Installing Fortinet Fortigate VMX with VMware NSX-V

Recently I had to do an installation of Fortinet Fortigate VMX 6.* on a small cluster that was already running NSX. Since there is hardly any documentation on it besides an older PDF from Fortinet, I decided to document how I followed that document myself.

Since my lab’s still on 6.5 I decided to do everything within the flash client of vCenter.

Disclaimer: I am not a Networking or Security professional so there’s a good chance I am not keeping to some standards in those worlds.

What you need

  • both Fortigate vmx ovf files with vmdk’s for version 6.*
  • Webserver with anonymous access for the deployment of the security vm’s
  • NSX already pre-installed

Setting up the VMX Manager

First you start with deploying the VMX Service Manager from vSphere. It’s important to note that there are two ovf files: one for the Service Manager and one for the Security VM. You need the FortiGate-VMX-Service-Manager.ovf first. During this deployment you need to select two networks: one for management and a sync network. The latter is for communication with the security vm’s only, so it can be non-routed. It is possible to have a dhcp server running in this vlan as long as it doesn’t provide a default gateway (Servers don’t like multiple gateways. capiche?). The service manager is also able to act as dhcp server for the security vm’s. Since I use this vlan for more things I have dhcp running on my domain controller but will set a static ip on the service manager.

When the deployment has finished you can power the VM on and you need to open the console for some commands. Please note that I added the extra end’s to the commands compared to the manual.

Somehow they put the ip config in the ovf but that doesn’t work, so you need to set it manually.

config global
config system interface
edit mgmt
set ip <IP address for the MGMT interface > <subnet mask>
set allowaccess ping https ssh http
end
end

 

Now we need to configure the default gateway

config vdom
edit root
config router static
edit 0
set device mgmt
set gateway <IP address of gateway>
end
end

 

and configure dns ( I only have 1 dns host)

config global
config system dns
set primary <IPv4 address of DNS server>
set secondary <IPv4 address of DNS server>
end
end

 

So the basic configuration has been done and we should have access to the web interface by now. Just regular https on port 443. Default is admin without password.

If you want you can change the password now (recommended!!)
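The password change and a tighter management interface can also be set from the same console. This is an added example, not taken from the Fortinet manual or the original post: it drops http from allowaccess (the interface config above enables it next to https) and uses trusthost1 to limit where the admin account can log in from. Values in angle brackets are placeholders, the management subnet is an assumption about your environment, and the # lines are annotations that can be left out when typing.

```fortios
# Added example: replace the <placeholders> with your own values.
config global
config system interface
edit mgmt
# as entered earlier: set allowaccess ping https ssh http
# same services, without cleartext http for the admin GUI
set allowaccess ping https ssh
end
config system admin
edit admin
# the default admin account has no password set
set password <new admin password>
# assumption: administrators connect from a single management subnet
set trusthost1 <management subnet> <subnet mask>
end
end
```

Make sure the trusted subnet includes the machine you are connecting from before you close the console session.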

You’ll see a dashboard similar to this but with an evaluation license.

If you click on FGTVMX License you’ll get a button to install the license.

Click on upload and click ok to install the license, the VMX Service Manager will reboot after this.

With this done we need to set some default settings under Global > System > Settings

Since I only have my Domain Controller for ntp I need to do this from the CLI

config global
config system ntp
set type custom
config ntpserver
edit 0
set server <IPv4 address of NTP server>
end
end
end

and the result

Connecting with NSX

Here we find one of the bigger changes with the manuals of the 5.* releases of Fortigate VMX.

The 6.* releases of Fortigate VMX already come with the NSX service installed so the only thing we need to do is register the VMware NSX SDN. This can be done under Global > Dashboard > Security Fabric > Fabric Connectors.

Fill in all the fields, the image location has to be an anonymous 🙁 webserver that has both the vmdk files and the ovf. Click on ok when you are done.

Now we need to edit the connector again to register the service. Select the NSX Connector and click on edit.

Hit the Add Service button and the service will be created for you (previously this had to be done from the cli)

If you now go to the Service Definitions in NSX it will show an extra one called Fortigate_VMX or whatever you named it.

Configuring NSX for Fortigate VMX

Next thing to do is to create a service deployment. Click on add on the Service Deployment tab under Networking & Security > Installation and Upgrade.

Select the Fortigate service name

Select the cluster where you want to deploy Fortigate VMX

Select the datastore where the Service VM’s need to be placed, the correct portgroup and if you want to use dhcp or an ip pool for the service vm’s.

and finally click finish

NSX will now start deploying the service vm’s. Usually it creates a new resource pool for these but that somehow failed for me.

Next up is creating Security groups for the vm’s that we need to firewall. This is done in the service manager for NSX.

Click add

Choose a name

Choose a rule for when vm’s are a member of this group

I didn’t use the next 2

And hit finish

The group now consists of several of my VDI Desktops

Last but not least we need to create a redirection policy.

Under service composer > security policies click add

Choose a name

skip Guest introspection and firewall rules. Under Network Introspection click add

Choose a name and select the direction of the traffic that gets filtered within the group where this gets applied.

I created two services: one for all incoming traffic to my security groups and one for all outgoing.

click next & finish.

Now click on the newly created security policy

click Apply

Select the security group where you want to apply the policy, put it in selected objects and click apply.

With this traffic should be redirected to Fortigate VMX and the firewalling can be setup over there.

The VMware Labs flings monthly for March 2019

We’re already into April that means it’s time for the flings update for March. There have been 3 updates and two new flings. I already have a blogpost about one of the updated flings: The Horizon Helpdesk Utility. The new flings are: Identity Manager Migration/Backup Tool and Physical Desktop as a Thin Client. The updated ones are: vSAN Hardware Compatibility List Checker, vSphere HTML5 Web Client and as said earlier the Horizon Helpdesk Utility.

New Releases

Physical Desktop as a Thin Client

Personally I don’t see the added value for this fling since there are already plenty of products that provide the functionality and you can even do it yourself with gpo’s. (and the logo is outdated as well)

A thin client is a stateless, fanless desktop terminal that has no hard drive. Thin clients provide businesses a cost-effective way to access virtual desktop infrastructures (VDI). To simplify the operation steps to access VDI, some features are embedded in thin clients.

For example:

  • Launch the RDP client default
  • Hide desktop/task bar
  • Disable system options to prevent user using other applications

And so on

This Fling will convert a physical desktop into a thin client. It will restrict end-users’ behaviors when users log into physical desktops. After the user has logged in, the Horizon View client will be launched automatically and switching to other applications is forbidden. The physical desktop will log off automatically once the user exits the Horizon View client.

Identity Manager Migration/Backup Tool

The Identity Manager Migration/Backup Tool helps you in migrating vIDM settings between environments.

Identity Manager Migration/Backup Tool automates the process of exporting or importing applications and entitlements from one Identity Manager instance to another. If entitlements exist, they will also be backed up to an XML file. This Fling uses Identity Manager API’s for Export, Import, Delete and applying entitlements.

Updated flings

vSAN Hardware Compatibility List Checker

With the vSAN Hardware Compatibility List Checker you can easily check if your hardware is supported for vSAN.

Changelog

Version 2.1

  • Fixed the bug that firmware version of some controllers can’t be fetched

Version 2.0

  • Add 3 new checks
  • Controller is VMware certified for ESXi release
  • Controller driver is VMware certified
  • Controller firmware is VMware certified
  • Update HTML report format
  • Bug fixes

vSphere HTML5 Web Client

Nuf said about this one.

Changelog

Fling 4.1.0 – Build 12518617
New Features

  • Hiding VMs in Hosts and Clusters view – A very popular desktop client feature is brought into the vSphere HTML5 client where you can go to User’s menu, select My preferences and Inventory tab from where you can show/hide VMs in Hosts and Clusters view by selecting the checkbox.
  • User’s menu -> My preferences will have additional preference options like Language, Time Zone, Console and Inventory
  • Developer Center now has API Explorer tab listing all the REST APIs exposed by vSphere SDK.
  • New layout for the feedback tool and feedback tool can be invoked even when a dialog is open on the screen. This enables taking the screenshot of the client including the dialogs. Also, feedback tool now has the ability to add screenshots, this will help you compare the features between different clients and upload the screenshots.

Improvements

  • We added the support back to 6.0 vCenters to the fling. You can now point vSphere HTML5 client fling v4.1 to 6.0 or 6.5 or 6.7 version of vCenter servers.
  • License expiration notification now is increased from 60 to 90 days and includes all the licenses
  • Evaluation License is now shown in the licenses list
  • Sorting and Filtering by License Expiration date in the Licenses list

Known Issues

  • New layout of the feedback tool has issues in the Firefox browser, so you will see old feedback tool in that browser.
  • There are some areas where feedback tool might not capture the screenshot of the dialog, like VM edit settings.

Horizon Helpdesk Utility

For a more complete overview of the Horizon Helpdesk Utility fling see the link I posted in the intro to my previous blogpost.

Changelog

Version 1.3.3.1

  • Removed machine listings from session view (overkill)
  • Improved Environment view to include metrics on all connected infrastructure:
    • vSphere
    • Hosts
    • Datastores
    • Remote Pods
    • Events
    • Problem Machines
  • Added repeated queries for logon breakdown if missed on first instance
  • Added event query support for logon breakdown
  • Added events view for Farm and Desktop pools
  • Added inbuilt find / search to users / machines in pool views
  • Added support for multiselect in pool / farm views
  • Added graph / chart views of machines / sessions and problem machines on the environment overview
  • Added a pod switcher to the environment overview
  • Added a global search to the environment overview
  • Added support for Pod Jumping.
    • the ability to jump to a pod on demand
    • the ability to jump to a pod a session belongs to
  • Added support for an architecture view of Desktop Pools
  • Added support for an architecture view of Farms
    • Enhanced view of servers load evaluator value
  • Added bulk user tasks via pool or farm views:
    • Bulk messaging
    • Bulk log off
    • Bulk disconnect
    • Bulk reset
    • Bulk restart
  • Added support for a local pod view (AKA environment view):
    • Connection servers
    • Farms
    • Desktop pools
  • Added documentation (finally)
  • Added MSI installation support
  • Added a start time column to user sessions (this will persist as a preference)

Dutch VMUG UserCon 2019: a short recap

Currently I am sitting behind my desk still bouncing around after a great Dutch VMUG UserCon yesterday. This was my fourth time presenting at this awesome event and every time I get a little bit better at doing so. With 11 parallel tracks in the afternoon it becomes hard not to find interesting sessions. As always content went from deep technical to marketing or even personal improvement.

My (or more our) session

As said this was the fourth time I presented at the Dutch Vmug and the second time together with my great friend Hans Kraaijeveld. Just like two years ago we had a mix of various flings and tools that could help a Horizon admin in managing their environment. We decided on skipping a couple since we already covered those two years ago or last year in my own session. They did get an honorable mention:

  • VMware OS Optimization Tool (OSOT)
  • Logon Monitor
  • PowerCLi for Horizon.

The tools we did cover are:

  • VMware Horizon Helpdesk fling
  • VMware Performance Tracker
  • VMware log bundle scripts (we still visit too many customers who don’t know about these) & analyzing them with Agent Ransack
  • Procmon

While 20 minutes is really short I think we really did manage to get the message across. We were even able to challenge the audience to present next year and answer some questions. You can find the slides to our presentation over here. This version is in Dutch but you can expect an English one since we will be giving the same presentation with some extras and hopefully live demos at the next https://vcnrw.de/ event on April 4th.

Highlights of the day

Besides our own session the highlights of the day were (re-)connecting with friends. Getting informed about new tech but also the vExpert lunch with Amy Lewis and the afternoon keynote by Jad El-Zein. The vibe during the day was awesome during the entire event!

Any negatives?

While The Fabrique is a great looking location it’s hard to find where you want to go. With a lot of smaller hallways, corners, stairs and stupid doors it sometimes became annoying. And was it just me but I would have liked to find some other softdrinks than this (delicious!) healthy stuff like a coke or something.

 

vExpert 2019? check! Why does it matter for me?

Last week whilst on holiday in Disneyland Paris I received the email every aspiring and existing vExpert was waiting for.

This means that for the fourth consecutive year I have been named a vExpert.

What is a vExpert? (or any other community award like NutanixNTC)

Per the vExpert site the criteria for becoming a vExpert are:

If you are interested in becoming a vExpert the criteria is simple. We are looking for IT Professionals who are sharing their VMware knowledge and contributing that back to the community. The term “giving back” is defined as going above and beyond your day job. There are several ways to share your knowledge and engage with the community. Some of those activities are blogging, book authoring, magazine articles, CloudCred task writing, active in facebook groups, forum (VMTN as well as other non VMware) platforms, public speaking, VMUG leadership, videos and so on.

I totally agree on the above description, for me a real vExpert shares knowledge in one of many ways. But blogging, speaking, tweeting, podcasting, writing isn’t the only way. We answer questions online and offline and if we don’t know the answer then we have an awesome backstop to ask questions called the vCommunity. Is it technical only you might ask? Absolutely not! I have seen hundreds of job changes by now because of the vCommunity. People were helped with personal issues, hell even home deco tips and tricks are shared. I think it’s just in our nature to help one another.

Yes it’s also about advocacy but the sharing of information is all voluntary. Do you want to tweet or blog about stuff? No-one will force you but they do appreciate it if you share news.

One thing advocacy program members are also good at is providing feedback. Not only to the software vendor but if you want some feedback about a possible blog post, presentation idea, news item or piece of hardware most of us will give you that feedback. Just be prepared because we can be brutally honest if it sucks!

But there are over 1700 vExperts, is it about quantity or Quality?

This is a point where I personally disagree on how the program is run. I have the idea that they want to grow just to grow and for me the selection criteria could be tightened quite a bit. I value growing but please do it by adding quality. If you look at smaller programs like some of the vExpert subprograms or others like the VMware EUC Champions or Nutanix NTC’s they are most times better managed, get more briefings, nda information and events. Not that the vExpert program is managed badly or doesn’t have an awesome party at VMworld but things just get more complicated at this scale.

But does the program still matter to you?

It certainly does! Through the vExpert program I have managed to grow personally and professionally but also made boatloads of friends online and offline. All the extra’s like licenses, swag and things like that are fun but nothing is as good as knowing you have some great people who are always happy to help you in any way possible!

I want in too, how do I become a vExpert?

Currently the sign ups are closed but until they open again (probably somewhere in June) you can start doing some things already:

  • Start a blog, most people do it as their own knowledge base. Write about what you experienced at work or a customer so you won’t forget it for next time.
  • Get a twitter account, follow a bunch of people and interact with them.
  • Help others out in places like VMTN, Reddit.
  • Present at a vmug or at your employer about things that could be interesting to others. This could be as basic as explaining how your homelab is setup.

If you need help or feedback on your blog or need help on how to build your presentation I am always happy to provide my 2 cents.

When the sign ups are opened again contact your local vExpert pro with how to tackle the application form. You can also ask me or any other vExpert you might know personally.

The VMware Labs flings monthly for February 2019

I am in full prep now for the biggest VMUG UserCon in the World: the Dutch UserCon. I will be doing a presentation with Hans Kraaijeveld about tools & flings (duh) for Horizon View.

This month there were three new fling releases and also three updates. The new ones are: PowerCLI Preview for NSX-T, USB Network Native Driver for ESXi and Workspace One UEM Workload Migration Tool. The ones that received an update are PowerCLI for VMware Cloud on AWS, vSphere PKS Plugin and ESXi Embedded Host Client.

New Releases

PowerCLI Preview for NSX-T

This Fling provides a community preview of the upcoming PowerCLI commands for NSX-T management. It comes in the form of a single PowerCLI module and integrates with existing PowerCLI modules.

All commands have been automatically generated. They are in an early stage of development, contain known issues, and will change in the future.

List of the most important known issues:

  • Retrieving an object based on its entire parent object does not work. To remedy this issue, specify the ID of the parent instead of the entire parent object. For instance, when calling Get-FirewallRule, use the -SectionId parameter to specify the ID of the parent section, instead of passing the entire parent firewall section to the -FirewallSection parameter.

USB Network Native Driver for ESXi

This fling is pure homelab goodness!

USB has become one of the most widely adopted connection types in the world & USB network adapters are also popular among Edge computing platforms. In some platforms, there is either limited or no PCI/PCIe slots for I/O expansion & in some cases, an Ethernet port is not even available. Another advantage of a USB-based network adapter is that it can be hot-plugged into a system without a reboot which means no impact to the workload, same is true for hot-remove.

This Fling supports three of the most popular USB network adapter chipsets found in the market. The ASIX USB 2.0 gigabit network ASIX88178a, ASIX USB 3.0 gigabit network ASIX88179 & the Realtek USB 3.0 gigabit network RTL8153. These are relatively inexpensive devices that many of our existing vSphere customers are already using and are familiar with.

Workspace One UEM Workload Migration Tool

The Workspace One UEM Workload Migration Tool allows a seamless migration of Applications and Device configurations between different Workspace One UEM environments. With the push of a button, workloads move from UAT to Production, instead of having to manually enter the information or upload files manually. Therefore, decreasing the time to move data between Dev/UAT environments to Production.

Updated flings

PowerCLI for VMware Cloud on AWS

The PowerCLI for VMware Cloud on AWS fling provides a preview of the new and upcoming PowerCLI cmdlets for VMware Cloud on AWS.

Changelog

Version 1.1.0.12022238

  • Added Remove-* cmdlets
  • Added/updated Get-* cmdlets based on latest VMC API definition

vSphere PKS Plugin

Are you running PKS? Then the vSphere PKS Plugin might be a handy addition to your toolkit.

Changelog

Version 1.0.2 – Build 224045

  • Adds support for PKS v1.3
  • Minor bug fixes

ESXi Embedded Host Client

The latest and greatest features for the ESXi Embedded Host Client.

Changelog

Version 1.33.1 build 12086396 (Fling 23) – January 31, 2019
OVF issues

  • Various fixes for ovf import issues
  • ISO files are now imported from OVAs

General

  • Fixed an issue with special characters in datastore names in some versions of ESXi
  • Fix swapped labels for transmit and receive in network chart
  • Network adapters are added to the vm in the correct order
  • Fixed issue with firewall notifications displaying incorrect information
  • provide notifications for expiring licenses
  • Support for Swedish input locale in the vm console
  • Display Fibre channel wwn and wwp as 64bit addresses

The VMware Labs flings monthly for January 2019

One month down, eleven to go for 2019! I am very busy planning the first Nutanix User Group meet and hopefully I will be selected again as vExpert. You can also still apply for vExpert at http://vexpert.vmware.com/. Back to the flings, this month there has been one new release: Policy Enforcer and four updates: ESXi Embedded Host Client, vSphere HTML5 Web Client, vSAN Hardware Compatibility List Checker and vSphere PKS Plugin.

New Releases

Policy Enforcer

Policy Enforcer is used to check and remediate restriction policies on a Workspace ONE Managed Windows 10 machine. If a user were to try to override configured Policy CSP settings by attempting to edit the Windows Registry, Policy Enforcer will compare the current value with the MDM configured value and reset the registry if the values differ.

Policy Enforcer can be implemented by uploading the MSI installer to the WS1 UEM console and deploying as an internal app via Apps & Books.

Updated

vSAN Hardware Compatibility List Checker

With the vSAN Hardware Compatibility List Checker you are able to test your hardware against the vSAN Hardware Compatibility list.

The vSAN Hardware Compatibility List Checker is a tool that verifies all installed storage adapters against the vSAN supported storage controller list. The tool will verify if the model, driver and firmware version of the storage adapter are supported.

Using a supported storage controller and firmware is important in a vSAN deployment to ensure normal operations, optimal performance, and to reduce the chances of hardware/firmware issues. This tool can be useful to ensure that a storage device and its firmware went through certification testing supported by VMware and its partners.

Some scenarios where the tool can be useful:

  • Verify if new server and storage adapter are supported for a vSAN deployment
  • Verify if re-purposed server, storage adapter are supported for a vSAN deployment

For a full vSAN system check, please check vSAN health UI through vSphere web client after a vSAN deployment.

Changelog

Version 2.0

  • Add 3 new checks
  • Controller is VMware certified for ESXi release
  • Controller driver is VMware certified
  • Controller firmware is VMware certified
  • Update HTML report format
  • Bug fixes

vSphere PKS Plugin

The vSphere PKS plugin gives the administrator a graphical interface within the vSphere HTML5 console.

Changelog

Version 1.0.1 – Build 168317

  • A PKS instance can be added to the plugin by providing the Ops Manager credentials
  • Support an alternate IP address (such as an NSX floating IP) to be used as the registration server and plugin server IP. It is assumed that the IP will be mapped to the appliance’s NIC via other means
  • Minor bug fixes

ESXi Embedded Host Client

The latest and greatest version of the ESXi embedded host client as found in production since ESXi6.0

Changelog

Version 1.33.1 build 12086396 (Fling 23) – January 31, 2019
OVF issues 

  • Various fixes for ovf import issues
  • ISO files are now imported from OVAs

General 

  • Fixed an issue with special characters in datastore names in some versions of ESXi
  • Fix swapped labels for transmit and receive in network chart
  • Network adapters are added to the vm in the correct order
  • Fixed issue with firewall notifications displaying incorrect information
  • provide notifications for expiring licenses
  • Support for Swedish input locale in the vm console
  • Display Fibre channel wwn and wwp as 64bit addresses

vSphere HTML5 Web Client

This is the newest release of the HTML5 Web Client for vSphere. The downloadable version is 4.0.1 while the changelog is 4.0 so we’ll have to assume that 4.0.1 is a small bug fix. Starting from this version the fling ONLY supports vSphere 6.5 and newer!

Changelog

Fling 4.0 – Build 11785236

  • New Features
    • Support for VC 6.7
    • ESX Agent Manager UI
    • MxN Convergence in System Configuration
    • Import Certificate and Generate CSR
    • Code Capture: the record button can be toggled between hidden and shown.
    • Ability to remove Script Bundles in Autodeploy for 6.7 VC
    • Ability to remove Discovered hosts in Autodeploy for 6.7 VC
    • Export licensing data in CSV for all licensing views
    • Add and Assign license with single operation
    • Authentication Proxy configuration for VC 6.5+ (VC > Configure > Settings > Authentication Proxy)
  • Improvements
    • Improved performance for Files browser for VC 6.7
  • Bug Fixes
    • Fixed an issue where starting a Code Capture recording would lead to dialogs loading slowly or not at all.
  • Known Issues
    • To open the Fling UI, you need to use https://<Fling IP>/ui
    • The VMware vSphere Update Manager (VUM) plugin will not be loaded when the Fling 4.0 is connected to vSphere 65
  • Release Notes
    • The upgrade from Fling 3.x to Fling 4.0 will require to establish new connection to the vSphere by providing the vSphere credentials.
    • The Fling 4.0 is based on the vSphere 6.7 client and does not support vSphere versions prior to vSphere 6.5

Added Checks to the vCheck for Horizon View

Starting this year I decided to really restart working on the vCheck for Horizon. I had several requests for RDS checks & Active directory plus I really wanted to get rid of everything related to the vmware.hv.helper module to make using it a little easier.

Just like the pools I pull the farms in the connection plugin so these can be used from other plugins.

# --- Get Desktop pools
$poolqueryservice=new-object vmware.hv.queryserviceservice
$pooldefn = New-Object VMware.Hv.QueryDefinition
$pooldefn.queryentitytype='DesktopSummaryView'
$poolqueryResults = $poolqueryService.QueryService_Create($Services1, $pooldefn)
$pools = foreach ($poolresult in $poolqueryResults.results){$services1.desktop.desktop_get($poolresult.id)}

# --- Get RDS Farms

$Farmqueryservice=new-object vmware.hv.queryserviceservice
$Farmdefn = New-Object VMware.Hv.QueryDefinition
$Farmdefn.queryentitytype='FarmSummaryView'
$FarmqueryResults = $FarmqueryService.QueryService_Create($Services1, $Farmdefn)
$farms = foreach ($farmresult in $farmqueryResults.results){$services1.farm.farm_get($farmresult.id)}

# ---- Remove queries
$services1.QueryService.QueryService_DeleteAll()

The deleteall() for the queries needs to be added to clean things up, otherwise you will run out of queries pdq. The RDS plugins I created are visible down below.

Also an AD check was added

The vCenter api call was split into three checks for vCenter itself, ESXi and datastores.

Besides these I have also added a saml check (tested by Aresh Sarkari, thank you!) and truesso checks (don’t have it in my lab so can’t test).

If you want an example of the vCheck that can be found HERE.

The VMware Labs flings monthly for December 2018

Happy New Year everyone! Hope you all had a great (and safe!) end of the year. I just need to close the year up with one thing: an overview of flings that have been released or updated in December. No less than four new flings have arrived: VMware Workspace ONE Provisioning Tool, Dispatch-Solo, Android Device Pre-Verification Suite and PowerCLI for VMware Cloud on AWS. Two flings have received an update: PowerCLI Extensions and the HCIBench.

New

VMware Workspace ONE Provisioning Tool

The VMware Workspace ONE Provisioning Tool gives you a GUI to provision and test WS One Applications.

The VMware Workspace ONE Provisioning Tool helps you test and validate your applications (exported as a .ppkg file) and the special-purpose unattend.xml configuration file as part of the Dell Provisioning for Workspace ONE offer. This tool simplifies the testing and validation of this process in your own environment before these files are sent and applied in the Dell factory.

Highlights

  • Simple UI to easily enable the IT admin to validate their ppkg and unattend.xml files in their own environment, mimicking what Dell is doing in the factory.
  • Supports PPKGs and unattend.xmls generated with Workspace ONE UEM Console 1811 or newer.
  • Highly flexible. Allows IT admins to specify the configurations for tool in a text based config file in order to change things like tool timeout and report location, to name a few.
  • Generates a detailed final summary report with client details and app installation results. This file is saved in C:\ProgramData\Airwatch\UnifiedAgent\Logs\PPKGFinalSummary.log after the “Full Process” button is clicked.
  • Halts the process if any steps fails for the given operation, giving the ability to IT admins to view & debug the state of the machine and the apps.

Supported Operations

  • Apply Apps Only – Given a ppkg, this tool deploys the applications on a test windows machine
  • Apply Full process – Given a ppkg and xml file, this tool deploys the applications on a test windows machine followed by Workspace ONE enrollment and Sysprep.

Dispatch-Solo

The Dispatch-Solo fling actually is a prepackaged VM to get you started with dispatch as easily as possible.

Dispatch-Solo is a lean version of Dispatch which has been packaged as a VM appliance. The goals of Dispatch-Solo are simple:

  • Lower the barrier to entry – get started with Dispatch in a matter of minutes
  • Support nearly the full Dispatch feature set – API compatibility
  • Explore use-cases – get user feedback and iterate

Because Dispatch and serverless is still in its infancy, understanding use cases is the highest priority. It therefore makes sense to continue to focus on getting Dispatch in as many hands as possible and making it as easy as possible to get started exploring its usage. By packaging Dispatch-Solo as a VM appliance, getting started is quick and predictable.

For full documentation and examples see the Dispatch project page.

Android Device Pre-Verification Suite

This Android Device Pre-Verification Suite Fling reduces the time to perform a preliminary test on any Android device from any OEM. Pre-verification result decides whether the device is eligible for a full device verification program or not. This eliminates the TAT (turnaround time) for basic test failures during the initial phase of verification from VMware. Customers/Partners can run this tool at their premise and check whether the device passes the device verification program entry criteria.

PowerCLI for VMware Cloud on AWS

If you are using VMware Cloud on AWS the PowerCLI for VMware Cloud on AWS fling will give you a preview of what to expect from PowerCLI to automate VMC.

This Fling provides a community preview of the upcoming PowerCLI commands for managing VMware Cloud on AWS. It comes in the form of a single PowerCLI module and integrates with existing PowerCLI modules.

All commands have been automatically generated. They are still in development, contain known issues, and will change in the future.

Updated

PowerCLI Extensions

The PowerCLI extensions fling gives you a preview on what to expect in the official PowerCLI releases.

Changelog

Version 3.0.0.11173018

  • Updated PowerCLI.Extensions Module to be compatible with VMware PowerCLI 11.0.0

HCIBench

This one should be known by now: HCIBench is made for benchmarking your hyperconverged infrastructure. Ideal for things like vSAN but please be aware that it could also possibly be tuned for that.

Changelog

Version 1.6.8.7

  • Enhanced easy-run, put original 4k,70% read as the first test case, then 4k, 100% read and 256k, 100% write
  • Enhanced tvm deployment validation
  • Added Checksum into easy-run consideration
  • Updated guest VM template with increased ring_pages and disk scheduler
  • Added DNS configuration guidance into welcome message

Version 1.6.8.5

  • Added 2 more test cases into easy-run, 4k 100% random read and 256k 100% sequential write
  • Batch deployment will be involved if deploying more than 8 VMs to speed up deployment process
  • Allow user to choose IP prefix when using static IP
  • Optimized UI to allow user to review the results by single click
  • Fixed regression issue when placing Datacenter/Cluster in the folder

 

Setting maintenance mode for Linked Clones using API’s

If you have used the VMware.hv.helper, the title of this blog post might sound strange since set-hvmachine already has a way to set maintenance mode. When Ryan Butler asked me the question this week, though, I didn’t think of that and dived into the APIs immediately. The machines.Machine_EnterMaintenanceMode method looked good to me, and then I thought of the vmware.hv.helper and noticed that with

Set-HVMachine -Maintenance ENTER_MAINTENANCE_MODE

it was also possible to set maintenance mode. The usage, though, made me think immediately that this was not actually using a proper API call but the update function. A quick look at the function itself confirmed this. It sets the status of the virtual machine by directly setting the status.

if ($Maintenance) {
    if ($Maintenance -eq 'ENTER_MAINTENANCE_MODE') {
        $updates += Get-MapEntry -key 'managedMachineData.inMaintenanceMode' -value $true
    } else {
        $updates += Get-MapEntry -key 'managedMachineData.inMaintenanceMode' -value $false
    }
}
(this is just a snippet of the complete function)

If you are below version 7.5 of Horizon view it’s probably of no use to continue with the rest of this blog post. The api explorer only mentions the relevant functions since 7.5! They have been tried against 7.0.3 and 6.2 and there they don’t work.

So back to the drawing board it was and I needed to look at the API explorer, there are 4 relevant methods for maintenance mode.

As usual, there are methods for multiple machines that take an array of ids (with machines in the name) and methods for a single machine id (without machines in the name).

Since I usually use instant clones these days I created a small pool with three linked clones. With get-hvmachine I can show you their names and state.

(get-hvmachine -pool pod2_linked).base | select-object name,basicstate

Since I know that get-hvmachine will already give you the id of a machine it’s easy to do a one liner to set one system in maintenance mode.

 $services1.Machine.Machine_EnterMaintenanceMode((get-hvmachine -machinename p2lc001).id)

and exit maintenance mode.

 $services1.Machine.Machine_ExitMaintenanceMode((get-hvmachine -machinename p2lc001).id)

And the entire pool?

$services1.Machine.Machine_EnterMaintenanceModemachines((get-hvmachine -pool pod2_linked).id)

And exit maintenance mode for the entire pool.

$services1.Machine.Machine_ExitMaintenanceModemachines((get-hvmachine -pool pod2_linked).id)

Okay, so we now know how this works, but I don’t want to use the vmware.hv.helper module for this at all because I want to be able to use a list of machines or select based on part of the name. That can be done using a query. The query entitytype to use is MachineSummaryView, and if you use queryfiltercontains it’s also possible to use only a part of the name for a kind of wildcard selection. Combine several of these with queryfilteror and it gives the opportunity to select them from a list.

# Connect to the connection server and get the API services object
$connectionserver="servername"
$hvserver1=connect-hvserver $connectionserver 
$Services1= $hvServer1.ExtensionData
# One machine name (or part of a name) per line
$machines=get-content machines.txt
$queryService = New-Object VMware.Hv.QueryServiceService
$defn = New-Object VMware.Hv.QueryDefinition
$defn.queryentitytype='MachineSummaryView'
# Build one "contains" filter per line of the text file
$filterset=@()
foreach ($machine in $machines) {
    $queryfiltercontains=New-Object VMware.Hv.QueryFiltercontains -Property @{ 'memberName' = 'base.name'; 'value' = $machine }    
    $filterset+=$queryfiltercontains
    }
# Combine the filters with OR so a machine matching any line is selected
$orFilter = New-Object VMware.Hv.QueryFilterOr
$orFilter.filters = $filterSet
$defn.filter=$orFilter
$ids=($queryService.QueryService_Create($Services1, $defn)).results
# Put every matching machine into maintenance mode
$services1.Machine.Machine_EnterMaintenanceModeMachines($ids.id)

p2lc001
p2lc003

Now I replaced the names in the txt file with only p2lc00

# Connect to the connection server and get the API services object
$connectionserver="servername"
$hvserver1=connect-hvserver $connectionserver 
$Services1= $hvServer1.ExtensionData
# One machine name (or part of a name) per line
$machines=get-content machines.txt
$queryService = New-Object VMware.Hv.QueryServiceService
$defn = New-Object VMware.Hv.QueryDefinition
$defn.queryentitytype='MachineSummaryView'
# Build one "contains" filter per line of the text file
$filterset=@()
foreach ($machine in $machines) {
    $queryfiltercontains=New-Object VMware.Hv.QueryFiltercontains -Property @{ 'memberName' = 'base.name'; 'value' = $machine }    
    $filterset+=$queryfiltercontains
    }
# Combine the filters with OR so a machine matching any line is selected
$orFilter = New-Object VMware.Hv.QueryFilterOr
$orFilter.filters = $filterSet
$defn.filter=$orFilter
$ids=($queryService.QueryService_Create($Services1, $defn)).results
# Take every matching machine out of maintenance mode
$services1.Machine.Machine_ExitMaintenanceModeMachines($ids.id)

And back into maintenance mode

So this is a nice way to manage the machines and their maintenance state. Please remember that these scripts only work against horizon 7.5 and higher.
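
The two scripts above can be folded into one function that takes the name fragments and the direction as parameters, drops blank lines from the list and shows the matches before changing anything. This is an added example, not code from the original post or from vmware.hv.helper; the function name Set-MaintenanceByName and its parameters are made up for illustration, and it assumes Horizon 7.5 or higher and an existing connect-hvserver session.

```powershell
# Added example: Set-MaintenanceByName is a hypothetical helper, not part of VMware.Hv.Helper.
function Set-MaintenanceByName {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)] $Services,                 # $hvserver1.ExtensionData
        [Parameter(Mandatory)] [string[]] $NameFragment,  # full names or parts of names
        [Parameter(Mandatory)] [ValidateSet('Enter', 'Exit')] [string] $Mode
    )

    # A blank line in the input file would become an empty "contains" value;
    # drop those as a precaution so the selection is never wider than the list intends.
    $fragments = @($NameFragment | ForEach-Object { "$_".Trim() } |
        Where-Object { $_ } | Select-Object -Unique)
    if ($fragments.Count -eq 0) { throw 'No usable machine names supplied.' }

    # One QueryFilterContains per fragment, combined with QueryFilterOr.
    $filters = foreach ($fragment in $fragments) {
        New-Object VMware.Hv.QueryFilterContains -Property @{
            memberName = 'base.name'; value = $fragment }
    }
    $orFilter = New-Object VMware.Hv.QueryFilterOr
    $orFilter.filters = @($filters)

    $defn = New-Object VMware.Hv.QueryDefinition
    $defn.queryEntityType = 'MachineSummaryView'
    $defn.filter = $orFilter

    $queryService = New-Object VMware.Hv.QueryServiceService
    $results = @(($queryService.QueryService_Create($Services, $defn)).results)
    if ($results.Count -eq 0) {
        Write-Warning 'No machines matched; nothing changed.'
        return
    }

    # List what matched and ask for confirmation before changing state.
    $names = $results.base.name -join ', '
    if ($PSCmdlet.ShouldProcess($names, "$Mode maintenance mode")) {
        if ($Mode -eq 'Enter') {
            $Services.Machine.Machine_EnterMaintenanceModeMachines($results.id)
        } else {
            $Services.Machine.Machine_ExitMaintenanceModeMachines($results.id)
        }
    }
    # Return the matched machines so the caller can log them.
    $results | ForEach-Object { [pscustomobject]@{ Name = $_.base.name; Id = $_.id } }
}
```

Run it as Set-MaintenanceByName -Services $Services1 -NameFragment (get-content machines.txt) -Mode Enter -WhatIf to see which machines match without changing anything.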

The VMware Labs flings monthly for November 2018

The year’s almost over but for me it feels like it just got started, how does it feel for you? Time certainly flies! This month there was one new fling: vSphere PKS Plugin and five have received updates: Workspace ONE UEM Profile Migration Utility, HCIBench, ESXi Embedded Host Client, Cross vCenter Workload Migration Utility and Workspace ONE Configuration Tool for Provisioning.

New

vSphere PKS Plugin

The vSphere PKS Plugin provides a user interface for managing and monitoring Kubernetes cluster deployments for the PKS platform. Using the vSphere PKS Plugin you can view details about your Kubernetes clusters, including master and worker nodes as well as networking configuration.

Features

The vSphere PKS Plugin:

  • Provides a graphical interface to visualize the Kubernetes clusters deployed and managed by PKS
  • Provides visibility into underlying infrastructure such as VMs, network objects and storage objects that are created when a Kubernetes cluster is deployed in a vSphere environment
  • Provides a centralized launch point for viewing components deployed with the Kubernetes cluster, including nodes and network objects such as routers, logical switches, load balancers
  • Provides a simple user interface to get easy access to the cluster using the kubectl interface and the cluster Dashboard

Updated

Workspace ONE UEM Profile Migration Utility

The Workspace ONE UEM Profile Migration Utility helps in moving profiles between various WS One UEM Consoles.

Changelog

Version 1.6

  • Added a log file for more advanced troubleshooting and auditing. A new file in the folder called: WS1UEM-Profile-Migration-Utility-log.txt
  • Added logic to ensure the user has to hit Review button before Create
  • Fixed a bug where the Status wouldn’t clear if selecting a new Profile therefore the user was unable to tell if the new Create Profile was successful

HCIBench

The HCIBench is a Hyperconverged Infrastructure Benchmark built around VDbench.

Changelog

Version 1.6.8.1

  • Fixed regression when datastore is in the datastore folder
  • Avoid checking connection to host directly and use tvm deployment instead
  • Added Vdbench version check in summary script

Version 1.6.8

  • Added resource pool and VM folder fields for VMC environment
  • Fixed easy-run disk size issue
  • Enhanced pre-validation error message handling
  • Changed the names of network interface from “Public Network” to “Management Network”, and “Private Network” to “VM Network”

ESXi Embedded Host Client

While the ESXi embedded host client has been officially released for 5.5, 6, 6.5 and 6.7 the fling gets all the latest updates.

Changelog

Version 1.32.0 build 10692217 (Fling 22) – November 2, 2018

  • Import / Export
    • Iso files and nvram files can now be exported and imported (if supported by the esx version)
    • Files can be individually selected when exporting
    • All advanced vm config options are exported by default
    • Several bug fixes related to the export wizard
  • General
    • Permissions previews now display correctly
    • Support Bundles are now generated on the fly
    • Domain user functionality has been restored
    • Fibre Channel WWNs are displayed in hex

Cross vCenter Workload Migration Utility

If you want to use a gui to move vm’s between different vCenter servers then the Cross vCenter Workload Migration Utility is the tool to use.

Changelog

Version 2.5, November 5, 2018

  • Remember registered site information (without password)
  • Easily retry a previously attempted task in case of failures
  • Search box for keyword filtering of migration task history
  • Option to clear task history by removing completed tasks
  • Added documentation and other links under the help menu
  • Partial fix for an issue related to duplicate network names

Workspace ONE Configuration Tool for Provisioning

The Workspace ONE Configuration Tool for Provisioning assists in building unattend.xml configuration files that can be used by Dell (or others when more provide the service) when delivering systems from the factory to set them up for your environment.

Changelog

Release Update – Version 2.0.0

Improvements

  • The version number is shown in the window title
  • The version number is shown as a comment in the generated XML
  • The product key is now validated to conform with the 11111-11111-11111-11111-11111 pattern
  • Split the locale settings into ‘Operating System Language’, and ‘Region and Keyboard Settings’.
  • ‘Operating System Language’ maps to the language of the operating system installation media, and ‘Region and Keyboard Settings’ maps to the locale settings available to the user during OOBE
  • ‘Operating System Language’ is now a required field as it is needed for certain customizations, such as adding a user to the administrators group
  • Removed the ability to set a custom computer name. The computer name now defaults to ‘*’, which causes the Windows OS to generate a random name, taking up to seven characters from the ‘Registered Organization’ field plus eight random characters. This change makes sure every computer has a unique name on the network.
  • The ‘Auto Admin Logon’ feature is no longer selectable. Instead, it will be activated when it is required by the deployment scenario.
  • All deployment scenarios now allow for the creation of a local user.
  • Moved the node from the ‘oobeSystem’ pass to the ‘specialize’ pass
    to be consistent with the node

Bug Fixes

  • Auto Admin Logon would only work with an unattend XML generated for an en-US installation image
  • Enabled the ASSIGNEDTOLOGGEDINUSER=Y flag to enable the WS1 agent to correctly enroll the user in the ‘Workgroup’ deployment scenario
  • Fixed an issue where the ‘Show Privacy Settings’ option would have no effect