VMware NSX

Security Update: 8 Advances in End-User Computing from VMware

Employees across enterprise organizations in today&#rsquo;s mobile-cloud world expect simple user experiences to help them be productive. IT often runs into challenges supporting these expectations while keeping their environments secure.

Our team has focused on empowering organizations with an enterprise-secure approach and consumer-simple experience through a digital workspace. Employees can securely access any app, on any device in their own digital workspace provided by VMware Workspace ONE, powered by VMware AirWatch unified endpoint management technology.

Over the course of 2017, we&#rsquo;ve introduced many security capabilities across the Workspace ONE platform, which includes advancements in VMware Horizon 7 and VMware Horizon Cloud. Let&#rsquo;s take a closer look at those security capabilities, as well as existing security integrations and security features that elevate Workspace ONE to the digital workspace platform that organizations can trust.

1. Derived Credentials

Earlier this year, we announced our derived credentials solution as part of Workspace ONE. This was huge news for organizations mandated by certain directives, such as FIPS 201, that require use of smart cards, personal identification verification (PIV) or common access cards (CAC) for access to physical, logical and network resources.

Smart cards, PIV and CAC worked great on desktops and laptops, but the experience on mobile devices was poor and costly because special hardware was needed to read the cards. To help with this issue, the National Institute of Standards and Technology (NIST) updated FIPS 201 in 2013 and the following year released SP 800-157, with guidelines on how to generate and utilize alternative tokens, which they refer to as a derived PIV credentials, also commonly referred to as derived credentials or PIV-D. This helped provide better experience, implementation and deployment on mobile devices accessing physical, logical and network resources.

We released our derived credentials app, called VMware PIV-D Manager, that enables the use of derived credentials with native apps and profiles, VMware apps and third-party AirWatch SDK-enabled apps. PIV-D Manager even integrates with other derived credentials solution providers such as Entrust and Intercede.

2. Boxer S/MIME

VMware Boxer, one of our Workspace ONE productivity apps, is an integrated mobile email, calendar and contacts app that helps increase productivity by giving end users a great user experience. Security was a big focus on our Boxer app this year.

We started by enabling S/MIME support for sending and receiving signed and/or encrypted mail. S/MIME is a standard for public key encryption and signing of MIME (Multipurpose Internet Mail Extensions) data that allows for secure email exchange. Organizations have the option of signing an email for authenticity and/or encrypting email messages for an added layer of security.

3. Boxer Classification Markings

In various regulated industries, such as public sector, healthcare and financial, sensitive emails often need to be specifically marked or classified when they are sent and received. When it comes to email, messages typically get a classification appended in the subject line, top or bottom of the body, etc. For example, an email message should be marked &#rsquo;unclassified&#rdquo; or &#rsquo;secret&#rdquo; depending on the content of the email.

Earlier this year, we announced support for classification markings in the Boxer app, which integrates with the built-in Microsoft Exchange transport rules. This capability also integrates with TITUS, Boldon James and janusNET.

4. Boxer Information Rights Management

In addition to S/MIME and classification marking support, we added full support for information rights management (IRM). IRM is a form of data loss prevention (DLP), which can specify access permissions to email messages, including the ability to restrict copy-paste, restrict email forwarding, enforce email message content expiration and more. As you can tell, we put a lot of emphasis on email security through our Boxer app!

5. AirWatch & NSX Integration

AirWatch and NSX integration was introduced over a year ago, and the amount of customer interest in it hasn&#rsquo;t slowed down since. When apps on mobile devices have access to communicate to any resource in the data center, this represents a challenge for IT as the attack surface within the data center can be large.

The AirWatch and NSX integration aims to solve this problem by limiting each mobile app to only communicate to the server that it needs to talk to, using the tunneling capability in AirWatch and the micro-segmentation capability in NSX. Combining these two technologies vastly reduces the access footprint from the mobile device and the attack surface in the data center.

Organizations, like Vallejo Sanitation and Flood Control District, can raise their security posture from the mobile device to the data center using the AirWatch and NSX integration.This type of integration can also help organizations along their journey towards General Data Protection Regulation (GDPR) compliance, as data in transit utilizes AES-256 bit encryption.

VMworld 2017 Panel Discussion:

“Data Privacy, theGDPR &the Globalization of Compliance”

Add GRC3109PU via VMworld U.S. schedule builder.

AddGRC3109PE via VMworld Europe schedule builder.

6. Horizon & NSX Integration

We know that apps on mobile devices and data center resources can be tunneled and micro-segmented for an extra layer of security. We can take that same concept and apply it towards desktop virtualization.

Integrating Horizon and NSX, customers can effectively secure east-west traffic within the data center, preventing malware from spreading across the data center if a virtual desktop is compromised because each desktop is effectively isolated from other desktops. IT can quickly and easily administer networking and security policy that dynamically follows end users&#rsquo; virtual desktops and apps across infrastructure, devices and locations. This extra level of security takes desktop virtualization to a whole new level!

VMworld 2017 Breakout Session:

“Securing Your Horizon Virtualized Apps & Desktop Investments with NSX”

Add SIE2034BU via VMworld U.S. schedule builder.

Add SIE2034BE via VMworld Europe schedule builder.

7. Just-in-Time Management Platform (JMP)

We introduced JMP earlier this year, our next-generation desktop and application delivery platform, which enables fust-in-time desktops and apps. Imagine a virtual desktop that is created when a user logs in and destroyed when that user logs out. IT can set up a pool of virtual desktops that fits this model, including pools that can access the internet and pools that cannot, effectively creating separation parameters for higher security. Virtual desktops in each pool only get created when a user logs into a specific pool.

With the JMP platform extending across Horizon 7 and Horizon Cloud, IT has the ability to inject apps and user environment settings into the desktop the moment a user logs in. Having pristine desktops created at every login and destroyed at every logoff eliminates malware that the user may have accidentally installed during the session.

