Posts Tagged ‘vSphere’

Five ways to maximize VMware hypervisor security

April 7th, 2011

For better or worse, administrators usually accept the default VMware hypervisor security settings.

VSphere is fairly secure, but VMware security breaches can still occur. Careless mistakes and questionable administrative decisions can weaken infrastructure security — especially if IT pros are more concerned about management convenience than about hardening the hypervisor, hosts and virtual machines (VMs).

To help prevent snafus, here are five ways to maximize VMware hypervisor security.

Firewalls prevent VMware hypervisor security from getting burned
Physical firewalls protect servers and devices directly connected to physical networks, but they aren’t always effective at protecting VMs connected to virtual networks. So use virtual firewalls in conjunction with physical firewalls to ensure that network traffic is secure at every level and nothing slips through the cracks.

Sometimes, virtual machine network traffic doesn’t leave the host or travel over a physical network. Traffic between VMs on the same vSwitch and port group remains inside the host. It travels in the host’s memory, through the virtual network — rather than over the physical network. As such, it’s outside the physical firewall’s protection zone.

Read the full article at searchvmware.com…

Author: esiebert7625 Categories: News

VAR concerns and considerations for handling vSphere security: FAQ

April 6th, 2011

Keeping your customer’s physical environment secure is more straightforward than dealing with security in a virtual environment. There are a number of hidden risks and concerns that solution providers need to be prepared for before fielding customer questions about vSphere security.

Virtualization expert Eric Siebert breaks down what you need to know about securing your customer’s vSphere environment, including Payment Card Industry Data Security Standard (PCI DSS) concerns, anti-virus software and ESX firewalls. Siebert also explains which third-party virtualization security products and vendors can be useful to solution providers.

How does security in virtual environments differ from physical environments?

Most of the security-hardening techniques that solution providers would normally use in physical environments apply to virtual environments as well. These techniques are typically used at the guest operating system (OS) level, which is no different in virtual environments. There are, however, other security areas that you need to be concerned with inside virtual environments that don’t exist with traditional physical servers.

Solution providers need to recognize that the host opens up more attack vectors inside virtual environments, with the biggest being toward the ESX Service Console and the ESXi Management Console. These consoles run as privileged virtual machines (VMs) on the host and hold the keys to accessing any VM on the host. There are a variety of methods that can be used to access a host, including Secure Shell, vSphere Client, scripting application programming interfaces (APIs) and Web browser access. All of these access points need to be properly secured to protect the host and its VMs.

Read the full article at searchsystemschannel.com…

Author: esiebert7625 Categories: News

VMware backup software and a vSphere backup solution checklist

April 5th, 2011

If you’re shopping for a new VMware vSphere backup tool, there are many things you should take into account when deciding between the different VMware backup solutions on the market. Buying backup software for a virtualized environment is more complicated than buying software for traditional servers because the virtualization architecture changes the way backup and recovery is performed. In this tutorial, we look at the questions you’ll face when choosing VMware backup software. Then, you can download our free VMware backup solution checklist.

Does the backup software support virtualization?

The obvious first question you need to ask is whether the product supports virtualization and, if so, to what degree. Some vendors were slow to adapt their existing backup products to support virtualization, but almost all backup products today support it in some way. Other vendors like Veeam and Quest (formerly Vizioncore) developed backup products from the ground up specifically for VMware backup. When looking at backup software, check how deep the product’s integration with vSphere is, and whether the vendor has fully embraced the virtualization architecture and the features that make backups more efficient in vSphere. It is possible to perform backups of virtual servers in the same manner as physical servers using a backup agent installed in the guest OS. However, this method is inefficient and can cause poor performance due to excessive resource usage.

Read the full article at searchdatabackup.com

Author: esiebert7625 Categories: News

Managing storage for virtual desktops

March 21st, 2011

Implementing a virtual desktop infrastructure (VDI) involves many critical considerations, but storage may be the most vital. User experience can often determine the success of a VDI implementation, and storage is perhaps the one area that has the most impact on the user experience. If you don’t design, implement and manage your VDI storage properly, you’re asking for trouble.

