Over the last months I have gathered more and more experience with VMware's secure Linux appliance that allows secure access to a virtual desktop (and more) over an insecure network such as the Internet: the Unified Access Gateway (UAG).
Keep in mind the UAG is not just a replacement for the old Windows-based Security Server; it also offers much more functionality (Edge Services for Airwatch / Workspace One, reverse proxy, second-factor authentication integration, etc.).
There might be use cases where we want to design our Horizon environment in a way that we use the UAGs not just for external, insecure access, but internally as well:
- Offering access to internal users coming from a less trustworthy site/location (including second-factor authentication for those users), with access restricted via firewalls/ACLs.
- A requirement to always use tunneled connections (for network simplicity or security reasons).
I love the vCenter Server Appliance. The migration works pretty well. Still, from time to time I stumble across minor problems (which so far have always been quite easy to work around or fix).
I was faced with one of these migration 'issues' recently at a customer's site.
We migrated a vCenter to an ESXi host that was using a distributed switch and the corresponding port group as the target network.
Since we add the virtual network adapter to the distributed switch directly on the ESXi host, we need an ephemeral port group (otherwise only the vCenter could add the VM's network adapter to this port group).
The general process of the migration looks like the following:
- Deploy a new and empty vCenter Server Appliance and connect it to the network.
- A temporary IP address is given to this vCenter Server Appliance.
- All relevant data of the source Windows-based vCenter Server is exported and transferred over the network to the new vCenter Server Appliance.
- When the whole data set has been transferred, shut down the original vCenter and give the new vCSA the network identity of the original vCenter.
Unfortunately the last step did not work properly. After a certain amount of time (and coffee) the migration process was stuck at 50% – Shutting down source machine
Within the vSphere world we currently have one goal regarding our vCenter: migrate it from a Windows-based installation to the vCenter Server Appliance (vCSA).
The migration itself is pretty straightforward and works pretty well (e.g. here). But since we will shut down the original Windows-based vCenter VM afterwards, we need to decide how to deal with the applications that were running alongside the vCenter.
We need to migrate them as well. Especially in the case of the Horizon View Composer we need to do some proper planning; otherwise our linked clones (which require the Composer) can no longer be created and maintained (refresh, rebalance and recompose (R-R-R) operations).
Doing that migration is quite straightforward, but we need to perform some specific and not very well known tasks before we can complete all of the steps.
Goal: Migrate the vCenter to the vCSA and get rid of all currently used Oracle databases within the VMware vSphere & Horizon environment.
- Define a maintenance window and make sure no further Horizon View maintenance operations (R-R-R) take place.
- Back up the Horizon Composer database with the included View backup mechanism.
- Create a Windows Server for the Composer (compvm).
- Create a database for the Composer and the corresponding ODBC connection.
- Restore the backup on the compvm.
- Repoint Horizon to the new Composer within View Admin.
- Test maintenance operations.
- Clean up the old databases.
### UPDATE: 26th October it is
The majority has decided: we will meet on the 26th of October at around 6 PM. Please enter your name (any name) in the Doodle so that I can make a proper reservation.
After the success of the first #vBeers I organized in Munich, I want to meet up with friends and community geeks who are interested in virtualization and beer/drinks.
Since I moderate the (famous) #beer2b in the center of Munich from time to time, I have realized that a lot of useful input, information and thinking comes up as soon as you talk to other people in the field in a relaxed atmosphere. This will be the second edition of #vBeers in Munich. We had a group of 10-12 people at our first gathering. Let's see if we can keep up that number.
Since VMworld US and VMworld Europe have passed and we have worked through most of the news, I am pretty sure we will find great topics for further discussion.
WHEN? 26th October (vote here). Please use your name/email so that I can make a proper reservation.
Augustiner Keller (Arnulfstr. 52, 80335 München)
Löwenbräu Keller (Nymphenburger Str 2 – München) – 18:30
IMPORTANT: If you want to come, it would be great if you sign up in the Doodle mentioned above so I can make sure we have enough space/seats for our meet-up.