8. Smart Policies

Smart Policies are available in Horizon 7 and Horizon Cloud for IT to provide end users with a truly contextual user experience. For example, policies dynamically change depending on the device used or the location services are being accessed from.

True single sign-on (SSO) enables end-to-end authentication from Workspace ONE to Horizon virtual desktops and apps, for a secure and simple user experience. Users aren&#rsquo;t prompted for multiple logins once they&#rsquo;ve authenticated into the Workspace ONE portal. Client policies such as enabling or disabling clipboard redirection, USB, printing and more can be set by IT using Smart Policies. Horizon is certified to meet FIPS 140-2 and Common Criteria requirements as a result of the secure policies powered by Smart Policies.

For organizations looking for even more advanced security capabilities across Workspace ONE, look no further than Workspace ONE integrations with our ecosystem of mobile security leaders in the VMware Mobile Security Alliance. Workspace ONE integrates with technologies from our Mobile Threat Defense partners, Cloud Access Security Brokers partners and more to further enable comprehensive cybersecurity across mobile devices, apps, networks and cloud services.

Learn more about our end-user computing (EUC) security initiatives at VMworld U.S.andVMworld Europe. If you&#rsquo;re not attending VMworld, you still have time to register!

To learn more about the security capabilities in Workspace ONE, visit vmware.com/workspaceone.

The post Security Update: 8 Advances in End-User Computing from VMware appeared first on VMware End-User Computing Blog.

Read more..

Disaster Recovery with VMware NSX-V and Zerto

Note, this is a reposting of the blog that I initially postedhere onhumairahmed.com. In a prior blog, VMware NSX and SRM: Disaster Recovery Overview and Demo, I described and demoed how VMware NSX and SRM with vSphere Replication combined provide for an enhanced disaster recovery (DR) solution. SRM also provides additional integration with NSX when Storage Policy Protection Groups (SPPGs) are used by providing the ability to automate network mappings. One of the great things about the NSX-V platform, is it can be used with any DRorchestration tool that supports the VMware vSphere ESXi hypervisor. Some of the tools customers are using with NSX include VMware SRM, Dell EMC RP4VM, Zerto, and Veeam. As SRM was discussed and demonstrated in a prior blog, Zerto and NSX together is explained in more detail below.

For more details on Disaster Recovery with NSX, make sure to check-out theDisaster Recovery Solutions with NSX [NET1188BU]session at upcoming VMworld 2017 on August 28th. I will discuss DR with NSX and DR Orchestration tools (SRM, RP4VM, and Zerto) in more detail. Justin Giardin from iland will discuss how they use NSX and Zerto to provide DRaaS solutions. Additionally,Ian Allie from Dell EMC Enterprise Hybrid Cloud (EHC) will discuss how they use NSX and RP4VM to provide DR services for their customers.

Similar to vSphere Replication, Zerto provides the ability to replicate workloads at the VM-level. Zerto Virtual Manager (ZVM) is a standalone manager installed on a Windows workstation. The diagram below shows how ZVM is deployed within the management vCenter domain in a multisite Cross-VC NSX environment.

Figure 1: Example NSX + Zerto DR Deployment

Once ZVM is linked to the respective vCenter, a user can log-on ZVM using vSphere credentials. From the ZVM a Zerto Virtual Replication Appliance (VRA) can be installed on the desired hosts that have VMs that need to be protected.

Figure 2: Deploying Zerto VRAs

In Figure 3, it can be seen that there are four VMs in the Zerto Virtual Protection Group (VPG) being replicated/protected.

Figure 3: Four VMs in Zerto Virtual Protection Group

Similar to what was shown prior with SRM, Zerto can also ensure when a application or site failure eventoccurs the application(s) are recovered on the same network thanks to NSX logical networks spanning both sites and vCenter domains. In addition to the consistent networking across sites/vCenters, consistent security also exists. Thus, the end result is better recovery time objective (RTO) for applications as the IP address for the application does not need to change and security policies do not have to be manually replicated.

Figure 4 below shows how the default network mapping is configured within ZVM. By default, all workloads will failover to the respective default Failover Network upon actual failover and respective Failover Test Network when testing the Zerto DRplan.

Figure 4: Configuring Default Network Mappings in Zerto

As Figure 5 shows, differentFailover Networks andFailover Test Networks can also be configured for each specific VM.

Figure 5: Configuring Network Mappings for Specific VMs in Zerto

An extremely valuable capability of leveraging NSX with DR Orchestration tools like SRM, RP4VM, and Zerto is the capability to test the DR plan without any disruption to the production network. NSX enables this by allowing for isolated test logical networks to be created easily with the same IP addressing scheme. The DR orchestration tools can then be configured to use the isolated test networks for realistic DR Plan testing. This is represented in the below diagram using Zerto.

Figure 6: Simplified DR Testing Using Test NSX Logical Networks

As mentioned prior, for more details on Disaster Recovery with NSX and DR orchestration tools like SRM, RP4VM, and Zerto, make sure to check-out theDisaster Recovery Solutions with NSX [NET1188BU]session at upcoming VMworld 2017 on August 28th.

The post Disaster Recovery with VMware NSX-V and Zerto appeared first on Network Virtualization.

Read more..

How digital workspaces are empowering employees

Every organisation wants to use technologies that show a demonstratable business outcome, and employee productivity is one of the key attributes they want to improve upon.

Achieving this requires a business to offer better end-user experiences, become more flexible in regards to working habits, and open up access of corporate systems to new devices.

VMware has been helping companies to achieve these goals by focusing on empowering the digital workspace with its Workspace ONE platform. This includes using VMware Horizon to provide the necessary infrastructure to securely deliver the apps and data employees need, accessible on any device, and VMware AirWatch to manage their apps and devices.

Lufthansa Cargo is one such business: it has managed to cut costs, increase efficiency and better manage applications as a result of VMware AirWatch.

The international cargo company has been striving for paperless operations, and is relying on strong mobile support to get there.