VDI’s impact on storage

The biggest challenge for storage in VDI environments is accommodating the periods of peak usage when storage I/O is at its highest. The most common event that can cause an I/O spike is the “boot storm” that occurs when a large group of users boots up and loads applications simultaneously. Initial startup of a desktop is a very resource-intensive activity with the operating system and applications doing a lot of reading from disk. Multiplied by hundreds of desktops, the amount of storage I/O generated can easily bring a storage array to its knees. Boot storms aren’t just momentary occurrences — they can last from 30 minutes to two hours and can have significant impact.

After users boot up, log in and load applications, storage I/O typically settles down; however, events like patching desktops, antivirus updates/scans and the end-of-day user log off can also cause high I/O. Having a data storage infrastructure that can handle these peak periods is therefore critical.

Cost is another concern. The ROI with VDI isn’t the same as server virtualization, so getting adequate funding can be a challenge. A proper storage infrastructure for VDI can be very costly, and to get the required I/O operations per second (IOPS) you may have to purchase more data storage capacity than you’ll need.

Expect to spend more time on administration, too. Hundreds or thousands of virtual disks for the virtual desktops will have to be created and maintained, which can be a difficult and time-consuming task.

Read the full article in the March 2011 issue of Storage Magazine…

Author: esiebert7625 Categories: News

VSphere Enterprise Plus: Persuading your boss to upgrade your VMware licenses

March 17th, 2011

VSphere Enterprise Plus is the only tier of VMware licenses that provides Host Profiles, which streamline host provisioning and configuration, and Distributed vSwitches, which are advanced virtual switches that span multiple hosts. Enterprise Plus also includes other new features and increased resource limits.

As a result, many companies that have Enterprise licenses might consider upgrading to Enterprise Plus. But these VMware licenses can be expensive, and organizations usually require you to prove their business case and justify their cost. This sample letter should help make a convincing argument for upgrading to vSphere Enterprise Plus.

Read the full article at searchvmware.com…

Author: esiebert7625 Categories: News

My new series on the VMware vShield product family

February 23rd, 2011

I recently did a new series of tips on the new version of vShield for Tech Target that covers what the various components of the product family are, how to deploy the Manager, Zones & App components and some additional tips for using vShield. The series is broken into several smaller tips and I’ll be posting links to all of them here as they are published.

Author: esiebert7625 Categories: News

IPv6 support in vSphere

February 18th, 2011

With all the talk lately of IPv4 addresses being exhausted on the internet, I thought I would post a snippet from my book Maximum vSphere that covers IPv6 support in vSphere. This is just a small part of a whole chapter on networking, so for more good networking information be sure and check out my book, currently only $28.22 on Amazon.

Another new feature in vSphere is support for IP version 6 (IPv6), the successor to the traditional IPv4 addresses that are commonly used today. IPv6 was created to deal with the exhaustion of the number of IP addresses that IPv4 supports. IPv4 uses 32-bit IP addresses, which yields a maximum of around 4 billion unique IP addresses. IPv6, on the other hand, uses 128-bit IP addresses, which results in an insanely high number of unique IP addresses (340 undecillion, or 3.4 x 10 to the power of 38). Besides more IP addresses, IPv6 also has many enhanced features over IPv4, like stateless host auto-configuration to obtain IP addresses, mandatory IPsec for security and mandatory multicast.

IPv4 addresses are all numeric, and an IPv4 address is 4 bytes, also referred to as octets (4 bytes of 8 bits = 32 bits), such as 192.168.1.125, or in binary 11000000 10101000 00000001 11111101. Each byte contains 8 bits, which results in possible values of 0 through 255, for a total of 4,294,967,296 possible IP addresses.

IPv6 addresses are 16 bytes (128 bits) and are represented in hexadecimal. A typical IPv6 address is in the following form: hhhh:hhhh:hhhh:hhhh:hhhh:hhhh:hhhh:hhhh. IPv6 addresses have both a full and a shorthand notation. The full notation displays the whole address of 8 sections, e.g. E3D7:0000:0000:0000:51F4:9BC8:C0A8:7625; the shorthand notation drops the extra zeros which are common in IPv6 addresses, e.g. E3D7::51F4:9BC8:C0A8:7625. The double colon denotes the zero sections that were dropped.

Support for IPv6 was enabled in vSphere for the networking in the VMkernel, Service Console and vCenter Server. Support for using IPv6 for network storage protocols is currently considered experimental and not recommended for production use. Mixed environments of IPv4 and IPv6 are also supported.

