Deploy Web Application Proxy Role in Windows Server 2012 R2 –Part II

Deploy Web Application Proxy Role in Windows Server 2012 R2 –Part I

Assumption:

I assume you have the following infrastructure ready.

  • Domain Controller: DC1PVDC01
  • Certificate Authority: DC1PVCA01
  • AD FS Server: DC1PVADFS01
  • Exchange Server: DC1PVEXCH01

Naming Convention:

  • DC1= Data Center 1 (location)
  • P=Production Systems
  • V=Virtual Server
  • DC=Domain Controller

So on so forth.

Proposed Web Application Proxy Server:

Option Description
Virtual Machine Name DC1PVWAP01
Memory 4GB
vCPU 1
Hard Disk 1 50GB
Network Adapter 2
Guest Operating System Windows Server 2012 R2
Hyper-v Integration Service Installed

Windows Server Role:

Role Web Application Proxy

 

Network Configuration

The network adapter name used within the operating system should be changed to closely match the associated WAP network name. The following binding order will be maintained within Windows operating systems:

  1. First in Order- WAP internal adapter connected to the trusted network.
  2. Second in Order- WAP external adapter connected to the un-trusted network.

The following are the network configuration for WAP server.

Option IP Address Subnet Default Gateway DNS
Internal Network 10.10.10.2 255.255.255.0 Not required 10.10.10.1
External Network 192.168.1.1 255.255.255.0 192.168.1.254 Not required

Important! External Network can be assigned public IP if WAP server isn’t placed behind frontend router/firewall. In an edge configuration WAP external network is configured with public IP and internal network is assigned an IP address of internal IP range.

Configuration Step 1 – Rename Network Adapters:

Rename all network adapters to descriptive names that ideally match the connection type and WAP wizard/console names. For example:

  • WAP adapter connected to the trusted network: Internal Network
  • WAP adapter connected to the un-trusted network: External Network

Configuration Step 2 – Configure Network Adapters:

The Internal Network adapter will normally be connected to your trusted environment. This could be your actual internal network (LAN) or could be a private DMZ (perimeter network) if using an intranet/back firewall.

Internal Network Adapter

  • Default Gateway should not be defined
  • DNS Servers should be defined
  • Client for Microsoft Networks binding – Enabled
  • File and Print Sharing for Microsoft Networks binding – Enabled
  • Register this connection’s address in DNS – Enabled
  • Enable LMHOSTS Lookup – Disabled
  • NetBIOS over TCP/IP – Default

The External Network adapter will normally be connected to your un-trusted environment. This could be your actual Internet connection if using an edge deployment, or could be a public DMZ (perimeter network) if using an existing edge/front firewall.

External Network Adapter

  • Default Gateway should be defined
  • DNS Servers should not be defined
  • Client for Microsoft Networks binding – Disabled
  • File and Print Sharing for Microsoft Networks binding – Disabled
  • Register this connection’s address in DNS – Disabled
  • Enable LMHOSTS Lookup – Disabled
  • NetBIOS over TCP/IP – Disabled

Please Note: The ‘File and Print Sharing for Microsoft Networks’ binding on the TMG internal adapter is left at the default settings of Enabled on the WAP Internal Network adapter. This allows for the use of the Internal Network adapter for intra-array services when using a WAP cluster.

Configuration Step 3 – Amend Bind Order:

Edit the network adapter bind order to place the Internal Network adapter at the top (highest) position and the External Network at the bottom (lowest) position. For example:

  1. Internal Network (Highest)
  2. External Network (Lowest)

To amend network binding follow the steps below:

1. Click Start, click Network, click Network and Sharing Center, and then click Change Adapter Settings.

2. Press the ALT key, click Advanced, and then click Advanced Settings. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.

3. Click the Adapters and Bindings tab, and then, under Connections, click the connection you want to modify.

4. Under Bindings for <connection name>, select the protocol that you want to move up or down in the list, click the up or down arrow button, and then click OK.

DNS Forwarding:

The following Fully Qualified Domain Names (FQDN) will be forwarded from ISP to your router:

Purpose Public Host Name Public IP Address
Exchange webmail.yourdomain.com 203.17.x.x
SharePoint sharepoint.yourdomain.com 203.17.x.x

 

External Firewall Rules

The following NAT rules will be added into perimeter network to publish application and services through WAP. This rule is only apply if you please Web Application Proxy (WAP) behind a firewall or Cisco ASA otherwise you don’t need it.

