VMworld Europe here I come!

In less then 54 days I’m attending VMworld Europe in Barcelona again. My first VMworld visit was in Cannes (France) in 2009. This year I visit VMworld with two other Ictivity (Dutch VMware partner) colleagues. After VMworld, the vision, future directions and key announcements are shared with other colleagues and customers.

Here are a couple of reasons why I’m so excited to visit VMworld Europe:

1. General sessions

In the general sessions the vision, future directions and key announcements will be presented.

Key focus areas for the general sessions are:

  • Transform your data center into real private clouds
  • Extend into public clouds for more freedom and control
  • Enable a new digital workforce to with technology
  • Transform your security architecture

2. Breakout sessions

Each day I Pick a couple of sessions with a maximum of 3. The session choice is based on content and the presenter. Each session is recorded so you can watch it anytime after VMworld. The content catalog can be found here: link.

3. Solution Exchange

The Solution Exchange is packed (over 130) with vendors who support VMware.  Learn more about the latest solutions and technologies from these vendors.

4. Hands-on Labs

During VMworld I visit the hands-on labs a couple of times. With the hands-on labs you’re able to discover  one or more product(s) in short time. I really like the quality of the hands-on labs. After VMworld the new labs will be available (link).

5. Catch up with people

VMworld is a great place to meet friends, share knowledge and network with other people. Share and extend you’re knowledge!

6. Barcelona

Barcelona guarantees great weather, food and culture. Make some spare time to explore Barcelona.

7. Parties

Each day one or more vendor parties are organized. Pick some and have a great time. Here is overview of some parties (when more information is available the list will be updated):

EventDateRegistrationDescription
vRockStarSunday 10 September Link
Partner Exchange receptionMonday 11 September
vExpert PartyTuesday 12 SeptemberInvite only
VMware BeNeLuxTuesday 12 September
Veeam PartyTuesday 12 September
VMworld Customer Appreciation PartyWednesday 13 SeptemberIncluded in a full conference pass. The band is still unknown. Last year the band Empire of the sun was the main act.

VMworld is an awesome experience!  More information can be found here:

  • When: September 11 – 14  2017
  • Where: BARCELONA , FIRA GRAN VIA
  • Registration: link

Special thanks to the vExpert team for providing me a bloggers pass! See you at VMworld Barcelona!

Horizon Access Point / Unified Access Gateway (UAG) implementation tips

In 2013 I created a blog post with some tips for implementing a VMware Horizon View Security Server (link)”. Now the Unified Access Gateway (UAG) is replacing the VMware Security Server. So it’s time for a new blog post with some implementation tips about VMware Access Point / Unified Access Gateway (UAG). Here’s an overview of the tips:

  • The Unified Access Gateway (UAG) provides secure access to the following environments:
    • VMware Horizon
    • VMware Identity Manager
    • VMware AirWatch

  • In version 2.9 Access Point is renamed to Unified Access Gateway (UAG)
  • UAG is included in the Horizon standard, advanced and enterprise license
  • UAG 2.9 supports Horizon 6.2.3, 6.2.4 and 7.1.0
  • UAG includes some improvements (such as blast Extreme) that are not available in the Horizon Security Server
  • UAG is deployed in the DMZ and replaces the Horizon Security Server (Windows based)
  • UAG is packaged as an OVF.  It’s a hardened Linux appliance based on Suse Enterprise Linux. So there no need for Windows OSes in the DMZ which improves security!
  • Hardware specifications for the UAG are:
    • 2 vCPU
    • 4 GB memory
    • 20 GB harddisk
    • 1,2 or 3 Network adapters
  • Create an IP pool before deploying the UAG
  • Below is an overview of the VMware UAG firewall ports configuration:

The documentation about the the firewall ports can be found here.

(*1) When using Blast Extreme over port 443, port 8443 is not needed

  • The administration user interface (UI) can be used to set up and manage the Unified Access Gateway environment. To access to the management interface go to: https://ipaddress:9443/admin
  • Upgrading UAG is not supported. Install a new appliance. It’s highly recommend to create a PowerShell script for the deployment that can be used everytime when installinging a new UAG.
  • When deploying UAG using PowerShell, download the latest deployment scripts, link
  • The following certificates can be used:
    • Single-Server Name Certificate
    • Subject Alternative Name (SAN)
    • Wildcard Certificate
  • Convert the certificate into PEM-format files for the certificate chain and the private key, then convert the .pem files to a one-line format that includes embedded newline characters
  • If your certificate is in PKCS#12 (.p12 or .pfx) format, or after the certificate is converted to PKCS#12 format, use Openssl to convert the certificate to .pem files
  • There is NO need to pair Horizon Connection Servers with Access Point or UAG. Uncheck the boxes in the Connection Server:

  • Before configuring Radius authentication, first test if PCoIP and Blast access works:
    • Test a native Horizon Client using PCoIP.
      Test a native Horizon Client using Blast.
      Test the HTML Access Client (which also uses Blast)
  • Some browsers have problems with Client HTML access (link). To solve this problem change the checkorigin property.
    • On each Horizon Connection Server
    • Add a line in the “locked.properties” file (C:\Program Files\VMware\VMware View\Server\sslgateway\conf)
    • checkOrigin=false
    • Save
    • Restart the VMware Horizon View Connection Server service.

