Xtravirt

by Michal Grzeszczak

My name is Michal Grzeszczak and I am a senior consultant at Xtravirt (www.xtravirt.com), an independent cloud consulting business and VMware Master Services Competent Partner.  In this blog, I’d like to share with you my experience of L2 bridging with VMware® NSX-T Data Center and help you to understand some of the differences between NSX-T and NSX-V, as well as cover some NSX use cases.  

Customer background:

The customer is one of the leading organisations in the betting and gambling industry and have been using NSX-V for some time now. When it came to their new greenfield environment, they decided to deploy NSX-T 2.4 Data Center. This decision was largely based on the fact that NSX-T Data Center provides bridging firewalls natively for L2 software bridging, which was their main requirement. Also, given that NSX-T will be the de facto network and security virtualisation platform offered by VMware going forward, by specifying it for this environment the customer is able to future proof the deployment. 

Future upgrades are also accounted for as upgrading from NSX-T 2.4 to future NSX-T releases is simpler than performing upgrades from a previous version of V or T.

NSX-T 2.4 was a major update and brought many changes to the architecture of the product, the main ones being:

The NSX Manager and NSX Controllers were merged into one appliance deployed in a Cluster of 3 Nodes therefore minimising the footprint of the solution and operational complexity. 

The other major change was the introduction of the new Simplified UI which “requires just the bare minimum of user input, offering strong default values with prescriptive guidance for ease of use. This means fewer clicks and page hops are required to complete configuration tasks.”

NOTE: In NSX 2.4 two UIs are presented - one is the new Simplified UI, the other one is Advanced. The latter is taken from NSX-T 2.3. The future plan is to remove the Advanced UI and provide all of the functionality via the Simplified UI.

 What are the key benefits of choosing NSX-T over NSX-V?

 There are many benefits of NSX-T over NSX-V, to name a few:

NSX-T doesn’t require vCenter, however it can be added to NSX-T as a Compute Manager and allows for up to 16 Compute Managers per NSX 2.4 solution . There is no longer a 1:1 requirement like there was with NSX-V. 

KVM Hypervisor support

Bare Metal Edges provide sub-second failover 

Data Plane Development Kit (DPDK) Optimising Forwarding - DPDK is a set of data plane libraries and network interface controller drivers for fast packet processing

New, more flexible Overlay technology - Geneve replaces     VXLAN  https://docs.vmware.com/en/VMware-Validated-Design/4.3/com.vmware.vvd.sddc-nsxt-design.doc/GUID-CF3C47CA-9BEB-4213-8F08-1494261BF3EC.html 

Bi-directional Forwarding Detection support

BGP (Border Gateway Protocol) expanded functionality with features like Route Maps

Much clearer User Interface (UI)

What were the specific use cases for this case customer and the design considerations?

USE CASE 1 - NSX-T Edge L2 Bridging - Integration of physical, non-virtualised database servers that require L2 connectivity to the virtualised environment. 

Design considerations:

In NSX-T 2.4 two options are possible to bridge L2 workloads - using ESXi Bridge Clusters or Edge Bridge Profiles. The latter is recommended to use as the former will be deprecated in future. 

Ideally the use of dedicated Bare Metal Edges, however this is not a requirement. 

The possibility to deploy Edge Bridges in collapsed vSphere Clusters >     Management + Edge or Compute + Edge

Consider having active and standby Edge Nodes on different hosts to avoid throughput drop, because VLAN traffic needs to be forwarded to both Edge Nodes in promiscuous mode.

Overlay traffic can be tagged on a Distributed Port Group or Uplink Profile, but please avoid double tagging. 

VLAN traffic should not be tagged on the Uplink Profile.

Distributed Port Group for VLAN traffic connecting to the Edge Node should be in a Trunk Mode. The reason for this is due to the fact that Edge doing Bridging adds 802.1Q tag when transposing Overlay traffic to VLAN. 

Consider having the same MTU value across your environment - if you can, choose MTU of 9000 for better performance. 

Several Bridge Profiles can be configured, and a given Edge can belong to several Bridge Profiles. By creating two separate Bridge Profiles, alternating active and backup Edge in the configuration, the user can easily make sure that two Edge nodes simultaneously bridge traffic between Overlay and VLAN

Constraints:

Edge Cluster with minimum 2 Edge Nodes in Active/Standby mode is needed.

Standby uplinks are not supported on the Edge Node.

Source Based Load Based Teaming is not supported on the Edge Node.

The port group on the VSS/VDS sending and receiving traffic on the VLAN side should be in promiscuous mode, allowing MAC Address changes and Forge Transmits.

Deployment:

Follow the deployment guide here - https://youtu.be/IwpujflzJhY 

Or here https://docs.vmware.com/en/VMware-NSX-T-Data-Center/2.3/com.vmware.nsxt.admin.doc/GUID-7B21DF3D-C9DB-4C10-A32F-B16642266538.html 

Validation:

Log in to the Edge Node with your credentials.

Type “nsxcli”.

“Get l2bridge-ports-config” will show the Bridge Port State (Active Edge will have Forwarding, Standby will have Stopped), VLAN ID configured and Bridge UUID which can be copied and used to do a packet capture on the Edge Node.

To do the packet capture type “start capture interface “copied Bridge UUID” and hit enter, ping from VM to Physical Server to see the flows. 

USE CASE 2 - NSX bridging firewall - Secure communication between physical database servers and Overlay workloads.

The configuration of the bridging firewall can be done currently only on the Advanced UI.

Security rules are configured per Logical Switch aka Segment in Simplified UI. 

NSX-T grouping objects like NSGroups can be used to provide abstraction from the IP based approach.

USE CASE 3 - vRealize Network Insight - Monitoring tool that can provide visibility into both Physical and Virtual environments. 

NSX-T 2.4 is fully supported with the latest vRealize Network Insight version 4.1.

Make sure you are allowing ports for communication between vRNI and other devices after the deployment. For example, ESXi Hosts to vRNI Collector on UDP 2055. The full list of ports needed can be found here - https://docs.vmware.com/en/VMware-vRealize-Network-Insight/3.9/com.vmware.vrni.install.doc/GUID-FDDA5F2F-7C3B-472A-A17D-39582FBD5996.html 

There is a new website that provides in-depth information about new features in vRNI, definitely worth visiting - https://vrealize.vmware.com/t/vmware-network-management/  

What were the outcomes?

Overall, this deployment was a complete success as we were able to satisfy all of the requirements that the customer had. All the production physical databases were able to communicate on the same L2 segments, virtualised and connected to NSX-T segments workloads. On top of that, communication between those workloads was secured by NSX-T Bridging Firewall. vRealize Network Insight was used to provide visibility into the environment. Its ability to quickly troubleshoot network and firewall related issues in both virtual and physical realms allows admins to take a breath in the never-ending battle of making the networks stable.

I hope you enjoyed my blog, if you’d like to talk to Xtravirt about your business’s networking and security requirements, then please send an email to [email protected]

Some Useful links:

By Curtis Brown

Windows Admin Center is a new, locally-deployed, browser-based management tool set that lets you manage your Windows Servers with no Azure or cloud dependency. It gives you full control over all aspects of your server infrastructure and is particularly useful for managing servers on private networks that are not connected to the Internet.

Windows Admin Center is the modern evolution of "in-box" management tools, like Server Manager and MMC. It complements System Center - it's not a replacement.

 This blog is a ‘how to’ guide on installing and using the Admin Center.

Installation

The installation starts with a pretty straightforward Window Installer.

It will ask if you want to use MS Update to keep it updated – probably a good idea!

When you install it, it can be a local install on Windows 10 accessed via a browser directed to https://localhost:6516 or installed on a Server in Gateway mode (https://servername).  You’ll need a supported browser – MS Edge (obviously) and Google Chrome currently. Internet Explorer doesn’t make the cut.

You can use a self-signed SSL certificate (not good) or a signed one.  If you’ve got a domain CA, simply create a Computer certificate in the server’s Personal Store and get the thumb print of this certificate.  A tip – Copy the thumbprint into notepad first and take out the spaces otherwise it won’t accept it.

Using Admin Center

Open the browser and point at the URL discussed above.

If you click on the Cog icon, you can access settings.  We can configure a number of items, notably access rights.

In Extensions, we can see further functionality that can be added.

Immediately useful ones are Active Directory, DHCP and DNS.

From the Server Manager page, we add servers.  This requires suitable credentials, so Service Accounts might be worthwhile here. Here we can see we’ve got two servers. LABSRV01 is the server we’ve installed the Admin Center on, while LABDC01 is our Domain Controller (DC).

If we select the DC, we see that we can remotely configure quite a lot of both server configuration items, but also, where applicable, we can use the Extensions installed earlier.

The PowerShell option allows us to open a PowerShell session on the target system – quite useful.

How about remote access to the Windows Registry?

The Active Directory extension allows for some administration of Computer and User objects.

Closing Thoughts…

As an administration tool, especially in the second line upwards support context, this is actually quite a useful tool in a modern environment.  In order to support slightly older Windows server releases, a few adjustments are needed on the server side to allow access, though the effort might be worth it.

Although aimed at a largely server management context, it may also be useful in some desktop contexts, particularly for diagnostic and investigation work.

Although Xtravirt are a primarily Virtualization focused business, by the very nature of what we do, we also have to use tooling and technology both within the virtual estate (such as Guest Operating Systems) as well as in the wider environment supporting the virtualization platform (such as Active Directory, DNS etc).  If you’re in the process of a virtualization effort and require guidance on integration into a wider estate, then Xtravirt may be able to help.

About the author

Curtis Brown joined the Xtravirt consulting team in October 2012. His specialist areas include End User Compute solutions and Virtual Infrastructure design and implementation with particular strengths in VDI, storage integration, backup and disaster recovery design/implementation. He was awarded VMware vExpert 2019.

About Xtravirt

By Curtis Brown

Introduction

As VMware Horizon® 7 has developed, we’re starting to see the product evolve from the existing Horizon Admin Console based on Flash to a new Horizon Console based on HTML5. It’s a steady evolution, in much the same light as VMware® vCenter HTML5 console evolved through releases of VMware vSphere® 6.5 and 6.7.