Rule(s) Description Source IP Destination IP Address Port NAT Destination
1 Exchange Any 203.17.x.x 443 192.168.1.2
2 SharePoint Any 203.17.x.x 443 192.168.1.3

 

Building Web Application Proxy Server on Windows Server 2012 R2 Steps:

  1. Install Windows Server 2012 R2.
  2. Configure TCP/IP of Windows Server 2012 R2
  3. Join Web Application Proxy server to Domain
  4. Install Web Application Proxy Role
  5. Configure Kerberos Constraint Delegation
  6. Configure the firewall to allow HTTPS traffic on port 443 for clients to communicate with the AD FS server
  7. Configure Firewall if WAP Server placed behind a Cisco ASA
  8. Install Public certificate into Web Application Proxy Server
  9. Publish Application

Configure Kerberos Constraint delegation

1. On the domain controller, open Server Manager. To do this, click Server Manager on the Start screen.

2. Click Tools, and then click ADSI Edit.

3. On the Action menu, click Connect To, and then on the Connection Settings dialog box, accept the default settings to connect to the default naming context, and then click OK.

4. In the left pane, expand Default naming context, expand DC=yourdomain, DC=com, expand CN=Computers, right-click CN=DC1PVWAP01, and then click Properties.

5. On the CN=DC1PVWAP01 Properties dialog box, on the Attribute Editor tab, in the Attributes list, select servicePrincipalName, and then click Edit.

6. On the Multi-valued String Editor dialog box, in Value to add, enter HTTP/DC1PVWAP01.yourdomain.com and click Add. Then enter HTTP/DC1PVWAP01 and click Add. The Values list now contains two new entries; for example, HTTP/DC1PVWAP01.yourdomain.com and HTTP/DC1PVWAP01.

7. On the Multi-valued String Editor dialog box, click OK.

8. On the CN=DC1PVWAP01 Properties dialog box, click OK.

9. In Server Manager, click Tools, and then click Active Directory Users and Computers.

10. In the navigation pane, under yourdomain.com, click Computers. In the details pane, right-click the Web Application Proxy server, and then click Properties.

11. On the DC1PVWAP01 Properties dialog box, on the Delegation tab, click Trust this computer for delegation to specified services only, and then click Use any authentication protocol.

12. Click Add, and on the Add Services dialog box, click Users or Computers.

13. On the Select Users or Computers dialog box, in Enter the object names to select, enter the name of the web servers that use Integrated Windows authentication; for example, WebServ1, and then click OK.

14. On the Add Services dialog box, in the Available services list, select the http service type, and then click OK.

15. On the DC1PVWAP01 Properties dialog box, click OK.

Configure AD FS (Optional when using pass-through pre-authentication)

1. On the Start screen, type AD FS Management, and then press ENTER.

2. Under the AD FSTrust Relationships folder, right-click Relying Party Trusts, and then click Add Relying Party Trust to open the Add Relying Party Trust Wizard.

3. On the Welcome page, click Start.

4. On the Select Data Source page, click Import data about the relying party published online or on a local network. In Federation metadata address (host name or URL), type the federation metadata URL or host name for the partner, and then click Next.

5. On the Specify Display Name page type a name in Display name, under Notes type a description for this relying party trust, and then click Next.

6. On the Choose Issuance Authorization Rules page, select either Permit all users to access this relying party then click Next.

7. On the Ready to Add Trust page, review the settings, and then click Next to save your relying party trust information.

8. On the Finish page, click Close. This action automatically displays the Edit Claim Rules dialog box. For more information about how to proceed with adding claim rules for this relying party trust, see the Additional references.

9. in the AD FS Management console, you must set the endpoint to be Proxy Enabled

Configure Certificate Template in CA

Note: This steps is only applicable when using Enterprise certificate authority.

1. Open the Certificate Templates snap-in.

2. In the details pane, right-click an existing certificate that will serve as the starting point for the new certificate, and then click Duplicate Template.

3. Choose whether to duplicate the template as a Windows Server 2003–based template or a Windows Server 2008–based template.

