Aug 29

Fix: VMSA-2016-0007.2 (NSX Security Vulnerability)

VMware has fixed the following new security advisory:

Advisory ID: VMSA-2016-0007.2
Synopsis: VMware NSX and vCNS product updates address a
critical information disclosure vulnerability
Issue date: 2016-06-09
Updated on: 2016-08-26
CVE number: CVE-2016-2079

1. Summary

VMware NSX and vCNS product updates address a critical
information disclosure vulnerability.

2. Relevant Releases

NSX 6.2 prior to 6.2.3
NSX 6.1 prior to 6.1.7
vCNS 5.5.4 prior to 5.5.4.3

3. Problem Description

a. VMware NSX and vCNS critical information disclosure vulnerability

VMware NSX and vCNS with SSL-VPN enabled contain a critical
input validation vulnerability. This issue may allow a remote
attacker to gain access to sensitive information.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the identifier CVE-2016-2079 to this issue.

Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.

VMware Product   Product Version   Running on   Replace with/ Apply Patch
==============   ===============   ==========   =========================
NSX Edge         6.2               Any          6.2.4 *
NSX Edge         6.1               Any          6.1.7
vCNS Edge        5.5               Any          5.5.4.3

* Note: NSX Edge 6.2.3 which addresses CVE-2016-2079 is no longer
available for download. Customers are advised to update to NSX 6.2.4.

4. Solution

Please review the patch/release notes for your product and version
and verify the checksum of your downloaded file.

VMware NSX
Downloads:
https://www.vmware.com/go/download-nsx-vsphere

Documentation:
https://www.vmware.com/support/pubs/nsx_pubs.html

vCNS
Downloads:
https://www.vmware.com/go/download-vcd-ns

Documentation:
https://www.vmware.com/support/pubs/vshield_pubs.html

5. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2079

VMware Knowledge Base article 2006985
https://kb.vmware.com/kb/2006985

 

Aug 25

Alert: VMSA-2016-0013 – VMware Identity Manager and vRealize Automation updates address multiple security issues

VMware has released the following new security advisory:

 

Advisory ID: VMSA-2016-0013
Severity:    Important
Synopsis:    VMware Identity Manager and vRealize Automation updates address multiple
             security issues
Issue date:  2016-08-23
Updated on:  2016-08-23 (Initial Advisory)
CVE number:  CVE-2016-5335, CVE-2016-5336

1. Summary

   VMware Identity Manager and vRealize Automation updates address multiple security
   issues

2. Relevant Products

   VMware Identity Manager
   vRealize Automation

3. Problem Description

   a. VMware Identity Manager local privilege escalation vulnerability

   VMware Identity Manager and vRealize Automation both contain a vulnerability that
   may allow for a local privilege escalation. Exploitation of this issue may lead to
   an attacker with access to a low-privileged account to escalate their privileges to
   that of root.

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has reserved
   the identifier CVE-2016-5335 for this issue.

   Column 5 of the following table lists the action required to remediate the
   vulnerability in each release, if a solution is available.

                             Product   Running               Replace with/
   VMware Product            Version   on        Severity    Apply Patch     Workaround
   =======================   =======   =======   =========   =============   ==========
   VMware Identity Manager   2.x       VA        Important   2.7             None
   vRealize Automation       7.0.x     VA        Important   7.1             None
   vRealize Automation       6.x       VA        N/A         not affected    N/A

   b. vRealize Automation remote code execution vulnerability

   vRealize Automation contains a vulnerability that may allow for remote code
   execution. Exploitation of this issue may lead to an attacker gaining access to a
   low-privileged account on the appliance.

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has reserved
   the identifier CVE-2016-5336 for this issue.

   Column 5 of the following table lists the action required to remediate the
   vulnerability in each release, if a solution is available.

                          Product   Running               Replace with/
   VMware Product         Version   on        Severity    Apply Patch     Workaround
   ====================   =======   =======   =========   =============   ==========
   vRealize Automation    7.0.x     VA        Important   7.1             KB2146585
   vRealize Automation    6.x       VA        N/A         not affected    N/A

4. Solution

   Please review the patch/release notes for your product and version and verify
   the checksum of your downloaded file.

   VMware Identity Manager 2.7
   Downloads and Documentation:
   https://my.vmware.com/en/web/vmware/info/slug/desktop_end_user_computing/vmware_identity_manager/2_7

   vRealize Automation 7.1
   Downloads and Documentation:
   https://my.vmware.com/group/vmware/info/slug/infrastructure_operations_management/vmware_vrealize_automation/7_1#product_downloads

5. References

   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5335
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5336
   https://kb.vmware.com/kb/2146585

------------------------------------------------------------------------

6. Change log

   2016-08-23 VMSA-2016-0013 Initial security advisory in conjunction with the
   release of vRealize Automation 7.1 on 2016-08-23.

Mar 31

VMware Horizon 7: Your High Performance, Ultra-Secure, Throwaway Laptop Is Waiting For You

Don’t you love it when your brand new laptop finally arrives – pristine, unspoiled by a corrupted registry, malware, or app bloat? It just hums along perfectly: lightning fast, super responsive, snappy graphics. All your apps are there, everything customized just the way you like it. You’re in that state of computing bliss, silently judging your peers with their old clunky machines, staring at an hourglass.

Fast forward a couple of months – what happened? Your beautiful machine is now sluggish, taking forever to boot and log in. The graphics are laggy, no longer snappy. Endless O/S notifications prompting some required vulnerability patch. Now it’s just like everyone else’s. Why can’t my corporate/PC life be more like my consumer/mobile life?

Too bad PCs aren’t disposable, with IT serving up a fresh-out-of-the-box laptop experience to you every Monday. Even better, every time you log in!

Guess What We Built!

We’re changing the way IT looks at workspace services delivery.  In VMware Horizon 7, we’ve introduced a number of capabilities that are bringing the virtues of the mobile cloud to virtual desktops and apps, with greater speed, simplicity, performance, security, and service elasticity, than ever before.

Your Pristine, Tailor-Made, Disposable PC Is Waiting…

Just in Time Delivery with Instant Clone Technology is turning the traditional VDI provisioning model on its head. Now, a booted-up parent VM can be “hot-cloned” to produce derivative desktop VMs rapidly, leveraging the same disk and memory of the parent, with the clone starting in an already “booted-up” state. This process bypasses the cycle time incurred with traditional cloning, where several power cycle and reconfiguration calls are usually made. When combined with VMware App Volumes and User Environment Manager, administrators can use Instant Clone Technology to rapidly spin up desktops for users that retain user customization and persona from session to session, even though the desktop itself is destroyed when the user logs out. Virtual desktops benefit from the latest O/S and application patches automatically applied between user logins, without any disruptive recompose. This capability is delivering customers the VDI nirvana of fully customized and personalized desktops, built on the economics and security of stateless, non-persistent desktops.

More Secure Than Ever Before with Smart Policies

If you’re a CIO or CISO, the top item on your “to-do” list is to “stay out of the headlines”, i.e., don’t fall victim to an insider-led breach. While desktop and app virtualization helps protect data-at-rest by repatriating sensitive info to the datacenter, all those virtual desktops and apps are still prone to good (or bad) users doing bad (or stupid) things with them. Smart Policies includes:

  • Policy-Managed Client Features, which enables IT to use policy to define which specific security-impacting features are accessible upon login. These include clipboard redirection, USB, printing, and client drives. All of these can be enforced contextually, based on role, and evaluated at logon/logoff, disconnect/reconnect and at pre-determined refresh intervals for consistent application of policy across the entirety of the user experience. For example, a user logging in from a network location considered unsecured can be denied access to USB and printing. Additionally, PCoIP bandwidth profile settings allow IT to customize the user experience based on user context and location.
  • True SSO streamlines secure access to a Horizon desktop when users authenticate via VMware Identity Manager. A short-lived VMware Horizon virtual certificate is generated, enabling a password-free Windows login and bypassing the usual secondary login prompt users would encounter before getting to their desktop. Want to see Smart Policies in action? Check out this quick demo:

VMware Horizon 7 Smart Policies Demo

Display Technology Purpose-Built For Mobile

We are excited to add Blast Extreme to our display protocol toolkit, alongside PCoIP and RDP. Blast Extreme is network-friendly, leverages both TCP and UDP transports, is powered by H.264 to get the best performance across more devices, and reduces CPU consumption, resulting in less device power consumed for longer battery life.

With the addition of Blast Extreme, we now offer a multiprotocol Swiss Army knife that allows IT to select the protocol that best fits their user workstyles, networking geography and client device preferences. Supported by Blast Extreme and PCoIP is a multifaceted suite of client-side features ranging from printing to smartcards to multimedia and more, accessible on an ever-widening suite of VMware Horizon-optimized clients.

An additional benefit of Blast Extreme is how it’s further optimized for workloads running on NVIDIA GRID. The combination of these technologies delivers a 1+1=3 effect. By leveraging NVIDIA GRID to offload encoding from the CPU and move it to the GPU, it frees up CPU resources to run additional users per server while simultaneously improving performance. In testing conducted by NVIDIA’s GRID Performance Engineering team, using ESRI ArcGIS Pro 1.1, 18% higher user density was achieved, along with a 6-13% increase in frame rate, up to 51ms reduction in latency, and anywhere from 48-89% reduction in TCP bandwidth. Clearly the combination of Blast Extreme with NVIDIA GRID is delivering better scalability, reduced TCO, and a high-performance user experience. For NVIDIA’s perspective on this, check out their blog post here.

As you can see, VMware Horizon 7 is a pivotal release in our end user computing journey, offering a completely re-imagined way of looking at workspace services delivery, security, scale, and user experience – all optimized for the mobile cloud. In the coming days and weeks, look for additional blogs covering various pillar capabilities in VMware Horizon 7, as well as great technical boot camp content that will show you how to get started quickly.

Mar 31

Cross-VC NSX for Multi-site Solutions

The Cross-VC NSX feature, introduced in VMware NSX 6.2, allows for NSX logical networking and security support across multiple vCenters. Logical switches (LS), distributed logical routers (DLR) and distributed firewall (DFW) can now be deployed across multiple vCenter domains. These Cross-VC NSX objects are called Universal objects. The universal objects are similar to distributed logical switches, routers, and firewall except that they have global or universal scope, meaning they can span multiple vCenter instances. With Cross-VC NSX functionality, in addition to the prior local-scope single-vCenter objects, users can implement Universal Logical Switches (ULS), Universal Distributed Logical Routers (UDLR), and Universal DFW (UDFW) across a multi-vCenter environment that can be within a single data center site or across multiple data center sites. In this post we’ll take a look at how we do this.

The benefits of supporting NSX networking and security across multiple vCenter domains as shown in Figure 1 below become immediately clear. Logical networking and security can be enabled for application workloads that span multiple vCenters domains or physical locations. For instance, VMs can now vMotion across vCenter boundaries with consistent security policy enforcement without having to manually modify/provision networking and security services. In essence, NSX control and automation is expanded across vCenter boundaries whether within or across data centers.

Figure 1: Cross-VC NSX Deployed Across Three Sites

As before, NSX 6.2 still maintains a 1:1 relationship between NSX Manager and vCenter server. However, with Cross-VC NSX, multiple vCenter servers are supported, each still maintaining a 1:1 relationship with its NSX Manager: one NSX Manager is in a primary role and the rest are in a secondary role. After assigning the primary role to the first NSX Manager, additional NSX Managers can be registered as secondary. Up to eight NSX Managers/vCenters are supported, with one NSX Manager being primary.

The Primary NSX Manager is used to deploy the Universal Control Cluster (UCC) in its local vCenter inventory/domain providing the control plane for the Cross-VC NSX environment. The Secondary NSX Managers do not have their own control cluster deployed in their local domain; instead, each vCenter domain/site and respective Secondary NSX Manager use the UCC at the primary site for both local and universal control plane and objects. Up to three controllers are supported; the UCC must be deployed into the inventory of the vCenter managed by the Primary NSX Manager.

As shown below in Figure 2, the Primary NSX Manager will use the Universal Synchronization Service (USS) to replicate only the universal objects to the Secondary NSX Managers. Note, the UCC resides only on the site of the Primary NSX Manager.

Figure 2: USS on Primary NSX Manager Replicates Universal Objects to Secondary NSX Managers

Cross-VC NSX also enhances NSX multi-site deployments. As shown in the example in Figure 3 below, NSX, leveraging the Cross-VC NSX functionality, is deployed across two sites. A separate vCenter domain is used for management where both the site 1 and site 2 respective vCenters and NSX Managers are deployed. Additionally, each site has its own vCenter deployed locally. Also note, in this design, a single Universal Control VM is deployed at site 1 and all workloads at both sites use site 1 for egress or North/South.

iBGP is used between the Universal Distributed Logical Router (UDLR) and Edge Services Gateway (ESG) and eBGP is used between the ESG and ToR switches/routers. Alternatively, OSPF could have been used. In this design, routing metric is used to control ingress/egress traffic. Setting BGP weight on the UDLR will influence which route workload traffic should take.

The Local Egress feature was also introduced in NSX 6.2 and can be used to implement localized egress or North/South at each site; this alternative deployment model can be useful for specific scenarios and will be discussed in a later post.

In this example, for simplicity of demonstration, only one ESG per site is used with both ESGs doing ECMP northbound. In a production environment multiple ESGs should be deployed at each site for additional resiliency.

Figure 3: Example Cross-VC NSX Deployment

Also deployed, but not shown in Figure 3 above is an external Platform Services Controller (PSC), which was introduced in vSphere 6.0; the PSC decouples infrastructure services such as Single Sign-On (SSO) from vCenter. Both vCenters connect to and leverage the external PSC which also allows for enhanced link mode allowing the user to manage multiple vCenters from one GUI as shown below in Figure 4; this also allows for easy vMotion via GUI from one vCenter domain to the other. For more information on PSC deployment, see the VMware vCenter Server 6.0 Deployment Guide.

Figure 4: PSC Introduced in vSphere 6.0 Allows for Enhanced Link Mode as Shown Here

Figure 5 below displays both NSX Managers in the setup; the NSX Manager at site 1, Palo Alto, is the Primary NSX Manager, and the NSX Manager at site 2, San Jose, is the Secondary NSX Manager. Also, in the NSX Controller nodes section, looking at the respective IP addresses, one can see there are only three NSX Controllers managed by the site 1 NSX Manager, however, configuration is shown for both sites which are using the same controllers.

Figure 5: Cross-VC NSX Deployed Across Two Sites with Primary and Secondary NSX Manager Configured

Figure 6 demonstrates the vMotion of a VM, in this case VM Web Universal, from site 1 to site 2 across vCenter boundaries.

Figure 6: vMotioning ‘Web Universal’ VM From Site 1, Palo Alto to Site 2, San Jose

Figure 7 below shows the final confirmation before the vMotion of VM Web Universal from site 1 to site 2.

Figure 7: Confirming vMotion of ‘Web Universal’ VM From Site 1, Palo Alto to Site 2, San Jose

As can be seen from the screenshot below, the Web Universal VM has been vMotioned across vCenter boundaries from site 1, Palo Alto to site 2, San Jose. Note, the network adapter of the VM is attached to the Universal Web ULS with VNI 90000 which is spanning across both sites; thus, the networking configuration remains consistent and East/West and North/South connectivity is not affected.

Figure 8: ‘Web Universal’ VM Has Been Successfully vMotioned from Site 1, Palo Alto to Site 2, San Jose

In this deployment model, dynamic routing and respective routing metrics were used to control ingress/egress (appropriate metrics on the physical network also need to be configured). Figure 9 below shows BGP weight configured on the UDLR to prefer the route through ESG 1 at site 1.

Figure 9: BGP Weight Attribute Used to Prefer Routes to ESG 1 at Site 1

As shown below, using the tracert command on the Windows VM after it has been vMotioned to site 2, one can see the site 1 ESG is still being used for egress or North/South traffic. The destination is a VM on the physical network attached to a VLAN backed port group. The result is as expected, as we set the BGP metric to always use the ESG at site 1 for egress until failover.

Figure 10: ‘Universal Web’ VM ‘tracert’ Command Shows Route Through ESG 1 at Site 1 is Being Used for Egress

The below screenshot shows that ESG 1 at site 1 has been manually shut down. Further below, we can now see the path from the Universal Web VM to the destination VM on the physical network has switched to use ESG 2 at site 2 as expected.

Figure 11: ESG 1 at Site 1 Has Been Manually Shut Down to Test Failover to ESG 2 at Site 2

As shown below, using the tracert command on the Windows VM after ESG 1 at site 1 has been shut down, one can see the new route from the VM is through the site 2 ESG for egress or North/South traffic. This is expected, as we set the BGP weight metric higher for ESG 1 at site 1, so ESG 2 at site 2 will only be used upon failure of ESG 1.

Figure 12: ‘Universal Web’ VM ‘tracert’ Command Shows Route Through ESG 2 at Site 2 is Being Used for Egress

In this post, a deployment model using a single Universal Control VM deployed at site 1 and leveraging routing metric for failover was utilized to demonstrate a Cross-VC NSX deployment across two sites with active workloads at both sites and Active/Passive North/South. In a later post we’ll discuss an alternative deployment model with a similar topology using Local Egress to achieve Active/Active North/South. Additionally, Cross-VC NSX supports recovery of NSX components upon site failure and this will also be discussed in a later post.

 

Mar 31

vSphere HTML5 Web Client Fling – Getting Started

VMware announced the first step towards making an HTML5 Web Client a reality, the vSphere HTML5 Web Client Fling. This first release of the Fling will focus primarily on VM management, with more updates coming. Here is a list of the features and operations available in this first release:

  • VM power operations
  • VM Edit Settings (simple CPU, Memory, Disk changes)
  • VM Console
  • VM and Host Summary pages
  • VM Migration (only to a Host)
  • Clone to Template/ VM
  • Create VM on a Host (limited)
  • Additional monitoring views: Performance charts, Tasks, Event
  • Global Views: Recent tasks, Alarms (view only)
  • Integrated Feedback Tool

The vSphere HTML5 Web Client Fling is a standalone appliance that can be deployed in your existing or new vSphere 6.0 and later environments in a transparent manner. The Fling does not make any changes to your existing vCenter or Platform Services Controller components. Nor does it affect any operations, such as the use of the current vSphere Web Client, as it is meant to run side by side. The Fling should be deployed with the following specifications and prerequisites in mind:

  • 2vCPU, 4GB of RAM, and 14GB of storage
  • Runs only on vSphere 6.0 or later
  • Recommended Browsers include Chrome, Firefox, and IE11. Other browsers may work, but have not been tested yet
  • Usable with either the vCenter Server Appliance (VCSA) or Windows
  • Enable SSH on your vCenter Server Appliance, temporarily needed only during the install process
  • Enable vCenter Server Appliance Bash Shell, temporarily needed to SCP configuration files from the Fling to the vCenter Server Appliance
    • shell.set --enable True
    • shell
    • chsh -s /bin/bash root

vSphere HTML5 Web Client VCSA Shell

vSphere HTML5 Web Client Fling Deployment

Prior to deploying the vSphere HTML5 Web Client Fling appliance, verify all specifications are in place and prerequisites have been met. The Fling OVF can be deployed using either the vSphere 6.0 Web Client or the Embedded Host Client. Go through the Deploy OVF Template wizard, power on the Fling appliance and wait for the boot process to complete. When the Fling appliance is at the console screen, SSH in using the login username root and password demova.

Note: when deploying with the vSphere client (aka C# or Thick client) an IP pool is required. This is taken care of for you when using the vSphere Web Client.

vSphere HTML5 Web Client IP Pools

Let’s go through the process of configuring the vSphere HTML5 Web Client Fling with both the vCenter Server Appliance and vCenter for Windows.

Configuration with the vCenter Server Appliance

Step 1 

Run the following command to register the Fling appliance with vCenter Server Appliance:

/etc/init.d/vsphere-client configure --start yes --user root --vc <FQDN or IP Address of vCenter Server> --ntp <FQDN or IP Address of NTP server>

vSphere HTML5 Web Client VCSA Fig 1

Step 2

Continue the registration process by answering “Yes” to continue connecting and entering your vCenter Server Appliance password.

vSphere HTML5 Web Client VCSA Fig 2

During the registration process the following configuration files are created and copied from the vCenter Server Appliance to the vSphere HTML5 Web Client Fling: webclient.properties, ds.properties, and store.jks. Making sure the vCenter Server Appliance bash shell is enabled allows SCP to copy these configuration files over to the Fling appliance. Finally, the registration script starts the web server and installs any packages and plugins needed.

vSphere HTML5 Web Client VCSA Fig 3

Configuration with vCenter for Windows

As stated earlier, the vSphere HTML5 Web Client Fling also works with vCenter 6.0 for Windows. The process is similar to the vCenter Server Appliance. In this release of the Fling there is more manual configuration to be done on the Windows side, but this will be more automated in a future release of the Fling. This configuration was done running vCenter 6.0 on Windows Server 2012 R2, but other versions of Windows may also work.

Step 1

Visit the vSphere HTML5 Web Client Fling site, download the Fling OVA and the server-configure.bat, then deploy the Fling appliance and power it on.

vSphere HTML5 Web Client Windows Fig 1

Step 2

On your vCenter Windows server, run server-configure.bat as administrator or with an account that has local administrator rights. The same configuration files created on the vCenter Server Appliance (webclient.properties, ds.properties, store.jks) are also created on Windows.

Note: The script assumes vCenter was installed using the default path. Modify the install path in the script to your vCenter path.

vSphere HTML5 Web Client Windows Fig 6

Note: If you run server-configure.bat without administrator rights you will receive errors and the correct files are not created.

vSphere HTML5 Web Client Windows Fig 2

Step 3

SSH into the vSphere HTML5 Web Client Fling appliance and create the necessary directories for the configuration files:

  • mkdir /etc/vmware/vsphere-client/
  • mkdir /etc/vmware/vsphere-client/config/
  • mkdir /etc/vmware/vsphere-client/vsphere-client/

vSphere HTML5 Web Client Windows Fig 3

Once the directories are created, copy and place the configuration files in the corresponding directory.

Note: In this example WinSCP was used to copy the configuration files to their directories on the Fling Appliance.

  • /etc/vmware/vsphere-client/store.jks
  • /etc/vmware/vsphere-client/config/ds.properties
  • /etc/vmware/vsphere-client/vsphere-client/webclient.properties

vSphere HTML5 Web Client Windows Fig 4

Step 4

To add NTP server(s), run the following command on the Fling appliance:

/etc/init.d/vsphere-client configure ntp_servers <IP address of NTP server(s)>

Note: It’s important to keep time in sync between vCenter and the Fling appliance.

vSphere HTML5 Web Client Windows Fig 7

Step 5

Start the vSphere HTML5 Web Client web server: /etc/init.d/vsphere-client start

vSphere HTML5 Web Client Windows Fig 5
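As an added example that is not part of the original post, the following POSIX shell pre-flight check scripts Steps 3 to 5 of the Windows configuration on the Fling appliance: it creates the three directories, verifies that the three configuration files landed where the post lists them, and refuses to start the web server if the appliance clock and the vCenter clock are out of sync (the post notes time must be in sync). The ROOT argument, the skew tolerance and the epoch arguments are assumptions made so the check can be run against any directory tree rather than only on the appliance itself.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight check for the manual
# vCenter-for-Windows configuration of the vSphere HTML5 Web Client Fling.
# ROOT is an assumed parameter; on the real appliance it would be "/".

# The three files, relative to ROOT, exactly where the post says to place them.
FLING_CONF_FILES="etc/vmware/vsphere-client/store.jks
etc/vmware/vsphere-client/config/ds.properties
etc/vmware/vsphere-client/vsphere-client/webclient.properties"

# create_fling_dirs ROOT: Step 3, creates the three directories.
create_fling_dirs() {
    root="${1:-/}"
    mkdir -p "$root/etc/vmware/vsphere-client/" \
             "$root/etc/vmware/vsphere-client/config/" \
             "$root/etc/vmware/vsphere-client/vsphere-client/"
}

# check_fling_files ROOT: returns 0 when all three files are present and
# non-empty; otherwise names each missing or empty file on stderr and
# returns 1 (running server-configure.bat without admin rights produces
# exactly this situation, per the post's note).
check_fling_files() {
    root="${1:-/}"
    missing=0
    for f in $FLING_CONF_FILES; do
        if [ ! -s "$root/$f" ]; then
            echo "missing or empty: /$f" >&2
            missing=1
        fi
    done
    return $missing
}

# check_time_skew LOCAL_EPOCH REMOTE_EPOCH [TOLERANCE_SECONDS]: returns 0
# when the two clocks are within tolerance (default 300 s, an assumed
# value), otherwise returns 1. On the appliance LOCAL_EPOCH would be
# "$(date +%s)" and REMOTE_EPOCH the same value read from vCenter.
check_time_skew() {
    local_t="$1"; remote_t="$2"; tol="${3:-300}"
    skew=$(( local_t - remote_t ))
    if [ "$skew" -lt 0 ]; then
        skew=$(( 0 - skew ))
    fi
    if [ "$skew" -gt "$tol" ]; then
        echo "clock skew ${skew}s exceeds ${tol}s; fix NTP before starting" >&2
        return 1
    fi
    return 0
}

# preflight ROOT LOCAL_EPOCH REMOTE_EPOCH: runs both checks, then Step 5
# (start the web server) only on a host where the init script exists.
preflight() {
    check_fling_files "$1" || return 1
    check_time_skew "$2" "$3" || return 1
    if [ -x /etc/init.d/vsphere-client ]; then
        /etc/init.d/vsphere-client start
    fi
    return 0
}
```

On the appliance, `preflight / "$(date +%s)" "<vCenter epoch>"` stands in for running Steps 3 to 5 by hand and stops before `start` if a file is missing or the clocks drift.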

Accessing the HTML5 Client

Once the vSphere HTML5 Client Web server is started go to:

https://<IP address or FQDN of the HTML5 Web Client appliance>:9443/ui

HTML5 Client login with auth

The login screen should look familiar! You’re now officially logged in to the new vSphere HTML5 Web Client. There are a few things I would like to point out:

  • Logon load time improved, takes 5-6 seconds.
  • Faster overall speed and response time.
  • Search is now in the top center of the page.
  • Smiley face in the upper right hand corner is the feedback tool.
  • Tabs have been simplified.
  • Clicking on the word “vSphere Client” in the upper left takes you home.

vSphere HTML5 Web Client Windows Fig 8

One important feature is the smiley face in the upper right hand corner. While it looks really innocent, it does actually serve a purpose. It’s your gateway to engineering, or we’ll call it the feedback tool. This is your chance to provide valuable input and help shape your future client.

vSphere HTML5 Web Client Feedback Tool

Troubleshooting

Here are a few things to validate in case you run into any issues along the way:

  • Use the following command to check the status of the vSphere Client Web Server service

/etc/init.d/vsphere-client status

vSphere HTML5 Web Client Troubleshooting Fig 1

  • Other commands include stop, start, and restart
  • Verify SSH is enabled on the vCenter Server Appliance
  • Validate time is in sync between the vSphere HTML5 Web Client Fling Appliance and vCenter Server
  • Make sure the vCenter Server Appliance Bash Shell is enabled

vSphere HTML5 Web Client VCSA Error

  • If using custom certificates, use the FQDN of the vCenter server during the initial registration

HTML5 technology is not new to VMware. The Platform Services Controller UI (6.0 U1) and the Embedded Host Client (6.0 U2) both fully support HTML5. Take the vSphere HTML5 Web Client Fling for a test drive and provide feedback – this is your HTML5 client, help shape its future :)

Feb 23

Alert: New VMware Security Advisory VMSA-2016-0002

Today VMware has released the following new security advisory:

VMSA-2016-0002

The advisory documents remediation and workarounds for a critical security issue in the glibc library, CVE-2015-7547.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.

Additional Information:

Feb 12

VMware announces vRealize Log Insight 3.3

Log Insight is a log aggregation, management and analysis tool that VMware first introduced in 2013 and that is now fiercely competing against Splunk.
Today the company announced Log Insight 3.3 that will be released shortly.



Among the new capabilities you can find:

  • Multiple VIPs with Tags, which now allow incoming traffic to be tagged
  • Webhooks sent by both system and user alerts
  • Enhanced vSphere Integration, which mainly covers new tagging capabilities for vCenter Servers and ESXi hosts
  • Additional OVF properties, which include DNS search path and DNS domain
  • New Parsers, which include LTSV (Labeled Tab-Separated Values), Regex and Syslog
  • IPv6 Support
  • copytruncate Support from logrotate
  • Windows 10 Support
  • A set of new APIs including Authentication API, Query API and a new Importer Utility

Log Insight 3.3 will also include in TP an Agent Configuration Builder, pure IPv6 support for the Virtual Appliance and a new set of Configuration APIs.

Feb 10

VMware Horizon 7: Your High Performance, Ultra-Secure, Throwaway Laptop Is Waiting For You

By Tony Paikeday, senior product line manager, End-User Computing, VMware

Don’t you love it when your brand new laptop finally arrives – pristine, unspoiled by corrupted registry, malware, or app bloat.  It just hums along perfectly, lightning fast, super responsive, snappy graphics.  All your apps are there, everything customized just the way you like it.  You’re in that state of computing bliss, silently judging your peers with their old clunky machines, staring at an hourglass.

Fast forward a couple months – what happened?  Your beautiful machine is now sluggish, taking forever to boot and login.  The graphics are laggy, no longer snappy.  Endless O/S notifications, prompting some required vulnerability patch. Now it’s just like everyone else’s.  Why can’t my corporate/PC life be more like my consumer/mobile life?

Too bad PC’s aren’t disposable, with IT serving up a fresh-out-of-the-box laptop experience to you every Monday.  Even better, every time you login!

Guess What We Built!

We’re changing the way IT looks at workspace services delivery. In VMware Horizon 7, we’ve introduced a number of capabilities that bring the virtues of the mobile cloud to virtual desktops and apps, with greater speed, simplicity, performance, security, and service elasticity than ever before.

Your Pristine, Tailor-Made, Disposable PC Is Waiting…

Just in Time Delivery with Instant Clone Technology is turning the traditional VDI provisioning model on its head. Now, a booted-up parent VM can be “hot-cloned” to produce derivative desktop VMs rapidly, sharing the disk and memory of the parent, with the clone starting in an already “booted-up” state. This process bypasses the cycle time incurred with traditional cloning, where several power cycle and reconfiguration calls are usually made. When combined with VMware App Volumes and User Environment Manager, administrators can use Instant Clone Technology to rapidly spin up desktops for users that retain user customization and persona from session to session, even though the desktop itself is destroyed when the user logs out. Virtual desktops benefit from the latest O/S and application patches automatically applied between user logins, without any disruptive recompose. This capability is delivering customers the VDI nirvana of fully customized and personalized desktops, built on the economics and security of stateless, non-persistent desktops.

More Secure Than Ever Before with Smart Policies

If you’re a CIO or CISO, the top item on your “to-do” list is to “stay out of the headlines”, i.e. don’t fall victim to an insider-led breach. While desktop and app virtualization helps protect data at rest by repatriating sensitive info to the datacenter, all those virtual desktops and apps are still prone to good (or bad) users doing bad (or stupid) things with them. Smart Policies include:

  • Policy-Managed Client Features, which enable IT to use policy to define which specific security-impacting features are accessible upon login. These include clipboard redirection, USB, printing, and client drives. All of these can be enforced contextually, based on role, evaluated at logon/logoff, disconnect/reconnect and at pre-determined refresh intervals, for consistent application of policy across the entirety of the user experience. For example, a user logging in from a network location considered unsecured can be denied access to USB and printing. Additionally, PCoIP bandwidth profile settings allow IT to customize the user experience based on user context and location.
  • True SSO streamlines secure access to a Horizon desktop when users authenticate via VMware Identity Manager. A short-lived VMware Horizon virtual certificate is generated, enabling a password-free Windows login and bypassing the usual secondary login prompt users would encounter before getting to their desktop. Want to see Smart Policies in action? Check out this quick demo:

VMware Horizon 7 Smart Policies Demo

Display Technology Purpose-Built For Mobile

We are excited to add Blast Extreme to our display protocol toolkit, alongside PCoIP and RDP. Blast Extreme is network-friendly, leverages both TCP and UDP transports, is powered by H.264 to get the best performance across more devices, and reduces CPU consumption, resulting in less device power consumed and longer battery life.

With the addition of Blast Extreme, we now offer a multiprotocol Swiss Army knife that allows IT to select the protocol that best fits their users’ work styles, networking geography and client device preferences. Supported by Blast Extreme and PCoIP is a multifaceted suite of client-side features ranging from printing to smart cards to multimedia and more, accessible on an ever-widening suite of VMware Horizon-optimized clients.

An additional benefit of Blast Extreme is that it is further optimized for workloads running on NVIDIA GRID. The combination of these technologies delivers a 1+1=3 effect. By leveraging NVIDIA GRID to offload encoding from the CPU to the GPU, it frees up CPU resources to run additional users per server while simultaneously improving performance. In testing conducted by NVIDIA’s GRID Performance Engineering team, using ESRI ArcGIS Pro 1.1, 18% higher user density was achieved, along with a 6-13% increase in frame rate, up to 51ms reduction in latency, and anywhere from 48-89% reduction in TCP bandwidth. Clearly the combination of Blast Extreme with NVIDIA GRID is delivering better scalability, reduced TCO, and a high-performance user experience. For NVIDIA’s perspective on this, check out their blog post here.

As you can see, VMware Horizon 7 is a pivotal release in our end user computing journey, offering a completely re-imagined way of looking at workspace services delivery, security, scale, and user experience – all optimized for the mobile cloud. In the coming days and weeks, look for additional blogs covering the various pillar capabilities in VMware Horizon 7, as well as great technical boot camp content that will show you how to get started quickly.

Feb 01

Release: VMware vRealize Operations Manager 6.2

VMware vRealize Operations Manager 6.2 Release Notes | 28 Jan 2016 | Build 3445568

What’s New?

vRealize Operations Manager 6.2 is the latest release of the VMware integrated vRealize Operations Suite. Updates cover all major areas of the product including installation, configuration, licensing, alerting, dashboards, reports, and policies. This release introduces the following enhancements.

  • Enhanced Distributed Resource Scheduler (DRS) Integration
    vRealize Operations now offers enhanced integration with the vCenter Distributed Resource Scheduler (DRS) when making and executing workload placement recommendations. The vRealize Operations Manager analytics determine cross-cluster placement opportunities, while vCenter Distributed Resource Scheduler determines the best destination within clusters. The enhanced integration uses all DRS rules, constraints, and enterprise-class capabilities.

  • New Workload Utilization Dashboard
    The Workload Utilization Dashboard enables you to see the object workload utilization for Cluster, DataCenter, and Custom DataCenter containers. The new dashboard incorporates an updated Utilization widget, capable of operating in either a capacity or workload utilization mode.

  • Ability to Import Single Sign-On Users
    As an Administrator, you can now add and authorize new users for vRealize Operations Manager by importing them from a Single Sign-On source.

  • Telemetry Enablement on Upgrade
    This release includes a one-time dialog after you upgrade that allows you to participate in the VMware Customer Experience Improvement Program. This program collects anonymous product configuration and usage data to enhance future versions of vRealize Operations.

  • Portable Licensing
    The portable licensing feature adds the ability for customers to license use of the product in vSphere as well as non-vSphere environments.

For more information on each of these features see vRealize Operations Manager 6.2

Jan 31

New paper on Virtualizing SAP on vSphere on All Flash Storage

SAP HANA is the preferred database for all future SAP applications. Columnar storage and the in-memory capabilities of SAP HANA make it an excellent platform for all SAP applications. Virtualized SAP HANA provides significant advantages over physical HANA implementations by providing flexibility and agility in operating a HANA environment.

SAP HANA environments have a large memory footprint, with the majority of data in memory. Changes to the memory are constantly being replicated to disk, and there can be significant disk activity on the system in spurts. In addition, when the system is restarted or there is any high availability event, a massive amount of data needs to be quickly loaded into memory from disk. For these reasons, HANA requires a highly performant IO subsystem. All Flash storage can be a great asset when used as shared storage for virtualized HANA implementations, as it can provide excellent IO performance. This paper looks at the benefits of using virtualization backed by All Flash storage for SAP HANA.

Another challenge in SAP HANA environments is the large memory requirement for the hardware. In the real world, not all data needs to be in memory. By reducing the amount of data resident in memory there are many potential benefits from a cost and efficiency perspective. Since SPS09, SAP HANA has offered dynamic tiering, which can help optimize memory utilization and move less actively used data to extended tables on disk. In addition, SAP HANA SPS10 provides multi-tenant capabilities combined with dynamic tiering.

The new paper Virtualizing SAP HANA leveraging All Flash Storage explores use cases for SAP HANA on All Flash storage to improve performance, optimize memory usage and increase RTO through efficient backup and recovery. We explore the use of SAP HANA on All Flash storage for the following use cases:

A. Improved performance for data load into virtualized HANA.

B. Optimized write-back performance during regular operations.

C. Streamlined backup and recovery for HANA data.

D. Dynamic Tiering to reduce memory footprint, with warm data on Flash.

Source:

This entry was posted in Uncategorized on January 29, 2016 by Mohan Potheri.