The 7.8 release of VMware Horizon is the most feature-rich to date and adds much in the way of configuration settings as well as provisioning.

A Quick Guided Tour

So how do we access this new console?  VMware have been particularly imaginative with the URL.  While the old console had the URL of HTTPS://(Connection Server)/admin, we now have HTTPS://(Connection Server)/newadmin for the new console. Which at least allows us to access both consoles.

At the logon page, we can enter our admin credentials.

Once logged in, we see the nice, clean HTML5 interface.

On the left a navigation pane; at the top, we have a dashboard view – this has a splash screen at the moment, so it appears to be more of a placeholder.

Users & Groups covers entitlements while the Inventory section covers the resources to be published, much in the same way as the old console.

JMP is new – this refers to the Just-In-Time Management Platform.  This will be covered in a future post, but it provides a means to integrate Horizon View, User Environment Manager and App Volumes for assigning and controlling resources.

The last section, Settings, is a new area in the Console.  It provides the direct replacement for the Settings in the old admin console, allowing the admin to configure Servers, Cloud Pod Architecture and other settings.

Notice in the vCenter Servers page, it still includes Composer.  Although there’s a push to move to Instant Clones, Composer based Linked Clones are still alive and well.

If we add a vCenter, we get presented with a cleaned up, but familiar wizard.

One significant difference is the non-appearance of the Security Server tab.  However, as is common in the later 7.x iterations admin console, it is possible to register Unified Access Gateway appliances.

Closing Thoughts

There are a few areas where it’s still a work in progress, some of which are a little odd.  While you can configure Cloud Pod Architecture, you can’t control the basic global settings or the Events database, let alone add a Horizon license key.  Remember though, it’s a work in progress and for day-to-day admin, it’s pretty good.

 About the author

Curtis Brown joined the Xtravirt consulting team in October 2012. His specialist areas include End User Compute solutions and Virtual Infrastructure design and implementation with particular strengths in VDI, storage integration, backup and disaster recovery design/implementation. He was awarded VMware vExpert 2019.

About Xtravirt

By Curtis Brown

 I like product names that ‘does what it says’ on the tin (or download…) – VMware Identity Manager is such a product, and then some.  VMware Identity Manager (vIDM) does just that – it manages the various facets of Identity. Now let’s consider what we use Identity for?  Typically, it’s the following:

For the purposes of authentication into a solution – who are you?

For the entitlement to resources – what you can do, based on who you are?

VMware Identity Manager provides this layer, providing a central point to answer these key questions as a part of VMware Workspace ONE.

In order to be able to answer the authentication ‘who are you?’ it typically leans on existing directory services (usually Active Directory) to generate its own synchronized directory listings and passes through requests for validation – i.e. a password or multi-factor token, to the appropriate solution.

For the entitlement to resources, VMware Identity Manager can present a wide range of resources on its own.  These include Cloud services, complete with Single-Sign-On integration, as well as VMware Horizon (either Cloud or On-Premises).  Using the Directory above, we can use the user’s credentials as part of the ‘what can you do?’ along with other policy elements such as location (by IP address) and device type.

Because VMware Identity Manager sits as a sort of gatehouse between the user and resources, it stands apart from a single environment.  This means that it’s entirely possible to integrate several disparate environments behind a single portal.  In this scenario, you might need to integrate several different directory services and authentication layers as well as grant entitlements to resources.

This article takes a high-level look into how you’d go about this.

vIDM Connectors

VMware Identity Manager follows the concept of a Connector; providing a service for integration into an estate, usually for Directory services, but also for plugging into authentication mechanisms such as RADIUS and Kerberos as well as providing a hook into resources such as VMware Horizon.

In order to add multiple directories, you’ll need to deploy multiple Connectors – at least one per domain (ideally a pair for resilience).  In an on-premises deployment, the vIDM appliance has a built-in Connector, though it’s probably wise to deploy separate, standalone Connectors.  These are available as either a Linux based appliance, or a Windows Server installable application (included as part of the VMware Workspace ONE Enterprise Systems Connector).

In either case, within vIDM, you need to log into the Admin console and go through “Identity & Access Management”, select Setup and the “Add Connector” button to generate an activation code.

Once you’ve done this, it’s a case of deploying the Connector, and logging onto its web interface (https://connectorFQDN:8443) and completing a wizard.  All you do here is drop in the Activation Code, the root certificate used for vIDM and set a local Admin password.  Simple!

In vIDM, you’ll see your new Connector – note the installed version conforms to what you’ve deployed (here, a Windows connector).

With this in place, we can set up a Directory synchronisation.

 Creating a Directory

With the connectors in place, you add each directory.  You’ll notice below I’ve already added the first Domain, Galaxy.local.  Let’s add another.

In the Add Directory wizard, it’s the same process as would be the case for adding the first – though using the new Connector.  Remember that you’ll also need to select attribute mappings and Organisational Units for Users and Groups.  Once you’re done, you’ll see multiple directories:

Authentication

When we add our directory, we should enable the Connector to provide authentication for this directory as well.

With this done, we have quite a bit of latitude with respect to authentication.  With a Connector in place, we can integrate with domain specific multi-factor authentication (MFA) solutions, then tie it all together with the use of policies to select what conditions dictate which authentication mechanism to use – for example, a User in Group X on an iPhone on IP address Y must use Password and RADIUS.

Assigning Applications

So now we can use both directories for assigning users/groups to applications.  For cloud-based applications, it’s possible to grant access to users from any domain.  The limiting factor here is, if the application is leveraging SSO – it might not be able to support multiple domains.

Adding Horizon

When you integrate VMware Horizon into Identity Manager, it too leverages the Connector, so if you have separate Horizon instances in each Domain, you can set each of these up.

It’s possible to configure the Client Access FQDN for each Horizon instance on each IP range, configured in vIDM, so you have further options.

Closing Thoughts…

So, what does this mean? VMware Identity Manager, either as part of a VMware Horizon deployment, or broader ranging as part of a Workspace ONE delivery really can be the one ring to rule them all.  It can provide a single access point for all users in a business, regardless of whether they are separated into different business units with their own Active Directory, and still present their applications.

A use case for this might be providing a single front end to unify resources following an acquisition – two separate environments fronted by a single interface as a starting point for a migration?  Maybe.

by Curtis Brown

VMware’s virtual desktop and application publishing portfolio has gotten increasingly complex of late, with a mix of cloud and on-premises offerings, and this is even before you consider the components that make up the supporting pieces, such as User Environment Manager, App Volumes and integration with Workspace ONE.

In this article I hope to provide you with a (little) clearer view as to which Horizon to look out onto (pun intended).

 The On-Prem option – Horizon 7

This is the ‘great original flavour’ of VMware’s desktop virtualization offering.  The customer provides the tin to host it all on, builds a VMware vSphere estate (with VMware vSphere for Desktops included in the suite) and then layers on the VMware Horizon components for delivery of either Virtual Desktops or Remote Application publishing.

It does have several pro’s and cons –

You have flexibility on the scale and architecture, including geographic locations.

Scaling from very small to incredibly large, through the ability to leverage Cloud Pod Architecture.

Proximity to on-premises services and corporate network users can be an advantage, particularly for client/server resources.

Scaling down is expensive as you own the tin it’s hosted on.

It can generate VDI desktops, RDS Desktops and applications, using a number of delivery methods (Linked, Instant and full clones) of whatever specification you’ll need.

Being the most developed product, in combination with being in a customer-owned environment, it has a greater range of integration points with third party products, for example, there are numerous application delivery tools available.

When On-Prem is also Cloudy – Horizon View on VMware Cloud on AWS

This next offering is also the newest.  VMware Cloud on Amazon Web Services (VMC on AWS) is an Infrastructure as a Service (IaaS) offering that allows a customer to purchase VMware vSphere environments on AWS. As an IaaS solution, the customer has more control over the estate than would be the case in most XaaS offerings, to the point that it is possible to deliver VMware Horizon View on the platform.

Functionally, this is the same as the on-premises Horizon View, right down to the point that you build your own servers for hosting the otherwise identical components, however, there are a small number of caveats.  The biggest one of these is that you can’t use Linked Clones for delivering desktops – only full or instant clones are supported.  Although given that Instant Clones are rapidly superseding Linked clones, this is not that much of a loss.

As this is a Cloud solution, there are still questions to answer with respect to connectivity to on-premises resources, though if application services are moved to AWS, this is less of an issue.

By leveraging multiple tenants and AWS connectivity, it is possible to scale outwards for geographical and resilience reasons.  It is even possible to run a Cloud Pod federation that includes both on-premises and VMware Cloud on AWS-hosted Horizon Pods.  It’s a little more elastic than an on-premises solution in that you can scale down the VMware Cloud on AWS tenant.

Going Full Cloud – Horizon Cloud

The next option is VMware’s true Desktop-as-a-Service (DaaS) offering, Horizon Cloud.  Currently, this is available in two flavours – Horizon Cloud on IBM Cloud and Horizon Cloud on Microsoft Azure.   Each of these have slightly different attributes that affect use cases, however as both use a common management backplane, they’re similar to administer.

The key thing that separates the Horizon Cloud flavour is that because it’s a DaaS offering, the buyer is literally just an administrator of desktops – all the broker components and (in the case of the IBM Cloud hosted) infrastructure is controlled and maintained by VMware.  If you require elasticity in scaling both up and down, this is the most dynamic offering as it is purchased in desktop capacity units as a subscription service.

Horizon Cloud on IBM Cloud

This is hosted on an IBM platform based on VMware vSphere technology.  This option is comparatively cheap and is intended to be the ‘all in one’ greenfield solution as the license includes the compute capacity as well as Horizon licensing.

It can provide full VDI desktops, or Remote Desktop Session Host (RDSH) based desktops and published applications.  For VDI, it can produce non-persistent desktops using Linked Clone technology. There are several Nvidia GPU offerings for graphic intensive desktops, but only for full VDI.

While this solution offers VMware App Volumes for application delivery to the desktops (no user assigned disks), it does not support the use of App Volumes with RDSH servers, unlike the Horizon View offerings.

As a DaaS offering, rather than IaaS, integration is limited – for example, little ability to leverage virtualisation-based app delivery tools outside App Volumes and no agentless anti-virus.