4. On the General tab, enter the Template display name and the Template name, and then click OK.

5. Define any additional attributes such as mark “private key exportable” for the newly created certificate template.

Export & Import Certificates into Web Application Proxy Server

This is a very important steps for published app to work correctly. You must export .pfx certificate from application servers (Exchange, SharePoint or Lync Server) to Web Application Proxy Server so that internet explorer, web application proxy server and application servers validate same certificates.

Exporting a .pfx File

  1. On the Start menu click Run and then type mmc.
  2. Click File > Add/Remove Snap-in.
  3. Click Certificates > Add.
  4. Select Computer Account and then click Next. Select Local Computer and then click Finish. Then close the add standalone snap-in window and the add/remove snap-in window.
  5. Click the + to expand the certificates (local computer) console tree and look for the personal directory/folder. Expand the certificates folder.
  6. Right-click on the certificate you want to backup and select ALL TASKS > Export.
  7. Choose Yes, export the private key and include all certificates in certificate path if possible.
    Warning: Do not select the delete private key option.
  8. Leave the default settings and then enter your password if required.
  9. Choose to save the file and then click Finish. You should receive an “export successful” message. The .pfx file is now saved to the location you selected.

Importing from a .pfx File

  1. On the Start menu click Run and then type mmc.
  2. Click File > Add/Remove Snap-in.
  3. Click Certificates > Add.
  4. Select Computer Account and then click Next. Select Local Computer and then click Finish. Then close the add standalone snap-in window and the add/remove snap-in window.
  5. Click the + to expand the certificates (local computer) console tree and look for the personal directory/folder. Expand the certificates folder.
  6. Right-click on the certificate you want to backup and select ALL TASKS > Import.
  7. Follow the certificate import wizard to import your primary certificate from the .pfx file. When prompted, choose to automatically place the certificates in the certificate stores based on the type of the certificate.

Install Web Application Proxy Role

1. On the Web Application Proxy server, in the Server Manager console, in the Dashboard, click Add roles and features.

2. In the Add Roles and Features Wizard, click Next three times to get to the server role selection screen.

3. On the Select server roles dialog, select Remote Access, and then click Next.

4. Click Next twice.

5. On the Select role services dialog, select Web Application Proxy, click Add Features, and then click Next.

6. On the Confirm installation selections dialog, click Install.

7. On the Installation progress dialog, verify that the installation was successful, and then click Close.

Configure Web Application Proxy

1. On the Web Application Proxy server, open the Remote Access Management console: On the Start screen, click the Apps arrow. On the Apps screen, type RAMgmtUI.exe, and then press ENTER. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.

2. In the navigation pane, click Web Application Proxy.

3. In the Remote Access Management console, in the middle pane, click Run the Web Application Proxy Configuration Wizard.

4. On the Web Application Proxy Configuration Wizard, on the Welcome dialog, click Next.

5. On the Federation Server dialog, do the following, and then click Next:

  • In the Federation service name box, enter the fully qualified domain name (FQDN) of the AD FS server; for example, fs.yourdomain.com.
  • In the User name and Password boxes, enter the credentials of a local administrator account on the AD FS servers.

6. On the AD FS Proxy Certificate dialog, in the list of certificates currently installed on the Web Application Proxy server, select a certificate to be used by Web Application Proxy for AD FS proxy functionality, and then click Next.

7. The certificate you choose here should be the one that whose subject is the Federation Service name, for example, fs.yourdomain.com.

8. On the Confirmation dialog, review the settings. If required, you can copy the PowerShell cmdlet to automate additional installations. Click Configure.

9. On the Results dialog, verify that the configuration was successful, and then click Close.

Publish Application using AD FS Pre-Authentication

1. On the Web Application Proxy server, in the Remote Access Management console, in the Navigation pane, click Web Application Proxy, and then in the Tasks pane, click Publish.

2. On the Publish New Application Wizard, on the Welcome page, click Next.

3. On the Pre-authentication page, click Active Directory Federation Services (AD FS), and then click Next.

4. On the Relying Party page, in the list of relying parties select the relying party for the application that you want to publish, and then click Next.