Sven Gartz, captain and electronic flight bag (EFB) administrator at Lufthansa Cargo, explained that switching from a desktop-based device to a mobile EFB brought two main advantages.

&#rsquo;The first was weight reduction; mobile devices enabled us to remove extensive built-in elements from the cockpit. This generated a five-figure sum of fuel efficiency per year,&#rdquo; he said.

&#rsquo;The second was that the mobile devices enabled us to quickly provide employees with updates, new apps and new approaches which saved the company money because there is a cost for every minute a pilot is on duty,&#rdquo; he added.

Using standardised tablets enabled the company to reduce its time-consuming approval cycles, while contracts with standardised product manufacturers trimmed down Lufthansa Cargo&#rsquo;s operating costs significantly.

The cargo company also used the AirWatch compliance engine to ensure that its mobile devices can stop applications from interfering with each other, as the company needs to make sure air traffic is operational and that applications don&#rsquo;t cause EFB outages.

No workplace is the same – and while organisations are attempting to produce modernised workplaces, they all have different requirements in order to get there.

For example, Koningin Elisabeth Institute (KEI), a rehabilitation hospital in Belgium, experienced downtime regularly. But as its reliance on technology grew, any downtime had an increasingly negative impact on the organisation.

Stefaan Dewulf, head of the organisation&#rsquo;s IT department, explained that its 150 devices were running on different operating system versions and that updates had to be done manually, device by device – a time-consuming process.

&#rsquo;We decided on VMware Horizon, a VDI solution. There is nothing on the local client anymore, everything is in the data center. A doctor taps their card into the device and gets a connection into the PC and the data center and can access the patient data they need,&#rdquo; he said.

But no solution is complete without thinking about security – and after seeing NSX at VMworld, Dewulf was convinced NSX was the best solution for the hospital to secure its data center.

Dewulf said: &#rsquo;Everything is more secure and faster than before so log on times have reduced,&#rdquo;.

Dewulf added that there were three key technology advantages of the VMware technology: &#rsquo;It&#rsquo;s very powerful, it&#rsquo;s easy to manage and it&#rsquo;s ready for the future,&#rdquo; he said.

It&#rsquo;s a great example that demonstrates how traditional ways of managing, securing and supporting users, apps, devices and data may no longer meet the needs of businesses. Businesses need to think out of the box to empower their digital workspace. Both Lufthansa Cargo and KEI are doing just that, and they&#rsquo;re reaping the rewards.


To learn more about how we have helped our customers adopta Cross-Cloud approach read our bloghere.

Read more..

Monthly NSX Customer Advisory – June 2017

In this communication, we detail the top trending issues with VMware NSX for vSphere and provide you with helpful information on how to address the issues while we build a permanent fix.

For up-to-date Top Trending NSX issues, previous and current, seeKB Article Trending support issues in VMware NSX for vSphere 6.x (2131154).

Spotlight Issues

NSX for vSphere Version Component Issue Summary Resolution/Work around KB Number
6.2.x Controller NSX controller shows as disconnected in the web client leading to data path issues for VNIs handled by the disconnected controller. This issue is resolved in VMware NSX for vSphere 6.2.4.
If you choose not to upgrade, as a workaround, you can make an API call to the controller communications and disable IPsec for controller.
6.2.x,6.3.x ESXi ESXi 5.5 and 6.0 hosts fail with a purple diagnostic screen (PSOD): VMCIEventDelayedDispatchCB@com which occurs due to race condition in dvfilter vmci socket deregistration. This issue is resolved in ESXi 5.5 Patch 8 and ESXi 6.0 Patch 3.
To work around this issue, uninstall the dvfilter-dsa driver.
6.2.x,6.3.x ESXi Connectivity issues when using Emulex elxnet Driver. Packets get dropped, resulting in intermittent connectivity issues and loss of ping packets. This issue is resolved in Emulex elxnet Driver version For more details, refer the KB article. 2091192
6.2.x NSX Manager vsfwd connection to the NSX Manager fails. Running the esxcli network ip connection list |grep 5671 command, you see entries similar to: tcp 53 0 CLOSED 75797 newreno vsfwd This issue is resolved in ESXi 6.0 Patch Release, ESXi600-201610001. For more details, refer the KB article. 214687

Trending KB

Issue:Status of TLSv1.1/1.2 Enablement and TLSv1.0 Disablement across VMware products.

Affected Version: 6.2.x, 6.3.x

Resolution:The KB / Solution explains the current status of implementation of TLSv1.1 or TLSv1.2 protocol across applicable VMware products. For more details, please refer to: KB:2145796.

VMware Recommended Release

VMware recommends NSX 6.2.6 for new deployments. The minimum version a customer should be running is NSX 6.2.2 based on critical bug fixes identified as having a general impact in an NSX environment. For more information, seeMinimum recommended version for NSX for vSphere with GID, ESXi, and vCenter Server (2144295).

Don’t Forget!

Subscribe to my.vmware.comto get timely notifications on NSX Product Releases, Fixes and upcoming patches.

The post Monthly NSX Customer Advisory – June 2017 appeared first on VMware Tech Alliances (TAP) Blog.

Read more..

Announcing the Introduction to VMware Horizon 7 for Citrix Administrators

We are excited to announce the Introduction to VMware Horizon 7 for Citrix Administrators white paper. This guide is for Citrix administrators or anyone with a Citrix background who wants to learn about VMware Horizon 7. It offers a tour of Horizon 7, how the Citrix components map to a Horizon 7 deployment, and the steps to get you started in evaluating Horizon 7.

This guide covers some of the recent advances in Horizon 7, as well as how VMware JMP technologies deliver an enterprise-class, innovative solution. We also detail the key areas where Horizon 7 delivers a modern, enterprise-secure, and consumer-simple virtual desktop and application solution:

  • Enterprise-class application-publishing and virtual-desktop solution
  • Simple, fast, efficient management at scale
  • Consistent, adaptive user experience
  • Flexible, robust security

Did you know that Citrix XenApp and XenDesktop are very similar in architecture to VMware Horizon 7? Both solutions use a combination of connection brokers, web-based application catalogs, and RDSH or VDI servers to securely deliver virtual desktops and applications.