Horizon Cloud on Microsoft Azure

By leveraging the same broker technology and management portal as Horizon Cloud on IBM Hosted, it is now possible to deploy on your own Microsoft Azure tenant.  In this case, an appliance is used to automate the cloning process for deploying full clones in Azure – there is no Instant Clone capability here currently.

This is largely intended for those who want to do desktop virtualisation and already have Azure. It’s not particularly cheap as you must pay both VMware (for Horizon licensing) and Microsoft for the Azure VMs. While it has no App Volumes support at all, it does, however, have enhanced 3D graphics support through Microsoft Azure GPU-enabled infrastructure for RDS workloads.

Closing Thoughts

The choice is quite broad, but must be considered with care, leaning heavily on the use case.  The discovery process is more critical than ever and should be embarked upon before signing on the dotted line for a product to ensure that not only is the solution sized and designed correctly, but that the correct platform is selected in the first place.

The Horizon Cloud DaaS offerings are compelling, but they aren’t a panacea – you still need to design and administer the solution.  You’ve only eliminated the infrastructure support and moved your desktops further away from your users and their data.

Horizon View remains the most flexible product and, with the VMware Cloud on AWS support, even offers a cloud presence and better scaling options than previously.  An interesting option here is a hybrid approach of Horizon View on-premises, but federated with an AWS hosted tenant for DR.  The disadvantage is that you need to keep the platform running rather than throwing infrastructure issues over the fence to VMware and that infrastructure will be costly.

Ultimately, it’s a ‘choose your poison’ decision, which re-emphasises the point above – don’t rush in and buy first/design later – carry out a proper investigation into the options and decide based upon business requirements and use cases.

By Curtis Brown

VMware vSAN™ is VMware’s hyper-converged storage solution.  It has quite a few different methods of providing resilience for the data hosted in it, but these all require some careful consideration when designing the cluster.  In this blog I take a look at the configuration options and the design repercussions.

Storage Policy with respect to Resilience

All the approaches are ultimately defined by the VMware vSphere Storage Policy definitions. These policies are defined in VMware vCenter and are applied to objects (usually VMs, but can be individual disks, VM configuration files), subject to the compatibility with the underlying vSAN cluster.  However, there are limitations.

The most basic, default policy is RAID-1 configured with a Failures to Tolerate (FTT) of 1 – classic mirroring.  In vSAN, this means a complete mirror of the given object, creating two components. In addition, there’s a smaller Witness component.  This means we must have a minimum of three nodes in a cluster (though four would be recommended for maintenance and failover).  We can up the ante here by increasing FTT value, but while resilience improves there is an obvious impact on capacity.

We can also look at using Erasure Coding to give us RAID-5/6 protection.  This takes our object and breaks it out into components, with the data striped across them for resilience.  From a configuration perspective, all that separates them is that the FTT value of 1 means RAID-5, while FTT of 2 is RAID-6.  However, this does impact the number of components created.  In RAID-5, for any object, we have three components created with data striped with a parity bit across them.  So rather than the 200% footprint as with RAID-1, we only need 133% instead and get the same resilience, though at a performance cost. RAID-6 requires a fourth object and an extra parity bit, so the footprint is in between at 150%.  In either case, we still have a witness component too, so RAID-5 needs a minimum of 4 hosts (5 recommended) and RAID-6 needs 5 hosts (6 recommended).

Fault Domains

Of course, physically our clustered hosts are usually installed in one or more physical racks. Ideally, we’d spread the nodes across racks to mitigate the loss of a rack.  vSAN provides Fault Domain functionality to provide an awareness of these physical boundaries.

Consider a Fault Domain as a grouping of hosts within the cluster to represent a boundary of resilience to ensure that vSAN objects subject to a Storage Policy are deployed across the domains, so providing resilience to a loss of a domain (i.e. the loss of a rack) outage.

However, it’s not quite as easy as slinging your hosts into a pair of racks and setting up two zones. As stated above, even RAID-1 requires three hosts due to three objects.  This has a knock-on impact when defining Fault Domains too.  For RAID-1 based policies, the number of Fault Domains can be represented by the formula (2 x FTT)+1, while RAID 5/6 is (2 x FTT)+2. Therefore, RAID-1 at a minimum requires three domains while RAID-6 would require at least six domains (6 = (2 x 2)+2).

This obviously has limitations as to how useful the feature is when mapped to physical racks – Are you going to spread a small 6-node cluster across six racks to achieve six domains?  Or, perhaps across two racks and configure 6 zones, but you could lose three in the event of a rack failure so negating the effort of configuring Fault Domains in the first place.

We now see that the scale of the cluster and physical placement are important factors when deciding whether to use Fault Domains.

Stretch Clusters

This approach is designed to be used across different locations (latency permitting) and largely builds on the concept of Fault Domains.  Here, we have two defined Fault Domains (a Preferred and Secondary).  Alongside these, we also deploy a Witness appliance in a third location – this serves as a third Fault Domain.  We also break out the Failures to Tolerate into two values.

Primary Failures to Tolerate – Refers to Site level failure and can be a value of zero (no resilience, all data resides on either the Preferred or Secondary site) or 1, where the data is replicated between the two domains in the manner of RAID-1.

Secondary Failures to Tolerate – Analogous to FTT in a single site, this is the resilient behaviour within the single site and so can be configured as RAID-1 or RAID-5/6 with various FTT values.

The PFTT value effectively sits above the SFTT value, resulting in the following:

Logically speaking, for a given object, such as a VMDK, the Primary value essentially pushes a RAID-1 mirror across each site, with a Witness component in the appliance.  The Secondary element in concert with the RAID setting defines the policy within a site, here a straightforward RAID-1 mirror.

For the numbers of hosts, we therefore need to adhere to the needs of the local policy (be that RAID-1, 5 or 6) and double-up for the second site.

As this resides in a stretch vSphere cluster, we also need to build in some stickiness with respect to compute – so designing DRS and HA accordingly to match the preferred sites.

Closing Thoughts…

When embarking on a vSphere with vSAN design, one should consider not just the compute factors when deciding the number of hosts, but what level of storage protection will be required for the VMs.  In fact, by using the protection as a starting point (i.e. ‘We want RAID-6, so a minimum of five hosts is recommended’), the RAM and CPU can be defined above that – whether scaling upwards (five big hosts) or outwards (more, smaller hosts).  Even the physical rack design might be a determining factor – whether you can spread across racks or not.

If you’re about to embark on a VMware vSphere based hyper-converged solution, then Xtravirt can help. We have considerable experience in this area and can help with advisory, design and implementation services to create the right solution for your organisation. Contact us and we’d be happy to use our wealth of knowledge and experience to assist you.

 About the author

Curtis Brown is a Lead Consultant at Xtravirt.   His specialist areas include End User Compute solutions and Virtual Infrastructure design and implementation with particular strength in VDI, storage integration, backup and Disaster Recovery design/implementation. He was awarded VMware vExpert 2018 and is a graduate of the VMware Advanced Architecture Course 2018.

 About Xtravirt

By Curtis Brown

There are a considerable number of blog posts and articles that have looked at the individual components of the VMware® End User Compute stacks, so I thought I’d take a high-level look at some of what’s possible when we take the whole solution in its entirety.

The Moving Parts

In the early days of VMware’s End User Compute efforts, we were looking at a relatively simple stack of VMware vCenter, ESX and Virtual Desktop Manager (or, to you young folks, Horizon View 1.0 or 2.0 back in 2007/8).  These days, things are somewhat more powerful, offering a wider array of capabilities, but these capabilities also require more moving parts.

The diagram below shows the VMware components that could be deployed in a solution.  

 Now, let’s look a little deeper…

For Virtual Desktop delivery, we have the underlying infrastructure of VMware vSphere with vCenter and ESXi.  However, we can enhance this further in two ways. Firstly, we can leverage local storage by implementing VMware vSAN rather than rely on a SAN/NAS based solution. Secondly, we could deploy VMware NSX to provide enhanced security in the form of micro-segmentation of the network as well as anti-malware protection using Guest Introspection.

For publishing desktops, we have VMware Horizon View. The connection servers provide the brains, managing entitlements and provisioning of desktop and application pools. For secure access from untrusted or external networks, we deploy either Security Servers, or, more recently, Unified Access Gateway appliances to serve as a proxy into the solution.  VMware Horizon View Composer is used to manage and deploy non-persistent Linked Clone desktops.  Although this approach is in decline as Instant Clone technology replaces it.

We then need to consider the management and delivery of applications and user settings.  For the latter, we can integrate VMware User Environment Manager.  This can manage both environmental settings (including delivery of application shortcuts, drive mappings etc) as well as eliminating the issues related to Windows Roaming Profiles.  For application delivery, we can use App Volumes within the virtual estate or leverage the estate itself to publish Remote Desktop Session Host based remote applications.  ThinApp, although somewhat out of favour these days, remains an option for direct delivery to Windows Endpoints (via VMware Workspace ONE Identity Manager) or within Horizon View desktops.

When it comes to monitoring the estate, we can use VMware vRealize Operations Manager with the VMware Horizon Management Pack.  It’s possible to expand further still by leveraging more of the vRealize suite, notably VMware vRealize Log Insight for capturing logs from both the solution as well as the environment.

We then move out into two topics – The Endpoint and the User. These are somewhat integrated topics these days as they do overlap.  

VMware Workspace ONE comprises two key elements:  

Unified Endpoint Management can provide control, configuration and administration to endpoints, be they mobile devices or traditional desktops.  

Identity Manager provides the user authentication layer into the solution as a whole, while also providing a unified catalogue of applications and services, whether publish via VMware Horizon or whether through single sign-on to cloud services.  

Another offering that is often overlooked, but still a part of the VMware Horizon licensing (at the Advanced and Enterprise level) is VMware Mirage.  This can provide image level management of Windows based client desktop/laptops. FLEX leverages the Mirage infrastructure in conjunction with VMware Workstation and VMware Fusion to provide an offline VDI capability.

What parts are available is largely defined by what is purchased.  Some parts are included in the various VMware Horizon editions, while some, notably VMware vSAN, VMware NSX and VMware Horizon FLEX are separate products.  In the case of Workspace ONE, VMware Horizon Advanced and above includes just Workspace ONE Identity Manager Standard.  To get the full Workspace ONE suite requires purchase of Workspace ONE as a specific product.

