Home » VMware Manuals » Computer Software » VMware VS4-ENT-PL-A » Manual Viewer

VMware VS4-ENT-PL-A Setup Guide - Page 205

Auto Deploy Security Considerations, Troubleshooting Auto Deploy

View all VMware VS4-ENT-PL-A manuals

Add to My Manuals
Save this manual to your list of manuals

Page 205 highlights

Chapter 7 Installing ESXi Auto Deploy Security Considerations Understanding potential security risks helps you set up your environment in a secure manner. Secure your network as you would for any other PXE-based deployment method. Auto Deploy transfers data over SSL to prevent casual interference and snooping. However, the authenticity of the client or of the Auto Deploy server is not checked during a PXE boot. The boot image that the Auto Deploy server downloads to a machine can have the following components. n The VIB packages that the image profile consists of are always included in the boot image. n The host profile and host customization are included in the boot image if Auto Deploy rules are set up to provision the host with a host profile or a host customization setting. n The administrator (root) password and user passwords that are included with host profile and host customization are MD5 encrypted. n Any other passwords associated with profiles are in the clear. If you set up Active Directory by using host profiles, the passwords are not protected. Use the vSphere Authentication Service for setting up Active Directory to avoid exposing the Active Directory passwords. n The host's public and private SSL key and certificate are included in the boot image. You can greatly reduce the security risk of Auto Deploy by completely isolating the network where Auto Deploy is used. Troubleshooting Auto Deploy The Auto Deploy troubleshooting topics offer solutions for situations when provisioning hosts with Auto Deploy does not work as expected. Auto Deploy TFTP Timeout Error at Boot Time A TFTP Timeout error message appears when a host provisioned by Auto Deploy boots. The text of the message depends on the BIOS. Problem A TFTP Timeout error message appears when a host provisioned by Auto Deploy boots. The text of the message depends on the BIOS. Cause The TFTP server is down or unreachable. Solution u Ensure that your TFTP service is running and reachable by the host that you are trying to boot. Auto Deploy Host Boots with Wrong Configuration A host is booting with a different ESXi image, host profile, or folder location than the one specified in the rules. Problem A host is booting with a different ESXi image profile or configuration than the image profile or configuration that the rules specify. For example, you change the rules to assign a different image profile, but the host still uses the old image profile. VMware, Inc. 205

