Aug 31

New Horizon 6 Reference Architecture Highlights App Volumes and Virtual SAN

Posted on August 31, 2015 by Jessica Flohr

By Donal Geary, Desktop Virtualization Reference Architecture Engineer, VMware, and Gary Sloane, Consulting Writer and Editor, VMware

Hardly a day goes by without somebody asking how to deploy App Volumes or take advantage of Virtual SAN on View virtual desktops in VMware Horizon 6. This new VMware Horizon 6 with App Volumes and Virtual SAN Reference Architecture provides the answers.
Based on the proven approach of modular pod and block design principles, this validated architecture offers a standard, repeatable, scalable design that IT architects, consultants, and administrators can adapt to their own requirements and environments.

The reference environment and hardware configuration were both subjected to rigorous performance benchmarking, workload simulation, and operations testing.

Wherever possible, this reference architecture offers alternate ways to answer customer needs. For instance, Horizon 6 provides end users with access to all their desktops and applications through a single, unified workspace, whether they connect to their View desktops directly or use RDSH to connect to a desktop session. Similarly, RDSH application remoting and App Volumes AppStacks and writable volumes provide different methods for delivering applications. These alternatives and many more are supported by Virtual SAN.

Test results support the following conclusions:

  • App Volumes improved the desktop consolidation ratio and reduced CPU and memory usage while providing satisfactory or better end-user experience.
  • Storage provisioning and management required little effort, and performance was excellent, with low latency from Virtual SAN, even under heavy load.
  • Desktop maintenance, storage provisioning and management, and application delivery and patching required only minimal time and effort from one administrator for this large deployment.

The bottom line is that the VMware Horizon 6 with App Volumes and Virtual SAN Reference Architecture shows how a deployment for 960 users on 700 linked-clone View desktops and 260 RDSH sessions can provide performance equivalent to high-end physical computers.


The book can be found here: VMware Horizon 6 with App Volumes and Virtual SAN Reference Architecture.

Jul 13

VMware Horizon View Toolbox Instructions

Explore the VMware Horizon 6 Toolbox Auditing and Remote Assistance Capabilities

VMware Horizon Toolbox is a Web portal that acts as an extension to View Administrator in View virtual desktops in VMware Horizon™ 6. With the Horizon Toolbox, you can determine the correct system size and load for View Connection Server, locate each user’s login and logout times, and find out how many endpoints are using which clients, for example, iOS, Android, Windows, or OS X. Use the VMware Horizon Toolbox Web portal to address auditing and management assistance issues.
If you have VMware Horizon® Enterprise Edition with VMware vRealize™ Operations for Horizon, you can already audit sessions and usage. If you have Horizon View Standard Edition or Horizon Advanced Edition (which do not contain vRealize Operations for Horizon), you can use the Horizon Toolbox to audit sessions and usage. Horizon Toolbox has some additional functionality that vRealize Operations for Horizon does not provide:
  • Client (device) auditing
  • Snapshot auditing
  • Remote assistance

Auditing Sessions

Auditing Users Usage

Auditing Snapshots

Auditing Clients

Downloading Horizon 6 Toolbox

Administrators who have deployed View virtual desktops in VMware Horizon 6 can now download the free Horizon Toolbox Web portal from VMware Labs. When you install Horizon Toolbox on the View Connection Server, you can access the Horizon Toolbox Web UI through the administrator account. The latest version of Horizon Toolbox is 1.5 and contains the auditing and remote assistance functions. Future development plans include policy management capabilities.

Jul 08

vCenter Server 6 Deployment Topologies and High Availability

Architectural changes to vSphere 6

Posted on March 9, 2015 by Mohan Potheri

vCenter Server 6 has some fundamental architectural changes compared to vCenter Server 5.5. The multitude of components that existed in vCenter Server 5.x has been consolidated in vCenter Server 6 into only two components: vCenter Management Server and Platform Services Controller, formerly vCenter Server Single Sign-On.

The Platform Services Controller (PSC) provides a set of common infrastructure services encompassing
  • Single Sign-On (SSO)
  • Licensing
  • Certificate Authority

The vCenter Management Server consolidates all the other components, such as Inventory Service and Web Client services, along with its traditional management components. The vCenter Server components can typically be deployed with either an embedded or an external PSC. Care should be taken to understand the critical differences between the two deployment models. Once deployed, one cannot move from one mode to the other in this version.

Deployment Models

vCenter Server with Embedded PSC:
The embedded PSC is meant for standalone sites where vCenter Server will be the only SSO integrated solution. In this case a replication to another PSC is not necessary.
  • Sufficient for most environments. Easiest to deploy and maintain
  • Aimed at minimizing fault domains. Use in conjunction with only one VMware product or solution.
  • Multiple standalone instances supported
  • Replication between embedded instances not supported
  • Supports Windows & Appliance

Figure 1: Embedded mode vCenter Server 6

vCenter Server with External PSC

In this configuration the PSC is external to the vCenter Server. This configuration allows multiple vCenter Servers to link to a PSC.
  • Recommend this if deploying/growing to multiple vCenter Server instances that need to be linked
  • Reduces footprint by sharing Platform Services Controller across several vCenter Servers
  • Deploy more than one PSC to provide resilience within the environment
  • Supports Windows & Appliance

Figure 2: vCenter Server 6 with External PSC

Options available for vCenter Server failure protection

Backup (VDP / Third Party VADP)

vCenter Server deployed in embedded mode can be backed up with VDP or third-party backup software that leverages VADP. Currently there is no simple mechanism available to back up the PSC when it is external to the vCenter Server. Multiple instances of PSC should be leveraged to protect against an individual external PSC failure.

VMware HA

The majority of customers have virtualized their vCenter Server and leverage VMware HA to protect against hardware failure. VMware HA can also protect against guest OS failure through the use of heartbeat and watchdog services.

Third Party Solutions that layer on top of VMware HA

Third-party solutions such as Symantec ApplicationHA layer on top of VMware HA and can also monitor and restart vCenter services in the event of a failure. With a solution like Symantec ApplicationHA, one can monitor all of the components of vCenter Server. If it is unable to resolve issues by restarting services, it interacts with VMware HA to reset the virtual machine. Symantec ApplicationHA has a specific agent for vCenter that helps monitor and protect all aspects of vCenter.


With the release of vSphere 6, SMP Fault tolerance is available for up to 4 vCPU. This can also protect against hardware failure, but is applicable only to vCenter Server instances that can fit within the 4 vCPU virtual machine size. Any application failure is not protected by SMP-FT.

Database Clustering

For vCenter servers backed by Microsoft SQL databases, SQL clustering can be leveraged to provide reduced downtime for unplanned events and for OS patching.

Platform Service Controller

Multiple External PSC instances can be used for a single site to service one or more vCenter servers. A load balancer is required to frontend the PSC instances. The PSC instances replicate state information between each other.

vCenter Server High Availability

With vCenter Server 5.5 Update 3 and later, Windows Server Failover Cluster is supported as an option for providing vCenter Server availability. Two instances of vCenter Server are in a MSCS cluster, but only one instance is active at a time. VMware only supports 2 node clusters.

Use cases for this solution:
  • This solution helps reduce downtime for maintenance operations, such as patching or upgrades, on one node in the cluster without taking down the vCenter Server database.
  • Another potential benefit of this approach is that MSCS uses a type of “shared-nothing” cluster architecture. The cluster does not involve concurrent disk accesses from multiple nodes. In other words, the cluster does not require a distributed lock manager. MSCS clusters typically include only two nodes and they use a shared SCSI connection between the nodes. Only one server needs the disks at any given time, so no concurrent data access occurs. This sharing minimizes the impact if a node fails.
  • Unlike the vSphere HA cluster option, the MSCS option works only for Windows virtual machines and does not support the vCenter Server Appliance.
  • Before you can set up MSCS for vCenter Server availability, you must create a virtual machine with one of the following guest operating systems:
    • Windows 2008 SP2
    • Windows 2012 R2 Datacenter

Additionally, you must add two RDM disks to this VM. These disks must be mounted and when they are added, you must create a separate SCSI controller with the bus sharing option set to physical. The RDM disks must also be independent and persistent.

In this configuration all vCenter Server services can be protected individually. The backend Microsoft SQL database can also be protected separately with SQL Clustering.

Figure 3: Clustering based high availability for Windows based vCenter Server

Deployment Modes for vCenter Server

Local vCenter Server & PSC High Availability:
  • This model protects the Platform Services Controller service by having multiple instances of PSC locally behind a load balancer. Failure of a PSC does not impact the usage of the infrastructure. The PSCs should also be separated from each other physically using anti-affinity rules. The PSCs replicate state information. vCenter Server nodes are individually clustered with WSFC for HA. The vCenter Servers interact with the PSCs through a load balancer.

Figure 4: Local vCenter and PSC high availability

Multiple Site vCenter Server and PSC basic Architecture:

In this configuration each site is independent, with PSC replication between sites. The vCenter Server is aware of the site topologies and uses the local PSC under normal circumstances. Customers are able to seamlessly move the vCenter Servers between PSCs when necessary. This topology allows for Enhanced Linked Mode (ELM), which is facilitated by the PSC. Enhanced Linked Mode provides a single point of management for all vCenter Servers in the same vSphere domain. In vSphere 6 the Windows-based and Virtual Appliance-based vCenter Servers have the same operational maximums and can belong to the same linked mode configuration. The configuration replicates all licenses, global permissions, tags and roles across all sites.

Figure 5: Multi-site vCenter Server and PSC basic architecture

Multiple Site vCenter Server & PSC with High Availability Architecture:

This architecture combines the high availability configuration in a local site with the multi-site configuration. Each site is populated with at least two PSCs for high availability. vCenter Server nodes are individually clustered with WSFC for HA.

Figure 6: Multi-site vCenter Server and PSC high availability architecture


vCenter Server 6 has a new deployment architecture. In this blog we have discussed the deployment modes for vCenter Server based on different requirements. The modes of deployment can go from a minimal local deployment to a multi site high availability deployment. There are many high availability options available for vCenter Server and one can mix and match these based on customer requirements.

Jul 03

VMware App Volumes Deployment Guide

This deployment guide presents a high-level overview of VMware App Volumes™. It describes App Volumes capabilities, architecture, and implementation requirements and addresses frequently asked high-level questions about deploying an App Volumes solution.

App Volumes Overview

App Volumes is a real-time application delivery and life cycle management tool. Enterprises can use App Volumes to build real-time application delivery systems that ensure that applications are centrally managed. Applications are delivered to desktops through virtual disks. There is no need to modify desktops or applications themselves, and the App Volumes solution can be scaled out easily and cost-effectively, without compromising end-user experience.

App Volumes complements the VMware End-User Computing portfolio by integrating with existing VMware Workspace™ Portal, application, and desktop solutions.

App Volumes

VMware End-User Computing Solutions


The book can be found here: VMware App Volumes Deployment Guide.

Jul 02

VMware vSphere Replication 6.0 – Technical Overview

VMware vSphere® Replication™ is a virtual machine data protection and disaster recovery solution. It is fully integrated with VMware vCenter Server™ and VMware vSphere Web Client, providing host-based, asynchronous replication of virtual machines. vSphere Replication is a proprietary replication engine developed by VMware that is included with VMware vSphere Essentials Plus Kit and higher editions of VMware vSphere, VMware vSphere with Operations Management™ editions, and VMware vCloud® Suite editions.

vSphere Replication use cases

■ Data protection and disaster recovery within the same site and across sites
■ Data center migration
■ Replication engine for VMware vCloud Air™ Disaster Recovery
■ Replication engine for VMware vCenter™ Site Recovery Manager™

vSphere Replication features and benefits

■ Simple virtual appliance deployment minimizes cost and complexity.
■ Integration with vSphere Web Client eases administration and monitoring.
■ Protect nearly any virtual machine regardless of operating system (OS) and applications.
■ Only changes are replicated, which improves efficiency and reduces network utilization.
■ Recovery point objectives (RPOs) range from 15 minutes to 24 hours and can be configured on a per–virtual machine basis.
■ Compatibility is provided with VMware Virtual SAN™, traditional SAN, NAS, and local storage.
■ Quick recovery for individual virtual machines minimizes downtime and resource requirements.
■ Optional network isolation and compression help secure replicated data and further reduce network bandwidth consumption.
■ Support for Microsoft Volume Shadow Copy Service (VSS) and Linux file system quiescing improves reliability of recovered virtual machines.


The VMware vSphere Replication 6.0 technical paper presents an overview of the architecture, deployment, configuration, and management of vSphere Replication.

May 19

vCenter Server 6.0 Availability Guide

vCenter Server has become a mission critical part of most virtual infrastructures. It can be a single point of failure if it is not designed for availability. vCenter Server 6 has many changes relating to vCenter Server and its components and careful consideration has to be made in the design of its architecture.

There are multiple solutions for high availability. Many of these options can be combined to provide different levels of availability. vSphere HA, FT, vCenter Watchdog services and in guest clustering solutions can be combined depending on customer requirements for availability.

The Platform Services Controller (PSC) serves many VMware solutions in addition to vCenter Server such as VROPS, View, etc. The PSC deployment modes have to be carefully evaluated based on unique customer requirements and architected appropriately as well.

The VMware vCenter Server 6.0 Availability Guide is a great resource for architecting a HA solution for vCenter Server. I hope you find it useful!
Posted on May 19, 2015 by Mohan Potheri

Dec 02

ESXi and vCenter Server 5.5 Documentation – Password Requirements


Password requirements differ for vCenter Server and for ESXi hosts.

vCenter Server Passwords

In vCenter Server, password requirements are dictated by vCenter Single Sign-On or by the configured identity source, which can be Active Directory, OpenLDAP, or the local operating system for the vCenter Single Sign-On server. See Edit the vCenter Single Sign-On Password Policy, or see the relevant Active Directory or OpenLDAP documentation.

ESXi Passwords

By default, ESXi enforces requirements for user passwords.

Your user password must meet the following length requirements:

    ■ Passwords containing characters from one or two character classes must be at least eight characters long.
    ■ Passwords containing characters from three character classes must be at least seven characters long.
    ■ Passwords containing characters from all four character classes must be at least six characters long.

When you create a password, include a mix of characters from four character classes: lowercase letters, uppercase letters, numbers, and special characters such as an underscore or dash.

The password cannot contain the words root, admin, or administrator in any form.


An uppercase character that begins a password does not count toward the number of character classes used. A number that ends a password does not count toward the number of character classes used.

You can also use a passphrase, which is a phrase consisting of at least three words, each of which is 8 to 40 characters long.

Example: Creating Acceptable ESXi Passwords

The following password candidates meet the requirements of ESXi.

    ■ xQaTEhbU: Contains eight characters from two character classes.
    ■ xQaT3pb: Contains seven characters from three character classes.
    ■ xQaT3#: Contains six characters from four character classes.

The following password candidates do not meet the requirements of ESXi:

    ■ Xqat3hb: Begins with an uppercase character, reducing the effective number of character classes to two. Eight characters are required when you use only two character classes.
    ■ xQaTEh2: Ends with a number, reducing the effective number of character classes to two. Eight characters are required when you use only two character classes.
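
The rules above can be expressed as a small checker. This is an added example, not code from VMware or from ESXi itself; it models only the rules as stated on this page, and it assumes that any character that is not a letter or digit counts as "special" and that the forbidden-word rule also applies to passphrases.

```python
FORBIDDEN_WORDS = ("root", "admin", "administrator")
# Minimum length for each number of effective character classes (rules above).
MIN_LENGTH = {0: 8, 1: 8, 2: 8, 3: 7, 4: 6}


def effective_classes(password):
    """Count character classes, skipping a leading uppercase and a trailing digit."""
    core = password
    if core and core[0].isupper():
        core = core[1:]       # an uppercase first character does not count
    if core and core[-1].isdigit():
        core = core[:-1]      # a digit as last character does not count
    classes = set()
    for ch in core:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("special")  # assumption: everything else is "special"
    return len(classes)


def is_passphrase(candidate):
    """At least three words, each 8 to 40 characters long, as the page states."""
    words = candidate.split()
    return len(words) >= 3 and all(8 <= len(w) <= 40 for w in words)


def check_esxi_password(candidate):
    """Return (accepted, reason) for a candidate password or passphrase."""
    lowered = candidate.lower()
    for word in FORBIDDEN_WORDS:
        if word in lowered:   # "in any form": matched case-insensitively
            return False, f"contains forbidden word '{word}'"
    if is_passphrase(candidate):
        return True, "accepted as passphrase"
    classes = effective_classes(candidate)
    needed = MIN_LENGTH[classes]
    if len(candidate) < needed:
        return False, (f"{classes} effective classes need {needed} "
                       f"characters, got {len(candidate)}")
    return True, f"{classes} effective classes, length {len(candidate)}"


if __name__ == "__main__":
    # The five candidates from the page's example.
    for pw in ("xQaTEhbU", "xQaT3pb", "xQaT3#", "Xqat3hb", "xQaTEh2"):
        print(pw, check_esxi_password(pw))
```

The two rejected candidates show why counting classes over the whole string is not enough: both contain three classes on paper but only two effective ones.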

Dec 01

VMware vSphere 5 Memory Management and Monitoring diagram (2017642)

This video expands on the diagram provided in the knowledge base article “VMware vSphere 5 Memory Management and Monitoring diagram (2017642)”.
It provides a comprehensive look into the ESXi memory management mechanisms and reclamation methods, and also covers the relevant monitoring components in vCenter Server and troubleshooting tools such as ESXTOP.

VMware vSphere 5 Memory Management and Monitoring diagram


Download the full VMware vSphere 5 Memory Management and Monitoring diagram poster.



VMware Security Advisories


VMware ESXi and ESX unauthorized file access through vCenter Server and ESX
1. Summary
VMware ESXi and ESX unauthorized file access through vCenter Server and ESX
2. Relevant releases

VMware ESXi 5.5 without patch ESXi550-201312001
VMware ESXi 5.1 without patch ESXi510-201310001
VMware ESXi 5.0 without patch update-from-esxi5.0-5.0_update03
VMware ESXi 4.1 without patch ESXi410-201312001
VMware ESXi 4.0 without patch ESXi400-201310001

VMware ESX 4.1 without patch ESX410-201312001
VMware ESX 4.0 without patch ESX400-201310001

3. Problem Description
a. VMware ESXi and ESX unauthorized file access through vCenter Server and ESX

VMware ESXi and ESX contain a vulnerability in the handling of certain Virtual Machine file descriptors. This issue may allow an unprivileged vCenter Server user with the privilege “Add Existing Disk” to obtain read and write access to arbitrary files on ESXi or ESX. On ESX, an unprivileged local user may obtain read and write access to arbitrary files. Modifying certain files may allow for code execution after a host reboot.

Unprivileged vCenter Server users or groups that are assigned the predefined role “Virtual Machine Power User” or “Resource Pool Administrator” have the privilege “Add Existing Disk”.

The issue cannot be exploited through VMware vCloud Director.


  • A workaround is provided in VMware Knowledge Base article 2066856.


  • In a default vCenter Server installation no unprivileged users or groups are assigned the predefined role “Virtual Machine Power User” or “Resource Pool Administrator”.
  • Restrict the number of vCenter Server users that have the privilege “Add Existing Disk”.

VMware would like to thank Shanon Olsson for reporting this issue to us through JPCERT.

The Common Vulnerabilities and Exposures project has assigned the name CVE-2013-5973 to this issue.

Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

Known Issues (*)

Deploying these patches does not remediate the issue if the ESXi or ESX file /etc/vmware/configrules has been modified manually (modifying this file is uncommon). Customers who have modified this file should apply the workaround after installing the patch.

After deploying the patches, Virtual Machines that have their names ending in “-flat”, “-rdm” or “-rdmp” will no longer power on. See the VMware Knowledge Base article listed under “Workaround” for a solution.
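
A pre-patch review covering the mitigation and the second known issue above, as an added example that is not part of the advisory: it lists who holds “Add Existing Disk” and which virtual machines would stop powering on. The role, permission and VM data are constructed, shaped like the vSphere API's role and permission objects; the privilege ID `VirtualMachine.Config.AddExistingDisk` is the API name for that privilege and does not appear on this page, and matching the name endings case-insensitively is an assumption.

```python
# API privilege ID for "Add Existing Disk" (not stated in the advisory).
ADD_EXISTING_DISK = "VirtualMachine.Config.AddExistingDisk"
# VM name endings that no longer power on after patching (Known Issues).
BLOCKED_SUFFIXES = ("-flat", "-rdm", "-rdmp")

# Constructed sample inventory; role IDs and principals are made up.
SAMPLE_ROLES = [
    {"roleId": 10, "name": "Read-only", "privilege": ["System.View", "System.Read"]},
    {"roleId": 11, "name": "Virtual Machine Power User",
     "privilege": ["VirtualMachine.Interact.PowerOn", ADD_EXISTING_DISK]},
    {"roleId": 12, "name": "Resource Pool Administrator",
     "privilege": ["Resource.AssignVMToPool", ADD_EXISTING_DISK]},
    {"roleId": 13, "name": "Helpdesk (custom)",
     "privilege": ["VirtualMachine.Interact.PowerOn"]},
]
SAMPLE_PERMISSIONS = [
    {"principal": "EXAMPLE\\vm-operators", "group": True, "roleId": 11,
     "entity": "Datacenter-A"},
    {"principal": "EXAMPLE\\alice", "group": False, "roleId": 13,
     "entity": "Cluster-1"},
    {"principal": "EXAMPLE\\bob", "group": False, "roleId": 12,
     "entity": "ResourcePool-Dev"},
]
SAMPLE_VM_NAMES = ["web01", "db-flat", "legacy-RDMP", "flat-file-server", "backup-rdm"]


def principals_with_privilege(roles, permissions, privilege=ADD_EXISTING_DISK):
    """Return (principal, kind, role name, entity) for each grant of the privilege."""
    granting = {r["roleId"]: r["name"] for r in roles if privilege in r["privilege"]}
    findings = []
    for perm in permissions:
        role_name = granting.get(perm["roleId"])
        if role_name is not None:
            kind = "group" if perm["group"] else "user"
            findings.append((perm["principal"], kind, role_name, perm["entity"]))
    return sorted(findings)


def vms_blocked_after_patch(vm_names):
    """Return VM names ending in -flat, -rdm or -rdmp (case-insensitive: assumption)."""
    return [name for name in vm_names if name.lower().endswith(BLOCKED_SUFFIXES)]


if __name__ == "__main__":
    for finding in principals_with_privilege(SAMPLE_ROLES, SAMPLE_PERMISSIONS):
        print("holds Add Existing Disk:", finding)
    for name in vms_blocked_after_patch(SAMPLE_VM_NAMES):
        print("rename or apply the KB fix before patching:", name)
```

Custom roles that include the privilege are caught as well, since the check is on the privilege list rather than on the two predefined role names.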

4. Solution

Please review the patch/release notes for your product and version and verify the checksum of your downloaded file.

ESXi and ESX

ESXi 5.5
md5sum: 549b5eb75f1d4d937019d2c28e15a4fe
sha1sum: c2656b25e2a85799d4aa79ded942d4c322e9487a
ESXi550-201312001 contains ESXi550-201312101-SG

ESXi 5.1
md5sum: 00b6a97b3042dc45da52e20b67666387
sha1sum: 8b0e2e832d0c603991718da17e1f73de4f0969cc
ESXi510-201310001 contains ESXi510-201310101-SG

ESXi 5.0
md5sum: 7e6185fa3238a4895613b39e57a2a94b
sha1sum: aa3929d2c8183aeaecdc238cbbf4d270bd70dd07
update-from-esxi5.0-5.0_update03 contains ESXi500-201310101-SG

ESXi 4.1
md5sum: f85c0c449513b88b22f19a5f11966d5e
sha1sum: cfde5abbef77976b76d55813ae1e7bbbbca25b7b
ESXi410-201312001 contains ESXi410-201312401-SG

ESXi 4.0
md5sum: 3075bce1b19a52b053a5dc18d06d40e0
sha1sum: 19952da0dd9f81ea299cb8ae6c462f11566b56e0
ESXi400-201310001 contains ESXi400-201310401-SG

ESX 4.1
md5sum: c35763a84db169dd0285442d4129cc18
sha1sum: ee8e1b8d2d383422ff0dde04749c5d89e77d8e40
ESX410-201312001 contains ESX410-201312401-SG

ESX 4.0
md5sum: 9d47cf815ed142a17f97002379b5e386
sha1sum: 91082ec4263333f9b996883cb53dbe9aab7a88b5
ESX400-201310001 contains ESX400-201310401-SG

6. Change log
2013-12-22 VMSA-2013-0016
Initial security advisory in conjunction with the release of ESXi 5.5 patches on 2013-12-22

Mar 10

VMware Security Hardening Guides

Security Hardening Guides provide prescriptive guidance for customers on how to deploy and operate VMware products in a secure manner. Guides for vSphere are provided in an easy to consume spreadsheet format, with rich metadata to allow for guideline classification and risk assessment. They also include script examples for enabling security automation. Comparison documents are provided that list changes in guidance in successive versions of the guide.

Hardening Guides

vSphere 6.0

vSphere 5.5 Update 1

vSphere 5.5

vSphere 5.1

vSphere 5.0 and earlier

Other VMware Products