Authentication design for vSphere

If the company's authentication is currently handled by an enterprise authentication mechanism other than Active Directory, is it possible for the company's existing authentication mechanism to handle authentication to vSphere?

If yes, what is the best way to handle this?

For example, should we:

- Use Active Directory for authentication and configure Active Directory to delegate the authentication requests to the existing enterprise authentication mechanism

- Use another option

What are the options to make this happen?

Any input is appreciated.

Thank you!

Hello

Moved to the security forum.

There are several places where "authentication and authorization" (A & A) need attention...

(1) vCenter A & A

(2) ESX/ESXi A & A

(3) vMA A & A

(4) The vSphere SDK has one that is really vCenter or ESX/ESXi A & A

(5) WebAccess has one that is really vCenter or ESX/ESXi A & A

For vCenter, authentication is based entirely on whatever mechanism the Windows Server running vCenter supports. So if your current mechanism is supported by Windows, you can use it for authentication.

For ESX authentication, you are limited to what is supported by RHEL5 Linux with what is already installed in the service console. That includes NIS, LDAP, Kerberos, AD (which needs a bit of work) and other such things. If you install agents in the service console to manage authentication, then you may need to uninstall them when you call VMware support... Not the best way to go IMHO, but it is certainly possible, as long as you do not overwrite any "existing" packages to make your authentication work... Install into a different root.

For ESXi authentication, you are limited to the standard *NIX authentication and, similarly, AD authentication.

For vMA authentication, you are limited to just what Linux normally uses, but once again do not replace any existing packages, and I suggest you only install into a different root, so that everything remains "supported".

I have found that most 3rd-party security tools and other things for VMware only integrate with AD, so you are fairly limited if you have 3rd-party tools.

You need to look at the entire picture when designing authentication, and not only vCenter or ESX.

Best regards
Edward L. Haletky, VMware Communities User Moderator, VMware vExpert 2009, 2010


Similar Questions

  • Authentication in vSphere 5.0 and 5.1

    I am trying to get a handle on how users are handled before and after SSO authentication. The official PDFs are a little vague on some issues. I have the complete set of ISOs for 5.5, but not for 5.1 and 5.0. I have been trying to deduce how things work for 5.0 and 5.1 from the What's New publications and working backward. Here is what I think the available authentication options are.

    vSphere 5.0

    ---------------------

    Direct connection to an ESXi 5.0 host: local database (/etc/passwd etc.), Active Directory

    vCenter Server Appliance: local database (/etc/passwd etc.), Active Directory

    vCenter Server Windows version: local database (SAM database), Active Directory

    vSphere 5.1

    ---------------------

    Direct connection to an ESXi 5.0 host: local database (/etc/passwd etc.), SSO

    vCenter Server Appliance: SSO only

    vCenter Server Windows version: SSO only

    SSO on VCSA: local database (/etc/passwd etc.), Active Directory, LDAP

    SSO on Windows Server: local database (SAM database), Active Directory, LDAP

    I found no mention of LDAP in any of the official VMware documentation, with the exception of the Layer 4 port numbers and Figure 2 of the Single Sign-On authentication PDF, but I found a web page or two claiming the use of OpenLDAP as an identity source in a vSphere 5 virtual lab environment.

    So, is the table above correct?

    Thank you

    My screenshots are from VCSA.

  • Design of a new vSphere environment: vMotion, storage, NIC issues

    I have a new environment to design. The plan is to have two hosts running vSphere 5.1. Each host will have multiple servers requiring HA. I intend to have an additional Buffalo storage server. Here are my questions.

    For HA using vMotion, would the virtual machine's datastore be stored on the storage server? Or would the datastore be on the host where the virtual machine runs, and then if this host fails it gets copied over?

    How many NICs would I need per server for HA? I count at least 3: one each for network traffic, management and SAN. Am I missing anything?

    OK, so if I put my two hosts in an HA cluster and I have my VMs installed on a separate storage server and one of my vSphere hosts crashes, will I be able to restart my virtual machine on the other host?

    Yes, assuming that both hosts have access to the storage and HA is configured correctly.

    And is vMotion just for scheduled maintenance?

    Not only for maintenance, but also, for example, for load management/distribution.

    André

  • Authentication design issues and wireless security

    Wireless newbie here... I had to quickly throw together a wireless deployment in a new office/warehouse building. I have the basic network up and working. My remote access point is associated with the 2106 in the main office, and users can associate and authenticate to the 1130 AP and access the office network. I did the basic configs and am now looking to tighten security. My questions are the following:

    (1) The user clients are Dell laptops with built-in radios. They authenticate using LEAP... How do I migrate to EAP, or do I have to? I have a Cisco ACS for RADIUS authentication.

    (2) Can I use some sort of supplicant client on the laptops?

    (3) How do I filter MACs so that rogue APs and rogue clients cannot try to associate?

    (4) Am I correct in assuming the connections between the 1130 AP and the 2106 are secure, and if so, do I need to change anything to strengthen them?

    (5) I have an AP in the main building that I want to set up to detect rogue APs. Do I associate it as a regular access point and push some kind of policy so that it becomes a detector?

    I have attached a diagram to explain. Any help would be appreciated.

    v/r

    Chad

    1. LEAP is a form of EAP, so you already have something terminating your EAP sessions. The WLC can do it to an extent, or ACS. Which you choose will be based on your needs for rich functionality, scalability and manageability. I would say that PEAP-MSCHAPv2 offers a good compromise between ease of use and security and that it is significantly better than LEAP.

    2. No, stick with the supplicant built into Windows XP SP2. This can be configured using domain policy (2k3 SP1 or higher) and is pretty good. Just make sure that your laptops have recent Intel drivers on them. Dell in particular has been pretty bad about shipping old drivers in their builds.

    3. MAC authentication is now largely considered a waste of time. It is so easy to spoof a MAC address that it is ridiculous, and it is a fair amount of work for the privilege.

    4. The LWAPP tunnel encrypts all management/config/security traffic between the AP and the WLC, while user data is simply encapsulated in LWAPP, so it can potentially be read if the packets are captured.

    5. Any AP will do for detecting rogue APs; you don't really need dedicated APs unless you are REALLY paranoid. The major advantage is faster detection, but the downside is that the "detector" APs don't serve clients.

    Kind regards

    Richard

  • Authentication & vSphere 5 appliance benefits

    Hello guys, sorry to bother you,

    I have 2 questions:

    1 > What are the benefits of installing vSphere 5 as an appliance rather than on Windows Server?

    2 > I am trying the appliance, but I did not understand how to log in with my Windows account (AD) on the VMware vSphere server (in appliance mode)?

    Thanks in advance.

    I can't tell you why this happens, but the name of the appliance is not the most important part. It's more the appropriate network configuration (IP address, subnet mask, gateway address and DNS server) that matters. In addition to configuring the appliance itself, you must manually create a Host-A DNS entry on your DNS server for the appliance to ensure proper name resolution.

    André

  • vSphere network design - thoughts?

    Hi all

    Looking for some advice/confirmation on a build that I am putting together

    Hardware: Blade C3000, 4 pass-through switches

    2 x BL460c G6 servers with 6 NICs each.

    Design is similar to the following:

    2-NIC team for production and service console on the same vSwitch0; thoughts on this?

    1 NIC on each host for vMotion

    2 x NICs for iSCSI SAN and SC (iSCSI not used yet, just FC)

    1 DMZ NIC on each host

    Will it work OK? Using pass-through to keep things simple, and patching to the main switch and DMZ as appropriate. No security concerns?

    Look forward to the comments.

    Cheers

    Use only 2 NICs for iSCSI... no SC.

    If you have 4 free NICs you might consider (if possible) using VLAN tagging for vMotion, DMZ, management and LAN on the same vSwitch.

    Then for each port group use the right VLAN tag and bind it to different NICs.

    André

  • Design and upgrade question

    Hello community,

    I have the following design and upgrade question on vSphere 6 with SRM.


    In one of our subsidiaries, we have configured the following setup:

    - VMware vSphere 5.5 U3 environment with Site Recovery Manager 5.8 installed.
    - Two vCenter Servers running in linked mode, so you only need access to one vCenter Server to see both sites.

    Now we want to upgrade to vSphere 6, and here I have some questions about how best to do it.
    Wouldn't it be a good idea, or maybe even mandatory, to have an external Platform Services Controller installed in the vSphere environment, and then start the upgrade to vSphere 6 with each site having its "own" PSC?

    Thanks for any tips and guidance from your side.

    Did you read the documentation regarding the upgrade to SRM 6 located here: Site Recovery Manager 6.0 Documentation Center

    That will answer all your questions, including the one about the PSC. In short, you want a PSC for each site. The reason is that you want each site to be completely independent of the other.

    If you have read the docs and you still have questions, please post them.

  • Design HELP

    Hi guys

    I need some advice to virtualize my current server room.

    Currently, there are 4 servers: redundant DC, WEB/Intranet, Exchange and Financial.

    I'm going to buy a new server + NAS

    My questions are:

    1. Should I install ESXi 5.5 from scratch on the new server and configure 4 VMs and a NAS? I can manage it from a management laptop with the VMware client, or the Web Client, etc...

    Is it worthwhile to have a separate domain controller on another physical server?

    or

    2. Install Windows 2008 DC on the new server first, then VMware Workstation 10 and install 3 virtual machines? Or is there another way to install ESXi?

    How much RAM do you recommend for this VMware server, or how can I calculate it? Is 8 GB fine for each server?

    So can I consider buying the server with 32 GB? Do I also need to consider memory for ESXi? How much memory does this process take, 4 GB?

    For the physical server hard drives, I am thinking of RAID 5 with 300 GB. This server will have only the OSes of all the servers, with data storage on the NAS. Is that OK?

    And how many network adapters?

    The second part of this project will be to build another VMware server for clustering.

    What do you think, comrades?

    Thank you very much in advance for any comment or suggestion

    KR

    Jesus

    For vCloud, I would recommend this: http://www.vmware.com/files/pdf/VMware-Architecting-vCloud-WP.pdf

    But are you sure that your business really needs a cloud? You mentioned that your server room is small with only 4 servers offering basic services.

    But virtualization is probably the way to go if you want to reduce costs and consolidate your physical servers. With regard to storage, it is difficult to say how much space you would need, but judging by the size of the server room, maybe not much.

    Take a look at the VMware Virtual SAN solution; it allows you to virtualize even the storage part of your infrastructure, thereby eliminating even the SAN. https://communities.VMware.com/servlet/JiveServlet/downloadBody/25933-102-2-34324/VMware_Virtual_SAN_Whats_New.PDF

    In addition, there is really a lot to learn before you implement a virtual infrastructure. Not to mention that you must at least have some experience with virtual environments to effectively administer and properly design and implement a vSphere infrastructure. As grasshopper suggested, I highly recommend taking a course to learn the basics of vSphere.

  • Validate the network design: 2 x 10 GbE - NAS only 4 x 1 GB (jumbo frames)

    Dear Sir

    I have a few questions about the network design of our new vSphere environment.

    Details:

    - Enterprise license

    - vSphere 5 servers (HP DL360p), each with:

    128 GB memory

    2 x Intel E5-2665 (8 cores)

    2 x 10 GbE (HP FlexFabric 554FLR-SFP+)

    - The NAS environment is connected via a LACP of 4 x 1 GB (no dedicated storage network)

    - The network environment is built on Juniper EX4200s (virtual chassis stack)

    Should/can we use jumbo frames? :-)

    (a) The VMware servers will have 10 GbE and the storage network is only 4 x 1 GB?

    (b) Will this cause any problem for end-user connections that connect to the server VMs

    running on the infrastructure, such as the file servers...

    Not everything will use jumbo frames, such as the end-user PCs; or is this not a problem?

    Is the picture below the best way to go?

    GRZ,

    Geert

    Honestly, there are a lot of discussions on when to enable jumbo frames. In my opinion, I would not enable jumbo frames initially and would watch the traffic. If the backend was entirely 10 GbE or FC, I would definitely enable jumbo frames. If necessary, then I would enable them. Jumbo frames will not affect the user who connects to the virtual machine; remember that they need to connect to the ESXi host and not the actual storage unit.

  • WEBVPN and AD group membership

    I desperately need some advice with my WEBVPN authentication design.

    How do I restrict specific users to connecting only to certain connection profile aliases?

    For example, let's say I have GROUP A, GROUP B and GROUP C as aliases available in the drop-down on the SSL login screen. In AD, I have 3 security groups with the same names. How can I make sure that only members of the GROUP A security group can authenticate to the GROUP A connection profile and not the others? Ideally, I'd like to achieve this with RADIUS authentication, but I couldn't find an attribute that is passed along that I can pre-select against. Any suggestions are appreciated. Thank you.

    You can use LDAP attribute mapping to authenticate your users against AD with LDAP, retrieve the memberOf value and map it to the IETF-Radius-Class value, which the ASA uses to enable group-lock, allowing only users belonging to a specific tunnel-group policy to connect to that tunnel group.
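    The configuration the answer above describes, written out as an added example (not configuration from the original thread). The hostnames, IP address, DNs, group-policy and tunnel-group names and the bind account are assumptions for illustration; the ASA keywords themselves (ldap attribute-map, map-name, map-value, group-lock, vpn-simultaneous-logins, group-alias) are standard ASA CLI. Replace the placeholder bind password before use.

    ```cisco
    ! Assumed example config (not from the original post). AD DNs, names and
    ! addresses are placeholders.
    !
    ! 1) Translate the AD memberOf DN into IETF-Radius-Class, which the ASA
    !    interprets as the name of the group-policy to apply to the session.
    ldap attribute-map AD-GROUP-MAP
     map-name  memberOf IETF-Radius-Class
     map-value memberOf "CN=GROUP A,OU=VPN Groups,DC=example,DC=com" GP-GROUP-A
     map-value memberOf "CN=GROUP B,OU=VPN Groups,DC=example,DC=com" GP-GROUP-B
     map-value memberOf "CN=GROUP C,OU=VPN Groups,DC=example,DC=com" GP-GROUP-C

    ! 2) AAA server group: AD over LDAP, bound with a low-privilege read-only
    !    service account (assumed name), and the attribute map attached.
    aaa-server AD-LDAP protocol ldap
    aaa-server AD-LDAP (inside) host 10.0.0.10
     ldap-base-dn DC=example,DC=com
     ldap-scope subtree
     ldap-naming-attribute sAMAccountName
     ldap-login-dn CN=svc-asa-ldap,OU=ServiceAccounts,DC=example,DC=com
     ldap-login-password <bind-password>
     server-type microsoft
     ldap-attribute-map AD-GROUP-MAP

    ! 3) Default policy for anyone whose memberOf matched no map-value:
    !    zero simultaneous logins means the session is refused.
    group-policy GP-NOACCESS internal
    group-policy GP-NOACCESS attributes
     vpn-simultaneous-logins 0

    ! 4) The policy a GROUP A member receives is locked to the GROUP A
    !    tunnel-group. Selecting any other alias fails after authentication.
    group-policy GP-GROUP-A internal
    group-policy GP-GROUP-A attributes
     group-lock value TG-GROUP-A

    ! 5) Connection profile for GROUP A; the alias is the drop-down entry.
    tunnel-group TG-GROUP-A type remote-access
    tunnel-group TG-GROUP-A general-attributes
     authentication-server-group AD-LDAP
     default-group-policy GP-NOACCESS
    tunnel-group TG-GROUP-A webvpn-attributes
     group-alias "GROUP A" enable

    ! Repeat steps 4 and 5 for GP-GROUP-B/TG-GROUP-B and GP-GROUP-C/TG-GROUP-C.
    ```

    Two caveats a practitioner should check: memberOf is multi-valued, and the ASA applies the first map-value that matches, so a user in more than one of the mapped groups gets whichever match is found first; and group-lock compares against the tunnel-group name (TG-GROUP-A), not the alias shown in the drop-down, so the lock still holds if the alias text is later changed.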

  • vRO - vro-configure.sh documentation

    I'm looking to deploy and configure vRO 7 on demand as part of a pipeline for automated testing, then tear it down.

    It seems pretty easy to deploy with ovftool, and for configuring it I found vro-configure.sh, which seems to offer features to configure vRO Control Center, but I could not find any documentation on how to use some of the options.

    So far I have had it add a trusted certificate for vCenter:

    ./vro-configure.sh trust --sso-certificate /tmp/vcenter.darrylcauldwell.local.pem

    I am now looking to add the vCenter PSC for authentication. The authentication options are CAFE authentication, embedded authentication and OpenLDAP authentication; my hypothesis is that CAFE authentication is the one that handles external authentication that is not LDAP.

    The help for ./vro-configure.sh shows three mandatory parameters; if I specify them the command runs without error, but authentication is not configured:

    ./vro-configure.sh cafe-authentication --registry-url https://vcenter.darrylcauldwell.local/cm --sso-vco-admin-group administrators --sso-vco-admin-group-domain vsphere.local

    or

    ./vro-configure.sh cafe-authentication --registry-url vcenter.darrylcauldwell.local --sso-vco-admin-group administrators --sso-vco-admin-group-domain vsphere.local

    Is there any documentation or syntax examples for using vro-configure.sh?

    As far as I know, there is no detailed documentation for vro-configure.sh.

    I could be wrong here, but I think that the vro-configure.sh cafe-authentication command is only for configuring CAFE authentication when you use vRA and cannot be used to configure SSO authentication in a vSphere-only environment. I have to ask my colleagues who worked on this feature, but it seems that currently you cannot configure SSO authentication this way.

    BTW, there is also a REST API for Control Center that allows you to configure the various parts of vRO (including authentication) either through the user interface or using tools such as curl. Check https://{vrohost}:8283/vco-controlcenter/docs/

  • Infrastructure and administrator workflows

    I have two types of workflows that I need to run:

    1. Infrastructure management. These are things that Orchestrator has to do as regular scheduled workflows. They should not depend on an employee's Active Directory account for authentication to vSphere, but rather on a service account. That's why I need to use "Share a unique session" in my Orchestrator configuration and run it all through this service account (unless I'm mistaken; if so, correct me).

    2. Administrator tasks: these are things that must be run on an ad hoc basis by the administrators of the vSphere environment. Logging who did what in vCenter is important, and using the permissions and authorization already implemented in vCenter is important for these workflows, because there are different permission levels for vSphere admins configured in vCenter which should apply when these kinds of workflows run. So I need to configure vRO to use "Session per user" instead of "Share a unique session" (unless I'm mistaken; if so, correct me).

    However, I can only configure Orchestrator to use "Session per user" or "Share a unique session", but not both. How have people solved this problem? Does this call for two Orchestrator installations, one for administrators and one for infrastructure components?

    You may be able to create/remove the shared host connection on the fly in your workflow, to avoid exposing a connection in vCO.

    That's basically the way people did it for vCloud Director, where you need to have a connection per organization.

    The other way is to expose workflows accessing a particular host only. You need actions pulling the VM lists starting from a given vCenter, or to specify a root element presentation property.

    Once done, you can set permissions on the workflow.

    The third way is the one in your question: you can separate users by vCO...

    The bottom line is that you should have a special account that has sufficient rights to perform the infrastructure management, and use "Session per user" with this user.

    The first solutions are the ones requiring the most effort, while the last ones require less.

  • vCenter 5 management network question

    Our VMware environment is expanding; we are currently redesigning the network connections. Can anyone offer recommendations or best practices on the following questions?
    (1) On new host builds, can we use another IP range for the management network without causing problems with the subnets already used by existing hosts? Can I change the IP address of existing hosts without a rebuild?
    (2) We are very short of Cisco ports. My Network Services team is asking if we can combine the management network traffic with vMotion traffic on the same physical connection. What would the ramifications be if we allow both at the same time? Unless there is a host failure, all vMotion activity is controlled manually and is very light. We are working (ongoing project) on a DR plan, but have nothing in place.

    Is it 2x1GbE or 2x10GbE?
    If it is 2x10GbE and you have vSphere Ent+, I'd go for the single VDS design using NIOC.

    Check out this blog on NIC design layout: VMware vSphere 5 host NIC network design layout and vSwitch Configuration [Major Update]

  • SSO + AD = everyone can log in to the Web Client

    Hello guys,

    Scenario

    • VMware vCenter Server Appliance 5.1
    • SSO with Active Directory as the authentication repository
      • A "Base DN" for users and groups was entered during the configuration process.
      • There is an AD group that I called "GS_VMWARE_ADMINS" with my VMware admins inside...

    What is going on

    I noticed that ALL users in the OU that I specified in the "Base DN for Users" during the SSO + AD integration configuration are able to authenticate to the vSphere Web Client. In the Windows vSphere Client these users are blocked as expected.

    OK... even non-members of my "GS_VMWARE_ADMINS" group can log in to the Web Client... Fortunately, the options are inaccessible. Thank God...

    What I expect

    I expect that only the users in the GS_VMWARE_ADMINS group are able to authenticate to the vSphere Web Client... not every single user in the department, even with restrictions...

    What am I missing to get this working this way?

    Kind regards

    FABrizzolla

    No problem. Please mark my answer as "correct".

  • Single-NIC or Multi-NIC vMotion

    Here is our current design for our upcoming vSphere 5.1 deployment

    There has been a good bit of internal discussion on whether to use a single 10 GB NIC for vMotion or two 10 GB NICs for vMotion

    Most of the debate has been around "isolating" the vMotion traffic and keeping it as localized as possible

    We have all the vMotion traffic in a separate VLAN, vlan127, as you can see in our design

    The big question becomes exactly where will the vMotion traffic go? Which switches/links does it really traverse?

    Is this correct?

    1. If we start with one vMotion NIC, then once vMotion begins, traffic will be generated from the host losing the virtual machine to the host gaining the virtual machine. In this scenario, traffic will cross one BNT switch. This leads to two conclusions:

      1. Traffic never goes as far as the Juniper core
      2. vlan127 (vMotion) does not need to be part of the trunk going from the Juniper core to the BNT
    2. If we go with two vMotion NICs, then both 10GB network adapters might be involved in vMotion. This means that vMotion traffic between two ESXi hosts could hit one BNT switch, traverse the stack connections (two 10 GB connections between the BNTs) and go to another host via a 10 GB NIC. This also leads to two conclusions:
      1. Traffic never goes as far as the Juniper core. It remains isolated on a single BNT switch or moves between BNT switches through the two 10 GB stack connections
      2. vlan127 (vMotion) does not need to be part of the trunk going from the Juniper core to the BNT

    Design.png

    vMotion traffic is just unicast IP traffic (well, except for some bug) between ESXi vmkernel ports configured for vMotion, hopefully isolated in a non-routed layer 2 broadcast domain (VLAN). Simple as that. Where the traffic physically goes depends on which physical NIC is configured for the respective vmkernel ports. The path between the two obviously depends on the layer 2 switching/STP infrastructure, which in your case would be just the blade chassis switches.

    Multi-NIC vMotion essentially establishes several independent streams between different IP and MAC addresses belonging to the same host. Consider the following:

    Hosts A and B with vmk1, using physical vmnic1, connected to physical pSwitch1, and vmk2, using vmnic2, connected to pSwitch2. The two pSwitches trunk the vMotion VLAN directly between them.

    If both hosts have only vmk1 enabled for vMotion, traffic will never leave pSwitch1. If host B has only vmk2 enabled for vMotion, or you swap uplinks, it will pass through both pSwitches.

    Now, if you enable both vmkernel interfaces for vMotion, it is hard to say how the hosts decide which vmk connects to which. You may end up going through both pSwitches for both streams, or you are lucky and end up with source and destination interfaces that reside on the same pSwitch. I don't know how ESXi decides the pairings; this article seems to suggest it is done deterministically, so that in a similar configuration the same vmk would connect to each other:

    http://www.yellow-bricks.com/2011/12/14/multi-NIC-VMotion-how-does-it-work/

    Whatever the case, unless you need other hosts on different switches, connected only through your core, to be able to vMotion between hosts, there is no need at all to tag the vMotion VLAN on your links between chassis and core switches.

    You see, your Multi-NIC vMotion question is completely unrelated to this.

    If we start with one vMotion NIC, then once vMotion begins, traffic will be generated from the host losing the virtual machine to the host gaining the virtual machine. In this scenario, traffic will cross one BNT switch. This leads to two conclusions:

    1. Traffic never goes as far as the Juniper core
    2. vlan127 (vMotion) does not need to be part of the trunk going from the Juniper core to the BNT

    1. Yes.

    2. Yes.

    Traffic *could* cross both BNT switches, as I explained above.

    If we go with two vMotion NICs, then both 10GB network adapters might be involved in vMotion. This means that vMotion traffic between two ESXi hosts could hit one BNT switch, traverse the stack connections (two 10 GB connections between the BNTs) and go to another host via a 10 GB NIC. This also leads to two conclusions:

    1. Traffic never goes as far as the Juniper core. It remains isolated on a single BNT switch or moves between BNT switches through the two 10 GB stack connections
    2. vlan127 (vMotion) does not need to be part of the trunk going from the Juniper core to the BNT

    1. Yes.

    2. Yes.

    Personally, I'd go with Multi-NIC vMotion using NIOC with soft shares in your config.