Section	Page
vSphere Installation and Setup	1
Contents	3
About vSphere Installation and Setup	7
Updated Information	9
Introduction to vSphere Installation and Setup	11
Overview of the vSphere Installation and Setup Process	11
System Requirements	13
ESXi Hardware Requirements	13
Recommendation for Enhanced ESXi Performance	15
Hardware Requirements for vCenter Server, the vSphere Web Client , vCenter Inventory Service, and vCenter Single Sign-On	17
vCenter Server Software Requirements	22
vSphere Web Client Software Requirements	22
Providing Sufficient Space for System Logging	23
Required Ports for vCenter Server	23
Required Ports for the vCenter Server Appliance	25
Conflict Between vCenter Server and IIS for Port 80	26
DNS Requirements for vSphere	26
Supported Remote Management Server Models and Minimum Firmware Versions	27
Before You Install vCenter Server	29
Preparing vCenter Server Databases	30
vCenter Server Database Configuration Notes	30
Create a 64-Bit DSN	31
Confirm That vCenter Server Can Communicate with the Local Database	31
Maintaining a vCenter Server Database	32
Configure Microsoft SQL Server Databases	32
Create a SQL Server Database and User for vCenter Server	33
Set Database Permissions By Manually Creating Database Roles and the VMW Schema	34
Set Database Permissions by Using the dbo Schema and the db_owner Database Role	35
Use a Script to Create a vCenter Server User by Using the dbo Schema and db_owner Database Role	35
Use a Script to Create a Microsoft SQL Server Database Schema and Roles	36
Use a Script to Create Microsoft SQL Server Database Objects Manually	37
Configure a SQL Server ODBC Connection	40
Configure Microsoft SQL Server TCP/IP for JDBC	41
Configure a Microsoft SQL Server Database User to Enable Database Monitoring	42
Configure Oracle Databases	42
Configure an Oracle Database User	43
Use a Script to Create a Local or Remote Oracle Database	44
Use a Script to Create the Oracle Database Schema	44
Configure an Oracle Connection for Local Access	46
Configure an Oracle Database Connection for Remote Access	46
Connect to an Oracle Database Locally	47
Configure an Oracle Database User to Enable Database Monitoring	48
Prerequisites for Installing vCenter Single Sign-On, Inventory Service, and vCenter Server	49
How vCenter Single Sign-On Affects vCenter Server Installation	51
vCenter Single Sign-On Deployment Modes	52
vCenter Single Sign-On and High Availability	54
vCenter Single Sign-On Components	56
Setting the vCenter Server Administrator User	56
Authenticating to the vCenter Server Environment	57
How vCenter Single Sign-On Affects Log In Behavior	57
Identity Sources for vCenter Server with vCenter Single Sign-On	58
Synchronizing Clocks on the vSphere Network	59
Synchronize ESX and ESXi Clocks with a Network Time Server	59
Synchronize the vCenter Server Appliance Clock with an NTP Server	60
Configure a Windows NTP Client for Network Clock Synchronization	60
Download the vCenter Server Installer	61
Using a User Account for Running vCenter Server	61
Installing vCenter Server on IPv6 Machines	61
JDBC URL Formats for the vCenter Server Database	62
Running the vCenter Server Installer from a Network Drive	63
Required Information for Installing or Upgrading vCenter Single Sign-On, Inventory Service, vCenter Server, and the vSphere Web Client	63
Download the vCenter Server Installer	68
Microsoft SQL Database Set to Unsupported Compatibility Mode Causes vCenter Server Installation or Upgrade to Fail	69
Installing vCenter Server	71
vCenter Server Installation and Sign-In Process	71
vCenter Server Components and Support Tools	74
Download the vCenter Server Installer	75
Install vCenter Single Sign-On, the vSphere Web Client , vCenter Inventory Service, and vCenter Server by Using Simple Install	75
Install vCenter Single Sign-On, the vSphere Web Client, and vCenter Inventory Service as Part of a vCenter Server Simple Install	76
Install vCenter Server as Part of a Simple Install	77
Use Custom Install to Install vCenter Server and Required Components	78
Install the First or Only vCenter Single Sign-On Instance in a vCenter Server Deployment	79
Install an Additional vCenter Single Sign-On Node at an Existing Site	80
Install an Additional vCenter Single Sign-On Node at a New Site	81
Install or Upgrade the vSphere Web Client	82
Install vCenter Inventory Service Separately by Using Custom Install	83
Install vCenter Server as Part of a Custom Install	85
Add a vCenter Single Sign-On Identity Source	87
Active Directory Identity Source Settings	88
Active Directory LDAP Server and OpenLDAP Server Identity Source Settings	89
Assign Permissions in the vSphere Web Client	89
Hierarchical Inheritance of Permissions	90
Install or Upgrade vCenter Server Java Components Separately	92
Install or Upgrade vCenter Server tc Server Separately	93
vCenter Single Sign-On Installation Fails	93
Download and Deploy the VMware vCenter Server Appliance	94
Create a Custom Password on the First Boot for the vCenter Server Appliance	96
Configure a vCenter Server Appliance to Use the vCenter Single Sign-On of a Different Virtual Machine	97
Format for the vCenter Server Appliance Configuration File	98
After You Install vCenter Server	101
Install vCenter Server Components and Support Tools	102
Install the Client Integration Plug-In in the vSphere Web Client	102
Install or Upgrade the vSphere Web Client	103