VMware Horizon editions can be compared at:

https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/products/horizon/vmware-horizon-editions-compare-chart.pdf.

 The Art of the Possible

For the purposes of looking at what is possible, let us assume that an Alien Space Bat has deemed it fit to leave an unlimited budget for us to acquire all these tools.  Here’s a few ideas of what we could achieve:

By integrating the full VMware Workspace ONE with Horizon, we can fully manage security between a user, a managed endpoint and access to Virtual Desktops.  By managing the device using VMware Workspace ONE Unified Endpoint Management and establishing Compliance checking, we can define an Identity Manager policy that allows access only to users with valid credentials who are using compliant devices to the Workspace ONE catalogue. In turn, users can then access a VDI desktop from the relevant icon in Workspace ONE.

It is possible to provide a single portal to a geographically spread VMware Horizon VDI offering that will connect users seamlessly to the nearest desktop instance. Workspace ONE Identity Manager can provide location awareness based on client IP address.  By defining IP ranges, and relating these to the public DNS name for the local Horizon site, Workspace ONE will direct users to the nearest VMware Horizon site for optimum performance.  This leverages VMware Horizon Cloud Pod Architecture to present a common entitlement across all instances.

App Volumes, User Environment Manager and NSX Distributed Firewall Rules can be tied to Active Directory groups.  We can therefore deploy an application in an App Volumes App Stack, with a standard configuration provided by UEM and permit traffic from the application to a specific server all tied to a single Active Directory Group.

And these are but a few options.  When you consider that a number of these offerings are now available in a cloud-based form, the options broaden still.  Workspace ONE components both offer cloud and on-premises variants, while VMware Horizon now includes not only the on-premises offering, but also the ability to deploy on top of VMware Cloud on AWS or the full Desktop-as-a-Service offering of Horizon Cloud.

 Closing Thoughts…

As a range of products that can be built in an array of different configurations, it is possible to design and deploy solutions that fit a broad variety of use cases, from simple to very specific.

If you are looking to deploy a new Digital Workspace solution or wish to enhance or upgrade what you currently have, then Xtravirt can help. We have a long track record of successful digital workspace projects and can provide advisory, design and implementation services to create the right solution for your organisation. Contact us and we’d be happy to use our wealth of knowledge and experience to assist you.  

 About the author

Curtis Brown is a Lead Consultant at Xtravirt.   His specialist areas include End User Compute solutions and Virtual Infrastructure design and implementation with particular strength in VDI, storage integration, backup and Disaster Recovery design/implementation. He was awarded VMware vExpert 2018 and is a graduate of the VMware Advanced Architecture Course 2018.

 About Xtravirt

By Simon Eady

Big IT failures and problems always seem to make the news and it often takes a big ‘real world’ problem for people to realise the importance that IT has within almost every sector.

And while not all is revealed to the public eye as to how or why such IT failures occur – nor may they really care as long as their service continues to work – it is safe to say that no company wants to be the one that incurs an IT failure or problem, as this can directly affect the way they’re perceived by staff, existing and prospective customers.

So, the question is, how can they mitigate and protect against it from happening?

Well, this isn’t just about having the right IT infrastructure in place – although of course that helps - but it is about monitoring that IT infrastructure. Often, businesses may neglect monitoring their infrastructure due to budget constraints or lack of interest, but it can very quickly become a priority when a serious issue occurs.

Without careful monitoring of IT infrastructure, downtime and critical issues can become increasingly more likely causing serious impact to the business. Being pro-active and making sure you have a monitoring system in place can help you be better prepared and maximise the efficiency of your IT infrastructure.

Key reasons for monitoring

There are a number of benefits for organisations from monitoring IT infrastructure beyond just detecting issues.

Troubleshooting

By monitoring IT infrastructure, potential issues can be identified and detected before they become critical and result in downtime. A good monitoring system can enable you to detect and resolve issues before any users get affected.

Reporting

A monitoring system gives you complete visibility of your IT infrastructure so can help provide useful metrics and analytics. Regular reporting can help you gain insights into a number of areas such as identifying trends, usage levels, network/system availability.

Efficiency

With issue detection and troubleshooting taking less time with a monitoring system, IT resources can be freed up to focus on core infrastructure and IT services and service delivery.

 vROps as a monitoring tool

When it comes to monitoring there are a number of tools and solutions available, in my experience working in this area, I’m finding that many organisations are opting for VMware vRealize® Operations™ Manager (vROps) as their preferred monitoring tool for the entire estate, whether it be Virtual or Physical.

vROps is VMware’s operations management and monitoring product that enables organisations to consolidate multiple tools as they strive to achieve that holy grail of getting a single source of truth that covers the whole estate.

Built with resilience in mind, coming with built-in features such as High Availability to help protect against an analytics cluster node failure, vROps also offers tremendous extensibility by way of management packs via VMware, Blue Medora vROps integration, or the vendor of the product that you want to monitor.

What’s more, VMware (and Blue Medora integration packs) also allow users to hook in their hybrid cloud estate, so whether you have applications or workloads in Azure or AWS, you can centrally monitor and alert effectively.

vROps provides a whole host of benefits to organisations as a comprehensive solution for IT infrastructure monitoring, including:

Automation – vROps can not only alert but also remediate, either manually via prompts or automatically, both using hook ins to vCenter and vRO

Customisation – whether it be dashboards or reports, customers can tailor vROps to suit their specific needs

Capacity planning – with the projects feature you can present or change scenarios to vROps and it will give you instant feedback on the impact it would have risk-based alerts - vROps can forewarn people of a potential issue with regards to disk growth, or usage of CPU/RAM/LAN

Effective and concise alerting – using the ability to filter out all the background noise and understand what is really going on in the estate

Scalability – vROps can monitor a vast number of objects

Workload placement – ensuring your workloads are accurately and effectively placed maximising your ROI on your hardware and ensuring your end users are getting the resources they need.

In addition to all the business benefits, vROps also has a strong user community that can offer tips, tricks and guidance to get the most out of vROps.

 Final thoughts

The bottom line is, businesses want to quickly know where there is an issue and what caused it, but perhaps more importantly, where an issue may be initiating so that it can be stopped before it becomes serious. Monitoring IT infrastructure and vROps can help businesses achieve this, or at the very least give a firm handle on what is happening and why, so issues, problems and failures can be addressed quickly and efficiently.

If you want to know more about how you can maximise the efficiency of your IT infrastructure and monitoring solutions, then Xtravirt can help. We provide advisory, design and implementation services to create the right solution for your organisation. Contact us and we’d be happy to use our wealth of knowledge and experience to assist you.  

About the Author

Simon Eady joined the Xtravirt consulting team in October 2014. He has wide ranging IT experience including Virtual Infrastructure design and implementation, while currently specialising in vRealize Operations and vRealize Automation. He was awarded VMware vExpert 2018, is a leader of the South West UK VMUG Group and is a graduate of the VMware Advanced Architecture Course 2018.

About Xtravirt

Xtravirt are an experienced consulting firm dedicated to delivering outcomes to help customers solve their IT challenges. We design and build strategies to help customers unlock the full potential of cloud, datacentre and workspace technology.

We are the VMware Global and EMEA Professional Services partner of the year.

By Curtis Brown

Introduction

VMware PowerCLI has been in existence for quite some time and over the last 2 years it has been moving at quite a rapid pace.  It has traditionally been used to provide PowerShell based command and control functionality within VMware vSphere environments, with particular focus on the ability to create scripted functions for automation purposes.  Used in conjunction with automation and orchestration tooling, a great many bespoke capabilities are available.

During 2018, there has been a release around every 2 months, the current release, version 11 was released in October and provides support for the following:

vSphere 6.7U1

VMware Horizon 7.6

NSX-T 2.3

VMware Cloud on AWS

Being based on PowerShell, it is also compatible with third party modules, such as those administering Active Directory, to provide an integrated solution across a wide range of products.

In this blog, I look at PowerCLI’s ability to support VMware Horizon.

 Installing VMware PowerCLI

 Installing PowerCLI was once a case of downloading an installer from the VMware Portal and installing the components.  However, PowerCLI is now published from the PowerShell Gallery on the internet (https://www.powershellgallery.com/packages/VMware.PowerCLI/11.0.0.10380590) permitting installation on a connected PC straight from the PowerShell interface, simply by running:

Install-Module -Name VMware.PowerCLI

You might get something like this (accept the default):

Then it’ll install…

To allow execution of local scripts:

Set-ExecutionPolicy RemoteSigned

Then, run the following to confirm it’s all installed successfully.

Once installed, it’s worth configuring the Customer Experience Program participation by Enabling or Disabling this (It stops nag messages).

Set-PowerCLIConfiguration -Scope User -ParticipateInCEIP $true $false

After that, the basic PowerCLI is ready to go.

 What can we do for Horizon?

 ‘Out of the box’, PowerCLI only provides  the ability to connect or disconnect to the Connection Server, so providing a conduit for accessing the Horizon APIs.  To connect to Horizon Connection Server:

Connect-HVServer -Server connectionserverFQDN -user adminuser@domain -Password XXXX

However, VMware maintain example scripts at https://github.com/vmware/PowerCLI-Example-Scripts that can be used as a basis for automation of Horizon and the other supported components.  

By downloading the scripts as a ZIP file, it is possible to install them.  First, check $env:PSModulePath to locate the modules directory paths (usually, there’s the user specific path, plus system ones)

For Horizon, we extract VMware.hv.helper from the ZIP and drop this into C:\Program Files\WindowsPowerShell\Modules.

In PowerShell, we then unblock the newly exported folder by running

dir ‘C:\Program Files\WindowsPowerShell\Modules\VMware.Hv.Helper\’ | Unblock-File

With this in place, we can now use a whole raft of useful PowerShell commands (they can be listed by using Get-Command -Module 'VMware.Hv.Helper'). These can be used for automation of tasks and generating reports.