PowerShell example

I prefer the create a PowerShell script for the deployment of the UAG. This script deploys a single UAG with a single NIC and provide secure access to the Horizon View environment. The certificate will be generated automatically and is self-signed (in production environments use an signed certificate).

When re-deploying an UAG with PowerShell there is no need to manually remove the appliance. When the config is the same the old appliance is automatically removed.

Before using PowerShell make sure the following requirements are met, link.

PowerShell script:


[General]
#
# UAG virtual appliance unique name (between 1 and 32 characters).
# If name is not specified, the script will prompt for it.
#

name=UAG01

#
# Full path filename of the UAG .ova virtual machine image
# The file can be obtained from VMware
#

source=C:\temp\euc-access-point-2.9.0.0-5202536_OVF10.ova

#
# target refers to the vCenter username and address/hostname and the ESXi host for deployment
# Refer to the ovftool documentation for information about the target syntax.
# See https://www.vmware.com/support/developer/ovf/
# PASSWORD in upper case results in a password prompt during deployment so that passwords do not need
# to specified in this .INI file.
# In this example, the vCenter username is administrator@vsphere.local
# the vCenter server is 192.168.0.21 (this can be a hostname or IP address)
# the ESXi hostname is esx1.myco.int (this can be a hostname or IP address)
#
target=vi://administrator@vsphere.local:PASSWORD@192.168.250.30/dc-beerens-01/host/mgnt

#
# vSphere datastore name
#

ds=NFS-01

#
# vSphere Network names. A vSphere Network Protocol Profile must be associated with every referenced network name. This specifies
# network settings such as IPv4 subnet mask, gateway etc.
#

netInternet=dmz-vlan100
netManagementNetwork=dmz-vlan100
netBackendNetwork=dmz-vlan100
deploymentOption=onenic
ip0=192.168.250.32
netmask0=255.255.255.0
dns=192.168.250.2
#syslogUrl=syslog://server.example.com:514

#
# Setting honorCipherOrder to true forces the TLS cipher order to be the order specified by the server. This can be set on
# UAG 2.7.2 and newer to force the Forward Secrecy ciphers to be presented first to improve security.
#

honorCipherOrder=true

[Horizon]

#
# proxyDestinationUrl refers to the backend Connection Server to which this UAG appliance will connect.
# It can either specify the name or IP address of an individual Connection Server or of a load balanced alias to connect
# via a load balancer in front of multiple Connection Servers.
#

proxyDestinationUrl=https://192.168.250.71

#
# proxyDestinationUrlThumbprints only needs to be specified if the backend Connection Servers do not have
# a trusted CA signed SSL server certificate installed (e.g. if it has the default self-signed certificate only).
# This is a comma separated list of thumbprints in the format shown here.
#

proxyDestinationUrlThumbprints=sha1:‎f1 c2 b8 0a 3f 7b 87 df 33 96 22 49 66 40 70 1a 11 74 9e b1

tunnelExternalUrl=https://vdi.ivobeerens.nl:443
blastExternalUrl=https://vdi.ivobeerens.nl:443

#
# pcoipExternalUrl must contain an IPv4 address (not a DNS name)
#

pcoipExternalUrl=31.151.8.45:4172

  • name: The name of the Unified Access Gateway (UAG)
  • source: The location of the OVF file
  • target: Specifies the vCenter Server information and target ESX host.
  • ds: datastore to deploy the UAG
  • vSphere Network names: This section contains the network settings such as:
    • Portgroup
    • IP Address
    • Subnetmask
    • Amount of NICs
    • DNS server(s)
  • honorCipherOrder: This allows forward secrecy ciphers to be presented first in the cipher list to improve security.
  • proxyDestinationUrl: URL representing the Horizon backend server (internal Connection server)
  • proxyDestinationUrlThumbprints: This contains the thumbprint of the Connection Server

  • tunnelExternalUrl: URL used by Horizon Clients to connect the secure tunnel to this UAG appliance
  • blastExternalUrl: URL used by HTML Access Clients to connect to this UAG appliance
  • pcoipExternalUrl: URL used by Horizon Clients to connect using PCoIP to this UAG appliance (external IP address)

When the UAG deployment successfully executes other configuration (UI or PowerShell) options can be added such as:

  • Trusted certificates
  • Radius authentication
  • Identity Manager

 

 

 

Fix orphaned vSAN objects

In the vSphere Web client an orphaned  vSAN object was listed named:

/vmfs/volume/vsanuuid

From the vSphere Web Client you cannot manage orphaned vSAN objects . To check and fix orphaned vSAN objects, the Ruby vSphere Console (RVC) is needed.  The ‘vsan.check_state’ command checks if VMs and Virtual SAN objects are valid and accessible.

After logging in the RVC (rvc administrator@vsphere.local@localhost), execute the “vsan.check_state -r” command at the cluster level:

/localhost/dc-beerens-01/computers/CL-01/vsan.check_state -r

The “-r” parameter refreshes the VMX and registers the VMs.

After running the “vsan.check_state -r” command, the vSAN object is listed as VM back again in the vSphere Web Client.