Sponsored? Nope ;-( (BYOW – Bring your own wallet)
I am delivering an NSX course to selected VMware partners in Unterschleißheim, so I hope to convince some of my participants to show up as well ;-)
PLEASE PUT YOURSELF INTO THE DOODLE SO THAT I CAN MAKE A PROPER RESERVATION.
Sometimes I really love the #vCommunity – just kidding: I love them all of the time. I was confronted with a scenario where only certain users of a Horizon environment should be allowed to access their own desktop via the Internet.
In general you have a few options to implement this kind of restriction:
- Using tags on the Connection Server and creating desktop pools that only allow usage by users coming from a tagged Connection Server.
- Using VMware vIDM (Identity Manager) and creating conditional access rules. This will work, but also creates new overhead to implement vIDM in a highly available fashion.
Some of you know that I like making videos of tech events like VMworld after I have visited them. It has only been a few days since a fantastic VMworld in Las Vegas finished.
Once again I met fantastic people to talk about current products and issues in the usage of technology. Fantastic sessions like the NSX community leader summit and the EUC Champion Meet-Up gave me an opportunity to meet even more brilliant people out there in the field.
Maybe this video can serve as a nice memory for some of you. So please take a short moment and have a look ;-) I am looking forward to any kind of feedback.
I hope to see most of you again next year, and if we haven't met yet: it's time to change that!
During (and around) VMworld 2017 VMware lifted many of its products to a new level to enable its customers a better and more agile software-defined datacenter than ever. Besides its datacenter portfolio, VMware is pushing its vision of a digital workspace in the end-user computing field much further.
Horizon + Airwatch -> Workspace One tries to combine all relevant subjects within the EUC field (identities, desktops, applications, devices, policies, …) in one single solution.
The following post summarizes the EUC announcements within VMware's current and upcoming products.
During (and around) the general session at VMworld 2017 (US) VMware talked about its idea of how the future infrastructure within public and private clouds can be managed.
For friends of VMware's existing products hoping for any kind of bigger announcement, the general session might have been a little bit disappointing. VMware's focus is cloud services and how to manage and operate the private and public cloud.
To make you aware of all kinds of changes and new releases within the current product portfolio and the new ones, I tried to summarize key elements of the new products or releases surrounding the #VMworld conference. If new products show up or are announced over the next days, I will keep it updated.
A summary of EUC products and announcements will be created on day 2 of #VMworld 2017.
The following section shows you how to make use of VMware's Unified Access Gateway (UAG) appliance to give the end user access to our virtual desktops / remote hosted applications over an insecure network like the Internet.
When we create this access we have multiple options:
- Using a VPN to 'tunnel' into the secure corporate network environment and connect further to the Horizon View environment.
- Placing a Windows Server in the DMZ, installing/configuring the Horizon View Security Server and making it publicly accessible.
- Placing the virtual Unified Access Gateway in the DMZ, installing/configuring the Horizon View Security Server and making it publicly accessible.
What is my recommendation nowadays? Go with the Unified Access Gateway. Why?
- It is a general opinion among security experts that a Windows server, even if hardened, offers more attack surface than a hardened minimal Linux.
- Using the Windows-based Security Server creates a 1:1 relationship between the Security Server and the Connection Server, which takes away some access flexibility.
- The UAG is getting more and more features to integrate other solutions, like specific Airwatch functionality.
- You can make use of the UDP-based Blast Extreme Adaptive Transport protocol, which gives you a better remote user experience even if you are connecting over a lossy network.
- It is much easier to operate than the first Access Point versions VMware made GA a few years ago ;-)
One important aspect of the UAG is that you need to know about the packet flow between the Horizon Client and the desktop. You will be dependent on the networking and security people. Make sure you are able to clearly articulate the requirements and what is going to happen. If you can explain the flow, the other people will be able to help you much better.