Category Archives: Uncategorized
With the recent announcement of the ShellShock vulnerability, many vendors have done a great job of coming out with patches and fixes to close it. Citrix has released a knowledge article that shows which Citrix products are affected –> http://support.citrix.com/article/CTX200217
But! Citrix has also released an update to the AppFirewall signatures to cover services that are exposed via NetScaler. For instance, if we have a service that is load balanced via NetScaler, and the servers running behind it are affected or vulnerable, we can use AppFirewall to protect them from the attack.
After updating the signatures we can see that the new signature file includes rules for ShellShock.
The actions for these rules are set to block by default. When creating an AppFirewall policy we can bind it to a particular vServer or URL.
It is important that the signature action is set to block.
But note that these rules only protect services that are exposed via the NetScaler, not the NetScaler itself. For the NetScaler's own exposure, refer to the Citrix article linked above.
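As an added illustration (not code from this post or from Citrix), here is a minimal signature check of the kind an AppFirewall rule with a BLOCK action applies to requests passing through the load balancer: it parses constructed HTTP request heads and flags any header value that begins with the ShellShock function-definition pattern. The regex, the header parsing and the sample requests are assumptions for this example, not Citrix's signature.

```python
import re
from typing import List, Tuple

# The ShellShock trigger is an exported function definition, "() {", at the
# start of a value that a CGI-style back end copies into an environment
# variable. This regex is an assumption written for this example, not
# Citrix's AppFirewall signature, and only covers that basic shape.
SHELLSHOCK_RE = re.compile(r"^\s*\(\)\s*\{")


def parse_request(raw: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a raw HTTP/1.1 request head into the request line and an
    ordered list of (lower-cased header name, value) pairs."""
    lines = raw.replace("\r\n", "\n").split("\n")
    request_line = lines[0]
    headers: List[Tuple[str, str]] = []
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return request_line, headers


def find_shellshock(raw: str) -> List[str]:
    """Return the names of headers whose value matches the signature,
    in the order they appear in the request."""
    _, headers = parse_request(raw)
    return [name for name, value in headers if SHELLSHOCK_RE.search(value)]


def decide(raw: str) -> str:
    """Mimic a signature whose action is BLOCK: block on any hit, else allow."""
    return "BLOCK" if find_shellshock(raw) else "ALLOW"


# Constructed sample requests, as the load balancer would see them.
BENIGN_REQUEST = (
    "GET /cgi-bin/status HTTP/1.1\r\n"
    "Host: app.example.com\r\n"
    "User-Agent: Mozilla/5.0 (compatible; monitor/1.0)\r\n"
    "\r\n"
)

SUSPICIOUS_REQUEST = (
    "GET /cgi-bin/status HTTP/1.1\r\n"
    "Host: app.example.com\r\n"
    "User-Agent: () { :; }; echo constructed-test\r\n"
    "Referer: () { :;}; echo constructed-test\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, req in (("benign", BENIGN_REQUEST), ("suspicious", SUSPICIOUS_REQUEST)):
        print(f"{label}: {decide(req)} hits={find_shellshock(req)}")
```

Like the signature on the NetScaler, this only inspects traffic that passes through the virtual server; it says nothing about hosts reached some other way.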
Today Microsoft released CU3 for ConfigMgr 2013 R2. There are some minor bug fixes, but there is also one important new change here!
That is the ability to define which Management Points a client is allowed to communicate with:
“This cumulative update introduces a new registry key on clients that will restrict which management point (MP) a client can communicate with. This can be useful in environments with multiple MPs in different forests, and the clients are only able to communicate with a subset of them. Setting the registry value to only those MPs reachable by the client can improve overall efficiency. The new registry value is AllowedMPs, a REG_MULTI_SZ (multi-string) type under HKEY_LOCAL_MACHINE\Software\Microsoft\CCM
Each entry is the Fully Qualified Domain Name of the management point(s) with which the client is allowed to communicate. This value does not affect the selection of any other site systems such as distribution points, software update points, etc.; it only affects the primary site MP selection. Note: Once defined, there is no “fallback” or other method for clients to communicate with other MPs. It is not intended for mobile clients.”
From the KB http://support.microsoft.com/kb/2994331
This is something I have been thinking about for some time, since I have written two books for a publisher in the last year. While writing them I saw that much of what I wrote about became outdated pretty fast after the books were released.
So I came up with an idea: what if I wrote it as an ebook and was responsible for the distribution myself? This would make it a lot easier to keep up to date, since I wouldn't need a publisher to keep “control” over the source, and since it is only in ebook form I can easily update the content to keep it “up-to-date”.
So I present my current ebook project:
Azure – IaaS Getting started
This book will cover the basics of most of Azure, but will deep dive into the IaaS features. I am about 20% into the writing process, so it is not ready for release yet, since I'm only one guy.
If you are above average skilled in Azure and want to contribute to the writing process, please get in contact with me at email@example.com. My whole goal with this book is to make it easier to get the “whole” picture of Azure and to have up-to-date content.
So stay tuned for the release!
Lately I've seen a lot of blog posts talking about how much cheaper one of these platforms is compared to the other. Most of the time I don't read them too closely, but this time I've decided to write a post and do the comparison myself.
Note that I am not being prejudiced even though I have an MVP logo; I'm trying to get a clear picture of what the pricing actually is. If anyone has feedback on this post, I would really appreciate it in the comment field below.
For the comparison I'm going to show the difference between the Virtual Private Cloud offering from VMware and Virtual Machines from Microsoft Azure.
First of all, the Virtual Private Cloud offering from VMware is more of a cloud container: you gain access to a pool of resources and define yourself what you want to do with them, while Microsoft Azure is based on virtual machines with a predefined size chosen from a template.
So let us define for this example that we have 5 virtual machines with 2 GHz and 4 GB of RAM each. (Note that there is no Azure size of exactly this shape, so I'm going with Medium instances, which have about 3.5 GB RAM and 2x 1.6 GHz.) I'm only comparing using the information I can find on the vendors' websites.
First, the Virtual Private Cloud from VMware has a 99.9% SLA for virtual machines.
Microsoft Azure has a 99.9% SLA for single virtual machines and 99.95% for multiple role instances. (NOTE: if you deploy a single VM instance within an availability set, you will receive no advance warning or notification of platform maintenance.)
The base configuration of the Virtual Private Cloud from VMware contains:
- 10 GHz vCPU, 20 GB vRAM
- 2 TB of Standard Storage
- 10 Mbps of Bandwidth (this is the official bandwidth for connections out of the data center)
- 2 Public IP Addresses + support
This is for the price of €727 a month. For this I can configure 5 virtual machines with 2 GHz and 4 GB of RAM each, and with ~400 GB of disk each.
In Azure I can configure 5x Medium virtual machine instances (Linux based, since I don't want a licensing discussion here).
This will cost about €332.44 a month, and 2 TB of page blob storage (locally redundant) is about €74.47 a month, plus support, which is €223.41 a month. (Note that since the support offerings are so different between the vendors, I will exclude support from the price comparison.) Public IP addresses are given by a cloud service and can be one or more addresses. I also need to add storage transactions, since all IO to Blob storage is counted as a transaction; 200 million storage transactions each month equals €7.45 a month.
I also need to define bandwidth usage; for Azure I'll assume, for instance, 100 GB, which costs about €8.49 a month (note that this bandwidth cost is for US + Europe egress; VMware does not charge for data transfer). This sums up to €422.5 a month.
Performance: Principled Technologies did a test on virtual machine instances on both Azure and VMware and concluded that CPU performance in vCloud is about 2x that of Azure (note that this is per vCPU).
This means that if we have 10 GHz in vCloud, we would need at least 20 GHz in Azure to get similar CPU performance.
VMware Virtual Private Cloud:
- 10 GHz vCPU, 20 GB vRAM
- 2 TB of Standard Storage
- 10 Mbps of Bandwidth
- €644 each month

Azure, 5x Medium instances:
- 2 x 1.6 GHz CPU * 5 = 16 GHz
- 3.5 GB RAM * 5 = 17.5 GB
- 2 TB Page blobs
- 200 million storage transactions
- 100 GB bandwidth usage
- Cloud service public addresses
- €422.85 each month
Note that this price for Azure assumes we use the virtual machines 24/7, use all 2 TB of storage and use all 100 GB of bandwidth. If we do not use this much, the monthly cost will be lower. (NOTE: all Medium instances have 200 Mbps of bandwidth.)
Now, both vendors also have prepaid 12-month options. Since this is a cheaper option, I'm going to add them to the comparison as well.
Prepaid 12 month VMware: €8,203 (where €8,724 is the normal cost)
Prepaid 12 month Azure: €3,805 (where €5,074 is the normal cost)
It's clear to see that Azure is cheaper over the long run, since it has a really good discount when you prepay a certain amount. http://azure.microsoft.com/en-us/offers/commitment-plans/
But it does not perform as well as VMware. If we were to compare performance per cost we would have another calculation: as I mentioned, we would need at least twice the amount of CPU power to get the same performance, and in this case I would need to add another virtual machine instance.
VMware Virtual Private Cloud:
- 10 GHz vCPU, 20 GB vRAM
- 2 TB of Standard Storage
- €644 each month

Azure, 6x Medium instances:
- 21 GB RAM
- €489.33 each month
This takes the CPU/memory calculation into the mix, but it says nothing about storage performance. Note that Azure data disks for Medium instances have a max of 500 IOPS each (while a storage account can have up to 20,000 IOPS), and the maximum size of a blob disk is 1 TB. A Medium instance can have up to 4 data disks and therefore a max of 2000 IOPS.
Now, as I see it, we can't compare these two solutions equally, so it is not an apples-to-apples comparison. vCloud has the flexibility that you “purchase” a bunch of resources and can form and mold them as you want. It has better performance since it is mostly an IaaS platform, while on the other hand Azure comes in different forms and shapes that you can purchase depending on the customer's needs.
It is also important to note that vCloud Air (as far as I have read) is priced on the resources you buy, not what you use, so if you have bought 10 GHz and only use 50% you still need to pay the same amount, while Azure is based on what you use.
Also, the options around the ecosystem are completely different. So I appreciate any feedback here if I have done a wrong calculation or if any statements are wrong!
For those who do not know what vWorkspace is, take a look at my previous blog post about vWorkspace –> http://msandbu.wordpress.com/2014/04/20/introduction-to-dell-vworkspace/
EOP (Enhanced Optimized Protocol) is an enhancement to the RDP protocol that Dell (or Quest) has developed as part of vWorkspace. Microsoft has made a lot of improvements to the RDP protocol in 2012 and 2012 R2, but it is nowhere near Citrix in how it performs over WAN and in its ability to deliver high-graphics content. EOP contains multiple enhancements to the protocol to close the gap, such as:
- EOP Xtream. Accelerates RDP and EOP traffic on wide area networks (WANs). This provides an improved user experience through faster RDP screen responses and improved performance of all EOP features.
- EOP Print. A single-driver printing solution that satisfies both client-side and network printing needs in a vWorkspace environment.
- EOP Audio. Enables support for applications that require the use of a microphone, such as dictation, collaboration, and certain Voice over Internet Protocol (VoIP) applications such as Office Communicator and Lync.
- EOP Multimedia Acceleration. Enables the redirection of Flash content and Microsoft DirectShow content (anything that can be played in Microsoft Windows Media Player) from the VDI or Windows RDSH session through an RDP virtual channel to the client access device. There it is played using the local compression/decompression technology (codec).
- EOP Flash Acceleration. Allows playing of Flash content.
- EOP Graphics Acceleration. Reduces bandwidth consumption and dramatically improves the user experience, making RDP usable over WAN connections.
- EOP Universal USB. Enables virtually any USB-connected device, such as PDAs, local printers, scanners, cameras, and headsets, to be used in conjunction with VDI.
- EOP MultiMon. Enables monitor-aware support for multiple monitors.
Where do I configure EOP? First, under Connection policies, choose Create new.
Then, during the wizard, define which EOP enhancements you want to enable for the end user.
Remember to assign the policy to a user as well.
You also need to enable Graphics acceleration on the particular desktop.
In my case I have a RemoteFX-enabled VDI machine, so right click it and choose Properties.
Then under EOP Graphics choose Enable –>
How can I verify that it is working?
Take Flash redirection, for instance: when starting a Flash video in the remote session, the Flash redirection engine should fire up a local Flash instance and show the video from your device instead of it being rendered on the host.
In NetBalancer I can see that PNFMMRHost.exe starts when I start a Flash video; this process is part of the Quest Flash Redirection engine.
Text echo (indeed a very good feature to have in an RDP session with high latency) displays in real time what the user is typing, even though it might not appear in the desktop right away.
To test Graphics acceleration I did a basic test: I opened a remote session, opened Internet Explorer from within it and loaded gamespot.com, and after the page had finished loading I logged out of the session.
With Graphics acceleration enabled:
So these were just a few of the enhanced features that EOP brings; more to come. Note that the 8.5 Beta will be released next week.
Had a case earlier today where a customer wanted to configure NetScaler to authenticate with UPN instead of sAMAccountName. Using UPN instead of sAMAccountName makes sense in many cases, since it is easier for users to remember their email address than their username. So in this scenario my sAMAccountName is msandbu and my UPN is firstname.lastname@example.org.
By default, NetScaler is set up with sAMAccountName as the Server Logon Name Attribute. This defines which kind of account name you are allowed to log on with via NetScaler.
If you try to log on with a UPN when sAMAccountName is defined, you will get this kind of error message on the StoreFront server.
StoreFront strips the domain info sent from the NetScaler and tries to validate the credentials against Active Directory.
So how do we fix this?
You have to set the SSO Name Attribute in the LDAP server configuration to sAMAccountName.
Then the NetScaler first validates the UPN, gets the sAMAccountName of the user and forwards that to StoreFront, which logs the user in.
It is important to remember that StoreFront always tries to revalidate the information it receives from the NetScaler.
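To make the two attributes concrete, here is an added model (not NetScaler or StoreFront code) of what each side does with the logon name. It assumes the Server Logon Name Attribute is set to userPrincipalName for the UPN scenario, uses the two account values from the post in a constructed in-memory directory, and leaves password checking out.

```python
from typing import Dict, List, Optional

# Constructed stand-in for the Active Directory entries the NetScaler would
# search; the first entry uses the two values from the post.
DIRECTORY: List[Dict[str, str]] = [
    {"sAMAccountName": "msandbu", "userPrincipalName": "firstname.lastname@example.org"},
    {"sAMAccountName": "jdoe", "userPrincipalName": "john.doe@example.org"},
]


def ldap_lookup(attribute: str, value: str) -> Optional[Dict[str, str]]:
    """Find the single entry whose <attribute> equals <value> (case-insensitive),
    like the search the NetScaler LDAP action runs with its search filter."""
    matches = [e for e in DIRECTORY if e.get(attribute, "").lower() == value.lower()]
    return matches[0] if len(matches) == 1 else None


def netscaler_logon(typed_name: str, logon_attr: str, sso_attr: Optional[str]) -> Optional[str]:
    """Model the NetScaler LDAP action (simplified assumption, not its real code path).

    logon_attr is the Server Logon Name Attribute the typed name is matched
    against; sso_attr is the SSO Name Attribute whose value is forwarded to
    StoreFront. Returns the forwarded name, or None if the lookup fails.
    """
    entry = ldap_lookup(logon_attr, typed_name)
    if entry is None:
        return None
    # With no SSO attribute configured, what the user typed is forwarded as-is.
    return entry[sso_attr] if sso_attr else typed_name


def storefront_validate(forwarded_name: str) -> bool:
    """Model StoreFront: strip any domain decoration, then revalidate the
    remaining username against the directory as a sAMAccountName."""
    name = forwarded_name
    if "\\" in name:
        name = name.split("\\", 1)[1]   # DOMAIN\user form
    if "@" in name:
        name = name.split("@", 1)[0]    # user@domain form loses its suffix
    return ldap_lookup("sAMAccountName", name) is not None


def end_to_end(typed_name: str, logon_attr: str, sso_attr: Optional[str]) -> bool:
    """True only if both the NetScaler and StoreFront accept the logon."""
    forwarded = netscaler_logon(typed_name, logon_attr, sso_attr)
    return forwarded is not None and storefront_validate(forwarded)


if __name__ == "__main__":
    upn = "firstname.lastname@example.org"
    # Default logon attribute (sAMAccountName): a typed UPN matches no entry.
    print(end_to_end(upn, "sAMAccountName", None))                 # False
    # Logon attribute UPN but no SSO attribute: StoreFront strips the domain,
    # looks up "firstname.lastname" as a sAMAccountName and fails.
    print(end_to_end(upn, "userPrincipalName", None))              # False
    # Logon attribute UPN and SSO attribute sAMAccountName: "msandbu" is
    # forwarded and StoreFront's revalidation succeeds.
    print(end_to_end(upn, "userPrincipalName", "sAMAccountName"))  # True
```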
Yesterday, Dell announced the launch of their next generation PowerEdge servers. This new generation contains a bunch of new models, which can be seen here –> http://en.community.dell.com/techcenter/extras/w/wiki/7520.dell-13th-generation-poweredge-server-resources
One of the most important new models is the PowerEdge R730xd; one of the nifty features here is that it supports the new 1.8" SSD drives.
This allows a lot of different drive combinations:
- 18 x 1.8" SSD + 8 x 3.5" HDD + 2 x 2.5" (rear) – (17 TB via 960 GB) hot-plug SATA SSD + (48 TB via 6 TB) NL SAS HDD + (3.5 TB via 1.8 TB) SAS HDD
- 24 x 2.5" HDD or SSD + 2 x 2.5" HDD or SSD (rear) – 43 TB via 1.8 TB hot-plug SAS HDD + 3.5 TB via 1.8 TB hot-plug SAS HDD. Up to 4 NVMe PCIe SSD (6.4 TB via 1.6 TB)
- 12 x 3.5" HDD or SSD + 2 x 2.5" HDD or SSD (rear) – 72 TB via 6 TB NL SAS HDD + 3.5 TB via 1.8 TB SAS HDD
- 16 x 3.5" HDD or SSD + 2 x 2.5" HDD or SSD (rear) – 96 TB via 6 TB NL SAS HDD + 3.5 TB via 1.8 TB SAS HDD
And with the new PERC9, which has increased cache and throughput –> http://www.dell.com/learn/us/en/19/campaigns/dell-raid-controllers it's quite a powerhouse.
Some of the new features from a management perspective in the new release are:
* iDrac Quick Sync
This allows users to take care of some basic management of their PowerEdge servers with a near-field communication (NFC) device, such as a smart phone or tablet. Users can set their IP address, boot devices, and even pull off inventory information and health reports while at the box.
* iDrac Direct
We have also added in the ability via iDRAC with Lifecycle Controller to perform system management tasks from the USB port that is in the front of the server. Customers can load a configuration file on a USB port, iDRAC with LC will detect that a USB key has been plugged in, will pull the configuration information off, and will configure the system quickly, simply, and error-free. Additionally, you can ditch the crash cart and use your tablet or laptop to plug directly into the USB port in the front of the system and launch into iDRAC with Lifecycle Controller.
There are also other new features, like:
* SanDisk Cache
This is available on some of the new models. The feature uses local SSD drives in the server for caching –> http://www.sandisk.com/about-sandisk/press-room/press-releases/2014/sandisk-das-cache-software-now-available-for-next-generation-dell-poweredge-servers/ It only works on Red Hat / SUSE Linux and Hyper-V, because it requires an OS filter driver to move data back and forth from the cache. VMware support comes later next year.
Dell has also run tests/benchmarks on the new servers and concludes that they host up to 18% more users than the old servers –> http://en.community.dell.com/dell-blogs/dell4enterprise/b/dell4enterprise/archive/2014/09/08/new-dell-servers-host-up-to-18-more-virtual-desktop-users
StorageReview and CRN have already published reviews of the new generation servers and are both impressed with their performance –> http://www.storagereview.com/dell_poweredge_13g_r730xd_review
I'm sure this is only one of a few big announcements from Dell this year. It is also important to remember that Dell & Nutanix are releasing their XC series later this fall, and that Dell is one of the few partners chosen for deployment of VMware EVO:RAIL / RACK.
At the next NetScaler Masterclass in October I will be presenting a session on System Center and NetScaler, talking about different forms of integration and monitoring.
For those who aren't familiar with the Masterclass, it is a webinar series hosted by Citrix once a month.
So sign up here if you want to know more –> http://www.citrix.com/events/netscaler-master-class.html
Microsoft just released the first of the Microsoft Azure IaaS exams, which counts towards another specialist certification –> Microsoft Specialist: Microsoft Azure Infrastructure Solutions
You can see the exam objectives here –> https://www.microsoft.com/learning/en-us/exam.aspx?id=70-533
They have also created a training course –>
- 20533A: Implementing Microsoft Azure Infrastructure Solutions (5 Days)
I have already created a quick study guide here, which will get you one step on the way towards the exam.
Implement Websites (15-20%)
- Deploy websites –> http://azure.microsoft.com/en-us/documentation/articles/web-sites-deploy/
- Define deployment slots; roll back deployments, configure and deploy packages, deploy web jobs, schedule web jobs
- WebJobs: http://azure.microsoft.com/en-us/documentation/articles/web-sites-create-web-jobs/
- Configure websites
- Configure app settings, connection strings, handlers, and virtual directories; configure certificates, custom domains, and traffic manager; configure SSL bindings and runtime configurations; manage websites by using Windows PowerShell and Xplat-CLI
- Configure diagnostics, monitoring, and analytics
- Retrieve diagnostics data; view streaming logs; configure endpoint monitoring, alerts, and diagnostics; monitor website resources –> http://azure.microsoft.com/en-us/documentation/articles/web-sites-monitor/
- Configure scale and resilience
- Configure auto-scale using built-in and custom schedules; configure by metric; change the size of an instance –> http://azure.microsoft.com/en-us/documentation/articles/web-sites-scale/
- Manage hosting plans
- Create hosting plans; migrate websites between hosting plans; create a website within a hosting plan –> http://azure.microsoft.com/en-us/documentation/articles/azure-web-sites-web-hosting-plans-in-depth-overview/
Implement Virtual Machines (15-20%)
- Deploy workloads on Azure virtual machines (VMs)
- Identify supported Microsoft workloads; deploy and connect to a Linux VM; create VMs –> http://support.microsoft.com/kb/2721672 –> http://msdn.microsoft.com/en-us/library/azure/dn451352.aspx –> http://azure.microsoft.com/en-us/documentation/articles/virtual-machines-linux-how-to-log-on/
- Implement images and disks
- Create specialized and generalized images for Windows and Linux; copy images between storage accounts and subscriptions; upload VHDs –> http://azure.microsoft.com/blog/2014/04/14/vm-image-blog-post/
- http://azure.microsoft.com/blog/2014/05/01/vm-image-powershell-how-to-blog-post/ –> http://azure.microsoft.com/en-us/documentation/articles/virtual-machines-create-upload-vhd-windows-server/
- Perform configuration management
- Automate configuration management by using PowerShell Desired State Configuration and custom script extensions; enable puppet and chef extensions http://azure.microsoft.com/blog/2014/04/11/vm-agent-and-extensions-part-1/ –> http://azure.microsoft.com/blog/2014/04/15/vm-agent-and-extensions-part-2/ –> http://azure.microsoft.com/blog/2014/04/24/automating-vm-customization-tasks-using-custom-script-extension/
- Configure VM networking
- Settings include reserved IP addresses, access control list (ACL), internal name resolution, DNS at the cloud service level, load balancing endpoints, HTTP and TCP health probes, public IPs, firewall rules, direct server return, and Keep Alive
- http://azure.microsoft.com/en-us/documentation/articles/virtual-machines-set-up-endpoints/ –> http://azure.microsoft.com/blog/2014/04/08/microsoft-azure-load-balancing-services/
- Configure VM resiliency
- Scale up and scale down VM sizes; auto-scale; configure availability sets
- http://azure.microsoft.com/en-us/documentation/articles/cloud-services-how-to-scale/#autoscale http://azure.microsoft.com/en-us/documentation/articles/virtual-machines-manage-availability/
- Design and implement VM storage
- Configure disk caching; plan storage capacity; configure operating system disk redundancy; configure shared storage using Azure File service; configure geo-replication; encrypt disks
- http://msdn.microsoft.com/en-us/library/azure/dn790303.aspx http://blogs.msdn.com/b/windowsazurestorage/archive/2011/09/15/introducing-geo-replication-for-windows-azure-storage.aspx http://blogs.msdn.com/b/windowsazurestorage/archive/2014/05/12/introducing-microsoft-azure-file-service.aspx
- Monitor VMs
- Configure endpoint monitoring, alerts, and diagnostics
Implement Cloud Services (15-20%)
- Configure cloud services and roles
- Configure instance count and size, operating system version and family, upgrade and fault domains, ACLs, reserved IPs, and network access rules; configure local storage; configure dedicated and co-located caching, local and cloud configurations, and local disks; configure multiple websites; configure custom domains
- http://azure.microsoft.com/en-us/documentation/articles/cloud-services-how-to-configure/ http://blogs.technet.com/b/yungchou/archive/2011/05/16/window-azure-fault-domain-and-update-domain-explained-for-it-pros.aspx
- Deploy and manage cloud services
- Upgrade a deployment; VIP swap a deployment; package a deployment; modify configuration files; perform in-place updates; perform runtime configuration changes using the portal; scale a cloud service; create service bus namespaces and choose a tier; apply scalability targets
- Monitor cloud services
- Monitor service bus queues, topics, relays, and notification hubs; configure diagnostics
Implement Storage (15-20%)
- Implement blobs and Azure files
- Read data; change data; set metadata on a container; use encryption (SSL); perform an async blob copy; configure a Content Delivery Network (CDN); implement storage for backup and disaster recovery; configure Azure Backup; define blob hierarchies; configure custom domains; configure the Import and Export Service
- Manage access
- Create and manage shared access signatures; use stored access policies; regenerate keys
- Configure diagnostics, monitoring, and analytics
- Configure retention policies and logging levels; analyze logs
- Implement SQL databases
- Choose the appropriate database tier and performance level; configure point in time recovery and geo-replication; import and export data and schema; design a scaling strategy
- Implement recovery services
- Create a backup vault; deploy a backup agent; back up and restore data
Implement an Azure Active Directory (15-20%)
- Integrate an Azure AD with existing directories
- Implement DirSync, O365 integration, and single sign-on with on-premises Windows Server 2012 R2; add custom domains; monitor Azure AD
- Configure the Application Access Panel
- Configure single sign-on with SaaS applications using federation and password based; add users and groups to applications; revoke access to SaaS applications; configure access; federation with Facebook and Google ID
- Integrate an app with Azure AD
- web apps (WS-federation); desktop apps (OAuth); graph API
Implement Virtual Networks (15-20%)
- Configure a virtual network
- Deploy a VM into a virtual network; deploy a cloud service into a virtual network; configure static IPs; configure internal load balancing; design subnets
- Modify a network configuration
- Modify a subnet; import and export a network configuration
- Design and implement a multi-site or hybrid network
- Choose the appropriate solution between ExpressRoute, site-to-site, and point-to-site; choose the appropriate gateway; identify supported devices and software VPN solutions; identify networking prerequisites; configure regional virtual networks and multi-site virtual networks
One of the problems with using Office 365 licenses in an RDS/Citrix environment was that you needed a volume-licensed Office just to install it. But now Microsoft has announced something called Shared Computer Activation for Office 365, which allows us to install Office 365 in RDS/Citrix environments without the need to purchase a volume-licensed Office.
Quote from the official Microsoft blog –> http://blogs.technet.com/b/uspartner_ts2team/archive/2014/09/03/office-365-shared-computer-activation.aspx
“Well I’m pleased to announce that this support is now available as of September 1, 2014. All SKUs containing Office 365 ProPlus, Project Pro for Office 365, or Visio Pro for Office 365 can be used by multiple users on a shared device or virtual machine. This is referred to as shared computer activation.
Shared computer activation lets you deploy Office 365 ProPlus to a computer in your organization that is accessed by multiple users. For example, several nurses at a hospital connect to the same remote server to use their applications, or a group of workers share a computer at a factory.”
So how do I set this up?
You need to create a configuration.xml file that includes the following lines:
<Display Level="None" AcceptEULA="True" />
<Property Name="SharedComputerLicensing" Value="1" />
Display Level = None makes it a silent install, and the property defines the shared computer licensing value. Then you use the Office Deployment Tool to deploy Office 365 with shared computer support. The Office Deployment Tool can be found here –> http://www.microsoft.com/en-us/download/details.aspx?id=36778
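An added validator (not part of this post or of the Office Deployment Tool) that parses a configuration.xml and reports whether it carries the silent-install and SharedComputerLicensing settings described above, with a per-user variant beside it to show what a typical RDS mistake looks like. The complete sample files, including their Add/Product/Language elements, are constructed for this example.

```python
import xml.etree.ElementTree as ET
from typing import List

# Constructed configuration.xml for the Office Deployment Tool, with the two
# lines from the post plus the Add/Product/Language elements a real file
# needs (assumed values for edition, product and language).
SHARED_COMPUTER_CONFIG = """<Configuration>
  <Add OfficeClientEdition="32">
    <Product ID="O365ProPlusRetail">
      <Language ID="en-us" />
    </Product>
  </Add>
  <Display Level="None" AcceptEULA="True" />
  <Property Name="SharedComputerLicensing" Value="1" />
</Configuration>
"""

# Same file without the shared computer property and with an interactive
# install: the settings you do not want on a multi-user RDS/Citrix host.
PER_USER_CONFIG = """<Configuration>
  <Add OfficeClientEdition="32">
    <Product ID="O365ProPlusRetail">
      <Language ID="en-us" />
    </Product>
  </Add>
  <Display Level="Full" AcceptEULA="False" />
</Configuration>
"""


def check_shared_computer_config(xml_text: str) -> List[str]:
    """Return a list of problems; an empty list means the file is ready for an
    unattended shared-computer deployment as described in the post."""
    problems: List[str] = []
    root = ET.fromstring(xml_text)
    if root.tag != "Configuration":
        return [f"root element is <{root.tag}>, expected <Configuration>"]

    display = root.find("Display")
    if display is None:
        problems.append("missing <Display> element; setup will be interactive")
    else:
        if display.get("Level", "").lower() != "none":
            problems.append("Display Level is not None; setup will not be silent")
        if display.get("AcceptEULA", "").lower() != "true":
            problems.append("AcceptEULA is not True; silent setup will stop at the EULA")

    # Property elements are keyed by Name; the one that matters here is
    # SharedComputerLicensing, which must be exactly "1".
    props = {p.get("Name"): p.get("Value") for p in root.findall("Property")}
    value = props.get("SharedComputerLicensing")
    if value is None:
        problems.append("SharedComputerLicensing property missing; activations "
                        "will count against each user's five-computer limit")
    elif value != "1":
        problems.append(f"SharedComputerLicensing is {value!r}, expected '1'")

    if root.find("Add/Product") is None:
        problems.append("no <Add><Product> element; nothing would be installed")
    return problems


if __name__ == "__main__":
    print(check_shared_computer_config(SHARED_COMPUTER_CONFIG))  # []
    for problem in check_shared_computer_config(PER_USER_CONFIG):
        print("-", problem)
```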
So how does it work?
When a user logs on to an RDS server, he or she will get a dialog box the first time they log on.
They then need to enter their associated Office 365 user account; after that the application verifies it against Office online, and a license token is stored in the user profile for that particular user.
You can verify that shared computer activation is active by looking in the %localappdata%\Microsoft\Office\15.0\Licensing folder. (DO NOT ALTER THESE FILES)
There are a few gotchas here…
1: The license token expires after a couple of days. As the expiration date for the licensing token nears, Office 365 ProPlus automatically attempts to renew it while the user is logged on to the computer and using Office 365 ProPlus. If the user doesn't log on to the shared computer for several days, the licensing token can expire. The next time the user tries to use Office 365 ProPlus, it contacts the Office Licensing Service on the Internet to get a new licensing token.
2: Activation limits. Normally, users can install and activate Office 365 ProPlus on up to five computers. Using Office 365 ProPlus with shared computer activation enabled doesn't count against the five-computer limit.
Microsoft allows a single user to activate Office 365 ProPlus on a reasonable number of shared computers in a given time period. The user gets an error message in the unlikely event that the limit is exceeded.