
Using Netscaler Application firewall to protect against ShellShock

With the recent announcement of the Shellshock vulnerability, many vendors have done a good job of releasing patches and fixes to close it. Citrix has published a knowledge article listing which Citrix products are affected: http://support.citrix.com/article/CTX200217

Citrix has also released an update to the AppFirewall signatures that detects Shellshock attempts against services published through the NetScaler. If we have a service load balanced by the NetScaler and the back-end servers are vulnerable (or their patch status is still unknown), AppFirewall can block the attack in front of them while they are being patched. Note that this is a mitigation, not a fix: the back-end servers still need the bash update.

First we need to update the signature files (Citrix released the update yesterday); in the GUI this is the Update Version action on the signature object.

After the update, the new signature version includes rules for Shellshock.

In the updated signature object the Shellshock rules are enabled with the action set to Block. Create an AppFirewall profile that uses the updated signatures, and bind an AppFirewall policy with that profile to the particular vServer (or URL) that fronts the vulnerable service.

Important: check that the signature action is Block and not only Log, otherwise the request is recorded but still forwarded to the back-end.

Note that these rules only apply to traffic passing through vServers that have the policy bound, i.e. to services exposed via the NetScaler, and not to the NetScaler appliance itself. Whether the appliance is affected and how to patch it is covered in the Citrix article linked above.
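As an added example (not part of the original post and not Citrix's signature code), the following PowerShell flags the pattern the Shellshock (CVE-2014-6271) signatures look for in request headers, so you can see what the rule actually matches and run it over exported requests offline before relying on the NetScaler policy. The header lines are constructed for the example; the probe strings only echo a word.

```powershell
# Added example, not from the original post or from the Citrix signature set.
# Pattern: an exported bash function definition "() {", allowing extra whitespace.
# Bash itself only treats a value as a function when it *starts* with "() {", but
# blocking the pattern anywhere in a value is the safer WAF rule.
$script:ShellshockPattern = '\(\)\s*\{'

function Test-ShellshockValue {
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Value)
    return [bool]($Value -match $script:ShellshockPattern)
}

function Find-ShellshockHeaders {
    # Takes the raw "Name: value" lines of one request and returns the headers carrying
    # the pattern. Any header can reach bash as a CGI environment variable (HTTP_USER_AGENT,
    # HTTP_COOKIE, HTTP_REFERER, ...), so every header is inspected, not just User-Agent.
    param([Parameter(Mandatory)][string[]]$HeaderLines)
    foreach ($line in $HeaderLines) {
        $idx = $line.IndexOf(':')
        if ($idx -lt 1) { continue }   # request line, blank line or malformed header
        $name  = $line.Substring(0, $idx).Trim()
        $value = $line.Substring($idx + 1).Trim()
        if (Test-ShellshockValue -Value $value) {
            [pscustomobject]@{ Header = $name; Value = $value }
        }
    }
}

# Constructed sample request: a harmless probe string in User-Agent and Cookie, a normal Referer.
$sampleRequest = @(
    'GET /cgi-bin/status HTTP/1.1',
    'Host: www.example.com',
    'User-Agent: () { :; }; echo probe',
    'Cookie: () {  :;}; echo probe',
    'Referer: http://www.example.com/',
    'Accept: */*'
)

Find-ShellshockHeaders -HeaderLines $sampleRequest | Format-Table -AutoSize
```

Run against the sample it reports the User-Agent and Cookie headers and leaves Referer alone. To check the binding on the appliance itself, send the same harmless probe header through the protected vServer: a working policy answers with the AppFirewall block response instead of the back-end page, while the same request sent straight to a back-end server (bypassing the NetScaler) shows what remains unprotected until that server is patched.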

System Center Configuration Manager 2012 R2 CU3

Today Microsoft released Cumulative Update 3 for ConfigMgr 2012 R2. It contains some minor bug fixes, but there is also one important new change:

the ability to define which management points a client is allowed to communicate with.

“This cumulative update introduces a new registry key on clients that will restrict which management point (MP) a client can communicate with. This can be useful in environments with multiple MPs in different forests, where the clients are only able to communicate with a subset of them. Setting the registry value to only those MPs reachable by the client can improve overall efficiency. The new registry value is AllowedMPs, a REG_MULTI_SZ (multi-string) type under HKEY_LOCAL_MACHINE\Software\Microsoft\CCM.

Each entry is the Fully Qualified Domain Name of the management point(s) with which the client is allowed to communicate. This value does not affect the selection of any other site systems such as distribution points, software update points, etc.; it only affects the primary site MP selection. Note: Once defined, there is no “fallback” or other method for clients to communicate with other MPs. It is not intended for mobile clients.”

From KB 2994331: http://support.microsoft.com/kb/2994331
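As an added example (not from the KB or the original post), the following PowerShell writes the AllowedMPs value as the KB describes and guards against the one thing the KB warns about: once the value exists there is no fallback, so a mistyped or unresolvable FQDN leaves the client without any management point at all. The management point names are constructed for the example.

```powershell
# Added example, not from KB 2994331 or the original post.
function Set-CcmAllowedMPs {
    param(
        # FQDNs of the management points this client may talk to.
        [Parameter(Mandatory)][string[]]$ManagementPointFqdn,
        # Also confirm each name resolves from this client before committing the value.
        [switch]$TestResolution
    )
    $ccmKey = 'HKLM:\SOFTWARE\Microsoft\CCM'
    if (-not (Test-Path $ccmKey)) {
        throw "ConfigMgr client key $ccmKey not found; is the client installed on this host?"
    }
    foreach ($fqdn in $ManagementPointFqdn) {
        # The KB wants FQDNs: reject NetBIOS names, URLs and anything else.
        if ($fqdn -notmatch '^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$') {
            throw "'$fqdn' is not a fully qualified domain name"
        }
        if ($TestResolution) {
            try { [void][System.Net.Dns]::GetHostEntry($fqdn) }
            catch { throw "'$fqdn' does not resolve from this client: $($_.Exception.Message)" }
        }
    }
    # PropertyType MultiString gives REG_MULTI_SZ; -Force overwrites an existing value.
    New-ItemProperty -Path $ccmKey -Name 'AllowedMPs' -PropertyType MultiString `
        -Value $ManagementPointFqdn -Force | Out-Null

    # Read back and confirm the type, since a REG_SZ written by hand would not match the KB.
    $key = Get-Item -Path $ccmKey
    if ($key.GetValueKind('AllowedMPs') -ne [Microsoft.Win32.RegistryValueKind]::MultiString) {
        throw 'AllowedMPs was not written as REG_MULTI_SZ'
    }
    return [string[]]$key.GetValue('AllowedMPs')
}

# Constructed example: two management points in the forest this client can reach.
Set-CcmAllowedMPs -ManagementPointFqdn 'mp01.corp.example.com','mp02.corp.example.com' -TestResolution
```

The function returns the value as stored so the result can be compared with the intended list. Because the client has no fallback once the value exists, roll it out to a pilot collection first and watch that those clients keep reporting to their MP before applying it more widely.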

New book project, Azure IaaS free ebook

This is something I have been thinking about for some time, since I have written two books for a publisher in the last year. I saw while writing them that much of what I wrote about became outdated pretty fast after the books were released.

So I came up with an idea: what if I wrote it as an ebook and was responsible for the distribution myself? This would make it a lot easier to keep it up to date, since I would not need a publisher to keep "control" over the source, and since it is only in ebook form I can easily update the content to keep it up to date.

So therefore I present my current ebook project,

Azure – IaaS Getting started

This book will cover the basics of most of Azure, but will deep dive into the IaaS features. I am about 20% into the writing process, so it is not ready for release yet, since I am only one guy.

If you are above average skilled in Azure and want to contribute to the writing process, please get in contact with me at msandbu@gmail.com. My whole goal with this book is to make it easier to get the "whole" picture of Azure and to have up-to-date content.

So stay tuned for the release!

Pricing difference between vCloud Air and Microsoft Azure

Lately I have seen a lot of blog posts talking about how much cheaper one of them is compared to the other. Most of the time I do not read them that closely, but this time I decided to write a post and do the comparison myself.

Note that I am not being biased even though I have an MVP logo; I am trying to get a clear picture of what the pricing actually is. If anyone has feedback on this post I would really appreciate it in the comment field below.

For the comparison I’m going to show difference between Virtual Private Cloud offering from Vmware and Virtual Machines from Microsoft Azure.

First of all, the Virtual Private Cloud offering from VMware is more of a cloud container: you gain access to a pool of resources and decide yourself how to carve them up, while Microsoft Azure is based on virtual machines of predefined sizes chosen from a template.

So for this example let us say we need 5 virtual machines with 2 GHz and 4 GB RAM each. (Note that no Azure size matches this exactly, so I am going with Medium instances, which have about 3.5 GB RAM and 2 x 1.6 GHz.) I am only comparing with the information I can find on the vendors' websites.

SLA:

First, Virtual Private Cloud from VMware has a 99.9% SLA for virtual machines.
Microsoft Azure has a 99.9% SLA for single virtual machines and 99.95% for multiple role instances. (Note: if you deploy a single VM instance within an availability set, you will receive no advance warning or notification of platform maintenance.)

Other features:

The base configuration of Virtual Private Cloud from VMware contains:

10 GHz vCPU
20 GB vRAM
2 TB of Standard Storage
10 Mbps of Bandwidth (this is the official figure for connections out of the data center)
2 Public IP Addresses + support

This is for the price of €727 a month. So for this I can configure 5 virtual machines with 2 GHz and 4 GB of RAM each, with ~400 GB of disk each.

From Azure I can configure 5x Medium virtual machine instances (Linux based, since I do not want a licensing discussion here).

This will cost about €332.44 a month, and 2 TB of page blob storage (locally redundant) is about €74.47 a month. Support is €223.41 a month, but since support is so different between the vendors I will exclude it from the price comparison. Public IP addresses come with the cloud service and can be one or more addresses. I also need to add storage transactions, since all I/O to blob storage is counted as transactions: 200 million storage transactions a month come to €7.45.

I also need to define bandwidth usage. For Azure I can set the bandwidth usage to, for instance, 100 GB, which costs about €8.49 a month (note that this is the egress price for US + Europe; VMware does not charge for data transfer). This sums up to €422.85 a month.

Performance: Principled Technologies did a test of virtual machine instances on both Azure and VMware and concluded that CPU performance in vCloud is about 2x that of Azure (note that this is per vCPU).

http://www.slideshare.net/PrincipledTechnologies/v-chs-cpuperformance0714

Which means that if we have 10 GHz in vCloud, we would need at least 20 GHz in Azure to get similar CPU performance.

                vCloud Air                    Azure
Compute         10 GHz vCPU                   5x Medium instances: 2 x 1.6 GHz x 5 = 16 GHz
Memory          20 GB vRAM                    3.5 GB RAM x 5 = 17.5 GB
Storage         2 TB of Standard Storage      2 TB page blobs, 200 million storage transactions
Bandwidth       10 Mbps of Bandwidth          100 GB bandwidth usage
Public IPs      2 Public IP Addresses         Cloud service public addresses
Price           €644 each month               €422.85 each month

Note that this Azure price assumes we run the virtual machines 24/7, use all 2 TB of storage and use all 100 GB of bandwidth. If we use less, the monthly cost will be lower. (Note: all Medium instances have 200 Mbps of network bandwidth.)

Now, both vendors also have prepaid 12-month options. Since these are cheaper, I am adding them to the table.

                        VMware vCloud Air           Azure
Prepaid 12 months       €8,203 (€8,724 list)        €3,805 (€5,074 list)

It is clear that Azure is cheaper over the long run, since it gives a really good discount when you prepay certain amounts: http://azure.microsoft.com/en-us/offers/commitment-plans/

But it does not perform as well as VMware. If we compare performance per cost we get another calculation: as I mentioned, we would need at least twice the CPU power to get the same performance, and in this case I would need to add another virtual machine instance.

                vCloud Air                    Azure
Compute         10 GHz vCPU                   6x Medium instances: ~20 GHz
Memory          20 GB vRAM                    21 GB RAM
Storage         2 TB of Standard Storage      (storage, transactions and bandwidth as above)
Price           €644 each month               €489.33 each month

This takes the CPU/memory calculation into the mix, but it says nothing about storage performance. Note that Azure data disks for Medium instances have a maximum of 500 IOPS each (while a storage account can deliver up to 20,000 IOPS), and the maximum size of a blob disk is 1 TB. A Medium instance can have up to 4 data disks, and therefore a maximum of 2,000 IOPS.

As I see it, we cannot compare these two solutions equally; it is not an apples-to-apples comparison. vCloud has the flexibility that you "purchase" a pool of resources and can shape them as you want, and it has better performance since it is purely an IaaS platform, while Azure offers different shapes and sizes that you can purchase depending on the customer's needs.

Also important to note: vCloud Air (as far as I have read) is priced on the resources you buy, not what you use, so if you have bought 10 GHz and only use 50% of it you still pay the same amount, while Azure is billed on what you use.

The ecosystems around the two are also completely different. So I appreciate any feedback here, if I have made a wrong calculation or if any statements are wrong.

Dell vWorkspace EOP–Configuration

For those who do not know what vWorkspace is, take a look at my previous blogpost regarding vWorkspace –> http://msandbu.wordpress.com/2014/04/20/introduction-to-dell-vworkspace/

EOP (Enhanced Optimized Protocol) is an enhancement to the RDP protocol that Dell (formerly Quest) has developed as part of vWorkspace. Microsoft has made a lot of improvements to the RDP protocol in 2012 and 2012 R2, but it is nowhere near Citrix in how it performs over WAN and in its ability to deliver graphics-heavy content. EOP contains multiple enhancements to the protocol to even out the difference, such as:

EOP Xtream. Accelerates RDP and EOP traffic on wide area networks (WANs). This provides for an improved user experience by providing faster RDP screen responses and improved performance of all EOP features.

EOP Print. A single-driver printing solution that satisfies both client-side and network printing needs in a vWorkspace environment.

EOP Audio. Enables support for applications that require the use of a microphone, such as dictation, collaboration, and certain Voice Over Internet Protocol (VOIP) applications such as Office Communicator and Lync.

EOP Multimedia Acceleration. Enables the redirection of Flash content and Microsoft DirectShow content (anything that can be played in Microsoft Windows Media Player) from the VDI or Windows RDSH Session through an RDP Virtual Channel to the client access device. There it is played using the local compression/decompression technology (CODEC).

EOP Flash Acceleration. Allows playing of Flash content.

EOP Graphics Acceleration. Reduces bandwidth consumption and dramatically improves the user experience, making RDP usable over WAN connections.

EOP Universal USB. EOP Universal USB enables the use of virtually any USB connected device, such as PDAs, local printers, scanners, cameras, and headsets to be used in conjunction with VDI.

EOP MultiMon. Enables monitor-aware support for multiple monitors.

Where do I configure EOP? First, under Connection Policies, choose Create New.

Then, during the wizard, define which EOP enhancements you want to enable for the end user.

Remember to assign the policy to a user as well.

You also need to enable graphics acceleration on the particular desktop. In my case I have a RemoteFX-enabled VDI machine, so right-click it, choose Properties, and under EOP Graphics choose Enable.

How can I verify that it is working?

Take Flash redirection, for instance: when a Flash video is started in the remote session, the Flash redirection engine should fire up a local Flash instance and play the video on your device instead of rendering it on the host.

In NetBalancer I can see that PNFMMRHost.exe starts when I start a Flash video; this process is part of the Quest Flash redirection engine.

Text echo (this is indeed a very good feature to have in an RDP session with high latency) displays in real time what the user is typing, even though it might not appear in the desktop right away.

To test graphics acceleration I did a basic test: opened a remote session, opened Internet Explorer from within the session, loaded gamespot.com, and logged out of the session once the page had finished loading. The bandwidth used with graphics acceleration enabled and with it disabled was captured as screenshots in the original post.

So these were just a few of the enhanced features that EOP brings; more to come. Note that next week the 8.5 beta will be released.

Using Netscaler with UPN and Storefront

Had a case earlier today where a customer wanted to configure the NetScaler to authenticate with UPN instead of sAMAccountName. Using UPN instead of sAMAccountName makes sense in many cases, since it is easier for users to remember their email address than their username. So in this scenario my sAMAccountName is msandbu and my UPN is marius.sandbu@demo.no.

By default the NetScaler LDAP action has sAMAccountName under Server Logon Name Attribute. This is the attribute the entered username is matched against in the LDAP search, so it defines what kind of account name you are allowed to log on with through the NetScaler.

If you try to log on with a UPN while sAMAccountName is defined as the logon name attribute, you get an authentication error on the StoreFront server.

That is because StoreFront strips the domain info from the credentials sent by the NetScaler and tries to validate them against Active Directory itself, and what is left of the UPN (marius.sandbu) is not the sAMAccountName.

So how to fix this?

In the LDAP authentication action, set Server Logon Name Attribute to userPrincipalName so that users can log on with their UPN, and set SSO Name Attribute to sAMAccountName.

The NetScaler then first validates the UPN, looks up the user's sAMAccountName, and forwards that as the logon name to StoreFront, which logs the user in.

Important to remember: StoreFront always revalidates the credentials it receives from the NetScaler, which is why it has to be handed a name it can validate.
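As an added example (not from the original post and not NetScaler code), the following PowerShell reproduces the lookup the appliance performs with those two settings: search Active Directory for the typed UPN and return the sAMAccountName that gets forwarded to StoreFront. It uses the built-in DirectoryServices searcher, so it runs from any domain-joined Windows host without extra modules; the UPN and domain are the ones from the post, and password validation (the LDAP bind the appliance performs) is left out.

```powershell
# Added example, not from the original post. Mirrors the NetScaler search with
# Server Logon Name Attribute = userPrincipalName and SSO Name Attribute = sAMAccountName.

function ConvertTo-LdapFilterLiteral {
    # RFC 4515 escaping: a logon name typed by a user must never change the filter's meaning.
    param([Parameter(Mandatory)][string]$Value)
    $escaped = $Value.Replace('\', '\5c')   # backslash first, so later escapes are not doubled
    $escaped = $escaped.Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')
    return $escaped.Replace([string][char]0, '\00')
}

function Resolve-SsoName {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        # Optional search base, e.g. 'LDAP://DC=demo,DC=no'; default is the current domain root.
        [string]$SearchRoot
    )
    $literal  = ConvertTo-LdapFilterLiteral -Value $UserPrincipalName
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    if ($SearchRoot) {
        $searcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry($SearchRoot)
    }
    # Same shape as the appliance's search: match the typed name against the logon attribute.
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(userPrincipalName=$literal))"
    [void]$searcher.PropertiesToLoad.Add('sAMAccountName')
    [void]$searcher.PropertiesToLoad.Add('userPrincipalName')

    $results = $searcher.FindAll()
    try {
        if ($results.Count -eq 0) { throw "No account with userPrincipalName '$UserPrincipalName'" }
        if ($results.Count -gt 1) { throw "More than one account matches '$UserPrincipalName'; SSO would be ambiguous" }
        # Property names come back lower-cased from the searcher.
        $sam = [string]$results[0].Properties['samaccountname'][0]
        if (-not $sam) { throw 'Account has no sAMAccountName, so there is nothing to forward to StoreFront' }
        return $sam
    }
    finally { $results.Dispose() }
}

# Example from the post; requires a domain-joined host that can reach the demo.no domain.
Resolve-SsoName -UserPrincipalName 'marius.sandbu@demo.no'
```

On the appliance the equivalent CLI change is `set authentication ldapAction <name> -ldapLoginName userPrincipalName -ssoNameAttribute sAMAccountName`. The escaping helper matters because the logon name comes straight from the user; a NetScaler is responsible for the same escaping in its own search, but a troubleshooting script copied from a blog often is not.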

Dell Generation 13 servers released

Yesterday Dell announced the launch of their next generation of PowerEdge servers. The new generation contains a bunch of new models, which can be seen here –> http://en.community.dell.com/techcenter/extras/w/wiki/7520.dell-13th-generation-poweredge-server-resources

One of the most important new models is the PowerEdge R730xd. A nifty feature here is that it supports the new 1.8" SSD drives, which makes a lot of different drive combinations possible:

  • 18 x 1.8" SSD + 8 x 3.5" HDD + 2 x 2.5" (rear): 17 TB via 960 GB hot-plug SATA SSD + 48 TB via 6 TB NL-SAS HDD + 3.5 TB via 1.8 TB SAS HDD
  • 24 x 2.5" HDD or SSD + 2 x 2.5" HDD or SSD (rear): 43 TB via 1.8 TB hot-plug SAS HDD + 3.5 TB via 1.8 TB hot-plug SAS HDD. Up to 4 NVMe PCIe SSD (6.4 TB via 1.6 TB)
  • 12 x 3.5" HDD or SSD + 2 x 2.5" HDD or SSD (rear): 72 TB via 6 TB NL-SAS HDD + 3.5 TB via 1.8 TB SAS HDD
  • 16 x 3.5" HDD or SSD + 2 x 2.5" HDD or SSD (rear): 96 TB via 6 TB NL-SAS HDD + 3.5 TB via 1.8 TB SAS HDD

And with the new PERC9 controller, which has increased cache and throughput (http://www.dell.com/learn/us/en/19/campaigns/dell-raid-controllers), it is quite a powerhouse.

Some of the new features from a management perspective in this release are:

* iDrac Quick Sync

This allows users to take care of some basic management of their PowerEdge servers with a near-field communication (NFC) device, such as a smart phone or tablet. Users can set their IP address, boot devices, and even pull off inventory information and health reports while at the box.

* iDrac Direct

We have also added in the ability via iDRAC with Lifecycle Controller to perform system management tasks from the USB port that is in the front of the server. Customers can load a configuration file on a USB port, iDRAC with LC will detect that a USB key has been plugged in, will pull the configuration information off, and will configure the system quickly, simply, and error-free. Additionally, you can ditch the crash cart and use your tablet or laptop to plug directly into the USB port in the front of the system and launch into iDRAC with Lifecycle Controller.

Both Quick Sync and iDRAC Direct turn physical access to the front of the chassis into a management path, so decide deliberately whether to leave them enabled in the iDRAC configuration. There are also other new features, like:

* SanDisk DAS Cache

This is available on some of the new models. It uses SSDs local to the server as a cache –> http://www.sandisk.com/about-sandisk/press-room/press-releases/2014/sandisk-das-cache-software-now-available-for-next-generation-dell-poweredge-servers/ The feature currently works only on Red Hat / SUSE Linux and Hyper-V, because it requires an OS filter driver to move data to and from the cache. VMware support comes later next year.

Dell has also run tests/benchmarks on the new servers and concludes that they host up to 18% more virtual desktop users than the previous generation –> http://en.community.dell.com/dell-blogs/dell4enterprise/b/dell4enterprise/archive/2014/09/08/new-dell-servers-host-up-to-18-more-virtual-desktop-users

StorageReview and CRN have already published reviews of the new generation and are both impressed with its performance –> http://www.storagereview.com/dell_poweredge_13g_r730xd_review

http://www.crn.com/news/data-center/300073939/review-dell-poweredge-r730-is-furious-fast.htm/pgno/0/1

I am sure this is only one of several big announcements from Dell this year. Also worth remembering is that Dell and Nutanix are releasing the XC series later this fall, and that Dell is one of the few partners chosen for the deployment of VMware EVO:RAIL / EVO:RACK.

Presenting on Netscaler Masterclass

At the next NetScaler Masterclass in October I will be presenting a session on System Center and NetScaler, covering the different forms of integration and monitoring.

For those who are not familiar with the Masterclass, it is a webinar series hosted by Citrix once a month.

So sign up here if you want to know more –> http://www.citrix.com/events/netscaler-master-class.html

Implementing Microsoft Azure Infrastructure Solutions exam 70-533

Microsoft has just released the first of the Microsoft Azure IaaS exams, which counts towards another specialist certification –> Microsoft Specialist: Microsoft Azure Infrastructure Solutions

You can see the exam objectives here –> https://www.microsoft.com/learning/en-us/exam.aspx?id=70-533

They have also created a training course –>

  • 20533A: Implementing Microsoft Azure Infrastructure Solutions (5 Days)

Now I have already created a quick study guide here which will get you one step on the way towards the exam. The exam objectives are:

  • Implement Websites (15-20%)
  • Implement Virtual Machines (15-20%)
  • Implement Cloud Services (15-20%)
  • Implement Storage (15-20%)
  • Implement an Azure Active Directory (15-20%)
  • Implement Virtual Networks (15-20%)

Shared Computer Support for Office365

One of the problems with using Office 365 licenses in an RDS/Citrix environment was that you needed a volume-licensed Office just to install it. But now Microsoft has announced something called shared computer activation for Office 365, which allows us to install Office 365 ProPlus on RDS/Citrix hosts without purchasing a volume-licensed Office.

Quote from the official Microsoft blog –> http://blogs.technet.com/b/uspartner_ts2team/archive/2014/09/03/office-365-shared-computer-activation.aspx

Well I’m pleased to announce that this support is now available as of September 1, 2014.  All SKUs containing Office 365 ProPlus, Project Pro for Office 365, or Visio Pro for Office 365 can be used by multiple users on a shared device or virtual machine.  This is referred to as shared computer activation.

Shared computer activation lets you to deploy Office 365 ProPlus to a computer in your organization that is accessed by multiple users. For example, several nurses at a hospital connect to the same remote server to use their applications, or a group of workers share a computer at a factory.

Now how do I setup this ?

You need to create a configuration.xml file that includes the following lines:

<Display Level="None" AcceptEULA="True" />
<Property Name="SharedComputerLicensing" Value="1" />

Display Level None makes it a silent install, and the property sets the shared computer licensing value. Then you use the Office Deployment Tool to deploy Office 365 with shared computer support. The Office Deployment Tool can be found here –> http://www.microsoft.com/en-us/download/details.aspx?id=36778

So how does it work ?

When a user logs on to an RDS server, he or she gets a dialog box the first time: the Activate Office dialog asks the user to activate Office by entering the email address associated with the user's Office subscription.

They enter their Office 365 user account, the application verifies it against the Office Licensing Service online, and a licensing token is stored in the user profile for that particular user.

You can verify that shared computer activation is in use by looking in the %localappdata%\Microsoft\Office\15.0\Licensing folder (DO NOT ALTER THESE FILES): it contains two text files, one with an .authString extension and one with a .signingCert extension.

There are a few gotchas here…

1: The licensing token expires after a couple of days. As the expiration date nears, Office 365 ProPlus automatically attempts to renew the token while the user is logged on to the computer and using Office 365 ProPlus. If the user does not log on to the shared computer for several days, the token can expire; the next time the user tries to use Office 365 ProPlus, it contacts the Office Licensing Service on the Internet to get a new token. The shared host therefore needs to reach the Office Licensing Service on the Internet for renewals to succeed.

2: Activation limits. Normally users can install and activate Office 365 ProPlus on up to five computers. Using Office 365 ProPlus with shared computer activation enabled does not count against the five-computer limit.

Microsoft allows a single user to activate Office 365 ProPlus on a reasonable number of shared computers in a given time period. In the unlikely event the limit is exceeded, the user gets an error message saying that the Office 365 account has recently been used to activate too many computers, and that to continue using the product they should try again later or sign in with a different Office 365 account.
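As an added example (not from the original post or Microsoft's documentation), the following PowerShell builds a complete Office Deployment Tool configuration around the two lines above, runs the deployment, and afterwards checks that a user's licensing token has been written. The product ID, the 32-bit edition, the language and the C:\ODT paths are assumptions for the example.

```powershell
# Added example, not from the original post. Assumes the ODT setup.exe has been extracted
# to C:\ODT and that the 32-bit English Office 365 ProPlus build is wanted.
function New-SharedComputerConfig {
    param([Parameter(Mandatory)][string]$Path)
    # Display Level None makes the install silent; SharedComputerLicensing=1 switches on
    # shared computer activation for every user of this RDS host.
    $xml = @'
<Configuration>
  <Add OfficeClientEdition="32">
    <Product ID="O365ProPlusRetail">
      <Language ID="en-us" />
    </Product>
  </Add>
  <Display Level="None" AcceptEULA="TRUE" />
  <Property Name="SharedComputerLicensing" Value="1" />
</Configuration>
'@
    Set-Content -Path $Path -Value $xml -Encoding UTF8
    return $Path
}

function Install-SharedComputerOffice {
    param(
        [Parameter(Mandatory)][string]$OdtSetup,     # path to the ODT setup.exe
        [Parameter(Mandatory)][string]$ConfigPath
    )
    # /configure installs according to the XML; /download would only stage the files.
    $p = Start-Process -FilePath $OdtSetup -ArgumentList "/configure `"$ConfigPath`"" -Wait -PassThru
    if ($p.ExitCode -ne 0) { throw "setup.exe /configure failed with exit code $($p.ExitCode)" }
}

function Test-SharedComputerActivation {
    param(
        # Profile root of the user to check; defaults to the caller's own profile.
        [string]$LocalAppData = $env:LOCALAPPDATA
    )
    # The post points at this folder for the token files. Read only: altering them breaks activation.
    $licDir = Join-Path $LocalAppData 'Microsoft\Office\15.0\Licensing'
    if (-not (Test-Path $licDir)) { return $false }
    $auth = Get-ChildItem -Path $licDir -Filter '*.authString' -File -ErrorAction SilentlyContinue
    $cert = Get-ChildItem -Path $licDir -Filter '*.signingCert' -File -ErrorAction SilentlyContinue
    return [bool]($auth -and $cert)
}

$config = New-SharedComputerConfig -Path 'C:\ODT\configuration.xml'
Install-SharedComputerOffice -OdtSetup 'C:\ODT\setup.exe' -ConfigPath $config
Test-SharedComputerActivation
```

The check only turns true after the user has signed in to Office once on that host. Because the token lives in the user's local profile, hosts with non-persistent or mandatory profiles need that Licensing folder to roam with the user; otherwise every logon is a fresh activation, which both slows the first start and eats into the activation limit described above.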
