmentation NSX provides, with AppDefense you can identify misbehaviour in your VMs and act on it if you have NSX for distributed enforcement.
https://blogs.vmware.com/networkvirtualization/2017/08/introducing-vmware-appdefense-expanding-beyond-micro-segmentation-threat-detection-response.html

NSX-T 2.0
Extends support to VMs and containers alike, and to AWS workloads. Supports both vSphere and KVM.
https://blogs.vmware.com/networkvirtualization/2017/08/nsx-t-2-0.html/


OpenStack 4.0
Support for multiple vCenter Servers and containers is one of the key release features.
https://blogs.vmware.com/openstack/vmware-integrated-openstack-4-0/


Simplified Management of VMware Cloud on AWS with vRealize Operations
Extends vRealize Operations to monitor VMware Cloud on AWS.
https://blogs.vmware.com/management/2017/08/simplified-management-vmware-cloud-aws-vrealize-operations.html

vRealize Network Insight 3.5
Three things included are IPFIX integration, a new NSX Edge dashboard and a PCI Compliance dashboard.
https://blogs.vmware.com/management/2017/08/vrealize-network-insight-3-5.html

vCloud Director 9.0
New HTML5 UI for end users to consume services. A migration tool for moving workloads between on-prem and off-prem.
https://blogs.vmware.com/vcloud/2017/08/vmware-announces-new-vcloud-director-9-0.html


Day 2

VMware & Pivotal Collaboration with Google Cloud Kubernetes to Enterprise
https://www.vmware.com/company/news/releases/vmw-newsfeed.VMware-and-Pivotal-Launch-Pivotal-Container-Service-(PKS)-and-Collaborate-with-Google-Cloud-to-Bring-Kubernetes-to-Enterprise-Customers.2184911.html

New Workspace One
https://www.vmware.com/company/news/releases/vmw-newsfeed.VMware-Delivers-Industry-First-Unified-End-User-Experience,-Management-and-Security-Solution-for-All-Endpoint-Platforms.2184896.html
https://blogs.vmware.com/euc/2017/08/vmware-vision-digital-workspace-analytics.html

VMware Horizon
New features and improvements in Horizon View and App Volumes with UEM.
https://blogs.vmware.com/euc/2017/08/vmware-horizon-7-3-sneak-peek.html
https://blogs.vmware.com/euc/2017/08/horizon-managing-virtual-desktops-apps.html

Thursday, August 24, 2017

VMware Certified Advanced Professional 6.5 - Data Center Virtualization Released

Yes, the VCAP6.5-DCV was released on 7th Aug 2017. I was fortunate to be part of the exam creation and to experience the process; understanding how much effort and time goes into creating an exam, it is never simple.

You can find the requirements to take this exam here. Do read the exam guide to make sure you are at the level needed to take it.

The exam targets an advanced level, that is, someone with experience beyond VCP. I have seen many attempt this exam right after their VCP exam and fail. There is a difference for a reason. Some have attended the recommended vSphere Design Workshop and mention that the exam does not cover what the workshop covers.

Do note that this is a certification exam; it assesses your level of expertise, not your memorisation of a particular course as we did in school. All certification exams test your know-how and knowledge level.

This year there is a catch, unlike the past 5.x certifications. If you check the requirements, you need VCP6.5-DCV in order to take VCAP6.5-DCV. It seems that VMware Certification classifies vSphere 6.5 as a major release rather than a minor one.

For those who just renewed their VCP by passing VCP6.0, you are not allowed to take VCAP6.5-DCV. If you would like to take VCAP6.5-DCV, you will need to pass the VCP6.5-DCV Delta exam.

I am sure this will raise some questions from the ground. I am not sure of the reason behind it, but it could be that there are just too many changes between vSphere 6.0 and vSphere 6.5.

Let us just hope that VCAP6.0-DCV will still be available for 2 years from the last availability of VCP6.0-DCV, since a candidate can still use a VCAP to upgrade within 2 years of passing the VCP.

Thursday, August 17, 2017

vExpert 2017 Second Half Announcement

The vExpert 2017 second-half list has been released. There are 105 new vExperts for 2017 on top of the 1471 previously announced.

