VCAP-DCD 5.1 vs 5.5

I’ve decided to reschedule my VCAP-DCD exam for the 5.5 version. I will be sitting the exam on 8/23 at VMworld 2014.  After taking a closer look at the blueprint, here are the differences I see.

VCAP-DCD 5.1
- 225 minutes
- 100 questions
- 6 design questions

VCAP-DCD 5.5
- 195 Minutes
- 46 questions
- 5 design questions
- 1 Master design question

One big change I also see – there is no mention of blocking you from going back to review flagged questions. This is a big change, although time management may not allow a whole lot of time to review flagged questions. I am guessing the design questions will still take 15 to 20 minutes apiece. The Master design question needs 30 minutes.

The “Master design question” still remains a mystery.

If you are sitting the exam, you still have the option to cancel your current exam and reschedule for the 5.5 version. I had no problems at all with scheduling the new exam. Just make sure you do it before your cancellation window.

VDCD550: https://mylearn.vmware.com/lcms/web/portals/certification/VCAP_Blueprints/VCAP-DCD-VDCD550-Exam-Blueprint-v3_2.pdf

VDCD551: https://mylearn.vmware.com/lcms/web/portals/certification/VCAP_Blueprints/VCAP5-DCD-Exam-Blueprint-v3_0.pdf

 

Exam discounts: http://www.vmworld.com/community/conference/us/learn/training

You will still need to request authorization for the exam even if you were approved for 5.1. https://mylearn.vmware.com/

 

VCAP-DCD VMworld 2014 study group

I want to see how many people would be interested in getting together on 8/23 for a study session on VCAP-DCD. I am not a certified instructor; this will be a group discussion. Or we can cut out a bunch of VMware Visio shapes and slap stuff together for a design practice session (pin the vSwitch on the donkey). This is very informal, no sponsors and no budget. If there are just a handful of people, I think whoever has the best hotel lounge, that’s where we can meet. Let’s make it a couple of hours, 6PM to 8PM. If we get hundreds or thousands of people, I’m going to jump in the river. Or we can try to relocate to a park. I will put the word out on Twitter.

I am staying at the Triton Hotel. After looking at pictures of the lounge, maybe 5 or 10 people can fit. Email me if you are interested: james.burd@burdweiser.com

VCP IaaS exam experience

It has been a year or two since I’ve had time to sit down and actually take an exam. I knew with the announcement this year that VCP certifications would need to be renewed before March 2015, I had to do something.

My background leading up to the decision to take the VCP IaaS exam: I have been working with vCloud for the past 7 months. I deployed a single cell in our development environment for the company I am with. It has been great for controlling VM sprawl. I built it as a model for test and production. I kept it simple at first with easy catalogs that joined the development domain, no wild double NAT’s or crazy vApps with multi networks. It is best to get your feet planted firmly in the concepts of vCloud before you take off with that stuff.

My study materials:

- My first exposure to vCloud was last year at VMworld when I won a book from the VMUG group titled “VMware vCloud Architecture Toolkit (vCAT)“. It is a beast of a book. It is not something you want to sit down with and just read from end to end. It is a collection of reference documents. I jumped back and forth with the book to overview material that was important to me. I used it often when designing my architecture.

- I spent time watching the VMware blogs on vCAT.

- I spent plenty of time watching the PluralSight videos from Chris Wahl: VMware vCloud Director 5.1 Essentials “Installing and Configuring” and “Managing and Monitoring“. Also Jake Robinson’s “VMware vCloud Director Organizations” and “VMware vCloud Director Essentials” with David Davis. These are the best training videos! They are worth every bit of money you pay for a subscription to PluralSight.

- I did have a chance to attend the VMware vCloud Director: Install, Configure, Manage course a few months ago. It was really cut and dry material. It was not anything really new for me. It was great to get my hands on the class material though. The book really helped with studying for the exam.

- As a part of the VMware vCloud course, the instructor Shawn Bolan gave us access to Measureup.com practice exams for VCP-Cloud. For $100 you can get two months of access to this practice exam. For me, I was taking the IaaS exam, so it was a little different taking this practice exam based on a different exam (VCP-Cloud).

- I did plenty of the practice exams. 1. The VMware VCP IaaS mock exam. If I missed questions, I would research the answers. 2. Practice exams from Paul McSharry here, here and here. 3. Measureup.com Mock exams. For each mock exam I would actually have my vCAT book and my class material to go over questions and answers. It is not just an exercise to pass a mock exam, but an experience to learn something new.

- Read plenty of PDFs. 1. The vShield Installation and Upgrade Guide. 2. The vCloud Director User’s Guide. 3. The vCenter Chargeback Manager User’s Guide.

The Exam itself:

- I really hate sitting exams. For me it is like sitting there waiting for an electric shock at the end. I had 90 minutes for 85 questions. I think I averaged 1 question every 45 seconds. The questions were not super wordy like a VCAP exam. The mix of questions between vCloud, chargeback, vCloud connector and vShield seemed pretty balanced like it was in the mock exam. You will see every topic from the exam blueprint! I had marked about 10 questions for review. At the end I had about 15 minutes left. I spent a few minutes going over anything that I might have missed. I felt fairly confident in my answers, so I ended the exam. No electric shock at the end, I passed!

You really need hands on with the products. I have to admit, I have not worked with chargeback or vCloud connector yet. Those are optional products. I do not have a need for them in my environment. I only reviewed the PDF documents for these. These are probably questions that I missed. If you have a home lab, try to build all of these components out!

You really need time to deploy not just simple networking and vApps, but some of the more complicated items as well. Networking is a big focus in the exam. It is also vital to know when using vCloud. Knowing how to navigate the vCloud administrative options is vital!

Why the VCP-IaaS exam and not VCP-vCloud? Gregg Robertson has a pretty good post on the differences between the two.

Good luck to anyone seeking to take the exam!

Working with XenDesktop 7.x printing policies for external sessions

This post is specifically looking at printer policies to block external users from enabling printers. There is a lack of documentation and a bit of confusion when looking at the policies in XenDesktop.

Let’s say you have a simple deployment, internal and external users.

 



Citrix StoreFront Deployment

Let’s focus on printing for now. You want to allow internal users to map printers and deny external users from mapping home printers. This would be a DLP strategy to keep data from leaving the session from a remote location. Looking at the policies, you would think that just allowing internal and denying external would work.

assign ctx policy 2 - incorrect

Wrong. Printing is actually enabled by default without a policy in place. I could not find this documented anywhere! That should be the first disclaimer on http://support.citrix.com/proddocs/topic/xendesktop-7/ps-console-policies-rules-printer-clients-v2.html.

It took working with support for weeks to find the proper configuration to block printing from external clients. I even worked with the NetScaler teams, thinking the policy had to be tied to the SmartHost name.

The correct configuration is almost a double negative. Set “Client printer redirection – Prohibit” and “Auto-create client printers – Do not create client printers”.

define ctx policy

Set the access controller filter to “Allow with Netscaler” using asterisk (if you have just one NetScaler) as the farm name and access condition. This is allowing the “deny printers” policy to apply to anyone who uses the NetScaler. If you want to use a specific NetScaler, use the SmartHost name for the Farm Name.

assign ctx policy 3

Also apply a second filter to the Delivery Group with “Allow”.

assign ctx policy 4

The final configuration should look like this:

assign ctx policy 5

This will block external users from using home printers to print data from a Citrix session. Users will also need to authenticate against the NetScaler when logging on from an external network. This is best practice, but you do have the option to authenticate directly against StoreFront (not recommended).
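The default-allow behaviour and the two-filter fix described above can be checked with a small model. This is an added example, not Citrix code or part of the original post: the evaluation rules (every filter on a policy must match, the highest-priority applicable policy wins, unset values fall back to defaults), the setting keys, and the session, farm and delivery group names are simplifying assumptions.

```python
from dataclasses import dataclass, field

# Model defaults: with no policy in place, client printing is on (as the post found).
DEFAULTS = {
    "ClientPrinterRedirection": "Allowed",
    "AutoCreateClientPrinters": "Auto-create all client printers",
}

@dataclass(frozen=True)
class Session:
    user: str
    delivery_group: str
    via_netscaler: bool      # True when the session came in through the gateway
    farm_name: str = ""      # gateway farm / SmartHost name (hypothetical values)

@dataclass
class Policy:
    name: str
    priority: int            # lower number = higher priority
    settings: dict
    filters: list = field(default_factory=list)

    def applies_to(self, session):
        # Assumption of this model: every filter on the policy must match.
        return all(f(session) for f in self.filters)

def access_control(farm="*"):
    """'Allow with NetScaler' filter; '*' matches any farm name."""
    return lambda s: s.via_netscaler and (farm == "*" or s.farm_name == farm)

def delivery_group(name):
    return lambda s: s.delivery_group == name

def direct_connection():
    return lambda s: not s.via_netscaler

def resultant(policies, session):
    """Start from defaults, then let higher-priority policies override lower ones."""
    result = dict(DEFAULTS)
    for p in sorted(policies, key=lambda p: p.priority, reverse=True):
        if p.applies_to(session):
            result.update(p.settings)
    return result

def printing_blocked(policies, session):
    """True only when both settings from the post are in effect for the session."""
    r = resultant(policies, session)
    return (r["ClientPrinterRedirection"] == "Prohibited"
            and r["AutoCreateClientPrinters"] == "Do not create client printers")

# Constructed sessions and policy sets for illustration.
INTERNAL = Session("alice", "Desktops", via_netscaler=False)
EXTERNAL = Session("alice", "Desktops", via_netscaler=True, farm_name="gw01")

# Naive attempt: only an "allow" policy for internal users, nothing for external.
NAIVE = [Policy("Allow internal printing", 1,
                {"ClientPrinterRedirection": "Allowed"},
                [direct_connection()])]

# The post's fix: explicit prohibit, filtered on NetScaler access and delivery group.
CORRECT = [Policy("Deny external printing", 1,
                  {"ClientPrinterRedirection": "Prohibited",
                   "AutoCreateClientPrinters": "Do not create client printers"},
                  [access_control("*"), delivery_group("Desktops")])]

if __name__ == "__main__":
    for label, policies in (("naive", NAIVE), ("correct", CORRECT)):
        for who, sess in (("internal", INTERNAL), ("external", EXTERNAL)):
            print(f"{label:8} {who:9} blocked={printing_blocked(policies, sess)}")
```

In the naive set the external session matches no policy, so it inherits the defaults and printing stays enabled; only the explicit prohibit policy changes the outcome.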

 

 

VMworld 2014 Alumni

Don’t forget to sign up for the VMworld Alumni program this year as you sign up for VMworld 2014. If you have attended two or more VMworld conferences as a full paid attendee, you qualify!

When I first saw Alumni, I thought “Yes I have attended previous VMworld events”. But it is a new program this year. This alumni portal launched on 8/25/2013. You will get 25 points for signing up and 100 points for every VMworld you attended. I think these points are awarded after you attend the event. No word if you can receive 100 points for previous VMworlds attended. The link to transfer previous enrollments is currently a placeholder page.

Learn more here: http://www.vmworld.com/community/conference/us/learn/programs/alumni

The alumni program allows you to earn points for merchandise rewards, various activities and special offers. I have not seen anything specific. Earn CloudCred for registering for the Alumni Portal while on site at VMworld, and earn extra CloudCred points for referring a friend! Alumni members have enjoyed a $200 discount on VMworld registration for the past several years.

Stop by the VMworld Alumni lounge located at Jillians at the Metreon. Pick up your free gift, use the free wifi, enjoy snacks and beverages and relax playing a game of pool.

http://www.vmalumniportal.com/

 

PernixData and Dell – first test results

Before I go too deep into the layout of this benchmark, let me say that Frank Denneman came out with some great articles on testing SSDs. I highly recommend reading some of his posts to understand how to benchmark hardware and understand the results. To see what PernixData is all about, check out this post from Jason Nash.

I’ve been testing PernixData with Dell hardware this week, trying to find the ceiling on local SSD drives first. My plan is to test what I can place as close to the hypervisor as possible (within a blade). That’s right, I’m testing a Dell M620 blade solution with Dell Compellent storage on FC. It is more common to find add-on PCIe cards for rack mount servers when using SSD solutions, but I am looking to find what kind of performance I can get out of a blade system with SSD drives on a PERC controller. I will be testing SLC SSD drives (Toshiba MK4001GRZB) that are controlled from the local PERC H710 controller. PernixData has a great set of documents for configuring disk controllers. I am not using the H710P controller (which has a FastPath for IO to bypass the controller cache and get committed directly to the physical disk from host RAM through the second controller’s dual-core ROC processor). It sounds a little like EMC XtremIO, but on a much smaller scale. CTIO and FastPath provide enhanced performance benefits to SSD volumes. It is important to remember that if you are working with multiple drives on a RAID controller and JBOD is not an option, you need to configure individual disks in RAID 0, not grouped in RAID 0 (although this can be done to take advantage of the performance of both drives at once).

The tests I ran involved running 5 VMs with IOMeter, 4K and 100% reads on a 30GB file. The queue depth is the default VMware 64. Of course all workloads are different. Not all applications are built the same. If you are looking to test something like SQL, I recommend using Benchmark Factory from Quest (Dell). You can record a production workload and play it back on the test platform to see how well something like this would work in your environment. The purpose of the test is to find out how many IOPS I can get out of the solution. I would not recommend relying on something like IOMeter to benchmark something for production.

Make sure your VM guest has a separate paravirtual SCSI controller for the data drive you are testing. Also, make sure everything in the environment along the storage fabric is tuned for best performance, from the server BIOS, PERC controller, HBA cards, fiber switches and fiber interconnects to the storage controllers.

Compellent Disk configurations in VMware

 My first test was with Write Back. These test results had better results of course, but only by 10K or so IOPS. I saw as high as 150K IOPS for the FVP cluster, but it usually stayed around 120K IOPS.

PD Cluster level performance 01 post 1-5 upgrade (Write Back)

PD Cluster level performance 02 post 1-5 upgrade (Write Back)

My second test was with write through, which is my preferred model since the data is written to the datastore at the same time. You can see that IOPS came in just under 120K IOPS. Still not bad! The dip in this chart is from me starting up another VM with the same test.

PD Cluster level performance 01 post 1-5 upgrade (Write thru)

PD Cluster level performance 02 post 1-5 upgrade (Write thru)

 

You can see what goes on with my Compellent storage on the back end with the same results:

PD Compellent volume last day perf (Write Back)

PD Compellent SSD last day perf (Write Back)

PD Compellent 15K last day perf (Write Back)

PD Compellent 7K last day perf (Write Back)

All I can say is Holy Cow! SSDs sure do give great performance when they are closer to the server! I do start to wonder what this does to the life cycle of the drives if they run at a constant rate like this. But like I said, every workload is different. I saw as high as 60K IOPS per SSD in the Dell M620 blades. Would I say this first hardware test is an enterprise solution? Perhaps, it is definitely cost effective! It depends on your level of comfort with the hardware and your use case.

Working with the PernixData software is so easy! It is very simple to install and manage. It is also a breeze to remove when you are done with a POC. If you are working with iSCSI, you will need to adjust your path selection policies after it is removed. You can also use the software without any SSDs, to see what type of performance you are getting from your datastore. PernixData FVP works with block storage protocols today (FC, iSCSI, and FCoE), and will soon support NFS. FVP uses server-side flash (SSDs or PCIe cards) to increase storage performance in vSphere environments.


My next tests? I think this will involve using the Dell M620 Blade with PCIe to see what results I can get from that using PernixData. Dell is really on me to use FluidCache, but that is something down the road I will get to.

March 26th, 2014 events in Houston

Here are some of the great VMware  / IT events going on in Houston and webinars March 26th:

1. Citrix or VMware. Which VDI solution can? Which can’t? Join Citrix and Microsoft® for a half-day workshop aimed at helping you succeed with VDI. We’ll cover the answers to three essential questions you must consider during your VDI evaluation.

2. Virtual Lunch and Learn “Become a Flash Superhero”. Improving Application Performance with EMC Flash, hosted by Sam Marraccini, EMC Flash Technology Evangelist.

Join UDI on-site for a fajita lunch at the UDI Houston Office:
10595 Westoffice Drive
Houston, TX 77095
OR
Join us via Webex
and receive a FREE PIZZA to enjoy during the webcast!
*Must Register by March 25th
DATE: Wed. March 26th
TIME: 11:30 a.m – 1:00 p.m.

At this exclusive seminar, you will learn that not all flash solutions are alike. Find out how to put flash to work for you.

- Leverage flash for higher performance in your data center.

- Boost IT efficiency.

- Get the right functionality at the right price.

- Implement flash to enable other benefits, from server consolidation to deduplication.

 

- Webinars -

1. Architecting Better Customer Experiences: The Nexus of EA and CX. Find out how to put Enterprise Architecture (EA) in the driver’s seat of Customer Experience (CX) initiatives by upgrading your business process and EA practices to focus engagement, desired outcomes and user empathy.

2. The Real ROI for Network Visibility: Join Ixia and featured guest from Forrester Research in an interactive webinar discussion on ROI for network visibility.

 

 

Pluralsight VMware vSphere Security course review

I took some time to go over the VMware vSphere Security course from Pluralsight this week. This course was released on 1/14/2014 and was created by Brian Tobia.

Anyone can install vSphere. It takes a good admin or architect to take into consideration the security aspects of a deployment and how it fits into your organization.

Let me first say that the course seems very long! But each lesson kept my attention and I would find myself saying “I knew that” or “ohh, there is something new”. It is definitely worth going over once or twice.

First, Brian starts off by talking about security basics. When I first heard him mention certificates, not much was covered. I was wanting more! That comes later in vCenter Security Server. So don’t panic, you will get to see more on PKI in a later section.

The next topic goes on to talk about vSwitch security. A lot of vSphere admins may be familiar with this topic. The options have been around for a long time. I think most of this section would be on any VCP exam. Forged transmissions, MAC changes and promiscuous mode are all covered in a step by step video. Brian also explains the relation of the vSwitches and other network hardware when it comes to BPDU and spanning tree. This would be a good overview for your network admins to review as well.

We then move on to Virtual Machine security. VM template creation and deployments are covered in this section. Snapshots and disk security (persistent and non-persistent disks) are also covered. The only thing I do not recall being covered in this section is the virtual machine VMCI device. This is a VM communication interface to provide a high speed communications channel between a VM and the hypervisor. It is optional to enable VMCI between VMs. Honestly I have never seen this device used. I’m sure there is a use case for it, but I have not used it to date. If you were using a monitoring device like Gigamon to inspect VM traffic on a host, you would not see network traffic if you used the VMCI. This device would cause a big security concern if it were left in use.

Host security is covered in the following topic. This is the main topic I see covered when it comes to vSphere security. There are so many options to cover when it comes to the host. In the last few years hosts have been joining Microsoft AD. Brian does a great job on covering this step by step. Of course no security course would be complete without going over the ESXi firewall. You will see step by step options for what you can configure in the host based firewall. The firewall portion is a good topic to cover because I see many people who confuse the host firewall and how it relates to virtual machines. Want to see what Lock-down mode is all about? This is covered as well. If you have not used it before, this is your chance to see it in action. Host profiles have been around for a while. If you have not seen or used host profiles before, this may be a good evaluation of whether to use them or not.  SSL is covered just a little, but gets more in depth in the following topic.

Server Security is my favorite topic. Brian does a great job at explaining SSL certificates and how they play a role in securing your environment. I think SSL should have received its own dedicated topic in this course. It would have been nice to show how the Certificate Automation tool works and how you would apply certificates to different VMware products. The vCSA is also covered in this topic. Right out of the box this Linux based appliance is locked down for security. There is a live lab that covers adding the vCSA to Active Directory.

Single Sign-On has changed in vSphere 5.5 and this topic is covered very well. If you are looking to understand what it is all about, I highly recommend reviewing this section. The SSO add-in is an important piece if you have vCenter servers talking to each other or if you want to work with other vSphere products. I would expect vSphere 6.0 to include SSO for other products like vCloud and SRM.

The next section pretty much covers the vSphere hardening guide. This is recommended reading material for those looking to secure VMware environments. All versions can be found on the VMware site at https://www.vmware.com/support/support-resources/hardening-guides.html.

I was surprised to see a section for Log Insight. This tool is a separately licensed product from vSphere and vCenter. It is an excellent product for reviewing logs. This section goes over the deployment and configuration of Log Insight. The live labs show just how easy it is to configure and deploy.

And the last topic goes over Compliance Management and hardening with vCenter Configuration Manager. The vCM is another product that is licensed outside of the vSphere products. For those looking for an overview of vCM, Brian does a great job (as usual) with demonstrating how the product is deployed and how it is configured. The vCM helps with regulatory compliance and assessing host configurations. If topics outside of the vSphere suite are covered, why not vShield or NSX? Both are very lengthy topics. I’m sure PluralSight will be coming out with a video soon on the NSX.

Overall I thought this was an excellent course. I’m sure I will listen to it again on one of my drives in to work. A lot of topics are covered that will leave you wondering “should I do something about that” or “I should really look into these add-on products”.

 

Deploying Citrix NetScaler Insight Center on vSphere 5.x

I must have beat my head against this virtual appliance deployment for a whole day! If you are not familiar with the Citrix NetScaler Insight Center, it “delivers unprecedented visibility and enables real-time control in response to network traffic from a variety of services such as cloud, mobile and virtual desktops. Together NetScaler Insight Center and ActionAnalytics bring visibility and control to the datacenter”. To read more, follow this Citrix link for the skinny: http://www.citrix.com/products/netscaler-application-delivery-controller/features/visibility.html

The initial version of this virtual appliance did not have a version compatible with vSphere, only Citrix XenServer. In mid June there was a press release announcing a version that would work with vSphere. Looking at the download section you will notice almost all .xva files. My initial reaction was “I need to convert this file to an OVA or OVF”. VMware converter will not convert a .xva file. Citrix XenConvert 2.3.1 is the only tool that will do the conversion to an OVA or OVF. But the encoding used by the Citrix product will not work on vSphere. OVF and OVA files generated by Citrix cannot be imported by VMware due to different encoding (utf-16 vs. utf-32). If you try to import the OVA or OVF file into VMware you will get an XML error. I ran across numerous Citrix and VMware posts referring to standing up a XenServer, then doing an export or convert. These methods would not work for this virtual appliance.

Looking at the deployment guide from Citrix on how to install this on VMware was a little confusing. It looks like it was written by someone who knew very little about VMware products. Why would you need the VMware OVF tool installed? Reading that made me really wonder how much effort I needed to put into this deployment.

The answer to all of this was a little simpler. Looking at the download section there is one option for a zip package.

NSIC-DL

This is the latest version that will work for the initial deployment of vSphere. Version 120.13 is what you want to use as of the date of this post. You will also notice that Citrix has posted “In order to upgrade ESX VM from builds before 120.13 release to 120.13+ builds, fresh install of the 120.13+ build is recommended”.

Within this zip file there is an OVF that is encoded to utf-32. Once you download this version it is as simple as deploying a regular virtual appliance. I recommend reviewing the Citrix Reference Architecture while planning your deployment. When you get your virtual appliance up and running, the default username and password are nsroot / nsroot.