To enable IPv6 on a host, select the host, choose the Configuration tab and then Networking. If you click the Properties link (not the vSwitch Properties) there is a checkbox to enable IPv6 for that host. Once it is enabled you must restart the host for the changes to take effect. Once restarted, you will see both an IPv4 and an IPv6 address in the VMkernel, Service Console (ESX) or Management Network (ESXi) properties of the vSwitch, as shown below.

[Image: ipv6]

You can edit the IPv6 settings and specify whether to obtain IPv6 addresses automatically through DHCP or through router advertisements, or set a static address. While IPv6 is better than IPv4, it has not seen widespread adoption, and in order to use it your network environment needs to support it; this includes DNS/DHCP servers, switches and routers. In many cases IPv6 is tunneled through IPv4 networks so both can coexist.

One additional note about IPv6 support in vSphere: as of vSphere 4.1, IPv6 is supported for:

  • Guest virtual machines
  • ESX/ESXi management
  • vSphere client
  • vCenter Server
  • vMotion
  • IP storage (iSCSI, NFS), experimental

NOTE: IPv6 is not supported for vSphere vCLI, VMware HA and VMware FT logging.

Update from VMware on vShield support:

We have support for IPv6 on the roadmap for vShield Edge to support IPv6 on external interface. For vShield App, Zones and Endpoint, we will be agnostic to v4 vs. v6 being as layer 2. Beyond that, vShield manager will support all UI for the v6 configs. Regarding timeframe, we may phase in the support for this over a few releases and exact details are in works.

Author: esiebert7625 Categories: News

ESX vs. ESXi: Convincing your boss to move to ESXi

January 21st, 2011

Since VMware first introduced its ESXi hypervisor at the end of 2007, the ESX-vs.-ESXi debate has escalated. But now that VMware plans to phase out ESX and switch to ESXi, migrating to ESXi has become increasingly important.

But the reality is that many VMware shops still run the ESX hypervisor. ESXi has a radically different management approach, and many ESX shops have avoided ESXi because it lacked the power of ESX’s service console. Additionally, several ESX features were not available in early ESXi iterations.

But ESXi has steadily matured, and now the consensus is that the stripped-down hypervisor is on par with ESX’s features and management. But many IT shops still run ESX because they are used to it, and the transition to ESXi can be time-consuming and difficult.

Now that ESXi will replace ESX, you may be ready to switch hypervisors. But you might have to convince your boss and coworkers to get on board. To end the ESX vs. ESXi debate for good, this sample letter should help you make a convincing argument for migrating to ESXi.

Read the full article at searchvmware.com…

Author: esiebert7625 Categories: News

Utilizing vSphere features, resource controls for VM priority

January 7th, 2011

After you implement virtualization for your customers it is important to define the priorities for their virtual machines (VMs). If you do not, your customers may find that their critical applications now run slower than before. Setting up resource controls can be a valuable service that VARs can offer their customers. The value can be two-fold: it helps to define customer priorities so that mission-critical VMs get access to the resources they need to run their workloads, and it allows VARs to show their customers the benefits of virtualization.

Here we will learn the resource control features in vSphere and how solutions providers can use them to set up a virtualized infrastructure that works for their customers.

Read the full 2-part article (Part 1, Part 2) at searchsystemschannel.com…

Author: esiebert7625 Categories: News

Top eight VMware vSphere backup best practices

January 7th, 2011

When it comes to backing up virtual machines in VMware vSphere, you need to leverage the strengths of virtualization to maximize your backup efficiency. You also need to know what to back up as well as how to back it up. In addition, you can’t use the same principles that you use in a traditional environment to back up a virtual environment. The following are eight vSphere backup best practices.