5. On the Publishing Settings page, do the following, and then click Next:

  • In the Name box, enter a friendly name for the application.
  • This name is used only in the list of published applications in the Remote Access Management console.
  • In the External URL box, enter the external URL for this application; for example, https://sp.yourdomain.com/app1/.
  • In the External certificate list, select a certificate whose subject covers the external URL.
  • In the Backend server URL box, enter the URL of the backend server. Note that this value is automatically entered when you enter the external URL and you should change it only if the backend server URL is different; for example, http://sp/app1/.
  • Web Application Proxy can translate host names in URLs, but cannot translate path names. Therefore, you can enter different host names, but you must enter the same path name. For example, you can enter an external URL of https://apps.yourdomain.com/app1/ and a backend server URL of http://app-server/app1/. However, you cannot enter an external URL of https://apps.yourdomain.com/app1/ and a backend server URL of https://apps.yourdomain.com/internal-app1/.

6. On the Confirmation page, review the settings, and then click Publish. You can copy the PowerShell command to set up additional published applications.

7. On the Results page, make sure that the application published successfully, and then click Close.

Publish an integrated Windows authenticated application

1. On the Web Application Proxy server, in the Remote Access Management console, in the Navigation pane, click Web Application Proxy, and then in the Tasks pane, click Publish.

2. On the Publish New Application Wizard, on the Welcome page, click Next.

3. On the Pre-authentication page, click Active Directory Federation Services (AD FS), and then click Next.

4. On the Relying Party page, in the list of relying parties select the relying party for the application that you want to publish, and then click Next.

5. On the Publishing Settings page, do the following, and then click Next:

  • In the Name box, enter a friendly name for the application.
  • This name is used only in the list of published applications in the Remote Access Management console.
  • In the External URL box, enter the external URL for this application; for example, https://owa.yourdomain.com/.
  • In the External certificate list, select a certificate whose subject covers the external URL.
  • In the Backend server URL box, enter the URL of the backend server. Note that this value is automatically entered when you enter the external URL and you should change it only if the backend server URL is different; for example, http://owa/.
  • Web Application Proxy can translate host names in URLs, but cannot translate path names. Therefore, you can enter different host names, but you must enter the same path name. For example, you can enter an external URL of https://apps.yourdomain.com/app1/ and a backend server URL of http://app-server/app1/. However, you cannot enter an external URL of https://apps.yourdomain.com/app1/ and a backend server URL of https://apps.yourdomain.com/internal-app1/.
  • In the Backend server SPN box, enter the service principal name for the backend server; for example, HTTP/owa.yourdomain.com.

6. On the Confirmation page, review the settings, and then click Publish. You can copy the PowerShell command to set up additional published applications.

7. On the Results page, make sure that the application published successfully, and then click Close.

Publish Application using Client Certificate Pre-Authentication

You can publish an application using pre-authenticated client certificate. This steps only be performed using Windows PowerShell. Open Elevated Windows PowerShell prompt in WAP Server. Change the following command as required and issue the command.

Add-WebApplicationProxyApplication

-BackendServerURL ‘https://app.yourdomain.com/&#8217;

-ExternalCertificateThumbprint ‘1a2b3c4d5e6f1a2b3c4d5e6f1a2b3c4d5e6f1a2b’

-ExternalURL ‘https://app.yourdomain.com/&#8217;

-Name ‘Client certificate preauthentication application’

-ExternalPreAuthentication ClientCertificate

-ClientCertificatePreauthenticationThumbprint ‘123456abcdef123456abcdef123456abcdef12ab’

Publish Application using Pass-through Pre-Authentication

1. On the Web Application Proxy server, in the Remote Access Management console, in the Navigation pane, click Web Application Proxy, and then in the Tasks pane, click Publish.

2. On the Publish New Application Wizard, on the Welcome page, click Next.

3. On the Preauthentication page, click Pass-through, and then click Next.

4. On the Publishing Settings page, do the following, and then click Next:

  • In the Name box, enter a friendly name for the application.
  • This name is used only in the list of published applications in the Remote Access Management console.
  • In the External URL box, enter the external URL for this application; for example, https://maps.yourdomain.com/.
  • In the External certificate list, select a certificate whose subject covers the external URL.
  • In the Backend server URL box, enter the URL of the backend server. Note that this value is automatically entered when you enter the external URL and you should change it only if the backend server URL is different; for example, http://maps/.
  • Web Application Proxy can translate host names in URLs, but cannot translate path names. Therefore, you can enter different host names, but you must enter the same path name. For example, you can enter an external URL of https://apps.yourdomain.com/app1/ and a backend server URL of http://app-server/app1/. However, you cannot enter an external URL of https://apps.yourdomain.com/app1/ and a backend server URL of https://apps.yourdomain.com/internal-app1/.

