09 jun 2017

E2EVC Virtualization Conference Prague 2017

E2EVC Virtualization Conference is a non-commercial virtualization community event, from engineers to engineers. The main goal is to bring the best virtualization experts together to exchange knowledge and to establish new connections. B-Critical is attending E2EVC in June 2017 in Prague with several consultants: Igor van der Burgh (@Igor_vd_burgh), Ronald Grobben (@rgrobben1) and Nico van der Stok (@NicovanderStok).

Thursday 8th of June

After a flight from Schiphol Amsterdam we arrived at Prague Airport in the afternoon. The sun was shining, all was well. We took a taxi into town and found our hotel.

Friday 9th of June

We started the day with the “Welcome Opening Speech” by Alex Cooper, who gave some updates and general information: attendance numbers and so on.

First Session, ControlUp – “all things new and cool for virtualization geeks”. Alex introduced Eugene on stage with a couple of jokes. ControlUp started a few years ago as a small startup and has grown into a company of about 50 people, with its monitoring tool widely adopted by the community. In this traditional opening session Eugene showed all the new features ControlUp came up with in 2016, and, as usual, anyone who asked a good question was rewarded with a small bottle of schnapps. Eugene demonstrated the AWS integration, which is new in the product; another nice addition is an “Hourly Cost” column. During the presentation @gadi_fe joined in to explain the NetScaler Monitor by ControlUp.

Second Session – “Modern IT Management with Microsoft Operations Management Suite”. This session was presented by Stefan Johner and Stefan Roth and gave an overview of the Operations Management Suite. OMS is a cloud service that receives data either directly from agents on your individual servers or from your System Center Operations Manager installation, where the SCOM management servers act as a gateway through which your infrastructure sends logs, performance data and the results of the checks the agents run on your servers. It does not stop at collection: you can choose from what Microsoft calls “Solutions”, a kind of intelligence pack. At the time there were 12 Solutions to choose from, and in future it should be possible to buy Solutions from third-party vendors. The presenters positioned OMS as the fastest way to query logs, assets and other large data sets.

Third Session, “Interactive Windows Logon and Fast User Switching”. This session was presented by the man himself, Alex Cooper, together with Alex Danilychev, who was connected remotely by phone. The presentation was about Virtual Display Manager from iShadow, including a live demo of the product. The second part covered a way to control how multiple screens are presented through a mobile phone app, so you can see this more as an IoT remote-control solution.

Fourth Session, “VDI Like a Pro”. The guys from LoginVSI ran a fun quiz with the audience: everybody had to log in at Kahoot.it and enter the PIN code. After the quiz they shared some insights from their VDI Like a Pro reports. The VDI Like a Pro labs have been hard at work testing OS performance for VDI and tuning it for optimal user experience. They presented their benchmark results for the latest OS releases and the optimized results using the latest #VDILikeaPro tuning templates. They also pointed their UX measurement tools at the cloud and shared benchmark results for the DaaS solutions on Azure and Amazon WorkSpaces.

Fifth Session, “On-Prem and Public Cloud Availability Your Way”. This session was presented by Clint Wyckoff of Veeam. First he promised the audience there would be no marketing on the slides. He talked about and demoed the new Veeam Agent for Windows and Linux, which backs up physical or cloud-based workstations and servers. Due to factors such as complex hardware configurations and regulatory compliance requirements, some physical servers and workstations cannot be virtualized, and everyday events such as connectivity lapses, hardware failures, file corruption, ransomware or theft can put an organization’s data at risk. Veeam Agent for Microsoft Windows addresses this, closes the gap some enterprises face with large heterogeneous environments, and supports workload mobility by delivering availability for cloud-based workloads.

Sixth Session, “NVIDIA GRID: A Technical Conversation with an Insider”. This session was hosted by Jared Coward, who explained why you would use a GPU and walked through NVIDIA’s technology and product range. He also showed how Citrix Director can monitor the utilization of NVIDIA GPUs.

Another cool feature that is about to be released is the ability in XenServer to live-migrate a VM (desktop) that is using a vGPU; the only catch is a pause of one second or less.

Seventh Session, “My Top 10 List of Remote End-User Experience Benchmarking Tools”. This was an interesting session by Dr. Benny Tritsch, who explained all the tools he uses to benchmark and compare virtualization solutions.

Eighth Session, “How to impress your customers in a few easy steps”. This session was presented by Helge Klein, talking about uberAgent. Helge first gave a high-level overview of how uberAgent works: one of its key components is Splunk as the backend, a platform that indexes and searches large volumes of machine data. After explaining some options and integrations, Timm gave a demo.

Ninth Session, “Making web data and cookies manageable once and for all”. This was the last session of the day and was all about Avanite presenting an update on their products. Web data has long gone unmanaged, with websites storing unknown data on systems. Historically this consisted of small files that were easy to manipulate; with the introduction of the WebCache file, roaming web data became difficult and expensive. Security is a prime concern, as the web is the primary source of malware. WebCache Manager addresses these issues by reducing the size of the WebCache and deleting all unnecessary data from systems.

Saturday 10th of June

Session 1, Room 2, “NetScaler goes cloud – Part II”. Carsten Bruns (Citrix CTA) of Sapago presented a session on running NetScaler in the cloud on Azure.

The documentation may suggest that NetScaler on Azure only works in single-IP mode, but that is not the case; in fact Carsten strongly recommends not taking that road because of its many limitations: multi-IP mode is the way to go. Note that you have to bring your own license to run NetScaler on Azure. When you deploy NetScaler from the Azure marketplace you can choose a DS2_v2 (SSD-backed) or A2 (HDD-backed) VM size, depending on budget and requirements. Choose the Standard tier, not Basic, because Basic VMs support neither multiple network interfaces nor Azure load balancing, both of which you need for NetScaler in Azure. Make sure to select the availability set (HA group) when deploying your instance, since this cannot be changed afterwards.

Multi-IP mode requires a public IP plus several private IP addresses on the NIC (the NSIP, a SNIP and the VIPs). With a single NIC you get one subnet, so you configure one SNIP on the private side and can talk to any node in that subnet. The public IP is NATed to a private IP, which is how the VIP is reached from the Internet.

Another option is a multi-NIC deployment, which lets you use multiple subnets, one per NIC. In Azure you have to set up your network security groups correctly.

A network security group in Azure is a stateful packet filter with prioritized allow/deny rules, attached to a subnet or a NIC, and acts as the firewall between networks. Its default rules permit traffic within the virtual network and from the Azure load balancer and deny everything else inbound, so only what you explicitly allow from the Internet reaches the NetScaler.
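What a correctly set up security group looks like for the single-NIC, multi-IP deployment Carsten describes, as an added example that is not from his session. It is written against the AzureRM module that was current in 2017 (the newer Az module renames the cmdlets to New-AzNetworkSecurityRuleConfig and so on); the resource names, region, VIP, NSIP and admin network are assumptions.

```powershell
# Added example (not from the session): NSG for a single-NIC, multi-IP NetScaler VPX in Azure.
# AzureRM module of the time; resource names, region and addresses are assumptions.
$rg      = 'rg-netscaler'
$loc     = 'westeurope'
$vipAddr = '10.20.1.10/32'    # private IP behind the public IP that serves Gateway/StoreFront
$nsip    = '10.20.1.5/32'     # NetScaler management IP, on the same NIC in multi-IP mode
$mgmtNet = '10.10.0.0/24'     # admin network allowed to reach the NSIP

$rules = @(
    # Internet may only reach the VIP, and only on 443. Because NSIP and VIP share one NIC,
    # a destination of '*' here would also expose the management GUI on the NSIP.
    New-AzureRmNetworkSecurityRuleConfig -Name 'allow-https-to-vip' -Priority 100 `
        -Direction Inbound -Access Allow -Protocol Tcp `
        -SourceAddressPrefix Internet -SourcePortRange '*' `
        -DestinationAddressPrefix $vipAddr -DestinationPortRange 443

    # Management (SSH, and the HTTPS GUI / NITRO API on the NSIP) only from the admin network.
    New-AzureRmNetworkSecurityRuleConfig -Name 'allow-ssh-to-nsip' -Priority 110 `
        -Direction Inbound -Access Allow -Protocol Tcp `
        -SourceAddressPrefix $mgmtNet -SourcePortRange '*' `
        -DestinationAddressPrefix $nsip -DestinationPortRange 22
    New-AzureRmNetworkSecurityRuleConfig -Name 'allow-https-to-nsip' -Priority 120 `
        -Direction Inbound -Access Allow -Protocol Tcp `
        -SourceAddressPrefix $mgmtNet -SourcePortRange '*' `
        -DestinationAddressPrefix $nsip -DestinationPortRange 443

    # Explicit deny from the Internet right below the allows, so a rule someone later adds
    # at priority 200 cannot quietly open the NSIP to the world.
    New-AzureRmNetworkSecurityRuleConfig -Name 'deny-internet-rest' -Priority 130 `
        -Direction Inbound -Access Deny -Protocol '*' `
        -SourceAddressPrefix Internet -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange '*'
)

$nsg = New-AzureRmNetworkSecurityGroup -ResourceGroupName $rg -Location $loc `
    -Name 'nsg-netscaler' -SecurityRules $rules

# Attach it to the NetScaler subnet. The Azure load balancer probes the HA pair depends on
# are still allowed by the default AllowAzureLoadBalancerInBound rule.
$vnet = Get-AzureRmVirtualNetwork -ResourceGroupName $rg -Name 'vnet-citrix'
Set-AzureRmVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'snet-netscaler' `
    -AddressPrefix '10.20.1.0/24' -NetworkSecurityGroup $nsg | Out-Null
Set-AzureRmVirtualNetwork -VirtualNetwork $vnet | Out-Null
```

The point of the two separate destination prefixes is the one that bites in single-NIC deployments: the VIP and the NSIP sit on the same interface, so a rule that allows 443 "to the VM" also publishes the management interface.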

Because the NetScaler firmware build for Azure differs from the regular build, upgrading is not as straightforward as usual. An upgrade also changes the MAC address of the instance, which is why you should use pooled licenses rather than MAC-bound platform licenses.

Based on a LoginVSI test with four launchers in the data center, Carsten stress-tested 100 ICA sessions through the NetScaler in Azure, logging on to XenApp servers in Azure, using ShareFile to synchronize the LoginVSI share between the data center (where the LoginVSI management server is) and the cloud (where the XenApp workers are). The result of the stress test was shown in a demo: from 0 to 100 users the packet engine CPU stayed around 2–3%, so the bottleneck was far from reached with 100 simultaneous sessions; the lab environment simply did not support a heavier load than those 100 concurrent users.

Session 1, Room 1, Emily Apsey – “Plan, Test, Implement – Nvidia vGPU VDI Performance Engineer”

Emily is a Senior Performance Engineer at Nvidia. She specialized in performance engineering in 2009 while working as a Product Engineer at Esri, where she became actively involved in understanding the performance and scalability of ArcGIS Pro in virtualized environments. Emily primarily focused on the use of GPUs in virtualized environments and took part in VMware’s vGPU beta program. As part of the Nvidia Performance Engineering team she specializes in software performance and Nvidia GRID technologies; her primary responsibilities include working with ISVs and creating the GRID Application Guides.

Emily explained that there is a new testing framework for vGPU VDI performance. It is still internal only but will be published soon. It was developed on VMware vSphere but will also be available for Citrix XenServer and Microsoft Hyper-V, and it minimizes dependencies on third-party tools. The requirements are two GPU-enabled servers in a fully configured VDI infrastructure with GRID vGPU drivers. The tool creates the VMs, their configuration and the environment settings, runs the workflows and publishes the results; for VMware it uses JSON definitions and the Python SDK, for Citrix PowerShell. According to Emily the tool could in future use AI-style metaheuristic algorithms. It mimics user workflows with AutoIt scripts compiled to an .exe. Separate PowerShell scripts will be available for the different Nvidia vGPU cards such as GRID and Tesla. Results are written to .csv files with sections for HardwareConfig, VMConfig, ClientConfig and so on. Emily showed a demo by running the tool in a remote environment; with it you can run 10 tests a day instead of one the traditional way.

Session 2, Room 1, Jorrit van Eijk (Ivanti Senior Pre-sales consultant) – “Securing Windows desktops – why it’s our problem!”

Jorrit talked through the basics of securing Windows desktops to reduce the risk of a ransomware attack and improve image management. According to Jorrit, ransomware attacks are up 300%. While deploying virtualized desktops helps keep apps and data in the datacenter, protecting users from such attacks is no longer just the job of the security guys: securing users and desktops is fast becoming the responsibility of the End User Computing/Windows engineering teams. The software Jorrit presented, Ivanti DesktopNow (powered by AppSense), uses application whitelisting based on Trusted Ownership of the files, something that has been available for years in software like AppSense, but also RES ONE Workspace and others. In demos Jorrit showed malicious code running from a disguised .exe, a Word macro and a code injection, each of which DesktopNow prevented from running. So something that has existed for years is now being promoted by playing on people’s fear of ransomware attacks.

Session 3, Room 2, Adnan Hendricks, an international consultant at Microspecialist Consulting, Microsoft MVP, MCT and frequent speaker at events, presented “Better Security with Windows Server 2016”.

These days many companies get hacked and have their data stolen, or, as in the case of Verelox, an ex-administrator deleted all customer data and wiped the servers of the hosting company; that happened the day before this presentation. According to Adnan, had the hosting provider used Server 2016 with Shielded VMs, Credential Guard, Just in Time administration, Just Enough Administration, enhanced threat detection and so on, this attack by the ex-employee might not have happened. Adnan recommends to stop using Domain Admin accounts for day-to-day work, to hand out only local admin rights and to use delegated access to limit what your administrators can do. Make the local administrator password unique for each server (for instance with LAPS) rather than using a single password for all servers.

Most attacks go undetected for around 200 days (it varies by industry). A typical attacker sends a document containing malicious code to gain access to a user’s computer and from there slowly expands their foothold by stealing tokens or exploiting further systems. Windows Server 2016 contains many features to detect those steps or stop them from succeeding; many of these, such as Credential Guard, which isolates the secrets held by LSASS so they cannot be harvested for pass-the-hash, just need to be switched on by Group Policy and do their work in the background (Credential Guard does require UEFI, Secure Boot and virtualization extensions, so check the hardware or VM generation first). As a result an attacker who has compromised a user’s device or session cannot expand beyond what that user is allowed to do, and the attack stalls. Just Enough Administration restricts a PowerShell endpoint to the specific commands a role needs, executed under a transient virtual account, so the operator never has to be a full domain admin; Just in Time administration adds the time limit, granting elevated group membership only for a set period. A shielded VM cannot be started on a host outside the guarded fabric: the Host Guardian Service must attest the host before it releases the key that unlocks the VM, so a stolen VM disk is useless.

The whole focus of Windows Server 2016 security is limiting the attack surface, so that even if a breach takes place, the damage an attacker can do is limited, because all privileges are better protected and managed. That said, just moving to Server 2016 is not enough: you have to turn on the security features yourself and, perhaps more importantly, manage your privileges well.
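Of the features Adnan listed, Just Enough Administration is the one that is pure configuration, so here is what "only give out what the administrator needs" looks like in practice. This is an added example, not code from the session: a JEA endpoint that lets a helpdesk group restart one service and read the event log, and nothing else. The group name, module name, service and transcript path are assumptions; it needs WMF 5 / Server 2016 and an elevated prompt.

```powershell
# Added example (not from the session). JEA endpoint for a helpdesk role: CORP\Helpdesk,
# the module name and the Spooler service are assumptions.
$roleDir = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\JeaSpoolerOps\RoleCapabilities'
New-Item -ItemType Directory -Path $roleDir -Force | Out-Null
New-Item -ItemType Directory -Path 'C:\JEA\Transcripts' -Force | Out-Null

# 1. Role capability: the allow-list. Anything not listed does not exist inside the session.
New-PSRoleCapabilityFile -Path (Join-Path $roleDir 'SpoolerOperator.psrc') `
    -VisibleCmdlets @(
        # Restart-Service is exposed, but -Name may only be 'Spooler'
        @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler' } },
        @{ Name = 'Get-Service';     Parameters = @{ Name = 'Name' } },
        'Get-WinEvent'
    ) `
    -VisibleFunctions 'Get-SpoolerStatus' `
    -FunctionDefinitions @{
        Name        = 'Get-SpoolerStatus'
        ScriptBlock = { Get-Service -Name Spooler | Select-Object Name, Status, StartType }
    }

# 2. Session configuration. RestrictedRemoteServer removes the scripting language and all
#    commands except the allowed ones; RunAsVirtualAccount runs them as a transient local
#    account that exists only for the session, so the helpdesk user holds no standing privilege.
$psc = Join-Path $env:TEMP 'SpoolerOps.pssc'
New-PSSessionConfigurationFile -Path $psc `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory 'C:\JEA\Transcripts' `
    -RoleDefinitions @{ 'CORP\Helpdesk' = @{ RoleCapabilities = 'SpoolerOperator' } }

# 3. Register the endpoint (restarts WinRM).
Register-PSSessionConfiguration -Name 'SpoolerOps' -Path $psc -Force | Out-Null

# From a helpdesk workstation:
#   Enter-PSSession -ComputerName srv01 -ConfigurationName SpoolerOps
#   Restart-Service -Name Spooler        # allowed
#   Restart-Service -Name LanmanServer   # rejected, 'LanmanServer' is outside the ValidateSet
#   Get-Process                          # not visible in this session at all
```

Two things to watch: the virtual account is a local administrator on the target by default (and a Domain Admin on a domain controller), so the security of the endpoint rests entirely on how tight the role capability is; and the transcript directory records every command, which is the audit trail you want when an ex-employee's actions are in question.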

Session 4, Room 2,

Remko Weijnen (CTP, Atlantis Computing) and Geert Braakhekke (4RealIT Solutions) presented a session called “Anatomy of how a company got hacked – part DEUX”

Upgrading to PowerShell 5 makes script block logging available, which records the content of every executed script block to the event log (event ID 4104 in Microsoft-Windows-PowerShell/Operational) once it has been switched on through Group Policy.

According to the speakers most macOS devices are unpatched, and it is not only your OS but also your applications that need security updates. Even Windows 10 still had the SMB1 protocol enabled by default at the time, the protocol WannaCry exploits on unpatched systems.

There is a tool, wanakiwi, that reconstructs the private key used to encrypt your documents so you can recover your files without paying the bitcoins. It works by recovering the prime factors from the memory of the ransomware process, so it only helps if the infected machine has not been rebooted since the infection.

Metasploit is an excellent tool for targeting documented vulnerabilities: from the command line you search for an exploit and launch its payload against a target. In a demo they used the MS17-010 (EternalBlue) exploit against a Windows 7 SP1 machine, which gave them a session allowing a number of actions, including taking a screenshot of the desktop without the owner of the targeted computer noticing.

The same attack was then attempted against a VM running on a host protected by hypervisor introspection (Bitdefender HVI); the attack failed, showing that introspection can protect the VM even though no agent runs inside the targeted system.

They also showed how a local administrator can hijack a disconnected RDP session from the command line (tscon run as SYSTEM). This works for both RDS and ICA sessions and there is currently no patch against it, since it requires administrative rights on the host to begin with. The best protection is to log off your admin sessions and to configure a Group Policy that automatically logs off disconnected sessions after a while.
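The three defensive settings from this session (PowerShell script block logging, SMB1 off, a time limit on disconnected sessions) as one audit-and-fix script, added here as an example rather than anything the speakers published. The registry paths and event ID are the documented ones; the 15-minute limit and the search pattern for suspicious script blocks are assumptions, so pick your own. Run it elevated.

```powershell
# Added example (not from the session). Audit and remediate the three settings the speakers
# recommend. Registry paths and event ID are the documented ones; the 15-minute disconnect
# limit and the regex below are assumptions.
function Get-HardeningState {
    $sbl = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    $ts  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    [pscustomobject]@{
        PSVersion          = $PSVersionTable.PSVersion
        ScriptBlockLogging = [bool](Get-ItemProperty -Path $sbl -Name EnableScriptBlockLogging -ErrorAction SilentlyContinue).EnableScriptBlockLogging
        Smb1ServerEnabled  = (Get-SmbServerConfiguration).EnableSMB1Protocol
        DisconnectLimitMs  = (Get-ItemProperty -Path $ts -Name MaxDisconnectionTime -ErrorAction SilentlyContinue).MaxDisconnectionTime
    }
}

function Set-HardeningState {
    param([int]$DisconnectMinutes = 15)

    # PowerShell 5 script block logging -> event 4104 in Microsoft-Windows-PowerShell/Operational.
    # Same value the "Turn on PowerShell Script Block Logging" GPO writes.
    $sbl = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    New-Item -Path $sbl -Force | Out-Null
    Set-ItemProperty -Path $sbl -Name EnableScriptBlockLogging -Value 1 -Type DWord

    # SMB1 server side off (the transport WannaCry / MS17-010 needs). The SMB1 client stays
    # installed; remove the whole feature where nothing legacy depends on it.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

    # Disconnected RDP/ICA sessions are logged off after N minutes, which shrinks the window
    # for a tscon-style hijack of an abandoned admin session. Value is in milliseconds.
    $ts = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    New-Item -Path $ts -Force | Out-Null
    Set-ItemProperty -Path $ts -Name MaxDisconnectionTime -Value ($DisconnectMinutes * 60000) -Type DWord
}

# What the logging buys you: script blocks from the last N hours that contain the usual
# download-and-run staging calls. The pattern is a starting point, not a detection rule.
function Find-SuspiciousScriptBlocks {
    param(
        [int]$Hours = 24,
        [string]$Pattern = 'DownloadString|FromBase64String|Invoke-Expression|EncodedCommand'
    )
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $Pattern } |
        Select-Object TimeCreated, @{ n = 'Snippet'; e = { ($_.Message -split "`n")[1] } }
}

Get-HardeningState
Set-HardeningState -DisconnectMinutes 15
Get-HardeningState
Find-SuspiciousScriptBlocks -Hours 24
```

On Windows 10 the SMB1 feature can be removed entirely with Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol; on Server use Remove-WindowsFeature FS-SMB1. Note that the disconnect limit is no substitute for logging off: the session is still hijackable until the timer fires.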

 

Session 5, Room 2

Sebastian Brand & Barak Nissim (VMware) presented “MASTER CLASS: VMware Horizon Masterclass – Deliver Virtual Desktops and Apps Easily and Effectively”

Workspace ONE is the marketing name VMware now uses for the combination of Horizon and AirWatch.

After some mandatory marketing slides they switched to the technical presentation, which contained more marketing slides, including a Citrix vs VMware comparison.

VMware uses two protocols, the LAN-optimized PCoIP or Blast Extreme (with BEAT, the Blast Extreme Adaptive Transport, and an HTML5 browser client); it seems there is still no competition for ICA.

Since VMware has no load-balancing appliance of its own, VMware customers with load-balancing requirements are pointed to VMware NSX (hypervisor network virtualization); fortunately Citrix has the NetScaler VPX edition, which runs on VMware ESXi and can be used with Horizon.

Not only does VMware have a compatibility guide for third-party products, they also have what they call an interoperability guide, which is basically a compatibility list of VMware products and versions against other VMware products.

VMware gets a lot of support calls regarding SSL certificates and domains, connectivity issues and UEM.

And then there was beer from IGEL, which was good of course.

Session 6, Room 2, Jim Moyle presented a session called “Infrastructure testing with Pester for fun and profit”.

Pester is a tool created to test PowerShell scripts, and it can now also be used to test infrastructure.

Pester is an open source testing framework, and since Windows 10 it ships with the OS.

A test looks roughly like this:

    Describe 'Something' {
        It 'TestName' {
            <test script> | Should Be <expected>    # or Should Not Be, Contain, Not Contain, Exist, Not Exist
        }
    }

and returns either positive or negative feedback.

So something is executed and a result is expected; if the result is met the test passes, if not, it fails. In this way we can write a simple script to test all sorts of things (a checklist of sorts) and run it to see whether everything still behaves as we expect.

This is not heartbeat monitoring; this is configuration and functionality testing.

By default Pester writes coloured output to the PowerShell console, but since that means Pester kills a lot of puppies, we can add the parameters -Quiet and -PassThru to run silently and return objects, which we can then use to generate reports or trigger e-mails when there are failed tests.

It is a great way to make sure everything is working, as opposed to working through a checklist manually and relying on humans to perform the checks with the same motivation every day.
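A baseline test for a XenApp worker in the style Jim describes, added here as an example (it is not his test file). It uses the Pester 3/4 syntax from the talk (Should Be; Pester 5 writes Should -Be), Windows 10 / Server 2016 cmdlets, and assumed service, host, share and account names. Save the Describe block as Worker.Tests.ps1; the runner at the bottom belongs in a separate script driven by a scheduled task.

```powershell
# Added example (not Jim's code). Pester 3/4 syntax; names are assumptions.
Describe 'XenApp worker baseline' {

    Context 'Services' {
        It 'Citrix Desktop Service (BrokerAgent) is running' {
            (Get-Service -Name BrokerAgent).Status | Should Be 'Running'
        }
        It 'Print Spooler starts automatically' {
            (Get-Service -Name Spooler).StartType | Should Be 'Automatic'
        }
    }

    Context 'Connectivity' {
        It 'reaches the StoreFront load balancer on 443' {
            (Test-NetConnection -ComputerName 'storefront.corp.example' -Port 443 `
                -WarningAction SilentlyContinue).TcpTestSucceeded | Should Be $true
        }
        It 'sees the profile share' {
            '\\fs01\profiles$' | Should Exist
        }
    }

    Context 'Local privileges' {
        It 'has no unexpected local administrators' {
            # Approved members of the local Administrators group (assumed list)
            $approved = 'CORP\Domain Admins', 'CORP\CTX-Admins', "$env:COMPUTERNAME\Administrator"
            $extra = (Get-LocalGroupMember -Group 'Administrators').Name |
                Where-Object { $_ -notin $approved }
            $extra | Should BeNullOrEmpty
        }
        It 'has the domain firewall profile enabled' {
            # Enabled is a GpoBoolean enum, so compare against the enum name
            (Get-NetFirewallProfile -Name Domain).Enabled | Should Be 'True'
        }
    }
}

# --- Runner, separate script (e.g. Run-Checks.ps1), scheduled daily ---
# -Quiet drops the coloured console output, -PassThru returns the result object, so failures
# feed a report or a mail instead of a screen. Pester 4 prefers -Show None over -Quiet.
$result = Invoke-Pester -Script '.\Worker.Tests.ps1' -PassThru -Quiet
if ($result.FailedCount -gt 0) {
    $body = $result.TestResult | Where-Object { -not $_.Passed } | ForEach-Object {
        "$($_.Describe) / $($_.Context) / $($_.Name): $($_.FailureMessage)"
    } | Out-String
    Send-MailMessage -To 'ops@corp.example' -From "pester@$env:COMPUTERNAME" `
        -SmtpServer 'smtp.corp.example' `
        -Subject "Pester: $($result.FailedCount) failed check(s) on $env:COMPUTERNAME" -Body $body
}
```

The 'Local privileges' context is where this beats a manual checklist: an unexpected local admin shows up as a failed test every morning, not when someone happens to look.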

Sunday 11th of June

Session 1 

René Bigler – Building a hyperconverged infrastructure lab with Nutanix Community Edition

René works as a System Engineer in the public education sector for a Swiss vocational college. His focus is end-user computing in general and Citrix technologies in particular, including Nutanix as hyperconverged infrastructure (HCI). René states it is always handy to have some sort of lab gear at work or at home for testing and learning, and Nutanix Community Edition (CE) lets you bring the latest HCI technology into your lab. In this session René outlined some basic considerations when planning to go with Nutanix CE.

Nutanix CE is limited to 4 nodes but can be fully managed with the Prism web console and the Nutanix command line (nCLI). A single-node cluster cannot be expanded later. The Intel NUC is a great platform for Nutanix CE. The CPU recommendation is 4 cores minimum, 2 of which are dedicated to the Controller VM. You need at least 2 drives (HDD + SSD) per node. Use static IP addresses for the hypervisor hosts and the Controller VMs, and do not use 192.168.5.0/24, which is reserved for internal use. The cluster needs Internet access, and you must upgrade within 30 calendar days of an upgrade becoming available, otherwise access to your cluster is blocked. A Nutanix NEXT community account is mandatory, and there is community support only, no regular support. You need an image utility like Rufus to create a bootable USB drive from the downloaded image. To lower the minimum installer requirements, log in (as root, default password nutanix/4u; change it once the cluster is up) and edit /home/install/phx_iso/phoenix/requirements.py and sysUtil.py. A XenDesktop MCS plug-in is available for the Acropolis Hypervisor (AHV) to build MCS-provisioned VMs. Be warned: after seeing it in action you will want to build your own! René’s blog: https://dreadysblog.wordpress.com/

Session 2

Saša Mašić (one of the E2EVC grandfathers) – Architecture of Desired Configuration Management (DCM)

This topic is about automation of a datacenter, dealing with configuration changes in automated environments, and the security implications of managed configurations. Saša discussed best practices and architecture rules for DCM and the best tools for mixed environments, such as Desired State Configuration (DSC). He states that with Group Policy you never know when and whether a GPO setting has been applied, and nobody knows what the resulting settings are, so you need some form of automation that is reliable. The implication of the software-defined datacenter is that you have to write software the way the vendor designed it, and coexistence of different vendors is difficult. Available tools include Chef, Puppet, Ansible, PowerShell DSC and SaltStack. Saša showed a Gartner diagram comparing scripts, server automation tools and DCM, and his presentation gave architectural views on complex technical solutions in datacenters.
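The difference Saša draws between "a GPO that may or may not have applied" and a managed configuration is easiest to see with PowerShell DSC, so here is an added example (not from his session): a configuration that declares the Credential Guard registry values Microsoft documents and a running WinRM service, is applied, and can then be asked at any time whether the node still matches. Credential Guard needs UEFI, Secure Boot and a hypervisor-capable CPU, and on Server 2016 the Hyper-V hypervisor feature, so the declaration only makes sense on hosts that meet those requirements; the node name and output path are assumptions.

```powershell
# Added example (not from the session). DSC makes the desired state explicit and queryable,
# unlike a GPO whose application you cannot reliably verify. Node name and output path are
# assumptions; the registry values are the documented Credential Guard switches.
Configuration SecureBaseline {
    Import-DscResource -ModuleName PSDesiredStateConfiguration

    Node 'localhost' {
        Registry VbsEnabled {
            Key       = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard'
            ValueName = 'EnableVirtualizationBasedSecurity'
            ValueData = '1'
            ValueType = 'Dword'
            Ensure    = 'Present'
        }
        Registry VbsPlatformSecurity {
            Key       = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard'
            ValueName = 'RequirePlatformSecurityFeatures'
            ValueData = '1'          # 1 = Secure Boot, 3 = Secure Boot plus DMA protection
            ValueType = 'Dword'
            Ensure    = 'Present'
        }
        Registry CredentialGuard {
            Key       = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA'
            ValueName = 'LsaCfgFlags'
            ValueData = '1'          # 1 = enabled with UEFI lock, 2 = enabled without lock
            ValueType = 'Dword'
            Ensure    = 'Present'
        }
        # The LCM is managed over WinRM, so keep it running; drift here is what you notice first.
        Service WinRM {
            Name        = 'WinRM'
            State       = 'Running'
            StartupType = 'Automatic'
        }
    }
}

# Compile to a MOF, push it, then ask the LCM whether the node still matches. The last call
# is the answer GPO cannot give you: a per-resource list of what drifted.
SecureBaseline -OutputPath 'C:\DSC\SecureBaseline' | Out-Null
Start-DscConfiguration -Path 'C:\DSC\SecureBaseline' -Wait -Verbose -Force
Test-DscConfiguration -Detailed | Select-Object InDesiredState, ResourcesNotInDesiredState
```

A reboot is needed before Credential Guard is actually active after the values are set; a later Test-DscConfiguration reports only whether the configuration is still as declared, not whether the hardware accepted it, so pair it with msinfo32's "Virtualization-based security Services Running" line or the DeviceGuard WMI class for the runtime check.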

 

Session 3, Room 1

Automating Citrix NetScaler Deployments & Configurations from the RES ONE Identity Director.

The session was presented by Nico van der Stok & Igor van der Burgh.

This was an automation-oriented technical session that outlined how you can use RES ONE Automation and PowerShell to fully automate the deployment and configuration of Citrix NetScalers from scratch to a fully configured, ready-to-use state, and then publish this automation as a reusable service in RES ONE Identity Director. Instead of using the NITRO API to automate the NetScaler, Nico and Igor showed how to do it the old-fashioned way with SSH commands. To get around the obstacle of uploading certificates and license files to the NetScaler, they used TFTP. Note that TFTP has no authentication or encryption, so private keys and license files travel in the clear: keep that transfer on an isolated management network and remove the TFTP server once the NetScaler is configured. In a demo video Nico showed how to install a NetScaler HA pair automatically. Then RES ONE Identity Director came in: if you look at a NetScaler as a person, the same onboarding and offboarding you do for people can be applied to NetScalers. With NetScaler MAS (Management and Analytics Services) Igor showed how to create the SSH commands in the right order. These SSH commands were then transferred, with parameters, into a new Module in RES ONE Automation. By adding this Module to a Run Book, the Run Book can be attached to RES ONE Identity Director, and from Delegated Administration the Run Book can be selected and run to create a StoreFront load balancing vServer on the NetScaler. To conclude, Nico showed not only the delivery but also the return, removing the vServer from the NetScaler again. Even if you already have experience automating NetScalers, this session and some of the methods they showed might have shed some light on new creative insights and possibilities you never considered before.
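The delivery-and-return pair from the session, sent over SSH rather than NITRO as Nico and Igor did, written here as an added example with the Posh-SSH module; it is not their RES ONE module. The IPs, vServer name and certificate key name are assumptions, and the credential should be a NetScaler system user bound to a command policy that only allows the lb/ssl/service commands below, not nsroot.

```powershell
# Added example (not the presenters' code). Delivery and return of a StoreFront LB vServer
# over SSH with Posh-SSH. Addresses and names are assumptions; use a limited NetScaler
# system user with a command policy, not nsroot.
Import-Module Posh-SSH

function New-SfLbCommands {
    param([string]$VServer, [string]$Vip, [string[]]$Servers, [string]$CertKey)
    $cmds = @()
    $i = 1
    foreach ($srv in $Servers) {
        $cmds += "add server sf$i $srv"
        $cmds += "add service svc_sf$i sf$i SSL 443 -healthMonitor YES"
        $i++
    }
    $cmds += "add lb vserver $VServer SSL $Vip 443 -persistenceType COOKIEINSERT -lbMethod LEASTCONNECTION"
    1..$Servers.Count | ForEach-Object { $cmds += "bind lb vserver $VServer svc_sf$_" }
    $cmds += "bind ssl vserver $VServer -certkeyName $CertKey"
    $cmds += 'save ns config'
    $cmds
}

function Remove-SfLbCommands {
    # The "return" leg: undo in reverse order so nothing is left bound to a vanished object.
    param([string]$VServer, [int]$ServerCount)
    $cmds = @("rm lb vserver $VServer")
    1..$ServerCount | ForEach-Object { $cmds += "rm service svc_sf$_"; $cmds += "rm server sf$_" }
    $cmds + 'save ns config'
}

function Invoke-NsCommands {
    param([string]$Nsip, [pscredential]$Credential, [string[]]$Commands)
    # -AcceptKey trusts the host key on first contact; once the NSIP fingerprint is known,
    # pin it (Get-SSHTrustedHost / New-SSHTrustedHost) instead of accepting blindly.
    $s = New-SSHSession -ComputerName $Nsip -Credential $Credential -AcceptKey
    try {
        foreach ($c in $Commands) {
            $r = Invoke-SSHCommand -SessionId $s.SessionId -Command $c
            # The NetScaler CLI prints "Done" on success and "ERROR: ..." on failure;
            # stop at the first error so the return leg knows exactly what was created.
            if ((($r.Output) -join "`n") -match '(?m)^ERROR') {
                throw "NetScaler refused '$c': $($r.Output -join ' ')"
            }
        }
    }
    finally { Remove-SSHSession -SessionId $s.SessionId | Out-Null }
}

$cred = Get-Credential -Message 'NetScaler automation user'
$ns   = '10.20.1.5'                   # NSIP (assumed)
$sf   = '10.20.2.11', '10.20.2.12'    # StoreFront servers (assumed)

# Delivery
Invoke-NsCommands -Nsip $ns -Credential $cred -Commands (
    New-SfLbCommands -VServer 'lb_vsrv_storefront' -Vip '10.20.2.100' -Servers $sf -CertKey 'wildcard_corp')

# Return
Invoke-NsCommands -Nsip $ns -Credential $cred -Commands (
    Remove-SfLbCommands -VServer 'lb_vsrv_storefront' -ServerCount $sf.Count)
```

Generating the command list as data and executing it in a separate step is what makes the Run Book approach from the session work: the same list can be reviewed, parameterized, or replayed in reverse, and the transport (SSH here, NITRO elsewhere) becomes an implementation detail.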

 

Final Session of Sunday: GEEK SPEAK.