Microsoft licensing explained (an attempt)

Microsoft licensing is hard and complex. Many options are offered by Microsoft for the right to use their software.

It is a skill to be able to provide the best advice and to implement licensing the correct way. First, there are many different agreements, plans and programs. Secondly, there are many rules, fine print, exceptions and not so obvious restrictions, documented in not always very well known documents.

In this blog I will provide a high-level overview of Microsoft licensing. Once you understand the basics, Microsoft's detailed information on all the agreements and enrollments will provide the details.

Buy or lease agreements

The right to use Microsoft software can be obtained via two ways:

  1. as retail boxed software. Customers buy a box with the software on DVD and the license to use the software.
  2. as part of Volume Licensing. Customers receive a license and download the software from a Microsoft portal. Customers that enter into a Volume Licensing agreement get a discount and other benefits.

Volume Licensing can be either purchased, leased or leased/purchased. Depending on the cash position and the dynamics of the organization, either a lease or a purchase is the best option. Agreements for organizations with over 5 computers are part of Microsoft Volume Licensing. There are programs for organizations with 5-250 computers and for organizations with over 250 computers.

For Service Providers Microsoft has a pay-as-you-go model available. A service provider is only charged for the actual usage of a product. This can even be a single hour.

Volume Licensing has three important components which you should be aware of.

  • agreements or programs
  • enrollments
  • software assurance

An agreement is a procurement contract. In the contract Microsoft and the customer agree on many things. It has information on processes like True-Up and defines the length of the contract, the payment, the term for additional product license acquisitions, subsequent orders and perpetual rights.

Enrollments are available as part of the Enterprise Agreement and Select licensing programs. Enrollments are contracts about the ordering of software: the customer promises to buy a certain quantity of software and certain types of software, and in return receives a discount.

Enrollments are a Microsoft way to push customers in a certain direction. This can be towards purchasing Software Assurance, purchasing Hyper-V, standardizing on Office or consuming cloud services like Azure.

Software Assurance (SA) is a kind of maintenance contract. Customers have the right to use the latest version of the software. Another benefit is the right to move licenses to other servers or to cloud environments. Microsoft is constantly moving benefits which used to be included in the license to SA. The cost of SA is about 25% of the license price, paid each year.

For some agreements the customer can decide to buy SA in addition to the license. In many agreements SA is included. SA was introduced by Microsoft to guarantee a steady cash flow. Before SA, Microsoft got a lot of revenue right after the release of a new version of software; then the revenue dropped until the next release. With SA, Microsoft receives money monthly from customers on SA.

The reference guide explains it all.

Available Agreements 

The image below shows the major agreements available to corporate customers. There are also agreements for government, education, charity, service providers and partners of Microsoft.

These programs are all focused on on-premises software usage. They do however offer the possibility to use Microsoft cloud services as well.

Pricing differs widely between agreements. Organizations with over 250 users/computers get a better price than those with a few users. Organizations with many desktops get better discounts than those with few desktops. Schools get about 80% discount on licenses.

To be able to start an agreement, organizations must meet certain conditions, for example a minimum purchase or having all workstations installed with the latest Office version.

It is perfectly possible for a customer to use various agreements.

Microsoft license agreements

Agreements for small orgs with 5-250 computers or users 

  • Open License
  • Open Value
  • Open Value Subscription

Open License is just buying the license. This gives the customer the right to use the software as long as he wants. There is no rental available. A maintenance program called Software Assurance can be purchased if the customer wants to upgrade to the most recent version of the software. Software is paid upfront.

Open Value includes Software Assurance. The customer can annualize the billing over 3 years or pay upfront. After three years there are no more payments and the license belongs to the customer. Licenses can only be added to the agreement, so if your organization shrinks you might have to pay for more licenses than needed.

Open Value Subscription means the customer rents the software. When the rental period has expired and is not extended, the software may not be used anymore. Licenses can be added to (True-Up) or removed from the agreement (True-Down).

These agreements can be sold by any Microsoft partner.

Agreements for large orgs with over 250 computers or users

  • Select and Select Plus
  • Enterprise Agreement
  • Enterprise Agreement Subscription

Select Plus is a purchase program with an option to buy SA. To qualify for Select Plus, customers have to place an initial order of 500 points per product pool. Microsoft products are grouped into three pools: applications, systems, and servers. 500 points equals, for example, 250 Office licenses. The more points a customer has, the better the discount. More on Select Plus here.

Select Plus is being replaced by a new agreement for midsized organizations called the Microsoft Products and Services Agreement (MPSA). A FAQ is here. The general rollout of MPSA licensing is planned for late 2014, which is when all enrollments will be expected to start following the MPSA model. Microsoft describes the MPSA as blending elements of the Microsoft Business and Services Agreement, Select Plus licensing and Microsoft Online Services subscriptions. A comparison of Select Plus and MPSA is here.

A Microsoft Enterprise Agreement can be purchased from a Microsoft Licensing Solution Provider only. The Microsoft Enterprise Agreement allows organizations with more than 250 PCs, devices and/or users to purchase Microsoft licenses and cloud services over a three-year period at the best available pricing. As Software Assurance is included, customers have the right to use the most recent version. At the end of the three years the license becomes a perpetual license, meaning the customer can use it as long as he wants. Customers cannot reduce the number of licenses during the three-year period.

The Microsoft Enterprise Subscription Agreement is a pay-as-you-go model. It is a three-year rental agreement which includes Software Assurance. Customers have the ability to decrease the number of licenses each year during the True-Up process. There is no initial CAPEX; costs are booked as operational costs. Licenses in this agreement are nonperpetual (or subscription) licenses, which provide the right to use a particular licensed product until the end of the license-agreement term. A requirement is that all desktops of the customer are standardized on Office, Windows or the Core CAL.

More info here. 

The difference between both is explained here.

MOSA Microsoft Online Subscription Agreement

MOSA is a dedicated licensing agreement for using Microsoft Online Services like Office 365. After signing the MOSA, customers can purchase subscriptions under the Microsoft Online Subscription Program (MOSP). This is a subscription-based Microsoft Volume Licensing program for organizations with one or more users that want to subscribe to, activate, provision, and maintain services seamlessly and affordably. The services available in this program include Office 365, Windows Azure Platform, CRM Online, and Intune.

Agreements for Service Providers

  • Microsoft Services Provider License Agreement (SPLA)

Agreements for Education

  • School Enrollment
  • Campus and School Agreement (CASA): specifically for qualified academic institutions such as schools, colleges and universities, including research facilities, interested in purchasing five or more licenses.
  • Enrollment for Education Solutions (CASA+EES or OVS-ES).
  • Microsoft Campus Agreement for higher education
  • Microsoft School Agreement for primary and secondary education institutions.

Enrollments

An enrollment is an extension of some agreements like the Enterprise Agreement. The goal of an enrollment is to encourage customers to buy a number of licenses or to standardize on Microsoft products. In return they get a discount.

For Enterprise Agreements the following enrollments are available:

  • Server and Cloud Enrollment (SCE). The most recent enrollment which replaces the ones listed below.
  • Enrollment for Application Platform (EAP)
  • Enrollment for Core Infrastructure  (ECI)
  • Enrollment for Windows Azure (EWA)

Server and Cloud Enrollment (SCE) covers datacenter products both on-premises and in the cloud. It includes SQL Server, SharePoint, BizTalk, the Core Infrastructure Suite, Visual Studio and Azure. No license growth is required, but a minimum purchase of licenses is. For example, to meet SCE requirements customers must purchase a minimum of 50 SQL Server core licenses or 5 SharePoint licenses. Customers also need to cover their entire enterprise server footprint with SA.
More info on SCE

Enrollment for Application Platform contains SQL Server, Visual Studio, SharePoint and BizTalk. It provides up to 40% discount, but license growth of 20-30% over a baseline is expected.

Enrollment for Core Infrastructure offers discounts on a bundle of Windows Server and System Center. Two bundles are available: the Core Infrastructure Suite Datacenter and the Core Infrastructure Suite Standard. A discount of 20% is given on the bundle compared to buying the product licenses individually.

More info on ECI and EAP

This image compiled by Enpointe.com clearly shows the differences between the enrollments.


Legal documents

When the agreement has been signed, the customer should comply with certain documents published by Microsoft. These documents explain how licenses should be applied.

The Microsoft Business and Service Agreement (MBSA) is the perpetual umbrella agreement that dictates the basic terms for all signed licensing agreements between your organization and Microsoft. This master agreement defines contract terms common to Microsoft licensing, service, and support agreements. MBSA is applicable for Select, Select Plus and Enterprise Agreements.

An important document for on-premises software is the Product Use Rights (PUR). Service Providers have to use the Services Provider Use Rights (SPUR) document instead. Both are updated frequently by Microsoft. The PUR describes per Microsoft product how the license should be used.

The Product List is another important document. It has info on the availability of new products, point values, product migration paths and Software Assurance benefits.

Both are binding documents. The customer must comply with what is written in them.

It is important to understand which license the PUR applies to. An excellent post at microsoftlicensereview.com about the PUR states:

  • For customers that elect to leverage downgrade rights, the Product Use Rights for the version licensed, not the version running will apply.

 

Some terms being used

Microsoft uses various terms in licensing documents. Some are explained here.

True-up
Customers with an Enterprise Agreement or Open Value contract agree to use a certain number of licenses. The customer is allowed to use more licenses than agreed. Once a year the customer reports the number of licenses in use. The difference between the number of licenses in the EA or Open Value agreement and the actual usage is the True-Up. Reporting the True-Up once a year is mandatory.

Level and No Level
Microsoft provides a discount when customers purchase a certain number of licenses. If the number of licenses is below a threshold, this is called No Level. Level means the customer has acquired more licenses than the threshold and gets a bigger discount. So Level licenses are always cheaper than No Level licenses.

Levels in some products have numbers like Level C or Level D.

Pricing levels 
For Enterprise Agreements there are pricing levels, starting at Level A, which provides the lowest discount, up to Level D, which offers the highest discount. Governments always get the Level D discount. The numbers in the second column show the number of desktops in use by the organization.

EA level A 250 – 2.399
EA level B 2.400 – 5.999
EA level C 6.000 – 14.999
EA level D 15.000 +

Step-up licensing
Customers with a volume agreement including Software Assurance can upgrade the edition of software for a reduced price. For example, they can upgrade from Windows Server Standard Edition to Datacenter Edition.
More info here.

Points
Some agreements like Select Plus use points to determine if a customer qualifies for the agreement. Each Microsoft product has a point value. These are documented in the Product List.

Pricelist

Many price lists are available on the Internet. Prices are hard to understand, as you will see different prices for what looks like the same product. As you have learned, the price depends on the type of organization, agreement, enrollment, number of licenses in use, etc.

This is a price list of Kernel Software.


Zerto releases Virtual Replication 3.5

Today Zerto released Zerto Virtual Replication (ZVR) 3.5. Virtual Replication does per-VM replication and recovery orchestration and is targeted at enterprises and service providers using VMware vSphere. Especially in the US, a growing number of service providers use Zerto VR to offer Disaster Recovery as a Service (DRaaS) to their customers.

Zerto partners with Cisco. Cisco is using ZVR in their blueprints for service providers. Cisco customers can use these blueprints to offer DRaaS services to their customers to enhance their business model.

New major features in ZVR 3.5 are:

  1. Offsite backup
  2. VMware VSAN support
  3. new action APIs
  4. alerts and notification enhancements
  5. tolerant failover

This release also includes bug fixes.

Virtual Replication 3.5 is available for immediate download from the Zerto portal.


A video explaining and demoing the features can be seen here.

New in ZVR 3.5 is the ability to make an offsite backup. An offsite backup is basically a copy of a regular replica stored in a safe place for a longer period.
The name 'Offsite Backup' can be a bit confusing. The functionality can be compared to NetApp SnapVault: basically, Offsite Backup is a vault (or backup) for replicas. The purpose is to make sure the replica can be retrieved over a longer time window.

A regular ZVR replica offers protection of at most 5 days. Offsite backup allows restoring data from up to one year back in time. Offsite backups can be stored on SMB/CIFS shares. Storing offsite backup data in Amazon cloud storage is supported as well, using a tool which presents Amazon storage as a file share over SMB.

The offsite backup is wrapped in a so-called Zerto Backup Package. The package contains a full backup of all virtual machines that are part of a Zerto Virtual Protection Group. The package is portable: it does not need the exact Zerto Virtual Manager installation or version to be restored.

Note that offsite backup is not a replacement for regular backup software. It does not have deduplication, is not an archiving solution and is not able to recover single files.

Use cases for Offsite backup are:

  • compliance
  • archiving of test/dev virtual machines. Think about a software company using VMs for development
  • 3rd site for storage of backup
  • cost reduction

Tolerant failover means a failover is still regarded as successful even when some of the VMs are recovered but cannot be turned on. Causes for a VM not being able to start could be, for example, an IP conflict, a MAC address conflict or not enough resources in a resource pool.

 

 

Checking hardware recommendations might prevent VSAN nightmare.

<update June 4>

Jason Gill posted the Root Cause Analysis done by VMware on his VSAN issue described below. Indeed the issue was caused by the use of the Dell PERC H310 controller, which has a very low queue depth. A quote:

While this controller was certified and is in our Hardware Compatibility List, its use means that your VSAN cluster was unable to cope with both a rebuild activity and running production workloads. While VSAN will throttle back rebuild activity if needed, it will insist on minimum progress, as the user is exposed to the possibility of another error while unprotected. This minimum rebuild rate saturated the majority of resources in your IO controller. Once the IO controller was saturated, VSAN first throttled the rebuild, and — when that was not successful — began to throttle production workloads.

Read the full Root Cause Analysis here at Reddit.

Another interesting observation while reading the thread on Reddit is that the Dell PERC H310 is actually an OEM version of the LSI 2008 card. John Nicholson wrote a very interesting blog about the H310 here.

Dell seems to ship the H310 with old firmware. With the latest firmware the queue depth of the Dell PERC H310 can be increased to 600!

We went from 270 write IOPS at 30 ms of write latency to 3000 write iops at .2ms write latency just by upgrading to the new firmware that took queue depth from 25 to 600

This article explains how to flash a Dell PERC H310 with newer firmware. I am not sure if a flashed PERC H310 is supported by VMware. As an HBA with better specs is not that expensive, I advise flashing the Dell PERC H310 only when it is used in non-production environments.

————————————————————-

June 02, 2014

An interesting post appeared on Reddit. The post, titled My VSAN nightmare, describes a serious issue in a VSAN cluster. When one of the three storage nodes failed, displaying a purple screen, initially all seemed fine. VMware HA kicked in and restarted VMs on the surviving nodes (two compute and two storage nodes). The customer was worried about redundancy, as storage was now located on just two nodes, so SSD and HDD storage was added to one of the compute nodes. This node did not have local storage before.

However, exactly 60 minutes after adding the new storage, DRS started to move VMs to other hosts, lots of IO was seen, all (about 77) VMs became unresponsive and all died. VSAN Observer showed that IO latency had jumped to 15-30 seconds (up from just a few milliseconds on a normal day).

VMware support could not solve the situation and basically told the customer: "wait till this I/O storm is over". About 7 hours later the critical VMs were running again. No data was lost.

At the moment VMware support is analyzing what went wrong to be able to make a Root Cause Analysis.

Issues on VSAN like the one documented on Reddit are very rare. This post will take a look under the covers of VSAN. I hope this helps to understand what is going on under the hood of VSAN and that it might prevent this situation from happening to you as well.

Let's have a closer look at the VSAN hardware configuration of the customer who wrote about his experiences on Reddit.

VSAN hardware configuration
The customer was using 5 nodes in a VSAN cluster: 2x compute nodes (no local storage) and 3x storage nodes, each with 6x magnetic disks and 2x SSDs, split into two disk groups each.
Two 10 Gb NICs were used for VSAN traffic. A Dell PERC H310 controller was used, which has a queue depth of only 25. The HDDs were Western Digital WD2000FYYZ 2 TB 7200 rpm SATA drives. The SSDs were Intel DC S3700 200 GB.

The Dell PERC H310 is interesting, as in Duncan Epping's post here it is stated:

Generally speaking it is recommended to use a disk controller with a queue depth > 256 when used for VSAN or “host local caching” solutions

VMware VSAN Hardware Guidance also states:

The most important performance factor regarding storage controllers in a Virtual SAN solution is the supported queue depth. VMware recommends storage controllers with a queue depth of greater than 256 for optimal Virtual SAN performance. For optimal performance of storage controllers in RAID 0 mode, disable the write cache, disable read-ahead, and enable direct I/Os.

Dell states about the Dell PERC H310:

 Our entry-level controller card provides moderate performance.

Before we dive into the possible cause of this issue, let's first cover some basics of VMware VSAN. Both Duncan Epping and Cormac Hogan of VMware wrote some great posts about VSAN. Recommended reads! See the links at the end of this post.

VSAN servers 
There are two ways to install a new VSAN server:

  1. assemble one yourself using components listed in the VSAN Hardware Compatibility Guide
  2. buy one of the VSAN Ready Nodes. 16 models are available now from various vendors like Dell and Supermicro.

Dell has 8 different servers listed as VSAN Ready Nodes. One of them is the PowerEdge R720-XD, which is the same server type used by the customer describing his VSAN nightmare. However, the Dell VSAN Ready Node has 1 TB NL-SAS HDDs while the Reddit case used 2 TB SATA drives. So he was likely using servers he assembled himself.

Interestingly, 4 out of the 8 Dell VSAN Ready Node servers use the Dell PERC H310 controller. Again, VMware advises a controller with a queue depth of over 250, while the PERC H310 has 25.


VSAN storage policies
For each virtual machine or virtual disk active in a VSAN cluster an administrator can set 'virtual machine storage policies'. One of the available storage policies is named 'number of failures to tolerate'. When set to 1, virtual machines to which this policy is applied will survive a failure of a single disk controller, host or NIC.

VSAN provides this redundancy by creating one or more replicas of VMDK files and storing these on different storage nodes in the VSAN cluster.

In case a replica is lost, VSAN will initiate a rebuild. A rebuild recreates the replica of the VMDKs.

VSAN response to a failure. 

VSAN's response to a failure depends on the type of failure.
A failure of an SSD, HDD or the disk controller results in an immediate rebuild. VSAN understands this is a permanent failure which is not caused by, for example, planned maintenance.

A failure of the network or a host results in a rebuild which is initiated after a delay of 60 minutes. This is the default wait. The wait is there because the absence of a host or network could be temporary (maintenance, for example), and it prevents wasting resources. Duncan Epping explains the details in this post: How VSAN handles a disk or host failure.
The image below was taken from this blog.

If the failed component returns within 60 minutes, only a data sync will take place: only the data changed during the absence will be copied over to the replica(s).

A rebuild however means that a new replica will be created for all VMDK files that are not compliant. This is also referred to as a 'full data migration'.

To change the delay time, see this VMware KB article: Changing the default repair delay time for a host failure in VMware Virtual SAN (2075456).

Control and monitor VSAN rebuild progress
At the moment VMware does not provide a way to control and monitor the progress of the rebuild process. In the case described at Reddit, VMware basically advised 'wait and it will be alright'. There was no way to predict for how long the performance of all VMs stored on VSAN would be badly affected by the rebuild. The only way to see the status of a VM is by clicking on a VM in the vSphere Web Client, selecting its storage policies tab, then clicking on each of its virtual disks and checking the list, which will tell you "Active", "Reconfiguring", or "Absent".

For monitoring, VSAN Observer provides insight into what is happening.

Looking at clomd.log can also give an indication of what is going on. This is the log file of the Cluster Level Object Manager (CLOM).

It is also possible to use command line tools for administration, monitoring and troubleshooting. VSAN uses the Ruby vSphere Console (RVC) command line. Florian Grehl wrote a few blogs about managing VSAN using RVC.

The VMware VSAN Quick Troubleshooting and Monitoring Reference Guide has many details as well.

Possible cause
It looks like the VSAN rebuild process, which started exactly 60 minutes after the extra storage had been added, initiated the I/O storm. VSAN was correcting a non-compliant storage profile and started to recreate replicas of VMDK objects.

A possible cause for this I/O storm could be that the rebuild of almost all VMDK files in the cluster was executed in parallel. However, according to Dinesh Nambisan, working for the VMware VSAN product team:

 “VSAN does have an inbuilt throttling mechanism for rebuild traffic.”

VSAN seems to use a Quality of Service system for throttling back replication traffic. How this exactly works and whether it is controllable by customers is unclear. I am sure we will soon learn more about this, as it seems key to solving future issues with low-end controllers and HDDs combined with a limited number of storage nodes.

While the root cause has yet to be determined, a combination of configuration choices could have caused this:

1. Only three servers in the VSAN cluster were used for storage. When one failed, only two were left. Those two were both active in the rebuild of about 77 virtual machines at the same time.
2. Using SATA 7200 rpm drives as the HDD persistent storage layer. Fine for normal operations when SSD is used for cache, but in a rebuild operation not the most powerful drives, with low queue depths.
3. Using an entry-level Dell PERC H310 disk controller. The queue depth of this controller is only 25, while the advice is to use a controller with a 250+ queue depth.

Some considerations
1. Just to be on the safe side, use controllers with at least 250+ queue depth.
2. For production workloads, use N+2 redundancy.
3. Use NL-SAS drives or better HDDs. These have much higher queue depths (256) compared to SATA HDDs (32).
4. In case of a failure of a VSAN storage node: try to fix the server by swapping memory/components to prevent rebuilds. A sync is always better than a rebuild.

5. It would be helpful if VMware added more control over the rebuild process. When N+2 is used, rebuilds could be scheduled to be executed only during non-business hours. Also some sort of control over the priority in which replicas are rebuilt would be nice. Something like this:

in case of N+1: tier 1 VMs rebuild after 60 minutes; tier 2 and 3 rebuild during non-business hours
in case of N+2: all rebuilds only during non-business hours. Tier 1 VMs first, then tier 2, then tier 3, etc.
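As an added example (not code from this post, from VMware or from the Reddit thread), the Python below turns the thresholds quoted above (controller queue depth above 256, NL-SAS at 256 versus SATA at 32, N+2 for production) and the rules from the 'VSAN response to a failure' section (immediate rebuild for disk or controller loss, sync versus rebuild around the 60-minute repair delay for a host or network loss) into a design check that can be run against a cluster description. The Reddit configuration is reconstructed inline from the values quoted in the post; the 2*FTT+1 host rule is taken from Cormac Hogan's "How many hosts needed to tolerate failures?" post linked below.

```python
"""Check a VSAN cluster design against the guidance quoted in this post."""
from dataclasses import dataclass
from typing import List

# Thresholds taken from the post: VMware Hardware Guidance (controller queue depth > 256),
# the NL-SAS (256) vs SATA (32) HDD queue depths and the 60-minute default repair delay.
MIN_CONTROLLER_QUEUE_DEPTH = 256
HDD_QUEUE_DEPTH = {"SATA": 32, "NL-SAS": 256, "SAS": 256}
DEFAULT_REPAIR_DELAY_MIN = 60


@dataclass
class StorageNode:
    name: str
    controller: str
    controller_queue_depth: int
    hdd_type: str          # "SATA", "NL-SAS" or "SAS"
    hdd_count: int
    ssd_count: int


@dataclass
class VsanCluster:
    storage_nodes: List[StorageNode]
    compute_only_nodes: int
    failures_to_tolerate: int   # storage policy "number of failures to tolerate"
    production: bool = True


def hosts_required(ftt: int) -> int:
    """Hosts needed to place FTT+1 replicas plus FTT witnesses on distinct hosts: 2*FTT+1
    (the rule from Cormac Hogan's 'How many hosts needed to tolerate failures?' post)."""
    return 2 * ftt + 1


def check_cluster(cluster: VsanCluster) -> List[str]:
    """Return a list of findings; an empty list means the design meets the post's advice."""
    findings = []
    for node in cluster.storage_nodes:
        if node.controller_queue_depth < MIN_CONTROLLER_QUEUE_DEPTH:
            findings.append(
                f"{node.name}: {node.controller} queue depth {node.controller_queue_depth} "
                f"is below the {MIN_CONTROLLER_QUEUE_DEPTH} VMware recommends; rebuild "
                f"traffic can saturate it and stall production IO")
        hdd_qd = HDD_QUEUE_DEPTH.get(node.hdd_type.upper())
        if hdd_qd is None:
            findings.append(f"{node.name}: unknown HDD type {node.hdd_type!r}")
        elif hdd_qd < HDD_QUEUE_DEPTH["NL-SAS"]:
            findings.append(
                f"{node.name}: {node.hdd_type} HDDs (queue depth {hdd_qd}) in the capacity "
                f"tier; NL-SAS or better (queue depth 256) is advised")
    n_storage = len(cluster.storage_nodes)
    ftt = cluster.failures_to_tolerate
    required = hosts_required(ftt)
    if n_storage < required:
        findings.append(
            f"{n_storage} storage nodes cannot satisfy FTT={ftt}; {required} are needed")
    elif n_storage == required:
        findings.append(
            f"{n_storage} storage nodes satisfy FTT={ftt}, but after one storage node fails "
            f"there is no spare host to rebuild onto (Duncan Epping: 4 is the minimum for FTT=1)")
    if cluster.production and ftt < 2:
        findings.append(f"production workload with FTT={ftt}; the post advises N+2 redundancy")
    return findings


def rebuild_response(failure: str, minutes_absent: int,
                     repair_delay_min: int = DEFAULT_REPAIR_DELAY_MIN) -> str:
    """Model VSAN's reaction as described under 'VSAN response to a failure'.

    Disk or controller failures are treated as permanent: immediate rebuild.
    Host or network failures wait for the repair delay; if the component is back
    before it expires only changed data is synced, otherwise a full rebuild starts.
    """
    kind = failure.lower()
    if kind in ("ssd", "hdd", "controller"):
        return "rebuild"
    if kind in ("host", "network"):
        return "sync" if minutes_absent < repair_delay_min else "rebuild"
    raise ValueError(f"unknown failure type: {failure}")


# Constructed from the hardware described in the Reddit post: 3 storage nodes with a
# PERC H310 (queue depth 25), 6 SATA HDDs and 2 SSDs each, 2 compute-only nodes, FTT=1.
REDDIT_CLUSTER = VsanCluster(
    storage_nodes=[StorageNode(f"storage{i}", "Dell PERC H310", 25, "SATA", 6, 2)
                   for i in range(1, 4)],
    compute_only_nodes=2,
    failures_to_tolerate=1,
)

if __name__ == "__main__":
    for finding in check_cluster(REDDIT_CLUSTER):
        print("-", finding)
    print("host back after 59 min:", rebuild_response("host", 59))   # sync
    print("host absent for 60 min:", rebuild_response("host", 60))   # rebuild
```

Run against the Reddit configuration it reports the controller and SATA queue depths on every storage node, the missing spare host for a rebuild and the N+1 production policy; a four-node NL-SAS design with a 600-deep controller passes clean.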

Some other blogs about this particular case
Jeramiah Dooley Hardware is Boring–The HCL Corollary

Hans De Leenheer VSAN: THE PERFORMANCE IMPACT OF EXTRA NODES VERSUS FAILURE

Some useful links providing insights into VSAN

Jason Langer : Notes from the Field: VSAN Design–Networking

Duncan Epping and others wrote many postings about VSAN. Here a complete overview.

A selection of those blog posts which are interesting for this case.
Duncan Epping How long will VSAN rebuilding take with large drives?
Duncan Epping 4 is the minimum number of hosts for VSAN if you ask me
Duncan Epping How VSAN handles a disk or host failure
Duncan Epping Disk Controller features and Queue Depth?

Cormac Hogan VSAN Part 25 – How many hosts needed to tolerate failures?

Cormac Hogan Components and objects  and What is a witness disk 

 

Driver IRQL not less or equal (bridge.sys)

I experienced an annoying issue on my Windows 8 laptop. All of a sudden the laptop showed a blue screen with this text:

Your PC ran into a problem and needs to restart. We’re just collecting some error info, and then we’ll restart for you.

Driver IRQL not less or equal (bridge.sys)

I had no idea what could be causing this. My laptop was running for many months without any issues. Now all of a sudden a couple of crashes in one hour.

Using Google I found out it could be related to Hyper-V, which was installed. So I started Hyper-V Manager, selected Virtual Switch Manager and deleted the switch which was connected to the wireless network adapter.

Problem solved.

I did not try to solve the problem by installing new drivers, as I was not using the Wi-Fi NIC.

What are threats of data stored in ‘the cloud’ and how cloud providers protect their customers

The spying done by the NSA and revealed by Edward Snowden certainly did not do much good for the revenues of companies selling cloud solutions.

Nobody believes anymore that the NSA's main purpose is to defeat terrorism. Foremost, the NSA is very interested in the political views of other countries (Germany, the EU), financial data (Swift bank transfers) and economic espionage (Brazilian oil company Petrobras). National security is used as an excuse to violate people's privacy.

A lot has to change in the minds of the US. At a CIA congress in June, Congressman Mike Rogers said Google Is Unpatriotic For Not Wanting NSA To Spy On Its Users.

Many US firms collaborated with the NSA, enabling them to add backdoors to hardware and software. See for example this article on how Microsoft helped the NSA. The NSA itself tampered with US-made routers by intercepting shipments to customers, adding backdoors and then shipping the routers on to their final destination (source: The Guardian).

Outsourcing infrastructure or applications is a matter of trust. There is a saying that 'Trust arrives on foot but leaves on horseback'.

Add the Patriot Act, the American Stored Communications Act (SCA) and the Foreign Intelligence Surveillance Amendments Act (FISAA), and many organizations, especially European and Brazilian ones, are wary of storing any private, intellectual property or other sensitive information in a datacenter which they do not own and trust. Red alert when the provider is a US company.

Microsoft admitted in 2011 that data owned by Europeans and stored in European datacenters but processed by US firms is not safe from US authorities (source: ZDNet).

Data requests
So how often do US authorities request data from providers, and what kind of data is requested? Metadata, or actual data like the content of email? The problem is that this kind of information cannot be made public by law. Providers are not allowed to reveal court orders. They are allowed to reveal the number of orders, with a delay of 6 months after the order was handed over. The Guardian has an article about this.

Microsoft received from  January to June 2013  fewer than 1,000 orders from the Fisa court for communications content during the same period, related to between 15,000 and 15,999 “accounts or individual identifiers”.

The company, which owns the internet video calling service Skype, also disclosed that it received fewer than 1,000 orders for metadata – which reveals communications patterns rather than individual message content – related to fewer than 1,000 accounts or identifiers.

Note that these numbers are for all Microsoft services, including Skype and Outlook.com. So in many cases court orders from the FISA court are related to personal accounts and not to enterprise accounts.

This is important to understand the problem.

Non disclosure of  National Security Letter or court orders (gag order)

US authorities like the FBI and the US Department of Justice can request that a cloud/service provider hand over customers' data without disclosing that request to the customer. This is a so-called gag order. The official name of such a request is a National Security Letter or NSL.

Microsoft's cloud contracts, and likely those of every US provider, contain lines like the ones below:

The cloud services that Microsoft provides to are governed by contract (the "Contract"). The Contract provides that Microsoft may disclose data to satisfy legal requirements, comply with law or respond to lawful requests by a regulatory or judicial body, or as required in a legal proceeding. The Contract also provides that, unless prohibited by law, Microsoft must use commercially reasonable efforts to give notice of any such disclosures in advance, or as soon as commercially reasonable after such

Reach of Patriot Act
So how far does that notorious Patriot Act reach? When is data safe? Nobody knows for sure. It likely applies to data stored on servers of any company that is located in:

– The United States;
– The European Union with a parent company located in the United States;
– The European Union and  uses  data processing services of a subsidiary which is established in the United States;
– The European Union and uses a third party for data storage or data processing, like a US-based hosting company;
– The European Union, but  does structural business with a company in United States of America.

The last one is the most unclear one and open for many interpretations.

There are other serious security issues with cloud as well. In 2014 Amazon supplied Windows Server images that had not been patched since 2009, with automatic updates disabled. HP and GoGrid also offered images that were not up to date with the latest security patches and had auto-update disabled. Microsoft was the only investigated cloud provider that offered up-to-date images (source Bkav).

So there are some serious issues to solve in cloud computing. What actions are taken by cloud providers to regain trust and how likely are those to keep the bad guys out?

  1. Object to court orders and go to court
  2. Trying to change mind of government
  3. Offer encryption
  4. Contracts
  5. Datacenters located in the EU
  6. Operate datacenters by branches
  7. Employ non US staff
  8. Use non ‘made in the United States’ software or hardware

Object and go to court
In several cases cloud providers such as Google and Microsoft went to court when they received a National Security Letter. In an interesting case in 2013, when the FBI served Microsoft an NSL including a non-disclosure requirement, Microsoft went to court.

The FBI wanted information on an Office 365 customer. After Microsoft filed its challenge in Federal Court in Seattle, the FBI withdrew the letter.

Microsoft challenged the letter in court, arguing that the law the FBI used to obtain it violated the First Amendment as an unreasonable restriction on free speech.

In 2014 a Seattle judge ordered certain documents of this case unsealed. More information on gigaom.com

While this is a small success, many NSLs remain undisclosed.

Trying to change mind of US government
Microsoft asked the US government for the following, as described in this June 2014 post by Microsoft:

  • End bulk collection
  • Reform the FISA Court
  • Commit not to hack data centers or cables
  • Continue to increase transparency

See this article  Microsoft presses the US government on NSA reform

Encryption
Microsoft and others are doing their very best to make the NSA's life as hard as possible. They offer encryption in about every solution that stores on-premises data in Microsoft Azure, with the customer as the only holder of the encryption key. Office 365 files stored in SharePoint Online and OneDrive for Business get their own encryption key, so even when the NSA puts a gun to Microsoft's head it cannot hand over readable data. Mind that this only holds for keys the provider never has: data a cloud service must process in the clear (search, indexing, rendering) is decrypted on the provider's side, and a key the provider generates and stores on your behalf is a key the provider can be ordered to use. Microsoft is working on encryption of data travelling between Azure datacenters; Google and others already encrypt that traffic.

Make sure data is encrypted the moment it leaves your on-premises trusted infrastructure, with a key that stays there. For how long encryption will remain effective remains to be seen: the NSA is building a datacenter with a supercomputer to decrypt AES-encrypted data (source Forbes).
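The "encrypt before it leaves, keep the key yourself" pattern, as an added example that is not part of the original post and not Microsoft's or any product's code. It assumes Windows PowerShell 5.1 (or later) with the .NET Framework cryptography classes; the function names and the file paths in the usage lines are my own placeholders. AES-256-CBC with an HMAC-SHA256 tag (encrypt-then-MAC) is used because authenticated modes such as AES-GCM are not available in the .NET Framework that Windows PowerShell runs on; the key file is the one thing that must never be part of the upload.

```powershell
# Added example, not code from the original post. Assumes Windows PowerShell 5.1 or later;
# all paths are placeholders. Key file layout: 32 bytes AES-256 key || 32 bytes HMAC-SHA256 key.

function New-LocalKey {
    param([Parameter(Mandatory)][string]$KeyPath)
    # Generated once, on-premises, from the OS CSPRNG. Keep it out of the upload set and back it up.
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $keyBytes = New-Object byte[] 64
    $rng.GetBytes($keyBytes)
    [System.IO.File]::WriteAllBytes($KeyPath, $keyBytes)
}

function Get-LocalKey {
    param([Parameter(Mandatory)][string]$KeyPath)
    $keyBytes = [System.IO.File]::ReadAllBytes($KeyPath)
    if ($keyBytes.Length -ne 64) { throw "Key file must be exactly 64 bytes" }
    [byte[]]$encKey = $keyBytes[0..31]
    [byte[]]$macKey = $keyBytes[32..63]
    return @{ Enc = $encKey; Mac = $macKey }
}

function New-AesCbc {
    param([byte[]]$Key)
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.KeySize = 256
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    $aes.Key     = $Key
    return $aes
}

function Protect-FileForCloud {
    param(
        [Parameter(Mandatory)][string]$InputPath,    # plaintext, stays on-premises
        [Parameter(Mandatory)][string]$OutputPath,   # IV || ciphertext || tag, safe to upload
        [Parameter(Mandatory)][string]$KeyPath
    )
    $k   = Get-LocalKey -KeyPath $KeyPath
    $aes = New-AesCbc -Key $k.Enc
    $aes.GenerateIV()                                # fresh random IV for every file

    $plain  = [System.IO.File]::ReadAllBytes($InputPath)
    $cipher = $aes.CreateEncryptor().TransformFinalBlock($plain, 0, $plain.Length)

    # Encrypt-then-MAC over IV || ciphertext: a modified blob is rejected before any decryption.
    $hmac = New-Object System.Security.Cryptography.HMACSHA256 -ArgumentList (,$k.Mac)
    [byte[]]$body = $aes.IV + $cipher
    $tag = $hmac.ComputeHash($body)

    [System.IO.File]::WriteAllBytes($OutputPath, [byte[]]($body + $tag))
    $aes.Dispose(); $hmac.Dispose()
}

function Unprotect-FileFromCloud {
    param(
        [Parameter(Mandatory)][string]$InputPath,    # blob downloaded from the cloud
        [Parameter(Mandatory)][string]$OutputPath,
        [Parameter(Mandatory)][string]$KeyPath
    )
    $k    = Get-LocalKey -KeyPath $KeyPath
    $blob = [System.IO.File]::ReadAllBytes($InputPath)
    if ($blob.Length -lt 64) { throw "Blob too short: need IV (16) + one block (16) + tag (32)" }

    [byte[]]$body = $blob[0..($blob.Length - 33)]              # IV || ciphertext
    [byte[]]$tag  = $blob[($blob.Length - 32)..($blob.Length - 1)]

    $hmac = New-Object System.Security.Cryptography.HMACSHA256 -ArgumentList (,$k.Mac)
    $expected = $hmac.ComputeHash($body)
    # Constant-time comparison: do not stop at the first mismatching byte.
    $diff = 0
    for ($i = 0; $i -lt 32; $i++) { $diff = $diff -bor ($expected[$i] -bxor $tag[$i]) }
    if ($diff -ne 0) { throw "Integrity check failed: blob was modified or wrong key" }

    $aes = New-AesCbc -Key $k.Enc
    $aes.IV = [byte[]]$body[0..15]
    [byte[]]$cipher = $body[16..($body.Length - 1)]
    $plain = $aes.CreateDecryptor().TransformFinalBlock($cipher, 0, $cipher.Length)
    [System.IO.File]::WriteAllBytes($OutputPath, $plain)
    $aes.Dispose(); $hmac.Dispose()
}

# Usage with placeholder paths: only the .enc file is ever copied to the cloud.
# New-LocalKey            -KeyPath 'C:\keys\cloud.key'
# Protect-FileForCloud    -InputPath 'C:\data\contract.docx' -OutputPath 'C:\upload\contract.docx.enc' -KeyPath 'C:\keys\cloud.key'
# Unprotect-FileFromCloud -InputPath 'C:\download\contract.docx.enc' -OutputPath 'C:\data\contract.docx' -KeyPath 'C:\keys\cloud.key'
```

The tag is checked before the ciphertext is touched, so a provider (or anyone between you and the provider) that alters or swaps a blob gets an error instead of garbage or a padding-oracle style leak. What this does not solve is the usability problem the text hints at: a file protected this way cannot be searched, previewed or shared by the cloud service, because the service never sees the key.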

TLS traffic to and from Azure Web Sites can now use Elliptic Curve Cryptography (ECC) certificates. The benefit is not that ECC is "ten times harder to break" but that it reaches the same security level with far shorter keys: a 256-bit ECC key gives roughly the strength of a 3072-bit RSA key, so handshakes are cheaper for the same security margin. More info on ECC here.

The story of email firm Lavabit shows the power of the FBI, NSA and others. Lavabit provided an encrypted email service that protected the privacy of its users. Snowden was one of those users (and probably the reason for the FBI's interest in Lavabit). One day the FBI knocked on the door of Lavabit's owner holding a court order requiring the installation of surveillance equipment on the Lavabit network. The court order also required Lavabit to hand over its SSL private keys. Lavabit objected, since that would give access to all messages to and from all customers, which would be unfair and unreasonable.

The owner refused, found a lawyer and ended up in court. The result: Lavabit had to hand over 5 SSL private keys. Lavabit even tried to hand over the cryptographic material in printed form, stretched over 11 pages in a four-point font (source Sophos.com).

In the end Lavabit had to close the company. (Source: the Guardian)

Contracts
Recently Microsoft proudly published that its contracts with customers using cloud services comply with the highest standards of the EU: privacy authorities across Europe approved Microsoft's cloud commitments. While this contract is useful because Microsoft customers are assured that Microsoft complies with privacy laws, it is not a guarantee that data is safe from the bad guys or curious types like the NSA and FBI. As Microsoft states: it will have to hand over data if requested, and does not even have to inform the customer about the handover.

Datacenters located in the EU
There are several reasons why US cloud providers offer datacenters located in the EU. First, to provide the best possible latency. Second, because EU laws prohibit certain types of data from being stored outside the EU.
Data stored in an EU datacenter but processed by a US firm is by no means out of reach of the Patriot Act. See the story about a US judge who ordered Microsoft to hand over data stored in a Dublin datacenter; Microsoft is fighting this in court. There is a lot of information on the internet about this case, like this article.

Operate datacenters by branches of US companies
VMware entered the public cloud IaaS market a while ago with vCloud Hybrid Service. Besides 4 US-located datacenters they also have one datacenter in Slough near London (UK). They stated at VMworld that data is safe from the Patriot Act because vCHS is operated by VMware UK. The datacenter is owned by UK company Savvis. I do not think this stops US authorities with court orders from demanding data, as VMware UK has a parent company in the US.

Employ non-US staff
Dutch telecom and IT services company KPN recently announced that its public cloud offering named CloudNL is fully managed by Dutch administrators who are not bound by US law. This way, according to KPN, the company is not required to hand over data to the NSA, FBI and other non-Dutch organizations. However, KPN is the 100% owner of US company iBasis. This ownership could make KPN a target for the Patriot Act as it does 'structural business with a US company'. KPN however believes access by the NSA etc. via iBasis is blocked because the servers are located in Dutch datacenters. Dutch newspaper Trouw reported on this (English here). Computerworld has an interesting article on CloudNL as well.

Use non ‘made in the United States’ software or hardware
When software made by US companies is used, the NSA could have a backdoor, or the Patriot Act could be used to require handing over data. So IT company Capgemini decided to build a cloud in which not a single component is made in the US. It provides software for email, calendar sharing, presentations, file sharing and video conferencing. News about this cloud offering, called Clair, was published by nu.nl (translation in English).

Capgemini does have about 27 offices in the US so even that might be a backdoor.

Conclusion
There is a lot of uncertainty about the reach of US acts like the Patriot Act. The only way to find out is through legal battles in court, and not all companies offering cloud services are interested in legal battles: they have an interest in staying friends with US authorities.

Encrypting data that could be of interest to others, and owning the encryption key yourself, is a first step to securing data.

Microsoft TechEd 2014 North America coverage

This post will provide info on blogs and Twitter accounts which cover Microsoft TechEd 2014 in North America. BTW TechEd stands for “Technical Education.”

I will focus on blogs covering infrastructure services like Azure, Windows Server, Hyper-V and System Center.

Microsoft is doing a great job by publishing recordings of all breakout sessions on Channel 9. Free to view for everyone. Sessions of May 12 were available within 24 hours. Some of the breakout sessions are even streamed live. For a schedule see here. 

If you are attending TechEd you can download the PowerPoint slides even before the breakout session starts. Go to http://northamerica.msteched.com/catalog and select the session.

Derek Seaman covers many sessions live on his blog . His Twitter account is here.

Aidan Finn does live blogging. His Tweets are here.

David Hill covers TechEd at his website here .  His Tweets are here.

WindowsITPro will have many articles on TechEd.

If you like your blog to be added here, send me an email (mvdb22 at gmail dot com)

Citrix product names and functionality

Citrix is notorious for changing the names of its products. It also has a wide range of software, and it is easy to lose track of what purpose each piece serves.

So this is a small blog to quickly inform about current name, former name and functionality. I also mention some technologies.

Citrix XenDesktop 7 = the release which combined VDI (XenDesktop) and server based computing (XenApp) in a single SKU with various editions. The name XenApp was basically killed by Citrix in this release.

Citrix XenDesktop = the VDI solution of Citrix. Since XenDesktop 7.5 again a separate product for delivering virtual desktops. Citrix un-killed XenApp because using the name XenDesktop for two solutions was very confusing for customers.

Citrix XenApp = the current name for what was formerly known as WinFrame, MetaFrame and Presentation Server. Does application virtualization (Server Based Computing). The name was dropped by Citrix with XenDesktop 7, when the XenApp features were added to the XenDesktop 7.0 suite; it is now available again as XenApp 7.5. Hope this text makes sense ;-)

Citrix XenMobile Device Manager = software installed on Windows Server to perform mobile device management. The software was acquired from Zenprise. Used in an MDM scenario where the device is owned by the organization. Provides full control over the device; apps are pushed to the device.

Citrix XenMobile AppController (also spelled as App Controller)= an appliance based on Linux running as a virtual machine. It is responsible for application aggregation to mobile devices. It is able to publish mobile apps, SaaS apps, web URLs and XenApp or RDS published desktops and applications.  Requires Citrix NetScaler for secure access using micro VPN.

Citrix WorkSpace Suite = a bundle of current Citrix solutions like XenApp, XenDesktop, XenMobile, ShareFile and Netscaler. One bundle enables customers to deliver and manage apps and desktops to all possible clients.  Announced at Synergy 2014. Pressrelease here

Citrix XenApp AppCenter = management console to centrally manage XenApp farms from a single console.

Citrix Provisioning Services (PVS) = a solution to stream an operating system to a server over the network. The advantage is to be able to use a single image for multiple servers. Originally developed by Ardence.

Citrix XenDesktop Machine Creation Services (MCS) = process of XenDesktop to create a pool of virtual desktops and deploy those.

Citrix DesktopPlayer for Mac = enables running Windows virtual machines on Mac OS X, even offline, using XenDesktop Local Mode. Comparable to VMware Fusion.

Citrix DesktopPlayer for Windows = delivers a Windows virtual desktop to any laptop in any network situation (offline, low bandwidth WiFi) targeted at Bring You Own laptops.

Citrix Receiver = agent software required to handle published applications or desktops running on Citrix XenApp. Used to be named ICA client in the past. Supports many platforms including Linux and HTML5 browsers.

Citrix Receiver X1 = app installed on mobile devices to replace part of features of the current Home Worx app. It unifies Receiver and WorxHome. WorxHome will still be required for enrolling devices.

Citrix Independent Computing Architecture (ICA) = protocol developed by Citrix to transfer display, mouse, keyboard and device information over the network between server and client.

Citrix High Definition eXperience (HDX) = a set of technologies to improve the user experience on XenApp and XenDesktop

Citrix FrameHawk = a technology (not a product) to improve user experience when using WiFi. It will be embedded in HDX in use by XenApp and XenDesktop. More here.

Citrix MDX = a technology to secure mobile apps. It adds a security layer on native iOS and Android apps so IT has control over those apps. Additionally MDX creates micro VPN sessions between the app and the corporate network using NetScaler.

Program Neighborhood Agent or PNAgent = old Citrix client used to launch XenApp applications from a launchpad. It did not integrate with the Windows Start menu.

XenApp Plugin = agent installed on client OS which adds published applications to the start menu for seamless integration with local installed applications.

Citrix Web Interface = a web portal which is able to publish applications and desktops to users connecting from the Internet. Announced end of life and does not support recent Citrix software. StoreFront is successor.

This is an image to provide some insight how XenMobile is integrated with StoreFront and NetScaler. The image is taken from this very interesting blogpost titled How to integrate StoreFront into XenMobile… And than what?!  written by Bas van Kaam.

Citrix Secure Gateway = free software solution which offers ICA proxy connections over SSL. Used to offer applications and desktops to internet users, in combination with NetScaler, Access Gateway and StoreFront/Web Interface. Secure Gateway 3.3 is supported up to 2016 (XenApp 6.5).

Citrix NetScaler = application delivery controller. Has many functions like ssl vpn, load balancing, application performance enhancement, application security. Available as hardware and software appliance. Available in three editions.

Citrix NetScaler Gateway, formerly Citrix Access Gateway (CAG) Enterprise Edition.

Citrix StoreFront =  Portal for publishing XenDesktop and XenApp desktops and applications. Successor of Citrix Web Interface which will be end of life 2015.

Citrix Independent Management Architecture (IMA) = Citrix ‘housekeeping’ architecture. IMA is not a product but a protocol and a database which is used to communicate information about licenses, policies, sessions and server loads between servers in a Citrix farm. 

Citrix FlexCast Management Architecture (FMA) =  replacement of IMA. Introduced in XenDesktop 7. XenApp 7.5 will now use FMA instead of IMA. FMA is an architecture to deliver virtual desktops, apps and hosted shared desktops. More info here and here 

Citrix Desktop Studio = Microsoft Management Console 3.0 (MMC) based management console used to configure and manage XenDesktop 5 sites

Citrix Studio =  Microsoft Management Console 3.0 (MMC) based management console used to configure and manage XenDesktop 7 and 7.5 sites

Citrix Worx Home. An app which is installed on mobile devices. Worx Home connects to XenMobile Device Manager and XenMobile App Controller

Citrix Worx Store = not a product but the name of the apps catalogue available once Worx Home has been installed on a mobile device. Available apps and applications are published by AppController.

More info here.

Citrix WorxMail = secure mail client for iOS and Android. Uses micro-VPN to communicate with mailserver. Does encryption. IT department can control data (like wipe it when device is stolen)

Citrix WorxWeb = secure webbrowser for iOS and Android.

Citrix WorxNotes = app to take simple notes on mobile devices

Citrix WorxEdit = editor to edit office files on mobile devices

Citrix WorxDesktop = access desktops from mobile device . More info here

Citrix ShareFile = Dropbox for the enterprise. IT is able to provide access to files to mobile devices while keeping control.

Citrix CloudGateway = not a product but a bundle of products.

  • Citrix CloudGateway Express includes StoreFront Services and Access Gateway
  • Citrix CloudGateway Enterprise  includes StoreFront Services, Access Gateway  and  AppController

XenDesktop 7 App edition = the replacement of XenApp 6.5. Server Based Computing. Able to offer desktops and published applications

Citrix AppDNA = analyzes the dependencies of Windows and web applications. Useful for migrating from one Windows Server or desktop platform to another. Also makes dependencies on other applications clear, and reports whether an application will run on another platform.

Citrix Profile Management = tool for management of Windows profiles. Available for customers having SA on XenApp or XenDesktop.

Citrix XenDesktop Director = troubleshooting webbased tool for XenDesktop 7 and higher targeted at helpdesks. EdgeSight is part of the solution. More info here

Citrix CloudBridge = WAN optimizer.

Citrix CloudPlatform = an open source cloud management platform (based on Apache CloudStack). Able to manage different hypervisors.

Citrix EdgeSight = Performance analyser. Included in some editions of XenApp and XenDesktop. Can for example be used to determine cause of slow login times.

Citrix XenServer = the hypervisor of Citrix for Intel and AMD platforms.

Citrix XenClient = a type 1 client hypervisor. Typically installed on desktops and laptops. Images can centrally be managed.

Citrix VDI-in-a-Box =  software appliance deployed as a VM supporting XenServer, Hyper-V and VMware ESXi. Allows for simplified deployment of VDI without the need for shared storage.

Citrix GoToMeeting = service which enables webinars, online meetings with ability to share desktop, presentations, have chats etc.

Citrix Application Streaming = end of life product. Did application streaming like Microsoft App-V.

Citrix Resource Manager = end of life. Part of Presentation server. Resource Manager collects, displays and stores data about system performance, applications or process use.

VMware VSAN will be GA in the week of March 10. Licensing per socket or desktop

During a special webinar at March 6 VMware announced the general availability of Virtual SAN (VSAN). VSAN 1.0 will be available in the week of March 10.

If you are unaware of VSAN: its release is probably the most anticipated VMware product launch after that of vSphere itself. VSAN offers SAN features using server-based (local) storage.

Benefits of VSAN are:

  • Reduce investment costs by using cheap low cost storage instead of expensive SAN
  • Pay as you grow model instead of large upfront investments. If you need more storage capacity simply add SDD or HDD instead of having to buy a new SAN extension.
  • It lowers operational costs because it is simple to use, does not require a storage administrator and has increased automation

VSAN can be implemented in two ways: either select your own choice of hardware based on the special VSAN HCL or select from 16 preconfigured VSAN Ready nodes available from  IBM, Cisco, Fujitsu and Dell. HP and others are expected to deliver VSAN Ready nodes at GA or sometime later.

At least three nodes are required. The maximum number of nodes in a VSAN 1.0 cluster is 32.

vSphere 5.5 Update 1 will support VSAN GA. I will not be surprised if Update 1 is released at the same time as VSAN.

Cormac Hogan and Duncan Epping are writing a book on VSAN to be published by VMware Press. Release date is expected before VMworld. More details at ntpro.nl

VMware will announce pricing at GA.

The Register did some research and found several pricelists mentioning Virtual SAN. It seems VSAN  can be purchased in two ways:

  • per CPU socket. Commercial listprice is around US $ 3100.- excluding Support and Subscription. Academic and VMware Volume Purchasing prices are lower.
  • per desktop. A 10-pack VSAN desktop license will cost around US $ 600,-

Update: VSAN went GA on March 12. Pricing is now public. See this post for an overview.

There will be some special offers for VSAN:

-customers using the beta will receive a discount of 20%.

-customers using VMware Virtual Storage Appliance will get reduced pricing when they upgrade to VSAN.

VMware release a new VSAN Design and Sizing Guide edition March 2014 which can be downloaded here.

VMware has a free Hands-on Lab (HOL)available which enables you to play and explorer with VMware VSAN. No need to have hardware, software and licenses. The HOL is running in the cloud.

More information:

This is a very good post by Chad Sakac. It provides some different views on two VMware statements on VSAN. Chad states:

It IS NOT an accurate statement to say that VSAN is “better” or “performs better” because it’s embedded in the kernel.

It IS NOT an accurate statement to say (as a general statement) that VSAN is lower CAPEX than external storage – though it IS accurate that it offers a compelling CAPEX picture in many use cases.

Cormac Hogan – Virtual SAN (VSAN) Announcement Review

Duncan Epping – VMware Virtual SAN launch and book pre-announcement!

Ivo Beerens – VMware VSAN Launch Q&A

What it takes to write a book on IT

As you might know currently I am authoring a book on Microsoft hybrid cloud. The book will explain Windows Azure IaaS and how to connect on-premise Windows Server/System Center infrastructures to Windows Azure to create a hybrid cloud. The book will discuss cloud computing, Microsoft Cloud OS, Azure datacenters, VPN, PowerShell, Hyper-V Recovery Manager, App Controller, StorSimple,  Windows Azure Pack, billing, costs structure, administration, monitoring and much, much more.

In a series of blogpostings I will describe my experiences in writing this book. This first blog in the serie will give you an indication about the tasks involved in writing a book.

One thing to consider when wanting to write a book yourself: it will take LOTS of time.

Things I did/ do to write the book:

  • discuss contract and content with the publisher
  • discuss with girlfriend about sponsoring 😉
  • create the outline. This provides the publisher an indication about content,
  • do research on content for the book.
  • install software in testlab. Create screendumps etc.
  • write first draft of chapters
  • search for reviewers
  • contact with Microsoft
  • write TIS. This has description of the author and content of the book. Used for publication at sites like Amazon.com
  • write bio used in book.
  • fill in invoice forms for publisher. During severall stages of the book an invoice is sent.
  • create images
  • contact with publisher with questions on reviewing etc
  • contact with reviewers
  • process reviews made by publisher and reviewers
  • monitor status of delivery of reviews
  • write blog for promotion
  • write final draft of chapters

Hope this gives an impression of the amount of work. My book will have about 250 pages. I estimate I will need about 200-250 hours to do all the tasks involved in writing the book.

RVTools version 3.6 released

RVTools, made by Rob de Veij, is one of the best FREE tools available to help consultants and system administrators inventory and manage a VMware vSphere infrastructure. It offers a lot of information on the configuration of storage, network, virtual machines, ESX hosts and a LOT more. Information can easily be exported in CSV format so you can, for example, do capacity planning. With RVTools you can disconnect the CD-ROM or floppy drives from virtual machines, and RVTools is able to update the VMware Tools installed inside each virtual machine to the latest version.

If you do not know RVTools I strongly recommend downloading the tool and seeing for yourself how useful it is and how much easier it makes your life. You won't regret it.

Download here.

New in the RVTools 3.6 release:

  • New tabpage with cluster information
  • New tabpage with multipath information
  • On vInfo tabpage new fields HA Isolation response and HA restart priority
  • On vInfo tabpage new fields Cluster affinity rule information
  • On vInfo tabpage new fields connection state and suspend time
  • On vInfo tabpage new field The vSphere HA protection state for a virtual machine (DAS Protection)
  • On vInfo tabpage new field guest state.
  • On vCPU tabpage new fields Hot Add and Hot Remove information
  • On vCPU tabpage cpu/socket/cores information adapted
  • On vHost tabpage new fields VMotion support and storage VMotion support
  • On vMemory tabpage new field Hot Add
  • On vNetwork tabpage new field VM folder.
  • On vSC_VMK tabpage new field MTU
  • RVToolsSendMail: you can now also set the mail subject
  • Fixed a datastore bug for ESX version 3.5
  • Fixed a vmFolder bug when started from the commandline
  • Improved documentation for the commandline options

StarWind SAN V8 Beta 3 is available

StarWind software released StarWind SAN V8 Beta 3.

The product uses local storage on servers running Windows Server to provide SAN features. It supports VMware HA, vMotion, Hyper-V Live Migration etc. It also does replication, deduplication and much more.

This is an interesting storage solution for small and midsized organisations who do not have the budget for expensive SAN solutions.

This will be the last beta release. A release candidate is expected soon. The final release will probably be made available in the second half of February 2014.

If you are using SAN V8 Beta 1 or Beta 2 you can update by installing Beta 3 over the existing installation.

New in this third beta:

LSFS device:
• Correct processing of device size parameters and usage of available storage of underlying disk.
• Fixed the issue which led to disk write errors (when a certain amount of data was written to the device and device files multiplied).

Synchronous replication for LSFS device:
• Fixed snapshot management functionality: creation and deletion of snapshots now works correctly.
• Fixed the issue, where the state of HA node changed to “unsynchronized ” without any reason.

VSS providers:
• Hardware VSS provider is now available for LSFS devices and LSFS devices with synchronous replication.
• Software VSS Provider is now available for LSFS devices.

Asynchronous replication:
• Replication on very slow channels is now possible.
• Mounting of snapshot fixed.
• Replication algorithm fixed.
• Minor fixes to the VAAI command processing.

Release notes are here.

Download the software here

Save the Date! TechEd Europe 27-31 October 2014 in Barcelona

Microsoft released the location and date for TechEd Europe 2014. It will be held 27-31 October  in Barcelona. The venue is the Fira Barcelona.

Registration opens in spring 2014

More info here.

Exchange does not support NFS. Vote and you might change that.

You might be aware that Microsoft does not support running virtualized Exchange instances whose virtual disk files are hosted on NFS datastores. Microsoft will provide best-effort support if you run into issues. Microsoft does, however, support running Exchange on SMB 3.0 file shares presented to Hyper-V hosts.

See the storage requirements of Exchange 2013 here.

This is an interesting post about the lack of NFS support for Exchange by Microsoft.

Exchange runs perfectly well when hosted on NFS. Many organizations use this configuration without issues and are probably not even aware of this limitation. Here is a view by Tony Redmond, NFS and Exchange: not a good combination:

Many storage vendors like Tintri, Maxta, NetApp and Nutanix use NFS.

You might change the support policy by voting ‘I agree‘ on this survey titled support storing exchange data on VMDKs on file shares(nfs/smb)

The replies by many experts in this survey are very interesting to read.

Running Citrix AppController on Windows Azure (it won’t)!

Since 2013 Citrix supports running XenApp & XenDesktop on Windows Azure.  I wanted to be able to have a demo / Proof of concept  environment showing XenApp, XenMobile, AppController and ShareFile on Windows Azure to demo to customers.

My  experiment was to see if AppController can  run on Windows Azure. To make a long story short: it does not… 

If you are interested in why not, read on.

AppController is distributed by Citrix as a virtual appliance. It can run on XenServer, Hyper-V and VMware ESXi. I could not find any documentation which said which Linux distribution is used. If I had that info I could decide if AppController could be run on Azure. There is no mentioning of Azure support in Citrix documentation nor on blogs. 

As Azure runs Hyper-V 2008 and Hyper-V 2012 in its datacenters and supports some Linux guests, I decided just to give it a go. In the Netherlands we say: "if you do not shoot, you will always miss".

So I downloaded the VHD file and created a new virtual machine in Hyper-V Manager. This allowed me to configure the appliance. It requires an IP address, which I set to x.x.x.4. I enabled SSH to be able to do some remote management.

I also created a virtual network in Azure to have control over the subnet used by the AppController VM.

The first challenge was the format of the VHD supplied by Citrix: a dynamically expanding disk, which Azure does not support. So I needed to convert the VHD from dynamically expanding to fixed size, using Hyper-V Manager. Note that you will need enough disk space to host the maximum file size of the VHD; the supplied VHD has its maximum size set to 50 GB.

After that I uploaded it to Azure and tried to convert the VHD to a disk. Error! Grrr. Azure requires the virtual size of a VHD to be a whole number of megabytes, and this one was not. So I used VHD Resizer on my laptop to round the virtual size up to a whole number of MB, which took about 15 minutes.

Another upload. Luckily empty spaces in a VHD are not uploaded to Azure so upload is rather quick.
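The three preparation steps above (fixed-size conversion, rounding the virtual size to whole megabytes, upload and registration) as one scripted check, added here as an example that is not from the original post or from Citrix. It assumes the Hyper-V PowerShell module (Windows 8 / Server 2012 or later) and the Azure Service Management module with Add-AzureAccount already done; the file paths, disk name and storage account URL are placeholders.

```powershell
# Added example, not from the original post. Assumes the Hyper-V module and the Azure
# (Service Management) module; Add-AzureAccount / Select-AzureSubscription already done.
# Paths, disk name and storage account URL are placeholders.
Import-Module Hyper-V

$source = 'C:\Images\AppController.vhd'          # vendor VHD, dynamically expanding
$fixed  = 'C:\Images\AppController-fixed.vhd'    # fixed-size copy for Azure

# 1. Azure takes only fixed-size VHD files: no VHDX, no dynamic or differencing disks.
$src = Get-VHD -Path $source
if ($src.VhdFormat -ne 'VHD') { throw "Azure needs the VHD format, this file is $($src.VhdFormat)" }
if ($src.VhdType -eq 'Fixed') {
    Copy-Item -Path $source -Destination $fixed
} else {
    # The fixed copy occupies the full virtual size on local disk (50 GB for this image).
    Convert-VHD -Path $source -DestinationPath $fixed -VHDType Fixed
}

# 2. Azure requires the virtual size to be a whole number of MiB; round up if it is not.
$vhd = Get-VHD -Path $fixed
$mib = 1MB
if ($vhd.Size % $mib -ne 0) {
    [uint64]$aligned = [math]::Ceiling($vhd.Size / $mib) * $mib
    Resize-VHD -Path $fixed -SizeBytes $aligned
    $vhd = Get-VHD -Path $fixed
}
"Ready to upload $($vhd.Path): virtual size $($vhd.Size / $mib) MiB, type $($vhd.VhdType)"

# 3. Upload (only allocated pages are transferred) and register the blob as a Linux OS disk.
$dest = 'https://mystorageaccount.blob.core.windows.net/vhds/appcontroller.vhd'
Add-AzureVhd -LocalFilePath $fixed -Destination $dest
Add-AzureDisk -DiskName 'AppController' -MediaLocation $dest -OS Linux
```

Doing the size check locally with Get-VHD avoids the round trip the post describes: the error only shows up after the upload when the blob is registered as a disk, so it is cheaper to catch the misaligned size before Add-AzureVhd runs.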

As an administrator you do not have much control over IP assignment in Azure. IP-addresses are assigned by a Microsoft managed DHCP server. The first VM which boots in an ’empty’ subnet will receive IP x.x.x.4 , the next x.x.x.5 and so on.

So created a VM using the just uploaded vhd. Made sure this VM was the first in the subnet. Booted the VM and the state shows running. However no response on http/https/ssh.

Windows Azure does not offer a remote console, so there is no way to watch the boot process of this Linux-based virtual machine. My guess is that the boot process halts while trying to find hardware devices such as the network interface. The only practical check before uploading is therefore to boot the converted, fixed-size VHD on a local Hyper-V host first and confirm that the appliance comes up and answers on SSH there.

I hope this info was useful.

Veeam releases free RDP Appliance for Hyper-V Server

Microsoft has a free hypervisor offering called Hyper-V Server 2012 R2. Its Hyper-V functionality is equal to the Hyper-V role in Windows Server 2012 R2. What the free edition does not include are the guest licensing rights that Windows Server Standard and Datacenter carry for Windows virtual machines, so each Windows virtual machine running on the free Hyper-V Server 2012 R2 needs its own license.

Hyper-V Server 2012 R2 comes as a core installation, so there is no graphical user interface for management. Connecting to the console of a virtual machine in particular can be a challenge: Hyper-V Manager does not run on Hyper-V Server itself, so administrators need another Windows Server 2012 (R2) or Windows 8 (8.1) machine with the Remote Server Administration Tools (RSAT) installed to reach the console of their VMs.
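What managing a GUI-less Hyper-V Server from such a workstation looks like in practice, as an added example that is not from the original post or from Veeam. It assumes a Windows 8 / Server 2012 (or later) workstation with the Hyper-V RSAT tools, an account that is a Hyper-V administrator on the host, and uses 'hv01' and 'VM01' as placeholder names.

```powershell
# Added example, not from the original post. Assumes Hyper-V RSAT on the workstation,
# Hyper-V administrator rights on the host, and placeholder names 'hv01' / 'VM01'.
$hvHost = 'hv01'

function Get-RemoteVMInventory {
    param([Parameter(Mandatory)][string]$ComputerName)
    # The Hyper-V cmdlets talk to the host over WMI/CIM, so nothing graphical is needed there.
    Get-VM -ComputerName $ComputerName | ForEach-Object {
        # Guest IPs are reported by the integration services; a VM without them, or without
        # any network, shows an empty list. That is exactly the case VMConnect still handles.
        $ips = (Get-VMNetworkAdapter -VM $_).IPAddresses | Where-Object { $_ -notmatch ':' }
        [pscustomobject]@{
            Name   = $_.Name
            State  = $_.State
            Uptime = $_.Uptime
            IPv4   = ($ips -join ', ')
        }
    }
}

Get-RemoteVMInventory -ComputerName $hvHost | Format-Table -AutoSize

# Console access: vmconnect.exe connects to the host's VM console service (TCP 2179 on the
# host), not to the guest's network stack, so it reaches a VM that has no IP address at all.
& "$env:SystemRoot\System32\vmconnect.exe" $hvHost 'VM01'
```

The inventory shows which VMs are unreachable over the network (empty IPv4 column, or State not Running); for those, vmconnect.exe against the host is the only way in, which is the gap the Veeam appliance below fills for administrators without an RSAT workstation.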

Veeam to the rescue. The company released a free virtual appliance that acts as an RDP proxy. The appliance runs CentOS and is installed as a VM on the Hyper-V host. It connects to virtual machines using VMConnect, the Hyper-V console connection that runs over RDP to the host rather than to the guest's network stack, so it works even when the virtual machine has no IP address.