Once again, congrats to the new vExperts 2017, and I hope to see each and every one of you again next year.

Check out some of your benefits on the vExpert community forum, and if you are heading to VMworld 2017, do check out the sponsor booths listed.

Tuesday, August 8, 2017

VMware Thinapp Support for Windows 10

Recently I was tasked with doing a demo of ThinApp. I have a Windows XP SP3 32-bit VM running ThinApp version 4.x.

I ThinApp'ed Internet Explorer 7, 8 and 9. Everything worked fine.

Next I spun up a Windows 10 64-bit VM, tried to run these ThinApp'ed Internet Explorer packages and got the error below:


A Google search turned up information that Windows 10 only supports Internet Explorer 8 and above, which I found weird, since ThinApp should be able to run it as a packaged container.

Eventually, I came across the ThinApp release notes and discovered that it only supports Windows 10 from version 5.2.0, and that 5.2.2 recently added support for the Windows 10 Anniversary Update. How silly of me not to check my ThinApp version.

After updating ThinApp on my Windows XP VM and using relink to update the ThinApp package in the bin folder, it now runs on Windows 10. Yes, I did not have to run through the prescan and postscan all over again thanks to relink. Check out this KB to see how relink helps update your ThinApp'ed binary package.

Also, for Internet Explorer 8 and above, you might want to check out this KB to include two DLLs in the package when compiling, in case it does not run on Windows 10.

Now I can run multiple versions of Internet Explorer, from 6 to 8, all on Windows 10.


Tuesday, July 18, 2017

vRealize Suite with App Monitoring Clarification

Recently I came across a customer requirement to use vRealize Operations as centralised monitoring, pulling in metrics from other apps. This needed to cover both physical and VMware virtual environments.

The first thing that came to mind was to use vSphere Enterprise Plus and the old vRealize Operations Insight bundle, which comprises vRealize Operations and Log Insight. However, this bundle has reached EOA, as stated here.

That was a bummer. As cost is a big issue, we cannot just quote vCloud Suite (vCS) Enterprise, where vRealize Operations Enterprise is provided and App Monitoring is covered. There are many components in it which my customer will not use, and the cost does not justify it (though it would be nice for me :) but bad for my customer's pocket).

For those who aren't aware, vCloud Suite simply consists of vRealize Suite + vSphere Enterprise Plus. The editions of vCloud Suite are in line with vRealize Suite.

So I took a look at the vRealize Suite editions here.


Here you see that vRealize Operations Advanced is included in all editions of vRealize Suite (vRS). The only difference is the vRealize Operations Application Monitoring (Add-On).

A quick check shows there is such an Add-On for the vRealize Suite Standard and Advanced editions, as stated in the fine print at the bottom of the diagram.

This solves my issue. A customer who needs vRealize Operations Standard/Advanced and still requires App Monitoring can use vRealize Suite Standard/Advanced with the VMware vRealize Operations 6 Application Monitoring Add-On. What this really does is raise vRealize Operations to Enterprise.

If you go to Blue Medora and click on any of the application management packs, the requirements state that vRealize Operations Enterprise is required.

That covers the virtual environment; then you would ask, what about the physical environment? Well, the good thing here is that vCloud Suite consists of vRealize Suite, and vRealize Suite licensing is in Portable License Units (PLU), which can be used in a VMware virtual environment per CPU or, for a non-VMware environment (in my case physical servers), for 15 OSIs, as documented previously here.

Given this flexibility, my customer can use vRealize Suite Standard for their physical environment and, when they are ready to virtualise, convert it to CPU licensing thanks to the PLU flexibility. I find this flexibility fits in very well.

Tuesday, July 4, 2017

vSAN Witness Licensing

With vSAN 6.2, support for ROBO sites was introduced. There have been lots of questions about how to license the witness more cost-effectively. Some have thought of using vSphere ROBO licenses, vSphere Essentials licenses and even the free ESXi hypervisor.

This article explains the workable methods that have not been very clear. Before we start, check out the vSAN 6.5 Licensing Guide.