5. On the Confirmation page, review the settings, and then click Publish. You can copy the PowerShell command to set up additional published applications.

6. On the Results page, make sure that the application published successfully, and then click Close.

Publish Application using Windows Store App or Oauth2

You can publish an application using pre-authenticated Windows Store App. This steps only be performed using Windows PowerShell. Open Elevated Windows PowerShell prompt in WAP Server. Change the following command as required and issue the command.

Set-WebApplicationProxyConfiguration –OAuthAuthenticationURL ‘https://fs.yourdomain.com/adfs/oauth2/&#8217;

Add-WebApplicationProxyApplication

-BackendServerURL ‘https://storeapp.yourdomain.com/&#8217;

-ExternalCertificateThumbprint ‘1a2b3c4d5e6f1a2b3c4d5e6f1a2b3c4d5e6f1a2b’

-ExternalURL ‘https://storeapp.yourdomain.com/&#8217;

-Name ‘Windows Store app Server’

-ExternalPreAuthentication ADFS

-ADFSRelyingPartyName ‘Store_app_Relying_Party’

-UseOAuthAuthentication

Part 1: Install and Configure Forefront UAG Step by Step

Part 2: Publish RDS using Forefront UAG 2010 Step by Step

Part 3: Publish Exchange Server 2010 Using Forefront UAG 2010 Step by Step

Part 4: Redirect Web Application from HTTP to HTTPS using Forefront UAG 2010 Step by Step

Part 5: Publish SharePoint Server 2010 Using Forefront UAG 2010 Step by Step

Part 6: Forefront UAG Patching Order

Forefront TMG 2010: How to install and configure Forefront TMG 2010 —-Step by step

Deploy Web Application Proxy Role in Windows Server 2012 R2 –Part I

Deploy Web Application Proxy Role in Windows Server 2012 R2 –Part II

Web Application Proxy is a role in Windows Server 2012 R2. Web Application Proxy brings some functionality of Microsoft Forefront TMG and Microsoft Forefront UAG but not all of them. Since Microsoft phased out Forefront product line except FIM. Web Application Proxy provides functionality or role in Windows Server 2012 R2 for customer who still wants use Microsoft platform to publish their application such as Exchange 2013, Lync 2013 and SharePoint 2013 to external clients and vendors.

Web Application Proxy provides pre-authentication and authorization method using Active Directory Federation Services including multifactor authentication and access control. Deployment of ADFS is separate to Web Application Proxy which means you must have a separate server hosting ADFS role.

Benefits of Web Application Proxy

  • Pre-authentication—Only authenticated traffic can get into the corporate network.
  • Network Isolation—Incoming web traffic cannot directly access backend servers.
  • Selective Publishing—Only specific applications and paths within these applications are accessible.
  • DDoS Protection—Incoming traffic arrives at Web Application Proxy before hitting the corporate network. Because Web Application Proxy acts as a proxy, many DDoS attacks can be prevented from reaching the backend servers.
  • Selective Ports- Apply deny ALL and allow selected ports. This policy will prevent SQL injection.
  • Extended validation– URL validation and verification using public certificate authority. Support strong security and encryption using SHA and 2048 bit certificate encryption.

Web Application Proxy Infrastructure

  • Active Directory Domain Services (AD DS)
  • Internal Domain Naming System (DNS)
  • External DNS Name Resolver or ISP
  • Active Directory Federation Services (AD FS)
  • Active Directory Certificate Services (AD CS)
  • Web Application Proxy Server(s)
  • Public Certificate Authority
  • Internal Enterprise Certificate Authority
  • Backend Application Server(s)

Web Application Proxy Network

Web Application proxy can be deployed in several topologies. In all these scenario Web Application Proxy needs two network adapter.

Edge Firewall: Behind a frontend firewall like Cisco ASA to separate it from internet. Firewall must allow HTTPS (443) traffic to and from Web Application Proxy server.

DMZ: Behind a frontend firewall like Cisco ASA to separate it from internet and before corporate firewall like Cisco ASA to separate it from corporate network. Firewall must allow HTTPS (443) traffic to and from Web Application Proxy server. For client certificate authentication, you must also configure the firewall to allow traffic on port 49443.

Edge Configuration: One network adapter directly connected to internet and another network adapter connected to corporate network. Web Application Proxy can be a member of an Active Directory Domain.