For example, Get-HVPoolSummary will list configured pools, including their type, assignment type and status:

And we can see how many VMs are available:

Get-HVHealth shows a basic status:

By leveraging the ‘New‘ and ‘Remove’ commands, it is possible to provision and destroy new Pools (desktops and applications), entitlements, RDS Farms and Cloud Pod objects such as Sites and Entitlements.  For Example, setting up Shared Desktop pool ‘Teachers 1’:

Closing Thoughts

What we have here is a set of powerful tools that are not just capable of managing the VMware vSphere infrastructure, but can also expand into the realm of delivering desktop pools – all from scripting and automation.  For example, it would be possible to create a script that would leverage PowerShell to create an Active Directory Group and populate it, then create a desktop pool and grant the members of the group access to it.  Further, this could be used in concert with vRealize Automation and Orchestration to provide a portal for self service requests for generating desktop pools and services.

Given that the current release supports VMware Cloud on AWS as well as VMware Horizon, this offers the tantalizing prospect of being able to programmatically manage a federated on-prem and AWS hosted Horizon Cloud Pod Architecture.  The sky is the limit!

If you’re planning to deploy a Virtual Desktop solution, we can help. Xtravirt provide design and implementation services to create the right solution for your organisation. Contact us and we’d be happy to use our wealth of knowledge and experience to assist you.  

 About the Author

Curtis Brown joined the Xtravirt consulting team in October 2012. His specialist areas include End User Compute solutions and Virtual Infrastructure design and implementation with particular strength in VDI, storage integration, backup and Disaster Recovery design/implementation. He was awarded VMware vExpert 2018 and is a graduate of the VMware Advanced Architecture Course 2018.

 About Xtravirt

Xtravirt are an experienced consulting firm dedicated to delivering outcomes to help customers solve their IT challenges. We design and build strategies to help customers unlock the full potential of cloud, datacentre and workspace technology.

We are the VMware Global and EMEA Professional Services partner of the year.

By Stuart Robinson & Jainie Morar

At a time when applications are moving to the cloud and workers are increasingly mobile, organisations are finding that their traditional perimeter defence techniques like VPNs and firewalls simply don’t give them the security they need.  If finding a new approach to network security is on your IT agenda, then you’ve probably heard ‘Software Defined Perimeter (SDP)’ being thrown around a fair bit.  If you are wondering what is SDP and what all the fuss is about, then please read on.

What is SDP?  

Identified by Gartner as a top technology for security in 2017, Software Defined Perimeter (SDP) is an architecture and protocol guide, the original 1.0 specification was released in 2014 and its goal was to highlight the benefits of an ‘authenticate first’ and ‘connect later’ approach to connecting users to their data. Originally developed for IT infrastructure in the defence sector it was developed on the premise that connections are restricted on a need to know basis, it wasn’t just out of bounds to people without permission, it wasn’t visible to them, this is where the term ‘Black Cloud’ came in. It is now spreading wider into enterprise use where it promises to help mitigate a broad set of security vulnerabilities that affect IT infrastructure protected by more conventional perimeter security.

Currently the accepted method to connect to environments is with TCP/IP via Virtual Private Networks (VPN) or Network Access Controls (NAC), the issue here essentially being that these rely on a connect and authenticate method. A malicious data packet getting as far as authentication is already at your gates and from here may be able to innumerate your assets, if someone were to get within your walls with malicious intent they may be able to move laterally around your system and uncover all manner of goodies that you thought were off limits.

SDP works on a zero-trust model, which means that before someone can even approach the data layer they have to go through the Gateway, this will assess who you are via a Single Packet Authorisation (SPA) and will also go through a number of other parameters such as the device being used, location, time of day and number of other checks. It will then look at the policy laid out by your organisation and define the perimeter of what you have access to.  Once in, you are strictly restricted to the perimeter your policy has set you, no ifs, no buts, no peeking over the wall, that is all you can see. As a default SDP trusts no-one and admits users on a case by case basis.

Why do I need it?  

In short, IT has moved on and is continuing to move at quite a pace. Twenty years ago, apps sat on servers in one room and access control was set by a simple firewall existing between IP addresses and servers and now we are in the age of cloud computing and virtualisation

If you’re reading this, then it probably has not escaped your notice that malware attacks and data leaks are on the news frequently and this could be attributed to the fact that organisations aren’t keeping their infrastructure security up to date with their infrastructure or their working model. More people are working from home, on flexible hours, on varying devices from all over the world and this creates a plethora of problems.  

The rise of cloud has also created a problem for the world of security, your information is now distributed in a variety of places, apps are located in globally distributed public clouds, hosted on 3rd party platforms, as well as on corporate and co-located datacentres.  It’s no longer nestled in the warm cosy safety of your building. Users are also now no longer based at a single premise and are mobile and distributed.  Here lies the problem, people coming in from everywhere trying to get to information hosted all over the place, it’s hard to build a wall around everything (and we know, Trump’s tried). Effectively the traditional perimeter has blurred – SDP re-establishes the perimeter and puts it back with the user. It overcomes the constraints of traditional tools by creating an individual perimeter for each user.  

Traditional perimeter-based approach to network security has failed to adequately protect organisations and a new approach is needed. SDP is user centric and based around a set of policies laid out by the owner, implemented and looked after by the IT team. No more adjusting firewall permissions because Ben from accounting is on location and working from home more often, the gateway sees where he’s coming from and adjusts the perimeter accordingly, no more access to the competitor account data while he’s sat in Evil Corps headquarters.  

OK, so it’s safer?

So, that’s the measure of it – SDP redefines the perimeter and associates it back with the user to create a zero-trust security model, but it can also allow you to manage resources more effectively. Due to its policy-based approach the requirement to adjust firewalls and user permissions is reduced so saving time now and is scalable for future savings. With everything going through the single point of access, you can change everything at once at the network layer and make policies a lot more granular to cover a vast array of scenarios.  

Because SDP is about creating dynamic and secure network segments between a source and destination systems, it provides a better security solution for how today’s IT works. The source can be any type of device in any location and the destination can be any type of application or service in any location accommodation for mobility, BYOD and cloud computing.

Most impressively, because all traffic is encrypted, and all the policies are applied top to bottom, you can easily transition to an IaaS cloud environment and keep the same level of security on and off premises. All of this and it offers you reporting to save your IT team even more time.  

Where did it come from and what’s next?

Let’s not beat around the bush, this is not new. Google have had an internal means of having employees connect securely from untrusted networks without the use of a VPN for years, called BeyondCorp it has essentially achieved many of the goals set out by the CSA’s SDP specification. Before them a collective called the Jericho Forum out lined the problem of de-perimeterisation in 2003 and set the goals to; define the problem, define the solution, work on fully utilising the cloud via collaborative methods securely and write the Identity, Entitlement and Access Management Commandments. They also debated ‘smart data’ before the forum was declared a success and disbanded in 2013, so Software Defined Perimeter already had a solid base to stand on and has been proven in both a defence and corporate environment courtesy of Google.  

The future then is looking good for SDP, as the method is adopted more widely, and more companies are creating SDP solutions the offering can only get stronger. These zero trust network concepts are adopted by many security or network gear vendors such as VMware NSX, Cisco ACI and Cyxteras AppGate to name but a few. There are also several opensource SDP products out there such as SDP Waverly Labs, so it’s very much out there for you to get your hands on.  

The advantages to a company with workloads on-premises and in the cloud seem endless, for ease of the user, ease of the IT admin and deterring Cyber Criminals. If security is a major part of your IT plans in the coming years, then an SDP solution could well be the answer.

If IT security is on your organisation’s agenda, then we can help. We help businesses transition from the world of securing devices and zones to protecting entire agile cloud infrastructures and ecosystems, tackling breaches before they occur, and providing practical steps for safeguarding your people and organisation from cybercrime. If you want to find out more, visit https://www.xtravirt.com/cybersecurity/ or click here to contact us.

Related services

Network Virtualisation Planning workshop

Secure infrastructure services and solutions  

About Xtravirt

Xtravirt are an experienced consulting firm dedicated to delivering outcomes to help customers solve their IT challenges. We design and build strategies to help customers unlock the full potential of cloud, datacentre and workspace technology.

We are the VMware Global and EMEA Professional Services partner of the year.

By Curtis Brown

The somewhat anticipated release of VMware vSphere 6.7 Update 1 is now with us.  So, the burning question now is “Can I upgrade?”.  The answer is not quite as simple as a yes or no as this is always a mine field, particularly where interoperability is concerned.  My intention with this article is to save you some of the leg work with respect to investigating product interoperability.

However please note, this article doesn’t dig into hardware compatibility, or compatibility with third party products, simply because of the vast array of possible scenarios.

  Compatibility with Horizon View 7

The most common starting point is VMware Horizon 7 itself.   By checking the VMware product Interoperability Matrix, we can see that the minimum release of VMware Horizon that is validated with VMware vSphere 6.7 Update 1 is the latest release, 7.6.

VMware Horizon 7.6 - COMPATIBLE

VMware App Volumes

VMware App Volumes 2.14 and the more recent patch release are both listed as a valid configuration.  This would also be the recommended release for use with VMware Horizon 7.6, although it has quite a generous level of backward compatibility.

One observation of note is that the poorly adopted cul-de-sac release 3.0 product has not been validated against 6.7, but as this was explicitly incompatible with 6.5, so this is not particularly surprising.

VMware App Volumes 2.14.2 - COMPATIBLE

VMware vRealize Operations for Horizon

With respect to VMware vRealize Operations support in general, release 6.6.1 or later is required.  This is driven by vSphere rather than Horizon which can work with older vROps releases.

For a VMware Horizon environment running on VMware vSphere 6.7 Update 1, the VMware vRealize Operations for Horizon plugin needs to be on 6.6.0 to support VMware Horizon 7.6 to retain compatibility through to VMware vSphere.

However, care should be taken with the compatibility between the Horizon plugin and vRealize Operations itself.  As the Horizon component only supports Horizon 7.6 directly on release 6.6.0 of the plugin, the interoperability matrix dictates that VMware vRealize Operations should be running on release 6.7.

VMware vRealize Operations Manager 6.7 - COMPATIBLE VMware vRealize Operations for Horizon 6.6 - COMPATIBLE

Of course, for features, guest operating system compatibility, the latest version is recommended.

