Think IPM

Thursday, January 31, 2013

Minimum XenDesktop / PVS account access into vSphere needed.

If you are looking to lock down your XenDesktop/PVS service account’s access into the vSphere environment, you need to read Jarian Gibson’s post: http://jariangibson.com/2010/12/21/using-xendesktop-5-with-vmware/

He details all the rights necessary along with the discrepancies between vSphere and Citrix’s eDoc terminology.  Really useful stuff and invaluable for getting things working correctly in a locked-down environment.  After reading through his post, though, if you just need a cut-and-paste list of rights for your vSphere team to implement, here you go.

Custom vSphere Role for XenDesktop/PVS & XenDesktop Setup Wizards
Create a role in vCenter with the following permissions:

  • Datastore Permissions
    • Allocate space
    • Browse datastore
    • Low level file operations
  • Network Permissions
    • Assign network
  • Resource Permissions
    • Assign virtual machine to resource pool
  • System Permissions
    These permissions are automatically added when you create a role in vCenter.
    • Anonymous
    • Read
    • View
  • Task Permissions
    • Create Task
  • Virtual Machine/Configuration Permissions
    • Add existing disk
    • Add new disk
    • Change CPU count
    • Change resource
    • Memory
    • Remove disk
  • Virtual Machine/Interaction
    • Power Off
    • Power On
    • Reset
    • Suspend
  • Virtual Machine/Inventory
    • Create New
    • Create from existing
    • Remove
    • Register
  • Virtual Machine/Provisioning
    • Clone virtual machine
    • Allow disk access
    • Allow virtual machine download
    • Allow virtual machine files upload
  • Virtual Machine/State
    • Create snapshot
    • Revert to snapshot
  • Global
    • Manage custom attributes
    • Set custom attribute
  • Virtual Machine/Provisioning
    • Clone Template
    • Deploy Template

These rights have been vetted with Citrix XenDesktop 5.6, Citrix Provisioning Server 6.1 and vSphere 4.1 & 5.
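The list above can be turned into an actual vCenter role with VMware PowerCLI. The script below is an added example, not code from the original post or from Jarian Gibson’s write-up. The privilege IDs are my own mapping of the display names in the list (the GUI labels do not always match the IDs, so every ID is resolved with Get-VIPrivilege and the script stops if one is unknown rather than creating a role that silently lacks a right); the vCenter hostname, role name, cluster name and service account are placeholders.

```powershell
# Added example (not from the original post): builds the custom vCenter role for the
# XenDesktop/PVS service account with PowerCLI. Privilege IDs are my mapping of the
# display names in the post; confirm them with Get-VIPrivilege on your vCenter.
Connect-VIServer -Server 'vcenter.example.local'   # placeholder hostname

$privilegeIds = @(
    # Datastore
    'Datastore.AllocateSpace', 'Datastore.Browse', 'Datastore.FileManagement',
    # Network
    'Network.Assign',
    # Resource
    'Resource.AssignVMToPool',
    # System (added automatically to every role; listed for completeness)
    'System.Anonymous', 'System.Read', 'System.View',
    # Task
    'Task.Create',
    # Virtual Machine / Configuration
    'VirtualMachine.Config.AddExistingDisk', 'VirtualMachine.Config.AddNewDisk',
    'VirtualMachine.Config.CPUCount',        'VirtualMachine.Config.Resource',
    'VirtualMachine.Config.Memory',          'VirtualMachine.Config.RemoveDisk',
    # Virtual Machine / Interaction
    'VirtualMachine.Interact.PowerOff', 'VirtualMachine.Interact.PowerOn',
    'VirtualMachine.Interact.Reset',    'VirtualMachine.Interact.Suspend',
    # Virtual Machine / Inventory
    'VirtualMachine.Inventory.Create', 'VirtualMachine.Inventory.CreateFromExisting',
    'VirtualMachine.Inventory.Delete', 'VirtualMachine.Inventory.Register',
    # Virtual Machine / Provisioning
    'VirtualMachine.Provisioning.Clone',         'VirtualMachine.Provisioning.DiskRandomAccess',
    'VirtualMachine.Provisioning.GetVmFiles',    'VirtualMachine.Provisioning.PutVmFiles',
    'VirtualMachine.Provisioning.CloneTemplate', 'VirtualMachine.Provisioning.DeployTemplate',
    # Virtual Machine / State
    'VirtualMachine.State.CreateSnapshot', 'VirtualMachine.State.RevertToSnapshot',
    # Global
    'Global.ManageCustomFields', 'Global.SetCustomField'
)

# Resolve every ID up front; a privilege that does not exist on this vCenter version
# should abort the run, not produce a role that is quietly missing a right.
$privileges = foreach ($id in $privilegeIds) {
    $p = Get-VIPrivilege -Id $id -ErrorAction SilentlyContinue
    if (-not $p) { throw "Privilege '$id' not found; check the mapping against Get-VIPrivilege" }
    $p
}

$roleName = 'XenDesktop-PVS-Provisioning'        # placeholder role name
$role = Get-VIRole -Name $roleName -ErrorAction SilentlyContinue
if ($role) {
    # Role already exists: add any privileges it is missing, leave the rest alone.
    Set-VIRole -Role $role -AddPrivilege $privileges | Out-Null
} else {
    $role = New-VIRole -Name $roleName -Privilege $privileges
}

# Grant the role to the service account at the cluster (or folder) that holds the
# desktop pools, with propagation, rather than at the vCenter root.
$entity = Get-Cluster -Name 'XD-Cluster'          # placeholder cluster name
New-VIPermission -Entity $entity -Principal 'DOMAIN\svc_xendesktop' -Role $role -Propagate:$true | Out-Null

# Verification: show any drift between the intended list and what the role really holds.
$actual = (Get-VIPrivilege -Role $role).Id
Compare-Object -ReferenceObject $privilegeIds -DifferenceObject $actual
```

The Compare-Object at the end is the part worth keeping in a change record: an empty result means the role contains exactly the privileges in the post, and any `=>` lines are extras that someone has added since.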

Tuesday, January 29, 2013

Patching and Antivirus : Technology Doppelgangers?

As I am sitting here thinking about Windows Patching, it strikes me that there are some real parallel threads among patching and Antivirus.

They both seem to be a necessary evil.  AntiVirus software is notorious for wrecking applications.  Support always has a sneaky suspicion that your Antivirus program is actively working against your business applications but you are obligated to run it.  On the flip side, patching applications might just break them.  It's a gamble.  Fix one thing, break two more.  You just can't be sure without properly testing.

Antivirus programs are mini patch managers.  There probably is no better example of a program that needs almost constant updating and patching than an Antivirus program.  Those definition files come out at a furious pace sometimes.  Centralized patching and Antivirus definitions are critical to not bringing your network to a crawl during peak times.

Both Antivirus and Patching strategies have a security angle.  They actually work hand in hand.  One knocking down threats that probe and attack and the other closing holes and reducing attack surfaces for threats that are already there.

With all these similar and synergistic qualities, do you see Antivirus components and patch management a part of an overarching security strategy or separate and distinct solutions?  With separate and distinct ownership and roles in the environment?


Originally published on http://thwack.solarwinds.com/thread/53912 – Please direct any comments there.
Monday, January 28, 2013

VNXe Software Update 2.4.0.20932

If you haven’t logged into your VNXe Unisphere recently, you may have missed the newest software version released this month. (2.4.0.20932)

vStrong has the full release notes here:
http://www.vstrong.info/2013/01/11/emc-vnxe-series-version-2-4-0-20932/

If you are running VMware with NFS datastores, this release might be of interest to you.

  • Writable snapshots for VMware NFS-based datastores
  • VMware SRM support

Assuming you have a current support contract with EMC and you decide to do the upgrade, you can go to support.emc.com and open a Live Chat session to request that EMC do the upgrade.  They have an arm of their Support Division that will perform remote upgrades.  You provide them the maintenance window and they Webex in and execute.  You can also do VNXe upgrades by yourself but really there is little benefit and if something were to go awry, you would have no air support.  I like to recommend having the EMC Remote Upgrade team do it for this reason.

Friday, January 25, 2013

Don’t trust the Internets… Not all of them at least.

(Screenshot of processchecker.com’s page for CITRIX.exe)
Source: http://processchecker.com/file/CITRIX.exe.html

Sure, you can probably find plenty of Thin Client users that will claim Citrix is a virus, but I expect much more of you, Internet!

Wednesday, January 23, 2013

Why do we Bother patching systems?

So there are a bunch of reasons people patch their systems.  In fact, there are probably more reasons people patch systems than why they wouldn't. (although there are some valid reasons NOT to patch things IMHO)
So why do you patch your systems?   Seems like a pretty easy question except that the answers can be pretty varied and there is usually a bit of overlap.
Security? People patch all the time for security.  Unpatched systems are just WAITING to be infected or exploited. No?
Application fixes?  Stuff gets borked. ;) Vendors push out patches continuously to fix things that should have never made it out of beta testing.
Support compliance? If you are having any issue and call support, after pressing 1 for English, you are almost immediately directed to update to the latest hotfixes and patches for the particular product.  'Licensing issues?  Patch and then we'll talk.'  It can be almost comical at times.
Because? Some people just do it because they were told to.
Personally, since I deal primarily with new systems as a consultant, I patch for Application Fixes and Support Compliance.  Keeping your systems secure usually falls under someone else (Namely the client).   I rely on Firewall, Security, even Network guys to keep the Internet baddies out of my projects.
Oh and don't worry if you are silently thinking Because as your reason.  That accounts for about 99% of the time I click Windows Update on my personal laptop.

Originally published on http://thwack.solarwinds.com/thread/53760 – Please direct any comments there.
Monday, January 21, 2013

Choosing to work with consultants …

I'm a consultant. I work for a pretty established consulting firm. That's my perspective. Recently though, I've been getting some real world experience on how tough it must be for a company or individual to hire a consulting company to work with.

You see, I am in the midst of remodeling my kitchen. It's now time to purchase cabinets and the process has been extremely challenging. I've noticed some parallels in that industry that mimic mine and it's helping me understand the process a bit more.  Mind you, it is not helping me make the decision, just helping me understand why I am struggling with it so much.

For starters, the solutions are complicated.  With a ton of options out there and many different configurations, putting them all together is difficult. Whether it's software or cabinetry, you really need someone who has practical experience using and implementing the different components.  Like everything out there, you can do your due diligence on the Internet and research the pros and cons of various things but without real world experience, it's tough to accurately cut through to the truth of a solution.

Designs are presales activities but they are not free.  This is a delicate balancing act that is walked by the vendor. You, as the client, want and need to see as much detail as possible before committing to a project, and the vendor needs to provide enough for a client to be comfortable but not so much that they just go out and purchase it themselves.  Or worse, that they just bring it to a competitor to price out.  The design component is part of the value add that the firm brings to the table.  I can understand and empathize with the protective nature of this process since a vendor doesn't want to see their ideas implemented by others who undercut them on cost and leveraged their presales design experience.

Budgets are often just estimates and starting points.  Since you are working with very complex solutions with seemingly unlimited options and variables, it is very difficult to get a precise true cost.  As the customer, you most likely don't even know all the options until you begin to get into the post-sales design work. The potential lack of exact details in a presales design also contributes to the lack of financial accuracy.   You can get a range that should be close but it really won't be vetted until you start the engagement and are committed to the vendor.  Any number of things can drive costs up or down once you are in the thick of a project.

Choosing a partner is an exercise of trust. You can meet and interview tons of people and definitely get a feel for who you jive with and who is competent but that doesn't necessarily guarantee the best outcome.  It also becomes increasingly hard to fairly compare solution providers apples to apples as the complexity of a solution increases.  You can get referrals, view past work and scour the Internet for praise or belly aches but at the end of the day, you are probably just trusting your gut.

Friday, January 18, 2013

Friday Fun from the EMC Crew

Ran across the EMC Style 2013 video [1] this morning.  Silly and Funny.  Great way to start the weekend!

[1] Might be considered offensive for those with NetApp Arrays.  (or those with a sensitivity to bad dance moves).

Thursday, January 17, 2013

Invalid Backing on a Virtual Machine’s Network adapter.

Have you ever noticed Invalid backing on your Network Adapter in the Virtual Machine Property screen? 
Of course not!  You are an administrator!  …But if you want to see it or are curious what a consultant with limited rights might see, take a look!

(Screenshot: Virtual Machine Properties showing “Invalid backing” on the Network adapter)

Basically, if you see Invalid Backing on your VM and everything (network-wise) is working fine, it’s a permissions issue.  You just don’t have the rights to see the networks configured on the host.  Nothing much to worry about technically.  Politically speaking though, you might want to rethink your strategies… Winking smile

Tuesday, January 15, 2013

Patch Management? I don't care for it but YOU should!

Patch Management! How exciting? Eagerly waiting up till the wee hours of the night on Patch Tuesdays, waiting for Microsoft to release the latest round of security patches and application fixes. I’m sure it’s like Christmas Eve EVERY SINGLE MONTH for Systems Administrators!

As a consultant though, who coincidentally doesn’t really care much for the holidays either (all the hustle and bustle of people shopping and deadlines for purchasing things – Bah, Humbug!), Patch Tuesdays don’t even raise an eyebrow for me. You see, I’m a project-based consultant. I normally enter environments with a specific purpose and specific deliverables. Set up a solution, configure it, test it, document it, train the staff on its operations and then move on to the next project. When I implement a system, it is normally completely patched up with the latest build numbers, versions and security fixes. Honestly, patch management is not even on my radar (or in my scope). Sure, I know it will need to be done eventually, but it most likely will not be done by me… Yeah, maybe I’m a rotten consultant but I think I am much more like a typical consultant on a typical project at a typical client in a typical environment.

I have seen shrinking budgets that have pushed patch management to the bottom of most clients’ priority lists. I think there is a misconception that you can just run Windows Update on your machines and keep them up to date. Of course if you manage 2 machines, go for it! But as you scale up, you DO need a patch management solution to keep your systems up to date and secure. As a consultant implementing solutions for clients, there is a reason that I am using the latest releases with up-to-date hotfixes and security patches. It helps ensure that the solution will not only be its most reliable and stable but also that software vendors will be able to support the solution efficiently.

So I’m curious, when guys like me walk out of the building, are you (the client) putting in patch management solutions, clicking Windows Update every so often or just moving onto the next project (like me)?


Originally published on http://thwack.solarwinds.com/thread/53615 – Please direct any comments there.

Wednesday, January 9, 2013

Hold your horses, Explorer!

By Jacques Bensimon

We’re all familiar in our Remote Desktop Services and XenApp builds with the necessity of using the “Run logon scripts synchronously” policy to ensure that the user environment is properly set up (drive mappings, per-user application tweaks, etc.) before the Explorer desktop or first published application is launched.

(Screenshot: the “Run logon scripts synchronously” policy setting)

This has traditionally worked just fine on all the server platforms used for RDS and XA.  Note that, in those environments, this policy has the desirable effect of waiting not only for traditional logon scripts (legacy and GPO) to finish executing but also for the RDS-specific UsrLogon.cmd (the root “application compatibility script” triggered by the AppInit Registry entry at key “HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AppSetup”) to terminate.

I noticed years ago, without at first paying it too much attention, that Windows XP did not seem to obey this policy, at least during the first user logon after startup, despite the fact that the policy description claimed that it applied to all Windows platforms.  On a private single-user workstation, this did not seem to matter much since drive mappings would become available soon enough, generally before the user had a chance to launch an app (no published applications to worry about here) and most per-user application tweaks had likely already been applied during previous logons and were still present in the user’s local or roaming profile.  However, with the advent of VDI and XenDesktop, along with their various enabling technologies like Citrix Provisioning Services, virtual machine pools (often configured to restart the VM at logoff), all manner of fancy profile strategies (like mandatory profiles supplemented by AppSense Environment Manager or other third-party product), the new XenApp capability of publishing applications that execute on XenDesktop pools, etc., the need to coordinate logon time script activities on workstation platforms during all logons has become much more critical, and the apparent failure of the “Run logon scripts synchronously” policy to have the promised effect much more annoying.

 

For Windows XP (and in theory subsequent workstation platforms), the explanation and solution were provided by KB304970 -- Scripts May Not Run Before Windows Explorer Starts Even Though the "Run Logon Scripts Synchronously" Setting is Enabled.  In short, the additional “Always wait for the network at computer startup and logon” policy must also be enabled in order for the original policy to apply during the first logon after startup.

(Screenshot: the “Always wait for the network at computer startup and logon” policy setting)

So, this also works in Windows 7, right?  Not quite.  Whether by omission or by design, this stopped working in Windows 7 until a hotfix was made available via KB2550944 -- Group Policy logon scripts do not run in Windows 7 or in Windows Server 2008 R2.  Note that the hotfix applies whether or not Service Pack 1 is installed and that it is *not* provided via Windows Update.  Surprisingly, as the KB article’s title indicates, it appears to also be required on Windows Server 2008 R2 – frankly, I hadn’t noticed the issue there (the first user of the day never mentioned anything! :-) ), but I’ll be applying it religiously from now on.
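Because the fix is a chain of three things (both policies enabled, plus the hotfix on Windows 7 / 2008 R2), it is easy to get a gold image half-right. The PowerShell check below is an added example, not Jacques’s code. It assumes that the two policies write the registry values RunLogonScriptSync (under HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System) and SyncForegroundPolicy (under HKLM\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon); confirm those names against the policy templates for your build before relying on the script. It looks for KB2550944 with Get-HotFix because, as the post notes, that hotfix does not arrive through Windows Update.

```powershell
# Added example (not from the original post): reports whether the settings the post
# depends on are present on the local machine. The registry value names are my
# assumption of what the two policies write; verify them in your ADMX templates.
$checks = @(
    @{ Name  = 'Run logon scripts synchronously'
       Path  = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
       Value = 'RunLogonScriptSync' },
    @{ Name  = 'Always wait for the network at computer startup and logon'
       Path  = 'HKLM:\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon'
       Value = 'SyncForegroundPolicy' }
)

$results = @(foreach ($c in $checks) {
    $item = Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue
    $data = if ($item) { $item.($c.Value) } else { $null }
    # Both policies are DWORDs; 1 means enabled, anything else means not enforced.
    [pscustomobject]@{ Check = $c.Name; Ok = ($data -eq 1); Detail = $data }
})

# Windows 7 and Server 2008 R2 share kernel version 6.1; only they need the hotfix.
$os = Get-WmiObject -Class Win32_OperatingSystem
if ($os.Version -like '6.1.*') {
    $hf = Get-HotFix -Id 'KB2550944' -ErrorAction SilentlyContinue
    $results += [pscustomobject]@{ Check = 'Hotfix KB2550944 installed'; Ok = [bool]$hf; Detail = $hf.InstalledOn }
}

# Informational only: AppSetup is the Winlogon entry (quoted in the post) that launches
# UsrLogon.cmd on RDS/XenApp hosts; it is normally absent on plain workstations.
$winlogon = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$appSetup = (Get-ItemProperty -Path $winlogon -Name AppSetup -ErrorAction SilentlyContinue).AppSetup
$results += [pscustomobject]@{
    Check  = 'Winlogon AppSetup entry (informational)'
    Ok     = $true
    Detail = if ($appSetup) { $appSetup } else { '(not set; expected on workstations)' }
}

$results | Format-Table -AutoSize
# Non-zero exit lets a build or compliance job fail the image when a required piece is missing.
if ($results | Where-Object { -not $_.Ok }) { exit 1 }
```

Run it elevated on the image itself (or push it through your configuration-management tool) after the policies have been applied and `gpupdate /force` has completed, since the values it reads are the ones Group Policy writes, not the GPO definitions.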

Windows 8 / Windows Server 2012?  I don’t yet know, but I’m keeping my fingers crossed that the above hotfix found its way into the code.


Later,

J3

Follow Jacques @JacqBens 

Friday, January 4, 2013

Lunch Flow Chart Social Media style.

Just messing around with some mind mapping software (bubbl.us) and came up with this.  These web-driven mind mapping sites are super easy to use to create simple charts.  It was pretty easy to map out everything into a semi-understandable diagram.

(Image: social media lunch flow chart created with bubbl.us)
Clearly I love the internets. Smile