The following diagram compares the major Citrix XenApp and XenDesktop components to those of VMware Horizon 7.

For details on this diagram and more, download the Introduction to VMware Horizon 7 for Citrix Administrators now.

The post Announcing the Introduction to VMware Horizon 7 for Citrix Administrators appeared first on VMware End-User Computing Blog.

Read more..

Application Workload Guidance and Design for Virtualized SAP S/4HANA® on vSphere (Part 2/4)

In part 1 we introduced the concept of SAP HANA Application Workload guidance and using example business requirements to come up with a workload and vSphere cluster design for the SAP environment. In the second part we will look at storage, network and security design for the proposed customer environment.Availability Design

The availability design depends on the single point of failure (SPOF) analysis of components. There are components in the SAP infrastructure that are one of a kind and are potential SPOFs; other components are capable of having multiple instances for load balancing and availability.

SAP S/4HANA Architecture

This section summarizes SAP S/4HANA architecture concepts and terminology used in this document. SAP uses the term system landscape, which contains all the SAP systems that have been installed. It can consist of several system groups for which SAP systems are linked by transport routes. Transport routes refer to the path of code migrations between SAP systems, for example from development (DEV) to quality assurance (QAS) to production (PRD) (https://help.sap.com/saphelp_nw74/helpdata/en/63/a30a4ac00811d2851c0000e8a57770/content.htm).

The architecture of a single SAP system is multitier and consists of the following components:

  • Application servers (SAP Web application servers) – These are ABAP or Java (J2EE) based, depending on the specific SAP product or module. Two types exist:
  • Primary application server (PAS) – An application server instance that is installed with SAP Central Services in newer NetWeaver releases and is part of the base installation.
  • Additional application servers (AAS) – Application servers installed as required for horizontal scalability.
  • SAP Message Service – The SAP Message Service is used to exchange and regulate messages between SAP instances in an SAP system. It manages functions such as determining which instance a user logs in to during client connect and scheduling batch jobs on instances configured for batch.
  • SAP Enqueue Service – The SAP Enqueue Service manages the locking of business objects at the SAP transaction level. Locks are set in a lock table stored in the shared memory of the host on which the SAP Enqueue Service runs.
  • Database server – SAP S/4HANA and SAP S/4HANA Suite support SAP HANA as the backend database for all applications. Each module has its own individual standalone SAP HANA database.
  • The following SAP services are defined based on the Message Service and Enqueue Service:
    • SAP Central Services – In newer SAP versions, the Message Service and Enqueue Service have been grouped into a standalone service. Separate SAP Central Services exist for ABAP- and Java-based application servers. For ABAP variants, it is called ABAP SAP Central Services (ASCS); for J2EE variants, it is called SAP Central Services (SCS).
    • Replicated enqueue server – This component consists of the standalone enqueue server and an enqueue replication server. The replicated enqueue server runs on another host and contains a replica of the lock table (replication table). If the standalone enqueue server fails, it must be restarted on the host on which the enqueue replication server is running, because this host contains the replication table in a shared memory segment. The restarted enqueue server uses this shared memory segment to generate the new lock table, after which the shared memory segment is deleted. SAP Central Services and the database are both SPOFs and therefore require considerations for high availability.

Single Point of Failure Analysis

The following SPOFs exist in the SAP NetWeaver architecture:

  • Database – Every application work process makes a private connection to the database at the start. If the connection is interrupted due to database instance failure, the work process attempts to set up a new connection and changes to &#rsquo;database reconnect&#rdquo; state until the database instance restarts. User sessions with database activity in process receive SQL error messages, but their logged-in sessions are preserved on the application server.
  • SAP Message Service and Enqueue Service – Failure of these services has a considerable effect on the system because all transactions that contain locks must be rolled back and any SAP updates being processed fail.

The isolation of the Message Service and Enqueue Service from the central instance (CI) helps address the high-availability requirements of these SPOFs. The SAP Central Services component is &#rsquo;lighter&#rdquo; than the CI and is much quicker to start up after a failure.

SAP Application Tier Availability

Every SAP application should have a minimum of two servers. Because they are serving the same function, these servers must be separated from each other by using antiaffinity rules. An SAP application server and database server can be collocated on the same physical server by using affinity rules to optimize performance in certain situations. vSphere DRS affinity rules help protect SAP application and database components by providing appropriate separation between the primary and standby servers as well as between multiple application servers.

Figure 1. SAP Application Tier Availability

vSphere HA for Database and vSphere FT for SAP Central Services:

The ideal high-availability solution for SAP S/4HANA SPOF components is to leverage vSphere HA and other SAP-specific mechanisms for the database and vSphere FT for SAP Central Services. By having more than two application servers with antiaffinity rules, the application services can be protected.

Figure 2. vSphere HA and vSphere FT – The Ideal High-Availability Solution for SAP S/4HANA SPOF Components

Storage Design

VMware storage virtualization can be categorized into three layers of storage technology. The bottom layer is the storage array, consisting of physical disks presented as logical disks—that is, storage array volumes or LUNs—to the layer above, the virtual environment occupied by vSphere. Storage array LUNs are formatted as VMware vSphere VMFS—that is, virtual machine file system—volumes in which virtual disks can be created. VMs consist of virtual disks that are presented to the guest OS as disks that can be partitioned and used in file systems. Figure 10 shows these storage layers.

Figure 3. Storage Virtualization Layers

vSphere VMFS is a cluster file system that provides storage virtualization optimized for VMs. Each VM is encapsulated in a small set of files, and vSphere VMFS is the default storage system for these files on physical SCSI disks and partitions. VMware supports Fibre Channel and iSCSI protocols for vSphere VMFS.