First of all, the common place for the vSAN Witness is in a vSphere cluster, so that cluster is already licensed. It doesn't matter whether it is the lowest Essentials edition or Enterprise Plus. If you would like to run it using a vSphere ROBO license, this can be done, since ROBO is meant for a small site of not more than 25 VMs. Do take note that with vSphere ROBO you will not be able to power on more than 25 VMs (assuming your license is a 25-VM pack that has not been divided). You cannot combine licenses. Even if you have a lot of hosts, you still cannot power on more than 25 VMs, as this is a hard limit.

Now to explain: the vSAN Witness is a virtual appliance (vApp). It is actually a virtual ESXi server. Since it is itself a virtual machine, it can run on any hypervisor, even the free ESXi hypervisor.

Can we run the vSAN Witness as a physical host? The answer is yes; however, it is not licensed, so you would need to license it even though it is not managed by vCenter. The reason is simple: it will be given support under vSAN licensing. By putting it on a physical server, you also make it able to host other VMs besides the witness, in which case the normal vSphere license would apply.

In summary, I would recommend hosting it in the cheapest form, using the free ESXi hypervisor, to save cost if you do not have an existing vSphere cluster to host it.

Thursday, June 8, 2017

vExpert 2017 Round 2 with vExpert NSX and vSAN

The 2nd round of applications for vExpert 2017 starts now. Sign up now and be recognised for your personal contribution to the VMware community.

Recently separate NSX and vSAN vExpert programs were introduced. So if you focus on vSAN or NSX, do sign up here respectively: vSAN and NSX.

If you are unsure whether you qualify to be accredited as a vExpert, there is no harm in trying. The details of the areas you can apply in are all listed on the vExpert 2017 sign-up page above.


While you are reading this, the Top vBlog 2017 voting has started. Do your part and vote. If you find my blog useful, spare some time and look at number 88.

Once again, thank you and good luck with your application.

Tuesday, May 9, 2017

Understand Your OEM Support

Previously I talked about the difference between Open and OEM licensing here, and why OEM licenses are generally cheaper, since they are provided by the OEM vendor instead of directly from the principal. This applies not just to software but also to hardware, although I used software as the subject.

Following on, there is a different support structure and contact point between Open and OEM licensing. Support typically comes directly from the OEM rather than from the original principal vendor of the hardware or software.

Why would OEM support cost less than principal support, or why is principal support more expensive than OEM support? Is it because the principal owns the product (software/hardware) that makes it more expensive?

There are several reasons why OEM is less expensive if you study it. Below is what I have observed:

1) The principal vendor owns the product, so it costs more. OEM vendors use their own support staff and only escalate to the principal up to a certain level, which makes OEM support less expensive.

2) Typically you have a certain support level: basic eight-by-five support, or production support where you are covered 24 by 7. This support is provided directly either by the principal vendor, if you purchased the product directly from them, or by the OEM vendor who sold you their support.

3) When an OEM vendor sells support to a customer, the support level is between the customer and the OEM vendor. Assuming a customer purchases production support from the OEM vendor, they will receive 24/7 support responses from them. However, there is another contract, between the OEM vendor and the principal vendor, which also has a support level. If the OEM vendor has only basic support with the principal vendor they OEM'ed the product from, then even though you have a Production Support level with the OEM vendor, any issue that requires the principal vendor will be constrained by the contract between the OEM vendor and the principal vendor.

Let us see this example:
  • You have production support (24 by 7) from your OEM vendor, Vendor A, for a piece of hardware.
  • Vendor A has basic support (next business day) from the principal vendor.
  • You log a case with Vendor A on Friday and receive a response from Vendor A.
  • Your issue requires Vendor A to escalate to the principal vendor; at the back end, Vendor A logs a case with the principal vendor.
  • The contract between Vendor A (the OEM vendor) and the principal vendor is basic support, so the principal vendor will only respond to Vendor A on Monday.
  • Vendor A will respond to you only when they receive the response from the principal vendor.

What do you see here? Vendor A can only take the next step with you once the principal vendor responds. During this period, even with 24/7 support from the OEM vendor, you are still constrained to a basic-support (next business day) answer. For any issue that requires the OEM vendor to escalate to the principal vendor, you would suffer this delay.

