Tag: NVGRE


Summary: Update Rollup 8 for System Center 2012 R2 and Azure Pack now available

Yesterday Microsoft released Update Rollup 8 for System Center 2012 R2 and Windows Azure Pack. As with the previous Update Rollups for Windows Azure Pack and System Center, Microsoft not only delivers bug fixes but also releases new features.

There are some really cool highlights in this Update Rollup:

  • Network Virtualization Improvements (Multiple External IP Addresses,…)
  • SCDPM bug fixes
  • Better Checkpoint Integration (Checkpoint Quotas,…)
  • Support for SQL Server 2014 SP1
  • Support of Tier Storage in VMM for Storage Spaces
  • Hyper-V ACL Support in VMM
  • New Network devices in SCOM

Here you can get a quick update on what’s new in Update Rollup 8:

  • Data Protection Manager (KB3086084)
    • The DPM Agent crashes intermittently during a backup.
    • If you are trying to recover data from an imported tape, DPM may crash with a “Connection to the DPM service has been lost” error.
    • If you try to back up a SharePoint site that uses SQL Always On as a content database, SQL logs are not truncated as expected.
    • You cannot verify tape library compatibility for tapes that use RSMCompatmode settings such as IBM 35xx, 2900, and so on.
    • If you have multiple SharePoint farms hosted on the same SQL cluster with different instances but the same database names, DPM cannot back up the correct SharePoint farm content.
    • If you run Update Rollup 7 for Data Protection Manager 2012 R2, and you have already configured online protection for one or more protection groups, trying to change the protection group populates the default DPM settings for the “Select long-term goals” wizard instead of the previous configured values.
    • When you try to protect a SQL failover cluster, the Data Protection Manager UI crashes for every backup or synchronization operation.
    • If you install Update Rollup 7 for Data Protection Manager 2012 R2, self-service recovery for SQL databases may not work.
  • Operations Manager (KB3096382)
    • Slow load of alert view when it is opened by an operator
      Sometimes when the operators change between alert views, the views take up to two minutes to load. After this update rollup is installed, the reported performance issue is eradicated. The Alert View load for the Operator role is now almost the same as that for the Admin role user.
    • SCOMpercentageCPUTimeCounter.vbs causes enterprise wide performance issue
      Health Service encountered slow performance every five to six (5-6) minutes in a cyclical manner. This update rollup resolves this issue.
    • System Center Operations Manager Event ID 33333 Message: The statement has been terminated.
      This change filters out “statement has been terminated” warnings that SQL Server throws. These warning messages cannot be acted on. Therefore, they are removed.
    • System Center 2012 R2 Operations Manager: Report event 21404 occurs with error ‘0x80070057’ after Update Rollup 3 or Update Rollup 4 is applied.
      In Update Rollup 3, a design change was made in the agent code that regressed and caused SCOM agent to report error ‘0x80070057’ and MonitoringHost.exe to stop responding/crash in some scenarios. This update rollup rolls back that UR3 change.
    • SDK service crashes because of Callback exceptions from event handlers being NULL
      In a connected management group environment in certain race condition scenarios, the SDK of the local management group crashes if there are issues during the connection to the different management groups. After this update rollup is installed, the SDK of the local management group should no longer crash.
    • Run As Account(s) Expiring Soon — Alert does not raise early enough
      The 14-day warning for the RunAs account expiration was not visible in the SCOM console. Customers received only an Error event in the console three days before the account expiration. After this update rollup is installed, customers will receive a warning in their SCOM console 14 days before the RunAs account expiration, and receive an Error event three (3) days before the RunAs account expiration.
    • Network Device Certification
      As part of Network device certification, we have certified the following additional devices in Operations Manager to make extended monitoring available for them:

      • Cisco ASA5515
      • Cisco ASA5525
      • Cisco ASA5545
      • Cisco IPS 4345
      • Cisco Nexus 3172PQ
      • Cisco ASA5515-IPS
      • Cisco ASA5545-IPS
      • F5 Networks BIG-IP 2000
      • Dell S4048
      • Dell S3048
      • Cisco ASA5515sc
      • Cisco ASA5545sc
    • French translation of APM abbreviation is misleading
      The French translation of “System Center Management APM service” is misleading. APM abbreviation is translated incorrectly in the French version of Microsoft System Center 2012 R2 Operations Manager. APM means “Application Performance Monitoring” but is translated as “Advanced Power Management.” This fix corrects the translation.
    • p_HealthServiceRouteForTaskByManagedEntityId does not account for deleted resource pool members in System Center 2012 R2 Operations Manager
      If customers use Resource Pools and take some servers out of the pool, discovery tasks start failing in some scenarios. After this update rollup is installed, these issues are resolved.
    • Exception in the ‘Managed Computer’ view when you select Properties of a managed server in Operations Manager Console
      In the Operations Manager Server “Managed Computer” view on the Administrator tab, clicking the “Properties” button of a management server causes an error. After this update rollup is installed, a dialog box that contains a “Heart Beat” tab is displayed.
    • Duplicate entries for devices when network discovery runs
      When customers run discovery tasks to discover network devices, duplicate network devices that have alternative MAC addresses are discovered in some scenarios. After this update rollup is installed, customers will not receive any duplicate devices discovered in their environments.
    • Preferred Partner Program in Administration Pane
      This update lets customers view certified System Center Operations Manager partner solutions directly from the console. Customers can obtain an overview of the partner solutions and visit the partner websites to download and install the solutions.
  • Orchestrator & SMA (KB3096381)
    • SQL Server 2014 Service Pack 1 (SP1) is now supported in Orchestrator 2012 R2.
    • After you export and then import a Runbook, the Password field of Run Program activity is corrupted.
    • SMA: SQL Server 2014 Service Pack 1 is now supported in Service Management Automation 2012 R2.
    • SMA: Service Management Automation 2012 R2 does not let you stop jobs that are in the queued state.
  • Service Provider Foundation (KB3096384)
    • Installing update rollups for Service Provider Foundation causes additional bindings to be created, and this makes a Service Provider Foundation website inaccessible.
    • Quotas for multiple NAT connections are not supported. For more information about this feature, see WAP Update Rollup 8 documentation.
  • Virtual Machine Manager (KB3096389)
    • Support for SQL Server 2014 SP1 as VMM database
      With Update Rollup 8 for SC VMM 2012 R2 you can now have Microsoft SQL Server 2014 SP1 as the VMM database. This support does not include deploying service templates by using the SQL profile type as SQL Server 2014 SP1. For the latest information about SQL Server requirements for System Center 2012 R2, see the reference here.
    • Support for VMWare vCenter 6.0 management scenarios
      With Update Rollup 7, we announced support for management scenarios for vCenter 5.5. Building on our roadmap for vCenter and VMM integration and supportability, we are now excited to announce support for VMWare vCenter 6.0 in Update Rollup 8. For a complete list of supported scenarios, click here.
    • Ability to set quotas for external IP addresses
      With Update Rollup 7, we announced support for multiple external IP addresses per virtual network, but the story was incomplete, as there was no option to set quotas on the number of NAT connections. With UR8, we are glad to announce end-to-end support for this functionality, as you can now set quotas on the number of external IP addresses allowed per user role. You can also manage this by using Windows Azure Pack (WAP).
    • Support for quotas for checkpoints
      Before UR8, when you create a checkpoint through WAP, VMM does not check whether creating the checkpoint will exceed the tenant storage quota limit, so tenants can create the checkpoint even if the storage quota limit will be exceeded.
    • Ability to configure static network adapter MAC address during operating system deployment
      With Update Rollup 8, we now provide the functionality to configure static network adapter MAC addresses during operating system deployment. If you have ever done Bare Metal provisioning of hosts and ended up having multiple hosts with the same MAC addresses (because of dynamic IP address assignment for network adapters), this could be a real savior for you.
    • Ability to deploy extended Hyper-V Port ACLs
      With Update Rollup 8 for VMM, you can now:

      • Define ACLs and their rules
      • Attach the ACLs created to a VM network, VM subnets, or virtual network adapters
      • Attach the ACL to global settings that apply it to all virtual network adapters
      • View and update ACL rules configured on the virtual network adapter in VMM
      • Delete port ACLs and ACL rules
    • Support for storage space tiering in VMM
      With Update Rollup 8, VMM now provides you the functionality to create file shares with tiers (SSD/HDD).
    • Issue 1
      Creation of Generation 2 VMs fails with error 13206
    • Issue 2
      VMM does not let you set the owner of a hardware profile with an owner name that contains the “$” symbol.
    • Issue 3
      HA VMs with VLAN configured on the network sites of a logical network cannot be migrated from one host to another. Error 26857 is thrown when you try to migrate the VM.
    • Issue 4
      The changes that are made by a tenant administrator (with deploy permissions to a cloud) to the Memory and CPU settings of a VM in the cloud through VMM Console do not stick. To work around this issue, change these settings by using PowerShell.
    • Issue 5
      When a VM is deployed and put on an SMB3 file share that’s hosted on NetApp filer 8.2.3 or later, the VM deployment process leaves a stale session open per VM deployed to the share. When many VMs are deployed by using this process, VM deployment starts to fail as the max limit of the allowed SMB session on the NetApp filer is reached.
    • Issue 6
      VMM hangs because of SQL Server performance issues when you perform VMM day-to-day operations. This issue occurs because of stale entries in the tbl_PCMT_PerfHistory_Raw table. With UR8, new stale entries are not created in the tbl_PCMT_PerfHistory_Raw table. However, the entries that existed before installation of UR8 will continue to exist.
    • Issue 7
      In a deployment with virtualized Fiber Channel adapters, VMM does not update the SMI-S storage provider, and it throws an exception.
    • Issue 8
      For VMs with VHDs that are put on a Scale out File Server (SOFS) over SMB, the Disk Read Speed VM performance counter incorrectly displays zero in the VMM Admin Console. This prevents an enterprise from monitoring its top IOPS consumers.
    • Issue 9
      Dynamic Optimization fails, leaks a transaction, and prevents other jobs from executing. It is blocked on the SQL Server computer until SCVMM is recycled or the offending SPID in SQL is killed.
    • Issue 10
      V2V conversion fails when you try to migrate VMs from ESX host to Hyper-V host if the hard disk size of the VM on the ESX host is very large.
    • Issue 11
      Live migration of VMs in an HNV network takes longer than expected. You may also find that pings to the migrating VM are lost. This is because during the live migration, the whole WNV Policy table is transferred (instead of only the delta). Therefore, if the WNV Policy table is too long, the transfer is delayed and may cause VMs to lose connectivity on the new host.
    • Issue 12
      VMM obtains a wrong MAC address while generating the HNV policy in the deployments where F5 Load Balancers are used.
    • Issue 13
      For IBM SVC devices, enabling replication fails in VMM because there is a limitation in SVC in which the name of the consistency group should start with an alphabetical character (error code: 36900). This issue occurs because while enabling replication, VMM generates random strings for naming the “consistency groups” and “relationship” between the source and the target, and these contain alphanumeric characters. Therefore, the first character that’s generated by VMM may be a number, and this breaks the requirement by IBM SVC.
    • Issue 14
      In Update Rollup 6, we included a change that lets customers have a static MAC address even if the network adapter is not connected. This fix did not cover all scenarios correctly, and it triggers an exception when there’s a template with a connected network adapter, and then you later try to edit the static address in order to disconnect the network adapter.
    • Issue 15
      Post Update Rollup 6, as soon as a host goes into legacy mode, it does not come back to eventing for 20 days. Therefore, the VM properties are not refreshed, and no events are received from Hyper-V for 20 days. This issue occurs because of a change that’s included in UR6 that set the expiry as 20 days for both eventing mode and legacy mode. The legacy refresher, which should ideally run after 2 minutes, now runs after 20 days; and until then, eventing is disabled.
      Workaround: To work around this issue, manually run the legacy refresher by refreshing VM properties.
    • Issue 16
      Post-UR7, deleting a virtual network does not correctly clean up the cluster resources for the Network Virtualization Gateway. This causes the cluster role (cluster group) to go into a failed state when a failover of the HNV gateway cluster role occurs.
  • Windows Azure Pack (KB3096392)
    • Administrators cannot offer and tenants cannot use multiple external IP addresses through a Network Address Translation (NAT) connection.
      Even though Microsoft System Center Virtual Machine Manager (VMM) has functionality to allocate IP addresses for this purpose, the WAP administrator and tenant experiences do not provide such functionality. Administrators can now allocate a set of external IP addresses for tenants to use when you create NAT rules. The administrator can set up the IP address quota through the Administrator Portal virtual machine (VM) extension.
    • Tenants can create only one checkpoint per virtual machine.
      Administrators can create plans that include quotas that let tenants create multiple VM checkpoints.
    • An unexpected exception is generated by the PowerShell command “Get-MgmtSvcSqlDatabase.”
      The command Get-MgmtSvcSqlDatabase does not retrieve SQL database information. The following examples return exception “Object reference not set to an instance of an object”:

      • Get-MgmtSvcSqlDatabase -AdminUri $AdminUri -Token $Token -HostingServerId “someid” -DisableCertificateValidation
      • Get-MgmtSvcSqlDatabase -AdminUri $AdminUri -Token $Token -HostingServerId $hostserver.ServerId -Name “somename” -DisableCertificateValidation
      • Get-MgmtSvcSqlDatabase -AdminUri $AdminUri -Token $Token -HostingServerId “someserverid” -Name “datatest” -DisableCertificateValidation
    • An unexpected exception is generated by the PowerShell command “Remove-MgmtSvcMySqlHostingServer.”
      This command fails with the exception “Index (zero-based) must be greater than or equal to zero and less than the size of the argument list” when you run statements such as the following:

      • Remove-MgmtSvcMySqlHostingServer -AdminUri $AdminUri -Token $Token -HostingServerId $HostServer[0].ServerId -DisableCertificateValidation
      • Remove-MgmtSvcMySqlHostingServer -AdminUri $AdminUri -Token $Token -HostingServerId “someserverid” -DisableCertificateValidation
    • When you create a virtual machine through the Tenant Portal, the menu dropdown boxes are not sorted.
      When a tenant tries to create a VM and the list of items is long, it becomes very difficult to find the necessary machine image or template.
    • Attaching ISOs in a generation 2 (gen 2) VM fails after three or four attach or detach operations.
      The attach and detach operations on ISO disks in generation 2 VMs allocate adapters but never release them for reuse. After you apply this update, detaching the disk enables the adapter to be reused again.
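The extended Hyper-V Port ACLs listed under Virtual Machine Manager above, shown as an added example that is not from the post or the KB article: it uses the native Hyper-V host cmdlets on Windows Server 2012 R2 rather than the VMM console, and the VM name and port list are placeholders.

```powershell
# Added example (not from the original post or the KB article). Uses the native
# Hyper-V extended port ACL cmdlets on a Windows Server 2012 R2 host; the VM name
# and port list are placeholders. Rules with a higher Weight win over lower ones.

function Set-TenantInboundAcl {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$VMName,
        # TCP ports the VM is allowed to serve; every other inbound packet is dropped.
        [int[]]$AllowedTcpPorts = @(443)
    )

    # Baseline: deny all inbound traffic (lowest weight, so it is evaluated last).
    if ($PSCmdlet.ShouldProcess($VMName, 'Add inbound deny-all rule')) {
        Add-VMNetworkAdapterExtendedAcl -VMName $VMName -Direction Inbound -Action Deny -Weight 1
    }

    # Allow the listed service ports. Stateful lets the reply traffic back out
    # without a separate outbound rule.
    $weight = 100
    foreach ($port in $AllowedTcpPorts) {
        if ($PSCmdlet.ShouldProcess($VMName, "Allow inbound TCP $port")) {
            Add-VMNetworkAdapterExtendedAcl -VMName $VMName -Direction Inbound -Action Allow `
                -Protocol TCP -LocalPort $port -Weight $weight -Stateful $true
        }
        $weight++
    }
}

# Show what is actually enforced on the VM's adapter(s), highest weight first,
# which is the order in which the switch evaluates the rules.
function Get-TenantAcl {
    param([Parameter(Mandatory)][string]$VMName)
    Get-VMNetworkAdapterExtendedAcl -VMName $VMName |
        Sort-Object Weight -Descending |
        Select-Object Direction, Action, Protocol, LocalPort, RemoteIPAddress, Weight, Stateful
}

# Usage with a placeholder VM name (drop -WhatIf to apply the rules):
Set-TenantInboundAcl -VMName 'Tenant-Web01' -AllowedTcpPorts 80, 443 -WhatIf
Get-TenantAcl -VMName 'Tenant-Web01' | Format-Table -AutoSize
```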

This Update Rollup is one of the bigger ones Microsoft has released in terms of Azure Pack IaaS scenarios. This update brings several great improvements to the implementation of Checkpoints and Network Virtualization. Update Rollup 8 finally brings end-to-end support for multiple external IP addresses for the NVGRE Gateways inside WAP as well as VMM, and better support for Checkpoints on Hyper-V in the WAP Portal as well as VMM.

As always, before you deploy an update rollup in production, make sure you have tested it in your test or lab environment.




Summary: Update Rollup 7 for System Center 2012 R2 and Azure Pack now available

Last week Microsoft released Update Rollup 7 (UR7) for System Center 2012 R2 and Windows Azure Pack. As always, Update Rollup 7 does not only include a bunch of fixes, it also includes some new features. This time especially Windows Azure Pack and System Center Virtual Machine Manager got some nice updates. The following components are fixed and updated in this update rollup:

  • Data Protection Manager (3065246)
    • Support for Windows 10 Client operating system
    • Ability to use an alternative DPM server to recover from Azure Backup Vault
    • Improvements for backup on Hyper-V Replica VMs
    • Other improvements and fixes…
  • Orchestrator & SMA (3069115)
    • Orchestrator: some small fixes
    • SMA
      • SMA runbook execution fails if a PowerShell execution policy is set to Unrestricted through a Group Policy Object.
      • Fixed an error when you try to save or import a runbook in SMA
  • Operations Manager (will be released later)
    • The rollup is delayed by a few weeks, as the engineering team is working on recently reported issues.
  • Service Manager (3063263)
  • Service Provider Foundation (3069355)
    • This update includes general API changes to improve product quality.
  • Virtual Machine Manager (3066340)
    • Support for Windows 10 Client Operating System
    • Support for new Linux Operating Systems (Debian 8)
    • Support for VMWare vCenter 5.5 management scenarios (more information: VMWare vCenter 5.5 management scenarios)
    • Support for Multiple External IP Addresses per Virtual Network
    • Option to reassociate orphaned virtual machines to their Service or VM role
    • Support for VMM DHCP Extension PXE/TFTP Forwarding
    • Some scale improvements if you have more than 50 Hyper-V Hosts
    • Some Hyper-V Network Virtualization (HNV) fixes and improvements
    • Other fixes…
  • Windows Azure Pack (3069121)
    • Tenants cannot delete the checkpoints of their virtual machines
    • Support for VM names of up to 15 characters
    • Displaying VHD items during virtual machine creation when there are no hardware profiles in the plan
    • Incompatible VHDs are offered to the tenant when attaching a VHD to a virtual machine
    • Support for tenant plan viewing and self-subscription permission based on security groups
    • Support for Shielded Virtual Machine Management when it’s run on Windows Server 2016 Preview
    • Virtual Machine performance data displayed in the tenant portal
    • Other fixes and improvements…
  • Windows Azure Pack Web Sites (3069358)
    • Adds support for IPv6 to IP SSL functionality
    • Changes Web Deploy publishing from publish.domain.com to site.scm.domain.com.
    • Other fixes and improvements…

One of the new features I want to highlight is the possibility to add multiple public (external) IP addresses to a Virtual Network (using Hyper-V Network Virtualization, HNV). This means a tenant can assign multiple public IP addresses on the NAT gateway and do port forwarding, for example if multiple web servers run in that VM Network. This is a feature a lot of customers, especially service providers, have missed for a long time.

Another improvement we can see is the support for the next release of Windows Server and also support for Windows 10.

 




List of Recommended Hotfixes and Updates for Hyper-V Network Virtualization (HNV)

I already made some posts listing the websites with recommended hotfixes and updates for Clusters, Hyper-V and File Servers such as the Scale-Out File Server for Hyper-V over SMB. Now Microsoft also has an official list of recommended hotfixes, updates, and known solutions for Windows Server 2012 and Windows Server 2012 R2 Hyper-V Network Virtualization (HNV) environments, which lists hotfixes for Hyper-V, Windows Server and System Center related to Network Virtualization.

You can find the List here on the Microsoft Support Site: KB2974503 Recommended hotfixes, updates, and known solutions for Windows Server 2012 and Windows Server 2012 R2 Hyper-V Network Virtualization (HNV) environments




Cisco UCS and Hyper-V Enable Stateless Offloads with NVGRE

As I already mentioned I did several Hyper-V and Microsoft Windows Server projects with Cisco UCS. With Cisco UCS you can now configure stateless offloads for NVGRE traffic which is needed for Hyper-V Network Virtualization.

Cisco UCS Manager supports stateless offloads with NVGRE only with Cisco UCS VIC 1340 and/or Cisco UCS VIC 1380 adapters that are installed on servers running Windows Server 2012 R2 operating systems.

To use this you have to create an Ethernet Adapter Policy and, to enable stateless offloads with NVGRE, set the following values in the Resources area:

  • Transmit Queues = 1
  • Receive Queues = n (up to 8)
  • Completion Queues = # of Transmit Queues + # of Receive Queues
  • Interrupts = # Completion Queues + 2

And in the Option area set the following settings:

  • Network Virtualization using Generic Routing Encapsulation = Enabled
  • Interrupt Mode = Msi-X

Also make sure you have installed eNIC driver version 3.0.0.8 or later.

For more information, see http://www.cisco.com/c/en/us/td/docs/unified_computing/ucs/sw/vic_drivers/install/Windows/b_Cisco_VIC_Drivers_for_Windows_Installation_Guide.html.




Windows Azure Pack – Virtual Machine Cloud

One of the big features of Windows Azure Pack right now is the integration of an Infrastructure as a Service offering, or in other words a Virtual Machine Cloud. VM Cloud allows you to integrate your existing System Center Virtual Machine Manager 2012 R2 and Hyper-V environment over the SPF (Service Provider Foundation) API, so you can create an offering similar to the Windows Azure IaaS experience.

I had the chance to work on several Windows Azure Pack projects where we integrated the Virtual Machine Cloud and created offerings for service providers as well as for enterprise companies for internal use. Two parts I really like about the solution are the integration of Hyper-V Network Virtualization and the integration of VM Roles, which are basically a way to deploy services instead of just Virtual Machines. Microsoft also finally fixed the issue we had in App Controller and other products: connecting to a Virtual Machine via the Hyper-V Console from outside your organization now works by using a Remote Desktop Gateway.

Architecture

To deploy the VM Cloud or IaaS offering in Windows Azure Pack you need several roles, services and components. If you want to know more about the Windows Azure Pack Architecture, check out the following blog post.

Windows Azure Pack VM Cloud Architecture

Picture Source: TechNet

  • Hyper-V – You need a Hyper-V environment for hosting virtual machines.
  • System Center Virtual Machine Manager – In a VM Cloud environment your Hyper-V resources need to be connected to a Virtual Machine Manager. You can connect multiple Virtual Machine Manager servers, so-called VMM stamps. If you are using Hyper-V Network Virtualization (NVGRE), make sure you build a highly available VMM Cluster for each stamp.
  • Service Provider Foundation – To bring those VMM stamps inside Windows Azure Pack you need an API solution called Service Provider Foundation. Every VMM stamp has to be registered in Windows Azure Pack through a Service Provider Foundation Endpoint.
  • Windows Azure Pack Tenant Portal – The portal for tenants/customers to manage Virtual Machines.
  • Windows Azure Pack Admin Portal – The portal for administrators to register new VMM stamps and create offerings for customers.
  • Service Management API – You always need this if you deploy Windows Azure Pack.
  • SQL Server – SQL Server for Windows Azure Pack, SPF and Virtual Machine Manager.
  • RD Gateway – Remote Desktop Gateway for the Console Connection to the Virtual Machine.
  • System Center Operations Manager – If you want to monitor your VM environment or do chargeback, you need Operations Manager and Service Reporting.

How to set up VM Cloud in Windows Azure Pack

After you have set up your environment you have to register your Service Provider Foundation and VMM in Windows Azure Pack. Enter the address of the SPF Endpoint and the address of the VMM Server.

WAP Register SPF

You can then add VMM servers or VMM Stamps to the Windows Azure Pack.

VMMStamp in WAP

You can now select the Cloud you want to use for your offering. If you create a new plan you can select which VMM stamp and cloud should be used for the offering. You can limit resources like Virtual Machine count, CPU cores, RAM, Storage, VM Networks, Templates and more inside plans and add-ons. You can then offer these plans and add-ons to your customers.

WAP VM Cloud Plan

As another part you can extend the solution by adding an SMA Web Service endpoint to the Windows Azure Pack and configuring it for the Virtual Machine Clouds. With this solution you can link SMA Runbooks to actions in Windows Azure Pack VM Cloud, SPF and Virtual Machine Manager.

WAP Link SMA Runbook to VMM Action

If you need to enable Console access to the Virtual Machine for the tenant users, you also have to register a Remote Desktop Gateway. This allows users to access the Virtual Machine without having an IP address set inside the VM.

Tenant VM Console Access WAP

Remember there are many more steps you have to do, for example configuring the fabric in System Center Virtual Machine Manager or configuring the Remote Desktop Gateway to have access to the Hyper-V hosts. And if you are doing NVGRE (Hyper-V Network Virtualization) you may also want to have NVGRE Gateways in place so customers can leave the Virtual Network and connect to the physical network or the internet. So setting this up is one part, but having it designed and configured the right way is another.




Hyper-V Network Virtualization NVGRE: No connection between VMs on different Hyper-V Hosts

I have worked on some projects with Hyper-V Network Virtualization and NVGRE, and today I have seen an issue with Encapsulated Task Offloading on some HP Broadcom Network adapters.

 

Issue

I have Hyper-V Hosts running with 10GbE Broadcom Network Adapters (HP Ethernet 10Gb 2-port 530FLR-SFP+ Adapter) with driver version 7.8.52.0 (released in 2014). I have created a new VM Network based on Hyper-V Network Virtualization using NVGRE. VM1 is running on Host1 and VM2 is running on Host2. You can ping VM2 from VM1, but no other connection is possible, such as SMB, RDP, HTTP or DNS. If you are using an NVGRE Gateway you cannot even resolve DNS inside those VMs. If VM1 and VM2 are running on the same Hyper-V host, everything between those VMs works fine.


If you are using Server Core, which you should by the way, you can use the following command to check for those settings:

PowerShell NetAdapter Advanced Property

 

Resolution

The Broadcom Network adapters have a feature called Encapsulated Task Offloading which is enabled by default. If you disable Encapsulated Task Offloading everything works fine. You can disable it by using the following PowerShell cmdlet.
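Both the check described under Issue and the fix described here, as an added example (not the cmdlet screenshots from the original post). It assumes the Broadcom driver exposes the setting as an advanced property whose display name contains “Encapsulated Task Offload” with the display value “Enabled”, as described above; adapter names are taken from the host.

```powershell
# Added example (the original post's screenshots are not reproduced). Assumes
# the driver exposes an advanced property whose DisplayName contains
# "Encapsulated Task Offload" and whose DisplayValue reads "Enabled"/"Disabled".

# Report the driver-side state of Encapsulated Task Offload for every physical
# adapter, so the offending NICs can be spotted on a Server Core host.
function Get-EncapOffloadState {
    foreach ($adapter in Get-NetAdapter -Physical) {
        $prop = Get-NetAdapterAdvancedProperty -Name $adapter.Name -ErrorAction SilentlyContinue |
            Where-Object { $_.DisplayName -like '*Encapsulated Task Offload*' }
        [pscustomobject]@{
            Adapter  = $adapter.Name
            Driver   = $adapter.DriverVersion
            Property = if ($prop) { $prop.DisplayName } else { '(not exposed)' }
            Value    = if ($prop) { $prop.DisplayValue } else { $null }
        }
    }
}

# Disable the offload on the given adapters. Uses the dedicated NetAdapter
# cmdlet; the change takes effect without a reboot, as the post observed.
function Disable-EncapOffload {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)][string[]]$AdapterName)
    foreach ($name in $AdapterName) {
        if ($PSCmdlet.ShouldProcess($name, 'Disable Encapsulated Packet Task Offload')) {
            Disable-NetAdapterEncapsulatedPacketTaskOffload -Name $name -NoRestart
        }
    }
}

# Example run: list the state, then disable only where the driver reports it
# enabled (remove -WhatIf to apply).
$state = Get-EncapOffloadState
$state | Format-Table -AutoSize
$targets = $state | Where-Object { $_.Value -eq 'Enabled' } | Select-Object -ExpandProperty Adapter
if ($targets) { Disable-EncapOffload -AdapterName $targets -WhatIf }
```

Re-run Get-EncapOffloadState afterwards and confirm the value reads Disabled before testing SMB or RDP between the VMs again.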

After that connection inside the VMs started to work immediately, no reboot needed.




5nine Cloud Security for Hyper-V 4.0

Security is a critical part of your datacenter, and with a high virtualization rate it gets even more critical and complex to manage. Gartner estimates that in 2014 roughly 75% of all servers will be virtual, with the number continuing to rise year after year. If you are working in a highly virtualized environment you know how difficult it can be to protect your virtual machines and networks. It is even harder if you are a cloud service provider and you want to protect your customers; sometimes you don’t even have access into the virtual machines and you cannot really make sure the customer does everything right.

For some customers I was looking for a solution with centralized management and no impact on the performance of the virtual machines. Through some contacts I had the chance to talk with 5Nine Software, which offers some great solutions for Hyper-V management and Hyper-V security. In December 5Nine Software released its latest beta version of Cloud Security for Microsoft’s virtualization solutions, called 5Nine Cloud Security for Hyper-V. The new version includes some new features like real-time active anti-virus protection, VM Security groups, a new LWF R2 VM Switch extension, role based access and, most importantly, support for NVGRE, or in other words Hyper-V Network Virtualization support, which will make especially service providers very happy.

5Nine Hyper-V Security Agentless

Some key details about the 5nine Cloud Security for Hyper-V:

  • Multi-tenant security
  • Agentless, host-based solution for AV scans
  • Supporting Windows Server 2012 R2 Hyper-V
  • Granular control over each virtual machine using Hyper-V Extensible Switch, no agent required
    • Configure the Advanced / Full Kernel mode Virtual Firewall for each VM individually
      • MAC Address filtering
      • ARP Rules
      • SPI (stateful packet inspection)
      • Network traffic anomaly analysis
      • Inbound and outbound per VM bandwidth throttling
      • MAC broadcast filtering
      • All filtering events logging with more data (UM logs only contain blocked events)
    • Configure network filtering rules on a per-VM basis
    • Set inbound/outbound traffic limits and bandwidth utilization by virtual machine
  • Meet the security demands of enterprise, management service providers (MSPs), public sector, and hosting providers who leverage Microsoft’s Hyper-V Server and Cloud Platform
  • Provide the first and only seamless agentless compliance and agentless security solution for the Hyper-V Cloud
  • Deliver multi-layered protection together with integrated, agentless antivirus and intrusion detection capabilities
  • Offer unmatched levels of industry-demanded protection and compliance (including PCI-DSS, HIPAA, and Sarbanes-Oxley)
  • Secure the Cloud environment with anti-virus technology that runs with virtually zero performance impact while simultaneously improving virtual machine density
  • Provide network traffic control between virtual machines
  • Enforce secure multi-tenancy and Virtual Machines Security Groups
  • Provide NVGRE support (Hyper-V Network Virtualization)
  • Detect and block malicious attacks
  • Supports any guest OS supported by Windows Hyper-V including Linux

Architecture

In my lab I had the chance to have a look at the latest beta and wow, I was pretty impressed. The installation and the management are so easy, you don’t really need any documentation. That’s how a security product should work: it should not make your environment even more complex; it should help you keep your environment secure without adding extra complexity to it.

Let’s first look at the architecture of the environment, which is pretty simple. Basically you have three components:

  • The Management Service – This would be your 5Nine management server which needs a SQL database (minimum MS SQL Express) and all Hyper-V Hosts are connected to this management server.
  • The Host Management Service – which is basically the software and agent running on the Hyper-V host itself.
  • The Management Console – The console where you can configure everything. The console is simply connected to the management server.

Some impressions

If we have a look at one of my Hyper-V Hosts after the installation you can see some new things on the server. Basically 5Nine Cloud Security adds some services to the Hyper-V hosts (not to the virtual machines) for management and malware protection.

5Nine Hyper-V Security Services

And if we have a look at the Hyper-V Virtual Switch, we can see a new extension added to it.

5Nine Hyper-V Virtual Switch Extension

 

The management console is where the magic happens and where you configure your environment. The console in my opinion is pretty simple and you can easily find all the options you need.

5Nine Hyper-V Security Console

Besides the Virtual Firewall you can also configure Antivirus Protection, Firewall logging and a lot more.

5Nine Hyper-V Security Antivirus Settings

But wouldn’t it be great to just manage this from your favorite datacenter management tool, System Center Virtual Machine Manager? Well, in version 3 5Nine created a plugin for Virtual Machine Manager which allows you to set all the settings directly from the VMM console.

5Nine Hyper-V Security System Center VMM Plugin

As I already mentioned I am pretty impressed and I think this is exactly what a lot of customers and service providers are looking for. It provides a simple, centralized and easy to manage Hyper-V Security solution and integrates perfectly in your datacenter.