VMware also supports raw device mapping (RDM). RDM enables a VM to directly access a volume on the physical storage subsystem. It can be used only with Fibre Channel or iSCSI. RDM provides a symbolic link from a vSphere VMFS volume to a raw volume. The mapping makes volumes appear as files in a vSphere VMFS volume. The mapping file, not the raw volume, is referenced in the VM configuration.

To access virtual disks, a VM uses virtual SCSI controllers. These virtual controllers include BusLogic Parallel, LSI Logic Parallel, LSI Logic SAS, and VMware Paravirtual. From the standpoint of the VM, each virtual disk appears as if it were a SCSI drive connected to a SCSI controller.

For more background on storage virtualization, see the vSphere Storage Guide at https://pubs.vmware.com/vsphere-60/topic/com.vmware.ICbase/PDF/vsphere-esxi-vcenter-server-60-storage-guide.pdf.

Virtual Storage Design

This section applies the virtual storage concepts to a storage design for an SAP database on vSphere. The example here is a scale-up SAP HANA system based on the virtual SCSI controller assignments described in the Best Practices and Recommendations for Scale-up Deployments of SAP HANA on VMware vSphere white paper (http://www.vmware.com/files/pdf/SAP_HANA_on_vmware_vSphere_best_practices_guide.pdf).

Virtual SCSI Driver Virtual Device File System
LSI Logic/Paravirtual 0:0 /usr/sapX
Paravirtual 1:0 /hana/data/
Paravirtual 2:0 /hana/log/
Paravirtual 3:0 /hana/shared/

Table 9. SAP HANA Layout for Virtual SCSI Controller

The boot drive can be configured with the paravirtual driver, but configuration depends on the guest OS version. For details, see VMware knowledge base article 1010298, Configuring Disks to Use VMware Paravirtual SCSI (PVSCSI) Adapters (http://kb.vmware.com/kb/1010398).

Figure 4. Example Storage Layout for Scale-Up SAP HANA

Storage Sizing by Module Based on SAP Guidelines

Module Memory GB Data GB Log GB Shared GB Backup GB
BW/4HA_SRV 650 780 325 650 390
CRM 250 300 125 250 150
MDG 250 300 125 250 150
S/4 800 960 400 800 480
SRM 250 300 125 250 150
TM 250 300 125 250 150

Table 10. Database Component Storage Sizing for SAP S/4 HANA

As a default, the backup volume is stored under the /hana/shared volume. To store backup data, creation of a dedicated VMDK volume or NFS mount point is recommended.

TDI Compliant Pure Storage:

The solution was implemented initially with FC Storage on an all All Flash Array from Pure Storage (M50). Pure Storage M50 array is an SAP TDI compliant storage.

Figure 5. Pure Storage FlashArray//M50

The following aresome of the advantages ofrunning SAP HANA on Pure Storage:

  • Datareduction – SAP HANA performsdatacompression in column stores on two levels: dictionary and advanced. Furtherdatareductionresults of around 1.9–2.3 have been experienced. SAP HANA does not compress row store tables, so thedatareductionis even higher when there are row store tables. This use case is analytics, so there are no row store tables.
  • Encryptionoff-loading – SAP HANA encryptsonly datavolumes; it does not encryptlog volumes. Switch off theencryptionon SAP HANA and use the Pure Storage FlashArrayencryption,which can preserve valuable SAP HANA CPU cycles. That in turn can be used more efficiently to process analytical queries.
  • SAP homogeneous system copy and backup and recovery using storage snapshots – System copy, backup, and recovery using Pure Storage snapshots are extremely fast and efficient. The entire process can be automated very easily via a script and can be scheduled on a regular basis. There is no need to invest in backint third-party SAP-certified tools. This process enables customers to achieve very low RTO and RPO.

Fibre Channel SAN Design:

A Brocade Generation 6 redundant and resilient SAN Fabric was used for this deployment. When designing the SAN for an all-flash array, understanding the application workloads and the intended scalability, redundancy, and resiliency requirements is the main factor to consider.

When deploying a Fibre Channel storage array, the main design consideration is the adequate sizing of the ISLs between the edge switches where the servers are connected and the core switches where the storage arrays are connected. In implementations where the Fibre Channel storage arrays are deployed to serve specific latency- and I/O-intensive applications, such as OLTP database servers, connecting both servers and Fibre Channel storage array to the core backbone switches can be advantageous.

Figure 6. RedundantFibre Channel Fabric

Virtual SAN All Flash Storage:

After Validation of the solution, all the storage for the SAP modules were migrated to an All Flash virtual SAN infrastructure and the validation tests were repeated. Virtual SAN is not yet supported for SAP S4/HANA production but it can be used for QA and Dev/Test environments.

VMware virtual SAN was used for the management cluster and as an alternate for the TDI storage for SAP HANA. All storage components used were certified for VMware virtual SAN and provided by Western Digital.

VMware virtual SAN features the following components:

  • Two disk groups per server
  • Each disk group contains
  • One NVMe 1.5TB drive for caching
  • Two 3.5TB SSD drives for capacity

The total capacity of all-flash VMware vSAN is 52TB.

Figure 7. VMware vSAN All-Flash Datastore

SAP S/4HANA Network Design Considerations:

The network components were designed based on the foundational VVD concepts. VMware NSX is available as part of this design, to provide networking and security for application workloads. Details on the VVD network design and components can be found in Architecture and Design in VMware Validated Designs Documentation. VMware NSX is the foundation for networking in the Software-Defined Data Center (SDDC), which is leveraged for SAP S/4HANA. Each node has 4X10GBPS network connections across a pair of Brocade enterprise class VDX in redundant configuration.

SAP HANA Client Zone VMware VMware NSX Design:

VMware NSX greatly facilitates the creation and deployment of network services. The actual abstraction of these services, however, is a collaborative effort. To create an optimized virtual architecture, at a minimum this involves the network operations team, the storage team, virtual infrastructure administrators, application owners, and database administrators. This should not be an isolated task.