That is also a factor in deciding what type of licensing or purchase to make for software or hardware that is OEM'ed, as mentioned in my original post explaining the OEM use case.

So whether you should have OEM hardware or software in a production or UAT environment boils down to what service level you require for that specific environment. The higher the service level, the lower the risk, and also the higher the cost. Nothing comes cheaper without a caveat. As an architect/consultant, you need to make that decision.

I hope this post helps you understand this difference and make the right purchase for whatever case you are looking at.

Friday, April 21, 2017

New Certification Release: VMware VCP 6.5-DCV

A few months back, I wrote on how you can enrol to help contribute to VMware certification exams. If you are interested, do just head over and sign up.

Now VMware has announced the availability of VCP 6.5 for Data Center Virtualization. This includes the full exam with Foundations and the delta exam.

It took a lot of effort to get this exam live, and having been part of developing it, I hope that what we ask for is the knowledge required, based on the product and your experience.

To those taking or renewing your certification, all the best. Follow the blueprint as always, understand what you need to know, and understand what you need to improve on.

Good Luck!

Tuesday, April 18, 2017

VMware Discontinuation of 3rd Party vSwitch Program for vSphere

Starting from vSphere 6.5 Update 1 and the next major release, VMware will discontinue the 3rd-party vSwitch program. A KB stating this is found here.

3rd-party vSwitches include Cisco Nexus 1000V, Cisco VM-FEX, Cisco AVS, HPE 5900v and IBM DVS 5000v.

VMware has released a migration tool, which can be found here.

A blog post on the strategy going forward for virtual switches on vSphere is here; it covers the virtual Standard Switch (vSS), the virtual Distributed Switch (vDS) and Open Virtual Switch (OVS).

For customers on a 3rd-party virtual switch, you might have to check back with your vendor about support in future vSphere versions. I understand Cisco has told their customers that they will continue to support the use of Nexus 1000V.

Thursday, April 6, 2017

The Death of vSphere Data Protection

VMware today announced the end of availability of vSphere Data Protection (VDP) here. vSphere 6.5 will be the last version with VDP provided.

A bit of history: VDP has been included since vSphere 5.0, replacing VMware Data Recovery (VDR).

For existing VDP deployments, please check the respective version's end of general support here. Customers can continue to use any backup solution that utilises the vSphere Storage APIs – Data Protection framework (VADP).

Since VDP is an OEM version of Dell EMC Avamar, the closest product is Avamar Virtual Edition. Customers are recommended to take advantage of a Dell EMC special migration offer to transition VDP VM protection to Dell EMC Avamar Virtual Edition. Check this with your local Dell EMC team and read about it here.

Friday, March 31, 2017

VMware Threat Exploit Found During Pwn2Own Event

The threat was first discovered on Workstation during the Pwn2Own hacking event. With further investigation, it was found to be possible on ESXi 6.0U1 and above as well.

Do check out the VMware Security Advisories here. The patches are all available now.

Read about how this was found during the Pwn2Own event in the blog post here.

Tuesday, March 21, 2017

VMware Certification Exam Price Increase

If you have been following the exam news that has been released, starting from 1st April the prices of the exams at all levels, Foundation, Associate, Professional, Advanced Professional and Expert, have increased. You can read the official post here.

I will skip the Foundation and Associate exams since these are just entry-level exams.

Looking at Professional (VCP), Advanced Professional (VCAP) and Expert (VCDX), each has increased from $225 to $250, $400 to $450 and $300 + $900 to $995 + $3,000 respectively. It is a gradual increase per tier except for the Expert level, where one would think twice about attempting with an increase of over 130%. With this increase, this exam will become a company-sponsored exam moving forward and is not meant for one to self-sponsor at close to $5,000. Note that these are the prices affecting developed countries.

Not sure why the move, but it seems VMware is controlling the number of people attaining VCDX and keeping that title exclusive for now. Attempts at these exams will definitely decrease drastically, especially for VCDX.

If you are keen to pursue any of the exams above, do sign up fast before 1st Apr, by voucher or registration of interest, before the hefty price adds on to you.

