For vSphere-based environments, vShield solutions provide capabilities to secure the edge of the vDC, protect virtual applications from network-based threats, and streamline antivirus protection for VMware View deployments by offloading AV processing to dedicated security VMs. These new product offerings can start securing infrastructure almost immediately since all the underlying compute resources are already present in the vSphere environment.
These same solutions in the traditional security model would have taken months to authorize and provision in the physical data center. vShield Edge provides network-edge security and gateway services to isolate the virtual machines in a port group. Common deployments of vShield Edge include protecting access to a company’s Extranet. vShield Edge can also be used in a multi-tenant cloud environment where the vShield Edge provides perimeter security for each tenant’s virtual datacenters (or VDC).
vShield Edge secures the edge of a virtual datacenter with firewalling, VPN, NAT, DHCP, and Web load-balancing capabilities that enable rapid, secure scaling of cloud infrastructures. Along with network isolation, these edge services create logical security perimeters around virtual datacenters and enable secure multi-tenancy. New features in vShield Edge include the ability to set up static routing, instead of requiring NAT for connections to the outside, as well as certificate-based VPN.
vShield App helps you overcome the challenges of securing the interior of your virtual datacenter. vShield App is software-based and is deployed as a virtual appliance. As a result, vShield App is better than physically securing the virtual datacenter because it is a lot less expensive than buying a number of physical firewalls and segmenting them into different security zones. Also, with vShield App, you can create virtual firewalls with unlimited port density. vShield App provides complete visibility and control of inter-virtual machine traffic in logical security zones that you create. vShield App provides hypervisor-level introspection into the inter-VM traffic. vShield App enables multiple trust zones in the same ESX/ESXi cluster. vShield App also allows you to create intuitive, business-language policies, using the vCenter Server inventory for convenience.
Thursday, July 21. 2011
What's New in VMware vShield 5
Wednesday, July 20. 2011
vSphere 5 Video - EFI the Extensible Firmware Interface
UEFI virtual BIOS. Virtual machines running on ESXi 5.0 can boot from and use the Unified Extensible Firmware Interface (UEFI). When you create a new virtual machine on an ESXi 5.0 host, you have the option to choose virtual machine version 8. This new version brings a lot of extra (scalability) features, but there’s one other interesting new feature. The Extensible Firmware Interface can be selected to replace the BIOS of a virtual machine. EFI is the successor of the traditional BIOS, which has been used since the introduction of the IBM PC back in 1981. If you want to host Apple Mac OS X 10.6 in a virtual machine, you need EFI. In this video I’ll show you how to get access to the EFI interface. I’ll also show you how you can get access to the pre-OS command line environment.
When you select a guest operating system, BIOS or Extensible Firmware Interface (EFI) is selected by default, depending on which firmware the operating system uses. Mac OS X Server guest operating systems support only EFI. If the operating system supports both BIOS and EFI, you can change the default before you install the guest operating system. Use the Virtual Machine Properties dialog box at the end of the creation process or after the virtual machine is created. The Firmware selection pane is on the Options tab under Advanced > Boot Options.
vSphere 5.0 also supports booting ESXi hosts from the Unified Extensible Firmware Interface (UEFI). With UEFI you can boot systems from hard drives, CD-ROM drives, or USB media. Booting over the network requires the legacy BIOS firmware and is not available with UEFI.
Sunday, July 17. 2011
vSphere 5 What's New - High Availability (HA)
VMware HA clusters enable a collection of ESXi hosts to work together so that, as a group, they provide higher levels of availability for virtual machines than each ESXi host could provide individually. When you plan the creation and usage of a new VMware HA cluster, the options you select affect the way that cluster responds to failures of hosts or virtual machines.
Before creating a VMware HA cluster, you should be aware of how VMware HA identifies host failures and isolation and responds to these situations. You also should know how admission control works so that you can choose the policy that best fits your failover needs. After a cluster has been established, you can customize its behavior with advanced attributes and optimize its performance by following recommended best practices.
When you create a VMware HA cluster, a single host is chosen as the master host to communicate with vCenter Server and to monitor the state of the other, slave, hosts and their virtual machines. Different types of host failures are possible and must be detected and appropriately dealt with. To do this, the master host must distinguish between a failed host and one that is in a network partition. Datastore heartbeating is used to do this.