Install a Local Copy of vSphere Web Client Help	104
Install the Update Manager Server	105
Install or Upgrade vSphere ESXi Dump Collector	106
Install or Upgrade vSphere Syslog Collector	108
Install or Upgrade vSphere Auto Deploy	109
Install or Upgrade VMware vSphere Authentication Proxy	110
Uninstall VMware vSphere Components	111
Creating vCenter Server Linked Mode Groups	111
Linked Mode Considerations for vCenter Server	112
Linked Mode Prerequisites for vCenter Server	113
Joining a Linked Mode Group During and After Installation	113
Join a Linked Mode Group After Installation	114
Isolate a vCenter Server Instance from a Linked Mode Group	115
Set the IP Address for a Linked Mode vCenter Server with Multiple Network Interfaces	115
Linked Mode Troubleshooting	116
Configure Firewall Access by Opening Selected Ports	116
Configuring VMware vCenter Server - tc Server Settings in vCenter Server	116
VMware vCenter Management Webservices Service Fails to Start	118
Back Up the Inventory Service Database on Windows	118
Restore an Inventory Service Database Backup on Windows	118
Back Up the Inventory Service Database on Linux	119
Restore an Inventory Service Database Backup on Linux	119
Reset the vCenter Inventory Service Database	120
Enable IPv6 Support for vCenter Inventory Service	121
Before You Install ESXi	123
Options for Installing ESXi	123
Interactive ESXi Installation	123
Scripted ESXi Installation	123
Auto Deploy ESXi Installation	124
Customizing Installations with ESXi Image Builder CLI	124
About ESXi Evaluation and Licensed Modes	124
Media Options for Booting the ESXi Installer	125
Download and Burn the ESXi Installer ISO Image to a CD or DVD	125
Format a USB Flash Drive to Boot the ESXi Installation or Upgrade	125
Create a USB Flash Drive to Store the ESXi Installation Script or Upgrade Script	127
Create an Installer ISO Image with a Custom Installation or Upgrade Script	128
PXE Booting the ESXi Installer	129
About the TFTP Server, PXELINUX, and gPXE	129
Sample DHCP Configuration	130
About PXE Configuration Files	132
PXE Boot the ESXi Installer by Using PXELINUX and a PXE Configuration File	132
PXE Boot the ESXi Installer by Using PXELINUX and an isolinux.cfg PXE Configuration File	133
PXE Boot the ESXi Installer Using gPXE	135
Installing and Booting ESXi with Software FCoE	136
Using Remote Management Applications	136
Required Information for ESXi Installation	136
Installing ESXi	139
Installing ESXi Interactively	139
Install ESXi Interactively	139
Install ESXi on a Software iSCSI Disk	141
Installing, Upgrading, or Migrating Hosts Using a Script	142
Approaches for Scripted Installation	142
Enter Boot Options to Start an Installation or Upgrade Script	142
Boot Options	143
About Installation and Upgrade Scripts	144
About the Default ks.cfg Installation Script	144
Locations Supported for the Installation Script	145
Path to the Installation or Upgrade Script	145
Installation and Upgrade Script Commands	145
Differences Between ESXi 4.x and ESXi 5.x Scripted Installation and Upgrade Commands	153
Disk Device Names	154
About the boot.cfg File	154
Install, Upgrade, or Migrate ESXi from a CD or DVD Using a Script	155
Install, Upgrade, or Migrate ESXi from a USB Flash Drive Using a Script	156
Performing a Scripted Installation or Upgrade of ESXi by PXE Booting the Installer	157
Installing ESXi Using vSphere Auto Deploy	157
Understanding vSphere Auto Deploy	157
Introduction to Auto Deploy	157
Rules and Rule Sets	159
Auto Deploy Boot Process	160
Auto Deploy Roadmap and Cmdlet Overview	164
Auto Deploy Roadmap	164
Auto Deploy PowerCLI Cmdlet Overview	165
Preparing for vSphere Auto Deploy	167
Prepare Your System and Install the Auto Deploy Server	167
Install PowerCLI and Prerequisite Software	170
Using Auto Deploy Cmdlets	170
Set Up Bulk Licensing	171
Managing Auto Deploy with PowerCLI Cmdlets	173
Assign an Image Profile to Hosts	173
Assign a Host Profile to Hosts	174
Assign a Host to a Folder or Cluster	175
Test and Repair Rule Compliance	176
Provisioning ESXi Systems with vSphere Auto Deploy	177
Provision a Host (First Boot)	177
Reprovisioning Hosts	178
Reprovision Hosts with Simple Reboot Operations	178
Reprovision a Host with a New Image Profile	179
Update the Host Customization in the vSphere Web Client	180
Using Auto Deploy for Stateless Caching and Stateful Installs	180
Introduction	181
Understanding Stateless Caching and Stateful Installs	182
Set Up Stateless Hosts to Use Auto Deploy with Caching	184
Prepare for Auto Deploy with Stateless Caching	184
Configure a Host Profile to Use Stateless Caching	185
Enable Stateful Installs for Hosts Provisioned with Auto Deploy	186
Prepare Hosts Provisioned with Auto Deploy for Stateful Installs	186
Configure a Host Profile to Enable Stateful Installs	186
Setting Up an Auto Deploy Reference Host	187
Understanding Reference Host Setup	188
Configuring an Auto Deploy Reference Host	189
Configure ESXi Dump Collector with ESXCLI	189
Configure Host Profiles for an Auto Deploy Reference Host with the vSphere Web Client	190
Set Up ESXi Dump Collector from the Host Profiles Interface in the vSphere Web Client	191
Set Up Syslog from the Host Profiles Interface in the vSphere Web Client	192
Set Up Networking for Your Auto Deploy Host in the vSphere Web Client	193
Consider and Implement Your Partitioning Stategy	193
Advanced Management Tasks	194
