Monitor vSAN with ControlUp

One of the new enhancements in ControlUp 7.3 is vSAN monitoring support. ControlUp detects the vSAN cluster(s) and objects and displays real-time vSAN-specific metrics and metadata. In this blog post I highlight the features of the new vSAN integration in ControlUp 7.3.

Installation

The vSAN cluster is automatically recognized by ControlUp when the following requirements are met:

  • PowerShell minimum Version 5.0
  • VMware PowerCLI 10.1.1.x
  • .NET framework version 4.5
  • The vSAN Performance service must be turned on for the cluster
  • The user account configured for the hypervisor connection requires the “storage.View” permission.

Running ControlUp is easy: no installation is needed, simply execute a single executable (ControlUpConsole.exe). After starting ControlUp, add the vCenter server and the vSAN cluster(s) are automatically recognized. When clicking on the vSAN cluster you see real-time metadata and performance metrics.

Views

There are several preset views available with vSAN metrics such as:

  • vSAN Performance. Includes vSAN performance metrics such as IOPS, latency, cache and buffers.
  • vSAN Health. Includes the vSAN health checks.
  • vSAN Host Network. Includes vSAN network I/O and packet loss metrics.

You can easily switch between predefined views in the “Column Preset”. Here is an overview of vSAN metrics used by ControlUp:

Datastores: Name, Type, Capacity, Read/Write IOPS, Read/Write Rate, Read/Write Latency, Compression, Capacity Deduplication, Congestion, Outstanding IO, Disk Configuration, Total Used Capacity, Total Used – Physically Written, Total Used – VM Overreserved, Total Used – System Overhead, vSAN Free Capacity, vSAN Health, vSAN Cluster Health, vSAN Network Health, vSAN Physical Disk Health, vSAN Data Health, vSAN Limits Health, vSAN Hardware Compatibility Health, vSAN Performance Service Health, vSAN Build Recommendation, vSAN Online Health.
Datastores on Hosts: Name, Type, Capacity, Read/Write IOPS, Read/Write Rate, Read/Write Latency, Compression, Capacity Deduplication, Congestion, Outstanding IO, Local Client Cache Hit IOPS, Local Client Cache Hit Rate, vSAN Max Read Cache Read Latency, vSAN Max Write Buffer Write Latency, vSAN Max Read Cache Write Latency, vSAN Max Write Buffer Read Latency, vSAN Min Read Cache Hit Rate, vSAN Write Buffer Min Free Percentage, vSAN Host Network Inbound/Outbound I/O Throughput, vSAN Host Network Inbound/Outbound Packets Per Second, vSAN Host Network Inbound/Outbound Packet Loss Rate

When navigating you see all those metrics in the vSAN cluster, vSAN datastores on hosts, virtual disks and vSAN host network utilization views. You can easily drill down by double-clicking from the vSAN datastore to the diskgroup(s) on each ESXi host and then to the virtual disk(s). From the virtual disk(s) you can drill down to the Windows process.

Example: Find the root cause of high IOPS load on the vSAN cluster.

In the following example we will identify a Windows process that is causing high IOPS stress on the vSAN cluster. We drill down from the vSAN cluster to the vSAN diskgroup of the ESXi host to the virtual disk to the process level in the VM to find the root cause of the high IOPS.

  • In the vSAN Performance view we see the stress level has changed and a high IOPS load.

  • In the IOPS column we see that the threshold of 2000 is crossed. This threshold is the default and can be adjusted. The Virtual Expert suggests navigating to the “Datastore on Hosts (IOPS detailed View)”.

  • When double clicking on the “Datastore on Host” we see that “esxin04.lab.local” is generating the IOPS load.

  • The vSAN diskgroup of the “esxin04.lab.local” host has a virtual disk that belongs to the “ControlUp-vSAN-Test” VM that is causing the high IOPS load.

  • When double clicking on the virtual disk we go to the “Processes” view and see that the “diskspd.exe” process is causing the high IOPS load.

  • Optional: Right click on the process and select kill to end the “diskspd.exe” process. This stops the IOPS load on the vSAN cluster.

This example shows how easy it is to identify what process is causing stress on the vSAN cluster.

Alerting and reporting

For alerting you can add triggers in ControlUp to notify you when something happens on the vSAN cluster such as a change in the stress level for a period of time.

When using the triggers you’re able to start investigating right away when something happens on the vSAN cluster. All the vSAN data is transferred to ControlUp Insight for historical reporting and analytics. This is great for analyzing data and trends over time and can be very useful when investigating issues and understanding what is going on in your environment.

Conclusion

ControlUp is easy to set up and great for fast troubleshooting. Version 7.3 adds vSAN support. As shown in this blog post, with a couple of double clicks you’re able to perform a root cause analysis and find what process is causing the high IOPS on the vSAN.

There is a free trial available. Give it a try here: link

Tested SMS PASSCODE multi-factor authentication with VMware Horizon View

SMS PASSCODE offers a Multi-Factor Authentication (MFA) solution that adds an extra security layer for a broad range of authentication clients such as:

  • Citrix Web Interface Protection
  • RADIUS Protection
  • Cloud Application Protection
  • IIS Web Site Protection
  • ISA/TMG Web Site Protection
  • Windows Logon Protection
  • Secure Device Provisioning (for ActiveSync devices)

In this review we test how to integrate SMS PASSCODE with the latest version of VMware Horizon View using RADIUS authentication.

What is SMS PASSCODE

Unlike traditional hardware-token based solutions, SMS PASSCODE works without distribution of any hardware tokens. As a result, the logistic overhead involved is minimal and roll-out is much faster. No software installation is needed on the mobile phone. The cell phone number is simply read from the AD.

SMS PASSCODE sends a One-Time-Passcode (OTP) to the user’s mobile phone. SMS PASSCODE looks at multiple factors such as time, geo-location, and type of login system being accessed.

SMS PASSCODE offers a Multi-Factor Authentication (MFA) solution that adds an extra security layer to the VMware Horizon View environment. VMware Horizon View has support for RADIUS authentication.

LAB environment

In the lab environment the following components are installed:

  1. Horizon View Clients (PCoIP, RDP and HTML)
  2. Horizon View Security Server
  3. Horizon View Connection Server external
  4. Horizon View Connection Server internal
  5. Microsoft SQL Server
  6. Horizon View Composer
  7. vCenter Server
  8. Active Directory Domain Controller
  9. SMS PASSCODE version with Network Policy Server (NPS) role installed

For the external connection to the VMware Horizon View environment a Multi-Factor Authentication (MFA) is configured by using SMS PASSCODE. The internal Horizon View users don’t use SMS PASSCODE to connect.

The following software versions are used:

  • Windows Server 2012 R2 Active Directory (AD)
  • Windows Server 2008 R2 for the SMS PASSCODE and NPS software role
  • VMware vSphere 6
  • VMware Horizon View 6.1
  • SMS PASSCODE 7.2

Instead of using a GSM modem, a Web Service SMS dispatching service is used for sending messages. A GSM modem is highly preferred in a production environment.

Installation and configuration Management

Installation of SMS PASSCODE

SMS PASSCODE is installed on a Microsoft 32- or 64-bit Windows Operating System. The core components of SMS PASSCODE are:

  • Database Service. The database stores the SMS PASSCODE configuration and user data.
  • Transmitter service. This service is responsible for dispatching messages and validation of SMS PASSCODE logons. Handles load balancing and failover between all GSM modems.
  • Load Balancing service. Service responsible for load balancing and failover.
  • Web Administration Interface. Web site for maintaining user and configuration data.

These core components can be distributed over one or more servers to provide redundancy and load distribution for enterprise 24×7 uptime demands. In the lab setup all the core components are installed on a single server.

RADIUS Protection is selected as the Authentication Client during the installation.

Network Policy Server (NPS)

On the SMS PASSCODE server the Network Policy Server (NPS) role is installed for RADIUS authentication.

Configuration

Web Administration Interface (WAI)

The Web Administration Interface (WAI) is available from the web browser on port 2000. SMS PASSCODE is configured from the WAI.

From the WAI we need to do the following main steps:

  1. Configure AD integration and the messaging infrastructure used in the General settings
  2. Configure the User Integration Policy (UIP)
  3. Configure User Group Policies
  4. Configure transmission infrastructure for creating a dispatching entity

Step 1. General Settings

In the general settings tab AD integration in single sync mode is enabled. With single sync mode users are imported from a single user group.

The messaging infrastructure is selected in the globalization options. The following messaging infrastructures can be used in SMS PASSCODE:

  • SMS OTP
  • E-mail OTP
  • Voice call OTP
  • Web service SMS OTP
  • Token OTP
  • Personal passcode OTP

The SMS OTP is the most secure option to use and highly preferable. In our lab environment we use Web service SMS OTP as messaging infrastructure. A 3rd party web service is used for SMS dispatching.

Step 2. User Integration Policy (UIP)

User Integration Policies are used to configure how users in the SMS PASSCODE database are synchronized with users from one or more Active Directory stores.

When enabling AD integration, users are synced when belonging to a specified group or attribute. For example the mobile attribute is used to retrieve AD users. Only users with the phone number filled in are synced to SMS PASSCODE.

Step 3. User Group Policies (UGP)

User Group Policies (UGP) are used for managing users. Every user is assigned to a UGP and automatically inherits the settings specified by this policy. For example, the administrator could change the type of passcode dispatching, the SMS type (Flash/normal) or the Self Service Site permissions in the UGP. A UGP manages user settings on a group basis, or on an individual basis by overriding the UGP.

We changed the default UGP for the dispatch type to “Send passcodes by web services SMS”.

Step 4. Transmission infrastructure for creating a dispatching entity

In our lab environment we don’t have a GSM modem for sending SMS messages, so we configured and used a Web Service Dispatcher service for sending SMS messages.

After these four main configuration steps we can test whether the SMS message is sent to the user’s mobile phone by selecting the test button and choosing the Web Service Dispatcher option. A test SMS message is sent to the user’s mobile phone. If the SMS message arrives on the mobile phone, the configuration is ready for the next step.


When the four main steps are performed it is possible to perform some optional additional steps such as:

  • Adjust the passcode policy to reflect the organization’s policy. For example, adjust the minimal passcode length, composition of the passcode, lifetime and message composition for the SMS message that is sent to the mobile phone.
  • Create Authentication policies and lockout period settings.
  • Enable Geo IP and IP history lookup to identify where in the world your users are logging in.
  • Configure date and time restrictions
  • Configure the Self Service Web Site. The Self-service web site is for maintaining the users account settings and Password Resets.

Network Policy Server (NPS)

On the Network Policy Server a RADIUS Client profile is created. The RADIUS profile points to the VMware Horizon View Connection Server (3) that is configured for the external users. In this Client profile we enter the following information:

  • Friendly Name.
  • DNS or IP address of the Connection server.
  • A manually assigned shared secret that is used for the RADIUS connection between the NPS and the Connection Server.

VMware Horizon View external Connection Server configuration

On the Horizon View Connection Server (3) for the external access we configure 2-factor authentication for Remote Authentication Dial-In User Service (RADIUS). On the VMware Horizon View Connection Server we create a RADIUS profile using the following settings:

The primary Authentication Hostname/Address field contains the IP address of the NPS server. NPS is installed on the SMS PASSCODE server. The shared secret is the same one that was entered in the NPS Client configuration.
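How the shared secret entered on both the NPS RADIUS client and the Connection Server is used on the wire, as an added example (not from the original post or from either vendor). It follows RFC 2865 and assumes PAP and an Access-Challenge reply for the OTP prompt, which the post does not state; the user name, password, secrets, State value and the `demo` helper are constructed for illustration.

```python
import hashlib, hmac, os, struct

ACCESS_REQUEST, ACCESS_CHALLENGE = 1, 11          # RFC 2865 packet codes
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24

def attr(atype, value):
    """Encode one attribute as Type, Length, Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def parse_attrs(packet):
    """Return {type: value} for the attributes after the 20-byte header."""
    attrs, i = {}, 20
    while i < len(packet):
        if i + 2 > len(packet) or packet[i + 1] < 2 or i + packet[i + 1] > len(packet):
            raise ValueError("malformed attribute")
        attrs[packet[i]] = packet[i + 2:i + packet[i + 1]]
        i += packet[i + 1]
    return attrs

def _xor_chain(data, secret, request_auth, hiding):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous ciphertext)."""
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        res = bytes(b ^ m for b, m in zip(block, mask))
        prev = res if hiding else block       # chain on the ciphertext block
        out += res
    return out

def hide_password(password, secret, request_auth):
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 bytes")
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    return _xor_chain(padded, secret, request_auth, hiding=True)

def reveal_password(hidden, secret, request_auth):
    return _xor_chain(hidden, secret, request_auth, hiding=False).rstrip(b"\x00")

def build_request(ident, user, password, secret, request_auth=None):
    """Connection Server side: Access-Request with a random Request Authenticator."""
    request_auth = request_auth or os.urandom(16)
    attrs = attr(USER_NAME, user) + attr(USER_PASSWORD, hide_password(password, secret, request_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs

def build_response(code, request, attrs, secret):
    """NPS side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs

def verify_response(response, request, secret):
    """Connection Server side: accept a reply only if it proves knowledge of the secret."""
    length_ok = len(response) >= 20 and struct.unpack("!H", response[2:4])[0] == len(response)
    if not length_ok or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])

def demo(server_secret, client_secret):
    """Run one exchange; the arguments are the secrets typed on each side."""
    request = build_request(7, b"alice", b"constructed-AD-password", client_secret)
    seen = reveal_password(parse_attrs(request)[USER_PASSWORD], server_secret, request[4:20])
    prompt = attr(REPLY_MESSAGE, b"Enter PASSCODE") + attr(STATE, b"constructed-state")
    reply = build_response(ACCESS_CHALLENGE, request, prompt, server_secret)
    return seen == b"constructed-AD-password", verify_response(reply, request, client_secret)

if __name__ == "__main__":
    print("matching secrets  :", demo(b"constructed-secret", b"constructed-secret"))
    print("mismatched secrets:", demo(b"constructed-secret", b"constructed-secret-typo"))
```

With matching secrets `demo` returns `(True, True)`; with a mistyped secret on either side it returns `(False, False)`, because NPS decodes a garbage password and the Connection Server rejects the reply.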

Connecting to the VMware Horizon View environment

External users connect to the VMware Horizon View environment by using the VMware View Client and HTML Access.

VMware Horizon View Client

When connecting externally to the VMware Horizon View environment by using the Horizon View Client, the following login box appears in the Horizon View Client:

After entering the AD user name and password credentials, a One-Time-Passcode (OTP) is sent to the user’s mobile phone.

After entering the OTP in the Next Code: field you’re authenticated to the VMware Horizon View environment and you see your pool entitlements.

HTML access

Another option is to connect to the VMware Horizon View environment by using HTML access. This option does not require any software other than a supported browser such as IE, Chrome or Firefox on the client. HTML access uses the Blast protocol instead of the PCoIP protocol. The login steps are the same as for the Horizon View client.

Conclusion

SMS PASSCODE is a multifactor solution that adds an extra security layer to the VMware Horizon View environment. SMS PASSCODE has the following pros:

  • Stable and flexible product. We tested SMS PASSCODE for several months and it is a very stable product. We experienced no crashes or strange things during our tests.
  • Simple installation, configuration and maintenance
  • Can be used in Small and Midsize Business (SMB) up to large Enterprise (24×7) environments (scalable).
  • No extra software is needed on the user’s mobile phone
  • No hardware-tokens are needed
  • Because RADIUS authentication is used, it works with new versions of VMware Horizon View out of the box.

For SMS PASSCODE a Windows Operating System is needed. It would be great if in the future an appliance version can be used without the need for a Windows Operating System.

When working with external users that connect to your VMware Horizon View environment an extra security layer is needed besides the standard username and password.

SMS PASSCODE offers that extra layer of security by using 2-factor or Multi-Factor Authentication.

More information

Want to try SMS PASSCODE live or request a free 30 day trial? Click the link. vExperts can obtain an NFR license by sending an email to support@smspasscode.com. Provide some documentation that proves you are a vExpert.

Monitor VMware Horizon View environments with ControlUp

A couple of weeks ago ControlUp released version 4.0 with support for VMware Horizon View. In this blog post I share my experience with ControlUp 4.0 monitoring VMware vSphere and VMware Horizon View.

What is ControlUp

ControlUp is a real-time performance monitor for Microsoft Remote Desktop Services (RDS), Citrix, and physical- and virtual server environments. ControlUp can be used to:

  • Troubleshoot performance issues in real time
  • Analyze performance trends and usage patterns
  • Compare and manage multiple computers
  • Investigate incidents and receive email alerts

The new 4.0 version of ControlUp has added support for:

  • VMware vSphere (4.x and 5.x)
  • Citrix XenServer (6.x)
  • VMware Horizon View desktops (5.x and 6.x)

ControlUp is tested against the following lab environment:

  • VMware ESXi 5.5 Update 2
  • VMware Horizon View 6.x environment with the composer
  • The VDI desktops are part of a floating pool
  • Windows 7 64-bit as VDI desktop OS.

Installation and configuration

The installation is very simple. On a management server, execute a single executable (ControlUpConsole.exe). It runs in memory, so no installation is needed. The console is the GUI for displaying data and running tasks. As prerequisites, .NET Framework 3.5 SP1, an Active Directory connection and an internet connection are required. ControlUp is enabled in Enterprise Mode by default. Enterprise Mode offers features that allow you to collaborate with team members, define user roles and delegate administrative tasks to different ControlUp users. The other option is Standalone Mode, which does not require an active internet connection but is limited, for example in collaboration and delegation.

After creating an account it is time to create one or more organization(s). An organization represents groups of computers managed by the same administrators. By creating additional organizations it is possible to segment your network computers into different administrative units managed by different administrators. After this the configuration is ready.

Monitoring VMware environments

For VMware environments you need to add the vCenter Server to the ControlUp Console. When the vCenter is added, the inventory of cluster(s), hosts and VMs is displayed in the ControlUp console. In the following example we added a vCenter server with 1 cluster that contains 3 ESXi hosts.

To organize the computers a folder tree is created. For ESXi hosts, counters on CPU, memory, networking and storage can be monitored. For every counter specific thresholds per folder can be configured. Here is an overview of counters that can be monitored on the vSphere layer:

The Stress level reflects the state of the performance metric reported to the console. In the following example we stressed the ESXi hosts’ memory threshold (> 90%) by powering on extra VMs.

The stress level jumped to high (red) within seconds. So in real time you see what is happening on the vSphere layer. In the next example we stressed the datastore latency (> 22 ms) and free datastore space (below 500 MB).

In the above examples we see that when a threshold is exceeded on the VMware ESXi hosts, it is displayed almost in real time in the ControlUp Console.

Monitoring VMware Horizon View VDI Desktops

To monitor VMware Horizon VDI desktops, a lightweight ControlUp agent needs to be installed. The ControlUp agent can be installed in the Golden Image or deployed when the VDI desktop is running. It is important that the firewall ports for RPC, WMI, Windows Remote Management and the ControlUp agent are allowed. After adding the ControlUp agent, VMware View specific settings can be displayed.

In the following example we have 4 Windows 7 VDI desktops. As you can see the stress level is low or medium.

In a Windows 7 VDI desktop we installed the third-party tool “HeavyLoad” to generate CPU load on the VDI desktop. When starting “HeavyLoad” the CPU spiked to 100%.

In the ControlUp console we look at the Computer tab and see the Stress level change to “High” after a couple of seconds and the CPU graph rise to 100%.

To see what is causing the high CPU load we opened the “Processes” tab and sorted on the Stress Level to see what process is causing the CPU load. We see that the process “HeavyLoad.exe” is causing the high load.

On the right menu you see some actions that can be performed. Here are some examples:

  • Getting a Screenshot of the desktop
  • Ending or killing the process
  • Throttle the CPU for a process

In the following example we use the tool “HeavyLoad” again to generate memory load. Now we see that the Stress Level is critical again and that the Memory is red.

To see what is causing the high memory load, open the “Processes” tab and sort on the Stress Level to see what process is causing the high memory load. And again the process “HeavyLoad.exe” is causing the high memory load.


Triggers

When a service stops or an event occurs it is possible to generate an alert. Using the “Incident Triggers” feature you can configure triggers to detect the following conditions:

  • Stress level
  • Windows Event
  • Computer Down
  • Process Started or Ended
  • User Logged On/User Logged Off
  • Session State changed

When a trigger fires, a real-time alert can be generated, such as sending an email. There are pre-configured incident triggers for Horizon View services and events that occur.

Testing ControlUp

ControlUp has launched an Expert Program for vExperts and recognized VMware View Consultants. To apply for the license, register here. All other VMware View admins can simply download ControlUp from the ControlUp website and enjoy the free unlimited 30 days trial.

Conclusion

Version 4 is the first version that supports VMware vSphere and Horizon View. In this blog post I highlighted a couple of examples that show the strength of ControlUp and how easy it is to install and use. In real time you see what is happening in your environment and drill from the hypervisor down to the Windows process level to identify what is causing the problem. This makes troubleshooting a lot easier on VMware Horizon View environments. The VMware Horizon View specific counters are a bit limited at the moment but ControlUp is asking for your feedback on this. If you miss something let them know by using the “feature request” button.

ControlUp has a lot more features than shown in this blog post. Other features are for example:

  • RDP to computer
  • Remote Assistance
  • Use RunAs accounts for actions
  • Update and killing Group Policies
  • Sending messages and chatting with users
  • Multiple computers management on the file system, registry and services.

All these features make ControlUp a powerful tool for the VMware Horizon View Administrator.