TCP/IP Configuration Examples

Scenario Internal NIC External NIC
non-domain joined IP: 10.10.10.20Subnet: 255.255.255.0

Gateway: 10.10.10.254

DNS:10.10.10.21

IP:192.168.0.10Subnet: 255.255.255.0

Gateway: NIL

DNS: NIL

Domain Joined IP: 10.10.10.20Subnet: 255.255.255.0

Gateway: NIL

DNS:10.10.10.21

IP: 203.17.x.x Public IPSubnet: 255.255.255.0

Gateway:203.17.x.254 Public Gateway

DNS: 8.8.8.8 or Public DNS

DNS Requirement

  • Internal DNS: Web Application Proxy must resolve internal fully qualified domain name of backend application server such as Exchange or SharePoint server. You must configure correct DNS record and TCP/IP Settings of Web Application Proxy Server either using DNS server or editing hosts file in WindowsSystems32DriversEtc location.
  • External DNS: External client must resolve fully qualified domain name of application. In this case, you must configure HOST (A) record in public DNS server. Note that the external URL must resolve to the external IP address of the Web Application Proxy server, or the external IP address of a firewall or load-balancer placed in front of the Web Application Proxy server.

Load Balancer Consideration

Web Application Proxy does not have in-built load balancer or ISP redundancy functionality. Depending on your requirements, you can use any hardware or software load-balancer to balance load between two or more Web Application Proxy Servers.

Domain Joined or non-domain joined

Web Application Proxy can be deployed without joining the server to an Active Directory domain or by joining the Web Application Proxy server to a standalone domain in a perimeter network.

You can deploy Web Application Proxy with a read-only domain controller. However, if you want to deploy Web Application Proxy and DirectAccess on the same server, you cannot use a read-only domain controller.

Authentication Consideration

Web Application Proxy can work with the following authentication protocols.

  • AD FS pre-authentication
  • Integrated Windows authentication
  • Pass-through pre-authentication

Network Time Protocol (NTP)

You must have a proper NTP server in your organization. NTP server can be your domain controller or a Cisco Core Switch. Timestamp must identical between AD FS and Web Application Proxy Server.

Certificate Authority

There are two types of certificate requirements for Web Application Proxy Server- Public CA and Enterprise CA.

  • Public CA: External clients to be able to connect to published web applications using HTTPS, Web Application Proxy must present a certificate that is trusted by clients. In this case you must bind a public certificate with published application in backend server and web application proxy server.
  • Enterprise CA: AD FS certificates must match federation service value. AD FS can use internal Enterprise CA. For examples, Common Name (CN) of Certificate is adfs.superplaneteers.com

Supported Certificate Template

Web Server Certificate with single common name, subject alternative name (SAN) certificates, or wildcard certificates.

Pass-Through Pre-Authentication

When you publish Exchange and SharePoint using Web Application proxy Server, you can pass-through authentication to the specific application instead of AD FS or Web Application Proxy. In this case Web Application Proxy forwards the HTTPS request directly to the backend server using either HTTP or HTTPS. Pass-through authentication is still a worry-free deployment because it prevent DDoS and SQL injection and provide network isolation.

vSphere 5.5 is Catching Up with Hyper-v 2012 R2

Is VMware catching up with Microsoft? Yes you heard correct. I said “VMware is catching up with Microsoft” VMware released a latest update vSphere 5.5 to catch up with Microsoft Windows server 2012 R2. Here is a short comparison of VMware improvement to catch up with Hyper-v 2012 R2.

Options

vSphere 5.5

Hyper-v 2012 R2

Host CPU Core

320 (Previous version 160)

320

vCPU/Host

2048

2,048

vCPU/Guest

64 (Previous version 8)

64

Host Memory

4TB (Previous version 2TB)

4TB

vRAM/VM

1TB (Previous version 32GB)

1TB

VM/Host

2048 (previous version512)

2048

Maximum Node

32

64

Max VM/Cluster

4000

8,000

Networking

Link Aggregation Control Protocol Enhancements

Traffic Filtering

Quality of Service Tagging

SR-IOV Enhancements

Enhanced Host-Level Packet Capture

40GB NIC support

10GigE Simultaneous Live Migrations is only for 8 Vms

Support for SR-IOV networking devices

Dynamic Virtual Machine Queue (D-VMQ)

