Category Archives: Reviews

Getting Started with the Free Log Insight for vCenter


VMware gives away a 25-OSI pack of vRealize Log Insight 3.3 for all users with a supported vCenter Server license. VMware vRealize Log Insight is log management software with intuitive dashboards, sophisticated analytics and broad third-party extensibility. It provides deep operational visibility and faster troubleshooting.

Log Insight is not a new product. I’ve already written about it during the beta phase and the final product was introduced back in 2013. With the release of vSphere 6.0 Update 2, VMware has included a 25-OSI package with all vCenter installations, allowing all customers to use the product in small environments for free.

In this post I am going to explain how to obtain the 25-OSI pack and deploy Log Insight for vCenter.

VMware vRealize Log Insight 3.3.1 for vCenter Server is available as a virtual appliance. The download has been added to the vSphere 6.0 section, but it does not differ from the “VMware vRealize Log Insight 3.3.1” package available in the vRealize section.

Download vSphere 6.0

Log Insight 3.3 for vCenter Server will accept any vCenter Server 6.0 Standard, Enterprise, or Enterprise Plus license. For vCenter Server 5.x users, a license key can be found on the Log Insight 3.3 for vCenter Server download page:

Use the Deploy OVF Template function to install the Appliance:

The extra small configuration supports up to 20 ESXi hosts. To take full advantage of the 25-OSI package, and generally for production, the small configuration is recommended. The largest deployment supports up to 1500 ESXi hosts (15,000 events/second). There is no need to make a final decision here. The appliance can be extended later.

After finishing the deployment wizard, wait a couple of minutes until the appliance has finished its initial configuration tasks. The appliance is available when the following screen is visible in the console:

To configure VMware Log Insight, open a browser and navigate to the URL mentioned in the console and select Next > Start New Deployment

Add a License key. You can either use your vCenter Server 6.0 License key, or the key provided at the Log Insight download page.

Log Insight is now ready to collect logs. The following sources can be configured:

  • vSphere Integration, collects data from vCenter Server and ESXi hosts
  • Agents installed on Linux or Windows systems
  • Syslog Server

To add your vSphere Environment to Log Insight, open Configure vSphere integration »

Add your vCenter Server:

This will automatically configure the vCenter Server, and all ESXi hosts to send their logs to the appliance. You can verify the state, and add/remove ESXi hosts on the detail page:


Logfiles are now ready to be analysed. I’ve deployed 2 ESXi hosts with a vCenter Server, so there are still 22 free licenses left to add more ESXi hosts, or other systems.


VMware Log Insight is not limited to VMware products. It’s intended as a central logging system. It is shipped with the following agents:

  • VMware vRealize Log Insight 3.3.1 – Windows agent
  • VMware vRealize Log Insight 3.3.1 – Linux agent 32/64-bit (RPM)
  • VMware vRealize Log Insight 3.3.1 – Linux agent 32/64-bit (Debian)
  • VMware vRealize Log Insight 3.3.1 – Linux agent 32/64-bit (binary)

I’m installing the Linux Agent on a Debian-based Ubuntu 14.04.4 LTS.


root@aztec:~# dpkg -i VMware-Log-Insight-Agent_3.3.1-3636434.deb
Vorbereitung zum Entpacken von VMware-Log-Insight-Agent_3.3.1-3636434.deb ...
Entpacken von vmware-log-insight-agent (3.3.1-3636434) ...
vmware-log-insight-agent (3.3.1-3636434) wird eingerichtet ...
Starting VMware Log Insight Agent: *

Installation completed.

ATTENTION: Please edit configuration file:

For online documentation please visit:
Trigger für ureadahead (0.100.0-16) werden verarbeitet ...
ureadahead will be reprofiled on next reboot

The Agent needs to know the address of the Log Insight server. Any further configuration can then be done from the Log Insight Management console. Edit the configuration file /etc/liagent.ini and set the hostname to your Log Insight server.
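
The edit described above, scripted as an added example (not part of the original post or of VMware's tooling): a shell function that sets the server address in the agent configuration file. It assumes the address is the hostname= key of a [server] section, possibly shipped commented out; the function name, the sample file contents and the host name li.example.test are constructed for illustration.

```sh
#!/bin/sh
# Added example: set the Log Insight server in the agent's INI file.
# Assumption: the server address is the hostname= key of the [server]
# section, and the shipped file may carry it commented out with ';'.

# set_li_server FILE HOST
# Returns 0 on success, 1 on I/O failure, 2 if HOST looks invalid.
set_li_server() {
    file=$1
    host=$2
    # Accept only host name / IP address characters so that the value
    # cannot smuggle extra lines or keys into the configuration.
    case $host in
        ''|*[!A-Za-z0-9.:-]*) echo "invalid host: $host" >&2; return 2 ;;
    esac
    tmp=$(mktemp) || return 1
    if awk -v host="$host" '
        /^\[/ {
            # Leaving [server] without having seen hostname=: add it here.
            if (in_server && !done) { print "hostname=" host; done = 1 }
            in_server = ($0 ~ /^\[server\]/)
        }
        # Active or commented-out hostname line inside [server].
        in_server && /^[; \t]*hostname[ \t]*=/ {
            if (!done) { print "hostname=" host; done = 1 }
            next
        }
        { print }
        END {
            if (!done) {
                if (!in_server) print "[server]"
                print "hostname=" host
            }
        }
    ' "$file" > "$tmp"; then
        # Write through the existing file to keep its owner and mode.
        cat "$tmp" > "$file"
        rc=$?
    else
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}

# Demo on a constructed sample file (not the real /etc/liagent.ini).
demo=$(mktemp)
cat > "$demo" <<'EOF'
[server]
; address of the Log Insight server
;hostname=LOGINSIGHT

[other]
;key=value
EOF
set_li_server "$demo" li.example.test && cat "$demo"
rm -f "$demo"
```

Running the function a second time with a different host replaces the existing line instead of adding another one.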

The Linux host should now appear in the Agent Configuration.


Groups can be created to deploy the same configuration on a large number of hosts. I’ve created a group for Linux Hosts and added the gathering of /var/log/syslog:

I’ve also added the Log Insight Server as Syslog server on my router. Very nice and quick solution for small networks. But what is the outstanding feature of VMware vSphere Log Insight? Content Packs!

VMware vSphere Log Insight is not just a log aggregator, it also has a deep understanding of log entries, allowing administrators to find quick solutions for problems. Here are some examples from the VMware vSphere Content pack, which is available by default:



VMware Social Media Advocacy

Get peace of mind with these simple monitoring tips


If a server falls over in the forest and no one raises an incident, does it actually go down?

As every good VMware administrator knows, there is no known good reason on earth as to why you shouldn’t be using some form of monitoring solution to keep watch on your VMware platforms. As the “VMware guy” you really can’t afford to waste your time keeping a constant watchful eye on things, just in case something bad were to happen. But let’s face it – from time to time bad things do happen!

There are many, many options available in the market to poke and probe your infrastructure to check if it’s all still there, doing what it should be doing. These range from free tools that simply ping devices and alert you if something fails to respond, to monster-sized monitoring and management solutions that cost an arm and a leg. The big comprehensive solutions are great, but they are typically very complex to design, deploy, configure and keep running, and will often only alert you to an issue once it has occurred and the phone is already ringing with your boss saying “has anything changed on the VMware platform today?”. That’s when panic sets in as you realise the production VMware cluster is spiralling into a full meltdown. The two options available to you are a) start troubleshooting the issue and hope you find a solution PDQ, or b) pick up your jacket, exit the building, and start getting your LinkedIn profile up to date because you’re going to need a new job!

Taking a proactive approach

Wouldn’t a better approach be to discover potential issues in your environment before they were about to happen? What if you could fix an issue before it brings down your entire VMware cluster? Surely that would have you rise up the ranks to demigod level and then you could spend more time playing with all the cool new things you wish you had time to try.

I’ve spent the last few months getting to know the Runecast Analyzer product very well.  I can honestly say “Wow! I’m impressed”. From the simplicity of the product to be able to quickly deploy and have it scanning your environment in minutes, to its easy-to-use and great looking web interface, it really is an excellent tool to have in your toolbox.

Rich capability

What makes Runecast really stand out to me is that it is capable of looking at the setup of your VMware platform and checking it against three main sources of information:

  1. VMware knowledge base articles
  2. VMware best practice guides
  3. VMware security hardening guides


The expert guys who developed and founded Runecast (VCDX #74, VCAPs, VCPs, etc.) continuously monitor and assess new KBs, best practice guides and security recommendations, and determine how to check for them. These updates are then automatically pulled down into the Runecast Analyzer appliance on a regular basis.

Once a scheduled scan occurs and picks up a potential issue in your environment, not only does Runecast flag this issue, it provides you with a copy of the KB article directly in the web interface or a link to the best practice/security hardening guide where it came from. This means you can fully understand the issue before you decide to address it or choose to ignore it.

For example, it may be a requirement in your environment to allow certain non-standard settings such as allowing promiscuous mode on a port-group. In this instance you can simply choose to ignore this alert by way of the highly configurable filter. Runecast will continue to re-scan your environment on a regular basis (defined by you) to ensure continuous compliance and help protect you against configuration drift.


It also allows you to send the log files from vSphere hosts and virtual machines (the VMs’ VMware logs, not logs from inside the virtual machines’ operating systems or applications, just to be clear) to the Runecast Analyzer appliance and have these logged and checked for issues too. All of this can be configured in the Runecast UI (provided the account you use has sufficient permissions in vCenter to make these changes) with a couple of simple clicks. It couldn’t actually be any easier than that, could it?

And… it does all this onsite, so no data is sent back from the appliance for analysis somewhere in a different country, or stored on a server that you have no control over – so there are no issues with security there.

As I said, I’ve been giving this VM monitoring and troubleshooting solution a really good bash around for the last few months, and I’m well impressed. If you fancy checking it out for yourself you can download a free 30-day trial, and get it up and running in your own environment in minutes. And who knows, perhaps just doing this alone could help save one tree, sorry, server from falling over.

By Stuart McEwan


The Practical Path to NSX: Security, Automation, Application Continuity


Read more about network virtualization with VMware NSX here: Milin Desai of VMware discusses an overview of VMware NSX at VMworld 2015. He highlights the 3 most common pain points within customers and how VMware NSX has addressed them through its value proposition. See a live demo of VMware NSX’s infrastructure security, IT automation, and application continuity in action.


Working with the VMware vCenter Server Appliance


While working with the VMware vCenter Server Appliance (VCSA) the last couple of years I came across several bits and pieces of information that I collected which, I think, are useful for working with the VMware vCenter Server Appliance (VCSA) and combined them in this blog post.

VMware vCenter Server provides a centralized platform for managing your VMware vSphere environments through a single pane of glass. The VMware vCenter Server Appliance (VCSA) is a preconfigured Linux-based virtual appliance that can be deployed simply as a Virtual Machine. This VM is optimized for running vCenter Server and the associated services on Linux.

Highlighted in this VMware vCenter Server Appliance blogpost:

  • Change the Password and Password Expiration Settings of the Root User
  • Enabling SSH, Local Access and Bash shell
  • Unlocking a locked out Root account
  • Updating or patching the VCSA
  • VCSA startup stages after reboot
  • WinSCP to vCenter Server Appliance


Change the Password and Password Expiration Settings of the Root User

When you deploy the vCenter Server Appliance, you set the initial password of the root user, which expires after 365 days by default. For security reasons, you can change the root password, as well as the password expiration settings. In versions 5.5 and 6.0 of the VCSA the root password expires in 90 days; with the updated version the root password expires in 365 days by default. You can log in to the VMware Appliance Management Interface (VAMI) with a web browser at the following address:

Important: If there is no VAMI page showing up on port 5480 you are probably running VCSA version 6.0, because VMware removed the VAMI from vCenter Server 6.0. This issue can be resolved by updating the VCSA to Update 1 or later. For the necessary steps on upgrading please check the paragraph about Updating or patching the VCSA.

  1. Log in with root and the root password.
  2. Go to Administration in the left panel.
  3. In the right panel you can Change the Root Password.
  4. In the panel below you can adjust the Password Expiry Settings.
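
A way to catch the expiry before it locks root out, as an added example (not from the original post): a shell function that computes the days remaining from an account's /etc/shadow entry. It assumes the appliance uses the standard shadow layout and that the script is run as root from the Bash shell; the function names and the sample entry are constructed.

```sh
#!/bin/sh
# Added example: report how many days remain before a local account's
# password expires, based on its /etc/shadow entry.
# Shadow fields: name:hash:lastchg:min:max:warn:inactive:expire
# lastchg is counted in days since 1970-01-01, max in days.

# days_until_expiry SHADOW_LINE TODAY_DAYS
# Prints the remaining days (negative = already expired) or "never".
days_until_expiry() {
    lastchg=$(printf '%s\n' "$1" | cut -d: -f3)
    max=$(printf '%s\n' "$1" | cut -d: -f5)
    today=$2

    # Empty or non-numeric max, or the conventional 99999: no ageing.
    case $max in
        ''|*[!0-9]*|99999) echo never; return 0 ;;
    esac
    case $lastchg in
        ''|*[!0-9]*) echo never; return 0 ;;
        0) echo 0; return 0 ;;   # lastchg 0 forces a change at next login
    esac
    echo $((lastchg + max - today))
}

# check_expiry SHADOW_LINE WARN_DAYS [TODAY_DAYS]
# Exit status: 0 = fine, 1 = expires within WARN_DAYS, 2 = expired.
check_expiry() {
    today=${3:-$(( $(date +%s) / 86400 ))}
    left=$(days_until_expiry "$1" "$today")
    user=${1%%:*}
    if [ "$left" = never ]; then
        echo "OK: $user password does not expire"
        return 0
    elif [ "$left" -le 0 ]; then
        echo "CRITICAL: $user password has expired (days left: $left)"
        return 2
    elif [ "$left" -le "$2" ]; then
        echo "WARNING: $user password expires in $left day(s)"
        return 1
    fi
    echo "OK: $user password expires in $left day(s)"
}

# Constructed sample entry (not a real hash): changed on day 17000, max 365.
SAMPLE='root:$6$constructed$notarealhash:17000:0:365:7:::'
check_expiry "$SAMPLE" 30 17350 || true   # warning: 15 days left

# On the appliance, as root in the Bash shell:
#   check_expiry "$(grep '^root:' /etc/shadow)" 30
```

The exit status follows the usual monitoring-plugin convention, so the function can be called from a scheduled job that alerts on a non-zero result.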


Enabling SSH, Local Access and Bash shell

After installing the VCSA, local access and SSH access are disabled. If you need to install plugins in the VCSA, such as NexentaConnect for VSAN, you will need SSH access to adjust some local settings and add the package for the plugin. There are multiple ways to enable local access and SSH.

Option 1: Through the VMware Appliance Management Interface

  • Login to the VAMI
  • Go to Access in the left pane
  • Check the two boxes enabling ssh login and bash shell


Option 2: Through the vSphere Web Client

  • Login to the vSphere Web Client
  • Go to Administration > System Configuration > Right-Click the correct VCSA node > Edit settings


  • Adjust accordingly how you would like it to behave



Unlocking a locked out Root account

If the root account is not accessible through the console, the secure shell, and the Virtual Appliance Management Interface (VAMI) (vCenter Server Appliance 5.5 and 6.0 Update 1+), the root account has been inactivated due to password expiration. To reactivate the root account, the vCenter Server appliance must be rebooted and the kernel option modified in the GRUB bootloader to obtain a root shell.

First of all you have to edit the settings of the VCSA to delay the boot sequence through the vSphere Client. Make sure you know on which ESX host the VCSA runs before you shut it down. The time between when you power on the virtual machine and when it exits the BIOS or EFI and launches the guest operating system software is short. You can change the boot delay or force the virtual machine to enter the BIOS or EFI setup screen after power on.

Delaying the boot operation is useful for changing BIOS or EFI settings such as the boot order. For example, you can change the BIOS or EFI settings to force a virtual machine to boot from a CD-ROM.


  1. In the vSphere Client inventory, right-click the virtual machine and select Edit Settings.
  2. Click the Options tab and under Advanced select Boot Options.
  3. In the Power on Boot Delay panel, select the time in milliseconds to delay the boot operation.
  4. (Optional) Select whether to force entry into the BIOS or EFI setup screen the next time the virtual machine boots.
  5. (Optional) Select whether to try to reboot after a boot failure.
  6. Click OK to save your changes.
  7. Power on the VCSA.

To reactivate the root account:

  • When the GRUB bootloader appears, press the spacebar to disable autoboot
  • Type p to access the appliance boot options
  • Enter the GRUB password

Note: If the vCenter Server appliance was deployed without editing the root password in the Virtual Appliance Management Interface (VAMI), the default GRUB password is vmware. If the vCenter Server appliance root password was reset using the VAMI, then the GRUB password is the password last set in the VAMI for the root account.

  • Use the arrow keys to highlight VMware vCenter Server Appliance and type e to edit the boot settings

  • Scroll to the second line displaying the kernel boot parameters
  • Type e to edit the boot command
  • Append init=/bin/bash to the kernel boot options
  • Press Enter. The GRUB menu reappears
  • Type b to start the boot process. The system boots to a shell
  • Reset the root password by running the passwd root command
  • Restart the appliance by running the reboot command


Updating or patching the VCSA

Depending on which VCSA version you are running you have two options to update the VCSA.

Option 1 – Updating or Patching the VCSA through a SSH connection

  • Download VCSA update from the following location:
  • Upload the ISO to a Datastore
  • Attach the downloaded ISO to the VCSA virtual machine (Do not forget to check the connected box)
  • SSH to the VCSA

    ssh root@vcsa_hostname

  • Run the following commands

To stage the ISO:

    software-packages stage --iso

Run through the EULA (with ENTER) and answer with yes. To see the staged content:

    software-packages list --staged

To install the staged rpms:

    software-packages install --staged

After patching is successful, use the following command to reboot the VCSA:

    shutdown reboot -r Update_to_last_patches


Option 2 – Updating or Patching the VCSA through the VAMI

You can also update the VCSA through the VAMI web interface when you are running a version of the VCSA that has an active/available VAMI.

  • Log in to the VAMI web interface through port 5480
  • Go to Update in the left panel and then in the right panel to Check Updates


You have the choice to use a CDROM or download it through a URL.


VCSA startup stages after reboot

The VCSA goes through different stages while booting. It has five visible stages:

  • You can connect to the IP address/FQDN of the VCSA


  • Error message 503 when trying to connect to the vSphere Web Client

503 Service Unavailable (Failed to connect to endpoint: [N7Vmacore4Http16LocalServiceSpecE:0x7f809c7187b0] _serverNamespace = /vsphere-client _isRedirect = false _port = 9090)

  • You will see a blank screen while trying to connect to the vSphere Web Client
  • The vSphere Client web server is initializing message is visible


  • You can login through the vSphere Web Client Login Screen  (Do not forget the administrator@vsphere.local instead of root)


Now the VCSA is fully booted and operational.


WinSCP to vCenter Server Appliance

When trying to connect WinSCP to the vCenter Server Appliance (VCSA) you will get an error message and you cannot connect to upload or retrieve files from the VCSA. When you copy files using WinSCP, part of the operation happens on the target Linux system. The default Appliance Shell cannot be the remote partner of WinSCP. You must enable the Bash shell on the appliance; you can do that through the VAMI as described in the paragraph about Enabling SSH, Local Access and Bash shell. You can also do it as follows:

  • Log in to the VCSA through an SSH connection
  • Provide the username root and the root password when prompted
  • Enter the following commands:

Then go to the Bash shell


In the bash shell switch from default shell to Bash

chsh -s /bin/bash root

Now you can use WinSCP to place or get files on the VCSA

To return the Bash shell to the Appliance shell use

chsh -s /bin/appliancesh root

When using Linux to place or retrieve files you can use PSCP.

By Edwin Weijdema


In Guest VMware Tools CLI commands


In general it seems typical that VMware Tools gets installed on the Guest OS and then left alone after that. While doing some reading and working on some “slowness” issues, I’ve found the Tools CLI to become very handy and powerful.

On the Windows side of things here are a few “common” commands to use tools via the command line. First we need to get into the directory where tools is installed and the toolbox command can be run. The default directory is “C:\Program Files\VMware\VMware Tools”.

The command below in the screenshot lists the base commands available with the VMwareToolboxCmd: VMwareToolboxCmd.exe help


I’m not covering all of the commands there but the documentation from VMware does a good job.

I’ve been using the VMwareToolboxCmd.exe stat “subcommandhere” for seeing stats within the GuestOS and I’ve included the snippet from the VMware doc with a little detail for each stat subcommand:


As you can see it covers many useful areas to see if the VM is having performance issues related to CPU limits perhaps or to see if any memory is ballooning or swapping (I’ve also included memres and cpures just to see if your VM has any reservations):


You can manually turn timesync with the host on/off/and check status:


Another command that I would imagine is useful would be the disk command and shrink subcommands that can be used to actually shrink and reduce the space the virtual disk takes up. As you can see from the screenshot my test VM is a linked clone and this cannot be run against it. This doesn’t work against thick provisioned VMs as it wouldn’t shrink the virtual disk since the space has already been allocated for the virtual disk:


**NOTE: certain versions of Fusion have a “Clean Up Virtual Machine” button and Workstation has a “Compact” menu command that will do the same thing.

The commands are pretty much the same within a Linux OS; below is a screenshot of a CentOS VM. The default directory for this is /usr/sbin/ and the command is “vmware-toolbox-cmd”:

There are many more commands that can be run from within the Guest OS, as I stated I’ve been using and seeing these commands used to track down slowness issues within VMs.

Note these commands were taken from the following User’s Guide from VMware and VMware vSphere 6.0 Documentation Center.

By Brandon Bazan Twitter – @bbazan


VMware NSX and Cisco ACI: NSX Now Supported on ACI


In May of 2015, we did a video around VMware NSX vs. Cisco ACI. As part of that video, we made the prediction that VMware NSX and Cisco ACI would not be an either/or discussion in the future (I also did a webinar on the topic that you can download here). At the time, the common question we were getting from clients was if they should be using NSX or ACI. My opinion was that Cisco ACI complemented the feature sets of VMware NSX quite well and that one could really support the other.

Now let’s fast forward to last month (February 2016) to Cisco Live Berlin where an announcement was made that supported just that idea. In sessions at the conference, they talked about a number of overlay networks in Cisco ACI and specifically mentioned VMware NSX. So what are these use cases? I’m planning on doing a series of videos to explore the topic further. The next video will discuss heavily utilizing Cisco ACI with an overlay of VMware NSX. After that, we’ll look at the opposite – more heavily leveraging the feature sets of NSX on top of the fabric automation feature sets that exist in ACI.


First Look: VMware Host Client


Now you can manage an ESXi host with any HTML5-compliant browser.
By Tom Fenton

VMware just announced that VMware Host Client 1.0 is shipping with vSphere 6.0 Update 2 (U2), which was released last week. Host Client allows an HTML 5 Web browser to be used to view and manage an individual ESXi host. It can be used on almost any OS: Windows, OS X, Android or any other OSes that support an HTML 5 browser. Prior to this release, the vSphere native client running on a Windows system was required to access an ESXi host.

I just installed vSphere 6.0 U2 for the first time. Let’s take a brief look at the installation process and key features, before I give my final thoughts on it.

First, I entered the IP address of my ESXi host in my Chrome browser that was running on my Windows laptop and clicked “Open the VMware Host Client.” I was presented with a basic login screen (see Figure 1). I didn’t need to install anything on either my ESXi host or laptop.

Figure 1. The Host Client login screen.

After logging on, I was presented with a dashboard for my ESXi host (Figure 2). It did give a warning about the host being managed by my vCenter server. The desktop had all the features I would expect, including the ability to manage the server, monitor server performance, and shut down or reboot the server.

Figure 2. The Host Client dashboard.

By using the icons on the left hand side of the screen, I was able to dive down and see my virtual machines (Figure 3), storage, and networking on my ESXi host. Let’s take a brief look at each of these features.

Figure 3. Managing virtual machines.

By right-clicking on a virtual machine (VM), I was able to perform common management functions on it (see below). However, it does not allow you to perform cloning, vMotion, or other operations that require a vCenter server. You can even open a console to a VM and access it via your Web browser.

Figure 4. Many, but not all, virtual machine management abilities can be done via the Web browser.

One of the most common tasks on an ESXi server is creating and importing VMs into your ESXi server. Host Client allows you to create VMs from scratch, deploy VMs from an OVF or OVA file and register an existing VM. I decided to test this functionality by deploying a new instance of Damn Small Linux (DSL) on my host via an OVA file on my laptop. Deploying the OVA was simple and direct via the wizard, as shown in Figure 5. I dropped the DSL OVA file into the wizard, specified the storage and networking and clicked Finish. In less than one minute, I had a running instance of DSL. It couldn’t have been more intuitive.

Figure 5. Deploying a new OS instance as a VM.

The storage function (Figure 6) supports most common storage-related functions, including browsing datastores to examine the files on it.

Figure 6. Storage capabilities.

Host Client offers performance-monitoring functions, and as Figure 7 shows, I was able to display graphs for the CPU, memory, disk, and network activity on a host.

Figure 7. Monitoring the environment.

The Monitor function also has panes to track and analyze the events, tasks, logs and notifications that relate to the host.

I was able to log into my ESXi Server using the Host Client via various devices, including my Samsung Galaxy S5 smartphone (Figure 8), MacBook and Samsung tablet. The screen size was a little small on the smartphone and tablet, but overall it was still functional; I was able to move the screen around to see the information that I needed.

Figure 8. The Host Client on a Samsung Galaxy smartphone.

Delivering the Goods
Every once in a while, VMware releases a product that makes my life just a little bit easier, and Host Client is definitely one of those products. Prior to Host Client, getting quick access to a single host used to entail finding a Windows system and installing the native client on it; this was always just a little annoying to me.

Having Host Client means that I can conveniently access, monitor, and manage a host from just about any device. With its management functions I can manage the network, storage and VM lifecycle, monitor the performance of an ESXi host, and display events and tasks. I can do all this without having to install anything on my ESXi host; I just need to point my browser at it and access it. This is a fine tool you’ll certainly find useful, and which will add a bit of convenience to your life.

About the Author

Tom Fenton works in VMware’s Education department as a Senior Course Developer. He has a wealth of hands-on IT experience gained over the past 20 years in a variety of technologies, with the past 10 years focused on virtualization and storage. Before re-joining VMware, Tom was a Senior Validation Engineer with The Taneja Group, where he headed their Validation Service Lab and was instrumental in starting up its vSphere Virtual Volumes practice. He’s on Twitter @vDoppler.


VMware NSX. What are we solving?


NSX has been the acronym on the lips of everyone in the SDN space. I have been studying the VMware NSX software-defined networking platform in preparation for my VCIX exam in the coming months, and I have a few thoughts to share from some of my study materials about this exciting product from VMware. But what is it, and what does it mean to your organization?

VMware NSX is a network virtualization platform from VMware. The software is reportedly able to operate using any hypervisor and it is a completely non-disruptive solution which can be deployed on any IP network from any vendor – both existing traditional networking models and next generation fabric architectures. The physical network infrastructure already in place is all that is required to deploy a software-defined data center with NSX.

What are we solving?

i. Physical networks are hard to scale in multi-tenant data-center environments, i.e. business units, customers and acquisitions can benefit from this type of overlay topology.

ii. Physical networks make VM mobility across data centers tougher when we use complex layer 2 adjacency design.

Logical networks allow for greater automation and ease of provisioning since everything is done in software. (Logical Switching, Firewall, Routing, Load balancing).

iii. Server virtualization, a software abstraction layer (i.e. server hypervisor) reproduces the familiar attributes of an x86 physical server (e.g. CPU, RAM, Disk, NIC) in software. This allows components to be programmatically assembled in any arbitrary combination to produce a unique VM in a matter of seconds.

With NETWORK virtualization, the functional equivalent of a “network hypervisor” reproduces layer 2 to layer 7 networking services (e.g. switching, routing, firewalling, and load balancing) in software. These services can then be programmatically assembled in any arbitrary combination, producing unique, isolated virtual networks in a matter of seconds. With VMware NSX, existing networks are immediately ready to deploy a next generation software defined data center. Customers are using NSX to drive business benefits as shown in the figure below.

The main themes for NSX deployments are Security, IT automation and Application Continuity.


Security: NSX can be used to create a secure infrastructure, which can create a zero-trust security model. Every virtualized workload can be protected with a full stateful firewall engine at a very granular level. Security can be based on constructs such as MAC, IP, ports, vCenter objects and tags, Active Directory groups, etc. Intelligent dynamic security grouping can drive the security posture within the infrastructure. NSX can be used in conjunction with third-party security vendors such as Palo Alto Networks, Checkpoint, Fortinet, or McAfee to provide a complete DMZ-like security solution within a cloud infrastructure. NSX has been deployed widely to secure virtual desktops, some of the most vulnerable workloads residing in the data center, and to prohibit desktop-to-desktop hacking.

Automation: VMware NSX provides a full RESTful API to consume networking, security and services, which can be used to drive automation within the infrastructure. IT admins can reduce the tasks and cycles required to provision workloads within the datacenter using NSX. NSX is integrated out of the box with automation tools such as vRealize automation, which can provide customers with a one-click deployment option for an entire application, which includes the compute, storage, network, security and L4-L7 services. Developers can use NSX with the OpenStack platform. NSX provides a neutron plugin that can be used to deploy applications and topologies via OpenStack.

Application Continuity: NSX provides a way to easily extend networking and security across up to eight vCenters, either within or across data centers. In conjunction with vSphere 6.0, customers can easily vMotion a virtual machine across long distances and NSX will ensure that the network and the firewall rules are consistent across the sites. This essentially maintains the same view across sites. NSX Cross vCenter Networking can help build active-active data centers. Customers are using NSX today with VMware Site Recovery Manager to provide disaster recovery solutions. NSX can extend the network across data centers and even to the cloud to enable seamless networking and security.


Switching: Logical switching enables extension of a L2 segment / IP subnet anywhere in the fabric independent of the physical network design.

Routing: Routing between IP subnets can be done in the logical space without traffic leaving the hypervisor; routing is performed directly in the hypervisor kernel with minimal CPU / memory overhead. Routing is done by the Distributed Logical Router and is also one of the features of the Edge Services Gateway. It supports static and dynamic routing protocols (OSPF, IS-IS, BGP). The Distributed Logical Router (DLR) provides an optimal data path for traffic within the virtual infrastructure (east-west communication). Additionally, the NSX Edge provides an ideal centralized point for seamless integration with the physical network infrastructure to handle communication with the external network (north-south communication) with ECMP-based routing.

Connectivity to physical networks: L2 and L3 gateway functions are supported within NSX to provide communication between workloads deployed in logical and physical spaces.

Edge Firewall: Edge firewall services are part of the NSX Edge Services Gateway (ESG). The Edge firewall provides essential perimeter firewall protection which can be used in addition to a physical perimeter firewall. The ESG-based firewall is useful in developing PCI zones, multi-tenant environments, or dev-ops style connectivity without forcing the inter-tenant or inter-zone traffic onto the physical network.

VPN: L2 VPN, IPsec VPN, and SSL VPN services to enable L2 and L3 VPN connectivity. The VPN services cover the critical use case of interconnecting remote datacenters and providing user access.

Logical Load-balancing: L4-L7 load balancing with support for SSL termination. The load balancer comes in two different form factors, supporting inline as well as proxy mode configurations. The load balancer covers a critical use case in virtualized environments: it enables devops-style functionality, supporting a variety of workloads in a topology-independent manner.

DHCP & NAT Services: Support for DHCP servers and DHCP forwarding mechanisms; NAT services. NSX also provides an extensible platform that can be used for deployment and configuration of 3rd party vendor services. Examples include virtual form factor load balancers (e.g., F5 BIG-IP LTM) and network monitoring appliances (e.g., Gigamon – GigaVUE-VM). Integration of these services is simple with existing physical appliances.

In future posts, as I advance in my studies, I will go deeper into this wonderful product from VMware.

Head, Solutions Architect at Integrated Laynet Technologies Ltd.


VMware gives AirWatch single sign-on, app catalog support



VMware Inc. has enhanced its AirWatch enterprise mobility management (EMM) platform with enhanced deployment security and workflow features.

AirWatch 8.3 is intended to address the continuing quest to “enable more work to be done on the mobile platform,” said Blake Brannon, vice president of product marketing for AirWatch. “User experience trumps everything at the end of the day.”

With that in mind, VMware has added support for its new Workspace ONE application virtualization client that aims to provide a unified experience across every endpoint on the corporate network. Workspace ONE, which was introduced last week, enables employers to define the security level of an application based upon the requirements of the device accessing it. This allows single sign-on (SSO) to be applied to simplify installation: users avoid having to enter passwords by using VMware’s cloud-based authentication service.

AirWatch security now provides conditional access to any app or services using the same technology used for mobile SSO, but with additional capability for the application to determine if it’s running on a container, jailbroken phone or managed device. “Effectively, it allows you to restrict someone from going to apps outside of the corporate app store and causing a breach,” Brannon said.

Access to corporate data can now be micro-segmented only to specific services rather than to the entire backend database. “Rather than giving every user access to the full network, an app can be given access to just the servers they need to communicate with,” Brannon said. “We can effectively have millions of VLANs at one time.”

The new release also expands the AirWatch Privacy First Program with a website and visual privacy app that provides education about security and privacy while also dispensing advice on the value of mobile devices for productivity. VMware said AirWatch’s mobile management system separates work and personal data, never allowing IT to capture personal information such as texts, personal emails, photos and notes-to-self. “You have a right to abide by privacy laws around the world,” Brannon said. Policies can now be set by someone other than the IT administrator, such as a chief privacy officer. This is particularly relevant in international situations where privacy laws may vary.

AirWatch 8.3 also adds industry templates, conditional access to mobile apps and device-to-datacenter security with expanded integration between AirWatch and VMware NSX network virtualization. The templates were compiled from analysis of customer mobile deployments to determine the best way to represent industry-specific workflows. “We’ve built the process to be wizard-driven so you don’t have to discover all the settings yourself,” Brannon said.

NSX integration enables administrators to dynamically set policies between AirWatch and NSX from a single console, limiting the footprint that mobile apps, data, devices and networks have inside the data center connection.

Cloud pricing per user starts at $103, with a full price schedule posted here. AirWatch claims to have 62,000 business customers.


A full cloud stack – Autolab 2.6 – Part 1

As in my previous labs, I’ll use Ravello as the main platform to develop a complete stack for a cloud service. It doesn’t matter whether it is for private or public use, the stack will be the same.

To save some time, I’ll begin with Autolab 2.6 from the Ravello blueprint, as illustrated in this first post.

Then, I’ll add an NSX component. In my previous post I built 2 clusters, one for management and the other for production, with the production resources managed by the first cluster and NSX residing in the management cluster. So it was double-nested: first in an ESXi, which was itself nested in Ravello.

This puts a heavy load on the whole environment.

Now, I’ll use the Ravello environment as the management cluster, plus a cluster for production, following the post written by Sam McGeown.

Other posts will follow, showing the vCloud Director 8.0 install and AirVM for management, since vCD 8 doesn’t provide a GUI.

I will skip the initial phase of Autolab deployment since it’s the topic of my next post (and many others around the Net).


The following image is my lab. Please ignore the last 2 ESXi hosts; I needed them for the previous nested installation of NSX.


Now we’ll begin by starting the first 2 VMs, the NAS and the Domain Controller. As soon as they’re started, we’ll proceed with the remaining 3, the vCenter and 2 ESXi hosts. We’ll turn on just 2 instead of the 3 in the Autolab blueprint because I don’t want to destroy my previous vCenter environment, made, as described above, of 2 clusters of 2. Anyway, 2 ESXi hosts will be enough.

Time to download NSX. IMPORTANT: initially I downloaded 6.2: DO NOT! You must use 6.1, since 6.2 won’t start in Ravello, even after changing the NIC or adding RAM. It probably depends on the underlying “magic” cast by Ravello. At least, this is what happened to me. You’re warned 🙂

After downloading NSX, I have an OVA file, which the Ravello upload does not accept. I must unpack the OVA into its OVF files by extracting it with 7-zip into a folder:

Then import it into the Ravello Library (if you haven’t done so before, you must download and install the GUI VM Import Tool).
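The OVA-to-OVF step above, as an added example that is not part of the original post: an OVA is a plain tar archive, so it can be unpacked with Python's `tarfile` module and each file checked against the digests in the archive's `.mf` manifest before the import. The file names and contents of the sample OVA are constructed for the demo.

```python
import hashlib
import io
import re
import shutil
import tarfile
import tempfile
from pathlib import Path

# OVF manifest line format: SHA256(nsx-disk1.vmdk)= <hex digest>
MF_LINE = re.compile(r"(SHA1|SHA256|SHA512)\((.+)\)\s*=\s*([0-9a-fA-F]+)")

def extract_and_verify(ova_path, dest_dir):
    """Unpack an OVA (a plain tar) and return {file name: digest matches .mf}."""
    dest = Path(dest_dir).resolve()
    with tarfile.open(ova_path) as tar:
        for member in tar.getmembers():
            target = (dest / member.name).resolve()
            # An OVA is flat: refuse links, devices and paths outside dest.
            if not member.isfile() or target.parent != dest:
                raise ValueError(f"unsafe archive member: {member.name!r}")
            with tar.extractfile(member) as src, open(target, "wb") as out:
                shutil.copyfileobj(src, out)
    manifest = next(dest.glob("*.mf"), None)
    if manifest is None:
        raise ValueError("OVA has no .mf manifest to verify against")
    results = {}
    for line in manifest.read_text().splitlines():
        if m := MF_LINE.fullmatch(line.strip()):
            algo, name, expected = m.groups()
            digest = hashlib.new(algo.lower())
            with open(dest / Path(name).name, "rb") as f:  # stay inside dest
                while chunk := f.read(1 << 20):  # stream: disks are large
                    digest.update(chunk)
            results[name] = digest.hexdigest() == expected.lower()
    return results

def demo(tamper=False):  # constructed sample OVA; file names are made up
    files = {"nsx.ovf": b"<Envelope/>", "nsx-disk1.vmdk": b"\x00" * 4096}
    lines = [f"SHA256({n})= {hashlib.sha256(d).hexdigest()}" for n, d in files.items()]
    files["nsx.mf"] = "\n".join(lines).encode()
    if tamper:  # alter the disk after the manifest was written
        files["nsx-disk1.vmdk"] = b"\x01" * 4096
    with tempfile.TemporaryDirectory() as tmp:
        with tarfile.open(Path(tmp, "nsx.ova"), "w") as tar:
            for name, data in files.items():
                info = tarfile.TarInfo(name)
                info.size = len(data)
                tar.addfile(info, io.BytesIO(data))
        return extract_and_verify(Path(tmp, "nsx.ova"), tmp)
```

A matching manifest only shows that the archive is internally consistent; also compare the checksum of the OVA file itself with the one published by the vendor for the download.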

To make things as simple as possible, I’ll use the same settings that Sam used:

  • Hostname: nsx
  • IP:
  • Subnet:
  • Gateway:
  • DNS:
  • Search: lab.local

The appliance is now ready to deploy in our environment. Start it up and open the console to configure and run setup, after logging in with admin/default (the same password is used for enable):

Once rebooted, access is allowed from one of the 2 Windows machines, DC or VC:

Logging in with the default credentials (admin/default), we’ll be presented with the home page; choosing “View Summary” brings up the main data screen. Be sure that the first 3 services are running. SSH is not important since we’ll configure it from this GUI.

The “Manage” tab at the top right will allow you to configure the device. Start with General, where you can set up a syslog server (optional), adjust the NTP server if it was not already set up, and choose the locale settings.

Moving down the left side menu, we can set the network (any modification will need a reboot, as shown below). The SSL certificate section will allow you to create a new certificate to send to a Certification Authority, to upload an existing one, or just to keep the self-signed one generated during installation.

We can set up an FTP server for backups (optional) and schedule them. Lastly (for this section), the Upgrade line, with a simple “Upgrade” button:

Now comes the connection with the vSphere elements. If the NSX services are not started, the system won’t allow these settings. The Lookup Service will ask for the SSO authentication details (and for acceptance of the server thumbprint); success is shown by a green LED in the “Status” line. The vCenter connection follows the same procedure; in this case, in addition to the green LED, we’ll refresh the inventory by clicking the arrows beside it.

The whole NSX installation process will end up adding a new item inside vCenter. Use the web client to see it, since the C# client won’t show it.


Even though I set up AD to be used as LDAP in vCenter, and LABAdministrator as enterprise global administrator, NSX didn’t allow me to make changes unless I was logged in as administrator@vsphere.local.

In the next part, which will come in a few days, we’ll configure NSX in order to deploy Controllers, prepare hosts, and deploy VXLAN and Edges. After that, we’ll add vCloud Director and a GUI to manage it.