
ESXi VMkernel Port “Management traffic” Checkbox

Here is the screenshot of the services that can be enabled on an ESXi v.6 VMkernel NIC port.

All these services looked very self-explanatory, until I did some research on ESXi management redundancy and discovered this post.

Here is a quick summary of the post, plus other things I learned about the VMkernel port.

  • The “Management traffic” checkbox does nothing but enable that VMkernel NIC for HA heartbeat traffic.
  • It has nothing to do with the management of the ESXi host. When the checkbox is not checked, you can still manage the ESXi host via vCenter Server, or SSH to the ESXi host, via the IP address associated with the VMkernel port.
  • Why isn’t there a checkbox for iSCSI or NFS traffic?
    • Answer: any VMkernel port can talk to iSCSI or NFS storage. There is no need to enable the service.
  • Prior to vSphere 6, only one default gateway is defined for the ESXi host in the GUI (ESXi 5.5 allows adding additional TCP/IP stacks, including default gateway & DNS, in the CLI). All VMkernel ports use the same default gateway for traffic that is not local to each VMkernel port’s subnet.
  • Here is the screenshot in vSphere 5.5: only one Default TCP/IP stack.

  • Here is the screenshot in vSphere 6: three TCP/IP stacks by default. Each can have a different default gateway. Additional custom TCP/IP stacks still need to be created in the CLI.

Hold Off Upgrading ESXi 5.5 with VSAN to ESXi 6.0

If you are running ESXi 5.5 with VSAN, DO NOT upgrade the ESXi host from 5.5 to 6.0. Mixing ESXi 5.5 and 6.0 hosts in the VSAN cluster during the host upgrade can cause permanent data loss. See VMware KB2139969 for more information. As of December 25, 2015, no fix is available yet.

If you have to upgrade to ESXi 6.0 now, the safe approach is to migrate the VMs on the VSAN to other non-VSAN storage prior to the upgrade.

Windows Server Message Block (SMB) Protocol

Versions

There are several different versions of SMB used by Windows operating systems:

| SMB Version | Operating System | Note |
|---|---|---|
| CIFS | Windows NT | superseded by SMB1 |
| SMB 1.0 (or SMB1) | Windows 2000, XP, Server 2003, Server 2003 R2 | |
| SMB 2.0 (or SMB2) | Windows Vista (SP1 or later), Server 2008 | |
| SMB 2.1 (or SMB2.1) | Windows 7, Server 2008 R2 | |
| SMB 3.0 (or SMB3) | Windows 8, Server 2012 | |
| SMB 3.02 (or SMB3) | Windows 8.1, Server 2012 R2 | In Windows 8.1 and Server 2012 R2, the option to completely disable CIFS/SMB1 support is introduced. It is not the default configuration. |
| SMB 3.1.1 | Windows 10, Server 2016 | |

Negotiated Versions

Here’s a table to help you understand what version you will end up using, depending on what Windows version is running as the SMB client and what version of Windows is running as the SMB server:

| OS | Windows 8.1 / WS 2012 R2 | Windows 8 / WS 2012 | Windows 7 / WS 2008 R2 | Windows Vista / WS 2008 | Previous Version |
|---|---|---|---|---|---|
| Windows 8.1 / WS 2012 R2 | SMB 3.02 | SMB 3.0 | SMB 2.1 | SMB 2.0 | SMB 1.0 |
| Windows 8 / WS 2012 | SMB 3.0 | SMB 3.0 | SMB 2.1 | SMB 2.0 | SMB 1.0 |
| Windows 7 / WS 2008 R2 | SMB 2.1 | SMB 2.1 | SMB 2.1 | SMB 2.0 | SMB 1.0 |
| Windows Vista / WS 2008 | SMB 2.0 | SMB 2.0 | SMB 2.0 | SMB 2.0 | SMB 1.0 |
| Previous Version | SMB 1.0 | SMB 1.0 | SMB 1.0 | SMB 1.0 | SMB 1.0 |

* WS = Windows Server

Check SMB Version

In Windows 8, Windows Server 2012 or later, a new PowerShell cmdlet can easily tell you what version of SMB the client has negotiated with the file server. For Windows versions prior to Windows 8, there is no easy way – you need to use Network Monitor, Message Analyzer (recommended) or Wireshark to capture the packets and look into them.

To check the negotiated SMB version between the client and file server

  1. Access a remote file server (or create a new mapping to it)
  2. Use Get-SmbConnection

To check the SMB version on the local computer

  1. dir \\localhost\c$
  2. Get-SmbConnection -ServerName localhost
    • run the Get-SmbConnection cmdlet within 10 seconds after the dir command
    • the SMB client will tear down the connections if there is no activity
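
The two steps above combined into one script, as an added example that is not part of the original post: it touches a share, reads the negotiated dialect straight away, and flags any connection that ended up on SMB1. The function name `Get-SmbDialectReport` and the `ProbePath` parameter are made up for this example.

```powershell
# Added example: automates the manual check above. Requires Windows 8 /
# Windows Server 2012 or later, where Get-SmbConnection is available.
function Get-SmbDialectReport {
    param(
        # Path to touch so that a live connection exists. The default is the
        # local admin share from the steps above (needs administrator rights).
        [string]$ProbePath = '\\localhost\c$'
    )

    # Same as "dir \\localhost\c$": opens (or reuses) an SMB connection.
    Get-ChildItem -Path $ProbePath -ErrorAction Stop | Out-Null

    # Query immediately, before the client tears down the idle connection.
    Get-SmbConnection | ForEach-Object {
        # Dialect is a version string such as "3.02"; take the major number.
        $major = [int](($_.Dialect -split '\.')[0])
        [pscustomobject]@{
            ServerName = $_.ServerName
            ShareName  = $_.ShareName
            Dialect    = $_.Dialect
            IsSmb1     = ($major -lt 2)   # CIFS/SMB1 was negotiated
        }
    }
}

$report = @(Get-SmbDialectReport)
$report | Format-Table -AutoSize

# Call out any share that fell back to SMB1, for example because the
# server side supports nothing newer.
$report | Where-Object IsSmb1 | ForEach-Object {
    Write-Warning "SMB1 in use: \\$($_.ServerName)\$($_.ShareName)"
}
```

Pass a remote share as `-ProbePath` to check what a particular file server negotiates instead of the local machine.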


Recommendation

Microsoft strongly encourages updating to the latest version of SMB. However, be aware of compatibility with older Windows operating systems and third-party application implementations.

  • VMware
    • vCenter Server Appliance 5.5.x / 6.0.x and vRealize Automation 6.2.x support SMB1 only (KB2134063)

Source

Microsoft Jose Barreto’s Blog

Blogger Editor - Open Live Writer Update 2

Today, my Open Live Writer was updated to build 0.5.1.4. The feature I wanted in my Update 1 post is here – support for Blogger labels.

The label can be entered in the new box under the tool bar; multiple labels can be separated by commas. Even though the “Refresh List” feature (the two arrows on the right of the label box) does not work, I am very thankful to the development team for continuing to add new features in a short time.


Check eDellRoot Certificate and Rogue Certificate

The eDellRoot certificate was a hot topic back in November 2015. This post just summarizes the tools to use to check for this and other rogue certificates on your computer.

Detection

Steps to check if your computer (mainly Dell laptops) is affected by the eDellRoot certificate:

  1. Use Internet Explorer or Chrome (Firefox has its own certificate store, so this test site doesn’t work).
  2. Go to https://edell.tlsfun.de/

Removal

If the bad eDellRoot certificate is found on your computer, use Dell’s official remover to remove it.

Audit the root CA stores

Furthermore, you can scan and audit the trusted root CA stores – both Microsoft (used by IE and Chrome) and Mozilla (used by Firefox) – with the following tools:

  • RCC from http://trax.x10.mx/apps.html
  • the upcoming version of Sigcheck from Mark Russinovich at Microsoft
    • Mark Russinovich announced this on Twitter
    • As of 12/22/2015, this version of Sigcheck is still in beta and not yet available. I will post an update when the final version is publicly available.
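
A quick look at the Microsoft trusted-root stores from PowerShell, as an added example that is not part of the original post and does not replace RCC or Sigcheck. It covers only the Windows stores, not Firefox's; the function name, the default subject pattern and the private-key heuristic are assumptions of this example.

```powershell
# Added example: list certificates in the Windows trusted-root stores and flag
#  (1) any whose subject contains the name being searched for, and
#  (2) any root that has a private key installed next to it. A machine that
#      only needs to *trust* a CA has no use for that CA's private key, so
#      this is treated here as a reason for a closer look (heuristic).
function Find-SuspectRootCertificate {
    param(
        [string]$SubjectPattern = 'eDellRoot',
        [string[]]$StorePath = @('Cert:\LocalMachine\Root',
                                 'Cert:\CurrentUser\Root')
    )

    foreach ($store in $StorePath) {
        Get-ChildItem -Path $store | ForEach-Object {
            $nameHit = $_.Subject -like "*$SubjectPattern*"
            if ($nameHit -or $_.HasPrivateKey) {
                [pscustomobject]@{
                    Store         = $store
                    Subject       = $_.Subject
                    Thumbprint    = $_.Thumbprint
                    NotAfter      = $_.NotAfter
                    HasPrivateKey = $_.HasPrivateKey
                    NameMatch     = $nameHit
                }
            }
        }
    }
}

# No output means neither condition matched in either store.
Find-SuspectRootCertificate | Format-Table -AutoSize
```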

Recommended Topologies for VMware vSphere 6.0.x

VMware has a KB (KB2108548) that summarizes the recommended topologies for vSphere 6.0.x deployment on the Platform Services Controller (PSC) and vCenter Server. It’s a good read.

My pick will be one of the following topologies for most deployments – simple configuration with sufficient redundancy.


Blogger Editor - Open Live Writer Update 1

In my recent post, I was glad that Open Live Writer is available, but it had a problem with Blogger authentication. Today I found this in its issue tracker.

Following the instructions posted in the issue tracker, I opened Open Live Writer, closed it, and then reopened it. A new option, “Google Blogger”, is available in the blog type. After entering my Blogger URL and authorizing the access, I am writing this post in Open Live Writer!!! The version is 0.5.1.2. Thank you for the great work!


The next feature I want is to support “Labels”, like many people requested. The good news is that they are working on it. I will keep an eye on this and post on the next update when it’s available.

Use WinSCP to Transfer Files in vCSA 6.7

This is a quick update on my previous post “ Use WinSCP to Transfer Files in vCSA 6.5 ”. When I try the same SFTP server setting in vCSA 6.7...