Accelerating Network I/O

IPsec Task Offload for Virtual Machines

Metering virtual machine use in a multitenant environment

IP Address Management (IPAM)

Hyper-V Network Virtualization

Hyper-V Extensible Switch

Quality of Service (QoS)

Remote Desktop Protocol (RDP) WAN Optimizations

WebSocket Protocol

Server Name Indicator (SNI)

Direct Access and VPN

Private VLANS (PVLANS)

Trunk Mode to Virtual Machines

Unlimited 10GigE Simultaneous Live Migrations

Site-to-site network connections using private IP address

Cisco NVGRE (Network Virtualization using Generic Routing Encapsulation)

Storage

Support for 62TB VMDK

MSCS Updates

vSphere 5.1 Feature Updates

16GB E2E support

PDL AutoRemove

vSphere Replication Interoperability

vSphere Replication Multi-Point-in-Time Snapshot Retention

vSphere Flash Read Cache

64TB VMFS

64TB RDM

64TB VHDX

VHD de-duplication

high availability, performance, reliability, and scalability features on inexpensive commodity storage

Offloaded Data Transfer (ODX)

Resilient File System

Deploy large NTFS volumes

Thin Provisioning and

And Trim

Cluster Shared Volume version 2

iSCSI Software Target

Support for VMware Virtual Machines and NFS 4.1

High Performance Highly Available Storage with SMB

SMB Scale-Out

Virtual Fiber Channel

256TB+ pass through disk (RDM)

Local Storage

64TB (Previous version 2TB)

64TB

Dynamic Memory

Yes

Yes

Resource Metering

Yes (Previous version No)

Yes

Hardware GPU

Yes (Previous version No)

Yes

Unified VDI

No. Buy VMware View

yes

Guest OS Application monitoring

Yes (Previous version No)

yes

Incremental Backups

Yes (Previous version No)

yes

VM Replication

Yes (Previous version No)

yes

Guest Clustering with Dynamic Memory

No

yes

Multi-tenant

No (Buy VMware vCloud)

yes

VMware goes after biz critical apps with vSphere 5.5

VMware what’s New

Windows Server 2012 R2 what’s New

VMware vSphere: What’s New 5.0

HA: VMware provides several features that can be leveraged to increase the availability of a virtualized environment.With the latest release, several enhancements have been incorporated within VMware vCenter Server Heartbeat. These feature enhancements are the result of the focus of VMware in three key areas — manageability, usability,and application support.

Networking:  There are two broad types of networking capabilities that are new or enhanced in the VMware vSphere 5.0 release. The first type improves the network administrator’s ability to monitor and troubleshoot virtual infrastructure traffic by introducing features such as
• NetFlow
• Port mirror

The second type focuses on enhancements to the network I/O control (NIOC) capability first released in vSphere 4.1. The following are the key NIOC enhancements:
• User-defined resource pool
• vSphere replication traffic type
• IEEE 802.1p tagging

User-defined network resource pools in vSphere 5.0 provide an ability to add new traffic types beyond the standard system traffic types that are used for I/O scheduling.

Performance:  The following are some of the performance highlights:

VMware vCenter™ Server scalability
• Faster high-availability (HA) configuration times
• Faster failover rates – 60% more virtual machines within the same time
• Lower management operational latencies
• Higher management operations throughput (Ops/min)

Compute
• 32-way vCPU scalability
• 1TB memory support

Storage
• vSphere® Storage I/O Control (Storage I/O Control) now supports NFS – Set storage quality of service priorities per virtual machine for better access to storage resources for high-priority applications Network
• vSphere® Network I/O Control (Network I/O Control) – Gives a higher granularity of network load balancing vSphere vMotion®
• vSphere vMotion® (vMotion) – Multi–network adaptor enablement that contributes to an even faster vMotion
• vSphere Storage vMotion® (Storage vMotion) – Fast, live storage migration with I/O mirroring

Technical:

These advancements build on the core capacities in vSphere to provide improved
scalability; better performance; and easier provisioning, monitoring and troubleshooting. This paper focuses on
the following new features and enhancements:
• Virtual machine enhancements
• Improved SSD handling and optimization
• Command-line enhancements
• VMware® ESXi™ firewall
• vSphere Image Builder
• vSphere Auto Deploy server
• vSphere Host Profiles
• VMware vCenter™ Update Manager

Storage: VMware vSphere™ 5.0 brings many new capabilities to extend the benefits of vSphere 4.1. These new features and enhancements to core capabilities in vSphere provide more performance optimization and easier provisioning, monitoring and troubleshooting.

