Hardly a day goes by without somebody asking how to deploy App Volumes or take advantage of Virtual SAN on View virtual desktops in VMware Horizon 6. This new VMware Horizon 6 with App Volumes and Virtual SAN Reference Architecture provides the answers.
Based on the proven approach of modular pod and block design principles, this validated architecture offers a standard, repeatable, scalable design that IT architects, consultants, and administrators can adapt to their own requirements and environments.
The reference environment and hardware configuration were both subjected to rigorous performance benchmarking, workload simulation, and operations testing.
Wherever possible, this reference architecture offers alternate ways to answer customer needs. For instance, Horizon 6 provides end users with access to all their desktops and applications through a single, unified workspace, whether they connect to their View desktops directly or use RDSH to connect to a desktop session. Similarly, RDSH application remoting and App Volumes AppStacks and writable volumes provide different methods for delivering applications. These alternatives and many more are supported by Virtual SAN.
Test results support the following conclusions:
- App Volumes improved the desktop consolidation ratio and reduced CPU and memory usage while providing satisfactory or better end-user experience.
- Storage provisioning and management required little effort, and performance was excellent, with low latency from Virtual SAN, even under heavy load.
- Desktop maintenance, storage provisioning and management, and application delivery and patching required only minimal time and effort from one administrator for this large deployment.
The bottom line is that the VMware Horizon 6 with App Volumes and Virtual SAN Reference Architecture shows how a deployment for 960 users on 700 linked-clone View desktops and 260 RDSH sessions can provide performance equivalent to high-end physical computers.
The book can be found here VMware Horizon 6 with App Volumes and Virtual SAN Reference Architecture.
Explore the VMware Horizon 6 Toolbox Auditing and Remote Assistance Capabilities
If you have VMware Horizon® Enterprise Edition with VMware vRealize™ Operations for Horizon, you can already audit sessions and usage. If you have Horizon View Standard Edition or Horizon Advanced Edition (which do not contain vRealize Operations for Horizon), you can use the Horizon Toolbox to audit sessions and usage. Horizon Toolbox has some additional functionality that vRealize Operations for Horizon does not provide:
- Client (device) auditing
- Snapshot auditing
- Remote assistance
Downloading Horizon 6 Toolbox
Administrators who have deployed View virtual desktops in VMware Horizon 6 can now download the free Horizon Toolbox Web portal from VMware Labs. When you install Horizon Toolbox on the View Connection Server, you can access the Horizon Toolbox Web UI through the administrator account. The latest version of Horizon Toolbox is 1.5 and contains the auditing and remote assistance functions. Future development plans include policy management capabilities.
Architectural changes to vSphere 6
vCenter Server 6 has some fundamental architectural changes compared to vCenter Server 5.5. The multitude of components that existed in vCenter Server 5.x has been consolidated in vCenter Server 6 into only two components: the vCenter Management Server and the Platform Services Controller (PSC), formerly vCenter Server Single Sign-On, which includes:
- Single Sign-On (SSO)
- Certificate Authority
The vCenter Management Server consolidates all the other components, such as the Inventory Service and Web Client services, along with its traditional management components. vCenter Server can be deployed with either an embedded or an external PSC. Care should be taken to understand the critical differences between the two deployment models: once deployed, you cannot move from one mode to the other in this version.
vCenter Server with Embedded PSC
- Sufficient for most environments. Easiest to deploy and maintain.
- Aimed at minimizing fault domains. Use in conjunction with only one VMware product or solution.
- Multiple standalone instances supported
- Replication between embedded instances not supported
- Supports Windows & Appliance
vCenter Server with External PSC
- Recommend this if deploying/growing to multiple vCenter Server instances that need to be linked
- Reduces footprint by sharing Platform Services Controller across several vCenter Servers
- Deploy more than one PSC to provide resilience within the environment
- Supports Windows & Appliance
Options available for vCenter Server failure protection
vCenter Server deployed in embedded mode can be backed up with VDP or with third-party backup software that leverages VADP. Currently there is no simple mechanism available to back up the PSC when it is external to the vCenter Server. Multiple instances of the PSC should be leveraged to protect against an individual external PSC failure.
The majority of customers have virtualized their vCenter Server and leverage VMware HA to protect against hardware failure. VMware HA can also protect against guest OS failure through the use of heartbeat and watchdog services.
Third-party solutions like Symantec ApplicationHA layer on top of VMware HA and can also monitor and restart vCenter services in the event of any failure. Using a solution like Symantec ApplicationHA, one can monitor all of the components of vCenter Server. If it is unable to resolve issues by restarting services, it interacts with VMware HA to reset the virtual machine. Symantec ApplicationHA has a specific agent for vCenter that helps monitor and protect all aspects of vCenter.
With the release of vSphere 6, SMP Fault Tolerance (SMP-FT) is available for up to 4 vCPUs. This can also protect against hardware failure, but is applicable only to vCenter Server instances that can fit within the 4 vCPU virtual machine size. Application failure is not protected by SMP-FT.
For vCenter servers backed by Microsoft SQL databases, SQL clustering can be leveraged to provide reduced downtime for unplanned events and for OS patching.
Multiple External PSC instances can be used for a single site to service one or more vCenter servers. A load balancer is required to frontend the PSC instances. The PSC instances replicate state information between each other.
With vCenter Server 5.5 Update 3 and later, Windows Server Failover Clustering is supported as an option for providing vCenter Server availability. Two instances of vCenter Server are in an MSCS cluster, but only one instance is active at a time. VMware only supports 2-node clusters.
- This solution helps reduce downtime for maintenance operations, such as patching or upgrades, on one node in the cluster without taking down the vCenter Server database.
- Another potential benefit of this approach is that MSCS uses a type of “shared-nothing” cluster architecture. The cluster does not involve concurrent disk accesses from multiple nodes. In other words, the cluster does not require a distributed lock manager. MSCS clusters typically include only two nodes and they use a shared SCSI connection between the nodes. Only one server needs the disks at any given time, so no concurrent data access occurs. This sharing minimizes the impact if a node fails.
- Unlike the vSphere HA cluster option, the MSCS option works only for Windows virtual machines and does not support the vCenter Server Appliance.
- Before you can set up MSCS for vCenter Server availability, you must create a virtual machine with one of the following guest operating systems:
- Windows 2008 SP2
- Windows 2012 R2 Datacenter
Additionally, you must add two RDM disks to this VM. These disks must be mounted, and when you add them, you must create a separate SCSI controller with the bus sharing option set to physical. The RDM disks must also be independent and persistent.
In this configuration all vCenter Server services can be protected individually. The backend Microsoft SQL database can also be protected separately with SQL Clustering.
Deployment Modes for vCenter Server
- This model protects the Platform Services Controller service by having multiple instances of the PSC locally behind a load balancer. Failure of a PSC does not impact the usage of the infrastructure. The PSCs should also be separated from each other physically using anti-affinity rules. The PSCs replicate state information between each other. vCenter Server nodes are individually clustered with WSFC for HA. The vCenter Servers interact with the PSCs through a load balancer.
In this configuration each site is independent, with PSC replication between sites. The vCenter Server is aware of the site topology and uses the local PSC under normal circumstances. Customers are able to seamlessly move the vCenter Servers between PSCs when necessary. This topology allows for Enhanced Linked Mode (ELM), which is facilitated by the PSC. Enhanced Linked Mode provides a single point of management for all vCenter Servers in the same vSphere domain. In vSphere 6 the Windows-based and Virtual Appliance-based vCenter Servers have the same operational maximums and can belong to the same linked mode configuration. The configuration replicates all licenses, global permissions, tags and roles across all sites.
This model combines the high availability configuration in a local site with the multi-site configuration. Each site is populated with at least two PSCs for high availability. vCenter Server nodes are individually clustered with WSFC for HA.
vCenter Server 6 has a new deployment architecture. In this blog we have discussed the deployment modes for vCenter Server based on different requirements. The modes of deployment range from a minimal local deployment to a multi-site high availability deployment. There are many high availability options available for vCenter Server, and one can mix and match these based on customer requirements.
App Volumes Overview
App Volumes is a real-time application delivery and life cycle management tool. Enterprises can use App Volumes to build real-time application delivery systems that ensure that applications are centrally managed. Applications are delivered to desktops through virtual disks. There is no need to modify desktops or applications themselves, and the App Volumes solution can be scaled out easily and cost-effectively, without compromising end-user experience.
App Volumes complements the VMware End-User Computing portfolio by integrating with existing VMware Workspace™ Portal, application, and desktop solutions.
The book can be found here VMware App Volumes Deployment Guide.
vSphere Replication use cases
■ Data protection and disaster recovery within the same site and across sites
■ Data center migration
■ Replication engine for VMware vCloud Air™ Disaster Recovery
■ Replication engine for VMware vCenter™ Site Recovery Manager™
vSphere Replication features and benefits
■ Simple virtual appliance deployment minimizes cost and complexity.
■ Integration with vSphere Web Client eases administration and monitoring.
■ Protect nearly any virtual machine regardless of operating system (OS) and applications.
■ Only changes are replicated, which improves efficiency and reduces network utilization.
■ Recovery point objectives (RPOs) range from 15 minutes to 24 hours and can be configured on a per–virtual machine basis.
■ Compatibility is provided with VMware Virtual SAN™, traditional SAN, NAS, and local storage.
■ Quick recovery for individual virtual machines minimizes downtime and resource requirements.
■ Optional network isolation and compression help secure replicated data and further reduce network
■ Support for Microsoft Volume Shadow Copy Service (VSS) and Linux file system quiescing improves reliability of recovered virtual machines.
The VMware vSphere Replication 6.0 technical paper presents an overview of the architecture, deployment, configuration, and management of vSphere Replication.
vCenter Server 6.0 Availability Guide
vCenter Server has become a mission-critical part of most virtual infrastructures. It can be a single point of failure if it is not designed for availability. vCenter Server 6 has many changes relating to vCenter Server and its components, and careful consideration has to be given to the design of its architecture.
There are multiple solutions for high availability. Many of these options can be combined to provide different levels of availability. vSphere HA, FT, vCenter watchdog services and in-guest clustering solutions can be combined depending on customer requirements for availability.
The Platform Services Controller (PSC) serves many VMware solutions in addition to vCenter Server such as VROPS, View, etc. The PSC deployment modes have to be carefully evaluated based on unique customer requirements and architected appropriately as well.
Password requirements differ for vCenter Server and for ESXi hosts.
vCenter Server Passwords
In vCenter Server, password requirements are dictated by vCenter Single Sign-On or by the configured identity source, which can be Active Directory, OpenLDAP, or the local operating system for the vCenter Single Sign-On server. See Edit the vCenter Single Sign-On Password Policy, or see the relevant Active Directory or OpenLDAP documentation.
By default, ESXi enforces requirements for user passwords.
Your user password must meet the following length requirements:
■ Passwords containing characters from one or two character classes must be at least eight characters long.
■ Passwords containing characters from three character classes must be at least seven characters long.
■ Passwords containing characters from all four character classes must be at least six characters long.
When you create a password, include a mix of characters from four character classes: lowercase letters, uppercase letters, numbers, and special characters such as an underscore or dash.
The password cannot contain the words root, admin, or administrator in any form.
An uppercase character that begins a password does not count toward the number of character classes used. A number that ends a password does not count toward the number of character classes used.
You can also use a passphrase, which is a phrase consisting of at least three words, each of which is 8 to 40 characters long.
Example: Creating Acceptable ESXi Passwords
The following password candidates meet the requirements of ESXi.
■ xQaTEhbU: Contains eight characters from two character classes.
■ xQaT3pb: Contains seven characters from three character classes.
■ xQaT3#: Contains six characters from four character classes.
The following password candidates do not meet the requirements of ESXi:
■ Xqat3hb: Begins with an uppercase character, reducing the effective number of character classes to two. Eight characters are required when you use only two character classes.
■ xQaTEh2: Ends with a number, reducing the effective number of character classes to two. Eight characters are required when you use only two character classes.
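The rules above are mechanical enough to pre-check before an account is created. The following validator is an added example written for this page, not VMware's code: it reimplements the stated policy (four character classes, length minimums of 8/7/6 by class count, the leading-uppercase and trailing-digit discounts, the forbidden words, and the three-word passphrase alternative) and reproduces the accepted and rejected candidates listed above. Two assumptions are made where the text is silent: any non-alphanumeric character counts as the "special" class, and passphrase words are separated by whitespace. ESXi's own checker (the pam_passwdqc module) may differ in such details, so this is a pre-check, not the authority.

```python
"""Pre-check a candidate against the ESXi local-account password rules.

Example code for this page, not VMware's. Assumptions: non-alphanumeric
characters form the "special" class; passphrase words are whitespace-separated.
"""
from typing import Tuple

FORBIDDEN_WORDS = ("root", "admin", "administrator")

# Minimum total length required for a given number of effective classes.
MIN_LENGTH_BY_CLASSES = {1: 8, 2: 8, 3: 7, 4: 6}


def effective_classes(password: str) -> int:
    """Count the character classes present, ignoring a leading uppercase
    letter and a trailing digit as the ESXi policy requires."""
    core = password
    if core and core[0].isupper():
        core = core[1:]
    if core and core[-1].isdigit():
        core = core[:-1]
    found = 0
    found += any(c.islower() for c in core)
    found += any(c.isupper() for c in core)
    found += any(c.isdigit() for c in core)
    found += any(not c.isalnum() for c in core)   # assumed "special" class
    return found


def is_passphrase(candidate: str) -> bool:
    """At least three whitespace-separated words, each 8 to 40 characters."""
    words = candidate.split()
    return len(words) >= 3 and all(8 <= len(w) <= 40 for w in words)


def check_esxi_password(candidate: str) -> Tuple[bool, str]:
    """Return (accepted, reason) for a candidate password or passphrase."""
    lowered = candidate.lower()
    for word in FORBIDDEN_WORDS:
        if word in lowered:
            return False, f"contains forbidden word '{word}'"
    if is_passphrase(candidate):
        return True, "accepted as passphrase"
    classes = effective_classes(candidate)
    if classes == 0:
        return False, "no countable character classes"
    needed = MIN_LENGTH_BY_CLASSES[classes]
    if len(candidate) < needed:
        return False, (f"{len(candidate)} characters with {classes} effective "
                       f"class(es); {needed} required")
    return True, f"{len(candidate)} characters with {classes} effective class(es)"


if __name__ == "__main__":
    # The page's own accepted and rejected candidates.
    for pw in ("xQaTEhbU", "xQaT3pb", "xQaT3#", "Xqat3hb", "xQaTEh2"):
        print(pw, check_esxi_password(pw))
```

The discounts are applied by stripping the leading uppercase letter and trailing digit before counting classes, while the length check still runs against the full candidate; that is why Xqat3hb and xQaTEh2 fall back to the eight-character minimum for two classes.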
This video expands on the diagram provided in knowledge base article: “VMware vSphere 5 Memory Management and Monitoring diagram (2017642)”
It provides a comprehensive look into the ESXi memory management mechanisms and reclamation methods, and also provides the relevant monitoring components in vCenter Server and the troubleshooting tools like ESXTOP.
VMware vSphere 5 Memory Management and Monitoring diagram
Download the full VMware vSphere 5 Memory Management and Monitoring diagram poster.
VMware Security Advisories
VMware ESXi 5.5 without patch ESXi550-201312001
VMware ESXi 5.1 without patch ESXi510-201310001
VMware ESXi 5.0 without patch update-from-esxi5.0-5.0_update03
VMware ESXi 4.1 without patch ESXi410-201312001
VMware ESXi 4.0 without patch ESXi400-201310001
VMware ESX 4.1 without patch ESX410-201312001
VMware ESX 4.0 without patch ESX400-201310001
VMware ESXi and ESX contain a vulnerability in the handling of certain Virtual Machine file descriptors. This issue may allow an unprivileged vCenter Server user with the privilege “Add Existing Disk” to obtain read and write access to arbitrary files on ESXi or ESX. On ESX, an unprivileged local user may obtain read and write access to arbitrary files. Modifying certain files may allow for code execution after a host reboot.
Unprivileged vCenter Server users or groups that are assigned the predefined role “Virtual Machine Power User” or “Resource Pool Administrator” have the privilege “Add Existing Disk”.
The issue cannot be exploited through VMware vCloud Director.
- A workaround is provided in VMware Knowledge Base article 2066856.
- In a default vCenter Server installation no unprivileged users or groups are assigned the predefined role “Virtual Machine Power User” or “Resource Pool Administrator”.
- Restrict the number of vCenter Server users that have the privilege “Add Existing Disk”.
VMware would like to thank Shanon Olsson for reporting this issue to us through JPCERT.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2013-5973 to this issue.
Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.
Known Issues (*)
Deploying these patches does not remediate the issue if the ESXi or ESX file /etc/vmware/configrules has been modified manually (modifying this file is uncommon). Customers who have modified this file should apply the workaround after installing the patch.
After deploying the patches, Virtual Machines that have their names ending in “-flat”, “-rdm” or “-rdmp” will no longer power on. See the VMware Knowledge Base article listed under “Workaround” for a solution.
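The advisory's mitigation is to restrict who holds “Add Existing Disk”, and its known issue concerns VM names ending in “-flat”, “-rdm” or “-rdmp”. Both are things an administrator wants to enumerate before and after patching. The following is an added example written for this page, not VMware's code: it joins a role list with a permission list to report every principal whose role confers the privilege, and lists VM names that the patch's known issue would stop from powering on. The role and permission records are constructed sample data in the shape pyVmomi returns from content.authorizationManager.roleList and content.authorizationManager.RetrieveAllPermissions(); the example does not connect to vCenter. The privilege ID VirtualMachine.Config.AddExistingDisk is the one behind the “Add Existing Disk” label in vSphere; confirm it against your own vCenter's privilege list.

```python
"""Audit grants of the "Add Existing Disk" privilege (the one the advisory
names) and flag VM names affected by the patch's known issue.

Example code for this page, not VMware's. All roles, principals and VM
names below are constructed sample data.
"""
from typing import Dict, List

# Privilege ID behind the "Add Existing Disk" UI label.
ADD_EXISTING_DISK = "VirtualMachine.Config.AddExistingDisk"

# Predefined roles the advisory says carry the privilege.
ADVISORY_ROLES = {"Virtual Machine Power User", "Resource Pool Administrator"}

# VM-name suffixes the advisory's known issue applies to after patching.
BLOCKED_SUFFIXES = ("-flat", "-rdm", "-rdmp")

# Constructed sample: role name -> privilege IDs (shape of authorizationManager.roleList).
SAMPLE_ROLES: Dict[str, List[str]] = {
    "Admin": ["System.Anonymous", ADD_EXISTING_DISK, "Global.Diagnostics"],
    "Read-only": ["System.Anonymous", "System.View", "System.Read"],
    "Virtual Machine Power User": ["System.View", ADD_EXISTING_DISK,
                                   "VirtualMachine.Interact.PowerOn"],
    "Resource Pool Administrator": ["System.View", ADD_EXISTING_DISK,
                                    "Resource.AssignVMToPool"],
    "Helpdesk": ["System.View", "VirtualMachine.Interact.ConsoleInteract"],
}

# Constructed sample: who holds which role on which inventory object
# (shape of authorizationManager.RetrieveAllPermissions()).
SAMPLE_PERMISSIONS = [
    {"principal": "VSPHERE.LOCAL\\Administrator", "role": "Admin",
     "entity": "Datacenters", "propagate": True},
    {"principal": "CORP\\vm-operators", "role": "Virtual Machine Power User",
     "entity": "Prod-Cluster", "propagate": True},
    {"principal": "CORP\\jdoe", "role": "Resource Pool Administrator",
     "entity": "Dev-Pool", "propagate": False},
    {"principal": "CORP\\helpdesk", "role": "Helpdesk",
     "entity": "Datacenters", "propagate": True},
    {"principal": "CORP\\auditors", "role": "Read-only",
     "entity": "Datacenters", "propagate": True},
]


def roles_with_privilege(roles: Dict[str, List[str]],
                         privilege: str = ADD_EXISTING_DISK) -> List[str]:
    """Names of roles whose privilege list includes `privilege`."""
    return sorted(name for name, privs in roles.items() if privilege in privs)


def principals_with_privilege(roles, permissions, privilege=ADD_EXISTING_DISK):
    """Every (principal, role, entity) grant that confers `privilege`.

    Administrator-level roles are reported too; the reviewer decides which
    entries are expected and which should be trimmed per the advisory."""
    risky = set(roles_with_privilege(roles, privilege))
    hits = []
    for perm in permissions:
        if perm["role"] in risky:
            hits.append({
                "principal": perm["principal"],
                "role": perm["role"],
                "entity": perm["entity"],
                "propagate": perm["propagate"],
                "predefined_role_from_advisory": perm["role"] in ADVISORY_ROLES,
            })
    return hits


def vms_blocked_by_patch(vm_names: List[str]) -> List[str]:
    """VM names that the known issue says will not power on after the patch."""
    return [name for name in vm_names if name.endswith(BLOCKED_SUFFIXES)]


if __name__ == "__main__":
    for hit in principals_with_privilege(SAMPLE_ROLES, SAMPLE_PERMISSIONS):
        print(hit)
    print(vms_blocked_by_patch(["web01", "db-rdm", "legacy-flat", "rdmp-test"]))
```

Run against live data, the output is the list to reconcile with the advisory's recommendation: any principal outside the administrators who holds the privilege, especially through one of the two predefined roles, is a candidate for a narrower custom role. The name check is worth running before deploying the patch so that affected VMs can be renamed or the workaround in the knowledge base article applied first.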
Please review the patch/release notes for your product and version and verify the checksum of your downloaded file.
ESXi and ESX
ESXi550-201312001 contains ESXi550-201312101-SG
ESXi510-201310001 contains ESXi510-201310101-SG
update-from-esxi5.0-5.0_update03 contains ESXi500-201310101-SG
ESXi410-201312001 contains ESXi410-201312401-SG
ESXi400-201310001 contains ESXi400-201310401-SG
ESX410-201312001 contains ESX410-201312401-SG
ESX400-201310001 contains ESX400-201310401-SG
VMware Knowledge Base article KB2066856
Initial security advisory in conjunction with the release of ESXi 5.5 patches on 2013-12-22
E-mail list for product security notifications and announcements:
This Security Advisory is posted to the following lists:
* security-announce at lists.vmware.com
* bugtraq at securityfocus.com
* full-disclosure at lists.grok.org.uk
E-mail: security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055
VMware Security Advisories
VMware security response policy
General support life cycle policy
VMware Infrastructure support life cycle policy
vSphere 5.5 Update 1
vSphere 5.0 and earlier
- vSphere 5.0 Security Hardening Guide
- vSphere 4.1 Security Hardening Guide
- vSphere 4.0 Security Hardening Guides
Other VMware Products
- NSX-v v1.6 – Security Hardening Guide
- vRealize Configuration Manager 5.5
- vRealize Automation
- vRealize Operations Manager