From a desktop environment using VMware NSX, theSAP HANA Network Requirements Guidefor tailored data center integration deployments can be decomposed and translated into a virtual network design. Regarding the client zone, the application server network and the network for other SAP HANA clients such as the SAP HANA studio, business intelligence clients, and so on, can be either on the same network or on separate networks. For scalability, management, and security purposes, using separate networks via microsegmentation is recommended. Microsegmentation enables customers to secure, isolate, and characterize network traffic from workload to workload. We also recommend a distributed routing scheme rather than a centralized routing scheme, to optimize for both north–south traffic and east–west traffic.

The east–west dynamic routing capabilities of the DLR are key here because of how SAP HANA load-balances its client connections. SAP uses techniques such as statement routing, connection selection, and command splitting to direct queries to the proper nodes. These routing techniques are based on the type of query and on which node or nodes the data lives on.

As the database grows, the data distribution and types of queries can change. DLRs enable the central management and optimization of east–west traffic by proactively reacting to database growth and traffic patterns.

For external communication with SAP HANA servers that are initiated by a Web browser or a mobile application, a VMware NSX edge services perimeter gateway manages and optimizes north–south network traffic and leverages its multifunction capabilities as a firewall, load balancer, and virtual private network (VPN) device.

And because these external connections can have vastly different security requirements, customers can use VMware NSX to associate firewall rules at the router or at the VM level to achieve greater granularity.

Figure 8. SAP HANA Client Zone VMware NSX Network Design

SAP S4/HANA Security

Standard vSphere security best practices and hardening practices must be applied to secure the infrastructure. Follow guidelines for access control and security policies provided in the VMware Validated Designs Documentation. We address only the application-specific security for SAP S/4HANA in this section.

Microsegmentation for Securing SAP S/4HANA Workloads

SAP microsegmentation enables flexible security policies that align to the multitier architecture of an individual SAP system—presentation, application and database tiers—and also to the landscape of the SAP environment, separating production from nonproduction. Figure 17 shows an SAP microsegmentation example based on the NetWeaver ABAP stack with a backend database. The following are the various tiers and components of the SAP architecture:

  • Client tier – In this example, the SAP client &#rsquo;SAPGUI&#rdquo; accesses the application tier. Customer environments can includebrowser-based access, load balancers, and a Web tier.
  • Application or Central Services tier – Application servers based on the NetWeaver ABAP stack. SAP Central Services handles SAP locking services, messaging between the application servers, and an NFS share required by all the application servers.
  • Database tier – Services are database dependent.
  • The components are isolated into their own respective VMware NSX security groups. Although other classifications are possible, a VMware NSX security group in this example is a definition in VMware NSX and corresponds to a logical grouping of VMs within which there is free communication flow. Communication flow in and out of a security group, and from and to another group, depends on the firewall rules.


Figure 9. Segmentation of SAP S4/HANA with VMware NSX

Security policies shown in Figure 9 provide the following controls:

  • Controlled communication path limited to specific services and protocols between tiers
  • External access permitted to the application tier via the SAP presentation service
  • Access between application and database VMs only via specific database services
  • SAP services ports that vary depending on the &#rsquo;instance number&#rdquo; assigned to the application servers and SAP Central Services. Some values are shownhere.




The post Application Workload Guidance and Design for Virtualized SAP S/4HANA® on vSphere (Part 2/4) appeared first on Virtualize Business Critical Applications.

Read more..

VMware NSX Achieves Common Criteria EAL 2+ Certification

VMware NSX 6.3 for vSphere has achieved Common Criteria certification at the Evaluation Assurance Level (EAL) 2+ (view the certification report). This marks yet another milestone of our commitment to providing industry leading certified solutions for customers from federal departments and agencies, international governments and agencies, and other highly regulated industries and sectors. Along with FIPS, DISA-STIG, ICSA Labs firewall certification, and several other independent evaluations, the Common Criteria compliance accreditation validates NSX as a reliable network virtualization platform that satisfies stringent government security standards.

Common Criteria is an international set of guidelines (ISO-15408) that provides a methodology framework for evaluating security features and capabilities of Information Technology (IT) security products. It is mutually recognized by 26 member nations.

Regulatory compliance is one of the challenges faced by government IT departments in their efforts to modernize legacy systems, and Common Criteria is often required for procurement sales. The Common Criteria accreditation affirms that NSX for vSphere complies with the security requirements specified within the designated level and simplifies the introduction of NSX into government and highly regulated environments. NSX enables customers in the public sector to implement network virtualization to reduce cyber-threats, improve operational efficiency and reduce disaster recovery time.

The following deployment scenario was evaluated for Common Criteria certification:

By awarding a Common Criteria certificate, the Certification Body asserts that the product satisfies the security requirements specified in the associated Security Target.

To run a Common Criteria-compliant NSX installation requires a specific NSX configuration. The steps are explained in Configuring NSX for Common Criteria.

Achieving Common Criteria certification demonstrates our commitments to serving customers from federal departments and agencies, international governments and agencies, and to other highly regulated industries and sectors. We continue to invest in certification efforts to ensure that NSX is the trustworthy network virtualization platform transforming security and addressing automation and application continuity.


All official VMware certifications are available at: http://www.vmware.com/security/certifications.

To learn more about VMware NSX and Compliance

  • Watch an Overview on NSX for Compliance Light Board video
  • Read our other Compliance blogs
  • Visit the NSX Compliance homepage

The post VMware NSX Achieves Common Criteria EAL 2+ Certification appeared first on Network Virtualization.

Read more..

Guest blog: iSanity helps turn blue sky dreams into a reality

As part of an interview series with our partner community, we spoke with the CEO of iSanity in South Africa, Annelee Le Grange, about being part of vCAN (the VMware vCloud Air Network, powered by OVH), and running its whole offering on VMware NSX.