The topics to be covered in this paper are:
• vSphere® VMFS-5
• vSphere® Storage Distributed Resource Scheduler (Storage DRS)
• vSphere® Storage APIs – Storage Awareness
• Profile-Driven Storage
• Fibre Channel over Ethernet
• vSphere® Storage I/O Control (Storage I/O Control)
• vSphere® Storage APIs – Array Integration
• vSphere® Storage vMotion® (Storage vMotion)

VMware vSphere New Licensing Model:

Attributes ESX4.1 ESX5.0
Licensing Unit CPU CPU
SnS Unit CPU CPU
Core per proc

6 cores  Standard
Enterprise, ESS,
ESS+

12 core for Advanced
and Ent. Plus

unlimited

Physical RAM
Capacity per host

256GB for Standard,
Advanced Ent, ESS, ESS+

Unlimited for Ent. Plus

unlimited

vRAM Capacity
per proc

N/A

24GB Ess, Ess Plus, Standard
32GB Enterprise
48GB Ent. Plus

Pooling of
entitlements

N/A vRAM entitlement shared among ESX Host
Monitoring tool N/A Built-in

So how do you know, how much CPU license you need and how much vRAM entitlement you have? For example, you have 3 dual CPU ESX Host, each CPU has 12 core and you would like to buy standard license to start with. In this case, you need 3 Host X 2 CPU=6 CPU standard license. Your entitlement for vRAM would be 24GBx6CPU=144GB in total because standard license only allow 24GB per CPU. In this capacity, you will be able to virtualize 36 virtual machine that means 4GB per virtual machine. So if your hardware capacity is 192GB than you can not use extra 48GB vRAM.

What happen if you need more vRAM, there are two option either you upgrade your license from standard to enterprise or buy more vRAM license. Say you upgrade to Enterprise license than you are entitled to have 32GBx6CPU=192GB vRAM or you have to buy additional 48GB vRAM license on top of standard license.

Installation of vCenter: Here, for this article, I am doing an in place upgrade of my test VMware vSphere 4.1 infrastructure. In a production environment, this is not an recommended approach. you can download 60 days trial version from from VMware evaluation site. Systems requirements are fairly straight forward. you have to have Windows Server 2008 x64 Server as a domain member. In VMware vSphere 5.0 you can download Linux based VMware vCenter appliance. 

1

2

3

4567891011121314151617181920

21

Installation of New VI Client: Once you finish installing VMware vCenter, you have to have VI Client 5.0 to connect to the vCenter. Follow the screen shot to install VI client.

2223242526

Installation of vSphere Update Manager:

272829303132333435

Installation of ESXi Dump Collector:

36

37

It would be an wise idea to integrate dump collector on vCenter so that you can perform all administrative task from one single platform.

383940414243

Installation of Syslog Collector:

4445464748495051

Installation of Auto Deploy: The vSphere Auto Deploy server simplifies the deployment of VMware ESXi hosts in your environment. Using the Auto Deploy server, you can provision hundreds of physical hosts with VMware ESXi software. You can specify the image to deploy and the host to provision with the image. When a physical host setup for Auto Deploy is turned on, Auto Deploy uses a PXE boot infrastructure in conjunction with vSphere Host Profiles to provision and customize that host. No state is stored on the host itself. Instead, the Auto Deploy server manages state information for each host.
When a physical host is booted, it PXE boots over the network where a DHCP server assigns an IP address and redirects the host to a TFTP server, which directs the host to perform an HTTP boot from the Auto Deploy server. The Auto Deploy server then streams the VMware ESXi software image into memory on the target host. Once the entire image is resident in memory, VMware ESXi boots up and contacts the VMware vCenter Server, where Host Profiles can be used to automatically configure the host. Once the host has been configured, it is placed into the proper VMware vCenter cluster or folder and is available to host virtual machines.

52535455565758

Installation of Authentication Proxy:

5960616263

Once you have installed every all necessary part of vSphere, you can start all the services associated with the new installation.

64

New Features at a Glace:

image

65

66

Relevant References:

Download VMware vSphere 5.0

Technical Resource Center

The Cloud Era is Here