VMware on VMware: vRealize Log Insight

Feb 28, 2017
 

How VMware IT Leverages vRealize Log Insight

VMware IT uses different tools, but VMware vRealize Log Insight really stands out for the way it helps VMware IT scale.

Managing the VMware private cloud is a big job. VMware's private cloud spans 6 data centers and more than 325,000 allocated VMs on more than 2,000 hosts.

Just like VMware's customers, VMware IT needs visibility into the health of its environment. Log Insight was the right tool to help the team scale and understand the applications used to run its cloud services.

In the words of the VMware OneCloud engineer Caleb Stephenson, "Log Insight has proven itself as a critical part of our management and monitoring infrastructure. It does log management across many different components that are critical to our infrastructure—from customer-facing applications, to infrastructure running large SAP instances, to the normal run-of-the-mill testing and development environments. It gives multiple teams the deep operational visibility we need with dashboards and analytics. And now we have proactive alerts that identify trends and events. That gives our support team an intuitive way to troubleshoot issues. In some cases we can even take action before an outage occurs. In the end it really helps us improve SLA performance for our customers.

It's an unbeatable tool for Root Cause Analysis (RCA). In the past, RCA would take a lot longer… and without a quick way to capture logs, it was sometimes impossible. Now we have a simple, easy way to pursue RCA and share log snippets."

 


 

What is vRealize Log Insight?

vRealize Log Insight delivers Intelligent Log Management for infrastructure and applications across physical, virtual, and cloud environments. Log Insight enables administrators to connect to everything in their environment (e.g., OS, apps, storage, network devices), providing a single location to collect, store, and analyze logs at scale. Log Insight is highly scalable and designed to handle Big Data. It can digest any type of log data, so users do not need to think about the format; they can just send their data to Log Insight.

 

How does vRealize Log Insight fit into Intelligent Operations and overall Cloud Management Platform (CMP)?

Log Insight comes with built-in knowledge and native support of vSphere and other VMware products, like VMware Horizon® with View, vRealize Operations and vRealize Automation™. Log Insight integrates with VMware vRealize Operations™ to bring unstructured and structured data together, for significantly enhanced end-to-end operations management.

Some Useful links:

  • VMware on VMware: http://www.vmware.com/company/vmware-on-vmware.html
  • Product documentation: https://vmware.com/support/pubs/log-insight-pubs.html
  • Log Insight community: http://loginsight.vmware.com/

Got questions? Leave a comment below.

 

The post VMware on VMware: vRealize Log Insight appeared first on VMware Cloud Management.

Feb 28, 2017
 

Enterprises are becoming digital businesses and cloud is driving the transformation.

Join us at Cloud Expo 2017 to discover how we can accelerate your digital transformation journey by enabling you to master a software-defined approach to business and IT.

VMware Cross-Cloud Architecture allows your business to run, manage, connect, and secure any application on any cloud, with freedom and control. It empowers enterprises to secure their apps across clouds and devices in a common operating environment.

Click here to sign up for a meeting with us and find out more about how we can help you enable a cloud strategy that gives you total control.

While you're at the event, make sure you don't miss the following sessions:

  • Wednesday 15 March, 11:45–12:10, Keynote Theatre:

VMware Cloud Services CTO EMEA, Richard Munro, talks Reality-Based IT strategies and how these can modernise and improve the efficiency of your IT capability and your workforce – more than you realised was possible.

  • Wednesday 15 March, 14:25–14:50, Theatre:

Hear from Graham Crich, EMEA Director for Cloud and Service Provider Partners – VMware, as he talks to a vCAN Partner about their customer cloud stories.

  • Thursday 16 March, 10:30–10:55, Keynote Theatre:

"Clouds, Containers and more: The IT revolution is underway" with Ray O'Farrell, CTO VMware. In his session and Q&A, Ray will explore insights into the latest trends in tech, and look at how advances in software development, such as DevOps and Containers, are helping to turn possibility into reality.

  • Thursday 16 March, 11:45–12:10, Keynote Theatre:

"Delivering on Digital Transformation in a Multi-Cloud World": Join Ray O'Farrell and a panel of organisations currently undertaking transformative journeys, for a discussion exploring how to successfully navigate a multi-cloud world.

Join us to discover how VMware's new Cross-Cloud Architecture provides customers with cloud freedom and control. If you haven't already, you can register here.

Check out #CEE17 and @VMware_UK to follow us and find out more about this year's event.

HCI Now On the Education Syllabus

Feb 28, 2017
 

Companies are realizing that data center modernization is the way of the future. Ventura County Community College District (VCCCD) is no different as schools and colleges around the world are embracing new data center technologies, like hyper-converged infrastructure (HCI), alongside traditional enterprises. VCCCD is a public education provider that offers a wide range of educational

The post HCI Now On the Education Syllabus appeared first on Virtual Blocks.

Download the New Network and Security with NSX SET

Feb 28, 2017
 

This new Solution Enablement Toolkit (SET) includes valuable business assets (calculator, presentation, user instructions), Service Delivery Toolkit presentations on the most common use cases, and vCAT-SP whitepapers – in English and additional languages (ES, FR, DE, PTB, JP, CN).

The post Download the New Network and Security with NSX SET appeared first on Partner News.

The Time Has Come: "Network Virtualization For Dummies"

Feb 28, 2017

These days, almost all enterprise data centers have virtualized a substantial share of their server resources. Many of them are also starting to virtualize their storage resources. These IT organizations recognize the benefits of virtualization: more efficient resource utilization, greater IT agility, and lower capital and operating expenses.

But could those benefits be even greater? If network resources are not yet virtualized, money is being spent inefficiently in terms of potential savings on capital and operating expenses, stronger data center security, and greater business and IT agility.

These benefits of network virtualization are described in the new book Network Virtualization For Dummies. This reference guide, published by Wiley and funded by VMware, is a crash course in the new, virtualized approach to the network, which is a key element of deploying a software-defined data center.

The book is written in simple, accessible language; it explains the fundamental principles of network virtualization, including its basic concepts, key technology components, use cases, and benefits for business and IT. Spend a little time reading the book and you will understand why network virtualization is needed, how it can improve your life, and where to start.

Making the case for network virtualization, the book explains how legacy network architectures limit business agility, overlook security threats, and drive up data center costs. These problems point to an urgent need to abandon the hardware-based approach and move to network virtualization.

So what is network virtualization? The book explains how network virtualization makes it possible to create, provision, and manage networks programmatically, using the underlying physical network as the packet-forwarding medium. Network virtualization reproduces all network components and capabilities in software. Put simply, it lets you run the entire network in software.

A strength of this book is that it describes network virtualization in language any IT professional can understand. What is more, the book is a reference guide, so there is no need to read it straight through from beginning to end. Of course, nothing stops you from reading all of it, since it is a very good read. But if your time is limited, you can go straight to the sections that interest you.

Either way, you will understand why network virtualization is needed and where to start.

Want to read the book? Click here to download the guide "Network Virtualization For Dummies".

Additional information:

  • Learn more about network virtualization
  • Try network virtualization in hands-on labs
  • Learn more about accelerating the digital transformation of your business
  • Read the book "Virtualization 2.0 For Dummies"

Now It's a Reality: "Network Virtualization For Dummies"

Feb 28, 2017

Today almost all enterprise data centers have virtualized a significant portion of their server resources, and a large percentage are about to virtualize their storage resources as well. IT organizations are increasingly aware of the benefits virtualization brings: better resource utilization, greater IT agility, and lower capital and operating costs.

But could the benefits be even greater? If organizations have not yet virtualized their network resources, they are in fact not taking full advantage of all the gains available in terms of reduced capital and operating costs, greater data center security, and greater IT and business agility.

These are just some of the benefits of network virtualization examined in the new book "Network Virtualization For Dummies". This reference book, published by Wiley and sponsored by VMware, offers a crash course on the new virtualized approach to the network, which is an essential element of the Software-Defined Data Center.

In simple, direct language, this quick-read book lays out the fundamentals of network virtualization, including the basic principles, key technology components, use cases, and benefits for the business and IT. Skim through the book and you will find out why you need network virtualization, how it can make life better, and what steps to take to get started.

To make the case for network virtualization, the book explains how legacy network architectures limit business agility, leave security threats unchecked, and drive up data center costs. From these hard realities a single important need emerges: it is time to say goodbye to the hard-wired systems of the past and move to virtualized networks.

What exactly is network virtualization? The book explains that network virtualization creates virtual networks, provisions them, and manages them programmatically, using the underlying physical network as a simple backplane for packet forwarding. Network virtualization replicates all network components and functions in software. Put simply, it lets you run the entire network in software.

A strong point of this book is that it tells the story of network virtualization in terms that anyone who works in an IT department can understand. Even better, the book is designed as a reference guide, so you do not need to read it from beginning to end. You might want to anyway, simply because the book is an interesting read from the first page to the last. However, if you are short on time, you can jump straight to the topics that interest you most, just as you would with any reference guide.

Either way, you will understand why you need to virtualize the network and what steps to take to get started.

Want to keep reading? Click here to download your copy of "Network Virtualization For Dummies".

To learn more:

  • Find out more about network virtualization
  • Try network virtualization with our Hands-On Labs
  • Find out how to accelerate digital transformation
  • Read "Virtualization 2.0 For Dummies"

It's Here: "Network Virtualization For Dummies"

Feb 28, 2017

Today, virtually all enterprise data centers have virtualized a good part of their server resources, and many are now tackling the virtualization of their storage resources. These IT departments are aware of the benefits virtualization offers, including better resource utilization, greater IT flexibility, and lower operating and capital costs.

But could there be more? If organizations have not yet virtualized their network resources, they are literally depriving themselves of sources of revenue, notably from potential reductions in capital and operating costs, stronger data center security, and greater business and IT flexibility.

These benefits of network virtualization, along with others, are described in the new guide "Network Virtualization For Dummies". This reference guide, published by Wiley and sponsored by VMware, offers a crash course on the new virtualized approach to the network, an essential element of the Software-Defined Data Center.

In simple, direct language, this guide quickly describes the basics of network virtualization, including its main concepts, key technology components, use cases, and business and IT benefits. In just a few minutes, you will understand why you need network virtualization, how it can improve your day-to-day work, and what you need to get started.

Making the case for network virtualization, this guide explains how existing network architectures have limited flexibility, leave the door open to security threats, and increase data center costs. This hard reality points to one major need: it is time to leave behind the hard-wired environment of the past and enter the era of the virtualized network.

So what is "network virtualization"? This guide explains that network virtualization lets you create, provision, and manage virtual networks programmatically, using the underlying physical network as a simple packet-forwarding mechanism in the background. Network virtualization replicates all network components and functions in software. In short, it lets you run your network in purely software form.

One advantage of this guide is that it tells the story of network virtualization in language that anyone who works in an IT shop can understand. What is more, it is written as a reference guide, so there is no need to read it from start to finish. But you will probably read all of it because it is interesting throughout. However, if your time is limited, you can go directly to the topics that interest you, as with any reference work.

Either way, you will understand why you need to virtualize your network and what you need to get started.

Would you like to start reading? Click here to download your copy of the guide "Network Virtualization For Dummies (La virtualisation du réseau pour les nuls)".

Other references:

  • Learn more about network virtualization.
  • Try network virtualization in a hands-on lab.
  • Find out how to accelerate digital transformation.
  • Check out the guide "Virtualization 2.0 for Dummies".

It's Here: "Network Virtualization For Dummies"

Feb 28, 2017

Today, almost all enterprise data centers have virtualized a considerable share of their server resources, and a large percentage are also starting to virtualize their storage resources. These IT organizations are realizing the benefits virtualization offers, such as better resource utilization, greater IT agility, and lower operating and capital expenses.

But could those benefits be even greater? If organizations have not yet virtualized their network resources, they are simply wasting an opportunity to gain money in the form of potential savings on operating and capital expenses, greater data center security, and greater business and IT agility.

These are some of the benefits of network virtualization covered in the new book "Network Virtualization For Dummies". This reference book, published by Wiley and sponsored by VMware, offers a crash course on the new, virtualized approach to the network, which is a fundamental component of the software-defined data center.

In simple terms, this quick-read book explains the fundamentals of network virtualization, including basic concepts, the main technology components, use cases, and the business and IT benefits. Spend a little time with the book and you will come to understand why you need network virtualization, how it can improve your life, and what you need to do to get started.

Making the case for network virtualization, this book explains how traditional network architectures limit business agility, leave security threats unchecked, and increase data center costs. These hard realities point to a single overall need: it is time to leave the static past behind and move into the era of the virtualized network.

But what exactly is "network virtualization"? The book explains that network virtualization creates, provisions, and manages virtual networks programmatically, using the underlying physical network as a mere packet-forwarding mechanism. Network virtualization replicates all network components and functions in software. In short, it lets you run the entire network in software.

One good thing about this book is that it tells the story of network virtualization in terms that anyone who works in an IT shop should be able to understand. Better still, the book is written as a reference guide, so there is no need to read it from beginning to end. Of course, you may want to, since the book as a whole is a good read. But if you do not have much time, you can go straight to the topics that interest you most, just as you would with any reference guide.

Either way, you will come to understand why you need to virtualize your network and what you must do to get started.

Want to keep reading? Click here to download a copy of "Network Virtualization For Dummies".

More information:

  • Learn more about network virtualization.
  • Try network virtualization for yourself in our hands-on labs.
  • Find out how to accelerate your digital transformation.
  • See "Virtualization 2.0 For Dummies".

NSX, vSphere, and Virtual SAN Troubleshooting Trainings Now in the Learning Zone

Feb 28, 2017
 

This month in the Learning Zone was mainly focused on troubleshooting. From vSphere to NSX to Virtual SAN, a lot of ground was covered. Standard and Premium subscribers are able to access these cloud-based videos on demand, anytime.

  • Troubleshooting vSphere 6: Tips & Tricks
  • vSphere Core 4 Performance Troubleshooting & Root Cause Analysis: An Overview
  • Troubleshooting Virtual SAN 6.2
  • Advanced NSX Troubleshooting
  • VMware Enterprise Learning Subscription: A Complete Cloud-based Training Solution
  • vRealize Automation: Abstracting the vSphere Endpoint as a Cloud Resource

Subscribe to the Learning Zone today and follow the hashtag #NewInTheZone on Twitter to get instant updates on the latest videos!

The post NSX, vSphere, and Virtual SAN Troubleshooting Trainings Now in the Learning Zone appeared first on VMware Education & Certification.

VMware Horizon 7 True SSO: Advanced Features

Feb 28, 2017
 

In a previous blog, we saw how to deploy VMware Horizon 7 True SSO in a lab environment. The diagram below is a recap of the deployment:

Now, let us discuss what to consider for deploying True SSO in a production environment. The discussion will only focus on the VMware Horizon Environment aspect of the above diagram.

VMware recommends deploying two VMware Enrollment Servers and two Microsoft Certificate Authorities (CA) for True SSO in a production environment. Configure these so that the Horizon Connection Server uses both VMware Enrollment Servers, and each VMware Enrollment Server uses both CAs.

Enrollment Server Deployment Scenarios

For each domain, we can configure two Enrollment Servers (primary and secondary) in a Horizon 7 environment. The 2 Enrollment Servers add redundancy which allows IT to conduct maintenance, upgrades etc. without any disruptions for end users.

By default, the Connection Server always prefers the primary Enrollment Server for generating certificates. The secondary Enrollment Server is used when the primary Enrollment Server is unresponsive or is in erroneous state. The Connection Server uses the primary Enrollment Server as soon as it recovers.

True SSO can also be configured for high availability. When configured, Connection Server distributes the load of generating Certificates by alternating between the two Enrollment Servers. If an Enrollment Server becomes unresponsive, the Connection Server routes all requests via the other one until it recovers.

For high availability, VMware recommends:

  • Co-host Enrollment Server with a CA on the same machine.
  • Configure Enrollment Server to prefer the local CA.
  • Configure Connection Server to load balance between the configured Enrollment Servers.

Configuration settings:

1. Configure Connection Server to load balance between two Enrollment Servers (requires editing LDAP).

  • Login to the console of a Connection Server on the POD and launch “ADSI Edit” from “Control Panel > Administrative Tools”
  • From menu, select “Action > Connect to”
  • Connection Settings:
    1. Connection Point: dc=vdi,dc=vmware,dc=int
    2. Computer: localhost:389
  • Expand the connection tree to “OU=Properties > OU=Global” and double click on the object named “CN=Common” on the right pane
  • From the properties window, find and double click the attribute named “pae-NameValuePair”
  • In the Multi-valued string editor window, add: “cs-view-certsso-enable-es-loadbalance=true”

2. Configure the Enrollment Server to prefer the local CA when co-hosted (requires editing registry).

  • Login to the console of an Enrollment Server
  • Registry location: HKLM\SOFTWARE\VMware, Inc.\VMware VDM\Enrollment Service
  • Add Value Name: “PreferLocalCa”, Value data: “1”
  • Needs to be repeated for each Enrollment Server individually

True SSO in a Complex Domain Environment

VMware supports deploying True SSO in a multi-domain environment, provided the domains have a two-way trust.

Let us take an example where we have two Domain trees (A & X) in the same forest.

Here we see two domain trees, Domain A and Domain X. Each of the domain trees has transitive trusts between all domains. Moreover, the Domain A tree and the Domain X tree have a two-way, transitive trust relationship with each other.

VMware supports True SSO in this scenario, and the two Enrollment Servers can be placed in any domain.

Let us consider another example:

Here, we see two forests each containing its own domain trees. Moreover, the two forests have two-way, forest-level trust set up, as well.

VMware supports True SSO in this scenario, as well. Like before, the two Enrollment Servers can be placed within any domain of any forest.

More about domain and forest trusts can be found at technet.microsoft.com/en-us/library/cc770299.aspx.

Deployment Considerations

For best performance, it is important to plan the deployment of the CAs and the Enrollment Servers. For generating certificates, the Enrollment Server needs to communicate with the CA and the CA needs to communicate with the Domain Controller. Therefore, it is always a good idea to place the CA as close as possible to the Domain Controller. Likewise, place the Enrollment Server as close as possible to the CA. By placing them in close vicinity, we aim to reduce the network hops. As such, we will get optimal performance by co-hosting the CA and the Enrollment Server on the same VM.

When deploying Enrollment Servers and CAs, we also need to consider administrative roles. If a “Domain admin” or “CA admin” is responsible for managing the CAs and the “View admin” is a separate role responsible for managing the View deployment, then we need to consider setting up the CA and the Enrollment Server on separate VMs, so each component is managed by the assigned role.

Advanced Settings

Out-of-the-box settings will suit most users. If required, there are some advanced settings provided for admins.

  • Settings for Virtual Desktop: All the required settings are provided via VMware Horizon View Agent admin GPO template (vdm_agent.adm).
  • Settings for Enrollment Server: All the required settings are provided via the registry, under: “HKLM\SOFTWARE\VMware, Inc.\VMware VDM\Enrollment Service”.
  • Settings for Connection Server: All the required settings are provided via LDAP under the attribute “pae-NameValuePair”, as discussed in the earlier section.

Description: This combination of settings adjusts the maximum time for generating a certificate on behalf of a user (includes retrying once on failure). Typically, admins would want to tweak these settings when they find certificates arriving after SSO has timed out waiting for one. All three settings need to be adjusted accordingly. Typically, the values would be: Enrollment Server < Connection Server < Virtual Desktop.

Settings:

  • Certificate wait timeout (Virtual Desktop, via GPO). Default: 40 sec. Range: 10 sec – 120 sec.
  • cs-view-certsso-certgen-timeout-sec (Connection Server, via LDAP). Default: 35 sec. Range: 10 sec – 60 sec.
  • MaxSubmitRetryTime (Enrollment Server, via Registry). Default: 25000 milliseconds. Range: 9500 milliseconds – 59000 milliseconds.

Description: The Enrollment Server caches details, like AD info, CAs, Templates, etc., about the Windows environment. By default, the Enrollment Server will attempt to access all domains. In a complex environment, you may want to limit the domains that the Enrollment Server monitors. The settings below can be set as required.

Settings (Enrollment Server, via Registry):

  • A. ConnectToDomains: Automatically monitor the domains specified. Example: truesso.dom.int
  • B. ExcludeDomains: Do not automatically monitor the domains specified. If a Connection Server references any of the listed domains via configuration, the Enrollment Server will try to connect to it and monitor. Example: truesso.dom.int
  • C. ConnectToDomainsInForest: Automatically monitor all domains in the forest. Default: 1 (True). Values: 0 (False) or positive number (True).
  • D. ConnectToTrustingDomains: Automatically monitor all explicitly trusting domains or domains with incoming trusts. Default: 1 (True). Values: 0 (False) or positive number (True).

Description: At times, CAs may take an unusually long time while generating certificates. When that happens, the Enrollment Server marks the CA as “Degraded”. The Enrollment Server measures how long a CA takes to generate a certificate, and the CA is marked Degraded if it takes more than 1,500 milliseconds by default.

Setting: SubmitLatencyWarningTime (Enrollment Server, via Registry). Default: 1500 milliseconds. Range: 500 milliseconds – 5000 milliseconds.

Description: This setting allows admins to disable True SSO on any specific desktop.

Setting: Disable True SSO (Virtual Desktop, via GPO). Default: 0 (False).

Description: This setting defines the minimum key size to be used for True SSO. The generated Certificate is protected via a public/private RSA key pair, which is securely stored on the Virtual Desktop. This defines the minimum bar for the key size: keys will have to be at least of the size defined by this value.

Setting: Minimum key size (Virtual Desktop, via GPO). Default: 1024. Range: 1024 – 8192.

Description: This setting specifies a list of key sizes. When generating an RSA key pair, the size must be defined in the list. The list can hold a maximum of five sizes.

Setting: All sizes of keys that can be used (Virtual Desktop, via GPO). Default: 2048. Example: 1024,2048,3072,4096,8192

Description: This setting specifies the number of RSA key pairs that will be pre-created. Generating RSA key pairs can be time consuming. To avoid adding to the logon time, we pre-create a number of key pairs and pick one from the cache when required for True SSO. This setting is only valid in Remote Desktop Session Host (RDSH) environments.

Setting: Number of keys to pre-create (Virtual Desktop, via GPO). Default: 5. Range: 1 – 100.

Description: This setting specifies how long a certificate must remain valid to be considered for reuse by True SSO. A user may be disconnected from his or her session. If the user tries to connect back while the session is still active, he/she will reconnect to the session. While reconnecting, True SSO will log the user back into the desktop. Since a session already exists, True SSO will try to reuse the Certificate associated with the session, provided it is still valid. Validity is determined by checking whether the certificate is valid for at least the duration defined by this setting, i.e. the expiration period is less than what is specified via this setting.

Setting: Minimum validity period required for a certificate (Virtual Desktop, via GPO). Default: 10 minutes. Range: Minimum 5 minutes.
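
The ranges above mix seconds and milliseconds, and the Enrollment Server < Connection Server < Virtual Desktop ordering is easy to break when only one value is changed. The following Python check is an added example, not VMware code: the dictionary keys are hypothetical names for the settings listed above, and the 2048-bit RSA floor is an added hardening check rather than a value from the table.

```python
# Added example: lint proposed True SSO advanced settings against the
# defaults, ranges and ordering listed on this page.
# Keys are hypothetical names; comments map them to the page's setting names.

# name: (default, minimum, maximum); None means no documented upper bound.
DOCUMENTED = {
    "vd_cert_wait_timeout_sec": (40, 10, 120),       # "Certificate wait timeout" (GPO)
    "cs_certgen_timeout_sec": (35, 10, 60),          # cs-view-certsso-certgen-timeout-sec (LDAP)
    "es_max_submit_retry_ms": (25000, 9500, 59000),  # MaxSubmitRetryTime (registry)
    "es_submit_latency_warn_ms": (1500, 500, 5000),  # SubmitLatencyWarningTime (registry)
    "vd_min_key_size": (1024, 1024, 8192),           # "Minimum key size" (GPO)
    "vd_keys_to_precreate": (5, 1, 100),             # "Number of keys to pre-create" (GPO)
    "vd_min_cert_validity_min": (10, 5, None),       # "Minimum validity period ..." (GPO)
}
KEY_SIZES = "vd_key_sizes"      # "All sizes of keys that can be used" (GPO)
DEFAULT_KEY_SIZES = (2048,)
MAX_LISTED_KEY_SIZES = 5
HARDENING_MIN_RSA_BITS = 2048   # reviewer's floor, not a value from the table


def _is_int(value):
    return isinstance(value, int) and not isinstance(value, bool)


def lint(overrides):
    """Return (severity, setting, message) tuples for defaults + overrides."""
    unknown = set(overrides) - set(DOCUMENTED) - {KEY_SIZES}
    if unknown:
        raise KeyError(f"unknown setting(s): {sorted(unknown)}")
    cfg = {name: spec[0] for name, spec in DOCUMENTED.items()}
    cfg[KEY_SIZES] = list(DEFAULT_KEY_SIZES)
    cfg.update(overrides)

    findings, bad = [], set()
    for name, (_default, low, high) in DOCUMENTED.items():
        value = cfg[name]
        if not _is_int(value):
            findings.append(("error", name, f"{value!r} is not an integer"))
            bad.add(name)
        elif value < low or (high is not None and value > high):
            bound = f"{low}..{high}" if high is not None else f">= {low}"
            findings.append(("error", name, f"{value} outside documented range {bound}"))
            bad.add(name)

    # Ordering rule: Enrollment Server < Connection Server < Virtual Desktop.
    # The registry value is in milliseconds, the other two are in seconds.
    chain = ("es_max_submit_retry_ms", "cs_certgen_timeout_sec", "vd_cert_wait_timeout_sec")
    if not bad.intersection(chain):
        es_ms = cfg[chain[0]]
        cs_ms = cfg[chain[1]] * 1000
        vd_ms = cfg[chain[2]] * 1000
        if not es_ms < cs_ms < vd_ms:
            findings.append(("error", "timeout-ordering",
                             f"need ES < CS < VD, got {es_ms} ms / {cs_ms} ms / {vd_ms} ms"))

    sizes = cfg[KEY_SIZES]
    if not isinstance(sizes, (list, tuple)) or not sizes or not all(_is_int(s) for s in sizes):
        findings.append(("error", KEY_SIZES, "must be a non-empty list of integers"))
        return findings
    if len(sizes) > MAX_LISTED_KEY_SIZES:
        findings.append(("error", KEY_SIZES,
                         f"{len(sizes)} sizes listed, maximum is {MAX_LISTED_KEY_SIZES}"))
    if "vd_min_key_size" not in bad:
        minimum = cfg["vd_min_key_size"]
        # Inference from the two descriptions: a key must come from the list
        # and be at least the minimum, so one listed size must reach it.
        if all(size < minimum for size in sizes):
            findings.append(("error", KEY_SIZES,
                             f"no listed size meets the minimum key size {minimum}"))
        if minimum < HARDENING_MIN_RSA_BITS:
            findings.append(("warning", "vd_min_key_size",
                             f"{minimum}-bit RSA permitted; raise to {HARDENING_MIN_RSA_BITS} or more"))
    return findings


if __name__ == "__main__":
    # Raising only the registry timeout to 40 s is in range but breaks the ordering.
    for finding in lint({"es_max_submit_retry_ms": 40000}):
        print(finding)
```

With the documented defaults, the only finding is the warning that the minimum key size still admits 1024-bit RSA keys.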

Common Troubleshooting

We observe the following log lines in the Horizon Connection Server logs:

  • 2016-03-17T17:07:43.359Z WARN (0484-009C) <SocketAuthenticateThread> [MessageFrameWork] AuthCERTSSL: incoming issuer ‘4b81f0b2-baab-4273-bbff-48ac36f8bcaa.certsso.vdi.vmware.com’ cert is self signed but not in our store.
  • 2016-03-17T17:07:43.359Z WARN (0484-009C) <SocketAuthenticateThread> [MessageFrameWork] Unable to accept connection, authentication failed, reason=authCertSsl

Cause: This indicates that the “Enrollment Service Client Certificate” has not been copied from the Connection Server to the Enrollment Server.

Resolution: Please deploy the “Enrollment Service Client Certificate” from the Connection Server to the Enrollment Server, so that the Enrollment Server can establish a secure connection between the two.

After setting up True SSO, it is advisable to check its status on the Horizon Connection Server administrator dashboard.

If everything is configured correctly and all components are working well, we would observe True SSO status as below on the Dashboard:

  • The domain for which True SSO is configured will be displayed under “True SSO,” and it will be green.
  • The trust relationship will be green under “Domains.”

Below is a list of issues that may disrupt True SSO:

1. Issue: The domain name is not displayed in the dashboard.

Cause: True SSO configuration information for that domain is missing or not set up correctly.

Resolution: Please verify that True SSO was configured correctly using the “vdmUtil” tool and/or reconfigure.

2. Issue: The domain name displayed in the dashboard under “True SSO” is not green.

Cause: True SSO configuration information may not be accurate, or some component required for True SSO to work is not working or not set up correctly.

Resolution: True SSO status for a domain may indicate okay (green), error (red) or warning (amber) on the dashboard.

To diagnose a problem, admins can click on the domain name, which will pop up a dialog displaying a warning or error message relating to the issue.

The table below describes the meaning of various error/warning messages that can be displayed via the pop-up dialog:

Category: Connection Server to Enrollment Server Connection Status

  • Message: Failed to fetch True SSO health information.
    Description: This message is displayed when no health information is available for the dashboard to display. The most likely cause is Enrollment Server has not reported back any status updates as yet. If this message lasts more than a minute, please verify the Enrollment Server is turned on and is reachable from the Connection Server.

  • Message: The <FQDN> enrollment server cannot be contacted by the True SSO configuration service.
    Description: This message is displayed if True SSO configuration information is not refreshed by the Connection Server for a long time. In a Horizon POD environment, all Enrollment Servers receive True SSO configuration information from a single Connection Server and are also responsible to refresh it every minute. This could happen if the specific connection server responsible for updating the configuration information lost connectivity to the reported Enrollment Server.

  • Message: The <FQDN> enrollment server cannot be contacted to manage sessions on this connection server.
    Description: This message is displayed if a Connection Server cannot connect to the Enrollment Server. There is a known limitation in Horizon 7. Instead of being displayed for all Connection Servers in the POD, this info is only displayed for the Connection Server the admin has logged into. To check connection status of all Connection Servers and Enrollment Servers, an admin would need to individually login to each connection server and check the status on the Dashboard.

Category: Enrollment Server to Active Directory Connection Status

  • Message: This domain <Domain Name> does not exist on the <FQDN> enrollment server.
    Description: This message is displayed if True SSO is configured for a domain but the Enrollment Server has not received any configuration information from the Connection Server as yet. If this message lasts for more than a minute, please check all the Connection Servers in the POD are working as expected and supports True SSO.

  • Message: The <FQDN> enrollment server’s connection to the domain <Domain Name> is still being established.
    Description: This message is displayed if True SSO is configured for the Domain, but the Enrollment Server is yet to connect to the Domain Controller. If the message lasts for more than a minute, please verify the Enrollment Server has network connectivity, can resolve the name of the Domain and can reach the Domain Controller.

  • Message: The <FQDN> enrollment server’s connection to the domain <Domain Name> is stopping or in a problematic state.
    Description: This message is displayed if the Enrollment Server encounters problem reading PKI information from the Domain Controller. Please check the specific Enrollment Server’s log file which will provide more info related to the specific Domain Controller. It might be caused by:
      a. Some issue with the Domain Controller itself.
      b. DNS not being configured properly.

  • Message: The <FQDN> enrollment server has not yet read the enrollment properties from a domain controller.
    Description: This message could be displayed because:
      a. The Enrollment Server has not connected to the Domain Controller yet, as it is most likely just starting up.
      b. It is a new domain and was just added to the environment. Therefore, the Enrollment Server has not connected to the Domain Controller, yet.
    If this message lasts for more than a minute, please check the following:
      a. The network connectivity might be extremely slow.
      b. The Enrollment Server is having difficulties accessing the Domain Controller.

  • Message: The <FQDN> enrollment server has read the enrollment properties at least once, but has not been able to reach a domain controller for some time.
    Description: This message is displayed when the Enrollment Server cannot poll the Domain Controller for PKI-related environment changes. An Enrollment Server reads the full PKI configuration from the Domain Controller when it connects to it for the first time and polls for incremental changes every two minutes. This message may not indicate True SSO failure. As long as the Certificate Authority servers are able to access the Domain Controller, the Enrollment Server will be able to issue Certificates for True SSO.

  • Message: The <FQDN> enrollment server has read the enrollment properties at least once, but either has not been able to reach a domain controller for an extended time or another issue exists.
    Description: This message is displayed if the Enrollment Server is not able to reach the Domain Controller for an extended period of time. During this time, the Enrollment Server will try to discover an alternative Domain Controller for that domain. If a CA Server is able to access a Domain Controller, the Enrollment Server will still issue certificates for True SSO, else it will result in Enrollment Server failing to issue Certificates for True SSO.

Category: Enrollment Certificate Status

  • Message: A valid enrollment certificate for this domain’s <Domain Name> forest is not installed on the <FQDN> enrollment server, or it may have expired.
    Description: This message is displayed when a valid Enrollment Certificate is missing for the domain from the Enrollment Server. Most likely, the Enrollment Certificate is:
      a. Not installed on the Enrollment Server.
      b. Invalid or expired.
    The Enrollment Certificate is issued by an Enterprise CA of the domain. On the Enrollment Server, the Certificate can be verified by:
      a. Opening Certificate Management snap-in for the local computer store in MMC.
      b. The Enrollment Certificate can be found in the “Personal” certificate container and can be verified it exists and is valid.
    Alternatively, the Enrollment Server’s log file can provide additional information regarding the state of all the certificates that were located. To resolve the issue, please follow the View Admin Guide and re-deploy the Enrollment Certificate on the Enrollment Server.

Category: Certificate Template Status

  • Message: The template <Name> does not exist on the <FQDN> enrollment server domain.
    Description: This message is displayed if the Certificate Template configured to be used for True SSO is not setup correctly or the Template name was misspelled during True SSO configuration. To resolve the issue, please follow the View Admin Guide and setup the Certificate Template correctly on the Enterprise CA and check the configuration of True SSO using the “vdmUtil” tool.

  • Message: Certificates generated by this template can NOT be used to log on to Windows
    Description: This message is displayed when the Certificate Template configured for True SSO is missing certain options required for it to work. To resolve this issue, please follow the View Admin Guide and setup the Certificate Template correctly on the Enterprise CA.

  • Message: The template <Name> is smartcard logon enabled, but cannot be used.
    Description: This message is displayed when the Certificate Template configured for True SSO is missing certain options required for it to work. To resolve this issue, please follow the View Admin Guide and setup the Certificate Template correctly on the Enterprise CA.

Category: Certificate Server Configuration Status

  • Message: The certificate server <CN> of <CA> does not exist in the domain.
    Description: This message is displayed if the Common Name for the CA is not configured correctly. Please verify that the Common Name (CN) specified for the CA in the True SSO configuration is accurate and is spelled correctly.

  • Message: The certificate is not in the NTAuth (Enterprise) store.
    Description: This message is displayed if the CA is not a member of the forest. To resolve the issue, please manually add the CA Certificate to the NTAuth store of the forest in question.

Category: Certificate Server Connection Status

  • Message: The <FQDN> enrollment server is not connected to the certificate server <CN> of <CA>.
    Description: This message is displayed if the Enrollment Server is not connected to the CA. This might be a transitional state and may occur when the Enrollment Server has just started or the CA was recently added/configured for True SSO. If the message lasts for more than a minute, it indicates that the Enrollment Server failed to connect to the CA. To resolve the issue, please verify the Enrollment Server can resolve the name of the CA, check the network connectivity between the Enrollment Server and the CA and the system account for the Enrollment Server has permissions to access the CA.

  • Message: The <FQDN> enrollment server has connected to the certificate server <CN> of <CA>, but the certificate server is in a degraded state.
    Description: This message is displayed if the CA has dramatically slowed down while issuing certificates. If this message persists for extended time, please check if the CA or the Domain Controller(s) is overworked. Once the issue is resolved and the CA resumes as normal, this message will not be displayed.

  • Message: The <FQDN> enrollment server can connect to the certificate server <CN> of <CA>, but the service is unavailable.
    Description: This message is displayed if the Enrollment Server is connected to the CA, but unable to issue any certificates for True SSO. This is a transitional state and will update rapidly. If the CA does not recover or does not become able to issue certificates, the state will be updated to “Disconnected.” To resolve the issue, please check the CA is up, the Enrollment Server can reach it and the CA is properly configured for True SSO.

3. After successfully setting up True SSO, we see logon attempts failing, and the following error is reported in the logs:

LogonUI] cred::ReportResult(): Reported authentication failure. Status=0xC00000BB (WinErr=50) and subStatus=0x00000000 (WinErr=0).

This is a PKI environmental issue that prevents smartcard logon from succeeding with the certificates generated by the CA. The following steps should fix the issue. VMware recommends following one step at a time and then testing to see if the issue is fixed. If not, then proceed to the next.

1. In the majority of cases, this is due to a problem with the Domain Controller certificate and the resolution is to refresh it, or to install it if not already present. The Domain Controller certificate must be generated using one of these templates: ‘Domain Controller’, ‘Domain Controller Authentication’ or ‘Kerberos Authentication’. Only one of these should be present; we will refer to it as ‘Domain Controller certificate’ below. To refresh:

  1. Load the Certificates MMC and then target it at the computer account: ‘Start’ -> ‘Run’ -> ‘MMC’ -> ‘File’ -> ‘Add/Remove Snap-in’ -> ‘Add’ -> ‘Certificates’ -> ‘Add’ -> ‘Computer Account’ -> ‘Next’ -> ‘Finish’ -> ‘Close’ -> ‘OK’
  2. Expand: ‘Certificates (Local Computer)’ -> ‘Personal’ -> ‘Certificates’
  3. Right click on the ‘Domain Controller certificate’ -> ‘All tasks’ -> ‘Renew/Request Certificate with New Key’
  4. Restart the Domain Controller.

2. Deploy the CA root certificate via the domain GPO to Trusted Root Certification Authorities. Perform this step on all domains that users may be logging on to using True SSO. Refer to microsoft.com/en-us/library/cc772491(v=ws.11).aspx.

3. Make sure the template used by True SSO does not have “Do not include revocation information in issued certificate” selected. Refer to vmware.com/euc/2016/04/true-sso-setting-up-in-a-lab.html section: Adjust the settings of various properties of the new template as marked in screenshot.
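
The two log signatures in this troubleshooting section, the authCertSsl rejection and the LogonUI Status=0xC00000BB failure, can be picked out of a log export and mapped to the resolutions given above. This Python triage is an added example, not part of the original post; it assumes the parenthesised field such as (0484-009C) identifies the logging thread, and the sample lines marked as constructed are not from a real system.

```python
import re
from collections import Counter

# Layout of the Connection Server lines quoted above:
# <timestamp> <level> (<ids>) <thread name> [module] message
LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<level>[A-Z]+)\s+\((?P<ids>[0-9A-Fa-f-]+)\)\s+"
    r"<(?P<thread>[^>]+)>\s+\[(?P<module>[^\]]+)\]\s+(?P<msg>.*)$"
)
# The issuer is quoted with typographic quotes on this page; accept ASCII too.
ISSUER = re.compile(
    r"AuthCERTSSL: incoming issuer [‘'\"](?P<issuer>[^’'\"]+)[’'\"] "
    r"cert is self signed but not in our store"
)
REJECTED = re.compile(r"authentication failed, reason=authCertSsl")
LOGON_FAILURE = re.compile(
    r"Reported authentication failure\. Status=(?P<status>0x[0-9A-Fa-f]{8})"
)


def triage(lines):
    """Group the page's two failure signatures and attach its resolutions."""
    pending = {}          # ids field -> issuer named on that thread's last warning
    rejected = Counter()  # issuer -> number of rejected connections
    pki_failures = 0
    for raw in lines:
        line = raw.strip()
        logon = LOGON_FAILURE.search(line)
        if logon and logon["status"].lower() == "0xc00000bb":
            pki_failures += 1
            continue
        head = LINE.match(line)
        if not head:
            continue
        issuer = ISSUER.search(head["msg"])
        if issuer:
            pending[head["ids"]] = issuer["issuer"]
        elif REJECTED.search(head["msg"]):
            # Assumption: the rejection follows the issuer warning on the same ids.
            rejected[pending.pop(head["ids"], "<issuer not logged>")] += 1

    findings = []
    for issuer, count in rejected.most_common():
        findings.append({
            "signature": "enrollment-client-cert-untrusted",
            "subject": issuer,
            "count": count,
            "action": "Deploy the Enrollment Service Client Certificate from "
                      "the Connection Server to the Enrollment Server.",
        })
    if pki_failures:
        findings.append({
            "signature": "smartcard-logon-pki-failure",
            "subject": "Status=0xC00000BB",
            "count": pki_failures,
            "action": "One step at a time: refresh the Domain Controller "
                      "certificate, deploy the CA root certificate via domain "
                      "GPO, check the template's revocation setting.",
        })
    return findings


SAMPLE_LOG = [
    # Lines 1, 2 and 6 are quoted from this page; lines 3 to 5 are constructed.
    "2016-03-17T17:07:43.359Z WARN (0484-009C) <SocketAuthenticateThread> [MessageFrameWork] AuthCERTSSL: incoming issuer ‘4b81f0b2-baab-4273-bbff-48ac36f8bcaa.certsso.vdi.vmware.com’ cert is self signed but not in our store.",
    "2016-03-17T17:07:43.359Z WARN (0484-009C) <SocketAuthenticateThread> [MessageFrameWork] Unable to accept connection, authentication failed, reason=authCertSsl",
    "2016-03-17T17:08:13.102Z WARN (0484-00A4) <SocketAuthenticateThread> [MessageFrameWork] AuthCERTSSL: incoming issuer ‘4b81f0b2-baab-4273-bbff-48ac36f8bcaa.certsso.vdi.vmware.com’ cert is self signed but not in our store.",
    "2016-03-17T17:08:13.103Z WARN (0484-00A4) <SocketAuthenticateThread> [MessageFrameWork] Unable to accept connection, authentication failed, reason=authCertSsl",
    "2016-03-17T17:08:20.000Z INFO (0484-00B0) <ExampleThread> [ExampleModule] constructed unrelated line",
    "LogonUI] cred::ReportResult(): Reported authentication failure. Status=0xC00000BB (WinErr=50) and subStatus=0x00000000 (WinErr=0).",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f'{finding["count"]}x {finding["signature"]} ({finding["subject"]})')
        print(f'   -> {finding["action"]}')
```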

Conclusion

This concludes our blog post on what to consider for setting up True SSO in a production environment, as well as various configuration options. We also talked about domain/forest trust scenarios where VMware supports True SSO. Finally, we reviewed some advanced settings that might allow admins to tweak True SSO if it does not work as expected out of the box. We also reviewed troubleshooting guidelines for some common issues related to True SSO and discussed the various warning/error messages that can be displayed on the Dashboard for True SSO.


The post VMware Horizon 7 True SSO: Advanced Features appeared first on VMware End-User Computing Blog.

VMware Horizon 7 True SSO: Advanced Features

 Allgemein, Knowledge Base, Updates, VMware, VMware Partner, VMware Virtual Infrastructure, vSphere  Kommentare deaktiviert für VMware Horizon 7 True SSO: Advanced Features
Feb 282017
 

In a previous blog, we saw how to deploy VMware Horizon 7 True SSO in a lab environment. The diagram below is a recap of the deployment:

Now, let us discuss what to consider for deploying True SSO in a production environment. The discussion will only focus on the VMware Horizon Environment aspect of the above diagram.

VMware recommends deploying two VMware Enrollment Servers and two Microsoft Certificate Authorities (CA) for True SSO in a production environment. Configure these so that the Horizon Connection Server uses both VMware Enrollment Servers, and each VMware Enrollment Server uses both CAs.

Enrollment Server Deployment Scenarios

For each domain, we can configure two Enrollment Servers (primary and secondary) in a Horizon 7 environment. The 2 Enrollment Servers add redundancy which allows IT to conduct maintenance, upgrades etc. without any disruptions for end users.

By default, the Connection Server always prefers the primary Enrollment Server for generating certificates. The secondary Enrollment Server is used when the primary Enrollment Server is unresponsive or is in erroneous state. The Connection Server uses the primary Enrollment Server as soon as it recovers.

True SSO can also be configured for high availability. When configured, Connection Server distributes the load of generating Certificates by alternating between the two Enrollment Servers. If an Enrollment Server becomes unresponsive, the Connection Server routes all requests via the other one until it recovers.

For high availability, VMware recommends:

  • Co-host Enrollment Server with a CA on the same machine.
  • Configure Enrollment Server to prefer the local CA.
  • Configure Connection Server for load balance between the configured Enrollment Servers.

Configuration settings:

1. Configure Connection Server to load balance between two Enrollment Servers (requires editing LDAP).

  • Login to the console of a Connection Server on the POD and launch &#rsquo;ADSI Edit&#rdquo; from &#rsquo;Control Panel > Administrative Tools&#rdquo;
  • From menu, select &#rsquo;Action > Connect to&#rdquo;
  • Connection Settings:
    1. Connection Point: dc=vdi,dc=vmware,dc=int
    2. Computer: localhost:389
  • Expand the connection tree to &#rsquo;OU=Properties > OU=Global&#rdquo; and double click on the object named &#rsquo;CN=Common&#rdquo; on the right pane
  • From the properties window, find and double click the attribute named &#rsquo;pae-NameValuePair&#rdquo;
  • In the Multi-valued string editor window, add : &#rsquo;cs-view-certsso-enable-es-loadbalance=true&#rdquo;

2. Configure the Enrollment Server to prefer the local CA when co-hosted (requires editing registry).

  • Login to the console of an Enrollment Server
  • Registry location: HKLM\SOFTWARE\VMware, Inc.\VMware VDM\Enrollment Service
  • Add Value Name: &#rsquo;PreferLocalCa&#rdquo;, Value data: &#rsquo;1&#rdquo;
  • Needs to be repeated for each Enrollment Server individually

True SSO in a Complex Domain Environment

VMware supports deploying True SSO in multi-domain environment provided they have two-way trust.

Let us take an example where we have two Domain trees (A & X) in the same forest.

Here we see two domain trees, Domain A and Domain X. Each of the domain trees has transitive trusts between all domains. Moreover, Domain A tree and Domain X tree have two-way, transitive trust relationship between each other.

VMware supports True SSO in this scenario, and the two Enrollment Servers can be placed at any domain.

Let us consider another example:

Here, we see two forests each containing its own domain trees. Moreover, the two forests have two-way, forest-level trust set up, as well.

VMware supports True SSO in this scenario, as well. Like before, the two Enrollment Servers can be placed within any domain of any forest.

More about domain and forest trusts can be found at technet.microsoft.com/en-us/library/cc770299.aspx.

Deployment Considerations

For best performance, it is important to plan the deployment of the CAs and the Enrollment Servers. For generating certificates, the Enrollment Server needs to communicate with the CA and the CA needs to communicate with the Domain Controller. Therefore, it is always a good idea to place the CA as close as possible to the Domain Controller. Likewise, place the Enrollment Server as close as possible to the CA. By placing them in close vicinity, we aim to reduce the network hops. As such, we will get optimal performance by co-hosting the CA and the Enrollment Server on the same VM.

When deploying Enrollment Servers and CAs, we would also need to consider administrational roles. If &#rsquo;Domain admin&#rdquo; or &#rsquo;CA admin&#rdquo; is responsible for managing the CAs and &#rsquo;View admin&#rdquo; is a separate role responsible for managing the View deployment, then we need to consider setting up CA and Enrollment Server on separate VMs, so each component is managed by the assigned roles.

Advanced Settings

Out-of-the-box settings will suit most users. If required, there are some advanced settings provided for admins.

  • Settings for Virtual Desktop: All the required settings are provided via VMware Horizon View Agent admin GPO template (vdm_agent.adm).
  • Settings for Enrollment Server: All the required registry are provided via registry and is created under: &#rsquo;HKLM\SOFTWARE\VMware, Inc.\VMware VDM\Enrollment Service&#rdquo;.
  • Settings for Connection Server: All the required settings are provided via LDAP under attribute &#rsquo;pae-NameValuePair&#rdquo; as discussed in earlier section.
DescriptionSettings
This combination of settings adjusts the maximum time for generating a certificate on behalf of a user (includes retrying once on failure).

Typically, admins would want to tweak these settings when they find certificates arriving after SSO has timed out waiting for one.

All three settings need to be adjusted accordingly.

Typically, the values would be:

Enrollment Server < Connection Server < Virtual Desktop.

Certificate wait timeout

Default: 40 sec

Range: 10 secs – 120 secs

Virtual Desktop

(via GPO)

cs-view-certsso-certgen-timeout-sec

Default: 35 sec

Range: 10 sec – 60 sec

Connection Server

(via LDAP)

MaxSubmitRetryTime

Default: 25000 millisecond

Range: 9500 milliseconds – 59000 milliseconds

Enrollment Server

(via Registry)

The Enrollment Server caches details, like AD info, CAs, Templates, etc., about the Windows environment. By default, the Enrollment Server will attempt to access all domains. In a complex environment, you may want to limit the domains that the Enrollment Server monitors.

Below settings can be set as required

A. Automatically monitor the domains specified.

B. Do not automatically monitor the domains specified.

If a Connection Server references any of the listed domains via configuration, the Enrollment Server will try to connect to it and monitor.

C. Automatically monitor all domains in the forest.

D. Automatically monitor all explicitly trusting domains or domains with incoming trusts.

 

 

 

 

 

 

 

 

 

 

A. ConnectToDomains

Example: truesso.dom.int

 

B. ExcludeDomains

Example: truesso.dom.int

 

 

 

 

 

C. ConnectToDomainsInForest

Default: 1 (True)

Values: 0 (False) or positive number (True)

 

D. ConnectToTrustingDomains

Default: 1 (True)

Values: 0 (False) or positive number (True)

 

Enrollment Server

(via Registry)

At times, CAs may take an unusually long time while generating certificates. It is marked as &#rsquo;Degraded&#rdquo; by the Enrollment Server when that happens.

The Enrollment Server measures how long a CA takes to generate a certificate, and it is marked Degraded if it takes more than 1,500 milliseconds by default.

SubmitLatencyWarningTime

Default: 1500 milliseconds

Range: 500 milliseconds – 5000 milliseconds

Enrollment Server

(via Registry)

This setting allows admins to disable True SSO on any specific desktop.

Disable True SSO

 

Default: 0 (False)

 

Virtual Desktop

(via GPO)

This setting defines the minimum key size to be used for True SSO.

The generated Certificate is protected via public/private RSA key pair, which is securely stored on the Virtual Desktop.

This defines the minimum bar for the key size. For example, keys will have to be at least of the size defined by this value.

Minimum key size

 

Default: 1024

Range: 1024 – 8192

Virtual Desktop

(via GPO)

This setting specifies a list of key sizes.

When generating an RSA key pair, the size must be one of those defined in the list.

The list can hold a maximum of five sizes.

Setting: All sizes of keys that can be used.

Default: 2048

Example: 1024,2048,3072,4096,8192

Configured on: Virtual Desktop (via GPO)

This setting specifies the number of RSA key pairs that will be pre-created.

Generating RSA key pairs can be time consuming. So as not to add to the logon time, we pre-create a number of key pairs and pick one from the cache when required for True SSO.

This setting is only valid in Remote Desktop Session Host (RDSH) environments.

Setting: Number of keys to pre-create

Default: 5

Range: 1 – 100

Configured on: Virtual Desktop (via GPO)

This setting specifies how long a certificate must remain valid to be considered for reuse by True SSO.

A user may be disconnected from his or her session. If the user tries to connect back while the session is still active, he or she will reconnect to the session. While reconnecting, True SSO will log the user back into the desktop. Since a session already exists, True SSO will try to reuse the certificate associated with the session, provided it is still valid. The certificate is considered valid for reuse if it remains valid for at least the duration defined by this setting.

Setting: Minimum validity period required for a certificate.

Default: 10 minutes

Range: Minimum 5 minutes

Configured on: Virtual Desktop (via GPO)
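The documented ranges above can be checked mechanically before a change is rolled out. The following is an added example, not code from the original post or from VMware: apart from SubmitLatencyWarningTime, the dictionary keys are hypothetical labels rather than real registry or GPO names, and the rule that a listed key size below the minimum key size is unusable is an assumption drawn from the descriptions above.

```python
# Bounds copied from the settings described above; None means no upper bound.
# Except for SubmitLatencyWarningTime, the keys are hypothetical labels.
RANGES = {
    "SubmitLatencyWarningTime": (500, 5000),    # milliseconds
    "min_key_size": (1024, 8192),               # bits
    "keys_to_precreate": (1, 100),
    "min_cert_validity_minutes": (5, None),
}
MAX_KEY_SIZES = 5    # the key-size list holds at most five entries
WEAK_BELOW = 2048    # added guidance, not from the post: RSA below 2048 bits is weak


def parse_key_sizes(text):
    """Parse a comma-separated key-size list such as '1024,2048,3072'."""
    sizes = []
    for part in text.split(","):
        part = part.strip()
        if not part.isdigit():
            raise ValueError(f"not a key size: {part!r}")
        sizes.append(int(part))
    return sizes


def check_settings(cfg):
    """Return a list of findings; an empty list means the settings are coherent."""
    findings = []
    for name, (low, high) in RANGES.items():
        if name not in cfg:
            continue
        value = cfg[name]
        if value < low or (high is not None and value > high):
            findings.append(f"{name}={value} is outside the documented range")
    if "key_sizes" not in cfg:
        return findings
    try:
        sizes = parse_key_sizes(cfg["key_sizes"])
    except ValueError as exc:
        return findings + [f"key_sizes: {exc}"]
    if len(sizes) > MAX_KEY_SIZES:
        findings.append(f"key_sizes lists {len(sizes)} sizes; the maximum is {MAX_KEY_SIZES}")
    low, high = RANGES["min_key_size"]
    minimum = cfg.get("min_key_size", low)
    for size in sizes:
        if not low <= size <= high:
            findings.append(f"key size {size} is outside {low}-{high}")
            continue
        if size < minimum:
            # Assumption: a listed size below the minimum can never be selected.
            findings.append(f"key size {size} is below min_key_size={minimum}")
        if size < WEAK_BELOW:
            findings.append(f"key size {size} is weaker than {WEAK_BELOW}-bit RSA")
    return findings
```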

Common Troubleshooting

We observe the following log lines in the Horizon Connection Server logs:

  • 2016-03-17T17:07:43.359Z WARN (0484-009C) <SocketAuthenticateThread> [MessageFrameWork] AuthCERTSSL: incoming issuer ‘4b81f0b2-baab-4273-bbff-48ac36f8bcaa.certsso.vdi.vmware.com’ cert is self signed but not in our store.
  • 2016-03-17T17:07:43.359Z WARN (0484-009C) <SocketAuthenticateThread> [MessageFrameWork] Unable to accept connection, authentication failed, reason=authCertSsl

Cause: This indicates that the “Enrollment Service Client Certificate” has not been copied from the Connection Server to the Enrollment Server.

Resolution: Please deploy the “Enrollment Service Client Certificate” from the Connection Server to the Enrollment Server, so that the Enrollment Server can establish a secure connection between the two.

After setting up True SSO, it is advisable to check its status on the Horizon Connection Server administrator dashboard.

If everything is configured correctly and all components are working well, we would observe True SSO status as below on the Dashboard:

  • The domain for which True SSO is configured will be displayed under “True SSO,” and it will be green.
  • The trust relationship will be green under “Domains.”

Below is a list of issues that may disrupt True SSO:

1. Issue: The domain name is not displayed in the dashboard.

Cause: True SSO configuration information for that domain is missing or not set up correctly.

Resolution: Please verify that True SSO was configured correctly using the “vdmUtil” tool and/or reconfigure.

2. Issue: The domain name displayed in the dashboard under “True SSO” is not green.

Cause: True SSO configuration information may not be accurate, or some component required for True SSO to work is not working or not set up correctly.

Resolution: True SSO status for a domain may indicate okay (green), error (red) or warning (amber) on the dashboard.

To diagnose a problem, admins can click on the domain name, which will pop up a dialog displaying a warning or error message relating to the issue.

The entries below, grouped by category, describe the meaning of the various error/warning messages that can be displayed via the pop-up dialog:

Category: Connection Server to Enrollment Server Connection Status

Message: Failed to fetch True SSO health information.

Description: This message is displayed when no health information is available for the dashboard to display.

The most likely cause is that the Enrollment Server has not reported back any status updates as yet.

If this message lasts more than a minute, please verify the Enrollment Server is turned on and is reachable from the Connection Server.

Message: The <FQDN> enrollment server cannot be contacted by the True SSO configuration service.

Description: This message is displayed if True SSO configuration information is not refreshed by the Connection Server for a long time.

In a Horizon POD environment, all Enrollment Servers receive True SSO configuration information from a single Connection Server and are also responsible for refreshing it every minute.

This could happen if the specific Connection Server responsible for updating the configuration information lost connectivity to the reported Enrollment Server.

Message: The <FQDN> enrollment server cannot be contacted to manage sessions on this connection server.

Description: This message is displayed if a Connection Server cannot connect to the Enrollment Server.

There is a known limitation in Horizon 7. Instead of being displayed for all Connection Servers in the POD, this info is only displayed for the Connection Server the admin has logged into.

To check the connection status of all Connection Servers and Enrollment Servers, an admin would need to log in to each Connection Server individually and check the status on the Dashboard.

Category: Enrollment Server to Active Directory Connection Status

Message: This domain <Domain Name> does not exist on the <FQDN> enrollment server.

Description: This message is displayed if True SSO is configured for a domain but the Enrollment Server has not received any configuration information from the Connection Server as yet.

If this message lasts for more than a minute, please check that all the Connection Servers in the POD are working as expected and support True SSO.

Message: The <FQDN> enrollment server’s connection to the domain <Domain Name> is still being established.

Description: This message is displayed if True SSO is configured for the Domain, but the Enrollment Server is yet to connect to the Domain Controller.

If the message lasts for more than a minute, please verify the Enrollment Server has network connectivity, can resolve the name of the Domain and can reach the Domain Controller.

Message: The <FQDN> enrollment server’s connection to the domain <Domain Name> is stopping or in a problematic state.

Description: This message is displayed if the Enrollment Server encounters a problem reading PKI information from the Domain Controller.

Please check the specific Enrollment Server’s log file, which will provide more info related to the specific Domain Controller.

It might be caused by:

a. Some issue with the Domain Controller itself.

b. DNS not being configured properly.

Message: The <FQDN> enrollment server has not yet read the enrollment properties from a domain controller.

Description: This message could be displayed because:

a. The Enrollment Server has not connected to the Domain Controller yet, as it is most likely just starting up.

b. It is a new domain and was just added to the environment. Therefore, the Enrollment Server has not connected to the Domain Controller yet.

If this message lasts for more than a minute, please check the following:

a. The network connectivity might be extremely slow.

b. The Enrollment Server is having difficulties accessing the Domain Controller.

Message: The <FQDN> enrollment server has read the enrollment properties at least once, but has not been able to reach a domain controller for some time.

Description: This message is displayed when the Enrollment Server cannot poll the Domain Controller for PKI-related environment changes.

An Enrollment Server reads the full PKI configuration from the Domain Controller when it connects to it for the first time and polls for incremental changes every two minutes.

This message may not indicate True SSO failure.

As long as the Certificate Authority servers are able to access the Domain Controller, the Enrollment Server will be able to issue Certificates for True SSO.

Message: The <FQDN> enrollment server has read the enrollment properties at least once, but either has not been able to reach a domain controller for an extended time or another issue exists.

Description: This message is displayed if the Enrollment Server is not able to reach the Domain Controller for an extended period of time. During this time, the Enrollment Server will try to discover an alternative Domain Controller for that domain.

If a CA Server is able to access a Domain Controller, the Enrollment Server will still issue certificates for True SSO; otherwise, the Enrollment Server will fail to issue Certificates for True SSO.

Category: Enrollment Certificate Status

Message: A valid enrollment certificate for this domain’s <Domain Name> forest is not installed on the <FQDN> enrollment server, or it may have expired.

Description: This message is displayed when a valid Enrollment Certificate for the domain is missing from the Enrollment Server.

Most likely, the Enrollment Certificate is:

a. Not installed on the Enrollment Server.

b. Invalid or expired.

The Enrollment Certificate is issued by an Enterprise CA of the domain. On the Enrollment Server, the Certificate can be verified by:

a. Opening the Certificate Management snap-in for the local computer store in MMC.

b. Locating the Enrollment Certificate in the “Personal” certificate container and verifying that it exists and is valid.

Alternatively, the Enrollment Server’s log file can provide additional information regarding the state of all the certificates that were located.

To resolve the issue, please follow the View Admin Guide and re-deploy the Enrollment Certificate on the Enrollment Server.

Category: Certificate Template Status

Message: The template <Name> does not exist on the <FQDN> enrollment server domain.

Description: This message is displayed if the Certificate Template configured to be used for True SSO is not set up correctly or the Template name was misspelled during True SSO configuration.

To resolve the issue, please follow the View Admin Guide and set up the Certificate Template correctly on the Enterprise CA, and check the configuration of True SSO using the “vdmUtil” tool.

Message: Certificates generated by this template can NOT be used to log on to Windows

Description: This message is displayed when the Certificate Template configured for True SSO is missing certain options required for it to work.

To resolve this issue, please follow the View Admin Guide and set up the Certificate Template correctly on the Enterprise CA.

Message: The template <Name> is smartcard logon enabled, but cannot be used.

Description: This message is displayed when the Certificate Template configured for True SSO is missing certain options required for it to work.

To resolve this issue, please follow the View Admin Guide and set up the Certificate Template correctly on the Enterprise CA.

Category: Certificate Server Configuration Status

Message: The certificate server <CN> of <CA> does not exist in the domain.

Description: This message is displayed if the Common Name for the CA is not configured correctly.

Please verify that the Common Name (CN) specified for the CA in the True SSO configuration is accurate and is spelled correctly.

Message: The certificate is not in the NTAuth (Enterprise) store.

Description: This message is displayed if the CA is not a member of the forest.

To resolve the issue, please manually add the CA Certificate to the NTAuth store of the forest in question.

Category: Certificate Server Connection Status

Message: The <FQDN> enrollment server is not connected to the certificate server <CN> of <CA>.

Description: This message is displayed if the Enrollment Server is not connected to the CA.

This might be a transitional state and may occur when the Enrollment Server has just started or the CA was recently added/configured for True SSO.

If the message lasts for more than a minute, it indicates that the Enrollment Server failed to connect to the CA.

To resolve the issue, please verify that the Enrollment Server can resolve the name of the CA, check the network connectivity between the Enrollment Server and the CA, and confirm that the system account for the Enrollment Server has permissions to access the CA.

Message: The <FQDN> enrollment server has connected to the certificate server <CN> of <CA>, but the certificate server is in a degraded state.

Description: This message is displayed if the CA has dramatically slowed down while issuing certificates.

If this message persists for an extended time, please check whether the CA or the Domain Controller(s) is overworked. Once the issue is resolved and the CA resumes normal operation, this message will no longer be displayed.

Message: The <FQDN> enrollment server can connect to the certificate server <CN> of <CA>, but the service is unavailable.

Description: This message is displayed if the Enrollment Server is connected to the CA, but unable to issue any certificates for True SSO.

This is a transitional state and will update rapidly. If the CA does not recover or does not become able to issue certificates, the state will be updated to “Disconnected.”

To resolve the issue, please check that the CA is up, that the Enrollment Server can reach it and that the CA is properly configured for True SSO.

3. After successfully setting up True SSO, we see logon attempts failing, and the following error is reported in the logs:

LogonUI] cred::ReportResult(): Reported authentication failure. Status=0xC00000BB (WinErr=50) and subStatus=0x00000000 (WinErr=0).

This is a PKI environmental issue that prevents smartcard logon from succeeding with the certificates generated by the CA. The following steps should fix the issue. VMware recommends following one step at a time and then testing to see if the issue is fixed. If not, then proceed to the next.

1. In the majority of cases, this is due to a problem with the Domain Controller certificate, and the resolution is to refresh it, or to install it if not already present. The Domain Controller certificate must be generated using one of these templates: ‘Domain Controller’, ‘Domain Controller Authentication’ or ‘Kerberos Authentication.’ Only one of these should be present; we will refer to it as ‘Domain Controller certificate’ below. To refresh:

  1. Load the Certificates MMC and then target it at the computer account: ‘Start’ -> ‘Run’ -> ‘MMC’ -> ‘File’ -> ‘Add/Remove Snap-in’ -> ‘Add’ -> ‘Certificates’ -> ‘Add’ -> ‘Computer Account’ -> ‘Next’ -> ‘Finish’ -> ‘Close’ -> ‘OK’
  2. Expand: ‘Certificates (Local Computer)’ -> ‘Personal’ -> ‘Certificates’
  3. Right click on the ‘Domain Controller certificate’ -> ‘All tasks’ -> ‘Renew/Request Certificate with New Key’
  4. Restart Domain Controller.

2. Deploy the CA root certificate via the domain GPO to Trusted Root Certification Authorities. Perform this step on all domains that users may be logging on to using True SSO. Refer to microsoft.com/en-us/library/cc772491(v=ws.11).aspx.

3. Make sure the template used by True SSO does not have “Do not include revocation information in issued certificate” selected. Refer to vmware.com/euc/2016/04/true-sso-setting-up-in-a-lab.html section: Adjust the settings of various properties of the new template as marked in screenshot.
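The two log signatures quoted on this page (the AuthCERTSSL warning under Common Troubleshooting and the LogonUI Status=0xC00000BB failure in issue 3) can be picked out of collected logs automatically. This is an added example, not code from the original post or from VMware: the rule names are hypothetical, and the sample reuses the post's log lines plus one invented unrelated line.

```python
import re

# Constructed sample: the log lines quoted in this post plus one invented line.
SAMPLE_LOG = """\
2016-03-17T17:07:43.359Z WARN (0484-009C) <SocketAuthenticateThread> [MessageFrameWork] AuthCERTSSL: incoming issuer ‘4b81f0b2-baab-4273-bbff-48ac36f8bcaa.certsso.vdi.vmware.com’ cert is self signed but not in our store.
2016-03-17T17:07:43.359Z WARN (0484-009C) <SocketAuthenticateThread> [MessageFrameWork] Unable to accept connection, authentication failed, reason=authCertSsl
2016-03-17T17:08:01.002Z INFO (0484-00A0) <ExampleThread> [Example] unrelated line
LogonUI] cred::ReportResult(): Reported authentication failure. Status=0xC00000BB (WinErr=50) and subStatus=0x00000000 (WinErr=0).
"""

# Timestamp, level and the parenthesised id field at the start of a line.
HEADER = re.compile(r"^(?P<ts>\S+Z)\s+(?P<level>[A-Z]+)\s+\((?P<ids>[^)]+)\)")

# (hypothetical rule name, pattern, next step as given in the post)
RULES = [
    ("client-cert-not-trusted",
     re.compile(r"AuthCERTSSL: incoming issuer \W(?P<detail>[\w.-]+)\W cert is self signed but not in our store"),
     "Deploy the Enrollment Service Client Certificate from the Connection Server to the Enrollment Server."),
    ("connection-rejected",
     re.compile(r"Unable to accept connection, authentication failed, reason=(?P<detail>\w+)"),
     "Usually accompanies client-cert-not-trusted; fix that first."),
    ("pki-logon-failure",
     re.compile(r"Reported authentication failure\. Status=(?P<detail>0xC00000BB) "),
     "Refresh the Domain Controller certificate, then check the CA root GPO and the template's revocation setting."),
]


def triage(log_text):
    """Return one finding per recognised line: ts, ids, kind, detail, action."""
    findings = []
    for line in log_text.splitlines():
        header = HEADER.match(line)
        for kind, pattern, action in RULES:
            hit = pattern.search(line)
            if hit:
                findings.append({
                    "ts": header.group("ts") if header else None,
                    "ids": header.group("ids") if header else None,
                    "kind": kind,
                    "detail": hit.group("detail"),
                    "action": action,
                })
                break
    return findings


def incidents(findings):
    """Collapse findings that share timestamp and id field into one incident."""
    grouped = {}
    for finding in findings:
        # Lines without a header (such as the LogonUI line) stay separate.
        key = (finding["ts"], finding["ids"]) if finding["ts"] else (id(finding), None)
        grouped.setdefault(key, []).append(finding["kind"])
    return list(grouped.values())
```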

Conclusion

This concludes our blog post on what to consider for setting up True SSO in a production environment, as well as various configuration options. We also talked about domain/forest trust scenarios where VMware supports True SSO. Finally, we reviewed some advanced settings that might allow admins to tweak True SSO if it does not work as expected out of the box. We also reviewed troubleshooting guidelines for some common issues related to True SSO and discussed the various warning/error messages that can be displayed on the Dashboard for True SSO.

The post VMware Horizon 7 True SSO: Advanced Features appeared first on VMware End-User Computing Blog.

vSpeaking Podcast Episode 37: Storage and Availability with Yanbing Li

Feb 28, 2017

A few weeks ago, VMware reported solid fourth quarter earnings of $441 million, or $1.04 a share, on revenue of $2.03 billion, up 9 percent from a year ago. Non-GAAP earnings were $1.43 a share. CEO Pat Gelsinger said VMware’s fourth quarter was “one of the most balanced quarters for VMware in years.” One of

The post vSpeaking Podcast Episode 37: Storage and Availability with Yanbing Li appeared first on Virtual Blocks.