Wednesday, March 8, 2017

VMware vSphere 6.5 Security Questions

I have been to many customers and there are many questions on what our vSphere 6.5 security enhancements do and how they differ from others.

So to clear up some of these questions, the articles available below will provide more details.

A good place to start is this VMware blog post by Mike Foley. It details the new UEFI support for ESXi and for VMs, and VM Encryption. Let us break down some questions that are often asked or unclear:

1) Do all OSes support UEFI?
Modern OS versions like Microsoft Windows 2012, RedHat 5 and SUSE Linux Enterprise 11 SP2 and above do, unless we are talking about older OSes that depend on BIOS.

2) Who provides the UEFI firmware?
The server hardware vendors, whose firmware allows an OS or hypervisor to be installed and booted, and the hypervisor or virtualization software vendor, whose virtual firmware allows a virtual machine to boot.

3) How can we prevent the BIOS, hypervisor and OS from being compromised?
UEFI Secure Boot ensures that digital signatures are in place and verified, so any attempt to modify these components will not be accepted by ESXi or the OS. The caveat is that all drivers and files need a known digital signature. This is very common when you install certain drivers, especially in Windows, where you could just choose Ignore; with UEFI Secure Boot, that cannot be done any more. For ESXi, with Secure UEFI boot it will fail to boot if any digital signature check fails. So even if you ever manage to force an unsigned driver in, it will require a reboot, and that reboot will fail. What you will see is a PSOD (Purple Screen of Death).

4) Are certificates provided by VMware?
No. VMware, being ecosystem-partner friendly, has always leveraged customers' existing investments. Using VM Encryption requires an existing KMS that supports KMIP 1.1. This is good, since VMware isn't really a security company with IP in that field; it is better to have the experts do the work.

5) Does it encrypt only the data disk or the OS?
VM Encryption, even as a first release, is very well thought out. It encrypts the VM as a whole. Using PowerCLI as stated here, you have even more control and granularity: you can choose to encrypt one VMDK but not another, or just the VM files and not the VMDKs. You can also enable CryptoSafe mode on ESXi even without any VM encryption, so that core dumps are encrypted.

6) Is an agent required, and are only certain OSes supported?
No agent is required, and this is OS independent: the OS will not be aware, since vSphere is doing VM encryption, not OS encryption.  In fact, any OS that is supported by vSphere can be encrypted.  How cool is that?  However, you can still leverage partners like SafeNet, HyTrust, CloudLink, etc. to do OS encryption within the VM to further secure your data.

7) Can we use a physical TPM on ESXi?
Yes, you can use a TPM on vSphere, but that only secures the boot-up process of ESXi.  Currently ESXi only supports up to TPM 1.2.  Compared to UEFI, the difference here is that TPM is not backward compatible, so you will need to make sure all your server hardware supports the same TPM version.  Not a very good idea, is it?

8) Does vSphere support a virtual TPM?
No. vSphere 6.5 does not have a virtual TPM feature.  Similar to the above, this would introduce a dependency on something, e.g. the Host Guardian Service infrastructure for Hyper-V 2016.  vSphere uses Secure UEFI, where no such setup is required.  Changing to a new HGS requires some effort and comes with caveats; refer to this article.

9) How easy is it if I need to change the KMS?
Do read the article on PowerCLI: VM Encryption allows you to change KMS easily without having to decrypt the whole VM and encrypt it again.  This is because the Key Encryption Key (KEK) from the KMS is used to encrypt the Data Encryption Key (DEK), so when changing KMS, all you need to do is decrypt the DEK and re-encrypt it with the new KEK from the new KMS.

10) Can we use more than one KMS if we have different workloads or requirements?
Yes.  As stated in the PowerCLI post, you can even have different VMDKs in the same VM using different KMSes!  The control is in your hands.

11) What kind of performance are we talking about with VM Encryption?
Refer to this whitepaper.  VM Encryption leverages the latest Intel processor technology, AES-NI, to accelerate the encryption process.  The keys generated on ESXi are XTS-AES-256 keys.