Read the full article at searchdatabackup.com…

Author: esiebert7625 Categories: News

HP’s new itty-bitty Microserver, the little server that couldn’t

September 9th, 2010

HP just released a new low-cost server which they have dubbed the “Microserver” due to its small size. The server doesn’t seem to belong to their ML line of servers and seems to be a standalone server with a name instead of a model, which is more geared towards consumers and small businesses. Here are the basic specifications of the server:

  • AMD Athlon II NEO N36L 1.3 GHz dual-core processor
  • 1GB (1×1GB) Standard/8GB Maximum DDR3 Unbuffered ECC memory (only 2 DIMM slots)
  • Embedded AMD SATA controller with RAID 0/1, Embedded AMD eSATA controller
  • HP 160GB 3G SATA Non-Hot Plug 7,200rpm 3.5″ ETY Hard Drive (total of 4 LFF drive bays)
  • Embedded HP NC107i PCI-Express Gigabit Ethernet Server Adapter
  • HP 200W Non-Hot Plug, Non-Redundant Power Supply
  • 2 expansion slots: 1 PCIe Gen 2 x16, 1 PCIe Gen 2 x1
  • (7) USB 2.0 ports: 4 front, 2 rear, 1 internal

The list price for this base configuration is $329, but to use this server as a vSphere host you are going to have to upgrade it. Therein lies the first problem: there are only 2 memory slots, and the server comes with only a single 1GB DIMM populating one slot. To get to 4GB of memory you would have to remove it and add 2 - 2GB DIMMs; the cost for this is $160. Having only 4GB of RAM in a virtual host is just not enough, so to get the server to its maximum supported 8GB capacity you would have to add 2 - 4GB DIMMs; the cost for this is $700 due to the extremely high cost of denser RAM. Now you’re up to over $1,000 for this server, as each 4GB DIMM costs more than the server itself.

The next problem is the CPU: the AMD Athlon NEO 1.3 GHz processor is pretty weak to be used for virtualization. The AMD NEO processor family was designed for ultrathin notebooks and has a very small form factor and low power consumption. As a result, while it is a dual-core, 64-bit CPU and includes the AMD-V feature which is required by vSphere, the performance is just not going to be good enough for a virtual host running many VMs. There is also the question of whether you could even use it with vSphere, which may not include the driver for whatever storage controller is being used. HP’s website does not give the model # of it, so it’s pretty much a mystery right now. The embedded NIC is the NC107i, which is the same one used in other servers like the ML110 G6 and is supported by vSphere. One would guess they would use the same storage controller as the ML110 G6, which is the B110i, which is also supported by vSphere, and if that’s the case you could at least install and run vSphere on it.

I love everything else about the server, especially its micro form factor case. I’m OK with only 2 expansion slots, as you could easily add 2 dual-port NICs to it for a total of 5, which would be sufficient for a vSphere host. The one downside is that both slots are PCIe, which require PCIe cards that are double the cost of PCI/PCI-X cards; a dual-port PCIe Intel NIC goes for about $130. While it’s a neat little server with a small form factor that would be great for home labs, I just can’t see using it for virtualization running ESX or ESXi. However, I can see it being used as a nice little storage server: you could fill the four drive bays with 1TB drives for less than $300, install OpenFiler on it and have yourself a nice little storage server to use with vSphere. But to use it for a virtual host just isn’t practical or affordable. I really wish HP would make a whole line of these servers and offer more options and expandability. The server does have the TPM security chip slot like other HP servers and also a special slot for an out-of-band management board called the Microserver Remote Access card (purchased separately), which are enterprise-class features. If they would only give this server 2 more DIMM slots and provide more CPU choices, this server would be perfect for a small virtualization home lab or business. This server seems geared towards running non-virtualized lightweight applications, which doesn’t make sense when everyone is going virtual these days.

So if you’re looking for an affordable vSphere home lab or small business server I’d have to recommend you look at the ML110 G6 server instead. The list cost is not that much more, it starts at $469 and it comes with more DIMM slots (4), more PCI slots (4) and more CPU options such as the Intel Core i3-530 (dual core), Intel Xeon X3430 (quad core) and the Intel Xeon X3440 (quad core w/HT). Also be aware that the Microserver does not come with a DVD drive standard which is an additional $49 option, the ML110 G6 does include a DVD drive. The ML110 G6 is a great little server, it’s taller than the Microserver but just as quiet and has low power consumption. I have two of them at home and they are perfect for a vSphere lab, with 4 DIMM slots you can use affordable 2GB DIMMs and get a total of 8GB of memory. In addition the X3440 CPU has hyperthreading which gives you 8 cores to use with a vSphere host. The HP Microserver is a cool concept and reminds me of the Shuttle servers but the small size comes at a cost with HP’s version and it just isn’t a great candidate to use as a vSphere host.