VMware User Environment Manager 9.5 - COMPATIBLE

VMware NSX for vSphere

Although not every VMware Horizon deployment uses VMware NSX, it’s included to flag a possible concern. With respect to straight VMware vSphere interoperability, VMware NSX for vSphere 6.4.2 and 6.4.3 both support for vSphere 6.7 Update 1.  However, the supported Horizon release (7.6) has yet to be validated with NSX 6.4.2 or 6.4.3.  This is  unlikely to cause an issue, and validation is likely to be only a matter of time, though it may be enough to cause a pause for thought.

VMware NSX for vSphere 6.4.3 - SUBJECT TO CONFIRMATION BY VMware REGARDING HORIZON 7.6

Upgrading Desktop Templates

With respect to upgrading templates, the back-end components should be upgraded prior to the agents within the image.  As such, upgrading this rather depends on how many change windows are being used to upgrade the above components.  In all cases, VMware have limited support for backward compatibility for agents, so there is flexibility here.  The VM templates have the following components/dependencies:

VMware App Volumes Agent – used for registering the VM and the logged in user to App Volumes manager.

VMware UEM Agent – used for managing the user persona via UEM.

VMware vRealize Operations for Horizon Agent – although a version is integrated as part of the VMware Horizon Agent, for full functionality in line with the release of vRealize Operations for Horizon, the dedicated agent is recommended.

VMware Horizon Agent – this is used to provide components for managing deployment, assignment and the remote desktop protocol to the desktop.  It is recommended that this is installed after VMware Tools has been upgraded.

VMware Tools – required for interaction with vSphere, as well as providing optimised device drivers for the guest OS.

The VM virtual hardware version – this is defined by the VMware ESXi release. Upgrading should only be carried out once VMware Tools are upgraded but can be beneficial for performance reasons.

Where hardware GPUs are deployed, there are further considerations.  For example, if the templates are deployed using a vDGA (Dedicated Graphics) or Nvidia vGPU configuration, further investigation into supported Nvidia drivers should be carried out.

 What to upgrade first?

Where to start upgrading will be driven from your starting point, so it’s well worth looking at compatibility of the release that you’re starting at with the relevant components.

Upgrading VMware vRealize Operations and the Horizon plugin is likely to be the best starting point as this supports all the monitored components backwards for a number of releases. In addition, it is the least disruptive activity for users.

After this, updating App Volumes Managers would be the next step.

Upgrading VMware Horizon follows the order it has always followed – VMware Composer, followed by Connection Servers and Security Servers.  The recommendation, however, would be to take the time to retire any Security Servers and replace them with VMware Unified Access Gateway appliances instead.

Where deployed, VMware NSX would be next on the list..

After this, the vCenter upgrade followed by the VMware ESXi hosts should take place.  In the case of the latter, as mentioned previously, pay close attention where hardware GPUs are deployed as this may need upgraded drivers and software in-line with the vSphere release.  If vSAN is deployed, this would take place as the closing step of upgrading all the ESXi hosts in the cluster, ensuring that there is enough space to carry out such an upgrade.

With respect to the desktop templates, upgrading of components can be staged, but the supporting services must be in place first.

Closing Thoughts

Although there are a fair few items to consider, so long as the components are upgraded with consideration to each other and in the proper order, it’s possible to uplift the entire stack to support VMware vSphere 6.7 Update 1.  The only caveat is the lack of interoperability testing  between releases of VMware Horizon 7.6 and NSX 6.4, though it should be remembered that there is no direct connection between the two products and VMware have yet to actually publish test results for this combination.

 If you are looking to get the best from VMware infrastructure and understand your upgrade and compatibility options, please contact us, and we’d be happy to use our wealth of knowledge and experience to assist you.

 About the Author

Curtis Brown joined the Xtravirt consulting team in October 2012. His specialist areas include End User Compute solutions and Virtual Infrastructure design and implementation with particular strength in VDI, storage integration, backup and Disaster Recovery design/implementation. He was awarded VMware vExpert 2018 and is a graduate of the VMware Advanced Architecture Course 2018.

 About Xtravirt

Xtravirt are an experienced consulting firm dedicated to delivering outcomes to help customers solve their IT challenges. We design and build strategies to help customers unlock the full potential of cloud, datacentre and workspace technology.

We are the VMware Global and EMEA Professional Services partner of the year.

By Curtis Brown

Introduction

As a highly respected, award winning VMware partner, Xtravirt has had the opportunity to send consultants on VMware’s Advanced Architecture Course at their headquarters in Palo Alto.  The first two consultants attended earlier this year, and I got my opportunity in September 2018.

This article (a somewhat non-technical one) describes the purpose of the course and my experience attending it.

What is the Advanced Architecture Course?

VMware have always been a technology company.  As the product portfolio has grown outwards far beyond the original hypervisor product, VMware have realised that while the technology is perfectly good, what is more important is the purpose to which the technology is applied.

Often, solutions get purchased (or for that matter, sold) based purely on the technology and its capabilities.  This rather misses the more important point of ‘what benefit will this solution be to the business and why should we use it?’  As such, in the worst cases, such acquisitions can end up as ‘shelf-ware’ – acquired, tested but ultimately deemed of little value and not used.  This is harmful to the customer and, significantly, harmful to how VMware is perceived by the customer.

The Advanced Architecture Course is a product of VMware’s desire to change the emphasis to being business needs driven.  The course aims to take experienced consultants and architects and provide them with a business needs oriented approach to discovering requirements and proposing solutions to meet those requirements.  A key part of this involves educating consultants on how to present to C level executives – all of which is quite a departure from the comfort zone for technically focused consultants.

My Adventures in Palo Alto

I’ll gloss over the journey out there (which was quite an adventure in itself – avoiding Hurricane Florence, almost missing a connection and losing a suitcase…) and focus on the course itself.

The course was a nine-day affair and to pass the course as a whole, we had to accrue a score of greater than 70% on all the objectives.  This included points for the pre-course online study (on matters ranging from ITIL and TOGAF through to VMware Workspace ONE), points for passing the end of day tests on content and the final presentation – which I’ll describe later.

It all started early on a sunny California Monday morning (at 7am!).  The first day focussed on VMware’s model for developing a business’ journey from basic virtualisation through to hybrid cloud and microservices as well as their model describing application of Digital Workspace technologies to business.  The approach consciously avoids specific products – so, for example, for Digital workspace, it describes the journey from traditional identity management through multi-factor authentication to single-sign-on.

Day 2 focused on the importance of requirements gathering, but broadening from just the traditional technical viewpoint outwards to business requirements – ‘we need to increase business revenue by… ’.  The importance of adapting the operating processes as well as IT were emphasised on Day 3.  A key message was that technology is only a part of the solution, without adapting to accommodate new abilities, those new abilities will still be hog-tied by legacy approaches to new needs.

We then had a particularly interesting day being taught presentation techniques, covering presenting to large audiences, conflict resolution and useful tips and tricks.

From here on out, the focus was on new technology, but with a business as a driver slant.  It’s not possible to replay much of the course content here for non-disclosure reasons, though, again, the idea was to broaden the knowledge of consultants.  As such, the breadth of technical areas covered was vast.  It included Cloud and DevOps, through network virtualisation and End User Compute to emerging solutions such as serverless computing, app containerization and Kubernetes.

The final day, although the briefest was the most challenging.  At the beginning of the course, the attendees were broken down into groups and given a case study.  From this, the groups had to work out a requirements matrix and put together a 20-minute final presentation (plus 10 minutes of questions) covering requirements, conceptual and logical design for a global solution encompassing both Software Defined Data Centre and End User Compute technologies.  This led to many long days putting in additional hours throughout the two weeks as well as some weekend work.  The presentation was to be given to a panel consisting of senior VMware staff (senior vice presidents and the likes) serving as the C-level execs of this fictional corporation.  This contributed most of the points on the course – so a pass here was important.

Fortunately, I was surrounded by thirty-seven of the smartest consultants and architects from all four corners of the world.  It was a real pleasure to work with these guys and I have to say that, despite the difficulty of the course, I wasn’t too surprised that we all passed.

Closing Thoughts

It was without doubt a tough course, intended to take the attendees out of their comfort zone to both broaden skills while also attempting to equip them for dealing with a bigger picture than just technology.  For me, it certainly has taught me a great deal, disproving the line “you can’t teach an old dog new tricks”.

Certainly, I consider myself fortunate to be working in a company that provides the opportunity to attend courses such as this.  It’s an investment for the company, of course, but one that ultimately benefits the customer.

(The day trip up to San Francisco was rather nice too, I can recommend the calamari and chips at Pier 39…).

About the Author

Curtis Brown joined the Xtravirt consulting team in October 2012. His specialist areas include End User Compute solutions and Virtual Infrastructure design and implementation with particular strength in VDI, storage integration, backup and Disaster Recovery design/implementation. He was awarded VMware vExpert 2018 and is a graduate of the VMware Advanced Architecture Course 2018.

About Xtravirt

Xtravirt are an experienced consulting firm dedicated to delivering outcomes to help customers solve their IT challenges. We design and build strategies to help customers unlock the full potential of cloud, datacentre and workspace technology.

We are the VMware Global and EMEA Professional Services partner of the year.

By Curtis Brown

As an efficient and secure platform, VMware vSphere® provides a powerful and flexible foundation for business that accelerates the transformation to hybrid cloud. With vSphere you can support new workloads and use cases while keeping pace with the growing needs and complexity of the SDDC infrastructure.

One of the announcements that coincided with this years VMworld 2018 event in Las Vegas was VMware vSphere 6.7 Update 1 and a new variant of VMware vSphere – Platinum Edition. In this blog I look at the main highlights of this new release and the related new edition.

  Platinum Edition

Platinum Edition sits above VMware vSphere Enterprise Plus, inheriting its feature set but adds the following:

VMware AppDefense VMware AppDefense is an integrated component in Platinum Edition. It provides a powerful, yet interesting approach to security.  Rather than taking the approach of actively monitoring for expected threat vectors (such as monitoring TCP/UDP ports, looking for malware etc), AppDefense uses machine learning to establish knowledge of the ‘known good’ state of a VM – it is aware of what traffic comes from, or travels to, the VM and so picks up how the VM behaves in normal operation.