Reregister Auto Deploy	194
Set Up Host Profiles for Static IP Addresses in the vSphere Web Client	194
Using Auto Deploy with the VMware vCenter Server Appliance	195
Set Up the vCenter Server Appliance to Use a Standalone Auto Deploy Server	196
Set Up Auto Deploy on the vCenter Server Appliance	196
Host Customization in the vSphere Web Client	197
Auto Deploy Best Practices and Security Consideration	200
Auto Deploy Best Practices	200
Set up a Highly Available Auto Deploy Infrastructure	204
Auto Deploy Security Considerations	205
Troubleshooting Auto Deploy	205
Auto Deploy TFTP Timeout Error at Boot Time	205
Auto Deploy Host Boots with Wrong Configuration	205
Host Is Not Redirected to Auto Deploy Server	206
Auto Deploy Host with a Built-In USB Flash Drive Does Not Send Coredumps to Local Disk	206
Package Warning Message When You Assign an Image Profile to Auto Deploy Host	207
Auto Deploy Host Reboots After Five Minutes	207
Auto Deploy Host Does Not Network Boot	208
Auto Deploy Host Does Not Get a DHCP Assigned Address	208
Auto Deploy Host Cannot Contact TFTP Server	209
Auto Deploy Host Cannot Retrieve ESXi Image from Auto Deploy Server	209
Recovering from Database Corruption on the Auto Deploy Server	210
Problems if You Upgrade vCenter Server But Do Not Upgrade Auto Deploy Server	211
Auto Deploy Proof of Concept Setup	212
Proof of Concept Preinstallation Checklist	212
Install the TFTP Server	213
Install and Set Up vSphere PowerCLI	213
Prepare Auto Deploy Target Hosts	214
Prepare the DHCP Server	215
Prepare the DNS Server	216
Install Auto Deploy Server Software	217
Configure the Auto Deploy and TFTP Environment in the vSphere Web Client	218
Prepare the ESXi Software Depot	219
Set Up the First Host and Provision with Auto Deploy	220
Write Rules for the First Host	220
Provision the First Host	221
Configure the Proof of Concept Reference Host	222
Create and Apply a Host Profile with the vSphere Web Client	223
Create a Rule for Other Target Hosts	223
Provision All Hosts and Set Up Host Customizations	225
Using vSphere ESXi Image Builder CLI	225
Understanding Image Builder	226
Image Builder Overview	226
Software Depots and Their Components	227
Image Builder PowerCLI Overview	227
Image Profiles	228
Acceptance Levels	229
Structure of ImageProfile, SoftwarePackage, and ImageProfileDiff Objects	230
Image Builder Installation and Usage	233
Install Image Builder PowerCLI and Prerequisite Software	233
Using Image Builder Cmdlets	234
Image Builder Common Tasks	235
Create an Image Profile	235
Add VIBs to an Image Profile	236
Export an Image Profile to ISO or Offline Bundle ZIP	237
Preserve Image Profiles Across Sessions	238
Working with Acceptance Levels	239
Change the Host Acceptance Level	240
Set the Image Profile Acceptance Level	241
Image Builder Workflows	242
Examining Depot Contents	242
Creating Image Profiles by Cloning Workflow	243
Creating Image Profiles from Scratch Workflow	244
Editing Image Profiles Workflow	245
Setting Up ESXi	247
ESXi Autoconfiguration	248
About the Direct Console ESXi Interface	248
Configure the Keyboard Layout for the Direct Console	248
Create a Security Banner for the Direct Console	249
Redirecting the Direct Console to a Serial Port	249
Redirect the Direct Console to a Serial Port by Setting the Boot Options Manually	249
Redirect the Direct Console to a Serial Port from the vSphere Web Client	250
Redirect the Direct Console to a Serial Port in a Host Deployed with Auto Deploy	250
Set the Password for the Administrator Account	251
Configuring the BIOS Boot Settings	251
Change the BIOS Boot Setting for ESXi	251
Configure the Boot Setting for Virtual Media	252
Host Fails to Boot After You Install ESXi in UEFI Mode	252
Network Access to Your ESXi Host	253
Configure the Network Settings on a Host That Is Not Attached to the Network	253
Managing ESXi Remotely	254
Configuring Network Settings	254
Choose Network Adapters for the Management Network	254
Set the VLAN ID	255
Configuring IP Settings for ESXi	255
Configure IP Settings from the Direct Console	255
Configure IP Settings from the vSphere Web Client	255
Configuring DNS for ESXi	256
Configure DNS Settings from the Direct Console	256
Configure DNS Suffixes	256
Test the Management Network	256
Restart the Management Agents	257
Restart the Management Network	257
Disable the Management Network	257
Restoring the Standard Switch	258
Test Connectivity to Devices and Networks	258
Storage Behavior	258
About the Scratch Partition	260
Set the Scratch Partition from the vSphere Web Client	260
Host Stops Unexpectedly at Bootup When Sharing a Boot Disk with Another Host	261
View System Logs	261
Configure Syslog on ESXi Hosts	262
Enable Lockdown Mode Using the Direct Console	263
Enable Lockdown Mode Using the vSphere Web Client	263
Enable ESXi Shell and SSH Access with the Direct Console User Interface	264
Set the Host Image Profile Acceptance Level	264
Reset the System Configuration	265
Remove All Custom Packages on ESXi	266
Disable Support for Non-ASCII Characters in Virtual Machine File and Directory Names	266
Disable ESXi	266
After You Install and Set Up ESXi	267
Managing the ESXi Host with the vSphere Web Client	267
Licensing ESXi Hosts	267
About ESXi Evaluation and Licensed Modes	267
Recording the ESXi License Key	268
Access the ESXi License Key from the Direct Console	268
Access the ESXi License Key from the vSphere Web Client	268