It&#rsquo;s easy for businesses to fall into the trap of thinking they need every piece of new technology possible to keep up with their competitors, whether that&#rsquo;s IoT, hybrid cloud, big data or a number of other technologies. But they must walk before they can run.

The foundation - or the IT backbone – must run smoothly and perfectly support the business infrastructure basics, before any of the blue sky dreams can become a reality. Our clients can dream and we will help make their projects a reality. This is certainly the approach that we took when we looked at how we could provide our clients with the right solutions.

Services over tech

People buy tailored solutions and services from us – not technology. We work with our clients to identify what they want to achieve and propose solutions to meet their requirements.

That&#rsquo;s why the technology has to be right from the get go. VMware is the platform from which we have built and delivered all our cloud services. The technology ticked all the boxes and provided us with the flexibility we required. We did not shop around and did not look at anything else. We believe that our investment in VMWare was the start of a partnership for us that delivered the results and support that we wanted

Going forward, we want to scale up our services further, and it should be no surprise that all of these future services will be delivered on the VMware platform.

What we had to consider

We needed scalable architecture that could deliver supplementary cloud services to enterprises of all sizes in South Africa. VMware&#rsquo;s Cross-Cloud Architecture provided us with a software platform that could support a secure multi-tenant, self-service cloud environment for the customer.

The flexible licensing model and consumptive nature of vCAN offered us the perfect solution from which to build a Greenfields site from the ground up. It meant we could offer our clients cloud real estate, but also provide us with a platform to deliver robust cloud services with full management capabilities using vCloud Director, VMware’s management tool for private and hybrid cloud architectures, and NSX, VMware&#rsquo;s virtual networking and security software product.

Our approach was always to lead with security, and with NSX it was easy to deploy virtual machines while also including McAfee which we could integrate seamlessly.

VMware essentially took the risk out of building the environment and delivery of services. This was very important as we wanted to give our clients the peace of mind that their data is secure and looked after, so they can concentrate on what&#rsquo;s most important to them: their business.

We also had to think about performance and scalability – both of which we get from VMware. Complete integration with Cisco UCS means it&#rsquo;s highly scalable, while NSX has given us complete flexibility to enable companies to pay for what is essentially an empty data centre on a &#lsquo;pay as you grow&#rsquo; model.

Bonus benefits

The huge benefit for us is the multi-cloud story. Our clients have big ambitions, and we need to provide them with the reliability and flexibility they need no matter what. To be able to provide our clients with that kind of reassurance is imperative.

The benefits go beyond performance, scalability and security; we&#rsquo;ve been able to seamlessly integrate the VMware environment with other vendors. Combining these altogether has given us a software-defined data centre in essence to manage.

There is also an element of reassurance we can offer clients that are reluctant to go into the public cloud – which is exactly what we are. From a compliance perspective, with incoming regulations like POPI coming down the line, coupled with compliance expected from the current ECT ACT, etc., we are well prepared as we can provide customers cloud that supports multi-tenancy and micro-segmentation with NSX, giving them a fully secure environment.

We have managed massive savings on capex thanks to being able to report on what we use. The environment has also given us international exposure - including through AWS via the portal. Furthermore, the platform itself is exceptionally green and only uses 3.5kw of power per hour.

Pay it forward

Just as VMware is helping us to look at innovative new technologies, and be geared towards a software-defined and cloudy future, our customers can achieve their dreams too. We want them to be aspirational for the blue skies of tomorrow. We want them to be able to reap the rewards of all the new technologies, and we&#rsquo;ll give them the tools to make it happen.

For insights into our partner ecosystem and to read the latest guest blogs, take a look at the series here, or visit the VMware Partner Network website.

Read more..

Monthly NSX Customer Advisory – May 2017

In this communication, we detail the top trending issues with VMware NSX for vSphere and provide you with helpful information on how to address the issues while we build a permanent fix. Please review the left column of the chart below to search for issues specific to your environment, and click on the hyperlinks to access more detailed information on each.

For additional up-to-date, top trending NSX issues, previous and current, please see KB Article Trending support issues in VMware NSX for vSphere 6.x (2131154).


NSX for vSphere Version

Component Issue Summary Resolution/Work-Around

KB Number

6.2.x , 6.3.x ESXi ESXi 5.5 and 6.0 hosts fail with a purple diagnostic screen (PSOD): VMCIEventDelayedDispatchCB@com which occurs due to race condition in dvfilter vmci socket deregistration. This issue is resolved in ESXi 5.5 Patch 8 and ESXi 6.0 Patch 3.

To work around this issue, uninstall the dvfilter-dsa driver.

KB : 2149242
6.3.x ESXi Hosts fails with a purple diagnostic screen when retrieving flows for ALG enabled protocols. To work around this issue, disable flow monitoring related features: IPFix, LiveFlow, Application Rule Manager, Flow monitoring-global flow collection. KB : 2149908


Top Issues + Resolution / Workaround

NSX for vSphere 6.3.x, 6.2.x

Issue #1:Process to change VXLAN port from 8472 to 4789 may fail or never complete.

Affected Version: 6.2.x, 6.3.x


  1. The process may fail or never complete while changing the VXLAN port from 8472 to 4789 (standard port assigned by IANA).

Resolution: To resolve the issue, run the REST API calls to check the status of the job and resume the change. For more details, please refer to KB2149996.


Issue #2: Guest Introspection USVM reports disk is full.

Affected Version: 6.3.x


  1. You receive an alert that the /var/log disk space is full or almost full on one or more of the Guest Introspection USVMs.
  2. This issue occurs as there is a problem with the internal log maintenance task that causes log files to grow indefinitely, eventually leading to a full disk situation.

Resolution: To work around this issuedelete the Guest Introspection USVM. Click on resolve to redeploy. For more details, please refer to KB2149856.


Issue #3: Distributed Firewall (DFW) packets hitting Default Rule instead of previous Rule allowing/blocking designated traffic.

