
PowerShell script to list the custom CPU and memory shares


Hi All,

 

Can anyone here please assist me with a PowerShell script to list the custom CPU and memory shares that are defined for each individual Virtual Machine in my vCenter?

 

I just need to know which VMs got this setting and how much are they assigned.

 

Thanks,


CPU & RAM over commit csv trend

Horizon client for windows store - CTRL & Shift key shortcut missing


Hi,

I use the Horizon View app from the Windows Store on my Surface Pro 3 and I realized that some shortcuts are missing. For instance, I cannot multi-select by holding the CTRL key and clicking, or by holding the CTRL + SHIFT keys.

Any tips to fix this?

Thanks,

Stephanie

Is it true Fusion v6 no longer work for macOS Sierra?

Script to clean up datastores


Hey all,

 

I am looking for a script to help me clean up datastores from leftover files.  After vMotion, sometimes the datastore leaves behind folders with only files with the extensions .hlog, .nvram, -aux.xml and .vmxf.  I would like to see if it is possible to make a script to help round up and delete these.

 

Thanks in advance,

Andy

UUID change reverted every time VM powered on


I am trying to change the UUID of a VM on ESXi 6.0.0. I have followed the instructions in the knowledge base, but every time I power on the VM, the uuid.bios immediately reverts to the previous value.

 

My procedure is:

  1. Power off the VM (either through the web UI at http://[esxi_host]/ui, or on the esxi commandline).
  2. Edit the .vmx file to change uuid.bios.
  3. Power on the virtual machine (either through the web UI at http://[esxi_host]/ui, or on the esxi commandline).

As soon as I power it on, I see that the uuid.bios in the .vmx file has reverted to its previous value.

 

I'm not using vCenter Server, but I even tried un-registering the VM before editing the .vmx and then re-registering it, just in case. I also tried rebooting the esxi host after changing the .vmx file. In all cases, the uuid.bios immediately reverts when I power on the VM.

 

Can anyone suggest how I can make the UUID change persist?

 

Thanks,

Neil.

PCoIP connectivity issues


Hi,

We have a couple of users who are unable to connect to their VDI via PCoIP, but it works via RDP.

Can anyone please suggest what could be blocking?

Logs of a user who isn't able to connect to VDI:

 

07/29/2015, 12:40:08.444> LVL:2 RC:   0           AGENT :pcoip_agent_connect_req: ==========>  New connection request <===========

07/29/2015, 12:40:08.444> LVL:2 RC:   0           AGENT :tera_agent_read_external_udp_address: RegQueryValueEx could not find the pcoip.external_udp_address value in the Software\Policies\Teradici\PCoIP\pcoip_admin_defaults key, sending no value to server.

07/29/2015, 12:40:08.444> LVL:2 RC:   0           AGENT :tera_agent_read_external_udp_address: RegQueryValueEx could not find the pcoip.external_udp_port value in the Software\Policies\Teradici\PCoIP\pcoip_admin_defaults key, sending no value to server.

07/29/2015, 12:40:08.444> LVL:2 RC:   0           AGENT :Client address is 0.0.0.0:0 (host order)

07/29/2015, 12:40:08.475> LVL:1 RC:1359           AGENT :pcoip_agent_connect_req: tera_agent_generate_version_1_scrambling_tag() failed

 

 

Working user logs :

 

07/24/2015, 17:44:51.343> LVL:2 RC:   0           AGENT :pcoip_agent_register: operate as rds agent is false

07/24/2015, 17:45:20.979> LVL:2 RC:   0           AGENT :pcoip_agent_connect_req: ==========>  New connection request <===========

07/24/2015, 17:45:20.979> LVL:2 RC:   0           AGENT :tera_agent_read_external_udp_address: RegQueryValueEx could not find the pcoip.external_udp_address value in the Software\Policies\Teradici\PCoIP\pcoip_admin_defaults key, sending no value to server.

07/24/2015, 17:45:20.979> LVL:2 RC:   0           AGENT :tera_agent_read_external_udp_address: RegQueryValueEx could not find the pcoip.external_udp_port value in the Software\Policies\Teradici\PCoIP\pcoip_admin_defaults key, sending no value to server.

07/24/2015, 17:45:20.979> LVL:2 RC:   0           AGENT :Client address is 0.0.0.0:0 (host order)

07/24/2015, 17:45:21.010> LVL:2 RC:   0           AGENT :pcoip_agent_connect_req: For Soft Host: Using Version 1 Tag

07/24/2015, 17:45:21.026> LVL:2 RC:   0             PRI :pcoip_agent_connect_req: {s_tag:0xa2b9b541f5f4d592} Session ID for Soft Host: Tag:'orm1QfX01ZIA' Value:a2b9b541f5f4d592

07/24/2015, 17:45:21.026> LVL:2 RC:   0           AGENT :pcoip_agent_connect_req: {s_tag:0xa2b9b541f5f4d592} initialized local receiver, mailbox name is agnt0001

07/24/2015, 17:45:21.026> LVL:2 RC:   0           AGENT :server_listen_on_addr is 10.216.102.81:0 (host order)

07/24/2015, 17:45:21.026> LVL:2 RC:   0           AGENT :pcoip_agent_connect_req: {s_tag:0xa2b9b541f5f4d592} Session ID = 1; codec = 2.

07/24/2015, 17:45:21.026> LVL:2 RC:   0           AGENT :tera_agent_launch_server: {s_tag:0xa2b9b541f5f4d592} Launching pcoip_server_win32

07/24/2015, 17:45:21.026> LVL:2 RC:   0           AGENT :tera_agent_launch_server: {s_tag:0xa2b9b541f5f4d592} Optional log file path specified as "C:\ProgramData\VMware\VDM\logs\"

07/24/2015, 17:45:21.026> LVL:2 RC:   0           AGENT :tera_agent_launch_server: {s_tag:0xa2b9b541f5f4d592} use_vmware_launcher = false.

07/24/2015, 17:45:21.338> LVL:2 RC:   0           AGENT :tera_agent_launch_server: {s_tag:0xa2b9b541f5f4d592} Using direct CreateProcess: worked [system is vista or newer, windows session id: 0xffffffff, pid: 0x4a8, proc handle: 0x438].

07/24/2015, 17:45:22.338> LVL:2 RC:   0           AGENT :pcoip_agent_connect_req: {s_tag:0xa2b9b541f5f4d592} [1] Waiting for ready message.

07/24/2015, 17:45:25.463> LVL:2 RC:   0           AGENT :sSERVER_SESSION::agent_receiver_callback: message from A:srvr1;B:srvr0001 to A:srvr1, message = 00 00 00 00, len=144

07/24/2015, 17:45:25.510> LVL:2 RC:   0           AGENT :pcoip_agent_connect_req: {s_tag:0xa2b9b541f5f4d592} [1] Got ready message.

 

Thanks in Advance

Sas

How to make mouse buttons follow host


It seems that VMware guest hardware for the mouse now uses hardware clicks. So in the host control panel, swapping mouse buttons has no effect on the guest.

This is a real pain - in a previous version of vmware it used to work correctly.

 

Running windows .. sometimes I use a mouse with normal buttons, other times the buttons are swapped (left handed).

 

A few versions back of Workstation it used to be that the guest would copy the mouse button settings for the host.

Swap left/right buttons etc. Now it seems that for each guest I have to change the settings individually.

 

Is there a way to make the guest follow the host settings?

 

Can I make vmware guest hardware use the host control panel status for the mouse?

 

Thanks,

Michael


Using PowerShell to Deploy VMware Access Point


By Mark Benson, Senior Architect and Senior Staff Engineer, End-User-Computing CTO Office, VMware

Introduction

Updated September 2016 to include Access Point 2.7.2.

Updated May and August 2016 to include Access Point 2.6 details for use as a Web Reverse Proxy for VMware Identity Manager 2.6/2.7.

 

In September 2015, I posted A Technical Introduction to Access Point for Secure Remote Access article. Access Point is a VMware virtual appliance which is used with VMware Horizon (View) and Horizon Air (DaaS). In that article I mentioned the ability to perform a scripted deployment of an Access Point virtual appliance using VMware OVF Tool in order to perform a repeatable deployment where all settings can be applied in a way that allows Access Point to be production ready on first boot. This procedure is described in the document Deploying and Configuring Access Point.

 

Whilst it is great to be able to specify all configuration settings in one go at deployment time, the downside of this is that the OVF Tool command line can become very long and complex. It is also easy to introduce errors on the command line as the command syntax for OVF Tool used in this way can be difficult to get right. Also, it is not possible to validate the settings with OVF Tool and it is therefore very easy to make configuration errors such as setting an admin REST API password that doesn't meet the required complexity rules.

 

Many Windows administrators managing a VMware Horizon environment need a much simpler way to deploy Access Point in a secure, reliable and repeatable way and to have complete control over the settings. For these reasons, we have developed a sample PowerShell script that can be used to deploy Access Point and which overcomes the main difficulties of using OVF Tool directly on the command line. As this PowerShell script is delivered as a sample script, you can also adapt it as required for your specific needs, although in most cases you won't need to modify it at all. The script calls the OVF Tool command but validates the settings and automatically constructs the correct command line syntax. The settings are taken from a simple .INI file. This script runs OVF Tool in a fully supported way for Access Point according to the procedure in the document Deploying and Configuring Access Point. Note that no password values or private key values are stored within the .INI configuration files.

 

The PowerShell script sets all configuration settings for OVF Tool at deployment time. This includes setting up the CA issued SSL Server certificate and all other possible settings. After Access Point has been deployed by this script, there is no need to make configuration changes after deployment. Access Point will be ready for production use on first boot.


What are the requirements for deploying Access Point appliances using this script?

  1. For Access Point itself, a vSphere ESX host with a vCenter Server is needed. Decide on the vSphere datastore to be used and the Network name to be used. A vSphere Network Protocol Profile must be associated with every referenced network name. This Network Protocol Profile specifies network settings such as IPv4 subnet mask, gateway etc. The deployment of Access Point uses these values so make sure the values are correct.
  2. The PowerShell script runs on a machine running Windows 8.1 (or newer) or Windows Server 2008 R2 (or newer). This can be the vCenter Server itself if it is running on Windows, or can be a separate Windows machine.
  3. The Windows machine running the script must also have the VMware OVF Tool command installed. Install OVF Tool 4.0.1 or newer. You can download it from here OVF Tool Software and Documentation.


How do I run the script?

  • Download a version 2.0.1  Access Point virtual appliance image from VMware onto your Windows machine. This is an OVA file. e.g. euc-access-point-2.7.2.0-4354291_OVF10.ova.
  • Download the latest apdeploy ZIP file attached below and extract the files into a folder on your Windows machine.
  • On your Windows machine, open a PowerShell console and change directory to the location of your script.
  • Create a .INI configuration file for your Access Point virtual appliance. In this example, I am going to deploy a new Access Point appliance called AP1. I have created a .INI file called ap1.ini which contains all the configuration settings for AP1. You can use the sample .INI files contained within the apdeploy ZIP file to create your .INI file and then modify the settings to the values you want.
  • Make sure script execution is unrestricted for the current user. You can do this by running the command:
    set-executionpolicy -scope currentuser unrestricted
    You only need to run this once and only if it is currently restricted.
    If you get a warning about running this script, you can unblock that warning by running the command:
    unblock-file -path .\apdeploy.ps1
  • Run the command .\apdeploy.ps1 -iniFile ap1.ini as shown in the screenshot below. If you don't specify the -iniFile option, the script will default to ap.ini. You will be prompted to set a root password for the appliance and an optional password for the admin REST API. You will also be prompted for the vCenter password. Deployment takes around a minute depending on your host and storage performance. If you are prompted to add the fingerprint for the target machine, enter yes.

 

 

[Screenshot: PowershellAPDeploy1.png]

  • When the script completes, the Access Point appliance is ready to use. No further configuration steps are required.

 

.INI File Contents

 

The apdeploy ZIP file attached at the bottom of this post contains four example .INI files. ap1-basic.ini is a minimal .INI file which just contains the minimum settings needed. ap2-advanced.ini is a more complex configuration file showing additional settings available. ap3-securid.ini is an example of a configuration including RSA SecurID authentication. ap4-radius.ini is an example of a configuration including RADIUS authentication. You should start with just a basic .INI file to ensure that this deployment method works in your environment. You can then add more advanced settings in your .INI file and repeat the deployment. If you have already deployed the named Access Point appliance, then running the script again will power off the appliance, delete it, and redeploy it with the current .INI settings. This is a useful capability to use when either upgrading the appliance to a newer version, or just to change any of the settings.

 

Basic .INI File Example

 

##############################################

[General]

name=AP1

source=C:\APs\euc-access-point-2.7.2.0-4354291_OVF10.ova

target=vi://administrator@vsphere.local:PASSWORD@192.168.0.21/Datacenter1/host/esx1.myco.int

ds=Local Disk 1

netInternet=VM Network

netManagementNetwork=VM Network

netBackendNetwork=VM Network

honorCipherOrder=true


[Horizon]

proxyDestinationUrl=https://192.168.0.209

##############################################


The following table describes each configuration setting. These must be arranged in the .INI file under the appropriate Group Name shown in the first column and as shown in the sample .INI files.


Configuring Access Point as a Web Reverse Proxy for VMware Identity Manager

 

Access Point 2.6 and newer can be used as a Web Reverse Proxy in front of VMware Identity Manager version 2.6 (and newer). Make sure you use a 2.6 (or newer) version of Access Point e.g.

 

source=C:\APs\euc-access-point-2.7.2.0-4354291_OVF10.ova

 

For exact up to date information on Access Point compatibility, refer to the VMware Interoperability Support Matrix and select VMware Access Point and VMware Identity Manager.

 

For this setup, remove the entire [Horizon] section from the .ini file and replace it with a new [WebReverseProxy] section. Use the values shown in the sample ap10-vidm.ini file in apdeploy ZIP file below. Set the proxyDestinationUrl to the URL of the Identity Manager server. If that service does not use a trusted CA signed SSL server certificate then you will also need to add the proxyDestinationUrlThumbprints value. Leave all other values in [WebReverseProxy] exactly as shown in the sample ap10-vidm.ini.

 

The setup requires "split DNS" to be set up so that the URL hostname for an external user resolves to the address of Access Point, and the same URL hostname for an internal user resolves to the address of the Identity Manager server.

 


Configuration Settings


| Group Name | Value | AP Version Required (if applicable) | Example | Description |
| --- | --- | --- | --- | --- |
| [CertificateAuth] | pemCerts | | pemCerts=C:\Users\Administrator\SSL\north-ca-256.cer | Used for certificate authentication to specify the public CA cert file (in PEM base64 format) that was used to issue the required client certificates. See notes below on Client Device certificate authentication. |
| [General] | deploymentOption | | deploymentOption=onenic | Access Point can be created with either one, two or three network interface cards (NICs). Either specify onenic, twonic or threenic. The default is onenic. |
| | dns | | dns=192.168.0.1 | Optional DNS server address. Default is none. |
| | ds | | ds=Local Disk 1 | Datastore name which the appliance will be deployed to. |
| | honorCipherOrder | 2.7.2+ | honorCipherOrder=true | Default value is false. When set to true, the cipher list order for the SSL/TLS 443 listener is determined by the server. This allows forward secrecy ciphers to be presented first in the cipher list to improve security. With Access Point 2.7.2 and newer it is recommended that this is set to true. |
| | ip0 | | ip0=192.168.0.10 | IPv4 address for NIC0 (onenic, twonic or threenic) |
| | ip1 | | ip1=192.168.0.11 | IPv4 address for NIC1 (twonic or threenic) |
| | ip2 | | ip2=192.168.0.12 | IPv4 address for NIC2 (threenic) |
| | name | | name=AP1 | Name of the virtual appliance as shown in vCenter. It must be between 1 and 32 characters long. If name is omitted, the PowerShell script will prompt for it. |
| | netInternet | | netInternet=VM Network | The name of the vSphere Network for the Access Point primary network |
| | netManagementNetwork | | netManagementNetwork=VM Network | The name of the vSphere Network for the Access Point management interface network. |
| | netBackendNetwork | | netBackendNetwork=VM Network | The name of the vSphere Network for the Access Point backend network. |
| | routes0 | 2.7.2+ | routes0=192.168.1.0/24 192.168.0.1,192.168.2.0/24 192.168.0.2 | List of static routes for NIC0. Comma separated list of static routes in the form of: network in CIDR format followed by a space followed by the gateway IP address. A network with addresses 192.168.1.0 to 192.168.1.255 and a subnet mask of 255.255.255.0 is represented in CIDR format as 192.168.1.0/24. |
| | routes1 | 2.7.2+ | | List of static routes for NIC1. |
| | routes2 | 2.7.2+ | | List of static routes for NIC2. |
| | sessionTimeout | 2.7.2+ | sessionTimeout=39600000 | Maximum session time in milliseconds allowed for a logged on user. Default is 36000000 (10 hours). User is automatically logged off after this timeout and is required to log in again. |
| | source | | source=C:\Temp\euc-access-point-2.7.2.0-4354291_OVF10.ova | Full path filename of the Access Point .ova virtual machine image. The file can be downloaded from VMware. |
| | syslogUrl | | syslogUrl=syslog://server.example.com:514 | Optional syslog server URL. This allows syslog events to be forwarded to a syslog management server. |
| | target | | target=vi://administrator@vsphere.local:PASSWORD@192.168.0.21/DC1/host/esx1.myco.int or target=vi://administrator@vsphere.local:PASSWORD@192.168.0.21/DC1/host/Cluster1/ | Specifies the vCenter Server information and target ESX host. Refer to the OVF Tool documentation for details of the syntax of target. PASSWORD in upper case is not the actual vCenter password but is a special term used to make OVF Tool prompt the user for the actual vCenter password value. The prompt will appear during execution of the PowerShell script. This avoids the need to store real password values in this .ini file. Note that target must reference a vCenter host or cluster. Deploying direct to a vSphere host is not supported. In this example, 192.168.0.21 is the IP address of the vCenter host and administrator@vsphere.local is the vCenter administrator username. Note that folder names, host names and cluster names used in the target value are case sensitive. If you are unsure of the value to use for target, you can omit folder names etc. and OVF Tool will then provide a list of possible values for the next level. This allows you to accurately build up the full target specification one level at a time. |
| [Horizon] | authMethods | 2.5+ | authMethods=securid-auth && sp-auth or authMethods=radius-auth && sp-auth or authMethods=radius-auth or authMethods=certificate-auth && sp-auth | Default when not specified is for pass-through authentication. e.g. for RSA SecurID authentication specify: authMethods=securid-auth && sp-auth |
| | blastExternalUrl | | blastExternalUrl=https://ap1.horizon.myco.com:443 | URL used by HTML Access Clients to connect to this Access Point appliance. |
| | matchWindowsUserName | 2.5+ | matchWindowsUserName=true | Forces subsequent username to be the same username as specified for RADIUS or RSA SecurID authentication. |
| | pcoipExternalUrl | | pcoipExternalUrl=10.20.30.40:4172 | URL used by Horizon Clients to connect using PCoIP to this Access Point appliance. This must include a valid IPv4 address. |
| | proxyDestinationUrl | | proxyDestinationUrl=https://cs1.view.myorg.int | URL representing the Horizon backend server such as an individual View Connection Server or a load balanced alias URL representing a group of View Connection Servers. |
| | proxyDestinationUrlThumbprints | | proxyDestinationUrlThumbprints=sha1:3e ef ed c6 86 75 a6 15 ff c8 96 27 5a 4c ee 8e 16 fd 6e d3 | An optional comma separated list of certificate thumbprints of the certificates on each backend View Connection Server. If the Horizon View environment is using trusted CA signed certificates, this setting can be ignored. For self signed or otherwise untrusted certificates enter the thumbprint values preceded by sha1:. |
| | tunnelExternalUrl | | tunnelExternalUrl=https://ap1.horizon.myco.com:443 | URL used by Horizon Clients to connect the secure tunnel to this Access Point appliance. |
| | windowsSSOEnabled | 2.7.2+ | windowsSSOEnabled=true | Used in conjunction with Horizon RADIUS authentication in cases when the RADIUS passcode is the same as the Windows domain user password. This then skips the subsequent domain password prompt to allow single sign-on. |
| [RADIUSAuth] | accountingPort | 2.5+ | accountingPort=1813 | Optional destination UDP port used for sending RADIUS accounting records to the primary RADIUS server. |
| | accountingPort_2 | 2.5+ | | For optional secondary server. |
| | authPort | 2.5+ | authPort=1812 | Destination UDP port used for sending RADIUS authentication requests to the primary and secondary RADIUS server. |
| | authPort_2 | 2.5+ | | For optional secondary server. |
| | authType | 2.5+ | authType=PAP | Specify one of PAP, CHAP, MSCHAPv1, or MSCHAPv2. This must match the configuration of the RADIUS server. |
| | authType_2 | 2.5+ | | For optional secondary server. |
| | hostName | 2.5+ | hostName=192.168.0.100 | Hostname or IP address of the primary RADIUS server. |
| | hostname_2 | 2.5+ | | For optional secondary server. |
| | numAttempts | 2.5+ | numAttempts=5 | The number of times a RADIUS request will be sent if there was no reply. Default is 3 times. |
| | numAttempts_2 | 2.5+ | | For optional secondary server. |
| | radiusDisplayHint | 2.5+ | radiusDisplayHint=XXX Token | radiusDisplayHint is a short string that will be included in the client prompt. In this example, the user prompt will be "Enter your XXX Token username and passcode". |
| | realmPrefix | 2.5+ | realmPrefix=NorthDomain\ | Optional text inserted ahead of the username before it is passed to the RADIUS server. |
| | realmPrefix_2 | 2.5+ | | For optional secondary server. |
| | realmSuffix | 2.5+ | realmSuffix=@north.com | Optional text inserted after the username before it is passed to the RADIUS server. |
| | realmSuffix_2 | 2.5+ | | For optional secondary server. |
| | serverTimeout | 2.5+ | serverTimeout=10 | Timeout in seconds after which a RADIUS request will be resent if there was no reply. Default is 5 seconds. |
| | serverTimeout_2 | 2.5+ | | For optional secondary server. |
| [SSLCert] | pemCerts | | pemCerts=C:\Users\admin\My Certs\mycaservercert.pem | Optional SSL Server certificate filename. This should reference a .PEM format file containing the SSL Server certificate to be deployed onto Access Point. The PEM file should contain the SSL Server certificate and any intermediate and root certificates. If this is omitted, Access Point will generate a self-signed SSL server certificate instead. |
| | pemPrivKey | | pemPrivKey=C:\Users\admin\My Certs\mycacertrsakey.pem | Filename of the .PEM file containing the RSA private key for the SSL server certificate referenced in pemCerts above. If pemCerts is specified, then pemPrivKey must also be specified. |
| [SecurIDAuth] | externalHostName | 2.5+ | externalHostName=192.168.0.10 | Set this to the IPv4 address of Access Point |
| | internalHostName | 2.5+ | internalHostName=192.168.0.10 | Set this to the IPv4 address of Access Point |
| | serverConfigFile | 2.5+ | serverConfigFile=C:\temp\sdconf.rec | Specifies the sdconf.rec file obtained from RSA Authentication Manager Server. |
| [WebReverseProxy] | authCookie | 2.6+ | authCookie=HZN | Cookie value to track authorized requests. |
| | loginRedirectURL | 2.6+ | loginRedirectURL=/SAAS/auth/login?dest=%s | URL to redirect request for user login. |
| | proxyDestinationUrl | 2.6+ | proxyDestinationUrl=https://vidmserver.example.com | URL representing the backend Web server. |
| | proxyDestinationUrlThumbprints | 2.6+ | proxyDestinationUrlThumbprints=sha1:3e ef ed c6 86 75 a6 15 ff c8 96 27 5a 4c ee 8e 16 fd 6e d3 | An optional comma separated list of certificate thumbprints of the certificates on each backend Web Server. If the Web servers are using trusted CA signed certificates, this setting can be ignored. For self signed or otherwise untrusted certificates enter the thumbprint values preceded by sha1: |
| | proxyPattern | 2.6+ | Refer to sample ap10-vidm.ini in the apdeploy ZIP file below. | Specifies the regular expression that matches URIs that should be forwarded to the proxyDestinationUrl. |
| | unSecurePattern | 2.6+ | Refer to sample ap10-vidm.ini in the apdeploy ZIP file below. | Specifies the regular expression that matches URIs that should be forwarded to the proxyDestinationUrl that don't require an authenticated session. |
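
A pre-flight check for the rules stated in the settings descriptions above, run before OVF Tool is invoked. This is an added example, not part of apdeploy.ps1 or any VMware code; the function names are hypothetical, and treating source, target, ds and the three network names as required is an assumption based on the minimal sample .INI.

```powershell
# Added example, not part of apdeploy.ps1. Function names are hypothetical.
function ConvertFrom-ApIni {
    # Parse [Section] / key=value text into nested, case-insensitive hashtables.
    param([Parameter(Mandatory)][string]$Text)
    $ini = @{}
    $section = $null
    foreach ($raw in ($Text -split "`r?`n")) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith('#')) { continue }
        if ($line -match '^\[(.+)\]$') {
            $section = $Matches[1]
            $ini[$section] = @{}
        } elseif ($section -and $line -match '^([^=]+)=(.*)$') {
            $ini[$section][$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    $ini
}

function Test-ApIni {
    # Returns one string per finding; an empty result means every check passed.
    param([Parameter(Mandatory)][hashtable]$Ini)
    # Value of a setting, or $null when the section or key is absent.
    function Get-ApSetting([string]$Section, [string]$Key) {
        if ($Ini.ContainsKey($Section)) { $Ini[$Section][$Key] }
    }
    $problems = @()
    # Assumption: these keys are required because the minimal sample .INI sets them.
    foreach ($key in 'source','target','ds','netInternet','netManagementNetwork','netBackendNetwork') {
        if (-not (Get-ApSetting General $key)) { $problems += "ERROR: [General] $key is not set" }
    }
    $name = Get-ApSetting General name
    if ($null -ne $name -and ($name.Length -lt 1 -or $name.Length -gt 32)) {
        $problems += "ERROR: name must be 1 to 32 characters (got $($name.Length))"
    }
    $option = Get-ApSetting General deploymentOption
    if ($option -and $option -notin 'onenic','twonic','threenic') {
        $problems += "ERROR: deploymentOption '$option' is not onenic, twonic or threenic"
    }
    # The password field of target must be the literal placeholder PASSWORD.
    $target = Get-ApSetting General target
    if ($target) {
        if ($target -match '^vi://(?:(?<userinfo>[^/]*)@)?(?<host>[^/@]+)(?<path>/.*)?$') {
            $userinfo = $Matches['userinfo']
            if ($userinfo -match '^[^:]*:(?<pw>.*)$' -and $Matches['pw'] -cne 'PASSWORD') {
                $problems += 'ERROR: target stores a literal password; use the PASSWORD placeholder'
            }
        } else {
            $problems += 'ERROR: target is not a vi:// locator'
        }
    }
    if ((Get-ApSetting SSLCert pemCerts) -and -not (Get-ApSetting SSLCert pemPrivKey)) {
        $problems += 'ERROR: [SSLCert] pemCerts is set but pemPrivKey is not'
    }
    # Each authentication method needs its own section with its key setting.
    $requires = @{
        'securid-auth'     = 'SecurIDAuth', 'serverConfigFile'
        'radius-auth'      = 'RADIUSAuth', 'hostName'
        'certificate-auth' = 'CertificateAuth', 'pemCerts'
    }
    $methods = Get-ApSetting Horizon authMethods
    if ($methods) {
        foreach ($method in ($methods -split '&&' | ForEach-Object { $_.Trim() })) {
            if (-not $requires.ContainsKey($method)) { continue }
            $needSection, $needKey = $requires[$method]
            if (-not (Get-ApSetting $needSection $needKey)) {
                $problems += "ERROR: authMethods uses $method but [$needSection] $needKey is not set"
            }
        }
    }
    $authType = Get-ApSetting RADIUSAuth authType
    if ($authType -and $authType -notin 'PAP','CHAP','MSCHAPv1','MSCHAPv2') {
        $problems += "ERROR: [RADIUSAuth] authType '$authType' is not PAP, CHAP, MSCHAPv1 or MSCHAPv2"
    }
    # Thumbprints: 'sha1:' followed by 20 hex bytes, comma separated.
    foreach ($proxySection in 'Horizon','WebReverseProxy') {
        $thumbprints = Get-ApSetting $proxySection proxyDestinationUrlThumbprints
        if (-not $thumbprints) { continue }
        foreach ($thumbprint in ($thumbprints -split ',')) {
            if ($thumbprint.Trim() -notmatch '^sha1:\s*([0-9a-f]{2}[ :]?){20}$') {
                $problems += "ERROR: [$proxySection] thumbprint '$($thumbprint.Trim())' is not sha1: plus 20 hex bytes"
            }
        }
    }
    if ((Get-ApSetting General honorCipherOrder) -ne 'true') {
        $problems += 'WARN: honorCipherOrder is not true (recommended for Access Point 2.7.2 and newer)'
    }
    $problems
}

# Constructed sample with deliberate mistakes; the password and addresses are made up.
$sample = @'
[General]
name=AP1
source=C:\APs\euc-access-point-2.7.2.0-4354291_OVF10.ova
target=vi://administrator@vsphere.local:Winter2016@192.168.0.21/Datacenter1/host/esx1.myco.int
ds=Local Disk 1
netInternet=VM Network
netManagementNetwork=VM Network
[Horizon]
proxyDestinationUrl=https://192.168.0.209
authMethods=radius-auth && sp-auth
[SSLCert]
pemCerts=mycaservercert.pem
'@
Test-ApIni (ConvertFrom-ApIni $sample)
```

To check a real file, pass its contents with `Get-Content -Raw ap1.ini` instead of `$sample`.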

 

Managing SSL Server Certificate Files

 

pemCerts and pemPrivKey configuration items in the [SSLCert] section of the .INI file reference the SSL certificates file and the RSA private key file both in PEM format. If you don't specify pemCerts and pemPrivKey, Access Point will instead generate a self-signed SSL server certificate. This self-signed certificate will not be trusted by Horizon Clients and therefore users will receive a warning when connecting via Access Point.


For production environments, it is best to obtain an SSL server certificate for use on each Access Point appliance. If you have the PEM format files for the SSL server certificate (including any intermediate CA certificates and root CA certificate) you can reference the files in the pemCerts and pemPrivKey values as described above.


You may have a certificate file with private key and certificate trust chain all in one PKCS#12 format file with either a .p12 or .pfx file extension. To use this file with Access Point you must first convert the PKCS#12 format file into the two PEM format files. You can do this with openssl by running the following example openssl commands which start with a PKCS#12 file called mycaservercert.pfx.


openssl pkcs12 -in mycaservercert.pfx -nokeys -out mycaservercert.pem

openssl pkcs12 -in mycaservercert.pfx -nodes -nocerts -out mycaservercertkey.pem

openssl rsa -in mycaservercertkey.pem -check -out mycaservercertkeyrsa.pem


Edit mycaservercert.pem and remove any unnecessary certificate entries. It should contain the one SSL server certificate followed by any necessary intermediate CA certificates and root CA certificate.


In the .INI file, add the following lines.


[SSLCert]

pemCerts=mycaservercert.pem

pemPrivKey=mycaservercertkeyrsa.pem


When the script is run, these certificates and private key will be automatically deployed to the new Access Point appliance. The private key PEM file should be deleted from the Windows machine once Access Point has been deployed.

 

If you find that the deployment of Access Point works when you don't specify the PEM files (i.e. for Access Point to use a self-signed SSL server certificate) but fails when you supply your own certificate as described above, then follow these steps. It could be caused by a missing intermediate or root certificate in your specified PEM file.

 

  • Log into the console of Access Point as user root and enter the root password you chose when you ran the apdeploy.ps1 script.
  • Using an editor such as vi, look at the log file /opt/vmware/gateway/logs/admin.log
  • If you see entries saying "Unable to build the certification path" and "No issuer certificate for certificate in certification path found" it means that you have missing intermediate or root certificate entries in the PEM file specified for pemCerts.

 

[Screenshot: ap-missing intermediate cert.png]

 

  • To correct this, you must make sure that any required intermediate certificates and/or root certificate are present in the PEM file and then re-run the apdeploy.ps1 script.

 

Troubleshooting Deployment Problems


1. I get a security warning about running scripts downloaded from the Internet

 

Verify that the PowerShell script is the script you intend to run, and then from the PowerShell console, run the command:

 

unblock-file .\apdeploy.ps1


2. I get an error saying "ovftool command not found".

 

Make sure you have installed the OVF Tool software on your Windows machine and that it is installed in the location expected by the script. OVF Tool Download.

 

3. I get an error saying "Invalid Network in property netmask1"

 

The message may state netmask0, netmask1 or netmask2. Check that a value has been set in the .INI file for each of the three networks (netInternet, netManagementNetwork and netBackendNetwork). Also check that a vSphere Network Protocol Profile has been associated with every referenced network name. This specifies network settings such as IPv4 subnet mask, gateway etc., so make sure the associated Network Protocol Profile has correct values for each of the settings.


4. I get a warning message about the operating system identifier being not supported (id: 85)


The full message is: The specified operating system identifier 'SUSE Linux Enterprise Server 12.0 64bit' (id:85) is not supported on the selected host. It will be mapped to the following OS identifier: 'Other Linux (64-bit)'.

This can be ignored. It is mapped to a supported operating system automatically.


5. How do I configure Access Point for RSA SecurID authentication?


Add the following two lines to the [Horizon] section of your .ini file:


authMethods=securid-auth && sp-auth

matchWindowsUserName=true


Add a new section at the bottom of your .ini file containing:


[SecurIDAuth]

serverConfigFile=C:\temp\sdconf.rec

externalHostName=192.168.0.90

internalHostName=192.168.0.90

 

The IP addresses should both be set to the IP address of Access Point. The sdconf.rec file is obtained from RSA Authentication Manager (RSA-AM) which should be fully configured according to RSA documentation.

 

Make sure you are using Access Point 2.5 or newer and that the RSA-AM server is accessible on the network from Access Point.

 

If there is a firewall between Access Point and your RSA Authentication Manager server, make sure it isn't blocking the communication. This is normally UDP 5500 from AP to RSA-AM and the reply traffic.

 

Rerun the apdeploy PowerShell command to redeploy your Access Point configured for RSA SecurID. Refer to VMware Access Point RSA SecurID Authentication Setup Video for a full step-by-step description of this setup.

 

Note that when RSA SecurID is configured in the .INI file, then after deployment when Access Point first starts up, it performs a check against RSA-AM. If RSA-AM is not available or if a firewall is blocking communication, this startup will fail.

 

If you need to redeploy Access Point with the PowerShell command when it was previously configured for RSA SecurID, then you must first "clear node secret" on RSA-AM so that trust can be re-established.

 

6. How do I configure Access Point for RADIUS authentication?


Add the following two lines to the [Horizon] section of your .ini file:


authMethods=radius-auth && sp-auth

matchWindowsUserName=true


Add a new section at the bottom of your .ini file containing:


[RADIUSAuth]

hostName=192.168.0.100

authType=PAP

authPort=1812

radiusDisplayHint=XXX Token

 

For more information on these and other settings, refer to the sample ap4-radius.ini file in the latest apdeploy ZIP file below. Also refer to the [RADIUSAuth] descriptions in the table above.

 

Make sure you are using Access Point 2.5 or newer and that the RADIUS server is accessible on the network from Access Point.

 

If there is a firewall between Access Point and your RADIUS server, make sure it isn't blocking the communication. This is normally UDP 1812 from Access Point to the RADIUS server and the reply traffic.

 

Rerun the apdeploy PowerShell command to redeploy your Access Point configured for RADIUS.

 

Note that when RADIUS is configured in the .INI file, Access Point performs a check against the configured RADIUS server when it first starts up after deployment. If the server is not available or if a firewall is blocking communication, this startup will fail.

 

7. How do I configure Access Point for Client Device certificate authentication?


Add the following line to the [Horizon] section of your .ini file:


authMethods=certificate-auth && sp-auth

 

Add a new section at the bottom of your .ini file containing:


[CertificateAuth]

pemCerts=C:\Users\Administrator\Documents\SSL\CA Certs\north-ca-256.cer

 

The .cer file is the public certificate authority (CA) certificate that was used to issue required client device certificates.

 

A client device certificate must be installed in the user or computer certificate store on the system where the Windows Horizon Client is installed. This proves the identity of the client computer. Unless the client supplies a valid certificate issued by this CA, Access Point will reject the connection with an error as shown below.

 

NoCertError.png

Client devices that do supply a valid certificate will get the normal user authentication prompt.

 

This feature is typically used to ensure that only Windows domain joined client computers can connect to desktops and applications via Access Point. The client device certificates can be managed automatically as part of a Windows client machine enrolment policy.

 

For the Cryptographic Service Provider (CSP) specified in the certificate issuing template, use the "Microsoft Enhanced RSA and AES Cryptographic Provider". This supports SHA256 certificates and TLS 1.2. SHA1 is generally now considered too weak for authentication purposes so you should use SHA256.

 

CSPSelection.png

 

For Windows to be able to use the certificate for client authentication purposes, the user on the client computer must have read access to the certificate private key. It is not necessary or desirable to make the private key exportable.
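A read-only check for the client side of these requirements, to run on the Windows client. It is an added example, not part of apdeploy or the Horizon Client: the function name Get-ApClientCertCandidate is hypothetical, the issuer is compared by name only, and HasPrivateKey shows that a key is associated with the certificate, not that the current user can read it.

```powershell
function Get-ApClientCertCandidate {
    param(
        [Parameter(Mandatory = $true)][string]$CaCertPath,   # the same CA file that pemCerts points to
        [string[]]$Store = @('Cert:\CurrentUser\My', 'Cert:\LocalMachine\My')
    )
    $ca  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CaCertPath
    $now = Get-Date
    foreach ($path in $Store) {
        foreach ($cert in @(Get-ChildItem -Path $path)) {
            # Name match only; Access Point performs the real chain validation.
            if ($cert.Issuer -ne $ca.Subject) { continue }

            # Extended Key Usage extension (OID 2.5.29.37); when absent, purpose is unrestricted.
            $eku    = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
            $usages = @()
            if ($eku) { $usages = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

            $problems = @()
            $alg = $cert.SignatureAlgorithm.FriendlyName
            if ($alg -match '^(sha1|md5)') { $problems += "signed with $alg, weaker than the SHA256 recommended here" }
            if (-not $cert.HasPrivateKey) { $problems += 'no private key associated in this store' }
            if ($eku -and $usages -notcontains '1.3.6.1.5.5.7.3.2') {
                $problems += 'EKU does not include Client Authentication'
            }
            if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) { $problems += 'outside its validity period' }

            [pscustomobject]@{
                Store      = $path
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                Usable     = ($problems.Count -eq 0)
                Problems   = $problems -join '; '
            }
        }
    }
}

# Path taken from the [CertificateAuth] example above; point it at your own CA file.
Get-ApClientCertCandidate -CaCertPath 'C:\Users\Administrator\Documents\SSL\CA Certs\north-ca-256.cer' |
    Format-List
```

No output means neither store holds a certificate issued by that CA, which is the case in which Access Point rejects the connection.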

 

 

 

 

8. I get an error saying "Locator does not refer to an object"

 

This means that the target= value (used by vSphere OVF Tool) is not correct for your vCenter environment. Refer to the table above for examples of the target format used to refer to a vCenter host or cluster. If you are not sure of the names to use, you can start with the top level object, e.g. by specifying:

 

target=vi://administrator@vsphere.local:PASSWORD@192.168.0.21/

 

This will then show a list of possible names to use at the next level. You can then expand it, one level at a time based on this list.

 

target=vi://administrator@vsphere.local:PASSWORD@192.168.0.21/Datacenter1/

target=vi://administrator@vsphere.local:PASSWORD@192.168.0.21/Datacenter1/host

target=vi://administrator@vsphere.local:PASSWORD@192.168.0.21/Datacenter1/host/Cluster1/

or

target=vi://administrator@vsphere.local:PASSWORD@192.168.0.21/Datacenter1/host/esxhost1

 

Note that folder names, host names and cluster names used in the target value are case sensitive.
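The .ini settings from questions 6, 7 and 8 can be checked for consistency before rerunning apdeploy. The following is an added example, not part of the apdeploy script: the function names are hypothetical, the sample .ini (including its [General] section and password) is constructed, and treating the keys shown in this FAQ as required is an assumption.

```powershell
function Read-ApIni {
    param([string[]]$Lines)
    $ini = @{}; $section = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*\[(.+)\]\s*$') { $section = $Matches[1]; $ini[$section] = @{} }
        elseif ($section -and $line -match '^\s*([^#;=\s][^=]*)=(.*)$') { $ini[$section][$Matches[1].Trim()] = $Matches[2].Trim() }
    }
    $ini
}

function Test-ApAuthIni {
    param([hashtable]$Ini)
    # Added example. Assumption: each auth method needs the section and keys this FAQ shows for it.
    $needs = @{ 'radius-auth'      = @{ Section = 'RADIUSAuth';      Required = @('hostName', 'authType', 'authPort') }
                'certificate-auth' = @{ Section = 'CertificateAuth'; Required = @('pemCerts') } }
    $horizon = $Ini['Horizon']; if (-not $horizon) { $horizon = @{} }
    $methods = @("$($horizon['authMethods'])" -split '\s*&&\s*')
    $findings = @()
    foreach ($m in $needs.Keys) {
        $s = $needs[$m].Section; $has = $Ini.ContainsKey($s); $listed = $methods -contains $m
        if ($listed -and -not $has) { $findings += "authMethods lists $m but [$s] is missing" }
        if ($has -and -not $listed) { $findings += "[$s] exists but authMethods does not list $m" }
        foreach ($k in $needs[$m].Required) {
            if ($has -and $listed -and -not $Ini[$s][$k]) { $findings += "[$s] has no value for $k" }
        }
    }
    if ($methods -contains 'radius-auth' -and $horizon['matchWindowsUserName'] -ne 'true') {
        $findings += '[Horizon] matchWindowsUserName is not true, which this FAQ sets with radius-auth'
    }
    foreach ($s in $Ini.Keys) {
        # A password other than the FAQ's PASSWORD placeholder is a real secret stored in the file.
        if ($Ini[$s]['target'] -cmatch '^vi://[^:/]+:(?!PASSWORD@)[^@/]+@') {
            $findings += "[$s] target embeds a password; restrict who can read the .ini"
        }
    }
    $findings
}

# Constructed sample: radius-auth is listed, but authPort and matchWindowsUserName are missing.
$sample = @'
[General]
target=vi://administrator@vsphere.local:Example-Pw1@192.168.0.21/Datacenter1/host/esxhost1
[Horizon]
authMethods=radius-auth && sp-auth
[RADIUSAuth]
hostName=192.168.0.100
authType=PAP
'@ -split '\r?\n'
Test-ApAuthIni (Read-ApIni $sample)
```

To check a real file, pass `Get-Content` of the .ini to Read-ApIni instead of the sample.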

 

 

 

 

 

 

 

If you have any questions about this PowerShell script leave a comment below. For any questions on Access Point itself, post a message on the discussion section of the Horizon community forum.

Datastore report with VI servers



Hi Team,

 

I would like to generate a report with the datastore details (Capacity, Used, Free space) along with the VI servers.

 

Can you please help me with it?

 

Regards

Arvin Kumar

vCenter 5.5 Update Manager Failed to Install


I updated my vCenter Server (the latest 4180647) and the update manager fails to install.  Any idea what's going on?

 

I'm currently running update manager 5.5.0.21331.

 

I thought about letting it delete the old database to see if that would do anything.  Not sure if I need the old info or not.

CaptureVCError.JPG

Horizon 7.0.1 Certificate not valid - Browser OK


Hi all

 

Short question: We have a Horizon View 7.0.1 environment with 2 connection servers. Today I replaced the self-signed certs with our wildcard certificates. In the browser (https://horizon.company.com) everything's OK and green. But each of the two connection servers is showing a red flag - "Invalid". Do you have any inputs on this? I never had this issue before in other environments.

 

Regards

Solero

VCSA 6.5 - HTML5 Client updates?


Hi,

 

In "What's new in 6.5" it is written exactly: "VMware might also periodically update the vSphere Client outside of the normal vCenter Server release cycle. To ensure that customers can keep current, the vSphere Client can be updated without disruption to the rest of vCenter Server."


So my question is: where do I check for those updates? In the Update section of Appliance Management on port :5480?


Thanks

Requests Failing After 7.0.1 Upgrade with Event Broker Timeout


Hello,

 

Ever since we upgraded from vRA 7.0 to 7.0.1 our requests are failing. VMware support has spent a few weeks working with us without any progress. I thought I would post here in case anyone has any ideas on things to check or has seen this before.

 

I think we have isolated this problem to a communication issue between the Event Broker Service and the Manager Service. As per this post, Event Broker Service Timeout, we have confirmed that if we turn off the event broker service our requests go through. Also per that article, we have verified that the IaaS components all have the proper certificates and chain (we are using internally signed Microsoft CA certificates). We use event broker subscriptions, so it is not an option to keep the service disabled as a workaround.

 

To summarize the problem, we fire off a catalog request and it just stays stuck in requested state for hours. We receive the error "Timed out waiting for event broker response". Eventually it fails. To expedite the failures we have increased the event broker service timeout to 5 minutes instead of the default 30 minutes. Here is what we are seeing in the logs.

 

From the VAMI logs:

 

EBSFailure.jpg

 

From the catalina.out logs on the appliance:

 

2016-06-08 12:54:21,527 vcac: [component="cafe:advanced-designer" priority="ERROR" thread="serviceSubscribeAmqpTaskExecutor-38542" tenant="" context="8gGhr7z8" token="LPsW1gb7"] com.vmware.vcac.core.service.event.AmqpServerSubscribeService.handleMessage:254 - Error when handle messasge for subscription 'com.vmware.csp.iaas.blueprint.service.machine.lifecycle.provision-b-vRO_proxy' with headers '{ebs.targetId=83662e2b-a3d5-4f03-8b1c-d17e3186b6d3, content-length=1985, ebs.eventId=cae1e7d0-2db2-11e6-d735-4feb01c67056, ebs.tenantId=DEPT01, trace-id=8gGhr7z8, ebs.topic.blockable=true, ebs.correlationId=40440602-bf9b-4e05-9d4d-987cb7081057, ebs.eventTopicId=com.vmware.csp.iaas.blueprint.service.machine.lifecycle.provision, id=7cfa40aa-9efe-7169-613c-718ee55819af, ebs.targetType=machine, ebs.eventType=event, timestamp=1465415661464}'. Cause '403 Forbidden'
2016-06-08 12:54:21,986 vcac: [component="cafe:advanced-designer" priority="ERROR" thread="queue-pool-executer-1" tenant="" context="8gGhr7z8" token="Uxgp3pDO"] com.vmware.vcac.platform.service.integration.ErrorRequestListenerActivator.onErrorMessageRequest:43 - Failed message with id [7cfa40aa-9efe-7169-613c-718ee55819af] accepted for error processing.
Error Message: [403 Forbidden].
Message: [GenericMessage [payload=byte[1985], headers={content-length=1985, ebs.eventId=cae1e7d0-2db2-11e6-d735-4feb01c67056, ebs.correlationId=40440602-bf9b-4e05-9d4d-987cb7081057, ebs.targetType=machine, ebs.targetId=83662e2b-a3d5-4f03-8b1c-d17e3186b6d3, ebs.tenantId=DEPT01, trace-id=8gGhr7z8, ebs.topic.blockable=true, ebs.eventTopicId=com.vmware.csp.iaas.blueprint.service.machine.lifecycle.provision, id=7cfa40aa-9efe-7169-613c-718ee55819af, ebs.eventType=event, timestamp=1465415661464}]]
org.springframework.web.client.HttpClientErrorException: 403 Forbidden
        at org.springframework.web.client.DefaultResponseErrorHandler.handleError(DefaultResponseErrorHandler.java:91) ~[spring-web-4.2.4.RELEASE.jar:4.2.4.RELEASE]
        at com.vmware.vcac.platform.rest.client.error.ResponseErrorHandler.handleError(ResponseErrorHandler.java:61) ~[platform-rest-client-7.0.1-SNAPSHOT.jar:?]
        at org.springframework.web.client.RestTemplate.handleResponse(RestTemplate.java:641) ~[spring-web-4.2.4.RELEASE.jar:4.2.4.RELEASE]
        at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:597) ~[spring-web-4.2.4.RELEASE.jar:4.2.4.RELEASE]
        at org.springframework.web.client.RestTemplate.execute(RestTemplate.java:557) ~[spring-web-4.2.4.RELEASE.jar:4.2.4.RELEASE]
        at org.springframework.web.client.RestTemplate.put(RestTemplate.java:409) ~[spring-web-4.2.4.RELEASE.jar:4.2.4.RELEASE]
        at com.vmware.vcac.platform.rest.client.impl.RestClientImpl.put(RestClientImpl.java:445) ~[platform-rest-client-7.0.1-SNAPSHOT.jar:?]
        at com.vmware.vcac.platform.rest.client.services.AbstractService.put(AbstractService.java:157) ~[platform-rest-client-7.0.1-SNAPSHOT.jar:?]
        at com.vmware.vcac.core.event.broker.rest.client.service.EventService.publishReplyEvent(EventService.java:53) ~[event-broker-client-rest-service-7.0.1-SNAPSHOT.jar:?]
        at com.vmware.vcac.workflow.event.service.impl.ReplyEventSenderImpl.publishReplyEvent(ReplyEventSenderImpl.java:110) ~[classes/:?]
        at com.vmware.vcac.workflow.event.service.impl.ReplyEventSenderImpl.sendUnblockEventPropagationSignal(ReplyEventSenderImpl.java:46) ~[classes/:?]
        at com.vmware.vcac.workflow.event.service.impl.SubscribeWorkflowServiceImpl$WorkflowSubscriptionEventListener.onEvent(SubscribeWorkflowServiceImpl.java:248) ~[classes/:?]
        at com.vmware.vcac.workflow.event.service.impl.SubscribeWorkflowServiceImpl$WorkflowSubscriptionEventListener.onEvent(SubscribeWorkflowServiceImpl.java:190) ~[classes/:?]
        at com.vmware.vcac.core.service.event.AmqpServerSubscribeService$AmqpServerSubscribeMessageHandler.handleMessage(AmqpServerSubscribeService.java:251) ~[service-registry-config-7.0.1-SNAPSHOT.jar:?]
        at org.springframework.integration.endpoint.PollingConsumer.handleMessage(PollingConsumer.java:103) [spring-integration-core-4.2.0.RELEASE.jar:?]
        at org.springframework.integration.endpoint.AbstractPollingEndpoint.doPoll(AbstractPollingEndpoint.java:251) [spring-integration-core-4.2.0.RELEASE.jar:?]
        at org.springframework.integration.endpoint.AbstractPollingEndpoint.access$000(AbstractPollingEndpoint.java:57) [spring-integration-core-4.2.0.RELEASE.jar:?]
        at org.springframework.integration.endpoint.AbstractPollingEndpoint$1.call(AbstractPollingEndpoint.java:176) [spring-integration-core-4.2.0.RELEASE.jar:?]
        at org.springframework.integration.endpoint.AbstractPollingEndpoint$1.call(AbstractPollingEndpoint.java:173) [spring-integration-core-4.2.0.RELEASE.jar:?]
        at org.springframework.integration.endpoint.AbstractPollingEndpoint$Poller$1.run(AbstractPollingEndpoint.java:330) [spring-integration-core-4.2.0.RELEASE.jar:?]
        at org.springframework.integration.util.ErrorHandlingTaskExecutor$1.run(ErrorHandlingTaskExecutor.java:55) [spring-integration-core-4.2.0.RELEASE.jar:?]
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [?:1.8.0_72]
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [?:1.8.0_72]
        at java.lang.Thread.run(Thread.java:745) [?:1.8.0_72]

 

At this point we are all out of ideas...

 

Regards,

Darrenoid

unknown configuration issue ESXi 6 host


Performed a fresh installation of ESXi 6.0.0, 2809209 using the HP media on HP DL360 G9 hosts.  One of the hosts will intermittently show the yellow alert triangle and report a configuration issue from the summary tab, but there is no further information.  The unknown configuration issue self clears after a few minutes and returns intermittently.  Is there a way to determine what could be causing this issue to appear?  The host has been patched to current with all available HP and ESX patches.

Capture.JPG


vROPS Licensing


Looking to get some basic information on how licensing actually works.  We're monitoring hosts, datastores, VMs, etc, but it looks like ONLY VMs are taking up a license.  Is this correct?  Also, are powered-off VMs using up licenses, and if so can I make it NOT do this?

VMware Workstation 12 Pro does not work with Fedora 23.


Please provide a patch of VMware workstation 12 pro for Fedora 23.

VMWare Unrecoverable Error (VCPU-3)


Hello,

 

My Windows 7 Pro SP1 guest is crashing randomly with Workstation 10.0.4. The host is an HP Z420 Workstation with 32GB of RAM and Windows 7 Pro SP1 too.

 

The error is this: NOT_IMPLEMENTED d:/build/ob//bora-2249910/bora/vmcore/vmx/main/physMem.c:2877.

 

In the guest Event log I can only see that the OS doesn't shut down clean but nothing else that points to the real cause.

 

Does anybody know how to fix this?

 

Thank you,

 

Sebastian M.

workstation 12 has no unity mode for linux hosts or guests


It's in the release notes:

"The following features have reached end of life in Workstation 12 Pro and have been removed:

  • Unity mode on Linux guest and host operating systems "

This is a terrible decision and will keep me from buying the upgrade. I use linux to host windows guests in unity mode and very much want this feature.


Thanks,

Matthew

AppVolumes inside a DR environment


Hi All,

 

Was wondering if someone could help me out with an issue we have inside AppVols while running a DR test.

 

We run production against virtual center A, but in DR, we switch to virtual center B. We already have both A and B defined as machine managers inside AppVolumes, but when DR is invoked, A VC is removed. We set up the storage and re-scan, after which the disks are replicated to the DR storage. (We do not have XtremIO replication...instead we have a VNX R/O pool that AppVolumes uses as a replicate and then we suck that into the XIO at DR) This all works absolutely fine and is expected behavior.

 

However, once I see the volumes inside AppVolumes at DR, there are no assignments against any AppStacks and we have to manually add the permissions back in, which is a labor intensive task and prone to mistakes. Is there another way we can apply the permissions, via SQL perhaps, or do I need to review the whole DR procedure in order to work as it would inside production?

 

Thanks
