Stuff I'm Up To

Technical Ramblings

How to use vSphere 6.x Certificate Manager — March 10, 2017
Guidelines for Microsoft Clustering on vSphere — March 9, 2017

Guidelines for Microsoft Clustering on vSphere

This article provides links to a subset of articles that provide guidelines and support status for running various Microsoft clustering solutions and configurations on VMware vSphere.

VMware provides customers additional flexibility and choice in architecting high-availability solutions. Microsoft has clear support statements for its clustering solutions on VMware.

Additionally, VMware provides guidelines in terms of storage protocols and number of nodes supported by VMware on vSphere, particularly for specific clustering solutions that access shared storage. Other clustering solutions that do not access shared storage, such as Exchange Cluster Continuous Replication (CCR) and Database Availability Group (DAG), can be implemented on VMware vSphere just like on physical systems without any additional considerations.

https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1037959

Horizon SSL/TLS Ciphers — February 25, 2017

Horizon SSL/TLS Ciphers

After running an SSL scan on our external facing Horizon Security Server, using Qualys’ SSLTest and receiving an A- rating, I wanted to fix that by getting at least an A. But in order to do that I needed to understand what was required to get it to an A.

The problem I faced was that I was being marked down for not supporting Perfect Forward Secrecy (PFS).

The server does not support Forward Secrecy with the reference browsers. Grade reduced to A-

Continue reading

Horizon Updating Certificates — February 24, 2017

Horizon Updating Certificates

Updating certificates on the Windows hosts for Connection and Security Servers.

Import the signed SSL server certificate into the Windows local computer certificate store on the Windows Server host.

In the Certificate snap-in, import the server certificate into the Certificates (Local Computer) > Personal > Certificates folder.

Select Mark this key as exportable.

Click Next and click Finish.

For View Connection Server or Security server, add the certificate Friendly name, ‘vdm’, to the new certificate that is replacing the previous certificate. You should only have one certificate with the friendly name vdm, so make sure it’s only the most current certificate.

Right-click the new certificate and click Properties

On the General tab, in the Friendly name field, type vdm.

Click Apply and click OK.

Continue reading

VCSA /storage/log Full — February 1, 2017
Blank Dialog when Managing Connection Server — January 27, 2017
View Composer Certificate —
VMware Horizon Infrastructure Upgrade — January 4, 2017

VMware Horizon Infrastructure Upgrade

Upgrading VMware Horizon is going to be a fun task for the weekend. It means upgrading 3 connection servers, a security server, the vcenter server and the composer server. This is all so we can disable SSLv3 on the ESXi hosts they all run on.

Migration was originally planned from 5.3 to 6.2, as this is the earliest version that resolves the SSLv3 problem. But if we’re going to have to upgrade, why not go all the way to v7?

Continue reading

VMWare View 5.3 & vSphere 5.5 — October 25, 2016

VMWare View 5.3 & vSphere 5.5

As part of our patching process we applied security patches to one of the vSphere ESXi servers. All seemed to go well until we tried to compose systems onto it. We ended up with VDI clients being added to the server, but they’d never start up.

Clearly this was something to do with the patches that were applied.

Checking the log bundle we produced it was certainly an SSL related issue. Those damned certificates again! Well not quite.

Reading through the vmware-vdicomposer.log I picked up on a few of these messages:

Machine Name: VDICOMPOSER, Timestamp: 24/10/2016 15:01:52, App Domain Name: SviWebService.exe, Thread Identity: , Windows Identity: NT AUTHORITY\SYSTEM, OS Version: Microsoft Windows NT 6.1.7601 Service Pack 1, reason: ServiceUnreachable access host: vdiesx01.domain.local access port: 902 disk datastore path: [vdiesx01_fio] VDITestNew_1/VDITestNew_11-internal.vmdk expected certificate thumbprint:

Very strange, a blank thumbprint. Checking the VDI database table dbo.VPX_HOSTS we compared the expected thumbprint to the actual thumbprint on the vSphere server and all looked good. But something couldn’t be right.

Continue reading

VMWare Horizon Client for Linux — October 21, 2016

VMWare Horizon Client for Linux

That was an interesting challenge. A colleague was trying to install the VMWare Horizon Client into Linux without any real Linux experience. I know that installing things into Linux isn’t as cut and dried as running a setup program in Windows, but VMWare really don’t help themselves by making this easy for Linux noobs.

The actual install runs a .bundle file script which does carry out the install fairly seamlessly, but when it finishes it turns out that it looks for some older dependencies than are available on the flavour of Linux being used.

How’s a Linux noob supposed to understand that?

Continue reading

vCenter Server Appliance Patching — October 20, 2016

vCenter Server Appliance Patching

The online manual suggests that all you need do is mount (attach) the ISO onto the VCSA and then from the command line stage and install the patches:

# software-packages stage --iso
# software-packages install --staged

After mounting the ISO to VCSA the hurdle I encountered from the command line was that software-packages “command not found”.

So I gave up on the command line and went back to the web GUI (very unlike me).

Continue reading

VMWare Updates —

VMWare Updates

As we’re running the VSCA appliance we can’t use the GUI Update Manager plug-in as that only works with Windows, despite VMWare being very Linux based. So, for us, keeping the hosts up to date is a manual process from the command line.

Download the latest VMWare updates from the support site.

https://my.vmware.com/group/vmware/patch#search

Then stick them onto a volume that all the hosts have access to. For big infrequent storage we use a Synology NAS and an NFS share that is mounted on all servers.

Make sure SSH is enabled on the host you want to update, under Manage, Settings, Security Profile in VCSA.

Migrate all of your running hosts off to another and put it into maintenance mode. The non-running will get migrated by maintenance mode.

~ # esxcli software vib update -d /vmfs/volumes/SYNOLOGY/vSphere/5.5/Updates/ESXi550-201608001.zip

Continue reading