What to know about vSphere 6.5 Update 1 before upgrading

vSphere 6.5 Update 1 is the first major update after the GA release of vSphere 6.5. Besides great new improvements such as vSAN 6.6.1, some nasty bugs are fixed. Here’s a short list of things you want to know before upgrading to vSphere 6.5 Update 1:

  • Upgrade from vSphere 6.0 Update 3 is now a supported upgrade path to vSphere 6.5.
  • Customers who are still on vSphere 5.5 will need to be on at least vSphere 5.5 Update 3b, build 3252642 in order to upgrade to vSphere 6.5 Update 1.
  • Discontinuation of third-party vSwitches. Customers using third-party switches such as Cisco Nexus 1000V, Cisco VM-FEX, HPE 5900v and IBM DVS 5000v will need to migrate off those switches after vSphere 6.5 Update 1. vSphere 6.5 Update 1 is the final release that supports these third-party switches!
  • General Support has been extended. This means that support for vSphere 6.5 will now end November 15, 2021.
  • vCenter Server Foundation now supports 4 hosts (increased from 3).
  • With vSphere 6.5 Update 1 you are prepared for the VMware Cloud on AWS (hybrid cloud) solution.
  • The vCenter Server needs to be running 6.5 U1 before upgrading your hosts to 6.5 U1.
  • The vSphere Client (HTML5) supports content library and OVF deployment operations (it’s still grayed out at the moment), as well as operations on roles and permissions, basic customization of the Guest OS, and additions to virtual machine, host, datastore, and network management.
  • A new version of vSAN 6.6.1 is added with new capabilities such as vSphere Update Manager (VUM) support. Manage vSAN software upgrades through integration with vSphere Update Manager.
  • vSAN Performance Diagnostic. This new feature is all about analyzing benchmarks and giving recommendations.
  • New vSAN Licensing for ROBO and VDI. The vSAN licensing editions are expanded with an Enterprise model that allows encryption and stretched clusters.
  • Scalability improvements of vCenter Server:
    • Maximum vCenter Servers per vSphere Domain: 15 (increased from 10)
    • Maximum ESXi Hosts per vSphere Domain: 5000 (increased from 4000)
    • Maximum Powered On VMs per vSphere Domain: 50,000 (increased from 30,000)
    • Maximum Registered VMs per vSphere Domain: 70,000 (increased from 50,000)
  • vSphere 6.5 no longer supports the following processors:
    • Intel Xeon 51xx series
    • Intel Xeon 30xx series
    • Intel Core 2 Duo 6xxx series
    • Intel Xeon 32xx series
    • Intel Core 2 Quad 6xxx series
    • Intel Xeon 53xx series
    • Intel Xeon 72xx/73xx series

More information:

  • VMware ESXi 6.5 Update 1 Release Notes, link
  • VMware vCenter Server 6.5 Update 1 Release Notes, link


VMworld Europe here I come!

In less than 54 days I’m attending VMworld Europe in Barcelona again. My first VMworld visit was in Cannes (France) in 2009. This year I visit VMworld with two other Ictivity (Dutch VMware partner) colleagues.

Here are a couple of reasons why I’m so excited to visit VMworld Europe:

1. General sessions

In the general sessions the vision, future directions and key announcements will be presented.

Key focus areas for the general sessions are:

  • Transform your data center into real private clouds
  • Extend into public clouds for more freedom and control
  • Enable a new digital workforce with technology
  • Transform your security architecture

2. Breakout sessions

Each day I pick a couple of sessions, with a maximum of 3. The session choice is based on content and the presenter. Each session is recorded so you can watch it anytime after VMworld. The session builder can be found here, link.

3. Solution Exchange

The Solution Exchange is packed with vendors (over 130) who support VMware. Learn more about the latest solutions and technologies from these vendors.

4. Hands-on Labs

During VMworld I visit the hands-on labs a couple of times. With the hands-on labs you’re able to discover one or more products in a short time. I really like the quality of the hands-on labs. After VMworld the new labs will be available (link).

5. Catch up with people

VMworld is a great place to meet friends, share knowledge and network with other people. Share and extend your knowledge!

6. Barcelona

Barcelona guarantees great weather, food and culture. Make some spare time to explore Barcelona.

7. Parties

Each day one or more vendor parties are organized. Pick some and have a great time. Here is an overview of some parties (when more information is available the list will be updated):

  • vRockStar: Sunday 10 September (Link)
  • Partner Exchange reception: Monday 11 September
  • vExpert Party: Tuesday 12 September (invite only)
  • VMware BeNeLux: Tuesday 12 September
  • Veeam Party: Tuesday 12 September
  • VMworld Customer Appreciation Party: Wednesday 13 September. Included in a full conference pass. The headliner this year is the Kaiser Chiefs! Last year the band Empire of the Sun was the main act.

This year the headliner of the VMworld Europe party will be the Kaiser Chiefs! A complete list of VMworld Europe gatherings can be found here, link.

VMworld is an awesome experience!  More information can be found here:

  • When: September 11 – 14  2017
  • Registration: link

Special thanks to the vExpert team for providing me a bloggers pass! See you at VMworld Barcelona!

Horizon Access Point / Unified Access Gateway (UAG) implementation tips

In 2013 I created a blog post with some tips for implementing a VMware Horizon View Security Server (link). Now the Unified Access Gateway (UAG) is replacing the VMware Security Server. So it’s time for a new blog post with some implementation tips about VMware Access Point / Unified Access Gateway (UAG). Here’s an overview of the tips:

  • The Unified Access Gateway (UAG) provides secure access to the following environments:
    • VMware Horizon desktops and applications
    • VMware Identity Manager
    • VMware AirWatch or VMware Workspace ONE per-app tunnels and tunnel proxy
    • VMware Content Gateway service to allow VMware Content Locker access to internal file shares and Microsoft SharePoint

  • In version 2.9 Access Point is renamed to Unified Access Gateway (UAG)
  • UAG is included in the Horizon standard, advanced and enterprise license
  • The use cases listed above can be mixed on the same UAG or separated on multiple UAGs
  • UAG 2.9 supports Horizon 6.2.3, 6.2.4 and 7.1.0
  • UAG includes some improvements (such as Blast Extreme) that are not available in the Horizon Security Server
  • UAG is deployed in the DMZ and replaces the Horizon Security Server (Windows based)
  • UAG is packaged as an OVF. It’s a hardened Linux appliance based on SUSE Enterprise Linux. So there is no need for Windows OSes in the DMZ, which improves security!
  • Hardware specifications for the UAG are:
    • 2 vCPU
    • 4 GB memory
    • 20 GB hard disk
    • 1, 2 or 3 network adapters
  • Create an IP pool before deploying the UAG
  • Below is an overview of the VMware UAG firewall ports configuration:

The documentation about the firewall ports can be found here.

(*1) When using Blast Extreme over port 443, port 8443 is not needed

  • The administration user interface (UI) can be used to set up and manage the Unified Access Gateway environment. To access the management interface, go to: https://ipaddress:9443/admin
  • Upgrading UAG is not supported. Install a new appliance. It’s highly recommended to create a PowerShell script for the deployment that can be used every time a new UAG is installed.
  • When deploying UAG using PowerShell, download the latest deployment scripts, link
  • The following certificates can be used:
    • Single-Server Name Certificate
    • Subject Alternative Name (SAN)
    • Wildcard Certificate
  • Convert the certificate into PEM-format files for the certificate chain and the private key, then convert the .pem files to a one-line format that includes embedded newline characters
  • If your certificate is in PKCS#12 (.p12 or .pfx) format, or after the certificate is converted to PKCS#12 format, use OpenSSL to convert the certificate to .pem files
  • There is NO need to pair Horizon Connection Servers with Access Point or UAG. Uncheck the boxes in the Connection Server:

  • Before configuring RADIUS authentication, first test if PCoIP and Blast access works:
    • Test a native Horizon Client using PCoIP.
    • Test a native Horizon Client using Blast.
    • Test the HTML Access Client (which also uses Blast).
  • Some browsers have problems with client HTML Access (link). To solve this problem, change the checkOrigin property:
    • On each Horizon Connection Server, open the “locked.properties” file (C:\Program Files\VMware\VMware View\Server\sslgateway\conf).
    • Add the line checkOrigin=false
    • Save the file.
    • Restart the VMware Horizon View Connection Server service.
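
The certificate conversion described in the tips above (PKCS#12 to PEM files, then PEM to the one-line format), as an added example that is not from the original post. It assumes OpenSSL is installed; the file names and function names are placeholders chosen here.

```shell
#!/bin/sh
# Added example, not from the original post. File names are placeholders.

# Split a PKCS#12 bundle into a certificate-chain PEM and a private-key PEM.
# openssl asks for the import password once per command.
p12_to_pem() {   # usage: p12_to_pem bundle.pfx chain.pem key.pem
    (
        umask 077    # the unencrypted key must not be readable by other users
        openssl pkcs12 -in "$1" -nokeys -out "$2" &&
        openssl pkcs12 -in "$1" -nocerts -nodes -out "$3"
    )
}

# Succeed only if the first certificate in the chain file belongs to the key.
cert_matches_key() {   # usage: cert_matches_key chain.pem key.pem
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Print the PEM blocks of a file as one line: every line break becomes the two
# characters \n. Text outside BEGIN/END markers (the "Bag Attributes" that
# openssl pkcs12 writes) and Windows carriage returns are dropped.
pem_to_oneline() {   # usage: pem_to_oneline file.pem
    awk '/^-----BEGIN /,/^-----END / { sub(/\r$/, ""); printf "%s\\n", $0 }' "$1"
}

# Run as: sh pfx2uag.sh bundle.pfx chain.pem key.pem
if [ "$#" -eq 3 ]; then
    p12_to_pem "$1" "$2" "$3" || exit 1
    cert_matches_key "$2" "$3" || { echo "certificate and key do not match" >&2; exit 1; }
    umask 077
    pem_to_oneline "$2" > "$2.oneline"
    pem_to_oneline "$3" > "$3.oneline"
fi
```

The key PEM and its one-line copy are written unencrypted, so keep them off shared storage and remove them once the appliance is deployed.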

PowerShell example

I prefer to create a PowerShell script for the deployment of the UAG. This script deploys a single UAG with a single NIC and provides secure access to the Horizon View environment. The certificate will be generated automatically and is self-signed (in production environments use a signed certificate).

When re-deploying a UAG with PowerShell there is no need to manually remove the appliance. When the config is the same, the old appliance is automatically removed.

Before using PowerShell make sure the following requirements are met, link.

PowerShell script:

# UAG virtual appliance unique name (between 1 and 32 characters).
# If name is not specified, the script will prompt for it.


# Full path filename of the UAG .ova virtual machine image
# The file can be obtained from VMware


# target refers to the vCenter username and address/hostname and the ESXi host for deployment
# Refer to the ovftool documentation for information about the target syntax.
# See https://www.vmware.com/support/developer/ovf/
# PASSWORD in upper case results in a password prompt during deployment so that passwords do not need
# to be specified in this .INI file.
# In this example, the vCenter username is administrator@vsphere.local
# the vCenter server is (this can be a hostname or IP address)
# the ESXi hostname is esx1.myco.int (this can be a hostname or IP address)

# vSphere datastore name


# vSphere Network names. A vSphere Network Protocol Profile must be associated with every referenced network name. This specifies
# network settings such as IPv4 subnet mask, gateway etc.


# Setting honorCipherOrder to true forces the TLS cipher order to be the order specified by the server. This can be set on
# UAG 2.7.2 and newer to force the Forward Secrecy ciphers to be presented first to improve security.



# proxyDestinationUrl refers to the backend Connection Server to which this UAG appliance will connect.
# It can either specify the name or IP address of an individual Connection Server or of a load balanced alias to connect
# via a load balancer in front of multiple Connection Servers.


# proxyDestinationUrlThumbprints only needs to be specified if the backend Connection Servers do not have
# a trusted CA signed SSL server certificate installed (e.g. if it has the default self-signed certificate only).
# This is a comma separated list of thumbprints in the format shown here.

proxyDestinationUrlThumbprints=sha1:f1 c2 b8 0a 3f 7b 87 df 33 96 22 49 66 40 70 1a 11 74 9e b1


# pcoipExternalUrl must contain an IPv4 address (not a DNS name)


  • name: The name of the Unified Access Gateway (UAG)
  • source: The location of the OVF file
  • target: Specifies the vCenter Server information and target ESX host.
  • ds: datastore to deploy the UAG
  • vSphere Network names: This section contains the network settings such as:
    • Portgroup
    • IP Address
    • Subnet mask
    • Number of NICs
    • DNS server(s)
  • honorCipherOrder: This allows forward secrecy ciphers to be presented first in the cipher list to improve security.
  • proxyDestinationUrl: URL representing the Horizon backend server (internal Connection server)
  • proxyDestinationUrlThumbprints: This contains the thumbprint of the Connection Server

  • tunnelExternalUrl: URL used by Horizon Clients to connect the secure tunnel to this UAG appliance
  • blastExternalUrl: URL used by HTML Access Clients to connect to this UAG appliance
  • pcoipExternalUrl: URL used by Horizon Clients to connect using PCoIP to this UAG appliance (external IP address)
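
A check for the proxyDestinationUrlThumbprints value before deployment, as an added example that is not from the original post: a thumbprint pasted from a certificate dialog can carry an invisible Unicode character that makes the string differ from the real digest. The function names are chosen here, and cert_thumbprint assumes OpenSSL and a PEM copy of the Connection Server certificate.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are chosen here.

# Print one entry as "sha1:" followed by 20 space-separated lowercase hex bytes.
# Fails if the prefix is missing, the digest is not 20 bytes long, or the entry
# holds any byte other than hex digits, spaces and colons (hidden characters).
normalize_thumbprint() {
    case $1 in sha1:*) body=${1#sha1:} ;; *) return 1 ;; esac
    junk=$(printf '%s' "$body" | LC_ALL=C tr -d '0-9A-Fa-f :')
    [ -z "$junk" ] || return 1
    hex=$(printf '%s' "$body" | LC_ALL=C tr -d ' :' | LC_ALL=C tr 'A-F' 'a-f')
    [ "${#hex}" -eq 40 ] || return 1
    printf 'sha1:%s\n' "$(printf '%s' "$hex" | sed 's/../& /g; s/ $//')"
}

# Check a comma-separated proxyDestinationUrlThumbprints value. Prints the
# cleaned list, or reports the first bad entry on stderr and returns 1.
check_thumbprint_list() {
    list=$1 out=
    [ -n "$list" ] || return 1
    old_ifs=$IFS; IFS=,; set -f
    set -- $list
    set +f; IFS=$old_ifs
    for entry in "$@"; do
        entry=$(printf '%s' "$entry" | sed 's/^ *//; s/ *$//')
        clean=$(normalize_thumbprint "$entry") ||
            { echo "bad thumbprint entry: $entry" >&2; return 1; }
        out=${out:+$out,}$clean
    done
    printf '%s\n' "$out"
}

# Derive the entry from the Connection Server certificate (PEM file) itself.
cert_thumbprint() {
    fp=$(openssl x509 -in "$1" -noout -fingerprint -sha1) || return 1
    normalize_thumbprint "sha1:${fp#*=}"
}

# Run as: sh thumbprints.sh 'sha1:.. ..,sha1:.. ..'
if [ "$#" -eq 1 ]; then check_thumbprint_list "$1" || exit 1; fi
```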

Once the UAG deployment has completed successfully, other configuration options can be added (through the UI or PowerShell), such as:

  • Trusted certificates
  • RADIUS authentication
  • Identity Manager