Migrate a VMware View linked-clone replica to another ESXi host

The other day I was patching the hosts in a cluster which currently hosts our Virtual Desktop environment.  I put the first host in the cluster into maintenance mode and migrated all the Virtual Desktops to the other host in the cluster.  Unfortunately I also migrated the VMware View Linked-Clone replica residing on that host.  I forgot to un-tick the “Powered off VMs” tick box in the prompt which comes up after you initiate maintenance mode for the host.  Luckily this didn’t create a major issue as VMware View doesn’t care about which host the replica resides on.  It only cares about the datastore the replica and the linked clones are stored on (so it’s best to turn off SDRS for VDI clusters*).  Nevertheless, I wanted to migrate the replica back to its original host.  However, when I tried to do so, I realised the migrate option on the replica was greyed out.


Later on I found out that this was due to VMware View replicas being protected.  They cannot be vMotioned using vCenter credentials.  So I un-protected the replica using “Sviconfig.exe” provided with the VMware View Composer installation, vMotioned it to its original host, then protected it using the same tool.  It’s best to keep replicas protected to avoid issues.

VMware recommends using this tool if you want to get rid of “Orphaned” replicas, I didn’t use it for this purpose but the method applies for that case.  Our VMware View environment is version 5.3.

Here are the steps for un-protecting a linked-clone replica:

1. Logon to your server hosting VMware View Composer.  In our environment it’s on the same server as vCenter.  Navigate to the VMware View Composer directory.


2. Right click on the white background with the Shift button down and click “Open command window here”.


3. Prepare your script. Sviconfig.exe is case sensitive.  It might be a good idea to create a batch file to avoid typos and casing mistakes.  I’ve made the bits of the script you need to edit red.

SVIConfig -operation=UnprotectEntity -DsnName=VMwareComposerDatabase -DbUsername=DatabaseUser -DbPassword="DatabaseUserPassword" -VcURL=https://vCenter-FQDN/sdk -VcUserName=vCenterAdmin -VcPassword="vCenterAdminPassword" -InventoryPath="/DataCentre/vm/VMwareViewComposerReplicaFolder/replica-09010db9-f5d1-418a-bf48-b15dafcfc4b3" -Recursive=true

-DsnName= DSN for your VMware Composer Database
-DbUsername= The user that can access the VMware Composer Database
-DbPassword= The password for the database user, use quotation marks if you have special characters such as “$” in the password.


-VcURL= Pretty obvious, the path to your vCenter server, I recommend using the FQDN.
-VcUserName= Your vCenter admin user, I recommend putting the domain name in front of it, if any.
-VcPassword= The vCenter admin password, use quotation marks if you have special characters such as “$” in the password.

-InventoryPath= This parameter can be tricky. Usually the replicas are stored under the VMwareViewComposerReplicaFolder; you can find the replica store by doing an advanced search using the vSphere client.

“/vm” before the replica data store name is required, and if your data center object is not the top-level object and is inside a folder, you must reflect this in the path you’re using.

4. Paste your script into the CMD screen you opened previously.  Hit enter and wait for sviconfig to complete its process.


Check the “Successfully unprotected entities” line.  It should say “1”.  You can unprotect the whole VMware Composer replica folder by altering the path to “/DataCentre/vm/VMwareViewComposerReplicaFolder”, in which case you should see more than 1 entity in the “Successfully unprotected entities” line.

5. The replica is now un-protected, migrate it using vSphere.  Once the migration is complete, protect it by running this script.

SVIConfig -operation=ProtectEntity -DsnName=VMwareComposerDatabase -DbUsername=DatabaseUser -DbPassword="DatabaseUserPassword" -VcURL=https://vCenter-FQDN/sdk -VcUserName=vCenterAdmin -VcPassword="vCenterAdminPassword" -InventoryPath="/DataCentre/vm/VMwareViewComposerReplicaFolder/replica-09010db9-f5d1-418a-bf48-b15dafcfc4b3" -Recursive=true
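
Added example (not part of the original post, and not VMware's own tooling): a PowerShell wrapper for steps 3 to 5 that prompts for both passwords instead of storing them in a batch file, and re-protects the replica even if the session is interrupted. It uses only the sviconfig parameters shown above; the DSN, URL and path defaults are the post's placeholders, the non-zero exit code on failure is an assumption, and the passwords are still visible on the sviconfig command line while it runs.

```powershell
# Added example: run from the VMware View Composer directory on the Composer server.
# Defaults are the placeholder values used in the post; replace them with your own.
param(
    [string]$DsnName       = 'VMwareComposerDatabase',
    [string]$VcUrl         = 'https://vCenter-FQDN/sdk',
    [string]$InventoryPath = '/DataCentre/vm/VMwareViewComposerReplicaFolder/replica-09010db9-f5d1-418a-bf48-b15dafcfc4b3'
)

# Prompt once; nothing is written to disk or to the command history.
$dbCred = Get-Credential -Message 'View Composer database user'
$vcCred = Get-Credential -Message 'vCenter admin user (DOMAIN\user)'

function Invoke-SviConfig {
    param([ValidateSet('UnprotectEntity', 'ProtectEntity')][string]$Operation)

    # Parameter names are case sensitive, so they are spelled exactly as in the post.
    # Each array element is passed as one argument, so "$" in a password is safe.
    $sviArgs = @(
        "-operation=$Operation"
        "-DsnName=$DsnName"
        "-DbUsername=$($dbCred.GetNetworkCredential().UserName)"
        "-DbPassword=$($dbCred.GetNetworkCredential().Password)"
        "-VcURL=$VcUrl"
        "-VcUserName=$($vcCred.UserName)"
        "-VcPassword=$($vcCred.GetNetworkCredential().Password)"
        "-InventoryPath=$InventoryPath"
        '-Recursive=true'
    )
    $output = & .\SVIConfig.exe @sviArgs 2>&1 | ForEach-Object { "$_" }
    $output | Write-Host

    # Assumption: sviconfig returns a non-zero exit code when the operation fails.
    if ($LASTEXITCODE -ne 0) {
        throw "sviconfig $Operation failed with exit code $LASTEXITCODE"
    }
}

Invoke-SviConfig -Operation UnprotectEntity
try {
    # Check the "Successfully unprotected entities" line printed above before migrating.
    [void](Read-Host 'Replica unprotected. Migrate it in vSphere, then press Enter to protect it again')
}
finally {
    # Runs on Enter and on Ctrl+C, so the replica is not left unprotected.
    Invoke-SviConfig -Operation ProtectEntity
}
```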


Here are a few helpful forum links and KB articles for anyone who is interested, pretty much the same information, I just elaborated on the subject a bit more.

https://communities.vmware.com/message/1344984

http://blogs.vmware.com/euc/2009/01/view-composer-how-to-delete-orphaned-replicasource-entries-in-vcenter.html#comment-2537

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1008704

*SDRS will break your virtual desktop environment if you are using linked-clones.

Customising the Cisco Jabber MSI file using Microsoft Orca

Last year we moved on to a Cisco based telephony infrastructure and installed Cisco Jabber on our client machines. We deployed Cisco Jabber via Microsoft group policies using the standard MSI file provided by Cisco. The deployment was successful; however, we ended up getting a lot of complaints from the users about not being able to log in.

After some troubleshooting together with support, we established that the GPO deployed Jabber application was trying to authenticate against a WebEx Connect server on the cloud rather than the Unified Communication server based locally in the LAN. Since there was no WebEx Messenger subscription, the login process was failing. The solution was to customise the MSI file and prevent the installed Jabber application from trying to authenticate against a Webex Connect server.

Note:

You need to add an SRV record on your local DNS server for the Auto Discovery to work. Depending on your version of Call Manager (in our environment we use 9.1), add the following SRV records; some environments may require both records:

Cisco Unified Communications Manager Version 9.x

_cisco-uds._tcp.example.com SRV service location:
priority = 6
weight = 30
port = 8443
svr hostname = IP or FQDN of your Cisco Unified Communications Manager server

Cisco Unified Communications Manager Version 8.x

_cuplogin._tcp.example.com SRV service location:
priority = 8
weight = 50
port = 8443
svr hostname = IP or FQDN of your Cisco Unified Presence server

For the purposes of this post I will be customising the latest version of the Jabber application, version 10.5.  But the customisation should work with version 9.0 or higher.  You will need to download and install Microsoft Orca for the customisation process.

Here are the steps:

First download the Jabber version you want to customise including the administrator package. Extract both zip files under a common folder.

Start Microsoft Orca.

Open the MSI file using Microsoft Orca by clicking File then Open.

The tables column on the left hand side will get populated.

Click Transform and then Apply Transform.

Navigate to CiscoJabber-Admin-ffr.10-5-1 > CustomInstall and open the CiscoJabberProperties.mst file.

Find the Property table on the left hand side frame and scroll down to the end on the right hand side frame.

Select the CLEAR item and change its value to 1.

Select the EXCLUDED_SERVICES item and change its value to WEBEX.

Remove all the other green bordered items so only the CLEAR and EXCLUDED_SERVICES Property items are left.

Click Tools then Options and make sure all the options are set the way they are in the capture below.

microsoft-orca-9

Click File then Save Transformed As, give the new MSI file a unique name and hit Save.

You can now use this newly created MSI file with your group policy deployment.
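
Added example, not from the original post or from Cisco: a PowerShell check, using the Windows Installer COM object, that the saved MSI really carries the two properties before it is linked to the GPO. The MSI path is a placeholder, and the second property is written EXCLUDED_SERVICES (with an underscore), which is how it is named in the Property table.

```powershell
# Added example: verify the customised Jabber MSI before deploying it by group policy.
param([string]$MsiPath = 'C:\Deploy\CiscoJabberSetup-NoWebEx.msi')  # placeholder path

# Property values set in the Orca steps above.
$expected = [ordered]@{ CLEAR = '1'; EXCLUDED_SERVICES = 'WEBEX' }

# The Windows Installer COM object is late-bound, so its members are called via reflection.
function Invoke-Com($Object, [string]$Member, [System.Reflection.BindingFlags]$Kind, $Arguments) {
    $Object.GetType().InvokeMember($Member, $Kind, $null, $Object, $Arguments)
}

$installer = New-Object -ComObject WindowsInstaller.Installer
$fullPath  = (Resolve-Path $MsiPath).Path
$db = Invoke-Com $installer 'OpenDatabase' 'InvokeMethod' @($fullPath, 0)   # 0 = open read-only

$results = foreach ($name in $expected.Keys) {
    $query  = "SELECT Value FROM Property WHERE Property = '$name'"
    $view   = Invoke-Com $db 'OpenView' 'InvokeMethod' @($query)
    Invoke-Com $view 'Execute' 'InvokeMethod' $null | Out-Null
    $record = Invoke-Com $view 'Fetch' 'InvokeMethod' $null

    # Fetch returns nothing when the property row does not exist in the MSI.
    $actual = if ($record) { Invoke-Com $record 'StringData' 'GetProperty' @(1) } else { $null }
    Invoke-Com $view 'Close' 'InvokeMethod' $null | Out-Null

    [pscustomobject]@{
        Property = $name
        Expected = $expected[$name]
        Actual   = $actual
        Match    = ($actual -eq $expected[$name])
    }
}

$results | Format-Table -AutoSize
[void][System.Runtime.InteropServices.Marshal]::ReleaseComObject($db)   # release the file handle

if ($results.Match -contains $false) {
    Write-Error 'The MSI does not carry the expected CLEAR / EXCLUDED_SERVICES values; do not deploy it.'
    exit 1
}
```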

OWA over UAG – You do not have permissions to view this folder or page

Straight after upgrading my Exchange 2010 servers to Service Pack 3, the Outlook Web App page (OWA) published over Unified Access Gateway (UAG) started throwing the following error:

You do not have permissions to view this folder or page

UAG requires Basic Authentication over OWA.  For some reason Integrated Windows Authentication got turned on after the SP3 upgrade.

http://technet.microsoft.com/en-us/library/ee921443.aspx

Turning Integrated Windows Authentication off via the Client Access OWA settings resolved the issue.  Though beware, you have to do this on all your Client Access servers.


SVA installation issue – “Unable to install SVA: com.symantec.vsep.VSEPException: bad certificate…”

Symantec Security Virtual Appliance (SVA) was failing to deploy on to my ESXi hosts, producing the following error in the logs and on screen:

“Unable to install SVA: com.symantec.vsep.VSEPException: bad certificate, fingerprint: 99:eb:e7:73:e1:63:54:2c:94:81:7a:aa:c3:b9:3a:67:04:73:2e:ee”

SVA_Installation.log

01 Oct 2014 16:58:31 [Installer] INFO – ———————
01 Oct 2014 16:58:31 [Installer] INFO – Symantec Endpoint Protection SVA Installer, Copyright (C) 2012 Symantec Corporation.  All rights reserved.
01 Oct 2014 16:58:31 [Installer] DEBUG – Connecting to vCenter…
01 Oct 2014 16:58:31 [PasswordField] INFO – Enter the vCenter password for [administrator]:
01 Oct 2014 16:58:37 [Installer] DEBUG – Connected.  Searching for host 10.40.4.14…
01 Oct 2014 16:58:37 [Installer] DEBUG – Found host 10.40.4.14
01 Oct 2014 16:58:38 [Installer] DEBUG – Installing SVA…
01 Oct 2014 16:58:38 [Installer] DEBUG – Initializing with vShield Manager…
01 Oct 2014 16:58:41 [VersionNumber] DEBUG – Version number is small: 5.0.0
01 Oct 2014 16:58:41 [PasswordField] INFO – Set the admin user password for the SVA:
01 Oct 2014 16:58:46 [PasswordField] INFO – Re-enter the admin user password:
01 Oct 2014 16:58:49 [Installer] DEBUG – Installing…
01 Oct 2014 16:58:49 [Installer] INFO – 1 – vmfs1: 480551MB free
01 Oct 2014 16:58:49 [Installer] INFO – 2 – vSwap: 727756MB free
01 Oct 2014 16:58:49 [Installer] INFO – 3 – vmfs2: 430177MB free
01 Oct 2014 16:58:49 [Installer] INFO – 4 – vmfs3: 279286MB free
01 Oct 2014 16:58:49 [Installer] INFO – 5 – vmfs4: 517274MB free
01 Oct 2014 16:58:49 [Installer] INFO – 6 – vmfs6: 566659MB free
01 Oct 2014 16:58:49 [Installer] INFO – 7 – vmfs5: 536508MB free
01 Oct 2014 16:58:49 [Installer] INFO – 8 – esxi4-sas-das: 112131MB free
01 Oct 2014 16:58:49 [Installer] INFO – 9 – vmfs7: 514768MB free
01 Oct 2014 16:58:49 [Installer] INFO – 10 – vmfs8: 422368MB free
01 Oct 2014 16:58:49 [Installer] INFO – 11 – vmfs9: 279334MB free
01 Oct 2014 16:58:49 [Installer] INFO – 12 – vmfs10: 452658MB free
01 Oct 2014 16:58:49 [Installer] INFO – On host esxi4.domain.com, which datastore would you like to install the SVA:
01 Oct 2014 16:58:52 [Installer] DEBUG – You chose: 8
01 Oct 2014 16:58:52 [Installer] DEBUG – You chose datastore: esxi4-sas-das
01 Oct 2014 16:58:52 [VMWareHost] DEBUG – Network: DMZ
01 Oct 2014 16:58:52 [VMWareHost] DEBUG – Skipping network
01 Oct 2014 16:58:52 [VMWareHost] DEBUG – Network: Edmonton Client Network
01 Oct 2014 16:58:52 [VMWareHost] DEBUG – Skipping network
01 Oct 2014 16:58:52 [VMWareHost] DEBUG – Network: Swift
01 Oct 2014 16:58:52 [VMWareHost] DEBUG – Skipping network
01 Oct 2014 16:58:52 [VMWareHost] DEBUG – Network: Test Network
01 Oct 2014 16:58:52 [VMWareHost] DEBUG – Skipping network
01 Oct 2014 16:58:52 [VMWareHost] DEBUG – Network: VM Network
01 Oct 2014 16:58:52 [VMWareHost] DEBUG – Skipping network
01 Oct 2014 16:58:52 [VMWareHost] DEBUG – Network: vmservice-vshield-pg
01 Oct 2014 16:58:52 [Installer] INFO – 1 – DMZ
01 Oct 2014 16:58:52 [Installer] INFO – 2 – Edmonton Client Network
01 Oct 2014 16:58:52 [Installer] INFO – 3 – Swift
01 Oct 2014 16:58:53 [Installer] INFO – 4 – Test Network
01 Oct 2014 16:58:53 [Installer] INFO – 5 – VM Network
01 Oct 2014 16:58:53 [Installer] INFO – On host esxi4.domain.com, which network would you like to install the SVA:
01 Oct 2014 16:58:54 [Installer] DEBUG – You chose: 5
01 Oct 2014 16:58:54 [Installer] DEBUG – Uploading…
01 Oct 2014 16:58:55 [Installer] ERROR – ———————
01 Oct 2014 16:58:55 [Installer] ERROR – Unable to install SVA: com.symantec.vsep.VSEPException: bad certificate, fingerprint: 99:eb:e7:73:e1:63:54:2c:94:81:7a:aa:c3:b9:3a:67:04:73:2e:ee
01 Oct 2014 16:58:55 [Installer] ERROR – settings file: C:\Symantec\Installation-Files\esxi4.xml
01 Oct 2014 16:58:55 [Installer] ERROR – vcenter_ip_address=10.40.1.200
01 Oct 2014 16:58:55 [Installer] ERROR – sva_ip_address=null
01 Oct 2014 16:58:55 [Installer] ERROR – sva_gateway=null
01 Oct 2014 16:58:55 [Installer] ERROR – sva_subnet=null
01 Oct 2014 16:58:55 [Installer] ERROR – sva_dns=null
01 Oct 2014 16:58:55 [Installer] ERROR – sva_hostname=sva-04
01 Oct 2014 16:58:55 [Installer] ERROR – esx_ip_address=10.40.4.14
01 Oct 2014 16:58:55 [Installer] ERROR – vshield_ip_address=10.40.1.191
01 Oct 2014 16:58:55 [Installer] ERROR – location_of_package=C:\Symantec\Installation-Files\Symantec_Endpoint_Protection_12.1.2_Security_Virtual_Appliance_ML.ova
01 Oct 2014 16:58:55 [Installer] ERROR – datastore_prompt=1
01 Oct 2014 16:58:55 [Installer] ERROR – sylink_xml=C:\Symantec\Installation-Files\sylink.xml
01 Oct 2014 16:58:55 [Installer] ERROR – com.symantec.vsep.VSEPException: com.symantec.vsep.VSEPException: bad certificate, fingerprint: 99:eb:e7:73:e1:63:54:2c:94:81:7a:aa:c3:b9:3a:67:04:73:2e:ee
01 Oct 2014 16:58:55 [Installer] ERROR – Stack trace:
01 Oct 2014 16:58:55 [Installer] ERROR – com.symantec.vsep.vmware.VMWareHost.installSVA(VMWareHost.java:344)
01 Oct 2014 16:58:55 [Installer] ERROR – com.symantec.vsep.vmware.VMWareHost.installSecurityVirtualAppliance(VMWareHost.java:579)
01 Oct 2014 16:58:55 [Installer] ERROR – com.symantec.vsep.installer.Installer.main(Installer.java:827)
01 Oct 2014 16:58:55 [Installer] ERROR – ———————

I’ve opened a case with support and posted my problem on the Symantec forums.  As it turns out, this error was being produced due to an expired certificate on the SVA.OVA file, downloaded from fileconnect.symantec.com.

Support sent me a new OVA file and I’ve managed to get it deployed on all ESXi hosts straight away.

Here is the Symantec thread for anyone who is interested:

https://www-secure.symantec.com/connect/forums/sva-installation-issue-unable-install-sva-comsymantecvsepvsepexception-bad-certificate-finger

I’ve placed the file on a publicly accessible FTP server, as far as I know, Symantec have or will be replacing the file on fileconnect, however if you find it hasn’t been replaced yet, send me a message on the above thread and I’ll send you the path for the file.
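
Added example, not part of the original post or of Symantec's installer: a PowerShell check to run on a downloaded OVA before deployment. An OVA is a tar archive, and a signed one carries a .cert entry holding the signer's PEM certificate; the script reads that entry and reports the validity dates and SHA-1 fingerprint. It checks dates only, not the manifest signature, and it is an assumption that the fingerprint in the installer error refers to this certificate. The default path is the one shown in the log above.

```powershell
# Added example: inspect the signing certificate inside an OVA before deploying it.
param([string]$OvaPath = 'C:\Symantec\Installation-Files\Symantec_Endpoint_Protection_12.1.2_Security_Virtual_Appliance_ML.ova')

function Get-OvaCertText([string]$Path) {
    # Walk the tar headers (512-byte blocks) and return the text of the first *.cert entry.
    $ascii = [System.Text.Encoding]::ASCII
    $fs = [System.IO.File]::OpenRead($Path)
    try {
        $header = New-Object byte[] 512
        while ($fs.Read($header, 0, 512) -eq 512) {
            $name = $ascii.GetString($header, 0, 100).Split([char]0)[0]
            if (-not $name) { return $null }            # zero block: end of archive
            if ($header[124] -band 0x80) {              # base-256 size, used for entries over 8 GB
                [long]$size = 0
                foreach ($b in $header[128..135]) { $size = ($size -shl 8) -bor $b }
            }
            else {                                      # usual case: size as octal text
                $sizeText = $ascii.GetString($header, 124, 12).Trim([char[]]"`0 ")
                [long]$size = [Convert]::ToInt64($sizeText, 8)
            }
            if ($name -like '*.cert') {
                $data = New-Object byte[] $size
                [void]$fs.Read($data, 0, $data.Length)
                return $ascii.GetString($data)
            }
            # Entry data is padded to a multiple of 512 bytes; skip it without reading.
            $padded = $size + ((512 - ($size % 512)) % 512)
            [void]$fs.Seek($padded, [System.IO.SeekOrigin]::Current)
        }
    }
    finally { $fs.Dispose() }
}

$certText = Get-OvaCertText (Resolve-Path $OvaPath).Path
if (-not $certText) { throw 'No .cert entry found: this OVA is not signed.' }

if ($certText -match '(?s)-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----') {
    $der = [Convert]::FromBase64String(($Matches[1] -replace '\s', ''))
}
else {
    throw 'The .cert entry does not contain a PEM certificate.'
}
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (, $der)

# Thumbprint is the SHA-1 of the certificate; format it colon-separated like the installer log.
$fingerprint = (($cert.Thumbprint -split '(..)' -ne '') -join ':').ToLower()

[pscustomobject]@{
    Subject     = $cert.Subject
    NotBefore   = $cert.NotBefore
    NotAfter    = $cert.NotAfter
    Fingerprint = $fingerprint
    Expired     = ($cert.NotAfter -lt (Get-Date))
} | Format-List
```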

SEPM12.1 – Security Virtual Appliance Unknown Status

I have recently deployed Symantec EndPoint Protection in our environment.  Great product, unfortunately can be a little tricky to configure sometimes.

For the purposes of this post, I’m assuming you have installed and configured the following:

  • vShield Manager
  • Security Virtual Appliance on each ESXi host. The SVA must be installed on each host hosting virtual machines using a vShield-enabled Shared Insight Cache.
  • Symantec EndPoint Protection Manager
  • Symantec EndPoint Protection Client

Once all of the above is installed and configured, you may find you are getting an “Unknown Status” in the Security Virtual Appliance column of the Client table in Symantec EndPoint Protection Manager.


This is because you haven’t installed the VMware EPSEC 2.0 Driver for vShield.  You can check this by running the following command on the Guest OS of the affected VM.

Open Command Prompt with elevated privileges,  type “fltmc” and hit enter… This will display a set of filter names.  Make sure the filter “SymEPSecFLt” is present on that list.  If not, the driver is not installed.

fltmc

There are a bunch of different methods to install the driver…

Method1:

  1. Right-click on the VM > Guest > Install / Upgrade VMware Tools > Interactive Tools Upgrade.
  2. Console on the VM and start the installation from the mounted image.
  3. Choose Modify.
  4. From the feature list, expand the VMCI Driver and add the “vShield Drivers”.
  5. Click Next, then Change.
  6. Wait for the installation to complete.
  7. Once the installation is complete the SEP installed on the Guest OS should be checking in with the SVA of the host it’s hosted on and the SEPM.

Method2:

This method is useful if you are installing the driver in multiple virtual machines with Windows guest operating systems.

  1. Right-click on the VM > Guest > Install / Upgrade VMware Tools > Automatic Tools Upgrade.
  2. Paste the following parameters in the Advanced Options,
    /S /v "/qn REBOOT=R ADDLOCAL=ALL REMOVE=Hgfs,WYSE"
  3. Click OK and wait for the installation to complete.
  4. Reboot VM or VMs at a convenient time (unfortunately suppressing the reboot, doesn’t replace it).
  5. Once the reboot is complete the SEP installed on the Guest OS should be checking in with the SVA of the host it’s hosted on and the SEPM.

Here are some great blogs on how to deploy Symantec Endpoint Protection with vShield-enabled Shared Insight Cache.  You can find some very detailed procedures on how to deploy vShield, Security Virtual Appliance and EndPoint Protection Manager.

https://www.interworks.com/blogs/ijahanshahi/2014/08/06/how-deploy-ova-ovf-template-using-vmware-vsphere-desktop-client
http://thinkingloudoncloud.com/2013/06/symantec-endpoint-protection-integration-vmware-horizon-view-part1/

Dell PowerConnect series switch CLI commands

Here is a list of basic CLI commands which will help you manage your Dell PowerConnect series switches…

Show
/// Port VLAN details
> show interfaces switchport gigabitethernet 1/0/1
/// Port channel VLAN details
> show interfaces switchport port-channel 1
/// Port configuration
> show interfaces configuration gigabitethernet 1/0/1
/// Port channel configuration
> show interfaces configuration port-channel 1
/// VLAN 100 details
> show vlan tag 100
/// Display static routes
> show ip route static
/// Stack info
> show switch
/// Show all access-lists
> show access-lists

Find physical port using MAC
/// This will return a port #
> sh mac address-table address d4:be:d9:e8:d0:8d

Config
All config commands must be run under Global Config Mode.

/// Enable Privileged EXEC mode
> enable
/// Enter Global Configuration mode
> config

Create VLAN
/// Enter VLAN mode
> vlan database
/// Create VLANs number 100 to 150
> vlan 100-150

Select Interface
/// Select one port
> interface gigabitethernet 1/0/1

Select Interface range
/// Select a range of ports
> interface range gigabitethernet 1/0/1-24

Port VLAN Modes
General — The port belongs to VLANs, and each VLAN is user-defined as tagged or untagged (full 802.1Q mode).

PVID (1-4095) — Enter a VLAN ID to be added to untagged packets. The possible values are 1-4095. VLAN 4095 is defined according to standard and industry practice as the discard VLAN. Packets classified to the discard VLAN are dropped.

/// Select interface
> interface gigabitethernet 1/0/1
/// Change VLAN mode to general
> switchport mode general
/// Set native VLAN to 100 (U)
> switchport general pvid vlan 100
/// Add VLAN 101 as untagged
> switchport general allowed vlan add 101 untagged
/// Add VLAN 102 as tagged
> switchport general allowed vlan add 102 tagged

Access — The port belongs to a single untagged VLAN. When a port is in Access mode, the packet types that are accepted on the port cannot be designated. Ingress filtering cannot be enabled/disabled on an access port.

/// Select interface
> interface gigabitethernet 1/0/1
/// Change VLAN mode to access
> switchport mode access
/// Make port a member of VLAN 100 (U)
> switchport access vlan 100

Trunk — The port belongs to VLANs on which all ports are tagged (except for one port that can be untagged).

/// Select interface
> interface gigabitethernet 1/0/1
/// Change VLAN mode to trunk
> switchport mode trunk
/// Set native VLAN to 100 (U), only one untagged VLAN allowed
> switchport trunk native vlan 100
/// Make port a member of VLAN 102 (T)
> switchport trunk allowed vlan 102

Set port IP address and mask
/// Set the IP address with mask
> ip address 1.1.1.1 255.255.255.0

Create a port channel
/// Create port-channel 1
> interface port-channel 1

Add ports to port channel
/// Select interface
> interface gigabitethernet 1/0/1
/// Add port 1 to port-channel 1
> channel-group 1

Set route
/// Set a static route
> ip route 1.1.1.1 (dest.) 255.255.255.0 (mask) 2.2.2.2 (gw)

Enabling PortFast
/// Select interface
> interface ethernet 1/0/1
/// Enable portfast on port
> spanning-tree portfast

/// Select interface range
> interface range ethernet all
/// Enable portfast on range
> spanning-tree portfast

Create an IP based Access-List
/// Create access-list ACL1
> ip access-list extended ACL1
/// Deny 1.10 access to 1.1
> deny ip 10.40.1.10 255.255.255.0 10.40.1.1 255.255.255.0
/// Permit everything else
> permit ip any any
/// Select interface
> interface gigabitethernet 1/0/1
/// Apply ACL to port
> service-acl input (output) ACL1

Using TFTP to download software and boot code to stacked switches
Copy software first, then copy the boot software.
/// Copy software to all switches
> copy tftp://{tftp address}/{file name} unit://*/image
/// Copy boot software to all switches
> copy tftp://{tftp address}/{file name} unit://*/boot
/// Verify active image
> show bootvar
/// Activate new image on all switches
> boot system image-1 all
/// Reload stack
> reload