Affected Version: 6.2.x, 6.3.x


  1. In examining Distributed Firewall (DFW) behavior, you may see some packets having a source, destination, and protocol (service) defined in a configured rule hitting the Default rule at the very end of the firewall rule list.
  2. In the dfwpktlogs or in LogInsight, you may see that the SYN packets and the ACK packets are being processed by the configured rule allowing/blocking the defined traffic.
  3. For the same traffic, you see RST and FIN ACK packets hitting the default block/allow rule, meaning that it is not hitting the previously-configured rule.

Resolution: To verify the rules ascribed to the filter or vNIC, type the vsipioctl getrules -f command. From this output, you can verify that the configured rule(s) are being applied to the virtual NIC as expected. For more details, please refer to KB2149818


Issue #4: VMs are removed from Exclusion List while adding new VM.

Affected Version: 6.2.x, 6.3.x


  1. When attempting to add a virtual machine to the NSX Manager’s Exclusion List to remove the DFW filter from the virtual machine, all other existing excluded virtual machines disappear from the Exclusion List.
  2. In the Web UI, after making the second or duplicate attempt, you may see an error similar to:
    Member: VM is already present in exclude list.

Resolution: To avoid this issue, refresh the UI page before adding the VM to the exclusion list. Refreshing the UI will clear any stale sessions and ensure that if another user has already added the VM, it is now reflected in the UI. For more details, please refer to KB2149997.


Issue #5: Backing up the NSX Manager to OpenSSH 7.x or later fails.

Affected Version: 6.2.x, 6.3.x


  1. This issue occurs because the SFTP jar files in the NSX Manager is out of date.

Resolution: To work around this issue, use OpenSSH version 6.x or earlier as your SFTP backup endpoint. For more details, please refer to KB2150053.


Trending KB

Issue #1: Re-installing NSX to upgrade vCNS Endpoint to NSX Guest Introspection.

Affected Version: 6.2.x, 6.3.x

Symptom: How to KB.

Resolution: The KB/Solution explains the procedure to upgrade from vCNS to NSX in the environments where vCNS is configured and used for Endpoint only. For more details, please refer to KB2150140.


VMware Recommended release

VMware recommends NSX 6.2.6 for new deployments. The minimum version a customer should be running is NSX 6.2.2 based on critical bug fixes identified as having a general impact in an NSX environment. For more information, see Minimum recommended version for NSX for vSphere with GID, ESXi, and vCenter Server (2144295).


Have feedback on this NSX Customer Advisory?

We would like to hear from you. Send us your feedback by providing comments on the Feedback Box (available at the bottom of KB Article)Trending support issues in VMware NSX for vSphere 6.x (2131154).

Thank you for helping us continually improve this communication.



Subscribe to my.vmware.com to get timely notifications on NSX Product Releases, Fixes and upcoming patches.

The post Monthly NSX Customer Advisory - May 2017 appeared first on VMware Tech Alliances (TAP) Blog.

Read more..

Progressive Dutch Municipality Protects Citizen Data and Meets Compliance with VMware NSX

Summary: Municipality of Zoetermeer implements Zero-Trust model with VMware NSX-enabled micro-segmentation for advanced security inside data centers. Zoetermeer follows the Dutch BIG (Baseline Information Security Dutch Municipalities) regulations

Zoetermeer is a modern, fast-growing municipality in the province of South Holland. It provides local services such as water supply, sewage and garbage disposal to around 125,000 residents. As a forward-thinking organization, the municipality of Zoetermeer recognizes that the increasing volume of cyber attacks against organizations today has shown that traditional, perimeter-centric security models are no longer effective.

The municipality responded by working with VMware partner ON2IT IT Services on a solution that wouldn&#rsquo;t treat everything inside the network as trusted. Zoetermeer deployed VMware NSX® network virtualization to facilitate a Zero Trust security model. This Zero Trust model is enabled by the unique micro-segmentation capabilities of VMware NSX. Zoetermeer is now compartmentalizing different segments of its network and applying automated, fine-grained security policies to individual applications.

&#rsquo;The municipality of Zoetermeer is committed to delivering digital services to our citizens, and also digital tools to enable the best experience for our employees,&#rdquo; said Mr. Van Gaalen, IT Manager, Municipality of Zoetermeer. &#rsquo;But security must remain paramount. Thanks to VMware, we can provide the right person – citizen or employee - with secure access to the right data, from anywhere.&#rdquo;

In addition to providing advanced security inside its data center, the solutions have enabled the municipality to meet rigorous regulatory compliance requirements. VMware NSX has been instrumental in enabling the municipality of Zoetermeer to conform to BIG (Baseline Information Security Dutch Municipalities). These BIG rules have been introduced by the information security service (IBD) of the Association of Dutch Municipalities (VNG) and consist of a set of security measures that ensure a good basic level of security for municipalities. To meet these guidelines, optimal and transparent IT processes and security rules are required.

Mr. Van Gaalen also noted, &#rsquo;VMware helps us meet the rigorous government requirements for security and data protection. With micro-segmentation, we can better manage security policies across our network, aligning them with individual applications and ultimately reducing risk. It was the clear next step in achieving a secure software-defined data center,&#rdquo; said

A longstanding VMware customer, Zoetermeer was the first Dutch municipality to use VMware Horizon desktop virtualization. As it continues on its journey of mobile digitization, the municipality will soon provide the majority of its employees with digital workspaces when its newly-built town hall opens. It will deploy VMware AirWatch® Mobile Device Management to securely manage its fleet of mobile devices and to support its growing mobile workforce.

The post Progressive Dutch Municipality Protects Citizen Data and Meets Compliance with VMware NSX appeared first on Network Virtualization.

Read more..

Go Que Newsroom Categories

Fatal error: Allowed memory size of 67108864 bytes exhausted (tried to allocate 40 bytes)
in /home/content/36/8658336/html/goquecom/wp-includes/wp-db.php on line 2022

Query Monitor