If the VM strays from this normal operation, AppDefense raises the alarm. Taking this approach is more resource efficient than active solutions seeking known vectors, while also providing greater coverage for new attack vectors by watching for changes in behaviour from ‘known good’ rather than trying to look for ‘known bad’.

Credits for VMWare Cloud on AWS For those purchasing 5 vCPUs or more, VMware will include $10,000 worth of AWS credits as part of a promotion once Platinum Edition is released as General Availability.

  vSphere 6.7 Update 1

In parallel to the release of Platinum edition, VMware vSphere reaches 6.7 Update 1.  This builds upon the previous 6.7 release by adding the following:

VM Encryption meeting US Government FIPS 140-2 Validation requirements as well as encryption of cross-vCenter vMotion traffic.

Support for Trusted Platform Module (TPM) 2.0:

At the hardware level, providing security for the ESXi installation itself.

At the VM level as a virtual TPM to allow features such as Microsoft Virtualization Based Security to be enabled fully.

Improvements in Security Access Logging for audit purposes.

Fully featured HTML5 vSphere Client covering all vSphere capabilities.

Enhanced Content Library

  Closing Thoughts

VMware vSphere, by VMware’s own admission, is now a mature product, however, it continues to evolve providing enhancements to manageability, performance and security. It probably doesn’t get the attention it deserves, but as the underpinning of most of VMware’s solutions, vSphere is as important as ever to VMware.

In light of the imminent end of support for VMware vSphere 5.5, the release of 6.7 Update 1 emphasises the importance of maintaining currency with the latest release, not merely for shiny new features, but to maintain and enhance security in an ever-dangerous world.

Xtravirt is a leading cloud and virtualisation consultancy and VMware specialist with the ultimate combination of deep experience and agility to design and deliver IT transformations. We are also the VMware Global Professional Services Partner of the Year.

If you need assistance in getting the best from VMware vSphere, please contact us, and we’d be happy to use our wealth of knowledge and experience to assist you.

  Useful links

Under the Hood - VMware vSphere Platinum Edition

Under the Hood – vSphere 6.7 update 1

Xtravirt Upgrade Service for VMware vSphere

Virtualisation health check service for VMware vSphere

  About the Author

By Michal Grzeszczak, Senior Consultant, Xtravirt

 As a Senior Consultant at Xtravirt, I recently spent time with a customer, a major European airline, to plan and oversee the deployment of VMware NSX®.

In the aviation industry, a data breach could have catastrophic repercussions.  Concerned about data security, the customer chose VMware NSX for its security capabilities.  This is because NSX allows for micro-segmentation, a practice through which workloads are individually cordoned off to prevent any East-West movement in the event of a breach.  In contrast to most IT networks, where one firewall protects the entire perimeter, a breach in a micro-segmented network can only impact a small subset of data.

With the objective to increase environment security and control East-West traffic, the project was managed in five key phases:

 Phase 1 – Discovery and Planning

Xtravirt kicked off the project with a 2-day planning workshop with key technical staff and subject matter experts.  In this phase we confirm and capture the full scope of requirements and ensure we fully understand the current environment.  This process reveals any prerequisites, potential roadblocks and validates the use case.

In this instance, the customer has two data centres, one vCenter Server (version 6.5) and uses vRealize Network Insight (vRNI) to monitor their environment.

During the initial discovery phase, it became apparent that vRealize Network Insight (vRNI) could be used to better understand East-West traffic and to map the customer’s applications to the security policy that could be provided by NSX Distributed Firewall (NSX DFW).

Both solutions, vRNI and NSX DFW, are quite unique in the market and help solve many typical problems associated with securing workloads in modern data centres. In this instance, they helped to:

- gain a better understanding of the flows of the applications, how they communicate with the outside world as well as within the application itself

- secure East-West traffic and avoid reliance on the perimeter firewall to segment those workloads.

 Phase 2 – Installation and configuration of vRNI

The installation and configuration of vRNI onto the customer’s environment involved adding the “Data Sources” to the vRNI, where the data (flows) would be collected. There are many data sources supported by vRNI, including for example - vCenter, NSX-V, NSX-T, as well as third party devices like Cisco, AWS and Arista.   A list of supported solutions can be found here: https://docs.vmware.com/en/VMware-vRealize-Network-Insight/3.6/com.vmware.vrni.install.doc/GUID-4BA21C7A-18FD-4411-BFAC-CADEF0050D76.html

After adding the necessary sources, vRNI collected all the flows for a 30-day monitoring period.  Other VMware solutions such as Application Rule Manager, allow for a maximum of 7-days monitoring and provide a great option for small applications. However, vRNI’s 30-day monitoring period is especially useful when applications in the environment are particularly active during specific times, like a payroll application.

 Phase 3 – Defining workloads

The next step was to define which workloads were part of which application.  In this particular case, we had 4 main requirements:

- micro-segmentation of Application “A” which consisted of 3 tiers. Each tier needed to talk to other tiers only on needed ports, thus securing flows within the application.

- micro-segmentation of Application “B” which consisted of 3 sub-applications.  The goal here was to secure traffic between sub-applications and not within each sub-application.

- mapping of the shared services (active directory, monitoring etc.) that are necessary for the applications to function properly.

- mapping of the users that need access to those applications.

As the users and shared services communicate with all applications in the environment, we started with the first two requirements.

It is very easy to create a logical application in vRNI. You simply add workloads to the tiers that make each application. In the case of Application “A”, the action was to create three tiers, each with corresponding workloads. In the case of application “B”, even when dealing with multiple applications, the process was the same as the requirement was to secure Inter-Application flows. We simply added workloads from each sub-application to the corresponding Tier in vRNI.

 Phase 4 – Security planning

The next step was to go to the “Plan Security” section of vRNI and select our new logical application. That presented us with a “pizza” view of the tiers of the application, in both application cases. We then selected each tier of the pizza/application and extracted incoming and outgoing flows to a .csv file. This part of the application mapping can be done directly in vRNI.  However, due to the complexity of the applications, we needed to view these flows in an Excel sheet.

The most time-consuming part of the implementation at this point had been to map flows from vRNI to the design document section for security rules / security groups / IPSets in NSX DFW. Use of filtering options in Excel and colour coding the types of traffic allowed us to have a clear visual representation of the flows in the environment. We divided the flows into Shared Services, Inter-Application communication between applications that we were mapping, Intra-Application communication between workloads that we were mapping as well as user access.

 Phase 5 – Application Mapping

Establishing communication between mapped applications and unmapped applications is the final stage. Under the scope of the engagement our role was to map 2 out of 70 applications. Our role as consultants was to ensure knowledge transfer and develop a repeatable process so the customer could complete their own application mapping.

Once the whole environment is mapped, then Security Groups / IPSets in DFW can be created for all applications.  Specific rules will be put in place to cover necessary flows between applications.

During the process of application mapping we were able to get necessary information about Shared Services and Users. The former was mapped into a separate NSX DFW section on top of all the other sections to be checked by DFW first (rules in NSX DFW are checked top to bottom). These sections will need to be constantly updated as more applications will be mapped and will require additional ports to be open to communicate with Shared Services. The latter was divided into floors, buildings and countries with corresponding IPSets to provide more controlled access. Those IPSets were added to two Security Groups - “Super Users” and “General Users” and were added to each application’s section to allow for management traffic.

 Conclusion

By scoping out the project with the customer from the offset and having a clear and concise goal in place we were able to decide on the right tools for the job and move forward with minimal stumbling blocks. vRNI gave us a clearer picture of the road ahead and defined the East – West traffic that needed to be segmented and controlled to ensure that any potential data breaches could be stopped fast and with minimal leakage.

vRNI and NSX DFW created the perfect combination for a creating a market leading security solution and better still working to a planned and repeatable process made the whole operation smooth from beginning to end.

 Find out more

If you would like to learn more about how Xtravirt can help you improve the security of your IT environment, contact us and we’d be happy to use our wealth of knowledge and experience to assist you.

Xtravirt (www.xtravirt.com) are the VMware Global Services Partner of the Year and have achieved the VMware Master Services Competency for Network Virtualization – a testament to our expertise in delivering NSX environments.  

 About the author

By Curtis Brown

Introduction

This little post is a ‘how to guide’ for enabling encryption on VMware vSAN.  To do this, we’ll need a few ingredients:

A VMware vSphere 6.5 cluster with VMware vSAN enabled

A Key Management Server Solution (KMS)

The Key Management Server (not to be mistaken for Microsoft’s license key solution) provides encryption keys for vSAN encryption.  This should be a robust solution (ideally, multiple nodes) as without this, vSAN becomes inaccessible!  Also, a tip – don’t put your KMS solution in the vSAN you’re about to encrypt, that would be a really bad idea!

In the case of the estate stood up for this blog post, HyTrust KeyControl 4.1 was deployed.  It’s an easy to use product that does exactly what’s required.

Registering the KMS in VMware vSphere

VMware vCenter supports the KMIP standard (VMware have certified a number of products) for connected KMS servers.  In the case of our HyTrust KeyControl appliance, we have to enable the KMIP server service and set the protocol to version 1.1.

We also need to set up a service User account on here.  It’s important not to set a password for this account.  We’re using certificates to authenticate and setting a password prevents vSphere from using the account with the HyTrust solution.  We download the SSL certificate for the user (this is a ZIP file containing the CA certificate and user certificate as PEM files).

Logged on as an administrator in the VMware vCenter Web Client, we open up the configuration of the vCenter server and add our KMS:

We enter a name for the cluster and the details for the first node (we can add other nodes under this cluster later).  The port is 5696 for most solutions.  

We then have to trust the certificate for the Server:

At this point, we have the configuration, but it’s yet to establish a trusted connection.  We need to establish the trust using the menu option below:

There are a few ways of achieving this (see the screenshot below), but we’ll be uploading the certificates snagged earlier:

In our case, we upload the User PEM twice:

And, voila, we’re ready to go forth and enable vSAN encryption

Enabling VMware vSAN Encryption

Here’s the easy bit.  We’ll assume that you already have vSAN up and running and will be enabling vSAN encryption.  If this is a pre-existing cluster, remember to leave room in the cluster to accommodate the emptying and reformatting of a host.  This operation will temporarily remove a host from the cluster as the disk formatting is changed.