12) Does vSphere support disabling TLS 1.0?
Yes.  In vSphere 6.5, there is a TLS Reconfiguration Utility.  By default, vSphere comes with TLS 1.0, 1.1 and 1.2 enabled; with this tool, you can disable TLS 1.0.  Then you will ask, what about vSphere 6.0?  Well, in vSphere 6.0 Update 3 the tool has already been released.

13) What are the limitations of VM security thus far?
vSphere Replication, as of today, is still not supported, so any VM that is encrypted cannot leverage vSphere Replication.  This is true both within the cluster and across to another vCenter cluster.
Certain VM files like the VMX are not completely encrypted, as there are still solutions on the market that do not use the vSphere API to retrieve information but read directly from the VMX file.  Encrypting it would break these solutions.

If you have more questions, do post them in the comments so I can answer them to the best of my ability.

Thursday, February 9, 2017

VMware vExpert 2017 Announced!

Congrats to all vExperts 2017 announced earlier today here.  This year we have 1471 vExperts, and the number is growing year after year.  As stated, for those who signed up but were not granted the title, you may email vexpert@vmware.com to seek guidance on what you are missing.

As for those who missed the application, you can watch out for it between May and June 2017.

I am glad I am still retaining this accreditation, which I have held since I started in 2012.  This marks my 6th year.  So for those who are just starting, good work.  For those who are retaining, there isn't much effort needed; all you have to do is pen down your knowledge for sharing, or even just share a simple tweet or a post.



Tuesday, January 3, 2017

VMware VCIX Certification Clarification

I have received a lot of requests and questions regarding the new VCIX certification from VMware.

So how do I get qualified?
What do I need to do?
Do I need to upgrade VCP first?
I am confused about which VCAP to take, as I already have one.

The proper way to get to VCIX certification is stated here.
The scenarios for VCP certification are stated here.

So in the past, passing a VCAP allowed you to upgrade your VCP.  However, with the expiry program and the VCP certification article above on inheritance, only the expiry of the existing VCP will be extended.  There is no inheritance of VCP when passing a VCAP in the same track.

Example:
Holding VCP5-DCV and passing VCAP6-DCV Design does not upgrade VCP5-DCV to VCP6-DCV.  Only the VCP5-DCV expiry period is further extended.


In order to attempt VCDX in any track, you will need to attain VCIX for that track.  Below is how you can attain your VCIX, using the Data Center Virtualization track as a scenario.

Scenarios:
For one who has a valid VCP5-DCV and VCAP5-DCV Deploy (it works the other way around with the Design exam):
  1. Upgrade VCAP5-DCV by taking VCAP6-DCV Design > VCIX6-DCV; VCP5-DCV expiry renewed 2 years.
  2. To renew VCIX6-DCV, take VCAP7-DCV Design or Deploy > VCIX7-DCV; VCP5-DCV expiry renewed 2 years.
  3. To take VCDXn-DCV, attain VCIXn-DCV.
What happens when one has an expired VCP5-DCV?  Based on 1-3 above:
1) Upgrade VCIX, VCP5-DCV expired
2) Upgrade VCIX, VCP5-DCV expired
3) VCIX attained, VCP5-DCV expired

What does it mean when VCP is expired?
You can continue to renew your VCAP and above; however, if you wish to cross track to another certification, you will need to pass the VCP for that track the proper official way, by taking the course and passing the VCP exam for that track.

What if my VCP has not expired?
You can attempt the VCP in other tracks.  This holds even if your VCP version is a few versions behind.

Example only, assuming these versions exist:
VCP5-DCV still valid.  Attempt VCP7-DCV, VCP7-DTM, VCP7-Cloud, VCP7-NV.


Conclusion
I would recommend not letting your VCP expire, to keep your options open.  By renewing, you can attempt a different track for VCP or go for VCAP in the VCP track you own.  This keeps you relevant and opens up new opportunities for yourself.

Always check for updates at VMware Education Blog.


Note: The above is accurate at the time of writing.

VMUG Singapore by VMware and HPE

If you are in Singapore, do remember to register for the VMUG Singapore event sponsored by VMware and HPE. Look for the event details here. ...