Saturday, July 16. 2011
vSphere 5 What's New - Image Builder and Auto Deploy
Auto Deploy is a new method for provisioning ESXi hosts in vSphere 5.0. At a high level, the ESXi host boots over the network (using PXE/gPXE) and contacts the Auto Deploy Server, which loads ESXi into the host's memory. After loading the ESXi image, the Auto Deploy Server coordinates with vCenter Server to configure the host (using Host Profiles and Answer Files; answer files are new in 5.0). Auto Deploy eliminates the need for a dedicated boot device, enables rapid deployment for many hosts, and also simplifies ESXi host management by eliminating the need to maintain a separate “boot image” for each host.
Image profiles and VIBs are available in software depots from VMware or from VMware partners, and managed using the Image Builder PowerCLI. You can use software depots, image profiles, and software packages (VIBs) to specify the software you want to use during installation or upgrade of an ESXi host. Understanding how depots, profiles, and VIBs are structured and where you can use them is a prerequisite for in-memory installation of a custom ESXi ISO, for provisioning ESXi hosts using VMware Auto Deploy, and for some custom upgrade operations.
VIB: A VIB is an ESXi software package. VMware and its partners package solutions, drivers, CIM providers, and applications that extend the ESXi platform as VIBs. VIBs can be used to create and customize ISO images or installed asynchronously onto ESXi hosts. VIBs are available from software depots.
Image Profile: An image profile defines an ESXi image and consists of VIBs (software packages). An image profile always includes a base VIB, and might include additional VIBs. You examine and define an image profile using the Image Builder PowerCLI.
Thursday, July 14. 2011
vSphere 5 What's New - Storage Appliance (VSA)
In vSphere 5.0, VMware has released a new storage appliance called VSA. VSA is an acronym for “vSphere Storage Appliance”. This appliance is aimed at our SMB (Small-Medium Business) customers who may not be in a position to purchase a SAN or NAS array for their virtual infrastructure, and therefore do not have shared storage. Without access to a SAN or NAS array, SMB customers are unable to implement many of vSphere’s core technologies, such as vSphere HA & vMotion. Customers who decide to deploy a VSA can now benefit from many additional vSphere features without having to purchase a SAN or NAS device to provide them with shared storage.
Each ESXi server has a VSA deployed to it as a Virtual Machine. The appliances use the available space on the local disk(s) of the ESXi servers & present one replicated NFS volume per ESXi server. This replication of storage makes the VSA very resilient to failures. The NFS datastores exported from the VSA can now be used as shared storage on all of the ESXi servers in the same datacenter. The VSA creates shared storage out of local storage for use by a specific set of hosts. This means that vSphere HA & vMotion can now be made available on low-end (SMB) configurations, without external SAN or NAS servers.
There is a CAPEX saving achieved by SMB customers as there is no longer a need to purchase dedicated SAN or NAS devices to achieve shared storage. There is also an OPEX saving as the management of the VSA may be done by the vSphere Administrator and there is no need for dedicated SAN skills to manage the appliances. The installation & configuration is also much simpler than that of a physical storage array or other storage appliances.
Link to the VSA Installation Demo
Thursday, June 30. 2011
VMware Labs present its latest fling VMware Zimbra for Android (VZA)
VMware Zimbra for Android (VZA) is a native Android collaboration application that allows you to access your email, calendar, contacts, tasks and files from any Android device, specifically smartphones and tablets.
VZA supports any Microsoft ActiveSync compliant email server and also supports the VMware Zimbra Collaboration Suite (ZCS). With ZCS as the backend, VZA offers several additional ZCS-only features such as Briefcase, Saved Searches and many others that are not available in any of the Android email applications in the market today.
Be one of the first to try, rate and comment - http://labs.vmware.com/flings/vza
Monday, June 27. 2011
VMware vSphere Client for iPad v1.1 is now available in Apple App Store
Srinivas and his team are very excited to announce that v1.1 is now approved by Apple and is available in the App Store right now. Be sure to update vCMA first: the latest version of the backend vCMA server (v1.1) is required for the new client. You can download the latest vCMA appliance at: http://labs.vmware.com/flings/vcma. The biggest "feature" in v1.1 of the client is support for managing ESX and ESXi hosts directly from the iPad without requiring a vCenter server instance.