Author: esiebert7625 Categories: News

Upgrading hosts from ESX to ESXi in seven steps

September 9th, 2010

The next release of vSphere won’t include VMware ESX, so you may be unsure how to upgrade your ESX hosts to ESXi hosts. Unfortunately there is no magic bullet, and as with all upgrades, you should not rush into it without being prepared. In this article, I will provide a suggested methodology.

1. Understand the differences between ESX and ESXi

First, you need a good understanding of the differences between ESX and ESXi. The two hypervisors run the same VMkernel, but managing ESXi is different from managing ESX. (VMware provides a basic ESX vs. ESXi comparison on its website and a more detailed one in the ESX vs. ESXi 4.1 KnowledgeBase article.) ESX and ESXi used to differ considerably, but vSphere 4.1 addressed most of the differences and the two hypervisors are now on par with each other.

Read the full article at searchvmware.com…

Author: esiebert7625 Categories: News

Webcast on upgrading to vSphere

September 9th, 2010

I recently did a webcast for searchvmware.com on upgrading to vSphere that covers everything you need to know when upgrading from VI3 to vSphere. Below is the abstract of it along with the links for the webcast with slides/audio and the podcast audio only.

Webcast: Upgrading to vSphere: What you need to know
http://www.bitpipe.com/detail/RES/1282585373_290.html

Podcast: Upgrading to vSphere: What you need to know
http://www.bitpipe.com/detail/RES/1282585786_96.html

ABSTRACT:

If you have an existing VMware Infrastructure 3 environment, upgrading to vSphere — also known as ESX and ESXi 4 — will probably be on the agenda at some point if it hasn’t already. But before jumping into an upgrade of this caliber there are many considerations and requirements that you should be aware of, including hardware, software and database requirements, third-party software compatibility considerations and compatibility with other VMware products. Then, you’ll need to devise an upgrade plan for your existing environment. Upgrading to vSphere is fairly straightforward, but there are many gotchas that can make it more difficult than necessary. To avoid surprises during the upgrade you should properly prepare and know all the steps involved in your upgrade so that it is trouble-free. In this webcast we will cover considerations and steps for upgrading your existing virtual environment to vSphere.

Compatibility & requirement considerations:

* Hardware requirements
* Software & database requirements
* Third-party product compatibility
* VMware product compatibility

Planning an upgrade:

* Upgrade phases
* Upgrade methods

Performing an upgrade:

* Rolling back to a previous version
* Pre-upgrade checklist
* Upgrading vCenter Server
* Upgrading ESX and ESXi hosts
* Upgrading virtual machines

Author: esiebert7625 Categories: News

Workstation 7.1.1 released today with support for vSphere 4.1 guests

August 13th, 2010

I just happened to be downloading VMware Workstation today to run ESX 4.1 as a guest OS and, lo and behold, a new version came out today with official support for running ESX/ESXi 4.1 as virtual machines. It doesn’t look like there are any other major changes to Workstation besides the added support for vSphere 4.1 and some minor bug fixes. Download here and release notes are here.

What’s New

VMware Workstation 7.1.1 is a maintenance release that resolves some known issues and adds the following new support. It is a free upgrade for all VMware Workstation 7.x users.

New Support for Guest Operating System

VMware vSphere 4.1 is now supported as a guest operating system. VMware Certified Professionals (VCPs) and virtualization experts can use VMware vSphere 4.1 to install the latest server virtualization software and experiment with server setup, conduct training, show demos, and test production configurations. Running ESX as a guest eliminates the need to have spare hardware available to run ESX natively and enables ESX to run on systems that are not listed on the ESX hardware compatibility list (HCL). For more information on the supported processors and host operating systems, see Considerations for Running an ESX Guest.

This feature is intended for educational and demonstration purposes only and should not be used in production environments. To use this feature, you must download VMware vSphere 4.1 from the VMware Web site and follow the installation documentation provided with VMware vSphere to install ESX.

Author: esiebert7625 Categories: News

New vChat video posted

August 13th, 2010

I participate in a weekly video podcast called vChat along with Simon Seagrave (techhead.co.uk) and David Davis (vmwarevideos.com). Each week we discuss certain topics related to virtualization for about 30 minutes. In this week’s episode (vChat #3) we discuss home labs and share advice and our experiences with building our own home labs. So head on over there and check out the latest episode as well as past episodes; you can also subscribe via iTunes.

Author: esiebert7625 Categories: News