Setup vShield Zones 1.0U1 (for vSphere 4)

March 9th, 2012

vShield Zones has two components: vShield Manager (centralised management of the agents) and the vShield agents (the security component that inspects traffic flow on a vSwitch and provides firewall protection).

Deploy vShield Manager by obtaining the OVF from the VMware Appliance Marketplace and deploying it in vCenter. Follow the prompts to deploy the appliance.

Once deployed, create a new port group on the vSwitch that the vShield Manager was deployed to and call it ‘vsmgmt’ (this name is recognised by all vShield agents).

Edit the settings of the deployed vShield Manager virtual machine and select its Network Adapter 1, change the port group to vsmgmt.

Power on the virtual machine and open the console.

At the login prompt, log in as admin with the password default (change this default password once setup is complete).

At the manager> prompt, type ‘enable’

At the manager# prompt, type ‘setup’

Follow the prompts to enter network details (IP, Subnet, Default Gateway, DNS) and save the configuration.

Open a web browser and go to https://<fqdn | ip>

Login with the same account as above

You land on the vCenter tab. Enter the IP address or name of the vCenter to connect to, plus login details.

Click Register under vSphere Plug-in, accept the certificate if prompted. The plug-in will now be registered in vCenter.

Once registered, look for the vShield tab under each host in vCenter.

Once the vShield Manager is set up, prepare the vShield agent: deploy the vShield agent OVF and convert the resulting virtual machine to a template. This template is then deployed once per vSwitch requiring vShield protection.

To deploy a vShield agent, login to vShield Manager and go to the Install vShield tab. Configure the install parameters – select the template to clone (the vShield agent), IP addressing and the vSwitch to protect. Click Install to deploy the vShield agent.

Finally, if HA is enabled in the cluster, override the cluster settings for the vShield agent so that its VM restart priority is Disabled and its host isolation response is Leave Powered On: the agent is tied to the vSwitch it protects and must never be restarted on another host or vMotioned. Similarly, if DRS is enabled, set the agent virtual machine's automation level to Disabled.
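The per-VM HA and DRS overrides above, done with PowerCLI instead of the cluster settings dialog. This is an added example, not code from the original post or from VMware; it assumes PowerCLI is loaded, the vCenter name is a placeholder, and the agent VMs were given names beginning with "vShield" (adjust the pattern to match your template clones).

```powershell
# Added example (PowerCLI; not from the original post). Pins every vShield
# agent VM to the host whose vSwitch it protects by overriding the cluster
# HA and DRS defaults per VM. Placeholders: the vCenter name and the
# 'vShield*' naming pattern.
Connect-VIServer -Server vcenter.example.local | Out-Null

$agents = Get-VM -Name 'vShield*'
if (-not $agents) { throw "No VMs matched 'vShield*'; check the agent naming" }

$override = @{
    HARestartPriority   = 'Disabled'   # HA never restarts the agent on another host
    HAIsolationResponse = 'DoNothing'  # shown in the vSphere Client as "Leave powered on"
    DrsAutomationLevel  = 'Disabled'   # DRS never recommends or performs a vMotion
    Confirm             = $false
}
foreach ($vm in $agents) {
    Set-VM -VM $vm @override | Out-Null
}

# Verify the overrides took effect; every agent should show Disabled / DoNothing / Disabled.
Get-VM -Name 'vShield*' |
    Select-Object Name, VMHost, HARestartPriority, HAIsolationResponse, DrsAutomationLevel |
    Format-Table -AutoSize
```

Re-run the verification after any cluster-wide HA or DRS change; a per-VM override survives those, but a freshly deployed agent (new template clone) starts with the cluster defaults and needs the override applied again.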


vSphere Management Assistant (vMA) Cheat Sheet

March 8th, 2012

Get the OVA from the VMware Appliance Marketplace, deploy it and follow the steps. Power on the virtual machine and open its console. On first boot it will go through the initial network configuration; follow the steps. On to the cheat sheet…

Configure hostname (needs root, so sudo; the change is not persistent on its own):

sudo hostname <new_hostname>

Reset the vi-admin password:

passwd

Add vMA to Active Directory domain:

sudo domainjoin-cli join <domain> <user>

Check the vMA domain status:

sudo domainjoin-cli query

Remove vMA from an Active Directory domain:

sudo domainjoin-cli leave

Enable the vi-user:

sudo passwd vi-user

Add target vCenter to vMA (adauth uses the caller's AD login; the default fastpass policy instead stores credentials for the target on the vMA itself, so restrict access to the appliance):

vifp addserver <vcenter_fqdn | ip> --authpolicy adauth --username <domain\user>

Add target ESX(i) host to vMA:

vifp addserver <host_fqdn | ip>

List target servers on vMA:

vifp listservers --long

Reconfigure a target:

vifp reconfigure <fqdn | ip>

Remove a server:

vifp removeserver <server>

Set a target server:

vifptarget --set <server>

Run command via vCenter example:

vicfg-nics -l --vihost <esx_host>

Run command direct on ESX(i) host:

vicfg-nics -l

Disconnect from a target:

vifptarget --clear

Shutdown vMA (needs root):

sudo halt

Enable syslog server for all targets:

vilogger enable

Enable syslog server for a target:

vilogger enable --server <fqdn | ip>

Enable syslog server with max file size 10 MB (the value is in megabytes):

vilogger enable --maxfilesize 10

List names of logs collected:

vilogger list --server <fqdn | ip>

List logging status for all target servers:

vilogger list

Disable syslog server for all targets:

vilogger disable --force


netsh – Set Multiple DNS Servers

October 5th, 2011

To set a single DNS server using netsh at the Windows command prompt, do the following:

netsh> interface ip
netsh interface ip>set dns "Local Area Connection" static addr=10.0.0.1

The first command changes to the interface ip context. The second command sets a single DNS server, replacing whatever list was there. That’s fine when you have one server, but most networks have alternate addresses as well. To add those, use this:

netsh interface ip>add dns "Local Area Connection" addr=10.0.0.2

You can also put index=X at the end of the add command to place the server at that position in the ordered list (index=1 is the primary).

Finally, to get DNS servers via DHCP instead of static, do this:

netsh interface ip>set dns "Local Area Connection" dhcp

The same syntax as above can be used for WINS servers as well, just replace dns with wins.

For Windows 7, the commands are basically the same but some syntax has changed: replace dns with dnsservers and wins with winsservers. The context has also changed; when you switch to the interface ip context it will be labelled netsh interface ipv4. Do a “set/add dnsservers ?” for command help.
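The whole procedure (replace the list, append the alternates in order, or revert to DHCP) as one script that picks the pre-Vista or the Windows 7 netsh syntax described above, and also covers the WINS variant. This is an added example, not code from the original post; the interface name and addresses are placeholders, and the validate=no argument (Windows Vista and later only) is an addition not mentioned in the post.

```powershell
# Added example (not from the original post): set an ordered list of DNS or WINS
# servers on one interface with netsh. Interface name and addresses are
# placeholders. Run from an elevated prompt.
param(
    [string]   $Interface = 'Local Area Connection',
    [string[]] $Servers   = @('10.0.0.1', '10.0.0.2', '10.0.0.3'),
    [ValidateSet('dns', 'wins')]
    [string]   $Kind      = 'dns',
    [switch]   $Dhcp      # revert to DHCP-supplied servers instead of setting a static list
)

# Windows XP / 2003: "interface ip" with the keywords dns / wins.
# Windows Vista and later: "interface ipv4" with dnsservers / winsservers.
$modern  = [Environment]::OSVersion.Version.Major -ge 6
$context = if ($modern) { 'ipv4' } else { 'ip' }
$keyword = if ($modern) { "${Kind}servers" } else { $Kind }

function Invoke-Netsh([string[]]$NetshArgs) {
    # PowerShell quotes arguments containing spaces (the interface name) for us.
    & netsh interface $context $NetshArgs
    if ($LASTEXITCODE -ne 0) {
        throw "netsh interface $context $NetshArgs failed (exit code $LASTEXITCODE)"
    }
}

if ($Dhcp) {
    Invoke-Netsh @('set', $keyword, $Interface, 'dhcp')
} else {
    # "set ... static <first>" replaces the whole list with one entry; each
    # "add ... index=N" then appends at an explicit position so the order is
    # preserved. validate=no (Vista+ DNS only) skips netsh's reachability probe,
    # which otherwise rejects a server that is not answering yet.
    $extra = if ($modern -and $Kind -eq 'dns') { @('validate=no') } else { @() }

    Invoke-Netsh (@('set', $keyword, $Interface, 'static', $Servers[0]) + $extra)
    for ($i = 1; $i -lt $Servers.Count; $i++) {
        Invoke-Netsh (@('add', $keyword, $Interface, $Servers[$i], "index=$($i + 1)") + $extra)
    }
}

# Show the resulting list so the order can be checked.
Invoke-Netsh @('show', $keyword, $Interface)
```

Run it as `.\Set-NetshServers.ps1 -Interface 'Local Area Connection' -Servers 10.0.0.1,10.0.0.2` (file name is arbitrary), or with `-Kind wins` for WINS servers, or `-Dhcp` to hand the list back to DHCP. Because set replaces the list and add appends, running the script twice is safe: the second run does not leave duplicate entries.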


Windows 8 Developer Preview – Virtual Machine Install

September 20th, 2011

Since Windows 8 Developer Preview / Pre-Beta is now available, thought I’d give it a test running as a virtual machine in VMware Workstation.

Initially tried the 32-bit version of Windows 8 under VMware Workstation 7.0.1 but it failed to start with a HAL_INITIALIZATION_FAILED error, with the fancy new sad face BSOD.

Tried multiple different CPU, Memory and HDD configurations but would always end up with the same result. So, to be sure it wasn’t going to run in Workstation 7, I downloaded the latest build version 7.1.4 and gave that a try. Same result.

As is documented in numerous places online, the Windows 8 Developer Preview will work in VMware Workstation 8 and in the latest build of VirtualBox (v4.1.2). It is not supported in most older virtualization software including Virtual PC. If you’re just intending to run up a Windows 8 virtual machine for testing purposes, VirtualBox is probably the way to go. You can run VMware Workstation as a trial for 30 days but you will then need to purchase whereas VirtualBox is freely available under the GNU GPL v2.

As for Windows 8 on VMware ESX or ESXi (any version), subscribe to this KB for updates: http://kb.vmware.com/kb/2006859 Note: although there are Windows 8 options in the Guest Operating System drop-down in vSphere / ESXi 5 (though only when editing the VM, not when creating it), VMware is not currently supporting Windows 8 in that environment. I ended up getting the same HAL_INITIALIZATION_FAILED sad face BSOD as above in Workstation when trying to get Windows 8 to start under ESXi 5.


Getting Windows 7 BitLocker To Backup Recovery Info To Active Directory In A Windows Server 2003 Domain

June 1st, 2011

Long title but pretty much explains it all. Thread about this here [social.technet.microsoft.com]

So you’ve got Windows 7 clients and a Windows Server 2003 domain. All the domain preparation has been completed (schema extensions for Vista, etc.) and all your Group Policy settings are in place to require a machine to back up its recovery keys / recovery passwords to Active Directory before enabling BitLocker, but it isn’t working.

First, try forcing the backup by hand. <numerical_id> is the GUID of the Numerical Password (recovery password) key protector, as listed by manage-bde -protectors -get c::

manage-bde -protectors -adbackup c: -id <numerical_id>

I was getting a group policy permission denied error which matched the situation in this thread [social.technet.microsoft.com]

I initially tried setting the necessary GPO options via local policy, see here [blogs.technet.com]: it refers to Group Policy, but use local policy (gpedit.msc) on the target Windows 7 machine. This will work. However, because the domain controllers are Windows Server 2003, the Windows 7 group policy options (the Fixed Data Drive, Operating System Drive, etc. options) are not available in the domain GPO, even when editing it from a Windows 7 machine with RSAT installed. They only exist in the ADMX templates, which Windows 2003 can’t read. So, you need to set them as Extra Registry Settings instead (in practice via a custom .adm template or a registry-based policy).

Also, it turns out that the backup to AD registry settings that get applied have changed from Windows Vista to Windows 7 (because Windows 7 extends upon BitLocker beyond what Vista offered). In Vista the policy created keys called:

  • ActiveDirectoryBackup, REG_DWORD (1)
  • ActiveDirectoryInfoToStore, REG_DWORD (1)
  • RequireActiveDirectoryBackup, REG_DWORD (1)

Windows 7 does not recognise these, as the settings are now defined per drive type. So, create the following in your GPO Extra Registry Settings (this is for enabling FVE on an OS drive; the fixed-data and removable-drive equivalents use the FDV and RDV prefixes in place of OS):

  • OSActiveDirectoryBackup, REG_DWORD (1)
  • OSActiveDirectoryInfoToStore, REG_DWORD (1)
  • OSRequireActiveDirectoryBackup, REG_DWORD (1)

These registry settings should be created in HKLM\SOFTWARE\Policies\Microsoft\FVE

Remove the local settings (if you chose to test that way) and, once Group Policy is updated, the correct settings will be applied and AD backup of BitLocker recovery info will work. Note that backup of recovery info is only ever attempted once, during the BitLocker enable process. It can be retried with the manage-bde command shown above, though.
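The two pieces of the fix as a script: writing the Windows 7 per-drive-type FVE values to the local policy hive for a test machine (the same names and values the post has you put in the GPO), then retrying the AD backup for every recovery-password protector on C: via the BitLocker WMI class, which is what manage-bde -protectors -adbackup does underneath. This is an added example, not code from the original post or from Microsoft; it assumes an elevated PowerShell session on a domain-joined Windows 7 machine where C: is already BitLocker-protected.

```powershell
# Added example (not from the original post). Run elevated on a domain-joined
# Windows 7 machine whose C: drive already has BitLocker enabled.

# 1) The OS-drive policy values from the post, written locally for testing.
#    In production these come from the GPO; remove these when the GPO is fixed.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }
foreach ($name in 'OSActiveDirectoryBackup', 'OSActiveDirectoryInfoToStore', 'OSRequireActiveDirectoryBackup') {
    New-ItemProperty -Path $fve -Name $name -PropertyType DWord -Value 1 -Force | Out-Null
}
Get-ItemProperty -Path $fve | Format-List OS*

# 2) Retry the AD backup. Win32_EncryptableVolume is the API behind manage-bde.
$ns  = 'root\CIMV2\Security\MicrosoftVolumeEncryption'
$vol = Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume -Filter "DriveLetter='C:'"
if (-not $vol) { throw 'No BitLocker volume object for C:; is BitLocker enabled?' }

# Key protector type 3 = Numerical Password, the 48-digit recovery password that
# AD stores as an ms-FVE-RecoveryInformation object under the computer account.
$protectors = $vol.GetKeyProtectors(3)
if ($protectors.ReturnValue -ne 0) {
    throw ('GetKeyProtectors failed: 0x{0:X8}' -f $protectors.ReturnValue)
}
if (-not $protectors.VolumeKeyProtectorID) {
    throw 'C: has no recovery password protector; add one with: manage-bde -protectors -add C: -RecoveryPassword'
}

foreach ($id in $protectors.VolumeKeyProtectorID) {
    # Same operation as: manage-bde -protectors -adbackup C: -id $id
    $rc = $vol.BackupRecoveryInformationToActiveDirectory($id).ReturnValue
    if ($rc -eq 0) {
        "Backed up recovery information for protector $id"
    } else {
        Write-Warning ('Backup of {0} failed: 0x{1:X8} (check the FVE policy values, the schema extension and the computer account permissions)' -f $id, $rc)
    }
}
```

A non-zero return code with the policy values in place usually points back at the domain side (missing schema extension or the computer account lacking rights to create the child object), which is where the thread linked above ends up as well.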