The features and bug fixes in this release are listed below:
New in version 1.1.0
- Support for connecting directly to a vSphere host (resolves Null Pointer Exception)
- Integrated interface to input vCMA server settings and login credentials
- Enhanced version compatibility checks between vSphere iPad application and vCMA server
- Fix for Null Pointer Exception when rebooting a host while the host was in maintenance mode
- Store password, if requested by the user, in the keychain
- Ability to properly scroll the host list in landscape mode
- Sorted host list (by name and grouped by vendor ID)
- Display center ellipsis for long virtual machine names
- Better performance metrics when connecting directly to a vSphere host
- Show “Unavailable” or “PoweredOff” message when unable to obtain performance data for a selected VM
- Reflect available actions correctly, for a selected VM, when an operation was completed
- Ability to cancel 'revert to snapshot' action
Srinivas and his team are already working on v1.2, which will address some more feature requests. http://itunes.apple.com/us/app/vmware-vsphere-client-for/id417323354?mt=8
Tuesday, June 21. 2011
VMware Labs present its latest fling - CloudCleaner
VMware Labs present its latest fling CloudCleaner.
CloudCleaner is a handy tool that helps remove all traces of objects created on host machines by vCloud Director (vCD), such as virtual machines, resource pools, network pools and networks. Simply put, CloudCleaner restores all your host machines running vCD to a clean state.
Some of the great features are:
• Intelligent authentication handling - if your login credentials fail, you'll be given the chance to re-auth in realtime.
• Fast! Uses up to 2000 simultaneous threads
• Auto-detects developer settings - vCenter IP and credentials.
• Safe - auto-detects inconsistencies and repairs them.
• Secured - validates vCenter server certificates and encrypts user data.
Be one of the first to try, rate and comment - http://labs.vmware.com/flings/cloudcleaner .
Sunday, June 19. 2011
New Technical Papers - vShield Edge Design Guide and vShield App Design Guide
VMware vShield is a suite of security virtual appliances built for VMware vSphere 4.1. It is a critical security component for protecting virtualized datacenters from attacks and misuse. vShield App and vShield Edge are the two products in the suite that address network security. The goal of this document is to provide details on the key security technologies implemented in the vShield App and vShield Edge products that enable administrators to build a multitenant virtualized datacenter environment that is flexible, agile, scalable and secure. The document first discusses the challenges in using physical security to protect virtual infrastructure and then describes in detail the key new technologies in vShield products that address those challenges.
The Technology Foundations of VMware vShield
VMware vShield Edge, part of the VMware vShield family of virtualization security products, provides perimeter security and network services such as DHCP, NAT, Load balancing, and VPN service. vShield Edge is a virtual firewall appliance that can be provisioned on-demand and its services enabled on the fly to meet the flexibility requirement of cloud deployments. The goal of this document is to help customers understand where and how a vShield Edge firewall can be deployed to secure and isolate tenants/organizations, while providing some reference designs along the way. This document will also help VI administrators and network administrators understand the deployment of security and other network services in virtual datacenters using a vShield Edge firewall.
VMware vShield App, part of the VMware vShield family of virtualization security products, protects applications in the virtual datacenter from network-based threats. vShield App gives organizations deep visibility into network communications between virtual machines and enables granular policy enforcement with security groups. This document helps VI administrators understand the deployment of security around the virtualized server infrastructure using the VMware vShield App product. Two reference designs are provided to help customers understand the security deployment around the virtual infrastructure using the vShield App product and its advantages.
Tuesday, June 7. 2011
Converter 5.0 public Beta program
VMware vCenter Converter Standalone is a scalable solution to convert virtual and physical machines to VMware virtual machines. You can also configure existing virtual machines in your vCenter Server environment. Converter Standalone eases the exchange of virtual machines among the following products:
- VMware hosted products can be both conversion sources and conversion destinations
  - VMware Workstation
  - VMware Fusion
  - VMware Server
  - VMware Player
- Virtual machines running on an ESX instance that vCenter Server manages can be both conversion sources and conversion destinations
- Virtual machines running on unmanaged ESX hosts can be both conversion sources and conversion destinations
You can also use VMware Consolidated Backup (VCB) images to create VMware virtual machines. The VMware vCenter Converter Standalone 5.0 beta includes the following new functionality:
- Preserving the LVM configuration on the source machine during Linux conversions
- Enhanced synchronization including options for scheduling synchronization tasks and performing multiple synchronization tasks in a conversion job
- Optimized disk and partition alignment and cluster size change
- Conversion data is encrypted between the source and the server
Within this community, you will find discussion threads posted during the beta phase. VMware is encouraging you to test the builds and add to these discussions or start new ones. Their forums are an important feedback channel and are closely monitored by product managers and development teams, so be sure to provide feedback wherever possible. VMware is looking forward to hearing from you!
http://communities.vmware.com/community/vmtn/beta/public_converter_50