We open the Cluster Configuration and select vSAN>General.

Edit the settings to enable Encryption.  We can erase the disks before use if we wish, but the key item is selecting the KMS server and clicking OK.  Allowing reduced redundancy reduces the number of VM data moves while the process to encrypt is under way.

At this point the cluster will reconfigure, enabling de-duplication.  This can take a little while so be patient. And that’s it done.

Closing Thoughts

This is a relatively simple feature to enable, providing a measure of data security for little effort.

If you’re considering developing a VMware vSAN based estate and need assistance, please contact Xtravirt, and we’d be happy to use our wealth of knowledge and experience to assist you.

About the Author

By Curtis Brown

Introduction

In the wonderful world of VMware based virtualisation, there has been a concerted effort in recent years to not just virtualise the compute side of matters but expand out into networking (with VMware NSX) and the provisioning of storage (VMware vSAN). This all results in a single VMware Hyper-converged infrastructure offering.

An important factor within this is security.  VMware vSphere itself has considerable security with its small footprint, hardened hypervisor and the move towards a hardened Linux based appliance as the preferred option for the VMware vCenter management server.  VMware NSX can be argued to be a security product in and off itself – providing not only edge firewalling capabilities but per-VM based firewalling with the Distributed Firewall and support for agentless malware protection solutions with the Guest Introspection framework.

But what of VM storage? SAN solutions can offer security measures, subject to the SAN vendor, but how does this apply in a VMware vSAN environment?

There are two options available:

VM Encryption

VMware vSAN Encryption

Each has some pros and cons – so let’s take a look.

 VM Encryption

 Fundamentally, this is the encryption of virtual machines themselves.  There are third party (and, for that matter, in-guest) encryption offerings, but we’ll focus on the built-in VM encryption capability that was released in VMware vSphere 6.5.

It’s pretty straightforward to set up, requiring only two things – the deployment of an encryption Key Management Server (compatible ones are listed here and in the Interoperability guide) and a VMware vSphere Storage Policy.  After that, apply the policy to a given VM and – hey Presto!

So, what’s the catch? The encryption works on all IO operations for the VM itself at the top level – as it’s written to the Virtual Disk. This means that all IO operations in transit are encrypted as well as at rest on the physical disk.

From a security standpoint, this is very secure, and as it’s on a per-VM basis, it’s granular – you don’t need to encrypt everything (though you could argue that this is a management overhead).  However, the downside in a vSAN environment is that the encryption occurs before de-duplication, so no space saving is possible.

There are further caveats with VM encryption to be aware of:

The VM Snapshot ‘Capture the virtual machine memory’ function is not compatible.

vSphere Fault Tolerance does not work with VM encryption.

Suspending (and resuming) encrypted VMs is not supported.

In addition, not all vSphere integrated backup solutions can support VM level encryption.

 vSAN Encryption

 VMware vSAN Encryption uses the same Key Management Server, but this time the VMware vSAN storage is itself encrypted.  It’s applied at the cluster level, so anything stored in the vSAN cluster is encrypted – no management overhead as such, but no granularity.

All data travel is in an unencrypted state – it is encrypted when the data hits the caching tier, decrypted when it is de-staged from the cache for de-duplication and writing to the data tier.  This means that data-deduplication can be applied in combination with encryption, however the down-side is that encryption is therefore limited to data at rest (i.e. written to disk) as opposed to end-to-end as would be the case for VM encryption.

As encryption is at the storage tier, it is essentially invisible to VM operations – so vSphere operations such as Fault Tolerance and snapshots are fully supported and most vSAN aware backup solutions aren’t impacted.

 Comparing the options

 To compare these two options:

Closing Thoughts

 Both mechanisms have their use cases.  VM encryption is the more secure when you consider that it is capable of full end-to-end encryption.  It also benefits from being able to support traditional SAN datastores as well as vSAN. However, some VMware vSphere functionality is impaired when compared to vSAN and there is more of a management overhead.  In a modern all-flash estate, IO drops caused by encryption are negligible in both cases, so performance should not be a concern.

VM Encryption is worth considering, though it does add a layer of complexity to an estate. If the deployment of a robust KMS (Key Management Server) solution is a must, then there is configuration of the solution itself.

 If you’re considering implementing or upgrading a VMware vSphere environment and data security is a concern, please contact Xtravirt, and we’d be happy to use our wealth of knowledge and experience to assist you.

 About the Author

By Jon Shelton

It may not be new news to many people, but Citrix XenApp 6.5 went to End of Life (EOL) status on 30th June 2018.

Many businesses may still be running this version (first released in 2011) as it is considered to be a pretty stable version, but also because it was the last release to use the old IMA (Independent Management Architecture).

With the release of XenDesktop v7.x, XenApp began to use the FMA (Flexcast Management Architecture) and with it came a number of technical and terminology changes including, Sites instead of Farms, Delivery Controllers instead of Data Collectors, the introduction of Machine Catalogs and Delivery Groups and the removal of Local Host Cache (LHC).

Citrix have also, this year, renamed their entire product portfolio, including XenApp and XenDesktop which is now renamed ‘Citrix Virtual Apps and Desktops’ (further details here)

The first version to use this new naming was ‘Citrix Virtual Apps and Desktops 7 1808’, released in August

 So what does EOL mean?

EOL in Citrix terms, means that this is the date after which security related hotfixes, technical support and product downloads will no longer be available. Click here to find out more about the milestones for Citrix products.

 New Product Release Schedule

Citrix have also recently gone to a new product release schedule, where a new version of Virtual Apps and Desktops with new features is released every quarter.

Keeping up with this release schedule is a pretty daunting prospect for many organisations. To allow for this, Citrix have introduced the Long-Term Service Release (LTSR) (currently v7.15), the idea being that this release will be supported for 5 years. Cumulative Updates will be released (with fixes only) roughly every 4-6 months.

The alternative, for organisations that are happy to upgrade their environment more frequently, is the Current Release (CR). This is a more rapid release cycle (3-9 months) and each new CR will contain new features and bug fixes, but fixes are less likely to be released between versions. In order to remain in support on a CR, you will need to upgrade to the latest version.

Both LTSR and CR require a current Customer Success Services contract. 

So what are my options?

To remain supported, organisations need to have spun up projects to migrate to a newer version before the June deadline. XenApp 6.5 will continue to work and run beyond this date but as there will be no further support and product downloads, doing nothing is a risky option. Generally, organisations have 3 main options to remain supported as outlined below:

Option 1:

Upgrade on premise/cloud hosted Citrix infrastructure

XenApp/XenDesktop 7.x uses the FMA architecture, this diagram shows the core components of a Citrix site

XenApp 6.5 can be upgraded to Virtual Apps and Desktops 7.x by installing the core components such as the delivery controllers and then using PowerShell cmdlets to migrate the data into the new site. After upgrading the sites users will have access to the many new features which have been introduced between v6.5 and v7.15, including:

Individual session host mode worker servers can be upgraded using the 7.x installer, however many organisations may prefer to take the opportunity to build new servers for the purpose on a newer OS (bear in mind that XenDesktop 7.15 requires at least Windows 2008 R2 SP1).

Enhanced graphics integration

Adaptive transport (faster remote access from anywhere)

Improved printing experience (advanced stapling, paper source selection and load balancing capabilities)

HTML5 video redirection (client side rendering of internal HTML5 web content)

Logon duration improvements (insightful analytics of user logon process and timing details)

Workspace Environment Management (intelligent resource management & profile technology)

App layering (robust layering technology based on Unidesk acquisition)

 Option 2:      

Migrate to Citrix Cloud

Citrix Cloud is a compelling solution for a lot of organisations because it takes a lot of the management overhead away from running a Citrix environment.

Citrix Cloud comprises many different aspects, but the Virtual Apps and Desktops Service component takes core components like delivery controller, database, licensing and management components into the cloud. These components are managed by Citrix and updated regularly.

The customer managed components are the Citrix VDA’s and (optionally) Netscaler and Storefront.

The customer resource locations can be at multiple on-premise locations, private or public cloud. Each resource location will require at least one cloud connector machine, which is the communication channel between Citrix Cloud and resources in the resource location. The cloud connector is installed from the Citrix Cloud console and managed and updated by Citrix.

 Option 3:      

Virtual Apps Essentials

Another option for Azure customers is Virtual Apps Essentials. Virtual Apps Essentials, however, does have a few limitations including:Available on Azure only (cannot be linked to on-premise, private cloud)

This architecture can be deployed from the Azure Store and the server image used can be a standard Citrix image (this is the quickest deployment method). Alternatively, your own server image can be uploaded if, for example, you want to customise it in advance by loading applications, changing settings etc. Published applications can then be deployed and configured using the in-built applications collections.

Available on Azure only (cannot be linked to on-premise, private cloud)

Can deliver applications but not desktops

Lacks the proactive notifications and alerting of Citrix Cloud

Includes Netscaler Gateway for secure remote access but cannot be linked to a customer managed Netscaler

Overall, there is no getting away from it, Citrix XenApp 6.5 has gone end of life and if you haven’t accounted for this you need to be assessing your options now and working towards implementing upgrades or moving to an updated cloud infrastructure.

 Xtravirt is a leading Citrix solutions advisor and integrator, accredited across the entire Citrix portfolio, and have successfully transformed numerous organisations. If you are looking to get more out of your existing Citrix solution or are considering a move to Citrix Cloud infrastructure, contact us and we’d be happy to use our wealth of knowledge and experience to assist you.

To find out more visit https://xtravirt.com/citrix

Useful links:

Packaged service: Cloud Readiness Assessment for Citrix

Packaged service: Citrix CloudConnect for Microsoft Azure

Case study: Citrix Netscaler solution ensures maximum performance for law enforcement agency 

About the author

Jon Shelton joined the Xtravirt consulting team in February 2018. He has delivered a wide range of projects involving specification, design and implementation of Microsoft, Citrix and VMWare solutions. His specialist areas include End User Computing and Microsoft Server Technology design and implementation with a particular strength in Citrix. He is a Citrix CCE-V, MCSE and VCP.

  About Xtravirt