Videos introducing solutions for deploying a virtual router network on VMware


Summary of the steps to install a virtual router with pfSense
Step 1. Create a VM on VMware vCenter ESXi 5.1

Step 2. Configure the VM for pfSense

Step 3. Select FreeBSD 64-bit as the operating system for pfSense

Step 4. Create two NICs to separate the WAN network from the LAN / DMZ network

The next steps are configuring and using pfSense

Install pfsense in vmware esxi

How to multi public WAN IP’s with PFSense

PFSense Load Balance Dual Wan 2 ISP IP Choice Cable TV

pfsense WiFi Hotspot

pfsense multi wan / load balancing

pfSense – LoadBalance e FailOver

Configuring a DMZ in pfSense 2.0

PFSENSE Download limit per IP

pfSense 2.0 – Limit Download & Upload bandwidth per IP

Configuring NAT Port Forwarding in pfSense 2.0:

4 – PfSense – Step by Step Firewall, Alias , NAT, Rules, and virtual ip:

Tutorial pfSense Firewall NAT 1:1

Lab: how to build, install and configure a software router/firewall in a VMware ESXi 5.1 virtual network


Purpose of virtualizing router/firewall network devices:

1. To replace, supplement or

2. To save the cost of investing in additional network devices for routing, firewalling, NAT, VPN, OpenVPN, DirectMAP and bridging from vendors such as Cisco / Barracuda, Juniper, Fortigate …

3. To make these router devices easy to deploy, control and use once they are virtualized on the VMware platform.

Basically:

– Router-based networking is a long-established approach; hardware router/firewall devices all run firmware written by the software partner companies of well-known device makers such as Cisco, Juniper …

– VMware's network virtualization can fairly be called a revolution in deploying and managing networks effectively: it is "software that defines and sets up the network", my loose translation of SDN, "Software Defined Networking".

– VMware is becoming the number one empire in computer virtualization and may also be number one in virtualized networking (SDN); most recently VMware also announced the VMware NSX architecture. The technology race is really interesting.

 

Opinions for reference:

Seven reasons VMware NSX, Cisco UCS and Nexus are orders of magnitude more awesome together

VMware’s Martin Casado- Energy and Chaos – Network Computing

http://searchnetworking.techtarget.com/news/2240204863/VMware-NSX-Network-virtualization-doesnt-need-to-be-a-turf-war

 

From the viewpoint of someone who works in technology and deploys and uses VMware technology, I have the following three opinions:

1. VMware is making very fast, strong technological moves, well worth technologists following and renewing their technological thinking.

2. The series of articles above writes about VMware's new technology in a "very American-style slick" way, aiming to conceal the force of a "tsunami" that will sweep away all the device-manufacturing partners such as CISCO, Juniper … if they do not accept the new game and change their technology to suit the playing field that VMware itself has set up, "NSX".

3. VMware's playing field is now wide enough. As for the statement "VMware NSX: A tool for peace, not war", I describe it here as "American-style slickness" because in reality it is not peace but war. But all the partners such as CISCO and Juniper, whether they like it or not, will have to raise their technology and stop producing and developing the network technologies that VMware is gradually replacing with SDN. They lose their strength, their specialized networking weapons, so how can there be a war when everyone is a prisoner swept along by the "Ware" of VMware?

This humorous story will run for many more episodes for many people, but for technology developers it is already quite clear.

 

Hands-on:

– Build a network and a router/firewall using the network virtualization of VMware ESXi 5.1

Step 1. Create the VM servers or client workstations in the vCenter VMware ESXi 5.1 network and split them into 2 virtual network layers: WAN & LAN

–> Each ESXi 5.1 service VM will have 2 virtual network cards.

eM0 ==> WAN

eM1 ==> LAN

Step 2. Download the bootable ISO file for installing the router/firewall from pfSense (http://pfsense.org)

Step 3. On the ESXi 5.1 host that holds the VM running the pfSense router, configure the NTP service with the following 3 common addresses:

0.us.pool.ntp.org

north-america.pool.ntp.org

pool.ntp.org

Step 4. Configure and assign the WAN & LAN networks through the web interface on the router (pfSense).

WAN –> eM0

LAN –> eM1

Step 5. Test that Windows 7 communicates with the pfSense router after it has been virtualized.

Lab video:

Thank you very much!

How to increase or decrease the size of a virtual disk (.VMDK)


1. How to grow and partition the disk:

When you created your virtual machine you of course created the number of disks and their sizes as per the requirements, best practice guidelines or just your best estimation for its use. However, as requirements change and the amount of data in your virtual machine grows, from time to time you need to add additional storage. How do you resize the virtual disk (.VMDK)?

Resizing virtual disks is relatively straightforward. However, as with anything, before making changes ensure you have a backup (especially when making changes to disks).
Note: You cannot change the disk size if you have taken a snapshot; besides, if there was an issue with the disk the snapshot would be useless anyway.
Another thing to be aware of is that you can only INCREASE the size of a virtual disk. You cannot reduce the size of a virtual disk; VMware does not currently allow it as it could risk losing data. If you want to reduce the disk size you could either use VMware Converter to copy the VM and resize the disks at the same time, or create a new smaller virtual disk and copy the data over to it.
To increase the size of a virtual disk (.VMDK):

1. Shutdown the virtual machine.
2. Right click on the virtual machine and select “Edit Settings”.

3. On the “Hardware” tab, select the virtual disk you would like to resize and in the “Capacity” section enter the required size.

We are not finished yet. If you boot the virtual machine now the OS will not see the new size, it will only see the old size. You need to expand the volume into the new free space. Below are two methods of doing this; which one you choose depends on the guest OS and your preference.
Method 1 (Windows DISKPART) will of course only work in Windows.
Method 2 (GParted) will work for any OS, including Linux and Unix, provided the file system type is supported by your chosen partition utility.
Method 1 (Windows DISKPART):
1. Click Start –> Run and type “diskmgmt.msc”.
2. You will see the free space after your volume.

3. Use DISKPART to extend the volume into all the free space:

diskpart
list volume
select Volume 0
extend
exit

4. You will now see the volume has been extended to use all the free space.

Method 2 (GParted):
To resize the partition on the disk use your favorite partition resizing tool. If you don’t have one, mine is GParted, for which there is a live CD.
Download the GParted Live CD
1. Click on the “Options” tab and go to “Boot Options”.

2. Tick “Force BIOS Setup” (This will boot into the BIOS screen when the VM is powered on, so that you can mount an ISO image before the OS boots.)

3. Click Ok to reconfigure the virtual machine.

4. Connect the ISO image or connect the CD drive with your GParted Live CD (this is easier with the Force BIOS Setup option set in step 2).

5. Boot into GParted and you will see the current partition in the now much larger disk.

6. Right click on the partition and select “Resize/Move”.

7. Resize the partition to fill entire remaining space and click “Resize/Move”.

8. Click “Apply” to run the resize task. After some time, depending on the size, the task will complete.

9. Reboot the computer, remove the CD and boot into the OS.

10. Depending on the OS it may perform a disk check like Windows Server 2003 here.

11. You should now see the disk has been resized.

Part 3 – Configuring VMware Horizon View 5.2


1. Create a domain service account that the View connection server will use to connect to vCenter. On a domain controller create a new AD service account, and set the password to never expire. In my environment the account is called SVC-View01-001. Name is not important, so use whatever naming convention suits you.

2. Login to the vSphere Web Client and from the Home page click on Administration.

In the Administration page click on Role Manager. Create a new role by clicking on the green plus icon. Call it something like View Administrator.

3. Add all of the privileges to the View Administrator role shown in the VMware table below.

4. In the vSphere Web Client navigate to Home > vCenter > Hosts and Clusters, then click on the vCenter name. Now click on the Manage tab and then the Permission tab. Click on the green plus icon to add a permission.

5. Add the domain service account in the left pane, and change the role to View Administrator in the right pane.

6. Launch the View administrator and in the left pane expand View Configuration. Click on Product Licensing and Usage. Enter your View 5 product license key.

7. Under View Configuration click on Servers. Click on the vCenter Servers tab and click Add. Enter the vCenter’s FQDN, your service account name and password. Review the advanced settings in the lower half of the pane to see if they make sense for your environment. I left the defaults.

8. Since we haven’t yet installed View Composer (optional component), select Do not use View Composer.

9. If you are using vCenter 5.1 and ESXi 5.1, you will be presented with some new storage settings. I would leave all the defaults, as those will produce the best results. If you are using a third party VDI storage accelerator such as Atlantis Computing ILIO then I would disable these storage features as they won’t provide much benefit.

10. At this point the vCenter should be successfully added and have green check boxes under all features.

We have now covered the major configuration steps for the View Connection server components. Next up is a little AD work, creating a VM template, and adding a few desktops to the View administrator console. You can check out that installment in Part 4 here.

 

Configuring access to View Server 5.2 from the Internet:

I ran into an issue where my View clients were able to connect internally on the same LAN with no issues to their View Desktops, but when attempting to use the Security Server from an outside source the connection would authenticate, show available desktops, start to load a desktop and then fail with the error “The connection to the remote computer ended”.

Not a lot of details beyond that. After running firewall logs, netcat, wireshark to no avail, VMware Support was able to help me find the field that was in error in the View Administrator. Apparently during a reinstall the internal IP of the PCoIP Secure Gateway field was left as the default internal IP instead of the actual public IP. The external URL under the HTTP(S) Secure Tunnel also exhibited a similar setting using the actual hostname of the server and was updated to the public DNS name of the Security Server.

Not a difficult solution, but one of those things that is easily overlooked after a lot of troubleshooting and not something that I easily found a solution for on the web or in KB articles. Hopefully this will help someone else.


In View Administrator click on Servers, the Connection Server, then Edit.


Update the HTTP(S) Secure Tunnel External URL and the PCoIP Secure Gateway, PCoIP External URL. Check both boxes.
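A check for the misconfiguration described in this post, as an added example that is not part of the original post or of VMware's tooling: it flags a PCoIP External URL or HTTP(S) Secure Tunnel External URL that still points at an internal address or a single-label host name. The function names and sample values are constructed for illustration, and the address:port form of the PCoIP field is an assumption.

```powershell
# Added example; function names and sample values are constructed.
function Test-PrivateIPv4 {
    param([Parameter(Mandatory = $true)][System.Net.IPAddress]$Address)
    $b = $Address.GetAddressBytes()
    if ($b.Length -ne 4) { return $false }              # IPv4 only in this check
    return (($b[0] -eq 10) -or
            ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
            ($b[0] -eq 192 -and $b[1] -eq 168) -or
            ($b[0] -eq 169 -and $b[1] -eq 254) -or
            ($b[0] -eq 127))
}

function Test-ViewExternalSetting {
    param(
        [Parameter(Mandatory = $true)][string]$SecureTunnelUrl,   # e.g. https://name:443
        [Parameter(Mandatory = $true)][string]$PcoipExternalUrl   # assumed form: address:port
    )
    $findings = @()

    # PCoIP field: must be a literal address that outside clients can route to
    $ip = $null
    $parts = $PcoipExternalUrl -split ':'
    if ($parts.Count -ne 2 -or -not [System.Net.IPAddress]::TryParse($parts[0], [ref]$ip)) {
        $findings += "PCoIP External URL '$PcoipExternalUrl' is not in address:port form"
    } elseif (Test-PrivateIPv4 -Address $ip) {
        $findings += "PCoIP External URL uses internal address $ip"
    }

    # Secure tunnel field: must be a name or address that resolves from outside
    $uri = $null
    if (-not [System.Uri]::TryCreate($SecureTunnelUrl, [System.UriKind]::Absolute, [ref]$uri)) {
        $findings += "Secure Tunnel External URL '$SecureTunnelUrl' is not an absolute URL"
    } elseif ($uri.HostNameType -eq [System.UriHostNameType]::IPv4) {
        if (Test-PrivateIPv4 -Address ([System.Net.IPAddress]::Parse($uri.Host))) {
            $findings += "Secure Tunnel External URL uses internal address $($uri.Host)"
        }
    } elseif ($uri.Host -notmatch '\.') {
        $findings += "Secure Tunnel External URL uses single-label name '$($uri.Host)'"
    }
    return $findings
}

# Constructed sample: values left at internal defaults after a reinstall (two findings)
Test-ViewExternalSetting -SecureTunnelUrl 'https://view01:443' -PcoipExternalUrl '10.0.0.25:4172'
# Constructed sample: corrected values, documentation address range and example domain (no findings)
Test-ViewExternalSetting -SecureTunnelUrl 'https://view.example.com:443' -PcoipExternalUrl '203.0.113.10:4172'
```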

 

Fixing the case where you cannot connect to the desktop VM:

Recently I found myself looking at an error which I’ve seen many times before with different customers' View environments, in which they are unable to connect to desktops, getting the following error:

“The connection to the remote computer ended”


In 99% of cases this is usually due to missing firewall rules between the View Client (thick/thin client) and the View Agent (virtual desktop).

The following VMware KB details this error and how to troubleshoot.

http://kb.vmware.com/kb/2013003

However it only affected my test Windows 8 clients which were previously working.

The only thing that had changed was that I had been applying and testing the CIS benchmarks for Windows 8 in some new GPOs I had created; it had to be those that had broken it, so I set out trying to find which setting.

Unlinking the new CIS GPOs I found I could now connect to my View desktop successfully, so it was definitely a setting in the CIS GPOs. The tough job was going through each setting and testing it to find which (initial guesswork was not successful).

In the end I found the cause to be the following setting:

“System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing Enabled”

This setting being configured to Enabled caused a conflict with the View 4.5 connection server settings in the environment, which resulted in connections to the View agent from a View client with this policy setting being rejected.

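Two quick checks for the causes named in this post, run on the Windows View client, as an added example that is not from the original post: whether the FIPS security option is enabled, and whether the desktop answers on TCP. The function names, the sample host name and the default port 4172 (PCoIP) are assumptions, not values from the post.

```powershell
# Added example; function names and the sample host are constructed.
function Get-FipsPolicyState {
    # Standard Windows registry value behind the security option
    # "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing"
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
    $item = Get-ItemProperty -Path $key -Name 'Enabled' -ErrorAction SilentlyContinue
    return [bool]($item -and ($item.Enabled -eq 1))
}

function Test-TcpPort {
    param(
        [Parameter(Mandatory = $true)][string]$HostName,
        [Parameter(Mandatory = $true)][int]$Port,
        [int]$TimeoutMs = 3000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }  # timed out
        $client.EndConnect($async)          # throws if the connection was refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Get-ViewClientTriage {
    param(
        [Parameter(Mandatory = $true)][string]$DesktopHost,
        [int]$PcoipPort = 4172              # assumed default; TCP only, UDP is not tested here
    )
    $fips = Get-FipsPolicyState
    $tcp  = Test-TcpPort -HostName $DesktopHost -Port $PcoipPort
    $hint = 'No cause found by these two checks'
    if (-not $tcp) { $hint = 'Check firewall rules between View Client and View Agent' }
    elseif ($fips) { $hint = 'FIPS policy is enabled on this client; compare with the server settings' }
    New-Object psobject -Property @{
        FipsPolicyEnabled = $fips
        PcoipTcpReachable = $tcp
        Hint              = $hint
    }
}

# Constructed host name; replace with the desktop the client is brokered to
Get-ViewClientTriage -DesktopHost 'desktop01.example.com'
```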

Part 7 – Using VMware Horizon View and HTML Access (Blast protocol) from a smartphone


With the release of the VMware Horizon View Feature Pack 1 for VMware Horizon View 5.2 it is possible to connect with HTML5 to your View desktop, without installing additional software. The new HTML5 protocol is called Blast. Connecting by using the Blast HTML protocol can be handy when you are on a device that does not have the VMware View client installed.

The VMware Horizon View Feature Pack 1 contains the following two main components:

  • Remote Experience Agent installer
  • HTML Access installer

Remote Experience Agent installer contains:

  • HTML Access Agent: The HTML Access Agent allows users to connect to Horizon View desktops by using HTML Access.
  • Unity Touch: With Unity Touch, tablet and smart phone users can easily browse, search, and open Windows applications and files, choose favorite applications and files, and switch between running applications, all without using the Start menu or Taskbar. Unity Touch requires a VMware View Client.

This component is installed on the View Desktop (XP SP3, Windows Vista (32-bit), Windows 7 or 8 )

HTML Access installer: This installer configures View Connection Server instances to allow users to select HTML Access to connect to desktops. After you run the HTML Access installer, the View Portal displays an HTML Access icon in addition to the View Client icon.

This component is installed on the Blast Secure Gateway known as View Connection Server (Not the Security Server).

Here is an overview of the components and firewall ports that need to be opened:

A single security server can support up to 100 simultaneous connections to Web clients using the Blast protocol. For a complete list and drawing of the firewall ports that need to be opened in a VMware View Security Server environment see my earlier post here.

In the View Administrator the connections using the Blast protocol can be monitored:

Unity Touch is supported on the following Horizon View Client versions:

  • Horizon View Client for iOS 2.0 or later
  • Horizon View Client for Android 2.0 or later

Unity Touch is supported on the following mobile device operating systems:

  • iOS 5.0 and later
  • Android 3 (Honeycomb)

The following Web browsers are supported:

  • Chrome 22 or later
  • Internet Explorer 9 or later
  • Safari 5.1.7 or later
  • Firefox 16 or later
  • Mobile Safari on iOS devices running iOS 6 or later

Don’t expect the Blast protocol to offer:

  • The same performance as PCoIP!
  • USB and multimedia redirection
  • ThinPrint support

But the Blast HTML protocol can be handy when you are on a device that does not have the VMware View client installed.

View Portal. Choose between the View Client or HTML access
Logon screen HTML access

Unity Touch from iPhone

Source: http://www.ivobeerens.nl/2013/03/20/vmware-horizon-view-and-html-access-blast-protocol/

Part 6 – What is installing VMware Horizon View Unity Touch for?


Yesterday VMware released the new Horizon View Client 2.0 iOS client to the Apple AppStore. With this client comes a new functionality called Unity Touch. Unity Touch is somehow a part of what VMware introduced as Project AppShift at VMworld 2012. Unity Touch gives the user a greater experience when accessing a virtual desktop from a tablet running iOS or Android. Check this screenshot-show to see how it works.

First requirement is a VMware View 5.2 environment with the VMware Horizon View 5.2 Feature Pack 2 installed on the server and the virtual desktop. Then update your iOS or Android clients to the newest version.

On the left hand side you can see the black slide out navigation tab.

Clicking on this a menu pops in from the left side giving you access to all installed programs on your desktop as well as to your “My Files”.

Starting a Windows application is so easy now. You don’t need to click the start menu and programs menu anymore. Just click on the application in the menu.

The “My Files” menu gives you access to all your files and on the virtual desktop.

You can also register apps as favorite applications as you can see in the next screenshot. I’ve added the control panel here for demonstration. This helps you access your apps on Windows even more easily.

From my view this is a cracking feature in the new release! Working on a virtual desktop from a tablet is so easy now. Unity Touch works with all apps installed to the desktop out of the box. Thanks to my colleague Tim Arenz from http://www.horizonflux.com for provisioning me a desktop on his test environment. This helped a lot with this article.

Part 5 – Configuring HTML Access for VMware View 5.2


Today I received a new SSD drive for my home lab. It was time to get some new IOPS in my vSphere environment for testing VMware Horizon View 5.2. I haven’t installed View for a while so I was really surprised about the changes I’ve seen in the product. After the general View installation I’ve deployed a Windows 7 desktop pool first as I wanted to test the new HTML access today. Of course I’ve seen it before and I’ve already played with it but didn’t install it by myself yet. The HTML access option comes as a separate installer for both, the server and the agent side. The remote experience agent which is installed on the virtual desktop also brings the necessary software pieces for the Unity Touch feature. From the VMware website you can download the HTML access for the connection server as well as the user experience agent. Just login to your MyVMware account and check the downloads section. The modules are available under the Horizon View downloads. Starting the installation is easy as usual, just click on the installer.

I was surprised when I did the installation as there was nothing to configure. Only click Next, Next and Finish and all is set.

After installing the HTML access option (Feature Pack 1 for View 5.2) the website at https://viewserver/ changes. Before the installation the website offered only the option to download the View Client for accessing the virtual desktops. After installing the Feature Pack you can see the “VMware Horizon View HTML Access” icon.

But before using the new feature you have to install the client components on the virtual desktop. Again take the installer, this time copy it to the virtual desktop or desktop template and start the installation.

The only difference to the server installation part is that you have one additional wizard dialog. It gives you the chance to decide if you want to install HTML access only or also install the Unity Touch features. But of course you want it so just click on Install and start the installation.

After the installation and proper configuration of a desktop pool you can go back to the View Connection Server web interface. Click on the HTML access and enjoy!

Ha! There is another trap which you should be aware of! HTML access requires HTML5 support but this is not offered by Internet Explorer 9 i.e. which I’ve used to access my virtual desktop. Lessons learned! I’ve installed IE9 afterwards.

Using a supported web browser gives you this! A fully functional Windows 7 desktop running in a web browser. Great! I love it.

I hope this gives you a quick overview of the HTML Access which comes with the VMware View 5.2 Feature Pack 1. Of course the HTML access doesn’t give you the full functionality of a VMware View Client which is connected via PCoIP but it is great to use on a mobile device for a few use cases.