Match case Limit results 1 per page

Auto Deploy Security Considerations

Understanding potential security risks helps you set up your environment in a secure manner.

Secure your network as you would for any other PXE-based deployment method. Auto Deploy transfers

data over SSL to prevent casual interference and snooping. However, the authenticity of the client or of the

Auto Deploy server is not checked during a PXE boot.

The boot image that the Auto Deploy server downloads to a machine can have the following components.

The VIB packages that the image profile consists of are always included in the boot image.

The host profile and host customization are included in the boot image if Auto Deploy rules are set up

to provision the host with a host profile or a host customization setting.

The administrator (root) password and user passwords that are included with host profile and host

customization are MD5 encrypted.

Any other passwords associated with profiles are in the clear. If you set up Active Directory by

using host profiles, the passwords are not protected.

Use the vSphere Authentication Service for setting up Active Directory to avoid exposing the

Active Directory passwords.

The host's public and private SSL key and certificate are included in the boot image.

You can greatly reduce the security risk of Auto Deploy by completely isolating the network where Auto

Deploy is used.

Troubleshooting Auto Deploy

The Auto Deploy troubleshooting topics offer solutions for situations when provisioning hosts with Auto

Deploy does not work as expected.

Auto Deploy TFTP Timeout Error at Boot Time

A TFTP Timeout error message appears when a host provisioned by Auto Deploy boots. The text of the

message depends on the BIOS.

Problem

A TFTP Timeout error message appears when a host provisioned by Auto Deploy boots. The text of the

message depends on the BIOS.

Cause

The TFTP server is down or unreachable.

Solution

Ensure that your TFTP service is running and reachable by the host that you are trying to boot.

Auto Deploy Host Boots with Wrong Configuration

A host is booting with a different ESXi image, host profile, or folder location than the one specified in the

rules.

Problem

A host is booting with a different ESXi image profile or configuration than the image profile or

configuration that the rules specify. For example, you change the rules to assign a different image profile,

but the host still uses the old image profile.

Chapter 7 Installing ESXi

VMware, Inc.

205