Pluralsight VMware vSphere Security course review

I took some time to go over the VMware vSphere Security course from Pluralsight this week. This course was released on 1/14/2014 and was created by Brian Tobia.

Anyone can install vSphere. It takes a good admin or architect to take into consideration the security aspects of a deployment and how it fits into your organization.

Let me first say that the course seems very long! But each lesson kept my attention and I would find myself saying “I knew that” or “ohh, there is something new”. It is definitely worth going over once or twice.

First, Brian starts off by talking about security basics. When I first heard him mention certificates, not much was covered. I wanted more! That comes later, in the vCenter Server Security topic. So don't panic, you will get to see more on PKI in a later section.

The next topic is vSwitch security. A lot of vSphere admins will be familiar with it; the options have been around for a long time, and I think most of this section would be on any VCP exam. Forged transmits, MAC address changes and promiscuous mode are all covered in step-by-step videos. Brian also explains how vSwitches relate to the physical network when it comes to BPDUs and spanning tree (a vSwitch does not participate in STP, so a guest that sends BPDUs can trip BPDU guard on the upstream physical port). This would be a good overview for your network admins to review as well.
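To make those three options concrete, here is an added PowerCLI example (mine, not code from the course or this post) that audits every standard vSwitch and port group for Promiscuous Mode, MAC Address Changes or Forged Transmits set to Accept, and checks the host-level Net.BlockGuestBPDU setting that goes with the BPDU discussion. It assumes Connect-VIServer has already been run; Net.BlockGuestBPDU only exists on ESXi 5.1 and later and is skipped where absent.

```powershell
# Added example, not from the course or the post. Assumes Connect-VIServer has
# already been run against a vSphere 5.x vCenter. Net.BlockGuestBPDU exists on
# ESXi 5.1+ only; on older hosts it is simply skipped.
function Invoke-VSwitchSecurityAudit {
    [CmdletBinding()]
    param(
        # Flip every finding to the secure value instead of only reporting it.
        [switch]$Remediate
    )

    $findings = @()

    foreach ($vsw in Get-VirtualSwitch -Standard) {
        $hostName = $vsw.VMHost.Name
        $pol = Get-SecurityPolicy -VirtualSwitch $vsw

        # vSwitch-level policy: all three should be Reject ($false).
        if ($pol.AllowPromiscuous -or $pol.MacChanges -or $pol.ForgedTransmits) {
            $findings += [pscustomobject]@{
                Host = $hostName; Object = $vsw.Name; Level = 'vSwitch'
                Promiscuous = $pol.AllowPromiscuous
                MacChanges  = $pol.MacChanges
                ForgedTx    = $pol.ForgedTransmits
            }
            if ($Remediate) {
                Set-SecurityPolicy -VirtualSwitchPolicy $pol `
                    -AllowPromiscuous $false -MacChanges $false -ForgedTransmits $false | Out-Null
            }
        }

        # Port groups inherit from the vSwitch unless overridden. Only an explicit
        # override to Accept is a finding; inheriting a (now) secure parent is fine.
        foreach ($pg in Get-VirtualPortGroup -VirtualSwitch $vsw) {
            $pgpol = Get-SecurityPolicy -VirtualPortGroup $pg
            $badPromisc = (-not $pgpol.AllowPromiscuousInherited) -and $pgpol.AllowPromiscuous
            $badMac     = (-not $pgpol.MacChangesInherited)       -and $pgpol.MacChanges
            $badForged  = (-not $pgpol.ForgedTransmitsInherited)  -and $pgpol.ForgedTransmits
            if ($badPromisc -or $badMac -or $badForged) {
                $findings += [pscustomobject]@{
                    Host = $hostName; Object = $pg.Name; Level = 'PortGroup'
                    Promiscuous = $badPromisc; MacChanges = $badMac; ForgedTx = $badForged
                }
                if ($Remediate) {
                    # Drop the override so the port group inherits the vSwitch policy again.
                    Set-SecurityPolicy -VirtualPortGroupPolicy $pgpol `
                        -AllowPromiscuousInherited $true -MacChangesInherited $true `
                        -ForgedTransmitsInherited $true | Out-Null
                }
            }
        }
    }

    # BPDU: a guest running a bridge can emit BPDUs; an upstream switch with BPDU
    # guard then err-disables the physical uplink, taking every VM on it offline.
    # Net.BlockGuestBPDU=1 drops guest BPDUs at the host before they reach the wire.
    foreach ($h in Get-VMHost) {
        $bpdu = Get-AdvancedSetting -Entity $h -Name 'Net.BlockGuestBPDU' -ErrorAction SilentlyContinue
        if ($bpdu -and [int]$bpdu.Value -ne 1) {
            $findings += [pscustomobject]@{
                Host = $h.Name; Object = 'Net.BlockGuestBPDU'; Level = 'Host'
                Promiscuous = $null; MacChanges = $null; ForgedTx = $null
            }
            if ($Remediate) {
                Set-AdvancedSetting -AdvancedSetting $bpdu -Value 1 -Confirm:$false | Out-Null
            }
        }
    }

    return $findings
}

# Report only; add -Remediate once the list has been reviewed.
Invoke-VSwitchSecurityAudit | Format-Table -AutoSize
```

Review the report before remediating: promiscuous mode is legitimately required on port groups that feed an IDS sensor or a nested ESXi host, so those should be excluded rather than silently set to Reject.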

We then move on to virtual machine security. VM template creation and deployment are covered in this section. Snapshots and disk security (persistent and non-persistent disks) are also covered. The only thing I do not recall being covered in this section is the virtual machine VMCI device. This is the Virtual Machine Communication Interface, a high-speed communication channel between a VM and the hypervisor. Enabling VMCI between VMs is optional. Honestly I have never seen this device used. I'm sure there is a use case for it, but I have not used it to date. Because VMCI traffic never touches a vSwitch, a monitoring tap like Gigamon inspecting VM traffic on a host would not see it, and neither would any firewall or IDS in the network path. Left enabled between VMs, it is an unmonitored channel that bypasses whatever network segmentation you have built, which is a real security concern.
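Since the course did not cover VMCI, here is an added PowerCLI example (mine, not code from the course or this post) that finds VMs where "Enable VMCI between VMs" has been switched on, which sets the vmci.unrestricted advanced option to TRUE, and optionally turns it back off. The baseline table also carries two guest-isolation keys from the vSphere hardening guide so the same loop checks them; the VM folder name is a placeholder and Connect-VIServer is assumed to have been run.

```powershell
# Added example, not from the course or the post. Assumes Connect-VIServer has
# been run. Only VMs carrying an explicit, insecure value are reported: an
# absent key means the ESXi default, which is the secure value for all three
# keys listed here.
$VmSettingBaseline = @{
    'vmci.unrestricted'             = 'FALSE'  # "Enable VMCI between VMs" must be off
    'isolation.tools.copy.disable'  = 'TRUE'   # hardening guide: no guest copy/paste
    'isolation.tools.paste.disable' = 'TRUE'   # via the console
}

function Get-VmSettingFindings {
    [CmdletBinding()]
    param(
        [Parameter(ValueFromPipeline = $true)]
        $VM,
        [hashtable]$Baseline = $VmSettingBaseline,
        # Rewrite the offending values instead of only reporting them.
        [switch]$Remediate
    )
    process {
        foreach ($v in $VM) {
            foreach ($key in $Baseline.Keys) {
                $setting = Get-AdvancedSetting -Entity $v -Name $key -ErrorAction SilentlyContinue
                if (-not $setting) { continue }   # absent = default = secure
                $actual = "$($setting.Value)".ToUpperInvariant()
                if ($actual -ne $Baseline[$key]) {
                    [pscustomobject]@{
                        VM = $v.Name; Setting = $key; Actual = $actual; Expected = $Baseline[$key]
                    }
                    if ($Remediate) {
                        # extraConfig is read at power-on, so the change is effective
                        # after the next power cycle (a guest reboot is not enough).
                        Set-AdvancedSetting -AdvancedSetting $setting -Value $Baseline[$key] -Confirm:$false | Out-Null
                    }
                }
            }
        }
    }
}

# Audit one folder of VMs; use Get-VM alone for the whole inventory.
Get-VM -Location (Get-Folder -Name 'Production') | Get-VmSettingFindings | Format-Table -AutoSize
```

The same pattern extends to any other VM-level key from the hardening guide: add the key and its required value to the table and the loop picks it up.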

Host security is covered in the following topic. This is the main topic I see covered when it comes to vSphere security, and there are a lot of options to go through on the host. In the last few years hosts have been joining Microsoft AD, and Brian does a great job of covering this step by step. Of course no security course would be complete without going over the ESXi firewall. You will see step-by-step options for what you can configure in the host-based firewall. The firewall portion is a good topic to cover because I see many people confuse the host firewall with something that protects virtual machines: it only filters traffic to and from the ESXi management interfaces, not VM traffic. Want to see what Lockdown mode is all about? That is covered as well. If you have not used it before, this is your chance to see it in action. Host profiles have been around for a while; if you have not seen or used them before, this may be a good evaluation of whether to use them or not. SSL is covered just a little, but gets more in-depth treatment in the following topic.
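The host-level steps above (AD join, firewall, lockdown mode) fit together in one order: an added PowerCLI example (mine, not from the course or the post) that applies them to a single host. The domain, the admin group and the list of firewall rule sets to disable are placeholders for your environment, and Connect-VIServer is assumed to have been run. Lockdown mode is deliberately last, because once it is on, vCenter is the only remaining management path.

```powershell
# Added example, not from the course or the post. Assumes Connect-VIServer has
# been run; domain, group and rule-set names are placeholders.
function Set-EsxiHostBaseline {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$HostName,
        [string]$Domain = 'corp.example.com',                  # assumption
        [pscredential]$JoinCredential,                         # account allowed to join computers
        [string]$EsxAdminsGroup = 'ESXi-Host-Admins',          # assumption
        # Names as shown by Get-VMHostFirewallException on your hosts (assumption).
        [string[]]$DisableFirewallRules = @('CIM SLP', 'SSH Client', 'vSphere Web Access')
    )
    $h = Get-VMHost -Name $HostName

    # 1. Join AD so admins log in as themselves instead of a shared root password.
    $auth = Get-VMHostAuthentication -VMHost $h
    if ($auth.Domain -ne $Domain) {
        Set-VMHostAuthentication -VMHostAuthentication $auth -JoinDomain -Domain $Domain `
            -Credential $JoinCredential -Confirm:$false | Out-Null
    }

    # 2. A joined host grants Administrator on itself to an AD group named
    #    "ESX Admins" by default. Point that at a group you actually control;
    #    otherwise whoever can create that group in AD owns every host.
    Get-AdvancedSetting -Entity $h -Name 'Config.HostAgent.plugins.hostsvc.esxAdminsGroup' |
        Set-AdvancedSetting -Value $EsxAdminsGroup -Confirm:$false | Out-Null

    # 3. The host firewall filters management traffic to/from the ESXi kernel,
    #    not VM traffic. Disable the rule sets this host does not use.
    Get-VMHostFirewallException -VMHost $h |
        Where-Object { $_.Enabled -and ($DisableFirewallRules -contains $_.Name) } |
        Set-VMHostFirewallException -Enabled $false | Out-Null

    # 4. Lockdown mode: remote access to the host (SSH, vSphere Client, API) is
    #    refused for every account except vpxuser, so only vCenter and the local
    #    DCUI remain. Verify the AD join and your vCenter access before this step.
    if (-not $h.ExtensionData.Config.AdminDisabled -and
        $PSCmdlet.ShouldProcess($HostName, 'Enter lockdown mode')) {
        $h.ExtensionData.EnterLockdownMode()
    }

    $h = Get-VMHost -Name $HostName   # re-read so the summary reflects the changes
    [pscustomobject]@{
        Host      = $h.Name
        Domain    = (Get-VMHostAuthentication -VMHost $h).Domain
        Lockdown  = $h.ExtensionData.Config.AdminDisabled
        OpenRules = (Get-VMHostFirewallException -VMHost $h |
                     Where-Object { $_.Enabled } | ForEach-Object { $_.Name }) -join ', '
    }
}

Set-EsxiHostBaseline -HostName 'esx01.corp.example.com' `
    -JoinCredential (Get-Credential 'CORP\svc-esxjoin')
```

Run it once with -WhatIf to see which host would enter lockdown mode before doing it for real; a host profile can then capture the result and flag drift on the other hosts.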

Server Security is my favorite topic. Brian does a great job at explaining SSL certificates and how they play a role in securing your environment. I think SSL should have received its own dedicated topic in this course. It would have been nice to show how the vCenter Certificate Automation Tool works and how you would apply certificates to the different VMware components (vCenter Server, Inventory Service, SSO, Web Client, Update Manager). The vCSA is also covered in this topic. Right out of the box this Linux-based appliance is locked down for security. There is a live lab that covers adding the vCSA to Active Directory.
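Before replacing the default certificates it helps to see exactly what a vSphere endpoint is presenting today. This added PowerShell example (mine, not from the course or the post) uses plain .NET, so it needs no PowerCLI: it connects to the HTTPS port, accepts whatever certificate comes back so that a self-signed default can be inspected, and reports the fields that matter for the replacement decision. The server name is a placeholder.

```powershell
# Added example, not from the course or the post. Pure .NET, no PowerCLI.
# Validation is bypassed only for this probe so that a self-signed default
# certificate can be examined; never reuse that callback in real clients.
function Get-SslEndpointReport {
    param(
        [Parameter(Mandatory = $true)][string]$Server,
        [int]$Port = 443
    )
    $client = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    $ssl = $null
    try {
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] {
            param($sender, $certificate, $chain, $errors) $true
        }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($Server)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

        # Would THIS machine's trust store chain it to a trusted root?
        $x509chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $trusted = $x509chain.Build($cert)
        $chainErrors = ($x509chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

        # Subject Alternative Name (OID 2.5.29.17): the names clients actually match on.
        $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $sans = if ($sanExt) { $sanExt.Format($false) } else { '(none)' }

        [pscustomobject]@{
            Server       = ('{0}:{1}' -f $Server, $Port)
            Subject      = $cert.Subject
            Issuer       = $cert.Issuer
            SelfSigned   = ($cert.Subject -eq $cert.Issuer)
            SAN          = $sans
            NotAfter     = $cert.NotAfter
            DaysLeft     = [int]($cert.NotAfter - (Get-Date)).TotalDays
            KeyBits      = $cert.PublicKey.Key.KeySize
            SigAlgorithm = $cert.SignatureAlgorithm.FriendlyName
            Thumbprint   = $cert.Thumbprint
            TrustedHere  = $trusted
            ChainStatus  = if ($trusted) { 'OK' } else { $chainErrors }
            Protocol     = $ssl.SslProtocol
        }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Close()
    }
}

# vCenter, SSO (7444) and the Web Client (9443) each present their own certificate.
Get-SslEndpointReport -Server 'vcenter.corp.example.com' | Format-List
Get-SslEndpointReport -Server 'vcenter.corp.example.com' -Port 7444 | Format-List
```

A SelfSigned result with an issuer of "VMware default certificate" style naming, a thumbprint nobody has recorded, or a SAN list that does not include the name admins actually type are all reasons to run the Certificate Automation Tool sooner rather than later.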

Single Sign-On has changed in vSphere 5.5 and this topic is covered very well. If you are looking to understand what it is all about, I highly recommend reviewing this section. SSO is an important piece if you have vCenter Servers talking to each other or if you want to work with other vSphere products. I would expect vSphere 6.0 to include SSO for other products like vCloud and SRM.

The next section pretty much covers the vSphere hardening guide. This is recommended reading material for those looking to secure VMware environments. All versions can be found on the VMware site at

I was surprised to see a section for Log Insight. This tool is a separately licensed product from vSphere and vCenter. It is an excellent product for reviewing logs. This section goes over the deployment and configuration of Log Insight. The live labs show just how easy it is to configure and deploy.

And the last topic goes over compliance management and hardening with vCenter Configuration Manager. vCM is another product that is licensed outside of the vSphere products. For those looking for an overview of vCM, Brian does a great job (as usual) of demonstrating how the product is deployed and how it is configured. vCM helps with regulatory compliance and assessing host configurations. If topics outside of the vSphere suite are covered, why not vShield or NSX? Both are very lengthy topics. I'm sure Pluralsight will be coming out with a video soon on NSX.

Overall I thought this was an excellent course. I'm sure I will listen to it again on one of my drives in to work. A lot of topics are covered that will leave you wondering "should I do something about that?" or "I should really look into these add-on products".


Deploying Citrix NetScaler Insight Center on vSphere 5.x

I must have beaten my head against this virtual appliance deployment for a whole day! If you are not familiar with the Citrix NetScaler Insight Center, it "delivers unprecedented visibility and enables real-time control in response to network traffic from a variety of services such as cloud, mobile and virtual desktops. Together NetScaler Insight Center and ActionAnalytics bring visibility and control to the datacenter". To read more, follow this Citrix link for the skinny:

The initial version of this virtual appliance did not have a build compatible with vSphere, only Citrix XenServer. In mid-June there was a press release announcing a version that would work with vSphere. Looking at the download section you will notice almost all .xva files. My initial reaction was "I need to convert this file to an OVA or OVF". VMware Converter will not convert a .xva file. Citrix XenConvert 2.3.1 is the only tool that will do the conversion to an OVA or OVF. But the encoding of the Citrix output will not work on vSphere: OVF and OVA files generated by Citrix cannot be imported by VMware due to different encoding (UTF-16 vs. UTF-32), and if you try to import them you get an XML error. I ran across numerous Citrix and VMware posts referring to standing up a XenServer and then doing an export or conversion. Those methods would not work for this virtual appliance.
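The post attributes the XML error to the descriptor's encoding, so the first thing worth knowing about any .ovf you are handed is which encoding it actually uses. This added PowerShell example (mine, not from Citrix or the post) reads the byte order mark and the encoding the XML declaration claims and reports whether the two agree; the path is a placeholder.

```powershell
# Added example, not from Citrix or the post. Reports the byte order mark and
# the declared XML encoding of an OVF descriptor; the path is a placeholder.
function Get-OvfEncodingInfo {
    param([Parameter(Mandatory = $true)][string]$Path)

    $bytes = [System.IO.File]::ReadAllBytes($Path)
    $head  = @(0, 0, 0, 0)
    for ($i = 0; $i -lt [Math]::Min(4, $bytes.Length); $i++) { $head[$i] = $bytes[$i] }

    # Test the 4-byte marks first: UTF-32 LE begins with the same FF FE as UTF-16 LE.
    $bom = if     ($head[0] -eq 0xFF -and $head[1] -eq 0xFE -and $head[2] -eq 0x00 -and $head[3] -eq 0x00) { 'utf-32 LE' }
           elseif ($head[0] -eq 0x00 -and $head[1] -eq 0x00 -and $head[2] -eq 0xFE -and $head[3] -eq 0xFF) { 'utf-32 BE' }
           elseif ($head[0] -eq 0xFF -and $head[1] -eq 0xFE) { 'utf-16 LE' }
           elseif ($head[0] -eq 0xFE -and $head[1] -eq 0xFF) { 'utf-16 BE' }
           elseif ($head[0] -eq 0xEF -and $head[1] -eq 0xBB -and $head[2] -eq 0xBF) { 'utf-8' }
           else { 'none' }

    # Decode with the detected encoding and read what the XML declaration claims.
    $enc = switch ($bom) {
        'utf-32 LE' { [System.Text.Encoding]::UTF32 }
        'utf-32 BE' { New-Object System.Text.UTF32Encoding($true, $true) }
        'utf-16 LE' { [System.Text.Encoding]::Unicode }
        'utf-16 BE' { [System.Text.Encoding]::BigEndianUnicode }
        default     { [System.Text.Encoding]::UTF8 }   # no BOM: ASCII/UTF-8 assumed
    }
    $text = $enc.GetString($bytes)
    $declared = if ($text -match '<\?xml[^>]*encoding="([^"]+)"') { $Matches[1] } else { '(not declared)' }

    # A BOM that contradicts the declaration is exactly what makes an XML parser bail.
    $bomFamily  = $bom.Split(' ')[0] -replace '-', ''   # utf32 / utf16 / utf8 / none
    $declFamily = $declared -replace '-', ''
    $consistent = if ($declared -eq '(not declared)') { $true }
                  elseif ($bomFamily -eq 'none') { $declFamily -notmatch '^utf(16|32)$' }
                  else { $declFamily -eq $bomFamily }

    [pscustomobject]@{
        File       = Split-Path -Leaf $Path
        Bom        = $bom
        Declared   = $declared
        Consistent = $consistent
    }
}

Get-OvfEncodingInfo -Path 'C:\Downloads\NSInsightCenter\NSInsight.ovf' | Format-List
```

Run it against both the XenConvert output and the descriptor from the Citrix zip; the difference in the Bom column is the whole story behind the import error, and it tells you in seconds whether a file is worth trying.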

Looking at the deployment guide from Citrix on how to install this on VMware was a little confusing. It looks like it was written by someone who knew very little about VMware products. Why would you need the VMware OVF Tool installed? Reading that made me really wonder how much effort I needed to put into this deployment.

The answer to all of this was a little simpler. Looking at the download section there is one option for a zip package.


This is the latest version that will work for an initial deployment on vSphere. Version 120.13 is what you want to use as of the date of this post. You will also notice that Citrix has posted: "In order to upgrade ESX VM from builds before 120.13 release to 120.13+ builds, fresh install of the 120.13+ build is recommended".

Within this zip file there is an OVF that is encoded as UTF-32. Once you download this version it is as simple as deploying a regular virtual appliance. I recommend reviewing the Citrix Reference Architecture while planning your deployment. When you get your virtual appliance up and running, the default username and password are nsroot / nsroot. Change that password before the appliance is reachable from anything other than your admin workstation; a default credential is public knowledge the moment it is documented.

VMware permission issues and XenDesktop 7.x

I recently set up a new XenDesktop 7 environment in tandem with my XenDesktop 5.6 FP1 and ran into permission issues. This environment consists of XenDesktop using VMware as the hosting infrastructure and MCS with PvD as the provisioning method. In XenDesktop 7 I attempted to provision Windows 8.1 and Windows 7 desktops but was met with the following error:

DesktopStudio_ErrorId : UnknownDumScheme
Sdk Error Message : Invalid provisioning scheme
Sdk Error ID : Citrix.XDPowerShell.Broker.UnknownDumScheme,Citrix.Broker.Admin.SDK.SetBrokerCatalogCommand
ErrorCategory : ObjectNotFound
DesktopStudio_PowerShellHistory : Create Machine Catalog ‘Desktops’

Inner Exception:
System.InvalidOperationException Invalid provisioning scheme

I watched the tasks in vCenter as it created new VMs, but then immediately deleted the disks. I then checked for orphaned VMDK files and found base disks left over from the provisioning process. I couldn't figure out what "Invalid provisioning scheme" meant. I then went on to attempt a pool of Windows XP x86 desktops and was met with a different error:

ErrorID : Citrix.ManagedMachineAPI.NotAuthorizedForOperationException
TaskErrorInformation : Citrix.ManagedMachineAPI.NotAuthorizedForOperationException: Either the account is not granted sufficient privilege or disabled or username/password is incorrect —> Citrix.ManagedMachineAPI.NotAuthorizedForOperationException: Either the account is not granted sufficient privilege or disabled or username/password is incorrect —> System.Web.Services.Protocols.SoapException: Permission to perform this operation was denied.
at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)
at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
at VimApi.VimService.CreateVM_Task(ManagedObjectReference _this, VirtualMachineConfigSpec config, ManagedObjectReference pool, ManagedObjectReference host)
at Citrix.PoolManagement.VMManager.VmmImplementation.Vmware.VmwareVmManager.CreateTargetVm(String name, Int32 memory, Int32 cpuCount, Dictionary`2 extraConfig, ManagedObjectReference datastore, String guestId, ICollection`1 deviceList, ManagedObjectReference folderRef, ManagedObjectReference resourcePoolRef, String version)
at Citrix.PoolManagement.VMManager.VmmImplementation.Vmware.VmwareVmManager.CreateVm(String name, IVMMetadata metadata, Int32 cpuCount, Int32 memory, String storageID, ManagedObjectReference resourcePoolRef, NetworkInterfaceDetails nics, Boolean enableNetwork, Boolean tagVm)
at Citrix.PoolManagement.VMManager.VmmImplementation.Vmware.VmwareVmManager.CreateCompleteVM(String name, IVMMetadata metadata, Int32 cpuCount, Int32 memory, String storageId, String dataCenterPath, ManagedObjectReference resourcePool, NetworkInterfaceDetails nics, Boolean enableNetwork, Boolean tagVms, IList`1 disks)
— End of inner exception stack trace —
at Citrix.PoolManagement.VMManager.VmmImplementation.Vmware.VmwareVmManager.Intercept(Exception e)
at Citrix.PoolManagement.VMManager.VmmImplementation.Vmware.VmwareVmManager.CreateCompleteVM(String name, IVMMetadata metadata, Int32 cpuCount, Int32 memory, String storageId, String dataCenterPath, ManagedObjectReference resourcePool, NetworkInterfaceDetails nics, Boolean enableNetwork, Boolean tagVms, IList`1 disks)
at Citrix.PoolManagement.VMManager.VmmImplementation.Vmware.VMwareHypervisor.<>c__DisplayClass1c.<BeginCreateCompleteVM>b__1b(VmwareVmManager manager)
at Citrix.HypervisorCommunicationsLibrary.TaskRunItem`2.Run(T manager)
at HypervisorsCommon.HCL.TaskRunner`1.Run()
— End of inner exception stack trace —
at HypervisorsCommon.HCL.TaskScheduler`1.CompleteTask(IAsyncResult result)
at Citrix.PoolManagement.VMManager.VmmImplementation.Vmware.VMwareHypervisor.EndCreateCompleteVM(IHostingUnitConnector hostingUnit, IAsyncResult result)
at Citrix.MachineCreation.NewProvVMSupport.NewProvVMLogic.CreateVmCallback(IAsyncResult result)

What stood out in this error is the account error. It is not very descriptive about which account it is talking about. Was it the AD machine accounts or was it the permissions to the vCenter host? The stack trace does give a hint: the denial comes back from the vSphere API's CreateVM_Task call, not from anything on the Windows side. It turns out both of these errors are related to the vCenter permissions.

XenDesktop 7 requires more permissions on the vCenter side. I have a specific role in vCenter for a Citrix service account (best practice: a dedicated least-privilege role rather than handing the service account Administrator). I still had my initial permissions from my 5.6 FP1 install. Looking at the permissions list in the Citrix eDocs for integration with VMware, it seems that Citrix has added more permissions to the list; this time last year it was not the same. If you compare the permissions list for XenDesktop 7 you will notice the only difference is "Virtual machine > Configuration > Advanced". After adding the appropriate permissions I was able to provision any type of Windows OS.
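Checking a role against a required privilege list is quicker in PowerCLI than clicking through the role editor. This added example (mine, not from Citrix or the post) reports which privileges a role is missing, optionally adds them, and shows who the role is assigned to. It assumes Connect-VIServer has been run and that the XenDesktop service account's role is called 'Citrix-XD' (a placeholder); the privilege IDs are vCenter's internal names, where VirtualMachine.Config.AdvancedConfig is "Virtual machine > Configuration > Advanced" in the client.

```powershell
# Added example, not from Citrix or the post. Assumes Connect-VIServer has
# been run; the role name is a placeholder.
function Test-VIRolePrivileges {
    param(
        [Parameter(Mandatory = $true)][string]$RoleName,
        [Parameter(Mandatory = $true)][string[]]$RequiredPrivilege,
        # Add the missing privileges to the role instead of only reporting them.
        [switch]$Fix
    )
    $role = Get-VIRole -Name $RoleName
    # PrivilegeList holds the privilege IDs (e.g. VirtualMachine.Config.AdvancedConfig).
    $missing = @($RequiredPrivilege | Where-Object { $role.PrivilegeList -notcontains $_ })

    if ($missing.Count -gt 0 -and $Fix) {
        Set-VIRole -Role $role -AddPrivilege (Get-VIPrivilege -Id $missing) | Out-Null
        $role = Get-VIRole -Name $RoleName   # re-read after the change
    }

    [pscustomobject]@{
        Role       = $role.Name
        Missing    = ($missing -join ', ')
        Fixed      = [bool]($Fix -and $missing.Count -gt 0)
        AssignedTo = (Get-VIPermission | Where-Object { $_.Role -eq $role.Name } |
                      ForEach-Object { '{0} on {1}' -f $_.Principal, $_.Entity }) -join '; '
    }
}

# The two privileges this post's errors point at; extend from the Citrix eDocs
# list for your XenDesktop version.
$xd7 = @(
    'VirtualMachine.Inventory.Create',      # CreateVM_Task in the stack trace needs this
    'VirtualMachine.Config.AdvancedConfig'  # "Virtual machine > Configuration > Advanced"
)
Test-VIRolePrivileges -RoleName 'Citrix-XD' -RequiredPrivilege $xd7
```

Run it without -Fix first; the AssignedTo column also catches the case where the role is fine but the permission is set on the wrong object (a folder instead of the cluster, or without propagation).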

The permission lists for VMware integration can be found here:

Xendesktop 5.6 FP1 –

XenDesktop 7.1 –

Upgrade Citrix license server for XenDesktop 7

I recently went through the exercise of upgrading my license server to 11.11.1 in preparation for upgrading to XenDesktop 7. There is an addition to the process that is not really explained in the Citrix eDocs that I would like to explain. In this version of the installer they included the Simple License Service.

When you launch the install media, you will notice that it does not give you the option to run the installation for the license server. You must navigate to the Licensing folder on the install media.



When you launch the install, it will give the option to upgrade. If you do not have a license server installed, it will give you the option to install and not upgrade.



During the installation you will get a notice about Citrix article CTX135976. What this says is that Desktop Studio will no longer display license usage information. The screenshot below is an example of the license usage information from Desktop Studio. I am using XenDesktop 5.6 FP1 and its Desktop Studio; after the upgrade, my license information will no longer display in this window. I will edit this post if it is available in XenDesktop 7.


After the upgrade you will be prompted to configure the port for the license server. This is the port for the Simple License Service. You will notice the addition of the Simple License Service in the Start menu. Citrix's notes on it are worth reading before you click anything:



– The Simple License Service allocates and downloads all the licenses available for a specific product. If you want to allocate and download only some of the licenses for a product, use My Citrix.
– Once you click Allocate and Download, you cannot cancel it. If the Allocate and Download fails, use My Citrix.
– The Simple License Service does not support redownloading or reallocating of license files. For those features, use My Citrix.
– If you rename the license server, you must reallocate any license files allocated under the old license server name and reinstall the Simple License Service. You cannot use the Simple License Service to reallocate license files. For more information about reallocating files, see Reallocating License Files in Citrix eDocs – Licensing Your Product.
– If the Simple License Service is installed and you upgrade your license server, you must repair the Simple License Service before using it again.


VMware vCenter Server 5.5.0a

As of 10/31/2013 VMware released vCenter 5.5.0a. There is no other corresponding release that came out with this version. It looks like this is a patch to vCenter dealing with login and SSO issues.

The full release notes can be found here.

Issues resolved with this release are as follows:

  1. Attempts to upgrade vCenter Single Sign-On (SSO) 5.1 Update 1 to version 5.5 might fail with error code 1603
  2. Attempts to log in to the vCenter Server might be unsuccessful after you upgrade from vCenter Server 5.1 to 5.5
  3. Unable to change the vCenter SSO administrator password on Windows in the vSphere Web Client after you upgrade to vCenter Server 5.5 or VCSA 5.5
  4. VPXD service might fail due to MS SQL database deadlock for the issues with VPXD queries that run on VPX_EVENT and VPX_EVENT_ARG tables
  5. Attempts to search the inventory in vCenter Server using vSphere Web Client with proper permissions might fail to return any results
  6. vCenter Server 5.5 might fail to start after a vCenter Single Sign-On Server reboot
  7. Unable to log in to vCenter Server Appliance 5.5 using domain credentials in vSphere Web Client with proper permission when the authenticated user is associated with a group name containing parentheses
  8. Active Directory group users unable to log in to the vCenter Inventory Service 5.5 with vCenter Single Sign-On
  9. Attempts to log in to vCenter Single Sign-On and vCenter Server might fail when there are multiple users with the same common name in the OpenLDAP directory service
  10. Attempts to log in to vCenter Single Sign-On and vCenter Server might fail for OpenLDAP 2.4 directory service users who have attributes with multiple values attached to their account
  11. Attempts to Log in to vCenter Server might fail for an OpenLDAP user whose account is not configured with a universally unique identifier (UUID)
  12. Unable to add an OpenLDAP provider as an identity source if the Base DN does not contain a “dc=” attribute
  13. Active Directory authentication fails when vCenter Single Sign-On 5.5 runs on Windows Server 2012 and the AD Domain Controller is also on Windows Server 2012

Windows 8.1 released today. Does it work with vSphere?

And the crowds rejoice over the new Windows 8.1 release. Or do they? Let's see if things work out in a vSphere environment.

I have to be honest and say that I did not even test any of the early releases of Windows 8.1 a few months ago. I decided on release day to try things out and here is what I ran into.

I first tried Windows 8.1 Enterprise. There is nothing special about the base deployment of the VM. You select the LSI Logic SAS controller and label the VM as Windows 8. I attempted to use the EFI boot firmware with the VM, but it looked like Windows 8.1 was not compatible with it. Upon setting the firmware back to default, the VM then booted to the Windows setup fairly quickly. Unfortunately it looked like Windows 8.1 had stripped out the LSI Logic SAS controller drivers! Even the paravirtual drivers did not work. VMware only provides a floppy drive package for the legacy BusLogic Parallel drivers. I even attempted to upgrade to hardware version 9 (seemed to work on VMware Workstation) and I ran into the same issue. I experienced the same issue with Server 2012 R2. I tried the 8.1 Pro edition as well with no luck!

Turns out, don't always trust downloads from Microsoft. The downloads I received were fragmented. Check out VMware KB article 1537 to verify the integrity of the download you received from Microsoft. It is best to use the download manager from Microsoft to make sure you receive a good download. Once I had a good download, everything worked great.

Windows 8.1 and Server 2012 R2 run perfectly on vSphere, even with the EFI boot firmware.

Free vSphere hands on labs

The vSphere HOL portal was announced by VMware last year. This year the labs from VMworld 2013 are available for everyone to enjoy.

The lab setup is exactly what you would see at VMworld. There are a ton of useful resources for learning. You can do a basic install of vSphere and tinker with most of the advanced options. I encourage everyone who is looking into VMware products to try out a demo in the portal!

Some of the topics include:

– Applied Cloud Operations
– vSphere Distributed Switch from A to Z
– vSphere Performance Optimization
– Business Continuity and Disaster Recovery In Action
– vCloud Automation Solutions
– Virtual Storage Solutions
– vSphere Big Data Extensions
– vSphere and vSOM 101
– VMware IT Business Management
– vCloud Suite Use Cases – Infrastructure Provisioning (IaaS)
– vCloud Suite Use Cases – Application Provisioning (PaaS)
– vCloud Suite Use Cases – Control & Compliance
– vCloud Suite Use Cases – Quality of Service
– vCloud Suite Use Cases – Business Critical Applications
– vCloud Suite Use Cases – Business Continuity & Disaster Recovery
– Horizon View from A to Z

Hardware vendor VIB depots

Did you know you can use VMware Update Manager to deliver your hardware vendor's VIBs (drivers, CIM providers and management agents)? Each vendor publishes a depot URL that ties into VUM. VUM only applies VIBs whose signature meets the host's acceptance level, so keep hosts at PartnerSupported or above rather than lowering the level to make a package install.

In VUM, navigate to Configuration > Download Settings > Add Download Source and enter the URL. Here is the list of vendors I have gathered so far:



IBM: Unfortunately they do not have a direct URL to tie in with VUM. Updates are obtained by searching "Fix Central" on the IBM website.

Cisco: I have not found one yet. Since everything is updated in UCS, this VIB directory may not exist.

I will attach a script later to include all or one.