Channel: Tech Support

Convert NT4 physical to VM on ESXi 6.0


I needed to do a physical to virtual conversion of a Windows NT 4 system into an ESXi 6.0 environment.
Readily available conversion tools will not work. I was able to convert the system using the steps listed below, which, at the highest level, amounts to taking a file image of the NT 4 hard disk and using it in the ESXi virtual machine.



Task One — Get VMDK Files
  1. Create vmdk images of the existing hard drive
Note:    I received a vmdk image of the hard drive that was created with VMware Converter 3.0.3.  I assume, but have not confirmed, that the results described below could have been attained had I used Acronis to image the drive and then converted the Acronis image to the vmdk format.


Task Two — Create VM
  1. Create a VM from the vSphere Web Client
  2. Compatibility: ESXi 6.0 and later (VM Version 11)
  3. Guest OS Family: Windows
  4. Guest OS Version: Microsoft Windows NT (ignore the warning about the OS no longer being supported)
  5. Customize Hardware:
  • You will not be able to specify more than a single CPU
  • Set memory as desired, I went with 512 MB
  • Delete the hard disk the system created for you (use the X mark that will appear to the right)
  • Delete the SCSI controller the system created for you (use the X mark that will appear to the right)
  • Make sure the network entry has a check in the Connect at power on box
  • Modify the Video card settings to increase the memory as desired, I went with 8.79 MB
  • Place the scanned hard drive image in vmdk format into the folder that vSphere created for your new virtual machine
  • Use the new device option at the bottom to add the existing hard drive you scanned from the physical machine
    • Select the Existing Hard Disk alternative and click add
    • Navigate to the folder in your VM datastore to locate the relevant vmdk image file
    • After the system creates the device, customize its settings to show up as IDE 0
Note:  The system defaulted to a SCSI target and added a new SCSI controller, which I deleted after establishing the hard drive as an IDE device.  If your disks are set up as SCSI disks then you will need to use a SCSI controller and targets and not IDE as I did on the system I describe here.
Click Finish.


Task Three — Boot VM, Install VMware Tools and Adjust Display Resolution
  1. Open a Console and Power on the VM (I prefer the remote console)
  2. Send the Control-Alt-Delete sequence to your VM from the VMRC menu at the upper left of the console
  3. Install VMware Tools from the Manage > Install VMware Tools option in the VMRC menu
  4. I did a “complete install” rather than a “typical install” — I don’t know if that matters
  5. You will get a warning about a failure to automatically install a network adapter, that’s ok
  6. The installer will prompt you to reboot, let it do so
  7. The system should now see the additional video memory you originally provisioned, adjust display resolution from the display NT control panel and reboot

Task Four — Enable Networking
  1. Remove existing network adapters via the NT Network control panel and reboot
  2. Add a new VMware Virtual Ethernet Adapter via the Network control panel
  3. Point the control panel at “C:\Program Files\VMware\VMware Tools\Drivers\vmxnet”
  4. Configure IP and DNS as you desire
  5. Reboot
  6. Upon reboot your system should have network access

Task Five – Add Uniprocessor Support to MPS Installations
If your physical computer has more than one processor you will likely encounter problems running that operating system in the ESXi environment.  I found that while the system ran, it used excessive amounts of CPU capacity, even when idling.  I believe this is happening because the hardware abstraction layer (HAL) installed on these systems is for multiprocessor systems.  ESXi only uses one processor with Windows NT.

To remedy this problem, follow these instructions, which I found at https://www.vmware.com/support/ws3/doc/ws32_disks7.html
  1. Copy the hal.dll file and the NTOSKRNL.EXE file from the Windows NT CD-ROM or Windows NT Service Pack CD-ROM (if a service pack is installed) to a temporary folder. On Service Pack CD-ROMs these files are found in the \i386 folder.
  2. Rename the hal.dll file to unihal.dll, and rename the NTOSKRNL.EXE file to UNIKRNL.EXE.
  3. Copy the files you renamed in Step 2 to the C:\winnt\system32 folder. (If the system environment variable SYSTEMROOT is not C:, then use the appropriate path instead of C:\winnt\system32.)
  4. Remove the read-only attribute from the boot.ini file:
attrib -s -h -r C:\boot.ini
  5. Modify the [operating systems] section in boot.ini to read:
[operating systems]
multi(0)disk ….\WINNT40="Windows NT Server Version 4.00"
multi(0)disk ….\WINNT40="Windows NT Version 4.00 [UNIHAL]" /hal=unihal.dll /kernel=unikrnl.exe
Note: The last line, from the second multi(0)disk to /kernel=unikrnl.exe, must be on one line.
  6. Save the boot.ini file, exit the text editor, then restart the computer.
  7. When the computer reboots, choose Windows NT Version 4.00 [UNIHAL] from the Windows NT boot menu.
This is the configuration you should use in the virtual machine.



Task Six – Remove Unused Hardware Drivers
If your physical NT computer had hardware not included in the virtual environment you should consider removing the related drivers from your virtual NT system.  Windows NT is not PNP.  It will not be using those drivers.  Why not clean things up and remove the chance of conflicts with unused drivers?


Good luck.

Office (Word/Excel/Outlook) 2010/2013 Freezes and Hangs in VDI

In a VDI environment users may experience delays, hangs, freezes and pauses when using the Microsoft Office suite of applications such as Word, Excel, Outlook and PowerPoint.


I've also heard this described as "lumpy" performance!

This can be seen in Office versions 2007, 2010 and the latest 2013 (including Office 365 click to run) with all updates applied for both Office and Windows.

While this can be caused by a number of factors, such as insufficient vCPU/vRAM in the guest OS or resource contention at the host level, it could also be due to a setting within Office to disable hardware acceleration.

The key is to understand exactly what is happening and verify it is not "latency" on the LAN/WAN connection and that only Office applications appear to be affected and randomly freeze, while other applications do not hang.


1. Within one of the Office applications exhibiting the issue, go to File -> Options

2. Go to Advanced -> Display

3. Tick "Disable hardware graphics acceleration" and Click "Ok".

Note: This setting applies to all applications (i.e. If you set it in Word, Excel will pick up the setting at next launch).



4. Close all Office applications and then open the application which exhibits the problem the most and confirm this has resolved the issue.

Note: If this has not resolved the issue the problem may be due to resource contention either in the guest or host.

If this is the cause, user feedback after 5-10 minutes is usually along the lines of "wow what did you do" and "that's a million times better!" or "it's like a local desktop", provided everything else in the VDI environment is optimized and working correctly.

5. To deploy this fix to all users, this setting can be made in a group policy object (GPO) to ensure all VDI users get this optimization.
User Configuration -> Administrative Templates -> Microsoft Office 2013 -> Miscellaneous -> Do not use hardware graphics acceleration
 

Horizon View vCenter Role Permissions PowerCLI Script

As a consultant I perform a lot of VMware Horizon View implementations and I find several of the implementation tasks repetitive. One of those tasks is the creation of a role within vCenter to give the service account used by View Administrator to connect to vCenter server a role with only the required permissions.


While some people use the Administrator role, this is wrong; the permissions VMware states in the View documentation should be used instead.

There are two sets of permissions: the default permissions required for View to create full clones, power desktops off/on etc., and the additional permissions required if View Composer is being used to create linked clones.

I created the PowerCLI script below which can be used to create a role for "Horizon View (inc Composer)" and add the required permissions documented by VMware to save myself time.

Connect-VIServer -Server "<vCenter Server name>"   # replace the placeholder with your vCenter Server

New-VIRole -Name "Horizon View (inc Composer)"

Set-VIRole -Role "Horizon View (inc Composer)" -AddPrivilege (Get-VIPrivilege -Name "Anonymous")
Set-VIRole -Role "Horizon View (inc Composer)" -AddPrivilege (Get-VIPrivilege -Name "View")
Set-VIRole -Role "Horizon View (inc Composer)" -AddPrivilege (Get-VIPrivilege -Name "Read")
Set-VIRole -Role "Horizon View (inc Composer)" -AddPrivilege (Get-VIPrivilege -Name "Act as vCenter Server")
Set-VIRole -Role "Horizon View (inc Composer)" -AddPrivilege (Get-VIPrivilege -Name "Disable methods")
Set-VIRole -Role "Horizon View (inc Composer)" -AddPrivilege (Get-VIPrivilege -Name "Enable methods")
Set-VIRole -Role "Horizon View (inc Composer)" -AddPrivilege (Get-VIPrivilege -Name "System tag")
Set-VIRole -Role "Horizon View (inc Composer)" -AddPrivilege (Get-VIPrivilege -Name "Create folder")
Set-VIRole -Role "Horizon View (inc Composer)" -AddPrivilege (Get-VIPrivilege -Name "Delete folder")
Set-VIRole -Role "Horizon View (inc Composer)" -AddPrivilege (Get-VIPrivilege -Name "Browse datastore")
Set-VIRole -Role "Horizon View (inc Composer)" -AddPrivilege (Get-VIPrivilege -Name "Low level file operations")
Set-VIRole -Role "Horizon View (inc Composer)" -AddPrivilege (Get-VIPrivilege -Name "Allocate space")
Set-VIRole -Role "Horizon View (inc Composer)" -AddPrivilege (Get-VIPrivilege -Name "Move network")
Set-VIRole -Role "Horizon View (inc Composer)" -AddPrivilege (Get-VIPrivilege -Name "Remove")
Set-VIRole -Role "Horizon View (inc Composer)" -AddPrivilege (Get-VIPrivilege -Name "Configure")
Set-VIRole -Role "Horizon View (inc Composer)" -AddPrivilege (Get-VIPrivilege -Name "Assign network")
Set-VIRole -Role "Horizon View (inc Composer)" -AddPrivilege (Get-VIPrivilege -Name "Advanced settings")
Set-VIRole -Role "Horizon View (inc Composer)" -AddPrivilege (Get-VIPrivilege -Name "Create new")
Set-VIRole -Role "Horizon View (inc Composer)" -AddPrivilege (Get-VIPrivilege -Name "Create from existing")
Set-VIRole -Role "Horizon View (inc Composer)" -AddPrivilege (Get-VIPrivilege -Name "Register")
Set-VIRole -Role "Horizon View (inc Composer)" -AddPrivilege (Get-VIPrivilege -Name "Remove")
Set-VIRole -Role "Horizon View (inc Composer)" -AddPrivilege (Get-VIPrivilege -Name "Unregister")
Set-VIRole -Role "Horizon View (inc Composer)" -AddPrivilege (Get-VIPrivilege -Name "Move")
Set-VIRole -Role "Horizon View (inc Composer)" -AddPrivilege (Get-VIPrivilege -Name "Power On")
Set-VIRole -Role "Horizon View (inc Composer)" -AddPrivilege (Get-VIPrivilege -Name "Power Off")
Set-VIRole -Role "Horizon View (inc Composer)" -AddPrivilege (Get-VIPrivilege -Name "Suspend")
Set-VIRole -Role "Horizon View (inc Composer)" -AddPrivilege (Get-VIPrivilege -Name "Reset")
Set-VIRole -Role "Horizon View (inc Composer)" -AddPrivilege (Get-VIPrivilege -Name "Perform wipe or shrink operations")
Set-VIRole -Role "Horizon View (inc Composer)" -AddPrivilege (Get-VIPrivilege -Name "Rename")
Set-VIRole -Role "Horizon View (inc Composer)" -AddPrivilege (Get-VIPrivilege -Name "Set annotation")
Set-VIRole -Role "Horizon View (inc Composer)" -AddPrivilege (Get-VIPrivilege -Name "Add existing disk")
Set-VIRole -Role "Horizon View (inc Composer)" -AddPrivilege (Get-VIPrivilege -Name "Add new disk")
Set-VIRole -Role "Horizon View (inc Composer)" -AddPrivilege (Get-VIPrivilege -Name "Remove disk")
Set-VIRole -Role "Horizon View (inc Composer)" -AddPrivilege (Get-VIPrivilege -Name "Raw device")
Set-VIRole -Role "Horizon View (inc Composer)" -AddPrivilege (Get-VIPrivilege -Name "Host USB device")
Set-VIRole -Role "Horizon View (inc Composer)" -AddPrivilege (Get-VIPrivilege -Name "Change CPU count")
Set-VIRole -Role "Horizon View (inc Composer)" -AddPrivilege (Get-VIPrivilege -Name "Memory")
Set-VIRole -Role "Horizon View (inc Composer)" -AddPrivilege (Get-VIPrivilege -Name "Add or remove device")
Set-VIRole -Role "Horizon View (inc Composer)" -AddPrivilege (Get-VIPrivilege -Name "Modify device settings")
Set-VIRole -Role "Horizon View (inc Composer)" -AddPrivilege (Get-VIPrivilege -Name "Settings")
Set-VIRole -Role "Horizon View (inc Composer)" -AddPrivilege (Get-VIPrivilege -Name "Change resource")
Set-VIRole -Role "Horizon View (inc Composer)" -AddPrivilege (Get-VIPrivilege -Name "Upgrade virtual machine compatibility")
Set-VIRole -Role "Horizon View (inc Composer)" -AddPrivilege (Get-VIPrivilege -Name "Reset guest information")
Set-VIRole -Role "Horizon View (inc Composer)" -AddPrivilege (Get-VIPrivilege -Name "Advanced")
Set-VIRole -Role "Horizon View (inc Composer)" -AddPrivilege (Get-VIPrivilege -Name "Disk lease")
Set-VIRole -Role "Horizon View (inc Composer)" -AddPrivilege (Get-VIPrivilege -Name "Swapfile placement")
Set-VIRole -Role "Horizon View (inc Composer)" -AddPrivilege (Get-VIPrivilege -Name "Extend virtual disk")
Set-VIRole -Role "Horizon View (inc Composer)" -AddPrivilege (Get-VIPrivilege -Name "Disk change tracking")
Set-VIRole -Role "Horizon View (inc Composer)" -AddPrivilege (Get-VIPrivilege -Name "Unlock virtual machine")
Set-VIRole -Role "Horizon View (inc Composer)" -AddPrivilege (Get-VIPrivilege -Name "Query unowned files")
Set-VIRole -Role "Horizon View (inc Composer)" -AddPrivilege (Get-VIPrivilege -Name "Reload from path")
Set-VIRole -Role "Horizon View (inc Composer)" -AddPrivilege (Get-VIPrivilege -Name "Query Fault Tolerance compatibility")
Set-VIRole -Role "Horizon View (inc Composer)" -AddPrivilege (Get-VIPrivilege -Name "Display connection settings")
Set-VIRole -Role "Horizon View (inc Composer)" -AddPrivilege (Get-VIPrivilege -Name "Configure managedBy")
Set-VIRole -Role "Horizon View (inc Composer)" -AddPrivilege (Get-VIPrivilege -Name "Create snapshot")
Set-VIRole -Role "Horizon View (inc Composer)" -AddPrivilege (Get-VIPrivilege -Name "Revert to snapshot")
Set-VIRole -Role "Horizon View (inc Composer)" -AddPrivilege (Get-VIPrivilege -Name "Remove Snapshot")
Set-VIRole -Role "Horizon View (inc Composer)" -AddPrivilege (Get-VIPrivilege -Name "Rename Snapshot")
Set-VIRole -Role "Horizon View (inc Composer)" -AddPrivilege (Get-VIPrivilege -Name "Customize")
Set-VIRole -Role "Horizon View (inc Composer)" -AddPrivilege (Get-VIPrivilege -Name "Clone virtual machine")
Set-VIRole -Role "Horizon View (inc Composer)" -AddPrivilege (Get-VIPrivilege -Name "Deploy template")
Set-VIRole -Role "Horizon View (inc Composer)" -AddPrivilege (Get-VIPrivilege -Name "Read customization specifications")
Set-VIRole -Role "Horizon View (inc Composer)" -AddPrivilege (Get-VIPrivilege -Name "Allow disk access")
Set-VIRole -Role "Horizon View (inc Composer)" -AddPrivilege (Get-VIPrivilege -Name "Assign virtual machine to resource pool")
Set-VIRole -Role "Horizon View (inc Composer)" -AddPrivilege (Get-VIPrivilege -Name "Migrate powered off virtual machine")
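Display names such as "Remove" (listed twice above) exist under more than one privilege group, so Get-VIPrivilege -Name returns every privilege with that name and all of them are added to the role. The following check is an added example, not part of the original author's script; the function name Get-PrivilegeNameResolution and the sample catalog rows are constructed for illustration.

```powershell
# Added example: report how each privilege display name resolves to privilege IDs,
# so a least-privilege role does not silently pick up extra privileges.
function Get-PrivilegeNameResolution {
    param(
        [object[]] $Catalog,   # objects exposing Name (display name) and Id
        [string[]] $Name       # display names a role script intends to add
    )
    foreach ($n in ($Name | Select-Object -Unique)) {
        # Same case-insensitive comparison a name lookup would perform
        $hits = @($Catalog | Where-Object { $_.Name -eq $n })

        $status = 'Unique'
        if ($hits.Count -eq 0) { $status = 'Missing' }     # typo or version mismatch
        if ($hits.Count -gt 1) { $status = 'Ambiguous' }   # more than one privilege added

        [pscustomobject]@{
            Name    = $n
            Matches = $hits.Count
            Status  = $status
            Ids     = (@($hits | ForEach-Object { $_.Id }) | Sort-Object) -join ', '
        }
    }
}

# Constructed sample rows (not an export from a real vCenter) so the check runs offline.
$sampleCatalog = @(
    [pscustomobject]@{ Name = 'Remove';        Id = 'Network.Delete' }
    [pscustomobject]@{ Name = 'Remove';        Id = 'VirtualMachine.Inventory.Delete' }
    [pscustomobject]@{ Name = 'Power On';      Id = 'VirtualMachine.Interact.PowerOn' }
    [pscustomobject]@{ Name = 'Create folder'; Id = 'Folder.Create' }
)

# 'Disk lease' is absent from the sample on purpose, to show the Missing case.
$namesToCheck = 'Remove', 'Power On', 'Create folder', 'Disk lease'

Get-PrivilegeNameResolution -Catalog $sampleCatalog -Name $namesToCheck |
    Format-Table -AutoSize

# Against a live connection, pass the real catalog instead of the sample:
#   $catalog = Get-VIPrivilege -PrivilegeItem
# For any name reported as Ambiguous, decide which IDs the role should hold and
# select them with Get-VIPrivilege -Id rather than -Name. Afterwards, list what
# the role actually contains:
#   Get-VIPrivilege -Role "Horizon View (inc Composer)" | Sort-Object Id | Select-Object Id, Name
```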

VMware Adobe Flash Optimizer IE Addon - Enable/Disable via GPO

The VMware View Agent, which is installed in all virtual desktops (and RDS hosts) managed by Horizon View, includes the VMware Adobe Flash Optimizer Internet Explorer add-on.


This IE add-on is provided so the View administrator can control the flash settings for all virtual desktops in the desktop pool to optimize them for a VDI environment to improve bandwidth.

There are two settings which can be configured on the desktop pool (which are disabled by default):
  • Flash Quality - which controls the quality of the flash movie, reducing bandwidth requirements
  • Flash Throttling - which controls the frame rate of the flash movie, again reducing the bandwidth requirements

When a user opens Internet Explorer they will be presented with a prompt requesting if they wish to enable or disable this add-on.

If you as the View administrator wish to control the flash settings based on the desktop pool setting, giving the user the option to disable this add-on is going to make any of those optimizations inapplicable, as the add-on will not be enabled.

Additionally the user may not know what to answer, causing confusion and support calls. This should be enabled via group policy so that the user is not prompted and the add-on is enabled.

Alternatively you may choose to disable the add-on if you are not using the flash optimization settings.



To enable or disable an add-on in Internet Explorer, follow these steps:

1. Within IE click on the settings cog image.
2. Select Manage Add-ons.
3. You will see the VMware Adobe Flash Optimizer add-on with a status of New (or Enabled/Disabled if you clicked one of the options when you opened IE).
4. Right click the add-on and select More Information




5. Note the Class ID and click Copy.




6. Paste the information from the clipboard, as below, and copy out the "Class ID".

Name:                   VMware Adobe Flash Optimizer
Publisher:              VMware, Inc.
Type:                   Browser Helper Object
Architecture:           32-bit
Version:                6.1.0.4767
File date:              11 February 2015, 17:47
Date last accessed:     30 April 2015, 11:57
Class ID:               {A500A600-5B69-4011-AC50-5ACB97D04B72}
Use count:              0
Block count:            8
File:                   flashOptimizer.dll
Folder:                 C:\Program Files\VMware\VMware View\Agent\bin


7. Create a group policy object (GPO) for IE or amend an existing one.
8. Under Computer OR User Configuration (as applicable) create the following setting:
Administrative Templates/Windows Components/Internet Explorer/Security Features/Add-on Management/Add-on List

9. Enter the Class ID and a value to enable or disable the add-on within IE.
0 - Disable add-on and cannot be changed by user
1 - Enable add-on and cannot be changed by user
2 - Enable add-on but can be changed by user


10. Apply the GPO to the required OU and perform a gpupdate.


 

Mouse Cursor Disappears on a Windows 8.1 View Desktop Following Update


Following an update within Windows 8.1 Update 1 the mouse cursor within a VMware View desktop may occasionally disappear.

When locking the desktop (ctrl+alt+del) and subsequently unlocking the desktop, it can be noted that the cursor has disappeared.


You may however notice some objects are highlighted as you move the mouse.
Reconnecting the desktop session or logging off/on allows the cursor to return.

This can be resolved by disabling cursor suppression in the registry, either in your master image (then recomposing the desktop pools) or by creating the reg key in a group policy preference and restarting all the desktops.


1. Open Regedit
2. Navigate to HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\
3. Note that "EnableCursorSuppression" is set to 1 which is the default of enabled.



4. Set "EnableCursorSuppression" to 0




vSphere Transparent Page Sharing (TPS) in Horizon View 6.1

As you may already know, VMware have disabled Transparent Page Sharing (TPS), the popular memory management and memory saving feature, by default in later releases of ESXi.

ESXi 5.1U3 and future Update releases of ESXi 5.0 and 5.5 including ESXi 6.x have TPS disabled, however this can be enabled in the advanced settings of the host.


Technically it's still there and enabled but it is only creating pointers for duplicate memory pages at the individual VM level, so there is no inter-VM page sharing taking place.

If you don't know the full details of why this is, you can read all about it in VMware's KB:
Security considerations and disallowing inter-Virtual Machine Transparent Page Sharing (2080735)
http://kb.vmware.com/kb/2080735

When it comes to a Horizon View deployment with desktop pools containing hundreds of desktops, this is a feature which saves a lot of physical memory on the ESXi hosts, by creating pointers to an identical page in memory rather than duplicating a page.

Having this disabled by default can cause the design and specification of a Horizon View environment to change significantly, as memory saving of between 10% and 40% can be achieved with it enabled.
If you are upgrading an existing View environment you need to be acutely aware of this, as the memory on your hosts may become contended if you were close to the limit.

If you have assessed and approved the security risk associated with enabling TPS in a desktop environment, you can from within the nice Horizon View web GUI enable TPS based on a desktop pool setting.

That's right based on a desktop pool setting!
So you could have a number of general desktop pools with many 100's of desktops which do not have a security requirement to have TPS disabled, as such you can enable it on those pools at the pod or global level.
Likewise you may have a more secure desktop pool which must have TPS disabled and you can use TPS at the VM level or pool level for this secure desktop pool.


You configure the TPS scope within Horizon View Administrator at the pool level. This can be done when creating a new desktop pool or by editing an existing pool.

This applies to both full clone and linked clone (View Composer) desktop pools.
You will find the setting under "Advanced Storage Options", which is interesting as it doesn't really have anything to do with storage!



You can set the "Transparent Page Sharing Scope" to a number of options:
  • Virtual Machine (is the default)
  • Desktop Pool
  • Pod
  • Global

You may choose to set this to Pod or Global to get maximum memory savings in your Horizon View environment, however you can set different pools to different settings based on your requirements.




App-V 5.x Writing to the native registry

Occasionally you may come across a requirement for an App-V application to write to the native registry (i.e. that of the desktop which the App-V client is installed on). By default all App-V applications write their registry keys and values to the virtual registry specific to that published App-V.


That same virtual registry may contain registry keys created during the installation and sequencing of an application. It is possible to exclude certain registry paths during the sequencing, but any new keys will still be created in the virtual registry at execution time.

An App-V application can see both the virtual registry and the native registry (also known as merge).

If you require the App-V application to read from the native registry, App-V already does this by default, it sees a merged view of both native and virtual registry.

However if you require the App-V application to write to the native registry instead of the virtual registry, then that requires an exclusion on the App-V client.

The following reg key in App-V 5.x allows administrators to specify registry paths that App-V packages can write to (instead of the virtual registry).

HKEY_LOCAL_MACHINE\Software\Microsoft\AppV\Subsystem\VirtualRegistry
PassThroughPaths (REG_MULTI_SZ)
 
However, note that this key applies to ALL App-V packages published to that computer; you cannot be specific. All App-V packages will then be able to write to that path, so you want to keep these paths specific and to a minimum where possible.




For reference by default the following native registry paths can be written to by all App-V packages:

HKEY_CURRENT_USER\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib
HKEY_LOCAL_MACHINE\SOFTWARE\Policies
HKEY_CURRENT_USER\SOFTWARE\Policies

If you need to add an additional path, it should be entered on a separate line. In my case I was required to add the following key to allow an App-V application to perform some very specific integration with Internet Explorer for a bespoke application vendor.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main

To deploy this to all computers in the domain a simple group policy preference was created to replace the reg key.

Note: Ensure you include the defaults plus your additional reg path.




Key: HKEY_LOCAL_MACHINE\Software\Microsoft\AppV\Subsystem\VirtualRegistry

Value: PassThroughPaths (REG_MULTI_SZ)

Value Data:

HKEY_CURRENT_USER\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib
HKEY_LOCAL_MACHINE\SOFTWARE\Policies
HKEY_CURRENT_USER\SOFTWARE\Policies

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main

That's all there is to it; it's pretty straightforward once you understand it. I don't expect the native registry to be written to by many applications, and it's virtual and native application integration that will drive the need for the use of the pass through reg paths.
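Because the group policy preference replaces the whole value, a deployed PassThroughPaths list can lose a default or gain a path nobody reviewed. The following audit is an added example, not from the original post; the function name Compare-PassThroughPaths, the approved list and the sample value are constructed, and the baseline is the default list given above.

```powershell
# Added example: audit a PassThroughPaths value against the defaults listed in this
# article plus an explicit list of approved additions.
$DefaultPassThroughPaths = @(
    'HKEY_CURRENT_USER\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel'
    'HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel'
    'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT'
    'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application'
    'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger'
    'HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings'
    'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib'
    'HKEY_LOCAL_MACHINE\SOFTWARE\Policies'
    'HKEY_CURRENT_USER\SOFTWARE\Policies'
)

function Compare-PassThroughPaths {
    param(
        [string[]] $Current,                              # value data as read from the client
        [string[]] $Baseline = $DefaultPassThroughPaths,  # defaults that must remain present
        [string[]] $Approved = @()                        # additions that were reviewed
    )
    # Drop blank entries and trailing backslashes so formatting differences do not
    # show up as findings.
    $clean = { process { if ($_ -and $_.Trim()) { $_.Trim().TrimEnd('\') } } }
    $cur  = @($Current  | & $clean)
    $base = @($Baseline | & $clean)
    $ok   = @($Approved | & $clean)

    # A default that disappeared: packages relying on it now write to the virtual registry.
    foreach ($p in $base) {
        if ($p -notin $cur) { [pscustomobject]@{ Finding = 'MissingDefault'; Path = $p } }
    }
    # Anything beyond the defaults is writable in the native registry by ALL packages.
    foreach ($p in $cur) {
        if ($p -in $base) { continue }
        $finding = if ($p -in $ok) { 'ApprovedAddition' } else { 'UnapprovedAddition' }
        [pscustomobject]@{ Finding = $finding; Path = $p }
    }
}

# Constructed sample value: one default dropped, the article's Internet Explorer path
# added, a blank entry, and one extra path (hypothetical vendor key) that was never approved.
$sampleCurrent = @($DefaultPassThroughPaths | Where-Object { $_ -notlike '*Perflib' }) + @(
    ''
    'HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main'
    'HKEY_CURRENT_USER\SOFTWARE\ExampleVendor\'
)
$approved = @('HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main')

Compare-PassThroughPaths -Current $sampleCurrent -Approved $approved |
    Format-Table -AutoSize

# On an App-V client, read the live value instead of the sample:
#   $key = 'HKLM:\SOFTWARE\Microsoft\AppV\Subsystem\VirtualRegistry'
#   $live = (Get-ItemProperty -Path $key -Name PassThroughPaths).PassThroughPaths
#   Compare-PassThroughPaths -Current $live -Approved $approved
```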






Visiontek USB 3.0 Pocket SSD review: Convenient form factor, fast reads, slow writes


This USB 3.0 thumb drive rivals Samsung's T1 in read speed, but writes barely faster than a hard drive. 

USB flash drives have become the almost universal method of sneakernetting small amounts of data. Small by today’s standards, anyway. However, it’s getting to the point where these thumb drives can take on the larger data sets that had, until now, been the province of portable hard drives. Witness Visiontek’s USB 3.0 Pocket SSD. Little larger physically than the average flash drive, it starts at 128GB capacity and maxes out at a substantial 512GB. 

There's also no surtax for the higher capacities, as there has often been in the USB thumb drive market. The Visiontek Pocket SSD is actually a bit pricier per gigabyte in its lower capacities, though all can be had for between 30 and 40 cents per GB if you shop around.

Performance

The 512GB Pocket SSD is a very fast reader for a USB 3.0 mass storage device, topping out at about 420MBps in AS SSD—nearly as fast as Samsung’s T1 USB 3.0 SSD. Alas, it’s only half the writer the T1 is, managing a hard drive-like 140MBps compared to the Samsung drive’s 310MBps. Random access times are quite quick, as they should be with anything NAND-based. According to VisionTek, the NAND is MLC in this case, and shouldn't suffer any write drop-offs like TLC. Then again, TLC generally performs at about 140MBps when writing. Just saying. 


While a very good reader, the Pocket SSD was actually outperformed in sustained writes by a Seagate Backup Plus Fast USB 3.0 hard drive (using RAID 0).   


While the VisionTek Pocket SSD matched up well with the Samsung T1 reading, and even when writing our 20GB set of small files and folders, it was distinctly overmatched when it came to writing our single 20GB archive.


I quite like the convenience of the Visiontek USB 3.0 Pocket Drive as well as its read performance. But as affordable as it is, I wish it were a bit cheaper. Why? Because when I perused Amazon, the 512GB version of the Samsung T1 was available for $150, while the same-capacity Pocket SSD cost $180. It should go without saying that a faster drive for less money is the more attractive purchase. I’m guessing that with the release of Samsung’s metal-jacketed T3, which is to be available in up to 2TB capacities, the price of the T1 might dip even a bit further.




Also, the Samsung T1, while a different form factor, actually feels a bit lighter and fits in most pockets as easily as a thumb drive. In many cases, more comfortably. That said, I like a little heft in my thumb drives as it makes them a tad easier to locate in my pocket- and compartment-mad backpack. I'd also bet on the Pocket SSD surviving heavy abuse better than the T1.

Unlike with the Samsung T1, there's no cable to carry or lose.  


Conclusion

The Visiontek USB 3.0 Pocket SSD is self-contained (no cable to lose as with the Samsung T1), affordable, and a very fast reader. It also shed heat quite well in my testing and has a nice heft to it. Nothing to dislike there. If the thumb drive is your preferred form factor, go for it. But only for distributing data. If backup is your goal, then a hard drive is nearly as fast and a lot more affordable. If money is no object, the Samsung T1 or T3 are better USB 3.0 SSDs for backup.

How To Run Parse Server on Ubuntu 14.04

Parse Server Mobile Backend

Parse is a Mobile Backend as a Service platform, owned by Facebook since 2013. In January of 2016, Parse announced that its hosted services would shut down in January of 2017.


In order to help its users transition away from the service, Parse has released an open source version of its backend, called Parse Server, which can be deployed to environments running Node.js and MongoDB.

This guide supplements the official documentation with detailed instructions for installing Parse Server on an Ubuntu 14.04 system. It is intended first and foremost as a starting point for Parse developers who are considering migrating their applications, and should be read in conjunction with the official Parse Server Guide.

Prerequisites

This guide assumes that you have a clean Ubuntu 14.04 system, configured with a non-root user with sudo privileges for administrative tasks.

 

Step 1 — Install Node.js and Development Tools

Begin by changing the current working path to your sudo user's home directory:

  • cd ~


NodeSource offers an Apt repository for Debian and Ubuntu Node.js packages. We'll use it to install Node.js. NodeSource offers an installation script for the latest stable release (v5.5.0 at the time of this writing), which can be found in the installation instructions. Download the script with curl:

  • curl -sL https://deb.nodesource.com/setup_5.x -o nodesource_setup.sh


You can review the contents of this script by opening it with nano, or your text editor of choice:

  • nano ./nodesource_setup.sh


Next, run nodesource_setup.sh. The -E option to sudo tells it to preserve the user's environment variables so that they can be accessed by the script:

  • sudo -E bash ./nodesource_setup.sh


Once the script has finished, NodeSource repositories should be available on the system. We can use apt-get to install the nodejs package. We'll also install the build-essential metapackage, which provides a range of development tools that may be useful later, and the Git version control system for retrieving projects from GitHub:

  • sudo apt-get install -y nodejs build-essential git


 

Step 2 — Install an Example Parse Server App

Parse Server is designed to be used in conjunction with Express, a popular web application framework for Node.js which allows middleware components conforming to a defined API to be mounted on a given path. The parse-server-example repository contains a stubbed-out example implementation of this pattern.
Retrieve the repository with git:

  • git clone https://github.com/ParsePlatform/parse-server-example.git


Enter the parse-server-example directory you just cloned:

  • cd ~/parse-server-example


Use npm to install dependencies, including parse-server, in the current directory:

  • npm install


npm will fetch all of the modules required by parse-server and store them in ~/parse-server-example/node_modules.

 

Step 3 — Test the Sample Application

Use npm to start the service. This will run a command defined in the start property of package.json. In this case, it runs node index.js:

  • npm start



Output

> parse-server-example@1.0.0 start /home/sammy/parse-server-example
> node index.js

DATABASE_URI not specified, falling back to localhost.
parse-server-example running on port 1337.

You can terminate the running application at any time by pressing Ctrl-C.

The Express app defined in index.js will pass HTTP requests on to the parse-server module, which in turn communicates with your MongoDB instance and invokes functions defined in ~/parse-server-example/cloud/main.js.

In this case, the endpoint for Parse Server API calls defaults to:
http://your_server_IP/parse

In another terminal, you can use curl to test this endpoint. Make sure you're logged into your server first, since these commands reference localhost instead of a specific IP address.

Create a record by sending a POST request with an X-Parse-Application-Id header to identify the application, along with some data formatted as JSON:
curl -X POST \
-H "X-Parse-Application-Id: myAppId" \
-H "Content-Type: application/json" \
-d '{"score":1337,"playerName":"Sammy","cheatMode":false}' \
http://localhost:1337/parse/classes/GameScore

Output

{"objectId":"fu7t4oWLuW","createdAt":"2016-02-02T18:43:00.659Z"}

The data you sent is stored in MongoDB, and can be retrieved by using curl to send a GET request:

  • curl -H "X-Parse-Application-Id: myAppId" http://localhost:1337/parse/classes/GameScore



Output

{"results":[{"objectId":"GWuEydYCcd","score":1337,"playerName":"Sammy","cheatMode":false,"updatedAt":"2016-02-02T04:04:29.497Z","createdAt":"2016-02-02T04:04:29.497Z"}]}

Run a function defined in ~/parse-server-example/cloud/main.js:
curl -X POST \
-H "X-Parse-Application-Id: myAppId" \
-H "Content-Type: application/json" \
-d '{}' \
http://localhost:1337/parse/functions/hello

Output

{"result":"Hi"}

 

Step 4 — Configure Sample Application

In your original terminal, press Ctrl-C to stop the running version of the Parse Server application.
As written, the sample script can be configured by the use of six environment variables:
Variable         Description
---------------  ------------------------------------------------------------------------------
DATABASE_URI     A MongoDB connection URI, like mongodb://localhost:27017/dev
CLOUD_CODE_MAIN  A path to a file containing Parse Cloud Code functions, like cloud/main.js
APP_ID           A string identifier for your app, like myAppId
MASTER_KEY       A secret master key which allows you to bypass all of the app's security mechanisms
PARSE_MOUNT      The path where the Parse Server API should be served, like /parse
PORT             The port the app should listen on, like 1337

You can set any of these values before running the script with the export command. For example:

  • export APP_ID=fooApp


It's worth reading through the contents of index.js, but in order to get a clearer picture of what's going on, you can also write your own shorter version of the example. Open a new script in your editor:

  • nano my_app.js


And paste the following, changing the highlighted values where desired:

~/parse-server-example/my_app.js
var express = require('express');
var ParseServer = require('parse-server').ParseServer;

// Configure the Parse API
var api = new ParseServer({
  databaseURI: 'mongodb://localhost:27017/dev',
  cloud: __dirname + '/cloud/main.js',
  appId: 'myOtherAppId',
  masterKey: 'myMasterKey'
});

var app = express();

// Serve the Parse API on the /myparseapp URL prefix
app.use('/myparseapp', api);

// Listen for connections on port 9999
var port = 9999;
app.listen(port, function() {
  console.log('parse-server-example running on port ' + port + '.');
});

Exit and save the file, then run it with Node.js:

  • node my_app.js



Output

parse-server-example running on port 9999.

Again, you can press Ctrl-C at any time to stop my_app.js. As written above, the sample my_app.js will behave nearly identically to the provided index.js, except that it will listen on port 9999, with Parse Server mounted at /myparseapp, so that the endpoint URL looks like so:

http://yourserverIP:9999/myparseapp

And it can be tested with curl like so:

  • curl -H "X-Parse-Application-Id: myOtherAppId" http://localhost:9999/myparseapp/classes/GameScore


 

Conclusion

You should now know the basics of running a Node.js application like Parse Server in an Ubuntu environment. Fully migrating an app from Parse is likely to be a more involved undertaking, requiring code changes and careful planning of infrastructure. For greater detail on this process, reference the official Parse Server Guide, particularly the section on migrating an existing Parse app.




How to Set Up Let’s Encrypt Certificates for Multiple Apache Virtual Hosts on Ubuntu 14.04

SSL certificates are used within web servers to encrypt the traffic between server and client, providing extra security for users accessing your application. Let’s Encrypt provides an easy way to obtain and install trusted certificates for free.


This tutorial will show you how to set up TLS/SSL certificates from Let’s Encrypt for securing multiple virtual hosts on Apache, within an Ubuntu 14.04 server.

We will also cover how to automate the certificate renewal process using a cron job.

Prerequisites

In order to complete this guide, you will need:
  • An Ubuntu 14.04 server with a non-root sudo user, which you can set up by following our Initial Server Setup guide
  • A functional Apache web server installation hosting multiple virtual hosts
It is important that each virtual host is set up in its own separate configuration file, and can be accessed externally via browser. For a detailed guide on how to properly set up Apache virtual hosts on Ubuntu, follow this link.

For the purpose of this guide, we will install Let’s Encrypt certificates for the domains example.com and test.com. These will be referenced throughout the guide, but you should substitute them with your own domains while following along.

When you are ready to move on, log into your server using your sudo account.

Step 1 — Install the Server Dependencies

The first thing we need to do is to update the package manager cache with:

  • sudo apt-get update


We will need git in order to download the Let’s Encrypt client. To install git, run:

  • sudo apt-get install git


 

Step 2 — Download the Let’s Encrypt Client

Next, we will download the Let’s Encrypt client from its official repository, placing its files in a special location on the server. We will do this to facilitate the process of updating the repository files when a new release is available. Because the Let’s Encrypt client is still in beta, frequent updates might be necessary to correct bugs and implement new functionality.

We will clone the Let’s Encrypt repository under /opt, which is a standard directory for placing third-party software on Unix systems:

  • sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt


This will create a local copy of the official Let’s Encrypt repository under /opt/letsencrypt.

 

Step 3 — Set Up the Certificates

Generating an SSL Certificate for Apache using the Let’s Encrypt client is quite straightforward. The client will automatically obtain and install a new SSL certificate that is valid for the domains provided as parameters.

Although it is possible to bundle multiple Let’s Encrypt certificates together, even when the domain names are different, it is recommended that you create separate certificates for unique domain names. As a general rule of thumb, only subdomains of a particular domain should be bundled together.

 

Generating the first SSL certificate

We will start by setting up the SSL certificate for the first virtual host, example.com.

Access the letsencrypt directory:

  • cd /opt/letsencrypt


Next, we will execute the interactive installation and obtain a bundled certificate that is valid for a domain and a subdomain, namely example.com as base domain and www.example.com as subdomain. You can include any additional subdomains that are currently configured in your Apache setup as either virtual hosts or aliases.

Run the letsencrypt-auto command with:

  • ./letsencrypt-auto --apache -d example.com -d www.example.com


Notice that the first domain name in the list of parameters will be the base domain used by Let’s Encrypt to create the certificate, and for that reason we recommend that you pass the bare top-level domain name as first in the list, followed by any additional subdomains or aliases.

For this example, the base domain will be example.com. We will need this information for the next step, where we automate the certificate renewal process.

After the dependencies are installed, you will be presented with a step-by-step guide to customize your certificate options. You will be asked to provide an email address for lost key recovery and notices, and you will be able to choose between enabling both http and https access or forcing all requests to redirect to https.

When the installation is finished, you should be able to find the generated certificate files at /etc/letsencrypt/live. You can verify the status of your SSL certificate with the following link (don’t forget to replace example.com with your base domain):
https://www.ssllabs.com/ssltest/analyze.html?d=example.com&latest

You should now be able to access your website using a https prefix.

 

Generating the second SSL certificate

Generating certificates for your additional virtual hosts should follow the same process described in the previous step.

Repeat the certificate install command, now with the second virtual host you want to secure with Let’s Encrypt:

  • ./letsencrypt-auto --apache -d test.com -d www.test.com


For this example, the base domain will be test.com.

Again, you can verify the status of your SSL certificate with the following link (don’t forget to replace test.com with your base domain):
https://www.ssllabs.com/ssltest/analyze.html?d=test.com&latest

If you want to generate certificates for additional virtual hosts, simply repeat the process, and don’t forget to use the bare top-level domain as your base domain. We will use this information for the next step, where we set up auto renewal using a cron job.

 

Step 4 — Set Up Auto-Renewal

Let’s Encrypt certificates are valid for 90 days, but it’s recommended that you renew the certificates every 60 days to allow a margin of error. At the time of this writing, automatic renewal is still not available as a feature of the client itself, but you can manually renew your certificates by running the Let’s Encrypt client again with the same parameters previously used.

To manually renew the certificate we previously generated for the domain example.com, for instance, we should run:
  • ./letsencrypt-auto certonly --apache --renew-by-default -d example.com -d www.example.com

Notice that we need to provide the same list of domains again for the renewal command, otherwise the Let’s Encrypt client will generate a new certificate instead of renewing the existing one.

A practical way to ensure your certificates won’t get outdated is to create a cron job that will automatically handle the renewal requests for you.

To facilitate this process, we will use a shell script that will verify the certificate expiration date for the provided domain and request a renewal when the expiration is less than 30 days away. The script will be scheduled to run once a week. This way, even if a cron job fails, there’s a 30-day window to try again every week.

For each virtual host certificate you set up, you need to create a cron job to execute the renewal script. In our case, we will set up two different cron jobs in order to renew the certificates for both example.com and test.com.

First, download the script and make it executable. Feel free to review the contents of the script before downloading it.

  • sudo curl -L -o /usr/local/sbin/le-renew http://do.co/le-renew

  • sudo chmod +x /usr/local/sbin/le-renew


The le-renew script takes as an argument the base domain name associated with the certificate you want to renew. You can check which domain was used by Let’s Encrypt as your base domain name by looking at the contents inside /etc/letsencrypt/live, which is the directory that holds the certificates generated by the client.

You can run the script manually with:

  • sudo le-renew example.com


Since we just created the certificate and there is no need for renewal just yet, the script will simply output how many days are left until the certificate expiration:


Output

Checking expiration date for example.com...
The certificate is up to date, no need for renewal (89 days left).
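
The expiry check described in this step (renew when fewer than 30 days remain), written out as an added example; it is not the le-renew script and not part of the original guide. It assumes GNU date, openssl, and that the client stores each certificate as cert.pem under /etc/letsencrypt/live/<base domain>/.

```shell
#!/bin/sh
# Added example: certificate expiry check modelled on the renewal logic
# described in this guide. It only reports; it does not call the client.

RENEW_BEFORE_DAYS=30   # threshold stated in the guide

# Print the "notAfter=..." line of a domain's certificate.
# Assumption: the certificate lives at /etc/letsencrypt/live/<domain>/cert.pem.
cert_not_after() {
    cert="/etc/letsencrypt/live/$1/cert.pem"
    [ -r "$cert" ] || { echo "cannot read $cert" >&2; return 1; }
    openssl x509 -noout -enddate -in "$cert"
}

# expiry_epoch "notAfter=May  2 00:00:00 2016 GMT" -> seconds since the epoch
expiry_epoch() {
    stamp=${1#notAfter=}
    # GNU date turns an empty string into "today", so reject it explicitly.
    [ -n "$stamp" ] || { echo "empty expiry date" >&2; return 1; }
    date -u -d "$stamp" +%s 2>/dev/null ||
        { echo "bad expiry date: $stamp" >&2; return 1; }
}

# days_left NOT_AFTER [NOW_EPOCH] -> whole days until expiry (0 once expired)
days_left() {
    exp=$(expiry_epoch "$1") || return 1
    now=${2:-$(date -u +%s)}
    if [ "$exp" -le "$now" ]; then
        echo 0
    else
        echo $(( (exp - now) / 86400 ))
    fi
}

# renewal_action NOT_AFTER [NOW_EPOCH] -> prints "renew" or "ok"
renewal_action() {
    left=$(days_left "$@") || return 1
    if [ "$left" -lt "$RENEW_BEFORE_DAYS" ]; then echo renew; else echo ok; fi
}

# Command-line use: sh check-expiry.sh example.com
if [ "$#" -gt 0 ]; then
    not_after=$(cert_not_after "$1") || exit 1
    action=$(renewal_action "$not_after") || exit 1
    echo "$1: $(days_left "$not_after") days left, action: $action"
    # Exit non-zero when a renewal is due so cron mail or monitoring notices it.
    [ "$action" = ok ]
fi
```

An unreadable certificate or an unparseable date makes the check fail instead of reporting a misleading day count.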
 

Setting Up Auto Renewal for the First Virtual Host Certificate

We will start by setting up auto renewal for the domain example.com.
Edit the crontab to create a new job that will run this command every week. To edit the crontab for the root user, run:

  • sudo crontab -e


Include the following content, all in one line:

 


crontab

30 2 * * 1 /usr/local/sbin/le-renew example.com >> /var/log/le-renew.log

Save and exit. This will create a new cron job that will execute the le-renew command every Monday at 2:30 am, for the domain example.com. The output produced by the command will be appended to a log file located at /var/log/le-renew.log.


Setting Up Auto Renewal for the Second Virtual Host Certificate

Setting up auto renewal for additional virtual host certificates should follow the same process described in the previous step. We will set up an additional cron job for auto renewing the domain test.com.
Edit the crontab for the root user with:

  • sudo crontab -e


Include the following content, all in one line:

crontab

30 2 * * 1 /usr/local/sbin/le-renew test.com >> /var/log/le-renew.log

In this guide, we used the same renewal log file (/var/log/le-renew.log) for both domains. If you'd rather separate the output for ease of parsing, feel free to change the log location used in each of the cron definitions.

Save and exit. Your additional virtual host certificate should now be covered for auto renewal.


Step 5 — Updating the Let’s Encrypt Client (optional)

Whenever new updates are available for the client, you can update your local copy by running a git pull from inside the Let’s Encrypt directory:

  • cd /opt/letsencrypt

  • sudo git pull


This will download all recent changes to the repository, updating your client.


Conclusion

In this guide, we saw how to install free SSL certificates from Let’s Encrypt in order to secure multiple virtual hosts on Apache. Because the Let’s Encrypt client is still in beta, we recommend that you check the official Let’s Encrypt blog for important updates from time to time.

Change vmnic order on ESXi

Ever had an accident when out and about? Trip or fall at work? Or a problem with your vmnics on your ESXi server not ordering correctly?

Anyone who has built enough ESXi servers has come across this, particularly if the hardware varies, but most annoyingly when it's exactly the same server and expansion cards and we want everything to be named "exactly" the same (because us techies can be very picky).

Anyway to the point as you want a fix so you can get on with everything else you need to do right?!

This happens because ESXi assigns the vmnic numbers (e.g. vmnic0, vmnic1, etc.) as the physical adapters are detected. While this should happen in an order that makes sense (based on PCI bus numbering and/or MAC address increments), it does not always. It happens a lot less than it used to back when I was doing ESX 3.x installs, but it still occurs with ESXi 5.1!


1. Put your host in maintenance mode (VMs will need to be powered off or vMotioned to other hosts if in a cluster) 

2. SSH to the ESXi server and login as "root".
Note: You may need to start the SSH service (under Configuration --> Security Profile)

3. Edit the host's config file:
vi /etc/vmware/esx.conf

4. Locate the section where the devices are mapped to names:
e.g. /device/000:003:00:0/vmkname = "vmnic0"

5. Make your required name changes so your vmnics are labelled as you require.

6. Don't forget to save!
:wq!

7. Reboot the ESXi server
reboot

8. Exit maintenance mode

9. Power on and/or vMotion the VMs back (if DRS is not enabled).

10. Job done!
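
A read-only check to run before editing in step 5, given as an added example that is not from the original post: it lists the vmnic mappings found in esx.conf in PCI-address order and prints any whose number does not match that position. It assumes the `/device/<address>/vmkname = "vmnicN"` line format shown in step 4 and fixed-width addresses; the sample lines are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Read-only: never modifies esx.conf.
# On a host: misordered_vmnics < /etc/vmware/esx.conf

# Constructed sample in the line format shown in step 4 (addresses are made up).
sample_esx_conf() {
    cat <<'EOF'
/device/000:001:00:0/vmkname = "vmhba0"
/device/000:003:00:0/vmkname = "vmnic1"
/device/000:003:00:1/vmkname = "vmnic0"
/device/000:005:00:0/vmkname = "vmnic2"
EOF
}

# Read esx.conf on stdin and print "<address> <vmnicN>", sorted by address.
# Other vmkname entries (storage adapters such as vmhba0) are skipped.
list_vmnic_map() {
    sed -n 's|^/device/\([^/]*\)/vmkname = "\(vmnic[0-9][0-9]*\)".*|\1 \2|p' |
        LC_ALL=C sort
}

# Print every mapping whose vmnic number differs from its position in
# address order. Assumption: the wanted layout is vmnic0, vmnic1, ... in
# ascending PCI address order; adjust if your standard differs.
misordered_vmnics() {
    list_vmnic_map | awk '{
        want = "vmnic" (NR - 1)
        if ($2 != want) print $1, $2, "expected", want
    }'
}

# Stand-alone demonstration on the constructed sample:
# sample_esx_conf | misordered_vmnics
```

Empty output means the numbering already follows address order and no edit is needed.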

Russian cyberspy group uses simple yet effective Linux Trojan

The Fysbis Trojan runs without root and has an extensible, modular architecture.

A cyberespionage group of Russian origin known as Pawn Storm is infecting Linux systems with a simple but effective Trojan program that doesn't require highly privileged access.

Pawn Storm, also known as APT28, Sofacy or Sednit, is a group of attackers that has been active since at least 2007. Over the years, the group has targeted governmental, security and military organizations from NATO member countries, as well as defense contractors and media organizations, Ukrainian political activists and Kremlin critics.

The group is known for using zero-day exploits -- exploits for previously unknown vulnerabilities -- as well as other infection techniques like spear-phishing emails with malicious attachments. Its primary tool is a Windows backdoor program called Sednit, but the group also uses malware programs for Mac OS X, Linux and even mobile operating systems.

Its preferred malware tool for Linux is a Trojan program called Fysbis, according to researchers from security firm Palo Alto Networks. It has a modular architecture allowing attackers to expand its functionality as needed through plug-ins that get pushed down to individual victims.


"Fysbis can install itself to a victim system with or without root privileges," the Palo Alto researchers said Friday in a blog post. "This increases the options available to an adversary when it comes to selecting accounts for installation."

As a cyberespionage tool, Fysbis is primarily designed for data theft. As such, even if it doesn't gain control over the whole system, it can still achieve its primary goal of stealing potentially sensitive documents that the user has access to, or spying on the user's Web browsing and other activities.

Fysbis shows that Advanced Persistent Threat (APT) actors often don’t require advanced methods to reach their objectives, the Palo Alto researchers said.

"Despite the lingering belief (and false sense of security) that Linux inherently yields higher degrees of protection from malicious actors, Linux malware and vulnerabilities do exist and are in use by advanced adversaries," they said.

In fact, in most business environments where Windows predominates, detecting Linux malware might be harder because of a lack of visibility and expertise. That's because such organizations would naturally focus on supporting and protecting their Windows systems.

This might help explain why many attack groups have added Linux Trojans to their respective arsenals in recent years, regardless of whether their motivation was espionage or traditional cyber-crime.



The surprising truth about Facebook's Internet.org


Motorists in Mumbai, India, ride past a billboard displaying Facebook's Free Basics initiative on Dec. 30, 2015. India has become a battleground over the right to unrestricted Internet access.


No, Internet.org is not a nonprofit organization that subsidizes Internet access for new users


You may have heard that Internet.org is a nonprofit organization launched by Facebook CEO Mark Zuckerberg and dedicated to bringing Internet access to people who can't access it, or can't afford it.

But this isn't true -- not any of it.

The realities of Internet.org came into question last week when India banned it from the country. If the Internet is good, and Internet.org simply exists to get people on it, why was it banned?

Let's start with a basic question.

What is Internet.org?

Internet.org is not a nonprofit company or even an organization. Internet.org is a business development group within Facebook aimed at increasing Facebook's users and revenue.

The group is headed by Chris Daniels, whose entire career at Facebook and Microsoft before then has been in business development. His title on LinkedIn is: "Vice President, Product - Internet.org at Facebook."

What is business development? I think the best definition comes from James Cohane. He defines business development as: "the function at the company responsible for identifying, securing, and/or managing relationships with organizations outside of the company (excluding customers and suppliers) that helps other key functions at the company achieve their respective goals."

And that's what Internet.org is. Its function is to work with other companies, carriers and governments to help Facebook as a company achieve its goal to increase the number of Facebook users.

Ultimately, for both Facebook and its partners, Internet.org is nothing more than a customer-acquisition initiative.

OK, so what? At least Facebook is bringing the Internet to more people, right?

Wrong.

How Internet.org keeps people off the Internet

Facebook's Internet.org division is doing many things to connect poor people to online resources, from drones to free access. For now, the main way is through a site and app called Facebook Free Basics (which used to be also called Internet.org, confusingly).

You can access Free Basics only with permission from your carrier. Free Basics is available in 38 countries, all of which are in Africa, Asia, the Middle East and Latin America.

Internet.org and Free Basics operate in countries where data use is often charged by the megabyte or by the minute. So the idea of using the Internet for free can be an attractive idea to many of these users.
Facebook chooses which sites are included and which are rejected, and the local carriers may get veto power as well.

Facebook has published these criteria, which are focused on the size of the data load, and has thus far not rejected any sites for reasons that are not technical. Facebook claims that any site, including competitors, is allowed to join Facebook's Internet. For example, Facebook does not enforce the "community guidelines" required of companies setting up shop on Facebook.com.

What's really surprising is that Facebook isn't even providing the subsidy -- the local carriers are, according to a report on Buzzfeed.

That same report also pointed out that nearly all Free Basics users were already on the Internet before they started using Free Basics. They simply use it to reduce their data bills. Carriers participate because it's part of their customer acquisition strategy. It's a "free" thing they can offer customers.

Instead of providing Internet access to people who didn't have it, Facebook's Internet.org is more frequently taking people who do have Internet access and taking them off it.

Facebook says Internet.org's mission is to get people online for the first time. Under the Internet.org umbrella, there's no doubt that they're working toward that goal. In these early days, however, there's no evidence that most Free Basics users are new to the Internet.

When users choose Free Basics, the carrier unplugs them from the Internet and plugs them directly into Facebook's servers, a walled garden that provides the equivalent of stripped down sites, but is not the Internet. (Facebook runs all user requests through proxy servers, which ping the websites for data updates and other content.)

Once on the site or the app, users are shown a list of icons representing websites. By tapping on an app icon, users go to what looks like a stripped down version of the website. For example, a news site might show the news headlines for you to click on to read the story, but the pictures might be small thumbnail versions, and user comments may have been removed. If you want to look at a picture full size, it will send you over to the for-pay Internet where you can see the picture in all its glory, but pay the normal carrier data rate for it.

How Facebook's Internet is different from the real Internet

Internet.org claims to provide access to the Internet for free. In fact, it's not the Internet that Internet.org offers.

One difference is scale. There are a few dozen sites on Facebook Free Basics. For a while there were just 38, but they're continuing to grow it. These include Wikipedia, the Facts for Life health site run by the United Nations Children's Fund, BBC News, a weather site, and typically a few local resources for each market. And, of course, Facebook.

Eventually, it might reach as many as 100 sites, so let's generously use 100 as the number of "sites" on the service.

The most conservative number of websites on the web that I could find is 2 billion sites.
So even if Free Basics "sites" were actual sites on the Internet (which they're not), it would be 0.02 percent of the web.

The real Internet is at least 10 million times bigger than Facebook's fake Internet.
It's like McDonald's giving a poor person a free sesame seed and claiming credit for giving them a free Big Mac.

The other important difference for Facebook is that Free Basics offers a version of the "web" without any of Facebook's competitors.

Facebook is open to competitors, and has invited everyone to participate in Internet.org. But none have decided to embrace it so far.

Internet.org offers an "Internet" without Google Search or any other Google service, for example.
It also lacks the most valuable resources. Facebook Free Basics has no government sites, no educational institutions, no entertainment.

It's a brilliant scheme for Facebook, if you want to take the cynical view. It gets the customers, the user data and the ability to monetize with advertising, while keeping people off the Internet and away from rival companies and other services that might distract people from spending most of their time on Facebook.

Why India banned Facebook Free Basics

The legality of Facebook Free Basics has been hotly debated in India for the past few months, as India's telecom regulator considered the matter.

During that time, Facebook used the social network to spearhead an astro-turf campaign. It offered users there the option to have their voice heard on the issue, along with peer pressure: It informed users which of their friends had "voiced their opinion about Free Basics." When users clicked, they were greeted with a note written by Facebook in support of Free Basics that could be sent to the regulator with the click of the mouse.

The campaign didn't work. India banned it.

The reason is net neutrality. Indian regulators determined that Internet.org and Free Basics created a two-tier system, where startups buying into Facebook's fake Internet were given privileged access to users, and those not buying into it were disadvantaged.

Internet.org and Free Basics is really nothing more than something called a "zero-rating" content scheme, where some content is provided outside the normal data plan -- something widely viewed as anticompetitive and a violation of net neutrality.

Let's say, for example, that a user reads a certain news site on a phone. The user might later sign up for Free Basics, and to save money, starts getting news on the BBC News site instead. That's the kind of choice net neutrality laws are designed to prevent.

The bigger picture, though, is that many other companies, organizations and governments are working to bring down the cost of Internet access, and also to spread the reach of the Internet. Facebook's Internet.org and Free Basics interferes and competes with those initiatives by incentivizing users to use Facebook's fake, walled garden Internet.

Today, Internet.org is a customer acquisition strategy that mainly takes people off the real Internet some of the time and puts them on a fake, Facebook-controlled alternative.

Facebook has long been accused of creating a walled garden social network, and also of duplicating the Internet on Facebook itself.

Internet.org is the ultimate expression of that strategy. Facebook found a way for people to use Facebook without using the Internet, while simultaneously getting credit for providing a massive good for humanity.
But as an informed technologist, you should know: Internet.org is neither the Internet nor an organization. Free Basics is not free and does not provide the basics that people can access on the real Internet.

Internet.org is just Facebook being Facebook, doing everything it can to get as many users as possible.

This story, "The surprising truth about Facebook's Internet.org" was originally published by Computerworld.


Author:  Mike Elgan
Credit:   Danish Siddiqui/Reuters  



Malware targets all Android phones -- except those in Russia

The MazarBOT appears aimed at compromising online bank accounts.

A malware program for Android seen advertised on Russian underground forums in the last few months appears to have made its first big debut.

MazarBOT can take full control of a phone and appears to be targeting online banking customers, wrote Peter Kruse, an IT security expert and founder of CSIS Security Group, based in Copenhagen, which does deep investigations into online crime for financial services companies.


"Until now, MazarBOT has been advertised for sale on several websites on the Dark Web, but this is the first time we’ve seen this code to be deployed in active attacks," Kruse wrote.

CSIS saw a "swarm" of SMSes sent to random phone numbers in Denmark on Friday, Kruse wrote. The messages contained a link to an Android package file, which is MazarBOT.


MazarBOT will stop installing itself if it detects an Android device that is running within Russia, perhaps to avoid drawing attention from the country's authorities.

"CSIS was not surprised to observe that the malware cannot be installed on smartphones located in Russia," Kruse wrote.

If phones pass the location test, MazarBOT installs Tor, short for The Onion Router. Tor is a network of distributed nodes that provide greater privacy by encrypting a person’s browsing traffic and routing that traffic through random proxy servers.

The malware then sends an SMS saying "Thank you" along with the device's location to a phone number with Iran's country code.

MazarBOT can exert a lot of control over a phone. It can open up a backdoor to monitor a device, send SMSes to premium rate numbers and read two-factor authentication codes sent by SMS.

The malware also has a remote debugging function, which Kruse wrote allows "for a variety of advanced attacks on the network" that a particular Android device uses.

"MazarBOT is pretty advanced and nasty Android malware," Kruse wrote. "Several factors indicate that it was designed as malware primarily targeting online banking customers. In fact, it will most likely succeed in circumventing most online banking protection solutions."


Author: Jeremy Kirk (IT News)



How to Change FC Storage Path from Fixed to Round Robin in VMware ESXi

The default pathing policy for a LUN can be changed (for example from Fixed to Round Robin). This can be a LUN on an iSCSI or FC array (or FCoE for that matter). When I refer to pathing policy, I'm referring to what you may have seen if you've ever clicked Manage Paths on a VMFS datastore and seen it set to Fixed, Round Robin (RR) or Most Recently Used (MRU).


In this example I will be changing the default pathing policy for an EqualLogic array from Fixed to Round Robin.


Before I get into how to change the multi-pathing policy, it's important to understand the below 3 plugins (NMP, SATP and PSP):

  • NMP (Native Multipathing Plugin) is an extensible multipathing module within ESXi. "esxcli storage nmp" can be used to manage devices associated with NMP and to set path policies. SATPs and PSPs are plugins within the NMP plugin.
  • SATP (Storage Array Type Plugin) determines how path failover is handled for a specific storage array.
  • PSP (Path Selection Plugin) determines which physical path is used to issue an I/O request to a storage device.



The PSP as shown below can be set manually per LUN and per ESXi server. Note the SATP is shown and not changeable (e.g. VMW_SATP_EQL for a Dell EqualLogic iSCSI array in this case).



Of course changing it this way is a very slow and tedious process, and does not account for new LUNs created in the future.

So we need a way to change the PSP for all the LUNs on an ESXi server and set it to default for any new ones we create in the future. Enter "esxcli" ta-da!

With "esxcli storage nmp satp" commands we can list and set the PSP used for specific SATPs.


1. Run the following command to list all the SATPs and their default PSP

~ # esxcli storage nmp satp list

Name                 Default PSP    Description
-------------------  -------------  ------------------------------------------
VMW_SATP_EQL         VMW_PSP_FIXED  Supports EqualLogic arrays
VMW_SATP_MSA         VMW_PSP_MRU    Placeholder (plugin not loaded)
VMW_SATP_ALUA        VMW_PSP_MRU    Placeholder (plugin not loaded)
VMW_SATP_DEFAULT_AP  VMW_PSP_MRU    Placeholder (plugin not loaded)
VMW_SATP_SVC         VMW_PSP_FIXED  Placeholder (plugin not loaded)
VMW_SATP_INV         VMW_PSP_FIXED  Placeholder (plugin not loaded)
VMW_SATP_EVA         VMW_PSP_FIXED  Placeholder (plugin not loaded)
VMW_SATP_ALUA_CX     VMW_PSP_RR     Placeholder (plugin not loaded)
VMW_SATP_SYMM        VMW_PSP_RR     Placeholder (plugin not loaded)
VMW_SATP_CX          VMW_PSP_MRU    Placeholder (plugin not loaded)
VMW_SATP_LSI         VMW_PSP_MRU    Placeholder (plugin not loaded)
VMW_SATP_DEFAULT_AA  VMW_PSP_FIXED  Supports non-specific active/active arrays
VMW_SATP_LOCAL       VMW_PSP_FIXED  Supports direct attached devices
~ #



2. Change the default PSP for a SATP

The following command changes the default PSP for all LUNs using that SATP. So in this case all EqualLogic LUNs will be changed to use the Round Robin PSP.

"esxcli storage nmp satp set -P=<PSP> -s=<SATP>"

~ # esxcli storage nmp satp set -P=VMW_PSP_RR -s=VMW_SATP_EQL
Default PSP for VMW_SATP_EQL is now VMW_PSP_RR



3. List the SATPs and their default PSP again; notice it has now changed

~ # esxcli storage nmp satp list

Name                 Default PSP    Description
-------------------  -------------  ------------------------------------------
VMW_SATP_EQL         VMW_PSP_RR     Supports EqualLogic arrays
VMW_SATP_MSA         VMW_PSP_MRU    Placeholder (plugin not loaded)
VMW_SATP_ALUA        VMW_PSP_MRU    Placeholder (plugin not loaded)
VMW_SATP_DEFAULT_AP  VMW_PSP_MRU    Placeholder (plugin not loaded)
VMW_SATP_SVC         VMW_PSP_FIXED  Placeholder (plugin not loaded)
VMW_SATP_INV         VMW_PSP_FIXED  Placeholder (plugin not loaded)
VMW_SATP_EVA         VMW_PSP_FIXED  Placeholder (plugin not loaded)
VMW_SATP_ALUA_CX     VMW_PSP_RR     Placeholder (plugin not loaded)
VMW_SATP_SYMM        VMW_PSP_RR     Placeholder (plugin not loaded)
VMW_SATP_CX          VMW_PSP_MRU    Placeholder (plugin not loaded)
VMW_SATP_LSI         VMW_PSP_MRU    Placeholder (plugin not loaded)
VMW_SATP_DEFAULT_AA  VMW_PSP_FIXED  Supports non-specific active/active arrays
VMW_SATP_LOCAL       VMW_PSP_FIXED  Supports direct attached devices
~ #



4. For the change to take effect, the ESXi server must be restarted.

Ensure your host is in maintenance mode and VMs are either powered off or vMotioned to another host before doing so.



5. Once the server has restarted if you go back to view "Manage Paths" on the LUN you will see it has now changed to Round Robin.




6. Now you can repeat this process for all your remaining ESXi servers.

OR

Why not use the power of host profiles? Use this host as a reference host, apply its default PSP for the SATP to the other hosts, and monitor them for compliance in case someone changes it in the future or rebuilds a host and forgets!
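The compliance check suggested above can also be scripted. The following is an added example, not part of the original article: it parses the "esxcli storage nmp satp list" table shown in steps 1 and 3 and reports whether a SATP's default PSP matches the expected one. The function names and the trimmed sample tables are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): audit the default PSP that
# "esxcli storage nmp satp list" reports for a SATP, so drift can be detected
# after a host rebuild or a manual change.

# Print the default PSP for the SATP named in $1.
# Reads the "satp list" table on stdin; exit status 1 if the SATP is absent.
satp_default_psp() {
    awk -v satp="$1" '
        $1 == satp { print $2; found = 1 }   # column 1 = Name, column 2 = Default PSP
        END        { exit(found ? 0 : 1) }
    '
}

# check_satp_psp SATP EXPECTED_PSP   (table on stdin)
# Returns 0 = compliant, 1 = drift, 2 = SATP not listed.
check_satp_psp() {
    satp="$1"
    want="$2"
    have=$(satp_default_psp "$satp") || { echo "MISSING $satp is not listed"; return 2; }
    if [ "$have" = "$want" ]; then
        echo "OK      $satp default PSP is $have"
        return 0
    fi
    echo "DRIFT   $satp default PSP is $have, expected $want"
    return 1
}

# Constructed sample input: a trimmed copy of the step 1 table (before the change).
sample_before() {
    cat <<'EOF'
Name                 Default PSP    Description
-------------------  -------------  ------------------------------------------
VMW_SATP_EQL         VMW_PSP_FIXED  Supports EqualLogic arrays
VMW_SATP_ALUA        VMW_PSP_MRU    Placeholder (plugin not loaded)
VMW_SATP_DEFAULT_AA  VMW_PSP_FIXED  Supports non-specific active/active arrays
VMW_SATP_LOCAL       VMW_PSP_FIXED  Supports direct attached devices
EOF
}

# Constructed sample input: the same table after step 2 (EqualLogic set to RR).
sample_after() {
    sample_before | sed 's/^\(VMW_SATP_EQL  *\)VMW_PSP_FIXED/\1VMW_PSP_RR   /'
}

# On an ESXi host, audit the live table; elsewhere this file only defines functions.
if command -v esxcli >/dev/null 2>&1; then
    esxcli storage nmp satp list | check_satp_psp VMW_SATP_EQL VMW_PSP_RR ||
        echo "To remediate: esxcli storage nmp satp set -P=VMW_PSP_RR -s=VMW_SATP_EQL, then restart the host in maintenance mode"
fi
```

Away from a host, "sample_before | check_satp_psp VMW_SATP_EQL VMW_PSP_RR" shows the DRIFT result and "sample_after | ..." the OK result.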






VCP6-DTM Objective 2.3 – Configure PCoIP/RDP Protocol Settings

In this post we will cover some protocol settings, GPOs, Flash and 3D rendering etc. VCP6-DTM Objective 2.3 – Configure PCoIP/RDP Protocol Settings, is another chapter, another objective towards the VCP6-DTM certification exam.


Considering the recent announcements about Horizon 7, I believe that the exam’s topics and objectives will be modified accordingly in the future. But for now this is not the case, and we just stick with what’s on the official VMware blueprint covering the VCP6-DTM exam. Let’s continue and clear out another topic today.
vSphere Knowledge.
  • Configure HTML access
  • Describe protocol requirements
  • Locate ADM template files
  • Explain GPO settings
  • Configure flash quality and throttling
  • Configure 3D rendering capabilities
Tools

Configure HTML access

HTML access (VMware Blast) allows access from any client, directly inside a browser, without the View client application having to be installed first. During the installation of Horizon View Connection Server, HTML access is an installation option (checked by default), and the installer configures the VMware Horizon View Connection Server (Blast-In) rule in Windows Firewall to open TCP port 8443, used by HTML Access.

Blast connections however limit the number of simultaneous connections for one connection server to 800 (it’s 2000 simultaneous connections for PCoIP). Check the image below from the View Architecture planning PDF.




Describe protocol requirements

When using the Blast Secure Gateway:
  • Browser TCP 8443 > Connection Server TCP 22443 > View Desktop
  • Browser TCP 8443 > Security Server TCP 22443 > View Desktop
When not using the Blast Secure Gateway:
  • Browser TCP 22443 > View Desktop
In all cases:
  • Browser TCP 443 > Connection Server
  • Browser TCP 443 > Security Server
Required Features – When using the Blast Secure Gateway:
  • The Remote Experience Agent must be installed in the View Desktop. Install this feature in the parent image, and recompose the pool to ensure all View machines have this installed.
Pool Requirements:
  • In the View Administrator page, edit the pool settings and ensure that the maximum resolution of any one monitor setting is 1920×1200 or higher so that the View desktop has at least 17.58 MB of video RAM.
  • The HTML Access setting must be enabled within the pool.
Connection server:
  • You must install the HTML Access Web Portal on the View Connection server to enable the HTML Access functionality. For more information, see the Horizon View HTML Access document.
HTML access needs to be used with compatible browsers. Browser technology progresses so fast that telling you that you must have Chrome version 20 or 30 wouldn’t make sense. It’s just too fast. But compatible browsers like Chrome, Firefox or latest IE

For Blast Secure Gateway and the HTML Access agent, by default, TLS 1.1 and TLS 1.2 are enabled and TLS 1.0 is disabled. You can configure the security protocols and cipher suites for both components. See Configuring Security Protocols and Cipher Suites for Blast Secure Gateway in the View Security document and Configure Security Protocols and Cipher Suites for HTML Access Agent in the Horizon Client and View Agent Security document.

 

Locate ADM template files

View provides several component-specific Group Policy Administrative (ADM and ADMX) template files. You can optimize and secure remote desktops and applications by adding the policy settings in these ADM and ADMX template files to a new or existing GPO in Active Directory. All ADM and ADMX files that provide group policy settings for View are available in a bundled .zip file named VMware-Horizon-View-Extras-Bundle-x.x.x-yyyyyyy.zip




View PCoIP Session Variables (pcoip.adm) – Contains policy settings related to the PCoIP display protocol.

View PCoIP Client Session Variables (pcoip.client.adm) – Contains policy settings related to the PCoIP display protocol that affect Horizon Client for Windows.

You can easily import them into a new or existing policy by right-clicking Administrative Templates > Add/Remove Templates


They’ll appear under the “Classic Administrative Templates (ADM)” …

 

Explain GPO settings

There are quite a few values which can be overridden through those ADM templates. They are quite self-explanatory. I’d invite you to go through them one by one and see for yourself what options are there.




Configure flash quality and throttling

Flash config affects frame rate of flash content. Here you can control the bandwidth and quality of the movies.




Configure 3D rendering capabilities

3D Rendering Options:
  • Hardware– The virtual machine must have access to a physical GPU. If the GPU is not available, the virtual machine cannot power on.
  • Software– The virtual machine’s virtual device uses a software renderer and will not attempt to use a GPU, even if one is present.
  • Automatic– The default setting. The virtual device selects whether to use a physical GPU or software-based rendering. If a GPU is available on the system and has the resources required by the virtual machine, the virtual machine uses the GPU. Otherwise software rendering is used.








When you click the question mark next to the 3D renderer, you’ll get further explanation.




When you change the Allow users to choose protocol setting from Yes to No, you’ll “unlock” the grayed out option.




If you choose “manage using vSphere client” then you have to specify the amount of memory through vSphere web client.



 So you can also change the settings on the virtual hardware (through vSphere Web client only)




When you create or edit a virtual machine, you can configure 3D graphics to take advantage of Windows AERO, CAD, Google Earth, and other 3D design, modeling, and multimedia applications. You can enable 3D on virtual machines that have Windows desktop or Linux guest operating systems.

Not all guests support 3D graphics. To verify 3D support for a guest operating system, see the VMware Compatibility Guide here. Linux distributions must have a 3.2 or later kernel.




VCP6-DTM Objective 3.2 – Configure Automated Pools using full clones


In this article we’ll configure full clones driven by automated pools. In this particular case we won’t use VMware Composer, which reduces the complexity of View a bit but, on the other hand, increases the storage needs. Time also plays a role, as a full clone takes longer to create than a linked clone.


  • Identify floating vs. dedicated assignments
  • Identify and configure the following:
    • Pool settings
    • 3D renderer
    • Provisioning settings
    • Templates
    • vCenter Server resource settings
    • Advanced storage settings
    • Guest customization settings
Documentation Tools

 

Identify floating vs. dedicated assignments

When View Composer creates a linked clone, it takes a snapshot of the clone’s OS disk. The snapshot uniquely identifies the linked-clone virtual machine. A refresh operation reverts the OS disk to the snapshot. View Composer can refresh a linked clone in as little as half the time it takes to delete and recreate the clone.
  • Dedicated Desktop Pool– each user is assigned to a desktop, and each time the user logs in he (she) obtains access to the same desktop.
  • Floating Desktop Pool– In a floating assignment pool, it’s the opposite. Each user receives a different desktop each time he (she) logs in. As simple as that.
You can see the option when you start the assistant to create a new Desktop Pool.







Identify and configure the following:

Pool settings– assistant of creation of desktop pool.




3D renderer–  Virtual Shared Graphics Acceleration (vSGA) and Virtual Dedicated Graphics Acceleration (vDGA), which are vSphere features that use physical graphics cards installed on the ESXi hosts and manage the graphics processing unit (GPU) resources among the virtual machines.

When you select the 3D Renderer hardware-based options, users can take advantage of 3D applications for design, modeling, and multimedia, which typically require GPU hardware to perform well. 

The 3D Renderer setting also offers a software option, which provides graphics enhancements that can support less demanding applications such as Windows AERO, Microsoft Office, and Google Earth.
Requirements:
  • W7 or later
  • PCoIP as default display protocol and users aren’t allowed to change
  • for Hardware 3D: vSGA has to be on ESXi 5.1 or later with vCenter 5.1 and later (this will evolve for the exam, imho).
  • vDGA single physical GPU on ESXi host on single VM. (GPU pass-through) and configure the individual virtual machines to use dedicated PCI devices after the desktop pool is created in View.
  • You must install VIB corresponding to the graphic card you’re using (from HCL only !!)
  • W7 has to be vmx8 and later, where W8 has to be vmx9 and later.
  • To configure the Hardware 3D rendering > Power off existing VMs > reconfigure through vCenter > check > power on.
To configure the 3D renderer– you can configure the amount of VRAM that is assigned to the virtual machines in the pool by moving the slider in the Configure VRAM for 3D guests dialog box. The minimum VRAM size is 64MB. For virtual hardware version 9 virtual machines, the default VRAM size is 96MB, and you can configure a maximum size of 512MB. For virtual hardware version 8 virtual machines, the default VRAM size is 64MB, and you can configure a maximum size of 128MB.

Check Horizon View 6 setting up desktops PDF p. 117




When you click the question mark next to the 3D renderer, you’ll get further explanation.






When you change the Allow users to choose protocol setting from Yes to No, you’ll “unlock” the grayed out option.







The different options bring different config options. For example, the “Software” 3D renderer option allows you to configure the amount of memory available to your VMs.






When you click the question mark next to the 3D renderer, you’ll get a nice explanation.



So you can also change the settings on the virtual hardware, through vSphere Web client only when selecting the “Manage using vSphere client”



So then you go to your VM and allocate directly the video memory there.



Provisioning settings



Templates
You have to pick one of your templates (if you don’t have one you can clone a VM to template). Note the message saying that only a supported OS can be selected. The latest version of View allows even a server OS to be selected.



vCenter Server resource settings
The resource settings options allow you to pick the host/cluster and then the resource pool and datastore.




Advanced storage settings
You can enable Storage Accelerator for a View desktop pool. A View Storage Accelerator is most useful for shared disks that are read frequently, such as View Composer OS disks.





Guest customization settings

Concerning Guest customization, the options are:
  • Use this customization specification
  • None – customization will be done manually








The customization of the OS is done through the vSphere client and is tied to vCenter.

There you can create customization files for Windows or Linux OS.

ADManager Plus – Free, Standard and Professional editions


ADManager Plus is an easy-to-use software utility for managing Windows Active Directory. It provides management and reporting, and there is also a free version. Note that the tool installs itself as a 30-day trial of the paid version, which offers a lot of features. After 30 days the tool becomes free-only, with “Standard” features (limited to 100 per AD).


If you are a day-to-day admin, technician or consultant, the tool might interest you. If you don’t like PowerShell, the easy-to-use GUI is for you. Let’s have a look at the options and possibilities. First, you have the option to install the x32 or x64 version of the tool. The download is about 74 Mb.

Also note that Android and iOS mobile apps are available for FREE in all editions to facilitate Active Directory user account management on the go. To be tested… The free edition is restricted to 100 domain objects, but has all the features of the Standard edition. The enterprise edition then adds the possibility to manage OUs en masse.

AdManager Plus – The Features 

Too many to show them all.

  • Active Directory Management
  • Active Directory Reporting
  • Bulk User Management
  • Helpdesk Delegation
  • AD File Permissions Management
  • Exchange Management
  • Clean-up Active Directory
  • Active Directory Contact Management
  • User Provisioning
  • De-provisioning users, computers, contacts
  • Mobile-based AD User management
  • Computer Management
  • OU-based Administration
  • Active Directory Group Management
  • Active Directory Group Policy Objects (GPO) Management
  • Active Directory Password Management
  • Inactive / Disabled user account management
  • Active Directory Bulk User Modification
  • Active Directory Workflow
  • Template / CSV based Management


Example of use.
  • Find user or computer accounts not logged on within X number of days
  • Find expired and unused Active Directory accounts
  • Locate inactive user or computer accounts and disable, delete, move or enable Active Directory accounts in seconds.
  • Shows disabled accounts, last logon/logoff time, OS type, etc.
  • Export report to CSV,XLS,HTML,PDF and CSVDE
ADManager Plus lets you trace all inactive, disabled and account-expired users and computers in Active Directory. You can delete, disable, enable or move these accounts to clean up your Active Directory effectively and efficiently.
  • Generate a List of Disabled Accounts
  • Generate a List of Inactive Accounts
  • Generate a List of Account Expired Users
  • Manage Dormant or Stale Accounts: Delete, Disable or Move them to another OU.




For single user or in bulk:
  • you can reset passwords
  • modify names
  • enable and disable accounts
  • set account expiration dates
  • set home folders
  • change profiles
  • change scripts
  • move users
  • change membership and group or distribution lists
To be further tested in my lab, but already I see it as a solid product for organizations of any size.


This car travels 300 miles on just 85oz of (hydrogen) gas


A European start-up has announced a hydrogen fuel cell car with just 18 moving parts and a range of 300 miles that is now being tested on public roadways. The Rasa hydrogen fuel cell car from Riversimple Movement has a chassis made from carbon fiber composite skin weighing less than 90lbs.


The Rasa hydrogen fuel cell car has a top speed of 60mph.


The Rasa is a two-door hatchback with a carbon fiber chassis that weighs less than 90lbs.


While a Rasa prototype, which has a top speed of 60mph, is currently being tested on European roads, a one-year public beta trial of 20 vehicles with prospective customers is being proposed for later this year. The company did not release any pricing information on the Rasa.

The car is expected to be on the market beginning in 2018 through a "sale of service" ownership model, which is similar to a lease where a driver has a fixed monthly fee and mileage allowance. With a sale-of-service agreement, Riversimple covers all repairs, maintenance, insurance and fuel expenses of its new, two-door hatchback.



"The Rasa engineering prototype marks another key milestone in bringing an affordable and highly-efficient hydrogen-powered car to market. We really have started from a clean sheet of paper," Hugo Spowers, founder of Riversimple Movement, said in a statement. "The car is simple, light and fun in every respect."



When the vehicle is in motion, hydrogen passes through a small 8.5 kilowatt (kW) fuel cell (the size currently used in forklift trucks), which has the equivalent of 11 horsepower. As the hydrogen passes through the fuel cell, it combines with oxygen to form water and electricity to drive the motors positioned in each of the four wheels. Water is the only exhaust.

More than 50% of the kinetic energy produced under braking is recovered and turned into electricity to boost acceleration via a bank of super-capacitors. The result is a range of up to 300 miles on 85 ounces (1.5 kilograms) of hydrogen; that's an estimated fuel economy equivalent to 250mpg.

Development of the Rasa was supported by a £2 million grant from the Welsh government in 2015.



Major automakers around the world have announced plans for working hydrogen fuel cell vehicles.
One major issue facing the clean-energy vehicles is a lack of infrastructure to support them -- in other words, the lack of stations at which to fuel the cars.

Last year, Toyota, Nissan and Honda announced they will increase efforts to produce more hydrogen fuel cell vehicles and plan to work together to build more fueling stations to support them.

Despite slow market uptake, Hyundai Motor Co. said last year that hydrogen fuel cell vehicles represent the future of eco-friendly cars more than all-electric vehicles.

Hyundai, the largest carmaker in South Korea, began selling its Tucson Fuel Cell SUV in 2014.




Free Fault Tolerant Load Balancing using Citrix NetScaler Express (Part 1)

In this article we will describe the set-up and configuration of the NetScaler VPX including High Availability/Fault Tolerance.


Citrix offers a NetScaler VPX Express edition. This is a fully functioning freeware virtual appliance with advanced Load Balancing features. The NetScaler VPX Express is not the only freeware load balancing appliance, but unlike most competitors the NetScaler VPX Express edition supports a Highly Available/Fault Tolerant configuration.

The VPX Express is limited to 10Mbit throughput, but this is more than enough for lots of load balancing set-ups. Good examples are the Citrix StoreFront/Web Interface component, the Citrix DDC functionality, Microsoft RD Web Access and MS RD Connection Broker. In this article I will describe the set-up and configuration of the NetScaler VPX including High Availability/Fault Tolerance. In upcoming articles we are going to configure load-balanced services based on this set-up.

Importing the NetScaler VPX Express

First step is downloading the NetScaler VPX Express appliance. The download can be found on the Citrix website. To access this page you need to have a MyCitrix account, which can be created without any costs. The virtual appliance is available for XenServer, KVM, Hyper-V and ESX. Pick the download for your virtualization platform.

                                          Figure 1: Download NetScaler VPX

After downloading the virtual appliance it’s time to import the appliance into your virtual infrastructure. The import is pretty easy for most of the hypervisors and Citrix describes the steps in their e-Docs:
I will use Hyper-V, but I’m running on a higher version of Hyper-V (2012R2) where the procedure via Import Virtual Machine does not work. With the latest releases of NetScaler VPX, the platform is officially supported, but there is a different way to add the NetScaler VPX appliance on the hypervisor platform.

To add the NetScaler Appliance to your Hyper-V 2012R2 (or Windows 8.1) infrastructure, first create the directory where you would like to store the VM data and copy the dynamic.vhd file from the NetScaler VPX Express download into this directory.

      Figure 2: Copy the dynamic.vhd into the directory

Next we start the creation of a new Virtual Machine. In my case I’m using the Hyper-V Manager and start the New Virtual Machine Wizard. I will label my NetScaler VMs NS01 and NS02 and will enter the store location to the just created directory (which stores the NetScaler VHD file).

      Figure 3: Specify Name and Location within the Virtual Machine Wizard

In the wizard select the Generation 1 type VM, at least 2048 MB memory, configure the correct VLAN into your infrastructure, followed by selecting Use an existing virtual hard disk and specify the just copied VHD file.

      Figure 4: Use an existing virtual hard disk

After the creation, open the Virtual Machine Settings and change the number of virtual processors to 2.

     Figure 5: Change the number of virtual processors

When the NetScaler VPX import is completed it’s time to start up the VM. For the first part you need to have a connection to the VM itself. When started you need to enter the basic network information. You need to provide an IPv4 address, a subnet mask and the default gateway. This IP address is being used as the IP address to manage/configure the NetScaler. In NetScaler terms this is the NetScaler IP Address (NSIP). 

After entering the information you need to save it. The NetScaler will reboot, and after that we can manage the NetScaler via an Internet browser. Again, to set up a highly available/fault tolerant NetScaler infrastructure you need to execute this step on both NetScalers, and each logically requires its own unique NetScaler IP address. In my environment I’m using 192.168.21.100 and 192.168.21.101.

     Figure 6: Providing the basic network information

Open an Internet Browser and enter the configured IP address. The logon page is shown. The default logon is username nsroot with the same password (nsroot).




               Figure 7: NetScaler logon page

The initial configuration wizard of the NetScaler will automatically be started.

      Figure 8: Initial configuration of your NetScaler

The wizard starts with the second step where you need to provide the Subnet IP address (SNIP). This IP address is being used for communicating with the back-end infrastructure components that are configured as connections within the virtual servers. I’m using 192.168.21.110 and 192.168.21.111 for this article.

      Figure 9: Configure Subnet IP Address

The third step is to configure the hostname, a DNS server and the timezone.

                                            Figure 10: Configure Host Name, DNS and Time Zone

After this step the NetScaler needs to be rebooted.

                                          Figure 11: Reboot NetScaler

Although the NetScaler VPX Express is free, a license needs to be added. The free license file can be grabbed from the same page as the NetScaler VPX download. For the license part you need to have the hostID of the NetScaler VPX. This is actually the MAC address of the NIC. You find this within the hypervisor management console or skip the initial configuration wizard (choose license and specify Do it later) and find the host ID within Configuration – System within Hardware Information.

              Figure 12: Determine the Host Id

When you choose configuration again the initial wizard is shown again to add the license file. The first step is to get the license file. This is accomplished via the same URL as you download the appliance and browse to the end of the page, where you find the License part and choose Get License.

      Figure 13: Determine the Host Id

First you need to accept the license agreement as shown in  Figure 14.

     Figure 14: Accept the license agreement.

When you haven't downloaded a license you will have a button Get License, the next time the button is called Retrieve More licenses. Whichever option you have the button will generate a new serial number (see Date Issued). Choose the Serial Number for the next step.

                 Figure 15: Retrieve more licenses, followed by selecting the generated serial number.

A warning appears that you need to have the license server host name or host ID. As described earlier we need the host ID for the NetScaler Express.

     Figure 16: License Server Name or Host ID required.

When we continue we can enter the hostID, all other parts are default. In the following screen we need to confirm that we entered the correct information.

 
      Figure 17: Entering and confirming the hostID.

A message appears that the allocation was successful and a question if you want to download the license file.

                                     Figure 18: Allocation completed, downloading the license file.

At this time we successfully acquired and downloaded a license file for the NetScaler VPX Express, which we can add to the NetScaler Express configuration. You need to acquire a license file for both NetScaler Express appliances.

     Figure 19: License file downloaded.

Now we have a license we can continue with step 4 of the initial configuration. By choosing the configuration tab we will continue with this wizard.

     Figure 20: License file downloaded.

Choose the option “Upload license from a local computer”, followed by Browse. Browse to the location where you just downloaded the license file.

      Figure 21: Licenses in the initial wizard.

When the file is added into the appliance an Updated Successfully message will appear. To use the added license the appliance needs to be rebooted.

     Figure 22: License uploaded

When the appliance is started again and you log on to the management console, the license information is shown. This information confirms that the license upload was successful and the NetScaler VPX Express is ready to use.

     Figure 23: License successfully configured

When on both appliances the license file is uploaded and applied it’s time to configure the appliance in a high available/fault tolerance set-up. This is accomplished via the Configuration tab, within System – High Availability. Within this component an Add button is available to add a node for high availability.

     Figure 24: High Availability

In the next window the IP address of the other NetScaler VPX Express needs to be entered including the username and password of that NetScaler.

                   Figure 25: Add node to HA

The node is added and one of the NetScaler VPX Express appliances will become the Primary node and the other one the secondary.


      Figure 26: High Availability configured

Don’t forget to save the configuration otherwise after a reboot the set-up is not available anymore. Use the disk icon on the right side of the management console and choose Yes to confirm to save the running configuration.

 
                                      Figure 27: Saving current configuration

Summary

In this first part I described the installation and configuration of the NetScaler VPX Express on Hyper-V 2012R2. We downloaded the appliance, added to the hypervisor and configured it on the network. In the next step we set-up a high available configuration based on two NetScaler VPX Express appliances.

In upcoming articles we are going to use the NetScaler VPX Express set-up to load balance different services like Citrix StoreFront, Citrix XML Broker, Microsoft RD Web Access and Microsoft RD Connection Broker.

PS. Don’t forget to change this default password of the nsroot account via System – User Administration – Users.

 
 
 